app/services/clusters/cleanup/service_account_service.rb


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34

# frozen_string_literal: true

module Clusters
  module Cleanup
    class ServiceAccountService < ::Clusters::Cleanup::BaseService
      def execute
        delete_gitlab_service_account

        log_event(:destroying_cluster)

        cluster.destroy!
      end

      private

      def delete_gitlab_service_account
        log_event(:deleting_gitlab_service_account)

        cluster.kubeclient&.delete_service_account(
          ::Clusters::Kubernetes::GITLAB_SERVICE_ACCOUNT_NAME,
          ::Clusters::Kubernetes::GITLAB_SERVICE_ACCOUNT_NAMESPACE
        )
      rescue Kubeclient::ResourceNotFoundError
        # The resources have already been deleted, possibly on a previous attempt that timed out
      rescue Gitlab::UrlBlocker::BlockedUrlError
        # User gave an invalid cluster from the start, or deleted the endpoint before this job ran
      rescue Kubeclient::HttpError => e
        # unauthorized, forbidden: GitLab's access has been revoked
        # certificate verify failed: Cluster is probably gone forever
        raise unless e.message =~ /unauthorized|forbidden|certificate verify failed/i
      end
    end
  end
end