lib/gitlab/ci/build/prerequisite/kubernetes_namespace.rb


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83

# frozen_string_literal: true

module Gitlab
  module Ci
    module Build
      module Prerequisite
        class KubernetesNamespace < Base
          def unmet?
            deployment_cluster.present? &&
              deployment_cluster.managed? &&
              missing_namespace?
          end

          def complete!
            return unless unmet?

            create_namespace
          end

          private

          def missing_namespace?
            kubernetes_namespace.nil? || kubernetes_namespace.service_account_token.blank?
          end

          def deployment_cluster
            build.deployment&.cluster
          end

          def environment
            build.deployment.environment
          end

          def kubernetes_namespace
            strong_memoize(:kubernetes_namespace) do
              ::Clusters::KubernetesNamespaceFinder.new(
                deployment_cluster,
                project: environment.project,
                environment_name: environment.name,
                allow_blank_token: true
              ).execute
            end
          end

          def create_namespace
            namespace = kubernetes_namespace || build_namespace_record

            return if conflicting_ci_namespace_requested?(namespace)

            ::Clusters::Kubernetes::CreateOrUpdateNamespaceService.new(
              cluster: deployment_cluster,
              kubernetes_namespace: namespace
            ).execute
          end

          ##
          # A namespace can only be specified via gitlab-ci.yml
          # for unmanaged clusters, as we currently have no way
          # of preventing a job requesting a namespace it
          # shouldn't have access to.
          #
          # To make this clear, we fail the build instead of
          # silently using a namespace other than the one
          # explicitly specified.
          #
          # Support for managed clusters will be added in
          # https://gitlab.com/gitlab-org/gitlab/issues/38054
          def conflicting_ci_namespace_requested?(namespace_record)
            build.expanded_kubernetes_namespace.present? &&
              namespace_record.namespace != build.expanded_kubernetes_namespace
          end

          def build_namespace_record
            ::Clusters::BuildKubernetesNamespaceService.new(
              deployment_cluster,
              environment: environment
            ).execute
          end
        end
      end
    end
  end
end