Commit 15af0a45 authored by Dmitriy Zaporozhets's avatar Dmitriy Zaporozhets

Merge branch '55447-validate-k8s-ca-cert' into 'master'

Validate k8s CA certificate at cluster creation

See merge request gitlab-org/gitlab-ce!24990
parents 8886924c 73e5d3a2
...@@ -43,6 +43,7 @@ module Clusters ...@@ -43,6 +43,7 @@ module Clusters
# We expect to be `active?` only when enabled and cluster is created (the api_url is assigned) # We expect to be `active?` only when enabled and cluster is created (the api_url is assigned)
validates :api_url, url: true, presence: true validates :api_url, url: true, presence: true
validates :token, presence: true validates :token, presence: true
validates :ca_cert, certificate: true, allow_blank: true, if: :ca_cert_changed?
validate :prevent_modification, on: :update validate :prevent_modification, on: :update
......
---
title: Validate kubernetes cluster CA certificate
merge_request: 24990
author:
type: changed
...@@ -97,7 +97,7 @@ RSpec.describe Clusters::KubernetesNamespace, type: :model do ...@@ -97,7 +97,7 @@ RSpec.describe Clusters::KubernetesNamespace, type: :model do
let(:platform) { create(:cluster_platform_kubernetes, api_url: api_url, ca_cert: ca_pem, token: token) } let(:platform) { create(:cluster_platform_kubernetes, api_url: api_url, ca_cert: ca_pem, token: token) }
let(:api_url) { 'https://kube.domain.com' } let(:api_url) { 'https://kube.domain.com' }
let(:ca_pem) { 'CA PEM DATA' } let(:ca_pem) { File.read(Rails.root.join('spec/fixtures/clusters/sample_cert.pem')) }
let(:token) { 'token' } let(:token) { 'token' }
let(:kubeconfig) do let(:kubeconfig) do
......
...@@ -114,6 +114,36 @@ describe Clusters::Platforms::Kubernetes, :use_clean_rails_memory_store_caching ...@@ -114,6 +114,36 @@ describe Clusters::Platforms::Kubernetes, :use_clean_rails_memory_store_caching
end end
end end
context 'ca_cert' do
let(:kubernetes) { build(:cluster_platform_kubernetes, ca_pem: ca_pem) }
context 'with a valid certificate' do
let(:ca_pem) { File.read(Rails.root.join('spec/fixtures/clusters/sample_cert.pem')) }
it { is_expected.to be_truthy }
end
context 'with an invalid certificate' do
let(:ca_pem) { "invalid" }
it { is_expected.to be_falsey }
context 'but the certificate is not being updated' do
before do
allow(kubernetes).to receive(:ca_cert_changed?).and_return(false)
end
it { is_expected.to be_truthy }
end
end
context 'with no certificate' do
let(:ca_pem) { "" }
it { is_expected.to be_truthy }
end
end
describe 'when using reserved namespaces' do describe 'when using reserved namespaces' do
subject { build(:cluster_platform_kubernetes, namespace: namespace) } subject { build(:cluster_platform_kubernetes, namespace: namespace) }
...@@ -202,7 +232,7 @@ describe Clusters::Platforms::Kubernetes, :use_clean_rails_memory_store_caching ...@@ -202,7 +232,7 @@ describe Clusters::Platforms::Kubernetes, :use_clean_rails_memory_store_caching
let!(:cluster) { create(:cluster, :project, platform_kubernetes: kubernetes) } let!(:cluster) { create(:cluster, :project, platform_kubernetes: kubernetes) }
let(:kubernetes) { create(:cluster_platform_kubernetes, api_url: api_url, ca_cert: ca_pem) } let(:kubernetes) { create(:cluster_platform_kubernetes, api_url: api_url, ca_cert: ca_pem) }
let(:api_url) { 'https://kube.domain.com' } let(:api_url) { 'https://kube.domain.com' }
let(:ca_pem) { 'CA PEM DATA' } let(:ca_pem) { File.read(Rails.root.join('spec/fixtures/clusters/sample_cert.pem')) }
subject { kubernetes.predefined_variables(project: cluster.project) } subject { kubernetes.predefined_variables(project: cluster.project) }
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment