Commit 3eec327d authored by Thong Kuah's avatar Thong Kuah

Refactor to DRY out building of kube_client into originator service

parent 7ebc18d1
...@@ -25,11 +25,7 @@ module Clusters ...@@ -25,11 +25,7 @@ module Clusters
private private
def create_gitlab_service_account! def create_gitlab_service_account!
Clusters::Gcp::Kubernetes::CreateServiceAccountService.new( Clusters::Gcp::Kubernetes::CreateServiceAccountService.new(kube_client).execute
'https://' + gke_cluster.endpoint,
Base64.decode64(gke_cluster.master_auth.cluster_ca_certificate),
gke_cluster.master_auth.username,
gke_cluster.master_auth.password).execute
end end
def configure_provider def configure_provider
...@@ -49,11 +45,7 @@ module Clusters ...@@ -49,11 +45,7 @@ module Clusters
end end
def request_kubernetes_token def request_kubernetes_token
Clusters::Gcp::Kubernetes::FetchKubernetesTokenService.new( Clusters::Gcp::Kubernetes::FetchKubernetesTokenService.new(kube_client).execute
'https://' + gke_cluster.endpoint,
Base64.decode64(gke_cluster.master_auth.cluster_ca_certificate),
gke_cluster.master_auth.username,
gke_cluster.master_auth.password).execute
end end
# GKE Clusters have RBAC enabled on Kubernetes >= 1.6 # GKE Clusters have RBAC enabled on Kubernetes >= 1.6
...@@ -61,6 +53,40 @@ module Clusters ...@@ -61,6 +53,40 @@ module Clusters
'rbac' 'rbac'
end end
def kube_client
@kube_client ||= build_kube_client!(
'https://' + gke_cluster.endpoint,
Base64.decode64(gke_cluster.master_auth.cluster_ca_certificate),
gke_cluster.master_auth.username,
gke_cluster.master_auth.password,
api_groups: ['api', 'apis/rbac.authorization.k8s.io']
)
end
def build_kube_client!(api_url, ca_pem, username, password, api_groups: ['api'], api_version: 'v1')
raise "Incomplete settings" unless api_url && username && password
Gitlab::Kubernetes::KubeClient.new(
api_url,
api_groups,
api_version,
auth_options: { username: username, password: password },
ssl_options: kubeclient_ssl_options(ca_pem),
http_proxy_uri: ENV['http_proxy']
)
end
def kubeclient_ssl_options(ca_pem)
opts = { verify_ssl: OpenSSL::SSL::VERIFY_PEER }
if ca_pem.present?
opts[:cert_store] = OpenSSL::X509::Store.new
opts[:cert_store].add_cert(OpenSSL::X509::Certificate.new(ca_pem))
end
opts
end
def gke_cluster def gke_cluster
@gke_cluster ||= provider.api_client.projects_zones_clusters_get( @gke_cluster ||= provider.api_client.projects_zones_clusters_get(
provider.gcp_project_id, provider.gcp_project_id,
......
...@@ -4,18 +4,13 @@ module Clusters ...@@ -4,18 +4,13 @@ module Clusters
module Gcp module Gcp
module Kubernetes module Kubernetes
class CreateServiceAccountService class CreateServiceAccountService
attr_reader :api_url, :ca_pem, :username, :password attr_reader :kubeclient
def initialize(api_url, ca_pem, username, password) def initialize(kubeclient)
@api_url = api_url @kubeclient = kubeclient
@ca_pem = ca_pem
@username = username
@password = password
end end
def execute def execute
kubeclient = build_kube_client!(api_groups: ['api', 'apis/rbac.authorization.k8s.io'])
kubeclient.create_service_account(service_account_resource) kubeclient.create_service_account(service_account_resource)
kubeclient.create_cluster_role_binding(cluster_role_binding_resource) kubeclient.create_cluster_role_binding(cluster_role_binding_resource)
end end
...@@ -35,30 +30,6 @@ module Clusters ...@@ -35,30 +30,6 @@ module Clusters
subjects subjects
).generate ).generate
end end
def build_kube_client!(api_groups: ['api'], api_version: 'v1')
raise "Incomplete settings" unless api_url && username && password
Gitlab::Kubernetes::KubeClient.new(
api_url,
api_groups,
api_version,
auth_options: { username: username, password: password },
ssl_options: kubeclient_ssl_options,
http_proxy_uri: ENV['http_proxy']
)
end
def kubeclient_ssl_options
opts = { verify_ssl: OpenSSL::SSL::VERIFY_PEER }
if ca_pem.present?
opts[:cert_store] = OpenSSL::X509::Store.new
opts[:cert_store].add_cert(OpenSSL::X509::Certificate.new(ca_pem))
end
opts
end
end end
end end
end end
......
...@@ -4,13 +4,10 @@ module Clusters ...@@ -4,13 +4,10 @@ module Clusters
module Gcp module Gcp
module Kubernetes module Kubernetes
class FetchKubernetesTokenService class FetchKubernetesTokenService
attr_reader :api_url, :ca_pem, :username, :password attr_reader :kubeclient
def initialize(api_url, ca_pem, username, password) def initialize(kubeclient)
@api_url = api_url @kubeclient = kubeclient
@ca_pem = ca_pem
@username = username
@password = password
end end
def execute def execute
...@@ -32,46 +29,12 @@ module Clusters ...@@ -32,46 +29,12 @@ module Clusters
end end
def read_secrets def read_secrets
kubeclient = build_kubeclient!
kubeclient.get_secrets.as_json kubeclient.get_secrets.as_json
rescue Kubeclient::HttpError => err rescue Kubeclient::HttpError => err
raise err unless err.error_code == 404 raise err unless err.error_code == 404
[] []
end end
def build_kubeclient!(api_path: 'api', api_version: 'v1')
raise "Incomplete settings" unless api_url && username && password
::Kubeclient::Client.new(
join_api_url(api_path),
api_version,
auth_options: { username: username, password: password },
ssl_options: kubeclient_ssl_options,
http_proxy_uri: ENV['http_proxy']
)
end
def join_api_url(api_path)
url = URI.parse(api_url)
prefix = url.path.sub(%r{/+\z}, '')
url.path = [prefix, api_path].join("/")
url.to_s
end
def kubeclient_ssl_options
opts = { verify_ssl: OpenSSL::SSL::VERIFY_PEER }
if ca_pem.present?
opts[:cert_store] = OpenSSL::X509::Store.new
opts[:cert_store].add_cert(OpenSSL::X509::Certificate.new(ca_pem))
end
opts
end
end end
end end
end end
......
...@@ -5,15 +5,21 @@ require 'spec_helper' ...@@ -5,15 +5,21 @@ require 'spec_helper'
describe Clusters::Gcp::Kubernetes::CreateServiceAccountService do describe Clusters::Gcp::Kubernetes::CreateServiceAccountService do
include KubernetesHelpers include KubernetesHelpers
let(:service) { described_class.new(api_url, ca_pem, username, password) } let(:service) { described_class.new(kubeclient) }
describe '#execute' do describe '#execute' do
subject { service.execute } subject { service.execute }
let(:api_url) { 'http://111.111.111.111' } let(:api_url) { 'http://111.111.111.111' }
let(:ca_pem) { '' }
let(:username) { 'admin' } let(:username) { 'admin' }
let(:password) { 'xxx' } let(:password) { 'xxx' }
let(:kubeclient) do
Gitlab::Kubernetes::KubeClient.new(
api_url,
['api', 'apis/rbac.authorization.k8s.io'],
auth_options: { username: username, password: password }
)
end
context 'when params are correct' do context 'when params are correct' do
before do before do
...@@ -44,23 +50,5 @@ describe Clusters::Gcp::Kubernetes::CreateServiceAccountService do ...@@ -44,23 +50,5 @@ describe Clusters::Gcp::Kubernetes::CreateServiceAccountService do
) )
end end
end end
context 'when api_url is nil' do
let(:api_url) { nil }
it { expect { subject }.to raise_error("Incomplete settings") }
end
context 'when username is nil' do
let(:username) { nil }
it { expect { subject }.to raise_error("Incomplete settings") }
end
context 'when password is nil' do
let(:password) { nil }
it { expect { subject }.to raise_error("Incomplete settings") }
end
end end
end end
...@@ -2,12 +2,18 @@ require 'spec_helper' ...@@ -2,12 +2,18 @@ require 'spec_helper'
describe Clusters::Gcp::Kubernetes::FetchKubernetesTokenService do describe Clusters::Gcp::Kubernetes::FetchKubernetesTokenService do
describe '#execute' do describe '#execute' do
subject { described_class.new(api_url, ca_pem, username, password).execute } subject { described_class.new(kubeclient).execute }
let(:api_url) { 'http://111.111.111.111' } let(:api_url) { 'http://111.111.111.111' }
let(:ca_pem) { '' }
let(:username) { 'admin' } let(:username) { 'admin' }
let(:password) { 'xxx' } let(:password) { 'xxx' }
let(:kubeclient) do
Gitlab::Kubernetes::KubeClient.new(
api_url,
['api', 'apis/rbac.authorization.k8s.io'],
auth_options: { username: username, password: password }
)
end
context 'when params correct' do context 'when params correct' do
let(:token) { 'xxx.token.xxx' } let(:token) { 'xxx.token.xxx' }
...@@ -50,23 +56,5 @@ describe Clusters::Gcp::Kubernetes::FetchKubernetesTokenService do ...@@ -50,23 +56,5 @@ describe Clusters::Gcp::Kubernetes::FetchKubernetesTokenService do
it { is_expected.to be_nil } it { is_expected.to be_nil }
end end
end end
context 'when api_url is nil' do
let(:api_url) { nil }
it { expect { subject }.to raise_error("Incomplete settings") }
end
context 'when username is nil' do
let(:username) { nil }
it { expect { subject }.to raise_error("Incomplete settings") }
end
context 'when password is nil' do
let(:password) { nil }
it { expect { subject }.to raise_error("Incomplete settings") }
end
end end
end end
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment