Commit 577c79bb authored by Thong Kuah's avatar Thong Kuah

ABAC: fetch default service account token; RBAC: fetch gitlab service acount token

Keeps existing behaviour for ABAC clusters
parent c9af170d
......@@ -47,7 +47,9 @@ module Clusters
end
def request_kubernetes_token
Clusters::Gcp::Kubernetes::FetchKubernetesTokenService.new(kube_client).execute
service_account_name = rbac_clusters_feature_enabled? ? Clusters::Gcp::Kubernetes::SERVICE_ACCOUNT_NAME : 'default'
Clusters::Gcp::Kubernetes::FetchKubernetesTokenService.new(kube_client, service_account_name).execute
end
def authorization_type
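Review bot: The new `service_account_name` line hard-codes the bare string `'default'` next to the `Clusters::Gcp::Kubernetes::SERVICE_ACCOUNT_NAME` constant, so the ABAC branch has no named counterpart that `FetchKubernetesTokenService`'s `token_regex` could share; suggest a `DEFAULT_SERVICE_ACCOUNT_NAME = 'default'.freeze` in the same module and `... : Clusters::Gcp::Kubernetes::DEFAULT_SERVICE_ACCOUNT_NAME` here. The line also runs well past the usual width and the choice it encodes is not explained in code; a one-line why-comment above it, `# ABAC clusters keep reading the default service account's token; RBAC clusters use the GitLab-managed account created earlier`, captures what the commit message says. Which account's token ends up persisted is decided by `rbac_clusters_feature_enabled?` at fetch time, so flipping the flag later presumably leaves an already-stored token from the other account — worth a note if that is the intended behaviour. `rbac_clusters_feature_enabled?` is defined outside the hunk.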
......@@ -4,10 +4,11 @@ module Clusters
module Gcp
module Kubernetes
class FetchKubernetesTokenService
attr_reader :kubeclient
attr_reader :kubeclient, :service_account_name
def initialize(kubeclient)
def initialize(kubeclient, service_account_name)
@kubeclient = kubeclient
@service_account_name = service_account_name
end
def execute
......@@ -25,7 +26,7 @@ module Clusters
private
def token_regex
/#{SERVICE_ACCOUNT_NAME}-token/
/#{service_account_name}-token/
end
def read_secrets
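Review bot: `token_regex` now interpolates a caller-supplied `service_account_name` into an unanchored regex, so a secret whose name merely contains the pattern (for example `other-default-token-x` when the name is `default`) would presumably also match wherever `read_secrets` applies it (that method starts below the hunk); suggest `/\A#{Regexp.escape(service_account_name)}-token-/` so the match is anchored to the secret-name prefix and any regex metacharacters in the name are neutralised. Matching on the `kubernetes.io/service-account.name` annotation of the secret rather than on its name would be the more robust selector, but that depends on what `read_secrets` returns, which is not visible here. The constructor gained a parameter without documentation; a comment above `def initialize(kubeclient, service_account_name)` such as `# service_account_name: the Kubernetes service account whose <name>-token-* secret holds the bearer token to return` would make the contract explicit.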
......@@ -52,13 +52,14 @@ describe Clusters::Gcp::FinalizeCreationService do
end
context 'when suceeded to fetch kuberenetes token' do
let(:secret_name) { 'default-token-Y1a' }
let(:token) { 'sample-token' }
before do
stub_kubeclient_get_secrets(
api_url,
{
metadata_name: 'gitlab-token-Y1a',
metadata_name: secret_name,
token: Base64.encode64(token)
} )
end
......@@ -81,6 +82,8 @@ describe Clusters::Gcp::FinalizeCreationService do
end
context 'rbac_clusters feature enabled' do
let(:secret_name) { 'gitlab-token-Y1a' }
before do
stub_feature_flags(rbac_clusters: true)
stub_kubeclient_create_service_account(api_url)
......@@ -106,20 +109,44 @@ describe Clusters::Gcp::FinalizeCreationService do
end
end
context 'when default-token is not found' do
context 'when no matching token is found' do
before do
stub_kubeclient_get_secrets(api_url, metadata_name: 'aaaa')
stub_kubeclient_get_secrets(api_url, metadata_name: 'not-default-not-gitlab')
end
it_behaves_like 'error'
context 'rbac_clusters feature enabled' do
before do
stub_feature_flags(rbac_clusters: true)
stub_kubeclient_create_service_account(api_url)
stub_kubeclient_create_cluster_role_binding(api_url)
end
it_behaves_like 'error'
end
end
context 'when token is empty' do
let(:secret_name) { 'default-token-123' }
before do
stub_kubeclient_get_secrets(api_url, token: '')
stub_kubeclient_get_secrets(api_url, token: '', metadata_name: secret_name)
end
it_behaves_like 'error'
context 'rbac_clusters feature enabled' do
let(:secret_name) { 'gitlab-token-321' }
before do
stub_feature_flags(rbac_clusters: true)
stub_kubeclient_create_service_account(api_url)
stub_kubeclient_create_cluster_role_binding(api_url)
end
it_behaves_like 'error'
end
end
context 'when failed to fetch kuberenetes token' do
......@@ -128,6 +155,16 @@ describe Clusters::Gcp::FinalizeCreationService do
end
it_behaves_like 'error'
context 'rbac_clusters feature enabled' do
before do
stub_feature_flags(rbac_clusters: true)
stub_kubeclient_create_service_account(api_url)
stub_kubeclient_create_cluster_role_binding(api_url)
end
it_behaves_like 'error'
end
end
end
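Review bot: The same three-line `before` block enabling `rbac_clusters` and stubbing the service-account and cluster-role-binding calls is now pasted into four `context 'rbac_clusters feature enabled'` blocks (the ones following the 'when no matching token is found', 'when token is empty' and 'when failed to fetch kuberenetes token' contexts, plus the earlier one in the @@ -81 hunk), and the next change to the RBAC setup has to touch all of them. A `shared_context` declared once at the top of the `describe` (which starts outside the hunk) and pulled in with `include_context` keeps each context down to the assertion it actually adds. The rewritten form for one of the contexts is below; the other three follow the same shape.
```ruby
shared_context 'rbac_clusters feature enabled' do
  before do
    stub_feature_flags(rbac_clusters: true)
    stub_kubeclient_create_service_account(api_url)
    stub_kubeclient_create_cluster_role_binding(api_url)
  end
end

# … unchanged: 'when no matching token is found' context and its stubs …
context 'rbac_clusters feature enabled' do
  include_context 'rbac_clusters feature enabled'

  it_behaves_like 'error'
end
```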
......@@ -2,11 +2,13 @@ require 'spec_helper'
describe Clusters::Gcp::Kubernetes::FetchKubernetesTokenService do
describe '#execute' do
subject { described_class.new(kubeclient).execute }
subject { described_class.new(kubeclient, service_account_name).execute }
let(:service_account_name) { 'gitlab-sa' }
let(:api_url) { 'http://111.111.111.111' }
let(:username) { 'admin' }
let(:password) { 'xxx' }
let(:kubeclient) do
Gitlab::Kubernetes::KubeClient.new(
api_url,
......@@ -44,8 +46,8 @@ describe Clusters::Gcp::Kubernetes::FetchKubernetesTokenService do
.to receive(:get_secrets).and_return(secrets_json)
end
context 'when gitlab-token exists' do
let(:metadata_name) { 'gitlab-token-123' }
context 'when token for service account exists' do
let(:metadata_name) { 'gitlab-sa-token-123' }
it { is_expected.to eq(token) }
end
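Review bot: The new `let(:service_account_name) { 'gitlab-sa' }` is declared below the `subject` that reads it; RSpec resolves it lazily so this works, but the file's other `let`s sit together and the conventional order is `let`s first, then `subject`, so move that line above `subject { described_class.new(kubeclient, service_account_name).execute }`. The renamed 'when token for service account exists' context only pins the positive case `gitlab-sa-token-123`; since the service now builds its regex from this name, a companion context with a secret such as `'not-gitlab-sa-token-123'` would document whether a name that merely contains the account name is expected to match.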