Allow group install of JupyterHub

Removes limitations on cluster types that can install JupyterHub

app/models/clusters/applications/jupyter.rb

@@ -85,7 +85,8 @@ module Clusters
               "clientId" => oauth_application.uid,
               "clientSecret" => oauth_application.secret,
               "callbackUrl" => callback_url,
-              "gitlabProjectIdWhitelist" => [project_id]
+              "gitlabProjectIdWhitelist" => cluster.projects.ids,
+              "gitlabGroupWhitelist" => cluster.groups.map(&:to_param)
             }
           },
           "singleuser" => {
@@ -101,10 +102,6 @@ module Clusters
         @crypto_key ||= SecureRandom.hex(32)
       end
 
-      def project_id
-        cluster&.project&.id
-      end
-
       def gitlab_url
         Gitlab.config.gitlab.url
       end

app/models/clusters/cluster.rb

@@ -10,15 +10,15 @@ module Clusters
     self.table_name = 'clusters'
 
     PROJECT_ONLY_APPLICATIONS = {
-      Applications::Jupyter.application_name => Applications::Jupyter,
       Applications::Knative.application_name => Applications::Knative
     }.freeze
     APPLICATIONS = {
       Applications::Helm.application_name => Applications::Helm,
       Applications::Ingress.application_name => Applications::Ingress,
       Applications::CertManager.application_name => Applications::CertManager,
+      Applications::Prometheus.application_name => Applications::Prometheus,
       Applications::Runner.application_name => Applications::Runner,
-      Applications::Prometheus.application_name => Applications::Prometheus
+      Applications::Jupyter.application_name => Applications::Jupyter
     }.merge(PROJECT_ONLY_APPLICATIONS).freeze
     DEFAULT_ENVIRONMENT = '*'
     KUBE_INGRESS_BASE_DOMAIN = 'KUBE_INGRESS_BASE_DOMAIN'

changelogs/unreleased/group_level_jupyterhub.yml

+---
+title: Group level JupyterHub
+merge_request: 32512
+author:
+type: added

spec/models/clusters/applications/jupyter_spec.rb

@@ -81,27 +81,45 @@ describe Clusters::Applications::Jupyter do
   end
 
   describe '#files' do
-    let(:application) { create(:clusters_applications_jupyter) }
+    let(:cluster) { create(:cluster, :with_installed_helm, :provided_by_gcp, :project) }
+    let(:application) { create(:clusters_applications_jupyter, cluster: cluster) }
     let(:values) { subject[:'values.yaml'] }
 
     subject { application.files }
 
-    it 'includes valid values' do
-      expect(values).to include('ingress')
-      expect(values).to include('hub')
-      expect(values).to include('rbac')
-      expect(values).to include('proxy')
-      expect(values).to include('auth')
-      expect(values).to include('singleuser')
-      expect(values).to match(/clientId: '?#{application.oauth_application.uid}/)
-      expect(values).to match(/callbackUrl: '?#{application.callback_url}/)
-      expect(values).to include("gitlabProjectIdWhitelist:\n    - #{application.cluster.project.id}")
-      expect(values).to include("c.GitLabOAuthenticator.scope = ['api read_repository write_repository']")
-      expect(values).to match(/GITLAB_HOST: '?#{Gitlab.config.gitlab.host}/)
+    context 'when cluster belongs to a project' do
+      it 'includes valid values' do
+        expect(values).to include('ingress')
+        expect(values).to include('hub')
+        expect(values).to include('rbac')
+        expect(values).to include('proxy')
+        expect(values).to include('auth')
+        expect(values).to include('singleuser')
+        expect(values).to match(/clientId: '?#{application.oauth_application.uid}/)
+        expect(values).to match(/callbackUrl: '?#{application.callback_url}/)
+        expect(values).to include("gitlabProjectIdWhitelist:\n    - #{application.cluster.project.id}")
+        expect(values).to include("c.GitLabOAuthenticator.scope = ['api read_repository write_repository']")
+        expect(values).to match(/GITLAB_HOST: '?#{Gitlab.config.gitlab.host}/)
+        expect(values).to match(/GITLAB_CLUSTER_ID: '?#{application.cluster.id}/)
+      end
     end
 
-    context 'when cluster belongs to a project' do
-      it 'sets GitLab project id' do
+    context 'when cluster belongs to a group' do
+      let(:group) { create(:group) }
+      let(:cluster) { create(:cluster, :with_installed_helm, :provided_by_gcp, :group, groups: [group]) }
+
+      it 'includes valid values' do
+        expect(values).to include('ingress')
+        expect(values).to include('hub')
+        expect(values).to include('rbac')
+        expect(values).to include('proxy')
+        expect(values).to include('auth')
+        expect(values).to include('singleuser')
+        expect(values).to match(/clientId: '?#{application.oauth_application.uid}/)
+        expect(values).to match(/callbackUrl: '?#{application.callback_url}/)
+        expect(values).to include("gitlabGroupWhitelist:\n    - #{group.to_param}")
+        expect(values).to include("c.GitLabOAuthenticator.scope = ['api read_repository write_repository']")
+        expect(values).to match(/GITLAB_HOST: '?#{Gitlab.config.gitlab.host}/)
         expect(values).to match(/GITLAB_CLUSTER_ID: '?#{application.cluster.id}/)
       end
     end

spec/services/clusters/applications/create_service_spec.rb

@@ -147,12 +147,12 @@ describe Clusters::Applications::CreateService do
 
       using RSpec::Parameterized::TableSyntax
 
-      where(:application, :association, :allowed, :pre_create_helm) do
-        'helm'       | :application_helm       | true | false
-        'ingress'    | :application_ingress    | true | true
-        'runner'     | :application_runner     | true | true
-        'prometheus' | :application_prometheus | true | true
-        'jupyter'    | :application_jupyter    | false | true
+      where(:application, :association, :allowed, :pre_create_helm, :pre_create_ingress) do
+        'helm'       | :application_helm       | true | false | false
+        'ingress'    | :application_ingress    | true | true | false
+        'runner'     | :application_runner     | true | true | false
+        'prometheus' | :application_prometheus | true | true | false
+        'jupyter'    | :application_jupyter    | true | true | true
       end
 
       with_them do
@@ -160,6 +160,7 @@ describe Clusters::Applications::CreateService do
           klass = "Clusters::Applications::#{application.titleize}"
           allow_any_instance_of(klass.constantize).to receive(:make_scheduled!).and_call_original
           create(:clusters_applications_helm, :installed, cluster: cluster) if pre_create_helm
+          create(:clusters_applications_ingress, :installed, cluster: cluster, external_hostname: 'example.com') if pre_create_ingress
         end
 
         let(:params) { { application: application } }