Commit c4220a6a authored by Thong Kuah's avatar Thong Kuah

Merge branch 'mattkasa/fixes_for_20244_rbac_kubernetes_prerequisite' into 'master'

Fixes for !20244 RBAC Kubernetes namespace prerequisite

See merge request gitlab-org/gitlab!21227
parents c42f73f2 b452d6c9
# frozen_string_literal: true
module Clusters
class KnativeServingNamespaceFinder
attr_reader :cluster
def initialize(cluster)
@cluster = cluster
end
def execute
cluster.kubeclient&.get_namespace(Clusters::Kubernetes::KNATIVE_SERVING_NAMESPACE)
rescue Kubeclient::ResourceNotFoundError
nil
end
end
end
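Review bot: `execute` rescues only `Kubeclient::ResourceNotFoundError`, so any other API failure propagates to the caller (for example a 403 when the cluster token may not read the namespace, or a connection error), and nothing on the class says so. The same rescue shape appears in the role-binding finder's `execute` and in `knative_serving_namespace` in the service hunk further down. Because the result gates RBAC setup in the build prerequisite, I would document the contract on the method, e.g. `# Returns the namespace, or nil on 404; any other Kubeclient error is raised.` Mapping a forbidden response to nil would be the wrong fix, since it would silently skip creating the role binding.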
...@@ -9,9 +9,9 @@ module Clusters ...@@ -9,9 +9,9 @@ module Clusters
end end
def execute def execute
cluster&.kubeclient&.get_cluster_role_bindings&.find do |resource| cluster.kubeclient&.get_cluster_role_binding(Clusters::Kubernetes::GITLAB_KNATIVE_VERSION_ROLE_BINDING_NAME)
resource.metadata.name == Clusters::Kubernetes::GITLAB_KNATIVE_VERSION_ROLE_BINDING_NAME rescue Kubeclient::ResourceNotFoundError
end nil
end end
end end
end end
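Review bot: The safe navigation on `cluster` is dropped on what reads as the new side of `execute` (`cluster.kubeclient&.get_cluster_role_binding(...)`), so a nil cluster now raises `NoMethodError` where the old lookup returned nil. The prerequisite's `unmet?` checks `deployment_cluster.present?` before reaching the finders, but other callers are not visible on this page. The new KnativeServingNamespaceFinder has the same shape. If nil is a legal argument, keep `cluster&.kubeclient&.get_cluster_role_binding(...)`; otherwise add a one-line comment on `initialize` stating that `cluster` must be present.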
...@@ -71,9 +71,9 @@ module Clusters ...@@ -71,9 +71,9 @@ module Clusters
end end
def knative_serving_namespace def knative_serving_namespace
kubeclient.core_client.get_namespaces.find do |namespace| kubeclient.get_namespace(Clusters::Kubernetes::KNATIVE_SERVING_NAMESPACE)
namespace.metadata.name == Clusters::Kubernetes::KNATIVE_SERVING_NAMESPACE rescue Kubeclient::ResourceNotFoundError
end nil
end end
def create_role_or_cluster_role_binding def create_role_or_cluster_role_binding
......
...@@ -8,7 +8,7 @@ module Gitlab ...@@ -8,7 +8,7 @@ module Gitlab
def unmet? def unmet?
deployment_cluster.present? && deployment_cluster.present? &&
deployment_cluster.managed? && deployment_cluster.managed? &&
(missing_namespace? || missing_knative_version_role_binding?) (missing_namespace? || need_knative_version_role_binding?)
end end
def complete! def complete!
...@@ -23,8 +23,8 @@ module Gitlab ...@@ -23,8 +23,8 @@ module Gitlab
kubernetes_namespace.nil? || kubernetes_namespace.service_account_token.blank? kubernetes_namespace.nil? || kubernetes_namespace.service_account_token.blank?
end end
def missing_knative_version_role_binding? def need_knative_version_role_binding?
knative_version_role_binding.nil? !knative_serving_namespace.nil? && knative_version_role_binding.nil?
end end
def deployment_cluster def deployment_cluster
...@@ -35,6 +35,14 @@ module Gitlab ...@@ -35,6 +35,14 @@ module Gitlab
build.deployment.environment build.deployment.environment
end end
def knative_serving_namespace
strong_memoize(:knative_serving_namespace) do
Clusters::KnativeServingNamespaceFinder.new(
deployment_cluster
).execute
end
end
def knative_version_role_binding def knative_version_role_binding
strong_memoize(:knative_version_role_binding) do strong_memoize(:knative_version_role_binding) do
Clusters::KnativeVersionRoleBindingFinder.new( Clusters::KnativeVersionRoleBindingFinder.new(
......
...@@ -38,6 +38,21 @@ describe Gitlab::Ci::Build::Prerequisite::KubernetesNamespace do ...@@ -38,6 +38,21 @@ describe Gitlab::Ci::Build::Prerequisite::KubernetesNamespace do
.and_return(double(execute: kubernetes_namespace)) .and_return(double(execute: kubernetes_namespace))
end end
context 'and the knative-serving namespace is missing' do
before do
allow(Clusters::KnativeServingNamespaceFinder).to receive(:new)
.and_return(double(execute: false))
end
it { is_expected.to be_truthy }
end
context 'and the knative-serving namespace exists' do
before do
allow(Clusters::KnativeServingNamespaceFinder).to receive(:new)
.and_return(double(execute: true))
end
context 'and the knative version role binding is missing' do context 'and the knative version role binding is missing' do
before do before do
allow(Clusters::KnativeVersionRoleBindingFinder).to receive(:new) allow(Clusters::KnativeVersionRoleBindingFinder).to receive(:new)
...@@ -63,6 +78,7 @@ describe Gitlab::Ci::Build::Prerequisite::KubernetesNamespace do ...@@ -63,6 +78,7 @@ describe Gitlab::Ci::Build::Prerequisite::KubernetesNamespace do
end end
end end
end end
end
context 'and no cluster to deploy to' do context 'and no cluster to deploy to' do
let(:cluster) { nil } let(:cluster) { nil }
......
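Review bot: The context 'and the knative-serving namespace is missing' stubs the finder with `double(execute: false)`, but the finder returns nil for an absent namespace and the prerequisite tests `!knative_serving_namespace.nil?`, so `false` is treated as "namespace present". The context therefore does not exercise the missing-namespace branch it names. Stub it with `double(execute: nil)`; the 'exists' context can keep a truthy value. The enclosing contexts start outside these hunks, so the expected value behind `is_expected` could not be checked from here.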
...@@ -22,7 +22,6 @@ describe Clusters::Kubernetes::CreateOrUpdateNamespaceService, '#execute' do ...@@ -22,7 +22,6 @@ describe Clusters::Kubernetes::CreateOrUpdateNamespaceService, '#execute' do
before do before do
stub_kubeclient_discover(api_url) stub_kubeclient_discover(api_url)
stub_kubeclient_get_namespaces(api_url)
stub_kubeclient_get_service_account_error(api_url, 'gitlab') stub_kubeclient_get_service_account_error(api_url, 'gitlab')
stub_kubeclient_create_service_account(api_url) stub_kubeclient_create_service_account(api_url)
stub_kubeclient_get_secret_error(api_url, 'gitlab-token') stub_kubeclient_get_secret_error(api_url, 'gitlab-token')
...@@ -31,6 +30,7 @@ describe Clusters::Kubernetes::CreateOrUpdateNamespaceService, '#execute' do ...@@ -31,6 +30,7 @@ describe Clusters::Kubernetes::CreateOrUpdateNamespaceService, '#execute' do
stub_kubeclient_get_role_binding(api_url, "gitlab-#{namespace}", namespace: namespace) stub_kubeclient_get_role_binding(api_url, "gitlab-#{namespace}", namespace: namespace)
stub_kubeclient_put_role_binding(api_url, "gitlab-#{namespace}", namespace: namespace) stub_kubeclient_put_role_binding(api_url, "gitlab-#{namespace}", namespace: namespace)
stub_kubeclient_get_namespace(api_url, namespace: namespace) stub_kubeclient_get_namespace(api_url, namespace: namespace)
stub_kubeclient_get_namespace(api_url, namespace: Clusters::Kubernetes::KNATIVE_SERVING_NAMESPACE)
stub_kubeclient_get_service_account_error(api_url, "#{namespace}-service-account", namespace: namespace) stub_kubeclient_get_service_account_error(api_url, "#{namespace}-service-account", namespace: namespace)
stub_kubeclient_create_service_account(api_url, namespace: namespace) stub_kubeclient_create_service_account(api_url, namespace: namespace)
stub_kubeclient_create_secret(api_url, namespace: namespace) stub_kubeclient_create_secret(api_url, namespace: namespace)
......
...@@ -141,7 +141,7 @@ describe Clusters::Kubernetes::CreateOrUpdateServiceAccountService do ...@@ -141,7 +141,7 @@ describe Clusters::Kubernetes::CreateOrUpdateServiceAccountService do
before do before do
cluster.platform_kubernetes.rbac! cluster.platform_kubernetes.rbac!
stub_kubeclient_get_namespaces(api_url) stub_kubeclient_get_namespace(api_url, namespace: Clusters::Kubernetes::KNATIVE_SERVING_NAMESPACE)
stub_kubeclient_get_role_binding_error(api_url, role_binding_name, namespace: namespace) stub_kubeclient_get_role_binding_error(api_url, role_binding_name, namespace: namespace)
stub_kubeclient_create_role_binding(api_url, namespace: namespace) stub_kubeclient_create_role_binding(api_url, namespace: namespace)
stub_kubeclient_put_role(api_url, Clusters::Kubernetes::GITLAB_KNATIVE_SERVING_ROLE_NAME, namespace: namespace) stub_kubeclient_put_role(api_url, Clusters::Kubernetes::GITLAB_KNATIVE_SERVING_ROLE_NAME, namespace: namespace)
......