Merge branch '55447-validate-k8s-ca-cert' into 'master'

Validate k8s CA certificate at cluster creation See merge request gitlab-org/gitlab-ce!24990
2019-02-11 09:59:59 +00:00 · 2019-02-11 09:59:59 +00:00 · 15af0a4508
parent 8886924ca9 73e5d3a269
commit 15af0a4508
5 changed files with 39 additions and 3 deletions
--- a/app/models/clusters/platforms/kubernetes.rb
+++ b/app/models/clusters/platforms/kubernetes.rb
@ -43,6 +43,7 @@ module Clusters
      # We expect to be `active?` only when enabled and cluster is created (the api_url is assigned)
      validates :api_url, url: true, presence: true
      validates :token, presence: true
+      validates :ca_cert, certificate: true, allow_blank: true, if: :ca_cert_changed?

      validate :prevent_modification, on: :update

--- a/changelogs/unreleased/55447-validate-k8s-ca-cert.yml
+++ b/changelogs/unreleased/55447-validate-k8s-ca-cert.yml
@ -0,0 +1,5 @@
+---
+title: Validate kubernetes cluster CA certificate
+merge_request: 24990
+author:
+type: changed
--- a/spec/fixtures/clusters/sample_cert.pem
+++ b/spec/fixtures/clusters/sample_cert.pem
@ -30,4 +30,4 @@ TkIdFE47ZisEDhIdF6wC1izEMLeMEsPAO7/Y6MY4nRxsinSe95lRaw+yQpzx+mvJ
 Q7n1kiHI9Pd5M3+CiQda0d/GO1o5ORJnUGJRvr9HKuNmE7Lif0As/N0AlywjzE7A
 6Z8AEiWyRV1ffshu1k2UKmzvZuZeGGKRtrIjbJIRAtpRVtVZZGzhq5/sojCLoJ+u
 texqFBUo/4mFRZa4pDItUdyOlDy2/LO/ag==
-----END CERTIFICATE-----
+-----END CERTIFICATE-----
--- a/spec/models/clusters/kubernetes_namespace_spec.rb
+++ b/spec/models/clusters/kubernetes_namespace_spec.rb
@ -97,7 +97,7 @@ RSpec.describe Clusters::KubernetesNamespace, type: :model do
    let(:platform) { create(:cluster_platform_kubernetes, api_url: api_url, ca_cert: ca_pem, token: token) }

    let(:api_url) { 'https://kube.domain.com' }
-    let(:ca_pem) { 'CA PEM DATA' }
+    let(:ca_pem) { File.read(Rails.root.join('spec/fixtures/clusters/sample_cert.pem')) }
    let(:token) { 'token' }

    let(:kubeconfig) do
--- a/spec/models/clusters/platforms/kubernetes_spec.rb
+++ b/spec/models/clusters/platforms/kubernetes_spec.rb
@ -114,6 +114,36 @@ describe Clusters::Platforms::Kubernetes, :use_clean_rails_memory_store_caching
      end
    end

+    context 'ca_cert' do
+      let(:kubernetes) { build(:cluster_platform_kubernetes, ca_pem: ca_pem) }
+
+      context 'with a valid certificate' do
+        let(:ca_pem) { File.read(Rails.root.join('spec/fixtures/clusters/sample_cert.pem')) }
+
+        it { is_expected.to be_truthy }
+      end
+
+      context 'with an invalid certificate' do
+        let(:ca_pem) { "invalid" }
+
+        it { is_expected.to be_falsey }
+
+        context 'but the certificate is not being updated' do
+          before do
+            allow(kubernetes).to receive(:ca_cert_changed?).and_return(false)
+          end
+
+          it { is_expected.to be_truthy }
+        end
+      end
+
+      context 'with no certificate' do
+        let(:ca_pem) { "" }
+
+        it { is_expected.to be_truthy }
+      end
+    end
+
    describe 'when using reserved namespaces' do
      subject { build(:cluster_platform_kubernetes, namespace: namespace) }

@ -202,7 +232,7 @@ describe Clusters::Platforms::Kubernetes, :use_clean_rails_memory_store_caching
    let!(:cluster) { create(:cluster, :project, platform_kubernetes: kubernetes) }
    let(:kubernetes) { create(:cluster_platform_kubernetes, api_url: api_url, ca_cert: ca_pem) }
    let(:api_url) { 'https://kube.domain.com' }
-    let(:ca_pem) { 'CA PEM DATA' }
+    let(:ca_pem) { File.read(Rails.root.join('spec/fixtures/clusters/sample_cert.pem')) }

    subject { kubernetes.predefined_variables(project: cluster.project) }