Resolve "Automatically provide a Deploy Token to projects when Auto DevOps is enabled"

app/models/project_auto_devops.rb

@@ -6,6 +6,8 @@ class ProjectAutoDevops < ActiveRecord::Base
 
   validates :domain, allow_blank: true, hostname: { allow_numeric_hostname: true }
 
+  after_save :create_gitlab_deploy_token, if: :needs_to_create_deploy_token?
+
   def instance_domain
     Gitlab::CurrentSettings.auto_devops_domain
   end
@@ -22,4 +24,23 @@ class ProjectAutoDevops < ActiveRecord::Base
       end
     end
   end
+
+  private
+
+  def create_gitlab_deploy_token
+    project.deploy_tokens.create!(
+      name: DeployToken::GITLAB_DEPLOY_TOKEN_NAME,
+      read_registry: true
+    )
+  end
+
+  def needs_to_create_deploy_token?
+    auto_devops_enabled? &&
+      !project.public? &&
+      !project.deploy_tokens.find_by(name: DeployToken::GITLAB_DEPLOY_TOKEN_NAME).present?
+  end
+
+  def auto_devops_enabled?
+    Gitlab::CurrentSettings.auto_devops_enabled? || enabled?
+  end
 end

changelogs/unreleased/46075-automatically-provide-deploy-token-when-autodevops-is-enabled.yml

@@ -0,0 +1,5 @@
+---
+title: Automatize Deploy Token creation for Auto Devops
+merge_request: 19507
+author:
+type: added

doc/topics/autodevops/index.md

@@ -426,6 +426,15 @@ no longer be valid as soon as the deployment job finishes. This means that
 Kubernetes can run the application, but in case it should be restarted or
 executed somewhere else, it cannot be accessed again.
 
+> [Introduced][ce-19507] in GitLab 11.0.
+
+For internal and private projects a [GitLab Deploy Token](../../user/project/deploy_tokens/index.md###gitlab-deploy-token) 
+will be automatically created, when Auto DevOps is enabled and the Auto DevOps settings are saved. This Deploy Token
+can be used for permanent access to the registry.
+
+Note: **Note**
+When the GitLab Deploy Token has been manually revoked, it won't be automatically created.
+
 ### Auto Monitoring
 
 NOTE: **Note:**
@@ -809,3 +818,4 @@ curl --data "value=true" --header "PRIVATE-TOKEN: personal_access_token" https:/
 [Auto DevOps template]: https://gitlab.com/gitlab-org/gitlab-ci-yml/blob/master/Auto-DevOps.gitlab-ci.yml
 [GitLab Omnibus Helm Chart]: ../../install/kubernetes/gitlab_omnibus.md
 [ee]: https://about.gitlab.com/products/
+[ce-19507]: https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/19507

spec/factories/project_auto_devops.rb

@@ -3,5 +3,9 @@ FactoryBot.define do
     project
     enabled true
     domain "example.com"
+
+    trait :disabled do
+      enabled false
+    end
   end
 end

spec/models/project_auto_devops_spec.rb

@@ -71,4 +71,97 @@ describe ProjectAutoDevops do
       { key: 'AUTO_DEVOPS_DOMAIN', value: 'example.com', public: true }
     end
   end
+
+  describe '#set_gitlab_deploy_token' do
+    let(:auto_devops) { build(:project_auto_devops, project: project) }
+
+    context 'when the project is public' do
+      let(:project) { create(:project, :repository, :public) }
+
+      it 'should not create a gitlab deploy token' do
+        expect do
+          auto_devops.save
+        end.not_to change { DeployToken.count }
+      end
+    end
+
+    context 'when the project is internal' do
+      let(:project) { create(:project, :repository, :internal) }
+
+      it 'should create a gitlab deploy token' do
+        expect do
+          auto_devops.save
+        end.to change { DeployToken.count }.by(1)
+      end
+    end
+
+    context 'when the project is private' do
+      let(:project) { create(:project, :repository, :private) }
+
+      it 'should create a gitlab deploy token' do
+        expect do
+          auto_devops.save
+        end.to change { DeployToken.count }.by(1)
+      end
+    end
+
+    context 'when autodevops is enabled at project level' do
+      let(:project) { create(:project, :repository, :internal) }
+      let(:auto_devops) { build(:project_auto_devops, project: project) }
+
+      it 'should create a deploy token' do
+        expect do
+          auto_devops.save
+        end.to change { DeployToken.count }.by(1)
+      end
+    end
+
+    context 'when autodevops is enabled at instancel level' do
+      let(:project) { create(:project, :repository, :internal) }
+      let(:auto_devops) { build(:project_auto_devops, :disabled, project: project) }
+
+      it 'should create a deploy token' do
+        allow(Gitlab::CurrentSettings).to receive(:auto_devops_enabled?).and_return(true)
+
+        expect do
+          auto_devops.save
+        end.to change { DeployToken.count }.by(1)
+      end
+    end
+
+    context 'when autodevops is disabled' do
+      let(:project) { create(:project, :repository, :internal) }
+      let(:auto_devops) { build(:project_auto_devops, :disabled, project: project) }
+
+      it 'should not create a deploy token' do
+        expect do
+          auto_devops.save
+        end.not_to change { DeployToken.count }
+      end
+    end
+
+    context 'when the project already has an active gitlab-deploy-token' do
+      let(:project) { create(:project, :repository, :internal) }
+      let!(:deploy_token) { create(:deploy_token, :gitlab_deploy_token, projects: [project]) }
+      let(:auto_devops) { build(:project_auto_devops, project: project) }
+
+      it 'should not create a deploy token' do
+        expect do
+          auto_devops.save
+        end.not_to change { DeployToken.count }
+      end
+    end
+
+    context 'when the project already has a revoked gitlab-deploy-token' do
+      let(:project) { create(:project, :repository, :internal) }
+      let!(:deploy_token) { create(:deploy_token, :gitlab_deploy_token, :expired, projects: [project]) }
+      let(:auto_devops) { build(:project_auto_devops, project: project) }
+
+      it 'should not create a deploy token' do
+        expect do
+          auto_devops.save
+        end.not_to change { DeployToken.count }
+      end
+    end
+  end
 end