Fix deployment jobs using nil token

app/models/clusters/kubernetes_namespace.rb

@@ -22,6 +22,8 @@ module Clusters
         key: Settings.attr_encrypted_db_key_base_truncated,
         algorithm: 'aes-256-cbc'
 
+    scope :has_service_account_token, -> { where.not(encrypted_service_account_token: nil) }
+
     def token_name
       "#{namespace}-token"
     end

app/models/clusters/platforms/kubernetes.rb

@@ -83,7 +83,7 @@ module Clusters
               .append(key: 'KUBE_CA_PEM_FILE', value: ca_pem, file: true)
           end
 
-          if kubernetes_namespace = cluster.kubernetes_namespaces.find_by(project: project)
+          if kubernetes_namespace = cluster.kubernetes_namespaces.has_service_account_token.find_by(project: project)
             variables.concat(kubernetes_namespace.predefined_variables)
           else
             # From 11.5, every Clusters::Project should have at least one

changelogs/unreleased/53879-kube-token-nil.yml

@@ -0,0 +1,5 @@
+---
+title: Fix deployment jobs using nil KUBE_TOKEN due to migration issue
+merge_request: 23009
+author:
+type: fixed

spec/factories/clusters/kubernetes_namespaces.rb

@@ -13,7 +13,7 @@ FactoryBot.define do
     end
 
     trait :with_token do
-      service_account_token { Faker::Lorem.characters(10) }
+      service_account_token { FFaker::Lorem.characters(10) }
     end
   end
 end

spec/models/clusters/kubernetes_namespace_spec.rb

@@ -8,6 +8,22 @@ RSpec.describe Clusters::KubernetesNamespace, type: :model do
   it { is_expected.to belong_to(:cluster) }
   it { is_expected.to have_one(:platform_kubernetes) }
 
+  describe 'has_service_account_token' do
+    subject { described_class.has_service_account_token }
+
+    context 'namespace has service_account_token' do
+      let!(:namespace) { create(:cluster_kubernetes_namespace, :with_token) }
+
+      it { is_expected.to include(namespace) }
+    end
+
+    context 'namespace has no service_account_token' do
+      let!(:namespace) { create(:cluster_kubernetes_namespace) }
+
+      it { is_expected.not_to include(namespace) }
+    end
+  end
+
   describe 'namespace uniqueness validation' do
     let(:cluster_project) { create(:cluster_project) }
     let(:kubernetes_namespace) { build(:cluster_kubernetes_namespace, namespace: 'my-namespace') }

spec/models/clusters/platforms/kubernetes_spec.rb

@@ -210,9 +210,11 @@ describe Clusters::Platforms::Kubernetes, :use_clean_rails_memory_store_caching
     let(:api_url) { 'https://kube.domain.com' }
     let(:ca_pem) { 'CA PEM DATA' }
 
+    subject { kubernetes.predefined_variables(project: cluster.project) }
+
     shared_examples 'setting variables' do
       it 'sets the variables' do
-        expect(kubernetes.predefined_variables(project: cluster.project)).to include(
+        expect(subject).to include(
           { key: 'KUBE_URL', value: api_url, public: true },
           { key: 'KUBE_CA_PEM', value: ca_pem, public: true },
           { key: 'KUBE_CA_PEM_FILE', value: ca_pem, public: true, file: true }
@@ -220,6 +222,30 @@ describe Clusters::Platforms::Kubernetes, :use_clean_rails_memory_store_caching
       end
     end
 
+    context 'kubernetes namespace is created with no service account token' do
+      let!(:kubernetes_namespace) { create(:cluster_kubernetes_namespace, cluster: cluster) }
+
+      it_behaves_like 'setting variables'
+
+      it 'sets KUBE_TOKEN' do
+        expect(subject).to include(
+          { key: 'KUBE_TOKEN', value: kubernetes.token, public: false }
+        )
+      end
+    end
+
+    context 'kubernetes namespace is created with no service account token' do
+      let!(:kubernetes_namespace) { create(:cluster_kubernetes_namespace, :with_token, cluster: cluster) }
+
+      it_behaves_like 'setting variables'
+
+      it 'sets KUBE_TOKEN' do
+        expect(subject).to include(
+          { key: 'KUBE_TOKEN', value: kubernetes_namespace.service_account_token, public: false }
+        )
+      end
+    end
+
     context 'namespace is provided' do
       let(:namespace) { 'my-project' }
 
@@ -228,12 +254,24 @@ describe Clusters::Platforms::Kubernetes, :use_clean_rails_memory_store_caching
       end
 
       it_behaves_like 'setting variables'
+
+      it 'sets KUBE_TOKEN' do
+        expect(subject).to include(
+          { key: 'KUBE_TOKEN', value: kubernetes.token, public: false }
+        )
+      end
     end
 
     context 'no namespace provided' do
       let(:namespace) { kubernetes.actual_namespace }
 
       it_behaves_like 'setting variables'
+
+      it 'sets KUBE_TOKEN' do
+        expect(subject).to include(
+          { key: 'KUBE_TOKEN', value: kubernetes.token, public: false }
+        )
+      end
     end
   end
 

spec/models/project_spec.rb

@@ -2415,7 +2415,7 @@ describe Project do
       end
 
       context 'when user configured kubernetes from CI/CD > Clusters and KubernetesNamespace migration has been executed' do
-        let!(:kubernetes_namespace) { create(:cluster_kubernetes_namespace) }
+        let!(:kubernetes_namespace) { create(:cluster_kubernetes_namespace, :with_token) }
         let!(:cluster) { kubernetes_namespace.cluster }
         let(:project) { kubernetes_namespace.project }