From 89132bbdd63bbd033c43422500a972af6d94a4d0 Mon Sep 17 00:00:00 2001 From: Mayra Cabrera Date: Fri, 3 May 2019 01:05:53 +0000 Subject: [PATCH] Add gitlab-managed option to clusters form When this option is enabled, GitLab will create namespaces and service accounts as usual. When disabled, GitLab wont create any project specific kubernetes resources Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/56557 --- .../clusters/clusters_controller.rb | 2 + app/models/clusters/cluster.rb | 1 + app/models/clusters/platforms/kubernetes.rb | 11 ++--- app/services/clusters/refresh_service.rb | 4 +- .../clusters/clusters/gcp/_form.html.haml | 13 ++++-- .../clusters/clusters/user/_form.html.haml | 11 ++++- .../platforms/kubernetes/_form.html.haml | 7 ++++ app/workers/cluster_configure_worker.rb | 2 +- ...etes-namespace-service-account-backend.yml | 5 +++ doc/api/project_clusters.md | 1 + doc/user/group/clusters/index.md | 23 +++++++++++ doc/user/project/clusters/index.md | 40 ++++++++++++++++--- lib/api/project_clusters.rb | 1 + .../prerequisite/kubernetes_namespace.rb | 1 + locale/gitlab.pot | 6 +++ .../groups/clusters_controller_spec.rb | 27 +++++++++++++ .../projects/clusters_controller_spec.rb | 35 ++++++++++++++-- spec/factories/clusters/clusters.rb | 2 +- .../prerequisite/kubernetes_namespace_spec.rb | 6 +++ spec/models/clusters/cluster_spec.rb | 18 +++++++++ .../clusters/platforms/kubernetes_spec.rb | 12 ++++++ spec/requests/api/project_clusters_spec.rb | 2 + .../services/clusters/refresh_service_spec.rb | 6 +++ spec/workers/cluster_configure_worker_spec.rb | 10 +++++ 24 files changed, 224 insertions(+), 22 deletions(-) create mode 100644 changelogs/unreleased/56557-disable-kubernetes-namespace-service-account-backend.yml diff --git a/app/controllers/clusters/clusters_controller.rb b/app/controllers/clusters/clusters_controller.rb index edaf07063ec..73ebd4e0e42 100644 --- a/app/controllers/clusters/clusters_controller.rb +++ b/app/controllers/clusters/clusters_controller.rb @@ -156,6 +156,7 @@ class Clusters::ClustersController < Clusters::BaseController :enabled, :name, :environment_scope, + :managed, provider_gcp_attributes: [ :gcp_project_id, :zone, @@ -174,6 +175,7 @@ class Clusters::ClustersController < Clusters::BaseController :enabled, :name, :environment_scope, + :managed, platform_kubernetes_attributes: [ :namespace, :api_url, diff --git a/app/models/clusters/cluster.rb b/app/models/clusters/cluster.rb index 4262c03498d..f6d2082d257 100644 --- a/app/models/clusters/cluster.rb +++ b/app/models/clusters/cluster.rb @@ -94,6 +94,7 @@ module Clusters scope :user_provided, -> { where(provider_type: ::Clusters::Cluster.provider_types[:user]) } scope :gcp_provided, -> { where(provider_type: ::Clusters::Cluster.provider_types[:gcp]) } scope :gcp_installed, -> { gcp_provided.includes(:provider_gcp).where(cluster_providers_gcp: { status: ::Clusters::Providers::Gcp.state_machines[:status].states[:created].value }) } + scope :managed, -> { where(managed: true) } scope :default_environment, -> { where(environment_scope: DEFAULT_ENVIRONMENT) } diff --git a/app/models/clusters/platforms/kubernetes.rb b/app/models/clusters/platforms/kubernetes.rb index ca7d109d4f0..3b7b93e7631 100644 --- a/app/models/clusters/platforms/kubernetes.rb +++ b/app/models/clusters/platforms/kubernetes.rb @@ -92,11 +92,12 @@ module Clusters if kubernetes_namespace = cluster.kubernetes_namespaces.has_service_account_token.find_by(project: project) variables.concat(kubernetes_namespace.predefined_variables) - elsif cluster.project_type? - # From 11.5, every Clusters::Project should have at least one - # Clusters::KubernetesNamespace, so once migration has been completed, - # this 'else' branch will be removed. For more information, please see - # https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/22433 + elsif cluster.project_type? || !cluster.managed? + # As of 11.11 a user can create a cluster that they manage themselves, + # which replicates the existing project-level cluster behaviour. + # Once we have marked all project-level clusters that make use of this + # behaviour as "unmanaged", we can remove the `cluster.project_type?` + # check here. variables .append(key: 'KUBE_URL', value: api_url) .append(key: 'KUBE_TOKEN', value: token, public: false, masked: true) diff --git a/app/services/clusters/refresh_service.rb b/app/services/clusters/refresh_service.rb index 76ad8dd0fb0..b02bb9c0247 100644 --- a/app/services/clusters/refresh_service.rb +++ b/app/services/clusters/refresh_service.rb @@ -22,9 +22,9 @@ module Clusters def self.clusters_with_missing_kubernetes_namespaces_for_project(project) if Feature.enabled?(:ci_preparing_state, default_enabled: true) - project.clusters.missing_kubernetes_namespace(project.kubernetes_namespaces) + project.clusters.managed.missing_kubernetes_namespace(project.kubernetes_namespaces) else - project.all_clusters.missing_kubernetes_namespace(project.kubernetes_namespaces) + project.all_clusters.managed.missing_kubernetes_namespace(project.kubernetes_namespaces) end end diff --git a/app/views/clusters/clusters/gcp/_form.html.haml b/app/views/clusters/clusters/gcp/_form.html.haml index 3e0f8955081..70e2eaeaf3b 100644 --- a/app/views/clusters/clusters/gcp/_form.html.haml +++ b/app/views/clusters/clusters/gcp/_form.html.haml @@ -74,6 +74,13 @@ = link_to _('More information'), help_page_path('user/project/clusters/index.md', anchor: 'role-based-access-control-rbac-core-only'), target: '_blank' - .form-group - = field.submit s_('ClusterIntegration|Create Kubernetes cluster'), - class: 'js-gke-cluster-creation-submit btn btn-success', disabled: true + .form-group + = field.check_box :managed, { label: s_('ClusterIntegration|GitLab-managed cluster'), + label_class: 'label-bold' } + .form-text.text-muted + = s_('ClusterIntegration|Allow GitLab to manage namespace and service accounts for this cluster.') + = link_to _('More information'), help_page_path('user/project/clusters/index.md', anchor: 'gitlab-managed-clusters'), target: '_blank' + + .form-group + = field.submit s_('ClusterIntegration|Create Kubernetes cluster'), + class: 'js-gke-cluster-creation-submit btn btn-success', disabled: true diff --git a/app/views/clusters/clusters/user/_form.html.haml b/app/views/clusters/clusters/user/_form.html.haml index 4dba0e530e7..f2fc5ac93fb 100644 --- a/app/views/clusters/clusters/user/_form.html.haml +++ b/app/views/clusters/clusters/user/_form.html.haml @@ -44,5 +44,12 @@ { class: 'qa-rbac-checkbox', label: s_('ClusterIntegration|RBAC-enabled cluster'), label_class: 'label-bold', inline: true }, 'rbac', 'abac' - .form-group - = field.submit s_('ClusterIntegration|Add Kubernetes cluster'), class: 'btn btn-success' + .form-group + = field.check_box :managed, { label: s_('ClusterIntegration|GitLab-managed cluster'), + label_class: 'label-bold' } + .form-text.text-muted + = s_('ClusterIntegration|Allow GitLab to manage namespace and service accounts for this cluster.') + = link_to _('More information'), help_page_path('user/project/clusters/index.md', anchor: 'gitlab-managed-clusters'), target: '_blank' + + .form-group + = field.submit s_('ClusterIntegration|Add Kubernetes cluster'), class: 'btn btn-success' diff --git a/app/views/clusters/platforms/kubernetes/_form.html.haml b/app/views/clusters/platforms/kubernetes/_form.html.haml index f9f8097cb38..8caa25a7b5e 100644 --- a/app/views/clusters/platforms/kubernetes/_form.html.haml +++ b/app/views/clusters/platforms/kubernetes/_form.html.haml @@ -47,5 +47,12 @@ = s_('ClusterIntegration|Enable this setting if using role-based access control (RBAC).') = s_('ClusterIntegration|This option will allow you to install applications on RBAC clusters.') + .form-group + = field.check_box :managed, { disabled: true, label: s_('ClusterIntegration|GitLab-managed cluster'), + label_class: 'label-bold' } + .form-text.text-muted + = s_('ClusterIntegration|Allow GitLab to manage namespace and service accounts for this cluster.') + = link_to _('More information'), help_page_path('user/project/clusters/index.md', anchor: 'gitlab-managed-clusters'), target: '_blank' + .form-group = field.submit s_('ClusterIntegration|Save changes'), class: 'btn btn-success' diff --git a/app/workers/cluster_configure_worker.rb b/app/workers/cluster_configure_worker.rb index 22681157b62..37ea7dde7a1 100644 --- a/app/workers/cluster_configure_worker.rb +++ b/app/workers/cluster_configure_worker.rb @@ -5,7 +5,7 @@ class ClusterConfigureWorker include ClusterQueue def perform(cluster_id) - Clusters::Cluster.find_by_id(cluster_id).try do |cluster| + Clusters::Cluster.managed.find_by_id(cluster_id).try do |cluster| if cluster.project_type? || Feature.disabled?(:ci_preparing_state, default_enabled: true) Clusters::RefreshService.create_or_update_namespaces_for_cluster(cluster) end diff --git a/changelogs/unreleased/56557-disable-kubernetes-namespace-service-account-backend.yml b/changelogs/unreleased/56557-disable-kubernetes-namespace-service-account-backend.yml new file mode 100644 index 00000000000..6521eb9d1c0 --- /dev/null +++ b/changelogs/unreleased/56557-disable-kubernetes-namespace-service-account-backend.yml @@ -0,0 +1,5 @@ +--- +title: Disables kubernetes resources creation if a cluster is not managed +merge_request: 26565 +author: +type: added diff --git a/doc/api/project_clusters.md b/doc/api/project_clusters.md index f36e352da67..c831cc52a93 100644 --- a/doc/api/project_clusters.md +++ b/doc/api/project_clusters.md @@ -161,6 +161,7 @@ Parameters: | `name` | String | yes | The name of the cluster | | `domain` | String | no | The [base domain](../user/project/clusters/index.md#base-domain) of the cluster | | `enabled` | Boolean | no | Determines if cluster is active or not, defaults to true | +| `managed` | Boolean | no | Determines if GitLab will manage namespaces and service accounts for this cluster, defaults to true | | `platform_kubernetes_attributes[api_url]` | String | yes | The URL to access the Kubernetes API | | `platform_kubernetes_attributes[token]` | String | yes | The token to authenticate against Kubernetes | | `platform_kubernetes_attributes[ca_cert]` | String | no | TLS certificate (needed if API is using a self-signed TLS certificate | diff --git a/doc/user/group/clusters/index.md b/doc/user/group/clusters/index.md index 984881ef26c..0f71587830f 100644 --- a/doc/user/group/clusters/index.md +++ b/doc/user/group/clusters/index.md @@ -72,6 +72,29 @@ Add another cluster similar to the first one and make sure to [set an environment scope](#environment-scopes-premium) that will differentiate the new cluster from the rest. +## Gitlab-managed clusters + +> [Introduced](https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/22011) in GitLab 11.5. +> Became [optional](https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/26565) in GitLab 11.11. + +NOTE: **Note:** +Only available when creating clusters. Existing clusters not managed by GitLab +cannot become GitLab-managed later. + +You can choose to allow GitLab to manage your cluster for you. If your cluster is +managed by GitLab, resources for your projects will be automatically created. See the +[Access controls](../../project/clusters/index.md#access-controls) section for details on which resources will +be created. + +If you choose to manage your own cluster, project-specific resources will not be created +automatically. If you are using [Auto DevOps](../../../topics/autodevops/index.md), you will +need to explicitly provide the `KUBE_NAMESPACE` [deployment variable](../../project/clusters/index.md#deployment-variables) +that will be used by your deployment jobs. + +NOTE: **Note:** +If you [install applications](#installing-applications) on your cluster, GitLab will create +the resources required to run these even if you have chosen to manage your own cluster. + ## Base domain > [Introduced](https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/24580) in GitLab 11.8. diff --git a/doc/user/project/clusters/index.md b/doc/user/project/clusters/index.md index 0677fe622f2..52b1708fe2d 100644 --- a/doc/user/project/clusters/index.md +++ b/doc/user/project/clusters/index.md @@ -70,6 +70,7 @@ new Kubernetes cluster to your project: - **Machine type** - The [machine type](https://cloud.google.com/compute/docs/machine-types) of the Virtual Machine instance that the cluster will be based on. - **RBAC-enabled cluster** - Leave this checked if using default GKE creation options, see the [RBAC section](#role-based-access-control-rbac) for more information. + - **GitLab-managed cluster** - Leave this checked if you want GitLab to manage namespaces and service accounts for this cluster. See the [Managed clusters section](#gitlab-managed-clusters) for more information. 1. Finally, click the **Create Kubernetes cluster** button. After a couple of minutes, your cluster will be ready to go. You can now proceed @@ -188,6 +189,9 @@ To add an existing Kubernetes cluster to your project: role binding. You can follow the [Google Cloud documentation](https://cloud.google.com/iam/docs/granting-changing-revoking-access) to grant access. + + - **GitLab-managed cluster** - Leave this checked if you want GitLab to manage namespaces and service accounts for this cluster. See the [Managed clusters section](#gitlab-managed-clusters) for more information. + - **Project namespace** (optional) - You don't have to fill it in; by leaving it blank, GitLab will create one for you. Also: - Each project should have a unique namespace. @@ -214,6 +218,29 @@ functionalities needed to successfully build and deploy a containerized application. Bear in mind that the same credentials are used for all the applications running on the cluster. +## Gitlab-managed clusters + +> [Introduced](https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/22011) in GitLab 11.5. +> Became [optional](https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/26565) in GitLab 11.11. + +NOTE: **Note:** +Only available when creating clusters. Existing clusters not managed by GitLab +cannot become GitLab-managed later. + +You can choose to allow GitLab to manage your cluster for you. If your cluster is +managed by GitLab, resources for your projects will be automatically created. See the +[Access controls](#access-controls) section for details on which resources will +be created. + +If you choose to manage your own cluster, project-specific resources will not be created +automatically. If you are using [Auto DevOps](../../../topics/autodevops/index.md), you will +need to explicitly provide the `KUBE_NAMESPACE` [deployment variable](#deployment-variables) +that will be used by your deployment jobs, otherwise a namespace will be created for you. + +NOTE: **Note:** +If you [install applications](#installing-applications) on your cluster, GitLab will create +the resources required to run these even if you have chosen to manage your own cluster. + ## Base domain > [Introduced](https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/24580) in GitLab 11.8. @@ -278,8 +305,8 @@ The following sections summarize which resources will be created on ABAC/RBAC cl | `gitlab-token` | `Secret` | Token for `gitlab` ServiceAccount | Creating a new GKE Cluster | | `tiller` | `ServiceAccount` | `gitlab-managed-apps` namespace | Installing Helm Tiller | | `tiller-admin` | `ClusterRoleBinding` | `cluster-admin` roleRef | Installing Helm Tiller | -| Project namespace | `ServiceAccount` | Uses namespace of Project | Creating/Adding a new GKE Cluster | -| Project namespace | `Secret` | Token for project ServiceAccount | Creating/Adding a new GKE Cluster | +| Project namespace | `ServiceAccount` | Uses namespace of Project | Deploying to a cluster | +| Project namespace | `Secret` | Token for project ServiceAccount | Deploying to a cluster | ### Role-based access control (RBAC) @@ -290,9 +317,12 @@ The following sections summarize which resources will be created on ABAC/RBAC cl | `gitlab-token` | `Secret` | Token for `gitlab` ServiceAccount | Creating a new GKE Cluster | | `tiller` | `ServiceAccount` | `gitlab-managed-apps` namespace | Installing Helm Tiller | | `tiller-admin` | `ClusterRoleBinding` | `cluster-admin` roleRef | Installing Helm Tiller | -| Project namespace | `ServiceAccount` | Uses namespace of Project | Creating/Adding a new GKE Cluster | -| Project namespace | `Secret` | Token for project ServiceAccount | Creating/Adding a new GKE Cluster | -| Project namespace | `RoleBinding` | [`edit`](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles) roleRef | Creating/Adding a new GKE Cluster | +| Project namespace | `ServiceAccount` | Uses namespace of Project | Deploying to a cluster | +| Project namespace | `Secret` | Token for project ServiceAccount | Deploying to a cluster | +| Project namespace | `RoleBinding` | [`edit`](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles) roleRef | Deploying to a cluster | + +NOTE: **Note:** +Project-specific resources are only created if your cluster is [managed by GitLab](#gitlab-managed-clusters). ### Security of GitLab Runners diff --git a/lib/api/project_clusters.rb b/lib/api/project_clusters.rb index b62ec887183..dcc8d94fb79 100644 --- a/lib/api/project_clusters.rb +++ b/lib/api/project_clusters.rb @@ -54,6 +54,7 @@ module API requires :name, type: String, desc: 'Cluster name' optional :enabled, type: Boolean, default: true, desc: 'Determines if cluster is active or not, defaults to true' optional :domain, type: String, desc: 'Cluster base domain' + optional :managed, type: Boolean, default: true, desc: 'Determines if GitLab will manage namespaces and service accounts for this cluster, defaults to true' requires :platform_kubernetes_attributes, type: Hash, desc: %q(Platform Kubernetes data) do requires :api_url, type: String, allow_blank: false, desc: 'URL to access the Kubernetes API' requires :token, type: String, desc: 'Token to authenticate against Kubernetes' diff --git a/lib/gitlab/ci/build/prerequisite/kubernetes_namespace.rb b/lib/gitlab/ci/build/prerequisite/kubernetes_namespace.rb index bb2b209e793..dbdc59505ac 100644 --- a/lib/gitlab/ci/build/prerequisite/kubernetes_namespace.rb +++ b/lib/gitlab/ci/build/prerequisite/kubernetes_namespace.rb @@ -7,6 +7,7 @@ module Gitlab class KubernetesNamespace < Base def unmet? deployment_cluster.present? && + deployment_cluster.managed? && !deployment_cluster.project_type? && kubernetes_namespace.new_record? end diff --git a/locale/gitlab.pot b/locale/gitlab.pot index 8a51ab80d6f..96d18fca643 100644 --- a/locale/gitlab.pot +++ b/locale/gitlab.pot @@ -2017,6 +2017,9 @@ msgstr "" msgid "ClusterIntegration|All data will be deleted and cannot be restored." msgstr "" +msgid "ClusterIntegration|Allow GitLab to manage namespace and service accounts for this cluster." +msgstr "" + msgid "ClusterIntegration|Alternatively" msgstr "" @@ -2140,6 +2143,9 @@ msgstr "" msgid "ClusterIntegration|GitLab Runner connects to the repository and executes CI/CD jobs, pushing results back and deploying applications to production." msgstr "" +msgid "ClusterIntegration|GitLab-managed cluster" +msgstr "" + msgid "ClusterIntegration|Google Cloud Platform project" msgstr "" diff --git a/spec/controllers/groups/clusters_controller_spec.rb b/spec/controllers/groups/clusters_controller_spec.rb index e5180ec5c5c..7349cb7094c 100644 --- a/spec/controllers/groups/clusters_controller_spec.rb +++ b/spec/controllers/groups/clusters_controller_spec.rb @@ -189,6 +189,7 @@ describe Groups::ClustersController do { cluster: { name: 'new-cluster', + managed: '1', provider_gcp_attributes: { gcp_project_id: 'gcp-project-12345', legacy_abac: legacy_abac_param @@ -218,6 +219,7 @@ describe Groups::ClustersController do expect(cluster).to be_gcp expect(cluster).to be_kubernetes expect(cluster.provider_gcp).to be_legacy_abac + expect(cluster).to be_managed end context 'when legacy_abac param is false' do @@ -278,6 +280,7 @@ describe Groups::ClustersController do { cluster: { name: 'new-cluster', + managed: '1', platform_kubernetes_attributes: { api_url: 'http://my-url', token: 'test' @@ -303,6 +306,7 @@ describe Groups::ClustersController do expect(response).to redirect_to(group_cluster_path(group, cluster)) expect(cluster).to be_user expect(cluster).to be_kubernetes + expect(cluster).to be_managed end end @@ -334,6 +338,29 @@ describe Groups::ClustersController do expect(cluster).to be_platform_kubernetes_rbac end end + + context 'when creates a user-managed cluster' do + let(:params) do + { + cluster: { + name: 'new-cluster', + managed: '0', + platform_kubernetes_attributes: { + api_url: 'http://my-url', + token: 'test', + authorization_type: 'rbac' + } + } + } + end + + it 'creates a new user-managed cluster' do + go + + cluster = group.clusters.first + expect(cluster.managed?).to be_falsy + end + end end describe 'security' do diff --git a/spec/controllers/projects/clusters_controller_spec.rb b/spec/controllers/projects/clusters_controller_spec.rb index d94c18ddc02..8d37bd82d21 100644 --- a/spec/controllers/projects/clusters_controller_spec.rb +++ b/spec/controllers/projects/clusters_controller_spec.rb @@ -165,6 +165,7 @@ describe Projects::ClustersController do { cluster: { name: 'new-cluster', + managed: '1', provider_gcp_attributes: { gcp_project_id: 'gcp-project-12345', legacy_abac: legacy_abac_param @@ -191,6 +192,7 @@ describe Projects::ClustersController do expect(project.clusters.first).to be_gcp expect(project.clusters.first).to be_kubernetes expect(project.clusters.first.provider_gcp).to be_legacy_abac + expect(project.clusters.first.managed?).to be_truthy end context 'when legacy_abac param is false' do @@ -251,6 +253,7 @@ describe Projects::ClustersController do { cluster: { name: 'new-cluster', + managed: '1', platform_kubernetes_attributes: { api_url: 'http://my-url', token: 'test', @@ -302,9 +305,35 @@ describe Projects::ClustersController do expect(response).to redirect_to(project_cluster_path(project, project.clusters.first)) - expect(project.clusters.first).to be_user - expect(project.clusters.first).to be_kubernetes - expect(project.clusters.first).to be_platform_kubernetes_rbac + cluster = project.clusters.first + + expect(cluster).to be_user + expect(cluster).to be_kubernetes + expect(cluster).to be_platform_kubernetes_rbac + end + end + + context 'when creates a user-managed cluster' do + let(:params) do + { + cluster: { + name: 'new-cluster', + managed: '0', + platform_kubernetes_attributes: { + api_url: 'http://my-url', + token: 'test', + namespace: 'aaa', + authorization_type: 'rbac' + } + } + } + end + + it 'creates a new user-managed cluster' do + go + cluster = project.clusters.first + + expect(cluster.managed?).to be_falsy end end end diff --git a/spec/factories/clusters/clusters.rb b/spec/factories/clusters/clusters.rb index 97405ec7c58..6eb0194b710 100644 --- a/spec/factories/clusters/clusters.rb +++ b/spec/factories/clusters/clusters.rb @@ -65,7 +65,7 @@ FactoryBot.define do domain 'example.com' end - trait :user_managed do + trait :not_managed do managed false end end diff --git a/spec/lib/gitlab/ci/build/prerequisite/kubernetes_namespace_spec.rb b/spec/lib/gitlab/ci/build/prerequisite/kubernetes_namespace_spec.rb index e8332b14627..5387863bd07 100644 --- a/spec/lib/gitlab/ci/build/prerequisite/kubernetes_namespace_spec.rb +++ b/spec/lib/gitlab/ci/build/prerequisite/kubernetes_namespace_spec.rb @@ -28,6 +28,12 @@ describe Gitlab::Ci::Build::Prerequisite::KubernetesNamespace do it { is_expected.to be_truthy } + context 'and the cluster is not managed' do + let(:cluster) { create(:cluster, :not_managed, projects: [build.project]) } + + it { is_expected.to be_falsey } + end + context 'and a namespace is already created for this project' do let!(:kubernetes_namespace) { create(:cluster_kubernetes_namespace, cluster: cluster, project: build.project) } diff --git a/spec/models/clusters/cluster_spec.rb b/spec/models/clusters/cluster_spec.rb index 894ef3fb956..e1506c06044 100644 --- a/spec/models/clusters/cluster_spec.rb +++ b/spec/models/clusters/cluster_spec.rb @@ -95,6 +95,24 @@ describe Clusters::Cluster do it { is_expected.to contain_exactly(cluster) } end + describe '.managed' do + subject do + described_class.managed + end + + context 'cluster is not managed' do + let!(:cluster) { create(:cluster, :not_managed) } + + it { is_expected.not_to include(cluster) } + end + + context 'cluster is managed' do + let!(:cluster) { create(:cluster) } + + it { is_expected.to include(cluster) } + end + end + describe '.missing_kubernetes_namespace' do let!(:cluster) { create(:cluster, :provided_by_gcp, :project) } let(:project) { cluster.project } diff --git a/spec/models/clusters/platforms/kubernetes_spec.rb b/spec/models/clusters/platforms/kubernetes_spec.rb index 0281dd2c303..e35d14f2282 100644 --- a/spec/models/clusters/platforms/kubernetes_spec.rb +++ b/spec/models/clusters/platforms/kubernetes_spec.rb @@ -331,6 +331,18 @@ describe Clusters::Platforms::Kubernetes, :use_clean_rails_memory_store_caching { key: 'KUBE_TOKEN', value: kubernetes.token, public: false } ) end + + context 'the cluster is not managed' do + let!(:cluster) { create(:cluster, :group, :not_managed, platform_kubernetes: kubernetes) } + + it_behaves_like 'setting variables' + + it 'sets KUBE_TOKEN' do + expect(subject).to include( + { key: 'KUBE_TOKEN', value: kubernetes.token, public: false, masked: true } + ) + end + end end context 'kubernetes namespace exists for the project' do diff --git a/spec/requests/api/project_clusters_spec.rb b/spec/requests/api/project_clusters_spec.rb index 94e6ca2c07c..5357be3cdee 100644 --- a/spec/requests/api/project_clusters_spec.rb +++ b/spec/requests/api/project_clusters_spec.rb @@ -189,6 +189,7 @@ describe API::ProjectClusters do { name: 'test-cluster', domain: 'domain.example.com', + managed: false, platform_kubernetes_attributes: platform_kubernetes_attributes } end @@ -220,6 +221,7 @@ describe API::ProjectClusters do expect(cluster_result.project).to eq(project) expect(cluster_result.name).to eq('test-cluster') expect(cluster_result.domain).to eq('domain.example.com') + expect(cluster_result.managed).to be_falsy expect(platform_kubernetes.rbac?).to be_truthy expect(platform_kubernetes.api_url).to eq(api_url) expect(platform_kubernetes.namespace).to eq(namespace) diff --git a/spec/services/clusters/refresh_service_spec.rb b/spec/services/clusters/refresh_service_spec.rb index 9e442ebf4e9..94c35228955 100644 --- a/spec/services/clusters/refresh_service_spec.rb +++ b/spec/services/clusters/refresh_service_spec.rb @@ -121,5 +121,11 @@ describe Clusters::RefreshService do end end end + + context 'cluster is not managed' do + let!(:cluster) { create(:cluster, :project, :not_managed, projects: [project]) } + + include_examples 'does not create a kubernetes namespace' + end end end diff --git a/spec/workers/cluster_configure_worker_spec.rb b/spec/workers/cluster_configure_worker_spec.rb index bdb8e0e9c84..daf014ac574 100644 --- a/spec/workers/cluster_configure_worker_spec.rb +++ b/spec/workers/cluster_configure_worker_spec.rb @@ -68,6 +68,16 @@ describe ClusterConfigureWorker, '#perform' do it_behaves_like 'configured cluster' end + context 'when cluster is not managed' do + let(:cluster) { create(:cluster, :not_managed) } + + it 'does not configure the cluster' do + expect(Clusters::RefreshService).not_to receive(:create_or_update_namespaces_for_cluster) + + described_class.new.perform(cluster.id) + end + end + context 'when cluster does not exist' do it 'does not provision a cluster' do expect_any_instance_of(Clusters::Gcp::Kubernetes::CreateOrUpdateNamespaceService).not_to receive(:execute)