Move generic k8s services out of GCP namespace
These services aren't specific to GCP, and will be used for AWS as part of https://gitlab.com/gitlab-org/gitlab-ce/issues/46686
This commit is contained in:
parent
5822c09296
commit
9e8daeb8a6
|
@ -26,7 +26,7 @@ module Clusters
|
||||||
private
|
private
|
||||||
|
|
||||||
def create_gitlab_service_account!
|
def create_gitlab_service_account!
|
||||||
Clusters::Gcp::Kubernetes::CreateOrUpdateServiceAccountService.gitlab_creator(
|
Clusters::Kubernetes::CreateOrUpdateServiceAccountService.gitlab_creator(
|
||||||
kube_client,
|
kube_client,
|
||||||
rbac: create_rbac_cluster?
|
rbac: create_rbac_cluster?
|
||||||
).execute
|
).execute
|
||||||
|
@ -49,10 +49,10 @@ module Clusters
|
||||||
end
|
end
|
||||||
|
|
||||||
def request_kubernetes_token
|
def request_kubernetes_token
|
||||||
Clusters::Gcp::Kubernetes::FetchKubernetesTokenService.new(
|
Clusters::Kubernetes::FetchKubernetesTokenService.new(
|
||||||
kube_client,
|
kube_client,
|
||||||
Clusters::Gcp::Kubernetes::GITLAB_ADMIN_TOKEN_NAME,
|
Clusters::Kubernetes::GITLAB_ADMIN_TOKEN_NAME,
|
||||||
Clusters::Gcp::Kubernetes::GITLAB_SERVICE_ACCOUNT_NAMESPACE
|
Clusters::Kubernetes::GITLAB_SERVICE_ACCOUNT_NAMESPACE
|
||||||
).execute
|
).execute
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
|
@ -1,16 +0,0 @@
|
||||||
# frozen_string_literal: true
|
|
||||||
|
|
||||||
module Clusters
|
|
||||||
module Gcp
|
|
||||||
module Kubernetes
|
|
||||||
GITLAB_SERVICE_ACCOUNT_NAME = 'gitlab'
|
|
||||||
GITLAB_SERVICE_ACCOUNT_NAMESPACE = 'default'
|
|
||||||
GITLAB_ADMIN_TOKEN_NAME = 'gitlab-token'
|
|
||||||
GITLAB_CLUSTER_ROLE_BINDING_NAME = 'gitlab-admin'
|
|
||||||
GITLAB_CLUSTER_ROLE_NAME = 'cluster-admin'
|
|
||||||
PROJECT_CLUSTER_ROLE_NAME = 'edit'
|
|
||||||
GITLAB_KNATIVE_SERVING_ROLE_NAME = 'gitlab-knative-serving-role'
|
|
||||||
GITLAB_KNATIVE_SERVING_ROLE_BINDING_NAME = 'gitlab-knative-serving-rolebinding'
|
|
||||||
end
|
|
||||||
end
|
|
||||||
end
|
|
|
@ -1,47 +0,0 @@
|
||||||
# frozen_string_literal: true
|
|
||||||
|
|
||||||
module Clusters
|
|
||||||
module Gcp
|
|
||||||
module Kubernetes
|
|
||||||
class CreateOrUpdateNamespaceService
|
|
||||||
def initialize(cluster:, kubernetes_namespace:)
|
|
||||||
@cluster = cluster
|
|
||||||
@kubernetes_namespace = kubernetes_namespace
|
|
||||||
@platform = cluster.platform
|
|
||||||
end
|
|
||||||
|
|
||||||
def execute
|
|
||||||
create_project_service_account
|
|
||||||
configure_kubernetes_token
|
|
||||||
|
|
||||||
kubernetes_namespace.save!
|
|
||||||
end
|
|
||||||
|
|
||||||
private
|
|
||||||
|
|
||||||
attr_reader :cluster, :kubernetes_namespace, :platform
|
|
||||||
|
|
||||||
def create_project_service_account
|
|
||||||
Clusters::Gcp::Kubernetes::CreateOrUpdateServiceAccountService.namespace_creator(
|
|
||||||
platform.kubeclient,
|
|
||||||
service_account_name: kubernetes_namespace.service_account_name,
|
|
||||||
service_account_namespace: kubernetes_namespace.namespace,
|
|
||||||
rbac: platform.rbac?
|
|
||||||
).execute
|
|
||||||
end
|
|
||||||
|
|
||||||
def configure_kubernetes_token
|
|
||||||
kubernetes_namespace.service_account_token = fetch_service_account_token
|
|
||||||
end
|
|
||||||
|
|
||||||
def fetch_service_account_token
|
|
||||||
Clusters::Gcp::Kubernetes::FetchKubernetesTokenService.new(
|
|
||||||
platform.kubeclient,
|
|
||||||
kubernetes_namespace.token_name,
|
|
||||||
kubernetes_namespace.namespace
|
|
||||||
).execute
|
|
||||||
end
|
|
||||||
end
|
|
||||||
end
|
|
||||||
end
|
|
||||||
end
|
|
|
@ -1,141 +0,0 @@
|
||||||
# frozen_string_literal: true
|
|
||||||
|
|
||||||
module Clusters
|
|
||||||
module Gcp
|
|
||||||
module Kubernetes
|
|
||||||
class CreateOrUpdateServiceAccountService
|
|
||||||
def initialize(kubeclient, service_account_name:, service_account_namespace:, token_name:, rbac:, namespace_creator: false, role_binding_name: nil)
|
|
||||||
@kubeclient = kubeclient
|
|
||||||
@service_account_name = service_account_name
|
|
||||||
@service_account_namespace = service_account_namespace
|
|
||||||
@token_name = token_name
|
|
||||||
@rbac = rbac
|
|
||||||
@namespace_creator = namespace_creator
|
|
||||||
@role_binding_name = role_binding_name
|
|
||||||
end
|
|
||||||
|
|
||||||
def self.gitlab_creator(kubeclient, rbac:)
|
|
||||||
self.new(
|
|
||||||
kubeclient,
|
|
||||||
service_account_name: Clusters::Gcp::Kubernetes::GITLAB_SERVICE_ACCOUNT_NAME,
|
|
||||||
service_account_namespace: Clusters::Gcp::Kubernetes::GITLAB_SERVICE_ACCOUNT_NAMESPACE,
|
|
||||||
token_name: Clusters::Gcp::Kubernetes::GITLAB_ADMIN_TOKEN_NAME,
|
|
||||||
rbac: rbac
|
|
||||||
)
|
|
||||||
end
|
|
||||||
|
|
||||||
def self.namespace_creator(kubeclient, service_account_name:, service_account_namespace:, rbac:)
|
|
||||||
self.new(
|
|
||||||
kubeclient,
|
|
||||||
service_account_name: service_account_name,
|
|
||||||
service_account_namespace: service_account_namespace,
|
|
||||||
token_name: "#{service_account_namespace}-token",
|
|
||||||
rbac: rbac,
|
|
||||||
namespace_creator: true,
|
|
||||||
role_binding_name: "gitlab-#{service_account_namespace}"
|
|
||||||
)
|
|
||||||
end
|
|
||||||
|
|
||||||
def execute
|
|
||||||
ensure_project_namespace_exists if namespace_creator
|
|
||||||
|
|
||||||
kubeclient.create_or_update_service_account(service_account_resource)
|
|
||||||
kubeclient.create_or_update_secret(service_account_token_resource)
|
|
||||||
|
|
||||||
return unless rbac
|
|
||||||
|
|
||||||
create_role_or_cluster_role_binding
|
|
||||||
|
|
||||||
return unless namespace_creator
|
|
||||||
|
|
||||||
create_or_update_knative_serving_role
|
|
||||||
create_or_update_knative_serving_role_binding
|
|
||||||
end
|
|
||||||
|
|
||||||
private
|
|
||||||
|
|
||||||
attr_reader :kubeclient, :service_account_name, :service_account_namespace, :token_name, :rbac, :namespace_creator, :role_binding_name
|
|
||||||
|
|
||||||
def ensure_project_namespace_exists
|
|
||||||
Gitlab::Kubernetes::Namespace.new(
|
|
||||||
service_account_namespace,
|
|
||||||
kubeclient
|
|
||||||
).ensure_exists!
|
|
||||||
end
|
|
||||||
|
|
||||||
def create_role_or_cluster_role_binding
|
|
||||||
if namespace_creator
|
|
||||||
kubeclient.create_or_update_role_binding(role_binding_resource)
|
|
||||||
else
|
|
||||||
kubeclient.create_or_update_cluster_role_binding(cluster_role_binding_resource)
|
|
||||||
end
|
|
||||||
end
|
|
||||||
|
|
||||||
def create_or_update_knative_serving_role
|
|
||||||
kubeclient.update_role(knative_serving_role_resource)
|
|
||||||
end
|
|
||||||
|
|
||||||
def create_or_update_knative_serving_role_binding
|
|
||||||
kubeclient.update_role_binding(knative_serving_role_binding_resource)
|
|
||||||
end
|
|
||||||
|
|
||||||
def service_account_resource
|
|
||||||
Gitlab::Kubernetes::ServiceAccount.new(
|
|
||||||
service_account_name,
|
|
||||||
service_account_namespace
|
|
||||||
).generate
|
|
||||||
end
|
|
||||||
|
|
||||||
def service_account_token_resource
|
|
||||||
Gitlab::Kubernetes::ServiceAccountToken.new(
|
|
||||||
token_name,
|
|
||||||
service_account_name,
|
|
||||||
service_account_namespace
|
|
||||||
).generate
|
|
||||||
end
|
|
||||||
|
|
||||||
def cluster_role_binding_resource
|
|
||||||
subjects = [{ kind: 'ServiceAccount', name: service_account_name, namespace: service_account_namespace }]
|
|
||||||
|
|
||||||
Gitlab::Kubernetes::ClusterRoleBinding.new(
|
|
||||||
Clusters::Gcp::Kubernetes::GITLAB_CLUSTER_ROLE_BINDING_NAME,
|
|
||||||
Clusters::Gcp::Kubernetes::GITLAB_CLUSTER_ROLE_NAME,
|
|
||||||
subjects
|
|
||||||
).generate
|
|
||||||
end
|
|
||||||
|
|
||||||
def role_binding_resource
|
|
||||||
Gitlab::Kubernetes::RoleBinding.new(
|
|
||||||
name: role_binding_name,
|
|
||||||
role_name: Clusters::Gcp::Kubernetes::PROJECT_CLUSTER_ROLE_NAME,
|
|
||||||
role_kind: :ClusterRole,
|
|
||||||
namespace: service_account_namespace,
|
|
||||||
service_account_name: service_account_name
|
|
||||||
).generate
|
|
||||||
end
|
|
||||||
|
|
||||||
def knative_serving_role_resource
|
|
||||||
Gitlab::Kubernetes::Role.new(
|
|
||||||
name: Clusters::Gcp::Kubernetes::GITLAB_KNATIVE_SERVING_ROLE_NAME,
|
|
||||||
namespace: service_account_namespace,
|
|
||||||
rules: [{
|
|
||||||
apiGroups: %w(serving.knative.dev),
|
|
||||||
resources: %w(configurations configurationgenerations routes revisions revisionuids autoscalers services),
|
|
||||||
verbs: %w(get list create update delete patch watch)
|
|
||||||
}]
|
|
||||||
).generate
|
|
||||||
end
|
|
||||||
|
|
||||||
def knative_serving_role_binding_resource
|
|
||||||
Gitlab::Kubernetes::RoleBinding.new(
|
|
||||||
name: Clusters::Gcp::Kubernetes::GITLAB_KNATIVE_SERVING_ROLE_BINDING_NAME,
|
|
||||||
role_name: Clusters::Gcp::Kubernetes::GITLAB_KNATIVE_SERVING_ROLE_NAME,
|
|
||||||
role_kind: :Role,
|
|
||||||
namespace: service_account_namespace,
|
|
||||||
service_account_name: service_account_name
|
|
||||||
).generate
|
|
||||||
end
|
|
||||||
end
|
|
||||||
end
|
|
||||||
end
|
|
||||||
end
|
|
|
@ -1,42 +0,0 @@
|
||||||
# frozen_string_literal: true
|
|
||||||
|
|
||||||
module Clusters
|
|
||||||
module Gcp
|
|
||||||
module Kubernetes
|
|
||||||
class FetchKubernetesTokenService
|
|
||||||
DEFAULT_TOKEN_RETRY_DELAY = 5.seconds
|
|
||||||
TOKEN_RETRY_LIMIT = 5
|
|
||||||
|
|
||||||
attr_reader :kubeclient, :service_account_token_name, :namespace
|
|
||||||
|
|
||||||
def initialize(kubeclient, service_account_token_name, namespace, token_retry_delay: DEFAULT_TOKEN_RETRY_DELAY)
|
|
||||||
@kubeclient = kubeclient
|
|
||||||
@service_account_token_name = service_account_token_name
|
|
||||||
@namespace = namespace
|
|
||||||
@token_retry_delay = token_retry_delay
|
|
||||||
end
|
|
||||||
|
|
||||||
def execute
|
|
||||||
# Kubernetes will create the Secret and set the token asynchronously
|
|
||||||
# so it is necessary to retry
|
|
||||||
# https://kubernetes.io/docs/reference/access-authn-authz/service-accounts-admin/#token-controller
|
|
||||||
TOKEN_RETRY_LIMIT.times do
|
|
||||||
token_base64 = get_secret&.dig('data', 'token')
|
|
||||||
return Base64.decode64(token_base64) if token_base64
|
|
||||||
|
|
||||||
sleep @token_retry_delay
|
|
||||||
end
|
|
||||||
|
|
||||||
nil
|
|
||||||
end
|
|
||||||
|
|
||||||
private
|
|
||||||
|
|
||||||
def get_secret
|
|
||||||
kubeclient.get_secret(service_account_token_name, namespace).as_json
|
|
||||||
rescue Kubeclient::ResourceNotFoundError
|
|
||||||
end
|
|
||||||
end
|
|
||||||
end
|
|
||||||
end
|
|
||||||
end
|
|
|
@ -0,0 +1,45 @@
|
||||||
|
# frozen_string_literal: true
|
||||||
|
|
||||||
|
module Clusters
|
||||||
|
module Kubernetes
|
||||||
|
class CreateOrUpdateNamespaceService
|
||||||
|
def initialize(cluster:, kubernetes_namespace:)
|
||||||
|
@cluster = cluster
|
||||||
|
@kubernetes_namespace = kubernetes_namespace
|
||||||
|
@platform = cluster.platform
|
||||||
|
end
|
||||||
|
|
||||||
|
def execute
|
||||||
|
create_project_service_account
|
||||||
|
configure_kubernetes_token
|
||||||
|
|
||||||
|
kubernetes_namespace.save!
|
||||||
|
end
|
||||||
|
|
||||||
|
private
|
||||||
|
|
||||||
|
attr_reader :cluster, :kubernetes_namespace, :platform
|
||||||
|
|
||||||
|
def create_project_service_account
|
||||||
|
Clusters::Kubernetes::CreateOrUpdateServiceAccountService.namespace_creator(
|
||||||
|
platform.kubeclient,
|
||||||
|
service_account_name: kubernetes_namespace.service_account_name,
|
||||||
|
service_account_namespace: kubernetes_namespace.namespace,
|
||||||
|
rbac: platform.rbac?
|
||||||
|
).execute
|
||||||
|
end
|
||||||
|
|
||||||
|
def configure_kubernetes_token
|
||||||
|
kubernetes_namespace.service_account_token = fetch_service_account_token
|
||||||
|
end
|
||||||
|
|
||||||
|
def fetch_service_account_token
|
||||||
|
Clusters::Kubernetes::FetchKubernetesTokenService.new(
|
||||||
|
platform.kubeclient,
|
||||||
|
kubernetes_namespace.token_name,
|
||||||
|
kubernetes_namespace.namespace
|
||||||
|
).execute
|
||||||
|
end
|
||||||
|
end
|
||||||
|
end
|
||||||
|
end
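Review bot: `configure_kubernetes_token` assigns whatever `fetch_service_account_token` returns straight into `kubernetes_namespace.service_account_token`, and `execute` then calls `kubernetes_namespace.save!`; since `Clusters::Kubernetes::FetchKubernetesTokenService#execute` (next section) returns `nil` once its retries are exhausted, a namespace record can be persisted with no token and the provisioning failure is silent. Whether a nil token is a legitimate intermediate state is not visible here (the spec hunk further down mentions a "tokenless record"), so at minimum this service should fail loudly instead of overwriting the field with nil: `token = fetch_service_account_token` / `raise "service account token for #{kubernetes_namespace.namespace} was not created" unless token` / `kubernetes_namespace.service_account_token = token`. The same gap applies to the FetchKubernetesTokenService section, where the `nil` originates. The file is moved verbatim from the Gcp namespace, but the move is the right moment to add the guard since AWS clusters are about to share this path.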
|
|
@ -0,0 +1,139 @@
|
||||||
|
# frozen_string_literal: true
|
||||||
|
|
||||||
|
module Clusters
|
||||||
|
module Kubernetes
|
||||||
|
class CreateOrUpdateServiceAccountService
|
||||||
|
def initialize(kubeclient, service_account_name:, service_account_namespace:, token_name:, rbac:, namespace_creator: false, role_binding_name: nil)
|
||||||
|
@kubeclient = kubeclient
|
||||||
|
@service_account_name = service_account_name
|
||||||
|
@service_account_namespace = service_account_namespace
|
||||||
|
@token_name = token_name
|
||||||
|
@rbac = rbac
|
||||||
|
@namespace_creator = namespace_creator
|
||||||
|
@role_binding_name = role_binding_name
|
||||||
|
end
|
||||||
|
|
||||||
|
def self.gitlab_creator(kubeclient, rbac:)
|
||||||
|
self.new(
|
||||||
|
kubeclient,
|
||||||
|
service_account_name: Clusters::Kubernetes::GITLAB_SERVICE_ACCOUNT_NAME,
|
||||||
|
service_account_namespace: Clusters::Kubernetes::GITLAB_SERVICE_ACCOUNT_NAMESPACE,
|
||||||
|
token_name: Clusters::Kubernetes::GITLAB_ADMIN_TOKEN_NAME,
|
||||||
|
rbac: rbac
|
||||||
|
)
|
||||||
|
end
|
||||||
|
|
||||||
|
def self.namespace_creator(kubeclient, service_account_name:, service_account_namespace:, rbac:)
|
||||||
|
self.new(
|
||||||
|
kubeclient,
|
||||||
|
service_account_name: service_account_name,
|
||||||
|
service_account_namespace: service_account_namespace,
|
||||||
|
token_name: "#{service_account_namespace}-token",
|
||||||
|
rbac: rbac,
|
||||||
|
namespace_creator: true,
|
||||||
|
role_binding_name: "gitlab-#{service_account_namespace}"
|
||||||
|
)
|
||||||
|
end
|
||||||
|
|
||||||
|
def execute
|
||||||
|
ensure_project_namespace_exists if namespace_creator
|
||||||
|
|
||||||
|
kubeclient.create_or_update_service_account(service_account_resource)
|
||||||
|
kubeclient.create_or_update_secret(service_account_token_resource)
|
||||||
|
|
||||||
|
return unless rbac
|
||||||
|
|
||||||
|
create_role_or_cluster_role_binding
|
||||||
|
|
||||||
|
return unless namespace_creator
|
||||||
|
|
||||||
|
create_or_update_knative_serving_role
|
||||||
|
create_or_update_knative_serving_role_binding
|
||||||
|
end
|
||||||
|
|
||||||
|
private
|
||||||
|
|
||||||
|
attr_reader :kubeclient, :service_account_name, :service_account_namespace, :token_name, :rbac, :namespace_creator, :role_binding_name
|
||||||
|
|
||||||
|
def ensure_project_namespace_exists
|
||||||
|
Gitlab::Kubernetes::Namespace.new(
|
||||||
|
service_account_namespace,
|
||||||
|
kubeclient
|
||||||
|
).ensure_exists!
|
||||||
|
end
|
||||||
|
|
||||||
|
def create_role_or_cluster_role_binding
|
||||||
|
if namespace_creator
|
||||||
|
kubeclient.create_or_update_role_binding(role_binding_resource)
|
||||||
|
else
|
||||||
|
kubeclient.create_or_update_cluster_role_binding(cluster_role_binding_resource)
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
def create_or_update_knative_serving_role
|
||||||
|
kubeclient.update_role(knative_serving_role_resource)
|
||||||
|
end
|
||||||
|
|
||||||
|
def create_or_update_knative_serving_role_binding
|
||||||
|
kubeclient.update_role_binding(knative_serving_role_binding_resource)
|
||||||
|
end
|
||||||
|
|
||||||
|
def service_account_resource
|
||||||
|
Gitlab::Kubernetes::ServiceAccount.new(
|
||||||
|
service_account_name,
|
||||||
|
service_account_namespace
|
||||||
|
).generate
|
||||||
|
end
|
||||||
|
|
||||||
|
def service_account_token_resource
|
||||||
|
Gitlab::Kubernetes::ServiceAccountToken.new(
|
||||||
|
token_name,
|
||||||
|
service_account_name,
|
||||||
|
service_account_namespace
|
||||||
|
).generate
|
||||||
|
end
|
||||||
|
|
||||||
|
def cluster_role_binding_resource
|
||||||
|
subjects = [{ kind: 'ServiceAccount', name: service_account_name, namespace: service_account_namespace }]
|
||||||
|
|
||||||
|
Gitlab::Kubernetes::ClusterRoleBinding.new(
|
||||||
|
Clusters::Kubernetes::GITLAB_CLUSTER_ROLE_BINDING_NAME,
|
||||||
|
Clusters::Kubernetes::GITLAB_CLUSTER_ROLE_NAME,
|
||||||
|
subjects
|
||||||
|
).generate
|
||||||
|
end
|
||||||
|
|
||||||
|
def role_binding_resource
|
||||||
|
Gitlab::Kubernetes::RoleBinding.new(
|
||||||
|
name: role_binding_name,
|
||||||
|
role_name: Clusters::Kubernetes::PROJECT_CLUSTER_ROLE_NAME,
|
||||||
|
role_kind: :ClusterRole,
|
||||||
|
namespace: service_account_namespace,
|
||||||
|
service_account_name: service_account_name
|
||||||
|
).generate
|
||||||
|
end
|
||||||
|
|
||||||
|
def knative_serving_role_resource
|
||||||
|
Gitlab::Kubernetes::Role.new(
|
||||||
|
name: Clusters::Kubernetes::GITLAB_KNATIVE_SERVING_ROLE_NAME,
|
||||||
|
namespace: service_account_namespace,
|
||||||
|
rules: [{
|
||||||
|
apiGroups: %w(serving.knative.dev),
|
||||||
|
resources: %w(configurations configurationgenerations routes revisions revisionuids autoscalers services),
|
||||||
|
verbs: %w(get list create update delete patch watch)
|
||||||
|
}]
|
||||||
|
).generate
|
||||||
|
end
|
||||||
|
|
||||||
|
def knative_serving_role_binding_resource
|
||||||
|
Gitlab::Kubernetes::RoleBinding.new(
|
||||||
|
name: Clusters::Kubernetes::GITLAB_KNATIVE_SERVING_ROLE_BINDING_NAME,
|
||||||
|
role_name: Clusters::Kubernetes::GITLAB_KNATIVE_SERVING_ROLE_NAME,
|
||||||
|
role_kind: :Role,
|
||||||
|
namespace: service_account_namespace,
|
||||||
|
service_account_name: service_account_name
|
||||||
|
).generate
|
||||||
|
end
|
||||||
|
end
|
||||||
|
end
|
||||||
|
end
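Review bot: The class never states the privilege it grants, and it matters: the `gitlab_creator` path (no `namespace_creator`) ends in `cluster_role_binding_resource`, which binds the service account to `Clusters::Kubernetes::GITLAB_CLUSTER_ROLE_NAME` — `'cluster-admin'` per the constants section — cluster-wide, while the `namespace_creator` path binds only the `'edit'` ClusterRole inside one namespace plus the knative serving Role. A class-level comment should spell out both modes, e.g. `# gitlab_creator: cluster-wide 'gitlab' SA bound to cluster-admin (its token is read by FetchKubernetesTokenService and stored); namespace_creator: per-namespace SA bound to 'edit', plus the knative serving Role/RoleBinding when rbac is on.` Separately, `create_or_update_knative_serving_role` and `create_or_update_knative_serving_role_binding` call `kubeclient.update_role` / `update_role_binding` (a PUT to the named resource, per the spec stubs) while the service account, secret and binding steps use `create_or_update_*` helpers; if PUT does not create a missing resource on the target API server the method names overpromise, so either document that or align on the `create_or_update_*` helpers. This file is a verbatim move from the Gcp namespace.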
|
|
@ -0,0 +1,40 @@
|
||||||
|
# frozen_string_literal: true
|
||||||
|
|
||||||
|
module Clusters
|
||||||
|
module Kubernetes
|
||||||
|
class FetchKubernetesTokenService
|
||||||
|
DEFAULT_TOKEN_RETRY_DELAY = 5.seconds
|
||||||
|
TOKEN_RETRY_LIMIT = 5
|
||||||
|
|
||||||
|
attr_reader :kubeclient, :service_account_token_name, :namespace
|
||||||
|
|
||||||
|
def initialize(kubeclient, service_account_token_name, namespace, token_retry_delay: DEFAULT_TOKEN_RETRY_DELAY)
|
||||||
|
@kubeclient = kubeclient
|
||||||
|
@service_account_token_name = service_account_token_name
|
||||||
|
@namespace = namespace
|
||||||
|
@token_retry_delay = token_retry_delay
|
||||||
|
end
|
||||||
|
|
||||||
|
def execute
|
||||||
|
# Kubernetes will create the Secret and set the token asynchronously
|
||||||
|
# so it is necessary to retry
|
||||||
|
# https://kubernetes.io/docs/reference/access-authn-authz/service-accounts-admin/#token-controller
|
||||||
|
TOKEN_RETRY_LIMIT.times do
|
||||||
|
token_base64 = get_secret&.dig('data', 'token')
|
||||||
|
return Base64.decode64(token_base64) if token_base64
|
||||||
|
|
||||||
|
sleep @token_retry_delay
|
||||||
|
end
|
||||||
|
|
||||||
|
nil
|
||||||
|
end
|
||||||
|
|
||||||
|
private
|
||||||
|
|
||||||
|
def get_secret
|
||||||
|
kubeclient.get_secret(service_account_token_name, namespace).as_json
|
||||||
|
rescue Kubeclient::ResourceNotFoundError
|
||||||
|
end
|
||||||
|
end
|
||||||
|
end
|
||||||
|
end
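Review bot: `execute` sleeps `@token_retry_delay` after the final attempt as well, so the failure path costs `TOKEN_RETRY_LIMIT` delays (25 s at the 5 s default) before returning `nil`, one more than needed; `TOKEN_RETRY_LIMIT.times do |attempt|` with `sleep @token_retry_delay unless attempt == TOKEN_RETRY_LIMIT - 1` avoids the wasted wait. The `nil` return on exhaustion and the `rescue Kubeclient::ResourceNotFoundError` that makes `get_secret` return `nil` are deliberate retry plumbing, but neither is documented; the existing method comment should add that `nil` means the token never appeared and that callers must handle it, since the decoded value is a bearer token that `CreateOrUpdateNamespaceService` stores on the namespace record. `@token_retry_delay` is also read directly while the other state goes through `attr_reader` — minor, but inconsistent. The file is moved verbatim from the Gcp namespace.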
|
|
@ -0,0 +1,14 @@
|
||||||
|
# frozen_string_literal: true
|
||||||
|
|
||||||
|
module Clusters
|
||||||
|
module Kubernetes
|
||||||
|
GITLAB_SERVICE_ACCOUNT_NAME = 'gitlab'
|
||||||
|
GITLAB_SERVICE_ACCOUNT_NAMESPACE = 'default'
|
||||||
|
GITLAB_ADMIN_TOKEN_NAME = 'gitlab-token'
|
||||||
|
GITLAB_CLUSTER_ROLE_BINDING_NAME = 'gitlab-admin'
|
||||||
|
GITLAB_CLUSTER_ROLE_NAME = 'cluster-admin'
|
||||||
|
PROJECT_CLUSTER_ROLE_NAME = 'edit'
|
||||||
|
GITLAB_KNATIVE_SERVING_ROLE_NAME = 'gitlab-knative-serving-role'
|
||||||
|
GITLAB_KNATIVE_SERVING_ROLE_BINDING_NAME = 'gitlab-knative-serving-rolebinding'
|
||||||
|
end
|
||||||
|
end
|
|
@ -43,7 +43,7 @@ module Gitlab
|
||||||
end
|
end
|
||||||
|
|
||||||
def create_namespace
|
def create_namespace
|
||||||
Clusters::Gcp::Kubernetes::CreateOrUpdateNamespaceService.new(
|
Clusters::Kubernetes::CreateOrUpdateNamespaceService.new(
|
||||||
cluster: deployment_cluster,
|
cluster: deployment_cluster,
|
||||||
kubernetes_namespace: kubernetes_namespace || build_namespace_record
|
kubernetes_namespace: kubernetes_namespace || build_namespace_record
|
||||||
).execute
|
).execute
|
||||||
|
|
|
@ -13,7 +13,7 @@ describe 'User Cluster', :js do
|
||||||
gitlab_sign_in(user)
|
gitlab_sign_in(user)
|
||||||
|
|
||||||
allow(Groups::ClustersController).to receive(:STATUS_POLLING_INTERVAL) { 100 }
|
allow(Groups::ClustersController).to receive(:STATUS_POLLING_INTERVAL) { 100 }
|
||||||
allow_any_instance_of(Clusters::Gcp::Kubernetes::CreateOrUpdateNamespaceService).to receive(:execute)
|
allow_any_instance_of(Clusters::Kubernetes::CreateOrUpdateNamespaceService).to receive(:execute)
|
||||||
allow_any_instance_of(Clusters::Cluster).to receive(:retrieve_connection_status).and_return(:connected)
|
allow_any_instance_of(Clusters::Cluster).to receive(:retrieve_connection_status).and_return(:connected)
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
|
@ -13,7 +13,7 @@ describe 'User Cluster', :js do
|
||||||
gitlab_sign_in(user)
|
gitlab_sign_in(user)
|
||||||
|
|
||||||
allow(Projects::ClustersController).to receive(:STATUS_POLLING_INTERVAL) { 100 }
|
allow(Projects::ClustersController).to receive(:STATUS_POLLING_INTERVAL) { 100 }
|
||||||
allow_any_instance_of(Clusters::Gcp::Kubernetes::CreateOrUpdateNamespaceService).to receive(:execute)
|
allow_any_instance_of(Clusters::Kubernetes::CreateOrUpdateNamespaceService).to receive(:execute)
|
||||||
allow_any_instance_of(Clusters::Cluster).to receive(:retrieve_connection_status).and_return(:connected)
|
allow_any_instance_of(Clusters::Cluster).to receive(:retrieve_connection_status).and_return(:connected)
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
|
@ -87,7 +87,7 @@ describe Gitlab::Ci::Build::Prerequisite::KubernetesNamespace do
|
||||||
.with(cluster, environment: deployment.environment)
|
.with(cluster, environment: deployment.environment)
|
||||||
.and_return(namespace_builder)
|
.and_return(namespace_builder)
|
||||||
|
|
||||||
expect(Clusters::Gcp::Kubernetes::CreateOrUpdateNamespaceService)
|
expect(Clusters::Kubernetes::CreateOrUpdateNamespaceService)
|
||||||
.to receive(:new)
|
.to receive(:new)
|
||||||
.with(cluster: cluster, kubernetes_namespace: kubernetes_namespace)
|
.with(cluster: cluster, kubernetes_namespace: kubernetes_namespace)
|
||||||
.and_return(service)
|
.and_return(service)
|
||||||
|
@ -107,7 +107,7 @@ describe Gitlab::Ci::Build::Prerequisite::KubernetesNamespace do
|
||||||
it 'creates a namespace using the tokenless record' do
|
it 'creates a namespace using the tokenless record' do
|
||||||
expect(Clusters::BuildKubernetesNamespaceService).not_to receive(:new)
|
expect(Clusters::BuildKubernetesNamespaceService).not_to receive(:new)
|
||||||
|
|
||||||
expect(Clusters::Gcp::Kubernetes::CreateOrUpdateNamespaceService)
|
expect(Clusters::Kubernetes::CreateOrUpdateNamespaceService)
|
||||||
.to receive(:new)
|
.to receive(:new)
|
||||||
.with(cluster: cluster, kubernetes_namespace: kubernetes_namespace)
|
.with(cluster: cluster, kubernetes_namespace: kubernetes_namespace)
|
||||||
.and_return(service)
|
.and_return(service)
|
||||||
|
@ -123,7 +123,7 @@ describe Gitlab::Ci::Build::Prerequisite::KubernetesNamespace do
|
||||||
end
|
end
|
||||||
|
|
||||||
it 'does not create a namespace' do
|
it 'does not create a namespace' do
|
||||||
expect(Clusters::Gcp::Kubernetes::CreateOrUpdateNamespaceService).not_to receive(:new)
|
expect(Clusters::Kubernetes::CreateOrUpdateNamespaceService).not_to receive(:new)
|
||||||
|
|
||||||
subject
|
subject
|
||||||
end
|
end
|
||||||
|
|
|
@ -2,7 +2,7 @@
|
||||||
|
|
||||||
require 'spec_helper'
|
require 'spec_helper'
|
||||||
|
|
||||||
describe Clusters::Gcp::Kubernetes::CreateOrUpdateNamespaceService, '#execute' do
|
describe Clusters::Kubernetes::CreateOrUpdateNamespaceService, '#execute' do
|
||||||
include KubernetesHelpers
|
include KubernetesHelpers
|
||||||
|
|
||||||
let(:cluster) { create(:cluster, :project, :provided_by_gcp) }
|
let(:cluster) { create(:cluster, :project, :provided_by_gcp) }
|
||||||
|
@ -35,8 +35,8 @@ describe Clusters::Gcp::Kubernetes::CreateOrUpdateNamespaceService, '#execute' d
|
||||||
stub_kubeclient_create_service_account(api_url, namespace: namespace)
|
stub_kubeclient_create_service_account(api_url, namespace: namespace)
|
||||||
stub_kubeclient_create_secret(api_url, namespace: namespace)
|
stub_kubeclient_create_secret(api_url, namespace: namespace)
|
||||||
stub_kubeclient_put_secret(api_url, "#{namespace}-token", namespace: namespace)
|
stub_kubeclient_put_secret(api_url, "#{namespace}-token", namespace: namespace)
|
||||||
stub_kubeclient_put_role(api_url, Clusters::Gcp::Kubernetes::GITLAB_KNATIVE_SERVING_ROLE_NAME, namespace: namespace)
|
stub_kubeclient_put_role(api_url, Clusters::Kubernetes::GITLAB_KNATIVE_SERVING_ROLE_NAME, namespace: namespace)
|
||||||
stub_kubeclient_put_role_binding(api_url, Clusters::Gcp::Kubernetes::GITLAB_KNATIVE_SERVING_ROLE_BINDING_NAME, namespace: namespace)
|
stub_kubeclient_put_role_binding(api_url, Clusters::Kubernetes::GITLAB_KNATIVE_SERVING_ROLE_BINDING_NAME, namespace: namespace)
|
||||||
|
|
||||||
stub_kubeclient_get_secret(
|
stub_kubeclient_get_secret(
|
||||||
api_url,
|
api_url,
|
||||||
|
@ -56,7 +56,7 @@ describe Clusters::Gcp::Kubernetes::CreateOrUpdateNamespaceService, '#execute' d
|
||||||
end
|
end
|
||||||
|
|
||||||
it 'creates project service account' do
|
it 'creates project service account' do
|
||||||
expect_any_instance_of(Clusters::Gcp::Kubernetes::CreateOrUpdateServiceAccountService).to receive(:execute).once
|
expect_any_instance_of(Clusters::Kubernetes::CreateOrUpdateServiceAccountService).to receive(:execute).once
|
||||||
|
|
||||||
subject
|
subject
|
||||||
end
|
end
|
||||||
|
@ -123,7 +123,7 @@ describe Clusters::Gcp::Kubernetes::CreateOrUpdateNamespaceService, '#execute' d
|
||||||
end
|
end
|
||||||
|
|
||||||
it 'creates project service account' do
|
it 'creates project service account' do
|
||||||
expect_any_instance_of(Clusters::Gcp::Kubernetes::CreateOrUpdateServiceAccountService).to receive(:execute).once
|
expect_any_instance_of(Clusters::Kubernetes::CreateOrUpdateServiceAccountService).to receive(:execute).once
|
||||||
|
|
||||||
subject
|
subject
|
||||||
end
|
end
|
|
@ -1,7 +1,7 @@
|
||||||
# frozen_string_literal: true
|
# frozen_string_literal: true
|
||||||
require 'spec_helper'
|
require 'spec_helper'
|
||||||
|
|
||||||
describe Clusters::Gcp::Kubernetes::CreateOrUpdateServiceAccountService do
|
describe Clusters::Kubernetes::CreateOrUpdateServiceAccountService do
|
||||||
include KubernetesHelpers
|
include KubernetesHelpers
|
||||||
|
|
||||||
let(:api_url) { 'http://111.111.111.111' }
|
let(:api_url) { 'http://111.111.111.111' }
|
||||||
|
@ -143,8 +143,8 @@ describe Clusters::Gcp::Kubernetes::CreateOrUpdateServiceAccountService do
|
||||||
|
|
||||||
stub_kubeclient_get_role_binding_error(api_url, role_binding_name, namespace: namespace)
|
stub_kubeclient_get_role_binding_error(api_url, role_binding_name, namespace: namespace)
|
||||||
stub_kubeclient_create_role_binding(api_url, namespace: namespace)
|
stub_kubeclient_create_role_binding(api_url, namespace: namespace)
|
||||||
stub_kubeclient_put_role(api_url, Clusters::Gcp::Kubernetes::GITLAB_KNATIVE_SERVING_ROLE_NAME, namespace: namespace)
|
stub_kubeclient_put_role(api_url, Clusters::Kubernetes::GITLAB_KNATIVE_SERVING_ROLE_NAME, namespace: namespace)
|
||||||
stub_kubeclient_put_role_binding(api_url, Clusters::Gcp::Kubernetes::GITLAB_KNATIVE_SERVING_ROLE_BINDING_NAME, namespace: namespace)
|
stub_kubeclient_put_role_binding(api_url, Clusters::Kubernetes::GITLAB_KNATIVE_SERVING_ROLE_BINDING_NAME, namespace: namespace)
|
||||||
end
|
end
|
||||||
|
|
||||||
it_behaves_like 'creates service account and token'
|
it_behaves_like 'creates service account and token'
|
||||||
|
@ -175,10 +175,10 @@ describe Clusters::Gcp::Kubernetes::CreateOrUpdateServiceAccountService do
|
||||||
it 'creates a role and role binding granting knative serving permissions to the service account' do
|
it 'creates a role and role binding granting knative serving permissions to the service account' do
|
||||||
subject
|
subject
|
||||||
|
|
||||||
expect(WebMock).to have_requested(:put, api_url + "/apis/rbac.authorization.k8s.io/v1/namespaces/#{namespace}/roles/#{Clusters::Gcp::Kubernetes::GITLAB_KNATIVE_SERVING_ROLE_NAME}").with(
|
expect(WebMock).to have_requested(:put, api_url + "/apis/rbac.authorization.k8s.io/v1/namespaces/#{namespace}/roles/#{Clusters::Kubernetes::GITLAB_KNATIVE_SERVING_ROLE_NAME}").with(
|
||||||
body: hash_including(
|
body: hash_including(
|
||||||
metadata: {
|
metadata: {
|
||||||
name: Clusters::Gcp::Kubernetes::GITLAB_KNATIVE_SERVING_ROLE_NAME,
|
name: Clusters::Kubernetes::GITLAB_KNATIVE_SERVING_ROLE_NAME,
|
||||||
namespace: namespace
|
namespace: namespace
|
||||||
},
|
},
|
||||||
rules: [{
|
rules: [{
|
|
@ -2,7 +2,7 @@
|
||||||
|
|
||||||
require 'spec_helper'
|
require 'spec_helper'
|
||||||
|
|
||||||
describe Clusters::Gcp::Kubernetes::FetchKubernetesTokenService do
|
describe Clusters::Kubernetes::FetchKubernetesTokenService do
|
||||||
include KubernetesHelpers
|
include KubernetesHelpers
|
||||||
|
|
||||||
describe '#execute' do
|
describe '#execute' do
|