Remove project-level cluster credential fallback
Project-level clusters that made use of this legacy behaviour have been migrated to unmanaged clusters, so we are now free to remove this fallback.
parent
148516ba36
commit
a87f0f3937
|
@ -91,19 +91,6 @@ module Clusters
|
||||||
|
|
||||||
elsif kubernetes_namespace = cluster.kubernetes_namespaces.has_service_account_token.find_by(project: project)
|
elsif kubernetes_namespace = cluster.kubernetes_namespaces.has_service_account_token.find_by(project: project)
|
||||||
variables.concat(kubernetes_namespace.predefined_variables)
|
variables.concat(kubernetes_namespace.predefined_variables)
|
||||||
elsif cluster.project_type?
|
|
||||||
# As of 11.11 a user can create a cluster that they manage themselves,
|
|
||||||
# which replicates the existing project-level cluster behaviour.
|
|
||||||
# Once we have marked all project-level clusters that make use of this
|
|
||||||
# behaviour as "unmanaged", we can remove the `cluster.project_type?`
|
|
||||||
# check here.
|
|
||||||
project_namespace = cluster.kubernetes_namespace_for(project)
|
|
||||||
|
|
||||||
variables
|
|
||||||
.append(key: 'KUBE_URL', value: api_url)
|
|
||||||
.append(key: 'KUBE_TOKEN', value: token, public: false, masked: true)
|
|
||||||
.append(key: 'KUBE_NAMESPACE', value: project_namespace)
|
|
||||||
.append(key: 'KUBECONFIG', value: kubeconfig(project_namespace), public: false, file: true)
|
|
||||||
end
|
end
|
||||||
|
|
||||||
variables.concat(cluster.predefined_variables)
|
variables.concat(cluster.predefined_variables)
|
||||||
|
|
|
@ -0,0 +1,5 @@
|
||||||
|
---
|
||||||
|
title: Disable Kubernetes credential passthrough for managed project-level clusters
|
||||||
|
merge_request: 29262
|
||||||
|
author:
|
||||||
|
type: removed
|
|
@ -532,6 +532,14 @@ This job failed because the necessary resources were not successfully created.
|
||||||
|
|
||||||
To find the cause of this error when creating a namespace and service account, check the [logs](../../../administration/logs.md#kuberneteslog).
|
To find the cause of this error when creating a namespace and service account, check the [logs](../../../administration/logs.md#kuberneteslog).
|
||||||
|
|
||||||
|
NOTE: **NOTE:**
|
||||||
|
As of GitLab 12.1 we require [`cluster-admin`](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles)
|
||||||
|
tokens for all project level clusters unless you unselect the
|
||||||
|
[GitLab-managed cluster](#gitlab-managed-clusters) option. If you
|
||||||
|
want to manage namespaces and service accounts yourself and don't
|
||||||
|
want to provide a `cluster-admin` token to GitLab you must unselect this
|
||||||
|
option or you will get the above error.
|
||||||
|
|
||||||
Common reasons for failure include:
|
Common reasons for failure include:
|
||||||
|
|
||||||
- The token you gave GitLab did not have [`cluster-admin`](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles)
|
- The token you gave GitLab did not have [`cluster-admin`](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles)
|
||||||
|
|
|
@ -281,14 +281,14 @@ describe Clusters::Platforms::Kubernetes, :use_clean_rails_memory_store_caching
|
||||||
|
|
||||||
it_behaves_like 'setting variables'
|
it_behaves_like 'setting variables'
|
||||||
|
|
||||||
it 'sets KUBE_TOKEN' do
|
it 'does not set KUBE_TOKEN' do
|
||||||
expect(subject).to include(
|
expect(subject).not_to include(
|
||||||
{ key: 'KUBE_TOKEN', value: kubernetes.token, public: false, masked: true }
|
{ key: 'KUBE_TOKEN', value: kubernetes.token, public: false, masked: true }
|
||||||
)
|
)
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
context 'kubernetes namespace is created with no service account token' do
|
context 'kubernetes namespace is created with service account token' do
|
||||||
let!(:kubernetes_namespace) { create(:cluster_kubernetes_namespace, :with_token, cluster: cluster) }
|
let!(:kubernetes_namespace) { create(:cluster_kubernetes_namespace, :with_token, cluster: cluster) }
|
||||||
|
|
||||||
it_behaves_like 'setting variables'
|
it_behaves_like 'setting variables'
|
||||||
|
@ -340,32 +340,6 @@ describe Clusters::Platforms::Kubernetes, :use_clean_rails_memory_store_caching
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
context 'namespace is provided' do
|
|
||||||
let(:namespace) { 'my-project' }
|
|
||||||
|
|
||||||
before do
|
|
||||||
kubernetes.namespace = namespace
|
|
||||||
end
|
|
||||||
|
|
||||||
it_behaves_like 'setting variables'
|
|
||||||
|
|
||||||
it 'sets KUBE_TOKEN' do
|
|
||||||
expect(subject).to include(
|
|
||||||
{ key: 'KUBE_TOKEN', value: kubernetes.token, public: false, masked: true }
|
|
||||||
)
|
|
||||||
end
|
|
||||||
end
|
|
||||||
|
|
||||||
context 'no namespace provided' do
|
|
||||||
it_behaves_like 'setting variables'
|
|
||||||
|
|
||||||
it 'sets KUBE_TOKEN' do
|
|
||||||
expect(subject).to include(
|
|
||||||
{ key: 'KUBE_TOKEN', value: kubernetes.token, public: false, masked: true }
|
|
||||||
)
|
|
||||||
end
|
|
||||||
end
|
|
||||||
|
|
||||||
context 'group level cluster' do
|
context 'group level cluster' do
|
||||||
let!(:cluster) { create(:cluster, :group, platform_kubernetes: kubernetes) }
|
let!(:cluster) { create(:cluster, :group, platform_kubernetes: kubernetes) }
|
||||||
|
|
||||||
|
|
|
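Review bot: The negated expectation in 'does not set KUBE_TOKEN' compares against one exact hash, so it still passes if a `KUBE_TOKEN` entry is emitted with a different value or with different `public`/`masked` flags. Since the point of this commit is to stop handing the cluster-level token to jobs, the spec should assert that no variable with that key is present at all, for example `expect(subject).not_to include(a_hash_including(key: 'KUBE_TOKEN'))`, assuming the items in `subject` compare as hashes the way the existing matcher implies. Asserting the same for `KUBECONFIG` would cover the other credential the removed branch used to append. The same exact-hash `not_to include` appears in the `describe Project do` hunk ('does not return variables from this service'). The enclosing contexts start outside the hunks.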
@ -2656,8 +2656,8 @@ describe Project do
|
||||||
let!(:cluster) { create(:cluster, :project, :provided_by_gcp) }
|
let!(:cluster) { create(:cluster, :project, :provided_by_gcp) }
|
||||||
let(:project) { cluster.project }
|
let(:project) { cluster.project }
|
||||||
|
|
||||||
it 'returns variables from this service' do
|
it 'does not return variables from this service' do
|
||||||
expect(project.deployment_variables).to include(
|
expect(project.deployment_variables).not_to include(
|
||||||
{ key: 'KUBE_TOKEN', value: project.deployment_platform.token, public: false, masked: true }
|
{ key: 'KUBE_TOKEN', value: project.deployment_platform.token, public: false, masked: true }
|
||||||
)
|
)
|
||||||
end
|
end
|
||||||
|
|