Remove project-level cluster credential fallback
Project-level clusters that made use of this legacy behaviour have been migrated to unmanaged clusters, so we are now free to remove this fallback.
parent
148516ba36
commit
a87f0f3937
|
@ -91,19 +91,6 @@ module Clusters
|
|||
|
||||
elsif kubernetes_namespace = cluster.kubernetes_namespaces.has_service_account_token.find_by(project: project)
|
||||
variables.concat(kubernetes_namespace.predefined_variables)
|
||||
elsif cluster.project_type?
|
||||
# As of 11.11 a user can create a cluster that they manage themselves,
|
||||
# which replicates the existing project-level cluster behaviour.
|
||||
# Once we have marked all project-level clusters that make use of this
|
||||
# behaviour as "unmanaged", we can remove the `cluster.project_type?`
|
||||
# check here.
|
||||
project_namespace = cluster.kubernetes_namespace_for(project)
|
||||
|
||||
variables
|
||||
.append(key: 'KUBE_URL', value: api_url)
|
||||
.append(key: 'KUBE_TOKEN', value: token, public: false, masked: true)
|
||||
.append(key: 'KUBE_NAMESPACE', value: project_namespace)
|
||||
.append(key: 'KUBECONFIG', value: kubeconfig(project_namespace), public: false, file: true)
|
||||
end
|
||||
|
||||
variables.concat(cluster.predefined_variables)
|
||||
|
|
|
@ -0,0 +1,5 @@
|
|||
---
|
||||
title: Disable Kubernetes credential passthrough for managed project-level clusters
|
||||
merge_request: 29262
|
||||
author:
|
||||
type: removed
|
|
@ -532,6 +532,14 @@ This job failed because the necessary resources were not successfully created.
|
|||
|
||||
To find the cause of this error when creating a namespace and service account, check the [logs](../../../administration/logs.md#kuberneteslog).
|
||||
|
||||
NOTE: **NOTE:**
|
||||
As of GitLab 12.1 we require [`cluster-admin`](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles)
|
||||
tokens for all project level clusters unless you unselect the
|
||||
[GitLab-managed cluster](#gitlab-managed-clusters) option. If you
|
||||
want to manage namespaces and service accounts yourself and don't
|
||||
want to provide a `cluster-admin` token to GitLab you must unselect this
|
||||
option or you will get the above error.
|
||||
|
||||
Common reasons for failure include:
|
||||
|
||||
- The token you gave GitLab did not have [`cluster-admin`](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles)
|
||||
|
|
|
@ -281,14 +281,14 @@ describe Clusters::Platforms::Kubernetes, :use_clean_rails_memory_store_caching
|
|||
|
||||
it_behaves_like 'setting variables'
|
||||
|
||||
it 'sets KUBE_TOKEN' do
|
||||
expect(subject).to include(
|
||||
it 'does not set KUBE_TOKEN' do
|
||||
expect(subject).not_to include(
|
||||
{ key: 'KUBE_TOKEN', value: kubernetes.token, public: false, masked: true }
|
||||
)
|
||||
end
|
||||
end
|
||||
|
||||
context 'kubernetes namespace is created with no service account token' do
|
||||
context 'kubernetes namespace is created with service account token' do
|
||||
let!(:kubernetes_namespace) { create(:cluster_kubernetes_namespace, :with_token, cluster: cluster) }
|
||||
|
||||
it_behaves_like 'setting variables'
|
||||
|
@ -340,32 +340,6 @@ describe Clusters::Platforms::Kubernetes, :use_clean_rails_memory_store_caching
|
|||
end
|
||||
end
|
||||
|
||||
context 'namespace is provided' do
|
||||
let(:namespace) { 'my-project' }
|
||||
|
||||
before do
|
||||
kubernetes.namespace = namespace
|
||||
end
|
||||
|
||||
it_behaves_like 'setting variables'
|
||||
|
||||
it 'sets KUBE_TOKEN' do
|
||||
expect(subject).to include(
|
||||
{ key: 'KUBE_TOKEN', value: kubernetes.token, public: false, masked: true }
|
||||
)
|
||||
end
|
||||
end
|
||||
|
||||
context 'no namespace provided' do
|
||||
it_behaves_like 'setting variables'
|
||||
|
||||
it 'sets KUBE_TOKEN' do
|
||||
expect(subject).to include(
|
||||
{ key: 'KUBE_TOKEN', value: kubernetes.token, public: false, masked: true }
|
||||
)
|
||||
end
|
||||
end
|
||||
|
||||
context 'group level cluster' do
|
||||
let!(:cluster) { create(:cluster, :group, platform_kubernetes: kubernetes) }
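Review bot: The negative check in `it 'does not set KUBE_TOKEN'` (hunk `@ -281,14`) only proves that one exact hash is absent, because `expect(subject).not_to include({ key: 'KUBE_TOKEN', value: kubernetes.token, public: false, masked: true })` still passes if a KUBE_TOKEN is emitted with any other value or flags. Since the commit is meant to stop passing the cluster-level credentials through, asserting on the key alone is tighter, for example `expect(subject.map { |v| v[:key] }).not_to include('KUBE_TOKEN', 'KUBECONFIG')`. KUBECONFIG is worth covering because the removed branch appended it as a non-public file variable next to the token. The same exact-hash pattern is in the `project.deployment_variables` expectation of the `describe Project` hunk (`@ -2656,8`). The enclosing contexts start outside both hunks, and whether `subject` yields entries indexable by `:key` is not visible here, so adapt the matcher to the actual collection type.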
|
||||
|
||||
|
|
|
@ -2656,8 +2656,8 @@ describe Project do
|
|||
let!(:cluster) { create(:cluster, :project, :provided_by_gcp) }
|
||||
let(:project) { cluster.project }
|
||||
|
||||
it 'returns variables from this service' do
|
||||
expect(project.deployment_variables).to include(
|
||||
it 'does not return variables from this service' do
|
||||
expect(project.deployment_variables).not_to include(
|
||||
{ key: 'KUBE_TOKEN', value: project.deployment_platform.token, public: false, masked: true }
|
||||
)
|
||||
end
|
||||
|
|