From a97d8767514c6fc1e314a2b83260a8dad5a7e1f2 Mon Sep 17 00:00:00 2001 From: Thong Kuah Date: Tue, 27 Nov 2018 17:30:09 +1300 Subject: [PATCH] Fallback to admin token for project clusters only We do not want group level clusters to fall back to what was old behaviour for project level clusters. So instead we will not return any KUBE_TOKEN if we cannot find a suitable kubernetes_namespace for the project, in the group level cluster case. Add test cases to assert above --- app/models/clusters/platforms/kubernetes.rb | 2 +- ...acy_fallback_for_project_clusters_only.yml | 5 ++++ .../clusters/kubernetes_namespaces.rb | 8 +++-- .../clusters/platforms/kubernetes_spec.rb | 30 +++++++++++++++++++ 4 files changed, 41 insertions(+), 4 deletions(-) create mode 100644 changelogs/unreleased/legacy_fallback_for_project_clusters_only.yml diff --git a/app/models/clusters/platforms/kubernetes.rb b/app/models/clusters/platforms/kubernetes.rb index 3c5d7756eec..dc8b52105cc 100644 --- a/app/models/clusters/platforms/kubernetes.rb +++ b/app/models/clusters/platforms/kubernetes.rb @@ -85,7 +85,7 @@ module Clusters if kubernetes_namespace = cluster.kubernetes_namespaces.has_service_account_token.find_by(project: project) variables.concat(kubernetes_namespace.predefined_variables) - else + elsif cluster.project_type? # From 11.5, every Clusters::Project should have at least one # Clusters::KubernetesNamespace, so once migration has been completed, # this 'else' branch will be removed. For more information, please see diff --git a/changelogs/unreleased/legacy_fallback_for_project_clusters_only.yml b/changelogs/unreleased/legacy_fallback_for_project_clusters_only.yml new file mode 100644 index 00000000000..c8e959176d0 --- /dev/null +++ b/changelogs/unreleased/legacy_fallback_for_project_clusters_only.yml @@ -0,0 +1,5 @@ +--- +title: Fallback to admin KUBE_TOKEN for project clusters only +merge_request: 23527 +author: +type: other diff --git a/spec/factories/clusters/kubernetes_namespaces.rb b/spec/factories/clusters/kubernetes_namespaces.rb index 6ad93fb0f45..3b50a57433f 100644 --- a/spec/factories/clusters/kubernetes_namespaces.rb +++ b/spec/factories/clusters/kubernetes_namespaces.rb @@ -5,10 +5,12 @@ FactoryBot.define do association :cluster, :project, :provided_by_gcp after(:build) do |kubernetes_namespace| - cluster_project = kubernetes_namespace.cluster.cluster_project + if kubernetes_namespace.cluster.project_type? + cluster_project = kubernetes_namespace.cluster.cluster_project - kubernetes_namespace.project = cluster_project.project - kubernetes_namespace.cluster_project = cluster_project + kubernetes_namespace.project = cluster_project.project + kubernetes_namespace.cluster_project = cluster_project + end end trait :with_token do diff --git a/spec/models/clusters/platforms/kubernetes_spec.rb b/spec/models/clusters/platforms/kubernetes_spec.rb index 99fd6ccc4d8..28019eab320 100644 --- a/spec/models/clusters/platforms/kubernetes_spec.rb +++ b/spec/models/clusters/platforms/kubernetes_spec.rb @@ -273,6 +273,36 @@ describe Clusters::Platforms::Kubernetes, :use_clean_rails_memory_store_caching ) end end + + context 'group level cluster' do + let!(:cluster) { create(:cluster, :group, platform_kubernetes: kubernetes) } + + let(:project) { create(:project, group: cluster.group) } + + subject { kubernetes.predefined_variables(project: project) } + + context 'no kubernetes namespace for the project' do + it_behaves_like 'setting variables' + + it 'does not return KUBE_TOKEN' do + expect(subject).not_to include( + { key: 'KUBE_TOKEN', value: kubernetes.token, public: false } + ) + end + end + + context 'kubernetes namespace exists for the project' do + let!(:kubernetes_namespace) { create(:cluster_kubernetes_namespace, :with_token, cluster: cluster, project: project) } + + it_behaves_like 'setting variables' + + it 'sets KUBE_TOKEN' do + expect(subject).to include( + { key: 'KUBE_TOKEN', value: kubernetes_namespace.service_account_token, public: false } + ) + end + end + end end describe '#terminals' do