Migrate clusters with no token to unmanaged

There are clusters that have Kubernetes namespaces
stored which are missing a service account token.
These namespaces are unable to be used for deployments,
so marking the clusters as unmanaged will allow the
platform credentials to be used instead.

changelogs/unreleased/63079-migrate-clusters-with-no-token-to-unmanaged.yml

@@ -0,0 +1,6 @@
+---
+title: Migrate GitLab managed project-level clusters to unmanaged if they are missing
+  a Kubernetes service account token
+merge_request: 29648
+author:
+type: other

db/post_migrate/20190613231640_migrate_managed_clusters_with_no_token_to_unmanaged.rb

@@ -0,0 +1,48 @@
+# frozen_string_literal: true
+
+# See http://doc.gitlab.com/ce/development/migration_style_guide.html
+# for more information on how to write migrations for GitLab.
+
+class MigrateManagedClustersWithNoTokenToUnmanaged < ActiveRecord::Migration[5.1]
+  include Gitlab::Database::MigrationHelpers
+
+  DOWNTIME = false
+
+  disable_ddl_transaction!
+
+  class Cluster < ActiveRecord::Base
+    include EachBatch
+
+    self.table_name = 'clusters'
+
+    has_many :kubernetes_namespaces, class_name: 'MigrateManagedClustersWithNoTokenToUnmanaged::KubernetesNamespace'
+
+    scope :managed, -> { where(managed: true) }
+
+    enum cluster_type: {
+      instance_type: 1,
+      group_type: 2,
+      project_type: 3
+    }
+  end
+
+  class KubernetesNamespace < ActiveRecord::Base
+    self.table_name = 'clusters_kubernetes_namespaces'
+
+    belongs_to :cluster, class_name: 'MigrateManagedClustersWithNoTokenToUnmanaged::Cluster'
+  end
+
+  def up
+    Cluster.managed
+      .project_type
+      .joins(:kubernetes_namespaces)
+      .where(clusters_kubernetes_namespaces: { encrypted_service_account_token: nil })
+      .where('clusters.created_at < ?', Date.new(2018, 12, 1).midnight)
+      .each_batch do |batch|
+        batch.update_all(managed: false)
+      end
+  end
+
+  def down
+  end
+end

spec/migrations/migrate_managed_clusters_with_no_token_to_unmanaged_spec.rb

@@ -0,0 +1,59 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+require Rails.root.join('db', 'post_migrate', '20190613231640_migrate_managed_clusters_with_no_token_to_unmanaged.rb')
+
+describe MigrateManagedClustersWithNoTokenToUnmanaged, :migration do
+  let(:cluster_type) { 'project_type' }
+  let(:created_at) { Date.new(2018, 11, 1).midnight }
+
+  let!(:cluster) do
+    table(:clusters).create!(
+      name: 'cluster',
+      cluster_type: described_class::Cluster.cluster_types[cluster_type],
+      managed: true,
+      created_at: created_at
+    )
+  end
+
+  let!(:kubernetes_namespace) do
+    table(:clusters_kubernetes_namespaces).create!(
+      cluster_id: cluster.id,
+      namespace: 'namespace'
+    )
+  end
+
+  it 'marks the cluster as unmanaged' do
+    migrate!
+    expect(cluster.reload).not_to be_managed
+  end
+
+  context 'cluster is not project type' do
+    let(:cluster_type) { 'group_type' }
+
+    it 'does not update the cluster' do
+      migrate!
+      expect(cluster.reload).to be_managed
+    end
+  end
+
+  context 'kubernetes namespace has a service account token' do
+    before do
+      kubernetes_namespace.update!(encrypted_service_account_token: "TOKEN")
+    end
+
+    it 'does not update the cluster' do
+      migrate!
+      expect(cluster.reload).to be_managed
+    end
+  end
+
+  context 'cluster was created after the cutoff' do
+    let(:created_at) { Date.new(2019, 1, 1).midnight }
+
+    it 'does not update the cluster' do
+      migrate!
+      expect(cluster.reload).to be_managed
+    end
+  end
+end