140 lines
4.0 KiB
Ruby
140 lines
4.0 KiB
Ruby
# frozen_string_literal: true
|
|
|
|
module Clusters
|
|
module Aws
|
|
class FinalizeCreationService
|
|
include Gitlab::Utils::StrongMemoize
|
|
|
|
attr_reader :provider
|
|
|
|
delegate :cluster, to: :provider
|
|
|
|
def execute(provider)
|
|
@provider = provider
|
|
|
|
configure_provider
|
|
create_gitlab_service_account!
|
|
configure_platform_kubernetes
|
|
configure_node_authentication!
|
|
|
|
cluster.save!
|
|
rescue ::Aws::CloudFormation::Errors::ServiceError => e
|
|
log_service_error(e.class.name, provider.id, e.message)
|
|
provider.make_errored!(s_('ClusterIntegration|Failed to fetch CloudFormation stack: %{message}') % { message: e.message })
|
|
rescue Kubeclient::HttpError => e
|
|
log_service_error(e.class.name, provider.id, e.message)
|
|
provider.make_errored!(s_('ClusterIntegration|Failed to run Kubeclient: %{message}') % { message: e.message })
|
|
rescue ActiveRecord::RecordInvalid => e
|
|
log_service_error(e.class.name, provider.id, e.message)
|
|
provider.make_errored!(s_('ClusterIntegration|Failed to configure EKS provider: %{message}') % { message: e.message })
|
|
end
|
|
|
|
private
|
|
|
|
def create_gitlab_service_account!
|
|
Clusters::Kubernetes::CreateOrUpdateServiceAccountService.gitlab_creator(
|
|
kube_client,
|
|
rbac: true
|
|
).execute
|
|
end
|
|
|
|
def configure_provider
|
|
provider.status_event = :make_created
|
|
end
|
|
|
|
def configure_platform_kubernetes
|
|
cluster.build_platform_kubernetes(
|
|
api_url: cluster_endpoint,
|
|
ca_cert: cluster_certificate,
|
|
token: request_kubernetes_token)
|
|
end
|
|
|
|
def request_kubernetes_token
|
|
Clusters::Kubernetes::FetchKubernetesTokenService.new(
|
|
kube_client,
|
|
Clusters::Kubernetes::GITLAB_ADMIN_TOKEN_NAME,
|
|
Clusters::Kubernetes::GITLAB_SERVICE_ACCOUNT_NAMESPACE
|
|
).execute
|
|
end
|
|
|
|
def kube_client
|
|
@kube_client ||= build_kube_client!(
|
|
cluster_endpoint,
|
|
cluster_certificate
|
|
)
|
|
end
|
|
|
|
def build_kube_client!(api_url, ca_pem)
|
|
raise "Incomplete settings" unless api_url
|
|
|
|
Gitlab::Kubernetes::KubeClient.new(
|
|
api_url,
|
|
auth_options: kubeclient_auth_options,
|
|
ssl_options: kubeclient_ssl_options(ca_pem),
|
|
http_proxy_uri: ENV['http_proxy']
|
|
)
|
|
end
|
|
|
|
def kubeclient_auth_options
|
|
{ bearer_token: Kubeclient::AmazonEksCredentials.token(provider.credentials, cluster.name) }
|
|
end
|
|
|
|
def kubeclient_ssl_options(ca_pem)
|
|
opts = { verify_ssl: OpenSSL::SSL::VERIFY_PEER }
|
|
|
|
if ca_pem.present?
|
|
opts[:cert_store] = OpenSSL::X509::Store.new
|
|
opts[:cert_store].add_cert(OpenSSL::X509::Certificate.new(ca_pem))
|
|
end
|
|
|
|
opts
|
|
end
|
|
|
|
def cluster_stack
|
|
@cluster_stack ||= provider.api_client.describe_stacks(stack_name: provider.cluster.name).stacks.first
|
|
end
|
|
|
|
def stack_output_value(key)
|
|
cluster_stack.outputs.detect { |output| output.output_key == key }.output_value
|
|
end
|
|
|
|
def node_instance_role_arn
|
|
stack_output_value('NodeInstanceRole')
|
|
end
|
|
|
|
def cluster_endpoint
|
|
strong_memoize(:cluster_endpoint) do
|
|
stack_output_value('ClusterEndpoint')
|
|
end
|
|
end
|
|
|
|
def cluster_certificate
|
|
strong_memoize(:cluster_certificate) do
|
|
Base64.decode64(stack_output_value('ClusterCertificate'))
|
|
end
|
|
end
|
|
|
|
def configure_node_authentication!
|
|
kube_client.create_config_map(node_authentication_config)
|
|
end
|
|
|
|
def node_authentication_config
|
|
Gitlab::Kubernetes::ConfigMaps::AwsNodeAuth.new(node_instance_role_arn).generate
|
|
end
|
|
|
|
def logger
|
|
@logger ||= Gitlab::Kubernetes::Logger.build
|
|
end
|
|
|
|
def log_service_error(exception, provider_id, message)
|
|
logger.error(
|
|
exception: exception.class.name,
|
|
service: self.class.name,
|
|
provider_id: provider_id,
|
|
message: message
|
|
)
|
|
end
|
|
end
|
|
end
|
|
end
|