ABAC: fetch default service account token; RBAC: fetch gitlab service acount token

Keeps existing behaviour for ABAC cluster

ABAC: fetch default service account token; RBAC: fetch gitlab service acount token
Keeps existing behaviour for ABAC cluster
577c79bb · Thong Kuah · c9af170d · 577c79bb · 577c79bb · 577c79bb
Commit 577c79bb authored Sep 07, 2018 by Thong Kuah
4 changed files
--- a/app/services/clusters/gcp/finalize_creation_service.rb
+++ b/app/services/clusters/gcp/finalize_creation_service.rb
@@ -47,7 +47,9 @@ module Clusters
      end

      def request_kubernetes_token
-        Clusters::Gcp::Kubernetes::FetchKubernetesTokenService.new(kube_client).execute
+        service_account_name = rbac_clusters_feature_enabled? ? Clusters::Gcp::Kubernetes::SERVICE_ACCOUNT_NAME : 'default'
+
+        Clusters::Gcp::Kubernetes::FetchKubernetesTokenService.new(kube_client, service_account_name).execute
      end

      def authorization_type

--- a/app/services/clusters/gcp/kubernetes/fetch_kubernetes_token_service.rb
+++ b/app/services/clusters/gcp/kubernetes/fetch_kubernetes_token_service.rb
@@ -4,10 +4,11 @@ module Clusters
  module Gcp
    module Kubernetes
      class FetchKubernetesTokenService
-        attr_reader :kubeclient
+        attr_reader :kubeclient, :service_account_name

-        def initialize(kubeclient)
+        def initialize(kubeclient, service_account_name)
          @kubeclient = kubeclient
+          @service_account_name = service_account_name
        end

        def execute
@@ -25,7 +26,7 @@ module Clusters
        private

        def token_regex
-          /#{SERVICE_ACCOUNT_NAME}-token/
+          /#{service_account_name}-token/
        end

        def read_secrets

--- a/spec/services/clusters/gcp/finalize_creation_service_spec.rb
+++ b/spec/services/clusters/gcp/finalize_creation_service_spec.rb
@@ -52,13 +52,14 @@ describe Clusters::Gcp::FinalizeCreationService do
      end

      context 'when suceeded to fetch kuberenetes token' do
+        let(:secret_name) { 'default-token-Y1a' }
        let(:token) { 'sample-token' }

        before do
          stub_kubeclient_get_secrets(
            api_url,
            {
-              metadata_name: 'gitlab-token-Y1a',
+              metadata_name: secret_name,
              token: Base64.encode64(token)
            } )
        end
@@ -81,6 +82,8 @@ describe Clusters::Gcp::FinalizeCreationService do
        end

        context 'rbac_clusters feature enabled' do
+          let(:secret_name) { 'gitlab-token-Y1a' }
+
          before do
            stub_feature_flags(rbac_clusters: true)
            stub_kubeclient_create_service_account(api_url)
@@ -106,20 +109,44 @@ describe Clusters::Gcp::FinalizeCreationService do
        end
      end

-      context 'when default-token is not found' do
+      context 'when no matching token is found' do
        before do
-          stub_kubeclient_get_secrets(api_url, metadata_name: 'aaaa')
+          stub_kubeclient_get_secrets(api_url, metadata_name: 'not-default-not-gitlab')
        end

        it_behaves_like 'error'
+
+        context 'rbac_clusters feature enabled' do
+          before do
+            stub_feature_flags(rbac_clusters: true)
+            stub_kubeclient_create_service_account(api_url)
+            stub_kubeclient_create_cluster_role_binding(api_url)
+          end
+
+          it_behaves_like 'error'
+        end
      end

      context 'when token is empty' do
+        let(:secret_name) { 'default-token-123' }
+
        before do
-          stub_kubeclient_get_secrets(api_url, token: '')
+          stub_kubeclient_get_secrets(api_url, token: '', metadata_name: secret_name)
        end

        it_behaves_like 'error'
+
+        context 'rbac_clusters feature enabled' do
+          let(:secret_name) { 'gitlab-token-321' }
+
+          before do
+            stub_feature_flags(rbac_clusters: true)
+            stub_kubeclient_create_service_account(api_url)
+            stub_kubeclient_create_cluster_role_binding(api_url)
+          end
+
+          it_behaves_like 'error'
+        end
      end

      context 'when failed to fetch kuberenetes token' do
@@ -128,6 +155,16 @@ describe Clusters::Gcp::FinalizeCreationService do
        end

        it_behaves_like 'error'
+
+        context 'rbac_clusters feature enabled' do
+          before do
+            stub_feature_flags(rbac_clusters: true)
+            stub_kubeclient_create_service_account(api_url)
+            stub_kubeclient_create_cluster_role_binding(api_url)
+          end
+
+          it_behaves_like 'error'
+        end
      end
    end


--- a/spec/services/clusters/gcp/kubernetes/fetch_kubernetes_token_service_spec.rb
+++ b/spec/services/clusters/gcp/kubernetes/fetch_kubernetes_token_service_spec.rb
@@ -2,11 +2,13 @@ require 'spec_helper'

 describe Clusters::Gcp::Kubernetes::FetchKubernetesTokenService do
  describe '#execute' do
-    subject { described_class.new(kubeclient).execute }
+    subject { described_class.new(kubeclient, service_account_name).execute }

+    let(:service_account_name) { 'gitlab-sa' }
    let(:api_url) { 'http://111.111.111.111' }
    let(:username) { 'admin' }
    let(:password) { 'xxx' }
+
    let(:kubeclient) do
      Gitlab::Kubernetes::KubeClient.new(
        api_url,
@@ -44,8 +46,8 @@ describe Clusters::Gcp::Kubernetes::FetchKubernetesTokenService do
          .to receive(:get_secrets).and_return(secrets_json)
      end

-      context 'when gitlab-token exists' do
-        let(:metadata_name) { 'gitlab-token-123' }
+      context 'when token for service account exists' do
+        let(:metadata_name) { 'gitlab-sa-token-123' }

        it { is_expected.to eq(token) }
      end