Kubernetes secret are namespaced, so must always pass a namespace arg.

In our case it's 'default'.

Kubernetes secret are namespaced, so must always pass a namespace arg.
In our case it's 'default'.
fd9d2f49 · Thong Kuah · 3c5c6c2c · fd9d2f49 · fd9d2f49 · fd9d2f49
Commit fd9d2f49 authored Sep 12, 2018 by Thong Kuah
4 changed files
--- a/app/services/clusters/gcp/kubernetes.rb
+++ b/app/services/clusters/gcp/kubernetes.rb
@@ -4,6 +4,7 @@ module Clusters
  module Gcp
    module Kubernetes
      SERVICE_ACCOUNT_NAME = 'gitlab'
+      SERVICE_ACCOUNT_NAMESPACE = 'default'
      SERVICE_ACCOUNT_TOKEN_NAME = 'gitlab-token'
      CLUSTER_ROLE_BINDING_NAME = 'gitlab-admin'
      CLUSTER_ROLE_NAME = 'cluster-admin'

--- a/app/services/clusters/gcp/kubernetes/create_service_account_service.rb
+++ b/app/services/clusters/gcp/kubernetes/create_service_account_service.rb
@@ -20,16 +20,16 @@ module Clusters
        private

        def service_account_resource
-          Gitlab::Kubernetes::ServiceAccount.new(service_account_name, namespace).generate
+          Gitlab::Kubernetes::ServiceAccount.new(service_account_name, service_account_namespace).generate
        end

        def service_account_token_resource
          Gitlab::Kubernetes::ServiceAccountToken.new(
-            SERVICE_ACCOUNT_TOKEN_NAME, service_account_name, namespace).generate
+            SERVICE_ACCOUNT_TOKEN_NAME, service_account_name, service_account_namespace).generate
        end

        def cluster_role_binding_resource
-          subjects = [{ kind: 'ServiceAccount', name: service_account_name, namespace: namespace }]
+          subjects = [{ kind: 'ServiceAccount', name: service_account_name, namespace: service_account_namespace }]

          Gitlab::Kubernetes::ClusterRoleBinding.new(
            CLUSTER_ROLE_BINDING_NAME,
@@ -42,8 +42,8 @@ module Clusters
          SERVICE_ACCOUNT_NAME
        end

-        def namespace
-          'default'
+        def service_account_namespace
+          SERVICE_ACCOUNT_NAMESPACE
        end
      end
    end

--- a/app/services/clusters/gcp/kubernetes/fetch_kubernetes_token_service.rb
+++ b/app/services/clusters/gcp/kubernetes/fetch_kubernetes_token_service.rb
@@ -18,7 +18,7 @@ module Clusters
        private

        def get_secret
-          kubeclient.get_secret(SERVICE_ACCOUNT_TOKEN_NAME).as_json
+          kubeclient.get_secret(SERVICE_ACCOUNT_TOKEN_NAME, SERVICE_ACCOUNT_NAMESPACE).as_json
        rescue Kubeclient::HttpError => err
          raise err unless err.error_code == 404


--- a/spec/support/helpers/kubernetes_helpers.rb
+++ b/spec/support/helpers/kubernetes_helpers.rb
@@ -33,15 +33,15 @@ module KubernetesHelpers
    WebMock.stub_request(:get, deployments_url).to_return(response || kube_deployments_response)
  end

-  def stub_kubeclient_get_secret(api_url, **options)
+  def stub_kubeclient_get_secret(api_url, namespace: 'default', **options)
    options[:metadata_name] ||= "default-token-1"

-    WebMock.stub_request(:get, api_url + "/api/v1/secrets/#{options[:metadata_name]}")
+    WebMock.stub_request(:get, api_url + "/api/v1/namespaces/#{namespace}/secrets/#{options[:metadata_name]}")
      .to_return(kube_response(kube_v1_secret_body(options)))
  end

-  def stub_kubeclient_get_secret_error(api_url, name)
-    WebMock.stub_request(:get, api_url + "/api/v1/secrets/#{name}")
+  def stub_kubeclient_get_secret_error(api_url, name, namespace: 'default')
+    WebMock.stub_request(:get, api_url + "/api/v1/namespaces/#{namespace}/secrets/#{name}")
      .to_return(status: [404, "Internal Server Error"])
  end