Require k8s cluster for DAST template

During transition to rules syntax, we missed the condition required to ensure DAST jobs only execute if a cluster is present. Replacing the previous `only:kubernetes` behavior, we need `CI_KUBERNETES_ACTIVE` Relates to https://gitlab.com/gitlab-org/gitlab/-/issues/224117

Require k8s cluster for DAST template
During transition to rules syntax, we missed the condition required to ensure DAST jobs only execute if a cluster is present. Replacing the previous `only:kubernetes` behavior, we need `CI_KUBERNETES_ACTIVE` Relates to https://gitlab.com/gitlab-org/gitlab/-/issues/224117
90345b7a · Lucas Charles · Stan Hu · 31307c8b · 90345b7a · 90345b7a
Commit 90345b7a authored Jul 01, 2020 by Lucas Charles Committed by Stan Hu Jul 01, 2020
3 changed files
--- a/changelogs/unreleased/224117-require-k8s-for-dast-template.yml
+++ b/changelogs/unreleased/224117-require-k8s-for-dast-template.yml
+---
+title: Only run DAST job if Kubernetes active
+merge_request: 35259
+author:
+type: fixed
--- a/ee/spec/lib/gitlab/ci/templates/dast_gitlab_ci_yaml_spec.rb
+++ b/ee/spec/lib/gitlab/ci/templates/dast_gitlab_ci_yaml_spec.rb
@@ -28,19 +28,54 @@ RSpec.describe 'DAST.gitlab-ci.yml' do
    context 'when project has Ultimate license' do
      let(:license) { create(:license, plan: License::ULTIMATE_PLAN) }
+      let(:cluster) { create(:cluster, :project, :provided_by_gcp, projects: [project]) }
      before do
        allow(License).to receive(:current).and_return(license)
      end
      context 'by default' do
+        before do
+          allow(cluster).to receive(:active?).and_return(true)
+        end
        it 'includes job' do
          expect(build_names).to match_array(%w[dast])
        end
      end
+      context 'when cluster is not active' do
+        context 'by default' do
+          it 'includes no jobs' do
+            expect { pipeline }.to raise_error(Ci::CreatePipelineService::CreateError)
+          end
+        end
+        context 'when DAST_WEBSITE is present' do
+          before do
+            create(:ci_variable, project: project, key: 'DAST_WEBSITE', value: 'http://example.com')
+          end
+          it 'includes job' do
+            expect(build_names).to match_array(%w[dast])
+          end
+        end
+        context 'when DAST_API_SPECIFICATION is present' do
+          before do
+            create(:ci_variable, project: project, key: 'DAST_API_SPECIFICATION', value: 'http://my.api/api-specification.yml')
+          end
+          it 'includes job' do
+            expect(build_names).to match_array(%w[dast])
+          end
+        end
+      end
      context 'when DAST_DISABLED=1' do
        before do
+          allow(cluster).to receive(:active?).and_return(true)
          create(:ci_variable, project: project, key: 'DAST_DISABLED', value: '1')
        end
@@ -51,6 +86,8 @@ RSpec.describe 'DAST.gitlab-ci.yml' do
      context 'when DAST_DISABLED_FOR_DEFAULT_BRANCH=1' do
        before do
+          allow(cluster).to receive(:active?).and_return(true)
          create(:ci_variable, project: project, key: 'DAST_DISABLED_FOR_DEFAULT_BRANCH', value: '1')
        end
@@ -75,6 +112,8 @@ RSpec.describe 'DAST.gitlab-ci.yml' do
      context 'when REVIEW_DISABLED=true' do
        before do
+          allow(cluster).to receive(:active?).and_return(true)
          create(:ci_variable, project: project, key: 'REVIEW_DISABLED', value: 'true')
        end

--- a/lib/gitlab/ci/templates/Security/DAST.gitlab-ci.yml
+++ b/lib/gitlab/ci/templates/Security/DAST.gitlab-ci.yml
@@ -41,4 +41,11 @@ dast:
          $DAST_API_SPECIFICATION == null
      when: never
    - if: $CI_COMMIT_BRANCH &&
+          $CI_KUBERNETES_ACTIVE &&
          $GITLAB_FEATURES =~ /\bdast\b/
+    - if: $CI_COMMIT_BRANCH &&
+          $GITLAB_FEATURES =~ /\bdast\b/ &&
+          $DAST_WEBSITE
+    - if: $CI_COMMIT_BRANCH &&
+          $GITLAB_FEATURES =~ /\bdast\b/ &&
+          $DAST_API_SPECIFICATION