Commit b452d6c9 authored by Matt Kasa's avatar Matt Kasa Committed by Thong Kuah

Implement suggestions on Knative RBAC from @tkuah

Relates to https://gitlab.com/gitlab-org/gitlab/merge_requests/20244

Co-Authored-By: Thong Kuah <tkuah@gitlab.com>
parent c42f73f2
# frozen_string_literal: true
module Clusters
class KnativeServingNamespaceFinder
attr_reader :cluster
def initialize(cluster)
@cluster = cluster
end
def execute
cluster.kubeclient&.get_namespace(Clusters::Kubernetes::KNATIVE_SERVING_NAMESPACE)
rescue Kubeclient::ResourceNotFoundError
nil
end
end
end
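Review bot: `execute` returns nil for two different situations — the namespace does not exist (the rescue on L16) and the cluster has no kubeclient (the `&.` on L15) — and neither is documented, so a caller cannot tell "Knative not installed" from "cluster not configured". Only `Kubeclient::ResourceNotFoundError` is rescued; any other Kubeclient error, such as an authorization failure from a token that cannot get namespaces, propagates to the caller, which is the safer choice but should be stated so nobody later widens the rescue. Suggest a comment above `execute`: `# Returns the knative-serving Namespace, or nil when it does not exist or the cluster has no kubeclient. Other Kubeclient errors (e.g. authorization failures) propagate so a mis-scoped token is not mistaken for Knative being absent.`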
...@@ -9,9 +9,9 @@ module Clusters ...@@ -9,9 +9,9 @@ module Clusters
end end
def execute def execute
cluster&.kubeclient&.get_cluster_role_bindings&.find do |resource| cluster.kubeclient&.get_cluster_role_binding(Clusters::Kubernetes::GITLAB_KNATIVE_VERSION_ROLE_BINDING_NAME)
resource.metadata.name == Clusters::Kubernetes::GITLAB_KNATIVE_VERSION_ROLE_BINDING_NAME rescue Kubeclient::ResourceNotFoundError
end nil
end end
end end
end end
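Review bot: The new side of L24 drops the nil-safe receiver — `cluster&.kubeclient&.` became `cluster.kubeclient&.` — so `execute` now raises NoMethodError for a nil cluster where it previously returned nil. The only visible caller guards with `deployment_cluster.present?` (L41), so this looks deliberate, but the finder's contract changed silently; either keep parity with `cluster&.kubeclient&.get_cluster_role_binding(Clusters::Kubernetes::GITLAB_KNATIVE_VERSION_ROLE_BINDING_NAME)` or state it with `# Assumes a non-nil cluster; callers check presence first.` Replacing the list-and-find over all ClusterRoleBindings with a GET by name also likely narrows the RBAC verb the cluster token needs from list to get, which is worth noting in the description since it changes what a minimally-scoped token must be granted. The enclosing class starts outside the hunk.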
...@@ -71,9 +71,9 @@ module Clusters ...@@ -71,9 +71,9 @@ module Clusters
end end
def knative_serving_namespace def knative_serving_namespace
kubeclient.core_client.get_namespaces.find do |namespace| kubeclient.get_namespace(Clusters::Kubernetes::KNATIVE_SERVING_NAMESPACE)
namespace.metadata.name == Clusters::Kubernetes::KNATIVE_SERVING_NAMESPACE rescue Kubeclient::ResourceNotFoundError
end nil
end end
def create_role_or_cluster_role_binding def create_role_or_cluster_role_binding
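Review bot: `knative_serving_namespace` on the new side of L33-L35 repeats the same GET-plus-`rescue Kubeclient::ResourceNotFoundError` that the newly added `Clusters::KnativeServingNamespaceFinder` encapsulates, so the decision about which API errors mean "namespace absent" now lives in two places and can drift. If this service has access to the cluster and not only `kubeclient`, delegating to the finder would keep that decision in one place; if it only holds a kubeclient, a pointer such as `# Keep in sync with Clusters::KnativeServingNamespaceFinder#execute: nil only on 404, other errors propagate.` above the method would at least make the coupling visible. The enclosing class continues outside the hunk.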
...@@ -8,7 +8,7 @@ module Gitlab ...@@ -8,7 +8,7 @@ module Gitlab
def unmet? def unmet?
deployment_cluster.present? && deployment_cluster.present? &&
deployment_cluster.managed? && deployment_cluster.managed? &&
(missing_namespace? || missing_knative_version_role_binding?) (missing_namespace? || need_knative_version_role_binding?)
end end
def complete! def complete!
...@@ -23,8 +23,8 @@ module Gitlab ...@@ -23,8 +23,8 @@ module Gitlab
kubernetes_namespace.nil? || kubernetes_namespace.service_account_token.blank? kubernetes_namespace.nil? || kubernetes_namespace.service_account_token.blank?
end end
def missing_knative_version_role_binding? def need_knative_version_role_binding?
knative_version_role_binding.nil? !knative_serving_namespace.nil? && knative_version_role_binding.nil?
end end
def deployment_cluster def deployment_cluster
...@@ -35,6 +35,14 @@ module Gitlab ...@@ -35,6 +35,14 @@ module Gitlab
build.deployment.environment build.deployment.environment
end end
def knative_serving_namespace
strong_memoize(:knative_serving_namespace) do
Clusters::KnativeServingNamespaceFinder.new(
deployment_cluster
).execute
end
end
def knative_version_role_binding def knative_version_role_binding
strong_memoize(:knative_version_role_binding) do strong_memoize(:knative_version_role_binding) do
Clusters::KnativeVersionRoleBindingFinder.new( Clusters::KnativeVersionRoleBindingFinder.new(
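Review bot: `need_knative_version_role_binding?` on the new side of L50 tests `!knative_serving_namespace.nil?`, but the spec for the "namespace is missing" case at L73 stubs the finder with `execute: false`, and `!false.nil?` is true, so that context exercises the "namespace exists" branch rather than the one it names; the production finder returns nil (L17), so the stub does not match the real return value. Either change the stub to `double(execute: nil)` or make the predicate truthiness-based so both nil and false read as absent: `knative_serving_namespace && knative_version_role_binding.nil?`. It is worth confirming which expectation the L75 `be_truthy` is meant to encode, since with a nil stub the result depends on the outer `kubernetes_namespace` setup that is outside the hunk. The enclosing class continues outside the hunk.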
...@@ -38,28 +38,44 @@ describe Gitlab::Ci::Build::Prerequisite::KubernetesNamespace do ...@@ -38,28 +38,44 @@ describe Gitlab::Ci::Build::Prerequisite::KubernetesNamespace do
.and_return(double(execute: kubernetes_namespace)) .and_return(double(execute: kubernetes_namespace))
end end
context 'and the knative version role binding is missing' do context 'and the knative-serving namespace is missing' do
before do before do
allow(Clusters::KnativeVersionRoleBindingFinder).to receive(:new) allow(Clusters::KnativeServingNamespaceFinder).to receive(:new)
.and_return(double(execute: nil)) .and_return(double(execute: false))
end end
it { is_expected.to be_truthy } it { is_expected.to be_truthy }
end end
context 'and the knative version role binding already exists' do context 'and the knative-serving namespace exists' do
before do before do
allow(Clusters::KnativeVersionRoleBindingFinder).to receive(:new) allow(Clusters::KnativeServingNamespaceFinder).to receive(:new)
.and_return(double(execute: true)) .and_return(double(execute: true))
end end
it { is_expected.to be_falsey } context 'and the knative version role binding is missing' do
before do
context 'and the service_account_token is blank' do allow(Clusters::KnativeVersionRoleBindingFinder).to receive(:new)
let(:kubernetes_namespace) { instance_double(Clusters::KubernetesNamespace, service_account_token: nil) } .and_return(double(execute: nil))
end
it { is_expected.to be_truthy } it { is_expected.to be_truthy }
end end
context 'and the knative version role binding already exists' do
before do
allow(Clusters::KnativeVersionRoleBindingFinder).to receive(:new)
.and_return(double(execute: true))
end
it { is_expected.to be_falsey }
context 'and the service_account_token is blank' do
let(:kubernetes_namespace) { instance_double(Clusters::KubernetesNamespace, service_account_token: nil) }
it { is_expected.to be_truthy }
end
end
end end
end end
end end
...@@ -22,7 +22,6 @@ describe Clusters::Kubernetes::CreateOrUpdateNamespaceService, '#execute' do ...@@ -22,7 +22,6 @@ describe Clusters::Kubernetes::CreateOrUpdateNamespaceService, '#execute' do
before do before do
stub_kubeclient_discover(api_url) stub_kubeclient_discover(api_url)
stub_kubeclient_get_namespaces(api_url)
stub_kubeclient_get_service_account_error(api_url, 'gitlab') stub_kubeclient_get_service_account_error(api_url, 'gitlab')
stub_kubeclient_create_service_account(api_url) stub_kubeclient_create_service_account(api_url)
stub_kubeclient_get_secret_error(api_url, 'gitlab-token') stub_kubeclient_get_secret_error(api_url, 'gitlab-token')
...@@ -31,6 +30,7 @@ describe Clusters::Kubernetes::CreateOrUpdateNamespaceService, '#execute' do ...@@ -31,6 +30,7 @@ describe Clusters::Kubernetes::CreateOrUpdateNamespaceService, '#execute' do
stub_kubeclient_get_role_binding(api_url, "gitlab-#{namespace}", namespace: namespace) stub_kubeclient_get_role_binding(api_url, "gitlab-#{namespace}", namespace: namespace)
stub_kubeclient_put_role_binding(api_url, "gitlab-#{namespace}", namespace: namespace) stub_kubeclient_put_role_binding(api_url, "gitlab-#{namespace}", namespace: namespace)
stub_kubeclient_get_namespace(api_url, namespace: namespace) stub_kubeclient_get_namespace(api_url, namespace: namespace)
stub_kubeclient_get_namespace(api_url, namespace: Clusters::Kubernetes::KNATIVE_SERVING_NAMESPACE)
stub_kubeclient_get_service_account_error(api_url, "#{namespace}-service-account", namespace: namespace) stub_kubeclient_get_service_account_error(api_url, "#{namespace}-service-account", namespace: namespace)
stub_kubeclient_create_service_account(api_url, namespace: namespace) stub_kubeclient_create_service_account(api_url, namespace: namespace)
stub_kubeclient_create_secret(api_url, namespace: namespace) stub_kubeclient_create_secret(api_url, namespace: namespace)
...@@ -141,7 +141,7 @@ describe Clusters::Kubernetes::CreateOrUpdateServiceAccountService do ...@@ -141,7 +141,7 @@ describe Clusters::Kubernetes::CreateOrUpdateServiceAccountService do
before do before do
cluster.platform_kubernetes.rbac! cluster.platform_kubernetes.rbac!
stub_kubeclient_get_namespaces(api_url) stub_kubeclient_get_namespace(api_url, namespace: Clusters::Kubernetes::KNATIVE_SERVING_NAMESPACE)
stub_kubeclient_get_role_binding_error(api_url, role_binding_name, namespace: namespace) stub_kubeclient_get_role_binding_error(api_url, role_binding_name, namespace: namespace)
stub_kubeclient_create_role_binding(api_url, namespace: namespace) stub_kubeclient_create_role_binding(api_url, namespace: namespace)
stub_kubeclient_put_role(api_url, Clusters::Kubernetes::GITLAB_KNATIVE_SERVING_ROLE_NAME, namespace: namespace) stub_kubeclient_put_role(api_url, Clusters::Kubernetes::GITLAB_KNATIVE_SERVING_ROLE_NAME, namespace: namespace)