Add a QA spec for RBAC cluster and auto devops

This fails now because we have not yet implemented support for this

app/views/projects/clusters/user/_form.html.haml

@@ -27,7 +27,7 @@
 
     .form-group
       .form-check
-        = platform_kubernetes_field.check_box :authorization_type, { class: 'form-check-input' }, 'rbac', 'abac'
+        = platform_kubernetes_field.check_box :authorization_type, { class: 'form-check-input qa-rbac-checkbox' }, 'rbac', 'abac'
         = platform_kubernetes_field.label :authorization_type, s_('ClusterIntegration|RBAC-enabled cluster (experimental)'), class: 'form-check-label label-bold'
         .form-text.text-muted
           = s_('ClusterIntegration|Enable this setting if using role-based access control (RBAC).')

qa/qa/factory/resource/kubernetes_cluster.rb

@@ -31,6 +31,7 @@ module QA
             page.set_api_url(@cluster.api_url)
             page.set_ca_certificate(@cluster.ca_certificate)
             page.set_token(@cluster.token)
+            page.check_rbac! if @cluster.rbac
             page.add_cluster!
           end
 

qa/qa/page/project/operations/kubernetes/add_existing.rb

@@ -10,6 +10,7 @@ module QA
               element :ca_certificate, 'text_area :ca_cert'
               element :token, 'text_field :token'
               element :add_cluster_button, "submit s_('ClusterIntegration|Add Kubernetes cluster')"
+              element :rbac_checkbox
             end
 
             def set_cluster_name(name)
@@ -31,6 +32,10 @@ module QA
             def add_cluster!
               click_on 'Add Kubernetes cluster'
             end
+
+            def check_rbac!
+              check_element :rbac_checkbox
+            end
           end
         end
       end

qa/qa/service/kubernetes_cluster.rb

 require 'securerandom'
 require 'mkmf'
+require 'pathname'
 
 module QA
   module Service
     class KubernetesCluster
       include Service::Shellout
 
-      attr_reader :api_url, :ca_certificate, :token
+      attr_reader :api_url, :ca_certificate, :token, :rbac
+
+      def initialize(rbac: false)
+        @rbac = rbac
+      end
 
       def cluster_name
         @cluster_name ||= "qa-cluster-#{SecureRandom.hex(4)}-#{Time.now.utc.strftime("%Y%m%d%H%M%S")}"
@@ -19,7 +24,7 @@ module QA
         shell <<~CMD.tr("\n", ' ')
           gcloud container clusters
           create #{cluster_name}
-          --enable-legacy-authorization
+          #{auth_options}
           --zone #{Runtime::Env.gcloud_zone}
           && gcloud container clusters
           get-credentials
@@ -28,8 +33,21 @@ module QA
         CMD
 
         @api_url = `kubectl config view --minify -o jsonpath='{.clusters[].cluster.server}'`
+        if rbac
+          create_service_account
+
+          secrets = JSON.parse(`kubectl get secrets -o json`)
+          gitlab_account = secrets['items'].find do |item|
+            item['metadata']['annotations']['kubernetes.io/service-account.name'] == 'gitlab-account'
+          end
+
+          @ca_certificate = Base64.decode64(gitlab_account['data']['ca.crt'])
+          @token = Base64.decode64(gitlab_account['data']['token'])
+        else
           @ca_certificate = Base64.decode64(`kubectl get secrets -o jsonpath="{.items[0].data['ca\\.crt']}"`)
           @token = Base64.decode64(`kubectl get secrets -o jsonpath='{.items[0].data.token}'`)
+        end
+
         self
       end
 
@@ -44,6 +62,42 @@ module QA
 
       private
 
+      def create_service_account
+        shell('kubectl create -f -', stdin_data: service_account)
+        shell('kubectl create -f -', stdin_data: service_account_role_binding)
+      end
+
+      def service_account
+        <<~YAML
+          apiVersion: v1
+          kind: ServiceAccount
+          metadata:
+            name: gitlab-account
+            namespace: default
+        YAML
+      end
+
+      def service_account_role_binding
+        <<~YAML
+          kind: ClusterRoleBinding
+          apiVersion: rbac.authorization.k8s.io/v1
+          metadata:
+            name: gitlab-account-binding
+          subjects:
+          - kind: ServiceAccount
+            name: gitlab-account
+            namespace: default
+          roleRef:
+            kind: ClusterRole
+            name: cluster-admin
+            apiGroup: rbac.authorization.k8s.io
+        YAML
+      end
+
+      def auth_options
+        "--enable-legacy-authorization" unless rbac
+      end
+
       def validate_dependencies
         find_executable('gcloud') || raise("You must first install `gcloud` executable to run these tests.")
         find_executable('kubectl') || raise("You must first install `kubectl` executable to run these tests.")

qa/qa/service/shellout.rb

@@ -11,10 +11,12 @@ module QA
       # TODO, make it possible to use generic QA framework classes
       # as a library - gitlab-org/gitlab-qa#94
       #
-      def shell(command)
+      def shell(command, stdin_data: nil)
         puts "Executing `#{command}`"
 
-        Open3.popen2e(*command) do |_in, out, wait|
+        Open3.popen2e(*command) do |stdin, out, wait|
+          stdin.puts(stdin_data) if stdin_data
+          stdin.close if stdin_data
           out.each { |line| puts line }
 
           if wait.value.exited? && wait.value.exitstatus.nonzero?

qa/qa/specs/features/browser_ui/7_configure/auto_devops/create_project_with_auto_devops_spec.rb

@@ -9,6 +9,8 @@ module QA
         @cluster&.remove!
       end
 
+      [true, false].each do |rbac|
+        context "when rbac is #{rbac ? 'enabled' : 'disabled'}" do
           it 'user creates a new project and runs auto devops' do
             Runtime::Browser.visit(:gitlab, Page::Main::Login)
             Page::Main::Login.act { sign_in_using_credentials }
@@ -38,7 +40,7 @@ module QA
             Page::Project::Show.act { wait_for_push }
 
             # Create and connect K8s cluster
-        @cluster = Service::KubernetesCluster.new.create!
+            @cluster = Service::KubernetesCluster.new(rbac: rbac).create!
             kubernetes_cluster = Factory::Resource::KubernetesCluster.fabricate! do |cluster|
               cluster.project = project
               cluster.cluster = @cluster
@@ -66,4 +68,6 @@ module QA
           end
         end
       end
+    end
+  end
 end