Merge branch 'namespace-labels' into 'master'

Assign labels to the GMA and project k8s namespaces See merge request gitlab-org/gitlab!23027

Merge branch 'namespace-labels' into 'master'
Assign labels to the GMA and project k8s namespaces See merge request gitlab-org/gitlab!23027
dd5d5571 · Thong Kuah · fa86a635 · 375e1a52 · dd5d5571 · dd5d5571
Commit dd5d5571 authored Jan 17, 2020 by Thong Kuah
10 changed files
--- a/app/services/clusters/kubernetes/create_or_update_namespace_service.rb
+++ b/app/services/clusters/kubernetes/create_or_update_namespace_service.rb
@@ -21,10 +21,15 @@ module Clusters
      attr_reader :cluster, :kubernetes_namespace, :platform
      def create_project_service_account
+        environment_slug = kubernetes_namespace.environment&.slug
+        namespace_labels = { 'app.gitlab.com/app' => kubernetes_namespace.project.full_path_slug }
+        namespace_labels['app.gitlab.com/env'] = environment_slug if environment_slug
        Clusters::Kubernetes::CreateOrUpdateServiceAccountService.namespace_creator(
          platform.kubeclient,
          service_account_name: kubernetes_namespace.service_account_name,
          service_account_namespace: kubernetes_namespace.namespace,
+          service_account_namespace_labels: namespace_labels,
          rbac: platform.rbac?
        ).execute
      end

--- a/app/services/clusters/kubernetes/create_or_update_service_account_service.rb
+++ b/app/services/clusters/kubernetes/create_or_update_service_account_service.rb
@@ -3,10 +3,11 @@
 module Clusters
  module Kubernetes
    class CreateOrUpdateServiceAccountService
-      def initialize(kubeclient, service_account_name:, service_account_namespace:, token_name:, rbac:, namespace_creator: false, role_binding_name: nil)
+      def initialize(kubeclient, service_account_name:, service_account_namespace:, service_account_namespace_labels: nil, token_name:, rbac:, namespace_creator: false, role_binding_name: nil)
        @kubeclient = kubeclient
        @service_account_name = service_account_name
        @service_account_namespace = service_account_namespace
+        @service_account_namespace_labels = service_account_namespace_labels
        @token_name = token_name
        @rbac = rbac
        @namespace_creator = namespace_creator
@@ -23,11 +24,12 @@ module Clusters
        )
      end
-      def self.namespace_creator(kubeclient, service_account_name:, service_account_namespace:, rbac:)
+      def self.namespace_creator(kubeclient, service_account_name:, service_account_namespace:, service_account_namespace_labels:, rbac:)
        self.new(
          kubeclient,
          service_account_name: service_account_name,
          service_account_namespace: service_account_namespace,
+          service_account_namespace_labels: service_account_namespace_labels,
          token_name: "#{service_account_namespace}-token",
          rbac: rbac,
          namespace_creator: true,
@@ -55,12 +57,13 @@ module Clusters
      private
-      attr_reader :kubeclient, :service_account_name, :service_account_namespace, :token_name, :rbac, :namespace_creator, :role_binding_name
+      attr_reader :kubeclient, :service_account_name, :service_account_namespace, :service_account_namespace_labels, :token_name, :rbac, :namespace_creator, :role_binding_name
      def ensure_project_namespace_exists
        Gitlab::Kubernetes::Namespace.new(
          service_account_namespace,
-          kubeclient
+          kubeclient,
+          labels: service_account_namespace_labels
        ).ensure_exists!
      end

--- a/changelogs/unreleased/namespace-labels.yml
+++ b/changelogs/unreleased/namespace-labels.yml
+---
+title: Assign labels to the GMA and project k8s namespaces
+merge_request: 23027
+author:
+type: added
--- a/lib/gitlab/kubernetes/helm.rb
+++ b/lib/gitlab/kubernetes/helm.rb
@@ -6,6 +6,7 @@ module Gitlab
      HELM_VERSION = '2.16.1'
      KUBECTL_VERSION = '1.13.12'
      NAMESPACE = 'gitlab-managed-apps'
+      NAMESPACE_LABELS = { 'app.gitlab.com/managed_by' => :gitlab }.freeze
      SERVICE_ACCOUNT = 'tiller'
      CLUSTER_ROLE_BINDING = 'tiller-admin'
      CLUSTER_ROLE = 'cluster-admin'

--- a/lib/gitlab/kubernetes/helm/api.rb
+++ b/lib/gitlab/kubernetes/helm/api.rb
@@ -6,7 +6,11 @@ module Gitlab
      class Api
        def initialize(kubeclient)
          @kubeclient = kubeclient
-          @namespace = Gitlab::Kubernetes::Namespace.new(Gitlab::Kubernetes::Helm::NAMESPACE, kubeclient)
+          @namespace = Gitlab::Kubernetes::Namespace.new(
+            Gitlab::Kubernetes::Helm::NAMESPACE,
+            kubeclient,
+            labels: Gitlab::Kubernetes::Helm::NAMESPACE_LABELS
+          )
        end
        def install(command)

--- a/lib/gitlab/kubernetes/namespace.rb
+++ b/lib/gitlab/kubernetes/namespace.rb
@@ -3,11 +3,12 @@
 module Gitlab
  module Kubernetes
    class Namespace
-      attr_accessor :name
+      attr_accessor :name, :labels
-      def initialize(name, client)
+      def initialize(name, client, labels: nil)
        @name = name
        @client = client
+        @labels = labels
      end
      def exists?
@@ -17,7 +18,7 @@ module Gitlab
      end
      def create!
-        resource = ::Kubeclient::Resource.new(metadata: { name: name })
+        resource = ::Kubeclient::Resource.new(metadata: { name: name, labels: labels })
        log_event(:begin_create)
        @client.create_namespace(resource)

--- a/spec/lib/gitlab/kubernetes/helm/api_spec.rb
+++ b/spec/lib/gitlab/kubernetes/helm/api_spec.rb
@@ -6,7 +6,8 @@ describe Gitlab::Kubernetes::Helm::Api do
  let(:client) { double('kubernetes client') }
  let(:helm) { described_class.new(client) }
  let(:gitlab_namespace) { Gitlab::Kubernetes::Helm::NAMESPACE }
-  let(:namespace) { Gitlab::Kubernetes::Namespace.new(gitlab_namespace, client) }
+  let(:gitlab_namespace_labels) { Gitlab::Kubernetes::Helm::NAMESPACE_LABELS }
+  let(:namespace) { Gitlab::Kubernetes::Namespace.new(gitlab_namespace, client, labels: gitlab_namespace_labels) }
  let(:application_name) { 'app-name' }
  let(:rbac) { false }
  let(:files) { {} }
@@ -23,13 +24,17 @@ describe Gitlab::Kubernetes::Helm::Api do
  subject { helm }
  before do
-    allow(Gitlab::Kubernetes::Namespace).to receive(:new).with(gitlab_namespace, client).and_return(namespace)
+    allow(Gitlab::Kubernetes::Namespace).to(
+      receive(:new).with(gitlab_namespace, client, labels: gitlab_namespace_labels).and_return(namespace)
+    )
    allow(client).to receive(:create_config_map)
  end
  describe '#initialize' do
    it 'creates a namespace object' do
-      expect(Gitlab::Kubernetes::Namespace).to receive(:new).with(gitlab_namespace, client)
+      expect(Gitlab::Kubernetes::Namespace).to(
+        receive(:new).with(gitlab_namespace, client, labels: gitlab_namespace_labels)
+      )
      subject
    end

--- a/spec/lib/gitlab/kubernetes/namespace_spec.rb
+++ b/spec/lib/gitlab/kubernetes/namespace_spec.rb
@@ -5,8 +5,9 @@ require 'spec_helper'
 describe Gitlab::Kubernetes::Namespace do
  let(:name) { 'a_namespace' }
  let(:client) { double('kubernetes client') }
+  let(:labels) { nil }
-  subject { described_class.new(name, client) }
+  subject { described_class.new(name, client, labels: labels) }
  it { expect(subject.name).to eq(name) }
@@ -49,6 +50,17 @@ describe Gitlab::Kubernetes::Namespace do
      expect { subject.create! }.not_to raise_error
    end
+    context 'with labels' do
+      let(:labels) { { foo: :bar } }
+      it 'creates a namespace with labels' do
+        matcher = have_attributes(metadata: have_attributes(name: name, labels: have_attributes(foo: :bar)))
+        expect(client).to receive(:create_namespace).with(matcher).once
+        expect { subject.create! }.not_to raise_error
+      end
+    end
  end
  describe '#ensure_exists!' do

--- a/spec/services/clusters/kubernetes/create_or_update_namespace_service_spec.rb
+++ b/spec/services/clusters/kubernetes/create_or_update_namespace_service_spec.rb
@@ -57,11 +57,21 @@ describe Clusters::Kubernetes::CreateOrUpdateNamespaceService, '#execute' do
      end.to change(Clusters::KubernetesNamespace, :count).by(1)
    end
-    it 'creates project service account' do
+    it 'creates project service account and namespace' do
-      expect_next_instance_of(Clusters::Kubernetes::CreateOrUpdateServiceAccountService) do |instance|
+      account_service = double(Clusters::Kubernetes::CreateOrUpdateServiceAccountService)
-        expect(instance).to receive(:execute).once
+      expect(Clusters::Kubernetes::CreateOrUpdateServiceAccountService).to(
-      end
+        receive(:namespace_creator).with(
+          cluster.platform.kubeclient,
+          service_account_name: "#{namespace}-service-account",
+          service_account_namespace: namespace,
+          service_account_namespace_labels: {
+            'app.gitlab.com/app' => project.full_path_slug,
+            'app.gitlab.com/env' => environment.slug
+          },
+          rbac: true
+        ).and_return(account_service)
+      )
+      expect(account_service).to receive(:execute).once
      subject
    end
@@ -73,6 +83,29 @@ describe Clusters::Kubernetes::CreateOrUpdateNamespaceService, '#execute' do
      expect(kubernetes_namespace.service_account_name).to eq("#{namespace}-service-account")
      expect(kubernetes_namespace.encrypted_service_account_token).to be_present
    end
+    context 'without environment' do
+      before do
+        kubernetes_namespace.environment = nil
+      end
+      it 'creates project service account and namespace' do
+        account_service = double(Clusters::Kubernetes::CreateOrUpdateServiceAccountService)
+        expect(Clusters::Kubernetes::CreateOrUpdateServiceAccountService).to(
+          receive(:namespace_creator).with(
+            cluster.platform.kubeclient,
+            service_account_name: "#{namespace}-service-account",
+            service_account_namespace: namespace,
+            service_account_namespace_labels: {
+              'app.gitlab.com/app' => project.full_path_slug
+            },
+            rbac: true
+          ).and_return(account_service)
+        )
+        expect(account_service).to receive(:execute).once
+        subject
+      end
+    end
  end
  context 'group clusters' do

--- a/spec/services/clusters/kubernetes/create_or_update_service_account_service_spec.rb
+++ b/spec/services/clusters/kubernetes/create_or_update_service_account_service_spec.rb
@@ -116,6 +116,7 @@ describe Clusters::Kubernetes::CreateOrUpdateServiceAccountService do
  describe '.namespace_creator' do
    let(:namespace) { "#{project.path}-#{project.id}" }
+    let(:namespace_labels) { { app: project.full_path_slug, env: "staging" } }
    let(:service_account_name) { "#{namespace}-service-account" }
    let(:token_name) { "#{namespace}-token" }
@@ -124,6 +125,7 @@ describe Clusters::Kubernetes::CreateOrUpdateServiceAccountService do
        kubeclient,
        service_account_name: service_account_name,
        service_account_namespace: namespace,
+        service_account_namespace_labels: namespace_labels,
        rbac: rbac
      ).execute
    end
@@ -149,6 +151,16 @@ describe Clusters::Kubernetes::CreateOrUpdateServiceAccountService do
        stub_kubeclient_put_role_binding(api_url, Clusters::Kubernetes::GITLAB_CROSSPLANE_DATABASE_ROLE_BINDING_NAME, namespace: namespace)
      end
+      it 'creates a namespace object' do
+        kubernetes_namespace = double(Gitlab::Kubernetes::Namespace)
+        expect(Gitlab::Kubernetes::Namespace).to(
+          receive(:new).with(namespace, kubeclient, labels: namespace_labels).and_return(kubernetes_namespace)
+        )
+        expect(kubernetes_namespace).to receive(:ensure_exists!)
+        subject
+      end
      it_behaves_like 'creates service account and token'
      it 'creates a namespaced role binding with edit access' do