Commit 08bc9d5e authored by Kamil Trzciński's avatar Kamil Trzciński

Merge branch '53696-make-rbac-default' into 'master'

Make RBAC enabled by default for new clusters

Closes #53696

See merge request gitlab-org/gitlab-ce!24119
parents 553fb1bc 9275e1df
...@@ -65,6 +65,8 @@ module Clusters ...@@ -65,6 +65,8 @@ module Clusters
abac: 2 abac: 2
} }
default_value_for :authorization_type, :rbac
def actual_namespace def actual_namespace
if namespace.present? if namespace.present?
namespace namespace
......
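Review bot: `default_value_for :authorization_type, :rbac` changes the default only for records instantiated through the model; it does not touch the column's database default, so rows created by any other path keep whatever the DB default is, and records already persisted with a nil `authorization_type` are not affected (the migration in this commit only changes `cluster_providers_gcp.legacy_abac`). If `rbac?` answers falsey for nil, such a cluster would quietly get ABAC-style application installs despite the new product default. If a DB default exists for this column it is worth aligning it in the same migration; either way a comment above the line would make the scope explicit, e.g. `# Model-level default only: existing rows and raw inserts are not affected.` The enclosing module continues outside the hunk.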
---
title: Make RBAC enabled default for new clusters
merge_request: 24119
author:
type: changed
# frozen_string_literal: true
class MakeLegacyFalseDefault < ActiveRecord::Migration[5.0]
DOWNTIME = false
def change
change_column_default :cluster_providers_gcp, :legacy_abac, from: true, to: false
end
end
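Review bot: The migration flips only the column default and leaves existing rows at `true`, but nothing says this is deliberate; a later reader could be tempted to add a backfill, which would mark already-provisioned ABAC GKE clusters as RBAC and make GitLab create role bindings that the cluster does not enforce. A one-line comment above `change_column_default` would preserve the intent, e.g. `# Default only: existing rows reflect how their GKE cluster was actually provisioned and must not be backfilled.` Using `from:`/`to:` keeps the migration reversible, so `change` is appropriate here.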
...@@ -10,7 +10,7 @@ ...@@ -10,7 +10,7 @@
# #
# It's strongly recommended that you check this file into your version control system. # It's strongly recommended that you check this file into your version control system.
ActiveRecord::Schema.define(version: 20181219145520) do ActiveRecord::Schema.define(version: 20190103140724) do
# These are extensions that must be enabled in order to support this database # These are extensions that must be enabled in order to support this database
enable_extension "plpgsql" enable_extension "plpgsql"
...@@ -630,7 +630,7 @@ ActiveRecord::Schema.define(version: 20181219145520) do ...@@ -630,7 +630,7 @@ ActiveRecord::Schema.define(version: 20181219145520) do
t.string "endpoint" t.string "endpoint"
t.text "encrypted_access_token" t.text "encrypted_access_token"
t.string "encrypted_access_token_iv" t.string "encrypted_access_token_iv"
t.boolean "legacy_abac", default: true, null: false t.boolean "legacy_abac", default: false, null: false
t.index ["cluster_id"], name: "index_cluster_providers_gcp_on_cluster_id", unique: true, using: :btree t.index ["cluster_id"], name: "index_cluster_providers_gcp_on_cluster_id", unique: true, using: :btree
end end
......
...@@ -92,6 +92,10 @@ module QA ...@@ -92,6 +92,10 @@ module QA
find_element(name).set(true) find_element(name).set(true)
end end
def uncheck_element(name)
find_element(name).set(false)
end
def click_element(name) def click_element(name)
find_element(name).click find_element(name).click
end end
......
...@@ -33,8 +33,8 @@ module QA ...@@ -33,8 +33,8 @@ module QA
click_on 'Add Kubernetes cluster' click_on 'Add Kubernetes cluster'
end end
def check_rbac! def uncheck_rbac!
check_element :rbac_checkbox uncheck_element :rbac_checkbox
end end
end end
end end
......
...@@ -29,7 +29,7 @@ module QA ...@@ -29,7 +29,7 @@ module QA
page.set_api_url(@cluster.api_url) page.set_api_url(@cluster.api_url)
page.set_ca_certificate(@cluster.ca_certificate) page.set_ca_certificate(@cluster.ca_certificate)
page.set_token(@cluster.token) page.set_token(@cluster.token)
page.check_rbac! if @cluster.rbac page.uncheck_rbac! unless @cluster.rbac
page.add_cluster! page.add_cluster!
end end
......
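Review bot: `page.uncheck_rbac! unless @cluster.rbac` unchecks the box whenever `@cluster.rbac` is unset, so a resource that never assigns `rbac` exercises the ABAC path rather than the new product default; before this change an unset value left the form alone, which happened to mean the same thing, but the intent is now hidden behind a nil. If the resource's `rbac` attribute does not default to true (not visible here), consider giving it an explicit default so the scenario covers RBAC unless a test opts out, or assert the checkbox state before `page.add_cluster!`. The enclosing method starts outside the hunk.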
...@@ -33,32 +33,6 @@ describe 'Gcp Cluster', :js do ...@@ -33,32 +33,6 @@ describe 'Gcp Cluster', :js do
context 'when user filled form with valid parameters' do context 'when user filled form with valid parameters' do
subject { click_button 'Create Kubernetes cluster' } subject { click_button 'Create Kubernetes cluster' }
shared_examples 'valid cluster gcp form' do
it 'users sees a form with the GCP token' do
expect(page).to have_selector(:css, 'form[data-token="token"]')
end
it 'user sees a cluster details page and creation status' do
subject
expect(page).to have_content('Kubernetes cluster is being created on Google Kubernetes Engine...')
Clusters::Cluster.last.provider.make_created!
expect(page).to have_content('Kubernetes cluster was successfully created on Google Kubernetes Engine')
end
it 'user sees a error if something wrong during creation' do
subject
expect(page).to have_content('Kubernetes cluster is being created on Google Kubernetes Engine...')
Clusters::Cluster.last.provider.make_errored!('Something wrong!')
expect(page).to have_content('Something wrong!')
end
end
before do before do
allow_any_instance_of(GoogleApi::CloudPlatform::Client) allow_any_instance_of(GoogleApi::CloudPlatform::Client)
.to receive(:projects_zones_clusters_create) do .to receive(:projects_zones_clusters_create) do
...@@ -82,14 +56,32 @@ describe 'Gcp Cluster', :js do ...@@ -82,14 +56,32 @@ describe 'Gcp Cluster', :js do
fill_in 'cluster[provider_gcp_attributes][machine_type]', with: 'n1-standard-2' fill_in 'cluster[provider_gcp_attributes][machine_type]', with: 'n1-standard-2'
end end
it_behaves_like 'valid cluster gcp form' it 'users sees a form with the GCP token' do
expect(page).to have_selector(:css, 'form[data-token="token"]')
end
context 'RBAC is enabled for the cluster' do it 'user sees a cluster details page and creation status' do
before do subject
check 'cluster_provider_gcp_attributes_legacy_abac'
expect(page).to have_content('Kubernetes cluster is being created on Google Kubernetes Engine...')
Clusters::Cluster.last.provider.make_created!
expect(page).to have_content('Kubernetes cluster was successfully created on Google Kubernetes Engine')
end
it 'user sees a error if something wrong during creation' do
subject
expect(page).to have_content('Kubernetes cluster is being created on Google Kubernetes Engine...')
Clusters::Cluster.last.provider.make_errored!('Something wrong!')
expect(page).to have_content('Something wrong!')
end end
it_behaves_like 'valid cluster gcp form' it 'user sees RBAC is enabled by default' do
expect(page).to have_checked_field('RBAC-enabled cluster')
end end
end end
......
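Review bot: `it 'user sees RBAC is enabled by default'` only checks the checkbox state before submission; nothing in the spec verifies that the created provider is persisted with `legacy_abac: false`, and the removed `check 'cluster_provider_gcp_attributes_legacy_abac'` context was the only place the opposite path was exercised, so neither direction of this security-relevant flag is asserted end to end. Add an assertion after `subject` such as `expect(Clusters::Cluster.last.provider).not_to be_legacy_abac`, and keep a context that unchecks the box and expects `be_legacy_abac`. The `describe` block continues outside the hunk.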
...@@ -23,19 +23,6 @@ describe 'User Cluster', :js do ...@@ -23,19 +23,6 @@ describe 'User Cluster', :js do
end end
context 'when user filled form with valid parameters' do context 'when user filled form with valid parameters' do
shared_examples 'valid cluster user form' do
it 'user sees a cluster details page' do
subject
expect(page).to have_content('Kubernetes cluster integration')
expect(page.find_field('cluster[name]').value).to eq('dev-cluster')
expect(page.find_field('cluster[platform_kubernetes_attributes][api_url]').value)
.to have_content('http://example.com')
expect(page.find_field('cluster[platform_kubernetes_attributes][token]').value)
.to have_content('my-token')
end
end
before do before do
fill_in 'cluster_name', with: 'dev-cluster' fill_in 'cluster_name', with: 'dev-cluster'
fill_in 'cluster_platform_kubernetes_attributes_api_url', with: 'http://example.com' fill_in 'cluster_platform_kubernetes_attributes_api_url', with: 'http://example.com'
...@@ -44,20 +31,19 @@ describe 'User Cluster', :js do ...@@ -44,20 +31,19 @@ describe 'User Cluster', :js do
subject { click_button 'Add Kubernetes cluster' } subject { click_button 'Add Kubernetes cluster' }
it_behaves_like 'valid cluster user form' it 'user sees a cluster details page' do
context 'RBAC is enabled for the cluster' do
before do
check 'cluster_platform_kubernetes_attributes_authorization_type'
end
it_behaves_like 'valid cluster user form'
it 'user sees a cluster details page with RBAC enabled' do
subject subject
expect(page.find_field('cluster[platform_kubernetes_attributes][authorization_type]', disabled: true)).to be_checked expect(page).to have_content('Kubernetes cluster integration')
expect(page.find_field('cluster[name]').value).to eq('dev-cluster')
expect(page.find_field('cluster[platform_kubernetes_attributes][api_url]').value)
.to have_content('http://example.com')
expect(page.find_field('cluster[platform_kubernetes_attributes][token]').value)
.to have_content('my-token')
end end
it 'user sees RBAC is enabled by default' do
expect(page).to have_checked_field('RBAC-enabled cluster')
end end
end end
......
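Review bot: The removed example asserted that after submission the persisted platform still reported RBAC (`find_field(..., disabled: true)).to be_checked`); its replacement `have_checked_field('RBAC-enabled cluster')` runs before `subject` and only checks the form's initial state, so a regression in how `authorization_type` is submitted or saved would no longer be caught. Add `expect(Clusters::Cluster.last.platform_kubernetes).to be_rbac` after `subject` in the details-page example, and consider keeping an explicit uncheck context so the ABAC path stays covered. The `describe` block continues outside the hunk.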
...@@ -29,7 +29,7 @@ describe Clusters::Applications::CertManager do ...@@ -29,7 +29,7 @@ describe Clusters::Applications::CertManager do
expect(subject.name).to eq('certmanager') expect(subject.name).to eq('certmanager')
expect(subject.chart).to eq('stable/cert-manager') expect(subject.chart).to eq('stable/cert-manager')
expect(subject.version).to eq('v0.5.2') expect(subject.version).to eq('v0.5.2')
expect(subject).not_to be_rbac expect(subject).to be_rbac
expect(subject.files).to eq(cert_manager.files.merge(cluster_issuer_file)) expect(subject.files).to eq(cert_manager.files.merge(cluster_issuer_file))
expect(subject.postinstall).to eq(['/usr/bin/kubectl create -f /data/helm/certmanager/config/cluster_issuer.yaml']) expect(subject.postinstall).to eq(['/usr/bin/kubectl create -f /data/helm/certmanager/config/cluster_issuer.yaml'])
end end
...@@ -45,12 +45,12 @@ describe Clusters::Applications::CertManager do ...@@ -45,12 +45,12 @@ describe Clusters::Applications::CertManager do
end end
end end
context 'on a rbac enabled cluster' do context 'on a non rbac enabled cluster' do
before do before do
cert_manager.cluster.platform_kubernetes.rbac! cert_manager.cluster.platform_kubernetes.abac!
end end
it { is_expected.to be_rbac } it { is_expected.not_to be_rbac }
end end
context 'application failed to install previously' do context 'application failed to install previously' do
......
...@@ -49,16 +49,16 @@ describe Clusters::Applications::Helm do ...@@ -49,16 +49,16 @@ describe Clusters::Applications::Helm do
end end
describe 'rbac' do describe 'rbac' do
context 'non rbac cluster' do context 'rbac cluster' do
it { expect(subject).not_to be_rbac } it { expect(subject).to be_rbac }
end end
context 'rbac cluster' do context 'non rbac cluster' do
before do before do
helm.cluster.platform_kubernetes.rbac! helm.cluster.platform_kubernetes.abac!
end end
it { expect(subject).to be_rbac } it { expect(subject).not_to be_rbac }
end end
end end
end end
......
...@@ -91,16 +91,16 @@ describe Clusters::Applications::Ingress do ...@@ -91,16 +91,16 @@ describe Clusters::Applications::Ingress do
expect(subject.name).to eq('ingress') expect(subject.name).to eq('ingress')
expect(subject.chart).to eq('stable/nginx-ingress') expect(subject.chart).to eq('stable/nginx-ingress')
expect(subject.version).to eq('0.23.0') expect(subject.version).to eq('0.23.0')
expect(subject).not_to be_rbac expect(subject).to be_rbac
expect(subject.files).to eq(ingress.files) expect(subject.files).to eq(ingress.files)
end end
context 'on a rbac enabled cluster' do context 'on a non rbac enabled cluster' do
before do before do
ingress.cluster.platform_kubernetes.rbac! ingress.cluster.platform_kubernetes.abac!
end end
it { is_expected.to be_rbac } it { is_expected.not_to be_rbac }
end end
context 'application failed to install previously' do context 'application failed to install previously' do
......
...@@ -52,17 +52,17 @@ describe Clusters::Applications::Jupyter do ...@@ -52,17 +52,17 @@ describe Clusters::Applications::Jupyter do
expect(subject.name).to eq('jupyter') expect(subject.name).to eq('jupyter')
expect(subject.chart).to eq('jupyter/jupyterhub') expect(subject.chart).to eq('jupyter/jupyterhub')
expect(subject.version).to eq('v0.6') expect(subject.version).to eq('v0.6')
expect(subject).not_to be_rbac expect(subject).to be_rbac
expect(subject.repository).to eq('https://jupyterhub.github.io/helm-chart/') expect(subject.repository).to eq('https://jupyterhub.github.io/helm-chart/')
expect(subject.files).to eq(jupyter.files) expect(subject.files).to eq(jupyter.files)
end end
context 'on a rbac enabled cluster' do context 'on a non rbac enabled cluster' do
before do before do
jupyter.cluster.platform_kubernetes.rbac! jupyter.cluster.platform_kubernetes.abac!
end end
it { is_expected.to be_rbac } it { is_expected.not_to be_rbac }
end end
context 'application failed to install previously' do context 'application failed to install previously' do
......
...@@ -161,20 +161,16 @@ describe Clusters::Applications::Prometheus do ...@@ -161,20 +161,16 @@ describe Clusters::Applications::Prometheus do
expect(subject.name).to eq('prometheus') expect(subject.name).to eq('prometheus')
expect(subject.chart).to eq('stable/prometheus') expect(subject.chart).to eq('stable/prometheus')
expect(subject.version).to eq('6.7.3') expect(subject.version).to eq('6.7.3')
expect(subject).not_to be_rbac expect(subject).to be_rbac
expect(subject.files).to eq(prometheus.files) expect(subject.files).to eq(prometheus.files)
end end
it 'should not install knative metrics' do context 'on a non rbac enabled cluster' do
expect(subject.postinstall).to be_nil
end
context 'on a rbac enabled cluster' do
before do before do
prometheus.cluster.platform_kubernetes.rbac! prometheus.cluster.platform_kubernetes.abac!
end end
it { is_expected.to be_rbac } it { is_expected.not_to be_rbac }
end end
context 'application failed to install previously' do context 'application failed to install previously' do
...@@ -185,13 +181,17 @@ describe Clusters::Applications::Prometheus do ...@@ -185,13 +181,17 @@ describe Clusters::Applications::Prometheus do
end end
end end
it 'should not install knative metrics' do
expect(subject.postinstall).to be_nil
end
context 'with knative installed' do context 'with knative installed' do
let(:knative) { create(:clusters_applications_knative, :installed ) } let(:knative) { create(:clusters_applications_knative, :installed ) }
let(:prometheus) { create(:clusters_applications_prometheus, cluster: knative.cluster) } let(:prometheus) { create(:clusters_applications_prometheus, cluster: knative.cluster) }
subject { prometheus.install_command } subject { prometheus.install_command }
it 'should install metrics' do it 'should install knative metrics' do
expect(subject.postinstall).to include("kubectl apply -f #{Clusters::Applications::Knative::METRICS_CONFIG}") expect(subject.postinstall).to include("kubectl apply -f #{Clusters::Applications::Knative::METRICS_CONFIG}")
end end
end end
......
...@@ -47,17 +47,17 @@ describe Clusters::Applications::Runner do ...@@ -47,17 +47,17 @@ describe Clusters::Applications::Runner do
expect(subject.name).to eq('runner') expect(subject.name).to eq('runner')
expect(subject.chart).to eq('runner/gitlab-runner') expect(subject.chart).to eq('runner/gitlab-runner')
expect(subject.version).to eq('0.1.43') expect(subject.version).to eq('0.1.43')
expect(subject).not_to be_rbac expect(subject).to be_rbac
expect(subject.repository).to eq('https://charts.gitlab.io') expect(subject.repository).to eq('https://charts.gitlab.io')
expect(subject.files).to eq(gitlab_runner.files) expect(subject.files).to eq(gitlab_runner.files)
end end
context 'on a rbac enabled cluster' do context 'on a non rbac enabled cluster' do
before do before do
gitlab_runner.cluster.platform_kubernetes.rbac! gitlab_runner.cluster.platform_kubernetes.abac!
end end
it { is_expected.to be_rbac } it { is_expected.not_to be_rbac }
end end
context 'application failed to install previously' do context 'application failed to install previously' do
......
...@@ -154,21 +154,13 @@ describe Clusters::Platforms::Kubernetes, :use_clean_rails_memory_store_caching ...@@ -154,21 +154,13 @@ describe Clusters::Platforms::Kubernetes, :use_clean_rails_memory_store_caching
end end
describe '#rbac?' do describe '#rbac?' do
subject { kubernetes.rbac? }
let(:kubernetes) { build(:cluster_platform_kubernetes, :configured) } let(:kubernetes) { build(:cluster_platform_kubernetes, :configured) }
context 'when authorization type is rbac' do subject { kubernetes.rbac? }
let(:kubernetes) { build(:cluster_platform_kubernetes, :rbac_enabled, :configured) }
it { is_expected.to be_truthy } it { is_expected.to be_truthy }
end end
context 'when authorization type is nil' do
it { is_expected.to be_falsey }
end
end
describe '#actual_namespace' do describe '#actual_namespace' do
let(:cluster) { create(:cluster, :project) } let(:cluster) { create(:cluster, :project) }
let(:project) { cluster.project } let(:project) { cluster.project }
......
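Review bot: Dropping the `'when authorization type is nil'` example removes the only test of what `rbac?` returns for a record whose `authorization_type` is unset; `default_value_for` applies when a new object is built, so a record already persisted with nil — if the column allows it, which is not visible here — would presumably still answer falsey and be treated as ABAC. Keep that example, or replace it with one that states the intended result for a persisted nil explicitly, e.g. `context 'when authorization type is nil' do; let(:kubernetes) { build(:cluster_platform_kubernetes, :configured, authorization_type: nil) }; it { is_expected.to be_falsey }; end`. The `describe` block continues outside the hunk.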
...@@ -79,17 +79,7 @@ describe Clusters::Providers::Gcp do ...@@ -79,17 +79,7 @@ describe Clusters::Providers::Gcp do
subject { gcp } subject { gcp }
it 'should default to true' do it { is_expected.not_to be_legacy_abac }
is_expected.to be_legacy_abac
end
context 'legacy_abac is set to false' do
let(:gcp) { build(:cluster_provider_gcp, legacy_abac: false) }
it 'is false' do
is_expected.not_to be_legacy_abac
end
end
end end
describe '#state_machine' do describe '#state_machine' do
......
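Review bot: With the `legacy_abac is set to false` context removed, the spec now covers only the default; there is no example showing that an explicitly ABAC provider still reports `be_legacy_abac`, which is exactly the value existing GKE clusters keep after the migration changes only the column default. Keep a mirrored context, e.g. `context 'legacy_abac is set to true' do; let(:gcp) { build(:cluster_provider_gcp, legacy_abac: true) }; it { is_expected.to be_legacy_abac }; end`. The `describe` block continues outside the hunk.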
...@@ -27,6 +27,8 @@ describe Clusters::Gcp::Kubernetes::CreateOrUpdateNamespaceService, '#execute' d ...@@ -27,6 +27,8 @@ describe Clusters::Gcp::Kubernetes::CreateOrUpdateNamespaceService, '#execute' d
stub_kubeclient_get_secret_error(api_url, 'gitlab-token') stub_kubeclient_get_secret_error(api_url, 'gitlab-token')
stub_kubeclient_create_secret(api_url) stub_kubeclient_create_secret(api_url)
stub_kubeclient_get_role_binding(api_url, "gitlab-#{namespace}", namespace: namespace)
stub_kubeclient_put_role_binding(api_url, "gitlab-#{namespace}", namespace: namespace)
stub_kubeclient_get_namespace(api_url, namespace: namespace) stub_kubeclient_get_namespace(api_url, namespace: namespace)
stub_kubeclient_get_service_account_error(api_url, "#{namespace}-service-account", namespace: namespace) stub_kubeclient_get_service_account_error(api_url, "#{namespace}-service-account", namespace: namespace)
stub_kubeclient_create_service_account(api_url, namespace: namespace) stub_kubeclient_create_service_account(api_url, namespace: namespace)
......
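Review bot: The new `stub_kubeclient_get_role_binding` / `stub_kubeclient_put_role_binding` lines only let the RBAC calls succeed; nothing shown asserts that the service actually creates the `gitlab-#{namespace}` RoleBinding, so a regression that skips binding the service account would still pass as long as the namespace and secret calls happen. If the rest of the file does not already do so, add an expectation that the PUT to the role-binding endpoint the helper stubs was made after the service runs (the helpers look WebMock-based from their naming, so `expect(WebMock).to have_requested(:put, ...)` would be the natural form). The `before` block starts outside the hunk.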