Commit 577c79bb authored by Thong Kuah's avatar Thong Kuah

ABAC: fetch default service account token; RBAC: fetch gitlab service account token

Keeps existing behaviour for ABAC cluster
parent c9af170d
...@@ -47,7 +47,9 @@ module Clusters ...@@ -47,7 +47,9 @@ module Clusters
end end
def request_kubernetes_token def request_kubernetes_token
Clusters::Gcp::Kubernetes::FetchKubernetesTokenService.new(kube_client).execute service_account_name = rbac_clusters_feature_enabled? ? Clusters::Gcp::Kubernetes::SERVICE_ACCOUNT_NAME : 'default'
Clusters::Gcp::Kubernetes::FetchKubernetesTokenService.new(kube_client, service_account_name).execute
end end
def authorization_type def authorization_type
......
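Review bot: The new `'default'` literal in request_kubernetes_token is a bare magic string sitting next to the named `Clusters::Gcp::Kubernetes::SERVICE_ACCOUNT_NAME` it is an alternative to, so the ABAC branch's meaning is only recoverable from the commit message. Define it beside that constant, e.g. `DEFAULT_SERVICE_ACCOUNT_NAME = 'default'.freeze`, and use it in the ternary. Since which account's token ends up stored is the security-relevant decision here, a why-comment on the assignment would help the next reader: `# ABAC clusters keep using the namespace's default service account token; RBAC clusters use the dedicated GitLab service account.` The enclosing module continues outside the hunk; rbac_clusters_feature_enabled? is defined elsewhere in the file.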
...@@ -4,10 +4,11 @@ module Clusters ...@@ -4,10 +4,11 @@ module Clusters
module Gcp module Gcp
module Kubernetes module Kubernetes
class FetchKubernetesTokenService class FetchKubernetesTokenService
attr_reader :kubeclient attr_reader :kubeclient, :service_account_name
def initialize(kubeclient) def initialize(kubeclient, service_account_name)
@kubeclient = kubeclient @kubeclient = kubeclient
@service_account_name = service_account_name
end end
def execute def execute
...@@ -25,7 +26,7 @@ module Clusters ...@@ -25,7 +26,7 @@ module Clusters
private private
def token_regex def token_regex
/#{SERVICE_ACCOUNT_NAME}-token/ /#{service_account_name}-token/
end end
def read_secrets def read_secrets
......
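Review bot: token_regex now interpolates a constructor argument into a regex without `Regexp.escape` and without anchoring, where before it was a module constant under the service's control; assuming the regex is matched against the secret's metadata name (as the `metadata_name` stubs in the specs suggest), a name like `default` would also match a secret named `not-default-token-x`. Tightening it to `/\A#{Regexp.escape(service_account_name)}-token-/` keeps the match to secrets that actually belong to the requested account and is cheap to do now that the name is caller-supplied. Consider also rejecting a nil or empty name in initialize so a misconfigured caller fails loudly rather than matching `-token`. execute and read_secrets, which use this regex, lie outside the hunk.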
...@@ -52,13 +52,14 @@ describe Clusters::Gcp::FinalizeCreationService do ...@@ -52,13 +52,14 @@ describe Clusters::Gcp::FinalizeCreationService do
end end
context 'when suceeded to fetch kuberenetes token' do context 'when suceeded to fetch kuberenetes token' do
let(:secret_name) { 'default-token-Y1a' }
let(:token) { 'sample-token' } let(:token) { 'sample-token' }
before do before do
stub_kubeclient_get_secrets( stub_kubeclient_get_secrets(
api_url, api_url,
{ {
metadata_name: 'gitlab-token-Y1a', metadata_name: secret_name,
token: Base64.encode64(token) token: Base64.encode64(token)
} ) } )
end end
...@@ -81,6 +82,8 @@ describe Clusters::Gcp::FinalizeCreationService do ...@@ -81,6 +82,8 @@ describe Clusters::Gcp::FinalizeCreationService do
end end
context 'rbac_clusters feature enabled' do context 'rbac_clusters feature enabled' do
let(:secret_name) { 'gitlab-token-Y1a' }
before do before do
stub_feature_flags(rbac_clusters: true) stub_feature_flags(rbac_clusters: true)
stub_kubeclient_create_service_account(api_url) stub_kubeclient_create_service_account(api_url)
...@@ -106,20 +109,44 @@ describe Clusters::Gcp::FinalizeCreationService do ...@@ -106,20 +109,44 @@ describe Clusters::Gcp::FinalizeCreationService do
end end
end end
context 'when default-token is not found' do context 'when no matching token is found' do
before do before do
stub_kubeclient_get_secrets(api_url, metadata_name: 'aaaa') stub_kubeclient_get_secrets(api_url, metadata_name: 'not-default-not-gitlab')
end end
it_behaves_like 'error' it_behaves_like 'error'
context 'rbac_clusters feature enabled' do
before do
stub_feature_flags(rbac_clusters: true)
stub_kubeclient_create_service_account(api_url)
stub_kubeclient_create_cluster_role_binding(api_url)
end
it_behaves_like 'error'
end
end end
context 'when token is empty' do context 'when token is empty' do
let(:secret_name) { 'default-token-123' }
before do before do
stub_kubeclient_get_secrets(api_url, token: '') stub_kubeclient_get_secrets(api_url, token: '', metadata_name: secret_name)
end end
it_behaves_like 'error' it_behaves_like 'error'
context 'rbac_clusters feature enabled' do
let(:secret_name) { 'gitlab-token-321' }
before do
stub_feature_flags(rbac_clusters: true)
stub_kubeclient_create_service_account(api_url)
stub_kubeclient_create_cluster_role_binding(api_url)
end
it_behaves_like 'error'
end
end end
context 'when failed to fetch kuberenetes token' do context 'when failed to fetch kuberenetes token' do
...@@ -128,6 +155,16 @@ describe Clusters::Gcp::FinalizeCreationService do ...@@ -128,6 +155,16 @@ describe Clusters::Gcp::FinalizeCreationService do
end end
it_behaves_like 'error' it_behaves_like 'error'
context 'rbac_clusters feature enabled' do
before do
stub_feature_flags(rbac_clusters: true)
stub_kubeclient_create_service_account(api_url)
stub_kubeclient_create_cluster_role_binding(api_url)
end
it_behaves_like 'error'
end
end end
end end
......
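Review bot: The three-line `before` block enabling rbac_clusters and stubbing service-account and cluster-role-binding creation is now copied into four contexts in this spec (the existing one at the `rbac_clusters feature enabled` context above and the three added ones), so any change to the RBAC setup has to be made in four places. Hoist it into a `shared_context` near the top of the describe block (outside this hunk) and have each context pull it in with `include_context`; the contexts that additionally override `secret_name` keep their own `let`. The example below shows the shared context and one rewritten call site.
```ruby
shared_context 'rbac_clusters feature enabled' do
  before do
    stub_feature_flags(rbac_clusters: true)
    stub_kubeclient_create_service_account(api_url)
    stub_kubeclient_create_cluster_role_binding(api_url)
  end
end

# … unchanged: 'when no matching token is found' context setup …
context 'rbac_clusters feature enabled' do
  include_context 'rbac_clusters feature enabled'

  it_behaves_like 'error'
end
```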
...@@ -2,11 +2,13 @@ require 'spec_helper' ...@@ -2,11 +2,13 @@ require 'spec_helper'
describe Clusters::Gcp::Kubernetes::FetchKubernetesTokenService do describe Clusters::Gcp::Kubernetes::FetchKubernetesTokenService do
describe '#execute' do describe '#execute' do
subject { described_class.new(kubeclient).execute } subject { described_class.new(kubeclient, service_account_name).execute }
let(:service_account_name) { 'gitlab-sa' }
let(:api_url) { 'http://111.111.111.111' } let(:api_url) { 'http://111.111.111.111' }
let(:username) { 'admin' } let(:username) { 'admin' }
let(:password) { 'xxx' } let(:password) { 'xxx' }
let(:kubeclient) do let(:kubeclient) do
Gitlab::Kubernetes::KubeClient.new( Gitlab::Kubernetes::KubeClient.new(
api_url, api_url,
...@@ -44,8 +46,8 @@ describe Clusters::Gcp::Kubernetes::FetchKubernetesTokenService do ...@@ -44,8 +46,8 @@ describe Clusters::Gcp::Kubernetes::FetchKubernetesTokenService do
.to receive(:get_secrets).and_return(secrets_json) .to receive(:get_secrets).and_return(secrets_json)
end end
context 'when gitlab-token exists' do context 'when token for service account exists' do
let(:metadata_name) { 'gitlab-token-123' } let(:metadata_name) { 'gitlab-sa-token-123' }
it { is_expected.to eq(token) } it { is_expected.to eq(token) }
end end
......
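Review bot: The renamed context `'when token for service account exists'` only pins the positive case for `service_account_name` `'gitlab-sa'`; unless a non-matching case already exists outside the hunk, add a context where the secret belongs to a different account, e.g. `let(:metadata_name) { 'default-token-123' }`, and assert the token is not returned. That is the behaviour this commit introduces (selecting the token by account name) and it is what protects against handing back the wrong account's credential. The rest of the describe block, including the `secrets_json` setup, is outside the hunk.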