Commit 5f014ee4 authored by Hordur Freyr Yngvason's avatar Hordur Freyr Yngvason Committed by Sean McGivern

Silence unrecoverable `Kubeclient::HttpError`s in cleanup

These should not cause cluster removal to fail, because
they will never recover. And they are likely "user errors",
so they should not affect our error budgets.

See https://gitlab.com/gitlab-org/gitlab/-/issues/342923

Changelog: fixed

Add specs to Kubeclient::HttpError rescue
parent 6f1b8a86
...@@ -26,8 +26,10 @@ module Clusters ...@@ -26,8 +26,10 @@ module Clusters
begin begin
kubeclient_delete_namespace(kubernetes_namespace) kubeclient_delete_namespace(kubernetes_namespace)
rescue Kubeclient::HttpError rescue Kubeclient::HttpError => e
next # unauthorized, forbidden: GitLab's access has been revoked
# certificate verify failed: Cluster is probably gone forever
raise unless e.message =~ /unauthorized|forbidden|certificate verify failed/i
end end
kubernetes_namespace.destroy! kubernetes_namespace.destroy!
......
...@@ -24,6 +24,10 @@ module Clusters ...@@ -24,6 +24,10 @@ module Clusters
# The resources have already been deleted, possibly on a previous attempt that timed out # The resources have already been deleted, possibly on a previous attempt that timed out
rescue Gitlab::UrlBlocker::BlockedUrlError rescue Gitlab::UrlBlocker::BlockedUrlError
# User gave an invalid cluster from the start, or deleted the endpoint before this job ran # User gave an invalid cluster from the start, or deleted the endpoint before this job ran
rescue Kubeclient::HttpError => e
# unauthorized, forbidden: GitLab's access has been revoked
# certificate verify failed: Cluster is probably gone forever
raise unless e.message =~ /unauthorized|forbidden|certificate verify failed/i
end end
end end
end end
......
...@@ -95,5 +95,31 @@ RSpec.describe Clusters::Cleanup::ProjectNamespaceService do ...@@ -95,5 +95,31 @@ RSpec.describe Clusters::Cleanup::ProjectNamespaceService do
subject subject
end end
end end
context 'when there is a Kubeclient::HttpError' do
let(:kubeclient_instance_double) do
instance_double(Gitlab::Kubernetes::KubeClient)
end
['Unauthorized', 'forbidden', 'Certificate verify Failed'].each do |message|
it 'schedules ::ServiceAccountWorker with accepted errors' do
allow(kubeclient_instance_double)
.to receive(:delete_namespace)
.and_raise(Kubeclient::HttpError.new(401, message, nil))
expect(Clusters::Cleanup::ServiceAccountWorker).to receive(:perform_async).with(cluster.id)
subject
end
end
it 'raises error with unaccepted errors' do
allow(kubeclient_instance_double)
.to receive(:delete_namespace)
.and_raise(Kubeclient::HttpError.new(401, 'unexpected message', nil))
expect { subject }.to raise_error(Kubeclient::HttpError)
end
end
end end
end end
...@@ -52,5 +52,19 @@ RSpec.describe Clusters::Cleanup::ServiceAccountService do ...@@ -52,5 +52,19 @@ RSpec.describe Clusters::Cleanup::ServiceAccountService do
expect { subject }.to change { Clusters::Cluster.where(id: cluster.id).exists? }.from(true).to(false) expect { subject }.to change { Clusters::Cluster.where(id: cluster.id).exists? }.from(true).to(false)
end end
end end
context 'when there is a Kubeclient::HttpError' do
['Unauthorized', 'forbidden', 'Certificate verify Failed'].each do |message|
before do
allow(kubeclient_instance_double)
.to receive(:delete_service_account)
.and_raise(Kubeclient::HttpError.new(401, message, nil))
end
it 'destroys cluster' do
expect { subject }.to change { Clusters::Cluster.where(id: cluster.id).exists? }.from(true).to(false)
end
end
end
end end
end end
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment