Add GitLab.com only feature flag for KAS rollout

This allows us to rollout KAS progressively for projects

config/feature_flags/development/kubernetes_agent_on_gitlab_com.yml

+---
+name: kubernetes_agent_on_gitlab_com
+introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/53322
+rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/300960
+milestone: '13.9'
+type: development
+group: group::configure
+default_enabled: false

ee/app/services/clusters/agents/create_service.rb

@@ -4,6 +4,7 @@ module Clusters
   module Agents
     class CreateService < BaseService
       def execute(name:)
+        return error_rollout_gitlab_com unless included_in_gitlab_com_rollout?
         return error_not_premium_plan unless project.feature_available?(:cluster_agents)
         return error_no_permissions unless cluster_agent_permissions?
 
@@ -18,6 +19,14 @@ module Clusters
 
       private
 
+      def included_in_gitlab_com_rollout?
+        Gitlab::Kas.included_in_gitlab_com_rollout?(project)
+      end
+
+      def error_rollout_gitlab_com
+        error(s_('ClusterAgent|This project is not included in the GitLab.com rollout for Kubernetes agent'))
+      end
+
       def cluster_agent_permissions?
         current_user.can?(:admin_pipeline, project) && current_user.can?(:create_cluster, project)
       end

ee/spec/requests/api/internal/kubernetes_spec.rb

@@ -76,12 +76,42 @@ RSpec.describe API::Internal::Kubernetes do
         }
       end
 
-      it 'returns no_content for valid alert payload' do
+      it 'returns success for valid alert payload' do
         send_request(params: payload, headers: { 'Authorization' => "Bearer #{agent_token.token}" })
 
         expect(AlertManagement::Alert.count).to eq(1)
         expect(AlertManagement::Alert.all.first.project).to eq(agent.project)
-        expect(response).to have_gitlab_http_status(:ok)
+        expect(response).to have_gitlab_http_status(:success)
+      end
+
+      context 'on GitLab.com' do
+        before do
+          allow(::Gitlab).to receive(:com?).and_return(true)
+        end
+
+        context 'kubernetes_agent_on_gitlab_com feature flag disabled' do
+          before do
+            stub_feature_flags(kubernetes_agent_on_gitlab_com: false)
+          end
+
+          it 'returns 403' do
+            send_request(params: payload, headers: { 'Authorization' => "Bearer #{agent_token.token}" })
+
+            expect(response).to have_gitlab_http_status(:forbidden)
+          end
+        end
+
+        context 'kubernetes_agent_on_gitlab_com feature flag enabled' do
+          before do
+            stub_feature_flags(kubernetes_agent_on_gitlab_com: agent_token.agent.project)
+          end
+
+          it 'returns success' do
+            send_request(params: payload, headers: { 'Authorization' => "Bearer #{agent_token.token}" })
+
+            expect(response).to have_gitlab_http_status(:success)
+          end
+        end
       end
 
       context 'when payload is invalid' do

ee/spec/services/clusters/agents/create_service_spec.rb

@@ -59,6 +59,57 @@ RSpec.describe Clusters::Agents::CreateService do
           message: ["Name can contain only lowercase letters, digits, and '-', but cannot start or end with '-'"]
         })
       end
+
+      context 'not on GitLab.com' do
+        before do
+          allow(::Gitlab).to receive(:com?).and_return(false)
+        end
+
+        context 'kubernetes_agent_on_gitlab_com feature flag disabled' do
+          before do
+            stub_feature_flags(kubernetes_agent_on_gitlab_com: project)
+          end
+
+          it 'returns success status', :aggregate_failures do
+            result = service.execute(name: 'success')
+
+            expect(result[:status]).to eq(:success)
+            expect(result[:message]).to be_nil
+          end
+        end
+      end
+
+      context 'on GitLab.com' do
+        before do
+          allow(::Gitlab).to receive(:com?).and_return(true)
+        end
+
+        context 'kubernetes_agent_on_gitlab_com feature flag disabled' do
+          before do
+            stub_feature_flags(kubernetes_agent_on_gitlab_com: false)
+          end
+
+          it 'returns errors when project is not in rollout' do
+            expect(service.execute(name: 'not-in-rollout')).to eq({
+              status: :error,
+              message: 'This project is not included in the GitLab.com rollout for Kubernetes agent'
+            })
+          end
+        end
+
+        context 'kubernetes_agent_on_gitlab_com feature flag enabled' do
+          before do
+            stub_feature_flags(kubernetes_agent_on_gitlab_com: project)
+          end
+
+          it 'returns success status', :aggregate_failures do
+            result = service.execute(name: 'success')
+
+            expect(result[:status]).to eq(:success)
+            expect(result[:message]).to be_nil
+          end
+        end
+      end
     end
   end
 end

lib/api/internal/kubernetes.rb

@@ -52,6 +52,8 @@ module API
 
         def check_agent_token
           forbidden! unless agent_token
+
+          forbidden! unless Gitlab::Kas.included_in_gitlab_com_rollout?(agent.project)
         end
       end
 

lib/gitlab/kas.rb

@@ -23,6 +23,12 @@ module Gitlab
 
         write_secret
       end
+
+      def included_in_gitlab_com_rollout?(project)
+        return true unless ::Gitlab.com?
+
+        Feature.enabled?(:kubernetes_agent_on_gitlab_com, project)
+      end
     end
   end
 end

locale/gitlab.pot

@@ -6051,6 +6051,9 @@ msgstr ""
 msgid "ClusterAgent|This feature is only available for premium plans"
 msgstr ""
 
+msgid "ClusterAgent|This project is not included in the GitLab.com rollout for Kubernetes agent"
+msgstr ""
+
 msgid "ClusterAgent|User has insufficient permissions to create a token for this project"
 msgstr ""
 

spec/lib/gitlab/kas_spec.rb

@@ -58,4 +58,48 @@ RSpec.describe Gitlab::Kas do
       end
     end
   end
+
+  describe '.included_in_gitlab_com_rollout?' do
+    let_it_be(:project) { create(:project) }
+
+    context 'not GitLab.com' do
+      before do
+        allow(Gitlab).to receive(:com?).and_return(false)
+      end
+
+      it 'returns true' do
+        expect(described_class.included_in_gitlab_com_rollout?(project)).to be_truthy
+      end
+    end
+
+    context 'GitLab.com' do
+      before do
+        allow(Gitlab).to receive(:com?).and_return(true)
+      end
+
+      context 'kubernetes_agent_on_gitlab_com feature flag disabled' do
+        before do
+          stub_feature_flags(kubernetes_agent_on_gitlab_com: false)
+        end
+
+        it 'returns false' do
+          expect(described_class.included_in_gitlab_com_rollout?(project)).to be_falsey
+        end
+      end
+
+      context 'kubernetes_agent_on_gitlab_com feature flag enabled' do
+        before do
+          stub_feature_flags(kubernetes_agent_on_gitlab_com: project)
+        end
+
+        it 'returns true' do
+          expect(described_class.included_in_gitlab_com_rollout?(project)).to be_truthy
+        end
+
+        it 'returns false for another project' do
+          expect(described_class.included_in_gitlab_com_rollout?(create(:project))).to be_falsey
+        end
+      end
+    end
+  end
 end

spec/requests/api/internal/kubernetes_spec.rb

@@ -125,6 +125,36 @@ RSpec.describe API::Internal::Kubernetes do
           )
         )
       end
+
+      context 'on GitLab.com' do
+        before do
+          allow(::Gitlab).to receive(:com?).and_return(true)
+        end
+
+        context 'kubernetes_agent_on_gitlab_com feature flag disabled' do
+          before do
+            stub_feature_flags(kubernetes_agent_on_gitlab_com: false)
+          end
+
+          it 'returns 403' do
+            send_request(headers: { 'Authorization' => "Bearer #{agent_token.token}" })
+
+            expect(response).to have_gitlab_http_status(:forbidden)
+          end
+        end
+
+        context 'kubernetes_agent_on_gitlab_com feature flag enabled' do
+          before do
+            stub_feature_flags(kubernetes_agent_on_gitlab_com: agent_token.agent.project)
+          end
+
+          it 'returns success' do
+            send_request(headers: { 'Authorization' => "Bearer #{agent_token.token}" })
+
+            expect(response).to have_gitlab_http_status(:success)
+          end
+        end
+      end
     end
   end
 
@@ -174,6 +204,36 @@ RSpec.describe API::Internal::Kubernetes do
             expect(response).to have_gitlab_http_status(:not_found)
           end
         end
+
+        context 'on GitLab.com' do
+          before do
+            allow(::Gitlab).to receive(:com?).and_return(true)
+          end
+
+          context 'kubernetes_agent_on_gitlab_com feature flag disabled' do
+            before do
+              stub_feature_flags(kubernetes_agent_on_gitlab_com: false)
+            end
+
+            it 'returns 403' do
+              send_request(params: { id: project.id }, headers: { 'Authorization' => "Bearer #{agent_token.token}" })
+
+              expect(response).to have_gitlab_http_status(:forbidden)
+            end
+          end
+
+          context 'kubernetes_agent_on_gitlab_com feature flag enabled' do
+            before do
+              stub_feature_flags(kubernetes_agent_on_gitlab_com: agent_token.agent.project)
+            end
+
+            it 'returns success' do
+              send_request(params: { id: project.id }, headers: { 'Authorization' => "Bearer #{agent_token.token}" })
+
+              expect(response).to have_gitlab_http_status(:success)
+            end
+          end
+        end
       end
 
       context 'project is private' do