Enable project-level JIT resource creation

Previously this behaviour was only available to group
and instance-level clusters, as some project clusters
relied on Kubernetes credentials being passed through
to the runner instead of having their resources managed
by GitLab (which is not available when using JIT). These
clusters have been migrated to unmanaged, so resources
can be created on demand for the remaining managed clusters.

app/models/clusters/platforms/kubernetes.rb

@@ -47,7 +47,6 @@ module Clusters
       validate :prevent_modification, on: :update
 
       after_save :clear_reactive_cache!
-      after_update :update_kubernetes_namespace
 
       alias_attribute :ca_pem, :ca_cert
 
@@ -223,14 +222,6 @@ module Clusters
 
         true
       end
-
-      def update_kubernetes_namespace
-        return unless saved_change_to_namespace?
-
-        run_after_commit do
-          ClusterConfigureWorker.perform_async(cluster_id)
-        end
-      end
     end
   end
 end

app/services/clusters/gcp/finalize_creation_service.rb

@@ -12,9 +12,6 @@ module Clusters
         create_gitlab_service_account!
         configure_kubernetes
         cluster.save!
-
-        ClusterConfigureWorker.perform_async(cluster.id)
-
       rescue Google::Apis::ServerError, Google::Apis::ClientError, Google::Apis::AuthorizationError => e
         log_service_error(e.class.name, provider.id, e.message)
         provider.make_errored!(s_('ClusterIntegration|Failed to request to Google Cloud Platform: %{message}') % { message: e.message })

app/workers/cluster_provision_worker.rb

@@ -9,8 +9,6 @@ class ClusterProvisionWorker
       cluster.provider.try do |provider|
         Clusters::Gcp::ProvisionService.new.execute(provider) if cluster.gcp?
       end
-
-      ClusterConfigureWorker.perform_async(cluster.id) if cluster.user?
     end
   end
 end

changelogs/unreleased/60617-enable-project-cluster-jit.yml

+---
+title: Enable just-in-time Kubernetes resource creation for project-level clusters
+merge_request: 29515
+author:
+type: changed

doc/user/project/clusters/index.md

@@ -518,9 +518,7 @@ service account of the cluster integration.
 ### Troubleshooting failed deployment jobs
 
 GitLab will create a namespace and service account specifically for your
-deployment jobs. On project level clusters, this happens when the cluster
-is created. On group level clusters, resources are created immediately
-before the deployment job starts.
+deployment jobs. This happens immediately before the deployment job starts.
 
 However, sometimes GitLab can not create them. In such instances, your job will fail with the message:
 

lib/gitlab/ci/build/prerequisite/kubernetes_namespace.rb

@@ -8,7 +8,6 @@ module Gitlab
           def unmet?
             deployment_cluster.present? &&
               deployment_cluster.managed? &&
-              !deployment_cluster.project_type? &&
               (kubernetes_namespace.new_record? || kubernetes_namespace.service_account_token.blank?)
           end
 

spec/controllers/projects/clusters_controller_spec.rb

@@ -340,7 +340,6 @@ describe Projects::ClustersController do
 
     describe 'security' do
       before do
-        allow(ClusterConfigureWorker).to receive(:perform_async)
         stub_kubeclient_get_namespace('https://kubernetes.example.com', namespace: 'my-namespace')
       end
 
@@ -438,7 +437,6 @@ describe Projects::ClustersController do
     end
 
     before do
-      allow(ClusterConfigureWorker).to receive(:perform_async)
       stub_kubeclient_get_namespace('https://kubernetes.example.com', namespace: 'my-namespace')
     end
 

spec/features/projects/clusters/gcp_spec.rb

@@ -122,7 +122,6 @@ describe 'Gcp Cluster', :js do
 
       context 'when user changes cluster parameters' do
         before do
-          allow(ClusterConfigureWorker).to receive(:perform_async)
           fill_in 'cluster_platform_kubernetes_attributes_namespace', with: 'my-namespace'
           page.within('#js-cluster-details') { click_button 'Save changes' }
         end

spec/lib/gitlab/ci/build/prerequisite/kubernetes_namespace_spec.rb

@@ -45,12 +45,6 @@ describe Gitlab::Ci::Build::Prerequisite::KubernetesNamespace do
             it { is_expected.to be_truthy }
           end
         end
-
-        context 'and cluster is project type' do
-          let(:cluster) { create(:cluster, :project) }
-
-          it { is_expected.to be_falsey }
-        end
       end
 
       context 'and no cluster to deploy to' do

spec/models/clusters/platforms/kubernetes_spec.rb

@@ -510,27 +510,4 @@ describe Clusters::Platforms::Kubernetes, :use_clean_rails_memory_store_caching
       it { is_expected.to include(pods: []) }
     end
   end
-
-  describe '#update_kubernetes_namespace' do
-    let(:cluster) { create(:cluster, :provided_by_gcp) }
-    let(:platform) { cluster.platform }
-
-    context 'when namespace is updated' do
-      it 'calls ConfigureWorker' do
-        expect(ClusterConfigureWorker).to receive(:perform_async).with(cluster.id).once
-
-        platform.namespace = 'new-namespace'
-        platform.save
-      end
-    end
-
-    context 'when namespace is not updated' do
-      it 'does not call ConfigureWorker' do
-        expect(ClusterConfigureWorker).not_to receive(:perform_async)
-
-        platform.username = "new-username"
-        platform.save
-      end
-    end
-  end
 end

spec/services/clusters/gcp/finalize_creation_service_spec.rb

@@ -19,10 +19,6 @@ describe Clusters::Gcp::FinalizeCreationService, '#execute' do
 
   subject { described_class.new.execute(provider) }
 
-  before do
-    allow(ClusterConfigureWorker).to receive(:perform_async)
-  end
-
   shared_examples 'success' do
     it 'configures provider and kubernetes' do
       subject
@@ -42,12 +38,6 @@ describe Clusters::Gcp::FinalizeCreationService, '#execute' do
       expect(platform.password).to eq(password)
       expect(platform.token).to eq(token)
     end
-
-    it 'calls ClusterConfigureWorker in a ascync fashion' do
-      expect(ClusterConfigureWorker).to receive(:perform_async).with(cluster.id)
-
-      subject
-    end
   end
 
   shared_examples 'error' do

spec/services/clusters/update_service_spec.rb

@@ -39,7 +39,6 @@ describe Clusters::UpdateService do
         end
 
         before do
-          allow(ClusterConfigureWorker).to receive(:perform_async)
           stub_kubeclient_get_namespace('https://kubernetes.example.com', namespace: 'my-namespace')
         end
 

spec/workers/cluster_provision_worker_spec.rb

@@ -23,18 +23,11 @@ describe ClusterProvisionWorker do
 
         described_class.new.perform(cluster.id)
       end
-
-      it 'configures kubernetes platform' do
-        expect(ClusterConfigureWorker).to receive(:perform_async).with(cluster.id)
-
-        described_class.new.perform(cluster.id)
-      end
     end
 
     context 'when cluster does not exist' do
       it 'does not provision a cluster' do
         expect_any_instance_of(Clusters::Gcp::ProvisionService).not_to receive(:execute)
-        expect(ClusterConfigureWorker).not_to receive(:perform_async)
 
         described_class.new.perform(123)
       end