Enable project-level JIT resource creation

Previously this behaviour was only available to group and instance-level clusters, as some project clusters relied on Kubernetes credentials being passed through to the runner instead of having their resources managed by GitLab (which is not available when using JIT). These clusters have been migrated to unmanaged, so resources can be created on demand for the remaining managed clusters.

Enable project-level JIT resource creation
Previously this behaviour was only available to group and instance-level clusters, as some project clusters relied on Kubernetes credentials being passed through to the runner instead of having their resources managed by GitLab (which is not available when using JIT). These clusters have been migrated to unmanaged, so resources can be created on demand for the remaining managed clusters.
74702f0e · Tiger · db9ef692 · 74702f0e · 74702f0e · 74702f0e
Commit 74702f0e authored Jun 12, 2019 by Tiger
13 changed files
--- a/app/models/clusters/platforms/kubernetes.rb
+++ b/app/models/clusters/platforms/kubernetes.rb
@@ -47,7 +47,6 @@ module Clusters
      validate :prevent_modification, on: :update
      after_save :clear_reactive_cache!
-      after_update :update_kubernetes_namespace
      alias_attribute :ca_pem, :ca_cert
@@ -223,14 +222,6 @@ module Clusters
        true
      end
-      def update_kubernetes_namespace
-        return unless saved_change_to_namespace?
-        run_after_commit do
-          ClusterConfigureWorker.perform_async(cluster_id)
-        end
-      end
    end
  end
 end
--- a/app/services/clusters/gcp/finalize_creation_service.rb
+++ b/app/services/clusters/gcp/finalize_creation_service.rb
@@ -12,9 +12,6 @@ module Clusters
        create_gitlab_service_account!
        configure_kubernetes
        cluster.save!
-        ClusterConfigureWorker.perform_async(cluster.id)
      rescue Google::Apis::ServerError, Google::Apis::ClientError, Google::Apis::AuthorizationError => e
        log_service_error(e.class.name, provider.id, e.message)
        provider.make_errored!(s_('ClusterIntegration|Failed to request to Google Cloud Platform: %{message}') % { message: e.message })

--- a/app/workers/cluster_provision_worker.rb
+++ b/app/workers/cluster_provision_worker.rb
@@ -9,8 +9,6 @@ class ClusterProvisionWorker
      cluster.provider.try do |provider|
        Clusters::Gcp::ProvisionService.new.execute(provider) if cluster.gcp?
      end
-      ClusterConfigureWorker.perform_async(cluster.id) if cluster.user?
    end
  end
 end
--- a/changelogs/unreleased/60617-enable-project-cluster-jit.yml
+++ b/changelogs/unreleased/60617-enable-project-cluster-jit.yml
+---
+title: Enable just-in-time Kubernetes resource creation for project-level clusters
+merge_request: 29515
+author:
+type: changed
--- a/doc/user/project/clusters/index.md
+++ b/doc/user/project/clusters/index.md
@@ -518,9 +518,7 @@ service account of the cluster integration.
 ### Troubleshooting failed deployment jobs
 GitLab will create a namespace and service account specifically for your
-deployment jobs. On project level clusters, this happens when the cluster
+deployment jobs. This happens immediately before the deployment job starts.
-is created. On group level clusters, resources are created immediately
-before the deployment job starts.
 However, sometimes GitLab can not create them. In such instances, your job will fail with the message:

--- a/lib/gitlab/ci/build/prerequisite/kubernetes_namespace.rb
+++ b/lib/gitlab/ci/build/prerequisite/kubernetes_namespace.rb
@@ -8,7 +8,6 @@ module Gitlab
          def unmet?
            deployment_cluster.present? &&
              deployment_cluster.managed? &&
-              !deployment_cluster.project_type? &&
              (kubernetes_namespace.new_record? || kubernetes_namespace.service_account_token.blank?)
          end

--- a/spec/controllers/projects/clusters_controller_spec.rb
+++ b/spec/controllers/projects/clusters_controller_spec.rb
@@ -340,7 +340,6 @@ describe Projects::ClustersController do
    describe 'security' do
      before do
-        allow(ClusterConfigureWorker).to receive(:perform_async)
        stub_kubeclient_get_namespace('https://kubernetes.example.com', namespace: 'my-namespace')
      end
@@ -438,7 +437,6 @@ describe Projects::ClustersController do
    end
    before do
-      allow(ClusterConfigureWorker).to receive(:perform_async)
      stub_kubeclient_get_namespace('https://kubernetes.example.com', namespace: 'my-namespace')
    end

--- a/spec/features/projects/clusters/gcp_spec.rb
+++ b/spec/features/projects/clusters/gcp_spec.rb
@@ -122,7 +122,6 @@ describe 'Gcp Cluster', :js do
      context 'when user changes cluster parameters' do
        before do
-          allow(ClusterConfigureWorker).to receive(:perform_async)
          fill_in 'cluster_platform_kubernetes_attributes_namespace', with: 'my-namespace'
          page.within('#js-cluster-details') { click_button 'Save changes' }
        end

--- a/spec/lib/gitlab/ci/build/prerequisite/kubernetes_namespace_spec.rb
+++ b/spec/lib/gitlab/ci/build/prerequisite/kubernetes_namespace_spec.rb
@@ -45,12 +45,6 @@ describe Gitlab::Ci::Build::Prerequisite::KubernetesNamespace do
            it { is_expected.to be_truthy }
          end
        end
-        context 'and cluster is project type' do
-          let(:cluster) { create(:cluster, :project) }
-          it { is_expected.to be_falsey }
-        end
      end
      context 'and no cluster to deploy to' do

--- a/spec/models/clusters/platforms/kubernetes_spec.rb
+++ b/spec/models/clusters/platforms/kubernetes_spec.rb
@@ -510,27 +510,4 @@ describe Clusters::Platforms::Kubernetes, :use_clean_rails_memory_store_caching
      it { is_expected.to include(pods: []) }
    end
  end
-  describe '#update_kubernetes_namespace' do
-    let(:cluster) { create(:cluster, :provided_by_gcp) }
-    let(:platform) { cluster.platform }
-    context 'when namespace is updated' do
-      it 'calls ConfigureWorker' do
-        expect(ClusterConfigureWorker).to receive(:perform_async).with(cluster.id).once
-        platform.namespace = 'new-namespace'
-        platform.save
-      end
-    end
-    context 'when namespace is not updated' do
-      it 'does not call ConfigureWorker' do
-        expect(ClusterConfigureWorker).not_to receive(:perform_async)
-        platform.username = "new-username"
-        platform.save
-      end
-    end
-  end
 end
--- a/spec/services/clusters/gcp/finalize_creation_service_spec.rb
+++ b/spec/services/clusters/gcp/finalize_creation_service_spec.rb
@@ -19,10 +19,6 @@ describe Clusters::Gcp::FinalizeCreationService, '#execute' do
  subject { described_class.new.execute(provider) }
-  before do
-    allow(ClusterConfigureWorker).to receive(:perform_async)
-  end
  shared_examples 'success' do
    it 'configures provider and kubernetes' do
      subject
@@ -42,12 +38,6 @@ describe Clusters::Gcp::FinalizeCreationService, '#execute' do
      expect(platform.password).to eq(password)
      expect(platform.token).to eq(token)
    end
-    it 'calls ClusterConfigureWorker in a ascync fashion' do
-      expect(ClusterConfigureWorker).to receive(:perform_async).with(cluster.id)
-      subject
-    end
  end
  shared_examples 'error' do

--- a/spec/services/clusters/update_service_spec.rb
+++ b/spec/services/clusters/update_service_spec.rb
@@ -39,7 +39,6 @@ describe Clusters::UpdateService do
        end
        before do
-          allow(ClusterConfigureWorker).to receive(:perform_async)
          stub_kubeclient_get_namespace('https://kubernetes.example.com', namespace: 'my-namespace')
        end

--- a/spec/workers/cluster_provision_worker_spec.rb
+++ b/spec/workers/cluster_provision_worker_spec.rb
@@ -23,18 +23,11 @@ describe ClusterProvisionWorker do
        described_class.new.perform(cluster.id)
      end
-      it 'configures kubernetes platform' do
-        expect(ClusterConfigureWorker).to receive(:perform_async).with(cluster.id)
-        described_class.new.perform(cluster.id)
-      end
    end
    context 'when cluster does not exist' do
      it 'does not provision a cluster' do
        expect_any_instance_of(Clusters::Gcp::ProvisionService).not_to receive(:execute)
-        expect(ClusterConfigureWorker).not_to receive(:perform_async)
        described_class.new.perform(123)
      end