Merge branch 'mattkasa/fixes_for_20244_rbac_kubernetes_prerequisite' into 'master'

Fixes for !20244 RBAC Kubernetes namespace prerequisite See merge request gitlab-org/gitlab!21227

Merge branch 'mattkasa/fixes_for_20244_rbac_kubernetes_prerequisite' into 'master'
Fixes for !20244 RBAC Kubernetes namespace prerequisite See merge request gitlab-org/gitlab!21227
c4220a6a · Thong Kuah · c42f73f2 · b452d6c9 · c4220a6a · c4220a6a
Commit c4220a6a authored Dec 06, 2019 by Thong Kuah
7 changed files
--- a/app/finders/clusters/knative_serving_namespace_finder.rb
+++ b/app/finders/clusters/knative_serving_namespace_finder.rb
+# frozen_string_literal: true
+
+module Clusters
+  class KnativeServingNamespaceFinder
+    attr_reader :cluster
+
+    def initialize(cluster)
+      @cluster = cluster
+    end
+
+    def execute
+      cluster.kubeclient&.get_namespace(Clusters::Kubernetes::KNATIVE_SERVING_NAMESPACE)
+    rescue Kubeclient::ResourceNotFoundError
+      nil
+    end
+  end
+end
--- a/app/finders/clusters/knative_version_role_binding_finder.rb
+++ b/app/finders/clusters/knative_version_role_binding_finder.rb
@@ -9,9 +9,9 @@ module Clusters
    end

    def execute
-      cluster&.kubeclient&.get_cluster_role_bindings&.find do |resource|
-        resource.metadata.name == Clusters::Kubernetes::GITLAB_KNATIVE_VERSION_ROLE_BINDING_NAME
-      end
+      cluster.kubeclient&.get_cluster_role_binding(Clusters::Kubernetes::GITLAB_KNATIVE_VERSION_ROLE_BINDING_NAME)
+    rescue Kubeclient::ResourceNotFoundError
+      nil
    end
  end
 end
--- a/app/services/clusters/kubernetes/create_or_update_service_account_service.rb
+++ b/app/services/clusters/kubernetes/create_or_update_service_account_service.rb
@@ -71,9 +71,9 @@ module Clusters
      end

      def knative_serving_namespace
-        kubeclient.core_client.get_namespaces.find do |namespace|
-          namespace.metadata.name == Clusters::Kubernetes::KNATIVE_SERVING_NAMESPACE
-        end
+        kubeclient.get_namespace(Clusters::Kubernetes::KNATIVE_SERVING_NAMESPACE)
+      rescue Kubeclient::ResourceNotFoundError
+        nil
      end

      def create_role_or_cluster_role_binding

--- a/lib/gitlab/ci/build/prerequisite/kubernetes_namespace.rb
+++ b/lib/gitlab/ci/build/prerequisite/kubernetes_namespace.rb
@@ -8,7 +8,7 @@ module Gitlab
          def unmet?
            deployment_cluster.present? &&
              deployment_cluster.managed? &&
-              (missing_namespace? || missing_knative_version_role_binding?)
+              (missing_namespace? || need_knative_version_role_binding?)
          end

          def complete!
@@ -23,8 +23,8 @@ module Gitlab
            kubernetes_namespace.nil? || kubernetes_namespace.service_account_token.blank?
          end

-          def missing_knative_version_role_binding?
-            knative_version_role_binding.nil?
+          def need_knative_version_role_binding?
+            !knative_serving_namespace.nil? && knative_version_role_binding.nil?
          end

          def deployment_cluster
@@ -35,6 +35,14 @@ module Gitlab
            build.deployment.environment
          end

+          def knative_serving_namespace
+            strong_memoize(:knative_serving_namespace) do
+              Clusters::KnativeServingNamespaceFinder.new(
+                deployment_cluster
+              ).execute
+            end
+          end
+
          def knative_version_role_binding
            strong_memoize(:knative_version_role_binding) do
              Clusters::KnativeVersionRoleBindingFinder.new(

--- a/spec/lib/gitlab/ci/build/prerequisite/kubernetes_namespace_spec.rb
+++ b/spec/lib/gitlab/ci/build/prerequisite/kubernetes_namespace_spec.rb
@@ -38,28 +38,44 @@ describe Gitlab::Ci::Build::Prerequisite::KubernetesNamespace do
              .and_return(double(execute: kubernetes_namespace))
          end

-          context 'and the knative version role binding is missing' do
+          context 'and the knative-serving namespace is missing' do
            before do
-              allow(Clusters::KnativeVersionRoleBindingFinder).to receive(:new)
-                .and_return(double(execute: nil))
+              allow(Clusters::KnativeServingNamespaceFinder).to receive(:new)
+                .and_return(double(execute: false))
            end

            it { is_expected.to be_truthy }
          end

-          context 'and the knative version role binding already exists' do
+          context 'and the knative-serving namespace exists' do
            before do
-              allow(Clusters::KnativeVersionRoleBindingFinder).to receive(:new)
+              allow(Clusters::KnativeServingNamespaceFinder).to receive(:new)
                .and_return(double(execute: true))
            end

-            it { is_expected.to be_falsey }
-
-            context 'and the service_account_token is blank' do
-              let(:kubernetes_namespace) { instance_double(Clusters::KubernetesNamespace, service_account_token: nil) }
+            context 'and the knative version role binding is missing' do
+              before do
+                allow(Clusters::KnativeVersionRoleBindingFinder).to receive(:new)
+                  .and_return(double(execute: nil))
+              end

              it { is_expected.to be_truthy }
            end
+
+            context 'and the knative version role binding already exists' do
+              before do
+                allow(Clusters::KnativeVersionRoleBindingFinder).to receive(:new)
+                  .and_return(double(execute: true))
+              end
+
+              it { is_expected.to be_falsey }
+
+              context 'and the service_account_token is blank' do
+                let(:kubernetes_namespace) { instance_double(Clusters::KubernetesNamespace, service_account_token: nil) }
+
+                it { is_expected.to be_truthy }
+              end
+            end
          end
        end
      end

--- a/spec/services/clusters/kubernetes/create_or_update_namespace_service_spec.rb
+++ b/spec/services/clusters/kubernetes/create_or_update_namespace_service_spec.rb
@@ -22,7 +22,6 @@ describe Clusters::Kubernetes::CreateOrUpdateNamespaceService, '#execute' do

  before do
    stub_kubeclient_discover(api_url)
-    stub_kubeclient_get_namespaces(api_url)
    stub_kubeclient_get_service_account_error(api_url, 'gitlab')
    stub_kubeclient_create_service_account(api_url)
    stub_kubeclient_get_secret_error(api_url, 'gitlab-token')
@@ -31,6 +30,7 @@ describe Clusters::Kubernetes::CreateOrUpdateNamespaceService, '#execute' do
    stub_kubeclient_get_role_binding(api_url, "gitlab-#{namespace}", namespace: namespace)
    stub_kubeclient_put_role_binding(api_url, "gitlab-#{namespace}", namespace: namespace)
    stub_kubeclient_get_namespace(api_url, namespace: namespace)
+    stub_kubeclient_get_namespace(api_url, namespace: Clusters::Kubernetes::KNATIVE_SERVING_NAMESPACE)
    stub_kubeclient_get_service_account_error(api_url, "#{namespace}-service-account", namespace: namespace)
    stub_kubeclient_create_service_account(api_url, namespace: namespace)
    stub_kubeclient_create_secret(api_url, namespace: namespace)

--- a/spec/services/clusters/kubernetes/create_or_update_service_account_service_spec.rb
+++ b/spec/services/clusters/kubernetes/create_or_update_service_account_service_spec.rb
@@ -141,7 +141,7 @@ describe Clusters::Kubernetes::CreateOrUpdateServiceAccountService do
      before do
        cluster.platform_kubernetes.rbac!

-        stub_kubeclient_get_namespaces(api_url)
+        stub_kubeclient_get_namespace(api_url, namespace: Clusters::Kubernetes::KNATIVE_SERVING_NAMESPACE)
        stub_kubeclient_get_role_binding_error(api_url, role_binding_name, namespace: namespace)
        stub_kubeclient_create_role_binding(api_url, namespace: namespace)
        stub_kubeclient_put_role(api_url, Clusters::Kubernetes::GITLAB_KNATIVE_SERVING_ROLE_NAME, namespace: namespace)