Merge branch 'delete_role_binding_to_recreate' into 'master'

Recreate rolebinding because roleRef attr is immutable See merge request gitlab-org/gitlab!45968

Merge branch 'delete_role_binding_to_recreate' into 'master'
Recreate rolebinding because roleRef attr is immutable See merge request gitlab-org/gitlab!45968
dee53416 · Alper Akgun · 0753e983 · dd93b878 · dee53416 · dee53416
Commit dee53416 authored Oct 27, 2020 by Alper Akgun
6 changed files
--- a/app/services/clusters/kubernetes/create_or_update_service_account_service.rb
+++ b/app/services/clusters/kubernetes/create_or_update_service_account_service.rb
@@ -69,7 +69,13 @@ module Clusters
      def create_role_or_cluster_role_binding
        if namespace_creator
-          kubeclient.create_or_update_role_binding(role_binding_resource)
+          begin
+            kubeclient.delete_role_binding(role_binding_name, service_account_namespace)
+          rescue Kubeclient::ResourceNotFoundError
+            # Do nothing as we will create new role binding below
+          end
+          kubeclient.update_role_binding(role_binding_resource)
        else
          kubeclient.create_or_update_cluster_role_binding(cluster_role_binding_resource)
        end

--- a/lib/gitlab/kubernetes/kube_client.rb
+++ b/lib/gitlab/kubernetes/kube_client.rb
@@ -61,18 +61,11 @@ module Gitlab
      # RBAC methods delegates to the apis/rbac.authorization.k8s.io api
      # group client
      delegate :update_cluster_role_binding,
-        to: :rbac_client
+        :create_role,
+        :get_role,
-      # RBAC methods delegates to the apis/rbac.authorization.k8s.io api
+        :update_role,
-      # group client
+        :delete_role_binding,
-      delegate :create_role,
+        :update_role_binding,
-      :get_role,
-      :update_role,
-      to: :rbac_client
-      # RBAC methods delegates to the apis/rbac.authorization.k8s.io api
-      # group client
-      delegate :update_role_binding,
        to: :rbac_client
      # non-entity methods that can only work with the core client
@@ -186,6 +179,7 @@ module Gitlab
        update_cluster_role_binding(resource)
      end
+      # Note that we cannot update roleRef as that is immutable
      def create_or_update_role_binding(resource)
        update_role_binding(resource)
      end

--- a/spec/lib/gitlab/kubernetes/kube_client_spec.rb
+++ b/spec/lib/gitlab/kubernetes/kube_client_spec.rb
@@ -302,6 +302,8 @@ RSpec.describe Gitlab::Kubernetes::KubeClient do
      :create_role,
      :get_role,
      :update_role,
+      :delete_role_binding,
+      :update_role_binding,
      :update_cluster_role_binding
    ].each do |method|
      describe "##{method}" do

--- a/spec/services/clusters/kubernetes/create_or_update_namespace_service_spec.rb
+++ b/spec/services/clusters/kubernetes/create_or_update_namespace_service_spec.rb
@@ -28,6 +28,7 @@ RSpec.describe Clusters::Kubernetes::CreateOrUpdateNamespaceService, '#execute'
    stub_kubeclient_get_secret_error(api_url, 'gitlab-token')
    stub_kubeclient_create_secret(api_url)
+    stub_kubeclient_delete_role_binding(api_url, "gitlab-#{namespace}", namespace: namespace)
    stub_kubeclient_put_role_binding(api_url, "gitlab-#{namespace}", namespace: namespace)
    stub_kubeclient_get_namespace(api_url, namespace: namespace)
    stub_kubeclient_get_service_account_error(api_url, "#{namespace}-service-account", namespace: namespace)

--- a/spec/services/clusters/kubernetes/create_or_update_service_account_service_spec.rb
+++ b/spec/services/clusters/kubernetes/create_or_update_service_account_service_spec.rb
@@ -141,6 +141,7 @@ RSpec.describe Clusters::Kubernetes::CreateOrUpdateServiceAccountService do
      before do
        cluster.platform_kubernetes.rbac!
+        stub_kubeclient_delete_role_binding(api_url, role_binding_name, namespace: namespace)
        stub_kubeclient_put_role_binding(api_url, role_binding_name, namespace: namespace)
        stub_kubeclient_put_role(api_url, Clusters::Kubernetes::GITLAB_KNATIVE_SERVING_ROLE_NAME, namespace: namespace)
        stub_kubeclient_put_role_binding(api_url, Clusters::Kubernetes::GITLAB_KNATIVE_SERVING_ROLE_BINDING_NAME, namespace: namespace)

--- a/spec/support/helpers/kubernetes_helpers.rb
+++ b/spec/support/helpers/kubernetes_helpers.rb
@@ -250,6 +250,11 @@ module KubernetesHelpers
      .to_return(kube_response({}))
  end
+  def stub_kubeclient_delete_role_binding(api_url, name, namespace: 'default')
+    WebMock.stub_request(:delete, api_url + "/apis/rbac.authorization.k8s.io/v1/namespaces/#{namespace}/rolebindings/#{name}")
+      .to_return(kube_response({}))
+  end
  def stub_kubeclient_put_role_binding(api_url, name, namespace: 'default')
    WebMock.stub_request(:put, api_url + "/apis/rbac.authorization.k8s.io/v1/namespaces/#{namespace}/rolebindings/#{name}")
      .to_return(kube_response({}))