From b0aaf1991fb99160f2ac5d3bbfc07b81e8be4cbb Mon Sep 17 00:00:00 2001 From: Mayra Cabrera Date: Mon, 25 Mar 2019 12:25:28 -0600 Subject: [PATCH 01/10] Add gitlab-managed option to clusters form When this option is enabled, GitLab will create namespaces and service accounts as usual. When disabled, GitLab wont create any project specific kubernetes resources Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/56557 --- .../clusters/clusters_controller.rb | 2 ++ app/models/deployment.rb | 1 + .../clusters/gcp/finalize_creation_service.rb | 10 ++++-- .../clusters/clusters/gcp/_form.html.haml | 13 +++++-- .../clusters/clusters/user/_form.html.haml | 11 ++++-- .../platforms/kubernetes/_form.html.haml | 8 +++++ app/workers/cluster_provision_worker.rb | 8 ++++- ...etes-namespace-service-account-backend.yml | 5 +++ .../prerequisite/kubernetes_namespace.rb | 1 + locale/gitlab.pot | 6 ++++ .../groups/clusters_controller_spec.rb | 27 ++++++++++++++ .../projects/clusters_controller_spec.rb | 35 +++++++++++++++++-- spec/factories/clusters/clusters.rb | 2 +- .../prerequisite/kubernetes_namespace_spec.rb | 22 +++++++++--- .../gcp/finalize_creation_service_spec.rb | 33 +++++++++++++---- spec/workers/cluster_provision_worker_spec.rb | 10 ++++++ 16 files changed, 170 insertions(+), 24 deletions(-) create mode 100644 changelogs/unreleased/56557-disable-kubernetes-namespace-service-account-backend.yml diff --git a/app/controllers/clusters/clusters_controller.rb b/app/controllers/clusters/clusters_controller.rb index edaf07063ec..73ebd4e0e42 100644 --- a/app/controllers/clusters/clusters_controller.rb +++ b/app/controllers/clusters/clusters_controller.rb @@ -156,6 +156,7 @@ def create_gcp_cluster_params :enabled, :name, :environment_scope, + :managed, provider_gcp_attributes: [ :gcp_project_id, :zone, @@ -174,6 +175,7 @@ def create_user_cluster_params :enabled, :name, :environment_scope, + :managed, platform_kubernetes_attributes: [ :namespace, :api_url, 
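Review bot: `:managed` becomes mass-assignable in both `create_gcp_cluster_params` and `create_user_cluster_params`, but the only visible guard against changing it afterwards is `disabled: true` on the checkbox in `platforms/kubernetes/_form.html.haml`, which is a client-side attribute and not an enforcement point. The docs added later in this series say the setting cannot be changed after creation, so confirm that the update param list (outside these hunks) does not permit `:managed`, and add a controller spec asserting that an update request carrying `managed` leaves the flag unchanged. A comment above the key would record the intent: `# create-only: must not be added to the update params`. Both methods start and end outside the hunks.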
diff --git a/app/models/deployment.rb b/app/models/deployment.rb index 92c7311014a..945ddffa65f 100644 --- a/app/models/deployment.rb +++ b/app/models/deployment.rb @@ -4,6 +4,7 @@ class Deployment < ApplicationRecord include AtomicInternalId include IidRoutes include AfterCommitQueue + include Gitlab::Utils::StrongMemoize belongs_to :project, required: true belongs_to :environment, required: true diff --git a/app/services/clusters/gcp/finalize_creation_service.rb b/app/services/clusters/gcp/finalize_creation_service.rb index 5525c1b9b7f..3ce4f60f6eb 100644 --- a/app/services/clusters/gcp/finalize_creation_service.rb +++ b/app/services/clusters/gcp/finalize_creation_service.rb @@ -12,9 +12,7 @@ def execute(provider) create_gitlab_service_account! configure_kubernetes cluster.save! - - ClusterConfigureWorker.perform_async(cluster.id) - + configure_kubernetes_resources_on_cluster rescue Google::Apis::ServerError, Google::Apis::ClientError, Google::Apis::AuthorizationError => e log_service_error(e.class.name, provider.id, e.message) provider.make_errored!(s_('ClusterIntegration|Failed to request to Google Cloud Platform: %{message}') % { message: e.message }) @@ -121,6 +119,12 @@ def log_service_error(exception, provider_id, message) message: message ) end + + def configure_kubernetes_resources_on_cluster + return unless cluster.managed? + + ClusterConfigureWorker.perform_async(cluster.id) + end end end end diff --git a/app/views/clusters/clusters/gcp/_form.html.haml b/app/views/clusters/clusters/gcp/_form.html.haml index 3e0f8955081..36101abfa45 100644 --- a/app/views/clusters/clusters/gcp/_form.html.haml +++ b/app/views/clusters/clusters/gcp/_form.html.haml 
@@ -74,6 +74,13 @@ = link_to _('More information'), help_page_path('user/project/clusters/index.md', anchor: 'role-based-access-control-rbac-core-only'), target: '_blank' - .form-group - = field.submit s_('ClusterIntegration|Create Kubernetes cluster'), - class: 'js-gke-cluster-creation-submit btn btn-success', disabled: true + .form-group + = field.check_box :managed, { label: s_('ClusterIntegration|GitLab-managed cluster'), + label_class: 'label-bold' } + .form-text.text-muted + = s_('ClusterIntegration|Allow GitLab to manage namespace and service accounts for this cluster.') + = link_to _('More information'), help_page_path('user/project/clusters/index.md', anchor: 'gitlab-managed-cluster'), target: '_blank' + + .form-group + = field.submit s_('ClusterIntegration|Create Kubernetes cluster'), + class: 'js-gke-cluster-creation-submit btn btn-success', disabled: true diff --git a/app/views/clusters/clusters/user/_form.html.haml b/app/views/clusters/clusters/user/_form.html.haml index 4dba0e530e7..c47a1702344 100644 --- a/app/views/clusters/clusters/user/_form.html.haml +++ b/app/views/clusters/clusters/user/_form.html.haml @@ -44,5 +44,12 @@ { class: 'qa-rbac-checkbox', label: s_('ClusterIntegration|RBAC-enabled cluster'), label_class: 'label-bold', inline: true }, 'rbac', 'abac' - .form-group - = field.submit s_('ClusterIntegration|Add Kubernetes cluster'), class: 'btn btn-success' + .form-group + = field.check_box :managed, { label: s_('ClusterIntegration|GitLab-managed cluster'), + label_class: 'label-bold' } + .form-text.text-muted + = s_('ClusterIntegration|Allow GitLab to manage namespace and service accounts for this cluster.') + = link_to _('More information'), help_page_path('user/project/clusters/index.md', anchor: 'gitlab-managed-cluster'), target: '_blank' + + .form-group + = field.submit s_('ClusterIntegration|Add Kubernetes cluster'), class: 'btn btn-success' 
diff --git a/app/views/clusters/platforms/kubernetes/_form.html.haml b/app/views/clusters/platforms/kubernetes/_form.html.haml index f9f8097cb38..a98a6a84ba6 100644 --- a/app/views/clusters/platforms/kubernetes/_form.html.haml +++ b/app/views/clusters/platforms/kubernetes/_form.html.haml @@ -47,5 +47,13 @@ = s_('ClusterIntegration|Enable this setting if using role-based access control (RBAC).') = s_('ClusterIntegration|This option will allow you to install applications on RBAC clusters.') + .form-group + .form-check + = field.check_box :managed, { class: 'form-check-input', disabled: true }, 'managed', 'non-managed' + = field.label :managed, s_('ClusterIntegration|GitLab-managed cluster'), class: 'form-check-label label-bold' + .form-text.text-muted + = s_('ClusterIntegration|Allow GitLab to manage namespace and service accounts for this cluster.') + = link_to _('More information'), help_page_path('user/project/clusters/index.md', anchor: 'gitlab-managed-cluster'), target: '_blank' + .form-group = field.submit s_('ClusterIntegration|Save changes'), class: 'btn btn-success' diff --git a/app/workers/cluster_provision_worker.rb b/app/workers/cluster_provision_worker.rb index 926ae2b7286..2c9a5920dd3 100644 --- a/app/workers/cluster_provision_worker.rb +++ b/app/workers/cluster_provision_worker.rb @@ -10,7 +10,13 @@ def perform(cluster_id) Clusters::Gcp::ProvisionService.new.execute(provider) if cluster.gcp? end - ClusterConfigureWorker.perform_async(cluster.id) if cluster.user? + ClusterConfigureWorker.perform_async(cluster.id) if configure_kubernetes_resources?(cluster) end end + + private + + def configure_kubernetes_resources?(cluster) + cluster.user? && cluster.managed? + end end diff --git a/changelogs/unreleased/56557-disable-kubernetes-namespace-service-account-backend.yml b/changelogs/unreleased/56557-disable-kubernetes-namespace-service-account-backend.yml new file mode 100644 index 00000000000..6521eb9d1c0 --- /dev/null 
+++ b/changelogs/unreleased/56557-disable-kubernetes-namespace-service-account-backend.yml @@ -0,0 +1,5 @@ +--- +title: Disables kubernetes resources creation if a cluster is not managed +merge_request: 26565 +author: +type: added diff --git a/lib/gitlab/ci/build/prerequisite/kubernetes_namespace.rb b/lib/gitlab/ci/build/prerequisite/kubernetes_namespace.rb index bb2b209e793..43c20f964b4 100644 --- a/lib/gitlab/ci/build/prerequisite/kubernetes_namespace.rb +++ b/lib/gitlab/ci/build/prerequisite/kubernetes_namespace.rb @@ -7,6 +7,7 @@ module Prerequisite class KubernetesNamespace < Base def unmet? deployment_cluster.present? && + !deployment_cluster.managed? && !deployment_cluster.project_type? && kubernetes_namespace.new_record? end diff --git a/locale/gitlab.pot b/locale/gitlab.pot index c8b583575c8..fc57a74551c 100644 --- a/locale/gitlab.pot +++ b/locale/gitlab.pot @@ -1944,6 +1944,9 @@ msgstr "" msgid "ClusterIntegration|Advanced options on this Kubernetes cluster's integration" msgstr "" +msgid "ClusterIntegration|Allow GitLab to manage namespace and service accounts for this cluster." +msgstr "" + msgid "ClusterIntegration|Alternatively" msgstr "" @@ -2064,6 +2067,9 @@ msgstr "" msgid "ClusterIntegration|GitLab Runner connects to the repository and executes CI/CD jobs, pushing results back and deploying applications to production." msgstr "" +msgid "ClusterIntegration|GitLab-managed cluster" +msgstr "" + msgid "ClusterIntegration|Google Cloud Platform project" msgstr "" diff --git a/spec/controllers/groups/clusters_controller_spec.rb b/spec/controllers/groups/clusters_controller_spec.rb index e5180ec5c5c..7349cb7094c 100644 --- a/spec/controllers/groups/clusters_controller_spec.rb +++ b/spec/controllers/groups/clusters_controller_spec.rb @@ -189,6 +189,7 @@ def go { cluster: { name: 'new-cluster', + managed: '1', provider_gcp_attributes: { gcp_project_id: 'gcp-project-12345', legacy_abac: legacy_abac_param 
@@ -218,6 +219,7 @@ def go expect(cluster).to be_gcp expect(cluster).to be_kubernetes expect(cluster.provider_gcp).to be_legacy_abac + expect(cluster).to be_managed end context 'when legacy_abac param is false' do @@ -278,6 +280,7 @@ def go { cluster: { name: 'new-cluster', + managed: '1', platform_kubernetes_attributes: { api_url: 'http://my-url', token: 'test' @@ -303,6 +306,7 @@ def go expect(response).to redirect_to(group_cluster_path(group, cluster)) expect(cluster).to be_user expect(cluster).to be_kubernetes + expect(cluster).to be_managed end end @@ -334,6 +338,29 @@ def go expect(cluster).to be_platform_kubernetes_rbac end end + + context 'when creates a user-managed cluster' do + let(:params) do + { + cluster: { + name: 'new-cluster', + managed: '0', + platform_kubernetes_attributes: { + api_url: 'http://my-url', + token: 'test', + authorization_type: 'rbac' + } + } + } + end + + it 'creates a new user-managed cluster' do + go + + cluster = group.clusters.first + expect(cluster.managed?).to be_falsy + end + end end describe 'security' do diff --git a/spec/controllers/projects/clusters_controller_spec.rb b/spec/controllers/projects/clusters_controller_spec.rb index d94c18ddc02..8d37bd82d21 100644 --- a/spec/controllers/projects/clusters_controller_spec.rb +++ b/spec/controllers/projects/clusters_controller_spec.rb @@ -165,6 +165,7 @@ def go { cluster: { name: 'new-cluster', + managed: '1', provider_gcp_attributes: { gcp_project_id: 'gcp-project-12345', legacy_abac: legacy_abac_param @@ -191,6 +192,7 @@ def go expect(project.clusters.first).to be_gcp expect(project.clusters.first).to be_kubernetes expect(project.clusters.first.provider_gcp).to be_legacy_abac + expect(project.clusters.first.managed?).to be_truthy end context 'when legacy_abac param is false' do @@ -251,6 +253,7 @@ def go { cluster: { name: 'new-cluster', + managed: '1', platform_kubernetes_attributes: { api_url: 'http://my-url', token: 'test', 
@@ -302,9 +305,35 @@ def go expect(response).to redirect_to(project_cluster_path(project, project.clusters.first)) - expect(project.clusters.first).to be_user - expect(project.clusters.first).to be_kubernetes - expect(project.clusters.first).to be_platform_kubernetes_rbac + cluster = project.clusters.first + + expect(cluster).to be_user + expect(cluster).to be_kubernetes + expect(cluster).to be_platform_kubernetes_rbac + end + end + + context 'when creates a user-managed cluster' do + let(:params) do + { + cluster: { + name: 'new-cluster', + managed: '0', + platform_kubernetes_attributes: { + api_url: 'http://my-url', + token: 'test', + namespace: 'aaa', + authorization_type: 'rbac' + } + } + } + end + + it 'creates a new user-managed cluster' do + go + cluster = project.clusters.first + + expect(cluster.managed?).to be_falsy end end end diff --git a/spec/factories/clusters/clusters.rb b/spec/factories/clusters/clusters.rb index 97405ec7c58..6eb0194b710 100644 --- a/spec/factories/clusters/clusters.rb +++ b/spec/factories/clusters/clusters.rb @@ -65,7 +65,7 @@ domain 'example.com' end - trait :user_managed do + trait :not_managed do managed false end end diff --git a/spec/lib/gitlab/ci/build/prerequisite/kubernetes_namespace_spec.rb b/spec/lib/gitlab/ci/build/prerequisite/kubernetes_namespace_spec.rb index e8332b14627..981eacbda80 100644 --- a/spec/lib/gitlab/ci/build/prerequisite/kubernetes_namespace_spec.rb +++ b/spec/lib/gitlab/ci/build/prerequisite/kubernetes_namespace_spec.rb 
@@ -77,14 +77,26 @@ end context 'completion is not required' do - before do - expect(deployment.cluster).to be_nil + context 'when deployment does not have a cluster' do + it 'does not create a kubernetes namespace' do + expect(Clusters::Gcp::Kubernetes::CreateOrUpdateNamespaceService).not_to receive(:new) + + subject + end end - it 'does not create a namespace' do - expect(Clusters::Gcp::Kubernetes::CreateOrUpdateNamespaceService).not_to receive(:new) + context 'when cluster is managed' do + let(:cluster) { create(:cluster, projects: [build.project]) } - subject + before do + allow(build.deployment).to receive(:cluster).and_return(cluster) + end + + it 'does not create a kubernetes namespace' do + expect(Clusters::Gcp::Kubernetes::CreateOrUpdateNamespaceService).not_to receive(:new) + + subject + end end end end diff --git a/spec/services/clusters/gcp/finalize_creation_service_spec.rb b/spec/services/clusters/gcp/finalize_creation_service_spec.rb index 2664649df47..7ecb2e3d13a 100644 --- a/spec/services/clusters/gcp/finalize_creation_service_spec.rb +++ b/spec/services/clusters/gcp/finalize_creation_service_spec.rb @@ -42,12 +42,6 @@ expect(platform.password).to eq(password) expect(platform.token).to eq(token) end - - it 'calls ClusterConfigureWorker in a ascync fashion' do - expect(ClusterConfigureWorker).to receive(:perform_async).with(cluster.id) - - subject - end end shared_examples 'error' do 
@@ -162,4 +156,31 @@ it_behaves_like 'kubernetes information not successfully fetched' end + + context 'when user changes how gitlab is managed' do + before do + stub_kubeclient_get_cluster_role_binding_error(api_url, 'gitlab-admin') + stub_kubeclient_create_cluster_role_binding(api_url) + end + + include_context 'kubernetes information successfully fetched' + + context 'with a gitlab-managed cluster' do + it 'configures Kubernetes resources' do + expect(ClusterConfigureWorker).to receive(:perform_async).with(cluster.id) + + subject + end + end + + context 'with a non gitlab-managed cluster' do + let(:cluster) { create(:cluster, :project, :providing_by_gcp, :not_managed) } + + it 'does not configure kubernetes resources' do + expect(ClusterConfigureWorker).not_to receive(:perform_async) + + subject + end + end + end end diff --git a/spec/workers/cluster_provision_worker_spec.rb b/spec/workers/cluster_provision_worker_spec.rb index 9cc2ad12bfc..8e3e4283137 100644 --- a/spec/workers/cluster_provision_worker_spec.rb +++ b/spec/workers/cluster_provision_worker_spec.rb @@ -29,6 +29,16 @@ described_class.new.perform(cluster.id) end + + context 'when cluster is not managed by GitLab' do + let(:cluster) { create(:cluster, :provided_by_user, :not_managed) } + + it 'does not configure kubernetes platform' do + expect(ClusterConfigureWorker).not_to receive(:perform_async) + + described_class.new.perform(cluster.id) + end + end end context 'when cluster does not exist' do -- GitLab From fa315651c88fbb6d85ad9cd6e2cbae7990daf20b Mon Sep 17 00:00:00 2001 From: Tiger Date: Tue, 9 Apr 2019 17:47:42 +1000 Subject: [PATCH 02/10] Don't create namespaces for user-managed clusters Addresses #note_157653688 on https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/26565 --- app/models/clusters/cluster.rb | 2 +- .../prerequisite/kubernetes_namespace.rb | 2 +- .../prerequisite/kubernetes_namespace_spec.rb | 28 ++++++++----------- 3 files changed, 13 insertions(+), 19 deletions(-) 
diff --git a/app/models/clusters/cluster.rb b/app/models/clusters/cluster.rb index 4262c03498d..c12dfd41876 100644 --- a/app/models/clusters/cluster.rb +++ b/app/models/clusters/cluster.rb @@ -100,7 +100,7 @@ class Cluster < ApplicationRecord scope :missing_kubernetes_namespace, -> (kubernetes_namespaces) do subquery = kubernetes_namespaces.select('1').where('clusters_kubernetes_namespaces.cluster_id = clusters.id') - where('NOT EXISTS (?)', subquery) + where(managed: true).where('NOT EXISTS (?)', subquery) end scope :with_knative_installed, -> { joins(:application_knative).merge(Clusters::Applications::Knative.available) } diff --git a/lib/gitlab/ci/build/prerequisite/kubernetes_namespace.rb b/lib/gitlab/ci/build/prerequisite/kubernetes_namespace.rb index 43c20f964b4..dbdc59505ac 100644 --- a/lib/gitlab/ci/build/prerequisite/kubernetes_namespace.rb +++ b/lib/gitlab/ci/build/prerequisite/kubernetes_namespace.rb @@ -7,7 +7,7 @@ module Prerequisite class KubernetesNamespace < Base def unmet? deployment_cluster.present? && - !deployment_cluster.managed? && + deployment_cluster.managed? && !deployment_cluster.project_type? && kubernetes_namespace.new_record? end diff --git a/spec/lib/gitlab/ci/build/prerequisite/kubernetes_namespace_spec.rb b/spec/lib/gitlab/ci/build/prerequisite/kubernetes_namespace_spec.rb index 981eacbda80..5387863bd07 100644 --- a/spec/lib/gitlab/ci/build/prerequisite/kubernetes_namespace_spec.rb +++ b/spec/lib/gitlab/ci/build/prerequisite/kubernetes_namespace_spec.rb @@ -28,6 +28,12 @@ it { is_expected.to be_truthy } + context 'and the cluster is not managed' do + let(:cluster) { create(:cluster, :not_managed, projects: [build.project]) } + + it { is_expected.to be_falsey } + end + context 'and a namespace is already created for this project' do let!(:kubernetes_namespace) { create(:cluster_kubernetes_namespace, cluster: cluster, project: build.project) } 
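Review bot: The `missing_kubernetes_namespace` scope in `app/models/clusters/cluster.rb` now also filters on `managed`, which its name does not convey, so a caller cannot tell that unmanaged clusters are excluded by design. A one-line comment above `where(managed: true)` would make that explicit, e.g. `# GitLab never creates namespaces on unmanaged clusters, so they are never "missing" one`. PATCH 03 calls `Clusters::Cluster.managed`; if that scope exists on the model (its definition is not in any visible hunk), `managed.where('NOT EXISTS (?)', subquery)` would keep the predicate in one place.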
@@ -77,26 +83,14 @@ end context 'completion is not required' do - context 'when deployment does not have a cluster' do - it 'does not create a kubernetes namespace' do - expect(Clusters::Gcp::Kubernetes::CreateOrUpdateNamespaceService).not_to receive(:new) - - subject - end + before do + expect(deployment.cluster).to be_nil end - context 'when cluster is managed' do - let(:cluster) { create(:cluster, projects: [build.project]) } + it 'does not create a namespace' do + expect(Clusters::Gcp::Kubernetes::CreateOrUpdateNamespaceService).not_to receive(:new) - before do - allow(build.deployment).to receive(:cluster).and_return(cluster) - end - - it 'does not create a kubernetes namespace' do - expect(Clusters::Gcp::Kubernetes::CreateOrUpdateNamespaceService).not_to receive(:new) - - subject - end + subject end end end -- GitLab From 2d9d1e5bf75f9bd9cc54c02a9d73401903d60855 Mon Sep 17 00:00:00 2001 From: Tiger Date: Tue, 9 Apr 2019 17:54:20 +1000 Subject: [PATCH 03/10] DRY up cluster.managed? checks To save us checking everywhere we may call to configure clusters, move the checks into the configure services themselves. --- .../clusters/gcp/finalize_creation_service.rb | 10 ++---- .../clusters/clusters/gcp/_form.html.haml | 2 +- .../platforms/kubernetes/_form.html.haml | 11 +++---- app/workers/cluster_configure_worker.rb | 2 +- app/workers/cluster_provision_worker.rb | 8 +---- spec/models/clusters/cluster_spec.rb | 6 ++++ .../gcp/finalize_creation_service_spec.rb | 33 ++++--------------- .../services/clusters/refresh_service_spec.rb | 6 ++++ spec/workers/cluster_configure_worker_spec.rb | 10 ++++++ spec/workers/cluster_provision_worker_spec.rb | 10 ------ 10 files changed, 39 insertions(+), 59 deletions(-) diff --git a/app/services/clusters/gcp/finalize_creation_service.rb b/app/services/clusters/gcp/finalize_creation_service.rb index 3ce4f60f6eb..5525c1b9b7f 100644 --- a/app/services/clusters/gcp/finalize_creation_service.rb 
+++ b/app/services/clusters/gcp/finalize_creation_service.rb @@ -12,7 +12,9 @@ def execute(provider) create_gitlab_service_account! configure_kubernetes cluster.save! - configure_kubernetes_resources_on_cluster + + ClusterConfigureWorker.perform_async(cluster.id) + rescue Google::Apis::ServerError, Google::Apis::ClientError, Google::Apis::AuthorizationError => e log_service_error(e.class.name, provider.id, e.message) provider.make_errored!(s_('ClusterIntegration|Failed to request to Google Cloud Platform: %{message}') % { message: e.message }) @@ -119,12 +121,6 @@ def log_service_error(exception, provider_id, message) message: message ) end - - def configure_kubernetes_resources_on_cluster - return unless cluster.managed? - - ClusterConfigureWorker.perform_async(cluster.id) - end end end end diff --git a/app/views/clusters/clusters/gcp/_form.html.haml b/app/views/clusters/clusters/gcp/_form.html.haml index 36101abfa45..0e0c7ff9087 100644 --- a/app/views/clusters/clusters/gcp/_form.html.haml +++ b/app/views/clusters/clusters/gcp/_form.html.haml @@ -76,7 +76,7 @@ .form-group = field.check_box :managed, { label: s_('ClusterIntegration|GitLab-managed cluster'), - label_class: 'label-bold' } + label_class: 'label-bold' } .form-text.text-muted = s_('ClusterIntegration|Allow GitLab to manage namespace and service accounts for this cluster.') = link_to _('More information'), help_page_path('user/project/clusters/index.md', anchor: 'gitlab-managed-cluster'), target: '_blank' diff --git a/app/views/clusters/platforms/kubernetes/_form.html.haml b/app/views/clusters/platforms/kubernetes/_form.html.haml index a98a6a84ba6..1c796b8cb04 100644 --- a/app/views/clusters/platforms/kubernetes/_form.html.haml +++ b/app/views/clusters/platforms/kubernetes/_form.html.haml 
@@ -48,12 +48,11 @@ = s_('ClusterIntegration|This option will allow you to install applications on RBAC clusters.') .form-group - .form-check - = field.check_box :managed, { class: 'form-check-input', disabled: true }, 'managed', 'non-managed' - = field.label :managed, s_('ClusterIntegration|GitLab-managed cluster'), class: 'form-check-label label-bold' - .form-text.text-muted - = s_('ClusterIntegration|Allow GitLab to manage namespace and service accounts for this cluster.') - = link_to _('More information'), help_page_path('user/project/clusters/index.md', anchor: 'gitlab-managed-cluster'), target: '_blank' + = field.check_box :managed, { disabled: true, label: s_('ClusterIntegration|GitLab-managed cluster'), + label_class: 'label-bold' } + .form-text.text-muted + = s_('ClusterIntegration|Allow GitLab to manage namespace and service accounts for this cluster.') + = link_to _('More information'), help_page_path('user/project/clusters/index.md', anchor: 'gitlab-managed-cluster'), target: '_blank' .form-group = field.submit s_('ClusterIntegration|Save changes'), class: 'btn btn-success' diff --git a/app/workers/cluster_configure_worker.rb b/app/workers/cluster_configure_worker.rb index 22681157b62..37ea7dde7a1 100644 --- a/app/workers/cluster_configure_worker.rb +++ b/app/workers/cluster_configure_worker.rb @@ -5,7 +5,7 @@ class ClusterConfigureWorker include ClusterQueue def perform(cluster_id) - Clusters::Cluster.find_by_id(cluster_id).try do |cluster| + Clusters::Cluster.managed.find_by_id(cluster_id).try do |cluster| if cluster.project_type? || Feature.disabled?(:ci_preparing_state, default_enabled: true) Clusters::RefreshService.create_or_update_namespaces_for_cluster(cluster) end diff --git a/app/workers/cluster_provision_worker.rb b/app/workers/cluster_provision_worker.rb index 2c9a5920dd3..926ae2b7286 100644 --- a/app/workers/cluster_provision_worker.rb +++ b/app/workers/cluster_provision_worker.rb 
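Review bot: `Clusters::Cluster.managed.find_by_id(cluster_id).try` in `cluster_configure_worker.rb` is now the only place the enqueue paths check the flag, because this commit removes the `cluster.managed?` guards from `FinalizeCreationService` and `ClusterProvisionWorker`. An unmanaged cluster and a missing id both yield `nil`, so the job finishes silently in either case. That behaviour is reasonable, but the line should say so, e.g. `# unmanaged clusters are skipped here; callers enqueue unconditionally`, so that a later refactor back to `Clusters::Cluster.find_by_id` does not start creating namespaces and service accounts on clusters whose owner opted out. The definition of the `managed` scope is not in any visible hunk and should be confirmed to exist on `Clusters::Cluster`; the `perform` body continues outside the hunk.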
@@ -10,13 +10,7 @@ def perform(cluster_id) Clusters::Gcp::ProvisionService.new.execute(provider) if cluster.gcp? end - ClusterConfigureWorker.perform_async(cluster.id) if configure_kubernetes_resources?(cluster) + ClusterConfigureWorker.perform_async(cluster.id) if cluster.user? end end - - private - - def configure_kubernetes_resources?(cluster) - cluster.user? && cluster.managed? - end end diff --git a/spec/models/clusters/cluster_spec.rb b/spec/models/clusters/cluster_spec.rb index 894ef3fb956..e8cd19fc205 100644 --- a/spec/models/clusters/cluster_spec.rb +++ b/spec/models/clusters/cluster_spec.rb @@ -106,6 +106,12 @@ it { is_expected.to contain_exactly(cluster) } + context 'cluster is not managed' do + let!(:cluster) { create(:cluster, :not_managed, :provided_by_gcp, :project) } + + it { is_expected.to be_empty } + end + context 'kubernetes namespace exists' do before do create(:cluster_kubernetes_namespace, project: project, cluster: cluster) diff --git a/spec/services/clusters/gcp/finalize_creation_service_spec.rb b/spec/services/clusters/gcp/finalize_creation_service_spec.rb index 7ecb2e3d13a..2664649df47 100644 --- a/spec/services/clusters/gcp/finalize_creation_service_spec.rb +++ b/spec/services/clusters/gcp/finalize_creation_service_spec.rb @@ -42,6 +42,12 @@ expect(platform.password).to eq(password) expect(platform.token).to eq(token) end + + it 'calls ClusterConfigureWorker in a ascync fashion' do + expect(ClusterConfigureWorker).to receive(:perform_async).with(cluster.id) + + subject + end end shared_examples 'error' do 
@@ -156,31 +162,4 @@ it_behaves_like 'kubernetes information not successfully fetched' end - - context 'when user changes how gitlab is managed' do - before do - stub_kubeclient_get_cluster_role_binding_error(api_url, 'gitlab-admin') - stub_kubeclient_create_cluster_role_binding(api_url) - end - - include_context 'kubernetes information successfully fetched' - - context 'with a gitlab-managed cluster' do - it 'configures Kubernetes resources' do - expect(ClusterConfigureWorker).to receive(:perform_async).with(cluster.id) - - subject - end - end - - context 'with a non gitlab-managed cluster' do - let(:cluster) { create(:cluster, :project, :providing_by_gcp, :not_managed) } - - it 'does not configure kubernetes resources' do - expect(ClusterConfigureWorker).not_to receive(:perform_async) - - subject - end - end - end end diff --git a/spec/services/clusters/refresh_service_spec.rb b/spec/services/clusters/refresh_service_spec.rb index 9e442ebf4e9..94c35228955 100644 --- a/spec/services/clusters/refresh_service_spec.rb +++ b/spec/services/clusters/refresh_service_spec.rb @@ -121,5 +121,11 @@ end end end + + context 'cluster is not managed' do + let!(:cluster) { create(:cluster, :project, :not_managed, projects: [project]) } + + include_examples 'does not create a kubernetes namespace' + end end end diff --git a/spec/workers/cluster_configure_worker_spec.rb b/spec/workers/cluster_configure_worker_spec.rb index bdb8e0e9c84..daf014ac574 100644 --- a/spec/workers/cluster_configure_worker_spec.rb +++ b/spec/workers/cluster_configure_worker_spec.rb 
@@ -68,6 +68,16 @@ it_behaves_like 'configured cluster' end + context 'when cluster is not managed' do + let(:cluster) { create(:cluster, :not_managed) } + + it 'does not configure the cluster' do + expect(Clusters::RefreshService).not_to receive(:create_or_update_namespaces_for_cluster) + + described_class.new.perform(cluster.id) + end + end + context 'when cluster does not exist' do it 'does not provision a cluster' do expect_any_instance_of(Clusters::Gcp::Kubernetes::CreateOrUpdateNamespaceService).not_to receive(:execute) diff --git a/spec/workers/cluster_provision_worker_spec.rb b/spec/workers/cluster_provision_worker_spec.rb index 8e3e4283137..9cc2ad12bfc 100644 --- a/spec/workers/cluster_provision_worker_spec.rb +++ b/spec/workers/cluster_provision_worker_spec.rb @@ -29,16 +29,6 @@ described_class.new.perform(cluster.id) end - - context 'when cluster is not managed by GitLab' do - let(:cluster) { create(:cluster, :provided_by_user, :not_managed) } - - it 'does not configure kubernetes platform' do - expect(ClusterConfigureWorker).not_to receive(:perform_async) - - described_class.new.perform(cluster.id) - end - end end context 'when cluster does not exist' do -- GitLab From 71bd23aecbb86cb32587a34e6d23c5f3b41aa18d Mon Sep 17 00:00:00 2001 From: Tiger Date: Wed, 10 Apr 2019 13:25:39 +1000 Subject: [PATCH 04/10] Add docs for GitLab-managed cluster option https://gitlab.com/gitlab-org/gitlab-ce/issues/56557 --- .../clusters/clusters/gcp/_form.html.haml | 2 +- .../clusters/clusters/user/_form.html.haml | 2 +- .../platforms/kubernetes/_form.html.haml | 2 +- doc/user/group/clusters/index.md | 23 +++++++++++ doc/user/project/clusters/index.md | 40 ++++++++++++++++--- 5 files changed, 61 insertions(+), 8 deletions(-) diff --git a/app/views/clusters/clusters/gcp/_form.html.haml b/app/views/clusters/clusters/gcp/_form.html.haml index 0e0c7ff9087..70e2eaeaf3b 100644 --- a/app/views/clusters/clusters/gcp/_form.html.haml 
+++ b/app/views/clusters/clusters/gcp/_form.html.haml @@ -79,7 +79,7 @@ label_class: 'label-bold' } .form-text.text-muted = s_('ClusterIntegration|Allow GitLab to manage namespace and service accounts for this cluster.') - = link_to _('More information'), help_page_path('user/project/clusters/index.md', anchor: 'gitlab-managed-cluster'), target: '_blank' + = link_to _('More information'), help_page_path('user/project/clusters/index.md', anchor: 'gitlab-managed-clusters'), target: '_blank' .form-group = field.submit s_('ClusterIntegration|Create Kubernetes cluster'), diff --git a/app/views/clusters/clusters/user/_form.html.haml b/app/views/clusters/clusters/user/_form.html.haml index c47a1702344..f2fc5ac93fb 100644 --- a/app/views/clusters/clusters/user/_form.html.haml +++ b/app/views/clusters/clusters/user/_form.html.haml @@ -49,7 +49,7 @@ label_class: 'label-bold' } .form-text.text-muted = s_('ClusterIntegration|Allow GitLab to manage namespace and service accounts for this cluster.') - = link_to _('More information'), help_page_path('user/project/clusters/index.md', anchor: 'gitlab-managed-cluster'), target: '_blank' + = link_to _('More information'), help_page_path('user/project/clusters/index.md', anchor: 'gitlab-managed-clusters'), target: '_blank' .form-group = field.submit s_('ClusterIntegration|Add Kubernetes cluster'), class: 'btn btn-success' diff --git a/app/views/clusters/platforms/kubernetes/_form.html.haml b/app/views/clusters/platforms/kubernetes/_form.html.haml index 1c796b8cb04..8caa25a7b5e 100644 --- a/app/views/clusters/platforms/kubernetes/_form.html.haml +++ b/app/views/clusters/platforms/kubernetes/_form.html.haml 
@@ -52,7 +52,7 @@ label_class: 'label-bold' } .form-text.text-muted = s_('ClusterIntegration|Allow GitLab to manage namespace and service accounts for this cluster.') - = link_to _('More information'), help_page_path('user/project/clusters/index.md', anchor: 'gitlab-managed-cluster'), target: '_blank' + = link_to _('More information'), help_page_path('user/project/clusters/index.md', anchor: 'gitlab-managed-clusters'), target: '_blank' .form-group = field.submit s_('ClusterIntegration|Save changes'), class: 'btn btn-success' diff --git a/doc/user/group/clusters/index.md b/doc/user/group/clusters/index.md index 984881ef26c..0f71587830f 100644 --- a/doc/user/group/clusters/index.md +++ b/doc/user/group/clusters/index.md 
@@ -72,6 +72,29 @@ Add another cluster similar to the first one and make sure to [set an environment scope](#environment-scopes-premium) that will differentiate the new cluster from the rest. +## Gitlab-managed clusters + +> [Introduced](https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/22011) in GitLab 11.5. +> Became [optional](https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/26565) in GitLab 11.11. + +NOTE: **Note:** +Only available when creating clusters. Existing clusters not managed by GitLab +cannot become GitLab-managed later. + +You can choose to allow GitLab to manage your cluster for you. If your cluster is +managed by GitLab, resources for your projects will be automatically created. See the +[Access controls](../../project/clusters/index.md#access-controls) section for details on which resources will +be created. + +If you choose to manage your own cluster, project-specific resources will not be created +automatically. If you are using [Auto DevOps](../../../topics/autodevops/index.md), you will +need to explicitly provide the `KUBE_NAMESPACE` [deployment variable](../../project/clusters/index.md#deployment-variables) +that will be used by your deployment jobs. + +NOTE: **Note:** +If you [install applications](#installing-applications) on your cluster, GitLab will create +the resources required to run these even if you have chosen to manage your own cluster. + ## Base domain > [Introduced](https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/24580) in GitLab 11.8. diff --git a/doc/user/project/clusters/index.md b/doc/user/project/clusters/index.md index 0677fe622f2..52b1708fe2d 100644 --- a/doc/user/project/clusters/index.md +++ b/doc/user/project/clusters/index.md 
@@ -70,6 +70,7 @@ new Kubernetes cluster to your project: - **Machine type** - The [machine type](https://cloud.google.com/compute/docs/machine-types) of the Virtual Machine instance that the cluster will be based on. - **RBAC-enabled cluster** - Leave this checked if using default GKE creation options, see the [RBAC section](#role-based-access-control-rbac) for more information. + - **GitLab-managed cluster** - Leave this checked if you want GitLab to manage namespaces and service accounts for this cluster. See the [Managed clusters section](#gitlab-managed-clusters) for more information. 1. Finally, click the **Create Kubernetes cluster** button. After a couple of minutes, your cluster will be ready to go. You can now proceed @@ -188,6 +189,9 @@ To add an existing Kubernetes cluster to your project: role binding. You can follow the [Google Cloud documentation](https://cloud.google.com/iam/docs/granting-changing-revoking-access) to grant access. + + - **GitLab-managed cluster** - Leave this checked if you want GitLab to manage namespaces and service accounts for this cluster. See the [Managed clusters section](#gitlab-managed-clusters) for more information. + - **Project namespace** (optional) - You don't have to fill it in; by leaving it blank, GitLab will create one for you. Also: - Each project should have a unique namespace. 
@@ -214,6 +218,29 @@ functionalities needed to successfully build and deploy a containerized application. Bear in mind that the same credentials are used for all the applications running on the cluster. +## Gitlab-managed clusters + +> [Introduced](https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/22011) in GitLab 11.5. +> Became [optional](https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/26565) in GitLab 11.11. + +NOTE: **Note:** +Only available when creating clusters. Existing clusters not managed by GitLab +cannot become GitLab-managed later. + +You can choose to allow GitLab to manage your cluster for you. If your cluster is +managed by GitLab, resources for your projects will be automatically created. See the +[Access controls](#access-controls) section for details on which resources will +be created. + +If you choose to manage your own cluster, project-specific resources will not be created +automatically. If you are using [Auto DevOps](../../../topics/autodevops/index.md), you will +need to explicitly provide the `KUBE_NAMESPACE` [deployment variable](#deployment-variables) +that will be used by your deployment jobs, otherwise a namespace will be created for you. + +NOTE: **Note:** +If you [install applications](#installing-applications) on your cluster, GitLab will create +the resources required to run these even if you have chosen to manage your own cluster. + ## Base domain > [Introduced](https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/24580) in GitLab 11.8. 
@@ -278,8 +305,8 @@ The following sections summarize which resources will be created on ABAC/RBAC cl | `gitlab-token` | `Secret` | Token for `gitlab` ServiceAccount | Creating a new GKE Cluster | | `tiller` | `ServiceAccount` | `gitlab-managed-apps` namespace | Installing Helm Tiller | | `tiller-admin` | `ClusterRoleBinding` | `cluster-admin` roleRef | Installing Helm Tiller | -| Project namespace | `ServiceAccount` | Uses namespace of Project | Creating/Adding a new GKE Cluster | -| Project namespace | `Secret` | Token for project ServiceAccount | Creating/Adding a new GKE Cluster | +| Project namespace | `ServiceAccount` | Uses namespace of Project | Deploying to a cluster | +| Project namespace | `Secret` | Token for project ServiceAccount | Deploying to a cluster | ### Role-based access control (RBAC) 
@@ -290,9 +317,12 @@ The following sections summarize which resources will be created on ABAC/RBAC cl | `gitlab-token` | `Secret` | Token for `gitlab` ServiceAccount | Creating a new GKE Cluster | | `tiller` | `ServiceAccount` | `gitlab-managed-apps` namespace | Installing Helm Tiller | | `tiller-admin` | `ClusterRoleBinding` | `cluster-admin` roleRef | Installing Helm Tiller | -| Project namespace | `ServiceAccount` | Uses namespace of Project | Creating/Adding a new GKE Cluster | -| Project namespace | `Secret` | Token for project ServiceAccount | Creating/Adding a new GKE Cluster | -| Project namespace | `RoleBinding` | [`edit`](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles) roleRef | Creating/Adding a new GKE Cluster | +| Project namespace | `ServiceAccount` | Uses namespace of Project | Deploying to a cluster | +| Project namespace | `Secret` | Token for project ServiceAccount | Deploying to a cluster | +| Project namespace | `RoleBinding` | [`edit`](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles) roleRef | Deploying to a cluster | + +NOTE: **Note:** +Project-specific resources are only created if your cluster is [managed by GitLab](#gitlab-managed-clusters). ### Security of GitLab Runners -- GitLab From 7c90f3ff857e7c659d2c6bc5352e6b0585460038 Mon Sep 17 00:00:00 2001 From: Tiger Date: Thu, 11 Apr 2019 08:48:56 +1000 Subject: [PATCH 05/10] Move managed cluster query logic to scope --- app/models/clusters/cluster.rb | 3 ++- app/services/clusters/refresh_service.rb | 4 ++-- spec/models/clusters/cluster_spec.rb | 24 ++++++++++++++++++------ 3 files changed, 22 insertions(+), 9 deletions(-) diff --git a/app/models/clusters/cluster.rb b/app/models/clusters/cluster.rb index c12dfd41876..f6d2082d257 100644 --- a/app/models/clusters/cluster.rb +++ b/app/models/clusters/cluster.rb 
@@ -94,13 +94,14 @@ class Cluster < ApplicationRecord scope :user_provided, -> { where(provider_type: ::Clusters::Cluster.provider_types[:user]) } scope :gcp_provided, -> { where(provider_type: ::Clusters::Cluster.provider_types[:gcp]) } scope :gcp_installed, -> { gcp_provided.includes(:provider_gcp).where(cluster_providers_gcp: { status: ::Clusters::Providers::Gcp.state_machines[:status].states[:created].value }) } + scope :managed, -> { where(managed: true) } scope :default_environment, -> { where(environment_scope: DEFAULT_ENVIRONMENT) } scope :missing_kubernetes_namespace, -> (kubernetes_namespaces) do subquery = kubernetes_namespaces.select('1').where('clusters_kubernetes_namespaces.cluster_id = clusters.id') - where(managed: true).where('NOT EXISTS (?)', subquery) + where('NOT EXISTS (?)', subquery) end scope :with_knative_installed, -> { joins(:application_knative).merge(Clusters::Applications::Knative.available) } diff --git a/app/services/clusters/refresh_service.rb b/app/services/clusters/refresh_service.rb index 76ad8dd0fb0..b02bb9c0247 100644 --- a/app/services/clusters/refresh_service.rb +++ b/app/services/clusters/refresh_service.rb @@ -22,9 +22,9 @@ def self.projects_with_missing_kubernetes_namespaces_for_cluster(cluster) def self.clusters_with_missing_kubernetes_namespaces_for_project(project) if Feature.enabled?(:ci_preparing_state, default_enabled: true) - project.clusters.missing_kubernetes_namespace(project.kubernetes_namespaces) + project.clusters.managed.missing_kubernetes_namespace(project.kubernetes_namespaces) else - project.all_clusters.missing_kubernetes_namespace(project.kubernetes_namespaces) + project.all_clusters.managed.missing_kubernetes_namespace(project.kubernetes_namespaces) end end diff --git a/spec/models/clusters/cluster_spec.rb b/spec/models/clusters/cluster_spec.rb index e8cd19fc205..e1506c06044 100644 --- a/spec/models/clusters/cluster_spec.rb +++ b/spec/models/clusters/cluster_spec.rb 
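Review bot: Dropping `where(managed: true)` from `missing_kubernetes_namespace` in app/models/clusters/cluster.rb means the scope now also returns clusters on which GitLab is not meant to create namespaces or service accounts, so every caller has to remember to chain `.managed`. The refresh_service.rb hunk does that for both branches of `clusters_with_missing_kubernetes_namespaces_for_project`, but callers outside these hunks are not visible here and should be checked. I would add a comment above the scope, `# Does not filter on managed; chain .managed before creating resources on the result`. I would also add a RefreshService spec using a `:not_managed` cluster, because this commit removes the spec for that case from cluster_spec.rb.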
@@ -95,6 +95,24 @@ it { is_expected.to contain_exactly(cluster) } end + describe '.managed' do + subject do + described_class.managed + end + + context 'cluster is not managed' do + let!(:cluster) { create(:cluster, :not_managed) } + + it { is_expected.not_to include(cluster) } + end + + context 'cluster is managed' do + let!(:cluster) { create(:cluster) } + + it { is_expected.to include(cluster) } + end + end + describe '.missing_kubernetes_namespace' do let!(:cluster) { create(:cluster, :provided_by_gcp, :project) } let(:project) { cluster.project } @@ -106,12 +124,6 @@ it { is_expected.to contain_exactly(cluster) } - context 'cluster is not managed' do - let!(:cluster) { create(:cluster, :not_managed, :provided_by_gcp, :project) } - - it { is_expected.to be_empty } - end - context 'kubernetes namespace exists' do before do create(:cluster_kubernetes_namespace, project: project, cluster: cluster) -- GitLab From 406986b8499387e7ea6ee825544834098215d0e7 Mon Sep 17 00:00:00 2001 From: Tiger Date: Thu, 11 Apr 2019 09:02:27 +1000 Subject: [PATCH 06/10] Remove unneeded memoize --- app/models/deployment.rb | 1 - 1 file changed, 1 deletion(-) diff --git a/app/models/deployment.rb b/app/models/deployment.rb index 945ddffa65f..92c7311014a 100644 --- a/app/models/deployment.rb +++ b/app/models/deployment.rb @@ -4,7 +4,6 @@ class Deployment < ApplicationRecord include AtomicInternalId include IidRoutes include AfterCommitQueue - include Gitlab::Utils::StrongMemoize belongs_to :project, required: true belongs_to :environment, required: true -- GitLab From ab4fe3c0b0640d8f669503ad751961cd7e55e3fa Mon Sep 17 00:00:00 2001 From: Tiger Date: Thu, 11 Apr 2019 12:39:28 +1000 Subject: [PATCH 07/10] API support for managed cluster flag --- doc/api/project_clusters.md | 1 + lib/api/project_clusters.rb | 1 + spec/requests/api/project_clusters_spec.rb | 2 ++ 3 files changed, 4 insertions(+) 
diff --git a/doc/api/project_clusters.md b/doc/api/project_clusters.md index f36e352da67..c831cc52a93 100644 --- a/doc/api/project_clusters.md +++ b/doc/api/project_clusters.md @@ -161,6 +161,7 @@ Parameters: | `name` | String | yes | The name of the cluster | | `domain` | String | no | The [base domain](../user/project/clusters/index.md#base-domain) of the cluster | | `enabled` | Boolean | no | Determines if cluster is active or not, defaults to true | +| `managed` | Boolean | no | Determines if GitLab will manage namespaces and service accounts for this cluster, defaults to true | | `platform_kubernetes_attributes[api_url]` | String | yes | The URL to access the Kubernetes API | | `platform_kubernetes_attributes[token]` | String | yes | The token to authenticate against Kubernetes | | `platform_kubernetes_attributes[ca_cert]` | String | no | TLS certificate (needed if API is using a self-signed TLS certificate | diff --git a/lib/api/project_clusters.rb b/lib/api/project_clusters.rb index b62ec887183..dcc8d94fb79 100644 --- a/lib/api/project_clusters.rb +++ b/lib/api/project_clusters.rb @@ -54,6 +54,7 @@ class ProjectClusters < Grape::API requires :name, type: String, desc: 'Cluster name' optional :enabled, type: Boolean, default: true, desc: 'Determines if cluster is active or not, defaults to true' optional :domain, type: String, desc: 'Cluster base domain' + optional :managed, type: Boolean, default: true, desc: 'Determines if GitLab will manage namespaces and service accounts for this cluster, defaults to true' requires :platform_kubernetes_attributes, type: Hash, desc: %q(Platform Kubernetes data) do requires :api_url, type: String, allow_blank: false, desc: 'URL to access the Kubernetes API' requires :token, type: String, desc: 'Token to authenticate against Kubernetes' diff --git a/spec/requests/api/project_clusters_spec.rb b/spec/requests/api/project_clusters_spec.rb index 94e6ca2c07c..5357be3cdee 100644 --- a/spec/requests/api/project_clusters_spec.rb 
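Review bot: `optional :managed` in lib/api/project_clusters.rb sits in a params block that starts outside the hunk, so it is worth confirming that this is only the block for adding a cluster. The docs added in this series say the flag is only available at creation, and the later platform change uses `managed?` to decide which credentials jobs receive. The spec change covers only `managed: false` on create. I would add a request spec that sends `managed` to the update endpoint and asserts the stored value is unchanged, e.g. `expect(cluster.reload.managed).to be_truthy`.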
+++ b/spec/requests/api/project_clusters_spec.rb @@ -189,6 +189,7 @@ { name: 'test-cluster', domain: 'domain.example.com', + managed: false, platform_kubernetes_attributes: platform_kubernetes_attributes } end @@ -220,6 +221,7 @@ expect(cluster_result.project).to eq(project) expect(cluster_result.name).to eq('test-cluster') expect(cluster_result.domain).to eq('domain.example.com') + expect(cluster_result.managed).to be_falsy expect(platform_kubernetes.rbac?).to be_truthy expect(platform_kubernetes.api_url).to eq(api_url) expect(platform_kubernetes.namespace).to eq(namespace) -- GitLab From bbbf316265ab60df8823d9994dadb9c3ced458f7 Mon Sep 17 00:00:00 2001 From: Tiger Date: Thu, 18 Apr 2019 12:27:52 +1000 Subject: [PATCH 08/10] Pass unmanaged group cluster credentials to runner Currently cluster credentials are made available to runners for project level clusters only to maintain backwards compatibility with the original Kubernetes integration behaviour. Add this functionality for group clusters, but only if they are not managed. https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/26565 --- app/models/clusters/platforms/kubernetes.rb | 2 +- spec/models/clusters/platforms/kubernetes_spec.rb | 12 ++++++++++++ 2 files changed, 13 insertions(+), 1 deletion(-) diff --git a/app/models/clusters/platforms/kubernetes.rb b/app/models/clusters/platforms/kubernetes.rb index a806367a49b..4d27aab289c 100644 --- a/app/models/clusters/platforms/kubernetes.rb +++ b/app/models/clusters/platforms/kubernetes.rb 
@@ -88,7 +88,7 @@ def predefined_variables(project:) if kubernetes_namespace = cluster.kubernetes_namespaces.has_service_account_token.find_by(project: project) variables.concat(kubernetes_namespace.predefined_variables) - elsif cluster.project_type? + elsif cluster.project_type? || !cluster.managed? # From 11.5, every Clusters::Project should have at least one # Clusters::KubernetesNamespace, so once migration has been completed, # this 'else' branch will be removed. For more information, please see diff --git a/spec/models/clusters/platforms/kubernetes_spec.rb b/spec/models/clusters/platforms/kubernetes_spec.rb index 0281dd2c303..e35d14f2282 100644 --- a/spec/models/clusters/platforms/kubernetes_spec.rb +++ b/spec/models/clusters/platforms/kubernetes_spec.rb @@ -331,6 +331,18 @@ { key: 'KUBE_TOKEN', value: kubernetes.token, public: false } ) end + + context 'the cluster is not managed' do + let!(:cluster) { create(:cluster, :group, :not_managed, platform_kubernetes: kubernetes) } + + it_behaves_like 'setting variables' + + it 'sets KUBE_TOKEN' do + expect(subject).to include( + { key: 'KUBE_TOKEN', value: kubernetes.token, public: false, masked: true } + ) + end + end end context 'kubernetes namespace exists for the project' do -- GitLab From 5259e75d79568946e9e49f5420caec32122cd9ff Mon Sep 17 00:00:00 2001 From: Tiger Date: Wed, 1 May 2019 12:42:34 +1000 Subject: [PATCH 09/10] Update comment explaining unmanaged/project-level cluster behaviour --- app/models/clusters/platforms/kubernetes.rb | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/app/models/clusters/platforms/kubernetes.rb b/app/models/clusters/platforms/kubernetes.rb index 4d27aab289c..2ee100f77d0 100644 --- a/app/models/clusters/platforms/kubernetes.rb +++ b/app/models/clusters/platforms/kubernetes.rb 
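Review bot: With `|| !cluster.managed?` on the `elsif`, an unmanaged group cluster now passes `token`, the credential stored on the platform record itself, to jobs as `KUBE_TOKEN`, presumably for every project in the group rather than a single project. That matches the commit description, but neither the comment in this branch nor the documentation added earlier in the series says that the token's privileges in the cluster become the privileges of those jobs. I would state it in the branch comment, `# Unmanaged clusters pass the cluster-level token to CI jobs; it should be scoped to what those jobs need`, and add a matching note to the GitLab-managed clusters docs. `predefined_variables` starts and ends outside the hunk.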
@@ -89,10 +89,11 @@ def predefined_variables(project:) if kubernetes_namespace = cluster.kubernetes_namespaces.has_service_account_token.find_by(project: project) variables.concat(kubernetes_namespace.predefined_variables) elsif cluster.project_type? || !cluster.managed? - # From 11.5, every Clusters::Project should have at least one - # Clusters::KubernetesNamespace, so once migration has been completed, - # this 'else' branch will be removed. For more information, please see - # https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/22433 + # As of 11.11 a user can create a cluster that they manage themselves, + # which replicates the existing project-level cluster behaviour. + # Once we have marked all project-level clusters that make use of this + # behaviour as "unmanaged", we can remove the `cluster.project_type?` + # check here. variables .append(key: 'KUBE_URL', value: api_url) .append(key: 'KUBE_TOKEN', value: token, public: false, masked: true) -- GitLab From cc457bcb0d3601e12a8402b7221f69f267f23e9f Mon Sep 17 00:00:00 2001 From: Tiger Date: Fri, 3 May 2019 09:39:42 +1000 Subject: [PATCH 10/10] Update gitlab.pot --- locale/gitlab.pot | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/locale/gitlab.pot b/locale/gitlab.pot index dda12b65e1a..96d18fca643 100644 --- a/locale/gitlab.pot +++ b/locale/gitlab.pot @@ -2014,10 +2014,10 @@ msgstr "" msgid "ClusterIntegration|Advanced options on this Kubernetes cluster's integration" msgstr "" -msgid "ClusterIntegration|Allow GitLab to manage namespace and service accounts for this cluster." +msgid "ClusterIntegration|All data will be deleted and cannot be restored." msgstr "" -msgid "ClusterIntegration|All data will be deleted and cannot be restored." +msgid "ClusterIntegration|Allow GitLab to manage namespace and service accounts for this cluster." msgstr "" msgid "ClusterIntegration|Alternatively" -- GitLab