Commit 15af0a45 authored by Dmytro Zaporozhets's avatar Dmytro Zaporozhets

Merge branch '55447-validate-k8s-ca-cert' into 'master'

Validate k8s CA certificate at cluster creation

See merge request gitlab-org/gitlab-ce!24990
parents 8886924c 73e5d3a2
......@@ -43,6 +43,7 @@ module Clusters
# We expect to be `active?` only when enabled and cluster is created (the api_url is assigned)
validates :api_url, url: true, presence: true
validates :token, presence: true
validates :ca_cert, certificate: true, allow_blank: true, if: :ca_cert_changed?
validate :prevent_modification, on: :update
......
---
title: Validate kubernetes cluster CA certificate
merge_request: 24990
author:
type: changed
......@@ -30,4 +30,4 @@ TkIdFE47ZisEDhIdF6wC1izEMLeMEsPAO7/Y6MY4nRxsinSe95lRaw+yQpzx+mvJ
Q7n1kiHI9Pd5M3+CiQda0d/GO1o5ORJnUGJRvr9HKuNmE7Lif0As/N0AlywjzE7A
6Z8AEiWyRV1ffshu1k2UKmzvZuZeGGKRtrIjbJIRAtpRVtVZZGzhq5/sojCLoJ+u
texqFBUo/4mFRZa4pDItUdyOlDy2/LO/ag==
-----END CERTIFICATE-----
-----END CERTIFICATE-----
\ No newline at end of file
......@@ -97,7 +97,7 @@ RSpec.describe Clusters::KubernetesNamespace, type: :model do
let(:platform) { create(:cluster_platform_kubernetes, api_url: api_url, ca_cert: ca_pem, token: token) }
let(:api_url) { 'https://kube.domain.com' }
let(:ca_pem) { 'CA PEM DATA' }
let(:ca_pem) { File.read(Rails.root.join('spec/fixtures/clusters/sample_cert.pem')) }
let(:token) { 'token' }
let(:kubeconfig) do
......
......@@ -114,6 +114,36 @@ describe Clusters::Platforms::Kubernetes, :use_clean_rails_memory_store_caching
end
end
context 'ca_cert' do
let(:kubernetes) { build(:cluster_platform_kubernetes, ca_pem: ca_pem) }
context 'with a valid certificate' do
let(:ca_pem) { File.read(Rails.root.join('spec/fixtures/clusters/sample_cert.pem')) }
it { is_expected.to be_truthy }
end
context 'with an invalid certificate' do
let(:ca_pem) { "invalid" }
it { is_expected.to be_falsey }
context 'but the certificate is not being updated' do
before do
allow(kubernetes).to receive(:ca_cert_changed?).and_return(false)
end
it { is_expected.to be_truthy }
end
end
context 'with no certificate' do
let(:ca_pem) { "" }
it { is_expected.to be_truthy }
end
end
describe 'when using reserved namespaces' do
subject { build(:cluster_platform_kubernetes, namespace: namespace) }
......@@ -202,7 +232,7 @@ describe Clusters::Platforms::Kubernetes, :use_clean_rails_memory_store_caching
let!(:cluster) { create(:cluster, :project, platform_kubernetes: kubernetes) }
let(:kubernetes) { create(:cluster_platform_kubernetes, api_url: api_url, ca_cert: ca_pem) }
let(:api_url) { 'https://kube.domain.com' }
let(:ca_pem) { 'CA PEM DATA' }
let(:ca_pem) { File.read(Rails.root.join('spec/fixtures/clusters/sample_cert.pem')) }
subject { kubernetes.predefined_variables(project: cluster.project) }
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment