authorThong Kuah <tkuah@gitlab.com>2018-09-28 17:20:24 +1200
committerThong Kuah <tkuah@gitlab.com>2018-09-28 17:20:24 +1200
commit21148f85764102aab40b448724808a74db12e253 (patch)
tree75cdf25203017f834349fe6f42eb92c81dd13c77
parent7ff63d49c44e80e244e766297a8de765dd91a074 (diff)
WIP : Create gitlab-deploy service account for a namespace51716-automatically-create-service-account-to-project-namespace-tk
It feels like we should materialize the namespace, maybe on the cluster_projects table, so that we can keep track of which namespaces we have created.
-rw-r--r--app/services/clusters/kubernetes/create_project_namespace_service_account_service.rb48
1 files changed, 48 insertions, 0 deletions
diff --git a/app/services/clusters/kubernetes/create_project_namespace_service_account_service.rb b/app/services/clusters/kubernetes/create_project_namespace_service_account_service.rb
new file mode 100644
index 00000000000..6cb2cfee04b
--- /dev/null
+++ b/app/services/clusters/kubernetes/create_project_namespace_service_account_service.rb
@@ -0,0 +1,48 @@
+# frozen_string_literal: true
+
+module Clusters
+ module Kubernetes
+ class CreateProjectNamespaceServiceAccountService
+ attr_reader :kubeclient, :namespace, :rbac
+
+ def initialize(kubeclient, namespace, rbac: true)
+ @kubeclient = kubeclient
+ @namespace = namespace
+ @rbac = rbac
+ end
+
+ def execute
+ kubeclient.create_service_account(service_account_resource)
+ kubeclient.create_secret(service_account_token_resource)
+ kubeclient.create_role_binding(role_binding_resource) if rbac?
+ end
+
+ private
+
+ def service_account_name
+ 'gitlab-deploy'
+ end
+
+ def cluster_role_name
+ 'edit'
+ end
+
+ def service_account_resource
+ Gitlab::Kubernetes::ServiceAccount.new(service_account_name, namespace).generate
+ end
+
+ def service_account_token_resource
+ Gitlab::Kubernetes::ServiceAccountToken.new(
+ service_account_token_name, service_account_name, namespace).generate
+ end
+
+ def role_binding_resource
+ Gitlab::Kubernetes::RoleBinding.new(
+ role_name: cluster_role_name,
+ namespace: namespace,
+ service_account_name: service_account_name
+ ).generate
+ end
+ end
+ end
+end
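Review bot: `execute` calls `rbac?` and `service_account_token_resource` calls `service_account_token_name`, but the new file defines neither (only `attr_reader :rbac`), so as shown the service would raise on first use. Adding `alias_method :rbac?, :rbac` and a private `service_account_token_name` (for example returning `"#{service_account_name}-token"`, if that matches the naming used elsewhere) would close that. The three `create_*` calls in `execute` also have no error handling: a failure after the first call leaves a service account, and possibly a token secret, with no role binding, and a re-run would presumably conflict on the objects that already exist. Since `cluster_role_name` returns the built-in `edit` role, which grants read/write on most namespaced objects including Secrets, a comment such as `# bound per-namespace via RoleBinding; 'edit' can read Secrets in this namespace` would make the granted scope explicit for later reviewers.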