Fix deployment jobs using nil token53879-kube-token-nil

Unfortunately, it seems that the migration to
clusters_kubernetes_namespace still needs to create the new restricted
service accounts and then fetch the tokens. Until that is done, we
cannot use it and have to fall back to the main token from
clusters_platform_kubernetes.

6 files changed, 26 insertions, 3 deletions

diff --git a/app/models/clusters/kubernetes_namespace.rb b/app/models/clusters/kubernetes_namespace.rb
index ac7f9193b87..cbd52bfb48b 100644
--- a/app/models/clusters/kubernetes_namespace.rb
+++ b/app/models/clusters/kubernetes_namespace.rb
@@ -22,6 +22,8 @@ module Clusters
         key: Settings.attr_encrypted_db_key_base_truncated,
         algorithm: 'aes-256-cbc'
 
+    scope :has_service_account_token, -> { where.not(encrypted_service_account_token: nil) }
+
     def token_name
       "#{namespace}-token"
     end
diff --git a/app/models/clusters/platforms/kubernetes.rb b/app/models/clusters/platforms/kubernetes.rb
index ea02ae6c9d8..9860abeecf7 100644
--- a/app/models/clusters/platforms/kubernetes.rb
+++ b/app/models/clusters/platforms/kubernetes.rb
@@ -83,7 +83,7 @@ module Clusters
               .append(key: 'KUBE_CA_PEM_FILE', value: ca_pem, file: true)
           end
 
-          if kubernetes_namespace = cluster.kubernetes_namespaces.find_by(project: project)
+          if kubernetes_namespace = cluster.kubernetes_namespaces.has_service_account_token.find_by(project: project)
             variables.concat(kubernetes_namespace.predefined_variables)
           else
             # From 11.5, every Clusters::Project should have at least one
diff --git a/changelogs/unreleased/53879-kube-token-nil.yml b/changelogs/unreleased/53879-kube-token-nil.yml
new file mode 100644
index 00000000000..61a0db15d84
--- /dev/null
+++ b/changelogs/unreleased/53879-kube-token-nil.yml
@@ -0,0 +1,5 @@
+---
+title: Fix deployment jobs using nil KUBE_TOKEN due to migration issue
+merge_request: 23009
+author:
+type: fixed
diff --git a/spec/factories/clusters/kubernetes_namespaces.rb b/spec/factories/clusters/kubernetes_namespaces.rb
index 3f10f0ecc74..3a4f5193550 100644
--- a/spec/factories/clusters/kubernetes_namespaces.rb
+++ b/spec/factories/clusters/kubernetes_namespaces.rb
@@ -13,7 +13,7 @@ FactoryBot.define do
     end
 
     trait :with_token do
-      service_account_token { Faker::Lorem.characters(10) }
+      service_account_token { FFaker::Lorem.characters(10) }
     end
   end
 end
diff --git a/spec/models/clusters/kubernetes_namespace_spec.rb b/spec/models/clusters/kubernetes_namespace_spec.rb
index 0dfeea5cd2f..c068c4d7739 100644
--- a/spec/models/clusters/kubernetes_namespace_spec.rb
+++ b/spec/models/clusters/kubernetes_namespace_spec.rb
@@ -8,6 +8,22 @@ RSpec.describe Clusters::KubernetesNamespace, type: :model do
   it { is_expected.to belong_to(:cluster) }
   it { is_expected.to have_one(:platform_kubernetes) }
 
+  describe 'has_service_account_token' do
+    subject { described_class.has_service_account_token }
+
+    context 'namespace has service_account_token' do
+      let!(:namespace) { create(:cluster_kubernetes_namespace, :with_token) }
+
+      it { is_expected.to include(namespace) }
+    end
+
+    context 'namespace has no service_account_token' do
+      let!(:namespace) { create(:cluster_kubernetes_namespace) }
+
+      it { is_expected.not_to include(namespace) }
+    end
+  end
+
   describe 'namespace uniqueness validation' do
     let(:cluster_project) { create(:cluster_project) }
     let(:kubernetes_namespace) { build(:cluster_kubernetes_namespace, namespace: 'my-namespace') }
diff --git a/spec/models/project_spec.rb b/spec/models/project_spec.rb
index 471f19f9b7c..74aa3315332 100644
--- a/spec/models/project_spec.rb
+++ b/spec/models/project_spec.rb
@@ -2414,7 +2414,7 @@ describe Project do
       end
 
       context 'when user configured kubernetes from CI/CD > Clusters and KubernetesNamespace migration has been executed' do
-        let!(:kubernetes_namespace) { create(:cluster_kubernetes_namespace) }
+        let!(:kubernetes_namespace) { create(:cluster_kubernetes_namespace, :with_token) }
         let!(:cluster) { kubernetes_namespace.cluster }
         let(:project) { kubernetes_namespace.project }