| Field | Value | Date |
|---|---|---|
| author | Tiger <twatson@gitlab.com> | 2019-06-14 10:18:50 +1000 |
| committer | Tiger <twatson@gitlab.com> | 2019-06-17 21:21:13 +1000 |
| commit | ddd271b6027b13bca02416ec3dda17d3ec7fd5be | |
| tree | 4cd5f7e7347d8e94ec4720291083e229af6ec1a5 /app/models/clusters/cluster.rb | |
| parent | b05de5a583e35931967dcc70d2f26f568c9cf0db | |
Don't use Kubernetes namespaces with no token
63079-exclude-k8s-namespaces-with-no-service-account-token

Whenever we are selecting a namespace to use for a
deployment or to query a cluster we want to exclude
Kubernetes namespace records that don't have a token
set as they will not have the required permissions.
However when configuring clusters, we want to
use the original namespace record even if it has no
token, as a namespace has to be unique on a cluster.
Diffstat (limited to 'app/models/clusters/cluster.rb')
-rw-r--r-- | app/models/clusters/cluster.rb | 25 |
1 files changed, 22 insertions, 3 deletions
diff --git a/app/models/clusters/cluster.rb b/app/models/clusters/cluster.rb index ccc877fb924..0206ce81c5f 100644 --- a/app/models/clusters/cluster.rb +++ b/app/models/clusters/cluster.rb @@ -193,15 +193,34 @@ module Clusters platform_kubernetes.kubeclient if kubernetes? end + ## + # This is subtly different to #find_or_initialize_kubernetes_namespace_for_project + # below because it will ignore any namespaces that have not got a service account + # token. This provides a guarantee that any namespace selected here can be used + # for cluster operations - a namespace needs to have a service account configured + # before it it can be used. + # + # This is used for selecting a namespace to use when querying a cluster, or + # generating variables to pass to CI. def kubernetes_namespace_for(project) - find_or_initialize_kubernetes_namespace_for_project(project).namespace + find_or_initialize_kubernetes_namespace_for_project( + project, scope: kubernetes_namespaces.has_service_account_token + ).namespace end - def find_or_initialize_kubernetes_namespace_for_project(project) + ## + # This is subtly different to #kubernetes_namespace_for because it will include + # namespaces that have yet to receive a service account token. This allows + # the namespace configuration process to be repeatable - if a namespace has + # already been created without a token we don't need to create another + # record entirely, just set the token on the pre-existing namespace. + # + # This is used for configuring cluster namespaces. + def find_or_initialize_kubernetes_namespace_for_project(project, scope: kubernetes_namespaces) attributes = { project: project } attributes[:cluster_project] = cluster_project if project_type? - kubernetes_namespaces.find_or_initialize_by(attributes).tap do |namespace| + scope.find_or_initialize_by(attributes).tap do |namespace| namespace.set_defaults end end |
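
Review bot: In `kubernetes_namespace_for`, the new comment promises "a guarantee that any namespace selected here can be used for cluster operations", but the lookup still goes through `scope.find_or_initialize_by(attributes)`, so when no record in the `has_service_account_token` scope matches, the method returns the `namespace` of a freshly initialized, unsaved record that never passed the token filter. Either reword the comment to say only that persisted records without a token are skipped, or make this path distinguish "found a record with a token" from "fell back to a new record" (for example by returning nil or raising when nothing in the scope matches) so callers that query the cluster or build CI variables can tell the difference. Because `find_or_initialize_kubernetes_namespace_for_project` now has two behaviours selected by an optional `scope:` argument, a spec for each case (existing record with a token, existing record without one, no record) would pin down the "subtly different" contract the comments describe. Minor: the first comment has a doubled word in "before it it can be used".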