summaryrefslogtreecommitdiff
path: root/app/models/clusters/cluster.rb
diff options
context:
space:
mode:
authorTiger <twatson@gitlab.com>2019-06-14 10:18:50 +1000
committerTiger <twatson@gitlab.com>2019-06-17 21:21:13 +1000
commitddd271b6027b13bca02416ec3dda17d3ec7fd5be (patch)
tree4cd5f7e7347d8e94ec4720291083e229af6ec1a5 /app/models/clusters/cluster.rb
parentb05de5a583e35931967dcc70d2f26f568c9cf0db (diff)
downloadgitlab-ce-ddd271b6027b13bca02416ec3dda17d3ec7fd5be.tar.gz
Don't use Kubernetes namespaces with no token63079-exclude-k8s-namespaces-with-no-service-account-token
Whenever we are selecting a namespace to use for a deployment or to query a cluster we want to exclude Kubernetes namespace records that don't have a token set as they will not have the required permissions. However when configuring clusters, we want to use the original namespace record even if it has no token, as a namespace has to be unique on a cluster.
Diffstat (limited to 'app/models/clusters/cluster.rb')
-rw-r--r--app/models/clusters/cluster.rb25
1 files changed, 22 insertions, 3 deletions
diff --git a/app/models/clusters/cluster.rb b/app/models/clusters/cluster.rb
index ccc877fb924..0206ce81c5f 100644
--- a/app/models/clusters/cluster.rb
+++ b/app/models/clusters/cluster.rb
@@ -193,15 +193,34 @@ module Clusters
platform_kubernetes.kubeclient if kubernetes?
end
+ ##
+ # This is subtly different to #find_or_initialize_kubernetes_namespace_for_project
+ # below because it will ignore any namespaces that have not got a service account
+ # token. This provides a guarantee that any namespace selected here can be used
+ # for cluster operations - a namespace needs to have a service account configured
+ # before it it can be used.
+ #
+ # This is used for selecting a namespace to use when querying a cluster, or
+ # generating variables to pass to CI.
def kubernetes_namespace_for(project)
- find_or_initialize_kubernetes_namespace_for_project(project).namespace
+ find_or_initialize_kubernetes_namespace_for_project(
+ project, scope: kubernetes_namespaces.has_service_account_token
+ ).namespace
end
- def find_or_initialize_kubernetes_namespace_for_project(project)
+ ##
+ # This is subtly different to #kubernetes_namespace_for because it will include
+ # namespaces that have yet to receive a service account token. This allows
+ # the namespace configuration process to be repeatable - if a namespace has
+ # already been created without a token we don't need to create another
+ # record entirely, just set the token on the pre-existing namespace.
+ #
+ # This is used for configuring cluster namespaces.
+ def find_or_initialize_kubernetes_namespace_for_project(project, scope: kubernetes_namespaces)
attributes = { project: project }
attributes[:cluster_project] = cluster_project if project_type?
- kubernetes_namespaces.find_or_initialize_by(attributes).tap do |namespace|
+ scope.find_or_initialize_by(attributes).tap do |namespace|
namespace.set_defaults
end
end