Use separate Kubernetes namespaces per environment

Kubernetes deployments on new clusters will now have
a separate namespace per project environment, instead
of sharing a single namespace for the project.

Behaviour of existing clusters is unchanged.

All new functionality is controlled by the
:kubernetes_namespace_per_environment feature flag,
which is safe to enable/disable at any time.

6 files changed, 48 insertions, 86 deletions

diff --git a/app/models/clusters/cluster.rb b/app/models/clusters/cluster.rb
index 8bb44b0ce40..97d39491b73 100644
--- a/app/models/clusters/cluster.rb
+++ b/app/models/clusters/cluster.rb
@@ -53,6 +53,7 @@ module Clusters
     validates :name, cluster_name: true
     validates :cluster_type, presence: true
     validates :domain, allow_blank: true, hostname: { allow_numeric_hostname: true }
+    validates :namespace_per_environment, inclusion: { in: [true, false] }
 
     validate :restrict_modification, on: :update
     validate :no_groups, unless: :group_type?
@@ -100,16 +101,6 @@ module Clusters
 
     scope :default_environment, -> { where(environment_scope: DEFAULT_ENVIRONMENT) }
 
-    scope :with_knative_installed, -> { joins(:application_knative).merge(Clusters::Applications::Knative.available) }
-
-    scope :preload_knative, -> {
-      preload(
-        :kubernetes_namespaces,
-        :platform_kubernetes,
-        :application_knative
-      )
-    }
-
     def self.ancestor_clusters_for_clusterable(clusterable, hierarchy_order: :asc)
       return [] if clusterable.is_a?(Instance)
 
@@ -177,36 +168,15 @@ module Clusters
       platform_kubernetes.kubeclient if kubernetes?
     end
 
-    ##
-    # This is subtly different to #find_or_initialize_kubernetes_namespace_for_project
-    # below because it will ignore any namespaces that have not got a service account
-    # token. This provides a guarantee that any namespace selected here can be used
-    # for cluster operations - a namespace needs to have a service account configured
-    # before it it can be used.
-    #
-    # This is used for selecting a namespace to use when querying a cluster, or
-    # generating variables to pass to CI.
-    def kubernetes_namespace_for(project)
-      find_or_initialize_kubernetes_namespace_for_project(
-        project, scope: kubernetes_namespaces.has_service_account_token
-      ).namespace
-    end
-
-    ##
-    # This is subtly different to #kubernetes_namespace_for because it will include
-    # namespaces that have yet to receive a service account token. This allows
-    # the namespace configuration process to be repeatable - if a namespace has
-    # already been created without a token we don't need to create another
-    # record entirely, just set the token on the pre-existing namespace.
-    #
-    # This is used for configuring cluster namespaces.
-    def find_or_initialize_kubernetes_namespace_for_project(project, scope: kubernetes_namespaces)
-      attributes = { project: project }
-      attributes[:cluster_project] = cluster_project if project_type?
+    def kubernetes_namespace_for(environment)
+      project = environment.project
+      persisted_namespace = Clusters::KubernetesNamespaceFinder.new(
+        self,
+        project: project,
+        environment_slug: environment.slug
+      ).execute
 
-      scope.find_or_initialize_by(attributes).tap do |namespace|
-        namespace.set_defaults
-      end
+      persisted_namespace&.namespace || Gitlab::Kubernetes::DefaultNamespace.new(self, project: project).from_environment_slug(environment.slug)
     end
 
     def allow_user_defined_namespace?
@@ -225,10 +195,6 @@ module Clusters
       end
     end
 
-    def knative_services_finder(project)
-      @knative_services_finder ||= KnativeServicesFinder.new(self, project)
-    end
-
     private
 
     def instance_domain
diff --git a/app/models/clusters/kubernetes_namespace.rb b/app/models/clusters/kubernetes_namespace.rb
index b0c4900546e..69a2b99fcb6 100644
--- a/app/models/clusters/kubernetes_namespace.rb
+++ b/app/models/clusters/kubernetes_namespace.rb
@@ -9,12 +9,12 @@ module Clusters
     belongs_to :cluster_project, class_name: 'Clusters::Project'
     belongs_to :cluster, class_name: 'Clusters::Cluster'
     belongs_to :project, class_name: '::Project'
+    belongs_to :environment, optional: true
     has_one :platform_kubernetes, through: :cluster
 
-    before_validation :set_defaults
-
     validates :namespace, presence: true
     validates :namespace, uniqueness: { scope: :cluster_id }
+    validates :environment_id, uniqueness: { scope: [:cluster_id, :project_id] }, allow_nil: true
 
     validates :service_account_name, presence: true
 
@@ -27,6 +27,7 @@ module Clusters
         algorithm: 'aes-256-cbc'
 
     scope :has_service_account_token, -> { where.not(encrypted_service_account_token: nil) }
+    scope :with_environment_slug, -> (slug) { joins(:environment).where(environments: { slug: slug }) }
 
     def token_name
       "#{namespace}-token"
@@ -42,34 +43,8 @@ module Clusters
       end
     end
 
-    def set_defaults
-      self.namespace ||= default_platform_kubernetes_namespace
-      self.namespace ||= default_project_namespace
-      self.service_account_name ||= default_service_account_name
-    end
-
     private
 
-    def default_service_account_name
-      return unless namespace
-
-      "#{namespace}-service-account"
-    end
-
-    def default_platform_kubernetes_namespace
-      platform_kubernetes&.namespace.presence
-    end
-
-    def default_project_namespace
-      Gitlab::NamespaceSanitizer.sanitize(project_slug) if project_slug
-    end
-
-    def project_slug
-      return unless project
-
-      "#{project.path}-#{project.id}".downcase
-    end
-
     def kubeconfig
       to_kubeconfig(
         url: api_url,
diff --git a/app/models/clusters/platforms/kubernetes.rb b/app/models/clusters/platforms/kubernetes.rb
index 9296c28776b..37614fbe3ca 100644
--- a/app/models/clusters/platforms/kubernetes.rb
+++ b/app/models/clusters/platforms/kubernetes.rb
@@ -51,11 +51,6 @@ module Clusters
       delegate :provided_by_user?, to: :cluster, allow_nil: true
       delegate :allow_user_defined_namespace?, to: :cluster, allow_nil: true
 
-      # This is just to maintain compatibility with KubernetesService, which
-      # will be removed in https://gitlab.com/gitlab-org/gitlab-ce/issues/39217.
-      # It can be removed once KubernetesService is gone.
-      delegate :kubernetes_namespace_for, to: :cluster, allow_nil: true
-
       alias_method :active?, :enabled?
 
       enum_with_nil authorization_type: {
@@ -66,7 +61,7 @@ module Clusters
 
       default_value_for :authorization_type, :rbac
 
-      def predefined_variables(project:)
+      def predefined_variables(project:, environment_name:)
         Gitlab::Ci::Variables::Collection.new.tap do |variables|
           variables.append(key: 'KUBE_URL', value: api_url)
 
@@ -77,15 +72,14 @@ module Clusters
           end
 
           if !cluster.managed?
-            project_namespace = namespace.presence || "#{project.path}-#{project.id}".downcase
+            namespace = Gitlab::Kubernetes::DefaultNamespace.new(cluster, project: project).from_environment_name(environment_name)
 
             variables
-              .append(key: 'KUBE_URL', value: api_url)
               .append(key: 'KUBE_TOKEN', value: token, public: false, masked: true)
-              .append(key: 'KUBE_NAMESPACE', value: project_namespace)
-              .append(key: 'KUBECONFIG', value: kubeconfig(project_namespace), public: false, file: true)
+              .append(key: 'KUBE_NAMESPACE', value: namespace)
+              .append(key: 'KUBECONFIG', value: kubeconfig(namespace), public: false, file: true)
 
-          elsif kubernetes_namespace = cluster.kubernetes_namespaces.has_service_account_token.find_by(project: project)
+          elsif kubernetes_namespace = find_persisted_namespace(project, environment_name: environment_name)
             variables.concat(kubernetes_namespace.predefined_variables)
           end
 
@@ -111,6 +105,22 @@ module Clusters
 
       private
 
+      ##
+      # Environment slug can be predicted given an environment
+      # name, so even if the environment isn't persisted yet we
+      # still know what to look for.
+      def environment_slug(name)
+        Gitlab::Slug::Environment.new(name).generate
+      end
+
+      def find_persisted_namespace(project, environment_name:)
+        Clusters::KubernetesNamespaceFinder.new(
+          cluster,
+          project: project,
+          environment_slug: environment_slug(environment_name)
+        ).execute
+      end
+
       def kubeconfig(namespace)
         to_kubeconfig(
           url: api_url,
diff --git a/app/models/environment.rb b/app/models/environment.rb
index 513427ac2c5..1b53c4b45f9 100644
--- a/app/models/environment.rb
+++ b/app/models/environment.rb
@@ -48,6 +48,7 @@ class Environment < ApplicationRecord
   end
   scope :in_review_folder, -> { where(environment_type: "review") }
   scope :for_name, -> (name) { where(name: name) }
+  scope :preload_cluster, -> { preload(last_deployment: :cluster) }
 
   ##
   # Search environments which have names like the given query.
@@ -170,7 +171,7 @@ class Environment < ApplicationRecord
 
   def deployment_namespace
     strong_memoize(:kubernetes_namespace) do
-      deployment_platform&.kubernetes_namespace_for(project)
+      deployment_platform.cluster.kubernetes_namespace_for(self) if deployment_platform
     end
   end
 
@@ -233,6 +234,12 @@ class Environment < ApplicationRecord
     end
   end
 
+  def knative_services_finder
+    if last_deployment&.cluster
+      Clusters::KnativeServicesFinder.new(last_deployment.cluster, self)
+    end
+  end
+
   private
 
   def generate_slug
diff --git a/app/models/project.rb b/app/models/project.rb
index 44b6e5a532c..960795b73cb 100644
--- a/app/models/project.rb
+++ b/app/models/project.rb
@@ -1855,8 +1855,12 @@ class Project < ApplicationRecord
     end
   end
 
-  def deployment_variables(environment: nil)
-    deployment_platform(environment: environment)&.predefined_variables(project: self) || []
+  def deployment_variables(environment:)
+    platform = deployment_platform(environment: environment)
+
+    return [] unless platform.present?
+
+    platform.predefined_variables(project: self, environment_name: environment)
   end
 
   def auto_devops_variables
diff --git a/app/models/project_services/mock_deployment_service.rb b/app/models/project_services/mock_deployment_service.rb
index 1103cb11e73..6f2b0f7747f 100644
--- a/app/models/project_services/mock_deployment_service.rb
+++ b/app/models/project_services/mock_deployment_service.rb
@@ -24,7 +24,7 @@ class MockDeploymentService < Service
     %w()
   end
 
-  def predefined_variables(project:)
+  def predefined_variables(project:, environment_name:)
     []
   end