author Mayra Cabrera <mcabrera@gitlab.com> 2018-09-21 17:23:33 -0500
committer Mayra Cabrera <mcabrera@gitlab.com> 2018-09-26 21:47:29 -0300
commit e5a512628b7889fad30242751f982251dffdc463
tree 7561cd92417c54e38628d67ca4ef7f0b2eefa0d5 /app/services/clusters/gcp/kubernetes/fetch_kubernetes_token_service.rb
parent e255b88e51b956d92afb5e9b90a2749a60e63459
Limit GCP Kubernetes service to project namespace [51716-automatically-create-service-account-to-project-namespace]

This is needed to support RBAC on AutoDevOps, basically we:

- Create a service account under project's namespace and assign it a different token
- If RBAC is enabled we create a RoleBinding for this new service account with edit access
- Service account name is exposed through environment variables on Platform::Kubernetes
- KUBE_TOKEN and KUBECONFIG are replaced with new credentials

Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/51716
Diffstat (limited to 'app/services/clusters/gcp/kubernetes/fetch_kubernetes_token_service.rb')
-rw-r--r-- app/services/clusters/gcp/kubernetes/fetch_kubernetes_token_service.rb 11
1 files changed, 8 insertions, 3 deletions
diff --git a/app/services/clusters/gcp/kubernetes/fetch_kubernetes_token_service.rb b/app/services/clusters/gcp/kubernetes/fetch_kubernetes_token_service.rb
index 9e09345c8dc..89209ed8bfa 100644
--- a/app/services/clusters/gcp/kubernetes/fetch_kubernetes_token_service.rb
+++ b/app/services/clusters/gcp/kubernetes/fetch_kubernetes_token_service.rb
@@ -4,10 +4,11 @@ module Clusters
module Gcp
module Kubernetes
class FetchKubernetesTokenService
- attr_reader :kubeclient
+ attr_reader :kubeclient, :namespace
- def initialize(kubeclient)
+ def initialize(kubeclient, namespace)
@kubeclient = kubeclient
+ @namespace = namespace
end
def execute
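Review bot: `initialize(kubeclient, namespace)` stores `namespace` without any check, and that value now decides which namespace the token secret is read from. A nil or blank namespace would only surface later as an HTTP error from `get_secret`, or as a silent nil on a 404. Consider raising an ArgumentError in the constructor when `namespace` is blank. Also, because the new parameter is a required positional argument, every existing caller of `FetchKubernetesTokenService.new(kubeclient)` has to be updated in the same change; this diffstat is limited to one file, so that cannot be confirmed from here.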
@@ -18,12 +19,16 @@ module Clusters
private
def get_secret
- kubeclient.get_secret(SERVICE_ACCOUNT_TOKEN_NAME, SERVICE_ACCOUNT_NAMESPACE).as_json
+ kubeclient.get_secret(service_account_token_name, namespace).as_json
rescue Kubeclient::HttpError => err
raise err unless err.error_code == 404
nil
end
+
+ def service_account_token_name
+ SERVICE_ACCOUNT_TOKEN_NAME
+ end
end
end
end
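Review bot: the new private method `service_account_token_name` only returns the constant `SERVICE_ACCOUNT_TOKEN_NAME`, so `get_secret` still looks up the same secret name in every namespace and the indirection changes nothing by itself. If the per-project service account described in the commit message is meant to have its own token secret name, derive it here from `namespace`; if the method is intended as an override hook, add a comment saying so, otherwise keep the constant inline. Two smaller points on the same hunk: `SERVICE_ACCOUNT_NAMESPACE` is no longer referenced by `get_secret` and should be removed if nothing else uses it, and the `rescue` path still returns nil on a 404, which becomes more likely when the secret for a freshly created service account does not exist yet, so the nil return deserves a line of documentation for callers.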