author | Thong Kuah <tkuah@gitlab.com> | 2018-09-07 23:48:06 +1200 |
---|---|---|
committer | Thong Kuah <tkuah@gitlab.com> | 2018-09-14 16:26:51 +1200 |
commit | a02e35308b97d43964ebcf7fda040da418c04ddc (patch) | |
tree | 5e7738b00b41248720298edf48e73b4c2aa9579c /app | |
parent | 8c8ccd3167ddb63485aa9e71affc737832d3846a (diff) | |
download | gitlab-ce-a02e35308b97d43964ebcf7fda040da418c04ddc.tar.gz |
Always create `gitlab` service account and service account token regardless of ABAC/RBAC
This also solves the async nature of the automatic creation of default
service tokens for service accounts. It also makes explicit which
service account token we always use.
Create the cluster role binding only if the provider has legacy_abac
disabled.
Diffstat (limited to 'app')
4 files changed, 31 insertions, 32 deletions
diff --git a/app/services/clusters/gcp/finalize_creation_service.rb b/app/services/clusters/gcp/finalize_creation_service.rb
index 8170e732d48..3ae0a4a19d0 100644
--- a/app/services/clusters/gcp/finalize_creation_service.rb
+++ b/app/services/clusters/gcp/finalize_creation_service.rb
@@ -8,9 +8,8 @@ module Clusters
def execute(provider)
@provider = provider
- create_gitlab_service_account!
-
configure_provider
+ create_gitlab_service_account!
configure_kubernetes
cluster.save!
@@ -25,9 +24,7 @@ module Clusters
private
def create_gitlab_service_account!
- if create_rbac_cluster?
- Clusters::Gcp::Kubernetes::CreateServiceAccountService.new(kube_client).execute
- end
+ Clusters::Gcp::Kubernetes::CreateServiceAccountService.new(kube_client, rbac: create_rbac_cluster?).execute
end
def configure_provider
@@ -47,9 +44,7 @@ module Clusters
end
def request_kubernetes_token
- service_account_name = create_rbac_cluster? ? Clusters::Gcp::Kubernetes::SERVICE_ACCOUNT_NAME : 'default'
-
- Clusters::Gcp::Kubernetes::FetchKubernetesTokenService.new(kube_client, service_account_name).execute
+ Clusters::Gcp::Kubernetes::FetchKubernetesTokenService.new(kube_client).execute
end
def authorization_type
diff --git a/app/services/clusters/gcp/kubernetes.rb b/app/services/clusters/gcp/kubernetes.rb
index 74ef68eb58f..21a09891ac4 100644
--- a/app/services/clusters/gcp/kubernetes.rb
+++ b/app/services/clusters/gcp/kubernetes.rb
@@ -4,6 +4,7 @@ module Clusters
module Gcp
module Kubernetes
SERVICE_ACCOUNT_NAME = 'gitlab'
+ SERVICE_ACCOUNT_TOKEN_NAME = 'gitlab-token'
CLUSTER_ROLE_BINDING_NAME = 'gitlab-admin'
CLUSTER_ROLE_NAME = 'cluster-admin'
end
diff --git a/app/services/clusters/gcp/kubernetes/create_service_account_service.rb b/app/services/clusters/gcp/kubernetes/create_service_account_service.rb
index 8d87bd7b5c8..4c43b94d911 100644
--- a/app/services/clusters/gcp/kubernetes/create_service_account_service.rb
+++ b/app/services/clusters/gcp/kubernetes/create_service_account_service.rb
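Review bot: In the `execute` hunk, `configure_kubernetes` runs immediately after `create_gitlab_service_account!`, and the `gitlab-token` Secret that `request_kubernetes_token` reads back is created only at that point; as far as I know Kubernetes fills `data.token` on a `kubernetes.io/service-account-token` Secret asynchronously via the token controller, so the fetch that follows can find the Secret with no token yet, in which case `FetchKubernetesTokenService#execute` returns nil. The description says the change solves the async nature of token creation, but what the hunk shows is a deterministic name, not a guarantee that the token is present. I would make `request_kubernetes_token` fail loudly rather than hand a nil downstream, e.g. `token = Clusters::Gcp::Kubernetes::FetchKubernetesTokenService.new(kube_client).execute` followed by `raise 'service account token not yet populated' unless token`, or retry the fetch until the token appears. `configure_kubernetes` and `kube_client` are outside the hunk, so whether a nil token is already rejected there cannot be confirmed from this diff.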
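Review bot: `SERVICE_ACCOUNT_TOKEN_NAME` is now the contract between two services, the one that creates the Secret and the one that reads it back, but the constant carries no comment saying so, and nothing marks that the token is fetched by exact Secret name rather than by the `<account>-token-<hash>` names Kubernetes generates on its own. I would document that above the new line: `# Exact name of the Secret holding the gitlab service account's token; CreateServiceAccountService creates it and FetchKubernetesTokenService reads it back by this name, so the two must stay in sync.`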
@@ -4,25 +4,32 @@ module Clusters
module Gcp
module Kubernetes
class CreateServiceAccountService
- attr_reader :kubeclient
+ attr_reader :kubeclient, :rbac
- def initialize(kubeclient)
+ def initialize(kubeclient, rbac:)
@kubeclient = kubeclient
+ @rbac = rbac
end
def execute
kubeclient.create_service_account(service_account_resource)
- kubeclient.create_cluster_role_binding(cluster_role_binding_resource)
+ kubeclient.create_secret(service_account_token_resource)
+ kubeclient.create_cluster_role_binding(cluster_role_binding_resource) if rbac
end
private
def service_account_resource
- Gitlab::Kubernetes::ServiceAccount.new(SERVICE_ACCOUNT_NAME, 'default').generate
+ Gitlab::Kubernetes::ServiceAccount.new(service_account_name, namespace).generate
+ end
+
+ def service_account_token_resource
+ Gitlab::Kubernetes::ServiceAccountToken.new(
+ SERVICE_ACCOUNT_TOKEN_NAME, service_account_name, namespace).generate
end
def cluster_role_binding_resource
- subjects = [{ kind: 'ServiceAccount', name: SERVICE_ACCOUNT_NAME, namespace: 'default' }]
+ subjects = [{ kind: 'ServiceAccount', name: service_account_name, namespace: namespace }]
Gitlab::Kubernetes::ClusterRoleBinding.new(
CLUSTER_ROLE_BINDING_NAME,
@@ -30,6 +37,14 @@ module Clusters
subjects
).generate
end
+
+ def service_account_name
+ SERVICE_ACCOUNT_NAME
+ end
+
+ def namespace
+ 'default'
+ end
end
end
end
diff --git a/app/services/clusters/gcp/kubernetes/fetch_kubernetes_token_service.rb b/app/services/clusters/gcp/kubernetes/fetch_kubernetes_token_service.rb
index c16ce451aaf..877dc1de89b 100644
--- a/app/services/clusters/gcp/kubernetes/fetch_kubernetes_token_service.rb
+++ b/app/services/clusters/gcp/kubernetes/fetch_kubernetes_token_service.rb
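Review bot: `execute` now issues up to three unconditional create calls with fixed names (`create_service_account`, `create_secret`, and `create_cluster_role_binding` when `rbac`) and rescues nothing, so running it a second time against the same cluster — for instance if the finalize step is retried after a partial failure — raises `Kubeclient::HttpError` with a 409 Conflict on the first object that already exists, and whatever follows it is never created. Since the commit makes this step run for every cluster, the gap matters more than before; the sibling `FetchKubernetesTokenService` already tolerates a 404 from the same client, and the same shape would fit here, e.g. wrapping each create in `rescue Kubeclient::HttpError => err` with `raise unless err.error_code == 409`, or checking for the object before creating it. Whether any caller re-runs this service is not visible in the diff, so treat that as the assumption behind the suggestion.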
@@ -4,37 +4,25 @@ module Clusters
module Gcp
module Kubernetes
class FetchKubernetesTokenService
- attr_reader :kubeclient, :service_account_name
+ attr_reader :kubeclient
- def initialize(kubeclient, service_account_name)
+ def initialize(kubeclient)
@kubeclient = kubeclient
- @service_account_name = service_account_name
end
def execute
- read_secrets.each do |secret|
- name = secret.dig('metadata', 'name')
- if token_regex =~ name
- token_base64 = secret.dig('data', 'token')
- return Base64.decode64(token_base64) if token_base64
- end
- end
-
- nil
+ token_base64 = get_secret&.dig('data', 'token')
+ Base64.decode64(token_base64) if token_base64
end
private
- def token_regex
- /#{service_account_name}-token/
- end
-
- def read_secrets
- kubeclient.get_secrets.as_json
+ def get_secret
+ kubeclient.get_secret(SERVICE_ACCOUNT_TOKEN_NAME).as_json
rescue Kubeclient::HttpError => err
raise err unless err.error_code == 404
- []
+ nil
end
end
end |
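Review bot: `get_secret` looks up `SERVICE_ACCOUNT_TOKEN_NAME` without a namespace, whereas `CreateServiceAccountService` creates that Secret explicitly in `'default'`; the two only line up if the client's default namespace happens to be `default`, so pass it explicitly — if kubeclient's getters accept `(name, namespace)`, `kubeclient.get_secret(SERVICE_ACCOUNT_TOKEN_NAME, 'default')` — or share the namespace value between the two services. `execute` then trusts any Secret that carries that name: nothing checks that its `type` is `kubernetes.io/service-account-token` or that its `kubernetes.io/service-account.name` annotation points at the `gitlab` account, so a pre-existing Secret with the same name in that namespace would be read back as the cluster credential. I would also use `Base64.strict_decode64` so a malformed `data.token` raises instead of being silently mangled, and the bare `raise` is enough inside the rescue instead of `raise err`. The last closing `end` of the file appears to have been cut off by the page layout, so the class boundary is not fully visible here.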