Enable Kubernetes RBAC for GitLab Managed Apps for existing clusters

author: Thong Kuah <tkuah@gitlab.com> 2018-09-06 10:03:38 +0000
committer: Kamil Trzciński <ayufan@ayufan.eu> 2018-09-06 10:03:38 +0000
commit: 6f2ad2b6041b8a007df7eb8c4f477c24cc153ac3 (patch)
tree: 7b190f17b6da295cf3599174f48c0fbc060ddbb1 /spec/models
parent: a2ea32dd44cc4a104e404325c73a77151913a946 (diff)
download: gitlab-ce-6f2ad2b6041b8a007df7eb8c4f477c24cc153ac3.tar.gz
7 files changed, 86 insertions, 18 deletions
diff --git a/spec/models/clusters/applications/helm_spec.rb b/spec/models/clusters/applications/helm_spec.rb
index e5b2bdc8a4e..2c37cd20ecc 100644
--- a/spec/models/clusters/applications/helm_spec.rb
+++ b/spec/models/clusters/applications/helm_spec.rb
@@ -47,5 +47,19 @@ describe Clusters::Applications::Helm do
       cert = OpenSSL::X509::Certificate.new(subject.files[:'cert.pem'])
       expect(cert.not_after).to be > 999.years.from_now
     end
+
+    describe 'rbac' do
+      context 'non rbac cluster' do
+        it { expect(subject).not_to be_rbac }
+      end
+
+      context 'rbac cluster' do
+        before do
+          helm.cluster.platform_kubernetes.rbac!
+        end
+
+        it { expect(subject).to be_rbac }
+      end
+    end
   end
 end
diff --git a/spec/models/clusters/applications/ingress_spec.rb b/spec/models/clusters/applications/ingress_spec.rb
index 21f75ced8c3..c55953c8d22 100644
--- a/spec/models/clusters/applications/ingress_spec.rb
+++ b/spec/models/clusters/applications/ingress_spec.rb
@@ -88,9 +88,18 @@ describe Clusters::Applications::Ingress do
       expect(subject.name).to eq('ingress')
       expect(subject.chart).to eq('stable/nginx-ingress')
       expect(subject.version).to eq('0.23.0')
+      expect(subject).not_to be_rbac
       expect(subject.files).to eq(ingress.files)
     end
 
+    context 'on a rbac enabled cluster' do
+      before do
+        ingress.cluster.platform_kubernetes.rbac!
+      end
+
+      it { is_expected.to be_rbac }
+    end
+
     context 'application failed to install previously' do
       let(:ingress) { create(:clusters_applications_ingress, :errored, version: 'nginx') }
 
diff --git a/spec/models/clusters/applications/jupyter_spec.rb b/spec/models/clusters/applications/jupyter_spec.rb
index 027b732681b..591a01d78a9 100644
--- a/spec/models/clusters/applications/jupyter_spec.rb
+++ b/spec/models/clusters/applications/jupyter_spec.rb
@@ -51,10 +51,19 @@ describe Clusters::Applications::Jupyter do
       expect(subject.name).to eq('jupyter')
       expect(subject.chart).to eq('jupyter/jupyterhub')
       expect(subject.version).to eq('v0.6')
+      expect(subject).not_to be_rbac
       expect(subject.repository).to eq('https://jupyterhub.github.io/helm-chart/')
       expect(subject.files).to eq(jupyter.files)
     end
 
+    context 'on a rbac enabled cluster' do
+      before do
+        jupyter.cluster.platform_kubernetes.rbac!
+      end
+
+      it { is_expected.to be_rbac }
+    end
+
     context 'application failed to install previously' do
       let(:jupyter) { create(:clusters_applications_jupyter, :errored, version: '0.0.1') }
 
diff --git a/spec/models/clusters/applications/prometheus_spec.rb b/spec/models/clusters/applications/prometheus_spec.rb
index 26b75c75e1d..f34b4ece8db 100644
--- a/spec/models/clusters/applications/prometheus_spec.rb
+++ b/spec/models/clusters/applications/prometheus_spec.rb
@@ -1,6 +1,8 @@
 require 'rails_helper'
 
 describe Clusters::Applications::Prometheus do
+  include KubernetesHelpers
+
   include_examples 'cluster application core specs', :clusters_applications_prometheus
   include_examples 'cluster application status specs', :cluster_application_prometheus
 
@@ -107,26 +109,14 @@ describe Clusters::Applications::Prometheus do
     end
 
     context 'cluster has kubeclient' do
-      let(:kubernetes_url) { 'http://example.com' }
-      let(:k8s_discover_response) do
-        {
-          resources: [
-            {
-              name: 'service',
-              kind: 'Service'
-            }
-          ]
-        }
-      end
-
-      let(:kube_client) { Kubeclient::Client.new(kubernetes_url) }
+      let(:kubernetes_url) { subject.cluster.platform_kubernetes.api_url }
+      let(:kube_client) { subject.cluster.kubeclient.core_client }
 
-      let(:cluster) { create(:cluster) }
-      subject { create(:clusters_applications_prometheus, cluster: cluster) }
+      subject { create(:clusters_applications_prometheus) }
 
       before do
-        allow(kube_client.rest_client).to receive(:get).and_return(k8s_discover_response.to_json)
-        allow(subject.cluster).to receive(:kubeclient).and_return(kube_client)
+        subject.cluster.platform_kubernetes.namespace = 'a-namespace'
+        stub_kubeclient_discover(subject.cluster.platform_kubernetes.api_url)
       end
 
       it 'creates proxy prometheus rest client' do
@@ -134,7 +124,7 @@ describe Clusters::Applications::Prometheus do
       end
 
       it 'creates proper url' do
-        expect(subject.prometheus_client.url).to eq('http://example.com/api/v1/namespaces/gitlab-managed-apps/service/prometheus-prometheus-server:80/proxy')
+        expect(subject.prometheus_client.url).to eq("#{kubernetes_url}/api/v1/namespaces/gitlab-managed-apps/services/prometheus-prometheus-server:80/proxy")
       end
 
       it 'copies options and headers from kube client to proxy client' do
@@ -164,9 +154,18 @@ describe Clusters::Applications::Prometheus do
       expect(subject.name).to eq('prometheus')
       expect(subject.chart).to eq('stable/prometheus')
       expect(subject.version).to eq('6.7.3')
+      expect(subject).not_to be_rbac
       expect(subject.files).to eq(prometheus.files)
     end
 
+    context 'on a rbac enabled cluster' do
+      before do
+        prometheus.cluster.platform_kubernetes.rbac!
+      end
+
+      it { is_expected.to be_rbac }
+    end
+
     context 'application failed to install previously' do
       let(:prometheus) { create(:clusters_applications_prometheus, :errored, version: '2.0.0') }
 
diff --git a/spec/models/clusters/applications/runner_spec.rb b/spec/models/clusters/applications/runner_spec.rb
index d84f125e246..eda8d519f60 100644
--- a/spec/models/clusters/applications/runner_spec.rb
+++ b/spec/models/clusters/applications/runner_spec.rb
@@ -46,10 +46,19 @@ describe Clusters::Applications::Runner do
       expect(subject.name).to eq('runner')
       expect(subject.chart).to eq('runner/gitlab-runner')
       expect(subject.version).to eq('0.1.31')
+      expect(subject).not_to be_rbac
       expect(subject.repository).to eq('https://charts.gitlab.io')
       expect(subject.files).to eq(gitlab_runner.files)
     end
 
+    context 'on a rbac enabled cluster' do
+      before do
+        gitlab_runner.cluster.platform_kubernetes.rbac!
+      end
+
+      it { is_expected.to be_rbac }
+    end
+
     context 'application failed to install previously' do
       let(:gitlab_runner) { create(:clusters_applications_runner, :errored, runner: ci_runner, version: '0.1.13') }
 
diff --git a/spec/models/clusters/cluster_spec.rb b/spec/models/clusters/cluster_spec.rb
index 6f66515b45f..2727191eb9b 100644
--- a/spec/models/clusters/cluster_spec.rb
+++ b/spec/models/clusters/cluster_spec.rb
@@ -13,6 +13,10 @@ describe Clusters::Cluster do
   it { is_expected.to delegate_method(:status_reason).to(:provider) }
   it { is_expected.to delegate_method(:status_name).to(:provider) }
   it { is_expected.to delegate_method(:on_creation?).to(:provider) }
+  it { is_expected.to delegate_method(:active?).to(:platform_kubernetes).with_prefix }
+  it { is_expected.to delegate_method(:rbac?).to(:platform_kubernetes).with_prefix }
+  it { is_expected.to delegate_method(:installed?).to(:application_helm).with_prefix }
+  it { is_expected.to delegate_method(:installed?).to(:application_ingress).with_prefix }
   it { is_expected.to respond_to :project }
 
   describe '.enabled' do
diff --git a/spec/models/clusters/platforms/kubernetes_spec.rb b/spec/models/clusters/platforms/kubernetes_spec.rb
index ab7f89f9bf4..66198d5ee2b 100644
--- a/spec/models/clusters/platforms/kubernetes_spec.rb
+++ b/spec/models/clusters/platforms/kubernetes_spec.rb
@@ -92,6 +92,30 @@ describe Clusters::Platforms::Kubernetes, :use_clean_rails_memory_store_caching
     end
   end
 
+  describe '#kubeclient' do
+    subject { kubernetes.kubeclient }
+
+    let(:kubernetes) { build(:cluster_platform_kubernetes, :configured, namespace: 'a-namespace') }
+
+    it { is_expected.to be_an_instance_of(Gitlab::Kubernetes::KubeClient) }
+  end
+
+  describe '#rbac?' do
+    subject { kubernetes.rbac? }
+
+    let(:kubernetes) { build(:cluster_platform_kubernetes, :configured) }
+
+    context 'when authorization type is rbac' do
+      let(:kubernetes) { build(:cluster_platform_kubernetes, :rbac_enabled, :configured) }
+
+      it { is_expected.to be_truthy }
+    end
+
+    context 'when authorization type is nil' do
+      it { is_expected.to be_falsey }
+    end
+  end
+
   describe '#actual_namespace' do
     subject { kubernetes.actual_namespace }
author	Thong Kuah <tkuah@gitlab.com>	2018-09-06 10:03:38 +0000
committer	Kamil Trzciński <ayufan@ayufan.eu>	2018-09-06 10:03:38 +0000
commit	6f2ad2b6041b8a007df7eb8c4f477c24cc153ac3 (patch)
tree	7b190f17b6da295cf3599174f48c0fbc060ddbb1 /spec/models
parent	a2ea32dd44cc4a104e404325c73a77151913a946 (diff)
download	gitlab-ce-6f2ad2b6041b8a007df7eb8c4f477c24cc153ac3.tar.gz