author | Mayra Cabrera <mcabrera@gitlab.com> | 2018-09-21 17:23:33 -0500 |
---|---|---|
committer | Mayra Cabrera <mcabrera@gitlab.com> | 2018-09-26 21:47:29 -0300 |
commit | e5a512628b7889fad30242751f982251dffdc463 (patch) | |
tree | 7561cd92417c54e38628d67ca4ef7f0b2eefa0d5 /spec/services/clusters/gcp/services_account_service_spec.rb | |
parent | e255b88e51b956d92afb5e9b90a2749a60e63459 (diff) | |
download | gitlab-ce-e5a512628b7889fad30242751f982251dffdc463.tar.gz |
Limit GCP Kubernetes service to project namespace51716-automatically-create-service-account-to-project-namespace
This is needed to support RBAC on AutoDevOps, basically we:
- Create a service account under the project's namespace and assign it a
  different token
- If RBAC is enabled we create a RoleBinding for this new service
account with edit access
- Service account name is exposed through environment variables on
Platform::Kubernetes
- KUBE_TOKEN and KUBECONFIG are replaced with new credentials
Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/51716
Diffstat (limited to 'spec/services/clusters/gcp/services_account_service_spec.rb')
-rw-r--r-- | spec/services/clusters/gcp/services_account_service_spec.rb | 73 |
1 files changed, 73 insertions, 0 deletions
diff --git a/spec/services/clusters/gcp/services_account_service_spec.rb b/spec/services/clusters/gcp/services_account_service_spec.rb
new file mode 100644
index 00000000000..f6f08eae666
--- /dev/null
+++ b/spec/services/clusters/gcp/services_account_service_spec.rb
@@ -0,0 +1,73 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe Clusters::Gcp::ServicesAccountService, '#execute' do
+ include GoogleApi::CloudPlatformHelpers
+ include KubernetesHelpers
+
+ let(:endpoint) { '111.111.111.111' }
+ let(:api_url) { 'https://' + endpoint }
+ let(:cluster) { create(:cluster, :project, :providing_by_gcp, platform_kubernetes: create(:cluster_platform_kubernetes)) }
+ let(:username) { 'sample-username' }
+ let(:password) { 'sample-password' }
+
+ let(:kubeclient) do
+ Gitlab::Kubernetes::KubeClient.new(
+ api_url,
+ ['api', 'apis/rbac.authorization.k8s.io'],
+ auth_options: { username: username, password: password }
+ )
+ end
+
+ subject { described_class.new(kubeclient, cluster).execute }
+
+ context 'With an ABAC cluster' do
+ before do
+ stub_kubeclient_discover(api_url)
+ stub_kubeclient_create_service_account(api_url)
+ stub_kubeclient_create_secret(api_url)
+ end
+
+ it 'creates default service account' do
+ subject
+
+ expect(WebMock).to have_requested(:post, api_url + "/api/v1/namespaces/default/serviceaccounts").with(
+ body: hash_including(
+ kind: 'ServiceAccount',
+ metadata: { name: 'gitlab', namespace: 'default' }
+ )
+ )
+ end
+ end
+
+ context 'With an RBAC cluster' do
+ let(:namespace) { "#{cluster.project.path}-#{cluster.project.id}" }
+
+ before do
+ cluster.platform_kubernetes.rbac!
+
+ stub_kubeclient_discover(api_url)
+ stub_kubeclient_create_service_account(api_url)
+ stub_kubeclient_create_secret(api_url)
+
+ stub_kubeclient_create_namespace(api_url)
+ stub_kubeclient_get_namespace(api_url, namespace: namespace)
+
+ stub_kubeclient_create_service_account(api_url, namespace: namespace)
+ stub_kubeclient_create_secret(api_url, namespace: namespace)
+ stub_kubeclient_create_role_binding(api_url, namespace: namespace)
+ end
+
+ it 'creates namespaced service account' do
+ subject
+
+ expect(WebMock).to have_requested(:post, api_url + "/api/v1/namespaces/#{namespace}/serviceaccounts").with(
+ body: hash_including(
+ kind: 'ServiceAccount',
+ metadata: { name: "gitlab-#{namespace}", namespace: namespace }
+ )
+ )
+ end
+ end
+end |
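Review bot: The RBAC example stubs `stub_kubeclient_create_role_binding(api_url, namespace: namespace)` but never asserts that a RoleBinding request was actually made, so the part of this change that bounds the new service account's privileges (the `edit` binding the commit message describes) is untested, and a regression that binds a broader role or creates a ClusterRoleBinding would still pass. Add an expectation next to the service-account one, e.g. `expect(WebMock).to have_requested(:post, api_url + "/apis/rbac.authorization.k8s.io/v1/namespaces/#{namespace}/rolebindings").with(body: hash_including(roleRef: hash_including(kind: 'ClusterRole', name: 'edit')))`; the `apis/rbac.authorization.k8s.io` prefix is grounded by the `kubeclient` setup here, but the exact API version and body keys come from the service implementation, which is not in this hunk, so adjust them to match. Conversely the ABAC example could assert `not_to have_requested` for any rolebindings path, and neither example checks the secret/token request that `stub_kubeclient_create_secret` prepares for, which is the credential that ends up replacing `KUBE_TOKEN` per the description.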