Diffstat (limited to 'lib/gitlab/kubernetes/kube_client.rb')
-rw-r--r--lib/gitlab/kubernetes/kube_client.rb72
1 files changed, 42 insertions, 30 deletions
diff --git a/lib/gitlab/kubernetes/kube_client.rb b/lib/gitlab/kubernetes/kube_client.rb
index 7c5525b982c..2110d586d30 100644
--- a/lib/gitlab/kubernetes/kube_client.rb
+++ b/lib/gitlab/kubernetes/kube_client.rb
@@ -19,7 +19,9 @@ module Gitlab
apps: { group: 'apis/apps', version: 'v1' },
extensions: { group: 'apis/extensions', version: 'v1beta1' },
istio: { group: 'apis/networking.istio.io', version: 'v1alpha3' },
- knative: { group: 'apis/serving.knative.dev', version: 'v1alpha1' }
+ knative: { group: 'apis/serving.knative.dev', version: 'v1alpha1' },
+ metrics: { group: 'apis/metrics.k8s.io', version: 'v1beta1' },
+ networking: { group: 'apis/networking.k8s.io', version: 'v1' }
}.freeze
SUPPORTED_API_GROUPS.each do |name, params|
@@ -33,7 +35,8 @@ module Gitlab
end
# Core API methods delegates to the core api group client
- delegate :get_pods,
+ delegate :get_nodes,
+ :get_pods,
:get_secrets,
:get_config_map,
:get_namespace,
@@ -56,9 +59,7 @@ module Gitlab
# RBAC methods delegates to the apis/rbac.authorization.k8s.io api
# group client
- delegate :create_cluster_role_binding,
- :get_cluster_role_binding,
- :update_cluster_role_binding,
+ delegate :update_cluster_role_binding,
to: :rbac_client
# RBAC methods delegates to the apis/rbac.authorization.k8s.io api
@@ -70,9 +71,7 @@ module Gitlab
# RBAC methods delegates to the apis/rbac.authorization.k8s.io api
# group client
- delegate :create_role_binding,
- :get_role_binding,
- :update_role_binding,
+ delegate :update_role_binding,
to: :rbac_client
# non-entity methods that can only work with the core client
@@ -88,6 +87,14 @@ module Gitlab
:update_gateway,
to: :istio_client
+ # NetworkPolicy methods delegate to the apis/networking.k8s.io api
+ # group client
+ delegate :create_network_policy,
+ :get_network_policies,
+ :update_network_policy,
+ :delete_network_policy,
+ to: :networking_client
+
attr_reader :api_prefix, :kubeclient_options
DEFAULT_KUBECLIENT_OPTIONS = {
@@ -97,6 +104,31 @@ module Gitlab
}
}.freeze
+ def self.graceful_request(cluster_id)
+ { status: :connected, response: yield }
+ rescue *Gitlab::Kubernetes::Errors::CONNECTION
+ { status: :unreachable }
+ rescue *Gitlab::Kubernetes::Errors::AUTHENTICATION
+ { status: :authentication_failure }
+ rescue Kubeclient::HttpError => e
+ { status: kubeclient_error_status(e.message) }
+ rescue => e
+ Gitlab::ErrorTracking.track_exception(e, cluster_id: cluster_id)
+
+ { status: :unknown_failure }
+ end
+
+ # KubeClient uses the same error class
+ # For connection errors (eg. timeout) and
+ # for Kubernetes errors.
+ def self.kubeclient_error_status(message)
+ if message&.match?(/timed out|timeout/i)
+ :unreachable
+ else
+ :authentication_failure
+ end
+ end
+
# We disable redirects through 'http_max_redirects: 0',
# so that KubeClient does not follow redirects and
# expose internal services.
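Review bot: `kubeclient_error_status` reports every `Kubeclient::HttpError` whose message does not mention a timeout as `:authentication_failure`, so a 404, a 5xx or any other non-credential error from the API server would reach the operator as a credential problem. `Kubeclient::HttpError` exposes the HTTP status as `error_code`; passing the exception instead of `e.message` would allow `[401, 403].include?(error.error_code) ? :authentication_failure : :unknown_failure` after the timeout check. The `rescue Kubeclient::HttpError => e` branch in `graceful_request` also discards the error without calling `Gitlab::ErrorTracking.track_exception`, unlike the final `rescue => e`, so a misclassified status leaves nothing to diagnose from. Callers that depend on the current status values are not visible in this hunk, so confirm them before changing the mapping.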
@@ -125,19 +157,11 @@ module Gitlab
end
def create_or_update_cluster_role_binding(resource)
- if cluster_role_binding_exists?(resource)
- update_cluster_role_binding(resource)
- else
- create_cluster_role_binding(resource)
- end
+ update_cluster_role_binding(resource)
end
def create_or_update_role_binding(resource)
- if role_binding_exists?(resource)
- update_role_binding(resource)
- else
- create_role_binding(resource)
- end
+ update_role_binding(resource)
end
def create_or_update_service_account(resource)
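Review bot: `create_or_update_cluster_role_binding` and `create_or_update_role_binding` now call only `update_*`, and nothing in the code says why the create path is no longer needed. If this relies on the API server creating the binding on PUT when it is absent, state that above both methods, for example `# PUT creates the binding when it does not exist, so no existence check is needed`. If that assumption does not hold for a given cluster, a missing binding would presumably surface to callers as `Kubeclient::ResourceNotFoundError`, and the intended RBAC grant would not be applied. The earlier hunks at `@@ -56,9 +59,7 @@` and `@@ -70,9 +71,7 @@` drop `create_*` and `get_*` from the `rbac_client` delegate lists, so any caller of those methods outside this file would break; that is not visible here. `create_or_update_service_account` starts on the last line of this hunk and its body lies outside it.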
@@ -164,18 +188,6 @@ module Gitlab
Gitlab::UrlBlocker.validate!(api_prefix, allow_local_network: false)
end
- def cluster_role_binding_exists?(resource)
- get_cluster_role_binding(resource.metadata.name)
- rescue ::Kubeclient::ResourceNotFoundError
- false
- end
-
- def role_binding_exists?(resource)
- get_role_binding(resource.metadata.name, resource.metadata.namespace)
- rescue ::Kubeclient::ResourceNotFoundError
- false
- end
-
def service_account_exists?(resource)
get_service_account(resource.metadata.name, resource.metadata.namespace)
rescue ::Kubeclient::ResourceNotFoundError