1 files changed, 124 insertions, 0 deletions

diff --git a/spec/services/clusters/aws/finalize_creation_service_spec.rb b/spec/services/clusters/aws/finalize_creation_service_spec.rb
new file mode 100644
index 00000000000..8d7341483e3
--- /dev/null
+++ b/spec/services/clusters/aws/finalize_creation_service_spec.rb
@@ -0,0 +1,124 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe Clusters::Aws::FinalizeCreationService do
+  describe '#execute' do
+    let(:provider) { create(:cluster_provider_aws, :creating) }
+    let(:platform) { provider.cluster.platform_kubernetes }
+
+    let(:create_service_account_service) { double(execute: true) }
+    let(:fetch_token_service) { double(execute: gitlab_token) }
+    let(:kube_client) { double(create_config_map: true) }
+    let(:cluster_stack) { double(outputs: [endpoint_output, cert_output, node_role_output]) }
+    let(:node_auth_config_map) { double }
+
+    let(:endpoint_output) { double(output_key: 'ClusterEndpoint', output_value: api_url) }
+    let(:cert_output) { double(output_key: 'ClusterCertificate', output_value: Base64.encode64(ca_pem)) }
+    let(:node_role_output) { double(output_key: 'NodeInstanceRole', output_value: node_role) }
+
+    let(:api_url) { 'https://kubernetes.example.com' }
+    let(:ca_pem) { File.read(Rails.root.join('spec/fixtures/clusters/sample_cert.pem')) }
+    let(:gitlab_token) { 'gitlab-token' }
+    let(:iam_token) { 'iam-token' }
+    let(:node_role) { 'arn::aws::iam::123456789012:role/node-role' }
+
+    subject { described_class.new.execute(provider) }
+
+    before do
+      allow(Clusters::Kubernetes::CreateOrUpdateServiceAccountService).to receive(:gitlab_creator)
+        .with(kube_client, rbac: true)
+        .and_return(create_service_account_service)
+
+      allow(Clusters::Kubernetes::FetchKubernetesTokenService).to receive(:new)
+        .with(
+          kube_client,
+          Clusters::Kubernetes::GITLAB_ADMIN_TOKEN_NAME,
+          Clusters::Kubernetes::GITLAB_SERVICE_ACCOUNT_NAMESPACE)
+        .and_return(fetch_token_service)
+
+      allow(Gitlab::Kubernetes::KubeClient).to receive(:new)
+        .with(
+          api_url,
+          auth_options: { bearer_token: iam_token },
+          ssl_options: {
+            verify_ssl: OpenSSL::SSL::VERIFY_PEER,
+            cert_store: instance_of(OpenSSL::X509::Store)
+          },
+          http_proxy_uri: nil
+        )
+        .and_return(kube_client)
+
+      allow(provider.api_client).to receive(:describe_stacks)
+        .with(stack_name: provider.cluster.name)
+        .and_return(double(stacks: [cluster_stack]))
+
+      allow(Kubeclient::AmazonEksCredentials).to receive(:token)
+        .with(provider.credentials, provider.cluster.name)
+        .and_return(iam_token)
+
+      allow(Gitlab::Kubernetes::ConfigMaps::AwsNodeAuth).to receive(:new)
+        .with(node_role).and_return(double(generate: node_auth_config_map))
+    end
+
+    it 'configures the provider and platform' do
+      subject
+
+      expect(provider).to be_created
+      expect(platform.api_url).to eq(api_url)
+      expect(platform.ca_pem).to eq(ca_pem)
+      expect(platform.token).to eq(gitlab_token)
+      expect(platform).to be_rbac
+    end
+
+    it 'calls the create_service_account_service' do
+      expect(create_service_account_service).to receive(:execute).once
+
+      subject
+    end
+
+    it 'configures cluster node authentication' do
+      expect(kube_client).to receive(:create_config_map).with(node_auth_config_map).once
+
+      subject
+    end
+
+    describe 'error handling' do
+      shared_examples 'provision error' do |message|
+        it "sets the status to :errored with an appropriate error message" do
+          subject
+
+          expect(provider).to be_errored
+          expect(provider.status_reason).to include(message)
+        end
+      end
+
+      context 'failed to request stack details from AWS' do
+        before do
+          allow(provider.api_client).to receive(:describe_stacks)
+            .and_raise(Aws::CloudFormation::Errors::ServiceError.new(double, "Error message"))
+        end
+
+        include_examples 'provision error', 'Failed to fetch CloudFormation stack'
+      end
+
+      context 'failed to create auth config map' do
+        before do
+          allow(kube_client).to receive(:create_config_map)
+            .and_raise(Kubeclient::HttpError.new(500, 'Error', nil))
+        end
+
+        include_examples 'provision error', 'Failed to run Kubeclient'
+      end
+
+      context 'failed to save records' do
+        before do
+          allow(provider.cluster).to receive(:save!)
+            .and_raise(ActiveRecord::RecordInvalid)
+        end
+
+        include_examples 'provision error', 'Failed to configure EKS provider'
+      end
+    end
+  end
+end