1 files changed, 149 insertions, 129 deletions

diff --git a/spec/services/clusters/gcp/finalize_creation_service_spec.rb b/spec/services/clusters/gcp/finalize_creation_service_spec.rb
index 303d45495ef..efee158739d 100644
--- a/spec/services/clusters/gcp/finalize_creation_service_spec.rb
+++ b/spec/services/clusters/gcp/finalize_creation_service_spec.rb
@@ -1,156 +1,176 @@
+# frozen_string_literal: true
+
 require 'spec_helper'
 
-describe Clusters::Gcp::FinalizeCreationService do
+describe Clusters::Gcp::FinalizeCreationService, '#execute' do
   include GoogleApi::CloudPlatformHelpers
   include KubernetesHelpers
 
-  describe '#execute' do
-    let(:cluster) { create(:cluster, :project, :providing_by_gcp) }
-    let(:provider) { cluster.provider }
-    let(:platform) { cluster.platform }
-    let(:gcp_project_id) { provider.gcp_project_id }
-    let(:zone) { provider.zone }
-    let(:cluster_name) { cluster.name }
+  let(:cluster) { create(:cluster, :project, :providing_by_gcp) }
+  let(:provider) { cluster.provider }
+  let(:platform) { cluster.platform }
+  let(:endpoint) { '111.111.111.111' }
+  let(:api_url) { 'https://' + endpoint }
+  let(:username) { 'sample-username' }
+  let(:password) { 'sample-password' }
+  let(:secret_name) { 'gitlab-token' }
+  let(:token) { 'sample-token' }
+  let(:namespace) { "#{cluster.project.path}-#{cluster.project.id}" }
 
-    subject { described_class.new.execute(provider) }
+  subject { described_class.new.execute(provider) }
 
-    shared_examples 'success' do
-      it 'configures provider and kubernetes' do
-        subject
+  shared_examples 'success' do
+    it 'configures provider and kubernetes' do
+      subject
 
-        expect(provider).to be_created
-      end
+      expect(provider).to be_created
     end
 
-    shared_examples 'error' do
-      it 'sets an error to provider object' do
-        subject
+    it 'properly configures database models' do
+      subject
 
-        expect(provider.reload).to be_errored
-      end
+      cluster.reload
+
+      expect(provider.endpoint).to eq(endpoint)
+      expect(platform.api_url).to eq(api_url)
+      expect(platform.ca_cert).to eq(Base64.decode64(load_sample_cert).strip)
+      expect(platform.username).to eq(username)
+      expect(platform.password).to eq(password)
+      expect(platform.token).to eq(token)
+    end
+
+    it 'creates kubernetes namespace model' do
+      subject
+
+      kubernetes_namespace = cluster.reload.kubernetes_namespace
+      expect(kubernetes_namespace).to be_persisted
+      expect(kubernetes_namespace.namespace).to eq(namespace)
+      expect(kubernetes_namespace.service_account_name).to eq("#{namespace}-service-account")
+      expect(kubernetes_namespace.service_account_token).to be_present
     end
+  end
+
+  shared_examples 'error' do
+    it 'sets an error to provider object' do
+      subject
 
-    context 'when succeeded to fetch gke cluster info' do
-      let(:endpoint) { '111.111.111.111' }
-      let(:api_url) { 'https://' + endpoint }
-      let(:username) { 'sample-username' }
-      let(:password) { 'sample-password' }
-      let(:secret_name) { 'gitlab-token' }
+      expect(provider.reload).to be_errored
+    end
+  end
 
+  shared_examples 'kubernetes information not successfully fetched' do
+    context 'when failed to fetch gke cluster info' do
       before do
-        stub_cloud_platform_get_zone_cluster(
-          gcp_project_id, zone, cluster_name,
-          {
-            endpoint: endpoint,
-            username: username,
-            password: password
-          }
-        )
+        stub_cloud_platform_get_zone_cluster_error(provider.gcp_project_id, provider.zone, cluster.name)
       end
 
-      context 'service account and token created' do
-        before do
-          stub_kubeclient_discover(api_url)
-          stub_kubeclient_create_service_account(api_url)
-          stub_kubeclient_create_secret(api_url)
-        end
-
-        shared_context 'kubernetes token successfully fetched' do
-          let(:token) { 'sample-token' }
-
-          before do
-            stub_kubeclient_get_secret(
-              api_url,
-              {
-                metadata_name: secret_name,
-                token: Base64.encode64(token)
-              } )
-          end
-        end
-
-        context 'provider legacy_abac is enabled' do
-          include_context 'kubernetes token successfully fetched'
-
-          it_behaves_like 'success'
-
-          it 'properly configures database models' do
-            subject
-
-            cluster.reload
-
-            expect(provider.endpoint).to eq(endpoint)
-            expect(platform.api_url).to eq(api_url)
-            expect(platform.ca_cert).to eq(Base64.decode64(load_sample_cert))
-            expect(platform.username).to eq(username)
-            expect(platform.password).to eq(password)
-            expect(platform).to be_abac
-            expect(platform.authorization_type).to eq('abac')
-            expect(platform.token).to eq(token)
-          end
-        end
-
-        context 'provider legacy_abac is disabled' do
-          before do
-            provider.legacy_abac = false
-          end
-
-          include_context 'kubernetes token successfully fetched'
-
-          context 'cluster role binding created' do
-            before do
-              stub_kubeclient_create_cluster_role_binding(api_url)
-            end
-
-            it_behaves_like 'success'
-
-            it 'properly configures database models' do
-              subject
-
-              cluster.reload
-
-              expect(provider.endpoint).to eq(endpoint)
-              expect(platform.api_url).to eq(api_url)
-              expect(platform.ca_cert).to eq(Base64.decode64(load_sample_cert))
-              expect(platform.username).to eq(username)
-              expect(platform.password).to eq(password)
-              expect(platform).to be_rbac
-              expect(platform.token).to eq(token)
-            end
-          end
-        end
-
-        context 'when token is empty' do
-          before do
-            stub_kubeclient_get_secret(api_url, token: '', metadata_name: secret_name)
-          end
-
-          it_behaves_like 'error'
-        end
-
-        context 'when failed to fetch kubernetes token' do
-          before do
-            stub_kubeclient_get_secret_error(api_url, secret_name)
-          end
-
-          it_behaves_like 'error'
-        end
-
-        context 'when service account fails to create' do
-          before do
-            stub_kubeclient_create_service_account_error(api_url)
-          end
-
-          it_behaves_like 'error'
-        end
+      it_behaves_like 'error'
+    end
+
+    context 'when token is empty' do
+      let(:token) { '' }
+
+      it_behaves_like 'error'
+    end
+
+    context 'when failed to fetch kubernetes token' do
+      before do
+        stub_kubeclient_get_secret_error(api_url, secret_name, namespace: 'default')
       end
+
+      it_behaves_like 'error'
     end
 
-    context 'when failed to fetch gke cluster info' do
+    context 'when service account fails to create' do
       before do
-        stub_cloud_platform_get_zone_cluster_error(gcp_project_id, zone, cluster_name)
+        stub_kubeclient_create_service_account_error(api_url, namespace: 'default')
       end
 
       it_behaves_like 'error'
     end
   end
+
+  shared_context 'kubernetes information successfully fetched' do
+    before do
+      stub_cloud_platform_get_zone_cluster(
+        provider.gcp_project_id, provider.zone, cluster.name,
+        {
+          endpoint: endpoint,
+          username: username,
+          password: password
+        }
+      )
+
+      stub_kubeclient_discover(api_url)
+      stub_kubeclient_get_namespace(api_url)
+      stub_kubeclient_create_namespace(api_url)
+      stub_kubeclient_create_service_account(api_url)
+      stub_kubeclient_create_secret(api_url)
+
+      stub_kubeclient_get_secret(
+        api_url,
+        {
+          metadata_name: secret_name,
+          token: Base64.encode64(token),
+          namespace: 'default'
+        }
+      )
+
+      stub_kubeclient_get_namespace(api_url, namespace: namespace)
+      stub_kubeclient_create_service_account(api_url, namespace: namespace)
+      stub_kubeclient_create_secret(api_url, namespace: namespace)
+
+      stub_kubeclient_get_secret(
+        api_url,
+        {
+          metadata_name: "#{namespace}-token",
+          token: Base64.encode64(token),
+          namespace: namespace
+        }
+      )
+    end
+  end
+
+  context 'With a legacy ABAC cluster' do
+    before do
+      provider.legacy_abac = true
+    end
+
+    include_context 'kubernetes information successfully fetched'
+
+    it_behaves_like 'success'
+
+    it 'uses ABAC authorization type' do
+      subject
+      cluster.reload
+
+      expect(platform).to be_abac
+      expect(platform.authorization_type).to eq('abac')
+    end
+
+    it_behaves_like 'kubernetes information not successfully fetched'
+  end
+
+  context 'With an RBAC cluster' do
+    before do
+      provider.legacy_abac = false
+
+      stub_kubeclient_create_cluster_role_binding(api_url)
+      stub_kubeclient_create_role_binding(api_url, namespace: namespace)
+    end
+
+    include_context 'kubernetes information successfully fetched'
+
+    it_behaves_like 'success'
+
+    it 'uses RBAC authorization type' do
+      subject
+      cluster.reload
+
+      expect(platform).to be_rbac
+      expect(platform.authorization_type).to eq('rbac')
+    end
+
+    it_behaves_like 'kubernetes information not successfully fetched'
+  end
 end