1 files changed, 110 insertions, 0 deletions

diff --git a/spec/services/clusters/kubernetes/fetch_kubernetes_token_service_spec.rb b/spec/services/clusters/kubernetes/fetch_kubernetes_token_service_spec.rb
new file mode 100644
index 00000000000..145528616ee
--- /dev/null
+++ b/spec/services/clusters/kubernetes/fetch_kubernetes_token_service_spec.rb
@@ -0,0 +1,110 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe Clusters::Kubernetes::FetchKubernetesTokenService do
+  include KubernetesHelpers
+
+  describe '#execute' do
+    let(:api_url) { 'http://111.111.111.111' }
+    let(:namespace) { 'my-namespace' }
+    let(:service_account_token_name) { 'gitlab-token' }
+
+    let(:kubeclient) do
+      Gitlab::Kubernetes::KubeClient.new(
+        api_url,
+        auth_options: { username: 'admin', password: 'xxx' }
+      )
+    end
+
+    subject { described_class.new(kubeclient, service_account_token_name, namespace, token_retry_delay: 0).execute }
+
+    before do
+      stub_kubeclient_discover(api_url)
+    end
+
+    context 'when params correct' do
+      let(:decoded_token) { 'xxx.token.xxx' }
+      let(:token) { Base64.encode64(decoded_token) }
+      context 'when the secret exists' do
+        before do
+          stub_kubeclient_get_secret(
+            api_url,
+            {
+              metadata_name: service_account_token_name,
+              namespace: namespace,
+              token: token
+            }
+          )
+        end
+
+        it { is_expected.to eq(decoded_token) }
+      end
+
+      context 'when there is a 500 error' do
+        before do
+          stub_kubeclient_get_secret_error(api_url, service_account_token_name, namespace: namespace, status: 500)
+        end
+
+        it { expect { subject }.to raise_error(Kubeclient::HttpError) }
+      end
+
+      context 'when the secret does not exist on the first try' do
+        before do
+          stub_kubeclient_get_secret_not_found_then_found(
+            api_url,
+            {
+              metadata_name: service_account_token_name,
+              namespace: namespace,
+              token: token
+            }
+          )
+        end
+
+        it 'retries and finds the token' do
+          expect(subject).to eq(decoded_token)
+        end
+      end
+
+      context 'when the secret permanently does not exist' do
+        before do
+          stub_kubeclient_get_secret_error(api_url, service_account_token_name, namespace: namespace, status: 404)
+        end
+
+        it { is_expected.to be_nil }
+      end
+
+      context 'when the secret is missing a token on the first try' do
+        before do
+          stub_kubeclient_get_secret_missing_token_then_with_token(
+            api_url,
+            {
+              metadata_name: service_account_token_name,
+              namespace: namespace,
+              token: token
+            }
+          )
+        end
+
+        it 'retries and finds the token' do
+          expect(subject).to eq(decoded_token)
+        end
+      end
+
+      context 'when the secret is permanently missing a token' do
+        before do
+          stub_kubeclient_get_secret(
+            api_url,
+            {
+              metadata_name: service_account_token_name,
+              namespace: namespace,
+              token: nil
+            }
+          )
+        end
+
+        it { is_expected.to be_nil }
+      end
+    end
+  end
+end