From 924ad021ef54fc4c8290415dd09d57b509774ab8 Mon Sep 17 00:00:00 2001
From: Mayra Cabrera
Date: Thu, 1 Nov 2018 11:21:53 -0600
Subject: Make small modification on RoleBinding service
- Changes RoleRef to use cluster-edit instead of simple edit, as this one does not exists
- Also include minor comments from BE review regarding useless if/else branching.
---
 app/models/clusters/platforms/kubernetes.rb | 8 ++------
 app/services/clusters/gcp/kubernetes.rb | 2 +-
 .../clusters/gcp/kubernetes/create_service_account_service.rb | 11 +++++++----
 lib/gitlab/kubernetes/role_binding.rb | 11 ++++++-----
 spec/lib/gitlab/kubernetes/role_binding_spec.rb | 3 ++-
 .../gcp/kubernetes/create_service_account_service_spec.rb | 2 +-
 6 files changed, 19 insertions(+), 18 deletions(-)
diff --git a/app/models/clusters/platforms/kubernetes.rb b/app/models/clusters/platforms/kubernetes.rb
index 78aa9216f4d..cd14137d08e 100644
--- a/app/models/clusters/platforms/kubernetes.rb
+++ b/app/models/clusters/platforms/kubernetes.rb
@@ -85,7 +85,7 @@ module Clusters
 else
 # From 11.5, every Clusters::Project should have at least one
 # Clusters::KubernetesNamespace, so once migration has been completed,
- # this else will be removed. For more information, please see
+ # this 'else' branch will be removed. For more information, please see
 # https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/22433
 config = YAML.dump(kubeconfig)
@@ -129,14 +129,10 @@ module Clusters
 to_kubeconfig(
 url: api_url,
 namespace: actual_namespace,
- token: default_service_account_token,
+ token: token,
 ca_pem: ca_pem)
 end
- def default_service_account_token
- kubernetes_namespace&.service_account_token.presence || token
- end
-
 def default_namespace
 kubernetes_namespace&.namespace.presence || fallback_default_namespace
 end
diff --git a/app/services/clusters/gcp/kubernetes.rb b/app/services/clusters/gcp/kubernetes.rb
index 88b85b14a5a..f9d5c716ef7 100644
--- a/app/services/clusters/gcp/kubernetes.rb
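Review bot: In the `@@ -129,14 +129,10 @@` hunk of app/models/clusters/platforms/kubernetes.rb the kubeconfig is now always built with the platform-level `token`, and nothing on the visible lines records why the namespace service-account token is no longer preferred. Judging by the `else` comment in the hunk above, this path is presumably reached only when no Clusters::KubernetesNamespace exists, but the enclosing method starts outside the hunk, so that cannot be confirmed from here. If `token` is the one bound to `cluster-admin` on GitLab-created clusters (the constants in app/services/clusters/gcp/kubernetes.rb suggest so), this config carries far more privilege than a namespace-scoped one, so I would add a comment above the call such as `# Legacy path: no KubernetesNamespace yet, so fall back to the cluster-level token`, plus a spec asserting that the namespace-scoped token is used whenever a KubernetesNamespace is present.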
+++ b/app/services/clusters/gcp/kubernetes.rb
@@ -8,7 +8,7 @@ module Clusters
 GITLAB_ADMIN_TOKEN_NAME = 'gitlab-token'
 CLUSTER_ROLE_BINDING_NAME = 'gitlab-admin'
 CLUSTER_ROLE_NAME = 'cluster-admin'
- ROLE_BINDING_ROLE = 'edit'
+ ROLE_BINDING_ROLE_NAME = 'edit'
 end
 end
 end
diff --git a/app/services/clusters/gcp/kubernetes/create_service_account_service.rb b/app/services/clusters/gcp/kubernetes/create_service_account_service.rb
index 93c1fa08591..88312808981 100644
--- a/app/services/clusters/gcp/kubernetes/create_service_account_service.rb
+++ b/app/services/clusters/gcp/kubernetes/create_service_account_service.rb
@@ -4,13 +4,14 @@ module Clusters
 module Gcp
 module Kubernetes
 class CreateServiceAccountService
- def initialize(kubeclient, service_account_name:, service_account_namespace:, token_name:, rbac:, namespace_creator: false)
+ def initialize(kubeclient, service_account_name:, service_account_namespace:, token_name:, rbac:, namespace_creator: false, role_binding_name: nil)
 @kubeclient = kubeclient
 @service_account_name = service_account_name
 @service_account_namespace = service_account_namespace
 @token_name = token_name
 @rbac = rbac
 @namespace_creator = namespace_creator
+ @role_binding_name = role_binding_name
 end
 def self.gitlab_creator(kubeclient, rbac:)
@@ -30,7 +31,8 @@ module Clusters
 service_account_namespace: service_account_namespace,
 token_name: "#{service_account_namespace}-token",
 rbac: rbac,
- namespace_creator: true
+ namespace_creator: true,
+ role_binding_name: "gitlab-#{service_account_namespace}"
 )
 end
@@ -43,7 +45,7 @@ module Clusters
 private
- attr_reader :kubeclient, :service_account_name, :service_account_namespace, :token_name, :rbac, :namespace_creator
+ attr_reader :kubeclient, :service_account_name, :service_account_namespace, :token_name, :rbac, :namespace_creator, :role_binding_name
 def ensure_project_namespace_exists
 Gitlab::Kubernetes::Namespace.new(
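Review bot: `role_binding_name:` defaults to `nil` in `initialize` (hunk `@@ -4,13 +4,14 @@`), and the `@@ -87,7 +89,8 @@` hunk passes it straight through as `name:` to `Gitlab::Kubernetes::RoleBinding.new`, so a caller that sets `namespace_creator: true` without a name would generate a RoleBinding whose `metadata.name` is nil. Only the factory in the `@@ -30,7 +31,8 @@` hunk is shown supplying a name; the call site of `role_binding_resource` lies outside the visible hunks, so whether the nil case is reachable cannot be told from here. Failing early in the constructor would make the contract explicit: `raise ArgumentError, 'role_binding_name is required when namespace_creator is true' if namespace_creator && role_binding_name.nil?`.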
@@ -87,7 +89,8 @@ module Clusters
 def role_binding_resource
 Gitlab::Kubernetes::RoleBinding.new(
- role_name: Clusters::Gcp::Kubernetes::ROLE_BINDING_ROLE,
+ name: role_binding_name,
+ role_name: Clusters::Gcp::Kubernetes::ROLE_BINDING_ROLE_NAME,
 namespace: service_account_namespace,
 service_account_name: service_account_name
 ).generate
diff --git a/lib/gitlab/kubernetes/role_binding.rb b/lib/gitlab/kubernetes/role_binding.rb
index 4f3ee040bf2..cb0cb42d007 100644
--- a/lib/gitlab/kubernetes/role_binding.rb
+++ b/lib/gitlab/kubernetes/role_binding.rb
@@ -3,9 +3,8 @@
 module Gitlab
 module Kubernetes
 class RoleBinding
- attr_reader :role_name, :namespace, :service_account_name
-
- def initialize(role_name:, namespace:, service_account_name:)
+ def initialize(name:, role_name:, namespace:, service_account_name:)
+ @name = name
 @role_name = role_name
 @namespace = namespace
 @service_account_name = service_account_name
@@ -21,14 +20,16 @@ module Gitlab
 private
+ attr_reader :name, :role_name, :namespace, :service_account_name
+
 def metadata
- { name: "gitlab-#{namespace}", namespace: namespace }
+ { name: name, namespace: namespace }
 end
 def role_ref
 {
 apiGroup: 'rbac.authorization.k8s.io',
- kind: 'Role',
+ kind: 'ClusterRole',
 name: role_name
 }
 end
diff --git a/spec/lib/gitlab/kubernetes/role_binding_spec.rb b/spec/lib/gitlab/kubernetes/role_binding_spec.rb
index da3f5d27b25..a1a59533bfb 100644
--- a/spec/lib/gitlab/kubernetes/role_binding_spec.rb
+++ b/spec/lib/gitlab/kubernetes/role_binding_spec.rb
@@ -20,7 +20,7 @@ describe Gitlab::Kubernetes::RoleBinding, '#generate' do
 let(:role_ref) do
 {
 apiGroup: 'rbac.authorization.k8s.io',
- kind: 'Role',
+ kind: 'ClusterRole',
 name: role_name
 }
 end
@@ -35,6 +35,7 @@ describe Gitlab::Kubernetes::RoleBinding, '#generate' do
 subject do
 described_class.new(
+ name: "gitlab-#{namespace}",
 role_name: role_name,
 namespace: namespace,
 service_account_name: service_account_name
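Review bot: In `role_ref` (hunk `@@ -21,14 +20,16 @@` of lib/gitlab/kubernetes/role_binding.rb) `kind` is now hard-coded to `'ClusterRole'` while `role_name` stays caller-supplied, so this class can bind a service account to any ClusterRole by name and can no longer reference a namespaced Role. The binding itself remains namespace-scoped, but the built-in `edit` ClusterRole includes access to Secrets in the namespace and lets pods run as any ServiceAccount there, which deserves a comment on `role_ref`, for example `# RoleBinding to a ClusterRole: rights apply only inside the binding's namespace; 'edit' can read Secrets`. Kubernetes also treats `roleRef` as immutable, so if a binding named `gitlab-<namespace>` was already created with `kind: 'Role'` by the previous code, an update will likely be rejected and the binding would have to be deleted and recreated; how the resource is applied is not visible in this diff.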
diff --git a/spec/services/clusters/gcp/kubernetes/create_service_account_service_spec.rb b/spec/services/clusters/gcp/kubernetes/create_service_account_service_spec.rb
index c32e85fed8c..588edff85d4 100644
--- a/spec/services/clusters/gcp/kubernetes/create_service_account_service_spec.rb
+++ b/spec/services/clusters/gcp/kubernetes/create_service_account_service_spec.rb
@@ -148,7 +148,7 @@ describe Clusters::Gcp::Kubernetes::CreateServiceAccountService do
 metadata: { name: "gitlab-#{namespace}", namespace: "#{namespace}" },
 roleRef: {
 apiGroup: 'rbac.authorization.k8s.io',
- kind: 'Role',
+ kind: 'ClusterRole',
 name: 'edit'
 },
 subjects: [
--
cgit v1.2.1