debian-mirror-gitlab/spec/services/ci/generate_kubeconfig_service_spec.rb

# frozen_string_literal: true

require 'spec_helper'

RSpec.describe Ci::GenerateKubeconfigService, feature_category: :deployment_management do
  describe '#execute' do
    let_it_be(:group) { create(:group) }
    let_it_be(:project) { create(:project, group: group) }
    let_it_be(:pipeline) { create(:ci_empty_pipeline, project: project) }
    let_it_be(:build) { create(:ci_build, project: project, pipeline: pipeline) }

    let_it_be(:agent_project) { create(:project, group: group, name: 'project-containing-agent-config') }

    let_it_be(:project_agent_authorization) do
      agent = create(:cluster_agent, project: agent_project)
      create(:agent_ci_access_project_authorization, agent: agent, project: project)
    end

    let_it_be(:group_agent_authorization) do
      agent = create(:cluster_agent, project: agent_project)
      create(:agent_ci_access_group_authorization, agent: agent, group: group)
    end

    let(:template) do
      instance_double(
        Gitlab::Kubernetes::Kubeconfig::Template,
        add_cluster: nil,
        add_user: nil,
        add_context: nil
      )
    end

    let(:agent_authorizations) { [project_agent_authorization, group_agent_authorization] }
    let(:filter_service) do
      instance_double(
        ::Clusters::Agents::Authorizations::CiAccess::FilterService,
        execute: agent_authorizations
      )
    end

    subject(:execute) { described_class.new(pipeline, token: build.token, environment: nil).execute }

    before do
      allow(Gitlab::Kubernetes::Kubeconfig::Template).to receive(:new).and_return(template)
      allow(::Clusters::Agents::Authorizations::CiAccess::FilterService).to receive(:new).and_return(filter_service)
    end

    it 'returns a Kubeconfig Template' do
      expect(execute).to eq(template)
    end

    it 'adds a cluster' do
      expect(template).to receive(:add_cluster).with(
        name: 'gitlab',
        url: Gitlab::Kas.tunnel_url
      ).once

      execute
    end

    it "filters the pipeline's agents by `nil` environment" do
      expect(::Clusters::Agents::Authorizations::CiAccess::FilterService).to receive(:new).with(
        pipeline.cluster_agent_authorizations,
        environment: nil
      )

      execute
    end

    it 'adds user and context for all eligible agents', :aggregate_failures do
      agent_authorizations.each do |authorization|
        expect(template).to receive(:add_user).with(
          name: "agent:#{authorization.agent.id}",
          token: "ci:#{authorization.agent.id}:#{build.token}"
        )

        expect(template).to receive(:add_context).with(
          name: "#{agent_project.full_path}:#{authorization.agent.name}",
          namespace: 'production',
          cluster: 'gitlab',
          user: "agent:#{authorization.agent.id}"
        )
      end

      execute
    end

    context 'when environment is specified' do
      subject(:execute) { described_class.new(pipeline, token: build.token, environment: 'production').execute }

      it "filters the pipeline's agents by the specified environment" do
        expect(::Clusters::Agents::Authorizations::CiAccess::FilterService).to receive(:new).with(
          pipeline.cluster_agent_authorizations,
          environment: 'production'
        )

        execute
      end
    end
  end
end