Merge branch 'stop-using-basic-auth-for-gke-cluster-creation' into 'master'

Stop using basic auth for GKE cluster creation See merge request gitlab-org/gitlab!62518

Merge branch 'stop-using-basic-auth-for-gke-cluster-creation' into 'master'
Stop using basic auth for GKE cluster creation See merge request gitlab-org/gitlab!62518
0d13e293 · Thong Kuah · 560def32 · c1f0d4ad · 0d13e293 · 0d13e293
Commit 0d13e293 authored Jun 10, 2021 by Thong Kuah
4 changed files
--- a/app/services/clusters/gcp/finalize_creation_service.rb
+++ b/app/services/clusters/gcp/finalize_creation_service.rb
@@ -43,8 +43,6 @@ module Clusters
        cluster.build_platform_kubernetes(
          api_url: 'https://' + gke_cluster.endpoint,
          ca_cert: Base64.decode64(gke_cluster.master_auth.cluster_ca_certificate),
-          username: gke_cluster.master_auth.username,
-          password: gke_cluster.master_auth.password,
          authorization_type: authorization_type,
          token: request_kubernetes_token)
      end
@@ -75,18 +73,16 @@ module Clusters
      def kube_client
        @kube_client ||= build_kube_client!(
          'https://' + gke_cluster.endpoint,
-          Base64.decode64(gke_cluster.master_auth.cluster_ca_certificate),
+          Base64.decode64(gke_cluster.master_auth.cluster_ca_certificate)
-          gke_cluster.master_auth.username,
-          gke_cluster.master_auth.password
        )
      end
-      def build_kube_client!(api_url, ca_pem, username, password)
+      def build_kube_client!(api_url, ca_pem)
-        raise "Incomplete settings" unless api_url && username && password
+        raise "Incomplete settings" unless api_url
        Gitlab::Kubernetes::KubeClient.new(
          api_url,
-          auth_options: { username: username, password: password },
+          auth_options: { bearer_token: provider.access_token },
          ssl_options: kubeclient_ssl_options(ca_pem),
          http_proxy_uri: ENV['http_proxy']
        )

--- a/lib/google_api/cloud_platform/client.rb
+++ b/lib/google_api/cloud_platform/client.rb
@@ -13,10 +13,6 @@ module GoogleApi
      LEAST_TOKEN_LIFE_TIME = 10.minutes
      CLUSTER_MASTER_AUTH_USERNAME = 'admin'
      CLUSTER_IPV4_CIDR_BLOCK = '/16'
-      # Don't upgrade to > 1.18 before we move away from Basic Auth
-      # See issue: https://gitlab.com/gitlab-org/gitlab/-/issues/331582
-      # Possible solution: https://gitlab.com/groups/gitlab-org/-/epics/6049
-      GKE_VERSION = '1.18'
      CLUSTER_OAUTH_SCOPES = [
        "https://www.googleapis.com/auth/devstorage.read_only",
        "https://www.googleapis.com/auth/logging.write",
@@ -94,13 +90,11 @@ module GoogleApi
          cluster: {
            name: cluster_name,
            initial_node_count: cluster_size,
-            initial_cluster_version: GKE_VERSION,
            node_config: {
              machine_type: machine_type,
              oauth_scopes: CLUSTER_OAUTH_SCOPES
            },
            master_auth: {
-              username: CLUSTER_MASTER_AUTH_USERNAME,
              client_certificate_config: {
                issue_client_certificate: true
              }

--- a/spec/lib/google_api/cloud_platform/client_spec.rb
+++ b/spec/lib/google_api/cloud_platform/client_spec.rb
@@ -91,7 +91,6 @@ RSpec.describe GoogleApi::CloudPlatform::Client do
        cluster: {
          name: cluster_name,
          initial_node_count: cluster_size,
-          initial_cluster_version: '1.18',
          node_config: {
            machine_type: machine_type,
            oauth_scopes: [
@@ -101,7 +100,6 @@ RSpec.describe GoogleApi::CloudPlatform::Client do
            ]
          },
          master_auth: {
-            username: 'admin',
            client_certificate_config: {
              issue_client_certificate: true
            }

--- a/spec/services/clusters/gcp/finalize_creation_service_spec.rb
+++ b/spec/services/clusters/gcp/finalize_creation_service_spec.rb
@@ -11,8 +11,6 @@ RSpec.describe Clusters::Gcp::FinalizeCreationService, '#execute' do
  let(:platform) { cluster.platform }
  let(:endpoint) { '111.111.111.111' }
  let(:api_url) { 'https://' + endpoint }
-  let(:username) { 'sample-username' }
-  let(:password) { 'sample-password' }
  let(:secret_name) { 'gitlab-token' }
  let(:token) { 'sample-token' }
  let(:namespace) { "#{cluster.project.path}-#{cluster.project.id}" }
@@ -34,8 +32,6 @@ RSpec.describe Clusters::Gcp::FinalizeCreationService, '#execute' do
      expect(provider.endpoint).to eq(endpoint)
      expect(platform.api_url).to eq(api_url)
      expect(platform.ca_cert).to eq(Base64.decode64(load_sample_cert).strip)
-      expect(platform.username).to eq(username)
-      expect(platform.password).to eq(password)
      expect(platform.token).to eq(token)
    end
  end
@@ -83,7 +79,7 @@ RSpec.describe Clusters::Gcp::FinalizeCreationService, '#execute' do
  shared_context 'kubernetes information successfully fetched' do
    before do
      stub_cloud_platform_get_zone_cluster(
-        provider.gcp_project_id, provider.zone, cluster.name, { endpoint: endpoint, username: username, password: password }
+        provider.gcp_project_id, provider.zone, cluster.name, { endpoint: endpoint }
      )
      stub_kubeclient_discover(api_url)