Commit 0d13e293 authored by Thong Kuah's avatar Thong Kuah

Merge branch 'stop-using-basic-auth-for-gke-cluster-creation' into 'master'

Stop using basic auth for GKE cluster creation

See merge request gitlab-org/gitlab!62518
parents 560def32 c1f0d4ad
......@@ -43,8 +43,6 @@ module Clusters
cluster.build_platform_kubernetes(
api_url: 'https://' + gke_cluster.endpoint,
ca_cert: Base64.decode64(gke_cluster.master_auth.cluster_ca_certificate),
username: gke_cluster.master_auth.username,
password: gke_cluster.master_auth.password,
authorization_type: authorization_type,
token: request_kubernetes_token)
end
......@@ -75,18 +73,16 @@ module Clusters
def kube_client
@kube_client ||= build_kube_client!(
'https://' + gke_cluster.endpoint,
Base64.decode64(gke_cluster.master_auth.cluster_ca_certificate),
gke_cluster.master_auth.username,
gke_cluster.master_auth.password
Base64.decode64(gke_cluster.master_auth.cluster_ca_certificate)
)
end
def build_kube_client!(api_url, ca_pem, username, password)
raise "Incomplete settings" unless api_url && username && password
def build_kube_client!(api_url, ca_pem)
raise "Incomplete settings" unless api_url
Gitlab::Kubernetes::KubeClient.new(
api_url,
auth_options: { username: username, password: password },
auth_options: { bearer_token: provider.access_token },
ssl_options: kubeclient_ssl_options(ca_pem),
http_proxy_uri: ENV['http_proxy']
)
......
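Review bot: In `build_kube_client!` the guard now checks only `api_url`, while the credential has moved to `provider.access_token`, which nothing in this hunk validates. If that token is nil or blank the client is still constructed, and the failure would presumably surface later as an authorization error from the API server rather than as "Incomplete settings". I would keep the fail-fast check for the credential, e.g. `raise "Incomplete settings" unless api_url && provider.access_token.present?`. Because `kube_client` is memoized, the token is captured once at build time, and a comment such as `# bearer token is read from the provider once, when the memoized client is built` would make that lifetime explicit. The method's closing `end` lies outside the hunk.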
......@@ -13,10 +13,6 @@ module GoogleApi
LEAST_TOKEN_LIFE_TIME = 10.minutes
CLUSTER_MASTER_AUTH_USERNAME = 'admin'
CLUSTER_IPV4_CIDR_BLOCK = '/16'
# Don't upgrade to > 1.18 before we move away from Basic Auth
# See issue: https://gitlab.com/gitlab-org/gitlab/-/issues/331582
# Possible solution: https://gitlab.com/groups/gitlab-org/-/epics/6049
GKE_VERSION = '1.18'
CLUSTER_OAUTH_SCOPES = [
"https://www.googleapis.com/auth/devstorage.read_only",
"https://www.googleapis.com/auth/logging.write",
......@@ -94,13 +90,11 @@ module GoogleApi
cluster: {
name: cluster_name,
initial_node_count: cluster_size,
initial_cluster_version: GKE_VERSION,
node_config: {
machine_type: machine_type,
oauth_scopes: CLUSTER_OAUTH_SCOPES
},
master_auth: {
username: CLUSTER_MASTER_AUTH_USERNAME,
client_certificate_config: {
issue_client_certificate: true
}
......
......@@ -91,7 +91,6 @@ RSpec.describe GoogleApi::CloudPlatform::Client do
cluster: {
name: cluster_name,
initial_node_count: cluster_size,
initial_cluster_version: '1.18',
node_config: {
machine_type: machine_type,
oauth_scopes: [
......@@ -101,7 +100,6 @@ RSpec.describe GoogleApi::CloudPlatform::Client do
]
},
master_auth: {
username: 'admin',
client_certificate_config: {
issue_client_certificate: true
}
......
......@@ -11,8 +11,6 @@ RSpec.describe Clusters::Gcp::FinalizeCreationService, '#execute' do
let(:platform) { cluster.platform }
let(:endpoint) { '111.111.111.111' }
let(:api_url) { 'https://' + endpoint }
let(:username) { 'sample-username' }
let(:password) { 'sample-password' }
let(:secret_name) { 'gitlab-token' }
let(:token) { 'sample-token' }
let(:namespace) { "#{cluster.project.path}-#{cluster.project.id}" }
......@@ -34,8 +32,6 @@ RSpec.describe Clusters::Gcp::FinalizeCreationService, '#execute' do
expect(provider.endpoint).to eq(endpoint)
expect(platform.api_url).to eq(api_url)
expect(platform.ca_cert).to eq(Base64.decode64(load_sample_cert).strip)
expect(platform.username).to eq(username)
expect(platform.password).to eq(password)
expect(platform.token).to eq(token)
end
end
......@@ -83,7 +79,7 @@ RSpec.describe Clusters::Gcp::FinalizeCreationService, '#execute' do
shared_context 'kubernetes information successfully fetched' do
before do
stub_cloud_platform_get_zone_cluster(
provider.gcp_project_id, provider.zone, cluster.name, { endpoint: endpoint, username: username, password: password }
provider.gcp_project_id, provider.zone, cluster.name, { endpoint: endpoint }
)
stub_kubeclient_discover(api_url)
......
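Review bot: The `username` and `password` expectations are dropped here, but no visible line of these spec hunks asserts the credential that replaces them. Since the service now authenticates with a bearer token, an example that checks the client is built with it would pin the security-relevant behaviour, for instance `expect(Gitlab::Kubernetes::KubeClient).to receive(:new).with(api_url, hash_including(auth_options: { bearer_token: provider.access_token })).and_call_original`. The `before` block of the shared context continues outside the hunk, so such a check may already exist elsewhere in the file.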