Stop using basic auth for GKE cluster creation

Basic auth for the Kubernetes API server was removed in GKE 1.19. We were only using these credentials for bootstrapping, but were already able to use the user's OAuth credentials for the same purpose. Changelog: fixed

Stop using basic auth for GKE cluster creation
Basic auth for the Kubernetes API server was removed in GKE 1.19. We were only using these credentials for bootstrapping, but were already able to use the user's OAuth credentials for the same purpose. Changelog: fixed
c1f0d4ad · Hordur Freyr Yngvason · 9ea42ff2 · c1f0d4ad · c1f0d4ad · c1f0d4ad
Commit c1f0d4ad authored May 25, 2021 by Hordur Freyr Yngvason
4 changed files
--- a/app/services/clusters/gcp/finalize_creation_service.rb
+++ b/app/services/clusters/gcp/finalize_creation_service.rb
@@ -43,8 +43,6 @@ module Clusters
        cluster.build_platform_kubernetes(
          api_url: 'https://' + gke_cluster.endpoint,
          ca_cert: Base64.decode64(gke_cluster.master_auth.cluster_ca_certificate),
-          username: gke_cluster.master_auth.username,
-          password: gke_cluster.master_auth.password,
          authorization_type: authorization_type,
          token: request_kubernetes_token)
      end
@@ -75,18 +73,16 @@ module Clusters
      def kube_client
        @kube_client ||= build_kube_client!(
          'https://' + gke_cluster.endpoint,
-          Base64.decode64(gke_cluster.master_auth.cluster_ca_certificate),
-          gke_cluster.master_auth.username,
-          gke_cluster.master_auth.password
+          Base64.decode64(gke_cluster.master_auth.cluster_ca_certificate)
        )
      end

-      def build_kube_client!(api_url, ca_pem, username, password)
-        raise "Incomplete settings" unless api_url && username && password
+      def build_kube_client!(api_url, ca_pem)
+        raise "Incomplete settings" unless api_url

        Gitlab::Kubernetes::KubeClient.new(
          api_url,
-          auth_options: { username: username, password: password },
+          auth_options: { bearer_token: provider.access_token },
          ssl_options: kubeclient_ssl_options(ca_pem),
          http_proxy_uri: ENV['http_proxy']
        )

--- a/lib/google_api/cloud_platform/client.rb
+++ b/lib/google_api/cloud_platform/client.rb
@@ -13,10 +13,6 @@ module GoogleApi
      LEAST_TOKEN_LIFE_TIME = 10.minutes
      CLUSTER_MASTER_AUTH_USERNAME = 'admin'
      CLUSTER_IPV4_CIDR_BLOCK = '/16'
-      # Don't upgrade to > 1.18 before we move away from Basic Auth
-      # See issue: https://gitlab.com/gitlab-org/gitlab/-/issues/331582
-      # Possible solution: https://gitlab.com/groups/gitlab-org/-/epics/6049
-      GKE_VERSION = '1.18'
      CLUSTER_OAUTH_SCOPES = [
        "https://www.googleapis.com/auth/devstorage.read_only",
        "https://www.googleapis.com/auth/logging.write",
@@ -94,13 +90,11 @@ module GoogleApi
          cluster: {
            name: cluster_name,
            initial_node_count: cluster_size,
-            initial_cluster_version: GKE_VERSION,
            node_config: {
              machine_type: machine_type,
              oauth_scopes: CLUSTER_OAUTH_SCOPES
            },
            master_auth: {
-              username: CLUSTER_MASTER_AUTH_USERNAME,
              client_certificate_config: {
                issue_client_certificate: true
              }

--- a/spec/lib/google_api/cloud_platform/client_spec.rb
+++ b/spec/lib/google_api/cloud_platform/client_spec.rb
@@ -91,7 +91,6 @@ RSpec.describe GoogleApi::CloudPlatform::Client do
        cluster: {
          name: cluster_name,
          initial_node_count: cluster_size,
-          initial_cluster_version: '1.18',
          node_config: {
            machine_type: machine_type,
            oauth_scopes: [
@@ -101,7 +100,6 @@ RSpec.describe GoogleApi::CloudPlatform::Client do
            ]
          },
          master_auth: {
-            username: 'admin',
            client_certificate_config: {
              issue_client_certificate: true
            }

--- a/spec/services/clusters/gcp/finalize_creation_service_spec.rb
+++ b/spec/services/clusters/gcp/finalize_creation_service_spec.rb
@@ -11,8 +11,6 @@ RSpec.describe Clusters::Gcp::FinalizeCreationService, '#execute' do
  let(:platform) { cluster.platform }
  let(:endpoint) { '111.111.111.111' }
  let(:api_url) { 'https://' + endpoint }
-  let(:username) { 'sample-username' }
-  let(:password) { 'sample-password' }
  let(:secret_name) { 'gitlab-token' }
  let(:token) { 'sample-token' }
  let(:namespace) { "#{cluster.project.path}-#{cluster.project.id}" }
@@ -34,8 +32,6 @@ RSpec.describe Clusters::Gcp::FinalizeCreationService, '#execute' do
      expect(provider.endpoint).to eq(endpoint)
      expect(platform.api_url).to eq(api_url)
      expect(platform.ca_cert).to eq(Base64.decode64(load_sample_cert).strip)
-      expect(platform.username).to eq(username)
-      expect(platform.password).to eq(password)
      expect(platform.token).to eq(token)
    end
  end
@@ -83,7 +79,7 @@ RSpec.describe Clusters::Gcp::FinalizeCreationService, '#execute' do
  shared_context 'kubernetes information successfully fetched' do
    before do
      stub_cloud_platform_get_zone_cluster(
-        provider.gcp_project_id, provider.zone, cluster.name, { endpoint: endpoint, username: username, password: password }
+        provider.gcp_project_id, provider.zone, cluster.name, { endpoint: endpoint }
      )

      stub_kubeclient_discover(api_url)