Merge branch '58208-explicitly-set-masterauth' into 'master'

Explicitly set master_auth for new GKE clusters Closes #58208 See merge request gitlab-org/gitlab-ce!26018
2019-03-14 00:12:06 +00:00 · 2019-03-14 00:12:06 +00:00 · e820791982
commit e820791982
parent 1715622c05 86abef88b4
4 changed files with 33 additions and 0 deletions
--- a/changelogs/unreleased/58208-explicitly-set-masterauth.yml
+++ b/changelogs/unreleased/58208-explicitly-set-masterauth.yml
@ -0,0 +1,6 @@
+---
+title: Explicitly set master_auth setting to enable basic auth and client certificate
+  for new GKE clusters
+merge_request: 26018
+author:
+type: other
--- a/doc/user/project/clusters/index.md
+++ b/doc/user/project/clusters/index.md
@ -75,6 +75,14 @@ new Kubernetes cluster to your project:
 After a couple of minutes, your cluster will be ready to go. You can now proceed
 to install some [pre-defined applications](#installing-applications).

+NOTE: **Note:**
+GitLab requires basic authentication enabled and a client certificate issued for
+the cluster in order to setup an [initial service
+account](#access-controls). Starting from [GitLab
+11.10](https://gitlab.com/gitlab-org/gitlab-ce/issues/58208), the cluster
+creation process will explicitly request that basic authentication and
+client certificate is enabled.
+
 ## Adding an existing Kubernetes cluster

 To add an existing Kubernetes cluster to your project:
--- a/lib/google_api/cloud_platform/client.rb
+++ b/lib/google_api/cloud_platform/client.rb
@ -10,6 +10,7 @@ module GoogleApi
    class Client < GoogleApi::Auth
      SCOPE = 'https://www.googleapis.com/auth/cloud-platform'.freeze
      LEAST_TOKEN_LIFE_TIME = 10.minutes
+      CLUSTER_MASTER_AUTH_USERNAME = 'admin'.freeze

      class << self
        def session_key_for_token
@ -64,6 +65,12 @@ module GoogleApi
              "node_config": {
                "machine_type": machine_type
              },
+              "master_auth": {
+                "username": CLUSTER_MASTER_AUTH_USERNAME,
+                "client_certificate_config": {
+                  issue_client_certificate: true
+                }
+              },
              "legacy_abac": {
                "enabled": legacy_abac
              }
--- a/spec/lib/google_api/cloud_platform/client_spec.rb
+++ b/spec/lib/google_api/cloud_platform/client_spec.rb
@ -97,6 +97,12 @@ describe GoogleApi::CloudPlatform::Client do
              "node_config": {
                "machine_type": machine_type
              },
+              "master_auth": {
+                "username": "admin",
+                "client_certificate_config": {
+                  issue_client_certificate: true
+                }
+              },
              "legacy_abac": {
                "enabled": true
              }
@ -122,6 +128,12 @@ describe GoogleApi::CloudPlatform::Client do
                "node_config": {
                  "machine_type": machine_type
                },
+                "master_auth": {
+                  "username": "admin",
+                  "client_certificate_config": {
+                    issue_client_certificate: true
+                  }
+                },
                "legacy_abac": {
                  "enabled": false
                }