
GraphQL: Allow specifying Google Cloud project

What does this MR do and why?

This MR does the following:

  • renames runnerCloudProvisioningOptions to runnerGoogleCloudProvisioningOptions and adds a union type.
  • adds a required cloudProjectId field to runnerGoogleCloudProvisioningOptions, given that this is a natural environmental value for this field. For example, #441115 (closed) will also require a project ID. In order to pass this field to the child objects, I'm using a hash. For the supporting services, the field is optional, in which case the project associated with the IAM integration is used.
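As an added illustration of the data flow described above (example code written for this page, not code from the GitLab MR or the GitLab code base): the required cloudProjectId is validated once at the top-level field, handed to the child fields through a hash, and a supporting service takes the project ID as an optional argument, falling back to the project associated with the IAM integration when none is given. All class and method names (IamIntegration, ComputeService, google_cloud_provisioning_options) are hypothetical stand-ins; the project ID format check follows Google's documented rules for project IDs.

```ruby
# Hypothetical model of the "required at the top level, optional in the
# supporting services" design. Nothing here is GitLab's own code.

# Google Cloud project IDs: 6-30 characters, lowercase letters, digits and
# hyphens, starting with a letter and not ending with a hyphen.
PROJECT_ID_RE = /\A[a-z][a-z0-9-]{4,28}[a-z0-9]\z/

class InvalidProjectId < ArgumentError; end

# Stand-in for the IAM integration record, which carries the project the
# integration was configured against (assumed attribute names).
IamIntegration = Struct.new(:workload_identity_pool_project_id, :service_account_email)

# Validate the caller-supplied ID before it reaches any cloud client, so a
# malformed value is rejected in the API layer rather than in an HTTP call.
def validate_project_id!(project_id)
  unless project_id.is_a?(String) && PROJECT_ID_RE.match?(project_id)
    raise InvalidProjectId, "cloudProjectId must be a valid Google Cloud project ID"
  end

  project_id
end

# Top-level field: cloudProjectId is required. The returned hash is what the
# child fields (regions, zones, machineTypes) receive as their parent object.
def google_cloud_provisioning_options(integration, cloud_project_id:)
  {
    integration: integration,
    cloud_project_id: validate_project_id!(cloud_project_id)
  }
end

# Supporting service: the project is optional. When it is omitted, the
# project associated with the IAM integration is used instead.
class ComputeService
  attr_reader :project_id

  def initialize(integration, project_id: nil)
    @integration = integration
    @project_id =
      if project_id
        validate_project_id!(project_id)
      else
        integration.workload_identity_pool_project_id
      end
  end
end

# Child field: build the service from the hash produced by the top-level field.
def compute_service_for(options)
  ComputeService.new(options[:integration], project_id: options[:cloud_project_id])
end
```

A child field built through compute_service_for always uses the explicit project from the top-level argument; only a caller that constructs ComputeService directly without a project_id gets the integration's project.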

EE: true

Closes #441421 (closed)

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Screenshots or screen recordings

Screenshots are required for UI changes, and strongly recommended for all other merge requests.


How to set up and validate locally

Numbered steps to set up and validate the change are strongly suggested.

There are two ways to set things up: either using the GCP demo project (if you have access) or using a service account.

1️⃣ Set up using the GCP demo project

This is only available to members with access to the GCP demo project.

  1. In Cloud Run, there is a glgo instance running. Click on the details and copy the URL.
  2. In ee/lib/google_cloud_platform/base_client.rb, replace the GLGO_BASE_URL constant with the URL from step 1.
  3. In ee/lib/google_cloud_platform/jwt.rb, return a fixed string of your choice for #issuer. I used http://pedropombeiro.gdk.test:3000.
  4. Start your local GDK, access /oauth/discovery/keys and paste the content into a GitLab.com snippet. Copy the URL of the raw form of the snippet.
  5. In Cloud Run, create a new version to deploy and update the GLGO_KNOWN_ISSUERS environment variable with the following string: ,<issuer string>;<url of the raw form of the snippet>

Don't forget to set up a Workload Identity Federation properly and get its URL without the protocol.

2️⃣ Set up using a service account

  1. Create a service account that has the Compute Viewer role.
  2. Create a JSON credentials file for it and download it.
  3. In ee/lib/google_cloud_platform/compute/client.rb, replace the body of the #external_credentials method with the path to the credentials file.

3️⃣ The client class in action

One last setup step: there is a guard that makes sure the client class is only used on the SaaS instance. In ee/lib/google_cloud_platform/compute/client.rb, comment out L133.

Now that the setup is out of the way, let's play! 🕹

  1. Set up a project integration in some project, e.g. gitlab-org/playground.

  2. Open http://gdk.test:3000/-/graphql-explorer and run the following query:

    {
      project(fullPath: "gitlab-org/playground") {
        id
        runnerCloudProvisioningOptions(
          provider: GOOGLE_CLOUD
          cloudProjectId: "dev-gcp-s3c-integrati-9abafed1"
        ) {
          ... on CiRunnerGoogleCloudProvisioningOptions {
            regions(first: 2) {
              nodes {
                name
                description
              }
              pageInfo {
                hasNextPage
                endCursor
              }
            }
            zones(region: "us-east1", first: 2) {
              nodes {
                name
                description
              }
              pageInfo {
                hasNextPage
                endCursor
              }
            }
            machineTypes(zone: "us-east1-b", first: 2) {
              nodes {
                name
                description
                zone
              }
              pageInfo {
                hasNextPage
                endCursor
              }
            }
          }
        }
      }
    }

You should see the regions and zones requested. Since the project ID passed to machine types does not exist, an error should be returned for that field.

Edited by Pedro Pombeiro
