Use WLIF integration in the Google Cloud Artifact Registry support
🎈 Context
In Add GoogleCloudPlatform::ArtifactRegistry integ... (!141127 - merged), we introduced a new integration: the Google Cloud Artifact Registry integration. At that time, this integration hosted two sets of settings (mainly parameters and credentials to connect to those Google Cloud services): the WLIF settings and the Artifact Registry settings.
Later, in Decision: Separate configurations across two pr... (#439036 - closed), we changed the approach and simply split the two sets of settings into two integrations: the Artifact Registry integration and the workload identity federation integration.
This MR is thus the last step:
- All Artifact Registry logic should use the WLIF integration for all WLIF-related settings.
- The Artifact Registry integration should drop support for those WLIF-related settings.
The related issue is: Refactor Artifact Registry integration to depen... (#439206 - closed)
🤔 What does this MR do and why?
- Remove fields `workload_identity_pool_project_number`, `workload_identity_pool_id`, `workload_identity_pool_provider_id` from `Integrations::GoogleCloudPlatform::ArtifactRegistry`.
- Update the Artifact Registry clients and services to stop using these fields. Instead, they will use those from `Integrations::GoogleCloudPlatform::WorkloadIdentityFederation`.
  - This unlocks a simplification at the clients classes level as all will require to receive an `Integrations::GoogleCloudPlatform::WorkloadIdentityFederation` instance.
  - Took this opportunity to rename the initializer argument from `project_integration` to `wlif_integration`.
- Updated the services layer that used those clients classes.
- Update all related specs.
The Google Cloud services support is still a work in progress and is behind several feature flags plus a SaaS-only feature.
⚙ MR acceptance checklist
Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
⚙ How to set up and validate locally
1️⃣ Setup
- Create a new project.
- Enable the related feature flags:

  ```ruby
  Feature.enable(:gcp_artifact_registry) # enables the artifact registry integration.
  Feature.enable(:google_cloud_workload_identity_federation) # enables the wlif integration.
  Feature.enable(:google_cloud_runner_provisioning) # enables the google cloud runner provisioning.
  ```
- Follow the instructions in !142289 (merged)
- Use the `Google Cloud Artifact Registry` and `Google Cloud Identity and Access Management` project integrations.
- Simulate a SaaS instance in the local GDK.
2️⃣ Artifact Registry
The UI is not ready (yet) for this part, so let's use GraphQL to query the registry:
Artifact Registry, list docker images
```graphql
query {
  project(fullPath: "<project path>") {
    id
    googleCloudArtifactRegistryRepository {
      artifacts {
        nodes {
          ... on GoogleCloudArtifactRegistryDockerImage {
            name
          }
        }
      }
    }
  }
}
```

```json
{
  "data": {
    "project": {
      "id": "gid://gitlab/Project/<project_id>",
      "googleCloudArtifactRegistryRepository": {
        "artifacts": {
          "nodes": [
            {
              "name": "projects/<google project id>/locations/<google location>/repositories/<repo>/dockerImages/<image>@sha256:<digest>"
            },
            // more here
          ]
        }
      }
    }
  }
}
```
Working
3️⃣ Cloud runner provisioning
Same situation, UI not ready yet, so let's try GraphQL:
provisioning options
```graphql
query {
  project(fullPath: "<project full path>") {
    id
    runnerCloudProvisioningOptions(provider: GOOGLE_CLOUD, cloudProjectId: "<google project id>") {
      ... on CiRunnerGoogleCloudProvisioningOptions {
        regions {
          nodes {
            name
          }
        }
        zones {
          nodes {
            name
          }
        }
        machineTypes(zone: "us-east1-b") {
          nodes {
            name
          }
        }
      }
    }
  }
}
```

```json
{
  "data": {
    "project": {
      "id": "gid://gitlab/Project/<project id>",
      "runnerCloudProvisioningOptions": {
        "regions": {
          "nodes": [
            {
              "name": "africa-south1",
              // more here
            }
          ]
        },
        "zones": {
          "nodes": [
            {
              "name": "africa-south1-c",
              // more here
            }
          ]
        },
        "machineTypes": {
          "nodes": [
            {
              "name": "a2-highgpu-1g",
              // more here
            }
          ]
        }
      }
    }
  }
}
```
Working
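
An added illustration of the client change described under "What does this MR do and why?" (not code from this MR or from GitLab): a client that receives a `wlif_integration` and derives the Google STS token-exchange parameters from that object alone, failing closed when it is missing or malformed. `WlifIntegration`, `ArtifactRegistryClient`, the `active` flag and `ID_FORMAT` are assumptions; only the three `workload_identity_pool_*` field names come from the description.

```ruby
# Added illustration; class names, `active` and ID_FORMAT are hypothetical.
WlifIntegration = Struct.new(
  :workload_identity_pool_project_number,
  :workload_identity_pool_id,
  :workload_identity_pool_provider_id,
  :active,
  keyword_init: true
)

class ArtifactRegistryClient
  ID_FORMAT = /\A[a-z0-9-]{4,32}\z/ # assumed shape of pool and provider ids

  def initialize(wlif_integration:)
    # Fail closed: no active WLIF integration means no identity to federate.
    raise ArgumentError, 'active WLIF integration required' unless wlif_integration&.active
    @wlif = wlif_integration
    validate!
  end

  # Audience naming the workload identity pool provider.
  def audience
    "//iam.googleapis.com/projects/#{@wlif.workload_identity_pool_project_number}" \
      "/locations/global/workloadIdentityPools/#{@wlif.workload_identity_pool_id}" \
      "/providers/#{@wlif.workload_identity_pool_provider_id}"
  end

  # Form parameters for the STS token exchange (RFC 8693) of a signed JWT.
  def sts_exchange_params(subject_token)
    {
      grant_type: 'urn:ietf:params:oauth:grant-type:token-exchange',
      audience: audience,
      scope: 'https://www.googleapis.com/auth/cloud-platform',
      requested_token_type: 'urn:ietf:params:oauth:token-type:access_token',
      subject_token_type: 'urn:ietf:params:oauth:token-type:jwt',
      subject_token: subject_token
    }
  end

  private

  # Reject values that would alter the audience path (e.g. "/" or "..").
  def validate!
    number = @wlif.workload_identity_pool_project_number.to_s
    raise ArgumentError, 'project number must be numeric' unless number.match?(/\A\d+\z/)
    [@wlif.workload_identity_pool_id, @wlif.workload_identity_pool_provider_id].each do |id|
      raise ArgumentError, "invalid id: #{id.inspect}" unless id.to_s.match?(ID_FORMAT)
    end
  end
end
```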