
Use WLIF integration in the Google Cloud Artifact Registry support

🎈 Context

In Add GoogleCloudPlatform::ArtifactRegistry integ... (!141127 - merged), we introduced a new integration: the Google Cloud Artifact Registry integration. At that time, this integration hosted two sets of settings (mainly parameters and credentials to connect to those Google Cloud services): the WLIF (Workload Identity Federation) settings and the Artifact Registry settings.

Later, in Decision: Separate configurations across two pr... (#439036 - closed), we changed the approach and simply split the two sets of settings into two integrations: the Artifact Registry integration and the Workload Identity Federation (WLIF) integration.

This MR is thus the last step:

  • All Artifact Registry logic should use the WLIF integration for all WLIF-related settings.
  • The Artifact Registry integration should drop support for those WLIF-related settings.

The related issue is: Refactor Artifact Registry integration to depen... (#439206 - closed)

🤔 What does this MR do and why?

  • Remove fields workload_identity_pool_project_number, workload_identity_pool_id, workload_identity_pool_provider_id from Integrations::GoogleCloudPlatform::ArtifactRegistry.
  • Update the Artifact Registry clients and services to stop using these fields. Instead, they will use those from Integrations::GoogleCloudPlatform::WorkloadIdentityFederation.
    • This simplifies the client classes, since all of them now receive an Integrations::GoogleCloudPlatform::WorkloadIdentityFederation instance instead of reading WLIF settings from the Artifact Registry integration.
    • Took this opportunity to rename the initializer argument from project_integration to wlif_integration.
  • Updated the services layer that used those clients classes.
  • Update all related specs.

The Google Cloud services support is still work in progress: it is behind several feature flags and is a SaaS-only feature.
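To illustrate the shape the clients take after this change, here is an added Ruby example (not GitLab's code and not part of this MR): a minimal client that only accepts a WLIF integration through a `wlif_integration:` argument, refuses anything that is inactive or lacks one of the three WLIF fields, and derives the STS audience that Google Workload Identity Federation expects from those fields. `WlifIntegration`, `ArtifactRegistryClient` and `WlifIntegrationError` are hypothetical names chosen for the example; the audience format follows the public Google Cloud documentation for workload identity pool providers.

```ruby
# Added example, not GitLab's own client code.
# A client that takes its WLIF settings from a single WLIF integration object
# and validates them before they are used to build the STS audience.

# Hypothetical stand-in for Integrations::GoogleCloudPlatform::WorkloadIdentityFederation.
WlifIntegration = Struct.new(
  :active,
  :workload_identity_pool_project_number,
  :workload_identity_pool_id,
  :workload_identity_pool_provider_id,
  keyword_init: true
)

class WlifIntegrationError < StandardError; end

class ArtifactRegistryClient
  REQUIRED_FIELDS = %i[
    workload_identity_pool_project_number
    workload_identity_pool_id
    workload_identity_pool_provider_id
  ].freeze

  def initialize(wlif_integration:)
    validate!(wlif_integration)
    @wlif_integration = wlif_integration
  end

  # Audience used when exchanging a GitLab token at Google STS. Format per Google Cloud docs:
  # //iam.googleapis.com/projects/NUMBER/locations/global/workloadIdentityPools/POOL/providers/PROVIDER
  def sts_audience
    w = @wlif_integration
    "//iam.googleapis.com/projects/#{w.workload_identity_pool_project_number}" \
      "/locations/global/workloadIdentityPools/#{w.workload_identity_pool_id}" \
      "/providers/#{w.workload_identity_pool_provider_id}"
  end

  private

  def validate!(integration)
    raise WlifIntegrationError, 'WLIF integration is required' if integration.nil?

    # Any object without the three WLIF fields (for example an Artifact Registry
    # integration, which no longer carries them) is rejected up front.
    missing = REQUIRED_FIELDS.reject do |f|
      integration.respond_to?(f) && !integration.public_send(f).to_s.strip.empty?
    end
    raise WlifIntegrationError, "missing WLIF settings: #{missing.join(', ')}" unless missing.empty?
    raise WlifIntegrationError, 'WLIF integration is not active' unless integration.active

    # Pool and provider ids are interpolated into a resource path: restrict them to the
    # characters Google allows (lowercase letters, digits, hyphens) so a crafted value
    # cannot contain '/' and point the audience at a different pool or provider.
    %i[workload_identity_pool_id workload_identity_pool_provider_id].each do |f|
      value = integration.public_send(f).to_s
      raise WlifIntegrationError, "#{f} contains invalid characters" unless value.match?(/\A[a-z0-9-]+\z/)
    end

    number = integration.workload_identity_pool_project_number.to_s
    raise WlifIntegrationError, 'project number must be numeric' unless number.match?(/\A\d+\z/)
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample settings, not real identifiers.
  wlif = WlifIntegration.new(
    active: true,
    workload_identity_pool_project_number: '123456789012',
    workload_identity_pool_id: 'gitlab-pool',
    workload_identity_pool_provider_id: 'gitlab-provider'
  )
  puts ArtifactRegistryClient.new(wlif_integration: wlif).sts_audience
end
```

The validation runs in the constructor, so a service that builds a client from an Artifact Registry integration by mistake, or from a WLIF integration the user has not finished configuring, fails before any token exchange is attempted.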

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

🖥 Screenshots or screen recordings

Screenshots are required for UI changes, and strongly recommended for all other merge requests.

Before: Screenshot_2024-02-23_at_10.18.31
After: Screenshot_2024-02-27_at_17.49.55

How to set up and validate locally

1️⃣ Setup

  1. Create a new project.

  2. Enable the related feature flags:

    Feature.enable(:gcp_artifact_registry) # enables the artifact registry integration.
    Feature.enable(:google_cloud_workload_identity_federation) # enables the wlif integration.
    Feature.enable(:google_cloud_runner_provisioning) # enables the google cloud runner provisioning.
  3. Follow the instructions in !142289 (merged)

  4. Use the Google Cloud Artifact Registry and Google Cloud Identity and Access Management project integrations.

  5. Simulate a SaaS instance in the local GDK.

2️⃣ Artifact Registry

The UI is not ready (yet) for this part, so let's use GraphQL to query the registry:

Artifact Registry, list docker images

Query:

query {
  project(fullPath: "<project path>") {
    id
    googleCloudArtifactRegistryRepository {
      artifacts {
        nodes {
          ... on GoogleCloudArtifactRegistryDockerImage {
            name
          }
        }
      }
    }
  }
}

Response:

{
  "data": {
    "project": {
      "id": "gid://gitlab/Project/<project_id>",
      "googleCloudArtifactRegistryRepository": {
        "artifacts": {
          "nodes": [
            {
              "name": "projects/<google project id>/locations/<google location>/repositories/<repo>/dockerImages/<image>@sha256:<digest>"
            },
            // more here
          ]
        }
      }
    }
  }
}

Working 🎉
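As an added example (not part of the MR or of GitLab's code), the Ruby script below parses a response shaped like the one above and splits the returned `dockerImages` resource names into their components, accepting only entries that carry a well-formed `sha256` digest. The sample response and identifiers (`my-gcp-project`, `my-repo`, `app`, project id 42) are constructed for the example; the resource name layout is the one shown in the response above.

```ruby
# Added example, not GitLab's own code.
# Parse the GraphQL response for googleCloudArtifactRegistryRepository.artifacts
# and validate each Artifact Registry docker image resource name.
require 'json'

# Constructed sample response in the shape of the GraphQL reply above (no real data).
SAMPLE_RESPONSE = <<~JSON
  {
    "data": {
      "project": {
        "id": "gid://gitlab/Project/42",
        "googleCloudArtifactRegistryRepository": {
          "artifacts": {
            "nodes": [
              { "name": "projects/my-gcp-project/locations/us-east1/repositories/my-repo/dockerImages/app@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef" },
              { "name": "projects/my-gcp-project/locations/us-east1/repositories/my-repo/dockerImages/app@sha256:notadigest" }
            ]
          }
        }
      }
    }
  }
JSON

# projects/<project>/locations/<location>/repositories/<repo>/dockerImages/<image>@sha256:<digest>
# The digest must be exactly 64 lowercase hex characters; anything else is rejected rather
# than passed on to a pull or a policy check.
DOCKER_IMAGE_NAME = %r{
  \Aprojects/(?<project>[^/]+)
  /locations/(?<location>[^/]+)
  /repositories/(?<repository>[^/]+)
  /dockerImages/(?<image>[^@]+)@sha256:(?<digest>[0-9a-f]{64})\z
}x

# Returns a hash of the name's components, or nil if the name is malformed.
def parse_docker_image_name(name)
  m = DOCKER_IMAGE_NAME.match(name.to_s)
  return nil unless m

  m.named_captures.transform_keys(&:to_sym)
end

# Pulls the list of artifact names out of the GraphQL response body.
def docker_image_names(body)
  nodes = JSON.parse(body).dig(
    'data', 'project', 'googleCloudArtifactRegistryRepository', 'artifacts', 'nodes'
  ) || []
  nodes.map { |node| node['name'] }
end

# Splits the response into parsed (valid) images and names that failed validation.
def classify_images(body)
  valid = []
  invalid = []
  docker_image_names(body).each do |name|
    parsed = parse_docker_image_name(name)
    parsed ? valid << parsed : invalid << name
  end
  [valid, invalid]
end

if __FILE__ == $PROGRAM_NAME
  valid, invalid = classify_images(SAMPLE_RESPONSE)
  valid.each { |img| puts "#{img[:repository]}/#{img[:image]} @ sha256:#{img[:digest]}" }
  invalid.each { |name| puts "rejected: #{name}" }
end
```

Keeping the digest check strict matters once these names feed anything that pins or verifies an image: a truncated or non-hex digest should surface as a rejected entry, not be silently accepted.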

3️⃣ Cloud runner provisioning

Same situation, the UI is not ready yet, so let's use GraphQL:

provisioning options

Query:

query {
  project(fullPath: "<project full path>") {
    id
    runnerCloudProvisioningOptions(provider: GOOGLE_CLOUD, cloudProjectId: "<google project id>") {
      ... on CiRunnerGoogleCloudProvisioningOptions {
        regions {
          nodes {
            name
          }
        }
        zones {
          nodes {
            name
          }
        }
        machineTypes(zone: "us-east1-b") {
          nodes {
            name
          }
        }
      }
    }
  }
}

Response:

{
  "data": {
    "project": {
      "id": "gid://gitlab/Project/<project id>",
      "runnerCloudProvisioningOptions": {
        "regions": {
          "nodes": [
            {
              "name": "africa-south1",
              // more here
            }
          ]
        },
        "zones": {
          "nodes": [
            {
              "name": "africa-south1-c",
              // more here
            }
          ]
        },
        "machineTypes": {
          "nodes": [
            {
              "name": "a2-highgpu-1g",
              // more here
            }
          ]
        }
      }
    }
  }
}

Working 🎉

Edited by David Fernandez
