Draft: Allow generation of GCP service accounts within a Project

Update

This MR, while complete, will be split into multiple MRs on the request of reviewers.

What does this MR do and why?

• Continuation of !70715 (merged)
• Implements listing and generation of GCP service accounts within the project :: infrastructure section
• Generated service accounts and service account keys are stored as project CI variables
• Related issues:
  • incubation-engineering/five-minute-production/meta/-/issues/15

Screenshots or screen recordings

• Demo:
  • https://youtu.be/tEWCwgg5_Wg?list=PL05JrBw4t0Krf0LZbfg80yo08DW1c3C36&t=56
• Edge cases:
  • https://youtu.be/5XrqMmQpCT4?list=PL05JrBw4t0Krf0LZbfg80yo08DW1c3C36&t=50
  • https://youtu.be/8bKCXGjPukM?list=PL05JrBw4t0Krf0LZbfg80yo08DW1c3C36&t=34
• Test scenarios:
  • https://youtu.be/AqpP0ZEuZzI?list=PL05JrBw4t0Krf0LZbfg80yo08DW1c3C36&t=42

Reviewing this MR

You have two options:

1. Review the code
2. Review the code and test the functionality

Reviewing the code is easy, local setup is not required.

To review the functionality, several steps need to be taken to configure your local GDK.

Local Setup

1. Use a proper TLD

• This feature integrates with Google OAuth2
• Callback URLs need to be registered via the GCP console
• Google will not accept gdk.test, you will need a proper TLD
  • I use local-gitlab.com
• Setup your GDK for such a domain, update your /etc/hosts and possibly Nginx if used to proxy the GDK port

2. Setup Google Cloud

• Follow the instructions here: https://docs.gitlab.com/ee/integration/google.html
• For the GCP project that is used for OAuth2
  • Enable cloudresourcemanager API
  • Enable iam API

3. Configure GDK for Google OAuth2

• Update gdk.yml and add the Google OAuth2 config

  ---
  hostname: local-gitlab.com
  omniauth:
    google_oauth2:
      client_id: {google_oauth_client_id}
      client_secret: {google_oauth_client_secret}

• or, use the CLI to do the same

  $ gdk config set omniauth.google_oauth2.client_id '..'
  $ gdk config set omniauth.google_oauth2.client_secret '..'

• or, another option is to update the gdk/gitlab/config/gitlab.yml with google_oauth details
• then run: gdk reconfigure

4. Enable Feature Flag

Enable feature flag incubation_5mp_google_cloud

You should now be able to navigate to a project on your GHDK instance, select the infrastructure :: google cloud section and see the service accounts list and generate a service account.

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

• I have evaluated the MR acceptance checklist for this MR.