Product Discovery: Change GKE integration to use Service Account Auth
Related implementation issue #35422 (closed)
As discussed in https://gitlab.com/gitlab-com/gl-infra/infrastructure/issues/5605#note_193943327, the way we currently authenticate with Google when calling GCP is not the preferred approach, and Google will probably not allow us to create new OAuth tokens to support it.
While things are working today on GitLab.com, it is possible that our authentication choice will block on-prem customers from using the GKE features if Google rejects their request for an OAuth application.
To fix this we need to refactor this code to authenticate with Google via a service account rather than using the user's OAuth token.
Proposal
There are two ways we know of to do this today:
User provided service account
- We direct the user to create a service account with the correct permissions in their GCP project
- The user provides us with the service account (probably by uploading its JSON into our UI)
This has the major downside that it requires quite a few more steps from the user than our existing OAuth flow.
GitLab provided service account
Proposal originally described in https://gitlab.com/gitlab-com/gl-infra/infrastructure/issues/5605#note_204599687
- GitLab generates a service account in one of our own GCP projects
- We tell the user the ID of this service account
- The user is directed to grant this service account the right permissions in their GCP project
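Either way, GitLab ends up holding a service-account key instead of a user's OAuth token, and the key is used the same way in both proposals: the JSON key file is validated (which only matters for the user-provided variant) and an RS256-signed JWT is then exchanged at token_uri for an access token. The Ruby below is an added example, not GitLab's code; the sample key file and the gitlab-gke@example-project account name are constructed, and the actual HTTP POST to token_uri is left out.

```ruby
require 'json'
require 'openssl'
require 'base64'
# Fields a Google service-account key file must carry before we accept it.
REQUIRED_FIELDS = %w[type project_id client_email private_key token_uri].freeze
TOKEN_URI = 'https://oauth2.googleapis.com/token'.freeze
# Validate an uploaded key file and return the parsed hash; raises on anything
# unexpected. Never log the raw document: it contains the private key.
def parse_service_account(json_text)
  sa = JSON.parse(json_text)
  raise ArgumentError, 'key file must be a JSON object' unless sa.is_a?(Hash)
  missing = REQUIRED_FIELDS - sa.keys
  raise ArgumentError, "missing fields: #{missing.join(', ')}" unless missing.empty?
  raise ArgumentError, 'not a service_account key' unless sa['type'] == 'service_account'
  domain = "@#{sa['project_id']}.iam.gserviceaccount.com"
  raise ArgumentError, 'client_email not in project' unless sa['client_email'].end_with?(domain)
  raise ArgumentError, 'unexpected token_uri' unless sa['token_uri'] == TOKEN_URI
  OpenSSL::PKey::RSA.new(sa['private_key']) # raises if the PEM is not a usable RSA key
  sa
end
def b64url(bytes)
  Base64.urlsafe_encode64(bytes, padding: false)
end
# Build the RS256-signed JWT that the service-account flow POSTs to token_uri as
# grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer to obtain an access token.
def build_assertion(sa, scope, now = Time.now.to_i)
  header = { alg: 'RS256', typ: 'JWT' }
  claims = { iss: sa['client_email'], scope: scope, aud: sa['token_uri'], iat: now, exp: now + 3600 }
  signing_input = "#{b64url(JSON.generate(header))}.#{b64url(JSON.generate(claims))}"
  signature = OpenSSL::PKey::RSA.new(sa['private_key']).sign(OpenSSL::Digest::SHA256.new, signing_input)
  "#{signing_input}.#{b64url(signature)}"
end
# Check an assertion against the account's public key and return its claims
# (what Google does on its side; here it lets us test our own output).
def verify_assertion(jwt, public_key)
  h, c, s = jwt.split('.')
  raise 'bad signature' unless public_key.verify(OpenSSL::Digest::SHA256.new, Base64.urlsafe_decode64(s), "#{h}.#{c}")
  JSON.parse(Base64.urlsafe_decode64(c))
end
# Constructed sample key file: a throwaway RSA key generated here, not a real Google credential.
SAMPLE_KEY = OpenSSL::PKey::RSA.new(2048)
SAMPLE_JSON = JSON.generate(
  'type' => 'service_account', 'project_id' => 'example-project',
  'client_email' => 'gitlab-gke@example-project.iam.gserviceaccount.com',
  'private_key' => SAMPLE_KEY.to_pem, 'token_uri' => TOKEN_URI
)
```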