Modify default GKE OAuth Scopes

to minimally allow pulling images from private registry.

Modify default GKE OAuth Scopes
to minimally allow pulling images from private registry.
58566637 · Tan Yee Jian · Thong Kuah · f51fece8 · 58566637 · 58566637
Commit 58566637 authored Dec 15, 2019 by Tan Yee Jian Committed by Thong Kuah Dec 15, 2019
3 changed files
--- a/changelogs/unreleased/gke-oauth.yml
+++ b/changelogs/unreleased/gke-oauth.yml
+---
+title: Allow Gitlab GKE clusters to access Google Cloud Registry private images
+merge_request: 20662
+author: Tan Yee Jian
+type: fixed
--- a/lib/google_api/cloud_platform/client.rb
+++ b/lib/google_api/cloud_platform/client.rb
@@ -13,6 +13,11 @@ module GoogleApi
      LEAST_TOKEN_LIFE_TIME = 10.minutes
      CLUSTER_MASTER_AUTH_USERNAME = 'admin'
      CLUSTER_IPV4_CIDR_BLOCK = '/16'
+      CLUSTER_OAUTH_SCOPES = [
+        "https://www.googleapis.com/auth/devstorage.read_only",
+        "https://www.googleapis.com/auth/logging.write",
+        "https://www.googleapis.com/auth/monitoring"
+      ].freeze

      class << self
        def session_key_for_token
@@ -86,7 +91,8 @@ module GoogleApi
            name: cluster_name,
            initial_node_count: cluster_size,
            node_config: {
-              machine_type: machine_type
+              machine_type: machine_type,
+              oauth_scopes: CLUSTER_OAUTH_SCOPES
            },
            master_auth: {
              username: CLUSTER_MASTER_AUTH_USERNAME,
@@ -101,13 +107,17 @@ module GoogleApi
              use_ip_aliases: true,
              cluster_ipv4_cidr_block: CLUSTER_IPV4_CIDR_BLOCK
            },
-            addons_config: enable_addons.each_with_object({}) do |addon, hash|
-              hash[addon] = { disabled: false }
-            end
+            addons_config: make_addons_config(enable_addons)
          }
        }
      end

+      def make_addons_config(enable_addons)
+        enable_addons.each_with_object({}) do |addon, hash|
+          hash[addon] = { disabled: false }
+        end
+      end
+
      def token_life_time(expires_at)
        DateTime.strptime(expires_at, '%s').to_time.utc - Time.now.utc
      end

--- a/spec/lib/google_api/cloud_platform/client_spec.rb
+++ b/spec/lib/google_api/cloud_platform/client_spec.rb
@@ -92,7 +92,12 @@ describe GoogleApi::CloudPlatform::Client do
          name: cluster_name,
          initial_node_count: cluster_size,
          node_config: {
-            machine_type: machine_type
+            machine_type: machine_type,
+            oauth_scopes: [
+              "https://www.googleapis.com/auth/devstorage.read_only",
+              "https://www.googleapis.com/auth/logging.write",
+              "https://www.googleapis.com/auth/monitoring"
+            ]
          },
          master_auth: {
            username: 'admin',