GraphQL: Allow specifying Google Cloud project
What does this MR do and why?
This MR does the following:
- renames `runnerCloudProvisioningOptions` to `runnerGoogleCloudProvisioningOptions` and adds a union type.
- adds a required `cloudProjectId` field to `runnerGoogleCloudProvisioningOptions`, given that this is a natural environmental value for this field. For example, #441115 (closed) will also require a project ID. In order to pass this field to the child objects, I'm using a hash. For the supporting services, the field is optional, in which case the project associated with the IAM integration is used.
EE: true
Closes #441421 (closed)
MR acceptance checklist
Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
How to set up and validate locally
We have two ways to set things up: either using the GCP demo project (if you have access) or using a service account.
1️⃣ Set up using the gcp demo project
- In Cloud Run, there is a `glgo` instance running. Click on the details and copy the url.
- In `ee/lib/google_cloud_platform/base_client.rb`, replace the `GLGO_BASE_URL` constant with the url from (1.).
- In `ee/lib/google_cloud_platform/jwt.rb`, return a fixed string of your choice for `#issuer`. I used `http://pedropombeiro.gdk.test:3000`.
- Start your local GDK, access `/oauth/discovery/keys` and paste the content on a Gitlab.com snippet. Copy the url of the raw form of the snippet.
- In Cloud Run, create a new version to deploy and update the `GLGO_KNOWN_ISSUERS` env variable with the following string: `,<issuer string>;<url of the raw form of the snippet>`

Don't forget to set up a Workload Identity Federation properly and get its url without the protocol.
2️⃣ Set up using a service account
- Create a service account that has the `Compute Viewer` role.
- Create a JSON credentials file and download it.
- In `ee/lib/google_cloud_platform/compute/client.rb`, in the `#external_credentials` function, replace the method content with the path to the credentials file.
3️⃣ The client class in action
One last setup step: there is a guard to make sure that the client class is used in the SaaS instance only. In `ee/lib/google_cloud_platform/compute/client.rb`, comment out L133.
Now that the setup is out of the way, let's play!
- Set up a project integration in some project, e.g. `gitlab-org/playground`
- Open http://gdk.test:3000/-/graphql-explorer and run the following query:

```graphql
{
  project(fullPath: "gitlab-org/playground") {
    id
    runnerCloudProvisioningOptions(
      provider: GOOGLE_CLOUD
      cloudProjectId: "dev-gcp-s3c-integrati-9abafed1"
    ) {
      ... on CiRunnerGoogleCloudProvisioningOptions {
        regions(first: 2) {
          nodes {
            name
            description
          }
          pageInfo {
            hasNextPage
            endCursor
          }
        }
        zones(region: "us-east1", first: 2) {
          nodes {
            name
            description
          }
          pageInfo {
            hasNextPage
            endCursor
          }
        }
        machineTypes(zone: "us-east1-b", first: 2) {
          nodes {
            name
            description
            zone
          }
          pageInfo {
            hasNextPage
            endCursor
          }
        }
      }
    }
  }
}
```
You should see the zones and regions requested. Since the project ID passed to machine types does not exist, an error should be returned.
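
A guard for the local setup above, as an added example that is not part of this merge request or of GitLab's tooling: the validation steps hardcode an issuer, point `#external_credentials` at a key file and disable the SaaS-only guard, and none of those edits should reach a commit. The function names and the sample diff are constructed for illustration, and the script assumes the default `a/` and `b/` diff prefixes.

```shell
#!/usr/bin/env bash
# Added example: reads a unified diff on stdin and refuses it when it touches
# one of the files edited only for local validation in the steps above.

# Paths taken from the setup steps (space-separated, none contains a space).
LOCAL_ONLY_FILES="ee/lib/google_cloud_platform/base_client.rb ee/lib/google_cloud_platform/jwt.rb ee/lib/google_cloud_platform/compute/client.rb"

# Print every watched file that appears as the target of a "+++ b/<path>" header.
touched_local_only_files() {
  awk -v list="$LOCAL_ONLY_FILES" '
    BEGIN { n = split(list, f, " "); for (i = 1; i <= n; i++) watch[f[i]] = 1 }
    /^\+\+\+ b\// {
      path = substr($0, 7)          # drop the "+++ b/" prefix
      sub(/\t.*$/, "", path)        # drop a trailing tab-separated timestamp
      if (path in watch) print path
    }'
}

# Return 0 when the diff is clean, 1 (block the commit) otherwise.
check_staged_diff() {
  hits=$(touched_local_only_files)
  if [ -z "$hits" ]; then
    return 0
  fi
  printf 'refusing to commit local validation edits in:\n%s\n' "$hits" >&2
  return 1
}

# Constructed sample diff (not real GitLab source): one watched file, one not.
SAMPLE_DIFF='diff --git a/ee/lib/google_cloud_platform/jwt.rb b/ee/lib/google_cloud_platform/jwt.rb
--- a/ee/lib/google_cloud_platform/jwt.rb
+++ b/ee/lib/google_cloud_platform/jwt.rb
@@ -1,3 +1,3 @@
 def issuer
-  # placeholder for the original method body
+  "http://gdk.test:3000"
 end
diff --git a/README.md b/README.md
--- a/README.md
+++ b/README.md
@@ -1 +1 @@
-old
+new'

# Demo run on the constructed diff; the guard is expected to block it.
printf '%s\n' "$SAMPLE_DIFF" | check_staged_diff || echo "commit blocked"
```

In a pre-commit hook, feed it the staged changes with `git diff --cached --src-prefix=a/ --dst-prefix=b/ | check_staged_diff`.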