Automatic merge of gitlab-org/gitlab-ce master

9b4af9b4 · GitLab Bot · d3cebe6c · 0c0abc61 · 9b4af9b4 · 9b4af9b4
Commit 9b4af9b4 authored Mar 14, 2019 by GitLab Bot
5 changed files
--- a/changelogs/unreleased/58208-explicitly-set-masterauth.yml
+++ b/changelogs/unreleased/58208-explicitly-set-masterauth.yml
+---
+title: Explicitly set master_auth setting to enable basic auth and client certificate
+  for new GKE clusters
+merge_request: 26018
+author:
+type: other
--- a/doc/topics/autodevops/index.md
+++ b/doc/topics/autodevops/index.md
@@ -704,6 +704,7 @@ also be customized, and you can easily use a [custom buildpack](#custom-buildpac
 | `INCREMENTAL_ROLLOUT_MODE`| From GitLab 11.4, this variable, if present, can be used to enable an [incremental rollout](#incremental-rollout-to-production-premium) of your application for the production environment.<br/>Set to: <ul><li>`manual`, for manual deployment jobs.</li><li>`timed`, for automatic rollout deployments with a 5 minute delay each one.</li></ul> |
 | `TEST_DISABLED`              | From GitLab 11.0, this variable can be used to disable the `test` job. If the variable is present, the job will not be created. |
 | `CODE_QUALITY_DISABLED`       | From GitLab 11.0, this variable can be used to disable the `codequality` job. If the variable is present, the job will not be created. |
+| `LICENSE_MANAGEMENT_DISABLED` | From GitLab 11.0, this variable can be used to disable the `license_management` job. If the variable is present, the job will not be created. |
 | `SAST_DISABLED`              | From GitLab 11.0, this variable can be used to disable the `sast` job. If the variable is present, the job will not be created. |
 | `DEPENDENCY_SCANNING_DISABLED` | From GitLab 11.0, this variable can be used to disable the `dependency_scanning` job. If the variable is present, the job will not be created. |
 | `CONTAINER_SCANNING_DISABLED` | From GitLab 11.0, this variable can be used to disable the `sast:container` job. If the variable is present, the job will not be created. |

--- a/doc/user/project/clusters/index.md
+++ b/doc/user/project/clusters/index.md
@@ -75,6 +75,14 @@ new Kubernetes cluster to your project:
 After a couple of minutes, your cluster will be ready to go. You can now proceed
 to install some [pre-defined applications](#installing-applications).

+NOTE: **Note:**
+GitLab requires basic authentication enabled and a client certificate issued for
+the cluster in order to setup an [initial service
+account](#access-controls). Starting from [GitLab
+11.10](https://gitlab.com/gitlab-org/gitlab-ce/issues/58208), the cluster
+creation process will explicitly request that basic authentication and
+client certificate is enabled.
+
 ## Adding an existing Kubernetes cluster

 To add an existing Kubernetes cluster to your project:

--- a/lib/google_api/cloud_platform/client.rb
+++ b/lib/google_api/cloud_platform/client.rb
@@ -10,6 +10,7 @@ module GoogleApi
    class Client < GoogleApi::Auth
      SCOPE = 'https://www.googleapis.com/auth/cloud-platform'.freeze
      LEAST_TOKEN_LIFE_TIME = 10.minutes
+      CLUSTER_MASTER_AUTH_USERNAME = 'admin'.freeze

      class << self
        def session_key_for_token
@@ -64,6 +65,12 @@ module GoogleApi
              "node_config": {
                "machine_type": machine_type
              },
+              "master_auth": {
+                "username": CLUSTER_MASTER_AUTH_USERNAME,
+                "client_certificate_config": {
+                  issue_client_certificate: true
+                }
+              },
              "legacy_abac": {
                "enabled": legacy_abac
              }

--- a/spec/lib/google_api/cloud_platform/client_spec.rb
+++ b/spec/lib/google_api/cloud_platform/client_spec.rb
@@ -97,6 +97,12 @@ describe GoogleApi::CloudPlatform::Client do
              "node_config": {
                "machine_type": machine_type
              },
+              "master_auth": {
+                "username": "admin",
+                "client_certificate_config": {
+                  issue_client_certificate: true
+                }
+              },
              "legacy_abac": {
                "enabled": true
              }
@@ -122,6 +128,12 @@ describe GoogleApi::CloudPlatform::Client do
                "node_config": {
                  "machine_type": machine_type
                },
+                "master_auth": {
+                  "username": "admin",
+                  "client_certificate_config": {
+                    issue_client_certificate: true
+                  }
+                },
                "legacy_abac": {
                  "enabled": false
                }