authorShinya Maeda <shinya@gitlab.com>2017-09-26 16:28:49 +0900
committerShinya Maeda <shinya@gitlab.com>2017-09-26 16:28:49 +0900
commit954d7119384c9f2a3c862bac97beb641eb8755d6 (patch)
treee37b0de5d27129ce0f97c482efe48053c530d1f8
parent38a848be1c1ea5cba3112def8b3d64a2af056f0e (diff)
Expand KubernetesService to use username/passwordfeature/sm/35954-expand-kubernetesservice-to-use-username-password
-rw-r--r--app/models/project_services/kubernetes_service.rb39
-rw-r--r--lib/gitlab/kubernetes.rb14
2 files changed, 43 insertions, 10 deletions
diff --git a/app/models/project_services/kubernetes_service.rb b/app/models/project_services/kubernetes_service.rb
index 8ba07173c74..624cf6a44f9 100644
--- a/app/models/project_services/kubernetes_service.rb
+++ b/app/models/project_services/kubernetes_service.rb
@@ -15,17 +15,18 @@ class KubernetesService < DeploymentService
# Bearer authentication
# TODO: user/password auth, client certificates
prop_accessor :token
+ prop_accessor :username
+ prop_accessor :password
# Provide a custom CA bundle for self-signed deployments
prop_accessor :ca_pem
+ before_validation :enforce_namespace_to_lower_case
+
with_options presence: true, if: :activated? do
validates :api_url, url: true
- validates :token
end
- before_validation :enforce_namespace_to_lower_case
-
validates :namespace,
allow_blank: true,
length: 1..63,
@@ -35,8 +36,16 @@ class KubernetesService < DeploymentService
message: Gitlab::Regex.kubernetes_namespace_regex_message
}
+ validate :token_or_username, if: :activated?
+
after_save :clear_reactive_cache!
+ def token_or_username
+ unless token.present? || (username.present? && password.present?)
+ errors.add(:base, "You need to spicify token or username/password")
+ end
+ end
+
def initialize_properties
self.properties = {} if properties.nil?
end
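Review bot: `token_or_username` accepts a record that stores both a token and a username/password pair, and the later `kubeclient_auth_options` hunk then silently prefers the token, so the unused password stays stored and exported with nothing telling the user which credential is in effect. Either reject the mixed case or document the precedence in a comment above the validator, for example `# Token wins when both are set; username/password is only used when token is blank`. The error text also has a typo and should read `errors.add(:base, "You need to specify token or username/password")`.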
@@ -75,7 +84,15 @@ class KubernetesService < DeploymentService
{ type: 'text',
name: 'token',
title: 'Token',
- placeholder: 'Service token' }
+ placeholder: 'Service token',
+ help: 'Or you can use username/password instead of token' },
+ { type: 'text',
+ name: 'username',
+ title: 'Username',
+ placeholder: 'username' },
+ { type: 'password',
+ name: 'password',
+ title: 'Password' }
]
end
@@ -103,6 +120,8 @@ class KubernetesService < DeploymentService
variables = [
{ key: 'KUBE_URL', value: api_url, public: true },
{ key: 'KUBE_TOKEN', value: token, public: false },
+ { key: 'KUBE_USER_NAME', value: username, public: false },
+ { key: 'KUBE_PASSWORD', value: password, public: false },
{ key: 'KUBE_NAMESPACE', value: actual_namespace, public: true },
{ key: 'KUBECONFIG', value: config, public: false, file: true }
]
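Review bot: The two new entries in `variables` are added unconditionally, so a token-only service exports `KUBE_USER_NAME` and `KUBE_PASSWORD` with nil values, and a password-only service exports a nil `KUBE_TOKEN`. Build the credential entries from whichever credential is present, for example `{ key: 'KUBE_PASSWORD', value: password, public: false } if password.present?` collected with `compact`. `public: false` only marks the value as non-public; the password is still handed to every job that receives these variables, so the help text should say the account needs to be narrowly scoped. The method that builds this array starts and ends outside the hunk.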
@@ -145,6 +164,8 @@ class KubernetesService < DeploymentService
url: api_url,
namespace: actual_namespace,
token: token,
+ username: username,
+ password: password,
ca_pem: ca_pem)
end
@@ -157,7 +178,7 @@ class KubernetesService < DeploymentService
end
def build_kubeclient!(api_path: 'api', api_version: 'v1')
- raise "Incomplete settings" unless api_url && actual_namespace && token
+ raise "Incomplete settings" unless api_url && actual_namespace && (token || (username && password))
::Kubeclient::Client.new(
join_api_url(api_path),
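Review bot: The guard in `build_kubeclient!` tests plain truthiness while `token_or_username` and `kubeclient_auth_options` use `.present?`, and in Ruby an empty string is truthy. A blank token saved from the form therefore passes this guard, after which `kubeclient_auth_options` falls through to `{ username: nil, password: nil }` and the client is built with no credentials. Use the same predicate everywhere: `raise "Incomplete settings" unless api_url && actual_namespace && (token.present? || (username.present? && password.present?))`. Basic auth also sends the password on every request, so it is worth confirming that the `url: true` validator on `api_url` restricts the scheme to HTTPS; that validator is not visible here. The method body continues outside the hunk.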
@@ -190,7 +211,11 @@ class KubernetesService < DeploymentService
end
def kubeclient_auth_options
- { bearer_token: token }
+ if token.present?
+ { bearer_token: token }
+ else
+ { username: username, password: password }
+ end
end
def join_api_url(api_path)
@@ -205,6 +230,8 @@ class KubernetesService < DeploymentService
def terminal_auth
{
token: token,
+ username: username,
+ password: password,
ca_pem: ca_pem,
max_session_time: current_application_settings.terminal_max_session_time
}
diff --git a/lib/gitlab/kubernetes.rb b/lib/gitlab/kubernetes.rb
index cdbdfa10d0e..a72004169c1 100644
--- a/lib/gitlab/kubernetes.rb
+++ b/lib/gitlab/kubernetes.rb
@@ -43,8 +43,12 @@ module Gitlab
end
end
- def add_terminal_auth(terminal, token:, max_session_time:, ca_pem: nil)
- terminal[:headers]['Authorization'] << "Bearer #{token}"
+ def add_terminal_auth(terminal, token:, username:, password:, max_session_time:, ca_pem: nil)
+ if token.present?
+ terminal[:headers]['Authorization'] << "Bearer #{token}"
+ else
+ terminal[:headers]['Authorization'] << "TODO: I have no idea how to use username: and password. Please help meeeeeeeeeeeeeeeeeeeeeee"
+ end
terminal[:max_session_time] = max_session_time
terminal[:ca_pem] = ca_pem if ca_pem.present?
end
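Review bot: The `else` branch of `add_terminal_auth` appends a placeholder sentence to the `Authorization` header, so a service configured with username/password sends that text to the cluster API instead of credentials and the terminal cannot authenticate. HTTP Basic credentials would be `terminal[:headers]['Authorization'] << "Basic #{Base64.strict_encode64("#{username}:#{password}")}"`. `username:` and `password:` are also declared as required keywords here and in `to_kubeconfig` below, so any caller that still passes only `token:` raises `ArgumentError`. Declaring them as `username: nil, password: nil` keeps the old call shape working.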
@@ -77,7 +81,9 @@ module Gitlab
url.to_s
end
- def to_kubeconfig(url:, namespace:, token:, ca_pem: nil)
+ def to_kubeconfig(url:, namespace:, token:, username:, password:, ca_pem: nil)
+ auth = if token.present? ? { token: token } : { username: username, password: password }
+
config = {
apiVersion: 'v1',
clusters: [
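Review bot: The `auth =` line in `to_kubeconfig` combines a leading `if` with a ternary and has no matching `end`, so as written it will not parse the way the change intends and will most likely break loading of the file. Drop the `if`: `auth = token.present? ? { token: token } : { username: username, password: password }`. The resulting kubeconfig embeds the password in plain text, and the service writes it to jobs as the `KUBECONFIG` file variable, which deserves a comment at this line. The method body continues past the end of the hunk.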
@@ -99,7 +105,7 @@ module Gitlab
users: [
{
name: 'gitlab-deploy',
- user: { token: token }
+ user: auth
}
]
}