Use basic auth to create cluster role binding

The alternative is the user has `container.admin` permissions.

This approach is preferred as this means the QA spec can be run by any
GitLabber and indeed any contributor who can create a GKE cluster.

1 files changed, 4 insertions, 1 deletions

diff --git a/qa/qa/service/kubernetes_cluster.rb b/qa/qa/service/kubernetes_cluster.rb
index d868515555c..35c03e3f48a 100644
--- a/qa/qa/service/kubernetes_cluster.rb
+++ b/qa/qa/service/kubernetes_cluster.rb
@@ -25,6 +25,7 @@ module QA
           gcloud container clusters
           create #{cluster_name}
           #{auth_options}
+          --enable-basic-auth
           --zone #{Runtime::Env.gcloud_zone}
           && gcloud container clusters
           get-credentials
@@ -33,6 +34,8 @@ module QA
         CMD
 
         @api_url = `kubectl config view --minify -o jsonpath='{.clusters[].cluster.server}'`
+        @master_auth = JSON.parse(`gcloud container clusters describe #{cluster_name} --zone #{Runtime::Env.gcloud_zone} --format 'json(masterAuth.username, masterAuth.password)'`)
+
         if rbac
           create_service_account
 
@@ -64,7 +67,7 @@ module QA
 
       def create_service_account
         shell('kubectl create -f -', stdin_data: service_account)
-        shell('kubectl create -f -', stdin_data: service_account_role_binding)
+        shell("kubectl --username #{@master_auth['masterAuth']['username']} --password #{@master_auth['masterAuth']['password']} create -f -", stdin_data: service_account_role_binding)
       end
 
       def service_account