Support clusterConstraints.gcp.nodes.requiredOauthScopes in schema (#423)

* Support clusterConstraints.gcp.nodes.requiredOauthScopes in schema

* Address review suggestsions: fix bug and set default value of []

Author: eshiroma

marketplace/deployer_util/config_helper.py

@@ -42,6 +42,8 @@
 
 WIDGET_TYPES = ['help']
 
+_OAUTH_SCOPE_PREFIX = 'https://www.googleapis.com/auth/'
+
 
 class InvalidName(Exception):
   pass
@@ -283,15 +285,17 @@ def __init__(self, dictionary):
     self._k8s_version = dictionary.get('k8sVersion', None)
     self._resources = None
     self._istio = None
+    self._gcp = None
 
     if 'resources' in dictionary:
       resources = dictionary['resources']
       if not isinstance(resources, list):
         raise InvalidSchema('clusterConstraints.resources must be a list')
       self._resources = [SchemaResourceConstraints(r) for r in resources]
 
-    if 'istio' in dictionary:
-      self._istio = SchemaIstio(dictionary['istio'])
+    self._istio = _maybe_get_and_apply(dictionary, 'istio',
+                                       lambda v: SchemaIstio(v))
+    self._gcp = _maybe_get_and_apply(dictionary, 'gcp', lambda v: SchemaGcp(v))
 
   @property
   def k8s_version(self):
@@ -305,6 +309,10 @@ def resources(self):
   def istio(self):
     return self._istio
 
+  @property
+  def gcp(self):
+    return self._gcp
+
 
 class SchemaResourceConstraints:
   """Accesses a single resource's constraints."""
@@ -400,6 +408,36 @@ def type(self):
     return self._type
 
 
+class SchemaGcp:
+  """Accesses top level GCP constraints."""
+
+  def __init__(self, dictionary):
+    self._nodes = _maybe_get_and_apply(dictionary, 'nodes',
+                                       lambda v: SchemaNodes(v))
+
+  @property
+  def nodes(self):
+    return self._nodes
+
+
+class SchemaNodes:
+  """Accesses GKE cluster node constraints."""
+
+  def __init__(self, dictionary):
+    self._required_oauth_scopes = dictionary.get('requiredOauthScopes', [])
+    if not isinstance(self._required_oauth_scopes, list):
+      raise InvalidSchema('nodes.requiredOauthScopes must be a list')
+    for scope in self._required_oauth_scopes:
+      if not scope.startswith(_OAUTH_SCOPE_PREFIX):
+        raise InvalidSchema(
+            'OAuth scope references must be fully-qualified (start with {})'
+            .format(_OAUTH_SCOPE_PREFIX))
+
+  @property
+  def required_oauth_scopes(self):
+    return self._required_oauth_scopes
+
+
 class SchemaImage:
   """Accesses an image definition."""
 
@@ -840,7 +878,7 @@ def _must_contain(value, valid_list, error_msg):
   """Validates that value in valid_list, or raises InvalidSchema."""
   if value not in valid_list:
     raise InvalidSchema("{}. Must be one of {}".format(error_msg,
-                                                       ', '.join(_ISTIO_TYPES)))
+                                                       ', '.join(valid_list)))
 
 
 def _property_must_have_type(prop, expected_type):

marketplace/deployer_util/config_helper_test.py

@@ -827,6 +827,42 @@ def test_istio_invalid_type(self):
                 type: INVALID_TYPE
           """)
 
+  def test_required_oauth_scopes_valid(self):
+    schema = config_helper.Schema.load_yaml("""
+      applicationApiVersion: v1beta1
+      properties:
+        simple:
+          type: string
+      x-google-marketplace:
+        clusterConstraints:
+          gcp:
+            nodes:
+              requiredOauthScopes:
+              - https://www.googleapis.com/auth/cloud-platform
+      """)
+    schema.validate()
+    self.assertEqual(
+        schema.x_google_marketplace.cluster_constraints.gcp.nodes
+        .required_oauth_scopes,
+        ["https://www.googleapis.com/auth/cloud-platform"])
+
+  def test_required_oauth_scopes_invalid_scope(self):
+    with self.assertRaisesRegexp(
+        config_helper.InvalidSchema,
+        "OAuth scope references must be fully-qualified"):
+      config_helper.Schema.load_yaml("""
+        applicationApiVersion: v1beta1
+        properties:
+          simple:
+            type: string
+        x-google-marketplace:
+          clusterConstraints:
+            gcp:
+              nodes:
+                requiredOauthScopes:
+                - cloud-platform
+        """)
+
   def test_deployer_service_account(self):
     schema = config_helper.Schema.load_yaml("""
         x-google-marketplace: