Make group clusters compatible with restricted namespace and service account
Follow up https://gitlab.com/gitlab-org/gitlab-ce/issues/51716
After https://gitlab.com/gitlab-org/gitlab-ce/issues/51716 / https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/22011, when a cluster is created or added, a restricted service account to the project's namespace is automatically generated on the Cluster side. But this is no longer compatible with our new feature group clusters (https://gitlab.com/gitlab-org/gitlab-ce/issues/34758). We need to make it compatible by creating project service account and namespace for every project that belongs to the Group
Some questions:
- What will happen if the cluster is added to an empty Group? As we can't know what project namespaces will be needed
- No project namespaces are created
- Should we create the namespace when the project is added to a Group and remove the namespace when project is removed?
- TBC, but yes
- Surely we cannot do this with instance clusters but that's another day
- Error handling and UX
- TBD but if GitLab fails to create project namespace and service account in a group cluster, when the project runs a CI job for that cluster - Moved to https://gitlab.com/gitlab-org/gitlab-ce/issues/54506
Edited by Thong Kuah