Group-level Kubernetes cluster configuration (#34758) · Issues · GitLab.org / GitLab FOSS

Group-level Kubernetes cluster configuration

Problem to solve

Currently, k8s clusters can only be configured at the project level. This can be limiting for teams that want to use the same cluster across all projects/department/company.

Further details

A single cluster configuration that can be leveraged group-wide.

Proposal

Add a new option for "Operations" at the group level that will allow users to access a kubernetes menu item.

The following have been discovered as part of https://gitlab.com/gitlab-org/gitlab-ee/issues/7412:

Only the following group-level applications will be available for MVC:

Tiller
Ingress

The following applications will be available post-mvc:

Runner https://gitlab.com/gitlab-org/gitlab-ce/issues/51988
Prometheus https://gitlab.com/gitlab-org/gitlab-ce/issues/51963
JupyterHub https://gitlab.com/gitlab-org/gitlab-ce/issues/51989

Group-level cluster will follow the same licensing approach as project-level clusters: CE will allow for 1 cluster at the group level (or sub-group level) and EE will allow for multiple cluster configuration.
For CE, having a cluster configured at the group level shall not affect the ability for related project to have project-level clusters setup, that is, if Group 1 has a cluster setup, project 1A can have a separate cluster setup (project 1A belonging to Group 1).
Adding a group-level cluster will automatically show that cluster to all children projects
Environment scope for CE will enforce * just as CE project-level cluster configuration does
Project-level cluster trumps group-level cluster, that is, if there's an env scope match, project level always wins.
Sub-groups will determine which cluster to use by looking at closest ancestor with a matching env scope pattern.
Namespace:
1. Remove the project namespace from group-level clusters completely
2. Don’t show it in the list when listing clusters, either at the group or project level
3. Don’t have the field when creating a group-level cluster
4. Don’t have it when editing a group-level cluster
5. But keep it when creating/editing a project-level cluster as there’s still reason to keep it
6. Even though project-level clusters could have custom project namespaces, don't show them in the list of clusters for consistency
7. The backend still needs to provide KUBE_NAMESPACE to CI/CD pipelines for group-level clusters. I suggest keeping the $PIPELINE_NAME-$PIPELINE_ID format
Managing the cluster can only be done by group maintainers/owners
Removing cluster at the group level will disable the access for its children projects

Discovery issue https://gitlab.com/gitlab-org/gitlab-ee/issues/7412

Follow-up issues:

Auto DevOps domain will be moved away from project configuration to cluster configuration, to be shown (possibly) along ingress information https://gitlab.com/gitlab-org/gitlab-ce/issues/52363
Support installing GitLab runner on group level cluster https://gitlab.com/gitlab-org/gitlab-ce/issues/51988
Show errors if project namespace/SA is missing https://gitlab.com/gitlab-org/gitlab-ce/issues/54506

User stories and mockups

Sidebar and empty state

EE/CE
As an owner or maintainer, I should see a `Kubernetes` tab in my group sidebar.
As an owner or maintainer, I should see an empty state with a call to action when I have no group clusters.

Environment scope

EE	CE
As an owner or maintainer, I can set the environment scope when creating my group cluster.	As an owner or maintainer, I cannot set the environment scope when creating my group cluster. The environment scope is `*`.

Applications and domain

EE/CE
As an owner or maintainer, I am able to install Helm Tiller and Ingress on my group level cluster. Note: The only difference between EE/CE mockups would be the ability to set an environment.
As an owner or maintainer, I am able to set a domain for both my group and project level clusters. I am able to set my domain regardless of whether I have installed Helm Tiller and/or Ingress.

Group	Project

Improvements: Alternative issues will be made for installing GitLab Runner, Prometheus, and Jupyterhub &114

Group clusters

EE	CE
As an owner or maintainer, I am able to add multiple group clusters to each group or subgroup.	As an owner or maintainer, I can only add one group cluster to each group or subgroup.
Add cluster button enabled	Add cluster button disabled

EE/CE
Group level clusters will be automatically added to projects within that group.

Cluster Overrides

CE
As a user who created a new group cluster, I will be warned if my cluster won't be active for any given project.

Improvement: Allow users to specify which projects they would like override. Create new issue

EE	CE
As an owner or maintainer, I can have multiple active cluster integrations at various levels on my project.	As an owner or maintainer, I can only have one active cluster integration on my project.

EE
If multiple clusters exist at the same level, my environment will first look for an exact match, then a partial match, then `*`
If there are multiple matches, my environment will choose the first match. Project -> Subgroup -> Group

If my environment has no match, it will continue up the chain to find a match. Project -> Subgroup -> Group

CE
As an owner or maintainer, I have the ability to add one project level cluster even if there are group clusters. This will override my group level integration for this project.
Add cluster button enabled

Possible improvement: Explore always keeping the create button enabled. In CE, this would mean owners and maintainers can add as many integrations as they want, but they must select one: either a group or a project level cluster. This removes confusion over why the user cannot create another integration. Create new issue

Editing group clusters

EE/CE
As an owner or maintainer, I can view a group cluster on my project. The cluster links to the group cluster page, and I must make any edits there.
As an owner or maintainer, I cannot remove a group level cluster from a specific project. I can only override the cluster with a project cluster.

Improvement: Allow users to exclude a group level cluster from a specific project. Create new issue

Auto DevOps project settings

EE/CE
As an owner or maintainer, I am no longer able to set a domain within my project Auto DevOps settings

What does success look like, and how can we measure that?

User no longer copy/paste the same cluster configuration in multiple projects but rather use a group-level cluster

Links / references

/label ~"feature proposal"

### Problem to solve

Currently, k8s clusters can only be configured at the project level. This can be limiting for teams that want to use the same cluster across all projects/department/company.

### Further details

A single cluster configuration that can be leveraged group-wide.

### Proposal

Add a new option for "Operations" at the group level that will allow users to access a kubernetes menu item.

The following have been discovered as part of https://gitlab.com/gitlab-org/gitlab-ee/issues/7412:

1. Only the following group-level applications will be available for MVC:
  * Tiller
  * Ingress
2. The following applications will be available post-mvc:
  * Runner https://gitlab.com/gitlab-org/gitlab-ce/issues/51988
  * Prometheus https://gitlab.com/gitlab-org/gitlab-ce/issues/51963
  * JupyterHub https://gitlab.com/gitlab-org/gitlab-ce/issues/51989
3. Group-level cluster will follow the same licensing approach as project-level clusters: CE will allow for 1 cluster at the group level (or sub-group level) and EE will allow for multiple cluster configuration.

4. For CE, having a cluster configured at the group level shall not affect the ability for related project to have project-level clusters setup, that is, if Group 1 has a cluster setup, project 1A can have a separate cluster setup (project 1A belonging to Group 1).

5. Adding a group-level cluster will automatically show that cluster to all children projects
7. Environment scope for CE will enforce `*` just as CE project-level cluster configuration does
8. Project-level cluster trumps group-level cluster, that is, if there's an env scope match, project level always wins.
9. Sub-groups will determine which cluster to use by looking at closest ancestor with a matching env scope pattern.
10. Namespace:
    1. Remove the project namespace from group-level clusters completely
    1. Don’t show it in the list when listing clusters, either at the group or project level
    1. Don’t have the field when creating a group-level cluster
    1. Don’t have it when editing a group-level cluster
    1. But keep it when creating/editing a project-level cluster as there’s still reason to keep it
    1. Even though project-level clusters could have custom project namespaces, don't show them in the list of clusters for consistency
    1. The backend still needs to provide `KUBE_NAMESPACE` to CI/CD pipelines for group-level clusters. I suggest keeping the `$PIPELINE_NAME-$PIPELINE_ID` format
11. Managing the cluster can only be done by group maintainers/owners
12. Removing cluster at the group level will disable the access for its children projects

Discovery issue https://gitlab.com/gitlab-org/gitlab-ee/issues/7412

### Follow-up issues:

* Auto DevOps domain will be moved away from project configuration to cluster configuration, to be shown (possibly) along ingress information https://gitlab.com/gitlab-org/gitlab-ce/issues/52363
* Support installing GitLab runner on group level cluster https://gitlab.com/gitlab-org/gitlab-ce/issues/51988
* Show errors if project namespace/SA is missing https://gitlab.com/gitlab-org/gitlab-ce/issues/54506

## User stories and mockups

### Sidebar and empty state
|EE/CE|
|--|
|As an owner or maintainer, I should see a `Kubernetes` tab in my group sidebar.|
|As an owner or maintainer, I should see an empty state with a call to action when I have no group clusters.|
|![group__operations--kubernetes-empty-state](https://gitlab.com/gitlab-org/gitlab-ee/uploads/df68d89c79ba537eb582a5135808a7d6/group__operations--kubernetes-empty-state.png)|

### Environment scope
|EE|CE|
|--|--|
|As an owner or maintainer, I can set the environment scope when creating my group cluster.|As an owner or maintainer, I cannot set the environment scope when creating my group cluster. The environment scope is `*`.|
|![EE-group__operations--kubernetes-create](https://gitlab.com/gitlab-org/gitlab-ee/uploads/6d78f340fcdc3d8d8a4038f90477e083/EE-group__operations--kubernetes-create.png)|![CE-group__operations--kubernetes-create](https://gitlab.com/gitlab-org/gitlab-ee/uploads/e0c09aeac3694bc1414990be9f1b6b85/CE-group__operations--kubernetes-create.png)|

### Applications and domain

|EE/CE|
|--|
|As an owner or maintainer, I am able to install Helm Tiller and Ingress on my group level cluster. **Note:** The only difference between EE/CE mockups would be the ability to set an environment.|
|As an owner or maintainer, I am able to set a domain for both my group and project level clusters. I am able to set my domain regardless of whether I have installed Helm Tiller and/or Ingress.|

|Group|Project|
|--|--|
|![CE-group__operations--kubernetes-domain-applications-installed](https://gitlab.com/gitlab-org/gitlab-ee/uploads/471d55280d44b92cc21e557ac33e9123/CE-group__operations--kubernetes-domain-applications-installed.png)|![CE-project__operations--kubernetes-domain-applications-installed](https://gitlab.com/gitlab-org/gitlab-ee/uploads/3b42c33b20e10fdc10dd82ff6c1b6b83/CE-project__operations--kubernetes-domain-applications-installed.png)|

**Improvements:** Alternative issues will be made for installing GitLab Runner, Prometheus, and Jupyterhub https://gitlab.com/groups/gitlab-org/-/epics/114

### Group clusters

|EE|CE|
|--|--|
|As an owner or maintainer, I am able to add multiple group clusters to each group or subgroup.|As an owner or maintainer, I can only add one group cluster to each group or subgroup.|
|![EE-group__operations--kubernetes-one-project](/uploads/a6ae702aeeccd313c56cf72fa158a211/EE-group__operations--kubernetes-one-project.png) Add cluster button enabled|![CE-group__operations--kubernetes-one-project](/uploads/570ffa177f93865ab54afcc2c28c0750/CE-group__operations--kubernetes-one-project.png) Add cluster button disabled|

### Cluster Overrides

|CE|
|--|
|As a user who created a new group cluster, I will be warned if my cluster won't be active for any given project.|
|![CE-group__operations--kubernetes-warning](https://gitlab.com/gitlab-org/gitlab-ee/uploads/18970bea64388f001fffd6f8e4a1c3ef/CE-group__operations--kubernetes-warning.png)|

**Improvement:** Allow users to specify which projects they would like override. *Create new issue*

|EE|CE|
|--|--|
|As an owner or maintainer, I can have multiple active cluster integrations at various levels on my project.|As an owner or maintainer, I can only have one active cluster integration on my project.|
|![EE-project__operations--kubernetes-two](/uploads/33f5efb25c0e09274ec0f40929b62b90/EE-project__operations--kubernetes-two.png)|![CE-project__operations--kubernetes-two](/uploads/19029015a473f0385815ca586e82f1de/CE-project__operations--kubernetes-two.png)|
|![EE-project__operations--kubernetes-four-2](/uploads/00215a95df8f6898aa864c406b51b5e4/EE-project__operations--kubernetes-four-2.png)|![CE-project__operations--kubernetes-four](/uploads/c8bf95c36c356d558c609dded79fd94b/CE-project__operations--kubernetes-four.png)|

|EE|
|--|
|If multiple clusters exist at the same level, my environment will first look for an exact match, then a partial match, then `*`|
|If there are multiple matches, my environment will choose the first match. Project -> Subgroup -> Group|
|![EE-project__operations--kubernetes-four-1](/uploads/dab69f2221bbbbb1bfcaa6af930aa978/EE-project__operations--kubernetes-four-1.png)|
|If my environment has no match, it will continue up the chain to find a match. Project -> Subgroup -> Group|

|CE|
|--|
As an owner or maintainer, I have the ability to add one project level cluster even if there are group clusters. This will override my group level integration for this project.|
|![CE-project__operations--kubernetes-one-group](/uploads/cb54982641bb36d0952fac2330b7ff80/CE-project__operations--kubernetes-one-group.png) Add cluster button enabled|
|![CE-project__operations--kubernetes-override-integration](https://gitlab.com/gitlab-org/gitlab-ee/uploads/d485a93a6208b024e95be33edd9b5ee6/CE-project__operations--kubernetes-override-integration.png)|

**Possible improvement:** Explore always keeping the create button enabled. In CE, this would mean owners and maintainers can add as many integrations as they want, but they must select one: either a group or a project level cluster. This removes confusion over why the user cannot create another integration. *Create new issue*

### Editing group clusters

|EE/CE|
|--|
|As an owner or maintainer, I can view a group cluster on my project. The cluster links to the group cluster page, and I must make any edits there.|
|As an owner or maintainer, I cannot remove a group level cluster from a specific project. I can only override the cluster with a project cluster.|
|![CE-project__operations--kubernetes-one-group](/uploads/cb54982641bb36d0952fac2330b7ff80/CE-project__operations--kubernetes-one-group.png)|

**Improvement:** Allow users to exclude a group level cluster from a specific project. *Create new issue*

### Auto DevOps project settings

|EE/CE|
|--|
|As an owner or maintainer, I am no longer able to set a domain within my project Auto DevOps settings|
|![CE-project__settings--ci-cd-autodevops](https://gitlab.com/gitlab-org/gitlab-ee/uploads/957416e9f26b785f5cdd9082444e3ec9/CE-project__settings--ci-cd-autodevops.png)|

### What does success look like, and how can we measure that?