
Support Kubernetes RBAC for GitLab Managed Apps for creating new clusters

Merge the MR for supporting existing Kubernetes clusters first. 🚓

What does this MR do?

Enables support for users to create RBAC-enabled clusters on GKE:

  • Allows users to install Helm into an RBAC cluster
  • Allows users to install the other GitLab Managed apps (ingress, etc)

Adds documentation for enabling Kubernetes RBAC for GitLab Managed Apps for adding existing clusters and when creating new GKE clusters.

Notes and screenshot

This feature is hidden behind a feature flag (:rbac_clusters).

NOTE: GCP creates new GKE clusters with RBAC enabled by default since Kubernetes 1.6.

NOTE: We will still create clusters with legacy_abac: true, which is very useful as we haven't enabled RBAC support for Auto DevOps yet.

[Screenshot: Screen_Shot_2018-09-11_at_10.35.07_AM]

What are the relevant issue numbers?

Closes #29398 (closed)

Development tasks

  • Create new clusters with RBAC enabled (comes for free)
  • Create the cluster via the GCP client with legacy_abac: false if the :rbac_clusters feature flag is enabled
    • new DB column cluster_providers_gcp legacy_abac, default to true
    • set cluster_providers_gcp legacy_abac to false
  • Create a new service account gitlab regardless of abac/rbac
    • Create a secret ServiceAccountToken for the service account
  • For a GKE provisioned cluster that has RBAC:
    • Provide cluster-admin privileges to the new service account (enough for it to perform operations such as creating pods, querying namespaces and creating service accounts)
    • Get the token of the gitlab service account
  • For a GKE provisioned cluster that has ABAC:
    • Get the token of the gitlab service account
  • Write documentation about RBAC support for GitLab Managed Apps (behind a feature flag)
    • Enable feature flag
    • What are the limitations
    • What are the permissions involved
    • What is supported
    • What is created: service account, ServiceAccountToken and cluster-admin clusterrolebinding
  • FE option for users to choose
  • Link More information to these docs
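The objects the task list above describes (a gitlab service account, a ServiceAccountToken secret for it, and a cluster-admin ClusterRoleBinding) expressed as Kubernetes manifests. This is an added illustration, not code from the MR or from GitLab itself; the default namespace, the secret name gitlab-token and the binding name gitlab-admin are assumptions.

```yaml
# Added example (not from the MR): the objects created for an RBAC cluster
# (legacy_abac: false). Namespace "default", secret name "gitlab-token" and
# binding name "gitlab-admin" are assumed, not taken from the MR.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: gitlab
  namespace: default
---
# A token secret bound to the service account; the control plane fills in
# .data.token, which is what GitLab stores to talk to the cluster.
apiVersion: v1
kind: Secret
metadata:
  name: gitlab-token
  namespace: default
  annotations:
    kubernetes.io/service-account.name: gitlab
type: kubernetes.io/service-account-token
---
# Cluster-wide binding to the built-in cluster-admin ClusterRole, so the
# service account can install Helm/Tiller, ingress, etc. in any namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: gitlab-admin
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: gitlab
  namespace: default
```

Apply with `kubectl apply -f` and read the token with `kubectl -n default get secret gitlab-token -o jsonpath='{.data.token}' | base64 -d`. For the manual QA steps, `kubectl auth can-i create pods --as=system:serviceaccount:default:gitlab --all-namespaces` confirms the binding took effect, and `gcloud container clusters describe CLUSTER --zone ZONE --format='value(legacyAbac.enabled)'` shows whether legacy ABAC is still on. Because the binding is to cluster-admin, the stored token is equivalent to full control of the cluster, which is the permission the documentation task should spell out.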

Manual QA

  • Create new RBAC cluster
    • Check they can install cluster applications
    • Check that helper applications (tiller, ingress, etc) are still working as expected
    • Provide apps read access outside the namespace (if not provided by default)
    • legacy_abac flag is disabled on GCP
    • [-] In theory, Auto DevOps will still work!
  • Check that creating new ABAC clusters still works
    • legacy_abac flag is enabled on GCP
    • Check that we can install applications into an ABAC cluster still
    • Check that helper applications (tiller, ingress, etc) are still working as expected

Does this MR meet the acceptance criteria?

