Move Kubernetes from service to Clusters page

Description

We have a Kubernetes service integration, which lets a user provide credentials for a k8s cluster to a project. We have an issue elsewhere to provide this at a group level. We even have an issue to create a Kubernetes cluster on GKE for GitLab group. But perhaps it's time to promote our Kubernetes integration from being just another service, to being first-class.

For example, we could have a page under CI/CD at the group level to list your clusters, and add new ones. When adding a new one, you could provide the credentials to an existing cluster, or create a new one on GKE. If you create multiple clusters, they'll be shown in a list.

Each cluster could have an environment (or wildcard pattern) to be accessible on. e.g. there could be a production cluster for production[/*], and a dev cluster * (the rest). Projects could override which clusters they use (perhaps using the existing service, or a new clusters page there). Perhaps as an admin, I'd be able to see which projects are making using of which clusters. Perhaps as an admin I'd be able to assign clusters to specific projects, although we have no precedence for this kind of control. (Project-specific runners are assigned at the project-level regardless of group, for example).

For each cluster, we could make it easy to install runners, Prometheus, NGINX ingress, Helm tiller, etc. Everything you need to use Auto DevOps. Ideally with one click, but possibly a la carte. We should show the status of each of these services, and let you upgrade them easily as well. Or have them optionally auto-updated.

For each cluster, we could make it easy to monitor the cluster, see when the cluster needs to be scaled, and provide an easy way to scale it (if it was created on GKE).

There may be other admin functions as well. Perhaps we need to be able to clean up orphaned pods (although I'd rather that just not happen). I don't exactly want to replace the Kubernetes dashboard, but I do want to make it so that it's unnecessary to use the k8s dashboard, except for rare circumstances.

To do this right, we really should use the master creds to create secrets for each projects/environment rather than sharing the same creds. But as a first iteration, we can share the creds.

Proposal

• Add Clusters menu at the group, personal namespace, and project levels.
• Show list of clusters (with great no-data graphic).
• When looking at a project, I should be able to see group clusters too
• Ideally when looking at a group, I can see all the project clusters (that I have access to).
• Button to add existing k8s cluster credentials.
• Button to create cluster on GKE (via OAuth). (Or single dialog with both choices.)
• For either existing or new cluster, provide an environment pattern for each cluster, much like environment-specific variables
• Cluster variables will only be sent to deploy jobs with matching environments
• If there are multiple clusters that match a given environment, the most-specific one wins. e.g. production/eu wins over production/*
• Indicate if a cluster is attached to protected environment(s). Restrict access appropriately. (Don't let Devs see details or create/edit them. Seeing the existence of them is OK.)
• For either existing or new cluster offer to:
  • Install Helm tiller (but required for all the following options): #36629
  • Install NGINX-ingress with Let's Encrypt
  • Install Runner: #32831 (moved)
  • Install Prometheus: #28916 (moved)
• Declare base domain(s) for ingress on cluster (needed by Auto Deploy)
• For GKE, allow automatically configuring Google DNS for base domain to ingress IP
• Hopefully we don't need to worry about "protected clusters" if we have "protected environments". Clusters attached to protected environments will automatically be protected. This may be more complicated if we let Developers view/edit cluster information.

Questions

• Should we have this available for personal namespaces as well?
• Proposal only includes group-level, does that mean we won't let people create clusters at the project level anymore? I suspect we'll still need to, so we can either leave the existing service integration, or make a Clusters menu at the project level as well.
• If we offer Clusters at both group and project level, we should have visibility across both. i.e. when looking at a project, I should be able to see group clusters too, and ideally when looking at a group, I can see all the project clusters (that I have access to).
• Should we provide DNS for them? e.g. *.$USER_OR_GROUP_PATH_SLUG.gitlab-apps.com Then providing their own DNS would be an option, but not required.

Links / references

• Monitoring of GKE cluster: https://gitlab.com/gitlab-org/gitlab-ce/issues/27890

Documentation blurb

Overview

What is it? Why should someone use this feature? What is the underlying (business) problem? How do you use this feature?

Use cases

Who is this for? Provide one or more use cases.

Feature checklist

Make sure these are completed before closing the issue, with a link to the relevant commit.

• Feature assurance
• Documentation
• Added to features.yml

/cc @dimitrieh @bikebilly @ayufan

changed the description

changed milestone to %Backlog

First class interface to Tiller.

Use Tiller to install Runner, Prometheus, NGINX Ingress.

Use Tiller for rollbacks? Variables?

marked this issue as related to #32638 (moved)

Installing a runner should be optional since people may want to use the instances shared runners, but still want to deploy to their own cluster. I wonder if there's any reason to make Prometheus optional though. Maybe because they have their own way of maintaining Prometheus, perhaps even a Prometheus instance per namespace or project. Or I suppose they might not want Prometheus at all; they have some other way of monitoring apps and don't care about our monitoring integration. Likewise with NGINX, they could have their own preferred ingress solution. But we should make it easy to stick with our defaults, while letting people do something custom.

I'm against using Tiller for rollbacks currently, as it's a lot more complicated (and somewhat more limited) than our current mechanism. Tiller's rollback mechanism treats variables differently than GitLab. Not better or worse; just different.

We should use Helm to install all of our components, so Helm tiller will be required if we install anything at all. This might conflict a bit with how we're using Tiller for Auto Deploy, where it installs tiller into each namespace rather than relying on a single Tiller instance. Perhaps we can detect Tiller in the main kube-system first? There are complications, such as tiller versions (we might inadvertently upgrade someone's global Tiller when they didn't want it upgraded).

marked this issue as related to #32638 (moved)

marked this issue as related to #35712 (moved)

mentioned in issue #35712 (moved)

changed the description

marked this issue as related to #27888 (closed)

marked this issue as related to #27890 (moved)

For all the optional pieces (runner, prometheus, etc.) I suggest we could start by installing them all without a choice and add the option to disable later. I expect the majority of people experimenting with this would be using test clusters. We would need messaging that made this clear though, so nobody does something unexpected to a production cluster.

mentioned in issue #27888 (closed)

Updated description with:

For either existing or new cluster, offer to:

• Install Helm tiller (but required for all the following options)
• Install NGINX-ingress with Let's Encrypt
• Install Runner: #32831 (moved)
• Install Prometheus: #28916 (moved)

and:

Should we provide DNS for them? e.g. *.$USER_OR_GROUP_PATH_SLUG.gitlab-apps.com Then providing their own DNS would be an option, but not required.

marked this issue as related to #27322 (moved)

mentioned in issue #35956

marked this issue as related to #35956

changed the description

Added questions:

• Should we have this available for personal namespaces as well?

• Proposal only includes group-level, does that mean we won't let people create clusters at the project level anymore? I suspect we'll still need to, so we can either leave the existing service integration, or make a Clusters menu at the project level as well.

• If we offer Clusters at both group and project level, we should have visibility across both. i.e. when looking at a project, I should be able to see group clusters too, and ideally when looking at a group, I can see all the project clusters (that I have access to).

I suspect this issue will obviate:

• Multiple cluster support: https://gitlab.com/gitlab-org/gitlab-ce/issues/27322

• Group-level Kubernetes: https://gitlab.com/gitlab-org/gitlab-ce/issues/34758

It's not explicitly called out (yet), but having a Clusters menu and only having one cluster in it is kind of silly.

If there are multiple clusters, how do we present this information to CI/CD jobs? My suggestion, which I'm not sure why isn't captured here yet, is to provide an environment pattern for each cluster, much like environment-specific variables. The trick though is only one cluster can be exposed to each job, as there's only one set of variables. Perhaps there's another way to solve this though, such as providing a variable with a list of clusters, then separate sets of variables based on the cluster name, but I'm not sure we really need to support multiple clusters per job. If you're deploying to multiple places, use separate jobs (and separate environment declarations).

Lastly, is there a need to access k8s outside of a deployment? Because right now, only deploy jobs declare environments, so for other jobs, we wouldn't know which creds to send (if there are multiple). I'd like to start by only making cluster creds available to deploy jobs and see if it's a problem.

changed milestone to %10.2

@dimitrieh Would love your thoughts on this upcoming issue.

Hopefully we don't need to worry about "protected clusters" if we have "protected environments". Clusters attached to protected environments will automatically be protected. This may be more complicated if we let Developers view/edit cluster information. Or if there isn't an exact match between the environment patterns. Imagining a cluster for *, and a protected environment of production. Should developers then have access to the * cluster? Yeah, they probably should. But if there's a protected environment of production/*, then the production/eu cluster should not be accessible to Developers. While this relationship might be effective, it might not be obvious/intuitive. Maybe we should add some UI element to let people know that a cluster if effectively protected, or attached to an protected branch, and maybe when writing the env pattern, show an indication in the form that it is protected. Then lastly, should a Developer be able to create a cluster attached to a protected environment? Probably not. You don't want a Developer being able to make a more specific cluster, say for production/eu/1 that then steals some other cred.

changed the description

@ayufan I've added a lot of complexity to the proposal. If it's too much, we can consider breaking this up into multiple milestone issues. But perhaps if we get mockups from @dimitrieh and work out all the complications early, we can set ourselves for getting it all done in a single release. /cc @grzesiek @filipa

This should actually be 10.3, but we don't have that milestone yet.

changed milestone to %Next 3-6 months

added deploy label

changed milestone to %10.3

The Prometheus team is planning to achieve the automatic deployment of Prometheus into a k8s cluster in 10.0 or 10.1. (Stretch in 10.0 https://gitlab.com/gitlab-org/gitlab-ce/issues/28916)

Our plan is to go ahead and put this on the Prometheus page, but are considering also adding it to the current K8s page as well. Do we expect a lot of churn on the k8s page leading up to 10.3?

mentioned in issue #36629

changed the description

Opened an issue for Helm Tiller installation: https://gitlab.com/gitlab-org/gitlab-ce/issues/36629

marked this issue as related to #36629

mentioned in issue #28916 (moved)

@dimitrieh brought up a good question "What about selecting an already existent gke cluster?"

We can already connect to an existing cluster using the k8s creds, but with OAuth, it might be more convenient to select an existing cluster from your GKE account rather than copying/pasting k8s creds.

mentioned in issue #35954 (closed)

mentioned in issue #27322 (moved)

@markpundsack I agree. Let's work on the mockups first and iterate on them. It's easier to understand how big and complex it will be :)

changed title from Move Kubernetes from service to page to Move Kubernetes from service to Clusters page

changed milestone to %10.2

A lot of UX was already done as part of https://gitlab.com/gitlab-org/gitlab-ce/issues/35954. More detail: https://gitlab.com/gitlab-org/gitlab-ce/issues/35954#note_41155066

changed milestone to %10.3

changed milestone to %10.2

added Deliverable label

@cperessini does it make sense for you to continue work on this since you worked on the issue Kamil linked? Feel free to assign to me if you don't have capacity and Ill take a look.

moved to gitlab#11290

Hey!

GitLab is moving all development for both GitLab Community Edition and Enterprise Edition into a single codebase. The current gitlab-ce repository will become a read-only mirror, without any proprietary code. All development is moved to the current gitlab-ee repository, which we will rename to just gitlab in the coming weeks. As part of this migration, issues will be moved to the current gitlab-ee project.

If you have any questions about all of this, please ask them in our dedicated FAQ issue.

https://gitlab.com/gitlab-org/gitlab-ee/issues/13855

You can also find more information here:

• https://gitlab.com/gitlab-org/gitlab-ee/issues/13304
• https://about.gitlab.com/2019/08/23/a-single-codebase-for-gitlab-community-and-enterprise-edition/

Frequently Asked Questions

For an up to date list of questions and answers, please take a look at https://gitlab.com/gitlab-org/gitlab-ee/issues/13855

What will we do with the repository names?

https://gitlab.com/gitlab-org/gitlab-ee/ will become https://gitlab.com/gitlab-org/gitlab, and https://gitlab.com/gitlab-org/gitlab-ce will become https://gitlab.com/gitlab-org/gitlab-foss.

Why rename gitlab-ce to gitlab-foss?

Using "gitlab" and "gitlab-ce" would be confusing, so we decided to rename gitlab-ce to gitlab-foss to make the purpose of this FOSS repository more clear

I created a merge requests for CE, and this got closed. What do I need to do?

You will need to create a merge request at https://gitlab.com/gitlab-org/gitlab-ee/. This link will eventually redirect to https://gitlab.com/gitlab-org/gitlab.

How does the licensing work in this new setup?

Everything in the ee/ directory is proprietary. Everything else is free and open source software. If your merge request does not change anything in the ee/ directory, the process of contributing changes is the same as when using the gitlab-ce repository.

Will you accept merge requests on the gitlab-ce/gitlab-foss project after it has been renamed?

No. Merge requests submitted to this project will be closed automatically.

Will I still be able to view old issues and merge requests in gitlab-ce/gitlab-foss?

Yes.

How will this affect users of GitLab CE using Omnibus?

No changes will be necessary, as the packages built remain the same.

How will this affect users of GitLab CE that build from source?

Once the project has been renamed, you will need to change your Git remotes to use this new URL. GitLab will take care of redirecting Git operations so there is no hard deadline, but we recommend doing this as soon as the projects have been renamed.

Where can I see a timeline of the remaining steps?

https://gitlab.com/gitlab-org/gitlab-ee/issues/13304

Will community contributions submitted to the new "gitlab" repository be available in the new gitlab-foss repository?

Yes, these changes will be synced to gitlab-foss automatically, several times per day.

locked this issue