@trietsch
Last active December 11, 2022 01:04
Gitlab (Group) Kubernetes Cluster with minimal RBAC (NO cluster-admin!)
/*
Gitlab offers the option to configure Kubernetes clusters (either on group level or project level) so that pod logs
and more can be viewed from the web UI. However, they advise configuring cluster-admin as the ClusterRole for the
ServiceAccount that you use to set up access from Gitlab to your cluster.
IMO, these permissions are too wide, as I'm not using Gitlab to manage deployments; that is done through Terraform in my case.
This should have been documented somewhere in the Gitlab documentation, especially since Gitlab acknowledges that many users
find the permissions too wide: https://about.gitlab.com/blog/2021/02/22/gitlab-kubernetes-agent-on-gitlab-com/
The Terraform code below includes all RBAC permissions required to view your clusters in Gitlab, as well as to view the
deployments, including the number of pods. Furthermore, it allows for log viewing in Gitlab as well. The permissions are mainly
based on trial and error, as well as educated guesses taken from the Kubernetes client in the Gitlab source code:
https://gitlab.com/gitlab-org/gitlab/-/blob/master/app/models/clusters/platforms/kubernetes.rb
*/
resource "kubernetes_service_account" "gitlab_admin" {
  metadata {
    name      = "gitlab-admin"
    namespace = "kube-system"
  }
}

resource "kubernetes_cluster_role" "gitlab_cluster_role" {
  metadata {
    name = "gitlab-cluster-role"
  }

  # List cluster information
  rule {
    api_groups = ["", "metrics.k8s.io"]
    resources  = ["nodes"]
    verbs      = ["get", "list"]
  }

  # List and get pods + read logs
  rule {
    api_groups = [""]
    resources  = ["pods", "pods/log"]
    verbs      = ["get", "list"]
  }

  # List and get deployments
  rule {
    api_groups = ["apps"]
    resources  = ["deployments"]
    verbs      = ["get", "list"]
  }

  # Unclear which API group Gitlab uses for ingresses; networking.k8s.io alone does not work,
  # so the group is a wildcard. Only get/list on ingresses is granted by this rule.
  rule {
    api_groups = ["*"]
    resources  = ["ingresses"]
    verbs      = ["get", "list"]
  }
}

# A ClusterRoleBinding applies the role in every namespace, so the service account can read
# the resources above (including pod logs) cluster-wide.
resource "kubernetes_cluster_role_binding" "gitlab_admin" {
  metadata {
    name = "gitlab-admin"
  }
  role_ref {
    api_group = "rbac.authorization.k8s.io"
    kind      = "ClusterRole"
    name      = kubernetes_cluster_role.gitlab_cluster_role.metadata.0.name
  }
  subject {
    kind      = "ServiceAccount"
    name      = "gitlab-admin"
    namespace = "kube-system"
  }
}

# Reads the token secret that Kubernetes creates automatically for the service account.
# Note: Kubernetes 1.24+ no longer auto-creates these secrets, so on such clusters a
# kubernetes.io/service-account-token secret has to be created explicitly instead.
data "kubernetes_secret" "gitlab_admin" {
  metadata {
    name      = kubernetes_service_account.gitlab_admin.default_secret_name
    namespace = "kube-system"
  }
  depends_on = [
    kubernetes_service_account.gitlab_admin,
    kubernetes_cluster_role_binding.gitlab_admin,
  ]
}

# Provider Google here is required for getting existing GKE cluster info
provider "google" {
  project = "<google_project_id>"
}

data "google_client_config" "client_config" {}

data "google_container_cluster" "gke_cluster" {
  project  = "<google_project_id>"
  name     = "<gke_cluster_name>"
  location = "<gke_zone>"
}

provider "gitlab" {
  token = "<gitlab_token>"
}

provider "kubernetes" {
  host                   = "https://${data.google_container_cluster.gke_cluster.endpoint}"
  token                  = data.google_client_config.client_config.access_token
  cluster_ca_certificate = base64decode(data.google_container_cluster.gke_cluster.master_auth[0].cluster_ca_certificate)
}

# Registers the cluster with the Gitlab group using the restricted service account token above
resource "gitlab_group_cluster" "group_cluster" {
  group                         = "<gitlab_group_name>"
  name                          = "<a_name_for_the_cluster_on_gitlab>"
  enabled                       = true
  managed                       = false
  kubernetes_api_url            = "https://${data.google_container_cluster.gke_cluster.endpoint}"
  kubernetes_token              = lookup(data.kubernetes_secret.gitlab_admin.data, "token")
  kubernetes_ca_cert            = lookup(data.kubernetes_secret.gitlab_admin.data, "ca.crt")
  kubernetes_authorization_type = "rbac"
  environment_scope             = "<fill_out>"
}
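As an added example (not part of the gist), the Python below evaluates the four rules of the ClusterRole above with the matching semantics of the Kubernetes RBAC authorizer, so you can see what the role grants and what it still denies before binding it; it assumes the rule list is transcribed from the ClusterRole as written and that only resource rules (no nonResourceURLs) are involved.

```python
# Constructed copy of the four rules from the gitlab-cluster-role ClusterRole above,
# in the shape Kubernetes stores them (PolicyRule fields).
GITLAB_CLUSTER_ROLE_RULES = [
    {"apiGroups": ["", "metrics.k8s.io"], "resources": ["nodes"], "verbs": ["get", "list"]},
    {"apiGroups": [""], "resources": ["pods", "pods/log"], "verbs": ["get", "list"]},
    {"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["get", "list"]},
    {"apiGroups": ["*"], "resources": ["ingresses"], "verbs": ["get", "list"]},
]


def _field_matches(allowed: list, wanted: str) -> bool:
    """A PolicyRule field matches when it lists the value or the "*" wildcard."""
    return "*" in allowed or wanted in allowed


def _resource_matches(allowed: list, resource: str) -> bool:
    """Resource matching, including RBAC's subresource forms ("pods/log", "*/log")."""
    if "*" in allowed or resource in allowed:
        return True
    if "/" in resource:                       # a "resource/subresource" request
        subresource = resource.split("/", 1)[1]
        return f"*/{subresource}" in allowed  # a bare "pods" entry never grants "pods/log"
    return False


def rule_allows(rule: dict, verb: str, api_group: str, resource: str) -> bool:
    """Evaluate one PolicyRule the way the RBAC authorizer does for a resource request."""
    return (_field_matches(rule["verbs"], verb)
            and _field_matches(rule["apiGroups"], api_group)
            and _resource_matches(rule["resources"], resource))


def is_allowed(rules: list, verb: str, api_group: str, resource: str) -> bool:
    """RBAC is purely additive: a request is allowed if any bound rule allows it."""
    return any(rule_allows(r, verb, api_group, resource) for r in rules)


def audit(rules: list, requests: list) -> dict:
    """Map each (verb, apiGroup, resource) request to the role's allow/deny decision."""
    return {req: is_allowed(rules, *req) for req in requests}


if __name__ == "__main__":
    checks = [  # what Gitlab needs, followed by things cluster-admin would have granted
        ("get", "", "pods/log"), ("list", "apps", "deployments"),
        ("get", "networking.k8s.io", "ingresses"), ("get", "metrics.k8s.io", "nodes"),
        ("create", "apps", "deployments"), ("get", "", "secrets"),
        ("create", "", "pods/exec"), ("delete", "", "pods"),
    ]
    for (verb, group, res), ok in audit(GITLAB_CLUSTER_ROLE_RULES, checks).items():
        print(f"{'ALLOW' if ok else 'DENY':5} {verb:7} {group or 'core':18} {res}")
```

Against a live cluster the same questions are answered by `kubectl auth can-i <verb> <resource> --as=system:serviceaccount:kube-system:gitlab-admin`. Because the binding above is a ClusterRoleBinding, every "allow" holds in all namespaces, kube-system included.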