Support for Kubernetes onboarding

brettcurtis commented 9 months ago

This pull request will support onboarding of new teams into the Kubernetes cluster. It manages workload identity, google service accounts and Kubernetes service accounts as well as RBAC. Support for enabling Istio at the namespace level is included too.

Summary by CodeRabbit

New Features
- Introduced .coderabbit.yaml for advanced CodeRabbit settings including review workflows and chat auto-reply.
- Expanded documentation with new links and guidance for RBAC and workload identity on Kubernetes Engine.
- Added new Terraform configurations for global and regional onboarding of cloud resources and Kubernetes namespaces.
Documentation
- Updated README.md files with new provider versions and detailed module information.
- Provided comprehensive documentation for managing Google Cloud resources and Kubernetes configurations.
Refactor
- Updated pre-commit hooks to a newer version.
- Renamed and restructured modules in test fixtures to align with new naming conventions.
Tests
- Added integration tests for verifying project IAM bindings, service accounts, and keys.
Chores
- Modified code ownership settings to include new owners for automated code review processes.

coderabbitai[bot] commented 9 months ago

Walkthrough

The changes involve introducing a .coderabbit.yaml file for configuring CodeRabbit settings, updating code ownership in the .github/CODEOWNERS file, revising a pre-commit hook version, and significantly overhauling Terraform configurations for Google Cloud resources. These changes aim to streamline Kubernetes onboarding, project and cluster creation, and improve workflow efficiency for platform developers, potentially addressing issues related to repository management complexity and access controls.

Changes

File(s)	Change Summary
`.coderabbit.yaml`	Added configuration settings for CodeRabbit.
`.github/CODEOWNERS`	Updated code ownership to include `@coderabbitai[bot]` and `@osinfra-sa`.
`.pre-commit-config.yaml`	Updated `pre-commit-terraform` hook version from `v1.85.0` to `v1.86.0`.
`README.md`	Expanded documentation with RBAC and workload identity details for Kubernetes Engine.
`global/onboarding/...`	Added Terraform modules for service accounts and namespaces management in Google Cloud.
`regional/infra/README.md`	Updated provider versions for `google`, `google-beta`, and `random`.
`regional/onboarding/...`	Added Terraform configurations for Kubernetes namespaces, roles, role bindings, and service accounts management.
`test/fixtures/default_kubernetes_engine/...`	Renamed modules and updated configurations for Kubernetes engine testing.
`test/fixtures/default_onboarding/...`	Introduced configurations and modules for onboarding Kubernetes resources in tests.
`test/integration/default_kubernetes_engine/controls/...`	Added controls for verifying project IAM binding, service account, and service account key in integration tests.

Related issues

osinfra-io/github-organization-discussions#6 by brettcurtis: The changes in this PR seem to simplify the onboarding process for Kubernetes clusters, which aligns with the objectives of improving the workflow for platform developers and minimizing context switching. The introduction of new Terraform configurations could also streamline the creation of Google Cloud projects and clusters.

Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media?

Share

- [X](https://twitter.com/intent/tweet?text=I%20just%20used%20%40coderabbitai%20for%20my%20code%20review%2C%20and%20it%27s%20fantastic%21%20It%27s%20free%20for%20OSS%20and%20offers%20a%20free%20trial%20for%20the%20proprietary%20code.%20Check%20it%20out%3A&url=https%3A//coderabbit.ai) - [Mastodon](https://mastodon.social/share?text=I%20just%20used%20%40coderabbitai%20for%20my%20code%20review%2C%20and%20it%27s%20fantastic%21%20It%27s%20free%20for%20OSS%20and%20offers%20a%20free%20trial%20for%20the%20proprietary%20code.%20Check%20it%20out%3A%20https%3A%2F%2Fcoderabbit.ai) - [Reddit](https://www.reddit.com/submit?title=Great%20tool%20for%20code%20review%20-%20CodeRabbit&text=I%20just%20used%20CodeRabbit%20for%20my%20code%20review%2C%20and%20it%27s%20fantastic%21%20It%27s%20free%20for%20OSS%20and%20offers%20a%20free%20trial%20for%20proprietary%20code.%20Check%20it%20out%3A%20https%3A//coderabbit.ai) - [LinkedIn](https://www.linkedin.com/sharing/share-offsite/?url=https%3A%2F%2Fcoderabbit.ai&mini=true&title=Great%20tool%20for%20code%20review%20-%20CodeRabbit&summary=I%20just%20used%20CodeRabbit%20for%20my%20code%20review%2C%20and%20it%27s%20fantastic%21%20It%27s%20free%20for%20OSS%20and%20offers%20a%20free%20trial%20for%20proprietary%20code)

Tips

### Chat with CodeRabbit Bot (`@coderabbitai`) - You can directly reply to a review comment made by CodeRabbit. Example: - `I pushed a fix in commit .` - `Generate unit-tests for this file.` - You can tag CodeRabbit on specific lines of code or entire files in the PR by tagging `@coderabbitai` in a comment. Examples: - `@coderabbitai generate unit tests for this file.` - `@coderabbitai modularize this function.` - You can tag `@coderabbitai` in a PR comment and ask questions about the PR and the codebase. Examples: - `@coderabbitai generate interesting stats about this repository from git and render them as a table.` - `@coderabbitai show all the console.log statements in this repository.` - `@coderabbitai read src/utils.ts and generate unit tests.` - `@coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid.` - `@coderabbitai read the files in the src/scheduler package and generate README in the markdown format.` Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. ### CodeRabbit Commands (invoked as PR comments) - `@coderabbitai pause` to pause the reviews on a PR. - `@coderabbitai resume` to resume the paused reviews. - `@coderabbitai review` to trigger a review. This is useful when automatic reviews are disabled for the repository. - `@coderabbitai resolve` resolve all the CodeRabbit review comments. - `@coderabbitai help` to get help. Additionally, you can add `@coderabbitai ignore` anywhere in the PR description to prevent this PR from being reviewed. ### CodeRabbit Configration File (`.coderabbit.yaml`) - You can programmatically configure CodeRabbit by adding a `.coderabbit.yaml` file to the root of your repository. - The JSON schema for the configuration file is available [here](https://coderabbit.ai/integrations/coderabbit-overrides.v2.json). - If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: `# yaml-language-server: $schema=https://coderabbit.ai/integrations/coderabbit-overrides.v2.json` ### CodeRabbit Discord Community Join our [Discord Community](https://discord.com/invite/GsXnASn26c) to get help, request features, and share feedback.

infracost[bot] commented 9 months ago

Infracost report

💰 Monthly cost will not change

Project	Cost change	New monthly cost
default_kubernetes_engine	$0	$113

Cost details

``` ────────────────────────────────── Project: default_kubernetes_engine Module path: test/fixtures/default_kubernetes_engine - module.regional.google_container_cluster.this -$73 - Cluster management fee -$73 - module.regional.google_container_node_pool.this["standard-pool"] -$39 - Instance usage (Linux/UNIX, on-demand, g1-small) -$39 - Standard provisioned storage (pd-standard) $0.00 - module.regional.google_kms_crypto_key.cluster_database_encryption -$0.60 - Key versions -$0.60 - Operations -$0.00 + module.test_kubernetes_engine.google_container_cluster.this +$73 + Cluster management fee +$73 + module.test_kubernetes_engine.google_container_node_pool.this["standard-pool"] +$39 + Instance usage (Linux/UNIX, on-demand, g1-small) +$39 + Standard provisioned storage (pd-standard) $0.00 + module.test_kubernetes_engine.google_kms_crypto_key.cluster_database_encryption +$0.60 + Key versions +$0.60 + Operations +$0.00 Monthly cost change for default_kubernetes_engine (Module path: test/fixtures/default_kubernetes_engine) Amount: $0.00 ($113 → $113) Percent: 0% ────────────────────────────────── Key: ~ changed, + added, - removed 23 cloud resources were detected: ∙ 3 were estimated, all of which include usage-based costs, see https://infracost.io/usage-file ∙ 20 were free, rerun with --show-skipped to see details ```

Governance checks

🟢 49 passed

48 FinOps policies and 1 Tagging policy passed.

_{View in Infracost Cloud. This comment will be updated when code changes.}

osinfra-io / terraform-google-kubernetes-engine