
feat(t8s-cluster/rbac): use Users instead of the whole Group#2020

Open: cwrau wants to merge 1 commit into main from feat/t8s-cluster/granular-rbac

Conversation

@cwrau (Member) commented Mar 13, 2026

Summary by CodeRabbit

  • Chores
    • Updated cluster authorization and role-based access control configuration.

@cwrau cwrau enabled auto-merge March 13, 2026 11:28
Copilot AI review requested due to automatic review settings March 13, 2026 11:28
@gemini-code-assist commented

Summary of Changes

Hello, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request primarily addresses issues with the healthchecks.io integration within the base-cluster Helm chart, ensuring that Alertmanager healthcheck URLs are correctly formatted for both scheduling and monitoring checks. Additionally, it updates an RBAC ClusterRoleBinding in the t8s-cluster to assign permissions to individual users instead of a group.

Highlights

  • Healthchecks.io URL Fixes: Corrected the construction of healthchecks.io URLs for both scheduling and monitoring pings within the base-cluster Helm chart to ensure proper reporting.
  • Dead Man's Switch Unregistration Logic: Refactored the unregistration script for the dead man's switch, standardizing the checkName generation and updating the API key variable for consistency.
  • RBAC Update: Replaced a generic group with specific user entries in the teuto-clusterrolebinding for the t8s-cluster, granting permissions to individual users.
Changelog
  • charts/base-cluster/templates/monitoring/deadMansSwitch/cronjob.yaml
    • Updated the healthchecks.io URL for scheduling pings to use the base-cluster.deadMansSwitch.checkName template.
  • charts/base-cluster/templates/monitoring/deadMansSwitch/unregister.yaml
    • Changed the API key variable from apiKey to API_KEY.
    • Simplified the checkName generation by using the base-cluster.deadMansSwitch.checkName template.
    • Removed the conditional if .Values.monitoring.prometheus.enabled block for deleting the monitoring check, making it always attempt to delete both.
  • charts/base-cluster/templates/monitoring/kube-prometheus-stack/_alertmanager-config.yaml
    • Appended "-monitoring" to the healthchecks.io URL for monitoring pings.
  • charts/t8s-cluster/templates/workload-cluster/rbac/teuto-clusterrolebinding.yaml
    • Replaced the teuto.net:staff group with three individual users (cwr@teuto.net, mw@teuto.net, st@teuto.net) in the teuto-staff ClusterRoleBinding.

@coderabbitai

coderabbitai Bot commented Mar 13, 2026

Warning

Rate limit exceeded

@cwrau has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 5 minutes and 20 seconds before requesting another review.


Review info

Run configuration: defaults; review profile: CHILL; plan: Pro; run ID: 839c6d5a-0511-44b6-8764-c75ae9ea54e9

Commits: reviewing files that changed from the base of the PR and between d874a56 and f8dac7c.

Files selected for processing (1):
  • charts/t8s-cluster/templates/workload-cluster/rbac/teuto-clusterrolebinding.yaml

Walkthrough

This pull request modifies a Kubernetes ClusterRoleBinding YAML resource to change access permissions from a group (teuto.net:staff) to three individual users, and adds an explicit cluster role name reference.

Changes

Cohort / File(s): RBAC Configuration (charts/t8s-cluster/templates/workload-cluster/rbac/teuto-clusterrolebinding.yaml)
Summary: Modified subjects from a single Group (teuto.net:staff) to three individual Users (cwr@teuto.net, mw@teuto.net, st@teuto.net); added an explicit name field to roleRef specifying cluster-admin.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Suggested reviewers

  • tasches
  • teutonet-bot
  • marvinWolff

Poem

🐰 A group once held the key with pride,
Now three fine users stand inside,
With cluster-admin powers blessed,
The RBAC roles have been refreshed! ✨

Pre-merge checks: 3 passed
  • Description Check: Passed. Check skipped - CodeRabbit's high-level summary is enabled.
  • Title check: Passed. The title accurately describes the main change: replacing a Group subject with individual User subjects in the RBAC ClusterRoleBinding configuration.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage; skipping docstring coverage check.


gemini-code-assist Bot left a comment

Code Review

This pull request fixes the Alertmanager healthchecks URL and refactors how the check name is generated. The changes for this are correct.

However, I've identified two issues:

  1. In charts/base-cluster/templates/monitoring/deadMansSwitch/unregister.yaml, removing the conditional check for deleting the monitoring healthcheck exposes a bug in the deleteCheck function. The function is not robust and will cause the pre-delete hook to fail if a check doesn't exist. This should be fixed to prevent deployment issues.
  2. In charts/t8s-cluster/templates/workload-cluster/rbac/teuto-clusterrolebinding.yaml, a ClusterRoleBinding is changed from using a group to a list of hardcoded users. This is a significant step back for maintainability and security best practices. This change seems unrelated to the PR's main goal and I strongly recommend reverting it.

Please keep pull requests focused on a single logical change to make them easier to review and manage.
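One way a reviewer could surface what the second point above describes, as an added example that is not part of this PR or the teuto charts: the script below reads `kubectl get clusterrolebindings -o json` output (a constructed sample is embedded so it runs offline) and lists every binding that grants cluster-admin directly to individual User subjects rather than to a Group. The binding names and subjects in the sample are assumptions modelled on this PR.

```python
"""Audit ClusterRoleBindings for cluster-admin bound to individual Users.

Added example; not code from this PR or the teuto charts. Input is the JSON
shape that `kubectl get clusterrolebindings -o json` produces; a constructed
sample is embedded below so the script runs offline.
"""
import json

# Constructed sample: the teuto-staff binding as changed in this PR, a
# Group-based binding for contrast, and a non-admin binding. Not real output.
SAMPLE_KUBECTL_JSON = json.dumps({
    "items": [
        {"metadata": {"name": "teuto-staff"},
         "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
         "subjects": [
             {"kind": "User", "name": "cwr@teuto.net"},
             {"kind": "User", "name": "mw@teuto.net"},
             {"kind": "User", "name": "st@teuto.net"}]},
        {"metadata": {"name": "ops-group"},
         "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
         "subjects": [{"kind": "Group", "name": "teuto.net:staff"}]},
        {"metadata": {"name": "viewer"},
         "roleRef": {"kind": "ClusterRole", "name": "view"},
         "subjects": [{"kind": "User", "name": "guest@example.invalid"}]},
    ]
})


def cluster_admin_user_bindings(kubectl_json: str) -> dict:
    """Return {binding name: [user names]} for every ClusterRoleBinding whose
    roleRef is the cluster-admin ClusterRole and whose subjects include
    individual User entries (Group and ServiceAccount subjects are ignored)."""
    findings = {}
    for item in json.loads(kubectl_json).get("items", []):
        ref = item.get("roleRef", {})
        if ref.get("kind") != "ClusterRole" or ref.get("name") != "cluster-admin":
            continue
        # `subjects` may be null when a template rendered an empty list
        users = [s["name"] for s in (item.get("subjects") or [])
                 if s.get("kind") == "User"]
        if users:
            findings[item["metadata"]["name"]] = users
    return findings


if __name__ == "__main__":
    for name, users in cluster_admin_user_bindings(SAMPLE_KUBECTL_JSON).items():
        print(f"{name}: cluster-admin bound directly to {len(users)} user(s): "
              + ", ".join(users))
```

Run against a real cluster by piping `kubectl get clusterrolebindings -o json` into `cluster_admin_user_bindings` instead of the embedded sample; a Group-based binding such as ops-group is deliberately not reported.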

coderabbitai Bot left a comment

🧹 Nitpick comments (1)
charts/t8s-cluster/templates/workload-cluster/rbac/teuto-clusterrolebinding.yaml (1)

9-14: Consider parameterizing subjects via values.yaml for maintainability.

Hardcoding user emails in the template requires template modifications when users need to be added or removed. The base-cluster chart demonstrates a more maintainable pattern using the base-cluster.rbac.subjects helper that reads from .Values.rbac.accounts (see charts/base-cluster/templates/rbac/roleBindings.yaml).

Consider either:

  1. Creating a similar helper function for t8s-cluster, or
  2. Reading from a values configuration like .Values.rbac.teutoStaff
♻️ Suggested approach using values

In values.yaml:

rbac:
  teutoStaff:
    - cwr@teuto.net
    - mw@teuto.net
    - st@teuto.net

Then in the template:

 subjects:
-  - kind: User
-    name: cwr@teuto.net
-  - kind: User
-    name: mw@teuto.net
-  - kind: User
-    name: st@teuto.net
+  {{- range .Values.rbac.teutoStaff }}
+  - kind: User
+    name: {{ . }}
+  {{- end }}
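Review bot: the `{{- range .Values.rbac.teutoStaff }}` line at the top of the hunk has no guard for a missing or empty list, so a chart rendered without that key silently produces a ClusterRoleBinding with no subjects instead of failing. Wrapping the value in Helm's `required` function (e.g. `{{- range required "rbac.teutoStaff must be set" .Values.rbac.teutoStaff }}`) or adding a values schema check would turn an absent value into an explicit render error rather than a silent loss of access.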

Review info

Run configuration: defaults; review profile: CHILL; plan: Pro; run ID: a2e79235-0f5f-424d-be96-91145ef84698

Commits: reviewing files that changed from the base of the PR and between d874a56 and 81ccf7e.

Files selected for processing (4):
  • charts/base-cluster/templates/monitoring/deadMansSwitch/cronjob.yaml
  • charts/base-cluster/templates/monitoring/deadMansSwitch/unregister.yaml
  • charts/base-cluster/templates/monitoring/kube-prometheus-stack/_alertmanager-config.yaml
  • charts/t8s-cluster/templates/workload-cluster/rbac/teuto-clusterrolebinding.yaml

Copilot AI left a comment

Pull request overview

This PR updates the Dead Man’s Switch / Healthchecks integration so Alertmanager pings the intended *-monitoring check and aligns check-name generation across templates. It also includes an unrelated RBAC subject change in the t8s-cluster chart.

Changes:

  • Fix Alertmanager Healthchecks ping URL to target the -monitoring check.
  • Reuse the shared base-cluster.deadMansSwitch.checkName helper in cronjob/unregister templates and fix an API key variable reference.
  • Change teuto-staff ClusterRoleBinding subjects from a group to three individual users.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 3 comments.

  • charts/t8s-cluster/templates/workload-cluster/rbac/teuto-clusterrolebinding.yaml: Changes RBAC binding subjects (Group → Users).
  • charts/base-cluster/templates/monitoring/kube-prometheus-stack/_alertmanager-config.yaml: Adjusts healthchecks webhook URL to ping the -monitoring check.
  • charts/base-cluster/templates/monitoring/deadMansSwitch/unregister.yaml: Uses shared checkName helper; fixes API key variable usage for API calls.
  • charts/base-cluster/templates/monitoring/deadMansSwitch/cronjob.yaml: Uses shared checkName helper for the scheduling ping URL.

@cwrau force-pushed the feat/t8s-cluster/granular-rbac branch from 81ccf7e to f8dac7c on March 16, 2026 08:53
@cwrau changed the title from "fix(base-cluster/deadMansSwitch): fix alertmanager healthchecks URL" to "feat(t8s-cluster/rbac): use Users instead of the whole Group" on Mar 16, 2026

@cwrau (Member, Author) commented Mar 16, 2026

@coderabbitai update the descriptions release notes

coderabbitai Bot commented Mar 16, 2026

@cwrau Sure! I'll regenerate the PR summary and release notes now.

✅ Actions performed

Summary regeneration triggered.

@marvinWolff (Collaborator) commented

This excludes everyone except us from the on-call service. This can't be merged without further discussion.


4 participants