place-labs / k8s-helm

Helm charts for PlaceOS on Kubernetes

Feat/staff api #53

Closed viv-4 closed 2 years ago

viv-4 commented 2 years ago

Opening a new PR for this:

staff api and postgres
openshift v4
single namespace
separate release names for third party charts
internal registry option
placeos image version update
gcp https layer 7 lb
secret generation
search-ingest & frontend load image name change

GKE now deploys with a layer 7 load balancer, which requires the name of a Cloud Armor security policy in the inventory file. Creating this policy in k8s-terraform is on the todo list, but it is a simple manual process in the meantime.

The security policy when deploying to GKE adds rules allowing all to the namespace, denying the GCP VPC IP ranges, and allowing pod to pod in the namespace. This is to allow the load balancer while denying any other namespaces or compute resources. If there is a way to identify the internal IP of the load balancer or the range it sits in, it would be preferable to allow only that. See: https://stackoverflow.com/a/54281975

Other environments keep the deny all, allow ingress policies. This is defined by setting the ansible variable "gke" when running the network policy playbook (noted in the ansible readme). commit: https://github.com/place-labs/k8s-helm/pull/53/commits/2d868f49fd6e89de08e8369c0cc4164af7a2eba2

** There are a few issues to resolve with the new charts & gcp changes
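The two policy modes described in the comment above, written out as Kubernetes NetworkPolicy objects. This is an added example for illustration, not the chart's or the playbook's own manifests: the namespace name `placeos`, the VPC CIDR `10.128.0.0/9`, the ingress-controller namespace label and the policy names are placeholders. The GKE mode's "deny the VPC ranges" has no direct NetworkPolicy equivalent (there is no deny verb), so it is expressed as an `ipBlock` allow on `0.0.0.0/0` with the VPC ranges carved out via `except`, on top of a default-deny policy; the last object shows the tighter "allow only the load balancer's range" variant the comment asks for, using Google's documented proxy/health-check source ranges, which should be verified against current GCP documentation before use.

```yaml
# Added example (not from the k8s-helm repo). All names and CIDRs are placeholders.
---
# Both modes start from this: an empty podSelector with an Ingress policyType and
# no rules denies all ingress to every pod in the namespace. NetworkPolicy is
# additive, so the policies below can only widen what this one allows.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: placeos
spec:
  podSelector: {}
  policyTypes:
    - Ingress
---
# Both modes: allow pod-to-pod traffic inside the namespace.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-same-namespace
  namespace: placeos
spec:
  podSelector: {}
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector: {}
---
# Non-GKE mode (the "deny all, allow ingress" default): admit traffic only from
# the in-cluster ingress controller's namespace. The label value is a placeholder.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-from-ingress-controller
  namespace: placeos
spec:
  podSelector: {}
  policyTypes:
    - Ingress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: ingress-nginx
---
# GKE mode (gke=true): the Google L7 load balancer reaches pods from outside the
# VPC, so "allow all, deny the VPC ranges" becomes an allow on 0.0.0.0/0 with the
# VPC carved out. The except list must cover the node, pod and service ranges of
# the VPC so other namespaces and compute instances stay blocked.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-external-except-vpc
  namespace: placeos
spec:
  podSelector: {}
  policyTypes:
    - Ingress
  ingress:
    - from:
        - ipBlock:
            cidr: 0.0.0.0/0
            except:
              - 10.128.0.0/9   # placeholder: replace with the VPC's subnet ranges
---
# Tighter GKE alternative: with container-native (NEG) backends, proxied requests
# and health checks arrive from Google's documented proxy/health-check ranges.
# Allowing only those replaces the broad 0.0.0.0/0 rule above. Assumption: these
# ranges are current; check GCP docs before relying on them.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-from-google-lb
  namespace: placeos
spec:
  podSelector: {}
  policyTypes:
    - Ingress
  ingress:
    - from:
        - ipBlock:
            cidr: 130.211.0.0/22
        - ipBlock:
            cidr: 35.191.0.0/16
```

Apply one mode or the other, never both `allow-external-except-vpc` and `allow-from-google-lb` together, since the broad rule would make the narrow one meaningless. NetworkPolicy objects are only enforced when the cluster's CNI supports them (on GKE, network policy enforcement or Dataplane V2 must be enabled); `kubectl describe networkpolicy -n placeos` shows what was applied, but only a connectivity test from another namespace confirms it is actually enforced.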