* Fix a bunch of issues with GCP blueprints for private GKE.
* Tracking issue kubeflow/gcp-blueprints#33
* Fix the setters on firewall rules. They should be partial setters so we don't lose the suffixes.
* Add a firewall rule to allow cert-manager webhooks. This is necessary to work with private GKE, ref https://docs.cert-manager.io/en/release-0.11/getting-started/webhook.html#running-on-private-gke-clusters
* Add kpt/kustomize function to configure the transform to replace images with the mirror'd image versions.
* Update image mirroring configs
  * Instead of using "*" to match all images we list out image prefixes to match so we are a bit more intentional.
  * We want to include gcr.io images in order to support working with VPC-SC. For VPC-SC, gcr.io images need to be mirror'd as well because they are unlikely to be within the perimeter.
  * Use the location gcr.io/${PROJECT}/mirror. It looks like the mirroring pipeline includes the registry name.
* Change the release channel on the cluster to be upper case
  * Per https://github.com/GoogleCloudPlatform/k8s-config-connector/issues/194 we need release channels to be upper case, otherwise updates fail.
* centraldashboard v3 kustomization.yaml needs an image stanza
  * Without this we end up deploying using tag "latest", which isn't what we want.
* Use CNRM to enable services kubeflow/gcp-blueprints#31
* Remove cert-manager ACME challenge from excluded paths for JWT validation
  * We no longer use cert-manager so we no longer need to allow that path.
* We need to add a default network route in order to allow Cloud NAT to provide outbound internet access
  * Need to access jwks
  * Give routes and NAT resources unique names based on the KF name.
  * Route to public internet should be higher priority so Google APIs take precedence.
* Regenerate tests.