Support for Open Policy Agent Gatekeeper (#97)

osinfra-io · Oct 12, 2024 · 8cce1d6 · 8cce1d6
1 parent 316b247
commit 8cce1d6
Show file tree

Hide file tree

Showing 7 changed files with 18 additions and 15 deletions.
diff --git a/.gitignore b/.gitignore
@@ -18,9 +18,6 @@ crash.log
 # be included in version control.
 local.tfvars
 
-# Provider.tf is used for local development of modules and shouldn't be added to repos.
-provider.tf
-
 # Ignore override files as they are usually used to override ressources locally
 override.tf
 override.tf.json

diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -3,7 +3,7 @@
 
 repos:
   - repo: https://github.com/pre-commit/pre-commit-hooks
-    rev: v4.6.0
+    rev: v5.0.0
     hooks:
       - id: check-yaml
       - id: end-of-file-fixer
@@ -29,7 +29,7 @@ repos:
       - id: terraform_docs
 
   - repo: https://github.com/bridgecrewio/checkov.git
-    rev: 3.2.255
+    rev: 3.2.257
     hooks:
       - id: checkov
         verbose: true

diff --git a/README.md b/README.md
@@ -87,7 +87,7 @@ No requirements.
 
 | Name | Version |
 |------|---------|
-| <a name="provider_google"></a> [google](#provider\_google) | 6.4.0 |
+| <a name="provider_google"></a> [google](#provider\_google) | 6.6.0 |
 | <a name="provider_random"></a> [random](#provider\_random) | 3.6.3 |
 
 ### Modules

diff --git a/regional/README.md b/regional/README.md
@@ -11,7 +11,7 @@ No requirements.
 
 | Name | Version |
 |------|---------|
-| <a name="provider_google"></a> [google](#provider\_google) | 6.4.0 |
+| <a name="provider_google"></a> [google](#provider\_google) | 6.6.0 |
 | <a name="provider_random"></a> [random](#provider\_random) | 3.6.3 |
 
 ## Modules

diff --git a/regional/main.tf b/regional/main.tf
@@ -249,8 +249,13 @@ resource "google_container_node_pool" "this" {
     disk_size_gb      = each.value.disk_size_gb
     disk_type         = each.value.disk_type
     image_type        = each.value.image_type
-    labels            = var.labels
-    machine_type      = each.value.machine_type
+
+    kubelet_config {
+      insecure_kubelet_readonly_port_enabled = "FALSE"
+    }
+
+    labels       = var.labels
+    machine_type = each.value.machine_type
 
     metadata = {
       "disable-legacy-endpoints" = true

diff --git a/regional/onboarding/README.md b/regional/onboarding/README.md
@@ -11,8 +11,8 @@ No requirements.
 
 | Name | Version |
 |------|---------|
-| <a name="provider_google"></a> [google](#provider\_google) | 6.4.0 |
-| <a name="provider_kubernetes"></a> [kubernetes](#provider\_kubernetes) | 2.32.0 |
+| <a name="provider_google"></a> [google](#provider\_google) | 6.6.0 |
+| <a name="provider_kubernetes"></a> [kubernetes](#provider\_kubernetes) | 2.33.0 |
 
 ## Modules
 

diff --git a/regional/onboarding/main.tf b/regional/onboarding/main.tf
@@ -14,10 +14,11 @@ resource "kubernetes_namespace_v1" "this" {
   for_each = merge(
     var.namespaces,
     {
-      "cert-manager"  = { istio_injection = "disabled" },
-      "datadog"       = { istio_injection = "disabled" },
-      "istio-ingress" = { istio_injection = "enabled" },
-      "istio-system"  = { istio_injection = "disabled" }
+      "cert-manager"      = { istio_injection = "disabled" },
+      "datadog"           = { istio_injection = "disabled" },
+      "gatekeeper-system" = { istio_injection = "disabled" },
+      "istio-ingress"     = { istio_injection = "enabled" },
+      "istio-system"      = { istio_injection = "disabled" }
     }
   )