From 762d71c32b80fef37e32724ed878548e14f86435 Mon Sep 17 00:00:00 2001
From: Robert Bailey
Date: Tue, 9 Jul 2019 21:43:41 -0700
Subject: [PATCH] Explicitly disable creation of the client certificate on GKE, which is the default starting with 1.12. Also remove the output variables for client key and client certificate.
---
 build/cluster.tf | 17 +++++------------
 build/modules/gke/cluster.tf | 7 ++++++-
 build/modules/gke/outputs.tf | 10 ----------
 3 files changed, 11 insertions(+), 23 deletions(-)
diff --git a/build/cluster.tf b/build/cluster.tf
index 849bc5671c..50b09e4a07 100644
--- a/build/cluster.tf
+++ b/build/cluster.tf
@@ -78,9 +78,14 @@ resource "google_container_cluster" "primary" {
 provider = "google-beta"
 # Setting an empty username and password explicitly disables basic auth
+ # TODO(roberthbailey): Remove the entire master_auth block when switching to 1.12.
 master_auth {
 username = "${local.username}"
 password = "${var.password}"
+
+ client_certificate_config {
+ issue_client_certificate = false
+ }
 }
 enable_legacy_abac = "${lookup(var.cluster, "legacyAbac")}"
 node_pool = [
@@ -177,18 +182,6 @@ resource "google_compute_network" "default" {
 name = "agones-network-${lookup(var.cluster, "name")}"
 }
-
-
-# The following outputs allow authentication and connectivity to the GKE Cluster
-# by using certificate-based authentication.
-output "client_certificate" {
- value = "${google_container_cluster.primary.master_auth.0.client_certificate}"
-}
-
-output "client_key" {
- value = "${google_container_cluster.primary.master_auth.0.client_key}"
-}
-
 output "cluster_ca_certificate" {
 value = "${google_container_cluster.primary.master_auth.0.cluster_ca_certificate}"
 }
diff --git a/build/modules/gke/cluster.tf b/build/modules/gke/cluster.tf
index c903cb3823..f63db41d17 100644
--- a/build/modules/gke/cluster.tf
+++ b/build/modules/gke/cluster.tf
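Review bot: In the `master_auth` block of build/cluster.tf, the comment says an empty username and password disable basic auth, but the values come from `local.username` and `var.password`, which are defined outside this hunk, so a non-empty password would leave a static credential enabled even with client certificates turned off. The same block appears in the first hunk of build/modules/gke/cluster.tf. I would make the condition explicit in the comment, e.g. `# Basic auth stays enabled unless local.username and var.password are both empty.`, and confirm that the variable defaults are empty. The resource body continues outside the hunk.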
@@ -55,9 +55,14 @@ resource "google_container_cluster" "primary" {
 project = "${lookup(var.cluster, "project")}"
 provider = "google-beta"
 # Setting an empty username and password explicitly disables basic auth
+ # TODO(roberthbailey): Remove the entire master_auth block when switching to 1.12.
 master_auth {
 username = "${local.username}"
 password = "${var.password}"
+
+ client_certificate_config {
+ issue_client_certificate = false
+ }
 }
 remove_default_node_pool = true
 enable_legacy_abac = "${lookup(var.cluster, "legacyAbac")}"
@@ -166,4 +171,4 @@ resource "google_compute_firewall" "default" {
 resource "google_compute_network" "default" {
 project = "${lookup(var.cluster, "project")}"
 name = "agones-network-${lookup(var.cluster, "name")}"
-}
\ No newline at end of file
+}
diff --git a/build/modules/gke/outputs.tf b/build/modules/gke/outputs.tf
index ce1e098d88..8ba0452ecf 100644
--- a/build/modules/gke/outputs.tf
+++ b/build/modules/gke/outputs.tf
@@ -12,16 +12,6 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
-# The following outputs allow authentication and connectivity to the GKE Cluster
-# by using certificate-based authentication.
-output "client_certificate" {
- value = "${google_container_cluster.primary.master_auth.0.client_certificate}"
-}
-
-output "client_key" {
- value = "${google_container_cluster.primary.master_auth.0.client_key}"
-}
-
 output "cluster_ca_certificate" {
 value = "${base64decode(google_container_cluster.primary.master_auth.0.cluster_ca_certificate)}"
 }
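Review bot: `issue_client_certificate = false` in the `master_auth` block of build/modules/gke/cluster.tf only stops a certificate from being issued; a cluster created before this change keeps its already-issued client certificate, and any `client_key` captured in older Terraform state, until the cluster credentials are rotated. I would record that next to the setting, e.g. `# Existing clusters keep their issued client certificate until credentials are rotated.` Depending on the provider version, changing this field on an existing cluster may also force the cluster to be replaced, so the plan output is worth checking before applying. The resource body continues outside the hunk.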