diff --git a/CHANGELOG.md b/CHANGELOG.md
index c79f4a65d1..9e36d5a74f 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -12,13 +12,14 @@ Extending the adopted spec, each change should have a link to its corresponding
 ### Added
-* Add `enable_basic_auth` set to `true` by default. This will cause a
- plan change for existing users. Enabling it will require them to set
- a username and password. [#40]
 * Add `basic_auth_username` set to `""` by default. [#40]
 * Add `basic_auth_password` set to `""` by default. [#40]
 * Add `issue_client_certificate` set to `false` by default. [#40]
+### Changed
+
+* Disabled Basic Authentication by default. [#40]
+
 ## [v1.0.1] - 2019-04-04
 ### Added
diff --git a/README.md b/README.md
index 437a3c34fe..f9e23e3e33 100644
--- a/README.md
+++ b/README.md
@@ -101,11 +101,10 @@ In either case, upgrading to module version `v1.0.0` will trigger a recreation o
 | Name | Description | Type | Default | Required |
 |------|-------------|:----:|:-----:|:-----:|
-| basic\_auth\_password | Kubernetes HTTP Basic auth password. Only used if `enable_basic_auth` is true | string | `""` | no |
-| basic\_auth\_username | Kubernetes HTTP Basic auth username. Only used if `enable_basic_auth` is true | string | `""` | no |
+| basic\_auth\_password | The password to be used with Basic Authentication. | string | `""` | no |
+| basic\_auth\_username | The username to be used with Basic Authentication. An empty value will disable Basic Authentication, which is the recommended configuration. | string | `""` | no |
 | description | The description of the cluster | string | `""` | no |
 | disable\_legacy\_metadata\_endpoints | Disable the /0.1/ and /v1beta1/ metadata server endpoints on the node. Changing this value will cause all node pools to be recreated. | string | `"true"` | no |
-| enable\_basic\_auth | Basic authentication allows a user to authenticate to the cluster with a username and password. To maximize the security of your cluster, disable this option. Basic authentication is not recommended because it provides no confidentiality protection for transmitted credentials | string | `"false"` | no |
 | horizontal\_pod\_autoscaling | Enable horizontal pod autoscaling addon | string | `"true"` | no |
 | http\_load\_balancing | Enable httpload balancer addon | string | `"true"` | no |
 | ip\_masq\_link\_local | Whether to masquerade traffic to the link-local prefix (169.254.0.0/16). | string | `"false"` | no |
diff --git a/autogen/cluster_regional.tf b/autogen/cluster_regional.tf
index 5e2425fee8..53d2892271 100644
--- a/autogen/cluster_regional.tf
+++ b/autogen/cluster_regional.tf
@@ -39,8 +39,8 @@ resource "google_container_cluster" "primary" {
 master_authorized_networks_config = ["${var.master_authorized_networks_config}"]
 master_auth {
- username = "${local.cluster_basic_auth_username}"
- password = "${local.cluster_basic_auth_password}"
+ username = "${var.basic_auth_username}"
+ password = "${var.basic_auth_password}"
 client_certificate_config {
 issue_client_certificate = "${var.issue_client_certificate}"
diff --git a/autogen/cluster_zonal.tf b/autogen/cluster_zonal.tf
index e79644cecc..55882b1b86 100644
--- a/autogen/cluster_zonal.tf
+++ b/autogen/cluster_zonal.tf
@@ -39,8 +39,8 @@ resource "google_container_cluster" "zonal_primary" {
 master_authorized_networks_config = ["${var.master_authorized_networks_config}"]
 master_auth {
- username = "${local.cluster_basic_auth_username}"
- password = "${local.cluster_basic_auth_password}"
+ username = "${var.basic_auth_username}"
+ password = "${var.basic_auth_password}"
 client_certificate_config {
 issue_client_certificate = "${var.issue_client_certificate}"
diff --git a/autogen/main.tf b/autogen/main.tf
index 0a984de2f0..9f23ab70e9 100644
--- a/autogen/main.tf
+++ b/autogen/main.tf
@@ -145,9 +145,6 @@ locals {
 cluster_http_load_balancing_enabled = "${local.cluster_type_output_http_load_balancing_enabled[local.cluster_type] ? false : true}"
 cluster_horizontal_pod_autoscaling_enabled = "${local.cluster_type_output_horizontal_pod_autoscaling_enabled[local.cluster_type] ? false : true}"
 cluster_kubernetes_dashboard_enabled = "${local.cluster_type_output_kubernetes_dashboard_enabled[local.cluster_type] ? false : true}"
-
- cluster_basic_auth_username = "${var.enable_basic_auth ? var.basic_auth_username : ""}"
- cluster_basic_auth_password = "${var.enable_basic_auth ? var.basic_auth_password : ""}"
 }
 /******************************************
diff --git a/autogen/variables.tf b/autogen/variables.tf
index 942d937777..ac74db880e 100644
--- a/autogen/variables.tf
+++ b/autogen/variables.tf
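Review bot: With the `enable_basic_auth` gate gone, the `master_auth` block of `google_container_cluster.primary` now forwards `var.basic_auth_password` even when `var.basic_auth_username` is empty, whereas the deleted locals blanked both fields together; nothing in the module checks that the pair is consistent any more, so a stray password would reach the provider (and, as the new upgrade guide notes, the state file) while the username description promises that an empty username disables Basic Authentication. A one-line guard restores the old invariant: `password = "${var.basic_auth_username == "" ? "" : var.basic_auth_password}"`. The same hunk recurs in `autogen/cluster_zonal.tf` and in the `cluster_regional.tf`/`cluster_zonal.tf` copies at the repository root and under `modules/private-cluster/`, which appear to be generated from `autogen/` (the `{% endif %}` in `autogen/variables.tf` suggests templating), so the fix belongs in the template. The `resource` block begins before this hunk and its `client_certificate_config` block continues past it.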
@@ -234,18 +234,13 @@ variable "master_ipv4_cidr_block" {
 }
 {% endif %}
-variable "enable_basic_auth" {
- description = "Basic authentication allows a user to authenticate to the cluster with a username and password. To maximize the security of your cluster, disable this option. Basic authentication is not recommended because it provides no confidentiality protection for transmitted credentials"
- default = "false"
-}
-
 variable "basic_auth_username" {
- description = "Kubernetes HTTP Basic auth username. Only used if `enable_basic_auth` is true"
+ description = "The username to be used with Basic Authentication. An empty value will disable Basic Authentication, which is the recommended configuration."
 default = ""
 }
 variable "basic_auth_password" {
- description = "Kubernetes HTTP Basic auth password. Only used if `enable_basic_auth` is true"
+ description = "The password to be used with Basic Authentication."
 default = ""
 }
diff --git a/cluster_regional.tf b/cluster_regional.tf
index 5333b206d0..25c0a5f779 100644
--- a/cluster_regional.tf
+++ b/cluster_regional.tf
@@ -39,8 +39,8 @@ resource "google_container_cluster" "primary" {
 master_authorized_networks_config = ["${var.master_authorized_networks_config}"]
 master_auth {
- username = "${local.cluster_basic_auth_username}"
- password = "${local.cluster_basic_auth_password}"
+ username = "${var.basic_auth_username}"
+ password = "${var.basic_auth_password}"
 client_certificate_config {
 issue_client_certificate = "${var.issue_client_certificate}"
diff --git a/cluster_zonal.tf b/cluster_zonal.tf
index 1fe696d80f..f4d2c3ca2c 100644
--- a/cluster_zonal.tf
+++ b/cluster_zonal.tf
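Review bot: The new `basic_auth_password` description in `autogen/variables.tf` drops the only security caveat the module carried (the removed `enable_basic_auth` description warned that Basic Authentication provides no confidentiality protection for transmitted credentials) and says nothing about the value being stored in Terraform state, which the upgrade guide added in this same commit treats as important enough for its own paragraph. Suggest `description = "The password to be used with Basic Authentication. Ignored when basic_auth_username is empty; stored in Terraform state, so use a backend that supports encryption at rest (see docs/upgrading_to_v2.0.md)."`, where the "ignored when empty" clause follows from the username description and should be confirmed against the provider before it is promised. The same two description strings recur in `modules/private-cluster/variables.tf` and `variables.tf`, which look like generated copies of this template. Separately, that guide's `[GCS Backend][gcs-backend]` link cannot resolve because its definition at the bottom of the file is spelled `[gsc-backend]`.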
@@ -39,8 +39,8 @@ resource "google_container_cluster" "zonal_primary" {
 master_authorized_networks_config = ["${var.master_authorized_networks_config}"]
 master_auth {
- username = "${local.cluster_basic_auth_username}"
- password = "${local.cluster_basic_auth_password}"
+ username = "${var.basic_auth_username}"
+ password = "${var.basic_auth_password}"
 client_certificate_config {
 issue_client_certificate = "${var.issue_client_certificate}"
diff --git a/docs/upgrading_to_v1.0.md b/docs/upgrading_to_v1.0.md
deleted file mode 100644
index 1492e769a2..0000000000
--- a/docs/upgrading_to_v1.0.md
+++ /dev/null
@@ -1,33 +0,0 @@
-# Upgrading to terraform-google-kubernetes-engine v1.0
-
-The v1.0 release of terraform-google-kubernetes-engine is a backwards incompatible release.
-
-## Migration Instructions
-
-### Re-enabling Kubernetes Basic Authentication
-
-Starting with version 1.12, clusters will have basic authentication and client certificate issuance disabled by default in GKE. In previous versions of *terraform-google-kubernetes-engine* basic auth was silently enabled. It is now disabled by default.
-
-**Re-enabling Kubernetes basic authentication:**
-
-**Note:** enabling basic auth will cause terraform to store your basic auth credentials in state file. It is important to use a backend that supports encryption at rest. [Read more](https://www.terraform.io/docs/state/sensitive-data.html)
-
-```hcl
-module "enabling-basic-auth" {
- source = "terraform-google-modules/kubernetes-engine/google"
- project_id = "${var.project_id}"
- name = "cluster-with-basic-auth"
-
- enable_basic_auth = "true"
- basic_auth_username = "admin"
- basic_auth_password = "s3crets!"
-
- regional = "true"
- region = "${var.region}"
- network = "${var.network}"
- subnetwork = "${var.subnetwork}"
- ip_range_pods = "${var.ip_range_pods}"
- ip_range_services = "${var.ip_range_services}"
- service_account = "${var.compute_engine_service_account}"
-}
-```
diff --git a/docs/upgrading_to_v2.0.md b/docs/upgrading_to_v2.0.md
new file mode 100644
index 0000000000..daa2d50451
--- /dev/null
+++ b/docs/upgrading_to_v2.0.md
@@ -0,0 +1,47 @@
+# Upgrading to v2.0
+
+The v2.0 release of *kubernetes-engine* is a backwards incompatible
+release.
+
+## Migration Instructions
+
+### Enabling Kubernetes Basic Authentication
+
+Starting with GKE v1.12, clusters will have Basic Authentication and
+client certificate issuance disabled by default. In previous versions
+of *kubernetes-engine*, Basic Authentication was enabled and configured with the username `"admin"` and an automatically generated password. Basic Authentication is now disabled by default and requires credentials to be provided to remain enabled.
+
+Using Basic Authentication causes Terraform to store the credentials in
+a state file. It is important to use a Terraform Backend which supports encryption at rest, like the [GCS Backend][gcs-backend]. The
+[Sensitive Data in State article][sensitive-data] provides more context
+and recommendations on how to handle scenarios like this.
+
+```hcl
+terraform {
+ backend "gcs" {
+ bucket = "terraform-state"
+ }
+}
+
+module "enabling-basic-auth" {
+ source = "terraform-google-modules/kubernetes-engine/google"
+ version = "~> 2.0"
+
+ project_id = "${var.project_id}"
+ name = "cluster-with-basic-auth"
+
+ basic_auth_username = "admin"
+ basic_auth_password = "s3crets!"
+
+ regional = "true"
+ region = "${var.region}"
+ network = "${var.network}"
+ subnetwork = "${var.subnetwork}"
+ ip_range_pods = "${var.ip_range_pods}"
+ ip_range_services = "${var.ip_range_services}"
+ service_account = "${var.compute_engine_service_account}"
+}
+```
+
+[gsc-backend]: https://www.terraform.io/docs/backends/types/gcs.html
+[sensitive-data]: https://www.terraform.io/docs/state/sensitive-data.html
diff --git a/examples/disable_client_cert/main.tf b/examples/disable_client_cert/main.tf
index 479b4f0022..550ed7ce1d 100644
--- a/examples/disable_client_cert/main.tf
+++ b/examples/disable_client_cert/main.tf
@@ -24,18 +24,17 @@ provider "google" {
 }
 module "gke" {
- source = "../../"
- project_id = "${var.project_id}"
- name = "${local.cluster_type}-cluster${var.cluster_name_suffix}"
- region = "${var.region}"
- network = "${var.network}"
- network_project_id = "${var.network_project_id}"
- subnetwork = "${var.subnetwork}"
- ip_range_pods = "${var.ip_range_pods}"
- ip_range_services = "${var.ip_range_services}"
- service_account = "${var.compute_engine_service_account}"
+ source = "../../"
- enable_basic_auth = false
+ project_id = "${var.project_id}"
+ name = "${local.cluster_type}-cluster${var.cluster_name_suffix}"
+ region = "${var.region}"
+ network = "${var.network}"
+ network_project_id = "${var.network_project_id}"
+ subnetwork = "${var.subnetwork}"
+ ip_range_pods = "${var.ip_range_pods}"
+ ip_range_services = "${var.ip_range_services}"
+ service_account = "${var.compute_engine_service_account}"
 issue_client_certificate = false
 }
diff --git a/main.tf b/main.tf
index 2662d00747..e96d301c43 100644
--- a/main.tf
+++ b/main.tf
@@ -145,9 +145,6 @@ locals {
 cluster_http_load_balancing_enabled = "${local.cluster_type_output_http_load_balancing_enabled[local.cluster_type] ? false : true}"
 cluster_horizontal_pod_autoscaling_enabled = "${local.cluster_type_output_horizontal_pod_autoscaling_enabled[local.cluster_type] ? false : true}"
 cluster_kubernetes_dashboard_enabled = "${local.cluster_type_output_kubernetes_dashboard_enabled[local.cluster_type] ? false : true}"
-
- cluster_basic_auth_username = "${var.enable_basic_auth ? var.basic_auth_username : ""}"
- cluster_basic_auth_password = "${var.enable_basic_auth ? var.basic_auth_password : ""}"
 }
 /******************************************
@@ -164,6 +161,7 @@ data "google_container_engine_versions" "zone" {
 //
 // data.google_container_engine_versions.zone: Cannot determine zone: set in this resource, or set provider-level zone.
 //
- zone = "${var.zones[0] == "" ? data.google_compute_zones.available.names[0] : var.zones[0]}"
- project = "${var.project_id}"
-}
\ No newline at end of file
+ zone = "${var.zones[0] == "" ? data.google_compute_zones.available.names[0] : var.zones[0]}"
+
+ project = "${var.project_id}"
+}
diff --git a/modules/private-cluster/README.md b/modules/private-cluster/README.md
index cb33931cb3..1379a60ac8 100644
--- a/modules/private-cluster/README.md
+++ b/modules/private-cluster/README.md
@@ -106,11 +106,10 @@ In either case, upgrading to module version `v1.0.0` will trigger a recreation o
 | Name | Description | Type | Default | Required |
 |------|-------------|:----:|:-----:|:-----:|
-| basic\_auth\_password | Kubernetes HTTP Basic auth password. Only used if `enable_basic_auth` is true | string | `""` | no |
-| basic\_auth\_username | Kubernetes HTTP Basic auth username. Only used if `enable_basic_auth` is true | string | `""` | no |
+| basic\_auth\_password | The password to be used with Basic Authentication. | string | `""` | no |
+| basic\_auth\_username | The username to be used with Basic Authentication. An empty value will disable Basic Authentication, which is the recommended configuration. | string | `""` | no |
 | description | The description of the cluster | string | `""` | no |
 | disable\_legacy\_metadata\_endpoints | Disable the /0.1/ and /v1beta1/ metadata server endpoints on the node. Changing this value will cause all node pools to be recreated. | string | `"true"` | no |
-| enable\_basic\_auth | Basic authentication allows a user to authenticate to the cluster with a username and password. To maximize the security of your cluster, disable this option. Basic authentication is not recommended because it provides no confidentiality protection for transmitted credentials | string | `"false"` | no |
 | enable\_private\_endpoint | (Beta) Whether the master's internal IP address is used as the cluster endpoint | string | `"false"` | no |
 | enable\_private\_nodes | (Beta) Whether nodes have internal IP addresses only | string | `"false"` | no |
 | horizontal\_pod\_autoscaling | Enable horizontal pod autoscaling addon | string | `"true"` | no |
diff --git a/modules/private-cluster/cluster_regional.tf b/modules/private-cluster/cluster_regional.tf
index 1096395181..dfa9ae5e0d 100644
--- a/modules/private-cluster/cluster_regional.tf
+++ b/modules/private-cluster/cluster_regional.tf
@@ -39,8 +39,8 @@ resource "google_container_cluster" "primary" {
 master_authorized_networks_config = ["${var.master_authorized_networks_config}"]
 master_auth {
- username = "${local.cluster_basic_auth_username}"
- password = "${local.cluster_basic_auth_password}"
+ username = "${var.basic_auth_username}"
+ password = "${var.basic_auth_password}"
 client_certificate_config {
 issue_client_certificate = "${var.issue_client_certificate}"
diff --git a/modules/private-cluster/cluster_zonal.tf b/modules/private-cluster/cluster_zonal.tf
index c06a874806..372ff73639 100644
--- a/modules/private-cluster/cluster_zonal.tf
+++ b/modules/private-cluster/cluster_zonal.tf
@@ -39,8 +39,8 @@ resource "google_container_cluster" "zonal_primary" {
 master_authorized_networks_config = ["${var.master_authorized_networks_config}"]
 master_auth {
- username = "${local.cluster_basic_auth_username}"
- password = "${local.cluster_basic_auth_password}"
+ username = "${var.basic_auth_username}"
+ password = "${var.basic_auth_password}"
 client_certificate_config {
 issue_client_certificate = "${var.issue_client_certificate}"
diff --git a/modules/private-cluster/main.tf b/modules/private-cluster/main.tf
index 28652f9644..7d38486404 100644
--- a/modules/private-cluster/main.tf
+++ b/modules/private-cluster/main.tf
@@ -145,9 +145,6 @@ locals {
 cluster_http_load_balancing_enabled = "${local.cluster_type_output_http_load_balancing_enabled[local.cluster_type] ? false : true}"
 cluster_horizontal_pod_autoscaling_enabled = "${local.cluster_type_output_horizontal_pod_autoscaling_enabled[local.cluster_type] ? false : true}"
 cluster_kubernetes_dashboard_enabled = "${local.cluster_type_output_kubernetes_dashboard_enabled[local.cluster_type] ? false : true}"
-
- cluster_basic_auth_username = "${var.enable_basic_auth ? var.basic_auth_username : ""}"
- cluster_basic_auth_password = "${var.enable_basic_auth ? var.basic_auth_password : ""}"
 }
 /******************************************
@@ -164,6 +161,7 @@ data "google_container_engine_versions" "zone" {
 //
 // data.google_container_engine_versions.zone: Cannot determine zone: set in this resource, or set provider-level zone.
 //
- zone = "${var.zones[0] == "" ? data.google_compute_zones.available.names[0] : var.zones[0]}"
- project = "${var.project_id}"
-}
\ No newline at end of file
+ zone = "${var.zones[0] == "" ? data.google_compute_zones.available.names[0] : var.zones[0]}"
+
+ project = "${var.project_id}"
+}
diff --git a/modules/private-cluster/variables.tf b/modules/private-cluster/variables.tf
index cec95e31a0..9986daf1c7 100644
--- a/modules/private-cluster/variables.tf
+++ b/modules/private-cluster/variables.tf
@@ -232,18 +232,13 @@ variable "master_ipv4_cidr_block" {
 default = "10.0.0.0/28"
 }
-variable "enable_basic_auth" {
- description = "Basic authentication allows a user to authenticate to the cluster with a username and password. To maximize the security of your cluster, disable this option. Basic authentication is not recommended because it provides no confidentiality protection for transmitted credentials"
- default = "false"
-}
-
 variable "basic_auth_username" {
- description = "Kubernetes HTTP Basic auth username. Only used if `enable_basic_auth` is true"
+ description = "The username to be used with Basic Authentication. An empty value will disable Basic Authentication, which is the recommended configuration."
 default = ""
 }
 variable "basic_auth_password" {
- description = "Kubernetes HTTP Basic auth password. Only used if `enable_basic_auth` is true"
+ description = "The password to be used with Basic Authentication."
 default = ""
 }
diff --git a/variables.tf b/variables.tf
index 922468fc4a..e5a9837669 100644
--- a/variables.tf
+++ b/variables.tf
@@ -217,18 +217,13 @@ variable "service_account" {
 default = ""
 }
-variable "enable_basic_auth" {
- description = "Basic authentication allows a user to authenticate to the cluster with a username and password. To maximize the security of your cluster, disable this option. Basic authentication is not recommended because it provides no confidentiality protection for transmitted credentials"
- default = "false"
-}
-
 variable "basic_auth_username" {
- description = "Kubernetes HTTP Basic auth username. Only used if `enable_basic_auth` is true"
+ description = "The username to be used with Basic Authentication. An empty value will disable Basic Authentication, which is the recommended configuration."
 default = ""
 }
 variable "basic_auth_password" {
- description = "Kubernetes HTTP Basic auth password. Only used if `enable_basic_auth` is true"
+ description = "The password to be used with Basic Authentication."
 default = ""
 }