Merge pull request #40 from terraform-google-modules/37-disable-clien…

…t-cert

Support for disabling basic auth / client cert

.kitchen.yml

@@ -37,6 +37,19 @@ suites:
           backend: local
     provisioner:
       name: terraform
+  - name: "disable_client_cert"
+    driver:
+      name: "terraform"
+      command_timeout: 1800
+      root_module_directory: test/fixtures/disable_client_cert
+    verifier:
+      name: terraform
+      color: false
+      systems:
+        - name: disable_client_cert
+          backend: local
+    provisioner:
+      name: terraform
   - name: "node_pool"
     driver:
       name: "terraform"

CHANGELOG.md

@@ -10,10 +10,17 @@ Extending the adopted spec, each change should have a link to its corresponding
 
 ## [v2.0.0] - 2019-YY-ZZ
 
+### Added
+
+* Add `basic_auth_username` set to `""` by default. [#40]
+* Add `basic_auth_password` set to `""` by default. [#40]
+* Add `issue_client_certificate` set to `false` by default. [#40]
+
 ### Changed
 
 * The `service_account` variable defaults  to `"create"` which causes a
   cluster-specific service account to be created.
+* Disabled Basic Authentication by default. [#40]
 
 ## [v1.0.1] - 2019-04-04
 
@@ -40,7 +47,9 @@ Extending the adopted spec, each change should have a link to its corresponding
 * Added `disable_legacy_metadata_endpoints` parameter. [#114]
 
 ### Changed
-* Set `horizontal_pod_autoscaling` to `true` by default. Fixes [#42]. [#54]
+
+* Set `horizontal_pod_autoscaling` to `true` by default.
+  Fixes [#42]. [#54]
 * Update simple-zonal example GKE version to supported version. [#49]
 * Drop explicit version from simple_zonal example. [#74]
 * Remove explicit versions from test cases and examples. [#62]
@@ -113,6 +122,7 @@ Extending the adopted spec, each change should have a link to its corresponding
 [#46]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/pull/46
 [#43]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/43
 [#42]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/42
+[#40]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/pull/40
 [#38]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/pull/38
 [#33]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/pull/33
 [#31]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/pull/31

README.md

@@ -106,6 +106,8 @@ In either case, upgrading to module version `v1.0.0` will trigger a recreation o
 
 | Name | Description | Type | Default | Required |
 |------|-------------|:----:|:-----:|:-----:|
+| basic\_auth\_password | The password to be used with Basic Authentication. | string | `""` | no |
+| basic\_auth\_username | The username to be used with Basic Authentication. An empty value will disable Basic Authentication, which is the recommended configuration. | string | `""` | no |
 | description | The description of the cluster | string | `""` | no |
 | disable\_legacy\_metadata\_endpoints | Disable the /0.1/ and /v1beta1/ metadata server endpoints on the node. Changing this value will cause all node pools to be recreated. | string | `"true"` | no |
 | horizontal\_pod\_autoscaling | Enable horizontal pod autoscaling addon | string | `"true"` | no |
@@ -114,6 +116,7 @@ In either case, upgrading to module version `v1.0.0` will trigger a recreation o
 | ip\_masq\_resync\_interval | The interval at which the agent attempts to sync its ConfigMap file from the disk. | string | `"60s"` | no |
 | ip\_range\_pods | The _name_ of the secondary subnet ip range to use for pods | string | n/a | yes |
 | ip\_range\_services | The _name_ of the secondary subnet range to use for services | string | n/a | yes |
+| issue\_client\_certificate | Issues a client certificate to authenticate to the cluster endpoint. To maximize the security of your cluster, leave this option disabled. Client certificates don't automatically rotate and aren't easily revocable. WARNING: changing this after cluster creation is destructive! | string | `"false"` | no |
 | kubernetes\_dashboard | Enable kubernetes dashboard addon | string | `"false"` | no |
 | kubernetes\_version | The Kubernetes version of the masters. If set to 'latest' it will pull latest available version in the selected region. | string | `"latest"` | no |
 | logging\_service | The logging service that the cluster should write logs to. Available options include logging.googleapis.com, logging.googleapis.com/kubernetes (beta), and none | string | `"logging.googleapis.com"` | no |

autogen/cluster_regional.tf

@@ -38,6 +38,15 @@ resource "google_container_cluster" "primary" {
 
   master_authorized_networks_config = ["${var.master_authorized_networks_config}"]
 
+  master_auth {
+    username = "${var.basic_auth_username}"
+    password = "${var.basic_auth_password}"
+
+    client_certificate_config {
+      issue_client_certificate = "${var.issue_client_certificate}"
+    }
+  }
+
   addons_config {
     http_load_balancing {
       disabled = "${var.http_load_balancing ? 0 : 1}"

autogen/cluster_zonal.tf

@@ -38,6 +38,15 @@ resource "google_container_cluster" "zonal_primary" {
 
   master_authorized_networks_config = ["${var.master_authorized_networks_config}"]
 
+  master_auth {
+    username = "${var.basic_auth_username}"
+    password = "${var.basic_auth_password}"
+
+    client_certificate_config {
+      issue_client_certificate = "${var.issue_client_certificate}"
+    }
+  }
+
   addons_config {
     http_load_balancing {
       disabled = "${var.http_load_balancing ? 0 : 1}"

autogen/variables.tf

@@ -233,3 +233,18 @@ variable "master_ipv4_cidr_block" {
   default      = "10.0.0.0/28"
 }
 {% endif %}
+
+variable "basic_auth_username" {
+  description = "The username to be used with Basic Authentication. An empty value will disable Basic Authentication, which is the recommended configuration."
+  default = ""
+}
+
+variable "basic_auth_password" {
+  description = "The password to be used with Basic Authentication."
+  default = ""
+}
+
+variable "issue_client_certificate" {
+  description = "Issues a client certificate to authenticate to the cluster endpoint. To maximize the security of your cluster, leave this option disabled. Client certificates don't automatically rotate and aren't easily revocable. WARNING: changing this after cluster creation is destructive!"
+  default = "false"
+}

cluster_regional.tf

@@ -38,6 +38,15 @@ resource "google_container_cluster" "primary" {
 
   master_authorized_networks_config = ["${var.master_authorized_networks_config}"]
 
+  master_auth {
+    username = "${var.basic_auth_username}"
+    password = "${var.basic_auth_password}"
+
+    client_certificate_config {
+      issue_client_certificate = "${var.issue_client_certificate}"
+    }
+  }
+
   addons_config {
     http_load_balancing {
       disabled = "${var.http_load_balancing ? 0 : 1}"

cluster_zonal.tf

@@ -38,6 +38,15 @@ resource "google_container_cluster" "zonal_primary" {
 
   master_authorized_networks_config = ["${var.master_authorized_networks_config}"]
 
+  master_auth {
+    username = "${var.basic_auth_username}"
+    password = "${var.basic_auth_password}"
+
+    client_certificate_config {
+      issue_client_certificate = "${var.issue_client_certificate}"
+    }
+  }
+
   addons_config {
     http_load_balancing {
       disabled = "${var.http_load_balancing ? 0 : 1}"

docs/upgrading_to_v2.0.md

@@ -41,3 +41,77 @@ module "kubernetes_engine" {
   service_account = "${module.project_factory.service_account_email}"
 }
 ```
+
+### Enabling Kubernetes Basic Authentication
+
+Starting with GKE v1.12, clusters will by default disable the Basic
+Authentication method of authenticating. In previous versions of
+*kubernetes-engine*, Basic Authentication was enabled and configured
+with the username `"admin"` and an automatically generated password if
+the managed version of Kubernetes was less than v1.12.
+Basic Authentication is now requires credentials to be provided to be
+enabled.
+
+Using Basic Authentication causes Terraform to store the credentials in
+a state file. It is important to use a Terraform Backend which supports
+encryption at rest, like the [GCS Backend][gcs-backend]. The
+[Sensitive Data in State article][sensitive-data] provides more context
+and recommendations on how to handle scenarios like this.
+
+```hcl
+terraform {
+  backend "gcs" {
+    bucket = "terraform-state"
+  }
+}
+
+module "enabling-basic-auth" {
+  source  = "terraform-google-modules/kubernetes-engine/google"
+  version = "~> 2.0"
+
+  project_id = "${var.project_id}"
+  name       = "cluster-with-basic-auth"
+
+  basic_auth_username = "admin"
+  basic_auth_password = "s3crets!"
+
+  regional          = "true"
+  region            = "${var.region}"
+  network           = "${var.network}"
+  subnetwork        = "${var.subnetwork}"
+  ip_range_pods     = "${var.ip_range_pods}"
+  ip_range_services = "${var.ip_range_services}"
+  service_account   = "${var.compute_engine_service_account}"
+}
+```
+
+### Enabling Kubernetes Client Certificate
+
+Starting with GKE v1.12, clusters will disable by default the client
+certificate method of authenticating. In previous versions
+of *kubernetes-engine*, client certificate authentication was enabled
+if the managed version of Kubernetes was less than v1.12. Client
+certificate authentication must now be explicitly enabled.
+
+```hcl
+module "enabling-client-certificate" {
+  source  = "terraform-google-modules/kubernetes-engine/google"
+  version = "~> 2.0"
+
+  project_id = "${var.project_id}"
+  name       = "cluster-with-client-certificate"
+
+  issue_client_certificate = "true"
+
+  regional          = "true"
+  region            = "${var.region}"
+  network           = "${var.network}"
+  subnetwork        = "${var.subnetwork}"
+  ip_range_pods     = "${var.ip_range_pods}"
+  ip_range_services = "${var.ip_range_services}"
+  service_account   = "${var.compute_engine_service_account}"
+}
+```
+
+[gsc-backend]: https://www.terraform.io/docs/backends/types/gcs.html
+[sensitive-data]: https://www.terraform.io/docs/state/sensitive-data.html

examples/disable_client_cert/README.md

@@ -0,0 +1,49 @@
+# Disable Client Certificate
+
+This example illustrates how to create a simple cluster and disable deprecated security features:
+
+* basic auth
+* client certificate
+
+[^]: (autogen_docs_start)
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|:----:|:-----:|:-----:|
+| cluster\_name\_suffix | A suffix to append to the default cluster name | string | `""` | no |
+| compute\_engine\_service\_account | Service account to associate to the nodes in the cluster | string | n/a | yes |
+| credentials\_path | The path to the GCP credentials JSON file | string | n/a | yes |
+| ip\_range\_pods | The secondary ip range to use for pods | string | n/a | yes |
+| ip\_range\_services | The secondary ip range to use for pods | string | n/a | yes |
+| network | The VPC network to host the cluster in | string | n/a | yes |
+| network\_project\_id | The GCP project housing the VPC network to host the cluster in | string | n/a | yes |
+| project\_id | The project ID to host the cluster in | string | n/a | yes |
+| region | The region to host the cluster in | string | n/a | yes |
+| subnetwork | The subnetwork to host the cluster in | string | n/a | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| ca\_certificate |  |
+| client\_token |  |
+| cluster\_name | Cluster name |
+| ip\_range\_pods | The secondary IP range used for pods |
+| ip\_range\_services | The secondary IP range used for services |
+| kubernetes\_endpoint |  |
+| location |  |
+| master\_kubernetes\_version | The master Kubernetes version |
+| network |  |
+| project\_id |  |
+| region |  |
+| subnetwork |  |
+| zones | List of zones in which the cluster resides |
+
+[^]: (autogen_docs_end)
+
+To provision this example, run the following from within this directory:
+- `terraform init` to get the plugins
+- `terraform plan` to see the infrastructure plan
+- `terraform apply` to apply the infrastructure build
+- `terraform destroy` to destroy the built infrastructure

examples/disable_client_cert/main.tf

@@ -0,0 +1,41 @@
+/**
+ * Copyright 2018 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+locals {
+  cluster_type = "disable-cluster-cert"
+}
+
+provider "google" {
+  credentials = "${file(var.credentials_path)}"
+  region      = "${var.region}"
+}
+
+module "gke" {
+  source = "../../"
+
+  project_id               = "${var.project_id}"
+  name                     = "${local.cluster_type}-cluster${var.cluster_name_suffix}"
+  region                   = "${var.region}"
+  network                  = "${var.network}"
+  network_project_id       = "${var.network_project_id}"
+  subnetwork               = "${var.subnetwork}"
+  ip_range_pods            = "${var.ip_range_pods}"
+  ip_range_services        = "${var.ip_range_services}"
+  service_account          = "${var.compute_engine_service_account}"
+  issue_client_certificate = false
+}
+
+data "google_client_config" "default" {}

examples/disable_client_cert/outputs.tf

@@ -0,0 +1,29 @@
+/**
+ * Copyright 2018 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+output "kubernetes_endpoint" {
+  sensitive = true
+  value     = "${module.gke.endpoint}"
+}
+
+output "client_token" {
+  sensitive = true
+  value     = "${base64encode(data.google_client_config.default.access_token)}"
+}
+
+output "ca_certificate" {
+  value = "${module.gke.ca_certificate}"
+}

examples/disable_client_cert/test_outputs.tf

@@ -0,0 +1 @@
+../../test/fixtures/all_examples/test_outputs.tf