rebasing / merge conflicts

README.md

@@ -105,7 +105,7 @@ In either case, upgrading to module version `v1.0.0` will trigger a recreation o
 | basic\_auth\_username | Kubernetes HTTP Basic auth username. Only used if `enable_basic_auth` is true | string | `""` | no |
 | description | The description of the cluster | string | `""` | no |
 | disable\_legacy\_metadata\_endpoints | Disable the /0.1/ and /v1beta1/ metadata server endpoints on the node. Changing this value will cause all node pools to be recreated. | string | `"true"` | no |
-| enable\_basic\_auth | Basic authentication allows a user to authenticate to the cluster with a username and password. To maximize the security of your cluster, disable this option. Basic authentication is not recommended because it provides no confidentiality protection for transmitted credentials | string | `"true"` | no |
+| enable\_basic\_auth | Basic authentication allows a user to authenticate to the cluster with a username and password. To maximize the security of your cluster, disable this option. Basic authentication is not recommended because it provides no confidentiality protection for transmitted credentials | string | `"false"` | no |
 | horizontal\_pod\_autoscaling | Enable horizontal pod autoscaling addon | string | `"true"` | no |
 | http\_load\_balancing | Enable httpload balancer addon | string | `"true"` | no |
 | ip\_masq\_link\_local | Whether to masquerade traffic to the link-local prefix (169.254.0.0/16). | string | `"false"` | no |
@@ -342,4 +342,4 @@ are as follows:
 is a compiled language so there is no standard linter.
 * Terraform - terraform has a built-in linter in the 'terraform validate'
 command.
-* Dockerfiles - hadolint. Can be found in homebrew
+* Dockerfiles - hadolint. Can be found in homebrew

autogen/variables.tf

@@ -236,7 +236,7 @@ variable "master_ipv4_cidr_block" {
 
 variable "enable_basic_auth" {
   description = "Basic authentication allows a user to authenticate to the cluster with a username and password. To maximize the security of your cluster, disable this option. Basic authentication is not recommended because it provides no confidentiality protection for transmitted credentials"
-  default = "true"
+  default = "false"
 }
 
 variable "basic_auth_username" {

examples/disable_client_cert/README.md

@@ -46,4 +46,4 @@ To provision this example, run the following from within this directory:
 - `terraform init` to get the plugins
 - `terraform plan` to see the infrastructure plan
 - `terraform apply` to apply the infrastructure build
-- `terraform destroy` to destroy the built infrastructure
+- `terraform destroy` to destroy the built infrastructure

main.tf

@@ -156,6 +156,7 @@ locals {
 data "google_container_engine_versions" "region" {
   provider = "google-beta"
   region   = "${var.region}"
+  project  = "${var.project_id}"
 }
 
 data "google_container_engine_versions" "zone" {

modules/private-cluster/README.md

@@ -106,8 +106,11 @@ In either case, upgrading to module version `v1.0.0` will trigger a recreation o
 
 | Name | Description | Type | Default | Required |
 |------|-------------|:----:|:-----:|:-----:|
+| basic\_auth\_password | Kubernetes HTTP Basic auth password. Only used if `enable_basic_auth` is true | string | `""` | no |
+| basic\_auth\_username | Kubernetes HTTP Basic auth username. Only used if `enable_basic_auth` is true | string | `""` | no |
 | description | The description of the cluster | string | `""` | no |
 | disable\_legacy\_metadata\_endpoints | Disable the /0.1/ and /v1beta1/ metadata server endpoints on the node. Changing this value will cause all node pools to be recreated. | string | `"true"` | no |
+| enable\_basic\_auth | Basic authentication allows a user to authenticate to the cluster with a username and password. To maximize the security of your cluster, disable this option. Basic authentication is not recommended because it provides no confidentiality protection for transmitted credentials | string | `"false"` | no |
 | enable\_private\_endpoint | (Beta) Whether the master's internal IP address is used as the cluster endpoint | string | `"false"` | no |
 | enable\_private\_nodes | (Beta) Whether nodes have internal IP addresses only | string | `"false"` | no |
 | horizontal\_pod\_autoscaling | Enable horizontal pod autoscaling addon | string | `"true"` | no |
@@ -116,6 +119,7 @@ In either case, upgrading to module version `v1.0.0` will trigger a recreation o
 | ip\_masq\_resync\_interval | The interval at which the agent attempts to sync its ConfigMap file from the disk. | string | `"60s"` | no |
 | ip\_range\_pods | The _name_ of the secondary subnet ip range to use for pods | string | n/a | yes |
 | ip\_range\_services | The _name_ of the secondary subnet range to use for services | string | n/a | yes |
+| issue\_client\_certificate | Issues a client certificate to authenticate to the cluster endpoint. To maximize the security of your cluster, leave this option disabled. Client certificates don't automatically rotate and aren't easily revocable. WARNING: changing this after cluster creation is destructive! | string | `"false"` | no |
 | kubernetes\_dashboard | Enable kubernetes dashboard addon | string | `"false"` | no |
 | kubernetes\_version | The Kubernetes version of the masters. If set to 'latest' it will pull latest available version in the selected region. | string | `"latest"` | no |
 | logging\_service | The logging service that the cluster should write logs to. Available options include logging.googleapis.com, logging.googleapis.com/kubernetes (beta), and none | string | `"logging.googleapis.com"` | no |

modules/private-cluster/cluster_regional.tf

@@ -38,6 +38,15 @@ resource "google_container_cluster" "primary" {
 
   master_authorized_networks_config = ["${var.master_authorized_networks_config}"]
 
+  master_auth {
+    username = "${local.cluster_basic_auth_username}"
+    password = "${local.cluster_basic_auth_password}"
+
+    client_certificate_config {
+      issue_client_certificate = "${var.issue_client_certificate}"
+    }
+  }
+
   addons_config {
     http_load_balancing {
       disabled = "${var.http_load_balancing ? 0 : 1}"

modules/private-cluster/cluster_zonal.tf

@@ -38,6 +38,15 @@ resource "google_container_cluster" "zonal_primary" {
 
   master_authorized_networks_config = ["${var.master_authorized_networks_config}"]
 
+  master_auth {
+    username = "${local.cluster_basic_auth_username}"
+    password = "${local.cluster_basic_auth_password}"
+
+    client_certificate_config {
+      issue_client_certificate = "${var.issue_client_certificate}"
+    }
+  }
+
   addons_config {
     http_load_balancing {
       disabled = "${var.http_load_balancing ? 0 : 1}"

modules/private-cluster/main.tf

@@ -145,6 +145,9 @@ locals {
   cluster_http_load_balancing_enabled        = "${local.cluster_type_output_http_load_balancing_enabled[local.cluster_type] ? false : true}"
   cluster_horizontal_pod_autoscaling_enabled = "${local.cluster_type_output_horizontal_pod_autoscaling_enabled[local.cluster_type] ? false : true}"
   cluster_kubernetes_dashboard_enabled       = "${local.cluster_type_output_kubernetes_dashboard_enabled[local.cluster_type] ? false : true}"
+
+  cluster_basic_auth_username = "${var.enable_basic_auth ? var.basic_auth_username : ""}"
+  cluster_basic_auth_password = "${var.enable_basic_auth ? var.basic_auth_password : ""}"
 }
 
 /******************************************

modules/private-cluster/outputs.tf

@@ -110,5 +110,5 @@ output "node_pools_versions" {
 
 output "service_account" {
   description = "The service account to default running nodes as if not overridden in `node_pools`."
-  value = "${local.service_account}"
-}
+  value       = "${local.service_account}"
+}

modules/private-cluster/variables.tf

@@ -129,7 +129,6 @@ variable "disable_legacy_metadata_endpoints" {
   default     = "true"
 }
 
-
 variable "node_pools" {
   type        = "list"
   description = "List of maps containing node pools"
@@ -217,17 +216,38 @@ variable "service_account" {
   description = "The service account to default running nodes as if not overridden in `node_pools`. Defaults to the compute engine default service account. May also specify `create` to automatically create a cluster-specific service account"
   default     = ""
 }
+
 variable "enable_private_endpoint" {
-  description  = "(Beta) Whether the master's internal IP address is used as the cluster endpoint"
-  default      = false
+  description = "(Beta) Whether the master's internal IP address is used as the cluster endpoint"
+  default     = false
 }
 
 variable "enable_private_nodes" {
-  description  = "(Beta) Whether nodes have internal IP addresses only"
-  default      = false
+  description = "(Beta) Whether nodes have internal IP addresses only"
+  default     = false
 }
 
 variable "master_ipv4_cidr_block" {
-  description  = "(Beta) The IP range in CIDR notation to use for the hosted master network"
-  default      = "10.0.0.0/28"
-}
+  description = "(Beta) The IP range in CIDR notation to use for the hosted master network"
+  default     = "10.0.0.0/28"
+}
+
+variable "enable_basic_auth" {
+  description = "Basic authentication allows a user to authenticate to the cluster with a username and password. To maximize the security of your cluster, disable this option. Basic authentication is not recommended because it provides no confidentiality protection for transmitted credentials"
+  default     = "false"
+}
+
+variable "basic_auth_username" {
+  description = "Kubernetes HTTP Basic auth username. Only used if `enable_basic_auth` is true"
+  default     = ""
+}
+
+variable "basic_auth_password" {
+  description = "Kubernetes HTTP Basic auth password. Only used if `enable_basic_auth` is true"
+  default     = ""
+}
+
+variable "issue_client_certificate" {
+  description = "Issues a client certificate to authenticate to the cluster endpoint. To maximize the security of your cluster, leave this option disabled. Client certificates don't automatically rotate and aren't easily revocable. WARNING: changing this after cluster creation is destructive!"
+  default     = "false"
+}

outputs.tf

@@ -110,5 +110,5 @@ output "node_pools_versions" {
 
 output "service_account" {
   description = "The service account to default running nodes as if not overridden in `node_pools`."
-  value = "${local.service_account}"
-}
+  value       = "${local.service_account}"
+}