feat: Add support for setting var.istio_auth (#462)

* add istio mtls support * docs * fix test * keep istio config flat * lint * fix examples * fix examples
terraform-google-modules · Mar 30, 2020 · fff4272 · fff4272
1 parent f48eb32
commit fff4272
Show file tree

Hide file tree

Showing 20 changed files with 61 additions and 4 deletions.
diff --git a/autogen/main/cluster.tf.tmpl b/autogen/main/cluster.tf.tmpl
@@ -147,6 +147,7 @@ resource "google_container_cluster" "primary" {
 
     istio_config {
       disabled = ! var.istio
+      auth     = var.istio_auth
     }
 
     dynamic "cloudrun_config" {

diff --git a/autogen/main/variables.tf.tmpl b/autogen/main/variables.tf.tmpl
@@ -393,6 +393,12 @@ variable "istio" {
   default     = false
 }
 
+variable "istio_auth" {
+  type        = string
+  description = "(Beta) The authentication type between services in Istio."
+  default     = "AUTH_MUTUAL_TLS"
+}
+
 variable "database_encryption" {
   description = "Application-layer Secrets Encryption settings. The object format is {state = string, key_name = string}. Valid values of state are: \"ENCRYPTED\"; \"DECRYPTED\". key_name is the name of a CloudKMS key."
   type        = list(object({ state = string, key_name = string }))

diff --git a/autogen/safer-cluster/main.tf.tmpl b/autogen/safer-cluster/main.tf.tmpl
@@ -116,7 +116,9 @@ module "gke" {
   master_ipv4_cidr_block = var.master_ipv4_cidr_block
 
   // Istio is recommended for pod-to-pod communications.
-  istio    = var.istio
+  istio      = var.istio
+  istio_auth = var.istio_auth
+
   cloudrun = var.cloudrun
 
   default_max_pods_per_node = var.default_max_pods_per_node

diff --git a/autogen/safer-cluster/variables.tf.tmpl b/autogen/safer-cluster/variables.tf.tmpl
@@ -231,6 +231,12 @@ variable "istio" {
   default     = false
 }
 
+variable "istio_auth" {
+  type        = string
+  description = "(Beta) The authentication type between services in Istio."
+  default     = "AUTH_MUTUAL_TLS"
+}
+
 variable "default_max_pods_per_node" {
   description = "The maximum number of pods to schedule per node"
   default     = 110

diff --git a/modules/beta-private-cluster-update-variant/README.md b/modules/beta-private-cluster-update-variant/README.md
@@ -187,6 +187,7 @@ Then perform the following commands on the root folder:
 | ip\_range\_services | The _name_ of the secondary subnet range to use for services | string | n/a | yes |
 | issue\_client\_certificate | Issues a client certificate to authenticate to the cluster endpoint. To maximize the security of your cluster, leave this option disabled. Client certificates don't automatically rotate and aren't easily revocable. WARNING: changing this after cluster creation is destructive! | bool | `"false"` | no |
 | istio | (Beta) Enable Istio addon | string | `"false"` | no |
+| istio\_auth | (Beta) The authentication type between services in Istio. | string | `"AUTH_MUTUAL_TLS"` | no |
 | kubernetes\_version | The Kubernetes version of the masters. If set to 'latest' it will pull latest available version in the selected region. | string | `"latest"` | no |
 | logging\_service | The logging service that the cluster should write logs to. Available options include logging.googleapis.com, logging.googleapis.com/kubernetes (beta), and none | string | `"logging.googleapis.com/kubernetes"` | no |
 | maintenance\_end\_time | Time window specified for recurring maintenance operations in RFC3339 format | string | `""` | no |

diff --git a/modules/beta-private-cluster-update-variant/cluster.tf b/modules/beta-private-cluster-update-variant/cluster.tf
@@ -132,6 +132,7 @@ resource "google_container_cluster" "primary" {
 
     istio_config {
       disabled = ! var.istio
+      auth     = var.istio_auth
     }
 
     dynamic "cloudrun_config" {

diff --git a/modules/beta-private-cluster-update-variant/variables.tf b/modules/beta-private-cluster-update-variant/variables.tf
@@ -386,6 +386,12 @@ variable "istio" {
   default     = false
 }
 
+variable "istio_auth" {
+  type        = string
+  description = "(Beta) The authentication type between services in Istio."
+  default     = "AUTH_MUTUAL_TLS"
+}
+
 variable "database_encryption" {
   description = "Application-layer Secrets Encryption settings. The object format is {state = string, key_name = string}. Valid values of state are: \"ENCRYPTED\"; \"DECRYPTED\". key_name is the name of a CloudKMS key."
   type        = list(object({ state = string, key_name = string }))

diff --git a/modules/beta-private-cluster/README.md b/modules/beta-private-cluster/README.md
@@ -165,6 +165,7 @@ Then perform the following commands on the root folder:
 | ip\_range\_services | The _name_ of the secondary subnet range to use for services | string | n/a | yes |
 | issue\_client\_certificate | Issues a client certificate to authenticate to the cluster endpoint. To maximize the security of your cluster, leave this option disabled. Client certificates don't automatically rotate and aren't easily revocable. WARNING: changing this after cluster creation is destructive! | bool | `"false"` | no |
 | istio | (Beta) Enable Istio addon | string | `"false"` | no |
+| istio\_auth | (Beta) The authentication type between services in Istio. | string | `"AUTH_MUTUAL_TLS"` | no |
 | kubernetes\_version | The Kubernetes version of the masters. If set to 'latest' it will pull latest available version in the selected region. | string | `"latest"` | no |
 | logging\_service | The logging service that the cluster should write logs to. Available options include logging.googleapis.com, logging.googleapis.com/kubernetes (beta), and none | string | `"logging.googleapis.com/kubernetes"` | no |
 | maintenance\_end\_time | Time window specified for recurring maintenance operations in RFC3339 format | string | `""` | no |

diff --git a/modules/beta-private-cluster/cluster.tf b/modules/beta-private-cluster/cluster.tf
@@ -132,6 +132,7 @@ resource "google_container_cluster" "primary" {
 
     istio_config {
       disabled = ! var.istio
+      auth     = var.istio_auth
     }
 
     dynamic "cloudrun_config" {

diff --git a/modules/beta-private-cluster/variables.tf b/modules/beta-private-cluster/variables.tf
@@ -386,6 +386,12 @@ variable "istio" {
   default     = false
 }
 
+variable "istio_auth" {
+  type        = string
+  description = "(Beta) The authentication type between services in Istio."
+  default     = "AUTH_MUTUAL_TLS"
+}
+
 variable "database_encryption" {
   description = "Application-layer Secrets Encryption settings. The object format is {state = string, key_name = string}. Valid values of state are: \"ENCRYPTED\"; \"DECRYPTED\". key_name is the name of a CloudKMS key."
   type        = list(object({ state = string, key_name = string }))

diff --git a/modules/beta-public-cluster/README.md b/modules/beta-public-cluster/README.md
@@ -144,6 +144,7 @@ Then perform the following commands on the root folder:
 | ip\_range\_services | The _name_ of the secondary subnet range to use for services | string | n/a | yes |
 | issue\_client\_certificate | Issues a client certificate to authenticate to the cluster endpoint. To maximize the security of your cluster, leave this option disabled. Client certificates don't automatically rotate and aren't easily revocable. WARNING: changing this after cluster creation is destructive! | bool | `"false"` | no |
 | istio | (Beta) Enable Istio addon | string | `"false"` | no |
+| istio\_auth | (Beta) The authentication type between services in Istio. | string | `"AUTH_MUTUAL_TLS"` | no |
 | kubernetes\_version | The Kubernetes version of the masters. If set to 'latest' it will pull latest available version in the selected region. | string | `"latest"` | no |
 | logging\_service | The logging service that the cluster should write logs to. Available options include logging.googleapis.com, logging.googleapis.com/kubernetes (beta), and none | string | `"logging.googleapis.com/kubernetes"` | no |
 | maintenance\_end\_time | Time window specified for recurring maintenance operations in RFC3339 format | string | `""` | no |

diff --git a/modules/beta-public-cluster/cluster.tf b/modules/beta-public-cluster/cluster.tf
@@ -132,6 +132,7 @@ resource "google_container_cluster" "primary" {
 
     istio_config {
       disabled = ! var.istio
+      auth     = var.istio_auth
     }
 
     dynamic "cloudrun_config" {

diff --git a/modules/beta-public-cluster/variables.tf b/modules/beta-public-cluster/variables.tf
@@ -362,6 +362,12 @@ variable "istio" {
   default     = false
 }
 
+variable "istio_auth" {
+  type        = string
+  description = "(Beta) The authentication type between services in Istio."
+  default     = "AUTH_MUTUAL_TLS"
+}
+
 variable "database_encryption" {
   description = "Application-layer Secrets Encryption settings. The object format is {state = string, key_name = string}. Valid values of state are: \"ENCRYPTED\"; \"DECRYPTED\". key_name is the name of a CloudKMS key."
   type        = list(object({ state = string, key_name = string }))

diff --git a/modules/safer-cluster-update-variant/README.md b/modules/safer-cluster-update-variant/README.md
@@ -218,6 +218,7 @@ For simplicity, we suggest using `roles/container.admin` and
 | ip\_range\_pods | The _name_ of the secondary subnet ip range to use for pods | string | n/a | yes |
 | ip\_range\_services | The _name_ of the secondary subnet range to use for services | string | n/a | yes |
 | istio | (Beta) Enable Istio addon | string | `"false"` | no |
+| istio\_auth | (Beta) The authentication type between services in Istio. | string | `"AUTH_MUTUAL_TLS"` | no |
 | kubernetes\_version | The Kubernetes version of the masters. If set to 'latest' it will pull latest available version in the selected region. The module enforces certain minimum versions to ensure that specific features are available. | string | `"latest"` | no |
 | logging\_service | The logging service that the cluster should write logs to. Available options include logging.googleapis.com, logging.googleapis.com/kubernetes (beta), and none | string | `"logging.googleapis.com/kubernetes"` | no |
 | maintenance\_start\_time | Time window specified for daily maintenance operations in RFC3339 format | string | `"05:00"` | no |

diff --git a/modules/safer-cluster-update-variant/main.tf b/modules/safer-cluster-update-variant/main.tf
@@ -112,7 +112,9 @@ module "gke" {
   master_ipv4_cidr_block = var.master_ipv4_cidr_block
 
   // Istio is recommended for pod-to-pod communications.
-  istio    = var.istio
+  istio      = var.istio
+  istio_auth = var.istio_auth
+
   cloudrun = var.cloudrun
 
   default_max_pods_per_node = var.default_max_pods_per_node

diff --git a/modules/safer-cluster-update-variant/variables.tf b/modules/safer-cluster-update-variant/variables.tf
@@ -231,6 +231,12 @@ variable "istio" {
   default     = false
 }
 
+variable "istio_auth" {
+  type        = string
+  description = "(Beta) The authentication type between services in Istio."
+  default     = "AUTH_MUTUAL_TLS"
+}
+
 variable "default_max_pods_per_node" {
   description = "The maximum number of pods to schedule per node"
   default     = 110

diff --git a/modules/safer-cluster/README.md b/modules/safer-cluster/README.md
@@ -218,6 +218,7 @@ For simplicity, we suggest using `roles/container.admin` and
 | ip\_range\_pods | The _name_ of the secondary subnet ip range to use for pods | string | n/a | yes |
 | ip\_range\_services | The _name_ of the secondary subnet range to use for services | string | n/a | yes |
 | istio | (Beta) Enable Istio addon | string | `"false"` | no |
+| istio\_auth | (Beta) The authentication type between services in Istio. | string | `"AUTH_MUTUAL_TLS"` | no |
 | kubernetes\_version | The Kubernetes version of the masters. If set to 'latest' it will pull latest available version in the selected region. The module enforces certain minimum versions to ensure that specific features are available. | string | `"latest"` | no |
 | logging\_service | The logging service that the cluster should write logs to. Available options include logging.googleapis.com, logging.googleapis.com/kubernetes (beta), and none | string | `"logging.googleapis.com/kubernetes"` | no |
 | maintenance\_start\_time | Time window specified for daily maintenance operations in RFC3339 format | string | `"05:00"` | no |

diff --git a/modules/safer-cluster/main.tf b/modules/safer-cluster/main.tf
@@ -112,7 +112,9 @@ module "gke" {
   master_ipv4_cidr_block = var.master_ipv4_cidr_block
 
   // Istio is recommended for pod-to-pod communications.
-  istio    = var.istio
+  istio      = var.istio
+  istio_auth = var.istio_auth
+
   cloudrun = var.cloudrun
 
   default_max_pods_per_node = var.default_max_pods_per_node

diff --git a/modules/safer-cluster/variables.tf b/modules/safer-cluster/variables.tf
@@ -231,6 +231,12 @@ variable "istio" {
   default     = false
 }
 
+variable "istio_auth" {
+  type        = string
+  description = "(Beta) The authentication type between services in Istio."
+  default     = "AUTH_MUTUAL_TLS"
+}
+
 variable "default_max_pods_per_node" {
   description = "The maximum number of pods to schedule per node"
   default     = 110

diff --git a/test/integration/beta_cluster/controls/gcloud.rb b/test/integration/beta_cluster/controls/gcloud.rb
@@ -56,7 +56,7 @@
             "disabled" => true,
           },
           "networkPolicyConfig" => {},
-          "istioConfig" => {},
+          "istioConfig" => {"auth"=>"AUTH_MUTUAL_TLS"},
           "cloudRunConfig" => {},
         })
       end