diff --git a/README.md b/README.md
index b3759e4404..437a3c34fe 100644
--- a/README.md
+++ b/README.md
@@ -105,7 +105,7 @@ In either case, upgrading to module version `v1.0.0` will trigger a recreation o
 | basic\_auth\_username | Kubernetes HTTP Basic auth username. Only used if `enable_basic_auth` is true | string | `""` | no |
 | description | The description of the cluster | string | `""` | no |
 | disable\_legacy\_metadata\_endpoints | Disable the /0.1/ and /v1beta1/ metadata server endpoints on the node. Changing this value will cause all node pools to be recreated. | string | `"true"` | no |
-| enable\_basic\_auth | Basic authentication allows a user to authenticate to the cluster with a username and password. To maximize the security of your cluster, disable this option. Basic authentication is not recommended because it provides no confidentiality protection for transmitted credentials | string | `"true"` | no |
+| enable\_basic\_auth | Basic authentication allows a user to authenticate to the cluster with a username and password. To maximize the security of your cluster, disable this option. Basic authentication is not recommended because it provides no confidentiality protection for transmitted credentials | string | `"false"` | no |
 | horizontal\_pod\_autoscaling | Enable horizontal pod autoscaling addon | string | `"true"` | no |
 | http\_load\_balancing | Enable httpload balancer addon | string | `"true"` | no |
 | ip\_masq\_link\_local | Whether to masquerade traffic to the link-local prefix (169.254.0.0/16). | string | `"false"` | no |
@@ -342,4 +342,4 @@ are as follows:
 is a compiled language so there is no standard linter.
 * Terraform - terraform has a built-in linter in the 'terraform validate' command.
-* Dockerfiles - hadolint. Can be found in homebrew
\ No newline at end of file
+* Dockerfiles - hadolint. Can be found in homebrew
diff --git a/autogen/variables.tf b/autogen/variables.tf
index a4a839c4bd..942d937777 100644
--- a/autogen/variables.tf
+++ b/autogen/variables.tf
@@ -236,7 +236,7 @@ variable "master_ipv4_cidr_block" {
 variable "enable_basic_auth" {
 description = "Basic authentication allows a user to authenticate to the cluster with a username and password. To maximize the security of your cluster, disable this option. Basic authentication is not recommended because it provides no confidentiality protection for transmitted credentials"
- default = "true"
+ default = "false"
 }
 variable "basic_auth_username" {
diff --git a/examples/disable_client_cert/README.md b/examples/disable_client_cert/README.md
index b303823565..4e6a7e24b1 100644
--- a/examples/disable_client_cert/README.md
+++ b/examples/disable_client_cert/README.md
@@ -46,4 +46,4 @@ To provision this example, run the following from within this directory:
 - `terraform init` to get the plugins
 - `terraform plan` to see the infrastructure plan
 - `terraform apply` to apply the infrastructure build
-- `terraform destroy` to destroy the built infrastructure
\ No newline at end of file
+- `terraform destroy` to destroy the built infrastructure
diff --git a/main.tf b/main.tf
index 99bac5c48d..4bbe43ea02 100644
--- a/main.tf
+++ b/main.tf
@@ -156,6 +156,7 @@ locals {
 data "google_container_engine_versions" "region" {
 provider = "google-beta"
 region = "${var.region}"
+ project = "${var.project_id}"
 }
 data "google_container_engine_versions" "zone" {
diff --git a/modules/private-cluster/README.md b/modules/private-cluster/README.md
index ec9c4f6d8c..cb33931cb3 100644
--- a/modules/private-cluster/README.md
+++ b/modules/private-cluster/README.md
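Review bot: The `+ default = "false"` line changes the template that the root module's `variables.tf` is generated from, yet no change to the root `variables.tf` is visible in this part of the diff, while the root README.md in the same commit already documents the default as `"false"`; if the root file was not regenerated, the documented default and the effective default diverge. Suggest confirming that the regenerated root `variables.tf` is part of this change (or ships in the same release), so a cluster built from the root module really has basic auth off by default.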
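Review bot: The added `project = "${var.project_id}"` is only given to the `region` data source; the `zone` data source whose header is the hunk's last context line looks like it needs the same attribute, otherwise a zonal lookup of available versions still goes to the provider's default project, which may differ from `var.project_id`. Its body lies outside the hunk, so this is inferred from the parallel structure; if the attribute is absent there, add `project = "${var.project_id}"` to the `zone` block as well.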
@@ -106,8 +106,11 @@ In either case, upgrading to module version `v1.0.0` will trigger a recreation o
 | Name | Description | Type | Default | Required |
 |------|-------------|:----:|:-----:|:-----:|
+| basic\_auth\_password | Kubernetes HTTP Basic auth password. Only used if `enable_basic_auth` is true | string | `""` | no |
+| basic\_auth\_username | Kubernetes HTTP Basic auth username. Only used if `enable_basic_auth` is true | string | `""` | no |
 | description | The description of the cluster | string | `""` | no |
 | disable\_legacy\_metadata\_endpoints | Disable the /0.1/ and /v1beta1/ metadata server endpoints on the node. Changing this value will cause all node pools to be recreated. | string | `"true"` | no |
+| enable\_basic\_auth | Basic authentication allows a user to authenticate to the cluster with a username and password. To maximize the security of your cluster, disable this option. Basic authentication is not recommended because it provides no confidentiality protection for transmitted credentials | string | `"false"` | no |
 | enable\_private\_endpoint | (Beta) Whether the master's internal IP address is used as the cluster endpoint | string | `"false"` | no |
 | enable\_private\_nodes | (Beta) Whether nodes have internal IP addresses only | string | `"false"` | no |
 | horizontal\_pod\_autoscaling | Enable horizontal pod autoscaling addon | string | `"true"` | no |
@@ -116,6 +119,7 @@ In either case, upgrading to module version `v1.0.0` will trigger a recreation o
 | ip\_masq\_resync\_interval | The interval at which the agent attempts to sync its ConfigMap file from the disk. | string | `"60s"` | no |
 | ip\_range\_pods | The _name_ of the secondary subnet ip range to use for pods | string | n/a | yes |
 | ip\_range\_services | The _name_ of the secondary subnet range to use for services | string | n/a | yes |
+| issue\_client\_certificate | Issues a client certificate to authenticate to the cluster endpoint. To maximize the security of your cluster, leave this option disabled. Client certificates don't automatically rotate and aren't easily revocable. WARNING: changing this after cluster creation is destructive! | string | `"false"` | no |
 | kubernetes\_dashboard | Enable kubernetes dashboard addon | string | `"false"` | no |
 | kubernetes\_version | The Kubernetes version of the masters. If set to 'latest' it will pull latest available version in the selected region. | string | `"latest"` | no |
 | logging\_service | The logging service that the cluster should write logs to. Available options include logging.googleapis.com, logging.googleapis.com/kubernetes (beta), and none | string | `"logging.googleapis.com"` | no |
diff --git a/modules/private-cluster/cluster_regional.tf b/modules/private-cluster/cluster_regional.tf
index 53a3e2804b..0ae0f198a0 100644
--- a/modules/private-cluster/cluster_regional.tf
+++ b/modules/private-cluster/cluster_regional.tf
@@ -38,6 +38,15 @@ resource "google_container_cluster" "primary" {
 master_authorized_networks_config = ["${var.master_authorized_networks_config}"]
+ master_auth {
+ username = "${local.cluster_basic_auth_username}"
+ password = "${local.cluster_basic_auth_password}"
+
+ client_certificate_config {
+ issue_client_certificate = "${var.issue_client_certificate}"
+ }
+ }
+
 addons_config {
 http_load_balancing {
 disabled = "${var.http_load_balancing ? 0 : 1}"
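Review bot: Nothing in the new `master_auth` block states that an empty username/password pair is the mechanism by which basic auth stays disabled, even though `local.cluster_basic_auth_username` and `local.cluster_basic_auth_password` are set to `""` precisely when `enable_basic_auth` is false, and the identical block is added to `modules/private-cluster/cluster_zonal.tf`. A one-line comment above `username`, `# empty username/password (enable_basic_auth = false) leaves basic auth disabled on the master — see the locals in main.tf`, would make the contract explicit in both files. Separately, this commit documents `issue_client_certificate` as destructive to change after creation, so adding `master_auth` to a module used by already-created private clusters may presumably show up as a forced replacement in `terraform plan` — verify, and call it out in the module's upgrade notes if so. The enclosing `resource "google_container_cluster" "primary"` starts before and ends after the hunk.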
diff --git a/modules/private-cluster/cluster_zonal.tf b/modules/private-cluster/cluster_zonal.tf
index 05f2f0932c..ebe5743a13 100644
--- a/modules/private-cluster/cluster_zonal.tf
+++ b/modules/private-cluster/cluster_zonal.tf
@@ -38,6 +38,15 @@ resource "google_container_cluster" "zonal_primary" {
 master_authorized_networks_config = ["${var.master_authorized_networks_config}"]
+ master_auth {
+ username = "${local.cluster_basic_auth_username}"
+ password = "${local.cluster_basic_auth_password}"
+
+ client_certificate_config {
+ issue_client_certificate = "${var.issue_client_certificate}"
+ }
+ }
+
 addons_config {
 http_load_balancing {
 disabled = "${var.http_load_balancing ? 0 : 1}"
diff --git a/modules/private-cluster/main.tf b/modules/private-cluster/main.tf
index 3e93de103c..dbca87cdec 100644
--- a/modules/private-cluster/main.tf
+++ b/modules/private-cluster/main.tf
@@ -145,6 +145,9 @@ locals {
 cluster_http_load_balancing_enabled = "${local.cluster_type_output_http_load_balancing_enabled[local.cluster_type] ? false : true}"
 cluster_horizontal_pod_autoscaling_enabled = "${local.cluster_type_output_horizontal_pod_autoscaling_enabled[local.cluster_type] ? false : true}"
 cluster_kubernetes_dashboard_enabled = "${local.cluster_type_output_kubernetes_dashboard_enabled[local.cluster_type] ? false : true}"
+
+ cluster_basic_auth_username = "${var.enable_basic_auth ? var.basic_auth_username : ""}"
+ cluster_basic_auth_password = "${var.enable_basic_auth ? var.basic_auth_password : ""}"
 }
 /******************************************
diff --git a/modules/private-cluster/outputs.tf b/modules/private-cluster/outputs.tf
index 455f69790a..6b9d5895ab 100644
--- a/modules/private-cluster/outputs.tf
+++ b/modules/private-cluster/outputs.tf
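Review bot: With `enable_basic_auth` set to true but `basic_auth_username` and `basic_auth_password` left at their `""` defaults, the two new locals yield exactly the same empty values as the disabled case, so a user who enabled basic auth and forgot the credentials gets a cluster without it and no error. The 0.11-style interpolation syntax used here offers no variable validation, so at minimum the descriptions of `basic_auth_username` and `basic_auth_password` in `modules/private-cluster/variables.tf` should state that both must be set when `enable_basic_auth` is true, and a comment on the locals, `# both fall back to "" so that enable_basic_auth = false produces an empty master_auth (basic auth off)`, would record the intent. The enclosing `locals` block begins outside the hunk.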
@@ -110,5 +110,5 @@ output "node_pools_versions" {
 output "service_account" {
 description = "The service account to default running nodes as if not overridden in `node_pools`."
- value = "${local.service_account}"
-}
\ No newline at end of file
+ value = "${local.service_account}"
+}
diff --git a/modules/private-cluster/variables.tf b/modules/private-cluster/variables.tf
index 5bef1d19cf..cec95e31a0 100644
--- a/modules/private-cluster/variables.tf
+++ b/modules/private-cluster/variables.tf
@@ -129,7 +129,6 @@ variable "disable_legacy_metadata_endpoints" {
 default = "true"
 }
-
 variable "node_pools" {
 type = "list"
 description = "List of maps containing node pools"
@@ -217,17 +216,38 @@ variable "service_account" {
 description = "The service account to default running nodes as if not overridden in `node_pools`. Defaults to the compute engine default service account. May also specify `create` to automatically create a cluster-specific service account"
 default = ""
 }
+
 variable "enable_private_endpoint" {
- description = "(Beta) Whether the master's internal IP address is used as the cluster endpoint"
- default = false
+ description = "(Beta) Whether the master's internal IP address is used as the cluster endpoint"
+ default = false
 }
 variable "enable_private_nodes" {
- description = "(Beta) Whether nodes have internal IP addresses only"
- default = false
+ description = "(Beta) Whether nodes have internal IP addresses only"
+ default = false
 }
 variable "master_ipv4_cidr_block" {
- description = "(Beta) The IP range in CIDR notation to use for the hosted master network"
- default = "10.0.0.0/28"
-}
\ No newline at end of file
+ description = "(Beta) The IP range in CIDR notation to use for the hosted master network"
+ default = "10.0.0.0/28"
+}
+
+variable "enable_basic_auth" {
+ description = "Basic authentication allows a user to authenticate to the cluster with a username and password. To maximize the security of your cluster, disable this option. Basic authentication is not recommended because it provides no confidentiality protection for transmitted credentials"
+ default = "false"
+}
+
+variable "basic_auth_username" {
+ description = "Kubernetes HTTP Basic auth username. Only used if `enable_basic_auth` is true"
+ default = ""
+}
+
+variable "basic_auth_password" {
+ description = "Kubernetes HTTP Basic auth password. Only used if `enable_basic_auth` is true"
+ default = ""
+}
+
+variable "issue_client_certificate" {
+ description = "Issues a client certificate to authenticate to the cluster endpoint. To maximize the security of your cluster, leave this option disabled. 
Client certificates don't automatically rotate and aren't easily revocable. WARNING: changing this after cluster creation is destructive!"
+ default = "false"
+}
diff --git a/outputs.tf b/outputs.tf
index 455f69790a..6b9d5895ab 100644
--- a/outputs.tf
+++ b/outputs.tf
@@ -110,5 +110,5 @@ output "node_pools_versions" {
 output "service_account" {
 description = "The service account to default running nodes as if not overridden in `node_pools`."
- value = "${local.service_account}"
-}
\ No newline at end of file
+ value = "${local.service_account}"
+}
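Review bot: `basic_auth_password` is a plaintext secret, but its description says nothing about where the value ends up: it flows into `master_auth.password` on the cluster resource and is persisted in the Terraform state, and the 0.11-style syntax used in this file has no way to mark an input variable sensitive, so the practical mitigation is an access-controlled remote state backend. Suggest appending `Stored in plaintext in Terraform state; protect the state backend accordingly` to the description (the generated README row will pick it up). The hunk also re-indents `enable_private_endpoint`, `enable_private_nodes` and `master_ipv4_cidr_block` without changing them, which buries the four genuinely new variables; a separate formatting commit would keep the security-relevant additions reviewable on their own.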