Adding cert/basic auth tests

Author: coryodaniel

.kitchen.yml

@@ -37,6 +37,18 @@ suites:
           backend: local
     provisioner:
       name: terraform
+  - name: "disable_client_cert"
+    driver:
+      name: "terraform"
+      command_timeout: 1800
+      root_module_directory: test/fixtures/disable_client_cert
+    verifier:
+      name: terraform
+      systems:
+        - name: disable_client_cert
+          backend: local
+    provisioner:
+      name: terraform      
   - name: "node_pool"
     driver:
       name: "terraform"

README.md

@@ -222,9 +222,10 @@ make generate_docs
 
 Integration tests are run though [test-kitchen](https://github.com/test-kitchen/test-kitchen), [kitchen-terraform](https://github.com/newcontext-oss/kitchen-terraform), and [InSpec](https://github.com/inspec/inspec).
 
-Six test-kitchen instances are defined:
+Seven test-kitchen instances are defined:
 
 - `deploy_service`
+- `disable_client_cert`
 - `node_pool`
 - `shared_vpc`
 - `simple_regional`

examples/disable_client_cert/README.md

@@ -0,0 +1,16 @@
+# Disable Client Certificate
+
+This example illustrates how to create a simple cluster and disable deprecate security features:
+
+* basic auth
+* client certificate
+
+[^]: (autogen_docs_start)
+
+[^]: (autogen_docs_end)
+
+To provision this example, run the following from within this directory:
+- `terraform init` to get the plugins
+- `terraform plan` to see the infrastructure plan
+- `terraform apply` to apply the infrastructure build
+- `terraform destroy` to destroy the built infrastructure

examples/disable_client_cert/main.tf

@@ -0,0 +1,44 @@
+/**
+ * Copyright 2018 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+locals {
+  cluster_type = "disable-cluster-cert"
+}
+
+provider "google" {
+  credentials = "${file(var.credentials_path)}"
+  region      = "${var.region}"
+}
+
+module "gke" {
+  source             = "../../"
+  project_id         = "${var.project_id}"
+  name               = "${local.cluster_type}-cluster"
+  region             = "${var.region}"
+  network            = "${var.network}"
+  network_project_id = "${var.network_project_id}"
+  subnetwork         = "${var.subnetwork}"
+  ip_range_pods      = "${var.ip_range_pods}"
+  ip_range_services  = "${var.ip_range_services}"
+  kubernetes_version = "1.11.5-gke.4"
+  node_version       = "1.11.5-gke.4"
+  service_account    = "${var.compute_engine_service_account}"
+
+  enable_basic_auth = false
+  issue_client_certificate = false
+}
+
+data "google_client_config" "default" {}

examples/disable_client_cert/outputs.tf

@@ -0,0 +1,29 @@
+/**
+ * Copyright 2018 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+output "kubernetes_endpoint" {
+  sensitive = true
+  value     = "${module.gke.endpoint}"
+}
+
+output "client_token" {
+  sensitive = true
+  value     = "${base64encode(data.google_client_config.default.access_token)}"
+}
+
+output "ca_certificate" {
+  value = "${module.gke.ca_certificate}"
+}

examples/disable_client_cert/test_outputs.tf

@@ -0,0 +1,67 @@
+/**
+ * Copyright 2018 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+// These outputs are used to test the module with kitchen-terraform
+// They do not need to be included in real-world uses of this module
+
+output "project_id" {
+  value = "${var.project_id}"
+}
+
+output "credentials_path" {
+  value = "${var.credentials_path}"
+}
+
+output "region" {
+  value = "${module.gke.region}"
+}
+
+output "cluster_name" {
+  description = "Cluster name"
+  value       = "${module.gke.name}"
+}
+
+output "network" {
+  value = "${var.network}"
+}
+
+output "subnetwork" {
+  value = "${var.subnetwork}"
+}
+
+output "location" {
+  value = "${module.gke.location}"
+}
+
+output "ip_range_pods" {
+  description = "The secondary IP range used for pods"
+  value       = "${var.ip_range_pods}"
+}
+
+output "ip_range_services" {
+  description = "The secondary IP range used for services"
+  value       = "${var.ip_range_services}"
+}
+
+output "zones" {
+  description = "List of zones in which the cluster resides"
+  value       = "${module.gke.zones}"
+}
+
+output "master_kubernetes_version" {
+  description = "The master Kubernetes version"
+  value       = "${module.gke.master_version}"
+}

examples/disable_client_cert/variables.tf

@@ -0,0 +1,51 @@
+/**
+ * Copyright 2018 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+variable "project_id" {
+  description = "The project ID to host the cluster in"
+}
+
+variable "credentials_path" {
+  description = "The path to the GCP credentials JSON file"
+}
+
+variable "region" {
+  description = "The region to host the cluster in"
+}
+
+variable "network" {
+  description = "The VPC network to host the cluster in"
+}
+
+variable "network_project_id" {
+  description = "The GCP project housing the VPC network to host the cluster in"
+}
+
+variable "subnetwork" {
+  description = "The subnetwork to host the cluster in"
+}
+
+variable "ip_range_pods" {
+  description = "The secondary ip range to use for pods"
+}
+
+variable "ip_range_services" {
+  description = "The secondary ip range to use for pods"
+}
+
+variable "compute_engine_service_account" {
+  description = "Service account to associate to the nodes in the cluster"
+}

test/fixtures/disable_client_cert/example.tf

@@ -0,0 +1,29 @@
+/**
+ * Copyright 2018 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+module "example" {
+  source = "../../../examples/disable_client_cert"
+
+  project_id                     = "${var.project_id}"
+  credentials_path               = "${local.credentials_path}"
+  region                         = "${var.region}"
+  network                        = "${google_compute_network.main.name}"
+  network_project_id             = "${var.project_id}"
+  subnetwork                     = "${google_compute_subnetwork.main.name}"
+  ip_range_pods                  = "${google_compute_subnetwork.main.secondary_ip_range.0.range_name}"
+  ip_range_services              = "${google_compute_subnetwork.main.secondary_ip_range.1.range_name}"
+  compute_engine_service_account = "${var.compute_engine_service_account}"
+}

test/fixtures/disable_client_cert/network.tf

@@ -0,0 +1,52 @@
+/**
+ * Copyright 2018 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+locals {
+  credentials_path = "${path.module}/${var.credentials_path_relative}"
+}
+
+resource "random_string" "suffix" {
+  length  = 4
+  special = false
+  upper   = false
+}
+
+provider "google" {
+  credentials = "${file(local.credentials_path)}"
+  project     = "${var.project_id}"
+}
+
+resource "google_compute_network" "main" {
+  name                    = "cft-gke-test-${random_string.suffix.result}"
+  auto_create_subnetworks = "false"
+}
+
+resource "google_compute_subnetwork" "main" {
+  name          = "cft-gke-test-${random_string.suffix.result}"
+  ip_cidr_range = "10.0.0.0/17"
+  region        = "${var.region}"
+  network       = "${google_compute_network.main.self_link}"
+
+  secondary_ip_range {
+    range_name    = "cft-gke-test-pods-${random_string.suffix.result}"
+    ip_cidr_range = "192.168.0.0/18"
+  }
+
+  secondary_ip_range {
+    range_name    = "cft-gke-test-services-${random_string.suffix.result}"
+    ip_cidr_range = "192.168.64.0/18"
+  }
+}

test/fixtures/disable_client_cert/outputs.tf

@@ -0,0 +1 @@
+../shared/outputs.tf

test/fixtures/disable_client_cert/terraform.tfvars

@@ -0,0 +1 @@
+../shared/terraform.tfvars

test/fixtures/disable_client_cert/variables.tf

@@ -0,0 +1 @@
+../shared/variables.tf

test/integration/disable_client_cert/controls/gcloud.rb

@@ -0,0 +1,51 @@
+# Copyright 2018 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+project_id = attribute('project_id')
+location = attribute('location')
+cluster_name = attribute('cluster_name')
+
+credentials_path = attribute('credentials_path')
+ENV['CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE'] = credentials_path
+
+control "gcloud" do
+  title "Google Compute Engine GKE configuration"
+  describe command("gcloud --project=#{project_id} container clusters --zone=#{location} describe #{cluster_name} --format=json") do
+    its(:exit_status) { should eq 0 }
+    its(:stderr) { should eq '' }
+
+    let!(:data) do
+      if subject.exit_status == 0
+        JSON.parse(subject.stdout)
+      else
+        {}
+      end
+    end
+
+    describe "cluster" do
+      it "is running" do
+        expect(data['status']).to eq 'RUNNING'
+      end
+
+      it "does not have a client certificate" do
+        expect(data['masterAuth']['clientCertificate']).to be_nil
+      end
+
+      it "does not have a basic auth enabled" do
+        expect(data['masterAuth']['username']).to be_nil
+        expect(data['masterAuth']['password']).to be_nil
+      end
+    end
+  end
+end