Adding cert/basic auth tests

Author: coryodaniel

.kitchen.yml

@@ -36,6 +36,18 @@ suites:
           backend: local
     provisioner:
       name: terraform
+  - name: "disable_client_cert"
+    driver:
+      name: "terraform"
+      command_timeout: 1800
+      root_module_directory: test/fixtures/disable_client_cert
+    verifier:
+      name: terraform
+      systems:
+        - name: disable_client_cert
+          backend: local
+    provisioner:
+      name: terraform      
   - name: "node_pool"
     driver:
       name: "terraform"

README.md

@@ -88,11 +88,10 @@ Then perform the following commands on the root folder:
 
 | Name | Description | Type | Default | Required |
 |------|-------------|:----:|:-----:|:-----:|
-| basic\_auth\_password | Kubernetes HTTP Basic auth password. Only used if `enable_basic_auth` is true | string | `` | no |
-| basic\_auth\_username | Kubernetes HTTP Basic auth username. Only used if `enable_basic_auth` is true | string | `` | no |
+| basic\_auth\_password | Kubernetes HTTP Basic auth password. Defaults to empty string. Only used if `enable_basic_auth` is true | string | `` | no |
+| basic\_auth\_username | Kubernetes HTTP Basic auth username. Defaults to empty string. Only used if `enable_basic_auth` is true | string | `` | no |
 | description | The description of the cluster | string | `` | no |
 <<<<<<< HEAD
-<<<<<<< HEAD
 | horizontal_pod_autoscaling | Enable horizontal pod autoscaling addon | string | `false` | no |
 | http_load_balancing | Enable httpload balancer addon | string | `true` | no |
 | ip_masq_link_local | Whether to masquerade traffic to the link-local prefix (169.254.0.0/16). | string | `false` | no |
@@ -107,16 +106,13 @@ Then perform the following commands on the root folder:
 | monitoring_service | The monitoring service that the cluster should write metrics to. Automatically send metrics from pods in the cluster to the Google Cloud Monitoring API. VM metrics will be collected by Google Compute Engine regardless of this setting Available options include monitoring.googleapis.com, monitoring.googleapis.com/kubernetes (beta) and none | string | `monitoring.googleapis.com` | no |
 =======
 | enable\_basic\_auth | Basic authentication allows a user to authenticate to the cluster with a username and password. To maximize the security of your cluster, disable this option. Basic authentication is not recommended because it provides no confidentiality protection for transmitted credentials. Default: true | string | `true` | no |
-=======
-| enable\_basic\_auth | Basic authentication allows a user to authenticate to the cluster with a username and password. To maximize the security of your cluster, disable this option. Basic authentication is not recommended because it provides no confidentiality protection for transmitted credentials | string | `true` | no |
->>>>>>> Removing redundant default copy in docs
 | horizontal\_pod\_autoscaling | Enable horizontal pod autoscaling addon | string | `false` | no |
 | http\_load\_balancing | Enable httpload balancer addon | string | `true` | no |
 | ip\_masq\_link\_local | Whether to masquerade traffic to the link-local prefix (169.254.0.0/16). | string | `false` | no |
 | ip\_masq\_resync\_interval | The interval at which the agent attempts to sync its ConfigMap file from the disk. | string | `60s` | no |
 | ip\_range\_pods | The secondary ip range to use for pods | string | - | yes |
 | ip\_range\_services | The secondary ip range to use for pods | string | - | yes |
-| issue\_client\_certificate | Issues a client certificate to authenticate to the cluster endpoint. To maximize the security of your cluster, leave this option disabled. Client certificates don't automatically rotate and aren't easily revocable. WARNING: changing this after cluster creation is destructive! | string | `false` | no |
+| issue\_client\_certificate | Issues a client certificate to authenticate to the cluster endpoint. To maximize the security of your cluster, leave this option disabled. Client certificates don't automatically rotate and aren't easily revocable. WARNING: changing this after cluster creation is destructive! Default: false | string | `false` | no |
 | kubernetes\_dashboard | Enable kubernetes dashboard addon | string | `false` | no |
 | kubernetes\_version | The Kubernetes version of the masters. If set to 'latest' it will pull latest available version in the selected region. | string | `latest` | no |
 | logging\_service | The logging service that the cluster should write logs to. Available options include logging.googleapis.com, logging.googleapis.com/kubernetes (beta), and none | string | `logging.googleapis.com` | no |
@@ -238,9 +234,10 @@ make generate_docs
 
 Integration tests are run though [test-kitchen](https://github.com/test-kitchen/test-kitchen), [kitchen-terraform](https://github.com/newcontext-oss/kitchen-terraform), and [InSpec](https://github.com/inspec/inspec).
 
-Six test-kitchen instances are defined:
+Seven test-kitchen instances are defined:
 
 - `deploy_service`
+- `disable_client_cert`
 - `node_pool`
 - `shared_vpc`
 - `simple_regional`

examples/disable_client_cert/README.md

@@ -0,0 +1,16 @@
+# Disable Client Certificate
+
+This example illustrates how to create a simple cluster and disable deprecate security features:
+
+* basic auth
+* client certificate
+
+[^]: (autogen_docs_start)
+
+[^]: (autogen_docs_end)
+
+To provision this example, run the following from within this directory:
+- `terraform init` to get the plugins
+- `terraform plan` to see the infrastructure plan
+- `terraform apply` to apply the infrastructure build
+- `terraform destroy` to destroy the built infrastructure

examples/disable_client_cert/main.tf

@@ -0,0 +1,44 @@
+/**
+ * Copyright 2018 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+locals {
+  cluster_type = "disable-cluster-cert"
+}
+
+provider "google" {
+  credentials = "${file(var.credentials_path)}"
+  region      = "${var.region}"
+}
+
+module "gke" {
+  source             = "../../"
+  project_id         = "${var.project_id}"
+  name               = "${local.cluster_type}-cluster"
+  region             = "${var.region}"
+  network            = "${var.network}"
+  network_project_id = "${var.network_project_id}"
+  subnetwork         = "${var.subnetwork}"
+  ip_range_pods      = "${var.ip_range_pods}"
+  ip_range_services  = "${var.ip_range_services}"
+  kubernetes_version = "1.11.5-gke.4"
+  node_version       = "1.11.5-gke.4"
+  service_account    = "${var.compute_engine_service_account}"
+
+  enable_basic_auth = false
+  issue_client_certificate = false
+}
+
+data "google_client_config" "default" {}

examples/disable_client_cert/outputs.tf

@@ -0,0 +1,29 @@
+/**
+ * Copyright 2018 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+output "kubernetes_endpoint" {
+  sensitive = true
+  value     = "${module.gke.endpoint}"
+}
+
+output "client_token" {
+  sensitive = true
+  value     = "${base64encode(data.google_client_config.default.access_token)}"
+}
+
+output "ca_certificate" {
+  value = "${module.gke.ca_certificate}"
+}

examples/disable_client_cert/test_outputs.tf

@@ -0,0 +1,67 @@
+/**
+ * Copyright 2018 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+// These outputs are used to test the module with kitchen-terraform
+// They do not need to be included in real-world uses of this module
+
+output "project_id" {
+  value = "${var.project_id}"
+}
+
+output "credentials_path" {
+  value = "${var.credentials_path}"
+}
+
+output "region" {
+  value = "${module.gke.region}"
+}
+
+output "cluster_name" {
+  description = "Cluster name"
+  value       = "${module.gke.name}"
+}
+
+output "network" {
+  value = "${var.network}"
+}
+
+output "subnetwork" {
+  value = "${var.subnetwork}"
+}
+
+output "location" {
+  value = "${module.gke.location}"
+}
+
+output "ip_range_pods" {
+  description = "The secondary IP range used for pods"
+  value       = "${var.ip_range_pods}"
+}
+
+output "ip_range_services" {
+  description = "The secondary IP range used for services"
+  value       = "${var.ip_range_services}"
+}
+
+output "zones" {
+  description = "List of zones in which the cluster resides"
+  value       = "${module.gke.zones}"
+}
+
+output "master_kubernetes_version" {
+  description = "The master Kubernetes version"
+  value       = "${module.gke.master_version}"
+}

examples/disable_client_cert/variables.tf

@@ -0,0 +1,51 @@
+/**
+ * Copyright 2018 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+variable "project_id" {
+  description = "The project ID to host the cluster in"
+}
+
+variable "credentials_path" {
+  description = "The path to the GCP credentials JSON file"
+}
+
+variable "region" {
+  description = "The region to host the cluster in"
+}
+
+variable "network" {
+  description = "The VPC network to host the cluster in"
+}
+
+variable "network_project_id" {
+  description = "The GCP project housing the VPC network to host the cluster in"
+}
+
+variable "subnetwork" {
+  description = "The subnetwork to host the cluster in"
+}
+
+variable "ip_range_pods" {
+  description = "The secondary ip range to use for pods"
+}
+
+variable "ip_range_services" {
+  description = "The secondary ip range to use for pods"
+}
+
+variable "compute_engine_service_account" {
+  description = "Service account to associate to the nodes in the cluster"
+}

test/fixtures/disable_client_cert/example.tf

@@ -0,0 +1,29 @@
+/**
+ * Copyright 2018 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+module "example" {
+  source = "../../../examples/disable_client_cert"
+
+  project_id                     = "${var.project_id}"
+  credentials_path               = "${local.credentials_path}"
+  region                         = "${var.region}"
+  network                        = "${google_compute_network.main.name}"
+  network_project_id             = "${var.project_id}"
+  subnetwork                     = "${google_compute_subnetwork.main.name}"
+  ip_range_pods                  = "${google_compute_subnetwork.main.secondary_ip_range.0.range_name}"
+  ip_range_services              = "${google_compute_subnetwork.main.secondary_ip_range.1.range_name}"
+  compute_engine_service_account = "${var.compute_engine_service_account}"
+}

test/fixtures/disable_client_cert/network.tf

@@ -0,0 +1,52 @@
+/**
+ * Copyright 2018 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+locals {
+  credentials_path = "${path.module}/${var.credentials_path_relative}"
+}
+
+resource "random_string" "suffix" {
+  length  = 4
+  special = false
+  upper   = false
+}
+
+provider "google" {
+  credentials = "${file(local.credentials_path)}"
+  project     = "${var.project_id}"
+}
+
+resource "google_compute_network" "main" {
+  name                    = "cft-gke-test-${random_string.suffix.result}"
+  auto_create_subnetworks = "false"
+}
+
+resource "google_compute_subnetwork" "main" {
+  name          = "cft-gke-test-${random_string.suffix.result}"
+  ip_cidr_range = "10.0.0.0/17"
+  region        = "${var.region}"
+  network       = "${google_compute_network.main.self_link}"
+
+  secondary_ip_range {
+    range_name    = "cft-gke-test-pods-${random_string.suffix.result}"
+    ip_cidr_range = "192.168.0.0/18"
+  }
+
+  secondary_ip_range {
+    range_name    = "cft-gke-test-services-${random_string.suffix.result}"
+    ip_cidr_range = "192.168.64.0/18"
+  }
+}

test/fixtures/disable_client_cert/outputs.tf

@@ -0,0 +1 @@
+../shared/outputs.tf

test/fixtures/disable_client_cert/terraform.tfvars

@@ -0,0 +1 @@
+../shared/terraform.tfvars

test/fixtures/disable_client_cert/variables.tf

@@ -0,0 +1 @@
+../shared/variables.tf