Added upgrade guide v1.0

coryodaniel · aaron-lane · commit b7b0769e3c8d · 2019-04-05T11:20:49.000-04:00
* Set basic auth to disabled by default
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -44,7 +44,9 @@ Extending the adopted spec, each change should have a link to its corresponding
 * Added `disable_legacy_metadata_endpoints` parameter. [#114]
 
 ### Changed
-* Set `horizontal_pod_autoscaling` to `true` by default. Fixes [#42]. [#54]
+
+* Set `horizontal_pod_autoscaling` to `true` by default.
+  Fixes [#42]. [#54]
 * Update simple-zonal example GKE version to supported version. [#49]
 * Drop explicit version from simple_zonal example. [#74]
 * Remove explicit versions from test cases and examples. [#62]
diff --git a/docs/upgrading_to_v1.0.md b/docs/upgrading_to_v1.0.md
@@ -0,0 +1,33 @@
+# Upgrading to terraform-google-kubernetes-engine v1.0
+
+The v1.0 release of terraform-google-kubernetes-engine is a backwards incompatible release.
+
+## Migration Instructions
+
+### Re-enabling Kubernetes Basic Authentication
+
+Starting with version 1.12, clusters will have basic authentication and client certificate issuance disabled by default in GKE. In previous versions of *terraform-google-kubernetes-engine* basic auth was silently enabled. It is now disabled by default.
+
+**Re-enabling Kubernetes basic authentication:**
+
+**Note:** enabling basic auth will cause terraform to store your basic auth credentials in state file. It is important to use a backend that supports encryption at rest. [Read more](https://www.terraform.io/docs/state/sensitive-data.html)
+
+```hcl
+module "enabling-basic-auth" {
+  source = "terraform-google-modules/kubernetes-engine/google"
+  project_id        = "${var.project_id}"
+  name              = "cluster-with-basic-auth"
+
+  enable_basic_auth = "true"
+  basic_auth_username = "admin"
+  basic_auth_password = "s3crets!"
+
+  regional          = "true"
+  region            = "${var.region}"
+  network           = "${var.network}"
+  subnetwork        = "${var.subnetwork}"
+  ip_range_pods     = "${var.ip_range_pods}"
+  ip_range_services = "${var.ip_range_services}"
+  service_account   = "${var.compute_engine_service_account}"
+}
+```
diff --git a/variables.tf b/variables.tf
@@ -219,7 +219,7 @@ variable "service_account" {
 
 variable "enable_basic_auth" {
   description = "Basic authentication allows a user to authenticate to the cluster with a username and password. To maximize the security of your cluster, disable this option. Basic authentication is not recommended because it provides no confidentiality protection for transmitted credentials"
-  default     = "true"
+  default     = "false"
 }
 
 variable "basic_auth_username" {

Original file line number	Diff line number	Diff line change
`@@ -219,7 +219,7 @@ variable "service_account" {`
`219`	`219`
`220`	`220`	`variable "enable_basic_auth" {`
`221`	`221`	`description = "Basic authentication allows a user to authenticate to the cluster with a username and password. To maximize the security of your cluster, disable this option. Basic authentication is not recommended because it provides no confidentiality protection for transmitted credentials"`
`222`		`- default = "true"`
	`222`	`+ default = "false"`
`223`	`223`	`}`
`224`	`224`
`225`	`225`	`variable "basic_auth_username" {`