Support for disabling basic auth / client cert #40
Conversation
Could you add some minor tests to cover this?
67ca995 to b1e9db0
In addition to the comments inline, can we add something to the README (and changelog) explicitly discussing this?
This will cause a plan change for existing users. Enabling it will require them to set a username and password.
f4f0b46 to 7fa630e
Tiny changes needed.
With respect to the plan change, this will require a major version bump.
028a6f1 to 5c8f0cb
@coryodaniel Please fix merge conflicts and requested changes.
I believe I got all requested changes in. I'll resolve the merge conflicts first thing tomorrow AM.
@coryodaniel Please investigate why tests are failing and fix. /cc @Jberlinsky
@coryodaniel we're getting failures in CI on this branch, but they're unrelated to your work on this pull request. I've opened #74 to fix this issue.
Interesting. Should I wait and rebase off master once it’s in or do you want to point the PR at this branch?
Thanks,
Cory O’Daniel
… On Jan 28, 2019, at 4:33 PM, Adrien Thebo ***@***.***> wrote:
@coryodaniel we're getting failures in CI on this branch, but they're unrelated to your work on this pull request. I've opened #74 to fix this issue.
@coryodaniel I've seen other pull requests have their reviews dismissed upon rebase, which might be good in some cases but may not be ideal here. Let's get that code into master so that we're merging into a clean build, merge master into this branch, and when CI goes green we can merge into master.
0266d26 to ab4802a
ab4802a to ee58d26
ee58d26 to 5c64fa2
Agreed! I’m out of town til the 9th. I’ll rebase and make the changes as soon as I’m off vacay! 🌴
Thanks,
Cory O’Daniel
… On Mar 26, 2019, at 11:34 AM, Olivier Cervello ***@***.***> wrote:
@ocervell commented on this pull request.
In main.tf:
> @@ -143,6 +143,9 @@ locals {
cluster_http_load_balancing_enabled = "${local.cluster_type_output_http_load_balancing_enabled[local.cluster_type] ? false : true}"
cluster_horizontal_pod_autoscaling_enabled = "${local.cluster_type_output_horizontal_pod_autoscaling_enabled[local.cluster_type] ? false : true}"
cluster_kubernetes_dashboard_enabled = "${local.cluster_type_output_kubernetes_dashboard_enabled[local.cluster_type] ? false : true}"
+
+ cluster_basic_auth_username = "${var.enable_basic_auth ? var.basic_auth_username : ""}"
+ cluster_basic_auth_password = "${var.enable_basic_auth ? var.basic_auth_password : ""}"
}
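Review bot: the two new locals forward `var.basic_auth_username` and `var.basic_auth_password` unchanged whenever `enable_basic_auth` is true, so the flag combined with the empty-string defaults of those variables produces empty credentials, and nothing in this hunk rejects that combination; add a check that both values are non-empty when the flag is set, or at least document the consequence in the variable descriptions, since the quoted comment notes the provider reacts by quietly leaving basic auth off rather than failing the plan.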
Based on those two lines, if enable_basic_auth is true and basic_auth_username and basic_auth_password are not specified by the user, based on the google_container_resource behaviour, Basic Auth will be disabled (counter-intuitive): maybe in that case we can generate default credentials?

```hcl
locals {
  # Fall back to a fixed username when the caller leaves the variable empty.
  basic_auth_username = "${var.basic_auth_username == "" ? "admin" : var.basic_auth_username}"
  # Fall back to a generated password; the resource is addressed as random_string.password (no "resource." prefix).
  basic_auth_password = "${var.basic_auth_password == "" ? random_string.password.result : var.basic_auth_password}"
}

resource "random_string" "password" {
  length  = 16
  special = true
}
```

and change the above to:

```hcl
# Uses the variable name from the hunk, var.enable_basic_auth.
cluster_basic_auth_username = "${var.enable_basic_auth ? local.basic_auth_username : ""}"
cluster_basic_auth_password = "${var.enable_basic_auth ? local.basic_auth_password : ""}"
```
In autogen/main.tf:
> @@ -143,6 +143,9 @@ locals {
cluster_http_load_balancing_enabled = "${local.cluster_type_output_http_load_balancing_enabled[local.cluster_type] ? false : true}"
cluster_horizontal_pod_autoscaling_enabled = "${local.cluster_type_output_horizontal_pod_autoscaling_enabled[local.cluster_type] ? false : true}"
cluster_kubernetes_dashboard_enabled = "${local.cluster_type_output_kubernetes_dashboard_enabled[local.cluster_type] ? false : true}"
+
+ cluster_basic_auth_username = "${var.enable_basic_auth ? var.basic_auth_username : ""}"
+ cluster_basic_auth_password = "${var.enable_basic_auth ? var.basic_auth_password : ""}"
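Review bot: this `autogen/main.tf` hunk repeats the `main.tf` hunk line for line, which is expected for the template a generated file comes from, but the same empty-credential gap applies here, and `var.basic_auth_password` now flows through a plain local into the cluster resource, so it will be stored unmasked in Terraform state; the README and changelog addition requested above should say so and point users at a protected state backend.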
Same comment as below.
c0be695 to 2232089
* [Added] `enable_basic_auth` variable. Defaults to `false`<sup>1</sup>
* [Added] `basic_auth_username` variable. Defaults to `""`
* [Added] `basic_auth_password` variable. Defaults to `""`
* [Added] `issue_client_certificate` variable. Defaults to `true`<sup>2</sup>

Notes:

1. This will cause a plan change for existing users. Enabling it will require them to set a username and password.
2. This is enabled by default, despite being a poor security practice, because changing this value is destructive to the cluster and we decided to err on not triggering *destroy* plan changes for existing users.

* Replace outputs w/ symlink
* disable color in tests
* adding suffix
* Set basic auth to disabled by default
2232089 to 022561a
Some notes on functionality I wanted to revisit since it's been a while since this was originally created:
Auth credential changes do seem to disrupt access to the k8s API via kubectl and the GCP console @aaron-lane Should we default the username to
Satisfied request to autogenerate content.
@coryodaniel: thanks for the review! With respect to only We could investigate if the provider can be enhanced to identify this invalid case while planning.
It's a pretty straightforward presence rule. Not sure if provider validation supports conditional presence.
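The presence rule the two comments above describe (the flag requires both credentials) can be enforced inside the module itself rather than waiting on the provider. The following is an added example, not code from this pull request or from the terraform-google-kubernetes-engine module; it assumes Terraform 1.2 or later (for `lifecycle` preconditions) and a google provider release from the era of this pull request, when `google_container_cluster` still accepted `username` and `password` under `master_auth`. The cluster name and location are constructed placeholders.

```hcl
# Added example, not the module's own code. Assumes Terraform >= 1.2 and a
# google provider release that still accepts master_auth username/password.

variable "enable_basic_auth" {
  description = "Enable basic (username/password) authentication to the cluster master."
  type        = bool
  default     = false
}

variable "basic_auth_username" {
  description = "Required when enable_basic_auth is true; ignored otherwise."
  type        = string
  default     = ""
}

variable "basic_auth_password" {
  description = "Required when enable_basic_auth is true; ignored otherwise."
  type        = string
  default     = ""
  sensitive   = true # masks plan/apply output only; the value is still written to state
}

variable "issue_client_certificate" {
  description = "Issue a client certificate for the master; changing this recreates the cluster."
  type        = bool
  default     = true
}

locals {
  # The invalid combination: flag on, but at least one credential left empty.
  # The provider does not reject this; it creates the cluster with basic auth
  # silently disabled, which is the counter-intuitive behaviour the review
  # thread points out.
  basic_auth_misconfigured = var.enable_basic_auth && (
    var.basic_auth_username == "" || var.basic_auth_password == ""
  )

  # Mirrors the locals in the pull request: credentials are only passed
  # through when the flag is set.
  cluster_basic_auth_username = var.enable_basic_auth ? var.basic_auth_username : ""
  cluster_basic_auth_password = var.enable_basic_auth ? var.basic_auth_password : ""
}

resource "google_container_cluster" "primary" {
  name     = "example-cluster" # constructed placeholder
  location = "us-central1"     # constructed placeholder

  remove_default_node_pool = true
  initial_node_count       = 1

  master_auth {
    username = local.cluster_basic_auth_username
    password = local.cluster_basic_auth_password

    client_certificate_config {
      issue_client_certificate = var.issue_client_certificate
    }
  }

  lifecycle {
    # Evaluated at plan time: the bad combination fails `terraform plan`
    # with this message instead of reaching the API and yielding a cluster
    # that has no basic auth at all.
    precondition {
      condition     = !local.basic_auth_misconfigured
      error_message = "enable_basic_auth = true requires non-empty basic_auth_username and basic_auth_password."
    }
  }
}
```

With `enable_basic_auth = true` and the two credential variables left at their defaults, `terraform plan` stops on the precondition message; with both credentials set, or with the flag false, planning proceeds as before. The precondition replaces the older `tobool("message")` conversion-error idiom that pre-1.2 configurations used for the same purpose.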
@@ -10,10 +10,17 @@ Extending the adopted spec, each change should have a link to its corresponding | |||
## [v2.0.0] - 2019-YY-ZZ |
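Review bot: the `## [v2.0.0] - 2019-YY-ZZ` heading carries a placeholder date; replace it with the real release date when the version is cut, or keep these entries under an `Unreleased` heading until then, and give each entry the pull-request link that the rule in the context line ("each change should have a link to its corresponding ...") requires.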
Did we not release v2.0.0 yet?
Closes #37