Comments (6)
-
For basic auth, I think we should go with
enable_basic_auth = false
as the default going forward. This will generate a diff for existing module users, but that is acceptable as they can choose to either explicitly encode the desire to enable basic auth or require the new version. -
Client certificates sound slightly more destructive and we use them internally, so let's start by adding an
enable_client_certificate
variable with a default oftrue
.
Also, as per the docs it does seem to be possible to enable cluster cert but disable basic auth so we need to support that scenario: https://www.terraform.io/docs/providers/google/r/container_cluster.html#client_certificate_config
from terraform-google-kubernetes-engine.
Yes, I think it's a good idea to add this. Do you think we would want it as a default?
from terraform-google-kubernetes-engine.
Yes I think it makes sense to disable both by default. When creating a cluster via the GCP console, both options have recommendations to disable them. Also, they will be disabled by default in 1.12.
from terraform-google-kubernetes-engine.
So I looked into this a few notes/questions:
Our best practices guide says to name variables in the positive. Defaulting to disabled basic auth (enable_basic_auth = false
) will be a breaking change for deployed clusters. Enabling it by default requires a username and password. The default pw for GKE is 'admin', but the password is random.
So:
- Do we want to enable basic auth by default but, change their password using tf
resource "random"
- Do we want to name this in the negative? Default:
disable_basic_auth = false
to prevent breakage?
Disabling client certificates is a destructive change. My assumption is we should name this in the positive and enable it by default. This is a catch-22 since its destructive to change. If we enable client certs by default, its not destructive to current users, but opts new users into a bad practice with the chance of being destructive if they did not notice the variable. If we disable it by default, its destructive to current users, but sets the module up for best practices.
It may also be worth noting, to set the certificate explicitly, its a nested setting that also requires the username and password be set. So its technically not possible to make this non-breaking for current users, because as soon as the certificate setting is set, the username and password has to be as well.
For setting basic auth, which do you prefer?
enable_basic_auth = true
basic_auth_username = "xxx"
basic_auth_password = "xxx"
basic_auth {
username = "xxx"
password = "yyy"
}
The later would assume if the map is empty, it is disabled.
from terraform-google-kubernetes-engine.
Yep, I got that support in my first pass! Thanks for the input, sounds like a good approach to me.
from terraform-google-kubernetes-engine.
Fixed by #40.
from terraform-google-kubernetes-engine.
Related Issues (20)
- There don't appear to be any guidelines on getting a PR approved. HOT 1
- Safer Cluster Access with IAP Bastion Host exposes cluster external endpoint HOT 1
- Private Cluster Config In modules/beta-private-cluster-update-variant Causes Cluster Recreation HOT 5
- CI: E0216 in output
- Logs for Firewall policies for safer cluster update variant are not configurable HOT 1
- Add Stateful High Availability (HA) Operator HOT 1
- Initial E0222 response causes JSON parse failure for later content
- Add tpu_topology to placement_policy. HOT 1
- No changes detected when adding `observability_metrics` inputs to existing cluster modules. HOT 4
- configure_ip_masq config and non_masquerade_cidrs are invalid for Autopilot Clusters and should be replaced with EgressNATPolicy HOT 1
- Unable to apply anthos service mesh module facing ERROR: (gcloud.container.clusters.get-credentials) You do not currently │ have an active account selected. HOT 3
- No Option for specifying image_type in auto_provisioning_defaults HOT 2
- Missing `node_pools` variable in beta-private-cluster documentation HOT 1
- Add upgrade_settings for NAP created node pools HOT 1
- Add option to attach roles just on the created SA instead of at the project level in workload-identity module HOT 1
- enable managed data plane annotation on ASM submodule HOT 1
- getting TLS handshake error. HOT 1
- Cannot create Node pool - Error 400 HOT 1
- Add `enable_l4_ibl_subsetting` for `safer-cluster-update-variant` clusters HOT 1
- Consider using provider-defined functions to simplify data transformations in modules HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from terraform-google-kubernetes-engine.