From 8bf46f498d0425b55275db05bfa8a1d377a6d597 Mon Sep 17 00:00:00 2001
From: Anton Kachurin <anton.kachurin@t-systems.com>
Date: Wed, 22 Sep 2021 10:51:55 +0300
Subject: [PATCH] [CCE] Fix `authenticating_proxy` cluster auth mode

Make `authenticating_proxy_ca` deprecated.

Add `authenticating_proxy` argument containing all `ca`, `cert`,
and `private_key` for configuring authenticating proxy auth mode.
---
 docs/resources/cce_cluster_v3.md              | 11 ++++
 ...ce_opentelekomcloud_cce_cluster_v3_test.go | 65 +++++++++++-------
 ...esource_opentelekomcloud_cce_cluster_v3.go | 66 +++++++++++++++++--
 .../cce-auth-proxy-63baf6c8c7e08aae.yaml      |  8 +++
 4 files changed, 123 insertions(+), 27 deletions(-)
 create mode 100644 releasenotes/notes/cce-auth-proxy-63baf6c8c7e08aae.yaml

diff --git a/docs/resources/cce_cluster_v3.md b/docs/resources/cce_cluster_v3.md
index ee86df874..9001e78b6 100644
--- a/docs/resources/cce_cluster_v3.md
+++ b/docs/resources/cce_cluster_v3.md
@@ -124,6 +124,17 @@ The following arguments are supported:
   Defaults to `rbac`. Changing this parameter will create a new cluster resource.
 
 * `authenticating_proxy_ca` - (Optional) CA root certificate provided in the `authenticating_proxy` mode.
+  Deprecated, use `authenticating_proxy` instead.
+
+* `authenticating_proxy` - (Optional) Authenticating proxy configuration. Required if `authentication_mode` is set to `authenticating_proxy`.
+  * `ca` - X509 CA certificate configured in `authenticating_proxy` mode. The maximum size of the certificate is 1 MB.
+  * `cert` - Client certificate issued by the X509 CA certificate configured in `authenticating_proxy` mode.
+  This certificate is used for authentication from kube-apiserver to the extended API server.
+  * `private_key` - Private key of the client certificate issued by the X509 CA certificate configured in `authenticating_proxy` mode.
+  This key is used for authentication from kube-apiserver to the extended API server.
+
+~>
+  The private key used by the Kubernetes cluster does not support password encryption. Use an unencrypted private key.
 
 * `multi_az` - (Optional) Enable multiple AZs for the cluster, only when using HA flavors. Changing this parameter will create a new cluster resource.
 
diff --git a/opentelekomcloud/acceptance/cce/resource_opentelekomcloud_cce_cluster_v3_test.go b/opentelekomcloud/acceptance/cce/resource_opentelekomcloud_cce_cluster_v3_test.go
index 0cc25e8b8..ab533d656 100644
--- a/opentelekomcloud/acceptance/cce/resource_opentelekomcloud_cce_cluster_v3_test.go
+++ b/opentelekomcloud/acceptance/cce/resource_opentelekomcloud_cce_cluster_v3_test.go
@@ -281,31 +281,52 @@ resource "opentelekomcloud_cce_cluster_v3" "cluster_1" {
   container_network_type  = "overlay_l2"
   kubernetes_svc_ip_range = "10.247.0.0/16"
   authentication_mode     = "authenticating_proxy"
-  authenticating_proxy_ca = <<EOT
+  authenticating_proxy {
+    ca = <<EOT
 -----BEGIN CERTIFICATE-----
-MIIDpTCCAo2gAwIBAgIJAKdmmOBYnFvoMA0GCSqGSIb3DQEBCwUAMGkxCzAJBgNV
-BAYTAnh4MQswCQYDVQQIDAJ4eDELMAkGA1UEBwwCeHgxCzAJBgNVBAoMAnh4MQsw
-CQYDVQQLDAJ4eDELMAkGA1UEAwwCeHgxGTAXBgkqhkiG9w0BCQEWCnh4QDE2My5j
-b20wHhcNMTcxMjA0MDM0MjQ5WhcNMjAxMjAzMDM0MjQ5WjBpMQswCQYDVQQGEwJ4
-eDELMAkGA1UECAwCeHgxCzAJBgNVBAcMAnh4MQswCQYDVQQKDAJ4eDELMAkGA1UE
-CwwCeHgxCzAJBgNVBAMMAnh4MRkwFwYJKoZIhvcNAQkBFgp4eEAxNjMuY29tMIIB
-IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwZ5UJULAjWr7p6FVwGRQRjFN
-2s8tZ/6LC3X82fajpVsYqF1xqEuUDndDXVD09E4u83MS6HO6a3bIVQDp6/klnYld
-iE6Vp8HH5BSKaCWKVg8lGWg1UM9wZFnlryi14KgmpIFmcu9nA8yV/6MZAe6RSDmb
-3iyNBmiZ8aZhGw2pI1YwR+15MVqFFGB+7ExkziROi7L8CFCyCezK2/oOOvQsH1dz
-Q8z1JXWdg8/9Zx7Ktvgwu5PQM3cJtSHX6iBPOkMU8Z8TugLlTqQXKZOEgwajwvQ5
-mf2DPkVgM08XAgaLJcLigwD513koAdtJd5v+9irw+5LAuO3JclqwTvwy7u/YwwID
-AQABo1AwTjAdBgNVHQ4EFgQUo5A2tIu+bcUfvGTD7wmEkhXKFjcwHwYDVR0jBBgw
-FoAUo5A2tIu+bcUfvGTD7wmEkhXKFjcwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0B
-AQsFAAOCAQEAWJ2rS6Mvlqk3GfEpboezx2J3X7l1z8Sxoqg6ntwB+rezvK3mc9H0
-83qcVeUcoH+0A0lSHyFN4FvRQL6X1hEheHarYwJK4agb231vb5erasuGO463eYEG
-r4SfTuOm7SyiV2xxbaBKrXJtpBp4WLL/s+LF+nklKjaOxkmxUX0sM4CTA7uFJypY
-c8Tdr8lDDNqoUtMD8BrUCJi+7lmMXRcC3Qi3oZJW76ja+kZA5mKVFPd1ATih8TbA
-i34R7EQDtFeiSvBdeKRsPp8c0KT8H1B4lXNkkCQs2WX5p4lm99+ZtLD4glw8x6Ic
-i1YhgnQbn5E0hz55OLu5jvOkKQjPCW+9Aa==
+MIICZjCCAc+gAwIBAgIUZtMIBg4MdR/h8yPITTx5+B0Xj0swDQYJKoZIhvcNAQEL
+BQAwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoM
+GEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAeFw0yMTA5MjExNDEyMThaFw0zMTA5
+MTkxNDEyMThaMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEw
+HwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwgZ8wDQYJKoZIhvcNAQEB
+BQADgY0AMIGJAoGBANSP54SyxRLkWjnGkLQcUOSxM6FUfk8k+PvSgq9xF0CeO8BR
+NbY+y/+Jr9l1k0XRjAajIe/pdD4Yta24ox9yH5+ay+eKIFjdr2DAsyD5SSnW+A3o
+e1eYAwZhWWgGRgq8VG6yik1vm1nsJW8crj+3k/N0kjiLYFGRTelpSThnesb3AgMB
+AAGjUzBRMB0GA1UdDgQWBBT2daqVn+fyu7qoWflS7WwQ9EosODAfBgNVHSMEGDAW
+gBT2daqVn+fyu7qoWflS7WwQ9EosODAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3
+DQEBCwUAA4GBAEoaBV1HA5wSDEGu1blKUtda13IxBg3ZpHWxwOpDS3gwXYzEOPAL
+jgKvjKkLJaJnTp8V+YtO1xBhB272ZgWbr22Cer8TQZchNc16I2qLp+O9AQuPqVYO
+15xHZN4yCgCVYcSlUm/HW2tJ3lAmilxkEFvJJcK1uLh7vqMflmcPSLe5
 -----END CERTIFICATE-----
 EOT
-}`, common.DataSourceSubnet, clusterName)
+    cert = <<EOT
+-----BEGIN CERTIFICATE-----
+MIIByDCCATECFAzNYuav3B0dfSfIe7L8pDJ0t0LuMA0GCSqGSIb3DQEBCwUAMEUx
+CzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRl
+cm5ldCBXaWRnaXRzIFB0eSBMdGQwHhcNMjEwOTIxMTQzMDM3WhcNMzEwOTE5MTQz
+MDM3WjBFMQswCQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UE
+CgwYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMFwwDQYJKoZIhvcNAQEBBQADSwAw
+SAJBALcrRkYvf/pLJQQp21KCPk56AuWh0UxbMd75NOZQWrY1QFXTRJ0xYHAGa/LG
+LgposjKO9BELu+AYe+UoIJVwdAkCAwEAATANBgkqhkiG9w0BAQsFAAOBgQBwHUAE
+Pzs5sfqJgJe0YDNZSC+V/+NZ67AYTDBzYt35dNEqUxbnsOaoMjuWr5a9/mkcIHPT
+aXLd7Y85Iko9GDXrW4Xw58ZAqQO6nLSTvZ3LX5zxpmIY8RKw31bTnZbJWnzlV5UU
+AmXWUWcptcu8WYcWfgrzP8Kob5znC1svHsKm0g==
+-----END CERTIFICATE-----
+EOT
+    private_key = <<EOT
+-----BEGIN RSA PRIVATE KEY-----
+MIIBOwIBAAJBALcrRkYvf/pLJQQp21KCPk56AuWh0UxbMd75NOZQWrY1QFXTRJ0x
+YHAGa/LGLgposjKO9BELu+AYe+UoIJVwdAkCAwEAAQJBAJXeLHOErdum3DSZ4r+R
+nVUsc25bhhpJi3Z6xJOlL3NgoDaAWEapQZ+jGs/XPCu14Skxwy5s9wgXznsfxIav
+qWECIQDeVgWmBcvNz2FmQD8V1pIfQoec3hpTH3bVA06Rhg0j7QIhANLnGVpiCI+s
+Pgqeqr93J1HojrcD9u5C9kahdt57GgUNAiBI5E7pxVCx4uF90mZcVIKHeRpY1YAv
+7ErbP0BM+XPpaQIgNaUu37yb7N+lEFJ3oCgQylbbJlZN0yEZP7IGaGTro2kCIQCc
+qYYLFv6yuySapSHrdOaPXnXrhMY4BE0EpzAuh+opxw==
+-----END RSA PRIVATE KEY-----
+EOT
+  }
+}
+`, common.DataSourceSubnet, clusterName)
 
 	testAccCCEClusterV3InvalidSubnet = fmt.Sprintf(`
 %s
diff --git a/opentelekomcloud/services/cce/resource_opentelekomcloud_cce_cluster_v3.go b/opentelekomcloud/services/cce/resource_opentelekomcloud_cce_cluster_v3.go
index 5b330bc46..0a64b0003 100644
--- a/opentelekomcloud/services/cce/resource_opentelekomcloud_cce_cluster_v3.go
+++ b/opentelekomcloud/services/cce/resource_opentelekomcloud_cce_cluster_v3.go
@@ -12,6 +12,7 @@ import (
 
 	"github.com/hashicorp/go-multierror"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/customdiff"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/validation"
@@ -49,7 +50,10 @@ func ResourceCCEClusterV3() *schema.Resource {
 			Delete: schema.DefaultTimeout(30 * time.Minute),
 		},
 
-		CustomizeDiff: validateCCEClusterNetwork,
+		CustomizeDiff: customdiff.All(
+			validateCCEClusterNetwork,
+			validateAuthProxy,
+		),
 
 		Schema: map[string]*schema.Schema{
 			"region": {
@@ -142,10 +146,36 @@ func ResourceCCEClusterV3() *schema.Resource {
 				ForceNew: true,
 				Default:  "x509",
 			},
-			"authenticating_proxy_ca": {
-				Type:     schema.TypeString,
+			"authenticating_proxy": {
+				Type:     schema.TypeList,
 				Optional: true,
 				ForceNew: true,
+				MaxItems: 1,
+				Elem: &schema.Resource{
+					Schema: map[string]*schema.Schema{
+						"ca": {
+							Type:     schema.TypeString,
+							Required: true,
+							ForceNew: true,
+						},
+						"cert": {
+							Type:     schema.TypeString,
+							Required: true,
+							ForceNew: true,
+						},
+						"private_key": {
+							Type:     schema.TypeString,
+							Required: true,
+							ForceNew: true,
+						},
+					},
+				},
+			},
+			"authenticating_proxy_ca": {
+				Type:       schema.TypeString,
+				Optional:   true,
+				ForceNew:   true,
+				Deprecated: "Please use `authenticating_proxy` instead",
 			},
 			"kubernetes_svc_ip_range": {
 				Type:     schema.TypeString,
@@ -291,9 +321,13 @@ func resourceCCEClusterV3Create(ctx context.Context, d *schema.ResourceData, met
 		}
 	}
 
-	authProxy := make(map[string]string)
+	authProxy := map[string]string{}
 	if ca, ok := d.GetOk("authenticating_proxy_ca"); ok {
-		authProxy["ca"] = common.Base64IfNot(ca.(string))
+		authProxy = map[string]string{
+			"ca": common.Base64IfNot(ca.(string)),
+		}
+	} else if _, ok := d.GetOk("authenticating_proxy"); ok {
+		authProxy = getAuthProxy(d)
 	}
 
 	createOpts := clusters.CreateOpts{
@@ -766,3 +800,25 @@ func isAuthRequired(err error) bool {
 	}
 	return false
 }
+
+func getAuthProxy(d *schema.ResourceData) map[string]string {
+	if d.Get("authenticating_proxy.#").(int) == 0 {
+		return nil
+	}
+	resMap := map[string]string{
+		"ca":         common.Base64IfNot(d.Get("authenticating_proxy.0.ca").(string)),
+		"cert":       common.Base64IfNot(d.Get("authenticating_proxy.0.cert").(string)),
+		"privateKey": common.Base64IfNot(d.Get("authenticating_proxy.0.private_key").(string)),
+	}
+	return resMap
+}
+
+func validateAuthProxy(_ context.Context, d *schema.ResourceDiff, _ interface{}) error {
+	if d.Get("authentication_mode") != "authenticating_proxy" {
+		return nil
+	}
+	if d.Get("authenticating_proxy.#").(int) == 0 {
+		return fmt.Errorf("`authenticating_proxy` fields needs to be set if auth mode is `authenticating_proxy`")
+	}
+	return nil
+}
diff --git a/releasenotes/notes/cce-auth-proxy-63baf6c8c7e08aae.yaml b/releasenotes/notes/cce-auth-proxy-63baf6c8c7e08aae.yaml
new file mode 100644
index 000000000..e79f8b5b6
--- /dev/null
+++ b/releasenotes/notes/cce-auth-proxy-63baf6c8c7e08aae.yaml
@@ -0,0 +1,8 @@
+---
+enhancements:
+  - |
+    **[CCE]** Add ``authenticating_proxy`` argument to ``resource/opentelekomcloud_cce_cluster_v3`` (`#1418 <https://github.com/opentelekomcloud/terraform-provider-opentelekomcloud/pull/1418>`_)
+deprecations:
+  - |
+    **[CCE]** Mark ``authenticating_proxy_ca`` argument of ``resource/opentelekomcloud_cce_cluster_v3`` as deprecated,
+    as passing only CA is not enough in current CCE version  (`#1418 <https://github.com/opentelekomcloud/terraform-provider-opentelekomcloud/pull/1418>`_)