github.com/hugorut/terraform@v1.1.3/website/docs/language/settings/backends/kubernetes.mdx

---
page_title: 'Backend Type: Kubernetes'
description: Terraform can store state remotely in Kubernetes and lock that state.
---

# kubernetes

-> **Note:** This backend is limited by Kubernetes' maximum Secret size of 1MB. See [Secret restrictions](https://kubernetes.io/docs/concepts/configuration/secret/#restrictions) for details.

Stores the state in a [Kubernetes secret](https://kubernetes.io/docs/concepts/configuration/secret/).

This backend supports [state locking](/language/state/locking), with locking done using a Lease resource.

## Example Configuration

```hcl
terraform {
  backend "kubernetes" {
    secret_suffix = "state"
    config_path   = "~/.kube/config"
  }
}
```

This assumes the user/service account running Terraform has [permissions](https://kubernetes.io/docs/reference/access-authn-authz/authorization/) to read/write secrets in the [namespace](https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/) used to store the secret.

If the `config_path` or `config_paths` attribute is set, the backend will attempt to use a [kubeconfig file](https://kubernetes.io/docs/concepts/configuration/organize-cluster-access-kubeconfig/) to gain access to the cluster.

If the `in_cluster_config` flag is set, the backend will attempt to use a [service account](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/) to access the cluster. This can be used if Terraform is being run from within a pod running in the Kubernetes cluster.

For most use cases, either `in_cluster_config`, `config_path`, or `config_paths` will need to be set. If all flags are set, the configuration at `config_path` will be used.

Note that for the access credentials we recommend using a [partial configuration](/language/settings/backends/configuration#partial-configuration).
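
A partial configuration for this backend, shown as an added example that is not part of the original documentation: the block keeps only non-secret settings, and the connection details come from the `KUBE_*` environment variables this backend reads. The namespace, label and host values are assumptions made for illustration.

```hcl
# Added example (not from the original docs). Namespace, label and host
# values are constructed for illustration.

# Avoid: credentials and a disabled TLS check committed with the configuration.
#
# terraform {
#   backend "kubernetes" {
#     secret_suffix = "state"
#     host          = "https://k8s.example.internal:6443" # constructed value
#     token         = "<service-account-token>"           # placeholder
#     insecure      = true                                # skips certificate verification
#   }
# }

# Prefer: only non-secret settings in the block.
terraform {
  backend "kubernetes" {
    secret_suffix = "state"
    namespace     = "terraform-state"
    labels = {
      "app.kubernetes.io/managed-by" = "terraform"
    }
  }
}

# The remaining arguments are read from the environment at `terraform init`:
#   KUBE_HOST                  -> host
#   KUBE_TOKEN                 -> token
#   KUBE_CLUSTER_CA_CERT_DATA  -> cluster_ca_certificate
# or, for a kubeconfig-based login:
#   KUBE_CONFIG_PATH           -> config_path
#   KUBE_CTX                   -> config_context
# KUBE_INSECURE stays unset, so the default (false) keeps certificate
# verification on.
```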

## Example Referencing

```hcl
data "terraform_remote_state" "foo" {
  backend = "kubernetes"
  config = {
    secret_suffix    = "state"
    load_config_file = true
  }
}
```

## Configuration variables

The following configuration options are supported:

* `secret_suffix` - (Required) Suffix used when creating secrets. Secrets will be named in the format: `tfstate-{workspace}-{secret_suffix}`.
* `labels` - (Optional) Map of additional labels to be applied to the secret and lease.
* `namespace` - (Optional) Namespace to store the secret and lease in. Can be sourced from `KUBE_NAMESPACE`.
* `in_cluster_config` - (Optional) Used to authenticate to the cluster from inside a pod. Can be sourced from `KUBE_IN_CLUSTER_CONFIG`.
* `host` - (Optional) The hostname (in form of URI) of Kubernetes master. Can be sourced from `KUBE_HOST`. Defaults to `https://localhost`.
* `username` - (Optional) The username to use for HTTP basic authentication when accessing the Kubernetes master endpoint. Can be sourced from `KUBE_USER`.
* `password` - (Optional) The password to use for HTTP basic authentication when accessing the Kubernetes master endpoint. Can be sourced from `KUBE_PASSWORD`.
* `insecure` - (Optional) Whether server should be accessed without verifying the TLS certificate. Can be sourced from `KUBE_INSECURE`. Defaults to `false`.
* `client_certificate` - (Optional) PEM-encoded client certificate for TLS authentication. Can be sourced from `KUBE_CLIENT_CERT_DATA`.
* `client_key` - (Optional) PEM-encoded client certificate key for TLS authentication. Can be sourced from `KUBE_CLIENT_KEY_DATA`.
* `cluster_ca_certificate` - (Optional) PEM-encoded root certificates bundle for TLS authentication. Can be sourced from `KUBE_CLUSTER_CA_CERT_DATA`.
* `config_path` - (Optional) Path to the kube config file. Can be sourced from `KUBE_CONFIG_PATH`.
* `config_paths` - (Optional) List of paths to kube config files. Can be sourced from `KUBE_CONFIG_PATHS`.
* `config_context` - (Optional) Context to choose from the config file. Can be sourced from `KUBE_CTX`.
* `config_context_auth_info` - (Optional) Authentication info context of the kube config (name of the kubeconfig user, `--user` flag in `kubectl`). Can be sourced from `KUBE_CTX_AUTH_INFO`.
* `config_context_cluster` - (Optional) Cluster context of the kube config (name of the kubeconfig cluster, `--cluster` flag in `kubectl`). Can be sourced from `KUBE_CTX_CLUSTER`.
* `token` - (Optional) Token of your service account. Can be sourced from `KUBE_TOKEN`.
* `exec` - (Optional) Configuration block to use an [exec-based credential plugin](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#client-go-credential-plugins), e.g. call an external command to receive user credentials.
  * `api_version` - (Required) API version to use when decoding the ExecCredentials resource, e.g. `client.authentication.k8s.io/v1beta1`.
  * `command` - (Required) Command to execute.
  * `args` - (Optional) List of arguments to pass when executing the plugin.
  * `env` - (Optional) Map of environment variables to set when executing the plugin.
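
The `namespace`, `token` and `in_cluster_config` options imply a service account that can reach Secrets and Leases in one namespace only. The following added example (not part of the original documentation) grants that with a namespaced Role using the `hashicorp/kubernetes` provider from a separate bootstrap configuration. All resource names and the namespace are assumptions, and the verb lists are an assumption derived from the read/write and locking behaviour this page describes.

```hcl
# Added example (not from the original docs). Names and the namespace are
# assumptions; the verb lists are assumed from the documented behaviour.
# The namespace is expected to exist already.
locals { state_namespace = "terraform-state" }

resource "kubernetes_service_account" "terraform" {
  metadata {
    name      = "terraform-runner"
    namespace = local.state_namespace
  }
}

resource "kubernetes_role" "tfstate" {
  metadata {
    name      = "terraform-state-backend"
    namespace = local.state_namespace
  }

  # State is stored in Secrets named tfstate-{workspace}-{secret_suffix}.
  rule {
    api_groups = [""]
    resources  = ["secrets"]
    verbs      = ["get", "list", "create", "update", "delete"]
  }

  # State locking is done with Lease resources.
  rule {
    api_groups = ["coordination.k8s.io"]
    resources  = ["leases"]
    verbs      = ["get", "create", "update", "delete"]
  }
}

# A RoleBinding (not a ClusterRoleBinding) keeps the grant inside one namespace.
resource "kubernetes_role_binding" "tfstate" {
  metadata {
    name      = "terraform-state-backend"
    namespace = local.state_namespace
  }
  role_ref {
    api_group = "rbac.authorization.k8s.io"
    kind      = "Role"
    name      = kubernetes_role.tfstate.metadata[0].name
  }
  subject {
    kind      = "ServiceAccount"
    name      = kubernetes_service_account.terraform.metadata[0].name
    namespace = local.state_namespace
  }
}
```

Anyone who can read Secrets in this namespace can read the stored state, so a dedicated namespace with no other workloads keeps that access narrow.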