github.com/muratcelep/terraform@v1.1.0-beta2-not-internal-4/website/docs/language/settings/backends/kubernetes.html.md

github.com/muratcelep/terraform@v1.1.0-beta2-not-internal-4/website/docs/language/settings/backends/kubernetes.html.md (about)

     1  ---
     2  layout: "language"
     3  page_title: "Backend Type: Kubernetes"
     4  sidebar_current: "docs-backends-types-standard-kubernetes"
     5  description: |-
     6    Terraform can store state remotely in Kubernetes and lock that state.
     7  ---
     8  
     9  # kubernetes
    10  
    11  -> **Note:** This backend is limited by Kubernetes' maximum Secret size of 1MB. See [Secret restrictions](https://kubernetes.io/docs/concepts/configuration/secret/#restrictions) for details.
    12  
    13  **Kind: Standard (with locking)**
    14  
    15  Stores the state in a [Kubernetes secret](https://kubernetes.io/docs/concepts/configuration/secret/) with locking done using a Lease resource.
    16  
    17  ## Example Configuration
    18  
    19  ```hcl
    20  terraform {
    21    backend "kubernetes" {
    22      secret_suffix    = "state"
    23      config_path      = "~/.kube/config"
    24    }
    25  }
    26  ```
    27  
    28  This assumes the user/service account running terraform has [permissions](https://kubernetes.io/docs/reference/access-authn-authz/authorization/) to read/write secrets in the [namespace](https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/) used to store the secret.
    29  
    30  If the `config_path` or `config_paths` attribute is set the backend will attempt to use a [kubeconfig file](https://kubernetes.io/docs/concepts/configuration/organize-cluster-access-kubeconfig/) to gain access to the cluster.  
    31  
    32  If the `in_cluster_config` flag is set the backend will attempt to use a [service account](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/) to access the cluster. This can be used if Terraform is being run from within a pod running in the Kubernetes cluster. 
    33  
    34  For most use cases either `in_cluster_config`, `config_path`, or `config_paths` will need to be set. If all flags are set the configuration at `config_path` will be used.
    35  
    36  Note that for the access credentials we recommend using a [partial configuration](/docs/language/settings/backends/configuration.html#partial-configuration).
    37  
    38  
    39  ## Example Referencing
    40  
    41  ```hcl
    42  data "terraform_remote_state" "foo" {
    43    backend = "kubernetes"
    44    config = {
    45      secret_suffix    = "state"
    46      load_config_file = true
    47    }
    48  }
    49  ```
    50  
    51  ## Configuration variables
    52  
    53  The following configuration options are supported:
    54  
    55  * `secret_suffix` - (Required) Suffix used when creating secrets. Secrets will be named in the format: `tfstate-{workspace}-{secret_suffix}`.
    56  * `labels` - (Optional) Map of additional labels to be applied to the secret and lease.
    57  * `namespace` - (Optional) Namespace to store the secret and lease in. Can be sourced from `KUBE_NAMESPACE`.
    58  * `in_cluster_config` - (Optional) Used to authenticate to the cluster from inside a pod. Can be sourced from `KUBE_IN_CLUSTER_CONFIG`.
    59  * `host` - (Optional) The hostname (in form of URI) of Kubernetes master. Can be sourced from `KUBE_HOST`. Defaults to `https://localhost`.
    60  * `username` - (Optional) The username to use for HTTP basic authentication when accessing the Kubernetes master endpoint. Can be sourced from `KUBE_USER`.
    61  * `password` - (Optional) The password to use for HTTP basic authentication when accessing the Kubernetes master endpoint. Can be sourced from `KUBE_PASSWORD`.
    62  * `insecure` - (Optional) Whether server should be accessed without verifying the TLS certificate. Can be sourced from `KUBE_INSECURE`. Defaults to `false`.
    63  * `client_certificate` - (Optional) PEM-encoded client certificate for TLS authentication. Can be sourced from `KUBE_CLIENT_CERT_DATA`.
    64  * `client_key` - (Optional) PEM-encoded client certificate key for TLS authentication. Can be sourced from `KUBE_CLIENT_KEY_DATA`.
    65  * `cluster_ca_certificate` - (Optional) PEM-encoded root certificates bundle for TLS authentication. Can be sourced from `KUBE_CLUSTER_CA_CERT_DATA`.
    66  * `config_path` - (Optional) Path to the kube config file. Can be sourced from `KUBE_CONFIG_PATH`.
    67  * `config_paths` - (Optional) List of paths to kube config files. Can be sourced from `KUBE_CONFIG_PATHS`.
    68  * `config_context` - (Optional) Context to choose from the config file. Can be sourced from `KUBE_CTX`.
    69  * `config_context_auth_info` - (Optional) Authentication info context of the kube config (name of the kubeconfig user, `--user` flag in `kubectl`). Can be sourced from `KUBE_CTX_AUTH_INFO`.
    70  * `config_context_cluster` - (Optional) Cluster context of the kube config (name of the kubeconfig cluster, `--cluster` flag in `kubectl`). Can be sourced from `KUBE_CTX_CLUSTER`.
    71  * `token` - (Optional) Token of your service account.  Can be sourced from `KUBE_TOKEN`.
    72  * `exec` - (Optional) Configuration block to use an [exec-based credential plugin] (https://kubernetes.io/docs/reference/access-authn-authz/authentication/#client-go-credential-plugins), e.g. call an external command to receive user credentials.
    73    * `api_version` - (Required) API version to use when decoding the ExecCredentials resource, e.g. `client.authentication.k8s.io/v1beta1`.
    74    * `command` - (Required) Command to execute.
    75    * `args` - (Optional) List of arguments to pass when executing the plugin.
    76    * `env` - (Optional) Map of environment variables to set when executing the plugin.