Add kubernetes backend to website

hashicorp · Jun 20, 2019 · 22012ae · 22012ae
1 parent 5f236e2
commit 22012ae
Show file tree

Hide file tree

Showing 3 changed files with 81 additions and 0 deletions.
diff --git a/website/docs/backends/types/kubernetes.html.md b/website/docs/backends/types/kubernetes.html.md
@@ -0,0 +1,77 @@
+---
+layout: "backend-types"
+page_title: "Backend Type: Kubernetes"
+sidebar_current: "docs-backends-types-standard-kubernetes"
+description: |-
+  Terraform can store state remotely in Kubernetes and lock that state.
+---
+
+# kubernetes
+
+**Kind: Standard (with locking)**
+
+Stores the state in a [Kubernetes secret](https://kubernetes.io/docs/concepts/configuration/secret/)
+with locking done in the same secret.
+
+## Example Configuration
+
+```hcl
+terraform {
+  backend "kubernetes" {
+    key              = "state"
+    load_config_file = true
+  }
+}
+```
+
+This assumes the user/service account running terraform has [permissions](https://kubernetes.io/docs/reference/access-authn-authz/authorization/) to read/write secrets
+in the [namespace](https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/) 
+used to store the secret.
+
+If the `load_config_file` flag is set the backend will attempt to use a [kubeconfig file](https://kubernetes.io/docs/concepts/configuration/organize-cluster-access-kubeconfig/) to
+gain access to the cluster.  
+If the `service_account` flag is set the backend will attempt to use a [service account](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/) to 
+access the cluster. This can be used if Terraform is being ran from within a pod
+running in the Kubernetes cluster. 
+
+For most use cases either `service_account` or `load_config_file` will need to be set to `true`. 
+If both flags are set the configuration from `load_config_file` will be used.
+
+Note that for the access credentials we recommend using a
+[partial configuration](/docs/backends/config.html#partial-configuration).
+
+
+
+## Example Referencing
+
+```hcl
+data "terraform_remote_state" "foo" {
+  backend = "kubernetes"
+  config = {
+    key              = "state"
+    load_config_file = true
+  }
+}
+```
+
+## Configuration variables
+
+The following configuration options are supported:
+
+* `key` - (Required) Used to name the secret in Kubernetes and added as a label.
+* `namespace` - (Optional) Namespace to store the secret in. Can be sourced from `KUBE_NAMESPACE`.
+* `service_account` - (Optional) Use a service account assigned to a pod to access the cluster. Can be sourced from `KUBE_SERVICE_ACCOUNT`.
+* `load_config_file` - (Optional) Use a kubeconfig file to access the cluster. Can be sourced from `KUBE_LOAD_CONFIG_FILE`.
+* `host` - (Optional) The hostname (in form of URI) of Kubernetes master. Can be sourced from `KUBE_HOST`. Defaults to `https://localhost`.
+* `username` - (Optional) The username to use for HTTP basic authentication when accessing the Kubernetes master endpoint. Can be sourced from `KUBE_USER`.
+* `password` - (Optional) The password to use for HTTP basic authentication when accessing the Kubernetes master endpoint. Can be sourced from `KUBE_PASSWORD`.
+* `insecure` - (Optional) Whether server should be accessed without verifying the TLS certificate. Can be sourced from `KUBE_INSECURE`. Defaults to `false`.
+* `client_certificate` - (Optional) PEM-encoded client certificate for TLS authentication. Can be sourced from `KUBE_CLIENT_CERT_DATA`.
+* `client_key` - (Optional) PEM-encoded client certificate key for TLS authentication. Can be sourced from `KUBE_CLIENT_KEY_DATA`.
+* `cluster_ca_certificate` - (Optional) PEM-encoded root certificates bundle for TLS authentication. Can be sourced from `KUBE_CLUSTER_CA_CERT_DATA`.
+* `config_path` - (Optional) Path to the kube config file. Can be sourced from `KUBE_CONFIG` or `KUBECONFIG`. Defaults to `~/.kube/config`.
+* `config_context` - (Optional) Context to choose from the config file. Can be sourced from `KUBE_CTX`.
+* `config_context_auth_info` - (Optional) Authentication info context of the kube config (name of the kubeconfig user, `--user` flag in `kubectl`). Can be sourced from `KUBE_CTX_AUTH_INFO`.
+* `config_context_cluster` - (Optional) Cluster context of the kube config (name of the kubeconfig cluster, `--cluster` flag in `kubectl`). Can be sourced from `KUBE_CTX_CLUSTER`.
+* `token` - (Optional) Token of your service account.  Can be sourced from `KUBE_TOKEN`.
+
diff --git a/website/docs/state/workspaces.html.md b/website/docs/state/workspaces.html.md
@@ -29,6 +29,7 @@ Multiple workspaces are currently supported by the following backends:
  * [Consul](/docs/backends/types/consul.html)
  * [GCS](/docs/backends/types/gcs.html)
  * [Local](/docs/backends/types/local.html)
+ * [Kubernetes](/docs/backends/types/kubernetes.html)
  * [Manta](/docs/backends/types/manta.html)
  * [Postgres](/docs/backends/types/pg.html)
  * [Remote](/docs/backends/types/remote.html)

diff --git a/website/layouts/backend-types.erb b/website/layouts/backend-types.erb
@@ -48,6 +48,9 @@
                   <li<%= sidebar_current("docs-backends-types-standard-http") %>>
                     <a href="/docs/backends/types/http.html">http</a>
                   </li>
+                  <li<%= sidebar_current("docs-backends-types-standard-kubernetes") %>>
+                    <a href="/docs/backends/types/kubernetes.html">kubernetes</a>
+                  </li>
                   <li<%= sidebar_current("docs-backends-types-standard-manta") %>>
                     <a href="/docs/backends/types/manta.html">manta</a>
                   </li>