From 22012aebd638686a8d920c732dfa4e8fc60318c2 Mon Sep 17 00:00:00 2001
From: Dan Ramich
Date: Fri, 30 Nov 2018 14:59:14 -0700
Subject: [PATCH] Add kubernetes backend to website
---
 .../docs/backends/types/kubernetes.html.md | 77 +++++++++++++++++++
 website/docs/state/workspaces.html.md | 1 +
 website/layouts/backend-types.erb | 3 +
 3 files changed, 81 insertions(+)
 create mode 100644 website/docs/backends/types/kubernetes.html.md
diff --git a/website/docs/backends/types/kubernetes.html.md b/website/docs/backends/types/kubernetes.html.md
new file mode 100644
index 000000000000..cd18c1148f7f
--- /dev/null
+++ b/website/docs/backends/types/kubernetes.html.md
@@ -0,0 +1,77 @@
+---
+layout: "backend-types"
+page_title: "Backend Type: Kubernetes"
+sidebar_current: "docs-backends-types-standard-kubernetes"
+description: |-
+ Terraform can store state remotely in Kubernetes and lock that state.
+---
+
+# kubernetes
+
+**Kind: Standard (with locking)**
+
+Stores the state in a [Kubernetes secret](https://kubernetes.io/docs/concepts/configuration/secret/)
+with locking done in the same secret.
+
+## Example Configuration
+
+```hcl
+terraform {
+ backend "kubernetes" {
+ key = "state"
+ load_config_file = true
+ }
+}
+```
+
+This assumes the user/service account running terraform has [permissions](https://kubernetes.io/docs/reference/access-authn-authz/authorization/) to read/write secrets
+in the [namespace](https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/)
+used to store the secret.
+
+If the `load_config_file` flag is set the backend will attempt to use a [kubeconfig file](https://kubernetes.io/docs/concepts/configuration/organize-cluster-access-kubeconfig/) to
+gain access to the cluster.
+If the `service_account` flag is set the backend will attempt to use a [service account](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/) to
+access the cluster. This can be used if Terraform is being ran from within a pod
+running in the Kubernetes cluster.
+
+For most use cases either `service_account` or `load_config_file` will need to be set to `true`.
+If both flags are set the configuration from `load_config_file` will be used.
+
+Note that for the access credentials we recommend using a
+[partial configuration](/docs/backends/config.html#partial-configuration).
+
+
+
+## Example Referencing
+
+```hcl
+data "terraform_remote_state" "foo" {
+ backend = "kubernetes"
+ config = {
+ key = "state"
+ load_config_file = true
+ }
+}
+```
+
+## Configuration variables
+
+The following configuration options are supported:
+
+* `key` - (Required) Used to name the secret in Kubernetes and added as a label.
+* `namespace` - (Optional) Namespace to store the secret in. Can be sourced from `KUBE_NAMESPACE`.
+* `service_account` - (Optional) Use a service account assigned to a pod to access the cluster. Can be sourced from `KUBE_SERVICE_ACCOUNT`.
+* `load_config_file` - (Optional) Use a kubeconfig file to access the cluster. Can be sourced from `KUBE_LOAD_CONFIG_FILE`.
+* `host` - (Optional) The hostname (in form of URI) of Kubernetes master. Can be sourced from `KUBE_HOST`. Defaults to `https://localhost`.
+* `username` - (Optional) The username to use for HTTP basic authentication when accessing the Kubernetes master endpoint. Can be sourced from `KUBE_USER`.
+* `password` - (Optional) The password to use for HTTP basic authentication when accessing the Kubernetes master endpoint. Can be sourced from `KUBE_PASSWORD`.
+* `insecure` - (Optional) Whether server should be accessed without verifying the TLS certificate. Can be sourced from `KUBE_INSECURE`. Defaults to `false`.
+* `client_certificate` - (Optional) PEM-encoded client certificate for TLS authentication. Can be sourced from `KUBE_CLIENT_CERT_DATA`.
+* `client_key` - (Optional) PEM-encoded client certificate key for TLS authentication. Can be sourced from `KUBE_CLIENT_KEY_DATA`.
+* `cluster_ca_certificate` - (Optional) PEM-encoded root certificates bundle for TLS authentication. Can be sourced from `KUBE_CLUSTER_CA_CERT_DATA`.
+* `config_path` - (Optional) Path to the kube config file. Can be sourced from `KUBE_CONFIG` or `KUBECONFIG`. Defaults to `~/.kube/config`.
+* `config_context` - (Optional) Context to choose from the config file. Can be sourced from `KUBE_CTX`.
+* `config_context_auth_info` - (Optional) Authentication info context of the kube config (name of the kubeconfig user, `--user` flag in `kubectl`). Can be sourced from `KUBE_CTX_AUTH_INFO`.
+* `config_context_cluster` - (Optional) Cluster context of the kube config (name of the kubeconfig cluster, `--cluster` flag in `kubectl`). Can be sourced from `KUBE_CTX_CLUSTER`.
+* `token` - (Optional) Token of your service account. Can be sourced from `KUBE_TOKEN`.
+
diff --git a/website/docs/state/workspaces.html.md b/website/docs/state/workspaces.html.md
index 568d4f8236c9..52547eafc5b9 100644
--- a/website/docs/state/workspaces.html.md
+++ b/website/docs/state/workspaces.html.md
@@ -29,6 +29,7 @@ Multiple workspaces are currently supported by the following backends:
 * [Consul](/docs/backends/types/consul.html)
 * [GCS](/docs/backends/types/gcs.html)
 * [Local](/docs/backends/types/local.html)
+ * [Kubernetes](/docs/backends/types/kubernetes.html)
 * [Manta](/docs/backends/types/manta.html)
 * [Postgres](/docs/backends/types/pg.html)
 * [Remote](/docs/backends/types/remote.html)
diff --git a/website/layouts/backend-types.erb b/website/layouts/backend-types.erb
index 315470890f34..760baa48734a 100644
--- a/website/layouts/backend-types.erb
+++ b/website/layouts/backend-types.erb
@@ -48,6 +48,9 @@ > http + > + kubernetes + > manta