Configuration data source #1641

Closed
0x2b3bfa0 opened this issue Mar 14, 2022 · 5 comments

Comments

@0x2b3bfa0

0x2b3bfa0 commented Mar 14, 2022

Description

A kubernetes_config data source exposing the data from kubectl config view --raw (source) would allow the retrieval of configuration values, like the server address for the current cluster.

Potential Terraform Configuration

data "kubernetes_config" "example" {}

output "configuration" {
  value     = data.kubernetes_config.example
  sensitive = true
}

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment
@alexsomesan
Member

Can you provide a more elaborate example of what a use-case of this feature would look like?

Also, this carries a set of serious security concerns.

@0x2b3bfa0
Author

0x2b3bfa0 commented Mar 24, 2022

Use Case — Service Account

If I recall correctly, the server address can only be retrieved from the kubeconfig file. This address is necessary to create a new standalone kubeconfig file for a service account.

Actual...
terraform {
  required_providers {
    kubernetes = {
      source  = "hashicorp/kubernetes"
      version = "~> 2.8.0"
    }
  }
}

provider "kubernetes" {
  config_path = pathexpand("~/.kube/config")
}

resource "kubernetes_service_account" "example" {
  metadata {
    name = "example"
  }
}

data "kubernetes_secret" "example" {
  metadata {
    name = kubernetes_service_account.example.default_secret_name
  }
}

output "kubeconfig" {
  sensitive = true
  value     = yamlencode({
    apiVersion        = "v1"
    kind              = "Config"
    "current-context" = "cluster"

    clusters = [{
      name = "cluster"
      cluster = {
        "certificate-authority-data" = base64encode(data.kubernetes_secret.example.data["ca.crt"])
        server                       = {
          for cluster in yamldecode(file(pathexpand("~/.kube/config")))["clusters"] :
          cluster["name"] => cluster["cluster"]
        }[{
          for context in yamldecode(file(pathexpand("~/.kube/config")))["contexts"] :
          context["name"] => context["context"]["cluster"]
        }[yamldecode(file(pathexpand("~/.kube/config")))["current-context"]]]["server"]
      }
    }]

    contexts = [{
      name = "cluster"
      context = {
        cluster   = "cluster"
        namespace = data.kubernetes_secret.example.data["namespace"]
        user      = kubernetes_service_account.example.metadata.0.name
      }
    }]

    users = [{
      name = kubernetes_service_account.example.metadata.0.name
      user = {
        token = data.kubernetes_secret.example.data["token"]
      }
    }]
  })
}
Desired...
terraform {
  required_providers {
    kubernetes = {
      source  = "hashicorp/kubernetes"
      version = "~> 2.8.0"
    }
  }
}

provider "kubernetes" {
  config_path = pathexpand("~/.kube/config")
}

resource "kubernetes_service_account" "example" {
  metadata {
    name = "example"
  }
}

data "kubernetes_secret" "example" {
  metadata {
    name = kubernetes_service_account.example.default_secret_name
  }
}

data "kubernetes_config" "example" {}

output "kubeconfig" {
  sensitive = true
  value     = yamlencode({
    apiVersion        = "v1"
    kind              = "Config"
    "current-context" = "cluster"

    clusters = [{
      name = "cluster"
      cluster = {
        "certificate-authority-data" = base64encode(data.kubernetes_secret.example.data["ca.crt"])
        server                       = data.kubernetes_config.example...
      }
    }]

    contexts = [{
      name = "cluster"
      context = {
        cluster   = "cluster"
        namespace = data.kubernetes_secret.example.data["namespace"]
        user      = kubernetes_service_account.example.metadata.0.name
      }
    }]

    users = [{
      name = kubernetes_service_account.example.metadata.0.name
      user = {
        token = data.kubernetes_secret.example.data["token"]
      }
    }]
  })
}

@0x2b3bfa0
Author

Also, this carries a set of serious security concerns

I'm particularly interested in the security implications of this feature. What kind of concerns do you have in mind?

@0x2b3bfa0
Author

In the interest of security, the maintainers will not approve data sources that provide the ability to reference or export the AWS credentials of the running provider. — AWS provider documentation

This feature request is potentially similar in risk. Would it be better to filter out secrets from the output?

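As an added illustration (not code from the issue or the provider), the Python below performs the same current-context to server lookup that the nested `for` expressions in the "Actual" configuration do, assembles the same standalone service-account kubeconfig, and shows what a secrets-filtered variant of the proposed data source would return; the kubeconfig and every value in it are constructed.

```python
import base64
import copy
import json

# Constructed sample kubeconfig (JSON is valid YAML, so this is the shape
# `kubectl config view --raw` returns); every value here is made up.
SAMPLE_KUBECONFIG = json.loads("""{
  "apiVersion": "v1", "kind": "Config", "current-context": "dev",
  "clusters": [
    {"name": "dev", "cluster": {"server": "https://dev.example.invalid:6443",
                                "certificate-authority-data": "Q0EtZGV2"}},
    {"name": "prod", "cluster": {"server": "https://prod.example.invalid:6443"}}],
  "contexts": [
    {"name": "dev", "context": {"cluster": "dev", "user": "admin"}},
    {"name": "prod", "context": {"cluster": "prod", "user": "admin"}}],
  "users": [{"name": "admin", "user": {"token": "admin-token-SECRET",
                                      "client-key-data": "S0VZ"}}]
}""")

# User fields that carry credentials; server URLs, CA certs and names do not.
SECRET_USER_FIELDS = {"token", "tokenFile", "password", "client-key",
                      "client-key-data", "auth-provider", "exec"}

def current_cluster_server(config):
    """current-context -> context.cluster -> cluster.server, the same
    lookup chain as the nested `for` expressions in the issue."""
    contexts = {c["name"]: c["context"] for c in config["contexts"]}
    clusters = {c["name"]: c["cluster"] for c in config["clusters"]}
    return clusters[contexts[config["current-context"]]["cluster"]]["server"]

def redact_kubeconfig(config):
    """Copy with credential fields stripped from every user entry: the
    'filter out secrets' variant of the proposed data source."""
    out = copy.deepcopy(config)
    for entry in out.get("users", []):
        entry["user"] = {k: v for k, v in entry["user"].items()
                         if k not in SECRET_USER_FIELDS}
    return out

def standalone_kubeconfig(config, ca_crt_pem, namespace, sa_name, token):
    """The service-account kubeconfig the issue's `output` block assembles."""
    return {
        "apiVersion": "v1", "kind": "Config", "current-context": "cluster",
        "clusters": [{"name": "cluster", "cluster": {
            "certificate-authority-data": base64.b64encode(ca_crt_pem).decode(),
            "server": current_cluster_server(config)}}],
        "contexts": [{"name": "cluster", "context": {
            "cluster": "cluster", "namespace": namespace, "user": sa_name}}],
        "users": [{"name": sa_name, "user": {"token": token}}],
    }
```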
@github-actions

Marking this issue as stale due to inactivity. If this issue receives no comments in the next 30 days it will automatically be closed. If this issue was automatically closed and you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. This helps our maintainers find and focus on the active issues. Maintainers may also remove the stale label at their discretion. Thank you!

@github-actions github-actions bot added the stale label Apr 20, 2023
@github-actions github-actions bot closed this as not planned Won't fix, can't repro, duplicate, stale May 21, 2023
@github-actions github-actions bot locked as resolved and limited conversation to collaborators May 20, 2024