Configuration data source #1641
Comments
Can you provide a more elaborate example of what a use-case of this feature would look like? Also, this carries a set of serious security concerns.
Use Case — Service Account

If I recall correctly, the

Actual

```hcl
terraform {
  required_providers {
    kubernetes = {
      source  = "hashicorp/kubernetes"
      version = "~> 2.8.0"
    }
  }
}

provider "kubernetes" {
  config_path = pathexpand("~/.kube/config")
}

resource "kubernetes_service_account" "example" {
  metadata {
    name = "example"
  }
}

# The auto-generated service account token secret (ca.crt, namespace, token).
data "kubernetes_secret" "example" {
  metadata {
    name = kubernetes_service_account.example.default_secret_name
  }
}

output "kubeconfig" {
  sensitive = true
  value = yamlencode({
    apiVersion        = "v1"
    kind              = "Config"
    "current-context" = "cluster"
    clusters = [{
      name = "cluster"
      cluster = {
        "certificate-authority-data" = base64encode(data.kubernetes_secret.example.data["ca.crt"])
        # Re-parse ~/.kube/config and walk current-context -> context.cluster -> clusters[].cluster.server
        server = { for cluster in yamldecode(file(pathexpand("~/.kube/config")))["clusters"] : cluster["name"] => cluster["cluster"] }[{ for context in yamldecode(file(pathexpand("~/.kube/config")))["contexts"] : context["name"] => context["context"]["cluster"] }[yamldecode(file(pathexpand("~/.kube/config")))["current-context"]]]["server"]
      }
    }]
    contexts = [{
      name = "cluster"
      context = {
        cluster   = "cluster"
        namespace = data.kubernetes_secret.example.data["namespace"]
        user      = kubernetes_service_account.example.metadata[0].name
      }
    }]
    users = [{
      name = kubernetes_service_account.example.metadata[0].name
      user = {
        token = data.kubernetes_secret.example.data["token"]
      }
    }]
  })
}
```

Desired

```hcl
terraform {
  required_providers {
    kubernetes = {
      source  = "hashicorp/kubernetes"
      version = "~> 2.8.0"
    }
  }
}

provider "kubernetes" {
  config_path = pathexpand("~/.kube/config")
}

resource "kubernetes_service_account" "example" {
  metadata {
    name = "example"
  }
}

data "kubernetes_secret" "example" {
  metadata {
    name = kubernetes_service_account.example.default_secret_name
  }
}

# Proposed data source: exposes the provider's resolved kubeconfig values.
data "kubernetes_config" "example" {}

output "kubeconfig" {
  sensitive = true
  value = yamlencode({
    apiVersion        = "v1"
    kind              = "Config"
    "current-context" = "cluster"
    clusters = [{
      name = "cluster"
      cluster = {
        "certificate-authority-data" = base64encode(data.kubernetes_secret.example.data["ca.crt"])
        server                       = data.kubernetes_config.example...
      }
    }]
    contexts = [{
      name = "cluster"
      context = {
        cluster   = "cluster"
        namespace = data.kubernetes_secret.example.data["namespace"]
        user      = kubernetes_service_account.example.metadata[0].name
      }
    }]
    users = [{
      name = kubernetes_service_account.example.metadata[0].name
      user = {
        token = data.kubernetes_secret.example.data["token"]
      }
    }]
  })
}
```
I'm particularly interested in the security implications of this feature. What kind of concerns do you have in mind?
This feature request is potentially similar in risk. Would it be better to filter out secrets from the output?
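Added example, not part of the issue thread or of the provider: the two operations the thread is weighing against each other, resolving `current-context` to the cluster's `server` and CA (what the "Actual" HCL above does with three nested `yamldecode` calls) and stripping credentials from a kubeconfig before it is exported (the "filter out secrets" suggestion). The input is the JSON form of `kubectl config view --raw -o json`, so only the standard library is needed; the sample kubeconfig, the `SECRET_USER_KEYS` list, and every function name below are this example's own assumptions. The redaction targets the `user` entries, because that is where tokens, passwords, client keys and exec/auth-provider plugin settings live; `server` and `certificate-authority-data` are not secrets and are kept.

```python
import copy
import json

# Constructed sample in the shape of `kubectl config view --raw -o json`.
# Not a real cluster; the token and key material are placeholders.
SAMPLE_KUBECONFIG_JSON = """
{
  "apiVersion": "v1",
  "kind": "Config",
  "current-context": "dev",
  "clusters": [
    {"name": "dev-cluster",  "cluster": {"server": "https://10.0.0.1:6443", "certificate-authority-data": "Q0EgUEVN"}},
    {"name": "prod-cluster", "cluster": {"server": "https://10.0.0.2:6443", "certificate-authority-data": "Q0EgUEVN"}}
  ],
  "contexts": [
    {"name": "dev",  "context": {"cluster": "dev-cluster",  "user": "dev-user", "namespace": "default"}},
    {"name": "prod", "context": {"cluster": "prod-cluster", "user": "prod-user"}}
  ],
  "users": [
    {"name": "dev-user",  "user": {"token": "eyJhbGciOi.constructed.token"}},
    {"name": "prod-user", "user": {"client-certificate-data": "Q0VSVA==", "client-key-data": "S0VZ"}}
  ]
}
"""

# Fields of a kubeconfig "user" entry that carry credentials or plugin config that may
# embed them. This list is the example's own choice, not something the provider defines.
SECRET_USER_KEYS = ("token", "password", "client-key", "client-key-data", "auth-provider", "exec")
REDACTED = "<redacted>"


def load_kubeconfig(text):
    """Parse the JSON output of `kubectl config view --raw -o json`."""
    return json.loads(text)


def named_entry(entries, name, kind):
    """Find the element of a kubeconfig list whose 'name' matches and return its payload."""
    for entry in entries or []:
        if entry.get("name") == name:
            return entry[kind]
    raise ValueError(f"kubeconfig has no {kind} named {name!r}")


def current_cluster(config):
    """Resolve current-context -> context.cluster -> clusters[].cluster (server + CA)."""
    ctx_name = config.get("current-context")
    if not ctx_name:
        raise ValueError("kubeconfig has no current-context")
    context = named_entry(config.get("contexts"), ctx_name, "context")
    return named_entry(config.get("clusters"), context["cluster"], "cluster")


def current_server(config):
    """The API server URL the current context points at."""
    return current_cluster(config)["server"]


def redact_kubeconfig(config):
    """Return a deep copy with every credential-bearing user field replaced; input is untouched."""
    redacted = copy.deepcopy(config)
    for entry in redacted.get("users", []):
        user = entry.get("user", {})
        for key in SECRET_USER_KEYS:
            if key in user:
                user[key] = REDACTED
    return redacted


def leaked_secret_keys(config):
    """List 'user.field' paths that still hold a live credential; empty means safe to export."""
    leaks = []
    for entry in config.get("users", []):
        for key, value in entry.get("user", {}).items():
            if key in SECRET_USER_KEYS and value != REDACTED:
                leaks.append(f"{entry.get('name')}.{key}")
    return leaks


if __name__ == "__main__":
    cfg = load_kubeconfig(SAMPLE_KUBECONFIG_JSON)
    print("current server:", current_server(cfg))
    print("leaks before redaction:", leaked_secret_keys(cfg))
    safe = redact_kubeconfig(cfg)
    print("leaks after redaction:", leaked_secret_keys(safe))
```

Whatever a `kubernetes_config` data source ends up returning would land in Terraform state in plaintext, so the check that matters is `leaked_secret_keys` returning an empty list on the exported view, not just `sensitive = true` on an output, which only affects what the CLI prints.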
Marking this issue as stale due to inactivity. If this issue receives no comments in the next 30 days it will automatically be closed. If this issue was automatically closed and you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. This helps our maintainers find and focus on the active issues. Maintainers may also remove the stale label at their discretion. Thank you!
Description

A kubernetes_config data source exposing the data from `kubectl config view --raw` would allow the retrieval of configuration values, like the server address for the current cluster.

Potential Terraform Configuration