Backend Type: kubernetes
This backend is limited by Kubernetes' maximum Secret size of 1MB. See Secret restrictions for details.
Stores the state in a Kubernetes secret.
This backend supports state locking, with locking done using a Lease resource.
Example Configuration
This assumes the user/service account running OpenTofu has permissions to read/write secrets in the namespace used to store the secret.
If the config_path or config_paths attribute is set, the backend will attempt to use a kubeconfig file to gain access to the cluster.
If the in_cluster_config flag is set, the backend will attempt to use a service account to access the cluster. This can be used if OpenTofu is being run from within a pod running in the Kubernetes cluster.
For most use cases, either in_cluster_config, config_path, or config_paths will need to be set. If all flags are set, the configuration at config_path will be used.
Note that for the access credentials we recommend using a partial configuration.
Example Referencing
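The two examples below are added here and are not the code from the OpenTofu documentation: a backend block for the Example Configuration case (OpenTofu running in a pod, authenticating with its service account) and a terraform_remote_state data source for the Example Referencing case. The namespace "tofu-state", the suffix "network", the label values, the kubeconfig path and the "vpc_id" output are assumptions.

```hcl
# Added example, not from the OpenTofu docs. Namespace, suffix, labels,
# kubeconfig path and the "vpc_id" output are assumed values.

# Example Configuration: run from inside the cluster using the pod's
# service account, which needs permission to read/write Secrets and
# Leases in the "tofu-state" namespace. Nothing sensitive is hardcoded:
# any token, kubeconfig or client certificate is left to the KUBE_*
# environment variables (partial configuration).
terraform {
  backend "kubernetes" {
    secret_suffix     = "network"     # state lives in tfstate-<workspace>-network
    namespace         = "tofu-state"
    in_cluster_config = true
    labels = {
      "app.kubernetes.io/managed-by" = "opentofu"
      "team"                         = "platform"
    }
  }
}

# Example Referencing: a second root module reads that state through a
# kubeconfig rather than the in-cluster service account. The kubeconfig
# path is not a credential; the credentials it points at (or KUBE_TOKEN
# and friends) never appear in this file or in the saved plan.
data "terraform_remote_state" "network" {
  backend = "kubernetes"
  config = {
    secret_suffix = "network"
    namespace     = "tofu-state"
    config_path   = "~/.kube/config"
  }
}

output "vpc_id" {
  value = data.terraform_remote_state.network.outputs.vpc_id
}
```

The backend block must be fully configured by the time `tofu init` runs, so a CI job would export the KUBE_* variables before that step rather than pass them with -backend-config.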
Configuration Variables
We recommend using environment variables to supply credentials and other sensitive data. If you use -backend-config
or hardcode these values directly in your configuration, OpenTofu will include these values in both the .terraform
subdirectory and in plan files. Refer to Credentials and Sensitive Data for details.
The following configuration options are supported:
- secret_suffix - (Required) Suffix used when creating secrets. Secrets will be named in the format: tfstate-{workspace}-{secret_suffix}.
- labels - (Optional) Map of additional labels to be applied to the secret and lease.
- namespace - (Optional) Namespace to store the secret and lease in. Can be sourced from KUBE_NAMESPACE.
- in_cluster_config - (Optional) Used to authenticate to the cluster from inside a pod. Can be sourced from KUBE_IN_CLUSTER_CONFIG.
- host - (Optional) The hostname (in form of URI) of the Kubernetes master. Can be sourced from KUBE_HOST. Defaults to https://localhost.
- username - (Optional) The username to use for HTTP basic authentication when accessing the Kubernetes master endpoint. Can be sourced from KUBE_USER.
- password - (Optional) The password to use for HTTP basic authentication when accessing the Kubernetes master endpoint. Can be sourced from KUBE_PASSWORD.
- insecure - (Optional) Whether the server should be accessed without verifying the TLS certificate. Can be sourced from KUBE_INSECURE. Defaults to false.
- client_certificate - (Optional) PEM-encoded client certificate for TLS authentication. Can be sourced from KUBE_CLIENT_CERT_DATA.
- client_key - (Optional) PEM-encoded client certificate key for TLS authentication. Can be sourced from KUBE_CLIENT_KEY_DATA.
- cluster_ca_certificate - (Optional) PEM-encoded root certificates bundle for TLS authentication. Can be sourced from KUBE_CLUSTER_CA_CERT_DATA.
- config_path - (Optional) Path to the kube config file. Can be sourced from KUBE_CONFIG_PATH.
- config_paths - (Optional) List of paths to kube config files. Can be sourced from KUBE_CONFIG_PATHS.
- config_context - (Optional) Context to choose from the config file. Can be sourced from KUBE_CTX.
- config_context_auth_info - (Optional) Authentication info context of the kube config (name of the kubeconfig user, --user flag in kubectl). Can be sourced from KUBE_CTX_AUTH_INFO.
- config_context_cluster - (Optional) Cluster context of the kube config (name of the kubeconfig cluster, --cluster flag in kubectl). Can be sourced from KUBE_CTX_CLUSTER.
- token - (Optional) Token of your service account. Can be sourced from KUBE_TOKEN.
- exec - (Optional) Configuration block to use an exec-based credential plugin, e.g. call an external command to receive user credentials. The block supports the following nested options:
  - api_version - (Required) API version to use when decoding the ExecCredentials resource, e.g. client.authentication.k8s.io/v1beta1.
  - command - (Required) Command to execute.
  - args - (Optional) List of arguments to pass when executing the plugin.
  - env - (Optional) Map of environment variables to set when executing the plugin.