The resource provides mechanisms to inject containers with sensitive information, such as passwords, while keeping containers agnostic of Kubernetes. Secrets can store sensitive information either as individual properties or as coarse-grained entries like entire files or JSON blobs. By default the resource creates a Secret that any pod in the specified (or default) namespace can mount or reference, and that any principal with RBAC permission to get or list secrets in that namespace can read. The API server only base64-encodes Secret values; they are not encrypted unless encryption at rest is configured for the cluster. Every value passed to data or binary_data is also written in plaintext to the Terraform state, so the state backend needs the same access controls and encryption as the Secret itself.
A basic-auth secret (this type requires the keys username and password):

resource "kubernetes_secret" "example" {
  metadata {
    name = "basic-auth"
  }

  data = {
    username = "admin"
    password = "P4ssw0rd"
  }

  type = "kubernetes.io/basic-auth"
}
A Docker registry credential loaded from an existing config file. The file is read when Terraform plans, so its full contents end up in the plan and the state. Each example on this page is standalone and reuses the resource name "example"; within one module every resource address must be unique.

resource "kubernetes_secret" "example" {
  metadata {
    name = "docker-cfg"
  }

  data = {
    ".dockerconfigjson" = file("${path.module}/.docker/config.json")
  }

  type = "kubernetes.io/dockerconfigjson"
}
The same Docker registry credential assembled from variables:

resource "kubernetes_secret" "example" {
  metadata {
    name = "docker-cfg"
  }

  type = "kubernetes.io/dockerconfigjson"

  data = {
    ".dockerconfigjson" = jsonencode({
      auths = {
        "${var.registry_server}" = {
          "username" = var.registry_username
          "password" = var.registry_password
          "email"    = var.registry_email
          "auth"     = base64encode("${var.registry_username}:${var.registry_password}")
        }
      }
    })
  }
}
This is equivalent to the following kubectl command:
$ kubectl create secret docker-registry docker-cfg --docker-server=${registry_server} --docker-username=${registry_username} --docker-password=${registry_password} --docker-email=${registry_email}
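A registry credential is only useful once something pulls with it. The following is an added example, not part of the provider documentation: it builds the docker-cfg secret from variables (the password marked sensitive so it stays out of plan output) and attaches it as an imagePullSecret to a dedicated service account, so pod specs never need to carry the registry credential themselves. The variable names, the "image-puller" account name and the use of the default namespace are assumptions for illustration.

```hcl
# Added example (not from the provider docs). Variable and resource names are
# assumptions for illustration.

variable "registry_server" {
  type = string
}

variable "registry_username" {
  type = string
}

variable "registry_password" {
  type      = string
  sensitive = true # hidden from plan/apply output; still stored in state
}

resource "kubernetes_secret" "registry" {
  metadata {
    name      = "docker-cfg"
    namespace = "default"
  }

  type = "kubernetes.io/dockerconfigjson"

  data = {
    ".dockerconfigjson" = jsonencode({
      auths = {
        # Parentheses make the map key an expression rather than a literal.
        (var.registry_server) = {
          username = var.registry_username
          password = var.registry_password
          auth     = base64encode("${var.registry_username}:${var.registry_password}")
        }
      }
    })
  }
}

resource "kubernetes_service_account" "puller" {
  metadata {
    name      = "image-puller"
    namespace = kubernetes_secret.registry.metadata[0].namespace
  }

  # Pods running as this account get the pull secret without listing it
  # in their own spec.
  image_pull_secret {
    name = kubernetes_secret.registry.metadata[0].name
  }

  # The account exists to pull images, not to call the API; don't mount
  # its API token into pods.
  automount_service_account_token = false
}
```

Pods that set serviceAccountName to image-puller can pull from the private registry; the credential itself is visible only to principals with RBAC access to secrets in the namespace and to whoever can read the Terraform state.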
A service account token. Terraform waits until the token controller has populated the Secret, after which the token, ca.crt and namespace keys are readable from the resource's data attribute. A token minted this way does not expire; since Kubernetes 1.24 such tokens are created only on explicit request like this one, and short-lived tokens from the TokenRequest API should be preferred wherever the consumer can use them.

resource "kubernetes_secret" "example" {
  metadata {
    annotations = {
      "kubernetes.io/service-account.name" = "my-service-account"
    }

    generate_name = "my-service-account-"
  }

  type                           = "kubernetes.io/service-account-token"
  wait_for_service_account_token = true
}
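The annotation above names the service account as a string, which silently produces an empty, never-populated Secret if the account does not exist. The following is an added example, not part of the provider documentation: it creates the service account and its token Secret together so the annotation references a real object, keeps the token off the pods that run as the account, and exposes it only through a sensitive output for an external consumer such as a CI system. The "ci-deployer" name and the default namespace are assumptions for illustration.

```hcl
# Added example (not from the provider docs). Names are assumptions for
# illustration.

resource "kubernetes_service_account" "ci" {
  metadata {
    name      = "ci-deployer"
    namespace = "default"
  }

  # The token is for an external CI system; pods running as this account
  # do not need it mounted.
  automount_service_account_token = false
}

resource "kubernetes_secret" "ci_token" {
  metadata {
    namespace     = kubernetes_service_account.ci.metadata[0].namespace
    generate_name = "${kubernetes_service_account.ci.metadata[0].name}-token-"

    annotations = {
      # Referencing the resource (not a literal) guarantees the account
      # exists before the token controller is asked to populate this Secret.
      "kubernetes.io/service-account.name" = kubernetes_service_account.ci.metadata[0].name
    }
  }

  type = "kubernetes.io/service-account-token"

  # Block until the controller has written token, ca.crt and namespace.
  wait_for_service_account_token = true
}

# The bearer token is a long-lived credential: only expose it as a
# sensitive output, never in plain outputs or logs.
output "ci_token" {
  value     = kubernetes_secret.ci_token.data["token"]
  sensitive = true
}

# The cluster CA is not secret and can be exported normally.
output "ci_ca_cert" {
  value = kubernetes_secret.ci_token.data["ca.crt"]
}
```

The token still lives in plaintext in the Terraform state, and it does not expire; rotate it by tainting or replacing the kubernetes_secret resource, and revoke it by deleting the Secret.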
The following arguments are supported:

data - (Optional) A map of the secret data. Values are given as plain strings; the provider base64-encodes them for the API.
binary_data - (Optional) A map of base64-encoded secret data, for payloads that are not valid UTF-8. Values must already be base64-encoded, for example with filebase64().
metadata - (Required) Standard secret's metadata. For more info see Kubernetes reference.
type - (Optional) The secret type. Defaults to Opaque. For more info see Kubernetes reference.
immutable - (Optional) Ensures that data stored in the Secret cannot be updated (only object metadata can be modified). If not set to true, the field can be modified at any time.
wait_for_service_account_token - (Optional) Terraform will wait for the service account token to be created. Defaults to true. Only relevant for type kubernetes.io/service-account-token.

The metadata block supports the following arguments:

annotations - (Optional) An unstructured key value map stored with the secret that may be used to store arbitrary metadata.
generate_name - (Optional) Prefix, used by the server, to generate a unique name ONLY IF the name field has not been provided. This value will also be combined with a unique suffix. For more info see Kubernetes reference.
labels - (Optional) Map of string keys and values that can be used to organize and categorize (scope and select) the secret. May match selectors of replication controllers and services.
name - (Optional) Name of the secret, must be unique. Cannot be updated. For more info see Kubernetes reference.
namespace - (Optional) Namespace defines the space within which the name of the secret must be unique. Defaults to default.

The metadata block exports the following attributes:

generation - A sequence number representing a specific generation of the desired state.
resource_version - An opaque value that represents the internal version of this secret that can be used by clients to determine when the secret has changed. For more info see Kubernetes reference.
uid - The unique in time and space value for this secret. For more info see Kubernetes reference.

kubernetes_secret provides the following timeouts configuration options:

create - Default 1 minute
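The distinction between data and binary_data, and the effect of immutable, are easiest to see in one resource. The following is an added example, not part of the provider documentation: an Opaque secret in an explicit namespace that carries a text value (base64-encoded by the provider) and a binary file (base64-encoded by Terraform with filebase64()), and that is locked against in-place edits. The "payments" namespace, the variable name and the client.p12 file are assumptions for illustration; the namespace and file are assumed to exist.

```hcl
# Added example (not from the provider docs). The namespace, variable name
# and client.p12 file are assumptions for illustration.

variable "db_password" {
  type      = string
  sensitive = true # keeps the value out of plan/apply output, not out of state
}

resource "kubernetes_secret" "app_config" {
  metadata {
    name      = "payments-config"
    namespace = "payments" # assumed to exist; omitting it means "default"

    labels = {
      "app.kubernetes.io/name" = "payments"
    }
  }

  # type defaults to Opaque when omitted; stated here for clarity.
  type = "Opaque"

  # data takes plain strings: the provider base64-encodes them for the API.
  data = {
    "DB_PASSWORD" = var.db_password
  }

  # binary_data must already be base64 (non-UTF-8 payloads belong here);
  # filebase64() reads the file and encodes it in one step.
  binary_data = {
    "client.p12" = filebase64("${path.module}/client.p12")
  }

  # The API server rejects changes to the data of an immutable Secret, so a
  # changed value means replacing the object rather than editing it in place.
  immutable = true
}
```

Both the password and the file contents are stored in plaintext in the Terraform state, so marking the variable sensitive protects the console output only; the state backend must be encrypted and access-restricted.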
Secret can be imported using its namespace and name, e.g.
$ terraform import kubernetes_secret.example default/my-secret