Creates a Kubernetes Secrets Backend for Vault.
The Kubernetes Secrets Engine for Vault generates Kubernetes service account tokens, and optionally service accounts, role bindings, and roles.
```hcl
resource "vault_kubernetes_secret_backend" "config" {
  path                      = "kubernetes"
  description               = "kubernetes secrets engine description"
  default_lease_ttl_seconds = 43200
  max_lease_ttl_seconds     = 86400
  kubernetes_host           = "https://127.0.0.1:61233"
  kubernetes_ca_cert        = file("/path/to/cert")
  service_account_jwt       = file("/path/to/token")
  disable_local_ca_jwt      = false
}
```
This resource directly accepts all `vault_mount` fields.

Additionally, the following arguments are supported:

* `namespace` - (Optional) The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.

* `kubernetes_host` - (Optional) The Kubernetes API URL to connect to. Required if the standard pod environment variables `KUBERNETES_SERVICE_HOST` or `KUBERNETES_SERVICE_PORT` are not set on the host that Vault is running on.

* `kubernetes_ca_cert` - (Optional) A PEM-encoded CA certificate used by the secrets engine to verify the Kubernetes API server certificate. Defaults to the local pod's CA if Vault is running in Kubernetes. Otherwise, defaults to the root CA set where Vault is running.

* `service_account_jwt` - (Optional) The JSON web token of the service account used by the secrets engine to manage Kubernetes credentials. Defaults to the local pod's JWT if Vault is running in Kubernetes.

* `disable_local_ca_jwt` - (Optional) Disable defaulting to the local CA certificate and service account JWT when Vault is running in a Kubernetes pod.
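The following configuration is an added example, not taken from the provider documentation, showing how the arguments above fit together when Vault runs outside the target cluster. The variable names, the `kubernetes-prod` path, the certificate file path and the TTL values are assumptions chosen for illustration. Because Vault is not a pod in that cluster, every connection input is supplied explicitly and `disable_local_ca_jwt` is set to `true` so the engine never silently falls back to a local CA or JWT; the token is passed through a `sensitive` variable so it does not appear in plan output.

```hcl
# Added example, not from the provider docs. Assumes Vault runs outside the
# cluster it manages, so the in-pod CA/JWT defaults described above do not apply.

variable "kubernetes_host" {
  type        = string
  description = "API server URL of the managed cluster, e.g. https://k8s.example.internal:6443"
}

variable "service_account_jwt" {
  type        = string
  description = "Token of the service account Vault uses to mint credentials"
  sensitive   = true # keep the JWT out of `terraform plan` and `apply` output
}

resource "vault_kubernetes_secret_backend" "external_cluster" {
  path        = "kubernetes-prod" # assumed mount path
  description = "Short-lived service account tokens for the prod cluster"

  # Lease bounds: issued tokens default to 1h and can never be renewed past 4h.
  default_lease_ttl_seconds = 3600
  max_lease_ttl_seconds     = 14400

  kubernetes_host     = var.kubernetes_host
  kubernetes_ca_cert  = file("${path.module}/certs/prod-cluster-ca.pem") # assumed file
  service_account_jwt = var.service_account_jwt

  # Vault is not a pod in this cluster: refuse any fallback to a local CA or JWT,
  # so a misconfigured host can only fail closed instead of talking to the wrong API.
  disable_local_ca_jwt = true
}
```

The mount alone issues nothing; the roles that define which service accounts, namespaces and token TTLs may be requested are configured separately (with the provider's `vault_kubernetes_secret_backend_role` resource, which this page does not cover). Keeping `max_lease_ttl_seconds` low at the mount level caps every role beneath it regardless of how a role is later written.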
No additional attributes are exported by this resource.
The Kubernetes secret backend can be imported using its path, e.g.

```shell
$ terraform import vault_kubernetes_secret_backend.config kubernetes
```
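As an added example (not from the provider documentation), the same import can be expressed declaratively with a Terraform 1.5+ `import` block, which lets the import be reviewed in `terraform plan` before state is changed. The resource body mirrors the configuration shown at the top of this page; the existing mount path `kubernetes` is the only identifier involved.

```hcl
# Added example, not from the provider docs. Assumes a mount already exists
# at path "kubernetes" in Vault and Terraform >= 1.5 is in use.
import {
  to = vault_kubernetes_secret_backend.config
  id = "kubernetes" # the mount path is the import ID
}

resource "vault_kubernetes_secret_backend" "config" {
  path                      = "kubernetes"
  description               = "kubernetes secrets engine description"
  default_lease_ttl_seconds = 43200
  max_lease_ttl_seconds     = 86400
  kubernetes_host           = "https://127.0.0.1:61233"
  disable_local_ca_jwt      = false
}
```

Running `terraform plan` with this block present shows the import and any drift between the live mount and the declared arguments, so a differing `max_lease_ttl_seconds` or `kubernetes_host` is visible before `terraform apply` records the resource in state.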