In this post I describe what I explored after running into a problem while trying to set up temporary auth to my Kubernetes cluster with Terraform. I will first describe the problem and then several ways to solve it.
Preamble
I auth to my homelab k8s cluster using PEM keys. Being a long-time Terraform user, I almost always auth to a provider using environment variables. This allows me to decouple auth from the HCL, prevents secrets from getting into the state file, and often allows completely avoiding defining a particular provider block by relying on the "empty default configuration".
Terraform Cloud (TFC) (recently rebranded to HCP Terraform) allows setting variables outside of the code, in the web UI instead (WS Vars). You can set WS Vars as either type `terraform` or type `env`. Type `terraform` behaves exactly like setting `-var myname=drew`. The only problem is that type `env` vars cannot be multi-line, which breaks PEM validity.
Solutions
Ephemeral Variables!
Starting with Terraform v1.10, HashiCorp introduced ephemeral resource types as well as ephemeral variables. This allows me to set the PEM in a WS Var of type `terraform` without exposing it to the state file. It does require me to hardcode the provider version and auth.
```hcl
# Both values are marked ephemeral so Terraform never persists them
# to the plan file or the state file.
variable "kube_client_certificate" {
  description = "Client certificate data for authenticating to k8s."
  ephemeral   = true
}

variable "kube_client_key" {
  description = "Private key data for authenticating to k8s."
  ephemeral   = true
}

provider "kubernetes" {
  client_certificate = var.kube_client_certificate
  client_key         = var.kube_client_key
}
```
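The following is an added, complete example of the ephemeral-variable approach; it is not code from the original post. It pins the provider version (which the post says this approach requires), declares the non-secret `host` and CA values as ordinary variables, and keeps the client certificate and key ephemeral. The `host` value and the `~> 2.0` version constraint are placeholders: substitute your own API server URL and the exact provider version you have tested.

```hcl
terraform {
  required_version = ">= 1.10" # ephemeral variables first appeared in 1.10

  required_providers {
    kubernetes = {
      source  = "hashicorp/kubernetes"
      version = "~> 2.0" # placeholder; pin to the exact version you have tested
    }
  }
}

variable "kube_host" {
  description = "API server URL, e.g. https://k8s.example.internal:6443 (constructed placeholder)."
  type        = string
}

variable "kube_cluster_ca_certificate" {
  description = "PEM-encoded cluster CA. Not secret, so a normal variable is fine."
  type        = string
}

variable "kube_client_certificate" {
  description = "PEM-encoded client certificate."
  type        = string
  ephemeral   = true
}

variable "kube_client_key" {
  description = "PEM-encoded client private key. ephemeral keeps it out of plan and state; sensitive redacts it from CLI output."
  type        = string
  sensitive   = true
  ephemeral   = true
}

provider "kubernetes" {
  host                   = var.kube_host
  cluster_ca_certificate = var.kube_cluster_ca_certificate
  client_certificate     = var.kube_client_certificate
  client_key             = var.kube_client_key
}

# Ephemeral values may only flow into ephemeral contexts such as provider
# configuration. Referencing var.kube_client_key from a resource argument
# (for example, copying it into a kubernetes_secret) is rejected at plan
# time; that guardrail is what keeps the key out of the state file.
```

In TFC, set all four variables as WS Vars of type `terraform`, with the certificate and key additionally marked sensitive in the UI; because the values are multi-line PEM, this is the only WS Var type that can carry them intact.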
Base64 & TF_VAR_
You can pass the multi-line content base64-encoded and then use Terraform's `base64decode()` function on a `TF_VAR_` variable. This allows using an env variable but still requires hardcoding the auth. This solution doesn't make much sense for me, but it is an option.
```hcl
provider "kubernetes" {
  client_key = base64decode(var.kubekey)
}
```
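As an added example (not from the original post), here is the base64 variant with the `kubekey` variable declared and a validation block that fails early if the supplied value is not base64 or does not decode to a PEM block. The variable name `kubekey` comes from the post; the validation and the `sensitive` flag are additions.

```hcl
variable "kubekey" {
  description = "Base64 of the PEM-encoded client key, supplied via the TF_VAR_kubekey environment variable."
  type        = string
  sensitive   = true

  # base64decode() errors on malformed input; can() turns that error into
  # false so the user sees a clear message instead of a TLS failure later.
  validation {
    condition     = can(regex("^-----BEGIN", base64decode(var.kubekey)))
    error_message = "TF_VAR_kubekey must be the base64 encoding of a PEM-encoded private key."
  }
}

provider "kubernetes" {
  # Decoding happens only inside the provider configuration, so the
  # plaintext key never lands in a resource attribute or in state.
  client_key = base64decode(var.kubekey)
}
```

On the machine that launches Terraform, produce the single-line value with `export TF_VAR_kubekey="$(base64 -w0 < client.key)"` (GNU coreutils; on macOS use `base64 -b 0`). Because the decoded key is used only in the provider block, it is not written to state, but note that `sensitive` alone would not prevent that if the value were later referenced from a resource.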
Dynamic K8s Access
You can set up a trust between TFC and your k8s cluster. This is my end game, but it is on the back burner while I figure out how I plan to organize some things.
E1it3 Hax
This last option is totally unexpected but actually quite interesting. It turns out that, as part of TFC's implementation, WS Vars of type `terraform` are also written to agents as environment variables. This means you can create a WS Var in TFC whose name matches the provider's expected env var and it will still work. This does not require you to create Terraform HCL for the vars, but it does surface a warning about an undeclared variable. You can suppress the warning by declaring an empty variable with the same name and NOT referencing it in the provider block.
To suppress the warning, just declare a variable with the corresponding name and a default value:
```hcl
variable "KUBE_CLIENT_KEY_DATA" {
  default = ""
}
```
Salutation
I hope this is helpful to you. Choose the solution that fits your use-case best!