Kubernetes state backend uses private label keys

[sftim]

Terraform Version

v1.5.6

Terraform Configuration Files

n/a

Debug Output

n/a

Expected Behavior

When storing state into Kubernetes, Terraform (and clones) should use label and annotation keys prefixed with a DNS domain.

Plausible example:

...
   metadata:
     labels:
        app.kubernetes.io/managed-by: terraform
        state.terraform.io/used-for-state-storage: "true"
        state.terraform.io/name-suffix: tfstate
        state.terraform.io/workspace-name: default

Actual Behavior

Actual example:

...
   metadata:
     labels:
        app.kubernetes.io/managed-by: terraform
        tfstate: "true"
        tfstateSecretSuffix: tfstate
        tfstateWorkspace: default

Steps to Reproduce

• Set up a Kubernetes cluster
• Set up Terraform to store state into that cluster
• apply some infrastructure code
• kubectl get secrets --all-namespaces

Additional Context

To learn about Kubernetes' conventions for labels (and annotations), see https://github.com/kubernetes/community/blob/586e54c54a4225612e8a2e956a0e36509604b548/contributors/devel/sig-architecture/api-conventions.md#label-selector-and-annotation-conventions

References

No response

[sftim]

Using a private label may conflict with a cluster operator's policy; for example, they might have an allow list of private labels. Obviously it's feasible to fix this by forking Terraform to make a binary that complies with that policy, but using a prefixed key in the official upstream code is a better approach.

[crw]

An FYI ping to official codeowners @jrhouston @alexsomesan.