From 33af7010fb8d2f5f03af7d4e1478a3751927f270 Mon Sep 17 00:00:00 2001
From: Ben Vincent
Date: Fri, 30 Jan 2026 19:43:06 +1100
Subject: [PATCH] chore: add rancher role

- add kubernetes role for rancher
- add policy to enable access to bootstrap-password
---
config/auth_kubernetes_role/k8s/au/syd1/rancher.yaml | 6 ++++++
.../au/syd1/rancher/bootstrap-password/read.yaml | 10 ++++++++++
2 files changed, 16 insertions(+)
create mode 100644 config/auth_kubernetes_role/k8s/au/syd1/rancher.yaml
create mode 100644 policies/kv/service/kubernetes/au/syd1/rancher/bootstrap-password/read.yaml

diff --git a/config/auth_kubernetes_role/k8s/au/syd1/rancher.yaml b/config/auth_kubernetes_role/k8s/au/syd1/rancher.yaml
new file mode 100644
index 0000000..9f2d250
--- /dev/null
+++ b/config/auth_kubernetes_role/k8s/au/syd1/rancher.yaml
@@ -0,0 +1,6 @@
+bound_service_account_names:
+ - rancher
+bound_service_account_namespaces:
+ - default
+token_ttl: 60
+audience: vault
diff --git a/policies/kv/service/kubernetes/au/syd1/rancher/bootstrap-password/read.yaml b/policies/kv/service/kubernetes/au/syd1/rancher/bootstrap-password/read.yaml
new file mode 100644
index 0000000..39032f8
--- /dev/null
+++ b/policies/kv/service/kubernetes/au/syd1/rancher/bootstrap-password/read.yaml
@@ -0,0 +1,10 @@
+# Allow reading ExternalDNS TSIG keys
+---
+rules:
+ - path: "kv/data/service/kubernetes/au/syd1/rancher/bootstrap-password"
+ capabilities:
+ - read
+
+auth:
+ k8s/au/syd1:
+ - rancher
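Review bot: `token_ttl: 60` in the new rancher.yaml role carries no unit; Vault's Kubernetes auth role accepts either an integer number of seconds or a duration string, so if the loader forwards the value unchanged the token lives for 60 seconds, which is a sensible short lifetime but should be stated rather than left to the reader, e.g. `token_ttl: 60  # seconds` or the explicit duration form `token_ttl: "60s"`. The role also binds only the `rancher` service account in the `default` namespace; confirm that is the namespace the Rancher workload is actually deployed in, because a mismatch would presumably show up as a failed login rather than as a configuration error. Both points rest on Vault's documented role fields; the loader's own schema for these files is not part of the patch.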
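Review bot: The header comment `# Allow reading ExternalDNS TSIG keys` in the new read.yaml describes a different policy; the rule beneath it grants `read` on `kv/data/service/kubernetes/au/syd1/rancher/bootstrap-password`, so the comment looks copied from another policy file and will mislead anyone auditing which identity can read which secret. Replace it with `# Allow the rancher role (k8s/au/syd1) to read its bootstrap password`. The capability set itself is already minimal — `read` on the data path only, no `list`, `update` or `delete`, and no `kv/metadata/...` path — which is the right scope for a one-time bootstrap credential.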