From 7da23d47fe8a42f02aee80d4bc91894ed2db17d7 Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Sat, 18 Jul 2026 14:34:54 +1000 Subject: [PATCH] Grant vault deployer access to import + manage the rancher engine (#91) ## Why Wiring the new Rancher token secrets engine into Vault. The deployer registers the plugin (sudo-protected `sys/plugins/catalog`) and configures the engine via the ranchervaultsecret provider, so it needs catalog + engine-path access. Mirrors #88 (gpg). ## Changes - Add `policies/rancher/admin.yaml` granting the `tf_vault` approle and `woodpecker_terraform_vault` k8s role: catalog sudo on `vault-plugin-secrets-rancher`, and manage on `rancher/{config,service-accounts,roles}`. ## Merge order Part 1 of 4. Merge before the plugin-import and backend PRs so apply doesn't 403. (Puppet install + this policy first, then import, then backend.) --------- Co-authored-by: Ben Vincent Reviewed-on: https://git.unkin.net/unkin/terraform-vault/pulls/91 Co-authored-by: Ben Vincent Co-committed-by: Ben Vincent --- policies/rancher/admin.yaml | 45 +++++++++++++++++++++++ policies/sys/plugins/catalog/rancher.yaml | 19 ++++++++++ 2 files changed, 64 insertions(+) create mode 100644 policies/rancher/admin.yaml create mode 100644 policies/sys/plugins/catalog/rancher.yaml diff --git a/policies/rancher/admin.yaml b/policies/rancher/admin.yaml new file mode 100644 index 0000000..07b6bca --- /dev/null +++ b/policies/rancher/admin.yaml @@ -0,0 +1,45 @@ +# Allow the vault deployer to manage the rancher secrets engine: its connection +# config, seeded (auto-rotated) service-account tokens, and token-minting roles. +# +# Scoped to rancher/* only. The plugin-catalog grant needed to import the plugin +# lives under policies/sys/plugins/catalog/ so a code owner of this policy path +# cannot grant themselves access outside the rancher mount. +--- +rules: + # Engine connection config. + - path: "rancher/config" + capabilities: + - create + - read + - update + - delete + # Seeded, auto-rotated service-account tokens (+ manual rotate). + - path: "rancher/service-accounts/*" + capabilities: + - create + - read + - update + - delete + - list + - path: "rancher/service-accounts" + capabilities: + - read + - list + # Token-minting roles. + - path: "rancher/roles/*" + capabilities: + - create + - read + - update + - delete + - list + - path: "rancher/roles" + capabilities: + - read + - list + +auth: + approle: + - tf_vault + k8s/au/syd1: + - woodpecker_terraform_vault diff --git a/policies/sys/plugins/catalog/rancher.yaml b/policies/sys/plugins/catalog/rancher.yaml new file mode 100644 index 0000000..139a0b3 --- /dev/null +++ b/policies/sys/plugins/catalog/rancher.yaml @@ -0,0 +1,19 @@ +# Allow the vault deployer to import (register/deregister) the rancher secrets +# plugin in the catalog. sys/plugins/catalog is sudo-protected, so this lives +# under policies/sys/ where only a sys code owner can grant it — keeping the +# rancher engine policy (policies/rancher/) scoped to rancher/* paths. +--- +rules: + - path: "sys/plugins/catalog/secret/vault-plugin-secrets-rancher" + capabilities: + - create + - read + - update + - delete + - sudo + +auth: + approle: + - tf_vault + k8s/au/syd1: + - woodpecker_terraform_vault