Grant vault deployer access to import + manage the rancher engine (#91)
ci/woodpecker/push/apply Pipeline was successful
ci/woodpecker/push/apply Pipeline was successful
## Why Wiring the new Rancher token secrets engine into Vault. The deployer registers the plugin (sudo-protected `sys/plugins/catalog`) and configures the engine via the ranchervaultsecret provider, so it needs catalog + engine-path access. Mirrors #88 (gpg). ## Changes - Add `policies/rancher/admin.yaml` granting the `tf_vault` approle and `woodpecker_terraform_vault` k8s role: catalog sudo on `vault-plugin-secrets-rancher`, and manage on `rancher/{config,service-accounts,roles}`. ## Merge order Part 1 of 4. Merge before the plugin-import and backend PRs so apply doesn't 403. (Puppet install + this policy first, then import, then backend.) --------- Co-authored-by: Ben Vincent <neotheo@gmail.com> Reviewed-on: #91 Co-authored-by: Ben Vincent <ben@unkin.net> Co-committed-by: Ben Vincent <ben@unkin.net>
This commit was merged in pull request #91.
This commit is contained in:
@@ -0,0 +1,45 @@
|
|||||||
|
# Allow the vault deployer to manage the rancher secrets engine: its connection
|
||||||
|
# config, seeded (auto-rotated) service-account tokens, and token-minting roles.
|
||||||
|
#
|
||||||
|
# Scoped to rancher/* only. The plugin-catalog grant needed to import the plugin
|
||||||
|
# lives under policies/sys/plugins/catalog/ so a code owner of this policy path
|
||||||
|
# cannot grant themselves access outside the rancher mount.
|
||||||
|
---
|
||||||
|
rules:
|
||||||
|
# Engine connection config.
|
||||||
|
- path: "rancher/config"
|
||||||
|
capabilities:
|
||||||
|
- create
|
||||||
|
- read
|
||||||
|
- update
|
||||||
|
- delete
|
||||||
|
# Seeded, auto-rotated service-account tokens (+ manual rotate).
|
||||||
|
- path: "rancher/service-accounts/*"
|
||||||
|
capabilities:
|
||||||
|
- create
|
||||||
|
- read
|
||||||
|
- update
|
||||||
|
- delete
|
||||||
|
- list
|
||||||
|
- path: "rancher/service-accounts"
|
||||||
|
capabilities:
|
||||||
|
- read
|
||||||
|
- list
|
||||||
|
# Token-minting roles.
|
||||||
|
- path: "rancher/roles/*"
|
||||||
|
capabilities:
|
||||||
|
- create
|
||||||
|
- read
|
||||||
|
- update
|
||||||
|
- delete
|
||||||
|
- list
|
||||||
|
- path: "rancher/roles"
|
||||||
|
capabilities:
|
||||||
|
- read
|
||||||
|
- list
|
||||||
|
|
||||||
|
auth:
|
||||||
|
approle:
|
||||||
|
- tf_vault
|
||||||
|
k8s/au/syd1:
|
||||||
|
- woodpecker_terraform_vault
|
||||||
@@ -0,0 +1,19 @@
|
|||||||
|
# Allow the vault deployer to import (register/deregister) the rancher secrets
|
||||||
|
# plugin in the catalog. sys/plugins/catalog is sudo-protected, so this lives
|
||||||
|
# under policies/sys/ where only a sys code owner can grant it — keeping the
|
||||||
|
# rancher engine policy (policies/rancher/) scoped to rancher/* paths.
|
||||||
|
---
|
||||||
|
rules:
|
||||||
|
- path: "sys/plugins/catalog/secret/vault-plugin-secrets-rancher"
|
||||||
|
capabilities:
|
||||||
|
- create
|
||||||
|
- read
|
||||||
|
- update
|
||||||
|
- delete
|
||||||
|
- sudo
|
||||||
|
|
||||||
|
auth:
|
||||||
|
approle:
|
||||||
|
- tf_vault
|
||||||
|
k8s/au/syd1:
|
||||||
|
- woodpecker_terraform_vault
|
||||||
Reference in New Issue
Block a user