Add auth and state access for terraform-rancher
ci/woodpecker/pr/pre-commit Pipeline was successful
ci/woodpecker/pr/plan Pipeline was successful

Mirrors the terraform-authentik runner setup (#78/#81/#82) for the new
terraform-rancher repo, which manages Rancher's Authentik OIDC auth via the
rancher2 provider.

- AppRole terraform_rancher + k8s auth role woodpecker_terraform_rancher.
- Consul secret backend role + ACL policy granting write to the
  infra/terraform/rancher/ state prefix.
- Vault policies: read the Rancher admin API token
  (kv/service/terraform/rancher) and the keycloakoidc client secret
  (kv/kubernetes/namespace/cattle-system/default/oauth-credentials), plus the
  consul_root state creds.
This commit is contained in:
2026-07-15 21:29:58 +10:00
parent 0dba5e00a6
commit 7f4e79a7e2
6 changed files with 57 additions and 0 deletions
@@ -0,0 +1,11 @@
---
rules:
- path: "consul_root/au/syd1/creds/terraform-rancher"
capabilities:
- read
auth:
approle:
- terraform_rancher
k8s/au/syd1:
- woodpecker_terraform_rancher
@@ -0,0 +1,18 @@
# Allow the Terraform Rancher runner to read:
# - its own Rancher admin API token (rancher2 provider auth), and
# - the OAuth2/OIDC client secret backing the Rancher keycloakoidc AuthConfig
# (same secret Authentik sets on the provider).
---
rules:
- path: "kv/data/service/terraform/rancher"
capabilities:
- read
- path: "kv/data/kubernetes/namespace/cattle-system/default/oauth-credentials"
capabilities:
- read
auth:
approle:
- terraform_rancher
k8s/au/syd1:
- woodpecker_terraform_rancher