Add auth and state access for terraform-rancher
Mirrors the terraform-authentik runner setup (#78/#81/#82) for the new terraform-rancher repo, which manages Rancher's Authentik OIDC auth via the rancher2 provider. - AppRole terraform_rancher + k8s auth role woodpecker_terraform_rancher. - Consul secret backend role + ACL policy granting write to the infra/terraform/rancher/ state prefix. - Vault policies: read the Rancher admin API token (kv/service/terraform/rancher) and the keycloakoidc client secret (kv/kubernetes/namespace/cattle-system/default/oauth-credentials), plus the consul_root state creds.
This commit is contained in:
@@ -0,0 +1,18 @@
|
||||
# Allow the Terraform Rancher runner to read:
|
||||
# - its own Rancher admin API token (rancher2 provider auth), and
|
||||
# - the OAuth2/OIDC client secret backing the Rancher keycloakoidc AuthConfig
|
||||
# (same secret Authentik sets on the provider).
|
||||
---
|
||||
rules:
|
||||
- path: "kv/data/service/terraform/rancher"
|
||||
capabilities:
|
||||
- read
|
||||
- path: "kv/data/kubernetes/namespace/cattle-system/default/oauth-credentials"
|
||||
capabilities:
|
||||
- read
|
||||
|
||||
auth:
|
||||
approle:
|
||||
- terraform_rancher
|
||||
k8s/au/syd1:
|
||||
- woodpecker_terraform_rancher
|
||||
Reference in New Issue
Block a user