Add auth and state access for terraform-rancher (#86)
ci/woodpecker/push/apply Pipeline was successful
ci/woodpecker/push/apply Pipeline was successful
## Why The new `terraform-rancher` repo (manages Rancher's Authentik OIDC auth via the rancher2 provider) needs Vault auth + Consul state, mirroring the terraform-authentik runner (#78/#81/#82). ## Change - `AppRole/terraform_rancher` + k8s auth role `woodpecker_terraform_rancher` (SA terraform-rancher in the woodpecker ns). - Consul secret-backend role + ACL policy (`resources/secret_backend/consul_root/au/syd1/terraform-rancher.hcl`) granting write to the `infra/terraform/rancher/` state prefix. - Vault policies: read the Rancher admin API token (`kv/service/terraform/rancher`) and the keycloakoidc client secret (`kv/kubernetes/namespace/cattle-system/default/oauth-credentials`), plus the consul_root state creds. Scoped the OAuth read to the `cattle-system` path specifically (rather than the `+` wildcard the authentik policy uses) since the Rancher runner only needs its own app's secret. ## Validation pre-commit (terragrunt-hcl-fmt + yamllint) passed. CI plan will confirm. Reviewed-on: #86 Co-authored-by: Ben Vincent <ben@unkin.net> Co-committed-by: Ben Vincent <ben@unkin.net>
This commit was merged in pull request #86.
This commit is contained in:
@@ -0,0 +1,9 @@
|
|||||||
|
token_ttl: 120
|
||||||
|
token_max_ttl: 120
|
||||||
|
bind_secret_id: false
|
||||||
|
token_bound_cidrs:
|
||||||
|
- "10.10.12.200/32"
|
||||||
|
- "198.18.25.102/32"
|
||||||
|
- "198.18.26.91/32"
|
||||||
|
- "198.18.27.40/32"
|
||||||
|
use_deterministic_role_id: true
|
||||||
@@ -0,0 +1,7 @@
|
|||||||
|
bound_service_account_names:
|
||||||
|
- terraform-rancher
|
||||||
|
bound_service_account_namespaces:
|
||||||
|
- woodpecker
|
||||||
|
token_ttl: 600
|
||||||
|
token_max_ttl: 600
|
||||||
|
audience: https://kubernetes.default.svc.cluster.local
|
||||||
@@ -0,0 +1,5 @@
|
|||||||
|
consul_roles:
|
||||||
|
- terraform-rancher
|
||||||
|
ttl: 120
|
||||||
|
max_ttl: 300
|
||||||
|
datacenters: []
|
||||||
@@ -0,0 +1,11 @@
|
|||||||
|
---
|
||||||
|
rules:
|
||||||
|
- path: "consul_root/au/syd1/creds/terraform-rancher"
|
||||||
|
capabilities:
|
||||||
|
- read
|
||||||
|
|
||||||
|
auth:
|
||||||
|
approle:
|
||||||
|
- terraform_rancher
|
||||||
|
k8s/au/syd1:
|
||||||
|
- woodpecker_terraform_rancher
|
||||||
@@ -0,0 +1,18 @@
|
|||||||
|
# Allow the Terraform Rancher runner to read:
|
||||||
|
# - its own Rancher admin API token (rancher2 provider auth), and
|
||||||
|
# - the OAuth2/OIDC client secret backing the Rancher keycloakoidc AuthConfig
|
||||||
|
# (same secret Authentik sets on the provider).
|
||||||
|
---
|
||||||
|
rules:
|
||||||
|
- path: "kv/data/service/terraform/rancher"
|
||||||
|
capabilities:
|
||||||
|
- read
|
||||||
|
- path: "kv/data/kubernetes/namespace/cattle-system/default/oauth-credentials"
|
||||||
|
capabilities:
|
||||||
|
- read
|
||||||
|
|
||||||
|
auth:
|
||||||
|
approle:
|
||||||
|
- terraform_rancher
|
||||||
|
k8s/au/syd1:
|
||||||
|
- woodpecker_terraform_rancher
|
||||||
@@ -0,0 +1,7 @@
|
|||||||
|
key_prefix "infra/terraform/rancher/" {
|
||||||
|
policy = "write"
|
||||||
|
}
|
||||||
|
|
||||||
|
session_prefix "" {
|
||||||
|
policy = "write"
|
||||||
|
}
|
||||||
Reference in New Issue
Block a user