Mount the rancher secrets engine + seed a service account + roles
Deploys the Rancher token secrets engine into the cluster, mirroring the litellm and gpg wiring. The plugin is registered separately (config/plugins) and the deployer policy is granted separately; this mounts and configures the engine. - Add rancher_secret_backend module (mount + config via the ranchervaultsecret provider): rancher_url https://rancher.k8s.syd1.au.unkin.net. - Add rancher_secret_backend_service_account module: seeds an auto-rotated token (90d TTL / 45d rotation), reading the seed token from KV at secret_backend/rancher/service_account/<name> (keys: token, token_name). - Add rancher_secret_backend_role module + a 'ci' role (1h/8h scoped creds). - Wire config.hcl discovery, module variables, main.tf module blocks, the terragrunt inputs, and the rancher provider in root.hcl. Prereq: populate kv/service/vault/au/syd1/secret_backend/rancher/service_account/admin with a live Rancher admin token before apply.
This commit is contained in:
@@ -0,0 +1,9 @@
|
||||
# A role that mints short-lived Rancher tokens from the "admin" service account.
|
||||
# Reading rancher/creds/ci returns a lease-bound token deleted from Rancher on
|
||||
# revoke. Minted tokens inherit the admin service account's RBAC; only cluster
|
||||
# and TTL are scoped per-token.
|
||||
---
|
||||
service_account: admin
|
||||
description: "CI/CD ephemeral Rancher token"
|
||||
ttl: 3600 # seconds (1h)
|
||||
max_ttl: 28800 # seconds (8h)
|
||||
Reference in New Issue
Block a user