Commit Graph

2 Commits

Author SHA1 Message Date
Ben Vincent 78a205259d Scope rancher policy to rancher/*; move catalog grant under sys/plugins
ci/woodpecker/pr/plan Pipeline was successful
ci/woodpecker/pr/pre-commit Pipeline was successful
Addresses review: a policy's directory should be the base of the paths it
grants, so a code owner of one policy path cannot grant themselves access
elsewhere (e.g. sys or approle).

- policies/rancher/admin.yaml now grants only rancher/{config,service-accounts,
  roles}.
- Move the sudo-protected plugin-catalog grant to
  policies/sys/plugins/catalog/rancher.yaml (base path sys/plugins/catalog/),
  owned by a sys code owner.
2026-07-18 14:23:59 +10:00
Ben Vincent 6f27546207 Grant vault deployer access to import + manage the rancher engine
ci/woodpecker/pr/pre-commit Pipeline was successful
ci/woodpecker/pr/plan Pipeline was successful
The rancher token secrets engine is registered ('imported') into the catalog by
terraform-vault (sys/plugins/catalog, sudo-protected) and configured via the
ranchervaultsecret provider, so the deployer needs catalog access plus write on
the engine's config/service-accounts/roles paths. Without this, apply 403s on
plugin registration and on rancher/* writes.

- Add policies/rancher/admin.yaml granting the tf_vault approle and the
  woodpecker_terraform_vault k8s role: catalog sudo on the plugin, and manage on
  rancher/{config,service-accounts,roles}.
2026-07-17 23:37:31 +10:00