Add auth and state access for terraform-rancher #86
Reference in New Issue
Block a user
Delete Branch "benvin/terraform-rancher"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Why
The new
terraform-rancherrepo (manages Rancher's Authentik OIDC auth via the rancher2 provider) needs Vault auth + Consul state, mirroring the terraform-authentik runner (#78/#81/#82).Change
AppRole/terraform_rancher+ k8s auth rolewoodpecker_terraform_rancher(SA terraform-rancher in the woodpecker ns).resources/secret_backend/consul_root/au/syd1/terraform-rancher.hcl) granting write to theinfra/terraform/rancher/state prefix.kv/service/terraform/rancher) and the keycloakoidc client secret (kv/kubernetes/namespace/cattle-system/default/oauth-credentials), plus the consul_root state creds.Scoped the OAuth read to the
cattle-systempath specifically (rather than the+wildcard the authentik policy uses) since the Rancher runner only needs its own app's secret.Validation
pre-commit (terragrunt-hcl-fmt + yamllint) passed. CI plan will confirm.