Grant vault deployer access to import + manage the rancher engine #91
Reference in New Issue
Block a user
Delete Branch "benvin/rancher-deployer-policy"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Why
Wiring the new Rancher token secrets engine into Vault. The deployer registers the plugin (sudo-protected
sys/plugins/catalog) and configures the engine via the ranchervaultsecret provider, so it needs catalog + engine-path access. Mirrors #88 (gpg).Changes
policies/rancher/admin.yamlgranting thetf_vaultapprole andwoodpecker_terraform_vaultk8s role: catalog sudo onvault-plugin-secrets-rancher, and manage onrancher/{config,service-accounts,roles}.Merge order
Part 1 of 4. Merge before the plugin-import and backend PRs so apply doesn't 403. (Puppet install + this policy first, then import, then backend.)
The rancher token secrets engine is registered ('imported') into the catalog by terraform-vault (sys/plugins/catalog, sudo-protected) and configured via the ranchervaultsecret provider, so the deployer needs catalog access plus write on the engine's config/service-accounts/roles paths. Without this, apply 403s on plugin registration and on rancher/* writes. - Add policies/rancher/admin.yaml granting the tf_vault approle and the woodpecker_terraform_vault k8s role: catalog sudo on the plugin, and manage on rancher/{config,service-accounts,roles}.View command line instructions
Checkout
From your project repository, check out a new branch and test the changes.