7f4e79a7e2
Mirrors the terraform-authentik runner setup (#78/#81/#82) for the new terraform-rancher repo, which manages Rancher's Authentik OIDC auth via the rancher2 provider. - AppRole terraform_rancher + k8s auth role woodpecker_terraform_rancher. - Consul secret backend role + ACL policy granting write to the infra/terraform/rancher/ state prefix. - Vault policies: read the Rancher admin API token (kv/service/terraform/rancher) and the keycloakoidc client secret (kv/kubernetes/namespace/cattle-system/default/oauth-credentials), plus the consul_root state creds.
19 lines
535 B
YAML
19 lines
535 B
YAML
# Allow the Terraform Rancher runner to read:
|
|
# - its own Rancher admin API token (rancher2 provider auth), and
|
|
# - the OAuth2/OIDC client secret backing the Rancher keycloakoidc AuthConfig
|
|
# (same secret Authentik sets on the provider).
|
|
---
|
|
rules:
|
|
- path: "kv/data/service/terraform/rancher"
|
|
capabilities:
|
|
- read
|
|
- path: "kv/data/kubernetes/namespace/cattle-system/default/oauth-credentials"
|
|
capabilities:
|
|
- read
|
|
|
|
auth:
|
|
approle:
|
|
- terraform_rancher
|
|
k8s/au/syd1:
|
|
- woodpecker_terraform_rancher
|