87e3ada14f
ci/woodpecker/push/apply Pipeline was successful
## Why Deploy the new Rancher token secrets engine into the cluster (the last of the 4 wiring PRs), mirroring the litellm/gpg pattern. Users can then `vault read rancher/creds/<role>` for short-lived, cluster-scoped Rancher tokens, backed by a seeded admin token the engine auto-rotates before Rancher's 90-day cap. ## Changes - Add `rancher_secret_backend` module — mount + config via the ranchervaultsecret provider (rancher_url `https://rancher.k8s.syd1.au.unkin.net`). - Add `rancher_secret_backend_service_account` module — seeds an auto-rotated token (90d TTL / 45d rotation); the seed token is read from KV, not git. - Add `rancher_secret_backend_role` module + a `ci` role (1h/8h, cluster+TTL scoped). - Wire `config.hcl` discovery, module variables, `main.tf` blocks, terragrunt inputs, and the `rancher` provider in `root.hcl`. - Config: `config/rancher_secret_backend/rancher.yaml`, `.../service_account/rancher/admin.yaml`, `.../role/rancher/ci.yaml`. ## Prerequisite Populate `kv/service/vault/au/syd1/secret_backend/rancher/service_account/admin` with a live Rancher admin token (keys: `token`, optional `token_name`) **before** apply, exactly as litellm's `master_key` is seeded in KV. ## Merge order Part 4 of 4 (last). Requires: puppet install (#483) → deployer policy (#91) → plugin import (#92) → this. The `plan` needs the KV seed present, so seed KV first. --------- Co-authored-by: Ben Vincent <neotheo@gmail.com> Reviewed-on: #93 Co-authored-by: Ben Vincent <ben@unkin.net> Co-committed-by: Ben Vincent <ben@unkin.net>
88 lines
3.3 KiB
HCL
88 lines
3.3 KiB
HCL
include "root" {
|
|
path = find_in_parent_folders("root.hcl")
|
|
expose = true
|
|
}
|
|
|
|
include "config" {
|
|
path = "${get_repo_root()}/config/config.hcl"
|
|
expose = true
|
|
}
|
|
|
|
include "policies" {
|
|
path = "${get_repo_root()}/policies/policies.hcl"
|
|
expose = true
|
|
}
|
|
|
|
include "resources" {
|
|
path = "${get_repo_root()}/resources/resources.hcl"
|
|
expose = true
|
|
}
|
|
|
|
locals {
|
|
# Extract country and region from path
|
|
path_parts = split("/", dirname(get_terragrunt_dir()))
|
|
country = basename(dirname(get_terragrunt_dir())) # "au"
|
|
region = basename(get_terragrunt_dir()) # "syd1"
|
|
|
|
# Include configuration from config.hcl
|
|
config = include.config.locals.config
|
|
|
|
# Include policies from policies.hcl
|
|
policies = include.policies.locals
|
|
|
|
# Include resources from resources.hcl
|
|
resources = include.resources.locals
|
|
|
|
# Create sanitized backend name mapping for Consul providers
|
|
# Provider aliases can't contain slashes, so replace them with underscores
|
|
consul_backend_aliases = {
|
|
for backend_name, _ in local.config.consul_secret_backend :
|
|
backend_name => replace(backend_name, "/", "_")
|
|
}
|
|
}
|
|
|
|
terraform {
|
|
source = "../../../modules/vault_cluster"
|
|
}
|
|
|
|
inputs = {
|
|
country = local.country
|
|
region = local.region
|
|
|
|
# Pass configuration maps to vault_cluster module
|
|
auth_approle_backend = local.config.auth_approle_backend
|
|
auth_approle_role = local.config.auth_approle_role
|
|
auth_ldap_backend = local.config.auth_ldap_backend
|
|
auth_ldap_group = local.config.auth_ldap_group
|
|
auth_kubernetes_backend = local.config.auth_kubernetes_backend
|
|
auth_kubernetes_role = local.config.auth_kubernetes_role
|
|
kv_secret_backend = local.config.kv_secret_backend
|
|
transit_secret_backend = local.config.transit_secret_backend
|
|
transit_secret_backend_key = local.config.transit_secret_backend_key
|
|
ssh_secret_backend = local.config.ssh_secret_backend
|
|
ssh_secret_backend_role = local.config.ssh_secret_backend_role
|
|
pki_secret_backend = local.config.pki_secret_backend
|
|
pki_secret_backend_role = local.config.pki_secret_backend_role
|
|
consul_secret_backend = local.config.consul_secret_backend
|
|
consul_secret_backend_role = local.config.consul_secret_backend_role
|
|
kubernetes_secret_backend = local.config.kubernetes_secret_backend
|
|
kubernetes_secret_backend_role = local.config.kubernetes_secret_backend_role
|
|
pki_mount_only = local.config.pki_mount_only
|
|
litellm_secret_backend = local.config.litellm_secret_backend
|
|
litellm_secret_backend_role = local.config.litellm_secret_backend_role
|
|
plugins = local.config.plugins
|
|
gpg_secret_backend = local.config.gpg_secret_backend
|
|
gpg_key = local.config.gpg_key
|
|
|
|
rancher_secret_backend = local.config.rancher_secret_backend
|
|
rancher_secret_backend_service_account = local.config.rancher_secret_backend_service_account
|
|
rancher_secret_backend_role = local.config.rancher_secret_backend_role
|
|
|
|
# Pass policy maps to vault_cluster module
|
|
policy_auth_map = local.policies.policy_auth_map
|
|
policy_rules_map = local.policies.policy_rules_map
|
|
|
|
# Pass sanitized consul backend aliases for provider configuration
|
|
consul_backend_aliases = local.consul_backend_aliases
|
|
}
|