87e3ada14f
ci/woodpecker/push/apply Pipeline was successful
## Why Deploy the new Rancher token secrets engine into the cluster (the last of the 4 wiring PRs), mirroring the litellm/gpg pattern. Users can then `vault read rancher/creds/<role>` for short-lived, cluster-scoped Rancher tokens, backed by a seeded admin token the engine auto-rotates before Rancher's 90-day cap. ## Changes - Add `rancher_secret_backend` module — mount + config via the ranchervaultsecret provider (rancher_url `https://rancher.k8s.syd1.au.unkin.net`). - Add `rancher_secret_backend_service_account` module — seeds an auto-rotated token (90d TTL / 45d rotation); the seed token is read from KV, not git. - Add `rancher_secret_backend_role` module + a `ci` role (1h/8h, cluster+TTL scoped). - Wire `config.hcl` discovery, module variables, `main.tf` blocks, terragrunt inputs, and the `rancher` provider in `root.hcl`. - Config: `config/rancher_secret_backend/rancher.yaml`, `.../service_account/rancher/admin.yaml`, `.../role/rancher/ci.yaml`. ## Prerequisite Populate `kv/service/vault/au/syd1/secret_backend/rancher/service_account/admin` with a live Rancher admin token (keys: `token`, optional `token_name`) **before** apply, exactly as litellm's `master_key` is seeded in KV. ## Merge order Part 4 of 4 (last). Requires: puppet install (#483) → deployer policy (#91) → plugin import (#92) → this. The `plan` needs the KV seed present, so seed KV first. --------- Co-authored-by: Ben Vincent <neotheo@gmail.com> Reviewed-on: #93 Co-authored-by: Ben Vincent <ben@unkin.net> Co-committed-by: Ben Vincent <ben@unkin.net>
66 lines
1.6 KiB
HCL
66 lines
1.6 KiB
HCL
# Generate root backend.tf
|
|
generate "backend" {
|
|
path = "backend.tf"
|
|
if_exists = "overwrite"
|
|
contents = <<EOF
|
|
locals {
|
|
vault_addr = "https://vault.service.consul:8200"
|
|
}
|
|
|
|
provider "vault" {
|
|
address = local.vault_addr
|
|
}
|
|
|
|
# The LiteLLM secrets engine is managed through its own provider, which talks to
|
|
# the same Vault server. Token falls back to the VAULT_TOKEN environment variable.
|
|
provider "litellm" {
|
|
address = local.vault_addr
|
|
}
|
|
|
|
# The gpg secrets engine's keys are managed through its own provider (same Vault
|
|
# server; token falls back to VAULT_TOKEN).
|
|
provider "gpg" {
|
|
address = local.vault_addr
|
|
}
|
|
|
|
# The rancher token secrets engine is managed through its own provider (same
|
|
# Vault server; token falls back to VAULT_TOKEN).
|
|
provider "rancher" {
|
|
address = local.vault_addr
|
|
}
|
|
|
|
terraform {
|
|
backend "consul" {
|
|
address = "https://consul.service.consul"
|
|
path = "infra/terraform/vault/${path_relative_to_include()}/state"
|
|
scheme = "https"
|
|
lock = true
|
|
ca_file = "/etc/pki/tls/certs/ca-bundle.crt"
|
|
}
|
|
required_version = ">= 1.10"
|
|
required_providers {
|
|
vault = {
|
|
source = "hashicorp/vault"
|
|
version = "5.6.0"
|
|
}
|
|
consul = {
|
|
source = "hashicorp/consul"
|
|
version = "2.23.0"
|
|
}
|
|
litellm = {
|
|
source = "artifactapi.k8s.syd1.au.unkin.net/terraform-unkin/litellmvaultsecret"
|
|
version = "0.1.0"
|
|
}
|
|
gpg = {
|
|
source = "artifactapi.k8s.syd1.au.unkin.net/terraform-unkin/gpgvaultsecret"
|
|
version = "0.1.0"
|
|
}
|
|
rancher = {
|
|
source = "artifactapi.k8s.syd1.au.unkin.net/terraform-unkin/ranchervaultsecret"
|
|
version = "0.1.0"
|
|
}
|
|
}
|
|
}
|
|
EOF
|
|
}
|