This repository has been archived by the owner on Dec 5, 2020. It is now read-only.

Get credential from Cattle's service account #76

Open
mcanevet opened this issue May 23, 2018 · 4 comments

Comments

@mcanevet
Contributor

It would be great to be able to authenticate to Cattle API using a Service Account in case we use Terraform inside of Cattle.
If you add the label io.rancher.container.create_agent: 'true' to a service, you'll get CATTLE_URL, CATTLE_ACCESS_KEY and CATTLE_SECRET_KEY automatically set. The problem is that we are not using these environment variables by default, but RANCHER_URL, RANCHER_ACCESS_KEY and RANCHER_SECRET_KEY. Maybe we have to support both and deprecate the RANCHER_* ones.
The only thing missing then would be to automatically fetch the current environment so that we don't have to specify it on stack creation for example.
Also, there are at least 4 agent roles: environment default?, user, agent and environmentAdmin. I can't find the documentation about that, but a quick look at cattle's code shows that. I'm not sure which one we need. Each one seems to create its own environment variables, for example with io.rancher.container.agent.role=environmentAdmin,agent, you'll have the environment variables CATTLE_ENVIRONMENT_ADMIN_ACCESS_KEY, CATTLE_ENVIRONMENT_ADMIN_SECRET_KEY, CATTLE_AGENT_ACCESS_KEY and CATTLE_AGENT_SECRET_KEY set. The agent role we need would have an impact on the default environment variables to use.

@mcanevet
Contributor Author

@cloudnautique is there any documentation about the roles somewhere? Or do you know which role we would need to have Service Account keys that would allow deploying a stack with terraform run in the orchestrator? The only doc I found is https://rancher.com/docs/rancher/v1.6/en/rancher-services/service-accounts/, but it does not explain the roles...

@cloudnautique
Contributor

I wouldn't deprecate the RANCHER_* variables as that is our official way of documenting the use of our keys and CLI tools.

agent has limited scope and is typically safe in that they can subscribe to and handle events. environmentAdmin lets you get CA Certs and is used by our LB. environment is scoped to the environment and has the ability to deploy stacks in the Rancher environment it is running in. I'm not sure about user.

In general to deploy things outside the environment you are running in, you will need admin keys to create environment keys in the API. The admin keys, I believe would have to be delivered via secret.

I'm not sure I follow the use case really, but yeah...

@mcanevet
Contributor Author

@cloudnautique my goal is to deploy a lightweight CI/CD in every environment (drone CI for example) so that my users can use it to deploy their stacks described in Terraform DSL. With in-cluster authentication, they would not even need to configure credentials in the Terraform code.
Of course I will not be able to use every resource type (for example rancher_environment), but I'd like to be able to use at least rancher_stack and if possible rancher_certificate (for this one I'd need an environmentAdmin role I guess).
Right now I'm stuck with: Error getting environment client: Unknow schema type [project].

@mcanevet
Contributor Author

According to @raphink the line that causes this is https://github.com/terraform-providers/terraform-provider-rancher/blob/master/rancher/config.go#L41.
We may have to refactor the configuration to use in-cluster keys...
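One way a provider config could resolve keys in the order this thread discusses (RANCHER_* kept as the documented interface, Cattle service-account variables as the in-cluster fallback), as an added Go example that is not the provider's own code. The relative order of the Cattle role-specific pairs and the injected getenv function are assumptions; a half-set pair is treated as an error so a misconfigured container fails loudly instead of silently mixing keys from two roles.

```go
package main

import (
	"errors"
	"fmt"
)

// Credentials holds what the provider needs to reach the Cattle API, plus which
// variable pair supplied the keys so the choice can be logged at plan time.
type Credentials struct {
	URL, AccessKey, SecretKey, Source string
}

// keyPairs lists the access/secret variable pairs in order of precedence.
// RANCHER_* stays first because it is the documented interface; the order of
// the Cattle role-specific pairs below it is an assumption, not Rancher's rule.
var keyPairs = [][2]string{
	{"RANCHER_ACCESS_KEY", "RANCHER_SECRET_KEY"},
	{"CATTLE_ENVIRONMENT_ADMIN_ACCESS_KEY", "CATTLE_ENVIRONMENT_ADMIN_SECRET_KEY"},
	{"CATTLE_AGENT_ACCESS_KEY", "CATTLE_AGENT_SECRET_KEY"},
	{"CATTLE_ACCESS_KEY", "CATTLE_SECRET_KEY"},
}

// ResolveCredentials picks the first complete key pair. getenv is injected
// (pass os.Getenv in production) so precedence can be tested without mutating
// the process environment. A pair with only one half set is an error rather
// than being skipped, so a broken label/secret setup cannot fall through to
// a lower-privilege or unrelated key pair unnoticed.
func ResolveCredentials(getenv func(string) string) (Credentials, error) {
	url := getenv("RANCHER_URL")
	if url == "" {
		url = getenv("CATTLE_URL")
	}
	if url == "" {
		return Credentials{}, errors.New("neither RANCHER_URL nor CATTLE_URL is set")
	}
	for _, p := range keyPairs {
		ak, sk := getenv(p[0]), getenv(p[1])
		switch {
		case ak != "" && sk != "":
			return Credentials{URL: url, AccessKey: ak, SecretKey: sk, Source: p[0]}, nil
		case ak != "" || sk != "":
			return Credentials{}, fmt.Errorf("%s and %s must both be set", p[0], p[1])
		}
	}
	return Credentials{}, errors.New("no complete access/secret key pair found in environment")
}
```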
