Rancher
Rancher is the management plane for Roche’s CaaS (Container-as-a-Service) Kubernetes clusters. It provides the web UI and API for cluster access, project management, namespace creation, and kubeconfig provisioning. The roche-data project rdt_model is managed through Rancher.
Connection Details
| Property | Value |
|---|---|
| URL | https://rancher.emea.roche.com |
| Cluster | caasawsprod (Cloud Prod, eu-central-1) |
| Cluster ID | c-2dhbr |
| Project | rdt_model (c-2dhbr:p-r4z25) |
| Auth method | Bearer token (Rancher API key) |
| User | RXPMODE1 (service account) |
| Token name | token-pwj8f |
| Token expiry | 2026-08-04 (89 days from creation) |
| Network | Roche corporate network (VPN required) |
| Access task | A13 (shared with CaaS) |
| GitHub issue | #28 |
Environment Variables
| Variable | Source | Description |
|---|---|---|
| RANCHER_BEARER_TOKEN | Vault common/caas | Rancher API bearer token (token-XXXXX:secretkey) |
| RANCHER_URL | Vault common/caas | Rancher management plane URL |
| RANCHER_ACCESS_KEY | Vault common/caas | Token ID portion (token-XXXXX) |
| RANCHER_SECRET_KEY | Vault common/caas | Secret portion of the token |
| RANCHER_USER | Vault common/caas | Rancher user (RXPMODE1) |
| RANCHER_TOKEN_EXPIRES | Vault common/caas | Token expiry date |
| CAAS_PROJECT | Vault common/caas | Project name (rdt_model) |
Critical: API Access Pattern
Correct way to verify the token
```bash
# CORRECT — use cluster-scoped k8s proxy path
curl -sk -H "Authorization: Bearer $RANCHER_BEARER_TOKEN" \
  "https://rancher.emea.roche.com/k8s/clusters/c-2dhbr/api/v1/namespaces/rdt-model-dev"
# Returns 200 with namespace JSON = token is valid

# WRONG — returns 401 for cluster-scoped tokens even when valid
curl -sk -H "Authorization: Bearer $RANCHER_BEARER_TOKEN" \
  "https://rancher.emea.roche.com/v3/clusters"
# 401 does NOT mean the token is broken!
```

API paths that work with cluster-scoped tokens
| Method | Path | Purpose |
|---|---|---|
| GET | /k8s/clusters/c-2dhbr/api/v1/namespaces/{ns} | Get namespace (connectivity check) |
| GET | /k8s/clusters/c-2dhbr/api/v1/namespaces/{ns}/pods | List pods |
| POST | /k8s/clusters/c-2dhbr/api/v1/namespaces/{ns}/secrets | Create secrets |
| POST | /k8s/clusters/c-2dhbr/apis/apps/v1/namespaces/{ns}/deployments | Create deployments |
| GET | /k8s/clusters/c-2dhbr/apis/apps/v1/namespaces/{ns}/deployments/{name} | Get deployment |
API paths that DO NOT work with cluster-scoped tokens (always 401)
| Path | Why it fails |
|---|---|
| /v3/clusters | Requires global scope |
| /v3/projects | Requires global scope |
| /v3/clusters/c-2dhbr?action=generateKubeconfig | Requires global scope |
Kubeconfig Generation
Since cluster-scoped tokens can’t call generateKubeconfig, we build kubeconfigs manually. They are stored in Vault at secret/{env}/kubeconfig.
The kubeconfig uses:
- Server: `https://rancher.emea.roche.com/k8s/clusters/c-2dhbr` (Rancher k8s proxy)
- Auth: bearer token (same `RANCHER_BEARER_TOKEN`)
- TLS: `insecure-skip-tls-verify: true` (Rancher proxy uses its own cert, not the cluster CA)
- Namespace: per-environment (`rdt-model-dev`, `rdt-model-test`, `rdt-model-prod`)
```yaml
apiVersion: v1
kind: Config
clusters:
- cluster:
    insecure-skip-tls-verify: true
    server: https://rancher.emea.roche.com/k8s/clusters/c-2dhbr
  name: caasawsprod
contexts:
- context:
    cluster: caasawsprod
    namespace: rdt-model-dev   # or rdt-model-test / rdt-model-prod
    user: rxpmode1
  name: rdt-model-dev
current-context: rdt-model-dev
users:
- name: rxpmode1
  user:
    token: <RANCHER_BEARER_TOKEN>
```

Token Management
Rancher tokens have a fixed expiry (89 days). To renew:
- Log in to https://rancher.emea.roche.com as `RXPMODE1`
- User Avatar → Account & API Keys
- Click Create API Key
- Description: `MODEL`
- Scope: select cluster `c-2dhbr` (caasawsprod)
- Expiry: 89 days (or max allowed)
- Copy the bearer token (`token-XXXXX:secretkey`)
- Update Vault:

  ```bash
  export VAULT_ADDR=https://vault.service.roche.com
  export VAULT_NAMESPACE=rdt-model-prd
  vault login -method=oidc role=default
  vault kv patch secret/common/caas \
    RANCHER_ACCESS_KEY="token-XXXXX" \
    RANCHER_SECRET_KEY="<secret>" \
    RANCHER_BEARER_TOKEN="token-XXXXX:<secret>" \
    RANCHER_TOKEN_EXPIRES="<expiry-date>"
  ```

- Regenerate kubeconfigs and update Vault + GitHub secrets
Current token expires: 2026-08-04 — rotate before this date.
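The manual kubeconfig build and the "regenerate kubeconfigs" step above can be scripted. The following is an added example, not project code: it renders the kubeconfig documented in the Kubeconfig Generation section from the Vault variables, checks the token shape and the days left on `RANCHER_TOKEN_EXPIRES`, and writes the file with 0600 permissions because it embeds the bearer token. The `ca_data` option (pinning the Rancher proxy certificate instead of skipping TLS verification) and the `CAAS_ENV` selector are assumptions, not part of the documented setup.

```python
"""Render a per-environment kubeconfig for the Rancher k8s proxy (added example, not project code)."""
import os
import re
from datetime import date

RANCHER_URL = "https://rancher.emea.roche.com"
CLUSTER_ID, CLUSTER_NAME, USER_NAME = "c-2dhbr", "caasawsprod", "rxpmode1"
ENV_NAMESPACES = {"dev": "rdt-model-dev", "test": "rdt-model-test", "prod": "rdt-model-prod"}
# Rancher bearer tokens have the shape token-<id>:<secret>, both parts non-empty.
TOKEN_RE = re.compile(r"^token-[A-Za-z0-9]+:[^\s:]+$")

def token_is_wellformed(token: str) -> bool:
    return TOKEN_RE.match(token) is not None

def days_until_expiry(expires: str, today: str) -> int:
    """Days left on RANCHER_TOKEN_EXPIRES (both YYYY-MM-DD); negative = already expired."""
    return (date.fromisoformat(expires) - date.fromisoformat(today)).days

def build_kubeconfig(env: str, token: str, ca_data: str = "") -> str:
    """Render the kubeconfig documented above for one environment.

    ca_data is a hypothetical extra (base64 PEM of the Rancher proxy CA): when
    given, the proxy certificate is pinned instead of insecure-skip-tls-verify.
    """
    if not token_is_wellformed(token):
        raise ValueError("token must look like token-XXXXX:secret")
    ns = ENV_NAMESPACES[env]
    tls = (f"    certificate-authority-data: {ca_data}" if ca_data
           else "    insecure-skip-tls-verify: true")
    return "\n".join([
        "apiVersion: v1", "kind: Config", "clusters:", "- cluster:", tls,
        f"    server: {RANCHER_URL}/k8s/clusters/{CLUSTER_ID}", f"  name: {CLUSTER_NAME}",
        "contexts:", "- context:", f"    cluster: {CLUSTER_NAME}", f"    namespace: {ns}",
        f"    user: {USER_NAME}", f"  name: {ns}", f"current-context: {ns}",
        "users:", f"- name: {USER_NAME}", "  user:", f"    token: {token}", ""])

def write_kubeconfig(path: str, content: str) -> None:
    """The file embeds the bearer token, so create it owner read/write only (0600)."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(content)

if __name__ == "__main__":  # CAAS_ENV is an assumed selector, not a variable from the page
    env = os.environ.get("CAAS_ENV", "dev")
    left = days_until_expiry(os.environ["RANCHER_TOKEN_EXPIRES"], date.today().isoformat())
    print(f"Rancher token expires in {left} days" + (", rotate soon" if left < 14 else ""))
    write_kubeconfig(f"kubeconfig-{ENV_NAMESPACES[env]}.yaml",
                     build_kubeconfig(env, os.environ["RANCHER_BEARER_TOKEN"]))
```

Run it once per environment with the Vault variables exported; the resulting file is what goes back into Vault at secret/{env}/kubeconfig.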
CLI Modules
Rancher is not directly consumed by CLI modules at runtime. It is used for:
| Consumer | Usage |
|---|---|
| Developer setup | Kubeconfig provisioning for kubectl access |
| GitHub Actions deploy.yml | Deploys OPA pods to CaaS via kubeconfig |
| check-rancher.sh | Validates API access (uses cluster-scoped path) |
| check-caas.sh | Uses kubeconfig for namespace and RBAC checks |
Access Verification
Script: scripts/access/check-rancher.sh
Required tools: curl, (optional) kubectl
Checks performed:
- Roche CA certificate installation
- Rancher API reachability (`GET /v3` — expects 200 or 401)
- Authenticated access via `/k8s/clusters/c-2dhbr/api/v1/namespaces/rdt-model-dev`
- Token validity (200 = valid, 401 = expired, 403 = valid but no namespace access)
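The checks listed above, and the scope rule from the API Access Pattern section, as an added Python example (not the project's check-rancher.sh): the cluster-scoped namespace path is the only one that decides whether the token is valid, while a 401 from /v3 is the expected answer for a cluster-scoped token. It assumes `RANCHER_BEARER_TOKEN` is exported and that the Roche CA is installed so TLS verification of the Rancher endpoint succeeds.

```python
"""Rancher access check mirroring check-rancher.sh (added example, not the project script)."""
import os
import urllib.error
import urllib.request

RANCHER_URL = "https://rancher.emea.roche.com"
NS_PATH = "/k8s/clusters/c-2dhbr/api/v1/namespaces/rdt-model-dev"

def http_status(path: str, token: str = "") -> int:
    """GET RANCHER_URL + path; return the status code (4xx/5xx returned, not raised).

    TLS is verified, which relies on the Roche CA being installed (the first check).
    """
    req = urllib.request.Request(RANCHER_URL + path)
    if token:
        req.add_header("Authorization", f"Bearer {token}")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code

def reachable(status_v3: int) -> bool:
    """Unauthenticated GET /v3 shows the management plane answers: 200 or 401 both count."""
    return status_v3 in (200, 401)

def interpret(path: str, status: int) -> str:
    """Verdict for an authenticated GET, honouring the scope rule for cluster-scoped tokens."""
    if path.startswith("/v3"):
        # /v3/* needs a global-scope token; a 401 here says nothing about token validity.
        return "needs global scope, 401 expected" if status == 401 else f"HTTP {status}"
    return {200: "valid", 401: "expired or invalid",
            403: "valid but no access to namespace"}.get(status, f"unexpected HTTP {status}")

def check_rancher(token: str) -> dict:
    """Run the reachability and token checks; only the namespace path decides the verdict."""
    v3, ns = http_status("/v3"), http_status(NS_PATH, token)
    return {"reachable": reachable(v3), "token": interpret(NS_PATH, ns),
            "v3_clusters": interpret("/v3/clusters", http_status("/v3/clusters", token)),
            "ok": reachable(v3) and ns == 200}

if __name__ == "__main__":
    report = check_rancher(os.environ["RANCHER_BEARER_TOKEN"])
    for key, value in report.items():
        print(f"{key}: {value}")
    raise SystemExit(0 if report["ok"] else 1)
```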