feat(bootstrap): merge rancher-auth into bootstrap module

Fold rancher2_bootstrap into the bootstrap module so callers only need
one module call to provision the VM and set the Rancher admin password.

Changes:
- Add rancher/rancher2 ~> 13.1 to required_providers
- Add rancher2_bootstrap resource (initial_password + password)
- Add bootstrap_password input variable
- Add admin_token output (sensitive)
- Remove unused rancher2 ~> 3.0 provider declaration
- Update rancher_admin_password description to reflect permanent-password role

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: Hiran Adikari

modules/bootstrap/main.tf

@@ -10,7 +10,7 @@ terraform {
     }
     rancher2 = {
       source  = "rancher/rancher2"
-      version = "~> 3.0"
+      version = "~> 13.1"
     }
     tls = {
       source  = "hashicorp/tls"
@@ -156,7 +156,10 @@ resource "harvester_ippool" "rancher_ips" {
   }
 }
 
-# Note: The Helm and Rancher2 bootstrap logic below would fail because the Helm provider cannot dynamically access the Masquerade Kubeconfig.
-# Because the user explicitly pointed out their cloud-init script gracefully handled Helm inside Harvester, we will pivot to that!
-# The user's cloud-init handles cert-manager and rancher installations.
-# Therefore, Phase 1 and 2 will connect directly to the resulting Rancher URL.
+# Rancher is installed inside the VM by cloud-init (cert-manager + Helm).
+# rancher2_bootstrap waits for Rancher to be reachable and sets the permanent admin
+# password. Re-run `terraform apply` if Rancher is still starting up on first attempt.
+resource "rancher2_bootstrap" "admin" {
+  initial_password = var.bootstrap_password
+  password         = var.rancher_admin_password
+}

modules/bootstrap/outputs.tf

@@ -7,3 +7,9 @@ output "rancher_lb_ip" {
   value       = harvester_loadbalancer.rancher_lb.ip_address
   description = "The IP address of the LoadBalancer exposing Rancher"
 }
+
+output "admin_token" {
+  value       = rancher2_bootstrap.admin.token
+  description = "Rancher admin API token for use by downstream phases"
+  sensitive   = true
+}

modules/bootstrap/variables.tf

@@ -56,9 +56,15 @@ variable "rancher_hostname" {
   description = "FQDN for the Rancher UI"
 }
 
+variable "bootstrap_password" {
+  type        = string
+  description = "Temporary password set by the Rancher Helm chart during cloud-init install"
+  sensitive   = true
+}
+
 variable "rancher_admin_password" {
   type        = string
-  description = "Bootstrap password for Rancher Admin user"
+  description = "Permanent admin password to configure on the Rancher instance"
   sensitive   = true
 }