From 6bfc63ca31821f7213fa9d099ec6764e57403e36 Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Sun, 8 Feb 2026 19:19:33 +1100 Subject: [PATCH] feat: enable plugins for vault/openbao (#447) - install openbao-plugins - add plugin_directory Reviewed-on: https://git.unkin.net/unkin/puppet-prod/pulls/447 --- hieradata/roles/infra/storage/vault.yaml | 4 ++++ site/profiles/manifests/vault/server.pp | 4 +++- 2 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/hieradata/roles/infra/storage/vault.yaml b/hieradata/roles/infra/storage/vault.yaml
index fcce710..af0f104 100644
--- a/hieradata/roles/infra/storage/vault.yaml
+++ b/hieradata/roles/infra/storage/vault.yaml
@@ -2,6 +2,7 @@
 profiles::vault::server::members_role: roles::infra::storage::vault
 profiles::vault::server::members_lookup: true
 profiles::vault::server::data_dir: /data/vault
+profiles::vault::server::plugin_dir: /opt/openbao-plugins
 profiles::vault::server::manage_storage_dir: true
 profiles::vault::server::tls_disable: false
 vault::package_name: openbao
@@ -23,3 +24,6 @@ profiles::nginx::simpleproxy::proxy_scheme: 'http'
 profiles::nginx::simpleproxy::proxy_host: '127.0.0.1'
 profiles::nginx::simpleproxy::proxy_port: 8200
 profiles::nginx::simpleproxy::proxy_path: '/'
+
+profiles::packages::include:
+ openbao-plugins: {}
diff --git a/site/profiles/manifests/vault/server.pp b/site/profiles/manifests/vault/server.pp
index d73a4a3..de37771 100644
--- a/site/profiles/manifests/vault/server.pp
+++ b/site/profiles/manifests/vault/server.pp
@@ -11,6 +11,7 @@ class profiles::vault::server (
 Stdlib::Port $cluster_port = 8201,
 Boolean $manage_storage_dir = false,
 Stdlib::Absolutepath $data_dir = '/opt/vault',
+ Stdlib::Absolutepath $plugin_dir = '/opt/vault_plugins',
 Stdlib::Absolutepath $bin_dir = '/usr/bin',
 Stdlib::Absolutepath $ssl_crt = '/etc/pki/tls/vault/certificate.crt',
 Stdlib::Absolutepath $ssl_key = '/etc/pki/tls/vault/private.key',
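Review bot: The `openbao-plugins` entry added at the end of vault.yaml and the `plugin_dir` value added in the first hunk are tied together only by convention, and the package is requested with empty options (`{}`). Presumably the package places its binaries under /opt/openbao-plugins; if that ever changes, the server's plugin directory will quietly point somewhere else. Because anything placed in that directory becomes a candidate plugin on the secrets server, I would add a comment such as `# openbao-plugins installs into profiles::vault::server::plugin_dir; keep both in sync`. If `profiles::packages::include` accepts a version option (its schema is not visible here), pinning the package would also make plugin upgrades a reviewed change.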
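Review bot: The new `$plugin_dir` parameter in server.pp defaults to `/opt/vault_plugins`, a path nothing in this patch creates, while the only visible consumer overrides it to `/opt/openbao-plugins`. Any node that includes the profile without that override now gets a `plugin_directory` configured whether or not it is meant to run plugins. Consider declaring it as `Optional[Stdlib::Absolutepath] $plugin_dir = undef,` and adding the `plugin_directory` key in the later `extra_config` hunk only when the value is set, so plugin loading stays off unless a role opts in. The parameter list starts and ends outside this hunk.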
@@ -64,7 +65,8 @@ class profiles::vault::server (
 },
 api_addr => "${http_scheme}://${::facts['networking']['fqdn']}:${client_port}",
 extra_config => {
- cluster_addr => "${http_scheme}://${::facts['networking']['fqdn']}:${cluster_port}",
+ cluster_addr => "${http_scheme}://${::facts['networking']['fqdn']}:${cluster_port}",
+ plugin_directory => $plugin_dir,
 },
 listener => [
 {
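Review bot: `plugin_directory => $plugin_dir` in `extra_config` lets the server launch executables from that path, but nothing visible in this patch manages the directory's ownership or mode. Plugin binaries run with the server's access to secrets, so the directory should be root-owned and not writable by the vault service account. I would declare it explicitly in the class body, which lies outside this hunk, provided it is not already managed there. If the package already ships the directory, the resource simply enforces the expected permissions.

```puppet
# Plugin binaries are executed by the server: keep the directory root-owned
# and not writable by the service account.
file { $plugin_dir:
  ensure => directory,
  owner  => 'root',
  group  => 'root',
  mode   => '0755',
}
```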