Add a plugin-import module + config/plugins for catalog registration
ci/woodpecker/pr/pre-commit Pipeline was successful
ci/woodpecker/pr/plan Pipeline was successful

Registering a plugin in the catalog is a distinct concern from mounting an
engine, so give it its own module and config directory instead of folding
sha256/command into each engine's backend module.

- Add a generic 'plugin' module (vault_plugin: type/name/command/sha256/
  plugin_version) that imports a binary into the catalog.
- Add a config/plugins/ discovery group (filename = catalog name) and wire it
  through vault_cluster (plugins variable + module) and the syd1 environment.
- Add config/plugins/vault-plugin-secrets-gpg.yaml pinning the released v0.1.0
  binary sha256. Other engines can now register their plugin by dropping a file
  here; their *_secret_backend module just mounts the registered type.
This commit is contained in:
2026-07-17 22:58:30 +10:00
parent 8bb071ae46
commit 0287a87db7
8 changed files with 90 additions and 0 deletions
+12
View File
@@ -315,6 +315,18 @@ variable "litellm_secret_backend_role" {
default = {}
}
variable "plugins" {
description = "Map of plugins to import (register) in the catalog, keyed by catalog name"
type = map(object({
name = string
type = optional(string, "secret")
command = optional(string)
sha256 = string
version = optional(string)
}))
default = {}
}
variable "policy_auth_map" {
description = "Map of auth mounts -> auth roles -> policy names"
type = map(map(list(string)))