Register and mount the GPG secrets engine at gpg/
Puppet installs the openbao-plugin-secrets-gpg RPM onto the OpenBao nodes; this registers that binary in the plugin catalog and enables the secrets engine so gpg/ is actually usable (encrypt/decrypt/sign/verify). - Add a gpg_secret_backend module using the standard vault provider: vault_plugin (catalog register with a pinned sha256) + vault_mount. - Wire it through vault_cluster (variable + module) and the config discovery (config.hcl + syd1 terragrunt input), mirroring litellm_secret_backend. - Add config/gpg_secret_backend/gpg.yaml pinning the released v0.1.0 binary sha256 (0e92d740...a7b20). Puppet installs the RPM floating, so this sha must be bumped in lockstep on any plugin upgrade. Granting non-root access to gpg/* (auth roles + policies) is a follow-up, scoped to whoever consumes the engine.
This commit is contained in:
@@ -198,5 +198,10 @@ locals {
|
||||
})
|
||||
if startswith(file_path, "litellm_secret_backend_role/")
|
||||
}
|
||||
gpg_secret_backend = {
|
||||
for file_path, content in local.all_configs :
|
||||
trimsuffix(basename(file_path), ".yaml") => content
|
||||
if startswith(file_path, "gpg_secret_backend/")
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
@@ -0,0 +1,9 @@
|
||||
# config/gpg_secret_backend/gpg.yaml
|
||||
# Registers the vault-plugin-secrets-gpg plugin and mounts it at "gpg".
|
||||
# The binary is installed on the OpenBao nodes by Puppet
|
||||
# (openbao-plugin-secrets-gpg RPM -> /opt/openbao-plugins/vault-plugin-secrets-gpg).
|
||||
#
|
||||
# sha256 pins the released v0.1.0 binary; bump it in lockstep with any RPM
|
||||
# upgrade or OpenBao will refuse to launch the plugin.
|
||||
description: "GPG/OpenPGP secrets engine (sign/verify/encrypt/decrypt)"
|
||||
sha256: "0e92d7408795688badb55789bc1604e8f1dd4d71998656c7f831991fce9a7b20"
|
||||
Reference in New Issue
Block a user