Register and mount the GPG secrets engine at gpg/
ci/woodpecker/pr/pre-commit Pipeline was successful
ci/woodpecker/pr/plan Pipeline was successful

Puppet installs the openbao-plugin-secrets-gpg RPM onto the OpenBao nodes; this
registers that binary in the plugin catalog and enables the secrets engine so
gpg/ is actually usable (encrypt/decrypt/sign/verify).

- Add a gpg_secret_backend module using the standard vault provider:
  vault_plugin (catalog register with a pinned sha256) + vault_mount.
- Wire it through vault_cluster (variable + module) and the config discovery
  (config.hcl + syd1 terragrunt input), mirroring litellm_secret_backend.
- Add config/gpg_secret_backend/gpg.yaml pinning the released v0.1.0 binary
  sha256 (0e92d740...a7b20). Puppet installs the RPM floating, so this sha
  must be bumped in lockstep on any plugin upgrade.

Granting non-root access to gpg/* (auth roles + policies) is a follow-up,
scoped to whoever consumes the engine.
This commit is contained in:
2026-07-16 22:54:27 +10:00
parent 8bb071ae46
commit 0c188118a5
8 changed files with 94 additions and 0 deletions
+12
View File
@@ -334,6 +334,18 @@ module "litellm_secret_backend_role" {
depends_on = [module.litellm_secret_backend]
}
module "gpg_secret_backend" {
source = "./modules/gpg_secret_backend"
for_each = var.gpg_secret_backend
path = each.key
plugin = each.value.plugin
command = each.value.command
sha256 = each.value.sha256
description = each.value.description
}
module "vault_policy" {
source = "./modules/vault_policy"