Register and mount the GPG secrets engine at gpg/
Puppet installs the openbao-plugin-secrets-gpg RPM onto the OpenBao nodes; this registers that binary in the plugin catalog and enables the secrets engine so gpg/ is actually usable (encrypt/decrypt/sign/verify). - Add a gpg_secret_backend module using the standard vault provider: vault_plugin (catalog register with a pinned sha256) + vault_mount. - Wire it through vault_cluster (variable + module) and the config discovery (config.hcl + syd1 terragrunt input), mirroring litellm_secret_backend. - Add config/gpg_secret_backend/gpg.yaml pinning the released v0.1.0 binary sha256 (0e92d740...a7b20). Puppet installs the RPM floating, so this sha must be bumped in lockstep on any plugin upgrade. Granting non-root access to gpg/* (auth roles + policies) is a follow-up, scoped to whoever consumes the engine.
This commit is contained in:
@@ -315,6 +315,17 @@ variable "litellm_secret_backend_role" {
|
||||
default = {}
|
||||
}
|
||||
|
||||
variable "gpg_secret_backend" {
|
||||
description = "Map of GPG/OpenPGP secret engines to register + mount (path => plugin sha256 + config)"
|
||||
type = map(object({
|
||||
plugin = optional(string, "vault-plugin-secrets-gpg")
|
||||
command = optional(string, "vault-plugin-secrets-gpg")
|
||||
sha256 = string
|
||||
description = optional(string)
|
||||
}))
|
||||
default = {}
|
||||
}
|
||||
|
||||
variable "policy_auth_map" {
|
||||
description = "Map of auth mounts -> auth roles -> policy names"
|
||||
type = map(map(list(string)))
|
||||
|
||||
Reference in New Issue
Block a user