Mount the gpg engine and manage a 'pass' key
Mount the gpg secrets engine (the plugin is registered separately via the plugin module + config/plugins, #89) and manage OpenPGP keys with the gpgvaultsecret provider. - gpg_secret_backend module: mounts the registered plugin type; depends_on the plugin module so the mount waits for catalog registration. - gpg_key module (via the gpgvaultsecret provider, registered in root.hcl): create/configure keys; wired through vault_cluster + config discovery (config/gpg_key/<backend>/<name>.yaml). - config/gpg_secret_backend/gpg.yaml mounts at gpg/; config/gpg_key/gpg/pass.yaml is an rsa-4096 'pass' key for password-store (private key stays in Vault; clients decrypt via gpg/decrypt/pass). Rebased onto master after the access (#88) and plugin-import (#89) PRs merged.
This commit is contained in:
@@ -17,6 +17,12 @@ provider "litellm" {
|
||||
address = local.vault_addr
|
||||
}
|
||||
|
||||
# The gpg secrets engine's keys are managed through its own provider (same Vault
|
||||
# server; token falls back to VAULT_TOKEN).
|
||||
provider "gpg" {
|
||||
address = local.vault_addr
|
||||
}
|
||||
|
||||
terraform {
|
||||
backend "consul" {
|
||||
address = "https://consul.service.consul"
|
||||
@@ -39,6 +45,10 @@ terraform {
|
||||
source = "artifactapi.k8s.syd1.au.unkin.net/terraform-unkin/litellmvaultsecret"
|
||||
version = "0.1.0"
|
||||
}
|
||||
gpg = {
|
||||
source = "artifactapi.k8s.syd1.au.unkin.net/terraform-unkin/gpgvaultsecret"
|
||||
version = "0.1.0"
|
||||
}
|
||||
}
|
||||
}
|
||||
EOF
|
||||
|
||||
Reference in New Issue
Block a user