Puppet installs the openbao-plugin-secrets-gpg RPM onto the OpenBao nodes; this
registers that binary in the plugin catalog and enables the secrets engine so
gpg/ is actually usable (encrypt/decrypt/sign/verify).
- Add a gpg_secret_backend module using the standard vault provider:
vault_plugin (catalog register with a pinned sha256) + vault_mount.
- Wire it through vault_cluster (variable + module) and the config discovery
(config.hcl + syd1 terragrunt input), mirroring litellm_secret_backend.
- Add config/gpg_secret_backend/gpg.yaml pinning the released v0.1.0 binary
sha256 (0e92d740...a7b20). Puppet installs the RPM floating, so this sha
must be bumped in lockstep on any plugin upgrade.
Granting non-root access to gpg/* (auth roles + policies) is a follow-up,
scoped to whoever consumes the engine.