1 Commits

Author SHA1 Message Date
unkinben 9c4d20da9e Mount the gpg engine and manage a 'pass' key
ci/woodpecker/pr/pre-commit Pipeline was successful
ci/woodpecker/pr/plan Pipeline was successful
Mount the gpg secrets engine (the plugin is registered separately via the
plugin module + config/plugins, #89) and manage OpenPGP keys with the
gpgvaultsecret provider.

- gpg_secret_backend module: mounts the registered plugin type; depends_on the
  plugin module so the mount waits for catalog registration.
- gpg_key module (via the gpgvaultsecret provider, registered in root.hcl):
  create/configure keys; wired through vault_cluster + config discovery
  (config/gpg_key/<backend>/<name>.yaml).
- config/gpg_secret_backend/gpg.yaml mounts at gpg/; config/gpg_key/gpg/pass.yaml
  is an rsa-4096 'pass' key for password-store (private key stays in Vault;
  clients decrypt via gpg/decrypt/pass).

Rebased onto master after the access (#88) and plugin-import (#89) PRs merged.
2026-07-17 23:13:24 +10:00
@@ -1,11 +0,0 @@
# config/plugins/vault-plugin-secrets-rancher.yaml
# Imports (registers) the rancher secrets plugin in the catalog. Filename =
# catalog name = mount type. The binary is installed on the OpenBao nodes by
# Puppet (openbao-plugin-secrets-rancher RPM ->
# /opt/openbao-plugins/vault-plugin-secrets-rancher).
#
# sha256 pins the released v0.1.0 binary; bump it in lockstep with any RPM
# upgrade or OpenBao will refuse to launch the plugin.
type: secret
command: vault-plugin-secrets-rancher
sha256: "d2b17f45b5fa9e6549443fec3ba22f17ef575d2d811c14324187dc9904ec574a"