Register + mount the GPG secrets engine at gpg/ #87

Merged
benvin merged 1 commits from benvin/gpg-secret-backend into master 2026-07-17 23:19:38 +10:00
Owner

Complete the deploy of the vault-plugin-secrets-gpg engine. Puppet (puppet-prod #480) installs the openbao-plugin-secrets-gpg RPM onto the OpenBao nodes; this registers that binary in the plugin catalog and enables the secrets engine so gpg/ is actually usable.

  • Add a gpg_secret_backend module using the standard hashicorp/vault provider (already required at 5.6.0): vault_plugin (catalog register with a pinned sha256) + vault_mount (enable at the mount path).
  • Wire it through vault_cluster (new gpg_secret_backend variable + module block) and the config discovery (config.hcl group + syd1 terragrunt input), mirroring litellm_secret_backend.
  • Add config/gpg_secret_backend/gpg.yaml mounting at gpg/ and pinning the released v0.1.0 binary sha256 (0e92d740…a7b20, extracted from the published RPM). Puppet installs the RPM floating, so this sha must be bumped in lockstep on any plugin upgrade or OpenBao rejects the binary.

Validated locally with tofu validate + tofu fmt. Granting non-root access to gpg/* (auth roles + policies) is a follow-up scoped to whoever consumes the engine (e.g. passv from CI).

Complete the deploy of the [vault-plugin-secrets-gpg](https://git.unkin.net/unkin/vault-plugin-secrets-gpg) engine. Puppet ([puppet-prod #480](https://git.unkin.net/unkin/puppet-prod/pulls/480)) installs the `openbao-plugin-secrets-gpg` RPM onto the OpenBao nodes; this registers that binary in the plugin catalog and enables the secrets engine so `gpg/` is actually usable. - Add a `gpg_secret_backend` module using the standard `hashicorp/vault` provider (already required at 5.6.0): `vault_plugin` (catalog register with a pinned sha256) + `vault_mount` (enable at the mount path). - Wire it through `vault_cluster` (new `gpg_secret_backend` variable + module block) and the config discovery (`config.hcl` group + syd1 terragrunt input), mirroring `litellm_secret_backend`. - Add `config/gpg_secret_backend/gpg.yaml` mounting at `gpg/` and pinning the released v0.1.0 binary sha256 (`0e92d740…a7b20`, extracted from the published RPM). Puppet installs the RPM floating, so this sha must be bumped in lockstep on any plugin upgrade or OpenBao rejects the binary. Validated locally with `tofu validate` + `tofu fmt`. Granting non-root access to `gpg/*` (auth roles + policies) is a follow-up scoped to whoever consumes the engine (e.g. passv from CI).
Author
Owner

Updated: also manage OpenPGP keys from Terraform (dogfooding the new gpgvaultsecret provider v0.1.0) and add the first key.

  • New gpg_key module (wraps the provider's gpg_key resource), wired through vault_cluster + config discovery (config/gpg_key/<backend>/<name>.yaml), depends_on the mount.
  • gpg provider registered in root.hcl.
  • config/gpg_key/gpg/pass.yaml: an rsa-4096 pass key for password-store. Private key stays in Vault; clients import the public key and decrypt via gpg/decrypt/pass.
Updated: also manage OpenPGP keys from Terraform (dogfooding the new gpgvaultsecret provider v0.1.0) and add the first key. - New `gpg_key` module (wraps the provider's `gpg_key` resource), wired through `vault_cluster` + config discovery (`config/gpg_key/<backend>/<name>.yaml`), `depends_on` the mount. - `gpg` provider registered in `root.hcl`. - `config/gpg_key/gpg/pass.yaml`: an rsa-4096 `pass` key for password-store. Private key stays in Vault; clients import the public key and decrypt via `gpg/decrypt/pass`.
Author
Owner

Updated: plugin catalog registration split out into #89 (new plugin module + config/plugins/). This PR is now mount + key onlygpg_secret_backend just mounts the already-registered plugin type (dropped the vault_plugin resource and sha256/command inputs).

Merge order: #88 (access) → #89 (plugin import) → #87 (this). Since the repo is squash-only, once #89 lands I'll rebase this branch onto master to clear the trivial config.hcl/terragrunt.hcl insertions.

Updated: **plugin catalog registration split out into #89** (new `plugin` module + `config/plugins/`). This PR is now **mount + key only** — `gpg_secret_backend` just mounts the already-registered plugin type (dropped the `vault_plugin` resource and `sha256`/`command` inputs). Merge order: **#88 (access) → #89 (plugin import) → #87 (this)**. Since the repo is squash-only, once #89 lands I'll rebase this branch onto master to clear the trivial `config.hcl`/`terragrunt.hcl` insertions.
unkinben added 1 commit 2026-07-17 23:13:32 +10:00
Mount the gpg engine and manage a 'pass' key
ci/woodpecker/pr/pre-commit Pipeline was successful
ci/woodpecker/pr/plan Pipeline was successful
9c4d20da9e
Mount the gpg secrets engine (the plugin is registered separately via the
plugin module + config/plugins, #89) and manage OpenPGP keys with the
gpgvaultsecret provider.

- gpg_secret_backend module: mounts the registered plugin type; depends_on the
  plugin module so the mount waits for catalog registration.
- gpg_key module (via the gpgvaultsecret provider, registered in root.hcl):
  create/configure keys; wired through vault_cluster + config discovery
  (config/gpg_key/<backend>/<name>.yaml).
- config/gpg_secret_backend/gpg.yaml mounts at gpg/; config/gpg_key/gpg/pass.yaml
  is an rsa-4096 'pass' key for password-store (private key stays in Vault;
  clients decrypt via gpg/decrypt/pass).

Rebased onto master after the access (#88) and plugin-import (#89) PRs merged.
unkinben force-pushed benvin/gpg-secret-backend from ea8daea587 to 9c4d20da9e 2026-07-17 23:13:32 +10:00 Compare
benvin merged commit 933de177fa into master 2026-07-17 23:19:38 +10:00
benvin deleted branch benvin/gpg-secret-backend 2026-07-17 23:19:38 +10:00
Sign in to join this conversation.
No Reviewers
No Label
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: unkin/terraform-vault#87