Add LiteLLM dynamic secrets engine implementation #1

Merged
benvin merged 3 commits from benvin/initial-implementation into main 2026-07-03 13:04:56 +10:00
Owner

Why

Populate the newly-created repo with the LiteLLM dynamic secrets engine: a
Vault/OpenBao plugin that mints LiteLLM virtual keys scoped by model, spending
limit, and lease TTL, so key lifetimes are owned by Vault (revoke the lease,
revoke the key).

Changes

  • Add the secrets backend: config, roles/<name>, creds/<name> paths and a
    revocable litellm_key secret type (revoke deletes the key; renew re-syncs the
    expiry).
  • Add the LiteLLM API client (generate/update/delete/info) with master-key auth.
  • Add unit tests against a mock LiteLLM proxy.
  • Add a docker-compose e2e that runs the full lifecycle against both Vault and
    OpenBao, proving the same binary works on each.
  • Add Makefile, woodpecker CI (build/test/pre-commit), and pre-commit config.
unkinben added 1 commit 2026-07-03 12:32:55 +10:00
Add LiteLLM dynamic secrets engine implementation
ci/woodpecker/pr/test Pipeline was successful
ci/woodpecker/pr/build Pipeline was successful
ci/woodpecker/pr/pre-commit Pipeline was successful
51e8681731
Populate the repo with the Vault/OpenBao dynamic secrets engine that mints
LiteLLM virtual keys scoped by model, spending limit, and lease TTL.

- Secrets backend: config, roles, creds paths and a revocable litellm_key type
- LiteLLM API client (generate/update/delete/info) with master-key auth
- Unit tests (mock LiteLLM) and a docker-compose e2e against both Vault and
  OpenBao proving the same binary works on each
- Makefile, woodpecker CI (build/test/pre-commit), pre-commit config
unkinben force-pushed benvin/initial-implementation from ab3b02a48e to 51e8681731 2026-07-03 12:32:55 +10:00 Compare
unkinben added 1 commit 2026-07-03 12:43:09 +10:00
Add on-tag RPM build (nfpm) and upload to artifactapi
ci/woodpecker/pr/build Pipeline was successful
ci/woodpecker/pr/test Pipeline was successful
ci/woodpecker/pr/pre-commit Pipeline was successful
f388709c78
Publish the plugin as an installable RPM so hosts can drop it into the Vault/
OpenBao plugin directory. On a tag, build the binary, package it with nfpm
(mirroring the rpmbuilder approach), and upload the RPM to artifactapi's local
rpm-internal repository.

- Add packaging/nfpm.yaml installing the binary to /opt/vault-plugins/ plus a
  preinstall script that creates the directory
- Add scripts/build-rpm.sh and make rpm / rpm-package targets
- Add .woodpecker/release.yml (event: tag): build -> nfpm package -> PUT to
  artifactapi remotes/rpm-internal/files/
unkinben added 1 commit 2026-07-03 12:51:11 +10:00
Probe for an existing RPM before uploading to artifactapi
ci/woodpecker/pr/build Pipeline was successful
ci/woodpecker/pr/test Pipeline was successful
ci/woodpecker/pr/pre-commit Pipeline was successful
023a6f03e2
Avoid a failed/confusing re-upload by checking whether the package is already
published before PUTting it. artifactapi has no HEAD route (returns 405), so the
guard uses a GET against the served path (RPMs are stored under Packages/): a
200 means it exists and the upload is skipped, anything else proceeds.

Also point at the reachable artifactapi host (artifactapi.k8s.syd1.au.unkin.net,
as used by rpmbuilder) instead of the unresolvable artifactapi3 name.
benvin merged commit 0edc93f6db into main 2026-07-03 13:04:56 +10:00
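The probe-before-PUT guard described in the last commit message, sketched as an added example (not the project's release script). `ARTIFACT_BASE` is a placeholder host, the URL layout built from `PROBE_PREFIX` and `UPLOAD_PREFIX` is an assumption, 404 as the not-found status is assumed, and upload authentication is omitted.

```shell
#!/bin/sh
# Added example, not the project's release script.
# Assumptions: ARTIFACT_BASE is a placeholder host; the URL layout built from
# PROBE_PREFIX / UPLOAD_PREFIX is assumed; upload authentication is omitted.
ARTIFACT_BASE="${ARTIFACT_BASE:-https://artifactapi.example.invalid}"
PROBE_PREFIX="${PROBE_PREFIX:-Packages/}"                     # served path
UPLOAD_PREFIX="${UPLOAD_PREFIX:-remotes/rpm-internal/files/}" # PUT target

# probe_status NAME: GET the served path and print only the HTTP status.
# GET is used because HEAD is answered with 405. curl prints 000 when no
# HTTP response arrives; "|| true" keeps that from aborting the caller.
probe_status() {
  curl --silent --output /dev/null --max-time 15 \
    --write-out '%{http_code}' "${ARTIFACT_BASE}/${PROBE_PREFIX}$1" || true
}

# publish_rpm FILE: prints "skip" or "uploaded".
# 200 means already published; every other status proceeds to the PUT, and
# anything that is not a clean 404 (assumed not-found answer) is logged to
# stderr so a registry outage is visible in the CI log.
publish_rpm() {
  rpm_file="$1"
  rpm_name="$(basename "$rpm_file")"
  status="$(probe_status "$rpm_name")"
  case "$status" in
    200) echo "skip"; return 0 ;;
    404) ;;
    *) echo "probe for ${rpm_name} returned ${status}; uploading anyway" >&2 ;;
  esac
  # --fail turns an HTTP error on the PUT into a non-zero exit for CI.
  curl --silent --show-error --fail --max-time 300 \
    --upload-file "$rpm_file" \
    "${ARTIFACT_BASE}/${UPLOAD_PREFIX}${rpm_name}" >/dev/null || return 1
  echo "uploaded"
}
```

The probe matches on file name only, so a 200 says a package with that name is being served, not that its contents match the one just built.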
Reference: unkin/vault-plugin-secrets-litellm#1