Konubinix' opinionated web of thoughts

Plugin System | Vault by HashiCorp

Fleeting


Vault’s plugins are completely separate, standalone applications that Vault executes and communicates with over RPC.

There are two components a Vault operator needs to configure before external plugins can run: the plugin directory and the plugin catalog entry.

Upon adding a new plugin, the plugin name, the SHA256 sum of the executable, and the command that should be used to run the plugin must be provided.

Warning: A Vault operator should take care to lock down the permissions on this directory to ensure a plugin cannot be modified by an unauthorized user between the time of the SHA check and the time of plugin execution.

Like Vault, plugins support the use of mlock when available.

Note: If Vault is configured with mlock enabled, then the Vault executable and each plugin executable in your plugins directory must be given the ability to use the mlock syscall.

from https://www.vaultproject.io/docs/configuration#disable_mlock

sudo setcap cap_ipc_lock=+ep $(readlink -f $(which vault))

Note: Since each plugin runs as a separate process, you need to do the same for each plugin in your plugins directory.
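The two operator tasks quoted above (lock down the plugin directory and register the binary by SHA256, then grant cap_ipc_lock to each plugin for mlock) as one added shell example. This is not code from the Vault docs or the Vault project; it assumes a Linux host with GNU coreutils (sha256sum, stat -c) and the vault CLI, and the plugin name "my-secrets" and the directory passed in are illustrative. The setup function only prints the commands so they can be reviewed before running.

```shell
#!/bin/sh
# Added example, not Vault's own code. Checks a plugin directory and binary
# the way the docs' warning asks for, then prints the register/setcap commands.
set -u

# SHA256 of the plugin executable, in the form the catalog entry expects.
plugin_sha256() {
  sha256sum "$1" | awk '{print $1}'
}

# Returns 0 if the directory and binary are safe to register: both exist, the
# binary is a regular executable, and neither is writable by group or others.
# Otherwise prints the reason to stderr and returns 1. The point is that the
# bytes hashed for the SHA check are the bytes Vault later executes.
check_plugin_dir() {
  dir=$1; bin=$2
  if [ ! -d "$dir" ]; then
    echo "not a directory: $dir" >&2; return 1
  fi
  if [ ! -f "$dir/$bin" ] || [ ! -x "$dir/$bin" ]; then
    echo "not an executable file: $dir/$bin" >&2; return 1
  fi
  dmode=$(stat -c '%a' "$dir")          # GNU stat: octal mode, e.g. 750
  fmode=$(stat -c '%a' "$dir/$bin")
  # mode & 022 isolates the group-write and other-write bits
  if [ $(( 0$dmode & 022 )) -ne 0 ]; then
    echo "directory $dir is group/world writable (mode $dmode)" >&2; return 1
  fi
  if [ $(( 0$fmode & 022 )) -ne 0 ]; then
    echo "plugin $dir/$bin is group/world writable (mode $fmode)" >&2; return 1
  fi
  return 0
}

# Prints the commands an operator would run: tighten the directory, grant the
# mlock capability to the plugin process, and add the catalog entry with the
# SHA256 and command. Nothing is executed here.
plugin_setup_plan() {
  dir=$1; bin=$2; name=$3
  check_plugin_dir "$dir" "$bin" || return 1
  sha=$(plugin_sha256 "$dir/$bin") || return 1
  echo "chmod 0750 '$dir'"
  echo "sudo setcap cap_ipc_lock=+ep '$dir/$bin'"
  echo "vault plugin register -sha256=$sha -command=$bin secret $name"
}

# Usage: plugin_setup_plan /etc/vault/plugins my-secrets my-secrets
```

Run the printed lines after reviewing them; the setcap step is only needed when Vault itself runs with mlock enabled, and it has to be repeated for every plugin binary, since each one is its own process.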

Advanced topic! Plugin development is a highly advanced topic in Vault, and is not required knowledge for day-to-day usage. If you don’t plan on writing any plugins, we recommend not reading this section of the documentation.

In theory, because the plugin interface is HTTP, you could even develop a plugin using a completely different programming language! (Disclaimer: you would also have to re-implement the plugin API, which is not a trivial amount of work.)

Notes pointing here