Plugin System | Vault by HashiCorp
Fleeting - External reference: https://www.vaultproject.io/docs/internals/plugins
Vault’s plugins are completely separate, standalone applications that Vault executes and communicates with over RPC.
There are two components that a Vault operator needs to configure before external plugins can be run, the plugin directory and the plugin catalog entry.
Upon adding a new plugin to the catalog, the plugin name, the SHA256 sum of the executable, and the command that should be used to run the plugin must be provided. Vault verifies the SHA256 of the binary against the catalog entry before launching it.
Warning: A Vault operator should take care to lock down the permissions on this directory to ensure a plugin can not be modified by an unauthorized user between the time of the SHA check and the time of plugin execution. In practice that means the directory and the binaries in it are owned by a privileged account (not the user Vault runs as) and are not writable by group or other, so that neither a compromised Vault process nor another local user can swap a binary inside that window.
Like Vault, plugins support the use of mlock when available.
Note: If Vault is configured with mlock enabled, then the Vault executable and each plugin executable in your plugins directory must be given the ability to use the mlock syscall.
From https://www.vaultproject.io/docs/configuration#disable_mlock:
sudo setcap cap_ipc_lock=+ep $(readlink -f $(which vault))
Note: Since each plugin runs as a separate process, you need to do the same for each plugin in your plugins directory. File capabilities are stored as extended attributes, not in the file contents, so granting cap_ipc_lock does not change the SHA256 registered in the catalog.
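The two operator steps above (locking down the plugin directory and registering each binary by SHA256, then granting cap_ipc_lock to Vault and every plugin) are easy to get half right. The following is an added example, not code from the Vault docs or the Vault project, of a small pre-flight script that checks directory and file permissions for the group/other write bit, derives the SHA256 that belongs in the catalog entry, prints the matching `vault plugin register` command, applies the capability, and lists plugins still missing it. The directory path, plugin type and plugin name are caller-supplied assumptions; `setcap`/`getcap` are only needed for the last two functions.

```shell
#!/bin/sh
# Added example: pre-flight checks for a Vault plugin directory (not Vault's own code).
# Assumes: sha256sum (or shasum), stat, and for the cap functions setcap/getcap + root.

# Return 0 if the directory and every file in it is NOT writable by group or other.
# A group/other-writable binary could be replaced between Vault's SHA256 check and exec.
plugin_dir_perms_ok() {
  dir="$1"
  [ -d "$dir" ] || return 1
  for f in "$dir" "$dir"/*; do
    [ -e "$f" ] || continue
    mode=$(stat -c '%a' "$f" 2>/dev/null) || mode=$(stat -f '%Lp' "$f")
    last2=${mode#"${mode%??}"}            # last two octal digits: group, other
    case "$last2" in
      [2367]?|?[2367]) return 1 ;;        # write bit set for group or other
    esac
  done
  return 0
}

# Print the SHA256 hex digest that goes into the plugin catalog entry.
plugin_sha256() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# Print (do not run) the registration command for plugin <name> of type <type>.
# -command is the file name inside plugin_directory, so it equals the plugin name here.
plugin_register_cmd() {
  dir="$1"; type="$2"; name="$3"
  sum=$(plugin_sha256 "$dir/$name") || return 1
  printf 'vault plugin register -sha256=%s -command=%s %s %s\n' "$sum" "$name" "$type" "$name"
}

# Grant cap_ipc_lock (needed for mlock) to vault and to every executable in <dir>.
# Needs root. Capabilities live in xattrs, so the SHA256 of each file is unchanged.
grant_mlock_caps() {
  dir="$1"
  setcap cap_ipc_lock=+ep "$(readlink -f "$(command -v vault)")" || return 1
  for f in "$dir"/*; do
    [ -f "$f" ] && [ -x "$f" ] && setcap cap_ipc_lock=+ep "$f"
  done
  return 0
}

# Verification step: list executables in <dir> that still lack cap_ipc_lock.
plugins_missing_mlock_cap() {
  dir="$1"
  for f in "$dir"/*; do
    [ -x "$f" ] || continue
    getcap "$f" 2>/dev/null | grep -q cap_ipc_lock || echo "$f"
  done
}

# Usage (source this file, then):
#   plugin_dir_perms_ok /etc/vault/plugins && plugin_register_cmd /etc/vault/plugins secret my-plugin
#   sudo sh -c '. ./plugin-check.sh; grant_mlock_caps /etc/vault/plugins'
#   plugins_missing_mlock_cap /etc/vault/plugins   # should print nothing
```

The permission check deliberately fails closed on any group/other write bit, including on the directory itself: a writable directory lets an attacker rename a file into place even when the original binary is read-only, which is exactly the check-then-exec window the warning above describes.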
Advanced topic! Plugin development is a highly advanced topic in Vault, and is not required knowledge for day-to-day usage. If you don’t plan on writing any plugins, we recommend not reading this section of the documentation.
In theory, because the plugin interface is RPC over HTTP (gRPC), you could even develop a plugin using a completely different programming language! (Disclaimer: you would also have to re-implement the plugin API, which is not a trivial amount of work.)