repository | should fork | description |
---|---|---|
github.com/hashicorp/go-kms-wrapping |
Yes | Low level cryptography for barrier. Also has support for auto-unseal with some external KMS providers. Connects to transit plugin, hence hashicorp/vault/api dependency needs to be updated in go-kms-wrapping/wrappers/transit . |
github.com/hashicorp/consul-template |
Yes | Template renderer similar to e.g., k8s templating used in agent ; connects back to Vault API so requires hashicorp/vault/api which needs to be replaced. |
github.com/hashicorp/vault-testing-stepwise |
Either fork or move in repo | Testing helpers for stepwise/CRUD tests of plugins. Was split into external repo for unknown reasons, maybe to help now-removed testing of out-of-repo builtin plugins? |
github.com/hashicorp/go-secure-stdlib |
Yes | This library is used in many places for parsing (at the CLI and plugin level) and contains many useful utility functions. They were originally forked out of Vault so Boundary could use them. |
Plugins are largely self explanatory. My view is we should likely remove these if no maintainer steps up, but if we get a willing maintainer, we should consider building them as external, stand-alone plugins if possible (perhaps not possible with database plugins), but if not, built it into our binary.
The only place where this might cause issue is the jwt
auth plugin is used for some tests (TestAgent_ExitAfterAuth
), so might be better off being forked rather than removed entirely. Or, the obvious case where someone is using these plugins directly, which we wouldn't be able to tell from looking at our code base. :-)
Additionally, we should consider removing any builtin, deprecated plugins if they exist.
Auth plugins allow the specified external service (e.g., ALI cloud, Azure, ...) to control the exchange credentials valid on its service for tokens valid on the Bao instance. E.g., the vault-plugin-auth-kerberos
plugin uses the Kerberos protocol to authenticate the client and then issue a Bao token which the client uses on subsequent requests.
repository |
---|
github.com/hashicorp/vault-plugin-auth-alicloud |
github.com/hashicorp/vault-plugin-auth-azure |
github.com/hashicorp/vault-plugin-auth-centrify |
github.com/hashicorp/vault-plugin-auth-cf |
github.com/hashicorp/vault-plugin-auth-gcp |
github.com/hashicorp/vault-plugin-auth-jwt |
github.com/hashicorp/vault-plugin-auth-kerberos |
github.com/hashicorp/vault-plugin-auth-kubernetes |
github.com/hashicorp/vault-plugin-auth-oci |
Database plugins allow Bao to issue credentials valid on the database server of the specified type (e.g., redis, couchdb, ...). This allows anyone with a Vault token (from authentication) to authenticate to the specified database instance (usually, one plugin per database instance I believe). Handles creation and expiration/revocation of temporary, dynamically generated credentials.
The core database plugin itself is a secrets plugin, but it has various backend providers behind the scenes which help support creating credentials particular databases.
repository |
---|
github.com/hashicorp/vault-plugin-database-couchbase |
github.com/hashicorp/vault-plugin-database-elasticsearch |
github.com/hashicorp/vault-plugin-database-mongodbatlas |
github.com/hashicorp/vault-plugin-database-redis |
github.com/hashicorp/vault-plugin-database-redis-elasticache |
github.com/hashicorp/vault-plugin-database-snowflake |
Various other types of secrets engines; these hand out secrets of various sorts. E.g., the vault-plugin-secrets-alicloud
plugin allows anyone with a Vault token to get a short lived credential to operate in the cloud environment. Or the PKI plugin (builtin, not listed below), which mints fresh leaf certificates.
repository |
---|
github.com/hashicorp/vault-plugin-secrets-ad |
github.com/hashicorp/vault-plugin-secrets-alicloud |
github.com/hashicorp/vault-plugin-secrets-azure |
github.com/hashicorp/vault-plugin-secrets-gcp |
github.com/hashicorp/vault-plugin-secrets-gcpkms |
github.com/hashicorp/vault-plugin-secrets-kubernetes |
github.com/hashicorp/vault-plugin-secrets-mongodbatlas |
github.com/hashicorp/vault-plugin-secrets-openldap |
github.com/hashicorp/vault-plugin-secrets-terraform |
Storage plugins are all presently under openbao/physical
; none are external-repo. Some of these could be candidates for removal, e.g., aerospike
, alicloudoss
, azure
, cassandra
, cockroachdb
, couchdb
, dynamodb
, etcd
, or foundationdb
We also need to fork the Vault SSH helper if we plan on supporting the SSH secret Engine:
https://github.com/hashicorp/vault-ssh-helper