Module lifecycle stage: General Availability

Connecting plugins to Stronghold involves two steps: configuring the list of plugins to download and registering plugins.

Configuring the plugin list

Configure the plugin list in ModuleConfig.

Example:

apiVersion: deckhouse.io/v1alpha1
kind: ModuleConfig
metadata:
  name: stronghold
spec:
  enabled: true
  version: 1
  settings:
    plugins:
      - name: "vault-plugin-secrets-github"
        url: "https://github.com/martinbaillie/vault-plugin-secrets-github/releases/download/v2.3.2/vault-plugin-secrets-github-linux-amd64"
        sha256: "72cb1f2775ee2abf12ffb725e469d0377fe7bbb93cd7aaa6921c141eddecab87"
      - name: "vault-plugin-auth-any"
        url: "https://plugins.example.local/myplugins/vault-plugin-auth-any-v1.0.0-linux-amd64"
        sha256: "c943b505b39b53e1f4cb07f2a3455b59eac523ebf600cb04813b9ad28a848b21"
        ignoreFailure: true
        insecureSkipVerify: false
        ca: |
          -----BEGIN CERTIFICATE-----
          MIIDDTCCAfWgAwIBAgIJAOb7PcmW8W9MMA0GCSqGSIb3DQEBCwUAMBQxEjAQBgNV
          BAMTCWxvY2FsaG9zdDAeFw0yNjA1MjAwMDAwMDBaFw0yNjA2MjAwMDAwMDBaMBQx
          EjAQBgNVBAMTCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
          ggEBAKHh4g5i1R+3+9XdG0RFLiX1x5T2PvQ92E/78vR6+Bn09+G0P+C6143+wLn
          j96/E8rHbHr4R6L0f62/OJZh8JnZ/qRqE1N8oNc06Vh9Y7X8EzF4nZ4KgX/3y6L
          vXD251Qm7g==
          -----END CERTIFICATE-----

Adding or removing plugins triggers a Stronghold restart. If a plugin fails to download or validate, Stronghold startup is blocked. Plugins with the ignoreFailure flag set do not block startup; if such a plugin's checksum check fails, it is treated as not loaded and is removed.
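The rules above, as an added example that is not part of Stronghold or this documentation: a small pre-flight script that takes a plugin list in the shape of spec.settings.plugins, checks each entry's hygiene (well-formed sha256, insecureSkipVerify not set), and applies the documented startup semantics to simulated download results. All plugin names, URLs, binaries and checksums are constructed for the example.

```python
import hashlib

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed stand-ins for plugin binaries (not real plugins). The auth binary was altered
# after its checksum was recorded, so it must fail validation.
GOOD_BINARY = b"ELF stand-in: example-secrets-plugin v1.0.0"
TAMPERED_AUTH_BINARY = b"ELF stand-in: example-auth-plugin v1.0.0" + b" + injected bytes"

# Constructed plugin list in the shape of spec.settings.plugins from ModuleConfig.
PLUGINS = [
    {"name": "example-secrets-plugin", "url": "https://plugins.example.local/secrets",
     "sha256": sha256_hex(GOOD_BINARY)},
    {"name": "example-auth-plugin", "url": "https://plugins.example.local/auth",
     "sha256": sha256_hex(b"ELF stand-in: example-auth-plugin v1.0.0"), "ignoreFailure": True},
    {"name": "example-db-plugin", "url": "https://plugins.example.local/db",
     "sha256": "0" * 64, "insecureSkipVerify": True},
]

# Constructed download results: url -> bytes, or None when the download itself fails.
DOWNLOADS = {PLUGINS[0]["url"]: GOOD_BINARY,
             PLUGINS[1]["url"]: TAMPERED_AUTH_BINARY,
             PLUGINS[2]["url"]: None}

def lint_plugin(plugin: dict) -> list:
    """Hygiene checks worth running on each entry before applying the ModuleConfig."""
    warnings = []
    sha = plugin.get("sha256", "")
    if len(sha) != 64 or any(c not in "0123456789abcdef" for c in sha.lower()):
        warnings.append("sha256 is not a 64-character hex digest")
    if plugin.get("insecureSkipVerify"):
        warnings.append("insecureSkipVerify is true: the download host's TLS certificate is not checked")
    return warnings

def evaluate_plugins(plugins: list, downloads: dict) -> dict:
    """Documented startup rules: a failed download or checksum mismatch blocks startup,
    unless ignoreFailure is set, in which case the plugin is dropped instead."""
    result = {"loaded": [], "dropped": {}, "blocking": {}}
    for p in plugins:
        data = downloads.get(p["url"])
        if data is None:
            reason = "download failed"
        elif sha256_hex(data) != p["sha256"].lower():
            reason = "sha256 mismatch"
        else:
            result["loaded"].append(p["name"])
            continue
        bucket = "dropped" if p.get("ignoreFailure", False) else "blocking"
        result[bucket][p["name"]] = reason
    return result
```

Run `evaluate_plugins(PLUGINS, DOWNLOADS)` to see which entries load, which are dropped under ignoreFailure, and which would block startup; `lint_plugin` flags the entries worth fixing before the ModuleConfig is applied.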

Registering a plugin

Register a plugin in Stronghold via the CLI (d8 stronghold) by specifying the run command (which corresponds to the plugin name in ModuleConfig), SHA256 checksum, version, and plugin name:

# Get the SHA256 checksum of the plugin binary
PLUGIN_SHA=$(sha256sum <plugin_binary> | awk '{print $1;}')

d8 stronghold plugin register                     \
   -command <command_to_run_plugin_binary>        \
   -sha256 "${PLUGIN_SHA}"                        \
   -version "<semantic_version>"                  \
   <plugin_type>                                  \
   <plugin_name>

Example: registering a secret-type plugin named mykv:

d8 stronghold plugin register  \
    -command mykvplugin        \
    -sha256 "${PLUGIN_SHA}"    \
    -version "v1.0.1"          \
    secret                     \
    mykv

# Success! Registered plugin: mykv

After registering a plugin, enable it as a secrets or auth engine at the desired path:

d8 stronghold <secrets | auth> enable \
  -path <mount_path>   \
  <plugin_name>

  • secrets — for secret-type plugins (e.g., KV, database);
  • auth — for authentication plugins;
  • -path — mount path (e.g., kv, github);
  • plugin_name — the name the plugin was registered under.

Example: enable the registered plugin mykv at path test-kv:

d8 stronghold secrets enable -path test-kv mykv

Disabling a plugin

  1. Disable all secrets and auth methods that use the plugin.

  2. Deregister the plugin, giving its type (secret or auth) and the name it was registered under:

     d8 stronghold plugin deregister secret my-custom-plugin

  3. Remove the plugin from the configuration in ModuleConfig.