🧰 Prerequisites

A self-hosted Vault (Community or Enterprise) or OpenBao instance is needed to set up the GatePlane plugins. Installation options for host and containerized deployments, in both single-node and highly available setups, are covered in the respective Vault and OpenBao documentation.

Additionally, a plugin directory needs to be set with the plugin_directory directive of the Vault/OpenBao configuration (see the Vault and OpenBao documentation).

🚀 How to Install

Downloading and Verifying the Plugins

To register a plugin, it needs to be compiled and located in the Vault/OpenBao plugin directory.

The latest binaries can be downloaded from the GitHub Releases page. Because Vault/OpenBao needs SHA256 checksums to register plugins, the checksums.txt file can also be downloaded for quick reference. Additionally, note the plugin's SemVer version, which is always provided in the Release description (e.g. v0.1.0-base0.1.0).

Finally, the builds can be verified using the slsa-verifier project’s verify-artifact command.
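The script below is an added example, not part of the GatePlane project. It checks a downloaded binary against checksums.txt and only prints the digest to pass to -sha256 when the two match. It assumes checksums.txt uses the sha256sum layout ("<digest>  <filename>"); the function names and the demo file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example (not GatePlane project code). Assumption: checksums.txt uses the
# `sha256sum` layout, "<64 hex chars>  <filename>", one entry per line.

# expected_sha256 CHECKSUMS_FILE NAME -> prints the digest listed for NAME.
# Fails if NAME is missing, listed more than once, or the digest is malformed.
expected_sha256() {
    digest=$(awk -v n="$2" '{ f = $2; sub(/^\*/, "", f) }
                            f == n { print tolower($1) }' "$1")
    case "$digest" in
        *[!0-9a-f]*) return 1 ;;   # non-hex, or a newline from duplicate entries
    esac
    [ "${#digest}" -eq 64 ] || return 1
    printf '%s\n' "$digest"
}

# verified_sha256 CHECKSUMS_FILE BINARY_PATH -> prints the digest only when the
# file on disk matches the digest listed for its basename.
verified_sha256() {
    want=$(expected_sha256 "$1" "$(basename "$2")") || {
        echo "no unique, well-formed entry for $(basename "$2") in $1" >&2
        return 1
    }
    have=$(sha256sum "$2" | awk '{ print $1 }') || return 1
    if [ "$want" != "$have" ]; then
        echo "checksum mismatch for $2: want $want, have $have" >&2
        return 1
    fi
    printf '%s\n' "$want"
}

# Constructed demo: a stand-in "binary" and checksums.txt in a temp directory.
demo() {
    dir=$(mktemp -d) || return 1
    printf 'constructed stand-in for a plugin binary\n' > "$dir/gateplane-policy-gate"
    (cd "$dir" && sha256sum gateplane-policy-gate > checksums.txt)
    sha=$(verified_sha256 "$dir/checksums.txt" "$dir/gateplane-policy-gate") &&
        echo "vault plugin register -sha256=$sha -version=\"<SemVer>\" auth gateplane-policy-gate"
    rm -rf "$dir"
}
demo
```

A matching checksum only shows that the binary is the one listed in checksums.txt; the slsa-verifier step above is what ties the build to its provenance.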

Registering to Plugin Catalog

Using CLI tools

As the Vault/OpenBao documentation points out, a vault plugin register command should be issued to enable the plugins before they can be used.

vault and bao CLI tools

vault will be used in the examples as the CLI tool that interacts with Vault/OpenBao deployments, which is interchangeable with bao.

If using OpenBao, an alias can be set so that commands can be copy-pasted from this page, like: alias vault='bao'

Registering the gateplane-policy-gate plugin.

# All GatePlane plugins are of type "auth"
vault plugin register -sha256="<SHA256 found in the 'checksums.txt'>" \
    -version="<SemVer found in the GitHub Release>" \
    auth \
    gateplane-policy-gate

Using GatePlane Terraform modules

GatePlane provides helper Terraform modules that can be used in Infrastructure-as-Code environments.

This helps keep version handling in check, while also avoiding manual handling of highly privileged tokens (such as those that allow plugin registration).

In this case, the GatePlane Setup Terraform module can be used.

module "gateplane_setup" {
  source = "github.com/gateplane-io/terraform-gateplane-setup?ref=0.2.0"
 
  policy_gate_plugin = {
    filename = "gateplane-policy-gate"  // The name of the binary for Policy Gate
    version  = "v0.1.0-base0.1.0"       // The version provided in GitHub Release Page
    sha256   = "01ba4..."               // The SHA256 checksum found in the 'checksums.txt'
  }
 
  okta_group_gate_plugin = {
    filename = "gateplane-okta-group-gate"  // The name of the binary for Okta Group Gate
    version  = "v0.1.0-base0.1.0"           // The version provided in GitHub Release Page
    sha256   = "4355a..."                   // The SHA256 checksum found in the 'checksums.txt'
  }
 
  plugin_directory = "/etc/vault/plugins"   // The value provided in the 'plugin_directory' configuration key
}

Verifying that the plugin is loaded

To find out whether the plugin has been registered, the Plugin Catalog can be listed as below:

$ vault plugin list | grep gateplane
gateplane-okta-group-gate       auth        v0.1.0-base0.1.0
gateplane-policy-gate           auth        v0.1.0-base0.1.0

Hint

If using the Terraform module, failure to register the plugin will result in a failed run.