Version: Development

API-driven Plugin Management

External plugins are the components in OpenBao that can be implemented separately from OpenBao's built-in plugins. Refer to the plugin system overview for an introduction to OpenBao's plugin system.

Plugin distribution methods

OpenBao supports two methods for distributing external plugins:

  1. Manual management - Manual download of plugin binaries
  2. OCI-based distribution - Automatic download from container registries with declarative configuration. See the OCI Plugin configuration reference for complete documentation.

Both methods require the plugin to be registered in OpenBao before it can be used.

Registering external plugins via the API

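Before an external plugin can be mounted, it must be registered in the plugin catalog. Supplying the SHA-256 checksum of the plugin binary at registration lets OpenBao ensure that the binary it invokes is authentic and unmodified. The positional arguments are the plugin type (secret in this example) followed by the plugin name:

$ bao plugin register -sha256=<SHA256 Hex value of the plugin binary> \
    secret \
    passthrough-plugin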

Success! Registered plugin: passthrough-plugin
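
The -sha256 value only protects integrity if it comes from a source other than the downloaded file itself. The following is an added example, not part of the OpenBao documentation or tooling: it checks a downloaded binary against a checksum published by the plugin's vendor and prints the register command only on a match. The function names and the script name in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example, not OpenBao's own tooling. Function names are hypothetical.

# Print the lowercase hex SHA-256 digest of the file at $1.
plugin_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# $1 = plugin binary, $2 = digest obtained from the publisher (trusted channel).
# Returns 0 on match, 1 on mismatch, 2 on unusable input.
verify_plugin() {
    [ -f "$1" ] || { echo "no such file: $1" >&2; return 2; }
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    case "$expected" in
        ''|*[!0-9a-f]*) echo "expected digest is not hex" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "expected digest must be 64 hex chars" >&2; return 2; }
    actual=$(plugin_sha256 "$1")
    [ "$actual" = "$expected" ] || { echo "digest mismatch: $1" >&2; return 1; }
}

# $1 = binary, $2 = expected digest, $3 = plugin type, $4 = plugin name.
# Prints the register command only for a binary that passed verification.
register_command() {
    verify_plugin "$1" "$2" || return $?
    printf 'bao plugin register -sha256=%s %s %s\n' "$actual" "$3" "$4"
}

# Usage: sh verify-plugin.sh ./passthrough-plugin <published digest> secret passthrough-plugin
if [ "$#" -eq 4 ]; then
    register_command "$@"
fi
```

A mismatch (exit status 1) means the binary on disk is not the one the publisher released and should not be registered.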

Enabling/Disabling external plugins via the API

After the plugin is registered, it can be mounted by specifying the registered plugin name:

$ bao secrets enable -path=my-secrets passthrough-plugin
Success! Enabled the passthrough-plugin secrets engine at: my-secrets/

Listing secrets engines will display secrets engines that are mounted as plugins:

$ bao secrets list
Path           Type      Accessor           Plugin                Default TTL    Max TTL    Force No Cache    Replication Behavior    Description
my-secrets/    plugin    plugin_deb84140    passthrough-plugin    system         system     false             replicated

Disabling an external plugin is identical to disabling a built-in plugin:

$ bao secrets disable my-secrets

Upgrading plugins

Upgrade instructions can be found in the Upgrading Plugins - Guides page.