feat(seal): add support for ocikms

defaults/main.yml

@@ -348,6 +348,14 @@ vault_gkms_key_ring: 'vault'
 vault_gkms_crypto_key: 'vault_key'
 vault_gkms_copy_sa: true
 
+# ocikms seal
+vault_ocikms: false
+vault_ocikms_backend: vault_seal_ocikms.j2
+vault_ocikms_auth_type_api_key: false
+vault_ocikms_key_id: "{{ lookup('env','VAULT_OCIKMS_SEAL_KEY_ID') | default('', false) }}"
+vault_ocikms_crypto_endpoint: "{{ lookup('env','VAULT_OCIKMS_CRYPTO_ENDPOINT') | default('', false) }}"
+vault_ocikms_management_endpoint: "{{ lookup('env','VAULT_OCIKMS_MANAGEMENT_ENDPOINT') | default('', false) }}"
+
 # pkcs11 seal
 vault_enterprise_premium_hsm: false
 # WARNING: the following variable is deprecated as this section will become

templates/vault_main_configuration.hcl.j2

@@ -111,6 +111,10 @@ ui = {{ vault_ui | bool | lower }}
   {% include vault_backend_gkms with context %}
 {% endif %}
 
+{% if vault_ocikms | bool -%}
+  {% include vault_ocikms_backend with context %}
+{% endif %}
+
 {% if vault_telemetry_enabled | bool -%}
 telemetry {
   {% if vault_statsite_address is defined %}

templates/vault_seal_ocikms.j2

@@ -0,0 +1,10 @@
+seal "ocikms" {
+  key_id = "{{ vault_ocikms_key_id }}"
+  auth_type_api_key = "{{ vault_ocikms_auth_type_api_key }}"
+{% if vault_ocikms_crypto_endpoint is string and vault_ocikms_crypto_endpoint|length %}
+  crypto_endpoint = "{{ vault_ocikms_crypto_endpoint }}"
+{% endif %}
+{% if vault_ocikms_management_endpoint is string and vault_ocikms_management_endpoint|length %}
+  management_endpoint = "{{ vault_ocikms_management_endpoint }}"
+{% endif %}
+}