use BUILD_MINIMAL env to build minimal Vault with few storage options and plugins (#27394)

2025-10-29 17:52:32 +00:00 · 2024-06-12 09:53:49 -07:00
parent c4fcb4a086
commit 83111c010c
12 changed files with 417 additions and 217 deletions
--- a/6
+++ b/6
@@ -22,6 +22,12 @@ ifneq ($(FDB_ENABLED), )
 	BUILD_TAGS+=foundationdb
 endif

+# Set BUILD_MINIMAL to a non-empty value to build a minimal version of Vault with only core features.
+BUILD_MINIMAL ?=
+ifneq ($(strip $(BUILD_MINIMAL)),)
+	BUILD_TAGS+=minimal
+endif
+
 default: dev

 # bin generates the releasable binaries for Vault
--- a/changelog/27394.txt
+++ b/changelog/27394.txt
@@ -0,0 +1,4 @@
+```release-note:feature
+**Vault Minimal Version**: Add the ability to build a minimal version of Vault
+with only core features using the BUILD_MINIMAL environment variable.
+```
--- a/command/commands.go
+++ b/command/commands.go
@@ -10,48 +10,18 @@ import (

 	"github.com/hashicorp/cli"
 	hcpvlib "github.com/hashicorp/vault-hcp-lib"
-	credAliCloud "github.com/hashicorp/vault-plugin-auth-alicloud"
-	credCF "github.com/hashicorp/vault-plugin-auth-cf"
-	credGcp "github.com/hashicorp/vault-plugin-auth-gcp/plugin"
 	credOIDC "github.com/hashicorp/vault-plugin-auth-jwt"
-	credKerb "github.com/hashicorp/vault-plugin-auth-kerberos"
-	credOCI "github.com/hashicorp/vault-plugin-auth-oci"
 	logicalKv "github.com/hashicorp/vault-plugin-secrets-kv"
 	"github.com/hashicorp/vault/audit"
-	credAws "github.com/hashicorp/vault/builtin/credential/aws"
 	credCert "github.com/hashicorp/vault/builtin/credential/cert"
-	credGitHub "github.com/hashicorp/vault/builtin/credential/github"
-	credLdap "github.com/hashicorp/vault/builtin/credential/ldap"
-	credOkta "github.com/hashicorp/vault/builtin/credential/okta"
 	credToken "github.com/hashicorp/vault/builtin/credential/token"
 	credUserpass "github.com/hashicorp/vault/builtin/credential/userpass"
 	logicalDb "github.com/hashicorp/vault/builtin/logical/database"
 	"github.com/hashicorp/vault/builtin/plugin"
 	_ "github.com/hashicorp/vault/helper/builtinplugins"
-	physAerospike "github.com/hashicorp/vault/physical/aerospike"
-	physAliCloudOSS "github.com/hashicorp/vault/physical/alicloudoss"
-	physAzure "github.com/hashicorp/vault/physical/azure"
-	physCassandra "github.com/hashicorp/vault/physical/cassandra"
-	physCockroachDB "github.com/hashicorp/vault/physical/cockroachdb"
-	physConsul "github.com/hashicorp/vault/physical/consul"
-	physCouchDB "github.com/hashicorp/vault/physical/couchdb"
-	physDynamoDB "github.com/hashicorp/vault/physical/dynamodb"
-	physEtcd "github.com/hashicorp/vault/physical/etcd"
-	physFoundationDB "github.com/hashicorp/vault/physical/foundationdb"
-	physGCS "github.com/hashicorp/vault/physical/gcs"
-	physManta "github.com/hashicorp/vault/physical/manta"
-	physMSSQL "github.com/hashicorp/vault/physical/mssql"
-	physMySQL "github.com/hashicorp/vault/physical/mysql"
-	physOCI "github.com/hashicorp/vault/physical/oci"
-	physPostgreSQL "github.com/hashicorp/vault/physical/postgresql"
 	physRaft "github.com/hashicorp/vault/physical/raft"
-	physS3 "github.com/hashicorp/vault/physical/s3"
-	physSpanner "github.com/hashicorp/vault/physical/spanner"
-	physSwift "github.com/hashicorp/vault/physical/swift"
-	physZooKeeper "github.com/hashicorp/vault/physical/zookeeper"
 	"github.com/hashicorp/vault/sdk/logical"
 	"github.com/hashicorp/vault/sdk/physical"
-	physFile "github.com/hashicorp/vault/sdk/physical/file"
 	physInmem "github.com/hashicorp/vault/sdk/physical/inmem"
 	sr "github.com/hashicorp/vault/serviceregistration"
 	csr "github.com/hashicorp/vault/serviceregistration/consul"
@@ -160,6 +130,23 @@ const (
 )

 var (
+	physicalBackends = map[string]physical.Factory{
+		"inmem_ha":               physInmem.NewInmemHA,
+		"inmem_transactional_ha": physInmem.NewTransactionalInmemHA,
+		"inmem_transactional":    physInmem.NewTransactionalInmem,
+		"inmem":                  physInmem.NewInmem,
+		"raft":                   physRaft.NewRaftBackend,
+	}
+
+	loginHandlers = map[string]LoginHandler{
+		"cert":  &credCert.CLIHandler{},
+		"oidc":  &credOIDC.CLIHandler{},
+		"token": &credToken.CLIHandler{},
+		"userpass": &credUserpass.CLIHandler{
+			DefaultMount: "userpass",
+		},
+	}
+
 	auditBackends = map[string]audit.Factory{
 		"file":   audit.NewFileBackend,
 		"socket": audit.NewSocketBackend,
@@ -178,66 +165,15 @@ var (
 		"kv": logicalKv.Factory,
 	}

-	physicalBackends = map[string]physical.Factory{
-		"aerospike":              physAerospike.NewAerospikeBackend,
-		"alicloudoss":            physAliCloudOSS.NewAliCloudOSSBackend,
-		"azure":                  physAzure.NewAzureBackend,
-		"cassandra":              physCassandra.NewCassandraBackend,
-		"cockroachdb":            physCockroachDB.NewCockroachDBBackend,
-		"consul":                 physConsul.NewConsulBackend,
-		"couchdb_transactional":  physCouchDB.NewTransactionalCouchDBBackend,
-		"couchdb":                physCouchDB.NewCouchDBBackend,
-		"dynamodb":               physDynamoDB.NewDynamoDBBackend,
-		"etcd":                   physEtcd.NewEtcdBackend,
-		"file_transactional":     physFile.NewTransactionalFileBackend,
-		"file":                   physFile.NewFileBackend,
-		"foundationdb":           physFoundationDB.NewFDBBackend,
-		"gcs":                    physGCS.NewBackend,
-		"inmem_ha":               physInmem.NewInmemHA,
-		"inmem_transactional_ha": physInmem.NewTransactionalInmemHA,
-		"inmem_transactional":    physInmem.NewTransactionalInmem,
-		"inmem":                  physInmem.NewInmem,
-		"manta":                  physManta.NewMantaBackend,
-		"mssql":                  physMSSQL.NewMSSQLBackend,
-		"mysql":                  physMySQL.NewMySQLBackend,
-		"oci":                    physOCI.NewBackend,
-		"postgresql":             physPostgreSQL.NewPostgreSQLBackend,
-		"s3":                     physS3.NewS3Backend,
-		"spanner":                physSpanner.NewBackend,
-		"swift":                  physSwift.NewSwiftBackend,
-		"raft":                   physRaft.NewRaftBackend,
-		"zookeeper":              physZooKeeper.NewZooKeeperBackend,
-	}
-
 	serviceRegistrations = map[string]sr.Factory{
 		"consul":     csr.NewServiceRegistration,
 		"kubernetes": ksr.NewServiceRegistration,
 	}
-
-	loginHandlers = map[string]LoginHandler{
-		"alicloud": &credAliCloud.CLIHandler{},
-		"aws":      &credAws.CLIHandler{},
-		"cert":     &credCert.CLIHandler{},
-		"cf":       &credCF.CLIHandler{},
-		"gcp":      &credGcp.CLIHandler{},
-		"github":   &credGitHub.CLIHandler{},
-		"kerberos": &credKerb.CLIHandler{},
-		"ldap":     &credLdap.CLIHandler{},
-		"oci":      &credOCI.CLIHandler{},
-		"oidc":     &credOIDC.CLIHandler{},
-		"okta":     &credOkta.CLIHandler{},
-		"pcf":      &credCF.CLIHandler{}, // Deprecated.
-		"radius": &credUserpass.CLIHandler{
-			DefaultMount: "radius",
-		},
-		"token": &credToken.CLIHandler{},
-		"userpass": &credUserpass.CLIHandler{
-			DefaultMount: "userpass",
-		},
-	}
 )

 func initCommands(ui, serverCmdUi cli.Ui, runOpts *RunOptions) map[string]cli.CommandFactory {
+	extendAddonCommands()
+
 	getBaseCommand := func() *BaseCommand {
 		return &BaseCommand{
 			UI:             ui,
--- a/command/commands_full.go
+++ b/command/commands_full.go
@@ -0,0 +1,96 @@
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+//go:build !minimal
+
+package command
+
+import (
+	"maps"
+
+	credAliCloud "github.com/hashicorp/vault-plugin-auth-alicloud"
+	credCF "github.com/hashicorp/vault-plugin-auth-cf"
+	credGcp "github.com/hashicorp/vault-plugin-auth-gcp/plugin"
+	credKerb "github.com/hashicorp/vault-plugin-auth-kerberos"
+	credOCI "github.com/hashicorp/vault-plugin-auth-oci"
+	credAws "github.com/hashicorp/vault/builtin/credential/aws"
+	credGitHub "github.com/hashicorp/vault/builtin/credential/github"
+	credLdap "github.com/hashicorp/vault/builtin/credential/ldap"
+	credOkta "github.com/hashicorp/vault/builtin/credential/okta"
+	credUserpass "github.com/hashicorp/vault/builtin/credential/userpass"
+	_ "github.com/hashicorp/vault/helper/builtinplugins"
+	physAerospike "github.com/hashicorp/vault/physical/aerospike"
+	physAliCloudOSS "github.com/hashicorp/vault/physical/alicloudoss"
+	physAzure "github.com/hashicorp/vault/physical/azure"
+	physCassandra "github.com/hashicorp/vault/physical/cassandra"
+	physCockroachDB "github.com/hashicorp/vault/physical/cockroachdb"
+	physConsul "github.com/hashicorp/vault/physical/consul"
+	physCouchDB "github.com/hashicorp/vault/physical/couchdb"
+	physDynamoDB "github.com/hashicorp/vault/physical/dynamodb"
+	physEtcd "github.com/hashicorp/vault/physical/etcd"
+	physFoundationDB "github.com/hashicorp/vault/physical/foundationdb"
+	physGCS "github.com/hashicorp/vault/physical/gcs"
+	physManta "github.com/hashicorp/vault/physical/manta"
+	physMSSQL "github.com/hashicorp/vault/physical/mssql"
+	physMySQL "github.com/hashicorp/vault/physical/mysql"
+	physOCI "github.com/hashicorp/vault/physical/oci"
+	physPostgreSQL "github.com/hashicorp/vault/physical/postgresql"
+	physS3 "github.com/hashicorp/vault/physical/s3"
+	physSpanner "github.com/hashicorp/vault/physical/spanner"
+	physSwift "github.com/hashicorp/vault/physical/swift"
+	physZooKeeper "github.com/hashicorp/vault/physical/zookeeper"
+	"github.com/hashicorp/vault/sdk/physical"
+	physFile "github.com/hashicorp/vault/sdk/physical/file"
+)
+
+func newFullAddonCommands() (map[string]physical.Factory, map[string]LoginHandler) {
+	addonPhysicalBackends := map[string]physical.Factory{
+		"aerospike":             physAerospike.NewAerospikeBackend,
+		"alicloudoss":           physAliCloudOSS.NewAliCloudOSSBackend,
+		"azure":                 physAzure.NewAzureBackend,
+		"cassandra":             physCassandra.NewCassandraBackend,
+		"cockroachdb":           physCockroachDB.NewCockroachDBBackend,
+		"consul":                physConsul.NewConsulBackend,
+		"couchdb_transactional": physCouchDB.NewTransactionalCouchDBBackend,
+		"couchdb":               physCouchDB.NewCouchDBBackend,
+		"dynamodb":              physDynamoDB.NewDynamoDBBackend,
+		"etcd":                  physEtcd.NewEtcdBackend,
+		"file_transactional":    physFile.NewTransactionalFileBackend,
+		"file":                  physFile.NewFileBackend,
+		"foundationdb":          physFoundationDB.NewFDBBackend,
+		"gcs":                   physGCS.NewBackend,
+		"manta":                 physManta.NewMantaBackend,
+		"mssql":                 physMSSQL.NewMSSQLBackend,
+		"mysql":                 physMySQL.NewMySQLBackend,
+		"oci":                   physOCI.NewBackend,
+		"postgresql":            physPostgreSQL.NewPostgreSQLBackend,
+		"s3":                    physS3.NewS3Backend,
+		"spanner":               physSpanner.NewBackend,
+		"swift":                 physSwift.NewSwiftBackend,
+		"zookeeper":             physZooKeeper.NewZooKeeperBackend,
+	}
+	addonLoginHandlers := map[string]LoginHandler{
+		"alicloud": &credAliCloud.CLIHandler{},
+		"aws":      &credAws.CLIHandler{},
+		"cf":       &credCF.CLIHandler{},
+		"gcp":      &credGcp.CLIHandler{},
+		"github":   &credGitHub.CLIHandler{},
+		"kerberos": &credKerb.CLIHandler{},
+		"ldap":     &credLdap.CLIHandler{},
+		"oci":      &credOCI.CLIHandler{},
+		"okta":     &credOkta.CLIHandler{},
+		"pcf":      &credCF.CLIHandler{}, // Deprecated.
+		"radius": &credUserpass.CLIHandler{
+			DefaultMount: "radius",
+		},
+	}
+
+	return addonPhysicalBackends, addonLoginHandlers
+}
+
+func extendAddonCommands() {
+	addonPhysicalBackends, addonLoginHandlers := newFullAddonCommands()
+
+	maps.Copy(physicalBackends, addonPhysicalBackends)
+	maps.Copy(loginHandlers, addonLoginHandlers)
+}
--- a/command/commands_full_test.go
+++ b/command/commands_full_test.go
@@ -0,0 +1,45 @@
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+//go:build !enterprise && !minimal
+
+package command
+
+import (
+	"maps"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+// Test_extendAddonCommands tests extendAddonCommands() extends physical and logical backends with
+// those generated by newFullAddonCommands()
+func Test_extendAddonCommands(t *testing.T) {
+	expMinPhysicalBackends := maps.Clone(physicalBackends)
+	expMinLoginHandlers := maps.Clone(loginHandlers)
+
+	expAddonPhysicalBackends, expAddonLoginHandlers := newFullAddonCommands()
+
+	extendAddonCommands()
+
+	require.Equal(t, len(expMinPhysicalBackends)+len(expAddonPhysicalBackends), len(physicalBackends),
+		"extended total physical backends mismatch total of minimal and full addon physical backends")
+	require.Equal(t, len(expMinLoginHandlers)+len(expAddonLoginHandlers), len(loginHandlers),
+		"extended total login handlers mismatch total of minimal and full addon login handlers")
+
+	for k := range expMinPhysicalBackends {
+		require.Contains(t, physicalBackends, k, "expected to contain minimal physical backend")
+	}
+
+	for k := range expAddonPhysicalBackends {
+		require.Contains(t, physicalBackends, k, "expected to contain full addon physical backend")
+	}
+
+	for k := range expMinLoginHandlers {
+		require.Contains(t, loginHandlers, k, "expected to contain minimal login handler")
+	}
+
+	for k := range expAddonLoginHandlers {
+		require.Contains(t, loginHandlers, k, "expected to contain full addon login handler")
+	}
+}
--- a/command/commands_min.go
+++ b/command/commands_min.go
@@ -0,0 +1,14 @@
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+//go:build minimal
+
+package command
+
+import (
+	_ "github.com/hashicorp/vault/helper/builtinplugins"
+)
+
+func extendAddonCommands() {
+	// No-op
+}
--- a/command/commands_test.go
+++ b/command/commands_test.go
@@ -26,8 +26,6 @@ func Test_Commands_HCPInit(t *testing.T) {

 	for n, tst := range tests {
 		t.Run(n, func(t *testing.T) {
-			t.Parallel()
-
 			mockUi := cli.NewMockUi()
 			commands := initCommands(mockUi, nil, nil)
 			if tst.expectError {
--- a/helper/builtinplugins/registry.go
+++ b/helper/builtinplugins/registry.go
@@ -6,54 +6,14 @@ package builtinplugins
 import (
 	"context"

-	credAliCloud "github.com/hashicorp/vault-plugin-auth-alicloud"
-	credAzure "github.com/hashicorp/vault-plugin-auth-azure"
-	credCF "github.com/hashicorp/vault-plugin-auth-cf"
-	credGcp "github.com/hashicorp/vault-plugin-auth-gcp/plugin"
 	credJWT "github.com/hashicorp/vault-plugin-auth-jwt"
-	credKerb "github.com/hashicorp/vault-plugin-auth-kerberos"
-	credKube "github.com/hashicorp/vault-plugin-auth-kubernetes"
-	credOCI "github.com/hashicorp/vault-plugin-auth-oci"
-	dbCouchbase "github.com/hashicorp/vault-plugin-database-couchbase"
-	dbElastic "github.com/hashicorp/vault-plugin-database-elasticsearch"
-	dbMongoAtlas "github.com/hashicorp/vault-plugin-database-mongodbatlas"
-	dbRedis "github.com/hashicorp/vault-plugin-database-redis"
-	dbRedisElastiCache "github.com/hashicorp/vault-plugin-database-redis-elasticache"
-	dbSnowflake "github.com/hashicorp/vault-plugin-database-snowflake"
-	logicalAd "github.com/hashicorp/vault-plugin-secrets-ad/plugin"
-	logicalAlicloud "github.com/hashicorp/vault-plugin-secrets-alicloud"
-	logicalAzure "github.com/hashicorp/vault-plugin-secrets-azure"
-	logicalGcp "github.com/hashicorp/vault-plugin-secrets-gcp/plugin"
-	logicalGcpKms "github.com/hashicorp/vault-plugin-secrets-gcpkms"
-	logicalKube "github.com/hashicorp/vault-plugin-secrets-kubernetes"
 	logicalKv "github.com/hashicorp/vault-plugin-secrets-kv"
-	logicalMongoAtlas "github.com/hashicorp/vault-plugin-secrets-mongodbatlas"
-	logicalLDAP "github.com/hashicorp/vault-plugin-secrets-openldap"
-	logicalTerraform "github.com/hashicorp/vault-plugin-secrets-terraform"
 	credAppRole "github.com/hashicorp/vault/builtin/credential/approle"
-	credAws "github.com/hashicorp/vault/builtin/credential/aws"
 	credCert "github.com/hashicorp/vault/builtin/credential/cert"
-	credGitHub "github.com/hashicorp/vault/builtin/credential/github"
-	credLdap "github.com/hashicorp/vault/builtin/credential/ldap"
-	credOkta "github.com/hashicorp/vault/builtin/credential/okta"
-	credRadius "github.com/hashicorp/vault/builtin/credential/radius"
 	credUserpass "github.com/hashicorp/vault/builtin/credential/userpass"
-	logicalAws "github.com/hashicorp/vault/builtin/logical/aws"
-	logicalConsul "github.com/hashicorp/vault/builtin/logical/consul"
-	logicalNomad "github.com/hashicorp/vault/builtin/logical/nomad"
 	logicalPki "github.com/hashicorp/vault/builtin/logical/pki"
-	logicalRabbit "github.com/hashicorp/vault/builtin/logical/rabbitmq"
 	logicalSsh "github.com/hashicorp/vault/builtin/logical/ssh"
-	logicalTotp "github.com/hashicorp/vault/builtin/logical/totp"
 	logicalTransit "github.com/hashicorp/vault/builtin/logical/transit"
-	dbCass "github.com/hashicorp/vault/plugins/database/cassandra"
-	dbHana "github.com/hashicorp/vault/plugins/database/hana"
-	dbInflux "github.com/hashicorp/vault/plugins/database/influxdb"
-	dbMongo "github.com/hashicorp/vault/plugins/database/mongodb"
-	dbMssql "github.com/hashicorp/vault/plugins/database/mssql"
-	dbMysql "github.com/hashicorp/vault/plugins/database/mysql"
-	dbPostgres "github.com/hashicorp/vault/plugins/database/postgresql"
-	dbRedshift "github.com/hashicorp/vault/plugins/database/redshift"
 	"github.com/hashicorp/vault/sdk/framework"
 	"github.com/hashicorp/vault/sdk/helper/consts"
 	"github.com/hashicorp/vault/sdk/logical"
@@ -93,104 +53,29 @@ func removedFactory(ctx context.Context, config *logical.BackendConfig) (logical
 	return removedBackend, nil
 }

-func newRegistry() *registry {
-	reg := &registry{
+func newMinimalRegistry() *registry {
+	return &registry{
 		credentialBackends: map[string]credentialBackend{
-			"alicloud": {Factory: credAliCloud.Factory},
-			"app-id": {
-				Factory:           removedFactory,
-				DeprecationStatus: consts.Removed,
-			},
-			"approle":    {Factory: credAppRole.Factory},
-			"aws":        {Factory: credAws.Factory},
-			"azure":      {Factory: credAzure.Factory},
-			"cert":       {Factory: credCert.Factory},
-			"cf":         {Factory: credCF.Factory},
-			"gcp":        {Factory: credGcp.Factory},
-			"github":     {Factory: credGitHub.Factory},
-			"jwt":        {Factory: credJWT.Factory},
-			"kerberos":   {Factory: credKerb.Factory},
-			"kubernetes": {Factory: credKube.Factory},
-			"ldap":       {Factory: credLdap.Factory},
-			"oci":        {Factory: credOCI.Factory},
-			"oidc":       {Factory: credJWT.Factory},
-			"okta":       {Factory: credOkta.Factory},
-			"pcf": {
-				Factory:           credCF.Factory,
-				DeprecationStatus: consts.Deprecated,
-			},
-			"radius":   {Factory: credRadius.Factory},
+			"approle":  {Factory: credAppRole.Factory},
+			"cert":     {Factory: credCert.Factory},
+			"jwt":      {Factory: credJWT.Factory},
+			"oidc":     {Factory: credJWT.Factory},
 			"userpass": {Factory: credUserpass.Factory},
 		},
-		databasePlugins: map[string]databasePlugin{
-			// These four plugins all use the same mysql implementation but with
-			// different username settings passed by the constructor.
-			"mysql-database-plugin":        {Factory: dbMysql.New(dbMysql.DefaultUserNameTemplate)},
-			"mysql-aurora-database-plugin": {Factory: dbMysql.New(dbMysql.DefaultLegacyUserNameTemplate)},
-			"mysql-rds-database-plugin":    {Factory: dbMysql.New(dbMysql.DefaultLegacyUserNameTemplate)},
-			"mysql-legacy-database-plugin": {Factory: dbMysql.New(dbMysql.DefaultLegacyUserNameTemplate)},
-
-			"cassandra-database-plugin":         {Factory: dbCass.New},
-			"couchbase-database-plugin":         {Factory: dbCouchbase.New},
-			"elasticsearch-database-plugin":     {Factory: dbElastic.New},
-			"hana-database-plugin":              {Factory: dbHana.New},
-			"influxdb-database-plugin":          {Factory: dbInflux.New},
-			"mongodb-database-plugin":           {Factory: dbMongo.New},
-			"mongodbatlas-database-plugin":      {Factory: dbMongoAtlas.New},
-			"mssql-database-plugin":             {Factory: dbMssql.New},
-			"postgresql-database-plugin":        {Factory: dbPostgres.New},
-			"redshift-database-plugin":          {Factory: dbRedshift.New},
-			"redis-database-plugin":             {Factory: dbRedis.New},
-			"redis-elasticache-database-plugin": {Factory: dbRedisElastiCache.New},
-			"snowflake-database-plugin":         {Factory: dbSnowflake.New},
-		},
+		databasePlugins: map[string]databasePlugin{},
 		logicalBackends: map[string]logicalBackend{
-			"ad": {
-				Factory:           logicalAd.Factory,
-				DeprecationStatus: consts.Deprecated,
-			},
-			"alicloud": {Factory: logicalAlicloud.Factory},
-			"aws":      {Factory: logicalAws.Factory},
-			"azure":    {Factory: logicalAzure.Factory},
-			"cassandra": {
-				Factory:           removedFactory,
-				DeprecationStatus: consts.Removed,
-			},
-			"consul":     {Factory: logicalConsul.Factory},
-			"gcp":        {Factory: logicalGcp.Factory},
-			"gcpkms":     {Factory: logicalGcpKms.Factory},
-			"kubernetes": {Factory: logicalKube.Factory},
-			"kv":         {Factory: logicalKv.Factory},
-			"mongodb": {
-				Factory:           removedFactory,
-				DeprecationStatus: consts.Removed,
-			},
-			// The mongodbatlas secrets engine is not the same as the database plugin equivalent
-			// (`mongodbatlas-database-plugin`), and thus will not be deprecated at this time.
-			"mongodbatlas": {Factory: logicalMongoAtlas.Factory},
-			"mssql": {
-				Factory:           removedFactory,
-				DeprecationStatus: consts.Removed,
-			},
-			"mysql": {
-				Factory:           removedFactory,
-				DeprecationStatus: consts.Removed,
-			},
-			"nomad":    {Factory: logicalNomad.Factory},
-			"openldap": {Factory: logicalLDAP.Factory},
-			"ldap":     {Factory: logicalLDAP.Factory},
-			"pki":      {Factory: logicalPki.Factory},
-			"postgresql": {
-				Factory:           removedFactory,
-				DeprecationStatus: consts.Removed,
-			},
-			"rabbitmq":  {Factory: logicalRabbit.Factory},
-			"ssh":       {Factory: logicalSsh.Factory},
-			"terraform": {Factory: logicalTerraform.Factory},
-			"totp":      {Factory: logicalTotp.Factory},
-			"transit":   {Factory: logicalTransit.Factory},
+			"kv":      {Factory: logicalKv.Factory},
+			"pki":     {Factory: logicalPki.Factory},
+			"ssh":     {Factory: logicalSsh.Factory},
+			"transit": {Factory: logicalTransit.Factory},
 		},
 	}
+}
+
+func newRegistry() *registry {
+	reg := newMinimalRegistry()
+
+	extendAddonPlugins(reg)

 	entAddExtPlugins(reg)

--- a/helper/builtinplugins/registry_full.go
+++ b/helper/builtinplugins/registry_full.go
@@ -0,0 +1,149 @@
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+//go:build !minimal
+
+package builtinplugins
+
+import (
+	"maps"
+
+	credAliCloud "github.com/hashicorp/vault-plugin-auth-alicloud"
+	credAzure "github.com/hashicorp/vault-plugin-auth-azure"
+	credCF "github.com/hashicorp/vault-plugin-auth-cf"
+	credGcp "github.com/hashicorp/vault-plugin-auth-gcp/plugin"
+	credKerb "github.com/hashicorp/vault-plugin-auth-kerberos"
+	credKube "github.com/hashicorp/vault-plugin-auth-kubernetes"
+	credOCI "github.com/hashicorp/vault-plugin-auth-oci"
+	dbCouchbase "github.com/hashicorp/vault-plugin-database-couchbase"
+	dbElastic "github.com/hashicorp/vault-plugin-database-elasticsearch"
+	dbMongoAtlas "github.com/hashicorp/vault-plugin-database-mongodbatlas"
+	dbRedis "github.com/hashicorp/vault-plugin-database-redis"
+	dbRedisElastiCache "github.com/hashicorp/vault-plugin-database-redis-elasticache"
+	dbSnowflake "github.com/hashicorp/vault-plugin-database-snowflake"
+	logicalAd "github.com/hashicorp/vault-plugin-secrets-ad/plugin"
+	logicalAlicloud "github.com/hashicorp/vault-plugin-secrets-alicloud"
+	logicalAzure "github.com/hashicorp/vault-plugin-secrets-azure"
+	logicalGcp "github.com/hashicorp/vault-plugin-secrets-gcp/plugin"
+	logicalGcpKms "github.com/hashicorp/vault-plugin-secrets-gcpkms"
+	logicalKube "github.com/hashicorp/vault-plugin-secrets-kubernetes"
+	logicalMongoAtlas "github.com/hashicorp/vault-plugin-secrets-mongodbatlas"
+	logicalLDAP "github.com/hashicorp/vault-plugin-secrets-openldap"
+	logicalTerraform "github.com/hashicorp/vault-plugin-secrets-terraform"
+	credAws "github.com/hashicorp/vault/builtin/credential/aws"
+	credGitHub "github.com/hashicorp/vault/builtin/credential/github"
+	credLdap "github.com/hashicorp/vault/builtin/credential/ldap"
+	credOkta "github.com/hashicorp/vault/builtin/credential/okta"
+	credRadius "github.com/hashicorp/vault/builtin/credential/radius"
+	logicalAws "github.com/hashicorp/vault/builtin/logical/aws"
+	logicalConsul "github.com/hashicorp/vault/builtin/logical/consul"
+	logicalNomad "github.com/hashicorp/vault/builtin/logical/nomad"
+	logicalRabbit "github.com/hashicorp/vault/builtin/logical/rabbitmq"
+	logicalTotp "github.com/hashicorp/vault/builtin/logical/totp"
+	dbCass "github.com/hashicorp/vault/plugins/database/cassandra"
+	dbHana "github.com/hashicorp/vault/plugins/database/hana"
+	dbInflux "github.com/hashicorp/vault/plugins/database/influxdb"
+	dbMongo "github.com/hashicorp/vault/plugins/database/mongodb"
+	dbMssql "github.com/hashicorp/vault/plugins/database/mssql"
+	dbMysql "github.com/hashicorp/vault/plugins/database/mysql"
+	dbPostgres "github.com/hashicorp/vault/plugins/database/postgresql"
+	dbRedshift "github.com/hashicorp/vault/plugins/database/redshift"
+	"github.com/hashicorp/vault/sdk/helper/consts"
+)
+
+func newFullAddonRegistry() *registry {
+	return &registry{
+		credentialBackends: map[string]credentialBackend{
+			"alicloud": {Factory: credAliCloud.Factory},
+			"app-id": {
+				Factory:           removedFactory,
+				DeprecationStatus: consts.Removed,
+			},
+			"aws":        {Factory: credAws.Factory},
+			"azure":      {Factory: credAzure.Factory},
+			"cf":         {Factory: credCF.Factory},
+			"gcp":        {Factory: credGcp.Factory},
+			"github":     {Factory: credGitHub.Factory},
+			"kerberos":   {Factory: credKerb.Factory},
+			"kubernetes": {Factory: credKube.Factory},
+			"ldap":       {Factory: credLdap.Factory},
+			"oci":        {Factory: credOCI.Factory},
+			"okta":       {Factory: credOkta.Factory},
+			"pcf": {
+				Factory:           credCF.Factory,
+				DeprecationStatus: consts.Deprecated,
+			},
+			"radius": {Factory: credRadius.Factory},
+		},
+		databasePlugins: map[string]databasePlugin{
+			// These four plugins all use the same mysql implementation but with
+			// different username settings passed by the constructor.
+			"mysql-database-plugin":        {Factory: dbMysql.New(dbMysql.DefaultUserNameTemplate)},
+			"mysql-aurora-database-plugin": {Factory: dbMysql.New(dbMysql.DefaultLegacyUserNameTemplate)},
+			"mysql-rds-database-plugin":    {Factory: dbMysql.New(dbMysql.DefaultLegacyUserNameTemplate)},
+			"mysql-legacy-database-plugin": {Factory: dbMysql.New(dbMysql.DefaultLegacyUserNameTemplate)},
+
+			"cassandra-database-plugin":         {Factory: dbCass.New},
+			"couchbase-database-plugin":         {Factory: dbCouchbase.New},
+			"elasticsearch-database-plugin":     {Factory: dbElastic.New},
+			"hana-database-plugin":              {Factory: dbHana.New},
+			"influxdb-database-plugin":          {Factory: dbInflux.New},
+			"mongodb-database-plugin":           {Factory: dbMongo.New},
+			"mongodbatlas-database-plugin":      {Factory: dbMongoAtlas.New},
+			"mssql-database-plugin":             {Factory: dbMssql.New},
+			"postgresql-database-plugin":        {Factory: dbPostgres.New},
+			"redshift-database-plugin":          {Factory: dbRedshift.New},
+			"redis-database-plugin":             {Factory: dbRedis.New},
+			"redis-elasticache-database-plugin": {Factory: dbRedisElastiCache.New},
+			"snowflake-database-plugin":         {Factory: dbSnowflake.New},
+		},
+		logicalBackends: map[string]logicalBackend{
+			"ad": {
+				Factory:           logicalAd.Factory,
+				DeprecationStatus: consts.Deprecated,
+			},
+			"alicloud": {Factory: logicalAlicloud.Factory},
+			"aws":      {Factory: logicalAws.Factory},
+			"azure":    {Factory: logicalAzure.Factory},
+			"cassandra": {
+				Factory:           removedFactory,
+				DeprecationStatus: consts.Removed,
+			},
+			"consul":     {Factory: logicalConsul.Factory},
+			"gcp":        {Factory: logicalGcp.Factory},
+			"gcpkms":     {Factory: logicalGcpKms.Factory},
+			"kubernetes": {Factory: logicalKube.Factory},
+			"mongodb": {
+				Factory:           removedFactory,
+				DeprecationStatus: consts.Removed,
+			},
+			"mongodbatlas": {Factory: logicalMongoAtlas.Factory},
+			"mssql": {
+				Factory:           removedFactory,
+				DeprecationStatus: consts.Removed,
+			},
+			"mysql": {
+				Factory:           removedFactory,
+				DeprecationStatus: consts.Removed,
+			},
+			"nomad":    {Factory: logicalNomad.Factory},
+			"openldap": {Factory: logicalLDAP.Factory},
+			"ldap":     {Factory: logicalLDAP.Factory},
+			"postgresql": {
+				Factory:           removedFactory,
+				DeprecationStatus: consts.Removed,
+			},
+			"rabbitmq":  {Factory: logicalRabbit.Factory},
+			"terraform": {Factory: logicalTerraform.Factory},
+			"totp":      {Factory: logicalTotp.Factory},
+		},
+	}
+}
+
+func extendAddonPlugins(reg *registry) {
+	addonReg := newFullAddonRegistry()
+
+	maps.Copy(reg.credentialBackends, addonReg.credentialBackends)
+	maps.Copy(reg.databasePlugins, addonReg.databasePlugins)
+	maps.Copy(reg.logicalBackends, addonReg.logicalBackends)
+}
--- a/helper/builtinplugins/registry_full_test.go
+++ b/helper/builtinplugins/registry_full_test.go
@@ -0,0 +1,30 @@
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+//go:build !enterprise && !minimal
+
+package builtinplugins
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+// Test_newRegistry tests that newRegistry() returns a registry with
+// the expected minimal registry extended with full addon registry
+func Test_newRegistry(t *testing.T) {
+	actual := newRegistry()
+	expMinimal := newMinimalRegistry()
+	expFullAddon := newFullAddonRegistry()
+
+	require.Equal(t, len(expMinimal.credentialBackends)+len(expFullAddon.credentialBackends), len(actual.credentialBackends),
+		"newRegistry() total auth backends mismatch total of minimal and full addon registries")
+	require.Equal(t, len(expMinimal.databasePlugins)+len(expFullAddon.databasePlugins), len(actual.databasePlugins),
+		"newRegistry() total database plugins mismatch total of minimal and full addon registries")
+	require.Equal(t, len(expMinimal.logicalBackends)+len(expFullAddon.logicalBackends), len(actual.logicalBackends),
+		"newRegistry() total logical backends mismatch total of minimal and full addon registries")
+
+	assertRegistrySubset(t, actual, expMinimal, "common")
+	assertRegistrySubset(t, actual, expFullAddon, "full addon")
+}
--- a/helper/builtinplugins/registry_min.go
+++ b/helper/builtinplugins/registry_min.go
@@ -0,0 +1,10 @@
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+//go:build minimal
+
+package builtinplugins
+
+func extendAddonPlugins(_ *registry) {
+	// No-op
+}
--- a/helper/builtinplugins/registry_testing_util.go
+++ b/helper/builtinplugins/registry_testing_util.go
@@ -0,0 +1,27 @@
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+package builtinplugins
+
+import (
+	"fmt"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+func assertRegistrySubset(t *testing.T, r, subset *registry, subsetName string) {
+	t.Helper()
+
+	for k := range subset.credentialBackends {
+		require.Contains(t, r.credentialBackends, k, fmt.Sprintf("expected to contain %s auth backend", subsetName))
+	}
+
+	for k := range subset.databasePlugins {
+		require.Contains(t, r.databasePlugins, k, fmt.Sprintf("expected to contain %s database plugin", subsetName))
+	}
+
+	for k := range subset.logicalBackends {
+		require.Contains(t, r.logicalBackends, k, fmt.Sprintf("expected to contain %s logical backend", subsetName))
+	}
+}