bluejay/bluejay-infra
1
0
Fork 0
Code Issues Pull Requests 15 Actions Packages Projects Releases Wiki Activity
Files
ee14d3a2d018ffaa859de81020abc4cbf18cfe33
bluejay-infra/apps-gx10/openbao/openbao.yaml
Andrew Stoltz 4f7a5f3d20 fix(openbao): use arm64-resolving :2.5.5 tag (GX10 aarch64; amd64 digest won't pull) 
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-17 13:42:17 -05:00

163 lines
4.4 KiB
YAML
Raw Blame History

# OpenBao GX10 prod (ADR-206 / Phase-1). Integrated Raft; transit auto-unseal -> noc1 seal-bao.
# Secrets openbao-tls (listener cert) + openbao-seal (seal stanza incl. transit token) are
# created OUT-OF-BAND (not in git): keys live in noc1/1P, never committed. ArgoCD prune:false.
apiVersion: v1
kind: Namespace
metadata:
name: openbao
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: openbao
namespace: openbao
---
apiVersion: v1
kind: Service
metadata:
name: openbao
namespace: openbao
labels:
app.kubernetes.io/name: openbao
spec:
type: ClusterIP
selector:
app.kubernetes.io/name: openbao
ports:
- name: api
port: 8200
targetPort: 8200
- name: cluster
port: 8201
targetPort: 8201
---
apiVersion: v1
kind: ConfigMap
metadata:
name: openbao-config
namespace: openbao
data:
main.hcl: |
ui = true
disable_mlock = true
storage "raft" {
path = "/openbao/data"
node_id = "gx10-1"
}
listener "tcp" {
address = "0.0.0.0:8200"
cluster_address = "0.0.0.0:8201"
tls_cert_file = "/openbao/tls/tls.crt"
tls_key_file = "/openbao/tls/tls.key"
}
---
apiVersion: v1
kind: ConfigMap
metadata:
name: openbao-seal-ca
namespace: openbao
data:
ca.crt: |
-----BEGIN CERTIFICATE-----
MIIBxDCCAWqgAwIBAgIRAPY357G6ow6zMAL5+4bS2kkwCgYIKoZIzj0EAwIwQDEa
MBgGA1UEChMRSUFtV29ya2luIEFDTUUgQ0ExIjAgBgNVBAMTGUlBbVdvcmtpbiBB
Q01FIENBIFJvb3QgQ0EwHhcNMjYwMzA4MTgwNzExWhcNMzYwMzA1MTgwNzExWjBA
MRowGAYDVQQKExFJQW1Xb3JraW4gQUNNRSBDQTEiMCAGA1UEAxMZSUFtV29ya2lu
IEFDTUUgQ0EgUm9vdCBDQTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABJ2n04X1
JZo5Zdq/i1Idv8+fqwZyAzBh7whbqj0SWsJL8UWRabCMqYCs7+dXO0xRSzqkwFDL
x+vooOai8RgRNhajRTBDMA4GA1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/
AgEBMB0GA1UdDgQWBBRnuPPQR6iM/H6vOluiU3Sygayz8jAKBggqhkjOPQQDAgNI
ADBFAiEArQK9dYPGmAZsdYnjziuFVVE5NKZUcceYvGfGC+tLXUsCIAudF2zJrCRq
3mK50ZZET/fwTkJwiEF4824mjP8p1CKM
-----END CERTIFICATE-----
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: openbao
namespace: openbao
labels:
app.kubernetes.io/name: openbao
spec:
serviceName: openbao
replicas: 1
selector:
matchLabels:
app.kubernetes.io/name: openbao
template:
metadata:
labels:
app.kubernetes.io/name: openbao
spec:
serviceAccountName: openbao
securityContext:
runAsNonRoot: true
runAsUser: 100
runAsGroup: 1000
fsGroup: 1000
containers:
- name: openbao
image: ghcr.io/openbao/openbao:2.5.5 # arm64-resolving tag (GX10 is aarch64; the amd64 digest won't pull here)
command: ["bao", "server", "-config=/openbao/config/main.hcl", "-config=/openbao/seal/seal.hcl"]
env:
- name: POD_IP
valueFrom:
fieldRef:
fieldPath: status.podIP
- name: BAO_CLUSTER_ADDR
value: "https://$(POD_IP):8201"
- name: BAO_API_ADDR
value: "https://openbao.openbao.svc.cluster.local:8200"
ports:
- name: api
containerPort: 8200
- name: cluster
containerPort: 8201
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop: ["ALL"]
readinessProbe:
httpGet:
path: /v1/sys/health?standbyok=true&uninitcode=204&sealedcode=204&perfstandbyok=true&drsecondarycode=204
port: 8200
scheme: HTTPS
initialDelaySeconds: 5
periodSeconds: 10
failureThreshold: 6
volumeMounts:
- name: config
mountPath: /openbao/config
- name: seal
mountPath: /openbao/seal
- name: tls
mountPath: /openbao/tls
- name: seal-ca
mountPath: /openbao/seal-ca
- name: data
mountPath: /openbao/data
volumes:
- name: config
configMap:
name: openbao-config
- name: seal
secret:
secretName: openbao-seal
- name: tls
secret:
secretName: openbao-tls
- name: seal-ca
configMap:
name: openbao-seal-ca
volumeClaimTemplates:
- metadata:
name: data
spec:
accessModes: ["ReadWriteOnce"]
storageClassName: local-path
resources:
requests:
storage: 2Gi
Reference in New Issue View Git Blame Copy Permalink