diff --git a/clusters/cl01tl/helm/blocky/values.yaml b/clusters/cl01tl/helm/blocky/values.yaml index 4c614b37a..e62edcb8d 100644 --- a/clusters/cl01tl/helm/blocky/values.yaml +++ b/clusters/cl01tl/helm/blocky/values.yaml @@ -141,6 +141,7 @@ blocky: objects IN CNAME traefik-cl01tl ollama IN CNAME traefik-cl01tl omni-tools IN CNAME traefik-cl01tl + openbao IN CNAME traefik-cl01tl paperless-ngx IN CNAME traefik-cl01tl plex IN CNAME traefik-cl01tl postiz-spotlight IN CNAME traefik-cl01tl diff --git a/clusters/cl01tl/helm/gatus/values.yaml b/clusters/cl01tl/helm/gatus/values.yaml index 906ac5401..e9f856cfe 100644 --- a/clusters/cl01tl/helm/gatus/values.yaml +++ b/clusters/cl01tl/helm/gatus/values.yaml @@ -266,6 +266,9 @@ gatus: - name: vault url: https://vault.alexlebens.net <<: *defaults + - name: openbao + url: https://openbao.alexlebens.net + <<: *defaults - name: backrest url: https://backrest.alexlebens.net <<: *defaults diff --git a/clusters/cl01tl/helm/grafana-operator/templates/grafana-dashboard.yaml b/clusters/cl01tl/helm/grafana-operator/templates/grafana-dashboard.yaml index 960d8045b..7d5961b84 100644 --- a/clusters/cl01tl/helm/grafana-operator/templates/grafana-dashboard.yaml +++ b/clusters/cl01tl/helm/grafana-operator/templates/grafana-dashboard.yaml 
@@ -567,6 +567,25 @@ spec: resyncPeriod: 6h url: http://gitea-http.gitea:3000/alexlebens/grafana-dashboards/raw/branch/main/dashboards/platform/ntfy.json +--- +apiVersion: grafana.integreatly.org/v1beta1 +kind: GrafanaDashboard +metadata: + name: grafana-dashboard-openbao + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: grafana-dashboard-openbao + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/part-of: {{ .Release.Name }} +spec: + instanceSelector: + matchLabels: + app: grafana-main + contentCacheDuration: 6h + folderUID: grafana-folder-platform + resyncPeriod: 6h + url: http://gitea-http.gitea:3000/alexlebens/grafana-dashboards/raw/branch/main/dashboards/platform/openbao.json + --- apiVersion: grafana.integreatly.org/v1beta1 kind: GrafanaDashboard diff --git a/clusters/cl01tl/helm/homepage/values.yaml b/clusters/cl01tl/helm/homepage/values.yaml index 18d6b9315..0c8612fa9 100644 --- a/clusters/cl01tl/helm/homepage/values.yaml +++ b/clusters/cl01tl/helm/homepage/values.yaml @@ -637,6 +637,18 @@ homepage: app.kubernetes.io/instance in ( vault ) + - Secrets: + icon: sh-openbao.webp + description: OpenBao + href: https://openbao.alexlebens.net + siteMonitor: http://openbao.openbao:8200 + statusStyle: dot + namespace: openbao + app: openbao + podSelector: >- + app.kubernetes.io/instance in ( + openbao + ) - Backups: icon: sh-backrest-light.webp description: Backrest diff --git a/clusters/cl01tl/helm/openbao/Chart.lock b/clusters/cl01tl/helm/openbao/Chart.lock new file mode 100644 index 000000000..e42514b76 --- /dev/null +++ b/clusters/cl01tl/helm/openbao/Chart.lock @@ -0,0 +1,9 @@ +dependencies: +- name: openbao + repository: https://openbao.github.io/openbao-helm + version: 0.27.1 +- name: app-template + repository: https://bjw-s-labs.github.io/helm-charts/ + version: 4.6.2 +digest: sha256:2a48dda8dad91d967fceeec4c50d3358f58b0255ba823e04bea726bf187f8f40 +generated: "2026-04-15T19:55:47.720376-05:00" 
diff --git a/clusters/cl01tl/helm/openbao/Chart.yaml b/clusters/cl01tl/helm/openbao/Chart.yaml
new file mode 100644
index 000000000..8aa8b1d00
--- /dev/null
+++ b/clusters/cl01tl/helm/openbao/Chart.yaml
@@ -0,0 +1,30 @@
+apiVersion: v2
+name: openbao
+version: 1.0.0
+description: OpenBao
+keywords:
+ - openbao
+ - secrets
+home: https://docs.alexlebens.dev/applications/openbao/
+sources:
+ - https://github.com/openbao/openbao
+ - https://github.com/lrstanley/vault-unseal
+ - https://quay.io/repository/openbao/openbao?tab=tags
+ - https://quay.io/repository/openbao/openbao-csi-provider?tab=tags
+ - https://github.com/openbao/openbao-snapshot-agent/pkgs/container/openbao-snapshot-agent
+ - https://github.com/lrstanley/vault-unseal/pkgs/container/vault-unseal
+ - https://github.com/openbao/openbao-helm/tree/main/charts/openbao
+ - https://github.com/bjw-s-labs/helm-charts/tree/main/charts/other/app-template
+maintainers:
+ - name: alexlebens
+dependencies:
+ - name: openbao
+ version: 0.27.1
+ repository: https://openbao.github.io/openbao-helm
+ - name: app-template
+ alias: unseal
+ repository: https://bjw-s-labs.github.io/helm-charts/
+ version: 4.6.2
+icon: https://cdn.jsdelivr.net/gh/selfhst/icons@main/png/openbao.png
+# renovate: datasource=github-releases depName=openbao/openbao
+appVersion: v2.5.2
diff --git a/clusters/cl01tl/helm/openbao/templates/external-secret.yaml b/clusters/cl01tl/helm/openbao/templates/external-secret.yaml
new file mode 100644
index 000000000..e0a72e2bd
--- /dev/null
+++ b/clusters/cl01tl/helm/openbao/templates/external-secret.yaml
@@ -0,0 +1,166 @@
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+ name: openbao-snapshot-secret
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/name: openbao-snapshot-secret
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: vault
+ data:
+ - secretKey: AWS_ACCESS_KEY_ID
+ remoteRef:
+ key: /garage/home-infra/openbao-backups
+ property: ACCESS_KEY_ID
+ - secretKey: ACCESS_REGION
+ remoteRef:
+ key: /garage/home-infra/openbao-backups
+ property: ACCESS_REGION
+ - secretKey: AWS_SECRET_ACCESS_KEY
+ remoteRef:
+ key: /garage/home-infra/openbao-backups
+ property: ACCESS_SECRET_KEY
+ - secretKey: BUCKET
+ remoteRef:
+ key: /garage/home-infra/openbao-backups
+ property: BUCKET
+
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+ name: openbao-unseal-config-1
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/name: openbao-unseal-config-1
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: vault
+ data:
+ - secretKey: ENVIRONMENT
+ remoteRef:
+ key: /cl01tl/openbao/unseal
+ property: ENVIRONMENT
+ - secretKey: NODES
+ remoteRef:
+ key: /cl01tl/openbao/unseal
+ property: NODES
+ - secretKey: TOKENS
+ remoteRef:
+ key: /cl01tl/openbao/unseal
+ property: TOKENS_1
+ - secretKey: NOTIFY_QUEUE_URLS
+ remoteRef:
+ key: /cl01tl/openbao/unseal
+ property: NOTIFY_QUEUE_URLS
+
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+ name: openbao-unseal-config-2
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/name: openbao-unseal-config-2
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: vault
+ data:
+ - secretKey: ENVIRONMENT
+ remoteRef:
+ key: /cl01tl/openbao/unseal
+ property: ENVIRONMENT
+ - secretKey: NODES
+ remoteRef:
+ key: /cl01tl/openbao/unseal
+ property: NODES
+ - secretKey: TOKENS
+ remoteRef:
+ key: /cl01tl/openbao/unseal
+ property: TOKENS_2
+ - secretKey: NOTIFY_QUEUE_URLS
+ remoteRef:
+ key: /cl01tl/openbao/unseal
+ property: NOTIFY_QUEUE_URLS
+
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+ name: openbao-unseal-config-3
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/name: openbao-unseal-config-3
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: vault
+ data:
+ - secretKey: ENVIRONMENT
+ remoteRef:
+ key: /cl01tl/openbao/unseal
+ property: ENVIRONMENT
+ - secretKey: NODES
+ remoteRef:
+ key: /cl01tl/openbao/unseal
+ property: NODES
+ - secretKey: TOKENS
+ remoteRef:
+ key: /cl01tl/openbao/unseal
+ property: TOKENS_3
+ - secretKey: NOTIFY_QUEUE_URLS
+ remoteRef:
+ key: /cl01tl/openbao/unseal
+ property: NOTIFY_QUEUE_URLS
+
+# ---
+# apiVersion: external-secrets.io/v1
+# kind: ExternalSecret
+# metadata:
+# name: openbao-token
+# namespace: {{ .Release.Namespace }}
+# labels:
+# app.kubernetes.io/name: openbao-token
+# app.kubernetes.io/instance: {{ .Release.Name }}
+# app.kubernetes.io/part-of: {{ .Release.Name }}
+# spec:
+# secretStoreRef:
+# kind: ClusterSecretStore
+# name: openbao
+# data:
+# - secretKey: token
+# remoteRef:
+# key: /cl01tl/openbao/token
+# property: token
+# - secretKey: unseal_key_1
+# remoteRef:
+# key: /cl01tl/openbao/token
+# property: unseal_key_1
+# - secretKey: unseal_key_2
+# remoteRef:
+# key: /cl01tl/openbao/token
+# property: unseal_key_2
+# - secretKey: unseal_key_3
+# remoteRef:
+# key: /cl01tl/openbao/token
+# property: unseal_key_3
+# - secretKey: unseal_key_4
+# remoteRef:
+# key: /cl01tl/openbao/token
+# property: unseal_key_4
+# - secretKey: unseal_key_5
+# remoteRef:
+# key: /cl01tl/openbao/token
+# property: unseal_key_5
diff --git a/clusters/cl01tl/helm/openbao/templates/ingress.yaml b/clusters/cl01tl/helm/openbao/templates/ingress.yaml
new file mode 100644
index 000000000..d23c33b46
--- /dev/null
+++ b/clusters/cl01tl/helm/openbao/templates/ingress.yaml
@@ -0,0 +1,29 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: openbao-tailscale
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/name: openbao-tailscale
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/part-of: {{ .Release.Name }}
+ tailscale.com/proxy-class: no-metrics
+ annotations:
+ tailscale.com/experimental-forward-cluster-traffic-via-ingress: "true"
+spec:
+ ingressClassName: tailscale
+ tls:
+ - hosts:
+ - openbao-cl01tl
+ secretName: openbao-cl01tl
+ rules:
+ - host: openbao-cl01tl
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: openbao-active
+ port:
+ number: 8200
diff --git a/clusters/cl01tl/helm/openbao/values.yaml b/clusters/cl01tl/helm/openbao/values.yaml
new file mode 100644
index 000000000..02f07a61b
--- /dev/null
+++ b/clusters/cl01tl/helm/openbao/values.yaml
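Review bot: The trailing commented-out `openbao-token` ExternalSecret (from `# ---` to the end of the file) should be deleted rather than shipped as dead template: if it is ever un-commented it would put the root `token` and all five `unseal_key_N` shares into one Kubernetes Secret, undoing the one-share-per-Secret split that `openbao-unseal-config-1/2/3` implement, and it references a `ClusterSecretStore` named `openbao` that nothing in this change defines. The three live unseal ExternalSecrets also source their `TOKENS_N` shares from the `vault` ClusterSecretStore, so unsealing OpenBao depends on Vault being up; presumably intended during migration, but a header comment such as `# Unseal shares are held in Vault until OpenBao replaces it; revisit before decommissioning Vault` would make that dependency explicit. The three blocks differ only in the `TOKENS` property, so a Helm `range` over the share index would remove the triplication, though that is a style choice.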
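Review bot: The backend `openbao-active:8200` is reached in plaintext — the listener in this change's `values.yaml` sets `tls_disable = 1` — so TLS ends at the Tailscale proxy and the proxy-to-service hop is unencrypted in-cluster traffic. That is consistent with the gateway route in the same change, but a comment on the backend stanza, e.g. `# TLS terminates at the Tailscale proxy; the listener runs with tls_disable = 1`, would stop a later reader from assuming end-to-end TLS to the secrets store. The `/` Prefix rule also publishes the whole HTTP API to the tailnet rather than only the UI; if that is the intent, say so in the same comment.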
@@ -0,0 +1,182 @@
+openbao:
+ global:
+ serverTelemetry:
+ prometheusOperator: true
+ injector:
+ enabled: false
+ server:
+ updateStrategyType: RollingUpdate
+ image:
+ registry: quay.io
+ repository: openbao/openbao
+ tag: 2.5.2@sha256:6c75c97223873807260352f269640935a07db0c26b3dbf12a98a36ec43ad9878
+ resources:
+ requests:
+ cpu: 50m
+ memory: 500Mi
+ gateway:
+ tlsRoute:
+ enabled: true
+ hosts:
+ - vault.alexlebens.net
+ apiVersion: gateway.networking.k8s.io/v1
+ parentRefs:
+ - group: gateway.networking.k8s.io
+ kind: Gateway
+ name: traefik-gateway
+ namespace: traefik
+ authDelegator:
+ enabled: true
+ livenessProbe:
+ enabled: true
+ dataStorage:
+ size: 1Gi
+ storageClass: ceph-block
+ auditStorage:
+ enabled: true
+ size: 10Gi
+ storageClass: ceph-block
+ standalone:
+ enabled: false
+ ha:
+ enabled: true
+ replicas: 3
+ raft:
+ enabled: true
+ config: |
+ ui = true
+
+ listener "tcp" {
+ tls_disable = 1
+ address = "[::]:8200"
+ cluster_address = "[::]:8201"
+ telemetry {
+ unauthenticated_metrics_access = "true"
+ }
+ }
+
+ storage "raft" {
+ path = "/openbao/data"
+ retry_join {
+ leader_api_addr = "http://openbao-0.openbao-internal:8201"
+ }
+ retry_join {
+ leader_api_addr = "http://openbao-1.openbao-internal:8201"
+ }
+ retry_join {
+ leader_api_addr = "http://openbao-2.openbao-internal:8201"
+ }
+ }
+
+ service_registration "kubernetes" {}
+
+ telemetry {
+ prometheus_retention_time = "30s"
+ disable_hostname = true
+ }
+ csi:
+ enabled: true
+ image:
+ registry: quay.io
+ repository: openbao/openbao-csi-provider
+ tag: 2.0.1@sha256:a3bd5e8183da778b5dc79ee1a3d7313ac77dc599b623b4106a91b19362674f27
+ resources:
+ requests:
+ cpu: 50m
+ memory: 100Mi
+ agent:
+ image:
+ registry: quay.io
+ repository: openbao/openbao
+ tag: 2.5.2@sha256:6c75c97223873807260352f269640935a07db0c26b3dbf12a98a36ec43ad9878
+ resources:
+ requests:
+ cpu: 10m
+ memory: 100Mi
+ serverTelemetry:
+ serviceMonitor:
+ enabled: true
+ prometheusRules:
+ enabled: true
+ rules:
+ - alert: vault-HighResponseTime
+ annotations:
+ message: The response time of Vault is over 500ms on average over the last 5 minutes.
+ expr: vault_core_handle_request{quantile="0.5", namespace="mynamespace"} > 500
+ for: 5m
+ labels:
+ severity: warning
+ - alert: vault-HighResponseTime
+ annotations:
+ message: The response time of Vault is over 1s on average over the last 5 minutes.
+ expr: vault_core_handle_request{quantile="0.5", namespace="mynamespace"} > 1000
+ for: 5m
+ labels:
+ severity: critical
+ snapshotAgent:
+ enabled: true
+ schedule: 0 4 * * *
+ image:
+ repository: ghcr.io/openbao/openbao-snapshot-agent
+ tag: 0.3.0@sha256:d7a8ca9d26b12cf226ce093b9051f243c53aefbb8a419b3dc0b554e7575c931c
+ s3CredentialsSecret: openbao-snapshot-secret
+ config:
+ s3Host: garage-main.garage:3900
+ s3Bucket: openbao-backups
+ s3Uri: s3://openbao-backups
+ s3ExpireDays: "30"
+ s3cmdExtraFlag: "-v"
+ baoAuthPath: kubernetes
+ baoRole: bao-snapshot
+unseal:
+ global:
+ fullnameOverride: openbao-unseal
+ controllers:
+ unseal-1:
+ type: deployment
+ replicas: 1
+ strategy: Recreate
+ containers:
+ main:
+ image:
+ repository: ghcr.io/lrstanley/vault-unseal
+ tag: 1.0.0@sha256:24ca9bceccdb0a22ae57574346dee4bec107c9b849f836811972b8f7f1baa4ef
+ envFrom:
+ - secretRef:
+ name: openbao-unseal-config-1
+ resources:
+ requests:
+ cpu: 1m
+ memory: 10Mi
+ unseal-2:
+ type: deployment
+ replicas: 1
+ strategy: Recreate
+ containers:
+ main:
+ image:
+ repository: ghcr.io/lrstanley/vault-unseal
+ tag: 1.0.0@sha256:24ca9bceccdb0a22ae57574346dee4bec107c9b849f836811972b8f7f1baa4ef
+ envFrom:
+ - secretRef:
+ name: openbao-unseal-config-2
+ resources:
+ requests:
+ cpu: 1m
+ memory: 10Mi
+ unseal-3:
+ type: deployment
+ replicas: 1
+ strategy: Recreate
+ containers:
+ main:
+ image:
+ repository: ghcr.io/lrstanley/vault-unseal
+ tag: 1.0.0@sha256:24ca9bceccdb0a22ae57574346dee4bec107c9b849f836811972b8f7f1baa4ef
+ envFrom:
+ - secretRef:
+ name: openbao-unseal-config-3
+ resources:
+ requests:
+ cpu: 1m
+ memory: 10Mi
diff --git a/clusters/cl01tl/helm/secrets-store-csi-driver/Chart.lock b/clusters/cl01tl/helm/secrets-store-csi-driver/Chart.lock
new file mode 100644
index 000000000..1489891de
--- /dev/null
+++ b/clusters/cl01tl/helm/secrets-store-csi-driver/Chart.lock
@@ -0,0 +1,6 @@
+dependencies:
+- name: secrets-store-csi-driver
+ repository: https://kubernetes-sigs.github.io/secrets-store-csi-driver/charts
+ version: 1.5.6
+digest: sha256:8bebc25b54a231446dce2d67b9cd65024a1458fc106ee93dcfd539759edf2ca5
+generated: "2026-04-15T17:29:48.143994-05:00"
diff --git a/clusters/cl01tl/helm/secrets-store-csi-driver/Chart.yaml b/clusters/cl01tl/helm/secrets-store-csi-driver/Chart.yaml
new file mode 100644
index 000000000..d9c9e637b
--- /dev/null
+++ b/clusters/cl01tl/helm/secrets-store-csi-driver/Chart.yaml
@@ -0,0 +1,24 @@
+apiVersion: v2
+name: secrets-store-csi-driver
+version: 1.0.0
+description: Secrets Store CSI driver
+keywords:
+ - secrets-store-csi-driver
+ - secrets
+home: https://docs.alexlebens.dev/applications/secrets-store-csi-driver/
+sources:
+ - https://github.com/kubernetes-sigs/secrets-store-csi-driver
+ - https://explore.ggcr.dev/?repo=registry.k8s.io%2Fcsi-secrets-store%2Fdriver
+ - https://explore.ggcr.dev/?repo=registry.k8s.io%2Fcsi-secrets-store%2Fdriver-crds
+ - https://explore.ggcr.dev/?repo=registry.k8s.io%2Fsig-storage%2Fcsi-node-driver-registrar
+ - https://explore.ggcr.dev/?repo=registry.k8s.io%2Fsig-storage%2Flivenessprobe
+ - https://github.com/kubernetes-sigs/secrets-store-csi-driver/tree/main/charts/secrets-store-csi-driver
+maintainers:
+ - name: alexlebens
+dependencies:
+ - name: secrets-store-csi-driver
+ version: 1.5.6
+ repository: https://kubernetes-sigs.github.io/secrets-store-csi-driver/charts
+icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/kubernetes.png
+# renovate: datasource=github-releases depName=kubernetes-sigs/secrets-store-csi-driver
+appVersion: 0.8.1
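Review bot: The TLSRoute host under `server.gateway.tlsRoute.hosts` is `vault.alexlebens.net`, while every other file in this change (the blocky CNAMEs, gatus, homepage) advertises `openbao.alexlebens.net` and gatus keeps monitoring `https://vault.alexlebens.net` as the existing `vault` entry — so OpenBao is either unreachable at its advertised name or silently claims the existing Vault hostname; the entry should read `- openbao.alexlebens.net`. Both `prometheusRules` entries carry the same alert name `vault-HighResponseTime` and keep the upstream placeholder `namespace="mynamespace"` in `expr`, so neither rule can ever match this release; the namespace label should be the one the chart is released into (presumably `openbao`, given the `openbao.openbao:8200` monitor in homepage) and the names distinguished, e.g. `openbao-HighResponseTime` and `openbao-CriticalResponseTime`. The listener also sets `unauthenticated_metrics_access = "true"` while being published through the gateway, which makes `/v1/sys/metrics` readable without a token from wherever `traefik-gateway` is reachable; if the ServiceMonitor is the only intended consumer, scraping via the internal service and leaving that option unset keeps the exposure to cluster scope. Minor: `schedule: 0 4 * * *` should be quoted as `"0 4 * * *"` so the cron string is never subject to plain-scalar parsing.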
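Review bot: `appVersion: 0.8.1` does not match the chart dependency `version: 1.5.6` declared above it or the `v1.5.6` driver images in this change's `values.yaml`, and the renovate hint on the preceding line targets `kubernetes-sigs/secrets-store-csi-driver` releases, so the next renovate run would bump it regardless; set it to `appVersion: v1.5.6` now so the chart metadata describes what is actually deployed.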
diff --git a/clusters/cl01tl/helm/secrets-store-csi-driver/values.yaml b/clusters/cl01tl/helm/secrets-store-csi-driver/values.yaml new file mode 100644 index 000000000..30e7cd058 --- /dev/null +++ b/clusters/cl01tl/helm/secrets-store-csi-driver/values.yaml @@ -0,0 +1,41 @@ +secrets-store-csi-driver: + linux: + enabled: true + image: + repository: registry.k8s.io/csi-secrets-store/driver + tag: v1.5.6@sha256:6df2b3b3817136d2ade3d53306dbbd98385c1c01e8b3c373192c0e5b8d183f7b + crds: + enabled: true + image: + repository: registry.k8s.io/csi-secrets-store/driver-crds + tag: v1.5.6@sha256:d40d9212beb62ee0f9f09b75d024ed807816879f38e75eca309497c3df89568c + driver: + resources: + limits: + cpu: null + memory: null + requests: + cpu: 10m + memory: 100Mi + registrarImage: + repository: registry.k8s.io/sig-storage/csi-node-driver-registrar + tag: v2.16.0@sha256:ab482308a4921e28a6df09a16ab99a457e9af9641ff44fb1be1a690d07ce8b70 + registrar: + resources: + limits: + cpu: null + memory: null + requests: + cpu: 10m + memory: 20Mi + livenessProbeImage: + repository: registry.k8s.io/sig-storage/livenessprobe + tag: v2.18.0@sha256:c4cc074199c045dd73ab85f28897e2a32f4d6f38ffdba4f3b13b8007ccbd3570 + livenessProbe: + resources: + limits: + cpu: null + memory: null + requests: + cpu: 10m + memory: 20Mi diff --git a/hosts/ps08rp/blocky/config.yml b/hosts/ps08rp/blocky/config.yml index 40e63bc4c..0a96949a0 100644 --- a/hosts/ps08rp/blocky/config.yml +++ b/hosts/ps08rp/blocky/config.yml @@ -118,6 +118,7 @@ customDNS: objects IN CNAME traefik-cl01tl ollama IN CNAME traefik-cl01tl omni-tools IN CNAME traefik-cl01tl + openbao IN CNAME traefik-cl01tl paperless-ngx IN CNAME traefik-cl01tl plex IN CNAME traefik-cl01tl postiz-spotlight IN CNAME traefik-cl01tl diff --git a/hosts/ps09rp/blocky/config.yml b/hosts/ps09rp/blocky/config.yml index 8058549a4..fda4757cb 100644 --- a/hosts/ps09rp/blocky/config.yml +++ b/hosts/ps09rp/blocky/config.yml 
@@ -139,6 +139,7 @@ customDNS: objects IN CNAME traefik-cl01tl ollama IN CNAME traefik-cl01tl omni-tools IN CNAME traefik-cl01tl + openbao IN CNAME traefik-cl01tl paperless-ngx IN CNAME traefik-cl01tl plex IN CNAME traefik-cl01tl postiz-spotlight IN CNAME traefik-cl01tl