chore: Update manifests after change

2026-04-16 01:01:11 +00:00
parent 8ae5854379
commit 52d7dfcc53
58 changed files with 1939 additions and 3 deletions


@@ -0,0 +1,15 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: openbao-csi-provider-clusterrole
labels:
app.kubernetes.io/name: openbao-csi-provider
app.kubernetes.io/instance: openbao
app.kubernetes.io/managed-by: Helm
rules:
- apiGroups:
- ""
resources:
- serviceaccounts/token
verbs:
- create
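Review bot: `create` on `serviceaccounts/token` in a ClusterRole (bound cluster-wide to `openbao-csi-provider` by the ClusterRoleBinding in this commit) lets that ServiceAccount request a token for any ServiceAccount in any namespace. That is what the CSI provider needs to authenticate workloads, so it is expected, but it makes `openbao-csi-provider` a high-value identity rather than a namespace-scoped helper. A short comment in the chart source stating that the cluster scope is intentional, plus an audit-log alert on TokenRequest calls from that subject for namespaces that do not mount CSI secrets, would make the exposure visible to whoever reviews RBAC later.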


@@ -0,0 +1,16 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: openbao-csi-provider-clusterrolebinding
labels:
app.kubernetes.io/name: openbao-csi-provider
app.kubernetes.io/instance: openbao
app.kubernetes.io/managed-by: Helm
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: openbao-csi-provider-clusterrole
subjects:
- kind: ServiceAccount
name: openbao-csi-provider
namespace: openbao


@@ -0,0 +1,17 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: openbao-server-binding
labels:
helm.sh/chart: openbao-0.27.1
app.kubernetes.io/name: openbao
app.kubernetes.io/instance: openbao
app.kubernetes.io/managed-by: Helm
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: system:auth-delegator
subjects:
- kind: ServiceAccount
name: openbao
namespace: openbao


@@ -0,0 +1,43 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: openbao-config
namespace: openbao
labels:
helm.sh/chart: openbao-0.27.1
app.kubernetes.io/name: openbao
app.kubernetes.io/instance: openbao
app.kubernetes.io/managed-by: Helm
data:
extraconfig-from-values.hcl: |2-
ui = true
listener "tcp" {
tls_disable = 1
address = "[::]:8200"
cluster_address = "[::]:8201"
telemetry {
unauthenticated_metrics_access = "true"
}
}
storage "raft" {
path = "/openbao/data"
retry_join {
leader_api_addr = "http://openbao-0.openbao-internal:8201"
}
retry_join {
leader_api_addr = "http://openbao-1.openbao-internal:8201"
}
retry_join {
leader_api_addr = "http://openbao-2.openbao-internal:8201"
}
}
service_registration "kubernetes" {}
telemetry {
prometheus_retention_time = "30s"
disable_hostname = true
}
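Review bot: The three `retry_join` blocks point `leader_api_addr` at port 8201, which this same config declares as the `cluster_address`, while the API listener is on 8200 and the StatefulSet's `BAO_API_ADDR` is `http://$(POD_IP):8200`; `leader_api_addr` is an API address, so this looks like it should be `leader_api_addr = "http://openbao-0.openbao-internal:8200"` (and likewise for `openbao-1`/`openbao-2`), otherwise followers will fail to join. Separately, `tls_disable = 1` on the listener means every in-cluster hop carries tokens and unseal material in cleartext — the CSI agent config (`openbao-csi-provider-agent-config`), the snapshot ConfigMap's `BAO_ADDR`, and the test pod's `VAULT_ADDR` all use `http://`; the TLSRoute and Tailscale Ingress only protect the edge. If plaintext inside the cluster is an accepted trade-off, record that decision as a comment in the values file next to `tls_disable`, and note that `unauthenticated_metrics_access = "true"` also exposes `/v1/sys/metrics` without a token.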


@@ -0,0 +1,22 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: openbao-csi-provider-agent-config
namespace: openbao
labels:
helm.sh/chart: openbao-0.27.1
app.kubernetes.io/name: openbao-csi-provider
app.kubernetes.io/instance: openbao
app.kubernetes.io/managed-by: Helm
data:
config.hcl: |
vault {
"address" = "http://openbao.openbao.svc:8200"
}
cache {}
listener "unix" {
address = "/var/run/vault/agent.sock"
tls_disable = true
}


@@ -0,0 +1,19 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: openbao-snapshot
namespace: openbao
labels:
helm.sh/chart: openbao-0.27.1
app.kubernetes.io/name: openbao
app.kubernetes.io/instance: openbao
app.kubernetes.io/managed-by: Helm
data:
S3_HOST: garage-main.garage:3900
S3_BUCKET: openbao-backups
S3CMD_EXTRA_FLAG: -v
S3_URI: s3://openbao-backups
S3_EXPIRE_DAYS: "30"
BAO_AUTH_PATH: kubernetes
BAO_ROLE: bao-snapshot
BAO_ADDR: http://openbao-active.openbao.svc:8200


@@ -0,0 +1,63 @@
apiVersion: batch/v1
kind: CronJob
metadata:
labels:
app.kubernetes.io/name: openbao
app.kubernetes.io/instance: openbao
app.kubernetes.io/managed-by: Helm
name: openbao-snapshot
namespace: openbao
spec:
schedule: "0 4 * * *"
jobTemplate:
metadata:
labels:
app.kubernetes.io/name: openbao
app.kubernetes.io/instance: openbao
component: snapshot-agent
spec:
template:
metadata:
labels:
app.kubernetes.io/name: openbao
app.kubernetes.io/instance: openbao
component: snapshot-agent
spec:
restartPolicy: OnFailure
serviceAccountName: openbao-snapshot
securityContext:
seccompProfile:
type: RuntimeDefault
runAsNonRoot: true
runAsGroup: 1000
runAsUser: 100
fsGroup: 1000
containers:
- name: bao-snapshot
envFrom:
- configMapRef:
name: openbao-snapshot
env:
- name: AWS_SECRET_ACCESS_KEY
valueFrom:
secretKeyRef:
key: AWS_SECRET_ACCESS_KEY
name: openbao-snapshot-secret
- name: AWS_ACCESS_KEY_ID
valueFrom:
secretKeyRef:
key: AWS_ACCESS_KEY_ID
name: openbao-snapshot-secret
image: ghcr.io/openbao/openbao-snapshot-agent:0.3.0@sha256:d7a8ca9d26b12cf226ce093b9051f243c53aefbb8a419b3dc0b554e7575c931c
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
volumeMounts:
- name: snapshot-dir
mountPath: /bao-snapshots
imagePullPolicy: IfNotPresent
volumes:
- name: snapshot-dir
emptyDir: {}
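Review bot: The `bao-snapshot` container drops all capabilities and blocks privilege escalation but does not set `readOnlyRootFilesystem: true`, unlike the `openbao-agent` container in the DaemonSet of this same commit. The only writable location it evidently needs is the `snapshot-dir` emptyDir at `/bao-snapshots`, so `readOnlyRootFilesystem: true` under the container `securityContext` should be safe — confirm the image does not write a tool config under `$HOME` first. A job that holds S3 credentials and produces raft snapshots is a reasonable place to be strict.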


@@ -0,0 +1,105 @@
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: openbao-csi-provider
namespace: openbao
labels:
app.kubernetes.io/name: openbao-csi-provider
app.kubernetes.io/instance: openbao
app.kubernetes.io/managed-by: Helm
spec:
updateStrategy:
type: RollingUpdate
selector:
matchLabels:
app.kubernetes.io/name: openbao-csi-provider
app.kubernetes.io/instance: openbao
template:
metadata:
labels:
app.kubernetes.io/name: openbao-csi-provider
app.kubernetes.io/instance: openbao
spec:
serviceAccountName: openbao-csi-provider
containers:
- name: openbao-csi-provider
resources:
requests:
cpu: 50m
memory: 100Mi
image: "quay.io/openbao/openbao-csi-provider:2.0.1@sha256:a3bd5e8183da778b5dc79ee1a3d7313ac77dc599b623b4106a91b19362674f27"
imagePullPolicy: IfNotPresent
args:
- --endpoint=/provider/openbao.sock
- --debug=false
- --hmac-secret-name=openbao-csi-provider-hmac-key
env:
- name: VAULT_ADDR
value: "unix:///var/run/vault/agent.sock"
volumeMounts:
- name: providervol
mountPath: "/provider"
- name: agent-unix-socket
mountPath: /var/run/vault
livenessProbe:
httpGet:
path: /health/ready
port: 8080
failureThreshold: 2
initialDelaySeconds: 5
periodSeconds: 5
successThreshold: 1
timeoutSeconds: 3
readinessProbe:
httpGet:
path: /health/ready
port: 8080
failureThreshold: 2
initialDelaySeconds: 5
periodSeconds: 5
successThreshold: 1
timeoutSeconds: 3
- name: openbao-agent
image: "quay.io/openbao/openbao:2.5.2@sha256:6c75c97223873807260352f269640935a07db0c26b3dbf12a98a36ec43ad9878"
imagePullPolicy: IfNotPresent
resources:
requests:
cpu: 10m
memory: 100Mi
command:
- bao
args:
- agent
- -config=/etc/vault/config.hcl
ports:
- containerPort: 8200
env:
- name: BAO_LOG_LEVEL
value: "info"
- name: BAO_LOG_FORMAT
value: "standard"
securityContext:
seccompProfile:
type: RuntimeDefault
runAsNonRoot: true
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
runAsUser: 100
runAsGroup: 1000
volumeMounts:
- name: agent-config
mountPath: /etc/vault/config.hcl
subPath: config.hcl
readOnly: true
- name: agent-unix-socket
mountPath: /var/run/vault
volumes:
- name: providervol
hostPath:
path: /etc/kubernetes/secrets-store-csi-providers
- name: agent-config
configMap:
name: openbao-csi-provider-agent-config
- name: agent-unix-socket
emptyDir:
medium: Memory
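Review bot: The `openbao-csi-provider` container has no `securityContext` at all, while the `openbao-agent` container beside it sets `allowPrivilegeEscalation: false`, `readOnlyRootFilesystem: true`, `runAsNonRoot: true` and a seccomp profile; the provider is the container that writes into the `hostPath` `/etc/kubernetes/secrets-store-csi-providers`, so it should carry at least `allowPrivilegeEscalation: false` and `capabilities: {drop: [ALL]}`, with `readOnlyRootFilesystem: true` if the image only writes the socket under `/provider`. Whether `runAsNonRoot` is viable depends on the uid the provider image runs as, which is not visible here. The liveness and readiness probes are also identical (`/health/ready` on 8080 with `failureThreshold: 2`), so a transient not-ready condition restarts the pod rather than just pulling it from rotation; if the image exposes a separate liveness path, use it for `livenessProbe`.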


@@ -0,0 +1,45 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: openbao-unseal-unseal-1
labels:
app.kubernetes.io/controller: unseal-1
app.kubernetes.io/instance: openbao
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: openbao
helm.sh/chart: unseal-4.6.2
namespace: openbao
spec:
revisionHistoryLimit: 3
replicas: 1
strategy:
type: Recreate
selector:
matchLabels:
app.kubernetes.io/controller: unseal-1
app.kubernetes.io/name: openbao
app.kubernetes.io/instance: openbao
template:
metadata:
labels:
app.kubernetes.io/controller: unseal-1
app.kubernetes.io/instance: openbao
app.kubernetes.io/name: openbao
spec:
enableServiceLinks: false
serviceAccountName: default
automountServiceAccountToken: true
hostIPC: false
hostNetwork: false
hostPID: false
dnsPolicy: ClusterFirst
containers:
- envFrom:
- secretRef:
name: openbao-unseal-config-1
image: ghcr.io/lrstanley/vault-unseal:1.0.0@sha256:24ca9bceccdb0a22ae57574346dee4bec107c9b849f836811972b8f7f1baa4ef
name: main
resources:
requests:
cpu: 1m
memory: 10Mi
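Review bot: `automountServiceAccountToken: true` on the `default` ServiceAccount gives this pod a Kubernetes API credential it does not appear to use — the unseal container is configured entirely through `envFrom` on `openbao-unseal-config-1`; change it to `automountServiceAccountToken: false` (or a dedicated SA with no bindings) so a compromise of the pod holding an unseal key share does not also yield a cluster API token. The pod and container also have no `securityContext` (no `runAsNonRoot`, no `seccompProfile`, no `capabilities.drop`, no `allowPrivilegeEscalation: false`), which is weaker than every other workload in this commit. The same applies to the `openbao-unseal-unseal-2` and `openbao-unseal-unseal-3` sections.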


@@ -0,0 +1,45 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: openbao-unseal-unseal-2
labels:
app.kubernetes.io/controller: unseal-2
app.kubernetes.io/instance: openbao
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: openbao
helm.sh/chart: unseal-4.6.2
namespace: openbao
spec:
revisionHistoryLimit: 3
replicas: 1
strategy:
type: Recreate
selector:
matchLabels:
app.kubernetes.io/controller: unseal-2
app.kubernetes.io/name: openbao
app.kubernetes.io/instance: openbao
template:
metadata:
labels:
app.kubernetes.io/controller: unseal-2
app.kubernetes.io/instance: openbao
app.kubernetes.io/name: openbao
spec:
enableServiceLinks: false
serviceAccountName: default
automountServiceAccountToken: true
hostIPC: false
hostNetwork: false
hostPID: false
dnsPolicy: ClusterFirst
containers:
- envFrom:
- secretRef:
name: openbao-unseal-config-2
image: ghcr.io/lrstanley/vault-unseal:1.0.0@sha256:24ca9bceccdb0a22ae57574346dee4bec107c9b849f836811972b8f7f1baa4ef
name: main
resources:
requests:
cpu: 1m
memory: 10Mi


@@ -0,0 +1,45 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: openbao-unseal-unseal-3
labels:
app.kubernetes.io/controller: unseal-3
app.kubernetes.io/instance: openbao
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: openbao
helm.sh/chart: unseal-4.6.2
namespace: openbao
spec:
revisionHistoryLimit: 3
replicas: 1
strategy:
type: Recreate
selector:
matchLabels:
app.kubernetes.io/controller: unseal-3
app.kubernetes.io/name: openbao
app.kubernetes.io/instance: openbao
template:
metadata:
labels:
app.kubernetes.io/controller: unseal-3
app.kubernetes.io/instance: openbao
app.kubernetes.io/name: openbao
spec:
enableServiceLinks: false
serviceAccountName: default
automountServiceAccountToken: true
hostIPC: false
hostNetwork: false
hostPID: false
dnsPolicy: ClusterFirst
containers:
- envFrom:
- secretRef:
name: openbao-unseal-config-3
image: ghcr.io/lrstanley/vault-unseal:1.0.0@sha256:24ca9bceccdb0a22ae57574346dee4bec107c9b849f836811972b8f7f1baa4ef
name: main
resources:
requests:
cpu: 1m
memory: 10Mi


@@ -0,0 +1,30 @@
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: openbao-snapshot-secret
namespace: openbao
labels:
app.kubernetes.io/name: openbao-snapshot-secret
app.kubernetes.io/instance: openbao
app.kubernetes.io/part-of: openbao
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: AWS_ACCESS_KEY_ID
remoteRef:
key: /garage/home-infra/openbao-backups
property: ACCESS_KEY_ID
- secretKey: ACCESS_REGION
remoteRef:
key: /garage/home-infra/openbao-backups
property: ACCESS_REGION
- secretKey: AWS_SECRET_ACCESS_KEY
remoteRef:
key: /garage/home-infra/openbao-backups
property: ACCESS_SECRET_KEY
- secretKey: BUCKET
remoteRef:
key: /garage/home-infra/openbao-backups
property: BUCKET
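Review bot: `ACCESS_REGION` and `BUCKET` are synced into `openbao-snapshot-secret` but nothing in this commit reads them — the CronJob only references `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` from this Secret, and takes the bucket from `S3_BUCKET`/`S3_URI` in the `openbao-snapshot` ConfigMap. Either drop the two unused entries or have the CronJob consume `BUCKET` from the Secret so the bucket name cannot drift between the two sources.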


@@ -0,0 +1,30 @@
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: openbao-unseal-config-1
namespace: openbao
labels:
app.kubernetes.io/name: openbao-unseal-config-1
app.kubernetes.io/instance: openbao
app.kubernetes.io/part-of: openbao
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: ENVIRONMENT
remoteRef:
key: /cl01tl/openbao/unseal
property: ENVIRONMENT
- secretKey: NODES
remoteRef:
key: /cl01tl/openbao/unseal
property: NODES
- secretKey: TOKENS
remoteRef:
key: /cl01tl/openbao/unseal
property: TOKENS_1
- secretKey: NOTIFY_QUEUE_URLS
remoteRef:
key: /cl01tl/openbao/unseal
property: NOTIFY_QUEUE_URLS
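Review bot: The unseal key share for this deployment comes from the `vault` ClusterSecretStore; if that store is backed by the OpenBao instance deployed in this same commit (the TLSRoute hostname is `vault.alexlebens.net`, which hints at a migration), the share is unreachable while the cluster is sealed and a cold restart cannot recover on its own — confirm the store points at a separate system and record that in a comment on `secretStoreRef`. Once synced, the shares from this section and the `openbao-unseal-config-2`/`-3` sections all sit as plain Secrets in namespace `openbao`, so `get secrets` in that namespace is equivalent to holding every share materialized here (whether that meets the unseal threshold is not visible). Keep namespace RBAC on Secrets tight; the `openbao-csi-provider-role` in this commit, which scopes `get` to a single `resourceNames` entry, is the right pattern to follow.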


@@ -0,0 +1,30 @@
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: openbao-unseal-config-2
namespace: openbao
labels:
app.kubernetes.io/name: openbao-unseal-config-2
app.kubernetes.io/instance: openbao
app.kubernetes.io/part-of: openbao
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: ENVIRONMENT
remoteRef:
key: /cl01tl/openbao/unseal
property: ENVIRONMENT
- secretKey: NODES
remoteRef:
key: /cl01tl/openbao/unseal
property: NODES
- secretKey: TOKENS
remoteRef:
key: /cl01tl/openbao/unseal
property: TOKENS_2
- secretKey: NOTIFY_QUEUE_URLS
remoteRef:
key: /cl01tl/openbao/unseal
property: NOTIFY_QUEUE_URLS


@@ -0,0 +1,30 @@
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: openbao-unseal-config-3
namespace: openbao
labels:
app.kubernetes.io/name: openbao-unseal-config-3
app.kubernetes.io/instance: openbao
app.kubernetes.io/part-of: openbao
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: ENVIRONMENT
remoteRef:
key: /cl01tl/openbao/unseal
property: ENVIRONMENT
- secretKey: NODES
remoteRef:
key: /cl01tl/openbao/unseal
property: NODES
- secretKey: TOKENS
remoteRef:
key: /cl01tl/openbao/unseal
property: TOKENS_3
- secretKey: NOTIFY_QUEUE_URLS
remoteRef:
key: /cl01tl/openbao/unseal
property: NOTIFY_QUEUE_URLS


@@ -0,0 +1,29 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: openbao-tailscale
namespace: openbao
labels:
app.kubernetes.io/name: openbao-tailscale
app.kubernetes.io/instance: openbao
app.kubernetes.io/part-of: openbao
tailscale.com/proxy-class: no-metrics
annotations:
tailscale.com/experimental-forward-cluster-traffic-via-ingress: "true"
spec:
ingressClassName: tailscale
tls:
- hosts:
- openbao-cl01tl
secretName: openbao-cl01tl
rules:
- host: openbao-cl01tl
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: openbao-active
port:
number: 8200


@@ -0,0 +1,38 @@
apiVersion: v1
kind: Pod
metadata:
name: openbao-server-test
namespace: openbao
annotations:
"helm.sh/hook": test
spec:
containers:
- name: openbao-server-test
image: quay.io/openbao/openbao:2.5.2@sha256:6c75c97223873807260352f269640935a07db0c26b3dbf12a98a36ec43ad9878
imagePullPolicy: IfNotPresent
env:
- name: VAULT_ADDR
value: http://openbao.openbao.svc:8200
command:
- /bin/sh
- -c
- |
echo "Checking for sealed info in 'bao status' output"
ATTEMPTS=10
n=0
until [ "$n" -ge $ATTEMPTS ]
do
echo "Attempt" $n...
bao status -format yaml | grep -E '^sealed: (true|false)' && break
n=$((n+1))
sleep 5
done
if [ $n -ge $ATTEMPTS ]; then
echo "timed out looking for sealed info in 'bao status' output"
exit 1
fi
exit 0
volumeMounts:
volumes:
restartPolicy: Never
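Review bot: `volumeMounts:` and `volumes:` are bare keys, which YAML parses as `null`; write `volumeMounts: []` / `volumes: []` or drop them so the intent is explicit. The `helm.sh/hook: test` annotation only means something to `helm test`; when these rendered manifests are applied by a GitOps controller the pod is either created (running once with `restartPolicy: Never` and lingering as a completed pod with a `VAULT_ADDR` pointing at the cluster) or skipped, depending on how that controller treats hook resources — I cannot tell which from here, so either filter hook resources out of the rendered output or confirm the controller ignores them. Minor: `[ $n -ge $ATTEMPTS ]` is unquoted while the `until` line quotes `"$n"`; quote both for consistency.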


@@ -0,0 +1,17 @@
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
name: openbao
namespace: openbao
labels:
helm.sh/chart: openbao-0.27.1
app.kubernetes.io/name: openbao
app.kubernetes.io/instance: openbao
app.kubernetes.io/managed-by: Helm
spec:
maxUnavailable: 1
selector:
matchLabels:
app.kubernetes.io/name: openbao
app.kubernetes.io/instance: openbao
component: server


@@ -0,0 +1,29 @@
apiVersion: monitoring.coreos.com/v1
kind: PrometheusRule
metadata:
name: openbao
namespace: openbao
labels:
helm.sh/chart: openbao-0.27.1
app.kubernetes.io/name: openbao
app.kubernetes.io/instance: openbao
app.kubernetes.io/managed-by: Helm
release: prometheus
spec:
groups:
- name: openbao
rules:
- alert: vault-HighResponseTime
annotations:
message: The response time of Vault is over 500ms on average over the last 5 minutes.
expr: vault_core_handle_request{quantile="0.5", namespace="mynamespace"} > 500
for: 5m
labels:
severity: warning
- alert: vault-HighResponseTime
annotations:
message: The response time of Vault is over 1s on average over the last 5 minutes.
expr: vault_core_handle_request{quantile="0.5", namespace="mynamespace"} > 1000
for: 5m
labels:
severity: critical
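Review bot: Both `expr` lines select `namespace="mynamespace"`, which reads as the chart's example placeholder; the series scraped via the ServiceMonitor in this commit will carry the target namespace `openbao`, so neither alert can ever fire — change both to `expr: vault_core_handle_request{quantile="0.5", namespace="openbao"} > 500` (and `> 1000`), or drop the namespace matcher. The two rules also share the name `vault-HighResponseTime`, which makes routing and silencing by severity awkward; give the critical one a distinct name. The annotations say "on average" while the expression uses `quantile="0.5"` (a median), so adjust the wording to match.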


@@ -0,0 +1,18 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: openbao-csi-provider-role
namespace: openbao
labels:
app.kubernetes.io/name: openbao-csi-provider
app.kubernetes.io/instance: openbao
app.kubernetes.io/managed-by: Helm
rules:
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get"]
resourceNames:
- openbao-csi-provider-hmac-key
- apiGroups: [""]
resources: ["secrets"]
verbs: ["create"]


@@ -0,0 +1,14 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
namespace: openbao
name: openbao-discovery-role
labels:
helm.sh/chart: openbao-0.27.1
app.kubernetes.io/name: openbao
app.kubernetes.io/instance: openbao
app.kubernetes.io/managed-by: Helm
rules:
- apiGroups: [""]
resources: ["pods"]
verbs: ["get", "watch", "list", "update", "patch"]


@@ -0,0 +1,17 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: openbao-csi-provider-rolebinding
namespace: openbao
labels:
app.kubernetes.io/name: openbao-csi-provider
app.kubernetes.io/instance: openbao
app.kubernetes.io/managed-by: Helm
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: openbao-csi-provider-role
subjects:
- kind: ServiceAccount
name: openbao-csi-provider
namespace: openbao


@@ -0,0 +1,18 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: openbao-discovery-rolebinding
namespace: openbao
labels:
helm.sh/chart: openbao-0.27.1
app.kubernetes.io/name: openbao
app.kubernetes.io/instance: openbao
app.kubernetes.io/managed-by: Helm
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: openbao-discovery-role
subjects:
- kind: ServiceAccount
name: openbao
namespace: openbao


@@ -0,0 +1,26 @@
apiVersion: v1
kind: Service
metadata:
name: openbao-active
namespace: openbao
labels:
helm.sh/chart: openbao-0.27.1
app.kubernetes.io/name: openbao
app.kubernetes.io/instance: openbao
app.kubernetes.io/managed-by: Helm
openbao-active: "true"
spec:
publishNotReadyAddresses: true
ports:
- name: http
port: 8200
targetPort: 8200
appProtocol: HTTP
- name: https-internal
port: 8201
targetPort: 8201
selector:
app.kubernetes.io/name: openbao
app.kubernetes.io/instance: openbao
component: server
openbao-active: "true"


@@ -0,0 +1,26 @@
apiVersion: v1
kind: Service
metadata:
name: openbao-internal
namespace: openbao
labels:
helm.sh/chart: openbao-0.27.1
app.kubernetes.io/name: openbao
app.kubernetes.io/instance: openbao
app.kubernetes.io/managed-by: Helm
openbao-internal: "true"
spec:
clusterIP: None
publishNotReadyAddresses: true
ports:
- name: "http"
port: 8200
targetPort: 8200
appProtocol: HTTP
- name: https-internal
port: 8201
targetPort: 8201
selector:
app.kubernetes.io/name: openbao
app.kubernetes.io/instance: openbao
component: server


@@ -0,0 +1,25 @@
apiVersion: v1
kind: Service
metadata:
name: openbao-standby
namespace: openbao
labels:
helm.sh/chart: openbao-0.27.1
app.kubernetes.io/name: openbao
app.kubernetes.io/instance: openbao
app.kubernetes.io/managed-by: Helm
spec:
publishNotReadyAddresses: true
ports:
- name: http
port: 8200
targetPort: 8200
appProtocol: HTTP
- name: https-internal
port: 8201
targetPort: 8201
selector:
app.kubernetes.io/name: openbao
app.kubernetes.io/instance: openbao
component: server
openbao-active: "false"


@@ -0,0 +1,24 @@
apiVersion: v1
kind: Service
metadata:
name: openbao
namespace: openbao
labels:
helm.sh/chart: openbao-0.27.1
app.kubernetes.io/name: openbao
app.kubernetes.io/instance: openbao
app.kubernetes.io/managed-by: Helm
spec:
publishNotReadyAddresses: true
ports:
- name: http
port: 8200
targetPort: 8200
appProtocol: HTTP
- name: https-internal
port: 8201
targetPort: 8201
selector:
app.kubernetes.io/name: openbao
app.kubernetes.io/instance: openbao
component: server


@@ -0,0 +1,9 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: openbao-csi-provider
namespace: openbao
labels:
app.kubernetes.io/name: openbao-csi-provider
app.kubernetes.io/instance: openbao
app.kubernetes.io/managed-by: Helm


@@ -0,0 +1,10 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: openbao-snapshot
namespace: openbao
labels:
helm.sh/chart: openbao-0.27.1
app.kubernetes.io/name: openbao
app.kubernetes.io/instance: openbao
app.kubernetes.io/managed-by: Helm


@@ -0,0 +1,10 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: openbao
namespace: openbao
labels:
helm.sh/chart: openbao-0.27.1
app.kubernetes.io/name: openbao
app.kubernetes.io/instance: openbao
app.kubernetes.io/managed-by: Helm


@@ -0,0 +1,31 @@
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
name: openbao
namespace: openbao
labels:
helm.sh/chart: openbao-0.27.1
app.kubernetes.io/name: openbao
app.kubernetes.io/instance: openbao
app.kubernetes.io/managed-by: Helm
release: prometheus
spec:
selector:
matchLabels:
app.kubernetes.io/name: openbao
app.kubernetes.io/instance: openbao
openbao-active: "true"
endpoints:
- port: http
interval: 30s
scrapeTimeout: 10s
scheme: http
path: /v1/sys/metrics
params:
format:
- prometheus
tlsConfig:
insecureSkipVerify: true
namespaceSelector:
matchNames:
- openbao
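Review bot: `tlsConfig.insecureSkipVerify: true` is dead configuration under `scheme: http`, and it becomes a live weakness the day the endpoint is switched to `https` — remove the `tlsConfig` block now rather than carrying it forward, and add a `caFile`/`ca` reference when TLS is actually enabled. The scrape works without a `bearerTokenSecret` only because the server config in this commit sets `unauthenticated_metrics_access = "true"`; if that setting is ever tightened, this endpoint needs a token, so a comment on the endpoint pointing at that dependency would save the next person a debugging session. The `openbao-active: "true"` selector means only the active node's metrics are collected; that is fine for request latency but hides per-node seal state on standbys — presumably intentional, worth confirming.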


@@ -0,0 +1,162 @@
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: openbao
namespace: openbao
labels:
app.kubernetes.io/name: openbao
app.kubernetes.io/instance: openbao
app.kubernetes.io/managed-by: Helm
spec:
serviceName: openbao-internal
podManagementPolicy: OrderedReady
replicas: 3
updateStrategy:
type: RollingUpdate
selector:
matchLabels:
app.kubernetes.io/name: openbao
app.kubernetes.io/instance: openbao
component: server
template:
metadata:
labels:
helm.sh/chart: openbao-0.27.1
app.kubernetes.io/name: openbao
app.kubernetes.io/instance: openbao
component: server
spec:
affinity:
podAntiAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
matchLabels:
app.kubernetes.io/name: openbao
app.kubernetes.io/instance: "openbao"
component: server
topologyKey: kubernetes.io/hostname
terminationGracePeriodSeconds: 10
serviceAccountName: openbao
securityContext:
seccompProfile:
type: RuntimeDefault
runAsNonRoot: true
runAsGroup: 1000
runAsUser: 100
fsGroup: 1000
hostNetwork: false
volumes:
- name: config
configMap:
name: openbao-config
- name: home
emptyDir: {}
containers:
- name: openbao
resources:
requests:
cpu: 50m
memory: 500Mi
image: "quay.io/openbao/openbao:2.5.2@sha256:6c75c97223873807260352f269640935a07db0c26b3dbf12a98a36ec43ad9878"
imagePullPolicy: IfNotPresent
command:
- "/bin/sh"
- "-ec"
args:
- "cp /openbao/config/extraconfig-from-values.hcl /tmp/storageconfig.hcl;\n[ -n \"${HOST_IP}\" ] && sed -Ei \"s|HOST_IP|${HOST_IP?}|g\" /tmp/storageconfig.hcl;\n[ -n \"${POD_IP}\" ] && sed -Ei \"s|POD_IP|${POD_IP?}|g\" /tmp/storageconfig.hcl;\n[ -n \"${HOSTNAME}\" ] && sed -Ei \"s|HOSTNAME|${HOSTNAME?}|g\" /tmp/storageconfig.hcl;\n[ -n \"${API_ADDR}\" ] && sed -Ei \"s|API_ADDR|${API_ADDR?}|g\" /tmp/storageconfig.hcl;\n[ -n \"${TRANSIT_ADDR}\" ] && sed -Ei \"s|TRANSIT_ADDR|${TRANSIT_ADDR?}|g\" /tmp/storageconfig.hcl;\n[ -n \"${RAFT_ADDR}\" ] && sed -Ei \"s|RAFT_ADDR|${RAFT_ADDR?}|g\" /tmp/storageconfig.hcl;\n/usr/local/bin/docker-entrypoint.sh bao server -config=/tmp/storageconfig.hcl \n"
securityContext:
allowPrivilegeEscalation: false
env:
- name: HOST_IP
valueFrom:
fieldRef:
fieldPath: status.hostIP
- name: POD_IP
valueFrom:
fieldRef:
fieldPath: status.podIP
- name: BAO_K8S_POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: BAO_K8S_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: BAO_ADDR
value: "http://127.0.0.1:8200"
- name: BAO_API_ADDR
value: "http://$(POD_IP):8200"
- name: SKIP_CHOWN
value: "true"
- name: SKIP_SETCAP
value: "true"
- name: HOSTNAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: BAO_CLUSTER_ADDR
value: "https://$(HOSTNAME).openbao-internal:8201"
- name: HOME
value: "/home/openbao"
volumeMounts:
- name: audit
mountPath: /openbao/audit
- name: data
mountPath: /openbao/data
- name: config
mountPath: /openbao/config
- name: home
mountPath: /home/openbao
ports:
- containerPort: 8200
name: http
- containerPort: 8201
name: https-internal
- containerPort: 8202
name: http-rep
readinessProbe:
exec:
command: ["/bin/sh", "-ec", "bao status -tls-skip-verify"]
failureThreshold: 2
initialDelaySeconds: 5
periodSeconds: 5
successThreshold: 1
timeoutSeconds: 3
livenessProbe:
httpGet:
path: "/v1/sys/health?standbyok=true"
port: 8200
scheme: HTTP
failureThreshold: 2
initialDelaySeconds: 60
periodSeconds: 5
successThreshold: 1
timeoutSeconds: 3
lifecycle:
preStop:
exec:
command: ["/bin/sh", "-c", "sleep 5 && kill -SIGTERM $(pidof bao)"]
volumeClaimTemplates:
- apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: data
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 1Gi
storageClassName: ceph-block
- apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: audit
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 10Gi
storageClassName: ceph-block
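Review bot: The `openbao` container's `securityContext` sets only `allowPrivilegeEscalation: false`; since `SKIP_SETCAP` and `SKIP_CHOWN` are both `"true"` the process needs no capabilities, so `capabilities: {drop: [ALL]}` can be added as the CronJob in this commit already does, and `readOnlyRootFilesystem: true` is reachable because the only unmounted write path visible is `/tmp/storageconfig.hcl` in `args` (`HOME` is already on the `home` emptyDir). Pair the read-only root with an emptyDir at `/tmp`, and confirm `docker-entrypoint.sh` writes nowhere else before enabling it. Unrelated but worth a look: the raft `data` claim is 1Gi while `audit` gets 10Gi; raft needs headroom for snapshots, so check that ratio is deliberate.
```yaml
      volumes:
        # … unchanged: config, home …
        - name: tmp
          emptyDir: {}
      containers:
        - name: openbao
          # … unchanged: resources, image, command, args …
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop:
                - ALL
          # … unchanged: env …
          volumeMounts:
            # … unchanged: audit, data, config, home …
            - name: tmp
              mountPath: /tmp
          # … unchanged: ports, probes, lifecycle …
```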


@@ -0,0 +1,22 @@
apiVersion: gateway.networking.k8s.io/v1
kind: TLSRoute
metadata:
name: openbao
namespace: openbao
labels:
helm.sh/chart: openbao-0.27.1
app.kubernetes.io/name: openbao
app.kubernetes.io/instance: openbao
app.kubernetes.io/managed-by: Helm
spec:
hostnames:
- "vault.alexlebens.net"
parentRefs:
- group: gateway.networking.k8s.io
kind: Gateway
name: traefik-gateway
namespace: traefik
rules:
- backendRefs:
- name: openbao-active
port: 8200
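Review bot: The `backendRefs` entry sends traffic to `openbao-active:8200`, which per the `openbao-config` ConfigMap in this commit is a plaintext listener (`tls_disable = 1`); a TLSRoute is a TLS-layer route, so if the `traefik-gateway` listener it attaches to is in Passthrough mode the client handshake reaches a backend that does not speak TLS and the route is dead. If the listener is in Terminate mode it works, but an HTTPRoute would be the conventional attachment for an HTTP backend and gives you L7 policy (path/host rules, header filters) that a TLSRoute cannot. Confirm the listener mode and add a `sectionName` to the `parentRefs` entry so the route binds to the intended listener only.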