alexlebens/infrastructure
1
0
Fork 0
Code Issues 1 Pull Requests 3 Actions Activity

feat: add openbao
Some checks failed
lint-test-docker / lint-docker-compose (pull_request) Successful in 1m19s
Details
lint-test-helm / lint-helm (pull_request) Failing after 1m34s
Details
lint-test-helm / validate-kubeconform (pull_request) Has been skipped
Details

Browse Source
This commit is contained in:
Alex Lebens
2026-04-15 19:46:16 -05:00
parent 5bfd7ce82d
commit 9bd7556071
13 changed files with 519 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
clusters/cl01tl/helm/blocky/values.yaml
View File

@@ -141,6 +141,7 @@ blocky:
objects IN CNAME traefik-cl01tl objects IN CNAME traefik-cl01tl
ollama IN CNAME traefik-cl01tl ollama IN CNAME traefik-cl01tl
omni-tools IN CNAME traefik-cl01tl omni-tools IN CNAME traefik-cl01tl
openbao IN CNAME traefik-cl01tl
paperless-ngx IN CNAME traefik-cl01tl paperless-ngx IN CNAME traefik-cl01tl
plex IN CNAME traefik-cl01tl plex IN CNAME traefik-cl01tl
postiz-spotlight IN CNAME traefik-cl01tl postiz-spotlight IN CNAME traefik-cl01tl

3
clusters/cl01tl/helm/gatus/values.yaml
View File

@@ -266,6 +266,9 @@ gatus:
- name: vault - name: vault
url: https://vault.alexlebens.net url: https://vault.alexlebens.net
<<: *defaults <<: *defaults
- name: openbao
url: https://openbao.alexlebens.net
<<: *defaults
- name: backrest - name: backrest
url: https://backrest.alexlebens.net url: https://backrest.alexlebens.net
<<: *defaults <<: *defaults

19
clusters/cl01tl/helm/grafana-operator/templates/grafana-dashboard.yaml
View File

@@ -567,6 +567,25 @@ spec:
resyncPeriod: 6h resyncPeriod: 6h
url: http://gitea-http.gitea:3000/alexlebens/grafana-dashboards/raw/branch/main/dashboards/platform/ntfy.json url: http://gitea-http.gitea:3000/alexlebens/grafana-dashboards/raw/branch/main/dashboards/platform/ntfy.json
---
apiVersion: grafana.integreatly.org/v1beta1
kind: GrafanaDashboard
metadata:
name: grafana-dashboard-openbao
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: grafana-dashboard-openbao
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
instanceSelector:
matchLabels:
app: grafana-main
contentCacheDuration: 6h
folderUID: grafana-folder-platform
resyncPeriod: 6h
url: http://gitea-http.gitea:3000/alexlebens/grafana-dashboards/raw/branch/main/dashboards/platform/openbao.json
--- ---
apiVersion: grafana.integreatly.org/v1beta1 apiVersion: grafana.integreatly.org/v1beta1
kind: GrafanaDashboard kind: GrafanaDashboard

12
clusters/cl01tl/helm/homepage/values.yaml
View File

@@ -637,6 +637,18 @@ homepage:
app.kubernetes.io/instance in ( app.kubernetes.io/instance in (
vault vault
) )
- Secrets:
icon: sh-openbao.webp
description: OpenBao
href: https://openbao.alexlebens.net
siteMonitor: http://openbao.openbao:8200
statusStyle: dot
namespace: openbao
app: openbao
podSelector: >-
app.kubernetes.io/instance in (
openbao
)
- Backups: - Backups:
icon: sh-backrest-light.webp icon: sh-backrest-light.webp
description: Backrest description: Backrest

34
clusters/cl01tl/helm/openbao/Chart.yaml Normal file
View File

@@ -0,0 +1,34 @@
apiVersion: v2
name: openbao
version: 1.0.0
description: OpenBao
keywords:
- openbao
- secrets
home: https://docs.alexlebens.dev/applications/openbao/
sources:
- https://github.com/openbao/openbao
- https://github.com/lrstanley/vault-unseal
- https://quay.io/repository/openbao/openbao?tab=tags
- https://quay.io/repository/openbao/openbao-csi-provider?tab=tags
- https://github.com/openbao/openbao-snapshot-agent/pkgs/container/openbao-snapshot-agent
- https://github.com/lrstanley/vault-unseal/pkgs/container/vault-unseal
- https://github.com/openbao/openbao-helm/tree/main/charts/openbao
- https://github.com/bjw-s-labs/helm-charts/tree/main/charts/other/app-template
maintainers:
- name: alexlebens
dependencies:
- name: vault
version: 0.32.0
repository: https://openbao.github.io/openbao-helm
- name: app-template
alias: unseal
repository: https://bjw-s-labs.github.io/helm-charts/
version: 4.6.2
icon: https://cdn.jsdelivr.net/gh/selfhst/icons@main/png/openbao.png
# renovate: datasource=github-releases depName=openbao/openbao
appVersion: v2.5.2

166
clusters/cl01tl/helm/openbao/templates/external-secret.yaml Normal file
View File

@@ -0,0 +1,166 @@
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: openbao-snapshot-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: openbao-snapshot-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: AWS_ACCESS_KEY_ID
remoteRef:
key: /garage/home-infra/openbao-backups
property: ACCESS_KEY_ID
- secretKey: ACCESS_REGION
remoteRef:
key: /garage/home-infra/openbao-backups
property: ACCESS_REGION
- secretKey: AWS_SECRET_ACCESS_KEY
remoteRef:
key: /garage/home-infra/openbao-backups
property: ACCESS_SECRET_KEY
- secretKey: BUCKET
remoteRef:
key: /garage/home-infra/openbao-backups
property: BUCKET
---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: openbao-unseal-config-1
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: openbao-unseal-config-1
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: ENVIRONMENT
remoteRef:
key: /cl01tl/openbao/unseal
property: ENVIRONMENT
- secretKey: NODES
remoteRef:
key: /cl01tl/openbao/unseal
property: NODES
- secretKey: TOKENS
remoteRef:
key: /cl01tl/openbao/unseal
property: TOKENS_1
- secretKey: NOTIFY_QUEUE_URLS
remoteRef:
key: /cl01tl/openbao/unseal
property: NOTIFY_QUEUE_URLS
---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: openbao-unseal-config-2
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: openbao-unseal-config-2
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: ENVIRONMENT
remoteRef:
key: /cl01tl/openbao/unseal
property: ENVIRONMENT
- secretKey: NODES
remoteRef:
key: /cl01tl/openbao/unseal
property: NODES
- secretKey: TOKENS
remoteRef:
key: /cl01tl/openbao/unseal
property: TOKENS_2
- secretKey: NOTIFY_QUEUE_URLS
remoteRef:
key: /cl01tl/openbao/unseal
property: NOTIFY_QUEUE_URLS
---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: openbao-unseal-config-3
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: openbao-unseal-config-3
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: ENVIRONMENT
remoteRef:
key: /cl01tl/openbao/unseal
property: ENVIRONMENT
- secretKey: NODES
remoteRef:
key: /cl01tl/openbao/unseal
property: NODES
- secretKey: TOKENS
remoteRef:
key: /cl01tl/openbao/unseal
property: TOKENS_3
- secretKey: NOTIFY_QUEUE_URLS
remoteRef:
key: /cl01tl/openbao/unseal
property: NOTIFY_QUEUE_URLS
# ---
# apiVersion: external-secrets.io/v1
# kind: ExternalSecret
# metadata:
# name: openbao-token
# namespace: {{ .Release.Namespace }}
# labels:
# app.kubernetes.io/name: openbao-token
# app.kubernetes.io/instance: {{ .Release.Name }}
# app.kubernetes.io/part-of: {{ .Release.Name }}
# spec:
# secretStoreRef:
# kind: ClusterSecretStore
# name: openbao
# data:
# - secretKey: token
# remoteRef:
# key: /cl01tl/openbao/token
# property: token
# - secretKey: unseal_key_1
# remoteRef:
# key: /cl01tl/openbao/token
# property: unseal_key_1
# - secretKey: unseal_key_2
# remoteRef:
# key: /cl01tl/openbao/token
# property: unseal_key_2
# - secretKey: unseal_key_3
# remoteRef:
# key: /cl01tl/openbao/token
# property: unseal_key_3
# - secretKey: unseal_key_4
# remoteRef:
# key: /cl01tl/openbao/token
# property: unseal_key_4
# - secretKey: unseal_key_5
# remoteRef:
# key: /cl01tl/openbao/token
# property: unseal_key_5

29
clusters/cl01tl/helm/openbao/templates/ingress.yaml Normal file
View File

@@ -0,0 +1,29 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: openbao-tailscale
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: openbao-tailscale
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
tailscale.com/proxy-class: no-metrics
annotations:
tailscale.com/experimental-forward-cluster-traffic-via-ingress: "true"
spec:
ingressClassName: tailscale
tls:
- hosts:
- openbao-cl01tl
secretName: openbao-cl01tl
rules:
- host: openbao-cl01tl
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: openbao-active
port:
number: 8200

182
clusters/cl01tl/helm/openbao/values.yaml Normal file
View File

@@ -0,0 +1,182 @@
openbao:
global:
serverTelemetry:
prometheusOperator: true
injector:
enabled: false
server:
updateStrategyType: RollingUpdate
image:
registry: quay.io
repository: openbao/openbao
tag: 2.5.2@sha256:6c75c97223873807260352f269640935a07db0c26b3dbf12a98a36ec43ad9878
resources:
requests:
cpu: 50m
memory: 500Mi
gateway:
tlsRoute:
enabled: true
hosts:
- vault.alexlebens.net
apiVersion: gateway.networking.k8s.io/v1
parentRefs:
- group: gateway.networking.k8s.io
kind: Gateway
name: traefik-gateway
namespace: traefik
authDelegator:
enabled: true
livenessProbe:
enabled: true
dataStorage:
size: 1Gi
storageClass: ceph-block
auditStorage:
enabled: true
size: 10Gi
storageClass: ceph-block
standalone:
enabled: false
ha:
enabled: true
replicas: 3
raft:
enabled: true
config: |
ui = true
listener "tcp" {
tls_disable = 1
address = "[::]:8200"
cluster_address = "[::]:8201"
telemetry {
unauthenticated_metrics_access = "true"
}
}
storage "raft" {
path = "/openbao/data"
retry_join {
leader_api_addr = "http://openbao-0.openbao-internal:8201"
}
retry_join {
leader_api_addr = "http://openbao-1.openbao-internal:8201"
}
retry_join {
leader_api_addr = "http://openbao-2.openbao-internal:8201"
}
}
service_registration "kubernetes" {}
telemetry {
prometheus_retention_time = "30s"
disable_hostname = true
}
csi:
enabled: true
image:
registry: quay.io
repository: openbao/openbao-csi-provider
tag: 2.0.1@sha256:a3bd5e8183da778b5dc79ee1a3d7313ac77dc599b623b4106a91b19362674f27
resources:
requests:
cpu: 50m
memory: 100Mi
agent:
image:
registry: quay.io
repository: openbao/openbao
tag: 2.5.2@sha256:6c75c97223873807260352f269640935a07db0c26b3dbf12a98a36ec43ad9878
resources:
requests:
cpu: 10m
memory: 100Mi
serverTelemetry:
serviceMonitor:
enabled: true
prometheusRules:
enabled: true
rules:
- alert: vault-HighResponseTime
annotations:
message: The response time of Vault is over 500ms on average over the last 5 minutes.
expr: vault_core_handle_request{quantile="0.5", namespace="mynamespace"} > 500
for: 5m
labels:
severity: warning
- alert: vault-HighResponseTime
annotations:
message: The response time of Vault is over 1s on average over the last 5 minutes.
expr: vault_core_handle_request{quantile="0.5", namespace="mynamespace"} > 1000
for: 5m
labels:
severity: critical
snapshotAgent:
enabled: true
schedule: 0 4 * * *
image:
repository: ghcr.io/openbao/openbao-snapshot-agent
tag: 0.3.0@sha256:d7a8ca9d26b12cf226ce093b9051f243c53aefbb8a419b3dc0b554e7575c931c
s3CredentialsSecret: openbao-snapshot-secret
config:
s3Host: garage-main.garage:3900
s3Bucket: openbao-backups
s3Uri: s3://openbao-backups
s3ExpireDays: "30"
s3cmdExtraFlag: "-v"
baoAuthPath: kubernetes
baoRole: bao-snapshot
unseal:
global:
fullnameOverride: openbao-unseal
controllers:
unseal-1:
type: deployment
replicas: 1
strategy: Recreate
containers:
main:
image:
repository: ghcr.io/lrstanley/vault-unseal
tag: 1.0.0@sha256:24ca9bceccdb0a22ae57574346dee4bec107c9b849f836811972b8f7f1baa4ef
envFrom:
- secretRef:
name: openbao-unseal-config-1
resources:
requests:
cpu: 1m
memory: 10Mi
unseal-2:
type: deployment
replicas: 1
strategy: Recreate
containers:
main:
image:
repository: ghcr.io/lrstanley/vault-unseal
tag: 1.0.0@sha256:24ca9bceccdb0a22ae57574346dee4bec107c9b849f836811972b8f7f1baa4ef
envFrom:
- secretRef:
name: openbao-unseal-config-2
resources:
requests:
cpu: 1m
memory: 10Mi
unseal-3:
type: deployment
replicas: 1
strategy: Recreate
containers:
main:
image:
repository: ghcr.io/lrstanley/vault-unseal
tag: 1.0.0@sha256:24ca9bceccdb0a22ae57574346dee4bec107c9b849f836811972b8f7f1baa4ef
envFrom:
- secretRef:
name: openbao-unseal-config-3
resources:
requests:
cpu: 1m
memory: 10Mi

6
clusters/cl01tl/helm/secrets-store-csi-driver/Chart.lock Normal file
View File

@@ -0,0 +1,6 @@
dependencies:
- name: secrets-store-csi-driver
repository: https://kubernetes-sigs.github.io/secrets-store-csi-driver/charts
version: 1.5.6
digest: sha256:8bebc25b54a231446dce2d67b9cd65024a1458fc106ee93dcfd539759edf2ca5
generated: "2026-04-15T17:29:48.143994-05:00"

24
clusters/cl01tl/helm/secrets-store-csi-driver/Chart.yaml Normal file
View File

@@ -0,0 +1,24 @@
apiVersion: v2
name: secrets-store-csi-driver
version: 1.0.0
description: Secrets Store CSI driver
keywords:
- secrets-store-csi-driver
- secrets
home: https://docs.alexlebens.dev/applications/secrets-store-csi-driver/
sources:
- https://github.com/kubernetes-sigs/secrets-store-csi-driver
- https://explore.ggcr.dev/?repo=registry.k8s.io%2Fcsi-secrets-store%2Fdriver
- https://explore.ggcr.dev/?repo=registry.k8s.io%2Fcsi-secrets-store%2Fdriver-crds
- https://explore.ggcr.dev/?repo=registry.k8s.io%2Fsig-storage%2Fcsi-node-driver-registrar
- https://explore.ggcr.dev/?repo=registry.k8s.io%2Fsig-storage%2Flivenessprobe
- https://github.com/kubernetes-sigs/secrets-store-csi-driver/tree/main/charts/secrets-store-csi-driver
maintainers:
- name: alexlebens
dependencies:
- name: secrets-store-csi-driver
version: 1.5.6
repository: https://kubernetes-sigs.github.io/secrets-store-csi-driver/charts
icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/kubernetes.png
# renovate: datasource=github-releases depName=kubernetes-sigs/secrets-store-csi-driver
appVersion: 0.8.1

41
clusters/cl01tl/helm/secrets-store-csi-driver/values.yaml Normal file
View File

@@ -0,0 +1,41 @@
secrets-store-csi-driver:
linux:
enabled: true
image:
repository: registry.k8s.io/csi-secrets-store/driver
tag: v1.5.6@sha256:6df2b3b3817136d2ade3d53306dbbd98385c1c01e8b3c373192c0e5b8d183f7b
crds:
enabled: true
image:
repository: registry.k8s.io/csi-secrets-store/driver-crds
tag: v1.5.6@sha256:d40d9212beb62ee0f9f09b75d024ed807816879f38e75eca309497c3df89568c
driver:
resources:
limits:
cpu: null
memory: null
requests:
cpu: 10m
memory: 100Mi
registrarImage:
repository: registry.k8s.io/sig-storage/csi-node-driver-registrar
tag: v2.16.0@sha256:ab482308a4921e28a6df09a16ab99a457e9af9641ff44fb1be1a690d07ce8b70
registrar:
resources:
limits:
cpu: null
memory: null
requests:
cpu: 10m
memory: 20Mi
livenessProbeImage:
repository: registry.k8s.io/sig-storage/livenessprobe
tag: v2.18.0@sha256:c4cc074199c045dd73ab85f28897e2a32f4d6f38ffdba4f3b13b8007ccbd3570
livenessProbe:
resources:
limits:
cpu: null
memory: null
requests:
cpu: 10m
memory: 20Mi

1
hosts/ps08rp/blocky/config.yml
View File

@@ -118,6 +118,7 @@ customDNS:
objects IN CNAME traefik-cl01tl objects IN CNAME traefik-cl01tl
ollama IN CNAME traefik-cl01tl ollama IN CNAME traefik-cl01tl
omni-tools IN CNAME traefik-cl01tl omni-tools IN CNAME traefik-cl01tl
openbao IN CNAME traefik-cl01tl
paperless-ngx IN CNAME traefik-cl01tl paperless-ngx IN CNAME traefik-cl01tl
plex IN CNAME traefik-cl01tl plex IN CNAME traefik-cl01tl
postiz-spotlight IN CNAME traefik-cl01tl postiz-spotlight IN CNAME traefik-cl01tl

1
hosts/ps09rp/blocky/config.yml
View File

@@ -139,6 +139,7 @@ customDNS:
objects IN CNAME traefik-cl01tl objects IN CNAME traefik-cl01tl
ollama IN CNAME traefik-cl01tl ollama IN CNAME traefik-cl01tl
omni-tools IN CNAME traefik-cl01tl omni-tools IN CNAME traefik-cl01tl
openbao IN CNAME traefik-cl01tl
paperless-ngx IN CNAME traefik-cl01tl paperless-ngx IN CNAME traefik-cl01tl
plex IN CNAME traefik-cl01tl plex IN CNAME traefik-cl01tl
postiz-spotlight IN CNAME traefik-cl01tl postiz-spotlight IN CNAME traefik-cl01tl