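---
# Umbrella values for the OpenBao stack: the OpenBao chart itself, three
# vault-unseal deployments (app-template) and two rclone backup CronJobs.
# NOTE(review): reconstructed from a flattened copy of this file; the nesting of
# snapshotAgent, rclone.prune and config.endpointProperty could not be confirmed
# from that copy — verify against each chart's values schema.
openbao:
  global:
    serverTelemetry:
      prometheusOperator: true

  injector:
    enabled: false

  server:
    updateStrategyType: RollingUpdate
    image:
      registry: quay.io
      repository: openbao/openbao
      tag: 2.5.3@sha256:fdc6da21ca6963560c32336fd7feb9cf2d5e52668f1a1647205a4b41171f0806
    resources:
      requests:
        cpu: 50m
        memory: 500Mi

    # External access is routed through the Traefik Gateway; TLS terminates
    # there (the listener in the raft config below runs with tls_disable = 1).
    gateway:
      tlsRoute:
        enabled: true
        hosts:
          - bao.alexlebens.net
        apiVersion: gateway.networking.k8s.io/v1
        parentRefs:
          - group: gateway.networking.k8s.io
            kind: Gateway
            name: traefik-gateway
            namespace: traefik
      httpRoute:
        enabled: true
        hosts:
          - bao.alexlebens.net
        parentRefs:
          - group: gateway.networking.k8s.io
            kind: Gateway
            name: traefik-gateway
            namespace: traefik

    authDelegator:
      enabled: true
    livenessProbe:
      enabled: true

    dataStorage:
      size: 1Gi
      storageClass: ceph-block
    auditStorage:
      enabled: true
      size: 10Gi
      storageClass: ceph-block

    standalone:
      enabled: false
    ha:
      enabled: true
      replicas: 3
      raft:
        enabled: true
        config: |
          ui = true

          listener "tcp" {
            # Plaintext listener: TLS is terminated at the gateway, so gateway->pod
            # and pod->pod (retry_join below) traffic is unencrypted inside the cluster.
            tls_disable = 1
            address = "[::]:8200"
            cluster_address = "[::]:8201"
            telemetry {
              # /v1/sys/metrics is readable without a token; the ServiceMonitor
              # scrape relies on this, so it is reachable by anything on the pod network.
              unauthenticated_metrics_access = "true"
            }
          }

          storage "raft" {
            path = "/openbao/data"
            retry_join {
              leader_api_addr = "http://openbao-0.openbao-internal:8200"
            }
            retry_join {
              leader_api_addr = "http://openbao-1.openbao-internal:8200"
            }
            retry_join {
              leader_api_addr = "http://openbao-2.openbao-internal:8200"
            }
          }

          # Despite the device name, entries go to the file below on the
          # auditStorage volume, not to stdout.
          audit "file" "to-stdout" {
            options {
              file_path = "/openbao/audit/openbao_audit.log"
              # log_raw disables HMAC of sensitive fields: secret values and tokens
              # are written in cleartext to the audit volume. Keep that volume's
              # access as tight as the data itself.
              log_raw = "true"
            }
          }

          service_registration "kubernetes" {}

          telemetry {
            prometheus_retention_time = "30s"
            disable_hostname = true
          }

  csi:
    enabled: true
    image:
      registry: quay.io
      repository: openbao/openbao-csi-provider
      tag: 2.0.2@sha256:3cb312e88c62c926caec03bf69497a16805a29daabb5ad2c7a236ab43bb241db
    resources:
      requests:
        cpu: 50m
        memory: 100Mi
    pod:
      # Allow the provider pods onto control-plane nodes as well.
      tolerations:
        - key: node-role.kubernetes.io/control-plane
          operator: Exists
          effect: NoSchedule
    agent:
      image:
        registry: quay.io
        repository: openbao/openbao
        tag: 2.5.3@sha256:fdc6da21ca6963560c32336fd7feb9cf2d5e52668f1a1647205a4b41171f0806
      resources:
        requests:
          cpu: 10m
          memory: 100Mi

  serverTelemetry:
    serviceMonitor:
      enabled: true
    prometheusRules:
      enabled: true
      rules:
        # vault_core_handle_request is a summary in milliseconds; quantile 0.5 is
        # the median, not an average. The copy-pasted namespace="mynamespace"
        # selector matched no series in this deployment and has been dropped.
        - alert: openBao-HighResponseTime
          annotations:
            message: The median (p50) response time of OpenBao has been over 500ms for the last 5 minutes.
          expr: vault_core_handle_request{quantile="0.5"} > 500
          for: 5m
          labels:
            severity: warning
        # Same alert name as above on purpose; the two are told apart by severity.
        - alert: openBao-HighResponseTime
          annotations:
            message: The median (p50) response time of OpenBao has been over 1s for the last 5 minutes.
          expr: vault_core_handle_request{quantile="0.5"} > 1000
          for: 5m
          labels:
            severity: critical
        - alert: openBao-Sealed
          expr: vault_core_unsealed == 0
          for: 1m
          labels:
            severity: critical
          annotations:
            summary: "OpenBao sealed (instance {{ $labels.instance }})"
            description: |-
              OpenBao instance is sealed on {{ $labels.instance }}
               VALUE = {{ $value }}
               LABELS = {{ $labels }}
        # avg() without "by (instance)" drops all labels, so {{ $labels.instance }}
        # renders empty in this alert's annotations.
        - alert: OpenBao-TooManyPendingTokens
          expr: avg(vault_token_create_count - vault_token_store_count) > 0
          for: 5m
          labels:
            severity: warning
          annotations:
            summary: "OpenBao too many pending tokens (instance {{ $labels.instance }})"
            description: |-
              Too many pending tokens on {{ $labels.instance }}: {{ $value }} tokens created but not yet stored.
               VALUE = {{ $value }}
               LABELS = {{ $labels }}
        - alert: OpenBao-TooManyInfinityTokens
          expr: vault_token_count_by_ttl{creation_ttl="+Inf"} > 3
          for: 5m
          labels:
            severity: warning
          annotations:
            summary: "OpenBao too many infinity tokens (instance {{ $labels.instance }})"
            description: |-
              Too many non-expiring tokens on {{ $labels.instance }}: {{ $value }} tokens with infinite TTL.
               VALUE = {{ $value }}
               LABELS = {{ $labels }}
        # The previous expression, sum(vault_core_active) / count(vault_core_active) <= 0.5,
        # fires permanently on this 3-replica HA cluster: exactly one node is active
        # (vault_core_active == 1) and the standbys report 0, so the ratio is always 1/3.
        # Alert instead when no node reports itself active.
        - alert: OpenBao-ClusterHealth
          expr: sum(vault_core_active) == 0 and count(vault_core_active) > 0
          for: 0m
          labels:
            severity: critical
          annotations:
            summary: "OpenBao cluster health: no active node"
            description: |-
              OpenBao cluster is not healthy: no node reports itself active (leader).
               VALUE = {{ $value }}
               LABELS = {{ $labels }}

  # NOTE(review): kept under the openbao chart values; confirm this is where the
  # chart reads it rather than a top-level subchart key.
  snapshotAgent:
    enabled: true
    schedule: "0 4 * * *"
    image:
      repository: ghcr.io/openbao/openbao-snapshot-agent
      tag: 0.3.0@sha256:d7a8ca9d26b12cf226ce093b9051f243c53aefbb8a419b3dc0b554e7575c931c
    s3CredentialsSecret: openbao-snapshot-secret
    config:
      s3Host: garage-main.garage:3900
      s3Bucket: openbao-backups
      s3Uri: s3://openbao-backups
      s3ExpireDays: "30"
      # --no-ssl: snapshot uploads and their signed S3 requests go over plain
      # HTTP to the in-cluster Garage endpoint above.
      s3cmdExtraFlag: "-v --no-ssl"
      baoAuthPath: kubernetes
      baoRole: bao-snapshot

# Three vault-unseal deployments, each fed a different key share through its
# own Secret (openbao-unseal-config-N). The shares are therefore at rest in the
# cluster, so RBAC on those Secrets is what protects the seal.
unseal:
  global:
    fullnameOverride: openbao-unseal
  controllers:
    unseal-1:
      type: deployment
      replicas: 1
      strategy: Recreate
      containers:
        main:
          image:
            repository: ghcr.io/lrstanley/vault-unseal
            tag: 1.0.0@sha256:9b936fadc8dea2a473972806bffc218a4dd2fbc3b373566138a60e058cc544aa
          envFrom:
            - secretRef:
                name: openbao-unseal-config-1
            - secretRef:
                name: openbao-ntfy-unseal-config
          resources:
            requests:
              cpu: 1m
              memory: 10Mi
    unseal-2:
      type: deployment
      replicas: 1
      strategy: Recreate
      containers:
        main:
          image:
            repository: ghcr.io/lrstanley/vault-unseal
            tag: 1.0.0@sha256:9b936fadc8dea2a473972806bffc218a4dd2fbc3b373566138a60e058cc544aa
          envFrom:
            - secretRef:
                name: openbao-unseal-config-2
            - secretRef:
                name: openbao-ntfy-unseal-config
          resources:
            requests:
              cpu: 1m
              memory: 10Mi
    unseal-3:
      type: deployment
      replicas: 1
      strategy: Recreate
      containers:
        main:
          image:
            repository: ghcr.io/lrstanley/vault-unseal
            tag: 1.0.0@sha256:9b936fadc8dea2a473972806bffc218a4dd2fbc3b373566138a60e058cc544aa
          envFrom:
            - secretRef:
                name: openbao-unseal-config-3
            - secretRef:
                name: openbao-ntfy-unseal-config
          resources:
            requests:
              cpu: 1m
              memory: 10Mi

# Garage -> Garage copy of the snapshot bucket (runs after the 04:00 snapshot
# of the previous day; the two CronJobs are not otherwise sequenced).
rclone-openbao-backups-remote:
  nameOverride: openbao-backups-remote-rclone
  cronJob:
    suspend: false
    schedule: "0 1 * * *"
  rclone:
    source:
      bucketName: openbao-backups
    destination:
      bucketName: openbao-backups
    prune:
      enabled: true
      ageToPrune: 90d
  secret:
    externalSecret:
      source:
        credentials:
          path: /garage/home-infra/openbao-backups
        config:
          path: /garage/config
      destination:
        credentials:
          path: /garage/home-infra/openbao-backups
        config:
          path: /garage/config

# Garage -> DigitalOcean Spaces off-site copy of the same bucket.
rclone-openbao-backups-external:
  nameOverride: openbao-backups-external-rclone
  cronJob:
    suspend: false
    schedule: "10 1 * * *"
  rclone:
    source:
      bucketName: openbao-backups
    destination:
      bucketName: openbao-backups-6e088aad5fad110b
      providerType: DigitalOcean
    prune:
      enabled: true
      ageToPrune: 90d
  secret:
    externalSecret:
      source:
        credentials:
          path: /garage/home-infra/openbao-backups
        config:
          path: /garage/config
      destination:
        credentials:
          path: /digital-ocean/home-infra/openbao-backups
        config:
          path: /digital-ocean/config
          endpointProperty: ENDPOINT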