infrastructure/clusters/cl01tl/manifests/openbao/StatefulSet-openbao.yaml

apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: openbao
  namespace: openbao
  labels:
    app.kubernetes.io/name: openbao
    app.kubernetes.io/instance: openbao
    app.kubernetes.io/managed-by: Helm
spec:
  serviceName: openbao-internal
  podManagementPolicy: OrderedReady
  replicas: 3
  updateStrategy:
    type: RollingUpdate
  selector:
    matchLabels:
      app.kubernetes.io/name: openbao
      app.kubernetes.io/instance: openbao
      component: server
  template:
    metadata:
      labels:
        helm.sh/chart: openbao-0.27.1
        app.kubernetes.io/name: openbao
        app.kubernetes.io/instance: openbao
        component: server
    spec:
      affinity:
        podAntiAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            - labelSelector:
                matchLabels:
                  app.kubernetes.io/name: openbao
                  app.kubernetes.io/instance: "openbao"
                  component: server
              topologyKey: kubernetes.io/hostname
      terminationGracePeriodSeconds: 10
      serviceAccountName: openbao
      securityContext:
        seccompProfile:
          type: RuntimeDefault
        runAsNonRoot: true
        runAsGroup: 1000
        runAsUser: 100
        fsGroup: 1000
      hostNetwork: false
      volumes:
        - name: config
          configMap:
            name: openbao-config
        - name: home
          emptyDir: {}
      containers:
        - name: openbao
          resources:
            requests:
              cpu: 50m
              memory: 500Mi
          image: "quay.io/openbao/openbao:2.5.2@sha256:6c75c97223873807260352f269640935a07db0c26b3dbf12a98a36ec43ad9878"
          imagePullPolicy: IfNotPresent
          command:
            - "/bin/sh"
            - "-ec"
          args:
            - "cp /openbao/config/extraconfig-from-values.hcl /tmp/storageconfig.hcl;\n[ -n \"${HOST_IP}\" ] && sed -Ei \"s|HOST_IP|${HOST_IP?}|g\" /tmp/storageconfig.hcl;\n[ -n \"${POD_IP}\" ] && sed -Ei \"s|POD_IP|${POD_IP?}|g\" /tmp/storageconfig.hcl;\n[ -n \"${HOSTNAME}\" ] && sed -Ei \"s|HOSTNAME|${HOSTNAME?}|g\" /tmp/storageconfig.hcl;\n[ -n \"${API_ADDR}\" ] && sed -Ei \"s|API_ADDR|${API_ADDR?}|g\" /tmp/storageconfig.hcl;\n[ -n \"${TRANSIT_ADDR}\" ] && sed -Ei \"s|TRANSIT_ADDR|${TRANSIT_ADDR?}|g\" /tmp/storageconfig.hcl;\n[ -n \"${RAFT_ADDR}\" ] && sed -Ei \"s|RAFT_ADDR|${RAFT_ADDR?}|g\" /tmp/storageconfig.hcl;\n/usr/local/bin/docker-entrypoint.sh bao server -config=/tmp/storageconfig.hcl \n"
          securityContext:
            allowPrivilegeEscalation: false
          env:
            - name: HOST_IP
              valueFrom:
                fieldRef:
                  fieldPath: status.hostIP
            - name: POD_IP
              valueFrom:
                fieldRef:
                  fieldPath: status.podIP
            - name: BAO_K8S_POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: BAO_K8S_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            - name: BAO_ADDR
              value: "http://127.0.0.1:8200"
            - name: BAO_API_ADDR
              value: "http://$(POD_IP):8200"
            - name: SKIP_CHOWN
              value: "true"
            - name: SKIP_SETCAP
              value: "true"
            - name: HOSTNAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: BAO_CLUSTER_ADDR
              value: "https://$(HOSTNAME).openbao-internal:8201"
            - name: HOME
              value: "/home/openbao"
          volumeMounts:
            - name: audit
              mountPath: /openbao/audit
            - name: data
              mountPath: /openbao/data
            - name: config
              mountPath: /openbao/config
            - name: home
              mountPath: /home/openbao
          ports:
            - containerPort: 8200
              name: http
            - containerPort: 8201
              name: https-internal
            - containerPort: 8202
              name: http-rep
          readinessProbe:
            exec:
              command: ["/bin/sh", "-ec", "bao status -tls-skip-verify"]
            failureThreshold: 2
            initialDelaySeconds: 5
            periodSeconds: 5
            successThreshold: 1
            timeoutSeconds: 3
          livenessProbe:
            httpGet:
              path: "/v1/sys/health?standbyok=true"
              port: 8200
              scheme: HTTP
            failureThreshold: 2
            initialDelaySeconds: 60
            periodSeconds: 5
            successThreshold: 1
            timeoutSeconds: 3
          lifecycle:
            preStop:
              exec:
                command: ["/bin/sh", "-c", "sleep 5 && kill -SIGTERM $(pidof bao)"]
  volumeClaimTemplates:
    - apiVersion: v1
      kind: PersistentVolumeClaim
      metadata:
        name: data
      spec:
        accessModes:
          - ReadWriteOnce
        resources:
          requests:
            storage: 1Gi
        storageClassName: ceph-block
    - apiVersion: v1
      kind: PersistentVolumeClaim
      metadata:
        name: audit
      spec:
        accessModes:
          - ReadWriteOnce
        resources:
          requests:
            storage: 10Gi
        storageClassName: ceph-block