infra/k8s/operators/openbao/bundle.yaml

636 lines
16 KiB
YAML
Raw Normal View History

2024-08-27 05:50:51 +00:00
# DO NOT EDIT: This file has been automatically generated by the script in helm/render-all.sh, edits may get overwritten
apiVersion: v1
kind: ServiceAccount
metadata:
labels:
app.kubernetes.io/instance: openbao
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: openbao
helm.sh/chart: openbao-0.4.0
name: openbao
namespace: openbao
---
apiVersion: v1
kind: ServiceAccount
metadata:
labels:
app.kubernetes.io/instance: openbao
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: openbao-csi-provider
name: openbao-csi-provider
namespace: openbao
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
labels:
app.kubernetes.io/instance: openbao
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: openbao-csi-provider
name: openbao-csi-provider-role
namespace: openbao
rules:
- apiGroups:
- ""
resourceNames:
- openbao-csi-provider-hmac-key
resources:
- secrets
verbs:
- get
- apiGroups:
- ""
resources:
- secrets
verbs:
- create
---
2024-08-27 05:50:51 +00:00
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
labels:
app.kubernetes.io/instance: openbao
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: openbao
helm.sh/chart: openbao-0.4.0
name: openbao-discovery-role
namespace: openbao
rules:
- apiGroups:
- ""
resources:
- pods
verbs:
- get
- watch
- list
- update
- patch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app.kubernetes.io/instance: openbao
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: openbao-csi-provider
name: openbao-csi-provider-clusterrole
rules:
- apiGroups:
- ""
resources:
- serviceaccounts/token
verbs:
- create
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
labels:
app.kubernetes.io/instance: openbao
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: openbao-csi-provider
name: openbao-csi-provider-rolebinding
namespace: openbao
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: openbao-csi-provider-role
subjects:
- kind: ServiceAccount
name: openbao-csi-provider
namespace: openbao
---
apiVersion: rbac.authorization.k8s.io/v1
2024-08-27 05:50:51 +00:00
kind: RoleBinding
metadata:
labels:
app.kubernetes.io/instance: openbao
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: openbao
helm.sh/chart: openbao-0.4.0
name: openbao-discovery-rolebinding
namespace: openbao
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: openbao-discovery-role
subjects:
- kind: ServiceAccount
name: openbao
namespace: openbao
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
labels:
app.kubernetes.io/instance: openbao
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: openbao-csi-provider
name: openbao-csi-provider-clusterrolebinding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: openbao-csi-provider-clusterrole
subjects:
- kind: ServiceAccount
name: openbao-csi-provider
namespace: openbao
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
2024-08-27 05:50:51 +00:00
metadata:
labels:
app.kubernetes.io/instance: openbao
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: openbao
helm.sh/chart: openbao-0.4.0
name: openbao-server-binding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: system:auth-delegator
subjects:
- kind: ServiceAccount
name: openbao
namespace: openbao
---
apiVersion: v1
data:
extraconfig-from-values.hcl: |2-
disable_mlock = true
ui = true
listener "tcp" {
tls_disable = 1
address = "[::]:8200"
cluster_address = "[::]:8201"
# Enable unauthenticated metrics access (necessary for Prometheus Operator)
#telemetry {
# unauthenticated_metrics_access = "true"
#}
}
storage "raft" {
path = "/openbao/data"
}
service_registration "kubernetes" {}
kind: ConfigMap
metadata:
labels:
app.kubernetes.io/instance: openbao
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: openbao
helm.sh/chart: openbao-0.4.0
name: openbao-config
namespace: openbao
---
apiVersion: v1
data:
config.hcl: |
vault {
"address" = "http://openbao.openbao.svc:8200"
}
cache {}
listener "unix" {
address = "/var/run/vault/agent.sock"
tls_disable = true
}
kind: ConfigMap
metadata:
labels:
app.kubernetes.io/instance: openbao
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: openbao-csi-provider
helm.sh/chart: openbao-0.4.0
name: openbao-csi-provider-agent-config
namespace: openbao
---
apiVersion: v1
2024-08-27 05:50:51 +00:00
kind: Service
metadata:
labels:
app.kubernetes.io/instance: openbao
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: openbao
helm.sh/chart: openbao-0.4.0
name: openbao
namespace: openbao
spec:
ports:
- name: http
port: 8200
targetPort: 8200
- name: https-internal
port: 8201
targetPort: 8201
publishNotReadyAddresses: true
selector:
app.kubernetes.io/instance: openbao
app.kubernetes.io/name: openbao
component: server
---
apiVersion: v1
kind: Service
metadata:
labels:
app.kubernetes.io/instance: openbao
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: openbao
helm.sh/chart: openbao-0.4.0
openbao-active: "true"
name: openbao-active
namespace: openbao
spec:
ports:
- name: http
port: 8200
targetPort: 8200
- name: https-internal
port: 8201
targetPort: 8201
publishNotReadyAddresses: true
selector:
app.kubernetes.io/instance: openbao
app.kubernetes.io/name: openbao
component: server
openbao-active: "true"
---
apiVersion: v1
kind: Service
metadata:
labels:
app.kubernetes.io/instance: openbao
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: openbao
helm.sh/chart: openbao-0.4.0
openbao-internal: "true"
name: openbao-internal
namespace: openbao
spec:
clusterIP: None
ports:
- name: http
port: 8200
targetPort: 8200
- name: https-internal
port: 8201
targetPort: 8201
publishNotReadyAddresses: true
selector:
app.kubernetes.io/instance: openbao
app.kubernetes.io/name: openbao
component: server
---
apiVersion: v1
kind: Service
metadata:
labels:
app.kubernetes.io/instance: openbao
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: openbao
helm.sh/chart: openbao-0.4.0
name: openbao-standby
namespace: openbao
spec:
ports:
- name: http
port: 8200
targetPort: 8200
- name: https-internal
port: 8201
targetPort: 8201
publishNotReadyAddresses: true
selector:
app.kubernetes.io/instance: openbao
app.kubernetes.io/name: openbao
component: server
openbao-active: "false"
---
2024-08-30 06:20:33 +00:00
apiVersion: v1
kind: Service
metadata:
labels:
app.kubernetes.io/instance: openbao
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: openbao-ui
helm.sh/chart: openbao-0.4.0
name: openbao-ui
namespace: openbao
spec:
ports:
- name: http
port: 8200
targetPort: 8200
publishNotReadyAddresses: true
selector:
app.kubernetes.io/instance: openbao
app.kubernetes.io/name: openbao
component: server
type: ClusterIP
---
2024-08-27 05:50:51 +00:00
apiVersion: apps/v1
kind: StatefulSet
metadata:
labels:
app.kubernetes.io/instance: openbao
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: openbao
name: openbao
namespace: openbao
spec:
podManagementPolicy: Parallel
replicas: 3
selector:
matchLabels:
app.kubernetes.io/instance: openbao
app.kubernetes.io/name: openbao
component: server
serviceName: openbao-internal
template:
metadata:
annotations: null
labels:
app.kubernetes.io/instance: openbao
app.kubernetes.io/name: openbao
component: server
helm.sh/chart: openbao-0.4.0
spec:
affinity:
podAntiAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
matchLabels:
app.kubernetes.io/instance: openbao
app.kubernetes.io/name: openbao
component: server
topologyKey: kubernetes.io/hostname
containers:
- args:
- "cp /openbao/config/extraconfig-from-values.hcl /tmp/storageconfig.hcl;\n[
-n \"${HOST_IP}\" ] && sed -Ei \"s|HOST_IP|${HOST_IP?}|g\" /tmp/storageconfig.hcl;\n[
-n \"${POD_IP}\" ] && sed -Ei \"s|POD_IP|${POD_IP?}|g\" /tmp/storageconfig.hcl;\n[
-n \"${HOSTNAME}\" ] && sed -Ei \"s|HOSTNAME|${HOSTNAME?}|g\" /tmp/storageconfig.hcl;\n[
-n \"${API_ADDR}\" ] && sed -Ei \"s|API_ADDR|${API_ADDR?}|g\" /tmp/storageconfig.hcl;\n[
-n \"${TRANSIT_ADDR}\" ] && sed -Ei \"s|TRANSIT_ADDR|${TRANSIT_ADDR?}|g\"
/tmp/storageconfig.hcl;\n[ -n \"${RAFT_ADDR}\" ] && sed -Ei \"s|RAFT_ADDR|${RAFT_ADDR?}|g\"
/tmp/storageconfig.hcl;\n/usr/local/bin/docker-entrypoint.sh bao server
-config=/tmp/storageconfig.hcl \n"
command:
- /bin/sh
- -ec
env:
- name: HOST_IP
valueFrom:
fieldRef:
fieldPath: status.hostIP
- name: POD_IP
valueFrom:
fieldRef:
fieldPath: status.podIP
- name: BAO_K8S_POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: BAO_K8S_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: BAO_ADDR
value: http://127.0.0.1:8200
- name: BAO_API_ADDR
value: http://$(POD_IP):8200
- name: SKIP_CHOWN
value: "true"
- name: SKIP_SETCAP
value: "true"
- name: HOSTNAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: BAO_CLUSTER_ADDR
value: https://$(HOSTNAME).openbao-internal:8201
- name: HOME
value: /home/openbao
- name: BAO_LOG_LEVEL
value: debug
2024-08-30 06:20:33 +00:00
image: git.janky.solutions/jankysolutions/infra/openbao:latest
2024-08-27 05:50:51 +00:00
imagePullPolicy: IfNotPresent
lifecycle:
preStop:
exec:
command:
- /bin/sh
- -c
- sleep 5 && kill -SIGTERM $(pidof bao)
name: openbao
ports:
- containerPort: 8200
name: http
- containerPort: 8201
name: https-internal
- containerPort: 8202
name: http-rep
readinessProbe:
exec:
command:
- /bin/sh
- -ec
- bao status -tls-skip-verify
failureThreshold: 2
initialDelaySeconds: 5
periodSeconds: 5
successThreshold: 1
timeoutSeconds: 3
securityContext:
allowPrivilegeEscalation: false
volumeMounts:
- mountPath: /openbao/data
name: data
- mountPath: /openbao/config
name: config
- mountPath: /home/openbao
name: home
hostNetwork: false
securityContext:
fsGroup: 1000
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 100
serviceAccountName: openbao
terminationGracePeriodSeconds: 10
volumes:
- configMap:
name: openbao-config
name: config
- emptyDir: {}
name: home
updateStrategy:
type: OnDelete
volumeClaimTemplates:
- metadata:
name: data
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 10Gi
---
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
labels:
app.kubernetes.io/instance: openbao
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: openbao
helm.sh/chart: openbao-0.4.0
name: openbao
namespace: openbao
spec:
maxUnavailable: 1
selector:
matchLabels:
app.kubernetes.io/instance: openbao
app.kubernetes.io/name: openbao
component: server
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
labels:
app.kubernetes.io/instance: openbao
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: openbao-csi-provider
name: openbao-csi-provider
namespace: openbao
spec:
selector:
matchLabels:
app.kubernetes.io/instance: openbao
app.kubernetes.io/name: openbao-csi-provider
template:
metadata:
labels:
app.kubernetes.io/instance: openbao
app.kubernetes.io/name: openbao-csi-provider
spec:
containers:
- args:
- --endpoint=/provider/vault.sock
- --debug=true
- --hmac-secret-name=openbao-csi-provider-hmac-key
env:
- name: VAULT_ADDR
value: unix:///var/run/vault/agent.sock
image: git.janky.solutions/jankysolutions/infra/openbao-csi-provider:latest
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 2
httpGet:
path: /health/ready
port: 8080
initialDelaySeconds: 5
periodSeconds: 5
successThreshold: 1
timeoutSeconds: 3
name: openbao-csi-provider
readinessProbe:
failureThreshold: 2
httpGet:
path: /health/ready
port: 8080
initialDelaySeconds: 5
periodSeconds: 5
successThreshold: 1
timeoutSeconds: 3
volumeMounts:
- mountPath: /provider
name: providervol
- mountPath: /var/run/vault
name: agent-unix-socket
- args:
- agent
- -config=/etc/vault/config.hcl
command:
- bao
env:
- name: VAULT_LOG_LEVEL
value: debug
- name: VAULT_LOG_FORMAT
value: standard
image: git.janky.solutions/jankysolutions/infra/openbao:latest
imagePullPolicy: IfNotPresent
name: openbao-agent
ports:
- containerPort: 8200
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 100
volumeMounts:
- mountPath: /etc/vault/config.hcl
name: agent-config
readOnly: true
subPath: config.hcl
- mountPath: /var/run/vault
name: agent-unix-socket
serviceAccountName: openbao-csi-provider
volumes:
- hostPath:
path: /etc/kubernetes/secrets-store-csi-providers
name: providervol
- configMap:
name: openbao-csi-provider-agent-config
name: agent-config
- emptyDir:
medium: Memory
name: agent-unix-socket
updateStrategy:
type: RollingUpdate
---
2024-08-27 05:50:51 +00:00
apiVersion: v1
kind: Pod
metadata:
annotations:
helm.sh/hook: test
name: openbao-server-test
namespace: openbao
spec:
containers:
- command:
- /bin/sh
- -c
- |
echo "Checking for sealed info in 'bao status' output"
ATTEMPTS=10
n=0
until [ "$n" -ge $ATTEMPTS ]
do
echo "Attempt" $n...
bao status -format yaml | grep -E '^sealed: (true|false)' && break
n=$((n+1))
sleep 5
done
if [ $n -ge $ATTEMPTS ]; then
echo "timed out looking for sealed info in 'bao status' output"
exit 1
fi
exit 0
env:
- name: VAULT_ADDR
value: http://openbao.openbao.svc:8200
2024-08-30 06:20:33 +00:00
image: git.janky.solutions/jankysolutions/infra/openbao:latest
2024-08-27 05:50:51 +00:00
imagePullPolicy: IfNotPresent
name: openbao-server-test
volumeMounts: null
restartPolicy: Never
volumes: null