2024-08-27 05:50:51 +00:00
|
|
|
# DO NOT EDIT: This file has been automatically generated by the script in helm/render-all.sh, edits may get overwritten
|
|
|
|
apiVersion: v1
|
|
|
|
kind: ServiceAccount
|
|
|
|
metadata:
|
|
|
|
labels:
|
|
|
|
app.kubernetes.io/instance: openbao
|
|
|
|
app.kubernetes.io/managed-by: Helm
|
|
|
|
app.kubernetes.io/name: openbao
|
|
|
|
helm.sh/chart: openbao-0.4.0
|
|
|
|
name: openbao
|
|
|
|
namespace: openbao
|
|
|
|
---
|
2024-09-09 17:02:04 +00:00
|
|
|
apiVersion: v1
|
|
|
|
kind: ServiceAccount
|
|
|
|
metadata:
|
|
|
|
labels:
|
|
|
|
app.kubernetes.io/instance: openbao
|
|
|
|
app.kubernetes.io/managed-by: Helm
|
|
|
|
app.kubernetes.io/name: openbao-csi-provider
|
|
|
|
name: openbao-csi-provider
|
|
|
|
namespace: openbao
|
|
|
|
---
|
|
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
|
|
kind: Role
|
|
|
|
metadata:
|
|
|
|
labels:
|
|
|
|
app.kubernetes.io/instance: openbao
|
|
|
|
app.kubernetes.io/managed-by: Helm
|
|
|
|
app.kubernetes.io/name: openbao-csi-provider
|
|
|
|
name: openbao-csi-provider-role
|
|
|
|
namespace: openbao
|
|
|
|
rules:
|
|
|
|
- apiGroups:
|
|
|
|
- ""
|
|
|
|
resourceNames:
|
|
|
|
- openbao-csi-provider-hmac-key
|
|
|
|
resources:
|
|
|
|
- secrets
|
|
|
|
verbs:
|
|
|
|
- get
|
|
|
|
- apiGroups:
|
|
|
|
- ""
|
|
|
|
resources:
|
|
|
|
- secrets
|
|
|
|
verbs:
|
|
|
|
- create
|
|
|
|
---
|
2024-08-27 05:50:51 +00:00
|
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
|
|
kind: Role
|
|
|
|
metadata:
|
|
|
|
labels:
|
|
|
|
app.kubernetes.io/instance: openbao
|
|
|
|
app.kubernetes.io/managed-by: Helm
|
|
|
|
app.kubernetes.io/name: openbao
|
|
|
|
helm.sh/chart: openbao-0.4.0
|
|
|
|
name: openbao-discovery-role
|
|
|
|
namespace: openbao
|
|
|
|
rules:
|
|
|
|
- apiGroups:
|
|
|
|
- ""
|
|
|
|
resources:
|
|
|
|
- pods
|
|
|
|
verbs:
|
|
|
|
- get
|
|
|
|
- watch
|
|
|
|
- list
|
|
|
|
- update
|
|
|
|
- patch
|
|
|
|
---
|
|
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
2024-09-09 17:02:04 +00:00
|
|
|
kind: ClusterRole
|
|
|
|
metadata:
|
|
|
|
labels:
|
|
|
|
app.kubernetes.io/instance: openbao
|
|
|
|
app.kubernetes.io/managed-by: Helm
|
|
|
|
app.kubernetes.io/name: openbao-csi-provider
|
|
|
|
name: openbao-csi-provider-clusterrole
|
|
|
|
rules:
|
|
|
|
- apiGroups:
|
|
|
|
- ""
|
|
|
|
resources:
|
|
|
|
- serviceaccounts/token
|
|
|
|
verbs:
|
|
|
|
- create
|
|
|
|
---
|
|
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
|
|
kind: RoleBinding
|
|
|
|
metadata:
|
|
|
|
labels:
|
|
|
|
app.kubernetes.io/instance: openbao
|
|
|
|
app.kubernetes.io/managed-by: Helm
|
|
|
|
app.kubernetes.io/name: openbao-csi-provider
|
|
|
|
name: openbao-csi-provider-rolebinding
|
|
|
|
namespace: openbao
|
|
|
|
roleRef:
|
|
|
|
apiGroup: rbac.authorization.k8s.io
|
|
|
|
kind: Role
|
|
|
|
name: openbao-csi-provider-role
|
|
|
|
subjects:
|
|
|
|
- kind: ServiceAccount
|
|
|
|
name: openbao-csi-provider
|
|
|
|
namespace: openbao
|
|
|
|
---
|
|
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
2024-08-27 05:50:51 +00:00
|
|
|
kind: RoleBinding
|
|
|
|
metadata:
|
|
|
|
labels:
|
|
|
|
app.kubernetes.io/instance: openbao
|
|
|
|
app.kubernetes.io/managed-by: Helm
|
|
|
|
app.kubernetes.io/name: openbao
|
|
|
|
helm.sh/chart: openbao-0.4.0
|
|
|
|
name: openbao-discovery-rolebinding
|
|
|
|
namespace: openbao
|
|
|
|
roleRef:
|
|
|
|
apiGroup: rbac.authorization.k8s.io
|
|
|
|
kind: Role
|
|
|
|
name: openbao-discovery-role
|
|
|
|
subjects:
|
|
|
|
- kind: ServiceAccount
|
|
|
|
name: openbao
|
|
|
|
namespace: openbao
|
|
|
|
---
|
|
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
|
|
kind: ClusterRoleBinding
|
2024-09-09 17:02:04 +00:00
|
|
|
metadata:
|
|
|
|
labels:
|
|
|
|
app.kubernetes.io/instance: openbao
|
|
|
|
app.kubernetes.io/managed-by: Helm
|
|
|
|
app.kubernetes.io/name: openbao-csi-provider
|
|
|
|
name: openbao-csi-provider-clusterrolebinding
|
|
|
|
roleRef:
|
|
|
|
apiGroup: rbac.authorization.k8s.io
|
|
|
|
kind: ClusterRole
|
|
|
|
name: openbao-csi-provider-clusterrole
|
|
|
|
subjects:
|
|
|
|
- kind: ServiceAccount
|
|
|
|
name: openbao-csi-provider
|
|
|
|
namespace: openbao
|
|
|
|
---
|
|
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
|
|
kind: ClusterRoleBinding
|
2024-08-27 05:50:51 +00:00
|
|
|
metadata:
|
|
|
|
labels:
|
|
|
|
app.kubernetes.io/instance: openbao
|
|
|
|
app.kubernetes.io/managed-by: Helm
|
|
|
|
app.kubernetes.io/name: openbao
|
|
|
|
helm.sh/chart: openbao-0.4.0
|
|
|
|
name: openbao-server-binding
|
|
|
|
roleRef:
|
|
|
|
apiGroup: rbac.authorization.k8s.io
|
|
|
|
kind: ClusterRole
|
|
|
|
name: system:auth-delegator
|
|
|
|
subjects:
|
|
|
|
- kind: ServiceAccount
|
|
|
|
name: openbao
|
|
|
|
namespace: openbao
|
|
|
|
---
|
|
|
|
apiVersion: v1
|
|
|
|
data:
|
|
|
|
extraconfig-from-values.hcl: |2-
|
|
|
|
|
|
|
|
disable_mlock = true
|
|
|
|
ui = true
|
|
|
|
|
|
|
|
listener "tcp" {
|
|
|
|
tls_disable = 1
|
|
|
|
address = "[::]:8200"
|
|
|
|
cluster_address = "[::]:8201"
|
|
|
|
# Enable unauthenticated metrics access (necessary for Prometheus Operator)
|
|
|
|
#telemetry {
|
|
|
|
# unauthenticated_metrics_access = "true"
|
|
|
|
#}
|
|
|
|
}
|
|
|
|
|
|
|
|
storage "raft" {
|
|
|
|
path = "/openbao/data"
|
|
|
|
}
|
|
|
|
|
|
|
|
service_registration "kubernetes" {}
|
|
|
|
kind: ConfigMap
|
|
|
|
metadata:
|
|
|
|
labels:
|
|
|
|
app.kubernetes.io/instance: openbao
|
|
|
|
app.kubernetes.io/managed-by: Helm
|
|
|
|
app.kubernetes.io/name: openbao
|
|
|
|
helm.sh/chart: openbao-0.4.0
|
|
|
|
name: openbao-config
|
|
|
|
namespace: openbao
|
|
|
|
---
|
|
|
|
apiVersion: v1
|
2024-09-09 17:02:04 +00:00
|
|
|
data:
|
|
|
|
config.hcl: |
|
|
|
|
vault {
|
|
|
|
"address" = "http://openbao.openbao.svc:8200"
|
|
|
|
}
|
|
|
|
|
|
|
|
cache {}
|
|
|
|
|
|
|
|
listener "unix" {
|
|
|
|
address = "/var/run/vault/agent.sock"
|
|
|
|
tls_disable = true
|
|
|
|
}
|
|
|
|
kind: ConfigMap
|
|
|
|
metadata:
|
|
|
|
labels:
|
|
|
|
app.kubernetes.io/instance: openbao
|
|
|
|
app.kubernetes.io/managed-by: Helm
|
|
|
|
app.kubernetes.io/name: openbao-csi-provider
|
|
|
|
helm.sh/chart: openbao-0.4.0
|
|
|
|
name: openbao-csi-provider-agent-config
|
|
|
|
namespace: openbao
|
|
|
|
---
|
|
|
|
apiVersion: v1
|
2024-08-27 05:50:51 +00:00
|
|
|
kind: Service
|
|
|
|
metadata:
|
|
|
|
labels:
|
|
|
|
app.kubernetes.io/instance: openbao
|
|
|
|
app.kubernetes.io/managed-by: Helm
|
|
|
|
app.kubernetes.io/name: openbao
|
|
|
|
helm.sh/chart: openbao-0.4.0
|
|
|
|
name: openbao
|
|
|
|
namespace: openbao
|
|
|
|
spec:
|
|
|
|
ports:
|
|
|
|
- name: http
|
|
|
|
port: 8200
|
|
|
|
targetPort: 8200
|
|
|
|
- name: https-internal
|
|
|
|
port: 8201
|
|
|
|
targetPort: 8201
|
|
|
|
publishNotReadyAddresses: true
|
|
|
|
selector:
|
|
|
|
app.kubernetes.io/instance: openbao
|
|
|
|
app.kubernetes.io/name: openbao
|
|
|
|
component: server
|
|
|
|
---
|
|
|
|
apiVersion: v1
|
|
|
|
kind: Service
|
|
|
|
metadata:
|
|
|
|
labels:
|
|
|
|
app.kubernetes.io/instance: openbao
|
|
|
|
app.kubernetes.io/managed-by: Helm
|
|
|
|
app.kubernetes.io/name: openbao
|
|
|
|
helm.sh/chart: openbao-0.4.0
|
|
|
|
openbao-active: "true"
|
|
|
|
name: openbao-active
|
|
|
|
namespace: openbao
|
|
|
|
spec:
|
|
|
|
ports:
|
|
|
|
- name: http
|
|
|
|
port: 8200
|
|
|
|
targetPort: 8200
|
|
|
|
- name: https-internal
|
|
|
|
port: 8201
|
|
|
|
targetPort: 8201
|
|
|
|
publishNotReadyAddresses: true
|
|
|
|
selector:
|
|
|
|
app.kubernetes.io/instance: openbao
|
|
|
|
app.kubernetes.io/name: openbao
|
|
|
|
component: server
|
|
|
|
openbao-active: "true"
|
|
|
|
---
|
|
|
|
apiVersion: v1
|
|
|
|
kind: Service
|
|
|
|
metadata:
|
|
|
|
labels:
|
|
|
|
app.kubernetes.io/instance: openbao
|
|
|
|
app.kubernetes.io/managed-by: Helm
|
|
|
|
app.kubernetes.io/name: openbao
|
|
|
|
helm.sh/chart: openbao-0.4.0
|
|
|
|
openbao-internal: "true"
|
|
|
|
name: openbao-internal
|
|
|
|
namespace: openbao
|
|
|
|
spec:
|
|
|
|
clusterIP: None
|
|
|
|
ports:
|
|
|
|
- name: http
|
|
|
|
port: 8200
|
|
|
|
targetPort: 8200
|
|
|
|
- name: https-internal
|
|
|
|
port: 8201
|
|
|
|
targetPort: 8201
|
|
|
|
publishNotReadyAddresses: true
|
|
|
|
selector:
|
|
|
|
app.kubernetes.io/instance: openbao
|
|
|
|
app.kubernetes.io/name: openbao
|
|
|
|
component: server
|
|
|
|
---
|
|
|
|
apiVersion: v1
|
|
|
|
kind: Service
|
|
|
|
metadata:
|
|
|
|
labels:
|
|
|
|
app.kubernetes.io/instance: openbao
|
|
|
|
app.kubernetes.io/managed-by: Helm
|
|
|
|
app.kubernetes.io/name: openbao
|
|
|
|
helm.sh/chart: openbao-0.4.0
|
|
|
|
name: openbao-standby
|
|
|
|
namespace: openbao
|
|
|
|
spec:
|
|
|
|
ports:
|
|
|
|
- name: http
|
|
|
|
port: 8200
|
|
|
|
targetPort: 8200
|
|
|
|
- name: https-internal
|
|
|
|
port: 8201
|
|
|
|
targetPort: 8201
|
|
|
|
publishNotReadyAddresses: true
|
|
|
|
selector:
|
|
|
|
app.kubernetes.io/instance: openbao
|
|
|
|
app.kubernetes.io/name: openbao
|
|
|
|
component: server
|
|
|
|
openbao-active: "false"
|
|
|
|
---
|
2024-08-30 06:20:33 +00:00
|
|
|
apiVersion: v1
|
|
|
|
kind: Service
|
|
|
|
metadata:
|
|
|
|
labels:
|
|
|
|
app.kubernetes.io/instance: openbao
|
|
|
|
app.kubernetes.io/managed-by: Helm
|
|
|
|
app.kubernetes.io/name: openbao-ui
|
|
|
|
helm.sh/chart: openbao-0.4.0
|
|
|
|
name: openbao-ui
|
|
|
|
namespace: openbao
|
|
|
|
spec:
|
|
|
|
ports:
|
|
|
|
- name: http
|
|
|
|
port: 8200
|
|
|
|
targetPort: 8200
|
|
|
|
publishNotReadyAddresses: true
|
|
|
|
selector:
|
|
|
|
app.kubernetes.io/instance: openbao
|
|
|
|
app.kubernetes.io/name: openbao
|
|
|
|
component: server
|
|
|
|
type: ClusterIP
|
|
|
|
---
|
2024-08-27 05:50:51 +00:00
|
|
|
apiVersion: apps/v1
|
|
|
|
kind: StatefulSet
|
|
|
|
metadata:
|
|
|
|
labels:
|
|
|
|
app.kubernetes.io/instance: openbao
|
|
|
|
app.kubernetes.io/managed-by: Helm
|
|
|
|
app.kubernetes.io/name: openbao
|
|
|
|
name: openbao
|
|
|
|
namespace: openbao
|
|
|
|
spec:
|
|
|
|
podManagementPolicy: Parallel
|
|
|
|
replicas: 3
|
|
|
|
selector:
|
|
|
|
matchLabels:
|
|
|
|
app.kubernetes.io/instance: openbao
|
|
|
|
app.kubernetes.io/name: openbao
|
|
|
|
component: server
|
|
|
|
serviceName: openbao-internal
|
|
|
|
template:
|
|
|
|
metadata:
|
|
|
|
annotations: null
|
|
|
|
labels:
|
|
|
|
app.kubernetes.io/instance: openbao
|
|
|
|
app.kubernetes.io/name: openbao
|
|
|
|
component: server
|
|
|
|
helm.sh/chart: openbao-0.4.0
|
|
|
|
spec:
|
|
|
|
affinity:
|
|
|
|
podAntiAffinity:
|
|
|
|
requiredDuringSchedulingIgnoredDuringExecution:
|
|
|
|
- labelSelector:
|
|
|
|
matchLabels:
|
|
|
|
app.kubernetes.io/instance: openbao
|
|
|
|
app.kubernetes.io/name: openbao
|
|
|
|
component: server
|
|
|
|
topologyKey: kubernetes.io/hostname
|
|
|
|
containers:
|
|
|
|
- args:
|
|
|
|
- "cp /openbao/config/extraconfig-from-values.hcl /tmp/storageconfig.hcl;\n[
|
|
|
|
-n \"${HOST_IP}\" ] && sed -Ei \"s|HOST_IP|${HOST_IP?}|g\" /tmp/storageconfig.hcl;\n[
|
|
|
|
-n \"${POD_IP}\" ] && sed -Ei \"s|POD_IP|${POD_IP?}|g\" /tmp/storageconfig.hcl;\n[
|
|
|
|
-n \"${HOSTNAME}\" ] && sed -Ei \"s|HOSTNAME|${HOSTNAME?}|g\" /tmp/storageconfig.hcl;\n[
|
|
|
|
-n \"${API_ADDR}\" ] && sed -Ei \"s|API_ADDR|${API_ADDR?}|g\" /tmp/storageconfig.hcl;\n[
|
|
|
|
-n \"${TRANSIT_ADDR}\" ] && sed -Ei \"s|TRANSIT_ADDR|${TRANSIT_ADDR?}|g\"
|
|
|
|
/tmp/storageconfig.hcl;\n[ -n \"${RAFT_ADDR}\" ] && sed -Ei \"s|RAFT_ADDR|${RAFT_ADDR?}|g\"
|
|
|
|
/tmp/storageconfig.hcl;\n/usr/local/bin/docker-entrypoint.sh bao server
|
|
|
|
-config=/tmp/storageconfig.hcl \n"
|
|
|
|
command:
|
|
|
|
- /bin/sh
|
|
|
|
- -ec
|
|
|
|
env:
|
|
|
|
- name: HOST_IP
|
|
|
|
valueFrom:
|
|
|
|
fieldRef:
|
|
|
|
fieldPath: status.hostIP
|
|
|
|
- name: POD_IP
|
|
|
|
valueFrom:
|
|
|
|
fieldRef:
|
|
|
|
fieldPath: status.podIP
|
|
|
|
- name: BAO_K8S_POD_NAME
|
|
|
|
valueFrom:
|
|
|
|
fieldRef:
|
|
|
|
fieldPath: metadata.name
|
|
|
|
- name: BAO_K8S_NAMESPACE
|
|
|
|
valueFrom:
|
|
|
|
fieldRef:
|
|
|
|
fieldPath: metadata.namespace
|
|
|
|
- name: BAO_ADDR
|
|
|
|
value: http://127.0.0.1:8200
|
|
|
|
- name: BAO_API_ADDR
|
|
|
|
value: http://$(POD_IP):8200
|
|
|
|
- name: SKIP_CHOWN
|
|
|
|
value: "true"
|
|
|
|
- name: SKIP_SETCAP
|
|
|
|
value: "true"
|
|
|
|
- name: HOSTNAME
|
|
|
|
valueFrom:
|
|
|
|
fieldRef:
|
|
|
|
fieldPath: metadata.name
|
|
|
|
- name: BAO_CLUSTER_ADDR
|
|
|
|
value: https://$(HOSTNAME).openbao-internal:8201
|
|
|
|
- name: HOME
|
|
|
|
value: /home/openbao
|
2024-09-10 07:32:41 +00:00
|
|
|
- name: BAO_LOG_LEVEL
|
|
|
|
value: debug
|
2024-08-30 06:20:33 +00:00
|
|
|
image: git.janky.solutions/jankysolutions/infra/openbao:latest
|
2024-08-27 05:50:51 +00:00
|
|
|
imagePullPolicy: IfNotPresent
|
|
|
|
lifecycle:
|
|
|
|
preStop:
|
|
|
|
exec:
|
|
|
|
command:
|
|
|
|
- /bin/sh
|
|
|
|
- -c
|
|
|
|
- sleep 5 && kill -SIGTERM $(pidof bao)
|
|
|
|
name: openbao
|
|
|
|
ports:
|
|
|
|
- containerPort: 8200
|
|
|
|
name: http
|
|
|
|
- containerPort: 8201
|
|
|
|
name: https-internal
|
|
|
|
- containerPort: 8202
|
|
|
|
name: http-rep
|
|
|
|
readinessProbe:
|
|
|
|
exec:
|
|
|
|
command:
|
|
|
|
- /bin/sh
|
|
|
|
- -ec
|
|
|
|
- bao status -tls-skip-verify
|
|
|
|
failureThreshold: 2
|
|
|
|
initialDelaySeconds: 5
|
|
|
|
periodSeconds: 5
|
|
|
|
successThreshold: 1
|
|
|
|
timeoutSeconds: 3
|
|
|
|
securityContext:
|
|
|
|
allowPrivilegeEscalation: false
|
|
|
|
volumeMounts:
|
|
|
|
- mountPath: /openbao/data
|
|
|
|
name: data
|
|
|
|
- mountPath: /openbao/config
|
|
|
|
name: config
|
|
|
|
- mountPath: /home/openbao
|
|
|
|
name: home
|
|
|
|
hostNetwork: false
|
|
|
|
securityContext:
|
|
|
|
fsGroup: 1000
|
|
|
|
runAsGroup: 1000
|
|
|
|
runAsNonRoot: true
|
|
|
|
runAsUser: 100
|
|
|
|
serviceAccountName: openbao
|
|
|
|
terminationGracePeriodSeconds: 10
|
|
|
|
volumes:
|
|
|
|
- configMap:
|
|
|
|
name: openbao-config
|
|
|
|
name: config
|
|
|
|
- emptyDir: {}
|
|
|
|
name: home
|
|
|
|
updateStrategy:
|
|
|
|
type: OnDelete
|
|
|
|
volumeClaimTemplates:
|
|
|
|
- metadata:
|
|
|
|
name: data
|
|
|
|
spec:
|
|
|
|
accessModes:
|
|
|
|
- ReadWriteOnce
|
|
|
|
resources:
|
|
|
|
requests:
|
|
|
|
storage: 10Gi
|
|
|
|
---
|
|
|
|
apiVersion: policy/v1
|
|
|
|
kind: PodDisruptionBudget
|
|
|
|
metadata:
|
|
|
|
labels:
|
|
|
|
app.kubernetes.io/instance: openbao
|
|
|
|
app.kubernetes.io/managed-by: Helm
|
|
|
|
app.kubernetes.io/name: openbao
|
|
|
|
helm.sh/chart: openbao-0.4.0
|
|
|
|
name: openbao
|
|
|
|
namespace: openbao
|
|
|
|
spec:
|
|
|
|
maxUnavailable: 1
|
|
|
|
selector:
|
|
|
|
matchLabels:
|
|
|
|
app.kubernetes.io/instance: openbao
|
|
|
|
app.kubernetes.io/name: openbao
|
|
|
|
component: server
|
|
|
|
---
|
2024-09-09 17:02:04 +00:00
|
|
|
apiVersion: apps/v1
|
|
|
|
kind: DaemonSet
|
|
|
|
metadata:
|
|
|
|
labels:
|
|
|
|
app.kubernetes.io/instance: openbao
|
|
|
|
app.kubernetes.io/managed-by: Helm
|
|
|
|
app.kubernetes.io/name: openbao-csi-provider
|
|
|
|
name: openbao-csi-provider
|
|
|
|
namespace: openbao
|
|
|
|
spec:
|
|
|
|
selector:
|
|
|
|
matchLabels:
|
|
|
|
app.kubernetes.io/instance: openbao
|
|
|
|
app.kubernetes.io/name: openbao-csi-provider
|
|
|
|
template:
|
|
|
|
metadata:
|
|
|
|
labels:
|
|
|
|
app.kubernetes.io/instance: openbao
|
|
|
|
app.kubernetes.io/name: openbao-csi-provider
|
|
|
|
spec:
|
|
|
|
containers:
|
|
|
|
- args:
|
|
|
|
- --endpoint=/provider/vault.sock
|
|
|
|
- --debug=true
|
|
|
|
- --hmac-secret-name=openbao-csi-provider-hmac-key
|
|
|
|
env:
|
|
|
|
- name: VAULT_ADDR
|
|
|
|
value: unix:///var/run/vault/agent.sock
|
2024-09-10 07:32:41 +00:00
|
|
|
image: git.janky.solutions/jankysolutions/infra/openbao-csi-provider:latest
|
2024-09-09 17:02:04 +00:00
|
|
|
imagePullPolicy: IfNotPresent
|
|
|
|
livenessProbe:
|
|
|
|
failureThreshold: 2
|
|
|
|
httpGet:
|
|
|
|
path: /health/ready
|
|
|
|
port: 8080
|
|
|
|
initialDelaySeconds: 5
|
|
|
|
periodSeconds: 5
|
|
|
|
successThreshold: 1
|
|
|
|
timeoutSeconds: 3
|
|
|
|
name: openbao-csi-provider
|
|
|
|
readinessProbe:
|
|
|
|
failureThreshold: 2
|
|
|
|
httpGet:
|
|
|
|
path: /health/ready
|
|
|
|
port: 8080
|
|
|
|
initialDelaySeconds: 5
|
|
|
|
periodSeconds: 5
|
|
|
|
successThreshold: 1
|
|
|
|
timeoutSeconds: 3
|
|
|
|
volumeMounts:
|
|
|
|
- mountPath: /provider
|
|
|
|
name: providervol
|
|
|
|
- mountPath: /var/run/vault
|
|
|
|
name: agent-unix-socket
|
|
|
|
- args:
|
|
|
|
- agent
|
|
|
|
- -config=/etc/vault/config.hcl
|
|
|
|
command:
|
|
|
|
- bao
|
|
|
|
env:
|
|
|
|
- name: VAULT_LOG_LEVEL
|
2024-09-10 07:32:41 +00:00
|
|
|
value: debug
|
2024-09-09 17:02:04 +00:00
|
|
|
- name: VAULT_LOG_FORMAT
|
|
|
|
value: standard
|
2024-09-10 07:32:41 +00:00
|
|
|
image: git.janky.solutions/jankysolutions/infra/openbao:latest
|
2024-09-09 17:02:04 +00:00
|
|
|
imagePullPolicy: IfNotPresent
|
|
|
|
name: openbao-agent
|
|
|
|
ports:
|
|
|
|
- containerPort: 8200
|
|
|
|
securityContext:
|
|
|
|
allowPrivilegeEscalation: false
|
|
|
|
readOnlyRootFilesystem: true
|
|
|
|
runAsGroup: 1000
|
|
|
|
runAsNonRoot: true
|
|
|
|
runAsUser: 100
|
|
|
|
volumeMounts:
|
|
|
|
- mountPath: /etc/vault/config.hcl
|
|
|
|
name: agent-config
|
|
|
|
readOnly: true
|
|
|
|
subPath: config.hcl
|
|
|
|
- mountPath: /var/run/vault
|
|
|
|
name: agent-unix-socket
|
|
|
|
serviceAccountName: openbao-csi-provider
|
|
|
|
volumes:
|
|
|
|
- hostPath:
|
|
|
|
path: /etc/kubernetes/secrets-store-csi-providers
|
|
|
|
name: providervol
|
|
|
|
- configMap:
|
|
|
|
name: openbao-csi-provider-agent-config
|
|
|
|
name: agent-config
|
|
|
|
- emptyDir:
|
|
|
|
medium: Memory
|
|
|
|
name: agent-unix-socket
|
|
|
|
updateStrategy:
|
|
|
|
type: RollingUpdate
|
|
|
|
---
|
2024-08-27 05:50:51 +00:00
|
|
|
apiVersion: v1
|
|
|
|
kind: Pod
|
|
|
|
metadata:
|
|
|
|
annotations:
|
|
|
|
helm.sh/hook: test
|
|
|
|
name: openbao-server-test
|
|
|
|
namespace: openbao
|
|
|
|
spec:
|
|
|
|
containers:
|
|
|
|
- command:
|
|
|
|
- /bin/sh
|
|
|
|
- -c
|
|
|
|
- |
|
|
|
|
echo "Checking for sealed info in 'bao status' output"
|
|
|
|
ATTEMPTS=10
|
|
|
|
n=0
|
|
|
|
until [ "$n" -ge $ATTEMPTS ]
|
|
|
|
do
|
|
|
|
echo "Attempt" $n...
|
|
|
|
bao status -format yaml | grep -E '^sealed: (true|false)' && break
|
|
|
|
n=$((n+1))
|
|
|
|
sleep 5
|
|
|
|
done
|
|
|
|
if [ $n -ge $ATTEMPTS ]; then
|
|
|
|
echo "timed out looking for sealed info in 'bao status' output"
|
|
|
|
exit 1
|
|
|
|
fi
|
|
|
|
|
|
|
|
exit 0
|
|
|
|
env:
|
|
|
|
- name: VAULT_ADDR
|
|
|
|
value: http://openbao.openbao.svc:8200
|
2024-08-30 06:20:33 +00:00
|
|
|
image: git.janky.solutions/jankysolutions/infra/openbao:latest
|
2024-08-27 05:50:51 +00:00
|
|
|
imagePullPolicy: IfNotPresent
|
|
|
|
name: openbao-server-test
|
|
|
|
volumeMounts: null
|
|
|
|
restartPolicy: Never
|
|
|
|
volumes: null
|