From 129d0d5b02833672debb1e4e6569f113597e37cc Mon Sep 17 00:00:00 2001 From: Finn Date: Mon, 26 Aug 2024 22:50:51 -0700 Subject: [PATCH] Initial openbao --- k8s/operators/openbao/bundle.yaml | 406 +++++++++++++++++++++++ k8s/operators/openbao/kustomization.yaml | 6 + k8s/operators/openbao/namespace.yaml | 4 + 3 files changed, 416 insertions(+) create mode 100644 k8s/operators/openbao/bundle.yaml create mode 100644 k8s/operators/openbao/kustomization.yaml create mode 100644 k8s/operators/openbao/namespace.yaml diff --git a/k8s/operators/openbao/bundle.yaml b/k8s/operators/openbao/bundle.yaml new file mode 100644 index 0000000..8920670 --- /dev/null +++ b/k8s/operators/openbao/bundle.yaml 
@@ -0,0 +1,406 @@ +# DO NOT EDIT: This file has been automatically generated by the script in helm/render-all.sh, edits may get overwritten +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app.kubernetes.io/instance: openbao + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: openbao + helm.sh/chart: openbao-0.4.0 + name: openbao + namespace: openbao +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + labels: + app.kubernetes.io/instance: openbao + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: openbao + helm.sh/chart: openbao-0.4.0 + name: openbao-discovery-role + namespace: openbao +rules: +- apiGroups: + - "" + resources: + - pods + verbs: + - get + - watch + - list + - update + - patch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + app.kubernetes.io/instance: openbao + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: openbao + helm.sh/chart: openbao-0.4.0 + name: openbao-discovery-rolebinding + namespace: openbao +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: openbao-discovery-role +subjects: +- kind: ServiceAccount + name: openbao + namespace: openbao +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app.kubernetes.io/instance: openbao + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: openbao + helm.sh/chart: openbao-0.4.0 + name: openbao-server-binding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: system:auth-delegator +subjects: +- kind: ServiceAccount + name: openbao + namespace: openbao +--- +apiVersion: v1 +data: + extraconfig-from-values.hcl: |2- + + disable_mlock = true + ui = true + + listener "tcp" { + tls_disable = 1 + address = "[::]:8200" + cluster_address = "[::]:8201" + # Enable unauthenticated metrics access (necessary for Prometheus Operator) + #telemetry { + # unauthenticated_metrics_access = "true" + #} + } + + storage 
"raft" { + path = "/openbao/data" + } + + service_registration "kubernetes" {} +kind: ConfigMap +metadata: + labels: + app.kubernetes.io/instance: openbao + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: openbao + helm.sh/chart: openbao-0.4.0 + name: openbao-config + namespace: openbao +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app.kubernetes.io/instance: openbao + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: openbao + helm.sh/chart: openbao-0.4.0 + name: openbao + namespace: openbao +spec: + ports: + - name: http + port: 8200 + targetPort: 8200 + - name: https-internal + port: 8201 + targetPort: 8201 + publishNotReadyAddresses: true + selector: + app.kubernetes.io/instance: openbao + app.kubernetes.io/name: openbao + component: server +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app.kubernetes.io/instance: openbao + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: openbao + helm.sh/chart: openbao-0.4.0 + openbao-active: "true" + name: openbao-active + namespace: openbao +spec: + ports: + - name: http + port: 8200 + targetPort: 8200 + - name: https-internal + port: 8201 + targetPort: 8201 + publishNotReadyAddresses: true + selector: + app.kubernetes.io/instance: openbao + app.kubernetes.io/name: openbao + component: server + openbao-active: "true" +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app.kubernetes.io/instance: openbao + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: openbao + helm.sh/chart: openbao-0.4.0 + openbao-internal: "true" + name: openbao-internal + namespace: openbao +spec: + clusterIP: None + ports: + - name: http + port: 8200 + targetPort: 8200 + - name: https-internal + port: 8201 + targetPort: 8201 + publishNotReadyAddresses: true + selector: + app.kubernetes.io/instance: openbao + app.kubernetes.io/name: openbao + component: server +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app.kubernetes.io/instance: openbao + 
app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: openbao + helm.sh/chart: openbao-0.4.0 + name: openbao-standby + namespace: openbao +spec: + ports: + - name: http + port: 8200 + targetPort: 8200 + - name: https-internal + port: 8201 + targetPort: 8201 + publishNotReadyAddresses: true + selector: + app.kubernetes.io/instance: openbao + app.kubernetes.io/name: openbao + component: server + openbao-active: "false" +--- +apiVersion: apps/v1 +kind: StatefulSet +metadata: + labels: + app.kubernetes.io/instance: openbao + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: openbao + name: openbao + namespace: openbao +spec: + podManagementPolicy: Parallel + replicas: 3 + selector: + matchLabels: + app.kubernetes.io/instance: openbao + app.kubernetes.io/name: openbao + component: server + serviceName: openbao-internal + template: + metadata: + annotations: null + labels: + app.kubernetes.io/instance: openbao + app.kubernetes.io/name: openbao + component: server + helm.sh/chart: openbao-0.4.0 + spec: + affinity: + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchLabels: + app.kubernetes.io/instance: openbao + app.kubernetes.io/name: openbao + component: server + topologyKey: kubernetes.io/hostname + containers: + - args: + - "cp /openbao/config/extraconfig-from-values.hcl /tmp/storageconfig.hcl;\n[ + -n \"${HOST_IP}\" ] && sed -Ei \"s|HOST_IP|${HOST_IP?}|g\" /tmp/storageconfig.hcl;\n[ + -n \"${POD_IP}\" ] && sed -Ei \"s|POD_IP|${POD_IP?}|g\" /tmp/storageconfig.hcl;\n[ + -n \"${HOSTNAME}\" ] && sed -Ei \"s|HOSTNAME|${HOSTNAME?}|g\" /tmp/storageconfig.hcl;\n[ + -n \"${API_ADDR}\" ] && sed -Ei \"s|API_ADDR|${API_ADDR?}|g\" /tmp/storageconfig.hcl;\n[ + -n \"${TRANSIT_ADDR}\" ] && sed -Ei \"s|TRANSIT_ADDR|${TRANSIT_ADDR?}|g\" + /tmp/storageconfig.hcl;\n[ -n \"${RAFT_ADDR}\" ] && sed -Ei \"s|RAFT_ADDR|${RAFT_ADDR?}|g\" + /tmp/storageconfig.hcl;\n/usr/local/bin/docker-entrypoint.sh bao server + 
-config=/tmp/storageconfig.hcl \n" + command: + - /bin/sh + - -ec + env: + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: POD_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: BAO_K8S_POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: BAO_K8S_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: BAO_ADDR + value: http://127.0.0.1:8200 + - name: BAO_API_ADDR + value: http://$(POD_IP):8200 + - name: SKIP_CHOWN + value: "true" + - name: SKIP_SETCAP + value: "true" + - name: HOSTNAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: BAO_CLUSTER_ADDR + value: https://$(HOSTNAME).openbao-internal:8201 + - name: HOME + value: /home/openbao + image: quay.io/openbao/openbao:2.0.0-alpha20240329 + imagePullPolicy: IfNotPresent + lifecycle: + preStop: + exec: + command: + - /bin/sh + - -c + - sleep 5 && kill -SIGTERM $(pidof bao) + name: openbao + ports: + - containerPort: 8200 + name: http + - containerPort: 8201 + name: https-internal + - containerPort: 8202 + name: http-rep + readinessProbe: + exec: + command: + - /bin/sh + - -ec + - bao status -tls-skip-verify + failureThreshold: 2 + initialDelaySeconds: 5 + periodSeconds: 5 + successThreshold: 1 + timeoutSeconds: 3 + securityContext: + allowPrivilegeEscalation: false + volumeMounts: + - mountPath: /openbao/data + name: data + - mountPath: /openbao/config + name: config + - mountPath: /home/openbao + name: home + hostNetwork: false + securityContext: + fsGroup: 1000 + runAsGroup: 1000 + runAsNonRoot: true + runAsUser: 100 + serviceAccountName: openbao + terminationGracePeriodSeconds: 10 + volumes: + - configMap: + name: openbao-config + name: config + - emptyDir: {} + name: home + updateStrategy: + type: OnDelete + volumeClaimTemplates: + - metadata: + name: data + spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 10Gi +--- +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + labels: + 
app.kubernetes.io/instance: openbao + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: openbao + helm.sh/chart: openbao-0.4.0 + name: openbao + namespace: openbao +spec: + maxUnavailable: 1 + selector: + matchLabels: + app.kubernetes.io/instance: openbao + app.kubernetes.io/name: openbao + component: server +--- +apiVersion: v1 +kind: Pod +metadata: + annotations: + helm.sh/hook: test + name: openbao-server-test + namespace: openbao +spec: + containers: + - command: + - /bin/sh + - -c + - | + echo "Checking for sealed info in 'bao status' output" + ATTEMPTS=10 + n=0 + until [ "$n" -ge $ATTEMPTS ] + do + echo "Attempt" $n... + bao status -format yaml | grep -E '^sealed: (true|false)' && break + n=$((n+1)) + sleep 5 + done + if [ $n -ge $ATTEMPTS ]; then + echo "timed out looking for sealed info in 'bao status' output" + exit 1 + fi + + exit 0 + env: + - name: VAULT_ADDR + value: http://openbao.openbao.svc:8200 + image: quay.io/openbao/openbao:2.0.0-alpha20240329 + imagePullPolicy: IfNotPresent + name: openbao-server-test + volumeMounts: null + restartPolicy: Never + volumes: null diff --git a/k8s/operators/openbao/kustomization.yaml b/k8s/operators/openbao/kustomization.yaml new file mode 100644 index 0000000..0c52546 --- /dev/null +++ b/k8s/operators/openbao/kustomization.yaml @@ -0,0 +1,6 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +namespace: openbao +resources: + - namespace.yaml + - bundle.yaml diff --git a/k8s/operators/openbao/namespace.yaml b/k8s/operators/openbao/namespace.yaml new file mode 100644 index 0000000..5ab71c1 --- /dev/null +++ b/k8s/operators/openbao/namespace.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: openbao
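Review bot: The `listener "tcp"` block in the `openbao-config` ConfigMap sets `tls_disable = 1` on `address = "[::]:8200"`, and the `openbao`, `openbao-active` and `openbao-standby` Services publish that port, so tokens and secrets travel in cleartext to any pod that can reach the Service (no NetworkPolicy is part of this patch). Since the header says the file is rendered by helm/render-all.sh, the change belongs in the chart values that drive that listener, re-rendered with `tls_cert_file`/`tls_key_file` set and `tls_disable` off, or at minimum a NetworkPolicy alongside it. The container `securityContext` carries only `allowPrivilegeEscalation: false`; with `disable_mlock = true` and `SKIP_SETCAP: "true"` in the same manifest the process appears not to need IPC_LOCK, so `capabilities: {drop: [ALL]}`, `readOnlyRootFilesystem: true` and a `seccompProfile: {type: RuntimeDefault}` look feasible, though the entrypoint writes `/tmp/storageconfig.hcl` and would then need a writable emptyDir on `/tmp` — verify before enabling. The image `quay.io/openbao/openbao:2.0.0-alpha20240329` is a pre-release tag on both the server and the test pod; pinning a release tag (or a digest) is worth tracking before this is relied on as the secret store.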
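Review bot: The `openbao` Namespace in namespace.yaml carries no Pod Security Admission labels, so nothing at the namespace level enforces the non-root, no-privilege-escalation posture that the StatefulSet in bundle.yaml sets for itself. Adding `pod-security.kubernetes.io/enforce: baseline` together with `pod-security.kubernetes.io/warn: restricted` under `metadata.labels` would reject a regression to a privileged pod and surface the remaining gaps (dropped capabilities, seccomp) without blocking the current workload; whether `restricted` can be enforced directly depends on the hardening applied to the container securityContext.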