Initial openbao

This commit is contained in:
Finn 2024-08-26 22:50:51 -07:00
parent b8e56eab20
commit 129d0d5b02
3 changed files with 416 additions and 0 deletions


@ -0,0 +1,406 @@
# DO NOT EDIT: This file has been automatically generated by the script in helm/render-all.sh, edits may get overwritten
apiVersion: v1
kind: ServiceAccount
metadata:
labels:
app.kubernetes.io/instance: openbao
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: openbao
helm.sh/chart: openbao-0.4.0
name: openbao
namespace: openbao
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
labels:
app.kubernetes.io/instance: openbao
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: openbao
helm.sh/chart: openbao-0.4.0
name: openbao-discovery-role
namespace: openbao
rules:
- apiGroups:
- ""
resources:
- pods
verbs:
- get
- watch
- list
- update
- patch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
labels:
app.kubernetes.io/instance: openbao
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: openbao
helm.sh/chart: openbao-0.4.0
name: openbao-discovery-rolebinding
namespace: openbao
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: openbao-discovery-role
subjects:
- kind: ServiceAccount
name: openbao
namespace: openbao
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
labels:
app.kubernetes.io/instance: openbao
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: openbao
helm.sh/chart: openbao-0.4.0
name: openbao-server-binding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: system:auth-delegator
subjects:
- kind: ServiceAccount
name: openbao
namespace: openbao
---
apiVersion: v1
data:
extraconfig-from-values.hcl: |2-
disable_mlock = true
ui = true
listener "tcp" {
tls_disable = 1
address = "[::]:8200"
cluster_address = "[::]:8201"
# Enable unauthenticated metrics access (necessary for Prometheus Operator)
#telemetry {
# unauthenticated_metrics_access = "true"
#}
}
storage "raft" {
path = "/openbao/data"
}
service_registration "kubernetes" {}
kind: ConfigMap
metadata:
labels:
app.kubernetes.io/instance: openbao
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: openbao
helm.sh/chart: openbao-0.4.0
name: openbao-config
namespace: openbao
---
apiVersion: v1
kind: Service
metadata:
labels:
app.kubernetes.io/instance: openbao
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: openbao
helm.sh/chart: openbao-0.4.0
name: openbao
namespace: openbao
spec:
ports:
- name: http
port: 8200
targetPort: 8200
- name: https-internal
port: 8201
targetPort: 8201
publishNotReadyAddresses: true
selector:
app.kubernetes.io/instance: openbao
app.kubernetes.io/name: openbao
component: server
---
apiVersion: v1
kind: Service
metadata:
labels:
app.kubernetes.io/instance: openbao
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: openbao
helm.sh/chart: openbao-0.4.0
openbao-active: "true"
name: openbao-active
namespace: openbao
spec:
ports:
- name: http
port: 8200
targetPort: 8200
- name: https-internal
port: 8201
targetPort: 8201
publishNotReadyAddresses: true
selector:
app.kubernetes.io/instance: openbao
app.kubernetes.io/name: openbao
component: server
openbao-active: "true"
---
apiVersion: v1
kind: Service
metadata:
labels:
app.kubernetes.io/instance: openbao
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: openbao
helm.sh/chart: openbao-0.4.0
openbao-internal: "true"
name: openbao-internal
namespace: openbao
spec:
clusterIP: None
ports:
- name: http
port: 8200
targetPort: 8200
- name: https-internal
port: 8201
targetPort: 8201
publishNotReadyAddresses: true
selector:
app.kubernetes.io/instance: openbao
app.kubernetes.io/name: openbao
component: server
---
apiVersion: v1
kind: Service
metadata:
labels:
app.kubernetes.io/instance: openbao
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: openbao
helm.sh/chart: openbao-0.4.0
name: openbao-standby
namespace: openbao
spec:
ports:
- name: http
port: 8200
targetPort: 8200
- name: https-internal
port: 8201
targetPort: 8201
publishNotReadyAddresses: true
selector:
app.kubernetes.io/instance: openbao
app.kubernetes.io/name: openbao
component: server
openbao-active: "false"
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
labels:
app.kubernetes.io/instance: openbao
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: openbao
name: openbao
namespace: openbao
spec:
podManagementPolicy: Parallel
replicas: 3
selector:
matchLabels:
app.kubernetes.io/instance: openbao
app.kubernetes.io/name: openbao
component: server
serviceName: openbao-internal
template:
metadata:
annotations: null
labels:
app.kubernetes.io/instance: openbao
app.kubernetes.io/name: openbao
component: server
helm.sh/chart: openbao-0.4.0
spec:
affinity:
podAntiAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
matchLabels:
app.kubernetes.io/instance: openbao
app.kubernetes.io/name: openbao
component: server
topologyKey: kubernetes.io/hostname
containers:
- args:
- "cp /openbao/config/extraconfig-from-values.hcl /tmp/storageconfig.hcl;\n[
-n \"${HOST_IP}\" ] && sed -Ei \"s|HOST_IP|${HOST_IP?}|g\" /tmp/storageconfig.hcl;\n[
-n \"${POD_IP}\" ] && sed -Ei \"s|POD_IP|${POD_IP?}|g\" /tmp/storageconfig.hcl;\n[
-n \"${HOSTNAME}\" ] && sed -Ei \"s|HOSTNAME|${HOSTNAME?}|g\" /tmp/storageconfig.hcl;\n[
-n \"${API_ADDR}\" ] && sed -Ei \"s|API_ADDR|${API_ADDR?}|g\" /tmp/storageconfig.hcl;\n[
-n \"${TRANSIT_ADDR}\" ] && sed -Ei \"s|TRANSIT_ADDR|${TRANSIT_ADDR?}|g\"
/tmp/storageconfig.hcl;\n[ -n \"${RAFT_ADDR}\" ] && sed -Ei \"s|RAFT_ADDR|${RAFT_ADDR?}|g\"
/tmp/storageconfig.hcl;\n/usr/local/bin/docker-entrypoint.sh bao server
-config=/tmp/storageconfig.hcl \n"
command:
- /bin/sh
- -ec
env:
- name: HOST_IP
valueFrom:
fieldRef:
fieldPath: status.hostIP
- name: POD_IP
valueFrom:
fieldRef:
fieldPath: status.podIP
- name: BAO_K8S_POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: BAO_K8S_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: BAO_ADDR
value: http://127.0.0.1:8200
- name: BAO_API_ADDR
value: http://$(POD_IP):8200
- name: SKIP_CHOWN
value: "true"
- name: SKIP_SETCAP
value: "true"
- name: HOSTNAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: BAO_CLUSTER_ADDR
value: https://$(HOSTNAME).openbao-internal:8201
- name: HOME
value: /home/openbao
image: quay.io/openbao/openbao:2.0.0-alpha20240329
imagePullPolicy: IfNotPresent
lifecycle:
preStop:
exec:
command:
- /bin/sh
- -c
- sleep 5 && kill -SIGTERM $(pidof bao)
name: openbao
ports:
- containerPort: 8200
name: http
- containerPort: 8201
name: https-internal
- containerPort: 8202
name: http-rep
readinessProbe:
exec:
command:
- /bin/sh
- -ec
- bao status -tls-skip-verify
failureThreshold: 2
initialDelaySeconds: 5
periodSeconds: 5
successThreshold: 1
timeoutSeconds: 3
securityContext:
allowPrivilegeEscalation: false
volumeMounts:
- mountPath: /openbao/data
name: data
- mountPath: /openbao/config
name: config
- mountPath: /home/openbao
name: home
hostNetwork: false
securityContext:
fsGroup: 1000
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 100
serviceAccountName: openbao
terminationGracePeriodSeconds: 10
volumes:
- configMap:
name: openbao-config
name: config
- emptyDir: {}
name: home
updateStrategy:
type: OnDelete
volumeClaimTemplates:
- metadata:
name: data
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 10Gi
---
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
labels:
app.kubernetes.io/instance: openbao
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: openbao
helm.sh/chart: openbao-0.4.0
name: openbao
namespace: openbao
spec:
maxUnavailable: 1
selector:
matchLabels:
app.kubernetes.io/instance: openbao
app.kubernetes.io/name: openbao
component: server
---
apiVersion: v1
kind: Pod
metadata:
annotations:
helm.sh/hook: test
name: openbao-server-test
namespace: openbao
spec:
containers:
- command:
- /bin/sh
- -c
- |
echo "Checking for sealed info in 'bao status' output"
ATTEMPTS=10
n=0
until [ "$n" -ge $ATTEMPTS ]
do
echo "Attempt" $n...
bao status -format yaml | grep -E '^sealed: (true|false)' && break
n=$((n+1))
sleep 5
done
if [ $n -ge $ATTEMPTS ]; then
echo "timed out looking for sealed info in 'bao status' output"
exit 1
fi
exit 0
env:
- name: VAULT_ADDR
value: http://openbao.openbao.svc:8200
image: quay.io/openbao/openbao:2.0.0-alpha20240329
imagePullPolicy: IfNotPresent
name: openbao-server-test
volumeMounts: null
restartPolicy: Never
volumes: null


@ -0,0 +1,6 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: openbao
resources:
- namespace.yaml
- bundle.yaml
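Review bot: `bundle.yaml`, pulled in by this resource entry, renders the OpenBao listener with `tls_disable = 1` and sets `BAO_ADDR`/`BAO_API_ADDR` to `http://`, so every client request to the `openbao` Service (tokens included) crosses the cluster network in cleartext, even though the 8201 port is named `https-internal` and `BAO_CLUSTER_ADDR` is `https://`. bundle.yaml is marked as generated by helm/render-all.sh, so the change belongs in the values that script renders from, not in the bundle itself: enable TLS on the listener (certificate from a mounted Secret) or, if cleartext is intentional for this environment, record that decision in a comment next to `- bundle.yaml` here. The same values input should pin the image rather than use the floating alpha tag `quay.io/openbao/openbao:2.0.0-alpha20240329`, e.g. `quay.io/openbao/openbao@sha256:<digest>`, since the rendered StatefulSet is applied verbatim.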


@ -0,0 +1,4 @@
apiVersion: v1
kind: Namespace
metadata:
name: openbao
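Review bot: The namespace carries no Pod Security Admission labels, so nothing in the cluster enforces, or even warns about, the pod spec that bundle.yaml places into it; that spec sets `allowPrivilegeEscalation: false` and `runAsNonRoot: true` but drops no capabilities and declares no seccomp profile. Adding `pod-security.kubernetes.io/enforce: baseline`, `pod-security.kubernetes.io/warn: restricted` and `pod-security.kubernetes.io/audit: restricted` under `metadata.labels` would surface that gap at apply time; the current rendering (no hostNetwork, no privileged flag, no hostPath) should already satisfy `baseline`, but confirm against the cluster's PSA version. Whether the OpenBao container can then be moved to `restricted` by adding `capabilities.drop: ["ALL"]` and `seccompProfile.type: RuntimeDefault` at the chart-values level is worth checking, since `SKIP_SETCAP` is already `"true"` and `disable_mlock = true` removes the usual need for IPC_LOCK.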