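# DO NOT EDIT: This file has been automatically generated by the script in helm/render-all.sh, edits may get overwritten
#
# Rendered output of the openbao Helm chart (helm.sh/chart: openbao-0.7.0) for
# the "openbao" namespace: ServiceAccounts and RBAC, the server ConfigMap, the
# Services used for leader discovery, the 3-replica server StatefulSet and its
# PodDisruptionBudget, the secrets-store CSI provider DaemonSet with its agent
# sidecar, and a Helm test Pod.
#
# NOTE(review) comments describe the rendered result. Anything they ask to
# change belongs in the chart values that feed helm/render-all.sh, not here.
---
# ServiceAccount of the OpenBao server pods (bound to openbao-discovery-role
# and to system:auth-delegator further down).
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    app.kubernetes.io/instance: openbao
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: openbao
    helm.sh/chart: openbao-0.7.0
  name: openbao
  namespace: openbao
---
# ServiceAccount of the CSI provider DaemonSet.
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    app.kubernetes.io/instance: openbao
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: openbao-csi-provider
  name: openbao-csi-provider
  namespace: openbao
---
# Namespace-scoped permissions of the CSI provider.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  labels:
    app.kubernetes.io/instance: openbao
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: openbao-csi-provider
  name: openbao-csi-provider-role
  namespace: openbao
rules:
  # Read access is pinned to the single Secret the provider uses
  # (--hmac-secret-name on the DaemonSet below).
  - apiGroups:
      - ""
    resourceNames:
      - openbao-csi-provider-hmac-key
    resources:
      - secrets
    verbs:
      - get
  # "create" cannot be limited by resourceNames, so this rule lets the
  # provider create any Secret in the namespace. It exists so the HMAC key can
  # be bootstrapped on first start; Secret creations by this ServiceAccount
  # are worth an audit-log alert outside of that one name.
  - apiGroups:
      - ""
    resources:
      - secrets
    verbs:
      - create
---
# Pod access for the server's service_registration "kubernetes" block, which
# labels the server Pods (openbao-active etc.) so the Services below can
# select the active node. update/patch are not limited to the Pod's own
# object; they cover every Pod in the namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  labels:
    app.kubernetes.io/instance: openbao
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: openbao
    helm.sh/chart: openbao-0.7.0
  name: openbao-discovery-role
  namespace: openbao
rules:
  - apiGroups:
      - ""
    resources:
      - pods
    verbs:
      - get
      - watch
      - list
      - update
      - patch
---
# Cluster-wide TokenRequest permission for the CSI provider.
# NOTE(review): this is not namespace-bound, so the provider can request
# tokens for any ServiceAccount in the cluster. Presumably required by the
# provider's Kubernetes auth flow -- confirm against the provider docs, and
# treat the provider image as a highly privileged component because of it.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    app.kubernetes.io/instance: openbao
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: openbao-csi-provider
  name: openbao-csi-provider-clusterrole
rules:
  - apiGroups:
      - ""
    resources:
      - serviceaccounts/token
    verbs:
      - create
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  labels:
    app.kubernetes.io/instance: openbao
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: openbao-csi-provider
  name: openbao-csi-provider-rolebinding
  namespace: openbao
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: openbao-csi-provider-role
subjects:
  - kind: ServiceAccount
    name: openbao-csi-provider
    namespace: openbao
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  labels:
    app.kubernetes.io/instance: openbao
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: openbao
    helm.sh/chart: openbao-0.7.0
  name: openbao-discovery-rolebinding
  namespace: openbao
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: openbao-discovery-role
subjects:
  - kind: ServiceAccount
    name: openbao
    namespace: openbao
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  labels:
    app.kubernetes.io/instance: openbao
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: openbao-csi-provider
  name: openbao-csi-provider-clusterrolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: openbao-csi-provider-clusterrole
subjects:
  - kind: ServiceAccount
    name: openbao-csi-provider
    namespace: openbao
---
# Gives the server ServiceAccount the built-in system:auth-delegator role
# (TokenReview / SubjectAccessReview), which the Kubernetes auth method needs
# to validate client ServiceAccount tokens. Cluster-scoped by nature.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  labels:
    app.kubernetes.io/instance: openbao
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: openbao
    helm.sh/chart: openbao-0.7.0
  name: openbao-server-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:auth-delegator
subjects:
  - kind: ServiceAccount
    name: openbao
    namespace: openbao
---
# Server configuration. The container's startup script copies it to
# /tmp/storageconfig.hcl and substitutes HOST_IP/POD_IP/... placeholders;
# this rendering contains none of those placeholders.
#
# NOTE(review): tls_disable = 1 on the [::]:8200 listener makes the whole
# API, including unseal and token traffic, plaintext inside the cluster; the
# http:// BAO_ADDR / VAULT_ADDR values in this file follow from it. Nothing
# in this file terminates TLS in front of the server -- confirm a mesh or
# NetworkPolicy covers it, or enable listener TLS in the chart values.
# disable_mlock = true (paired with SKIP_SETCAP=true on the container) means
# key material in process memory is not pinned; that relies on the nodes
# running without swap.
apiVersion: v1
data:
  extraconfig-from-values.hcl: |-
    disable_mlock = true
    ui = true
    listener "tcp" {
      tls_disable = 1
      address = "[::]:8200"
      cluster_address = "[::]:8201"
      # Enable unauthenticated metrics access (necessary for Prometheus Operator)
      #telemetry {
      #  unauthenticated_metrics_access = "true"
      #}
    }
    storage "raft" {
      path = "/openbao/data"
    }
    service_registration "kubernetes" {}
kind: ConfigMap
metadata:
  labels:
    app.kubernetes.io/instance: openbao
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: openbao
    helm.sh/chart: openbao-0.7.0
  name: openbao-config
  namespace: openbao
---
# Configuration of the agent sidecar in the CSI provider DaemonSet: it talks
# to the server over the plaintext "openbao" Service and exposes a unix
# socket that the provider container reaches through a shared volume.
# There is no auto_auth block, so the agent presumably acts as a forwarding
# proxy/cache for the provider's own authenticated requests -- confirm.
apiVersion: v1
data:
  config.hcl: |
    vault {
      "address" = "http://openbao.openbao.svc:8200"
    }
    cache {}
    listener "unix" {
      address = "/var/run/vault/agent.sock"
      tls_disable = true
    }
kind: ConfigMap
metadata:
  labels:
    app.kubernetes.io/instance: openbao
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: openbao-csi-provider
    helm.sh/chart: openbao-0.7.0
  name: openbao-csi-provider-agent-config
  namespace: openbao
---
# Generic server Service. publishNotReadyAddresses keeps sealed/unready
# replicas in the endpoint list, which is intentional for this workload.
apiVersion: v1
kind: Service
metadata:
  labels:
    app.kubernetes.io/instance: openbao
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: openbao
    helm.sh/chart: openbao-0.7.0
  name: openbao
  namespace: openbao
spec:
  ports:
    - name: http
      port: 8200
      targetPort: 8200
    - name: https-internal
      port: 8201
      targetPort: 8201
  publishNotReadyAddresses: true
  selector:
    app.kubernetes.io/instance: openbao
    app.kubernetes.io/name: openbao
    component: server
---
# Routes only to the Pod carrying the openbao-active: "true" label that the
# server sets through service_registration "kubernetes".
apiVersion: v1
kind: Service
metadata:
  labels:
    app.kubernetes.io/instance: openbao
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: openbao
    helm.sh/chart: openbao-0.7.0
    openbao-active: "true"
  name: openbao-active
  namespace: openbao
spec:
  ports:
    - name: http
      port: 8200
      targetPort: 8200
    - name: https-internal
      port: 8201
      targetPort: 8201
  publishNotReadyAddresses: true
  selector:
    app.kubernetes.io/instance: openbao
    app.kubernetes.io/name: openbao
    component: server
    openbao-active: "true"
---
# Headless Service used as the StatefulSet's serviceName; gives each replica
# the stable <pod>.openbao-internal DNS name used in BAO_CLUSTER_ADDR.
apiVersion: v1
kind: Service
metadata:
  labels:
    app.kubernetes.io/instance: openbao
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: openbao
    helm.sh/chart: openbao-0.7.0
    openbao-internal: "true"
  name: openbao-internal
  namespace: openbao
spec:
  clusterIP: None
  ports:
    - name: http
      port: 8200
      targetPort: 8200
    - name: https-internal
      port: 8201
      targetPort: 8201
  publishNotReadyAddresses: true
  selector:
    app.kubernetes.io/instance: openbao
    app.kubernetes.io/name: openbao
    component: server
---
# Standby replicas only (openbao-active: "false").
apiVersion: v1
kind: Service
metadata:
  labels:
    app.kubernetes.io/instance: openbao
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: openbao
    helm.sh/chart: openbao-0.7.0
  name: openbao-standby
  namespace: openbao
spec:
  ports:
    - name: http
      port: 8200
      targetPort: 8200
    - name: https-internal
      port: 8201
      targetPort: 8201
  publishNotReadyAddresses: true
  selector:
    app.kubernetes.io/instance: openbao
    app.kubernetes.io/name: openbao
    component: server
    openbao-active: "false"
---
# UI Service. type: ClusterIP, so nothing in this file exposes the UI
# outside the cluster; whatever Ingress fronts it is defined elsewhere.
apiVersion: v1
kind: Service
metadata:
  labels:
    app.kubernetes.io/instance: openbao
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: openbao-ui
    helm.sh/chart: openbao-0.7.0
  name: openbao-ui
  namespace: openbao
spec:
  ports:
    - name: http
      port: 8200
      targetPort: 8200
  publishNotReadyAddresses: true
  selector:
    app.kubernetes.io/instance: openbao
    app.kubernetes.io/name: openbao
    component: server
  type: ClusterIP
---
# Three-node raft server cluster.
# - required podAntiAffinity on kubernetes.io/hostname: needs three schedulable
#   nodes or the third replica stays Pending.
# - updateStrategy OnDelete: spec changes do not restart Pods by themselves;
#   each replica is rolled by deleting it (and unsealing it again).
apiVersion: apps/v1
kind: StatefulSet
metadata:
  labels:
    app.kubernetes.io/instance: openbao
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: openbao
  name: openbao
  namespace: openbao
spec:
  podManagementPolicy: Parallel
  replicas: 3
  selector:
    matchLabels:
      app.kubernetes.io/instance: openbao
      app.kubernetes.io/name: openbao
      component: server
  serviceName: openbao-internal
  template:
    metadata:
      # Rendered as "annotations: null" by the chart; an empty map is the same
      # thing to the API server.
      annotations: {}
      labels:
        app.kubernetes.io/instance: openbao
        app.kubernetes.io/name: openbao
        component: server
        helm.sh/chart: openbao-0.7.0
    spec:
      affinity:
        podAntiAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            - labelSelector:
                matchLabels:
                  app.kubernetes.io/instance: openbao
                  app.kubernetes.io/name: openbao
                  component: server
              topologyKey: kubernetes.io/hostname
      containers:
        # Startup script, run by "/bin/sh -ec". Only HOST_IP, POD_IP and
        # HOSTNAME are set in env below, so the API_ADDR/TRANSIT_ADDR/RAFT_ADDR
        # substitutions are no-ops in this rendering; with -e, a "[ -n ... ] &&"
        # test that fails does not abort the script.
        - args:
            - |
              cp /openbao/config/extraconfig-from-values.hcl /tmp/storageconfig.hcl;
              [ -n "${HOST_IP}" ] && sed -Ei "s|HOST_IP|${HOST_IP?}|g" /tmp/storageconfig.hcl;
              [ -n "${POD_IP}" ] && sed -Ei "s|POD_IP|${POD_IP?}|g" /tmp/storageconfig.hcl;
              [ -n "${HOSTNAME}" ] && sed -Ei "s|HOSTNAME|${HOSTNAME?}|g" /tmp/storageconfig.hcl;
              [ -n "${API_ADDR}" ] && sed -Ei "s|API_ADDR|${API_ADDR?}|g" /tmp/storageconfig.hcl;
              [ -n "${TRANSIT_ADDR}" ] && sed -Ei "s|TRANSIT_ADDR|${TRANSIT_ADDR?}|g" /tmp/storageconfig.hcl;
              [ -n "${RAFT_ADDR}" ] && sed -Ei "s|RAFT_ADDR|${RAFT_ADDR?}|g" /tmp/storageconfig.hcl;
              /usr/local/bin/docker-entrypoint.sh bao server -config=/tmp/storageconfig.hcl
          command:
            - /bin/sh
            - -ec
          # $(POD_IP) and $(HOSTNAME) are Kubernetes env-var references; they
          # resolve only because the referenced entries come earlier in the list.
          env:
            - name: HOST_IP
              valueFrom:
                fieldRef:
                  fieldPath: status.hostIP
            - name: POD_IP
              valueFrom:
                fieldRef:
                  fieldPath: status.podIP
            - name: BAO_K8S_POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: BAO_K8S_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            # Plaintext, matching tls_disable = 1 in openbao-config.
            - name: BAO_ADDR
              value: http://127.0.0.1:8200
            - name: BAO_API_ADDR
              value: http://$(POD_IP):8200
            - name: SKIP_CHOWN
              value: "true"
            - name: SKIP_SETCAP
              value: "true"
            - name: HOSTNAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            # The raft cluster port carries its own TLS regardless of the API
            # listener's tls_disable setting, hence https here.
            - name: BAO_CLUSTER_ADDR
              value: https://$(HOSTNAME).openbao-internal:8201
            - name: HOME
              value: /home/openbao
          # NOTE(review): a floating ":latest" tag with IfNotPresent means the
          # version that runs is whatever each node has cached, so replicas can
          # drift and a rollback is not reproducible. Pin the image by version
          # tag or digest in the chart values (same applies to the
          # openbao-csi-provider and test images below).
          image: git.janky.solutions/jankysolutions/infra/openbao:latest
          imagePullPolicy: IfNotPresent
          lifecycle:
            preStop:
              exec:
                command:
                  - /bin/sh
                  - -c
                  - sleep 5 && kill -SIGTERM $(pidof bao)
          name: openbao
          ports:
            - containerPort: 8200
              name: http
            - containerPort: 8201
              name: https-internal
            - containerPort: 8202
              name: http-rep
          # Readiness follows the exit status of "bao status" (non-zero while
          # sealed), so sealed replicas drop out of the openbao-active and
          # openbao-standby Services. -tls-skip-verify is moot while the
          # listener is plaintext.
          readinessProbe:
            exec:
              command:
                - /bin/sh
                - -ec
                - bao status -tls-skip-verify
            failureThreshold: 2
            initialDelaySeconds: 5
            periodSeconds: 5
            successThreshold: 1
            timeoutSeconds: 3
          # NOTE(review): only privilege escalation is disabled; unlike the
          # openbao-agent container in the DaemonSet below there is no
          # readOnlyRootFilesystem and no capabilities drop. The startup script
          # writes /tmp/storageconfig.hcl, so a read-only root fs would need an
          # emptyDir mounted at /tmp. Both come from the chart values.
          securityContext:
            allowPrivilegeEscalation: false
          volumeMounts:
            - mountPath: /openbao/data
              name: data
            - mountPath: /openbao/config
              name: config
            - mountPath: /home/openbao
              name: home
      hostNetwork: false
      # NOTE(review): uid 100 with gid/fsGroup 1000 -- confirm these match the
      # image's user and group, since SKIP_CHOWN=true stops the entrypoint from
      # fixing ownership of /openbao/data itself.
      securityContext:
        fsGroup: 1000
        runAsGroup: 1000
        runAsNonRoot: true
        runAsUser: 100
      serviceAccountName: openbao
      terminationGracePeriodSeconds: 10
      volumes:
        - configMap:
            name: openbao-config
          name: config
        - emptyDir: {}
          name: home
  updateStrategy:
    type: OnDelete
  # Raft data (and therefore the encrypted barrier) lives on this claim.
  volumeClaimTemplates:
    - metadata:
        name: data
      spec:
        accessModes:
          - ReadWriteOnce
        resources:
          requests:
            storage: 10Gi
---
# At most one server replica may be evicted at a time, keeping raft quorum
# (2 of 3) during node drains.
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
  labels:
    app.kubernetes.io/instance: openbao
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: openbao
    helm.sh/chart: openbao-0.7.0
  name: openbao
  namespace: openbao
spec:
  maxUnavailable: 1
  selector:
    matchLabels:
      app.kubernetes.io/instance: openbao
      app.kubernetes.io/name: openbao
      component: server
---
# Secrets-store CSI provider, one Pod per node, plus an agent sidecar. The
# provider reaches the agent over a unix socket on a memory-backed emptyDir,
# so the only network hop is the agent's plaintext connection to the server.
apiVersion: apps/v1
kind: DaemonSet
metadata:
  labels:
    app.kubernetes.io/instance: openbao
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: openbao-csi-provider
  name: openbao-csi-provider
  namespace: openbao
spec:
  selector:
    matchLabels:
      app.kubernetes.io/instance: openbao
      app.kubernetes.io/name: openbao-csi-provider
  template:
    metadata:
      labels:
        app.kubernetes.io/instance: openbao
        app.kubernetes.io/name: openbao-csi-provider
    spec:
      containers:
        # NOTE(review): --debug=true (and BAO_LOG_LEVEL=debug on the sidecar)
        # is verbose logging in the secrets path; turn both down in the chart
        # values for production so secret metadata does not end up in node
        # logs. This container also has no securityContext of its own, so it
        # runs with the image's defaults -- confirm the image drops root.
        - args:
            - --endpoint=/provider/vault.sock
            - --debug=true
            - --hmac-secret-name=openbao-csi-provider-hmac-key
          env:
            - name: VAULT_ADDR
              value: unix:///var/run/vault/agent.sock
          image: git.janky.solutions/jankysolutions/infra/openbao-csi-provider:latest
          imagePullPolicy: IfNotPresent
          livenessProbe:
            failureThreshold: 2
            httpGet:
              path: /health/ready
              port: 8080
            initialDelaySeconds: 5
            periodSeconds: 5
            successThreshold: 1
            timeoutSeconds: 3
          name: openbao-csi-provider
          readinessProbe:
            failureThreshold: 2
            httpGet:
              path: /health/ready
              port: 8080
            initialDelaySeconds: 5
            periodSeconds: 5
            successThreshold: 1
            timeoutSeconds: 3
          volumeMounts:
            - mountPath: /provider
              name: providervol
            - mountPath: /var/run/vault
              name: agent-unix-socket
        # Agent sidecar. Its config only defines a unix listener, so the
        # declared containerPort 8200 appears to be informational -- confirm.
        - args:
            - agent
            - -config=/etc/vault/config.hcl
          command:
            - bao
          env:
            - name: BAO_LOG_LEVEL
              value: debug
            - name: BAO_LOG_FORMAT
              value: standard
          image: git.janky.solutions/jankysolutions/infra/openbao:latest
          imagePullPolicy: IfNotPresent
          name: openbao-agent
          ports:
            - containerPort: 8200
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            runAsGroup: 1000
            runAsNonRoot: true
            runAsUser: 100
          volumeMounts:
            - mountPath: /etc/vault/config.hcl
              name: agent-config
              readOnly: true
              subPath: config.hcl
            - mountPath: /var/run/vault
              name: agent-unix-socket
      serviceAccountName: openbao-csi-provider
      volumes:
        # Host directory where the secrets-store CSI driver looks for provider
        # sockets; this gives the provider container write access to that host
        # path, which is inherent to the CSI provider model.
        - hostPath:
            path: /etc/kubernetes/secrets-store-csi-providers
          name: providervol
        - configMap:
            name: openbao-csi-provider-agent-config
          name: agent-config
        # Memory-backed so the agent socket never touches node disk.
        - emptyDir:
            medium: Memory
          name: agent-unix-socket
  updateStrategy:
    type: RollingUpdate
---
# Helm test hook: polls "bao status" up to 10 times (5 s apart) through the
# plaintext "openbao" Service and passes as soon as a "sealed:" line is
# reported, whether true or false. It checks reachability, not that the
# cluster is unsealed.
apiVersion: v1
kind: Pod
metadata:
  annotations:
    helm.sh/hook: test
  name: openbao-server-test
  namespace: openbao
spec:
  containers:
    - command:
        - /bin/sh
        - -c
        - |
          echo "Checking for sealed info in 'bao status' output"
          ATTEMPTS=10
          n=0
          until [ "$n" -ge $ATTEMPTS ]
          do
            echo "Attempt" $n...
            bao status -format yaml | grep -E '^sealed: (true|false)' && break
            n=$((n+1))
            sleep 5
          done
          if [ $n -ge $ATTEMPTS ]; then
            echo "timed out looking for sealed info in 'bao status' output"
            exit 1
          fi
          exit 0
      env:
        - name: VAULT_ADDR
          value: http://openbao.openbao.svc:8200
      image: git.janky.solutions/jankysolutions/infra/openbao:latest
      imagePullPolicy: IfNotPresent
      name: openbao-server-test
      # Rendered as "volumeMounts: null" / "volumes: null" by the chart; empty
      # lists are equivalent.
      volumeMounts: []
  restartPolicy: Never
  volumes: []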