Add ESO OpenBao GitOps add-ons

2026-06-25 20:08:36 +02:00
parent 0f0b14001e
commit 693dc71833
12 changed files with 353 additions and 6 deletions
--- a/docs/argocd-gitops.md
+++ b/docs/argocd-gitops.md
@@ -174,3 +174,41 @@ ClusterRoleBindings, or other cluster-admin resources.

 If a tenant needs a cluster-scoped platform resource, create a new
 platform-owned workplan instead of broadening the tenant project by default.
+
+## Platform Add-ons
+
+External Secrets Operator is a platform-owned add-on because it installs CRDs,
+webhooks, and cluster RBAC. Tenant Applications must not install or upgrade it.
+
+The GitOps contract uses:
+
+- `railiance-platform-addons` AppProject for cluster add-ons.
+- `external-secrets` ArgoCD Application for the public Helm chart.
+- `openbao-secretstore` ArgoCD Application for the OpenBao
+  `ClusterSecretStore`.
+- OpenBao Kubernetes auth role `external-secrets-issue-core` for the
+  issue-core pilot.
+
+The initial `ClusterSecretStore/openbao` is intentionally limited to the
+`issue-core` namespace. Broaden it only with a new platform review when another
+tenant is ready to consume OpenBao through ESO.
+
+Configure the OpenBao side without printing token values:
+
+```bash
+OPENBAO_TOKEN_FILE=~/.local/openbao/platform-admin.token \
+  make openbao-configure-external-secrets-issue-core
+```
+
+The helper keeps Kubernetes auth in local-reviewer mode: OpenBao rereads its
+own mounted service-account token and CA file instead of storing an expiring
+reviewer JWT.
+
+Then sync ArgoCD and verify:
+
+```bash
+make argocd-bootstrap-deploy
+make argocd-status
+kubectl -n external-secrets get deploy,pod
+kubectl get clustersecretstore.external-secrets.io openbao
+```