Add ESO OpenBao GitOps add-ons

2026-06-25 20:08:36 +02:00
parent 0f0b14001e
commit 693dc71833
12 changed files with 353 additions and 6 deletions

@@ -10,7 +10,7 @@ topic_slug: railiance
planning_priority: high
planning_order: 4
created: "2026-06-19"
updated: "2026-06-19"
updated: "2026-06-25"
state_hub_workstream_id: "e57e487b-8557-439d-8093-0457c73ede93"
---
@@ -149,6 +149,21 @@ platform/operators/argocd/repositories/<repo-name>
External Secrets Operator for values that become Kubernetes Secrets, CSI for
file-reference workloads, and no OpenBao injector in the current deployment.
## Follow-up Progress (2026-06-25)
- Added a platform-owned `railiance-platform-addons` AppProject for
cluster-scoped add-ons.
- Added the `external-secrets` ArgoCD Application for External Secrets
Operator and the `openbao-secretstore` Application for
`ClusterSecretStore/openbao`.
- Added the least-privilege OpenBao policy and Kubernetes auth role helper for
the issue-core ESO pilot. The role binds only the
`external-secrets/external-secrets` service account and reads only
`platform/workloads/issue-core/issue-core/*`.
- Limited the initial `ClusterSecretStore/openbao` to the `issue-core`
namespace; broaden only through a later platform review.
## Target State
- `argocd/bootstrap/` contains the two AppProjects and root app-of-apps
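Review bot: The last bullet under "Follow-up Progress" says `ClusterSecretStore/openbao` is limited to the `issue-core` namespace but does not say how that limit is enforced or which manifest carries it. This matters because the OpenBao role described two bullets earlier binds only the operator's own `external-secrets/external-secrets` service account, so OpenBao sees the same identity whichever namespace an ExternalSecret comes from, and the store-side namespace restriction is the only thing keeping other namespaces away from `platform/workloads/issue-core/issue-core/*`. Please name the mechanism in that bullet (for example the store's `spec.conditions` namespace list, if that is what the manifest uses) and give the repo paths of the store manifest, the policy, and the role helper so a reviewer can verify them. It would also help to state where the "later platform review" for broadening is tracked, since widening the store without a matching per-workload policy would extend read access to this path.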