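# Railiance S3 OpenBao platform secrets service.
#
# This file intentionally contains no secret material. OpenBao initialization
# creates unseal keys and the initial root token; handle those outside Git
# during the bootstrap ceremony documented in docs/openbao.md.
#
# Helm values for the OpenBao chart: one server pod with integrated (raft)
# storage, no agent injector, no CSI provider, UI exposed as ClusterIP only.

global:
  namespace: openbao
  # NOTE(review): TLS is off here and in the listener stanza below
  # (tls_disable = 1), so 8200 (API) and 8201 (cluster) are plain HTTP/TCP.
  # Client tokens and secret payloads cross the pod network unencrypted
  # unless a layer outside this file encrypts it. Nothing in this file
  # provides that; confirm, or enable TLS before storing real secrets.
  tlsDisable: true

injector:
  enabled: false

server:
  enabled: true
  logLevel: info
  logFormat: json

  image:
    registry: quay.io
    repository: openbao/openbao
    # NOTE(review): no tag or digest is set in this file, so the image
    # version is whatever the chart supplies. With IfNotPresent a node keeps
    # using its cached copy of that tag. Consider pinning a tag or digest
    # here so the running version is reviewable in Git.
    pullPolicy: IfNotPresent

  resources:
    requests:
      cpu: 100m
      memory: 256Mi
    limits:
      cpu: 500m
      memory: 512Mi

  ingress:
    enabled: false

  # Binds the server service account to system:auth-delegator so OpenBao can
  # call the TokenReview API (needed by the Kubernetes auth method). This is
  # a cluster-wide binding; keep it only while that auth method is in use.
  authDelegator:
    enabled: true

  # Single-node Railiance01 bootstrap. Remove this override and scale
  # server.ha.replicas when Railiance02/03 join with distributed storage.
  affinity: ""

  # sealedcode=204 and uninitcode=204 make the health endpoint answer 204
  # for a sealed or uninitialized server, so the pod is Ready (and is not
  # restarted) before the init/unseal ceremony. Consequence: "Ready" does
  # not mean "unsealed"; alert on seal status separately.
  readinessProbe:
    enabled: true
    path: /v1/sys/health?standbyok=true&sealedcode=204&uninitcode=204
    port: 8200

  livenessProbe:
    enabled: true
    path: /v1/sys/health?standbyok=true&sealedcode=204&uninitcode=204
    port: 8200
    initialDelaySeconds: 60

  # NOTE(review): `namespaceSelector: {}` selects every namespace, so any
  # pod in the cluster may connect to both ports. Together with disabled TLS
  # this policy restricts very little. 8201 is the raft/cluster port and
  # normally only needs to be reachable by OpenBao peers; consider limiting
  # 8200 to labelled client namespaces and 8201 to the openbao namespace.
  networkPolicy:
    enabled: true
    ingress:
      - from:
          - namespaceSelector: {}
        ports:
          - port: 8200
            protocol: TCP
          - port: 8201
            protocol: TCP

  # NOTE(review): local-path volumes presumably live on one node's disk.
  # With a single replica there is no second copy of the raft data; take
  # raft snapshots off-node - TODO confirm backup procedure.
  dataStorage:
    enabled: true
    size: 5Gi
    storageClass: local-path
    accessMode: ReadWriteOnce

  # This only provisions a volume for audit logs. No audit device is
  # configured anywhere in this file; one still has to be enabled in OpenBao
  # after initialization, otherwise nothing is written here.
  auditStorage:
    enabled: true
    size: 2Gi
    storageClass: local-path
    accessMode: ReadWriteOnce

  standalone:
    enabled: false

  # HA mode with a single raft member: same layout the multi-node cluster
  # will use, but no redundancy yet (see the affinity note above).
  ha:
    enabled: true
    replicas: 1
    disruptionBudget:
      enabled: false
    raft:
      enabled: true
      setNodeId: true
      # Server configuration (HCL), passed through as a literal block.
      # NOTE(review): unauthenticated_metrics_access = "true" lets callers
      # read the metrics endpoint without a token; given the network policy
      # above, that means any pod in the cluster. Restrict the policy to the
      # monitoring namespace or scrape with a token if that is not intended.
      config: |
        ui = true

        listener "tcp" {
          tls_disable = 1
          address = "[::]:8200"
          cluster_address = "[::]:8201"
          telemetry {
            unauthenticated_metrics_access = "true"
          }
        }

        storage "raft" {
          path = "/openbao/data"
        }

        service_registration "kubernetes" {}

        telemetry {
          prometheus_retention_time = "30s"
          disable_hostname = true
        }

  serviceAccount:
    create: true
    name: openbao
    serviceDiscovery:
      enabled: true

# UI is served inside the cluster only (ClusterIP; server.ingress is off).
ui:
  enabled: true
  serviceType: ClusterIP
  activeOpenbaoPodOnly: false

csi:
  enabled: false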