railiance-platform/helm/openbao-values.yaml
tegwick 06844c2669 NET-WP-0020 T4: prepared transit auto-unseal seal stanza (disabled by default)
Commented seal "transit" stanza in the OpenBao server config plus an
'Auto-Unseal via Transit Seal' doc section covering provisioning, seal
migration, pod-restart proof, and the net-kingdom console evidence flags.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-02 22:08:47 +02:00


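# Railiance S3 OpenBao platform secrets service (Helm values for the
# openbao-helm chart).
#
# This file intentionally contains no secret material. OpenBao initialization
# creates unseal keys and the initial root token; handle those outside Git
# during the bootstrap ceremony documented in docs/openbao.md.
#
# Security posture of this bootstrap profile, in one place:
#   - TLS is disabled on the listener (global.tlsDisable / tls_disable = 1):
#     tokens and secret payloads cross the cluster network in cleartext.
#     Acceptable only while the in-cluster network is trusted; re-enable TLS
#     (or terminate it in front of the pod) before non-bootstrap consumers
#     onboard.
#   - Port 8200 accepts traffic from every namespace; 8201 (raft/cluster) is
#     limited to this namespace (see server.networkPolicy).
#   - /v1/sys/metrics is readable without a token (listener telemetry).
#   - The file audit device fails closed: if the audit PVC fills, OpenBao
#     stops serving requests until space is freed.
global:
  namespace: openbao
  # NOTE(review): cleartext listener; see the posture summary above. Must
  # stay in sync with `tls_disable` in server.ha.raft.config.
  tlsDisable: true
injector:
  enabled: false
server:
  enabled: true
  logLevel: info
  logFormat: json
  image:
    registry: quay.io
    repository: openbao/openbao
    # Quoted so tooling never re-types the tag as a number.
    tag: "2.5.4"
    pullPolicy: IfNotPresent
  resources:
    requests:
      cpu: 100m
      memory: 256Mi
    limits:
      cpu: 500m
      memory: 512Mi
  # Public browser ingress is owned by helm/openbao-ui-overlay-k8s.yaml so the
  # KeyCape login overlay gateway can inject overlay assets.
  ingress:
    enabled: false
  # Binds the server SA to system:auth-delegator; required for the kubernetes
  # auth method's TokenReview calls.
  authDelegator:
    enabled: true
  # Single-node Railiance01 bootstrap. Remove this override and scale
  # server.ha.replicas when Railiance02/03 join with distributed storage.
  affinity: ""
  # sealedcode/uninitcode=204: a sealed or uninitialised pod still counts as
  # ready and live so the bootstrap ceremony can reach it. Side effect: the
  # Service also routes to a sealed pod, which answers 503 to API calls.
  readinessProbe:
    enabled: true
    path: /v1/sys/health?standbyok=true&sealedcode=204&uninitcode=204
    port: 8200
  livenessProbe:
    enabled: true
    path: /v1/sys/health?standbyok=true&sealedcode=204&uninitcode=204
    port: 8200
    initialDelaySeconds: 60
  networkPolicy:
    enabled: true
    ingress:
      # API port: consumers and the UI overlay gateway live in other
      # namespaces, so 8200 stays open cluster-wide.
      - from:
          - namespaceSelector: {}
        ports:
          - port: 8200
            protocol: TCP
      # Cluster/raft port: only OpenBao peers need it and they live in this
      # namespace. Relies on the control-plane-managed
      # kubernetes.io/metadata.name namespace label.
      - from:
          - namespaceSelector:
              matchLabels:
                kubernetes.io/metadata.name: openbao
        ports:
          - port: 8201
            protocol: TCP
  dataStorage:
    enabled: true
    size: 5Gi
    # local-path pins the PVC to the node: fine for the single-node
    # bootstrap, not for the Railiance02/03 expansion.
    storageClass: local-path
    accessMode: ReadWriteOnce
  auditStorage:
    enabled: true
    # The file audit device does not rotate on its own; rotate externally
    # (SIGHUP reopens the file) before 2Gi fills, or OpenBao fails closed.
    size: 2Gi
    storageClass: local-path
    accessMode: ReadWriteOnce
  standalone:
    enabled: false
  ha:
    enabled: true
    replicas: 1
    disruptionBudget:
      enabled: false
    raft:
      enabled: true
      setNodeId: true
      config: |
        ui = true

        listener "tcp" {
          # Cleartext; see the file header. Must match global.tlsDisable.
          tls_disable = 1
          address = "[::]:8200"
          cluster_address = "[::]:8201"
          telemetry {
            # /v1/sys/metrics without a token, reachable by any pod the
            # network policy admits on 8200.
            unauthenticated_metrics_access = "true"
          }
        }

        storage "raft" {
          path = "/openbao/data"
        }

        # auto-unseal-transit custody model (net-kingdom NET-WP-0020 T4).
        # Disabled by default: shamir seal + manual/SOPS-held unseal applies.
        # To enable: provision an external transit OpenBao (or cloud KMS),
        # create the unseal key, put the transit token in a k8s secret exposed
        # as BAO_SEAL_TRANSIT_TOKEN via server.extraSecretEnvironmentVars
        # (token never in Git), uncomment, upgrade the release, then run the
        # seal migration: bao operator unseal -migrate (threshold shares).
        # Select `auto-unseal-transit` in the net-kingdom bootstrap console and
        # set openbao_transit_seal_configured / openbao_auto_unseal_verified
        # after a pod-restart unseal proof.
        #
        # Before enabling, check:
        #   - The transit OpenBao must not depend on this instance and should
        #     not share Railiance01's failure domain, or a node reboot leaves
        #     both sealed with nothing able to unseal either.
        #   - The transit token needs only `update` on transit/encrypt/<key>
        #     and transit/decrypt/<key> for the unseal key; make it periodic
        #     or renewable, or pod restarts after its TTL will fail to unseal.
        #   - Leave the transit key at exportable=false and
        #     deletion_allowed=false; losing it makes the raft data and every
        #     snapshot of it unrecoverable.
        #   - Verify which environment variable this OpenBao release's transit
        #     seal actually reads (upstream documents a `token` parameter with
        #     an env fallback); if `token` is required, reference the env var
        #     here rather than inlining the value.
        #   - After -migrate the shamir shares become recovery keys: keep them
        #     under the same custody, and keep this stanza present from then
        #     on (removing it needs a reverse migration).
        # seal "transit" {
        #   address = "https://<transit-openbao-host>:8200"
        #   key_name = "railiance-openbao-unseal"
        #   mount_path = "transit/"
        # }

        # NOTE(review): assumes this OpenBao release accepts an `audit` stanza
        # in server config — TODO confirm on 2.5.4; otherwise enable the
        # device with `bao audit enable file` during bootstrap.
        audit "file" "file" {
          description = "Default file audit device on the OpenBao audit PVC."
          options {
            file_path = "/openbao/audit/openbao-audit.log"
          }
        }

        service_registration "kubernetes" {}

        telemetry {
          prometheus_retention_time = "30s"
          disable_hostname = true
        }
  serviceAccount:
    create: true
    name: openbao
  serviceDiscovery:
    enabled: true
ui:
  enabled: true
  serviceType: ClusterIP
  activeOpenbaoPodOnly: false
csi:
  enabled: false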