Commented-out seal "transit" stanza in the OpenBao server config plus an 'Auto-Unseal via Transit Seal' doc section covering provisioning, seal migration, pod-restart proof, and the net-kingdom console evidence flags. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
# Railiance S3 OpenBao platform secrets service.
|
|
#
|
|
# This file intentionally contains no secret material. OpenBao initialization
|
|
# creates unseal keys and the initial root token; handle those outside Git
|
|
# during the bootstrap ceremony documented in docs/openbao.md.
|
|
|
|
global:
|
|
namespace: openbao
|
|
tlsDisable: true
|
|
|
|
injector:
|
|
enabled: false
|
|
|
|
server:
|
|
enabled: true
|
|
logLevel: info
|
|
logFormat: json
|
|
|
|
image:
|
|
registry: quay.io
|
|
repository: openbao/openbao
|
|
tag: "2.5.4"
|
|
pullPolicy: IfNotPresent
|
|
|
|
resources:
|
|
requests:
|
|
cpu: 100m
|
|
memory: 256Mi
|
|
limits:
|
|
cpu: 500m
|
|
memory: 512Mi
|
|
|
|
# Public browser ingress is owned by helm/openbao-ui-overlay-k8s.yaml so the
|
|
# KeyCape login overlay gateway can inject overlay assets.
|
|
ingress:
|
|
enabled: false
|
|
|
|
authDelegator:
|
|
enabled: true
|
|
|
|
# Single-node Railiance01 bootstrap. Remove this override and scale
|
|
# server.ha.replicas when Railiance02/03 join with distributed storage.
|
|
affinity: ""
|
|
|
|
readinessProbe:
|
|
enabled: true
|
|
path: /v1/sys/health?standbyok=true&sealedcode=204&uninitcode=204
|
|
port: 8200
|
|
|
|
livenessProbe:
|
|
enabled: true
|
|
path: /v1/sys/health?standbyok=true&sealedcode=204&uninitcode=204
|
|
port: 8200
|
|
initialDelaySeconds: 60
|
|
|
|
networkPolicy:
|
|
enabled: true
|
|
ingress:
|
|
- from:
|
|
- namespaceSelector: {}
|
|
ports:
|
|
- port: 8200
|
|
protocol: TCP
|
|
- port: 8201
|
|
protocol: TCP
|
|
|
|
dataStorage:
|
|
enabled: true
|
|
size: 5Gi
|
|
storageClass: local-path
|
|
accessMode: ReadWriteOnce
|
|
|
|
auditStorage:
|
|
enabled: true
|
|
size: 2Gi
|
|
storageClass: local-path
|
|
accessMode: ReadWriteOnce
|
|
|
|
standalone:
|
|
enabled: false
|
|
|
|
ha:
|
|
enabled: true
|
|
replicas: 1
|
|
disruptionBudget:
|
|
enabled: false
|
|
raft:
|
|
enabled: true
|
|
setNodeId: true
|
|
config: |
|
|
ui = true
|
|
|
|
listener "tcp" {
|
|
tls_disable = 1
|
|
address = "[::]:8200"
|
|
cluster_address = "[::]:8201"
|
|
|
|
telemetry {
|
|
unauthenticated_metrics_access = "true"
|
|
}
|
|
}
|
|
|
|
storage "raft" {
|
|
path = "/openbao/data"
|
|
}
|
|
|
|
# auto-unseal-transit custody model (net-kingdom NET-WP-0020 T4).
|
|
# Disabled by default: shamir seal + manual/SOPS-held unseal applies.
|
|
# To enable: provision an external transit OpenBao (or cloud KMS),
|
|
# create the unseal key, put the transit token in a k8s secret exposed
|
|
# as BAO_SEAL_TRANSIT_TOKEN via server.extraSecretEnvironmentVars
|
|
# (token never in Git), uncomment, upgrade the release, then run the
|
|
# seal migration: bao operator unseal -migrate (threshold shares).
|
|
# Select `auto-unseal-transit` in the net-kingdom bootstrap console and
|
|
# set openbao_transit_seal_configured / openbao_auto_unseal_verified
|
|
# after a pod-restart unseal proof.
|
|
# seal "transit" {
|
|
# address = "https://<transit-openbao-host>:8200"
|
|
# key_name = "railiance-openbao-unseal"
|
|
# mount_path = "transit/"
|
|
# }
|
|
|
|
audit "file" "file" {
|
|
description = "Default file audit device on the OpenBao audit PVC."
|
|
|
|
options {
|
|
file_path = "/openbao/audit/openbao-audit.log"
|
|
}
|
|
}
|
|
|
|
service_registration "kubernetes" {}
|
|
|
|
telemetry {
|
|
prometheus_retention_time = "30s"
|
|
disable_hostname = true
|
|
}
|
|
|
|
serviceAccount:
|
|
create: true
|
|
name: openbao
|
|
serviceDiscovery:
|
|
enabled: true
|
|
|
|
ui:
|
|
enabled: true
|
|
serviceType: ClusterIP
|
|
activeOpenbaoPodOnly: false
|
|
|
|
csi:
|
|
enabled: false
|
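Review bot: The commented `seal "transit"` block under `storage "raft"` sets `address`, `key_name` and `mount_path` but nothing about how the HTTPS endpoint is trusted or how the seal authenticates, so whoever uncomments it has to work that out under time pressure during a migration. Add `tls_ca_cert = "/openbao/userconfig/<transit-ca-secret>/ca.pem"` (a placeholder path to be filled in) beside `address` so the stanza does not invite `tls_skip_verify`, and extend the preceding comment to require a renewable token whose policy is limited to encrypt/decrypt on `railiance-openbao-unseal`, because an expired or over-privileged token either blocks unsealing after a restart or exposes more of the transit engine than the seal needs. I cannot confirm from this file that `BAO_SEAL_TRANSIT_TOKEN` is the variable the OpenBao transit seal actually reads; please check it against the seal documentation, since a wrong name leaves the seal with no token at all. The comment should also state where the existing shamir shares go after `bao operator unseal -migrate` (they become recovery keys) and that the transit OpenBao now sits on the unseal path, so its own availability and custody belong in the same runbook; the `networkPolicy` here is ingress-only, so any egress policy applied elsewhere must allow reaching the transit host on its listener port.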