# OpenBao on OKD or OpenShift

Should work on plain k8s also ;-)

## install
- Edit:
  - `kustomization.yaml`: mainly namespace, repo and version
  - `values.yaml`: the main part are the two variables at the top of the file: `url` & `storageclass`
- Generate the sealed-secrets (or secrets) for the static unseal:

  ```shell
  # for sealed-secret
  ./make-unseal-key.sh -n my-openbao-namespace -t sealed -s my-sealed-secret-namespace
  # for plain secrets
  ./make-unseal-key.sh -n my-openbao-namespace -t raw -s my-sealed-secret-namespace
  ```

  You have to do this only once per installation. These are the static unseal keys for OpenBao.
- After this you can roll out the deployment with:

  ```shell
  oc kustomize . --enable-helm | oc apply -f -
  ```
Now you will get a StatefulSet with 3 replicas, but you have to initialize the cluster one time:

```shell
# init first cluster member
kubectl exec -ti openbao-dev-0 -- bao operator init
```

Write down the initial root token you get (don't lose it!)

```shell
# let the other two members join the cluster
kubectl exec -ti openbao-dev-1 -- bao operator raft join http://openbao-dev-0.openbao-dev-internal:8200
# wait for openbao-dev-1 readiness (1/1)
kubectl exec -ti openbao-dev-2 -- bao operator raft join http://openbao-dev-0.openbao-dev-internal:8200
# cluster ready?
oc exec -ti openbao-dev-0 -- bao status
```
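The init and join steps above, as an added example that is not part of this repository: a POSIX shell script that runs them with readiness checks between the members and skips steps that were already done, so a second run does not re-initialize or re-join. The StatefulSet name `openbao-dev`, the headless service `openbao-dev-internal`, port 8200 and the 3 replicas are taken from the commands above; it assumes `kubectl wait` and the key/value table printed by `bao status` behave as in the standard CLI (`bao status` exits non-zero while a node is sealed or uninitialized, so the script reads the fields instead of trusting the exit code). Nothing is executed against a cluster unless `OPENBAO_BOOTSTRAP=1` is set.

```shell
#!/bin/sh
# Added example, not part of this repository: bootstrap the 3-member raft
# cluster from the README with readiness checks between the steps.
# Assumed names (taken from the README's commands): StatefulSet "openbao-dev",
# headless service "openbao-dev-internal", API port 8200, 3 replicas.
# Nothing runs against a cluster unless OPENBAO_BOOTSTRAP=1 is set.
set -u

STS="${STS:-openbao-dev}"
HEADLESS="${HEADLESS:-openbao-dev-internal}"
PORT="${PORT:-8200}"
REPLICAS="${REPLICAS:-3}"

# Cluster-internal address of StatefulSet member $1 (plain http inside the
# namespace; TLS is terminated at the route in front of the UI).
member_addr() {
  printf 'http://%s-%s.%s:%s\n' "$STS" "$1" "$HEADLESS" "$PORT"
}

# Pull one single-word field ("Initialized", "Sealed", ...) out of the
# key/value table that `bao status` prints. $1 = field name, $2 = status text.
status_field() {
  printf '%s\n' "$2" | awk -v f="$1" '$1 == f { print $2 }'
}

# Text output of `bao status` on member $1. The command exits non-zero while
# the node is sealed or uninitialized, so the exit code is ignored here and
# the fields are inspected instead.
member_status() {
  kubectl exec "$STS-$1" -- bao status 2>/dev/null || true
}

# Block until pod $1 reports Ready (1/1); with the static unseal keys in place
# a member becomes Ready once it is initialized (or joined) and unsealed.
wait_ready() {
  kubectl wait --for=condition=Ready "pod/$STS-$1" --timeout=300s
}

bootstrap() {
  # 1. initialize member 0 exactly once; a re-run must not init again
  if [ "$(status_field Initialized "$(member_status 0)")" != "true" ]; then
    echo ">> initializing $STS-0 (write down the root token it prints!)" >&2
    kubectl exec -i "$STS-0" -- bao operator init
  fi
  wait_ready 0

  # 2. join the remaining members one at a time, waiting for each to become
  #    Ready before the next join, as the README asks for
  i=1
  while [ "$i" -lt "$REPLICAS" ]; do
    if [ "$(status_field Initialized "$(member_status "$i")")" != "true" ]; then
      kubectl exec -i "$STS-$i" -- bao operator raft join "$(member_addr 0)"
    fi
    wait_ready "$i"
    i=$((i + 1))
  done

  # 3. final check: every member must be unsealed, then list the raft peers
  i=0
  while [ "$i" -lt "$REPLICAS" ]; do
    [ "$(status_field Sealed "$(member_status "$i")")" = "false" ] \
      || { echo "!! $STS-$i is still sealed" >&2; return 1; }
    i=$((i + 1))
  done
  kubectl exec -i "$STS-0" -- bao operator raft list-peers
}

if [ "${OPENBAO_BOOTSTRAP:-0}" = "1" ]; then
  bootstrap
fi
```

Run it from a shell that is logged in to the right namespace (`oc project my-openbao-namespace`) with `OPENBAO_BOOTSTRAP=1 sh bootstrap.sh`; the root token is only ever printed by `bao operator init` on the terminal, never written to a file by the script.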
## use

You can now use the web frontend via your configured URL as a TLS service.

If you want to use the `bao` command line you have to set `VAULT_ADDR` to your URL.
Peter Pfläging peter@pflaeging.net