mirror of
https://github.com/cozystack/cozystack.git
synced 2026-03-02 22:59:06 +00:00
## What this PR does

Adds OpenBAO (open-source Vault fork) as a new managed PaaS application in Cozystack.

**Structure follows existing app patterns (qdrant, nats):**

- System chart with vendored upstream `openbao/openbao` (chart v0.25.3, appVersion v2.5.0)
- App chart with standalone/HA mode switching based on replicas count
- TLS via cert-manager self-signed certificates per instance
- ApplicationDefinition, PackageSource, PaaS bundle entry
- E2E test with init/unseal workflow

**Key design decisions:**

- `replicas: 1` → standalone mode with file storage; `replicas > 1` → HA with Raft integrated storage and retry_join with TLS peer verification
- TLS enabled by default — each instance gets a self-signed Certificate with DNS SANs covering services and pod addresses
- `disable_mlock = true` in HCL config since the default security context drops the IPC_LOCK capability
- Injector and CSI provider disabled (cluster-scoped components, not safe per-tenant)
- No auto-init/unseal — OpenBAO requires manual initialization by design
- E2E test performs the full lifecycle: deploy, wait for certificate + API, init, unseal, verify readiness, cleanup

### Release note

```release-note
[apps] Add OpenBAO as a managed secrets management service with standalone and HA Raft modes, TLS enabled by default
```

<!-- This is an auto-generated comment: release notes by coderabbit.ai -->

## Summary by CodeRabbit

## Release Notes

* **New Features**
  * Added OpenBAO managed secrets management service with high-availability and standalone deployment options
  * Integrated monitoring and dashboards for operational visibility
  * Enabled configurable external access and web UI
  * Added automated snapshot backup capability

<!-- end of auto-generated comment: release notes by coderabbit.ai -->
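The `replicas`-driven switch and the TLS peer verification on `retry_join` described above, shown as two rendered OpenBAO server configs. This is an added illustration written by the editor, not the chart template from this PR: the mount paths under `/openbao/`, the `openbao-internal` service name, the `tenant-a` namespace and the three-pod naming are assumptions, and the real chart renders its own values. The two configs are separate files (one `storage` stanza per server) shown in one block for comparison.

```hcl
# Added example, not the PR's chart output. All paths, hostnames and the
# "tenant-a" namespace are assumed for illustration.

# ---- standalone.hcl: replicas: 1 -> file storage, no peers --------------------
ui            = true
disable_mlock = true   # the container drops IPC_LOCK, so mlock() would fail and
                       # OpenBAO would refuse to start without this

listener "tcp" {
  address       = "[::]:8200"
  tls_cert_file = "/openbao/tls/tls.crt"   # from the per-instance cert-manager Certificate
  tls_key_file  = "/openbao/tls/tls.key"
}

storage "file" {
  path = "/openbao/data"
}

# ---- ha.hcl: replicas > 1 -> Raft integrated storage with retry_join ----------
ui            = true
disable_mlock = true

# Advertised addresses use the pod's stable StatefulSet DNS name. Both hostnames
# must appear in the certificate's DNS SANs or peers will reject the handshake.
api_addr     = "https://openbao-0.openbao-internal.tenant-a.svc:8200"
cluster_addr = "https://openbao-0.openbao-internal.tenant-a.svc:8201"

listener "tcp" {
  address         = "[::]:8200"
  cluster_address = "[::]:8201"
  tls_cert_file   = "/openbao/tls/tls.crt"
  tls_key_file    = "/openbao/tls/tls.key"
}

storage "raft" {
  path    = "/openbao/data"
  node_id = "openbao-0"   # must be unique per pod; how the chart sets it is not shown here

  # One retry_join per peer. leader_ca_cert_file pins the CA that issued the
  # peers' certificates; without it the self-signed chain verifies against
  # nothing this node trusts and the join is refused, which is the intended
  # failure mode. The client cert/key let the leader verify this node in turn.
  retry_join {
    leader_api_addr         = "https://openbao-0.openbao-internal.tenant-a.svc:8200"
    leader_ca_cert_file     = "/openbao/tls/ca.crt"
    leader_client_cert_file = "/openbao/tls/tls.crt"
    leader_client_key_file  = "/openbao/tls/tls.key"
  }
  retry_join {
    leader_api_addr         = "https://openbao-1.openbao-internal.tenant-a.svc:8200"
    leader_ca_cert_file     = "/openbao/tls/ca.crt"
    leader_client_cert_file = "/openbao/tls/tls.crt"
    leader_client_key_file  = "/openbao/tls/tls.key"
  }
  retry_join {
    leader_api_addr         = "https://openbao-2.openbao-internal.tenant-a.svc:8200"
    leader_ca_cert_file     = "/openbao/tls/ca.crt"
    leader_client_cert_file = "/openbao/tls/tls.crt"
    leader_client_key_file  = "/openbao/tls/tls.key"
  }
}
```

Two checks worth making against the rendered config in a real deployment: the `cluster_addr` hostname (port 8201, not just the API hostname) has to be covered by the Certificate's SANs, since Raft peers verify it during the cluster TLS handshake; and because `disable_mlock = true` lets the kernel page sensitive memory to disk, the nodes running these pods should have swap disabled or encrypted, which is the usual mitigation when mlock is unavailable.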