dbbf5c7ec4
Containing the initial package for Openbao application. Contains a
working package of openbao-helm, openbao-manager-helm,
python3-k8sapp-openbao, and stx-openbao-helm.
Test Plan:
PASS Packages are successfully built, and the application tarball is
created.
PASS Application is uploaded and applied with no errors
PASS Application is configured for sanity testing
PASS Application passes aware/unaware test for sanity
PASS Application functions when network access is restricted to
internal registry
Story: 2011244
Task: 51378
Change-Id: I10910b3cc00c3e45ebce0df20bbee53af3d8543b
Signed-off-by: Tae Park <tae.park@windriver.com>
185 lines
6.2 KiB
YAML
185 lines
6.2 KiB
YAML
#
|
|
# Copyright (c) 2024 Wind River Systems, Inc.
|
|
#
|
|
# SPDX-License-Identifier: Apache-2.0
|
|
#
|
|
|
|
# Values migrated from openbao helm chart
|
|
|
|
openbao:
|
|
name: openbao
|
|
fullname: stx-openbao
|
|
|
|
server:
|
|
version: 2.1.0
|
|
ha:
|
|
replicas: 1
|
|
|
|
# Openbao Manager specific values
|
|
manager:
|
|
image:
|
|
repository: starlingx/stx-vault-manager
|
|
tag: stx.10.0-v1.29.6-1
|
|
pullPolicy: IfNotPresent
|
|
|
|
chart: openbao_1.0.1
|
|
|
|
imagePullSecrets: []
|
|
|
|
# Rate at which openbao-manager checks status of openbao servers.
|
|
# After initialization of the raft, Openbao manager will loop forever
|
|
# checking the pods for openbao servers that need to be unsealed.
|
|
# This value is the sleep, in seconds, between intervals. Value
|
|
# must be a positive integer
|
|
statusCheckRate: 5
|
|
|
|
# After initial configuration, in combination with statusCheckRate,
|
|
# the amount of time to wait before unsealing a recovering openbao
|
|
# server. The option is intended to allow the active openbao server
|
|
# time to start sending heartbeats to the recovering pod before
|
|
# unsealing the server.
|
|
#
|
|
# A value of 0 indicates no wait time: unseal the openbao server without
|
|
# delay. The wait time is statusCheckRate * unsealWaitIntervals.
|
|
# Default is 5 s/interval * 3 intervals == 15 seconds.
|
|
#
|
|
unsealWaitIntervals: 3
|
|
|
|
api:
|
|
# Network timeout for queries to openbao server /sys/health endpoint
|
|
#
|
|
# The maximum time in seconds to wait for a server to respond to
|
|
# health query. This applies for the HA recovery situations, not the
|
|
# initialization of openbao cluster. Unsetting the value is not
|
|
# recommended, and defaults to timeout of 120 seconds.
|
|
#
|
|
# openbao-manager will appear to hang if healthQueryTimeout is
|
|
# over-large. This setting affects the logs, since openbao-manager will
|
|
# issue a log when the 'sealed' status toggles between true/false and
|
|
# the 'unknown' value
|
|
healthQueryTimeout: 2
|
|
|
|
# Network timeout for openbao API operations against /sys/unseal
|
|
#
|
|
# The maximum time in seconds to wait for a server to respond to
|
|
# the unseal request.
|
|
unsealOpTimeout: 10
|
|
|
|
# Network timeout for queries to openbao server /sys/rekey/init
|
|
# and /sys/rekey/verify
|
|
#
|
|
# The maximum time in seconds to wait for a server to respond to
|
|
# the query.
|
|
rekeyStatusTimeout: 2
|
|
|
|
# Network timeout for openbao API operations against /sys/rekey/init
|
|
# and /sys/rekey/verify
|
|
#
|
|
# The maximum time in seconds to wait for a server to respond to
|
|
# the request.
|
|
rekeyOpTimeout: 10
|
|
|
|
rekey:
|
|
# During upgrade of the application from PVC storage to storage
|
|
# using kubernetes, enable openbao rekey to run automatically to
|
|
# resecure the openbao with new shards.
|
|
# See also openbao documentation:
|
|
# https://openbao.org/docs/concepts/seal/#rekeying
|
|
# https://openbao.org/api-docs/system/rekey
|
|
#
|
|
enableOnPVCConversion: true
|
|
|
|
k8s:
|
|
# The major/minor version of kubectl client binary to use. Must
|
|
# exist within the openbao manager image for example
|
|
# client_version: v1.28
|
|
client_version: ""
|
|
|
|
waitTermination:
|
|
# During upgrade of the application from PVC storage to storage
|
|
# using kubernetes, wait for previous version of openbao manager
|
|
# to terminate before proceding with the conversion of storage from PVC to
|
|
# kubernetes secrets.
|
|
#
|
|
# The maximum tries before proceding with the conversion of storage
|
|
# from PVC to kubernetes secrets.
|
|
maxTries: 12
|
|
|
|
# Number of seconds slept between each tries before proceding with
|
|
# the conversion of storage from PVC to kubernetes secrets.
|
|
sleepTime: 5
|
|
|
|
# Labeling pods for StarlingX core management. Setting 'true' will schedule pods to be run on
|
|
# application cores, while setting 'false' will schedule pods to be run on platform cores.
|
|
labels:
|
|
isApplication: false
|
|
|
|
# Request openbao-manager to pause on startup.
|
|
#
|
|
# The pause feature allows execution of openbao-manager to be suspended
|
|
# for external operations or for debugging. A pause_on_trap file will
|
|
# be created with the content of this value. Values may include a
|
|
# positive integer matching a call of exit_on_trap
|
|
#
|
|
# pause: 1
|
|
|
|
# Debugging option to improve log reading, allow more verbose logging
|
|
# DEBUG: 1
|
|
# INFO: 2
|
|
# WARNING: 3
|
|
# ERROR: 4
|
|
# FATAL: 5
|
|
log:
|
|
defaultLogLevel: 2
|
|
|
|
# All options related to openbao manager healthcheck funtion
|
|
healthcheck:
|
|
# Disables the healthcheck function. It will always return as "healthy"
|
|
# When this is set to true
|
|
disableHC: false
|
|
|
|
# Enables the network excuse of the healthcheck function. When enabled,
|
|
# healthcheck function will always return as "healthy" when openbao manager
|
|
# is accessing openbao REST API
|
|
enableNetwork: true
|
|
|
|
# Enables the initialization excuse of the healthcheck funtion. When
|
|
# enabled, healthcheck function will always return as "healthy" when openbao
|
|
# manager is initializing
|
|
enableInit: true
|
|
|
|
# Enables the pause excuse of the healthcheck function. when enabled,
|
|
# healthcheck function will always return as "healthy" when openbao manager
|
|
# is paused during exit_on_trap by the pause option.
|
|
enablePause: true
|
|
|
|
# Maximum threshold in seconds, between the last heartbeat and healthcheck.
|
|
# If the time passed between the last heartbeat and the latest healthcheck
|
|
# passes the threshold value, then the healthcheck will fail if no excuses
|
|
# were found.
|
|
heartbeatThreshold: 30
|
|
|
|
# All options related to openbao manager liveness probe. Consult the kubernetes
|
|
# documentation to find more details on each options.
|
|
livenessProbe:
|
|
|
|
# Number of seconds before the first probe is initiated
|
|
initialDelaySeconds: 0
|
|
|
|
# Number of seconds between each probe
|
|
periodSeconds: 10
|
|
|
|
# Number of seconds before the probe times out
|
|
timeoutSeconds: 1
|
|
|
|
# Number of successful probes required for the pod to be considered
|
|
# successful.
|
|
successThreshold: 1
|
|
|
|
# Number of failed probes required for the pod to be considered failed
|
|
failureThreshold: 3
|
|
|
|
# Number of seconds to wait from triggering the shutdown on the container,
|
|
# and the forced stop of the container by the container runtime.
|
|
terminationGracePeriodSeconds: 30
|