Initial upload

2025-05-21 15:04:28 +02:00 · 2025-05-21 15:04:28 +02:00 · dc5fab84fa
commit dc5fab84fa
parent bcb837e79e
115 changed files with 17102 additions and 0 deletions
--- a/otc/ABC/stacks/ref-implementation/openbao/manifests/role.yaml
+++ b/otc/ABC/stacks/ref-implementation/openbao/manifests/role.yaml
@ -0,0 +1,9 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: vault-token-role
+  namespace: openbao
+rules:
+  - apiGroups: [""] # "" indicates the core API group
+    resources: ["secrets"]
+    verbs: ["create"]
--- a/otc/ABC/stacks/ref-implementation/openbao/manifests/rolebinding.yaml
+++ b/otc/ABC/stacks/ref-implementation/openbao/manifests/rolebinding.yaml
@ -0,0 +1,13 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: vault-token-rolebinding
+  namespace: openbao
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: vault-token-role
+subjects:
+  - kind: ServiceAccount
+    name: openbao
+    namespace: openbao
--- a/otc/ABC/stacks/ref-implementation/openbao/values.yaml
+++ b/otc/ABC/stacks/ref-implementation/openbao/values.yaml
@ -0,0 +1,34 @@
+server:
+  postStart:
+    - sh
+    - -c
+    - |
+      echo --- unseal workaround
+
+      sleep 10
+      bao operator init >> /tmp/init.txt
+      cat /tmp/init.txt | grep "Key " | awk '{print $NF}' | xargs -I{} bao operator unseal {}
+      echo $(grep "Initial Root Token:" /tmp/init.txt | awk '{print $NF}')| cat > /openbao/data/initial_token.txt
+      echo $(grep "Unseal Key 1:" /tmp/init.txt | awk '{print $NF}')| cat > /openbao/data/unseal_key1.txt
+      echo $(grep "Unseal Key 2:" /tmp/init.txt | awk '{print $NF}')| cat > /openbao/data/unseal_key2.txt
+      echo $(grep "Unseal Key 3:" /tmp/init.txt | awk '{print $NF}')| cat > /openbao/data/unseal_key3.txt
+      echo $(grep "Unseal Key 4:" /tmp/init.txt | awk '{print $NF}')| cat > /openbao/data/unseal_key4.txt
+      echo $(grep "Unseal Key 5:" /tmp/init.txt | awk '{print $NF}')| cat > /openbao/data/unseal_key5.txt
+      rm /tmp/init.txt
+      
+
+      echo --- provide OpenBAO secret to ESO
+
+      if [[ "$(uname -m)" == "x86_64" ]]; then
+        wget "https://dl.k8s.io/release/$(wget https://dl.k8s.io/release/stable.txt -q -O -)/bin/linux/amd64/kubectl" -O /tmp/kubectl_eso
+      else
+        wget "https://dl.k8s.io/release/$(wget https://dl.k8s.io/release/stable.txt -q -O -)/bin/linux/arm64/kubectl" -O /tmp/kubectl_eso
+      fi
+      chmod +x /tmp/kubectl_eso
+
+      /tmp/kubectl_eso create secret generic vault-token --from-literal=token="$(cat /openbao/data/initial_token.txt)" -n openbao
+
+      rm /tmp/kubectl_eso
+
+ui:
+  enabled: true