40 changes: 39 additions & 1 deletion cli/cmd/install_openbao.go
Expand Up @@ -43,6 +43,10 @@ type InstallOpenBaoOpts struct {
Timeout time.Duration
AgeKeyFile string
Yes bool
OpenBaoImage string
BankVaultsImage string
OperatorImage string
OperatorChartRepo string
}

func (c *InstallOpenBaoCmd) RunE(_ *cobra.Command, _ []string) error {
Expand Down Expand Up @@ -74,6 +78,18 @@ func (c *InstallOpenBaoCmd) RunE(_ *cobra.Command, _ []string) error {
Timeout: c.Opts.Timeout,
AgeRecipient: recipient,
AgeKeyPath: keyPath,
// Optional GHCR credentials for the private OpenBao/bank-vaults image
// mirror. When both are set the installer creates a pull secret and
// wires it onto the openbao ServiceAccount; when unset, behavior is
// unchanged.
RegistryUser: os.Getenv("OMS_REGISTRY_USER"),
RegistryPassword: os.Getenv("OMS_REGISTRY_PASSWORD"),
// Image/chart overrides for mirrored OCI registries. Defaults are set on
// the flags (the installer's Default* values).
OpenBaoImage: c.Opts.OpenBaoImage,
BankVaultsImage: c.Opts.BankVaultsImage,
OperatorImage: c.Opts.OperatorImage,
OperatorChartRepo: c.Opts.OperatorChartRepo,
}

inst, err := installer.NewOpenBaoInstaller(cfg)
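Review bot: The os.Getenv pair at the top of this hunk silently tolerates a half-configured credential set. The comment says the pull secret is created only "when both are set", so a user who exports OMS_REGISTRY_USER but mistypes OMS_REGISTRY_PASSWORD gets an unauthenticated pull from the private default registry and an ImagePullBackOff later instead of an early error; consider failing fast in RunE when exactly one of the two is set. The same comment also says the secret is wired onto the openbao ServiceAccount only, while the Long help in the next hunk says "ServiceAccount and operator pod"; align one with the other.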
Expand Down Expand Up @@ -128,11 +144,29 @@ func AddInstallOpenBaoCmd(install *cobra.Command, opts *GlobalOptions) {
5. Wait for initialization to complete
6. Extract and encrypt unseal keys + password as SOPS DR backup

The command is idempotent and safe to re-run.`),
The command is idempotent and safe to re-run.

By default the OpenBao, bank-vaults, and operator images and the operator
Helm chart are pulled from the private Codesphere registry mirror. Use the
--openbao-image, --bank-vaults-image, --operator-image and
--operator-chart-repo flags to repoint them at your own mirrored OCI
registry.

Because the default registry is private, set both environment variables
below: the installer creates an image pull secret (with an entry for every
registry host the configured images live on), attaches it to the openbao
ServiceAccount and operator pod, and uses the credentials to authenticate
the operator chart pull. Leave them unset only on clusters with node-level
registry access or fully public images.

Environment variables:
OMS_REGISTRY_USER Registry username (e.g. GitHub user for ghcr.io)
OMS_REGISTRY_PASSWORD Registry token/PAT (read:packages for ghcr.io)`),
Example: formatExamples("install openbao", []packageio.Example{
{Cmd: "--dr-backup-path ./backups/cluster-1.enc.json", Desc: "Fresh bootstrap with DR backup saved locally"},
{Cmd: "--dr-backup-path ./backups/cluster-1.enc.json --secrets-engine my-engine --bao-user myuser", Desc: "Custom engine and user"},
{Cmd: "--dr-backup-path ./backups/cluster-1.enc.json --timeout 10m", Desc: "Extended timeout for slower clusters"},
{Cmd: "--dr-backup-path ./backups/cluster-1.enc.json --openbao-image my-mirror.example.com/openbao/openbao:2.5.4 --operator-chart-repo oci://my-mirror.example.com/bank-vaults/helm-charts", Desc: "Use a mirrored OCI registry (set OMS_REGISTRY_USER/OMS_REGISTRY_PASSWORD)"},
}),
},
Opts: &InstallOpenBaoOpts{GlobalOptions: opts},
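Review bot: The mirrored-registry example on the last Example line overrides only --openbao-image and --operator-chart-repo, so with the defaults described just above it would still pull the bank-vaults and operator images from the private Codesphere mirror, and the hint to set OMS_REGISTRY_USER/OMS_REGISTRY_PASSWORD would then apply to the default registry rather than the user's mirror. Either add --bank-vaults-image and --operator-image to that example or say in its Desc that the remaining images stay on the default mirror.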
Expand All @@ -146,6 +180,10 @@ func AddInstallOpenBaoCmd(install *cobra.Command, opts *GlobalOptions) {
openbao.cmd.Flags().DurationVar(&openbao.Opts.Timeout, "timeout", 5*time.Minute, "Timeout for waiting on initialization")
openbao.cmd.Flags().StringVarP(&openbao.Opts.AgeKeyFile, "age-key-file", "k", "", "Path to age private key file for SOPS encryption/decryption (auto-detected if not set)")
openbao.cmd.Flags().BoolVarP(&openbao.Opts.Yes, "yes", "y", false, "Auto-approve re-initialization of an existing deployment when no DR backup is found")
openbao.cmd.Flags().StringVar(&openbao.Opts.OpenBaoImage, "openbao-image", installer.DefaultOpenBaoImage, "OpenBao server image (override for a mirrored OCI registry)")
openbao.cmd.Flags().StringVar(&openbao.Opts.BankVaultsImage, "bank-vaults-image", installer.DefaultBankVaultsImage, "Bank-Vaults configurer image (override for a mirrored OCI registry)")
openbao.cmd.Flags().StringVar(&openbao.Opts.OperatorImage, "operator-image", installer.DefaultOperatorImage, "Bank-Vaults operator pod image (override for a mirrored OCI registry)")
openbao.cmd.Flags().StringVar(&openbao.Opts.OperatorChartRepo, "operator-chart-repo", installer.DefaultBankVaultsChartRepo, "OCI repo hosting the vault-operator Helm chart (override for a mirrored OCI registry)")

util.MarkFlagRequired(openbao.cmd, "dr-backup-path")

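Review bot: The --operator-chart-repo help string should state that the value is an oci:// URL, since the default and the example both use that scheme while the three image flags take bare image references; a user who passes a plain host path will only find out at chart-pull time. A cheap guard is to validate that prefix (and that the three image flags are non-empty) before the installer config is built.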
44 changes: 34 additions & 10 deletions docs/oms_install_openbao.md
Expand Up @@ -16,6 +16,23 @@ This command performs the full lifecycle:

The command is idempotent and safe to re-run.

By default the OpenBao, bank-vaults, and operator images and the operator
Helm chart are pulled from the private Codesphere registry mirror. Use the
--openbao-image, --bank-vaults-image, --operator-image and
--operator-chart-repo flags to repoint them at your own mirrored OCI
registry.

Because the default registry is private, set both environment variables
below: the installer creates an image pull secret (with an entry for every
registry host the configured images live on), attaches it to the openbao
ServiceAccount and operator pod, and uses the credentials to authenticate
the operator chart pull. Leave them unset only on clusters with node-level
registry access or fully public images.

Environment variables:
OMS_REGISTRY_USER Registry username (e.g. GitHub user for ghcr.io)
OMS_REGISTRY_PASSWORD Registry token/PAT (read:packages for ghcr.io)

```
oms install openbao [flags]
```
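Review bot: The "entry for every registry host the configured images live on" sentence deserves a warning: the single OMS_REGISTRY_USER/OMS_REGISTRY_PASSWORD pair is written into the pull secret for each host the four flags point at, so mixing a self-hosted mirror with the ghcr.io defaults sends the same token to both registries. Suggest adding a line that the credentials must be valid for, and should be scoped to, every host in use, and that users overriding only some flags should check which hosts remain. Since this file mirrors the Long help text, the same wording fix belongs in cli/cmd/install_openbao.go.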
Expand All @@ -32,21 +49,28 @@ $ oms install openbao --dr-backup-path ./backups/cluster-1.enc.json --secrets-en
# Extended timeout for slower clusters
$ oms install openbao --dr-backup-path ./backups/cluster-1.enc.json --timeout 10m

# Use a mirrored OCI registry (set OMS_REGISTRY_USER/OMS_REGISTRY_PASSWORD)
$ oms install openbao --dr-backup-path ./backups/cluster-1.enc.json --openbao-image my-mirror.example.com/openbao/openbao:2.5.4 --operator-chart-repo oci://my-mirror.example.com/bank-vaults/helm-charts

```

### Options

```
-k, --age-key-file string Path to age private key file for SOPS encryption/decryption (auto-detected if not set)
--bao-user string Username for the userpass auth method (ignored on restore, uses DR backup value) (default "admin")
--dr-backup-path string Path for SOPS-encrypted DR backup file (required)
-h, --help help for openbao
-n, --namespace string Kubernetes namespace for OpenBao deployment (default "vault")
--replicas int Number of OpenBao replicas (1 for single-node, odd number >= 3 for HA) (default 3)
--secrets-engine string Name of the KV-v2 secrets engine to provision (default "cs-secrets-engine")
--storage-size string PVC storage size for each OpenBao replica (default "10Gi")
--timeout duration Timeout for waiting on initialization (default 5m0s)
-y, --yes Auto-approve re-initialization of an existing deployment when no DR backup is found
-k, --age-key-file string Path to age private key file for SOPS encryption/decryption (auto-detected if not set)
--bank-vaults-image string Bank-Vaults configurer image (override for a mirrored OCI registry) (default "ghcr.io/codesphere-cloud/docker/banzaicloud/bank-vaults:1.19.0")
--bao-user string Username for the userpass auth method (ignored on restore, uses DR backup value) (default "admin")
--dr-backup-path string Path for SOPS-encrypted DR backup file (required)
-h, --help help for openbao
-n, --namespace string Kubernetes namespace for OpenBao deployment (default "vault")
--openbao-image string OpenBao server image (override for a mirrored OCI registry) (default "ghcr.io/codesphere-cloud/docker/quay.io/openbao/openbao-cs-patched:2.5.4")
--operator-chart-repo string OCI repo hosting the vault-operator Helm chart (override for a mirrored OCI registry) (default "oci://ghcr.io/codesphere-cloud/docker/ghcr.io/bank-vaults/helm-charts")
--operator-image string Bank-Vaults operator pod image (override for a mirrored OCI registry) (default "ghcr.io/codesphere-cloud/docker/ghcr.io/bank-vaults/vault-operator:1.24.0")
--replicas int Number of OpenBao replicas (1 for single-node, odd number >= 3 for HA) (default 3)
--secrets-engine string Name of the KV-v2 secrets engine to provision (default "cs-secrets-engine")
--storage-size string PVC storage size for each OpenBao replica (default "10Gi")
--timeout duration Timeout for waiting on initialization (default 5m0s)
-y, --yes Auto-approve re-initialization of an existing deployment when no DR backup is found
```

### SEE ALSO
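Review bot: The new defaults shown in the Options block pin the three images by tag only (2.5.4, 1.19.0, 1.24.0); on a mirror that re-tags or re-syncs, a tag can resolve to different content than what this release was tested against. Consider pinning the Default* constants by digest (image@sha256:...) or documenting the digests the release was validated with so operators can verify their mirror, and note in this block that the three image flags and --operator-chart-repo should normally be overridden together.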
4 changes: 4 additions & 0 deletions internal/installer/manifests/openbao/vault-cr.yaml
Expand Up @@ -6,6 +6,10 @@ kind: ServiceAccount
metadata:
name: openbao
namespace: {{ .Namespace }}
{{- if .ImagePullSecretName }}
imagePullSecrets:
- name: {{ .ImagePullSecretName }}
{{- end }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
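Review bot: The imagePullSecrets reference on the openbao ServiceAccount assumes a Secret named {{ .ImagePullSecretName }} already exists in {{ .Namespace }} when this manifest is applied; the hunk does not show where it is created, so please confirm the ordering so the first pod is not scheduled before the secret exists. The Long help also says the secret is attached to the operator pod, which this manifest does not cover; if that is done through the Helm chart values, a comment here pointing to it would help the next reader.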