refactor/openbao-instance #312

johnride · 2026-05-29T21:34:05Z

johnride commented

2026-05-29 21:34:05 +00:00

No description provided.

johnride added 3 commits 2026-05-29 21:34:06 +00:00

docs(fleet): manual staging deploy is interim; drop premature CD workflow d687b29f35

Full in-cluster CD is blocked on headless OpenBao auth (Zitadel machine
identity), so the clickable deploy-staging workflow + its runner would be
dead config. Drop it; document the manual operator deploy (same secure
OpenBao-config path) until the auth flow lands.

feat(openbao): optional cert-manager ingress TLS 1f525cd5d1

OpenbaoScore.tls_issuer: Some(issuer) adds the cert-manager
cluster-issuer annotation + tls block (edge TLS, listener stays plain);
None keeps plain HTTP. Option<String> not bool — cert-manager needs the
issuer name. Rendering extracted to values() and covered by tests.

refactor(openbao): share OpenbaoInstance across deploy + setup scores

Run Check Script / check (pull_request) Successful in 2m21s

Details

7638611b9f

namespace/release/pod were duplicated as independent literals across
OpenbaoScore (hardcoded) and OpenbaoSetupScore (defaults) — pod was a
derived fact (`{release}-0`) stored as a literal that rots if release
changes, and namespace agreement was by coincidence. Introduce
OpenbaoInstance { namespace, release } with a derived pod(); both scores
take it. Only the shared identity moves; per-score knobs (host, tls,
kv_mount, policies, …) stay on their owner.

johnride merged commit 03bc98cd38 into feat/fleet-cd-staging-deploy

2026-05-29 21:50:47 +00:00

johnride deleted branch refactor/openbao-instance

2026-05-29 21:50:47 +00:00

johnride referenced this issue from a commit

2026-05-29 21:50:48 +00:00

Merge pull request 'refactor/openbao-instance' (#312) from refactor/openbao-instance into feat/fleet-cd-staging-deploy

Sign in to join this conversation.

1 Participants

Notifications

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: NationTech/harmony#312