refactor/openbao-instance #312

Merged

johnride merged 3 commits from refactor/openbao-instance into feat/fleet-cd-staging-deploy

2026-05-29 21:50:47 +00:00

Author	SHA1	Message	Date
Jean-Gabriel Gill-Couture	7638611b9f	refactor(openbao): share OpenbaoInstance across deploy + setup scores All checks were successful Run Check Script / check (pull_request) Successful in 2m21s Details namespace/release/pod were duplicated as independent literals across OpenbaoScore (hardcoded) and OpenbaoSetupScore (defaults) — pod was a derived fact (`{release}-0`) stored as a literal that rots if release changes, and namespace agreement was by coincidence. Introduce OpenbaoInstance { namespace, release } with a derived pod(); both scores take it. Only the shared identity moves; per-score knobs (host, tls, kv_mount, policies, …) stay on their owner.	2026-05-29 17:32:26 -04:00
Jean-Gabriel Gill-Couture	1f525cd5d1	feat(openbao): optional cert-manager ingress TLS OpenbaoScore.tls_issuer: Some(issuer) adds the cert-manager cluster-issuer annotation + tls block (edge TLS, listener stays plain); None keeps plain HTTP. Option<String> not bool — cert-manager needs the issuer name. Rendering extracted to values() and covered by tests.	2026-05-29 17:02:23 -04:00
Jean-Gabriel Gill-Couture	d687b29f35	docs(fleet): manual staging deploy is interim; drop premature CD workflow Full in-cluster CD is blocked on headless OpenBao auth (Zitadel machine identity), so the clickable deploy-staging workflow + its runner would be dead config. Drop it; document the manual operator deploy (same secure OpenBao-config path) until the auth flow lands.	2026-05-29 16:07:01 -04:00

Author

SHA1

Message

Date

Jean-Gabriel Gill-Couture

7638611b9f

refactor(openbao): share OpenbaoInstance across deploy + setup scores

Run Check Script / check (pull_request) Successful in 2m21s

Details

namespace/release/pod were duplicated as independent literals across
OpenbaoScore (hardcoded) and OpenbaoSetupScore (defaults) — pod was a
derived fact (`{release}-0`) stored as a literal that rots if release
changes, and namespace agreement was by coincidence. Introduce
OpenbaoInstance { namespace, release } with a derived pod(); both scores
take it. Only the shared identity moves; per-score knobs (host, tls,
kv_mount, policies, …) stay on their owner.

2026-05-29 17:32:26 -04:00

Jean-Gabriel Gill-Couture

1f525cd5d1

feat(openbao): optional cert-manager ingress TLS

OpenbaoScore.tls_issuer: Some(issuer) adds the cert-manager
cluster-issuer annotation + tls block (edge TLS, listener stays plain);
None keeps plain HTTP. Option<String> not bool — cert-manager needs the
issuer name. Rendering extracted to values() and covered by tests.

2026-05-29 17:02:23 -04:00

Jean-Gabriel Gill-Couture

d687b29f35

docs(fleet): manual staging deploy is interim; drop premature CD workflow

Full in-cluster CD is blocked on headless OpenBao auth (Zitadel machine
identity), so the clickable deploy-staging workflow + its runner would be
dead config. Drop it; document the manual operator deploy (same secure
OpenBao-config path) until the auth flow lands.

2026-05-29 16:07:01 -04:00

refactor/openbao-instance #312

3 Commits