feat/fleet-staging-openbao #313

Open

johnride wants to merge 11 commits from feat/fleet-staging-openbao into master

pull from: feat/fleet-staging-openbao

merge into: NationTech:master

NationTech:master

NationTech:feat/fleet-ch2-operator-recovery

NationTech:feat/fleet-device-exec-logs

NationTech:feat/zitadel-web-pkce-and-human-user

NationTech:feat/jwt-bearer-openbao-auth

NationTech:feat/fleet-ch5-graceful-deploy-upgrade

NationTech:feat/fleet-ch4-agent-upgrade

NationTech:feat/fleet-ch3-log-streaming

NationTech:feat/add-claims-for-openbao

NationTech:refactor/move-zitadel-jwt-to-module

NationTech:feat/fleet-operator-real-data

NationTech:docs/fleet-secrets-device-access

NationTech:chore/fleet-operator-prune-mock-dtos

NationTech:chore/rename-release-to-publish

NationTech:refactor/config-namespace-env-var

NationTech:feat/auth-add-next-url-redirect

NationTech:pr/harmony-sso-example

NationTech:feat/unified-config-and-secrets

NationTech:ci/fleet-argo-cd

NationTech:ci/fleet-operator-release-pipeline

NationTech:feat/on-device-key-gen

NationTech:feat/install-gitea

NationTech:feat/v0-3-logs-companion

NationTech:refactor/smoke-companion-minimal

NationTech:feat/smoke-test-contract

NationTech:feat/iobench-redpanda-profile

NationTech:feat/v0-3-dashboard-role-enforcement

NationTech:feat/v0-3-init-containers

NationTech:feat/v0-3-operator-restart-baseline

NationTech:feat/fleet-e2e-x86

NationTech:feat/ceph-score

NationTech:feat/opnsense-bootstrap-score

NationTech:feat/fleet-e2e

NationTech:feat/fleet-e2e-harness-and-ping

NationTech:feat/dashboard-auth

NationTech:feat/fleet-operator-web-frontend

NationTech:feat/deploy_fleet_server_side

NationTech:feat/openwebui

NationTech:feat/iot-aggregation-scale

NationTech:feat/iot-operator-helm-chart

NationTech:feat/removesideeffect

NationTech:feat/test-alert-receivers-sttest

NationTech:feat/brocade-client-add-vlans

NationTech:feat/agent-desired-state

NationTech:feat/opnsense-dns-implementation

NationTech:feat/named-config-instances

NationTech:worktree-bridge-cse_012j1jB37XfjXvDGHUjHrKSj

NationTech:chore/leftover-adr

NationTech:feat/config_e2e_zitadel_openbao

NationTech:example/vllm

NationTech:feat/config_sqlite

NationTech:chore/roadmap

NationTech:feature/kvm-module

NationTech:feat/rustfs

NationTech:feat/harmony_assets

NationTech:feat/brocade_assisted_setup

NationTech:feat/cluster_alerting_score

NationTech:e2e-tests-multicluster

NationTech:fix/refactor_alert_receivers

NationTech:feat/change-node-readiness-strategy

NationTech:feat/zitadel

NationTech:feat/improve-inventory-discovery

NationTech:fix/monitoring_abstractions_openshift

NationTech:feat/nats-jetstream

NationTech:adr-nats-creds

NationTech:feat/st_test

NationTech:feat/dockerAutoinstall

NationTech:chore/cleanup_hacluster

NationTech:doc/cert-management

NationTech:feat/certificate_management

NationTech:adr/017-staleness-failover

NationTech:fix/nats_non_root

NationTech:feat/rebuild_inventory

NationTech:fix/opnsense_update

NationTech:feat/unshedulable_control_planes

NationTech:feat/worker_okd_install

NationTech:doc-and-braindump

NationTech:fix/pxe_install

NationTech:switch-client

NationTech:okd_enable_user_workload_monitoring

NationTech:configure-switch

NationTech:fix/clippy

NationTech:feat/gen-ca-cert

NationTech:feat/okd_default_ingress_class

NationTech:fix/add_routes_to_domain

NationTech:secrets-prompt-editor

NationTech:feat/multisiteApplication

NationTech:feat/ceph-install-score

NationTech:feat/ceph-osd-score

NationTech:feat/ceph_validate_health

NationTech:better-indicatif-progress-grouped

NationTech:feat/crd-alertmanager-configs

NationTech:better-cli

NationTech:opnsense_upgrade

NationTech:feat/monitoring-application-feature

NationTech:dev/postgres

NationTech:feat/cd/localdeploymentdemo

NationTech:feat/webhook_receiver

NationTech:feat/kube-prometheus

NationTech:feat/init_k8s_tenant

NationTech:feat/discord-webhook-receiver

NationTech:feat/kube-prometheus-monitor

NationTech:feat/tenantScore

NationTech:feat/teams-integration

NationTech:feat/slack-notifs

NationTech:monitoring

NationTech:runtime-profiles

Conversation 0 Commits 11 Files Changed 18 +813 -443

johnride commented 2026-05-30 02:41:26 +00:00

Owner

Copy Link

No description provided.

johnride added 2 commits 2026-05-30 02:41:27 +00:00

feat(fleet-staging): add OpenBao + seed FleetDeploySecrets; route operator creds through the deploy crate ... 0400e9d454

fleet_staging_install now deploys OpenBao (co-located in fleet-staging,
cert-manager TLS at secrets-stg.<base>), configures it (fleet-deployer
read policy), and seeds the operator's FleetDeploySecrets so the operator
can be upgraded alone via 'harmony-fleet-deploy --from-tag'. Behavior of
the existing bring-up is unchanged.

Credential-TOML construction moved out of the example into
OperatorCredentials::zitadel_jwt (deploy crate) so all callers share it.
New openbao::cached_root_token() lets the seed reuse the root token setup
already cached. Seeding mirrors the harmony_sso port-forward pattern.

refactor(fleet-staging): use tracing instead of println for output ... fac83d853d

Swap env_logger for tracing_subscriber (its fmt bridges the framework's
log:: deploy-progress output) and route the install banner + step logs
through tracing::info! — no raw println.

johnride added 1 commit 2026-05-30 09:04:47 +00:00

feat: Use tracing instead of logger in harmon_cli and work on fleet_staging_install refactor to use harmony_cli properly, still some more work to do 199e285e52

johnride added 2 commits 2026-05-30 12:41:00 +00:00

refactor(harmony_cli): defer topology prep so --list/declined runs are no-ops ... af3205d353

`Maestro::initialize` (hence `topology.ensure_ready()`) ran before `init`'s
`--list` / confirmation short-circuits, so merely listing a binary's scores —
or declining to run them — still prepared the topology (cert-manager install,
etc.). Build the maestro unprepared and call `prepare_topology()` only once we
commit to interpreting. Expose `Maestro::prepare_topology`; add tests proving
`--list` skips prep while the run path triggers it.

feat: Example openbao now can do openbao setup and better readme 4fef957edb

johnride added 2 commits 2026-05-30 15:13:53 +00:00

fix(harmony_cli): drop ANSI colour codes around log emojis ... 44aa83199a

`console::style(emoji).green()/.yellow()/.red()/.blue()` embedded raw ANSI
escapes in the message string. `console` force-emits them off its own TTY
detection, which disagrees with the tracing writer, so they leaked as literal
`\x1b[..m` garbage around the emoji. Emit plain emojis — the glyph already
conveys status and the tracing fmt layer still colours the level.

fix(openbao): scope unseal-keys cache file per instance ... 57d056fced

The root token + unseal keys were written to a single fixed
`~/.local/share/harmony/openbao/unseal-keys.json`, so deploying a second
OpenBao instance (different namespace/release) overwrote the first's keys —
after which the first could never be unsealed. Key the file by
namespace+release (`unseal-keys-<ns>-<release>.json`); `cached_root_token`
now takes the `OpenbaoInstance` to read the right one.

johnride added 1 commit 2026-05-31 13:06:25 +00:00

feat: fleet deploy uses configuration from configclient for all settings, update the 0_3 plan d39aa15152

johnride added 3 commits 2026-06-01 15:42:36 +00:00

refactor(fleet-deploy): rename HARMONY_SECRET_NAMESPACE to HARMONY_CONFIG_NAMESPACE ... f7299ebe2b

The env var name was a misnomer — ConfigClient resolves both config and
secrets, not just secrets. The struct field was already config_namespace.
Legacy SecretManager keeps the old var; this forces migration to
ConfigClient for new code.

fix(openbao): remove extra blank line in example ... 2e9052b217

Pre-existing formatting issue caught by cargo fmt --check.

Merge pull request 'refactor(fleet-deploy): rename HARMONY_SECRET_NAMESPACE to HARMONY_CONFIG_NAMESPACE' (#314) from refactor/config-namespace-env-var into feat/fleet-staging-openbao ... 5c2e1fa401

Reviewed-on: #314

All checks were successful

Hide all checks

Run Check Script / check (pull_request) Successful in 2m17s

Details

This pull request has changes conflicting with the target branch.

• examples/fleet_staging_install/src/main.rs
• fleet/harmony-fleet-deploy/src/main.rs
• fleet/harmony-fleet-deploy/src/secrets.rs

View command line instructions

Checkout

From your project repository, check out a new branch and test the changes.

git fetch -u origin feat/fleet-staging-openbao:feat/fleet-staging-openbao

git checkout feat/fleet-staging-openbao

Sign in to join this conversation.

Reviewers

No Reviewers

Labels

Clear labels

Architecture Decision Record

Good first issue

RFC

No Label

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

johnride jvtrudel reda stremblay

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: NationTech/harmony#313

No description provided.