# example-openbao

Installs a standalone OpenBao instance and makes it immediately usable as a
`harmony_config` store: deploy → init → unseal → KV v2. Depending on your
environment it either spins up a local k3d cluster or targets the remote
cluster `KUBECONFIG` points at.

Configuration is resolved by `ConfigClient`, which tries its sources in this
order: the `HARMONY_CONFIG_OpenbaoInstallConfig` env var (JSON), an existing
OpenBao, then an interactive prompt. The only required field is `host`.

```bash
# Non-interactive: provide the config as JSON.
export HARMONY_CONFIG_OpenbaoInstallConfig='{
  "host": "secrets-stg.cb1.nationtech.io",
  "namespace": "openbao",
  "release": "openbao",
  "openshift": true,
  "tls_issuer": "letsencrypt-prod"
}'
cargo run -p example-openbao -- --yes
```

`cargo run -p example-openbao -- --list` lists the scores without touching the
cluster. Run without `HARMONY_CONFIG_*` to be prompted for each field.

Optional features compose from config presence:

| Config field(s)                 | Effect                                                     |
|---------------------------------|------------------------------------------------------------|
| `tls_issuer`                    | cert-manager edge TLS on the ingress (omit for plain HTTP; only sensible for a throwaway local k3d cluster, a remote host should always get an issuer) |
| `oidc_issuer` + `oidc_audience` | JWT auth + a `harmony` role scoped to `secret/harmony/*`   |

After it runs, point `harmony_config` at it with `OPENBAO_URL=https://<host>`
and `OPENBAO_TOKEN=<cached root token>`. The root token is cached in
`~/.local/share/harmony/openbao/unseal-keys.json` together with the unseal
keys, so that one file is the whole trust anchor of the instance: keep it
readable only by your user and never commit or share it. Once `oidc_*` is set,
SSO callers can authenticate via `HARMONY_SSO_*` instead of the root token, so
day-to-day callers should not need the root token at all.