harmony/examples/openbao
Jean-Gabriel Gill-Couture 2e9052b217
fix(openbao): remove extra blank line in example
Pre-existing formatting issue caught by cargo fmt --check.
2026-05-31 10:12:54 -04:00

example-openbao

Installs a standalone OpenBao instance and makes it immediately usable as a harmony_config store: deploy → init → unseal → KV v2. Depending on your environment it either spins up a local k3d cluster or targets the remote cluster KUBECONFIG points at.

Configuration comes from ConfigClient (HARMONY_CONFIG_OpenbaoInstallConfig env JSON → OpenBao → interactive prompt). The only required field is host.

```sh
# Non-interactive: provide the config as JSON.
export HARMONY_CONFIG_OpenbaoInstallConfig='{
  "host": "secrets-stg.cb1.nationtech.io",
  "namespace": "openbao",
  "release": "openbao",
  "openshift": true,
  "tls_issuer": "letsencrypt-prod"
}'
cargo run -p example-openbao -- --yes
```

cargo run -p example-openbao -- --list lists the scores without touching the cluster. Run without HARMONY_CONFIG_* to be prompted for each field.

Optional features compose from config presence:

| Config field(s) | Effect |
| --- | --- |
| tls_issuer | cert-manager edge TLS on the ingress (omit for plain HTTP) |
| oidc_issuer + oidc_audience | JWT auth + a harmony role scoped to secret/harmony/* |

After it runs, point harmony_config at it with OPENBAO_URL=https://<host> and OPENBAO_TOKEN=<cached root token> (the root token is at ~/.local/share/harmony/openbao/unseal-keys.json). Once oidc_* is set, SSO callers can authenticate via HARMONY_SSO_* instead of the root token.
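
A pre-flight check for the config JSON, added here as an example and not part of the harmony project: it reports which optional features the fields listed above would enable and flags the two security-relevant outcomes (plain-HTTP ingress, no JWT auth so the root token stays in use). The function name `preflight`, the bare-hostname rule and the rejection of a half-set `oidc_*` pair are assumptions of this example, not documented harmony behaviour.

```python
import json
import os

ENV_VAR = "HARMONY_CONFIG_OpenbaoInstallConfig"  # name taken from the README


def preflight(raw):
    """Return {'features', 'errors', 'warnings'} for a config JSON string."""
    out = {"features": {}, "errors": [], "warnings": []}
    try:
        cfg = json.loads(raw)
    except json.JSONDecodeError as exc:
        out["errors"].append(f"not valid JSON: {exc}")
        return out
    if not isinstance(cfg, dict):
        out["errors"].append("top level must be a JSON object")
        return out

    host = cfg.get("host")
    if not isinstance(host, str) or not host.strip():
        out["errors"].append("host is required")
    elif "/" in host:
        # Assumption: host is a bare name, since the README builds https://<host>.
        out["errors"].append("host must be a bare hostname, not a URL")

    tls = bool(cfg.get("tls_issuer"))
    oidc = [k for k in ("oidc_issuer", "oidc_audience") if cfg.get(k)]
    if len(oidc) == 1:
        # Assumption: a half-set pair is an operator mistake, so reject it here.
        out["errors"].append(f"{oidc[0]} set without its partner field")
    jwt = len(oidc) == 2

    if not tls:
        out["warnings"].append("no tls_issuer: ingress is plain HTTP, tokens cross the network unencrypted")
    if not jwt:
        out["warnings"].append("no oidc_*: no JWT auth, harmony_config uses the root token")

    if not out["errors"]:
        out["features"] = {"url": f"{'https' if tls else 'http'}://{host}",
                           "edge_tls": tls, "jwt_auth": jwt}
    return out


# Constructed sample: the README's config with tls_issuer removed.
SAMPLE = '{"host": "secrets-stg.cb1.nationtech.io", "namespace": "openbao", "openshift": true}'

if __name__ == "__main__":
    report = preflight(os.environ.get(ENV_VAR, SAMPLE))
    print(json.dumps(report, indent=2))
    raise SystemExit(1 if report["errors"] else 0)
```

Run it with the same `HARMONY_CONFIG_OpenbaoInstallConfig` value exported before `cargo run`; a non-zero exit means the config has an error, while warnings do not change the exit code.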