# example-openbao
Installs a standalone OpenBao instance and makes it immediately usable as a
`harmony_config` store: deploy → init → unseal → KV v2. Depending on your
environment it either spins up a local k3d cluster or targets the remote
cluster `KUBECONFIG` points at.

Configuration comes from `ConfigClient` (`HARMONY_CONFIG_OpenbaoInstallConfig`
env JSON → OpenBao → interactive prompt). The only required field is `host`.
```sh
# Non-interactive: provide the config as JSON.
export HARMONY_CONFIG_OpenbaoInstallConfig='{
  "host": "secrets-stg.cb1.nationtech.io",
  "namespace": "openbao",
  "release": "openbao",
  "openshift": true,
  "tls_issuer": "letsencrypt-prod"
}'
cargo run -p example-openbao -- --yes
```
`cargo run -p example-openbao -- --list` lists the scores without touching the
cluster. Run without `HARMONY_CONFIG_*` to be prompted for each field.
Optional features compose from config presence:

| Config field(s) | Effect |
|---|---|
| `tls_issuer` | cert-manager edge TLS on the ingress (omit for plain HTTP) |
| `oidc_issuer` + `oidc_audience` | JWT auth + a `harmony` role scoped to `secret/harmony/*` |
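The feature-composition rules above, as an added example that is not part of the crate: it reads the same `HARMONY_CONFIG_OpenbaoInstallConfig` JSON, enforces the required `host`, and reports which optional features would be enabled and whether the resulting endpoint is HTTPS or plain HTTP. The rule that a lone `oidc_issuer` or `oidc_audience` is an error is an assumption, as is the `client_auth` label.

```python
import json
import os

# Env var name and field rules as documented in the example-openbao README.
ENV_VAR = "HARMONY_CONFIG_OpenbaoInstallConfig"
REQUIRED_FIELDS = ("host",)
OIDC_FIELDS = ("oidc_issuer", "oidc_audience")


def check_config(config: dict) -> list:
    """Return a list of problems; an empty list means the config is usable."""
    problems = []
    for key in REQUIRED_FIELDS:
        if not config.get(key):
            problems.append(f"missing required field '{key}'")
    # Assumption: JWT auth needs both OIDC fields, so a lone one is a mistake.
    present = [k for k in OIDC_FIELDS if config.get(k)]
    if 0 < len(present) < len(OIDC_FIELDS):
        problems.append("oidc_issuer and oidc_audience must be set together")
    return problems


def plan_features(config: dict) -> dict:
    """Derive which optional features the installer would enable."""
    problems = check_config(config)
    if problems:
        raise ValueError("; ".join(problems))
    edge_tls = bool(config.get("tls_issuer"))          # cert-manager TLS on ingress
    jwt_auth = all(config.get(k) for k in OIDC_FIELDS)  # JWT auth + harmony role
    return {
        "edge_tls": edge_tls,
        "jwt_auth": jwt_auth,
        # Without tls_issuer the ingress serves plain HTTP, so the URL reflects that.
        "openbao_url": f"{'https' if edge_tls else 'http'}://{config['host']}",
        "client_auth": "HARMONY_SSO_*" if jwt_auth else "OPENBAO_TOKEN (root)",
    }


def plan_from_env(environ=None):
    """Read the env JSON the README shows; None means fall back to prompts."""
    environ = os.environ if environ is None else environ
    raw = environ.get(ENV_VAR)
    if raw is None:
        return None
    return plan_features(json.loads(raw))


if __name__ == "__main__":
    # Constructed sample matching the README's non-interactive example.
    sample = {"host": "secrets-stg.cb1.nationtech.io", "namespace": "openbao",
              "release": "openbao", "openshift": True, "tls_issuer": "letsencrypt-prod"}
    print(plan_features(sample))
```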
After it runs, point `harmony_config` at it with `OPENBAO_URL=https://<host>`
and `OPENBAO_TOKEN=<cached root token>` (the root token is at
`~/.local/share/harmony/openbao/unseal-keys.json`). Once `oidc_*` is set, SSO
callers can authenticate via `HARMONY_SSO_*` instead of the root token.