Initialize OpenBao Service

[norbertgruszka]

Summary

Initialize OpenBao Service. The goal is to provide users with an option to setup HA OpenBao Cluster using Appcat.

Initial implementation contains:

• Auto generated Kubernetes API
• Deployment step
• HCL generator
• Self-signed TLS certificates

The service is not yet ready for production use. Further development will follow.

How to test?

1. Create kindev environment with at least 3 nodes. For now, the OpenBao Cluster starts in HA.
2. Create newvshnopenbaos.vshn.appcat.vshn.io resource.

apiVersion: vshn.appcat.vshn.io/v1
kind: VSHNOpenBao
metadata:
  name: openbao-test
spec:
  parameters:
    security:
      deletionProtection: false
  writeConnectionSecretToRef:
    name: "openbao-test"

3. Search for newly created namespace with openbao name included. Use bao operator init -tls-skip-verify to initialize the cluster manually with kubectl exec command.
4. The cluster should be operational.

Checklist

• Update tests.
• Link this PR to related issues.
• Merge with /merge comment.

Component PR: vshn/component-appcat#1128

[github-actions]

• Check out Your new Comp-Functions diff at: https://git.vshn.net/appcat/comp-func-pipelines/-/pipelines/672215

[github-actions]

• Check out Your new Comp-Functions diff at: https://git.vshn.net/appcat/comp-func-pipelines/-/pipelines/672411

[github-actions]

• Check out Your new Comp-Functions diff at: https://git.vshn.net/appcat/comp-func-pipelines/-/pipelines/672412

[github-actions]

• Check out Your new Comp-Functions diff at: https://git.vshn.net/appcat/comp-func-pipelines/-/pipelines/672986

[github-actions]

• Check out Your new Comp-Functions diff at: https://git.vshn.net/appcat/comp-func-pipelines/-/pipelines/672990

[github-actions]

• Check out Your new Comp-Functions diff at: https://git.vshn.net/appcat/comp-func-pipelines/-/pipelines/675964

[github-actions]

• Check out Your new Comp-Functions diff at: https://git.vshn.net/appcat/comp-func-pipelines/-/pipelines/675972

[github-actions]

• Check out Your new Comp-Functions diff at: https://git.vshn.net/appcat/comp-func-pipelines/-/pipelines/678330

[github-actions]

• Check out Your new Comp-Functions diff at: https://git.vshn.net/appcat/comp-func-pipelines/-/pipelines/678806

[Kidswiss]

The code looks good. Just a few remarks.

I haven't tested it yet, but will do some tests later.

Search for newly created namespace with openbao name included. Use bao operator init -tls-skip-verify to initialize the cluster manually with kubectl exec command.

One idea: this should probably be a post-install hook in the helm chart, since it's still part of the provisioning.

[Kidswiss]

Should probably be defined before release.

[norbertgruszka]

The Version field was just a placeholder. The version is set in Components Appcat.

[Kidswiss]

Is this really just a string? Or only a placeholder? Usually settings are modelled with a map[string]any

[norbertgruszka]

That was a placeholder too, so I removed it for now. We'll add it back later probably with better defined type.

[Kidswiss]

I guess common.CreateCertificate() wasn't flexible enough to handle this?

I'm wondering if it would make sense to refactor it make it more flexible.

[norbertgruszka]

I didn't know common.CreateCertificate() exists. I think we were looking at Redis and certificates are created differently there.

I update the code, now it's using common.CreateCertificate()

[Kidswiss]

Yeah, some older services might not use the common library because they were migrated from legacy crossplane compositions and are thus stuck in a kind of limbo.

[github-actions]

• Check out Your new Comp-Functions diff at: https://git.vshn.net/appcat/comp-func-pipelines/-/pipelines/680229

[github-actions]

• Check out Your new Comp-Functions diff at: https://git.vshn.net/appcat/comp-func-pipelines/-/pipelines/680341

[Kidswiss]

I tried to create an instance, but I struggle to get the cluster initialized properly.

My steps:

k -n vshn-openbao-openbao-test-v54vf exec -it openbao-test-v54vf-0 -- sh

bao operator init -tls-skip-verify
bao operator unseal -tls-skip-verify

k -n vshn-openbao-openbao-test-v54vf exec -it openbao-test-v54vf-1 -- sh

bao operator unseal -tls-skip-verify
Unseal Key (will be hidden):
Error unsealing: Error making API request.

URL: PUT https://127.0.0.1:8200/v1/sys/unseal
Code: 400. Errors:

* Vault is not initialized

The first pod looks fine, the others throw this error. According to the openbao docs bao operator init has to be run only once.

Checking the config within the pod I see this:

cat userconfig/openbao-hcl-config/config.hcl
ui           = true
log_level    = "info"
log_format   = "json"
cluster_name = "openbao-test-v54vf"
api_addr     = "https://openbao-test-v54vf:8200"
cluster_addr = "https://openbao-test-v54vf:8201"

listener "tcp" {
  address         = "[::]:8200"
  cluster_address = "[::]:8201"
  tls_disable     = false
  tls_cert_file   = "/openbao/userconfig/openbao-tls/tls.crt"
  tls_key_file    = "/openbao/userconfig/openbao-tls/tls.key"
}

storage "raft" {
  path = "/openbao/data"
}

Isn't there supposed to be something to tell the instance where its peers are?

[Kidswiss]

This one seems unused. At least according to the linter.

[Kidswiss]

Does the helm chart you're using already deploy PDBs? If not setting the labels to match the pods and then calling common.AddPDBSettings() will automagically deploy them. But I think the instances parameter needs to be set for them to work...

[Kidswiss]

I'm wondering why the config is provided via an external file?