From dce1cec6acc93fb0ef308fbb9e66b9feb6da341d Mon Sep 17 00:00:00 2001
From: Sienna Meridian Satterwhite
Date: Sun, 5 Apr 2026 20:33:19 +0100
Subject: [PATCH] fix(openbao): create placeholder secret before waiting for pod

On a clean cluster, the OpenBao pod can't start because it mounts the openbao-keys secret as a volume, but that secret doesn't exist until init runs. Create a placeholder secret in WaitPodRunning so the pod can mount it and start. InitOrUnsealOpenBao overwrites it with real values during initialization.
---
 src/workflows/seed/steps/openbao_init.rs | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/src/workflows/seed/steps/openbao_init.rs b/src/workflows/seed/steps/openbao_init.rs
index e79a146c..fbf7b960 100644
--- a/src/workflows/seed/steps/openbao_init.rs
+++ b/src/workflows/seed/steps/openbao_init.rs
@@ -88,6 +88,16 @@ impl StepBody for WaitPodRunning {
 None => return Ok(ExecutionResult::next()),
 };

+ // Ensure openbao-keys secret exists (even as placeholder) so the pod
+ // can mount it. InitOrUnsealOpenBao will overwrite with real values.
+ if k::kube_get_secret_field("data", "openbao-keys", "key").await.is_err() {
+ let placeholder = std::collections::HashMap::from([
+ ("key".to_string(), "placeholder".to_string()),
+ ("root-token".to_string(), "placeholder".to_string()),
+ ]);
+ let _ = k::create_secret("data", "openbao-keys", placeholder).await;
+ }
+
 let _ = secrets::wait_pod_running("data", &ob_pod, 300).await;

 Ok(ExecutionResult::next())
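Review bot: The added guard `k::kube_get_secret_field("data", "openbao-keys", "key").await.is_err()` treats every failure as "secret missing", so an API timeout, an RBAC denial or an existing secret that lacks the `key` field on an already-initialised cluster also reaches `create_secret` with placeholder values. Whether `create_secret` refuses to replace an existing object is not visible in this hunk; if it applies or upserts, that path would replace the stored unseal key and root token with the string `placeholder`. I would create the placeholder only on a confirmed not-found result and stop discarding the outcome, for example `k::create_secret("data", "openbao-keys", placeholder).await?;` if the error types convert, so a failed create does not fall silently into the 300-second wait. It is also worth confirming that InitOrUnsealOpenBao and any other reader of `root-token` treat the literal `placeholder` as "not initialised" rather than as a credential; the enclosing function starts and ends outside the hunk.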