studio/cli
2
0
Fork 0
Code Issues Pull Requests Actions Packages Releases 4 Wiki Activity

fix(openbao): create placeholder secret before waiting for pod

Browse Source 
On a clean cluster, the OpenBao pod can't start because it mounts
the openbao-keys secret as a volume, but that secret doesn't exist
until init runs. Create a placeholder secret in WaitPodRunning so
the pod can mount it and start. InitOrUnsealOpenBao overwrites it
with real values during initialization.
This commit is contained in:
Sienna Meridian Satterwhite
2026-04-05 20:33:19 +01:00
parent 70b1f84caa
commit dce1cec6ac
1 changed files with 10 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
src/workflows/seed/steps/openbao_init.rs
View File

@@ -88,6 +88,16 @@ impl StepBody for WaitPodRunning {
None => return Ok(ExecutionResult::next()),
};
// Ensure openbao-keys secret exists (even as placeholder) so the pod
// can mount it. InitOrUnsealOpenBao will overwrite with real values.
if k::kube_get_secret_field("data", "openbao-keys", "key").await.is_err() {
let placeholder = std::collections::HashMap::from([
("key".to_string(), "placeholder".to_string()),
("root-token".to_string(), "placeholder".to_string()),
]);
let _ = k::create_secret("data", "openbao-keys", placeholder).await;
}
let _ = secrets::wait_pod_running("data", &ob_pod, 300).await;
Ok(ExecutionResult::next())