base/data/openbao-values.yaml

# OpenBao Helm values — standalone single-instance mode.
# Root token + unseal key stored in K8s secret `openbao-keys` (created by init script).

global:
  tlsDisable: true

injector:
  enabled: true
  agentDefaults:
    cpuLimit: "250m"
    cpuRequest: "50m"
    memLimit: "64Mi"
    memRequest: "32Mi"

server:
  image:
    registry: quay.io
    repository: openbao/openbao

  # Disable anti-affinity — single-node cluster.
  affinity: ""

  standalone:
    enabled: true
    config: |
      ui = true
      listener "tcp" {
        tls_disable = 1
        address     = "[::]:8200"
      }
      storage "file" {
        path = "/openbao/data"
      }

  dataStorage:
    enabled: true
    size: 1Gi

  resources:
    limits:
      memory: 128Mi
    requests:
      memory: 64Mi
      cpu: 50m

  # Auto-unseal sidecar: reads unseal key from K8s secret and unseals on restart.
  extraContainers:
    - name: auto-unseal
      image: quay.io/openbao/openbao
      command: ["/bin/sh", "-c"]
      args:
        - |
          export BAO_ADDR=http://127.0.0.1:8200
          echo "auto-unseal: waiting for openbao to start..."
          until bao status -format=json 2>/dev/null; do sleep 2; done
          while true; do
            if [ -f /openbao/unseal/key ]; then
              SEALED=$(bao status -format=json 2>/dev/null | grep '"sealed"' | grep -c 'true')
              if [ "$SEALED" = "1" ]; then
                echo "auto-unseal: unsealing..."
                bao operator unseal "$(cat /openbao/unseal/key)"
              fi
            fi
            sleep 15
          done
      volumeMounts:
        - name: userconfig-openbao-keys
          mountPath: /openbao/unseal
          readOnly: true
      resources:
        limits:
          memory: 32Mi
        requests:
          memory: 16Mi
          cpu: 10m

  extraVolumes:
    - type: secret
      name: openbao-keys
      path: openbao-unseal
      optional: true
feat: bring up local dev stack — all services running - Ory Hydra + Kratos: fixed secret management, DSN config, DB migrations, OAuth2Client CRD (helm template skips crds/ dir), login-ui env vars - SeaweedFS: added s3.json credentials file via -s3.config CLI flag - OpenBao: standalone mode with auto-unseal sidecar, keys in K8s secret - OpenSearch: increased memory to 1.5Gi / JVM 1g heap - Gitea: SSL_MODE disable, S3 bucket creation fixed - Hive: automountServiceAccountToken: false (Lima virtiofs read-only rootfs quirk) - LiveKit: API keys in values, hostPort conflict resolved - Linkerd: native sidecar (proxy.nativeSidecar=true) to avoid blocking Jobs - All placeholder images replaced: pingora→nginx:alpine, login-ui→oryd/kratos-selfservice-ui-node Full stack running: postgres, valkey, openbao, opensearch, seaweedfs, kratos, hydra, gitea, livekit, hive (placeholder), login-ui 2026-02-28 22:08:38 +00:00			`# OpenBao Helm values — standalone single-instance mode.`
			# Root token + unseal key stored in K8s secret `openbao-keys` (created by init script).

			`global:`
			`tlsDisable: true`

			`injector:`
			`enabled: true`
			`agentDefaults:`
			`cpuLimit: "250m"`
			`cpuRequest: "50m"`
			`memLimit: "64Mi"`
			`memRequest: "32Mi"`

			`server:`
			`image:`
			`registry: quay.io`
			`repository: openbao/openbao`

feat(infra): data, storage, devtools, and ory layer updates - data: CNPG cluster tuning, OpenBao values, OpenSearch deployment fixes, OpenSearch PVC, barman vault secret for S3 backup credentials - storage: SeaweedFS filer updates (s3.json via secret subPath), PVC for filer persistent storage - devtools: Gitea values (SSH service, custom theme), gitea-theme-cm ConfigMap - ory: add kratos-selfservice-urls.yaml for self-service flow URLs - media: LiveKit values updated (TURN config, STUN, resource limits) - vso: kustomization cleanup 2026-03-06 12:07:28 +00:00			`# Disable anti-affinity — single-node cluster.`
			`affinity: ""`

feat: bring up local dev stack — all services running - Ory Hydra + Kratos: fixed secret management, DSN config, DB migrations, OAuth2Client CRD (helm template skips crds/ dir), login-ui env vars - SeaweedFS: added s3.json credentials file via -s3.config CLI flag - OpenBao: standalone mode with auto-unseal sidecar, keys in K8s secret - OpenSearch: increased memory to 1.5Gi / JVM 1g heap - Gitea: SSL_MODE disable, S3 bucket creation fixed - Hive: automountServiceAccountToken: false (Lima virtiofs read-only rootfs quirk) - LiveKit: API keys in values, hostPort conflict resolved - Linkerd: native sidecar (proxy.nativeSidecar=true) to avoid blocking Jobs - All placeholder images replaced: pingora→nginx:alpine, login-ui→oryd/kratos-selfservice-ui-node Full stack running: postgres, valkey, openbao, opensearch, seaweedfs, kratos, hydra, gitea, livekit, hive (placeholder), login-ui 2026-02-28 22:08:38 +00:00			`standalone:`
			`enabled: true`
			`config: \|`
			`ui = true`
			`listener "tcp" {`
			`tls_disable = 1`
			`address = "[::]:8200"`
			`}`
			`storage "file" {`
			`path = "/openbao/data"`
			`}`

			`dataStorage:`
			`enabled: true`
			`size: 1Gi`

			`resources:`
			`limits:`
			`memory: 128Mi`
			`requests:`
			`memory: 64Mi`
			`cpu: 50m`

			`# Auto-unseal sidecar: reads unseal key from K8s secret and unseals on restart.`
			`extraContainers:`
			`- name: auto-unseal`
			`image: quay.io/openbao/openbao`
			`command: ["/bin/sh", "-c"]`
			`args:`
			`- \|`
			`export BAO_ADDR=http://127.0.0.1:8200`
			`echo "auto-unseal: waiting for openbao to start..."`
			`until bao status -format=json 2>/dev/null; do sleep 2; done`
			`while true; do`
			`if [ -f /openbao/unseal/key ]; then`
			`SEALED=$(bao status -format=json 2>/dev/null \| grep '"sealed"' \| grep -c 'true')`
			`if [ "$SEALED" = "1" ]; then`
			`echo "auto-unseal: unsealing..."`
			`bao operator unseal "$(cat /openbao/unseal/key)"`
			`fi`
			`fi`
			`sleep 15`
			`done`
			`volumeMounts:`
			`- name: userconfig-openbao-keys`
			`mountPath: /openbao/unseal`
			`readOnly: true`
			`resources:`
			`limits:`
			`memory: 32Mi`
			`requests:`
			`memory: 16Mi`
			`cpu: 10m`

			`extraVolumes:`
			`- type: secret`
			`name: openbao-keys`
			`path: openbao-unseal`
			`optional: true`