From 361661e965ee4ff66b719cdcd5f0187feb9c7a3a Mon Sep 17 00:00:00 2001
From: Sienna Meridian Satterwhite
Date: Mon, 2 Mar 2026 18:32:02 +0000
Subject: [PATCH] fix(data): remove empty data field from OpenBao placeholder Secret

kubectl apply --server-side was managing the `data: {}` field, which caused it to wipe the key/root-token entries written by the seed script on subsequent applies. Removing the field entirely means server-side apply never touches data, so seed-written keys survive re-applies.
---
 base/data/openbao-keys-placeholder.yaml | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/base/data/openbao-keys-placeholder.yaml b/base/data/openbao-keys-placeholder.yaml
index 61dada4..bbd2ca3 100644
--- a/base/data/openbao-keys-placeholder.yaml
+++ b/base/data/openbao-keys-placeholder.yaml
@@ -1,9 +1,10 @@
-# Placeholder secret — replaced by the init script after `bao operator init`.
-# Exists so the auto-unseal sidecar's volume mount doesn't block pod startup.
+# Placeholder secret — seed script writes real key/root-token data after init.
+# Exists so the auto-unseal sidecar volume mount doesn't block pod startup.
+# `data` is intentionally omitted so server-side apply never manages (or wipes)
+# the key fields written by the seed script.
 apiVersion: v1
 kind: Secret
 metadata:
 name: openbao-keys
 namespace: data
 type: Opaque
-data: {}
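Review bot: The new header comment explains why `data` is omitted, but it does not say that this Secret ends up holding the OpenBao unseal key material and root token, which is what the commit message says the seed script writes there. Anyone who can read Secrets in the `data` namespace could then unseal and fully administer OpenBao, so I would add a line to the manifest such as `# Holds unseal key + root token once seeded: restrict get/list on this Secret via RBAC and keep encryption at rest enabled.` It is also worth confirming, since it is not visible in this patch, that the seed script writes with a different field manager than the one used for `kubectl apply --server-side`, because the fix relies on apply not owning those keys. The same check should cover whether the root token needs to stay in the Secret after bootstrap at all.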