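# OpenBao Helm values — standalone single-instance mode.
# Root token + unseal key stored in K8s secret `openbao-keys` (created by init script).
#
# Trade-offs of this layout, so they are a deliberate choice rather than a surprise:
#   - TLS is disabled on the listener (global.tlsDisable and tls_disable = 1 below),
#     so traffic to :8200 is plaintext inside the cluster.
#   - The unseal key is mounted into a sidecar in the same pod as the server, so
#     anyone who can read the `openbao-keys` secret or exec into the pod can unseal
#     the instance; a KMS/HSM-backed seal is the production-grade alternative.
global:
  tlsDisable: true

injector:
  enabled: true
  agentDefaults:
    cpuLimit: "250m"
    cpuRequest: "50m"
    memLimit: "64Mi"
    memRequest: "32Mi"

server:
  image:
    registry: quay.io
    repository: openbao/openbao

  # Disable anti-affinity — single-node cluster.
  affinity: ""

  standalone:
    enabled: true
    config: |
      ui = true

      listener "tcp" {
        tls_disable = 1
        address = "[::]:8200"
      }

      storage "file" {
        path = "/openbao/data"
      }

  dataStorage:
    enabled: true
    size: 1Gi

  resources:
    limits:
      memory: 128Mi
    requests:
      memory: 64Mi
      cpu: 50m

  # Auto-unseal sidecar: reads unseal key from K8s secret and unseals on restart.
  extraContainers:
    - name: auto-unseal
      # TODO: pin this to the same tag (or digest) as the server image; an untagged
      # reference resolves to `latest` and can drift from the server version.
      image: quay.io/openbao/openbao
      command: ["/bin/sh", "-c"]
      args:
        - |
          export BAO_ADDR=http://127.0.0.1:8200

          # `bao status` reports seal state through its exit code (non-zero while
          # sealed), so waiting on the exit code would never return after a restart —
          # exactly the case this sidecar exists for. Wait for a JSON answer instead.
          echo "auto-unseal: waiting for openbao to start..."
          until bao status -format=json 2>/dev/null | grep -q '"sealed"'; do sleep 2; done

          while true; do
            # The secret volume is optional, so the key may be absent until the init
            # script has created it; do nothing until then.
            if [ -f /openbao/unseal/key ]; then
              SEALED=$(bao status -format=json 2>/dev/null | grep '"sealed"' | grep -c 'true')
              if [ "$SEALED" = "1" ]; then
                echo "auto-unseal: unsealing..."
                bao operator unseal "$(cat /openbao/unseal/key)"
              fi
            fi
            sleep 15
          done
      volumeMounts:
        - name: userconfig-openbao-keys
          mountPath: /openbao/unseal
          readOnly: true
      resources:
        limits:
          memory: 32Mi
        requests:
          memory: 16Mi
          cpu: 10m

  # Secret holding the unseal key; mounted into the sidecar above as the
  # `userconfig-openbao-keys` volume. `optional: true` lets the pod start before
  # the init script has created the secret.
  extraVolumes:
    - type: secret
      name: openbao-keys
      path: openbao-unseal
      optional: true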