sbbb/base/data/openbao-keys-placeholder.yaml

# Placeholder secret — seed script writes real key/root-token data after init.
# Exists so the auto-unseal sidecar volume mount doesn't block pod startup.
# `data` is intentionally omitted so server-side apply never manages (or wipes)
# the key fields written by the seed script.
apiVersion: v1
kind: Secret
metadata:
  name: openbao-keys
  namespace: data
type: Opaque