From 5f70d010ad88fff894a5e3fff9bd21ed82155b11 Mon Sep 17 00:00:00 2001 From: khatrivarun Date: Wed, 11 Mar 2026 11:57:53 +0530 Subject: [PATCH 01/15] feat(secrets): openbao deployment automation using helm charts --- modules/secrets/certificates.tf | 254 +++++++++++++++++++++++++++++ modules/secrets/config/openbao.hcl | 30 ++++ modules/secrets/namespace.tf | 10 ++ modules/secrets/openbao.tf | 75 +++++++++ modules/secrets/secrets.tf | 18 ++ modules/secrets/variables.tf | 98 +++++++++++ 6 files changed, 485 insertions(+) create mode 100644 modules/secrets/certificates.tf create mode 100644 modules/secrets/config/openbao.hcl create mode 100644 modules/secrets/namespace.tf create mode 100644 modules/secrets/openbao.tf create mode 100644 modules/secrets/secrets.tf create mode 100644 modules/secrets/variables.tf diff --git a/modules/secrets/certificates.tf b/modules/secrets/certificates.tf new file mode 100644 index 0000000..92df5ac --- /dev/null +++ b/modules/secrets/certificates.tf 
@@ -0,0 +1,254 @@ +// Certificate Authority to be used with OpenBao Cluster +resource "kubernetes_manifest" "certificate_authority" { + manifest = { + "apiVersion" = "cert-manager.io/v1" + "kind" = "Certificate" + "metadata" = { + "name" = var.certificate_authority_name + "namespace" = kubernetes_namespace.namespace.metadata[0].name + "labels" = { + "app" = var.app_name + "component" = "certificate-authority" + } + } + "spec" = { + "isCA" = true + "subject" = { + "organizations" = [var.organization_name] + "countries" = [var.country_name] + "organizationalUnits" = [var.app_name] + } + "commonName" = var.certificate_authority_name + "secretName" = var.certificate_authority_name + "duration" = "70128h" + "privateKey" = { + "algorithm" = "ECDSA" + "size" = 256 + } + "issuerRef" = { + "name" = "${var.cluster_issuer_name}" + "kind" = "ClusterIssuer" + "group" = "cert-manager.io" + } + } + } + + wait { + condition { + type = "Ready" + status = "True" + } + } + + timeouts { + create = "5m" + update = "5m" + delete = "5m" + } +} + +// Issuer for the OpenBao Cluster +resource "kubernetes_manifest" "issuer" { + manifest = { + "apiVersion" = "cert-manager.io/v1" + "kind" = "Issuer" + "metadata" = { + "name" = var.issuer_name + "namespace" = kubernetes_namespace.namespace.metadata[0].name + "labels" = { + "app" = var.app_name + "component" = "issuer" + } + } + "spec" = { + "ca" = { + "secretName" = kubernetes_manifest.certificate_authority.manifest.spec.secretName + } + } + } + + wait { + condition { + type = "Ready" + status = "True" + } + } + + timeouts { + create = "5m" + update = "5m" + delete = "5m" + } +} + +// Internal Certificate for OpenBao Cluster +resource "kubernetes_manifest" "internal_certificate" { + manifest = { + "apiVersion" = "cert-manager.io/v1" + "kind" = "Certificate" + "metadata" = { + "name" = var.internal_certificate_name + "namespace" = kubernetes_namespace.namespace.metadata[0].name + "labels" = { + "app" = var.app_name + "component" = 
"internal-certificate" + } + } + "spec" = { + "dnsNames" = [ + "${var.host_name}.${var.domain}", + "localhost", + "127.0.0.1", + "*.${kubernetes_namespace.namespace.metadata[0].name}.svc.cluster.local", + "openbao-internal", + "openbao-internal.${kubernetes_namespace.namespace.metadata[0].name}.svc", + "openbao-internal.${kubernetes_namespace.namespace.metadata[0].name}.svc.cluster.local", + "*.openbao-internal.${kubernetes_namespace.namespace.metadata[0].name}.svc.cluster.local", + ] + "subject" = { + "organizations" = [var.organization_name] + "countries" = [var.country_name] + "organizationalUnits" = [var.app_name] + } + "commonName" = var.internal_certificate_name + "secretName" = var.internal_certificate_name + "issuerRef" = { + "name" = kubernetes_manifest.issuer.manifest.metadata.name + } + } + } + + wait { + condition { + type = "Ready" + status = "True" + } + } + timeouts { + create = "5m" + update = "5m" + delete = "5m" + } +} + +// Kubernetes Secret for Cloudflare Tokens +resource "kubernetes_secret" "cloudflare_token" { + metadata { + name = "cloudflare-token" + namespace = kubernetes_namespace.namespace.metadata[0].name + labels = { + "app" = var.app_name + "component" = "secret" + } + } + + data = { + cloudflare-token = var.cloudflare_token + } + + type = "Opaque" +} + +// Cloudflare Issuer for Openbao Ingress Service +resource "kubernetes_manifest" "public_issuer" { + manifest = { + "apiVersion" = "cert-manager.io/v1" + "kind" = "Issuer" + "metadata" = { + "name" = var.cloudflare_issuer_name + "namespace" = kubernetes_namespace.namespace.metadata[0].name + "labels" = { + "app" = var.app_name + "component" = "cloudflare-issuer" + } + } + "spec" = { + "acme" = { + "email" = var.cloudflare_email + "server" = var.acme_server + "privateKeySecretRef" = { + "name" = var.cloudflare_issuer_name + } + "solvers" = [ + { + "dns01" = { + "cloudflare" = { + "email" = var.cloudflare_email + "apiTokenSecretRef" = { + "name" = "cloudflare-token" + "key" = 
"cloudflare-token" + } + } + } + } + ] + } + } + } + + depends_on = [kubernetes_secret.cloudflare_token] + + wait { + condition { + type = "Ready" + status = "True" + } + } + + timeouts { + create = "5m" + update = "5m" + delete = "5m" + } +} + +// Certificate to be used for OpenBao Ingress +resource "kubernetes_manifest" "ingress_certificate" { + + manifest = { + "apiVersion" = "cert-manager.io/v1" + "kind" = "Certificate" + "metadata" = { + "name" = var.ingress_certificate_name + "namespace" = kubernetes_namespace.namespace.metadata[0].name + "labels" = { + "app" = var.app_name + "component" = "ingress-certificate" + } + } + "spec" = { + "duration" = "2160h" + "renewBefore" = "360h" + "subject" = { + "organizations" = [var.organization_name] + "countries" = [var.country_name] + "organizationalUnits" = [var.app_name] + } + "privateKey" = { + "algorithm" = "RSA" + "encoding" = "PKCS1" + "size" = "2048" + } + "dnsNames" = ["${var.host_name}.${var.domain}"] + "secretName" = var.ingress_certificate_name + "issuerRef" = { + "name" = kubernetes_manifest.public_issuer.manifest.metadata.name + "kind" = "Issuer" + "group" = "cert-manager.io" + } + } + } + + wait { + condition { + type = "Ready" + status = "True" + } + } + + timeouts { + create = "5m" + update = "5m" + delete = "5m" + } +} diff --git a/modules/secrets/config/openbao.hcl b/modules/secrets/config/openbao.hcl new file mode 100644 index 0000000..b1bdaf9 --- /dev/null +++ b/modules/secrets/config/openbao.hcl 
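Review bot: The ingress certificate's `privateKey.size` is written as the string `"2048"` while the CA block uses the integer `256`; cert-manager's Certificate schema declares `size` as an integer, so this manifest is likely to be rejected at apply time — use `"size" = 2048`. In the internal certificate, `127.0.0.1` is listed under `dnsNames`; an address belongs in the `ipAddresses` field (`"ipAddresses" = ["127.0.0.1"]`), since a client validating the IP SAN will not match a DNS entry that merely spells the address. The CA gets a 70128h `duration` with no `renewBefore`, and both issuers below chain from it, so a comment above `certificate_authority` stating the intended rotation procedure would help the next maintainer.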
@@ -0,0 +1,30 @@
+ui = true
+
+listener "tcp" {
+ tls_disable = 0
+ address = "[::]:8200"
+ cluster_address = "[::]:8201"
+
+ # TLS Configuration
+ tls_cert_file = "/openbao/userconfig/${cert_secret_name}/tls.crt"
+ tls_key_file = "/openbao/userconfig/${cert_secret_name}/tls.key"
+ tls_client_ca_file = "/openbao/userconfig/${cert_secret_name}/ca.crt"
+}
+
+storage "raft" {
+ path = "/openbao/data"
+ retry_join {
+ auto_join = "provider=k8s namespace=${namespace} label_selector=\"app.kubernetes.io/instance=openbao,component=server\""
+ auto_join_scheme = "https"
+
+ leader_ca_cert_file = "/openbao/userconfig/${cert_secret_name}/ca.crt"
+ leader_tls_servername = "openbao-internal.${namespace}.svc"
+ }
+}
+
+seal "static" {
+ current_key_id = "k3d-local-v1"
+ current_key = "env://OPENBAO_STATIC_UNSEAL_KEY"
+}
+
+service_registration "kubernetes" {}
diff --git a/modules/secrets/namespace.tf b/modules/secrets/namespace.tf new file mode 100644
index 0000000..9c8a9da
--- /dev/null
+++ b/modules/secrets/namespace.tf
@@ -0,0 +1,10 @@
+// Namespace configuration for OpenBao Secrets Management Solution
+resource "kubernetes_namespace" "namespace" {
+ metadata {
+ name = var.namespace
+ labels = {
+ app = var.app_name
+ component = "namespace"
+ }
+ }
+}
diff --git a/modules/secrets/openbao.tf b/modules/secrets/openbao.tf new file mode 100644
index 0000000..f68477b
--- /dev/null
+++ b/modules/secrets/openbao.tf
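Review bot: The `seal "static"` block hard-codes `current_key_id = "k3d-local-v1"` although the other environment-specific values (`namespace`, `cert_secret_name`) are injected through `templatefile`; rotating the unseal key later needs a new key id, so template it as well, e.g. `current_key_id = "${unseal_key_id}"`. A comment above the `seal` block should state that the key is read from `OPENBAO_STATIC_UNSEAL_KEY`, i.e. from a Kubernetes Secret in the same namespace as the raft data, so read access to Secrets in that namespace is equivalent to unseal access. `tls_client_ca_file` is configured but nothing in this listener requires client certificates; if that is intentional (the ingress path uses server-side TLS only) say so in the `# TLS Configuration` comment.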
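Review bot: The namespace carries only `app`/`component` labels; since this namespace is the cluster's secrets boundary, consider adding a Pod Security Admission label such as `"pod-security.kubernetes.io/enforce" = "baseline"` to the `labels` map so every pod scheduled here, including the configurator job from the next patch, is admission-checked. Whether the chart's server pods satisfy `restricted` cannot be told from this diff, so start with `baseline` and tighten after a test deployment.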
@@ -0,0 +1,75 @@ +resource "helm_release" "openbao" { + name = "openbao" + repository = "https://openbao.github.io/openbao-helm" + chart = "openbao" + version = "0.25.6" + + namespace = kubernetes_namespace.namespace.metadata[0].name + create_namespace = false + + wait = true + timeout = 600 + + values = [ + yamlencode({ + global = { + enabled = true + tlsDisable = false + } + + server = { + extraSecretEnvironmentVars = [ + { + envName = "OPENBAO_STATIC_UNSEAL_KEY" + secretName = kubernetes_secret.static_unseal_key.metadata[0].name + secretKey = "OPENBAO_STATIC_UNSEAL_KEY" + } + ] + + extraVolumes = [ + { + type = "secret" + name = kubernetes_manifest.internal_certificate.manifest.spec.secretName + } + ] + + ha = { + enabled = true + replicas = 3 + raft = { + enabled = true + setNodeId = true + + config = templatefile("${path.module}/config/openbao.hcl", { + namespace = kubernetes_namespace.namespace.metadata[0].name, + cert_secret_name = kubernetes_manifest.internal_certificate.manifest.spec.secretName + }) + } + } + + dataStorage = { + enabled = true + size = "5Gi" + mountPath = "/openbao/data" + storageClass = "local-path" + } + + authDelegator = { + enabled = true + } + + serviceAccount = { + create = true + serviceDiscovery = { + enabled = true + } + } + + ui = { + enabled = true + serviceType = "ClusterIP" + } + } + }) + ] +} diff --git a/modules/secrets/secrets.tf b/modules/secrets/secrets.tf new file mode 100644 index 0000000..30d512f --- /dev/null +++ b/modules/secrets/secrets.tf @@ -0,0 +1,18 @@ +resource "random_id" "static_unseal_key" { + byte_length = 32 +} + +resource "kubernetes_secret" "static_unseal_key" { + metadata { + name = "openbao-static-unseal-key" + namespace = kubernetes_namespace.namespace.metadata[0].name + labels = { + app = var.app_name + component = "secret" + } + } + + data = { + "OPENBAO_STATIC_UNSEAL_KEY" = random_id.static_unseal_key.b64_std + } +} 
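Review bot: `dataStorage.storageClass = "local-path"` is hard-coded, which ties the module to the k3d/Rancher local-path provisioner even though the chart version, replica count and image are made configurable elsewhere in this series; expose it as a module input, `storageClass = var.storage_class`, and do the same for `size = "5Gi"`. A short comment on `extraVolumes` noting that the mounted secret contains the server's private key (`tls.key`) as well as the CA, and is therefore required on every server pod, would make the mount's sensitivity explicit.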
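Review bot: The static unseal key comes from `random_id`, whose `b64_std` attribute is not marked sensitive, so the key is printed in plan output and stored in plaintext in Terraform state alongside the Secret; wrap it, `"OPENBAO_STATIC_UNSEAL_KEY" = sensitive(random_id.static_unseal_key.b64_std)`, and add a comment above `random_id` stating that state access equals unseal-key access, so the state backend must be encrypted and access-controlled. `random_id` has no `keepers` here, so the key can only be regenerated by tainting the resource — either a `keepers` entry or a comment documenting that rotation is manual.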
diff --git a/modules/secrets/variables.tf b/modules/secrets/variables.tf new file mode 100644
index 0000000..2a999b4
--- /dev/null
+++ b/modules/secrets/variables.tf
@@ -0,0 +1,98 @@ +# --------------- GENERAL VARIABLES --------------- # +variable "app_name" { + description = "App name for deploying OpenBao Secrets Management Solution" + type = string + default = "openbao" +} + +variable "organization_name" { + description = "Organization name for deploying OpenBao Secrets Management Solution" + type = string + default = "cloud" +} + +variable "country_name" { + description = "Country name for deploying OpenBao Secrets Management Solution" + type = string + default = "India" +} + +# --------------- NAMESPACE VARIABLES --------------- # +variable "namespace" { + description = "Namespace to be used for deploying OpenBao Secrets Management Solution" + type = string + default = "secrets" +} + +variable "observability_namespace" { + description = "Namespace where all components for observability are deployed" + type = string + nullable = false +} + +# --------------- CERTIFICATE VARIABLES --------------- # +variable "cluster_issuer_name" { + description = "Name for the Cluster Issuer to be used to generate internal self signed certificates" + type = string + nullable = false +} + +variable "certificate_authority_name" { + description = "Name of the Certificate Authority to be associated with OpenBao Secrets Management Solution" + type = string + default = "secrets-certificate-authority" +} + +variable "issuer_name" { + description = "Name of the Issuer to be associated with OpenBao Secrets Management Solution" + type = string + default = "secrets-certificate-issuer" +} + +variable "internal_certificate_name" { + description = "Name of the Internal Certificate to be associated with OpenBao Secrets Management Solution" + type = string + default = "secrets-internal-certificate" +} + +variable "cloudflare_token" { + description = "Token for generating Ingress Certificates to be associated with OpenBao Secrets Management Solution" + type = string + nullable = false +} + +variable "cloudflare_email" { + description = "Email for generating 
Ingress Certificates to be associated with OpenBao Secrets Management Solution" + type = string + nullable = false +} + +variable "cloudflare_issuer_name" { + description = "Name of the Cloudflare Issuer to be associated with OpenBao Secrets Management Solution" + type = string + default = "secrets-cloudflare-issuer" +} + +variable "acme_server" { + description = "URL for the ACME Server to be used, defaults to production URL for LetsEncrypt" + type = string + default = "https://acme-v02.api.letsencrypt.org/directory" +} + +variable "ingress_certificate_name" { + description = "Name of the Ingress Certificate to be associated with OpenBao Secrets Management Solution" + type = string + default = "secrets-ingress-certificate" +} + +variable "host_name" { + description = "Host name for which Ingress Certificate is to be generated for" + type = string + default = "secrets" +} + +variable "domain" { + description = "Domain for which Ingress Certificate is to be generated for" + type = string + nullable = false +} From b2465b9bdcb56d11a3626538fa21a641f0b33d7b Mon Sep 17 00:00:00 2001 From: khatrivarun Date: Wed, 11 Mar 2026 11:58:19 +0530 Subject: [PATCH 02/15] feat(secrets): configurator job to automate setting up the cluster --- modules/secrets/config/configurator.sh | 76 ++++++++++++++++++++++++++ modules/secrets/configmap.tf | 16 ++++++ modules/secrets/job.tf | 61 +++++++++++++++++++++ modules/secrets/serviceaccount.tf | 47 ++++++++++++++++ 4 files changed, 200 insertions(+) create mode 100644 modules/secrets/config/configurator.sh create mode 100644 modules/secrets/configmap.tf create mode 100644 modules/secrets/job.tf create mode 100644 modules/secrets/serviceaccount.tf diff --git a/modules/secrets/config/configurator.sh b/modules/secrets/config/configurator.sh new file mode 100644 index 0000000..307cd9f --- /dev/null +++ b/modules/secrets/config/configurator.sh 
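Review bot: `cloudflare_token` is a credential but is not declared `sensitive = true`, so its value appears in plan diffs and in any output or log that references `var.cloudflare_token`; add `sensitive = true` below `nullable = false`, and consider the same for `cloudflare_email`. `observability_namespace` is required (`nullable = false`) but nothing in this patch reads it; either state its purpose in the description or introduce it together with the network policy change that uses it.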
@@ -0,0 +1,76 @@ +#!/bin/sh +set -e + +# Installing required dependencies +echo "Installing required dependencies..." +apk add --no-cache curl jq + +# Required Environment Variables +NAMESPACE=$(cat /var/run/secrets/kubernetes.io/serviceaccount/namespace) +K8S_API="https://kubernetes.default.svc" +K8S_TOKEN=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token) +K8S_CACERT="/var/run/secrets/kubernetes.io/serviceaccount/ca.crt" + +# OpenBao TLS Setup +BAO_ADDR="https://openbao-internal.$NAMESPACE.svc:8200" +BAO_CACERT="/openbao/userconfig/${cert_secret_name}/ca.crt" + +export BAO_ADDR=$BAO_ADDR +export BAO_CACERT=$BAO_CACERT + +# Wait for OpenBao API to respond over HTTPS +echo "Waiting for OpenBao API at $BAO_ADDR..." +until curl -s --cacert "$BAO_CACERT" "$BAO_ADDR/v1/sys/health" | grep -q 'initialized'; do + echo "Still waiting..." + sleep 5 +done + +# Initialize the Cluster +if ! bao operator init -status > /dev/null 2>&1; then + echo "Initializing OpenBao Cluster..." + bao operator init -format=json > /tmp/keys.json + + ROOT_TOKEN=$(jq -r '.root_token' /tmp/keys.json) + export BAO_TOKEN=$ROOT_TOKEN + + # Save Keys to K8s Secret + echo "Persisting recovery keys to Kubernetes..." + B64_DATA=$(cat /tmp/keys.json | base64 | tr -d '\n') + + curl -s --cacert "$K8S_CACERT" \ + -X POST \ + -H "Authorization: Bearer $K8S_TOKEN" \ + -H "Content-Type: application/json" \ + -d "{ + \"apiVersion\": \"v1\", + \"kind\": \"Secret\", + \"metadata\": { \"name\": \"bao-init-recovery\" }, + \"data\": { \"keys.json\": \"$B64_DATA\" } + }" \ + "$K8S_API/api/v1/namespaces/$NAMESPACE/secrets" + + # Configure Kubernetes Auth for External Secrets Operator + echo "Configuring Kubernetes Auth..." 
+ bao auth enable kubernetes + bao write auth/kubernetes/config \ + kubernetes_host="$K8S_API" \ + kubernetes_ca_cert="@$K8S_CACERT" \ + disable_iss_validation=true + + # Setup ESO Access + bao secrets enable -path=secret kv-v2 + bao policy write eso-policy - < Date: Wed, 11 Mar 2026 11:58:36 +0530 Subject: [PATCH 03/15] feat(infrastructure): secrets module deployment --- infrastructure/main.tf | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/infrastructure/main.tf b/infrastructure/main.tf index c09b011..6ff32da 100644 --- a/infrastructure/main.tf +++ b/infrastructure/main.tf @@ -33,6 +33,22 @@ module "observability" { depends_on = [module.cluster-issuer] } +# OpenBao Secrets Management Solution deployment +module "secrets" { + source = "git::https://github.com/necro-cloud/modules//modules/secrets?ref=task/110/openbao-deployment" + + // Certificates Details + cluster_issuer_name = module.cluster-issuer.cluster-issuer-name + cloudflare_token = var.cloudflare_token + cloudflare_email = var.cloudflare_email + domain = var.domain + + // Observability details + observability_namespace = module.observability.observability_namespace + + depends_on = [module.observability] +} + # Garage Deployment for an S3 compatible object storage solution module "garage" { source = "git::https://github.com/necro-cloud/modules//modules/garage?ref=main" From 78070635cd4f06f0996629506aeb32340ae43ba6 Mon Sep 17 00:00:00 2001 From: khatrivarun Date: Wed, 11 Mar 2026 12:22:45 +0530 Subject: [PATCH 04/15] feat(secrets): ingress setup for openbao --- modules/secrets/ingress.tf | 44 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 44 insertions(+) create mode 100644 modules/secrets/ingress.tf diff --git a/modules/secrets/ingress.tf b/modules/secrets/ingress.tf new file mode 100644 index 0000000..6c0dcdf --- /dev/null +++ b/modules/secrets/ingress.tf 
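Review bot: The `secrets` module source pins `?ref=task/110/openbao-deployment`, a mutable feature branch, so a later push to that branch changes what `terraform init` fetches for the cluster's secrets store with no change to this file; pin to a release tag or commit SHA (`?ref=<COMMIT_SHA_PLACEHOLDER>`) before merge, in line with the `ref=main` convention used by the `garage` module below. `var.cloudflare_token` is passed straight through; if the root variable is not declared `sensitive`, the token will show in plan output, which cannot be verified from this hunk.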
@@ -0,0 +1,44 @@ +// Kubernetes Ingress for OpenBao UI +resource "kubernetes_ingress_v1" "api_ingress" { + metadata { + name = "openbao-ui-ingress" + namespace = kubernetes_namespace.namespace.metadata[0].name + labels = { + app = var.app_name + component = "ingress" + } + annotations = { + "nginx.ingress.kubernetes.io/proxy-ssl-verify" : "on" + "nginx.ingress.kubernetes.io/proxy-ssl-secret" : "${kubernetes_namespace.namespace.metadata[0].name}/${kubernetes_manifest.internal_certificate.manifest.spec.secretName}" + "nginx.ingress.kubernetes.io/proxy-ssl-name" : "openbao-internal.${kubernetes_namespace.namespace.metadata[0].name}.svc.cluster.local" + "nginx.ingress.kubernetes.io/backend-protocol" : "HTTPS" + "nginx.ingress.kubernetes.io/rewrite-target" : "/" + "nginx.ingress.kubernetes.io/proxy-body-size" : 0 + "nginx.ingress.kubernetes.io/client-body-buffer-size" : "500M" + } + } + + spec { + ingress_class_name = "nginx" + tls { + hosts = ["${var.host_name}.${var.domain}"] + secret_name = kubernetes_manifest.ingress_certificate.manifest.spec.secretName + } + rule { + host = "${var.host_name}.${var.domain}" + http { + path { + path = "/" + backend { + service { + name = "openbao-active" + port { + number = 8200 + } + } + } + } + } + } + } +} From f7b5b9c845d8d093159671a18496a448eee55054 Mon Sep 17 00:00:00 2001 From: khatrivarun Date: Wed, 11 Mar 2026 12:24:12 +0530 Subject: [PATCH 05/15] feat(secrets): ingress setup for openbao --- modules/secrets/ingress.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/secrets/ingress.tf b/modules/secrets/ingress.tf index 6c0dcdf..b47a921 100644 --- a/modules/secrets/ingress.tf +++ b/modules/secrets/ingress.tf @@ -1,5 +1,5 @@ // Kubernetes Ingress for OpenBao UI -resource "kubernetes_ingress_v1" "api_ingress" { +resource "kubernetes_ingress_v1" "ui_ingress" { metadata { name = "openbao-ui-ingress" namespace = kubernetes_namespace.namespace.metadata[0].name 
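Review bot: `nginx.ingress.kubernetes.io/rewrite-target: "/"` on a plain `/` path has no capture group, so ingress-nginx is likely to rewrite every request URI to `/`, which would break `/ui/` and `/v1/...` behind the ingress; the root path needs no rewrite, so drop the annotation. `proxy-body-size: 0` removes the request body limit entirely and `client-body-buffer-size: "500M"` buffers that much per request, neither of which an OpenBao API needs — set a small explicit limit such as `"nginx.ingress.kubernetes.io/proxy-body-size" : "1m"`. Because the backend is `openbao-active:8200`, the whole API and not only the UI becomes reachable at the public hostname; a comment on the resource stating that this is intended would help.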
From 32216107f88a693187618dcac2a815b38f13fdd4 Mon Sep 17 00:00:00 2001 From: khatrivarun Date: Wed, 11 Mar 2026 12:37:51 +0530 Subject: [PATCH 06/15] feat(secrets): resource requests and limits with pod spread constraints --- modules/secrets/openbao.tf | 44 ++++++++++++++++++++++++++++++++++++ modules/secrets/variables.tf | 2 +- 2 files changed, 45 insertions(+), 1 deletion(-) diff --git a/modules/secrets/openbao.tf b/modules/secrets/openbao.tf index f68477b..f9c1ced 100644 --- a/modules/secrets/openbao.tf +++ b/modules/secrets/openbao.tf @@ -18,6 +18,50 @@ resource "helm_release" "openbao" { } server = { + + resources = { + requests = { + memory = "256Mi" + cpu = "100m" + } + limits = { + memory = "512Mi" + cpu = "500m" + } + } + + affinity = { + nodeAffinity = { + requiredDuringSchedulingIgnoredDuringExecution = { + nodeSelectorTerms = [ + { + matchExpressions = [ + { + key = "worker" + operator = "Exists" + } + ] + } + ] + } + } + } + + topologySpreadConstraints = [ + { + maxSkew = 1 + topologyKey = "kubernetes.io/hostname" + whenUnsatisfiable = "DoNotSchedule" + labelSelector = { + matchLabels = { + "app.kubernetes.io/name" = "openbao" + "app.kubernetes.io/instance" = "openbao" + "component" = "server" + } + } + } + ] + extraSecretEnvironmentVars = [ { envName = "OPENBAO_STATIC_UNSEAL_KEY" diff --git a/modules/secrets/variables.tf b/modules/secrets/variables.tf index 2a999b4..938b990 100644 --- a/modules/secrets/variables.tf +++ b/modules/secrets/variables.tf @@ -21,7 +21,7 @@ variable "country_name" { variable "namespace" { description = "Namespace to be used for deploying OpenBao Secrets Management Solution" type = string - default = "secrets" + default = "openbao" } variable "observability_namespace" { From 91c49054f0182404bebd1939caf13cbee42b8512 Mon Sep 17 00:00:00 2001 
From: khatrivarun Date: Wed, 11 Mar 2026 13:02:08 +0530 Subject: [PATCH 07/15] feat(openbao): network policy implementation --- infrastructure/main.tf | 8 ++ modules/secrets/networkpolicy.tf | 154 +++++++++++++++++++++++++++++++ modules/secrets/openbao.tf | 10 +- modules/secrets/variables.tf | 43 +++++++++ 4 files changed, 210 insertions(+), 5 deletions(-) create mode 100644 modules/secrets/networkpolicy.tf diff --git a/infrastructure/main.tf b/infrastructure/main.tf index 6ff32da..a4fc984 100644 --- a/infrastructure/main.tf +++ b/infrastructure/main.tf @@ -45,6 +45,14 @@ module "secrets" { // Observability details observability_namespace = module.observability.observability_namespace + + // Granting required namespaces access to the OpenBao cluster + access_namespaces = "external-secrets,cloud" + + // Whitelisting Kubernetes API Endpoints in the Network Policy + kubernetes_api_ip = one(flatten(data.kubernetes_endpoints_v1.kubernetes_api_endpoint.subset[*].address[*].ip)) + kubernetes_api_protocol = one(flatten(data.kubernetes_endpoints_v1.kubernetes_api_endpoint.subset[*].port[*].protocol)) + kubernetes_api_port = one(flatten(data.kubernetes_endpoints_v1.kubernetes_api_endpoint.subset[*].port[*].port)) depends_on = [module.observability] } diff --git a/modules/secrets/networkpolicy.tf b/modules/secrets/networkpolicy.tf new file mode 100644 index 0000000..7b3156e --- /dev/null +++ b/modules/secrets/networkpolicy.tf 
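Review bot: `one(flatten(data.kubernetes_endpoints_v1.kubernetes_api_endpoint.subset[*].address[*].ip))` fails at plan time as soon as the `kubernetes` Endpoints object lists more than one address, i.e. on any multi-control-plane cluster, so the network policy can only ever allow a single API server; pass the full list (`kubernetes_api_ips = flatten(...)`) and let the module emit one `ip_block` per address, or document that the module is single-control-plane only. The `data.kubernetes_endpoints_v1.kubernetes_api_endpoint` source is not part of this diff, so its existence and scope are assumed.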
@@ -0,0 +1,154 @@ +// Network policy to restrict network access to the OpenBao Cluster +resource "kubernetes_network_policy" "openbao_network_access_policy" { + metadata { + name = "openbao-network-access-policy" + namespace = kubernetes_namespace.namespace.metadata[0].name + labels = { + app = var.app_name + component = "networkpolicy" + } + } + + spec { + pod_selector { + match_labels = { + "app.kubernetes.io/name" = "openbao" + "component" = "server" + } + } + + policy_types = ["Ingress", "Egress"] + + # -------------- INGRESS RULES -------------- # + # Rule 1: Allow Raft replication and internal API communication between OpenBao Pods + ingress { + from { + pod_selector { + match_labels = { + "app.kubernetes.io/name" = "openbao" + "component" = "server" + } + } + } + ports { + protocol = "TCP" + port = 8200 + } + ports { + protocol = "TCP" + port = 8201 + } + } + + # Rule 2: Allow ingress from trusted namespaces + ingress { + from { + namespace_selector { + match_expressions { + key = "kubernetes.io/metadata.name" + operator = "In" + values = split(",", var.access_namespaces) + } + } + pod_selector { + match_labels = { + "openbao-access" = "true" + } + } + } + ports { + protocol = "TCP" + port = 8200 + } + } + + # Rule 3: Allow NGINX Ingress Controller to reach the active leader + ingress { + from { + namespace_selector { + match_labels = { + "kubernetes.io/metadata.name" = "ingress-nginx" + } + } + } + ports { + protocol = "TCP" + port = 8200 + } + } + + # Rule 4: Allow OpenTelemetry Collector to scrape metrics from the API port + ingress { + from { + namespace_selector { + match_labels = { + "kubernetes.io/metadata.name" = var.observability_namespace + } + } + pod_selector { + match_labels = { + "app.kubernetes.io/instance" = "otel-collector" + } + } + } + ports { + protocol = "TCP" + port = 8200 + } + } + + # -------------- EGRESS RULES -------------- # + # Rule 1: Allow egress to other OpenBao pods for Raft consensus + egress { + to { + pod_selector { + 
match_labels = { + "app.kubernetes.io/name" = "openbao" + "component" = "server" + } + } + } + ports { + protocol = "TCP" + port = 8201 + } + } + + # Rule 2: Allow DNS resolution to KubeDNS + egress { + to { + namespace_selector { + match_labels = { + "kubernetes.io/metadata.name" = "kube-system" + } + } + pod_selector { + match_labels = { + "k8s-app" = "kube-dns" + } + } + } + ports { + protocol = "UDP" + port = 53 + } + ports { + protocol = "TCP" + port = 53 + } + } + + # Rule 3: Allow egress to the Kubernetes API for Discovery and Auth + egress { + to { + ip_block { + cidr = "${var.kubernetes_api_ip}/32" + } + } + ports { + protocol = var.kubernetes_api_protocol + port = var.kubernetes_api_port + } + } + } +} diff --git a/modules/secrets/openbao.tf b/modules/secrets/openbao.tf index f9c1ced..a5c7d61 100644 --- a/modules/secrets/openbao.tf +++ b/modules/secrets/openbao.tf @@ -1,8 +1,8 @@ resource "helm_release" "openbao" { - name = "openbao" - repository = "https://openbao.github.io/openbao-helm" - chart = "openbao" - version = "0.25.6" + name = var.openbao_configuration.name + repository = var.openbao_configuration.repository + chart = var.openbao_configuration.chart + version = var.openbao_configuration.version namespace = kubernetes_namespace.namespace.metadata[0].name create_namespace = false @@ -79,7 +79,7 @@ resource "helm_release" "openbao" { ha = { enabled = true - replicas = 3 + replicas = var.cluster_size raft = { enabled = true setNodeId = true diff --git a/modules/secrets/variables.tf b/modules/secrets/variables.tf index 938b990..207dbc3 100644 --- a/modules/secrets/variables.tf +++ b/modules/secrets/variables.tf 
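Review bot: Ingress rule 2 builds the namespace list with `split(",", var.access_namespaces)`, so a value such as `"external-secrets, cloud"` yields `" cloud"`, a name that never matches and silently denies that namespace; use `values = [for ns in split(",", var.access_namespaces) : trimspace(ns)]` or type the input as `list(string)`. Egress rule 3 hard-codes a `/32` prefix, which is wrong for an IPv6 API endpoint and cannot be expressed through the single `kubernetes_api_ip` input — worth a comment on the `ip_block`. All rules opening `8200` to consumers rely on callers labelling their pods `openbao-access=true`; state that contract in the comment above rule 2.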
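Review bot: `name` is now `var.openbao_configuration.name`, but `config/openbao.hcl` still hard-codes `label_selector=\"app.kubernetes.io/instance=openbao,component=server\"` for raft `auto_join`, and the topology spread selector and the network policy `pod_selector` hard-code the same instance/name labels; a caller that overrides `name` gets nodes that cannot find each other while the policy stops selecting the server pods. Either pass the name into `templatefile` (`instance = var.openbao_configuration.name`) and the selectors, or document on the variable that `name` must stay `"openbao"`. The release body continues outside the hunk.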
@@ -30,6 +30,30 @@ variable "observability_namespace" { nullable = false } +variable "access_namespaces" { + description = "Namespaces requiring accesses to the OpenBao Cluster in a comma seperated list" + type = string + nullable = false +} + +# -------------- OPENBAO DEPLOYMENT VARIABLES -------------- # +variable "openbao_configuration" { + description = "Dictionary filled with OpenBao Configuration Details" + type = map(string) + default = { + "name" = "openbao" + "repository" = "https://openbao.github.io/openbao-helm" + "chart" = "openbao" + "version" = "0.25.6" + } +} + +variable "cluster_size" { + description = "Number of pods to be deployed for High Availability for OpenBao Secrets Management Solution" + type = number + default = 3 +} + # --------------- CERTIFICATE VARIABLES --------------- # variable "cluster_issuer_name" { description = "Name for the Cluster Issuer to be used to generate internal self signed certificates" @@ -96,3 +120,22 @@ variable "domain" { type = string nullable = false } + +# --------------- NETWORK POLICY VARIABLES --------------- # +variable "kubernetes_api_ip" { + description = "IP Address for the Kubernetes API" + type = string + nullable = false +} + +variable "kubernetes_api_protocol" { + description = "Protocol for the Kubernetes API" + type = string + nullable = false +} + +variable "kubernetes_api_port" { + description = "Port for the Kubernetes API" + type = number + nullable = false +} From a456f5fbbc5d598e21adbf36476a93dbcc26a8b6 Mon Sep 17 00:00:00 2001 From: khatrivarun Date: Wed, 11 Mar 2026 13:08:13 +0530 Subject: [PATCH 08/15] feat(openbao): network policy implementation --- modules/secrets/networkpolicy.tf | 26 ++++++++++++++++++++++++-- 1 file changed, 24 insertions(+), 2 deletions(-) diff --git a/modules/secrets/networkpolicy.tf b/modules/secrets/networkpolicy.tf index 7b3156e..3a9750d 100644 --- a/modules/secrets/networkpolicy.tf +++ b/modules/secrets/networkpolicy.tf 
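Review bot: `access_namespaces` is a comma-separated `string` the network policy must `split`, and `openbao_configuration` is a `map(string)` whose keys `name`, `repository`, `chart` and `version` are all required by `openbao.tf` but not enforced; `type = list(string)` and `type = object({ name = string, repository = string, chart = string, version = string })` move both mistakes from apply time to validation. Also `seperated` → `separated` in the `access_namespaces` description. `cluster_size` defaults to `3`, which suits raft quorum; a `validation` block requiring an odd value of at least 3 would document that assumption.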
@@ -62,7 +62,29 @@ resource "kubernetes_network_policy" "openbao_network_access_policy" { } } - # Rule 3: Allow NGINX Ingress Controller to reach the active leader + # Rule 3: Allow ingress from configurator job + ingress { + from { + namespace_selector { + match_expressions { + key = "kubernetes.io/metadata.name" + operator = "In" + values = [kubernetes_namespace.namespace.metadata[0].name] + } + } + pod_selector { + match_labels = { + "created-by" = "configurator" + } + } + } + ports { + protocol = "TCP" + port = 8200 + } + } + + # Rule 4: Allow NGINX Ingress Controller to reach the active leader ingress { from { namespace_selector { @@ -77,7 +99,7 @@ resource "kubernetes_network_policy" "openbao_network_access_policy" { } } - # Rule 4: Allow OpenTelemetry Collector to scrape metrics from the API port + # Rule 5: Allow OpenTelemetry Collector to scrape metrics from the API port ingress { from { namespace_selector { From ed810d844d4949ef5195e714ce37aff1e27e98fb Mon Sep 17 00:00:00 2001 From: khatrivarun Date: Wed, 11 Mar 2026 13:16:18 +0530 Subject: [PATCH 09/15] fix(openbao): network policy fixes for cluster --- modules/secrets/networkpolicy.tf | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/modules/secrets/networkpolicy.tf b/modules/secrets/networkpolicy.tf index 3a9750d..466caa6 100644 --- a/modules/secrets/networkpolicy.tf +++ b/modules/secrets/networkpolicy.tf @@ -130,6 +130,10 @@ resource "kubernetes_network_policy" "openbao_network_access_policy" { } } } + ports { + protocol = "TCP" + port = 8200 + } ports { protocol = "TCP" port = 8201 From ca82cfabc33a581e559f7cef1f7975ad16d245ad Mon Sep 17 00:00:00 2001 From: khatrivarun Date: Wed, 11 Mar 2026 13:25:22 +0530 Subject: [PATCH 10/15] feat(openbao): variabalizing configurator --- modules/secrets/job.tf | 2 +- modules/secrets/variables.tf | 19 +++++++++++++++++++ 2 files changed, 20 insertions(+), 1 deletion(-) diff --git a/modules/secrets/job.tf b/modules/secrets/job.tf index f3e03fc..d29cdc3 100644 
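Review bot: The new configurator rule wraps a `namespace_selector` matching only the policy's own namespace around the `pod_selector`; a `pod_selector` alone in a `from` block already means pods of the policy's namespace, so the `namespace_selector` block can be dropped. The rule depends on the job pods carrying the `created-by=configurator` label, which is set in `job.tf` outside this diff — worth naming in the rule's comment, e.g. `# Rule 3: Allow ingress from configurator job (pods labelled created-by=configurator in job.tf)`.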
--- a/modules/secrets/job.tf +++ b/modules/secrets/job.tf @@ -23,7 +23,7 @@ resource "kubernetes_job" "configurator" { container { name = "configurator" - image = "quay.io/openbao/openbao:2.5.1" + image = "${var.configurator_repository}/${var.configurator_image}:${var.configurator_tag}" command = ["/bin/sh", "/scripts/configurator.sh"] volume_mount { diff --git a/modules/secrets/variables.tf b/modules/secrets/variables.tf index 207dbc3..018d3cb 100644 --- a/modules/secrets/variables.tf +++ b/modules/secrets/variables.tf @@ -121,6 +121,25 @@ variable "domain" { nullable = false } +# --------------- OPENBAO CONFIGURATION VARIABLES --------------- # +variable "configurator_repository" { + description = "Repository to be used for deployment of OpenBao Configurator" + type = string + default = "quay.io/openbao" +} + +variable "configurator_image" { + description = "Docker image to be used for deployment of OpenBao Configurator" + type = string + default = "openbao" +} + +variable "configurator_tag" { + description = "Docker tag to be used for deployment of OpenBao Configurator" + type = string + default = "2.5.1" +} + # --------------- NETWORK POLICY VARIABLES --------------- # variable "kubernetes_api_ip" { description = "IP Address for the Kubernetes API" From 26dc50e316bbaee541f1f8da7445a7c549105245 Mon Sep 17 00:00:00 2001 From: khatrivarun Date: Wed, 11 Mar 2026 13:46:03 +0530 Subject: [PATCH 11/15] feat(openbao): adding comments --- modules/secrets/configmap.tf | 1 + modules/secrets/job.tf | 11 +++++++++-- modules/secrets/openbao.tf | 23 ++++++++++++++++++++--- modules/secrets/secrets.tf | 1 + modules/secrets/serviceaccount.tf | 3 +++ 5 files changed, 34 insertions(+), 5 deletions(-) diff --git a/modules/secrets/configmap.tf b/modules/secrets/configmap.tf index 614315e..e078c9f 100644 --- a/modules/secrets/configmap.tf +++ b/modules/secrets/configmap.tf 
@@ -1,3 +1,4 @@ +// Configurator Script uploaded as a configmap resource "kubernetes_config_map" "configurator_script" { metadata { name = "openbao-configurator-script" diff --git a/modules/secrets/job.tf b/modules/secrets/job.tf index d29cdc3..c41a6ac 100644 --- a/modules/secrets/job.tf +++ b/modules/secrets/job.tf @@ -1,3 +1,4 @@ +// Configurator Job for the OpenBao Cluster resource "kubernetes_job" "configurator" { metadata { name = "openbao-configurator" @@ -18,6 +19,8 @@ resource "kubernetes_job" "configurator" { } } spec { + + // Service Account to be used for the configurator job service_account_name = kubernetes_service_account.configurator.metadata[0].name restart_policy = "OnFailure" @@ -25,12 +28,14 @@ resource "kubernetes_job" "configurator" { name = "configurator" image = "${var.configurator_repository}/${var.configurator_image}:${var.configurator_tag}" command = ["/bin/sh", "/scripts/configurator.sh"] - + + // Load the configurator script as a volume volume_mount { name = "scripts" mount_path = "/scripts" } - + + // Load the TLS certificates used by the cluster as a volume volume_mount { name = "tls" mount_path = "/openbao/userconfig/${kubernetes_manifest.internal_certificate.manifest.spec.secretName}" @@ -38,6 +43,7 @@ resource "kubernetes_job" "configurator" { } } + // Volume for the configurator script volume { name = "scripts" config_map { @@ -46,6 +52,7 @@ resource "kubernetes_job" "configurator" { } } + // Volume for the TLS certificates used by the cluster volume { name = "tls" secret { diff --git a/modules/secrets/openbao.tf b/modules/secrets/openbao.tf index a5c7d61..7328c0e 100644 --- a/modules/secrets/openbao.tf +++ b/modules/secrets/openbao.tf 
@@ -1,9 +1,11 @@ +// OpenBao Deployment Configuration resource "helm_release" "openbao" { name = var.openbao_configuration.name repository = var.openbao_configuration.repository chart = var.openbao_configuration.chart version = var.openbao_configuration.version - + + // Deploy it in the same namespace namespace = kubernetes_namespace.namespace.metadata[0].name create_namespace = false @@ -19,6 +21,7 @@ resource "helm_release" "openbao" { server = { + // Resource Requests and Limits resources = { requests = { memory = "256Mi" @@ -30,6 +33,7 @@ resource "helm_release" "openbao" { } } + // Node Affinity for worker nodes affinity = { nodeAffinity = { requiredDuringSchedulingIgnoredDuringExecution = { @@ -46,7 +50,8 @@ resource "helm_release" "openbao" { } } } - + + // Topology Spread Constraints topologySpreadConstraints = [ { maxSkew = 1 @@ -61,7 +66,8 @@ resource "helm_release" "openbao" { } } ] - + + // Environment variable for unsealing the cluster extraSecretEnvironmentVars = [ { envName = "OPENBAO_STATIC_UNSEAL_KEY" @@ -70,6 +76,7 @@ resource "helm_release" "openbao" { } ] + // TLS Certificates Mounting extraVolumes = [ { type = "secret" @@ -77,13 +84,17 @@ resource "helm_release" "openbao" { } ] + // High availability configuration ha = { enabled = true replicas = var.cluster_size + + // Raft Storage Configuration raft = { enabled = true setNodeId = true + // Config loaded as a configuration file config = templatefile("${path.module}/config/openbao.hcl", { namespace = kubernetes_namespace.namespace.metadata[0].name, cert_secret_name = kubernetes_manifest.internal_certificate.manifest.spec.secretName @@ -91,6 +102,7 @@ resource "helm_release" "openbao" { } } + // Data Storage Configuration dataStorage = { enabled = true size = "5Gi" 
@@ -98,10 +110,14 @@ resource "helm_release" "openbao" { storageClass = "local-path" } + // Enable Auth Delegator + // for Kubernetes Authentication authDelegator = { enabled = true } + // Enable permissions for + // Service Discovery serviceAccount = { create = true serviceDiscovery = { @@ -109,6 +125,7 @@ resource "helm_release" "openbao" { } } + // UI Service ui = { enabled = true serviceType = "ClusterIP" diff --git a/modules/secrets/secrets.tf b/modules/secrets/secrets.tf index 30d512f..b1630c0 100644 --- a/modules/secrets/secrets.tf +++ b/modules/secrets/secrets.tf @@ -1,3 +1,4 @@ +// Static Unsealing key to be used for OpenBao Auto-Unsealing resource "random_id" "static_unseal_key" { byte_length = 32 } diff --git a/modules/secrets/serviceaccount.tf b/modules/secrets/serviceaccount.tf index e02d7e7..b04edde 100644 --- a/modules/secrets/serviceaccount.tf +++ b/modules/secrets/serviceaccount.tf @@ -1,3 +1,4 @@ +// Service account to be used by the Configurator Job resource "kubernetes_service_account" "configurator" { metadata { name = "openbao-configurator" @@ -9,6 +10,7 @@ resource "kubernetes_service_account" "configurator" { } } +// Allow the Configurator Job to create Kubernetes Secrets resource "kubernetes_role" "configurator" { metadata { name = "openbao-configurator-role" @@ -25,6 +27,7 @@ resource "kubernetes_role" "configurator" { } } +// Binding the role to the Service Account resource "kubernetes_role_binding" "configurator" { metadata { name = "openbao-configurator-binding" From 8b90c3fd8fc36ddd6ed9fc8c638e4c41ec31a5e6 Mon Sep 17 00:00:00 2001 
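Review bot: The new comment on `random_id.static_unseal_key` should say where this key material lives: `random_id` persists the generated bytes in Terraform state, and the README in a later commit lists a `kubernetes_secret.static_unseal_key` that carries it into the cluster, so the state backend holds the key that unseals the whole cluster. Suggest extending it to `// Static unseal key; generated here and therefore stored in Terraform state — protect and encrypt the state backend as you would the cluster's root key material`. How the value is referenced from the Secret and whether it is marked sensitive there is outside this hunk.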
From: khatrivarun
Date: Wed, 11 Mar 2026 13:47:30 +0530
Subject: [PATCH 12/15] feat(openbao): module rename
---
modules/{secrets => openbao}/certificates.tf | 0
modules/{secrets => openbao}/config/configurator.sh | 0
modules/{secrets => openbao}/config/openbao.hcl | 0
modules/{secrets => openbao}/configmap.tf | 0
modules/{secrets => openbao}/ingress.tf | 0
modules/{secrets => openbao}/job.tf | 0
modules/{secrets => openbao}/namespace.tf | 0
modules/{secrets => openbao}/networkpolicy.tf | 0
modules/{secrets => openbao}/openbao.tf | 0
modules/{secrets => openbao}/secrets.tf | 0
modules/{secrets => openbao}/serviceaccount.tf | 0
modules/{secrets => openbao}/variables.tf | 0
12 files changed, 0 insertions(+), 0 deletions(-)
rename modules/{secrets => openbao}/certificates.tf (100%)
rename modules/{secrets => openbao}/config/configurator.sh (100%)
rename modules/{secrets => openbao}/config/openbao.hcl (100%)
rename modules/{secrets => openbao}/configmap.tf (100%)
rename modules/{secrets => openbao}/ingress.tf (100%)
rename modules/{secrets => openbao}/job.tf (100%)
rename modules/{secrets => openbao}/namespace.tf (100%)
rename modules/{secrets => openbao}/networkpolicy.tf (100%)
rename modules/{secrets => openbao}/openbao.tf (100%)
rename modules/{secrets => openbao}/secrets.tf (100%)
rename modules/{secrets => openbao}/serviceaccount.tf (100%)
rename modules/{secrets => openbao}/variables.tf (100%)
diff --git a/modules/secrets/certificates.tf b/modules/openbao/certificates.tf
similarity index 100%
rename from modules/secrets/certificates.tf
rename to modules/openbao/certificates.tf
diff --git a/modules/secrets/config/configurator.sh b/modules/openbao/config/configurator.sh
similarity index 100%
rename from modules/secrets/config/configurator.sh
rename to modules/openbao/config/configurator.sh
diff --git a/modules/secrets/config/openbao.hcl b/modules/openbao/config/openbao.hcl
similarity index 100%
rename from modules/secrets/config/openbao.hcl
rename to modules/openbao/config/openbao.hcl
diff --git a/modules/secrets/configmap.tf b/modules/openbao/configmap.tf
similarity index 100%
rename from modules/secrets/configmap.tf
rename to modules/openbao/configmap.tf
diff --git a/modules/secrets/ingress.tf b/modules/openbao/ingress.tf
similarity index 100%
rename from modules/secrets/ingress.tf
rename to modules/openbao/ingress.tf
diff --git a/modules/secrets/job.tf b/modules/openbao/job.tf
similarity index 100%
rename from modules/secrets/job.tf
rename to modules/openbao/job.tf
diff --git a/modules/secrets/namespace.tf b/modules/openbao/namespace.tf
similarity index 100%
rename from modules/secrets/namespace.tf
rename to modules/openbao/namespace.tf
diff --git a/modules/secrets/networkpolicy.tf b/modules/openbao/networkpolicy.tf
similarity index 100%
rename from modules/secrets/networkpolicy.tf
rename to modules/openbao/networkpolicy.tf
diff --git a/modules/secrets/openbao.tf b/modules/openbao/openbao.tf
similarity index 100%
rename from modules/secrets/openbao.tf
rename to modules/openbao/openbao.tf
diff --git a/modules/secrets/secrets.tf b/modules/openbao/secrets.tf
similarity index 100%
rename from modules/secrets/secrets.tf
rename to modules/openbao/secrets.tf
diff --git a/modules/secrets/serviceaccount.tf b/modules/openbao/serviceaccount.tf
similarity index 100%
rename from modules/secrets/serviceaccount.tf
rename to modules/openbao/serviceaccount.tf
diff --git a/modules/secrets/variables.tf b/modules/openbao/variables.tf
similarity index 100%
rename from modules/secrets/variables.tf
rename to modules/openbao/variables.tf
From 5597f0decc0f1003142cb16b10b4d42e26dd7b2e Mon Sep 17 00:00:00 2001
From: khatrivarun Date: Wed, 11 Mar 2026 13:48:11 +0530 Subject: [PATCH 13/15] feat(openbao): module rename --- infrastructure/main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/infrastructure/main.tf b/infrastructure/main.tf index a4fc984..9192b61 100644 --- a/infrastructure/main.tf +++ b/infrastructure/main.tf @@ -35,7 +35,7 @@ module "observability" { # OpenBao Secrets Management Solution deployment module "secrets" { - source = "git::https://github.com/necro-cloud/modules//modules/secrets?ref=task/110/openbao-deployment" + source = "git::https://github.com/necro-cloud/modules//modules/openbao?ref=task/110/openbao-deployment" // Certificates Details cluster_issuer_name = module.cluster-issuer.cluster-issuer-name From b4959c11237ddf5df653b089c8b06f1749a2e175 Mon Sep 17 00:00:00 2001 From: khatrivarun Date: Wed, 11 Mar 2026 13:54:50 +0530 Subject: [PATCH 14/15] docs(openbao): README update --- README.md | 11 +++--- modules/openbao/README.md | 71 +++++++++++++++++++++++++++++++++++++++ 2 files changed, 77 insertions(+), 5 deletions(-) create mode 100644 modules/openbao/README.md diff --git a/README.md b/README.md index 5413cc0..66c28ef 100644 --- a/README.md +++ b/README.md @@ -16,8 +16,9 @@ The following modules have been implemented and their usage instructions written 1. [Helm](modules/helm) 2. [Cluster Issuer for internal certificates](modules/cluster-issuer) 3. [Observability](modules/observability) -4. [Garage Storage](modules/garage) -5. [Cloudnative PG PostgreSQL Database](modules/cnpg) -6. [FerretDB (MongoDB) Database](modules/ferretdb) -7. [Valkey In Memory Database](modules/valkey) -8. [Keycloak Identity Management](modules/keycloak) +4. [OpenBao Secrets Management](modules/openbao) +5. [Garage Storage](modules/garage) +6. [Cloudnative PG PostgreSQL Database](modules/cnpg) +7. [FerretDB (MongoDB) Database](modules/ferretdb) +8. [Valkey In Memory Database](modules/valkey) +9. [Keycloak Identity Management](modules/keycloak) 
diff --git a/modules/openbao/README.md b/modules/openbao/README.md
new file mode 100644
index 0000000..7778a56
--- /dev/null
+++ b/modules/openbao/README.md
@@ -0,0 +1,71 @@ +## necronizer's cloud openbao module + +OpenTofu Module to deploy [OpenBao](https://openbao.org/) Secrets Management Solution on the Kubernetes Cluster. + +Required Modules to deploy OpenBao Secrets Manageemnt Solution: +1. [Cluster Issuer](../cluster-issuer) +2. [Observability](../observability) + +## Providers + +| Name | Version | +|------|---------| +| [helm](#provider\_helm) | 3.1.1 | +| [kubernetes](#provider\_kubernetes) | 2.38.0 | +| [random](#provider\_random) | 3.7.2 | + +## Resources + +| Name | Type | +|------|------| +| [helm_release.openbao](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource | +| [kubernetes_config_map.configurator_script](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/config_map) | resource | +| [kubernetes_ingress_v1.ui_ingress](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/ingress_v1) | resource | +| [kubernetes_job.configurator](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/job) | resource | +| [kubernetes_manifest.certificate_authority](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/manifest) | resource | +| [kubernetes_manifest.ingress_certificate](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/manifest) | resource | +| [kubernetes_manifest.internal_certificate](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/manifest) | resource | +| [kubernetes_manifest.issuer](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/manifest) | resource | +| [kubernetes_manifest.public_issuer](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/manifest) | resource | +| [kubernetes_namespace.namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource | +| 
[kubernetes_network_policy.openbao_network_access_policy](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource | +| [kubernetes_role.configurator](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/role) | resource | +| [kubernetes_role_binding.configurator](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/role_binding) | resource | +| [kubernetes_secret.cloudflare_token](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/secret) | resource | +| [kubernetes_secret.static_unseal_key](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/secret) | resource | +| [kubernetes_service_account.configurator](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/service_account) | resource | +| [random_id.static_unseal_key](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/id) | resource | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [access\_namespaces](#input\_access\_namespaces) | Namespaces requiring accesses to the OpenBao Cluster in a comma seperated list | `string` | +| [acme\_server](#input\_acme\_server) | URL for the ACME Server to be used, defaults to production URL for LetsEncrypt | `string` | `"https://acme-v02 +| [app\_name](#input\_app\_name) | App name for deploying OpenBao Secrets Management Solution | `string` | `"openbao"` | no | +| [certificate\_authority\_name](#input\_certificate\_authority\_name) | Name of the Certificate Authority to be associated with OpenBao +| [cloudflare\_email](#input\_cloudflare\_email) | Email for generating Ingress Certificates to be associated with OpenBao Secrets Management Solu +| [cloudflare\_issuer\_name](#input\_cloudflare\_issuer\_name) | Name of the Cloudflare Issuer to be associated with OpenBao Secrets 
Management Solution | `string` | `"secrets-cloudflare-issuer"` | no | +| [cloudflare\_token](#input\_cloudflare\_token) | Token for generating Ingress Certificates to be associated with OpenBao Secrets Management Solution | `string` | n/a | yes | +| [cluster\_issuer\_name](#input\_cluster\_issuer\_name) | Name for the Cluster Issuer to be used to generate internal self signed certificates | `string` | n/a | yes | +| [cluster\_size](#input\_cluster\_size) | Number of pods to be deployed for High Availability for OpenBao Secrets Management Solution | `number` | `3` | no | +| [configurator\_image](#input\_configurator\_image) | Docker image to be used for deployment of OpenBao Configurator | `string` | `"openbao"` | no | +| [configurator\_repository](#input\_configurator\_repository) | Repository to be used for deployment of OpenBao Configurator | `string` | `"quay.io/openbao"` | no | +| [configurator\_tag](#input\_configurator\_tag) | Docker tag to be used for deployment of OpenBao Configurator | `string` | `"2.5.1"` | no | +| [country\_name](#input\_country\_name) | Country name for deploying OpenBao Secrets Management Solution | `string` | `"India"` | no | +| [domain](#input\_domain) | Domain for which Ingress Certificate is to be generated for | `string` | n/a | yes | +| [host\_name](#input\_host\_name) | Host name for which Ingress Certificate is to be generated for | `string` | `"secrets"` | no | +| [ingress\_certificate\_name](#input\_ingress\_certificate\_name) | Name of the Ingress Certificate to be associated with OpenBao Secrets Management Solution | `string` | `"secrets-ingress-certificate"` | no | +| [internal\_certificate\_name](#input\_internal\_certificate\_name) | Name of the Internal Certificate to be associated with OpenBao Secrets Management Solution | `string` | `"secrets-internal-certificate"` | no | +| [issuer\_name](#input\_issuer\_name) | Name of the Issuer to be associated with OpenBao Secrets Management Solution | `string` | 
`"secrets-certificate-issuer"` | no | +| [kubernetes\_api\_ip](#input\_kubernetes\_api\_ip) | IP Address for the Kubernetes API | `string` | n/a | yes | +| [kubernetes\_api\_port](#input\_kubernetes\_api\_port) | Port for the Kubernetes API | `number` | n/a | yes | +| [kubernetes\_api\_protocol](#input\_kubernetes\_api\_protocol) | Protocol for the Kubernetes API | `string` | n/a | yes | +| [namespace](#input\_namespace) | Namespace to be used for deploying OpenBao Secrets Management Solution | `string` | `"openbao"` | no | +| [observability\_namespace](#input\_observability\_namespace) | Namespace where all components for observability are deployed | `string` | n/a | yes | +| [openbao\_configuration](#input\_openbao\_configuration) | Dictionary filled with OpenBao Configuration Details | `map(string)` |
{
"chart": "openbao",
"name": "openbao",
"repository": "https://openbao.github.io/openbao-helm",
"version": "0.25.6"
}
| no | +| [organization\_name](#input\_organization\_name) | Organization name for deploying OpenBao Secrets Management Solution | `string` | `"cloud"` | no | + +## Outputs + +No outputs. From e13b6e3f25d6ffc6f535b0be4fa8bda1a82e223e Mon Sep 17 00:00:00 2001 From: khatrivarun Date: Wed, 11 Mar 2026 14:01:23 +0530 Subject: [PATCH 15/15] [INF] All modules switch to main branch --- infrastructure/main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/infrastructure/main.tf b/infrastructure/main.tf index 9192b61..87fbaf1 100644 --- a/infrastructure/main.tf +++ b/infrastructure/main.tf @@ -35,7 +35,7 @@ module "observability" { # OpenBao Secrets Management Solution deployment module "secrets" { - source = "git::https://github.com/necro-cloud/modules//modules/openbao?ref=task/110/openbao-deployment" + source = "git::https://github.com/necro-cloud/modules//modules/openbao?ref=main" // Certificates Details cluster_issuer_name = module.cluster-issuer.cluster-issuer-name
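Review bot: The module source now floats on `?ref=main`, so every init that refreshes modules pulls whatever that branch currently holds; for the module that provisions the secrets manager, this makes the deployed content depend on the branch's state at init time rather than on a reviewed revision. Pin it to a release tag or a full commit SHA, e.g. `source = "git::https://github.com/necro-cloud/modules//modules/openbao?ref=<tag-or-commit>"`, and bump it deliberately. The same applies to the branch ref `task/110/openbao-deployment` used in the preceding commit's version of this line. The `module "secrets"` block continues outside the hunk.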