feat: add flexible docker-compose architecture with profiles
All checks were successful
ci/woodpecker/push/woodpecker Pipeline was successful
All checks were successful
ci/woodpecker/push/woodpecker Pipeline was successful
- Add OpenBao services to docker-compose.yml with profiles (openbao, full) - Add docker-compose.build.yml for local builds vs registry pulls - Make PostgreSQL and Valkey optional via profiles (database, cache) - Create example compose files for common deployment scenarios: - docker/docker-compose.example.turnkey.yml (all bundled) - docker/docker-compose.example.external.yml (all external) - docker/docker.example.hybrid.yml (mixed deployment) - Update documentation: - Enhance .env.example with profiles and external service examples - Update README.md with deployment mode quick starts - Add deployment scenarios to docs/OPENBAO.md - Create docker/DOCKER-COMPOSE-GUIDE.md with comprehensive guide - Clean up repository structure: - Move shell scripts to scripts/ directory - Move documentation to docs/ directory - Move docker compose examples to docker/ directory - Configure for external Authentik with internal services: - Comment out Authentik services (using external OIDC) - Comment out unused volumes for disabled services - Keep postgres, valkey, openbao as internal services This provides a flexible deployment architecture supporting turnkey, production (all external), and hybrid configurations via Docker Compose profiles. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
@@ -206,6 +206,68 @@ OPENBAO_ROLE_ID=<from-external-vault>
|
||||
OPENBAO_SECRET_ID=<from-external-vault>
|
||||
```
|
||||
|
||||
### Deployment Scenarios
|
||||
|
||||
OpenBao can be deployed in three modes using Docker Compose profiles:
|
||||
|
||||
#### Bundled OpenBao (Development/Turnkey)
|
||||
|
||||
**Use Case:** Local development, testing, demo environments
|
||||
|
||||
```bash
|
||||
# .env
|
||||
COMPOSE_PROFILES=full # or openbao
|
||||
OPENBAO_ADDR=http://openbao:8200
|
||||
|
||||
# Start services
|
||||
docker compose up -d
|
||||
```
|
||||
|
||||
OpenBao automatically initializes with 4 Transit keys and AppRole authentication. API reads credentials from `/openbao/init/approle-credentials` volume.
|
||||
|
||||
#### External OpenBao/Vault (Production)
|
||||
|
||||
**Use Case:** Production with managed HashiCorp Vault or external OpenBao
|
||||
|
||||
```bash
|
||||
# .env
|
||||
COMPOSE_PROFILES= # Empty - disable bundled OpenBao
|
||||
OPENBAO_ADDR=https://vault.example.com:8200
|
||||
OPENBAO_ROLE_ID=your-role-id
|
||||
OPENBAO_SECRET_ID=your-secret-id
|
||||
OPENBAO_REQUIRED=true # Fail startup if unavailable
|
||||
|
||||
# Or use docker-compose.example.external.yml
|
||||
cp docker/docker-compose.example.external.yml docker-compose.override.yml
|
||||
|
||||
# Start services
|
||||
docker compose up -d
|
||||
```
|
||||
|
||||
**Requirements for External Vault:**
|
||||
|
||||
- Transit secrets engine enabled at `/transit`
|
||||
- Four named encryption keys created (see Transit Encryption Keys section)
|
||||
- AppRole authentication configured with Transit-only policy
|
||||
- Network connectivity from API container to Vault endpoint
|
||||
|
||||
#### Fallback Mode (No OpenBao)
|
||||
|
||||
**Use Case:** Development without secrets management, testing graceful degradation
|
||||
|
||||
```bash
|
||||
# .env
|
||||
COMPOSE_PROFILES=database,cache # Exclude openbao profile
|
||||
ENCRYPTION_KEY=your-64-char-hex-key # For AES-256-GCM fallback
|
||||
|
||||
# Start services
|
||||
docker compose up -d
|
||||
```
|
||||
|
||||
API automatically falls back to AES-256-GCM encryption using `ENCRYPTION_KEY`. This provides encryption at rest without Transit infrastructure. Logs will show ERROR-level warnings about OpenBao unavailability.
|
||||
|
||||
**Note:** Fallback mode uses `aes:iv:tag:encrypted` ciphertext format instead of `vault:v1:...` format.
|
||||
|
||||
---
|
||||
|
||||
## Transit Encryption Keys
|
||||
|
||||
Reference in New Issue
Block a user