fix(devops): enable OpenBao in Swarm and fix healthchecks

- Enable OpenBao + init sidecar in Swarm compose (was commented out)
- Fix healthcheck to accept uninitialized/sealed vault states
  (add ?uninitcode=200&sealedcode=200 to /v1/sys/health)
- Replace nc-based healthcheck with wget in dev compose
- Add ORCHESTRATOR_URL env var to API service in Swarm compose
- Uncomment OpenBao volumes in Swarm compose

The healthcheck was returning HTTP 501 for uninitialized vault,
causing Swarm to restart OpenBao before init sidecar could run.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-11 19:38:34 -06:00
parent 6a5a4e4de8
commit b3c0f51dc9
3 changed files with 65 additions and 37 deletions


@@ -40,7 +40,7 @@ services:
- wget - wget
- --spider - --spider
- --quiet - --quiet
- http://localhost:8200/v1/sys/health?standbyok=true - http://localhost:8200/v1/sys/health?standbyok=true&uninitcode=200&sealedcode=200
interval: 10s interval: 10s
timeout: 5s timeout: 5s
retries: 5 retries: 5
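Review bot: With `uninitcode=200&sealedcode=200` appended on the wget line, the check now passes for a server that is sealed or was never initialized, so "healthy" here means only "the HTTP listener answers" — if the init sidecar exhausts its attempts, OpenBao will sit sealed and healthy indefinitely with nothing restarting it and no failing check to surface the state. That is a defensible trade for the restart loop the commit describes, but it should be stated next to the test so nobody later reads `service_healthy` as "secrets are retrievable": `# NOTE: sealed/uninitialized still return 200 here (liveness only); alert on /v1/sys/seal-status separately`. The hunk ends at `retries: 5`, so I cannot see whether this file also carries the `start_period: 30s` the Swarm definition has; if it does not, adding one would avoid burning the five retries during the listener's own start-up.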


@@ -80,38 +80,59 @@ services:
condition: on-failure condition: on-failure
# ====================== # ======================
# OpenBao Secrets Vault - COMMENTED OUT # OpenBao Secrets Vault
# ====================== # ======================
# IMPORTANT: OpenBao CANNOT run in swarm mode due to port binding conflicts. openbao:
# Deploy OpenBao as a standalone container instead: image: git.mosaicstack.dev/mosaic/stack-openbao:${IMAGE_TAG:-latest}
# docker compose -f docker-compose.openbao.yml up -d command: server -config=/openbao/config/config.hcl
# env_file: .env
# Alternative: Use external HashiCorp Vault or managed secrets service environment:
# OPENBAO_ADDR: http://0.0.0.0:8200
# openbao: volumes:
# image: git.mosaicstack.dev/mosaic/stack-openbao:${IMAGE_TAG:-latest} - openbao_data:/openbao/data
# env_file: .env - openbao_logs:/openbao/logs
# environment: - openbao_init:/openbao/init
# OPENBAO_ADDR: ${OPENBAO_ADDR:-http://0.0.0.0:8200} cap_add:
# OPENBAO_DEV_ROOT_TOKEN_ID: ${OPENBAO_DEV_ROOT_TOKEN_ID:-root} - IPC_LOCK
# volumes: healthcheck:
# - openbao_data:/openbao/data test:
# - openbao_logs:/openbao/logs [
# - openbao_init:/openbao/init "CMD",
# cap_add: "wget",
# - IPC_LOCK "--spider",
# healthcheck: "--quiet",
# test: "http://localhost:8200/v1/sys/health?standbyok=true&uninitcode=200&sealedcode=200",
# ["CMD", "wget", "--spider", "--quiet", "http://localhost:8200/v1/sys/health?standbyok=true"] ]
# interval: 10s interval: 10s
# timeout: 5s timeout: 5s
# retries: 5 retries: 5
# start_period: 30s start_period: 30s
# networks: networks:
# - internal - internal
# deploy: deploy:
# restart_policy: restart_policy:
# condition: on-failure condition: on-failure
# ======================
# OpenBao Init Sidecar
# ======================
# Auto-initializes and unseals OpenBao on first run.
# The init script has built-in retry logic (waits for OpenBao API).
openbao-init:
image: git.mosaicstack.dev/mosaic/stack-openbao:${IMAGE_TAG:-latest}
command: /openbao/init.sh
env_file: .env
environment:
VAULT_ADDR: http://openbao:8200
volumes:
- openbao_init:/openbao/init
networks:
- internal
deploy:
restart_policy:
condition: on-failure
max_attempts: 5
delay: 10s
# ====================== # ======================
# Authentik - COMMENTED OUT (Using External Authentik) # Authentik - COMMENTED OUT (Using External Authentik)
@@ -302,6 +323,7 @@ services:
JWT_EXPIRATION: ${JWT_EXPIRATION:-24h} JWT_EXPIRATION: ${JWT_EXPIRATION:-24h}
OLLAMA_ENDPOINT: ${OLLAMA_ENDPOINT:-http://ollama:11434} OLLAMA_ENDPOINT: ${OLLAMA_ENDPOINT:-http://ollama:11434}
OPENBAO_ADDR: ${OPENBAO_ADDR:-http://openbao:8200} OPENBAO_ADDR: ${OPENBAO_ADDR:-http://openbao:8200}
ORCHESTRATOR_URL: ${ORCHESTRATOR_URL:-http://orchestrator:3001}
ENCRYPTION_KEY: ${ENCRYPTION_KEY} ENCRYPTION_KEY: ${ENCRYPTION_KEY}
healthcheck: healthcheck:
test: test:
@@ -403,10 +425,9 @@ services:
volumes: volumes:
postgres_data: postgres_data:
valkey_data: valkey_data:
# OpenBao volumes - commented out (using standalone deployment) openbao_data:
# openbao_data: openbao_logs:
# openbao_logs: openbao_init:
# openbao_init:
# Authentik volumes - commented out (using external Authentik) # Authentik volumes - commented out (using external Authentik)
# authentik_postgres_data: # authentik_postgres_data:
# authentik_redis_data: # authentik_redis_data:
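Review bot: The new `openbao` service mounts `openbao_init:/openbao/init`, the same volume that is the only writable mount of the `openbao-init` sidecar; if `init.sh` persists the unseal keys or root token there (I cannot see the script, but the sidecar has nowhere else to write them), the server container ends up holding its own unseal material, and the seal no longer protects anything from anyone who can exec into that container or read the volume. Since `init.sh` is run from the image path `/openbao/init.sh` rather than from the volume, the server does not appear to need that mount at all — drop it, or at minimum mount it read-only (`- openbao_init:/openbao/init:ro`) and add a comment stating what the volume holds and who is expected to read it. Both the server and the sidecar also take `env_file: .env`, which hands them every secret in that file (`ENCRYPTION_KEY`, the JWT settings and whatever else the API reads from it) although each visibly needs only its own address; listing the required variables under `environment:` instead keeps the vault container from carrying application secrets it never uses. The removed comment said OpenBao could not run in Swarm because of port-binding conflicts and the new block publishes no `ports:`, which is presumably how that was resolved; a one-line note to that effect would stop the next person from re-adding a host port.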


@@ -87,7 +87,14 @@ services:
cap_add: cap_add:
- IPC_LOCK - IPC_LOCK
healthcheck: healthcheck:
test: ["CMD-SHELL", "nc -z 127.0.0.1 8200 || exit 1"] test:
[
"CMD",
"wget",
"--spider",
"--quiet",
"http://127.0.0.1:8200/v1/sys/health?standbyok=true&uninitcode=200&sealedcode=200",
]
interval: 10s interval: 10s
timeout: 5s timeout: 5s
retries: 5 retries: 5
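Review bot: The new URL on the long quoted line uses `127.0.0.1` while the two other healthchecks in this commit use `localhost`; the three are otherwise identical, so pick one spelling for all of them — `127.0.0.1` is the safer choice, because `localhost` can resolve to `::1` first in some base images and then fail against an IPv4-only listener, turning a working service into a restart loop. Replacing the `nc -z` port probe with a real `/v1/sys/health` request is an improvement, but with `sealedcode=200` it still only proves the listener is up, which deserves a comment above `test:` such as `# liveness only: sealed/uninitialized also return 200 here` so the dev check is not mistaken for an unseal check. If this dev file runs OpenBao in dev mode (the old Swarm block referenced `OPENBAO_DEV_ROOT_TOKEN_ID`, but I cannot see this file's command), the seal parameters are harmless, but the two files' checks will silently diverge in meaning; a comment should say which one applies.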