feat(openbao): add standalone deployment for swarm compatibility

- Create docker-compose.openbao.yml for standalone OpenBao deployment - Includes openbao and openbao-init services - Auto-initialization on first run - Connects to swarm's mosaic_internal network - Binds to localhost:8200 for security - Update docker-compose.swarm.yml - Comment out OpenBao service (cannot run in swarm) - Add clear note about standalone requirement - Update volumes section - Update header with current config - Create docs/OPENBAO-DEPLOYMENT.md - Comprehensive deployment guide - 4 deployment options: standalone, bundled, external, fallback - Clear explanation why OpenBao can't run in swarm - Deployment workflows for each scenario - Troubleshooting section - Update docs/SWARM-DEPLOYMENT.md - Add Step 1: Deploy OpenBao standalone FIRST - Remove manual initialization (now automatic) - Update expected services list - Reference OpenBao deployment guide - Update README.md - Clarify OpenBao standalone requirement for swarm - Update deployment steps - Highlight critical requirement at top of notes Key changes: - OpenBao MUST be deployed standalone when using swarm - Automatic initialization via openbao-init sidecar - Clear documentation for all deployment options - Swarm stack no longer includes OpenBao Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-08 17:30:30 -06:00
parent dac735af56
commit c195b8c8fd
5 changed files with 504 additions and 98 deletions
--- a/docker-compose.swarm.yml
+++ b/docker-compose.swarm.yml
@@ -8,9 +8,9 @@
 # Current Configuration:
 #   - PostgreSQL: ENABLED (internal)
 #   - Valkey: ENABLED (internal)
-#   - OpenBao: ENABLED (internal)
+#   - OpenBao: DISABLED (must use standalone - see docker-compose.openbao.yml)
 #   - Authentik: DISABLED (commented out - using external OIDC)
-#   - Ollama: ENABLED (internal)
+#   - Ollama: DISABLED (commented out - using external Ollama)
 #
 # For detailed deployment instructions, see:
 #   docs/SWARM-DEPLOYMENT.md
@@ -78,32 +78,38 @@ services:
        condition: on-failure

  # ======================
-  # OpenBao Secrets Vault
+  # OpenBao Secrets Vault - COMMENTED OUT
  # ======================
-  openbao:
-    image: git.mosaicstack.dev/mosaic/stack-openbao:${IMAGE_TAG:-latest}
-    env_file: .env
-    environment:
-      OPENBAO_ADDR: ${OPENBAO_ADDR:-http://0.0.0.0:8200}
-      OPENBAO_DEV_ROOT_TOKEN_ID: ${OPENBAO_DEV_ROOT_TOKEN_ID:-root}
-    volumes:
-      - openbao_data:/openbao/data
-      - openbao_logs:/openbao/logs
-      - openbao_init:/openbao/init
-    cap_add:
-      - IPC_LOCK
-    healthcheck:
-      test:
-        ["CMD", "wget", "--spider", "--quiet", "http://localhost:8200/v1/sys/health?standbyok=true"]
-      interval: 10s
-      timeout: 5s
-      retries: 5
-      start_period: 30s
-    networks:
-      - internal
-    deploy:
-      restart_policy:
-        condition: on-failure
+  # IMPORTANT: OpenBao CANNOT run in swarm mode due to port binding conflicts.
+  # Deploy OpenBao as a standalone container instead:
+  #   docker compose -f docker-compose.openbao.yml up -d
+  #
+  # Alternative: Use external HashiCorp Vault or managed secrets service
+  #
+  # openbao:
+  #   image: git.mosaicstack.dev/mosaic/stack-openbao:${IMAGE_TAG:-latest}
+  #   env_file: .env
+  #   environment:
+  #     OPENBAO_ADDR: ${OPENBAO_ADDR:-http://0.0.0.0:8200}
+  #     OPENBAO_DEV_ROOT_TOKEN_ID: ${OPENBAO_DEV_ROOT_TOKEN_ID:-root}
+  #   volumes:
+  #     - openbao_data:/openbao/data
+  #     - openbao_logs:/openbao/logs
+  #     - openbao_init:/openbao/init
+  #   cap_add:
+  #     - IPC_LOCK
+  #   healthcheck:
+  #     test:
+  #       ["CMD", "wget", "--spider", "--quiet", "http://localhost:8200/v1/sys/health?standbyok=true"]
+  #     interval: 10s
+  #     timeout: 5s
+  #     retries: 5
+  #     start_period: 30s
+  #   networks:
+  #     - internal
+  #   deploy:
+  #     restart_policy:
+  #       condition: on-failure

  # ======================
  # Authentik - COMMENTED OUT (Using External Authentik)
@@ -361,16 +367,18 @@ services:
 volumes:
  postgres_data:
  valkey_data:
-  openbao_data:
-  openbao_logs:
-  openbao_init:
+  # OpenBao volumes - commented out (using standalone deployment)
+  # openbao_data:
+  # openbao_logs:
+  # openbao_init:
  # Authentik volumes - commented out (using external Authentik)
  # authentik_postgres_data:
  # authentik_redis_data:
  # authentik_media:
  # authentik_certs:
  # authentik_templates:
-  ollama_data:
+  # Ollama volume - commented out (using external Ollama)
+  # ollama_data:
  orchestrator_workspace:

 # ======================