feat(#357): Add OpenBao to Docker Compose with turnkey setup
Some checks failed
ci/woodpecker/push/woodpecker Pipeline failed
Implements secure credential storage using OpenBao Transit encryption.

Features:
- Auto-initialization on first run (1-of-1 Shamir key for dev)
- Auto-unseal on container restart with verification and retry logic
- Transit secrets engine with 4 named encryption keys
- AppRole authentication with Transit-only policy
- Localhost-only API binding for security
- Comprehensive integration test suite (22 tests, all passing)

Security:
- API bound to 127.0.0.1 (localhost only, no external access)
- Unseal verification with 3-attempt retry logic
- Sanitized error messages in tests (no secret leakage)
- Volume-based secret reading (doesn't require running container)

Files:
- docker/openbao/config.hcl: Server configuration
- docker/openbao/init.sh: Auto-init/unseal script
- docker/docker-compose.yml: OpenBao and init services
- tests/integration/openbao.test.ts: Full test coverage
- .env.example: OpenBao configuration variables

Closes #357

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@@ -68,11 +68,65 @@ services:
networks:
- mosaic-network

openbao:
image: quay.io/openbao/openbao:2
container_name: mosaic-openbao
restart: unless-stopped
user: root
ports:
- "127.0.0.1:${OPENBAO_PORT:-8200}:8200"
volumes:
- openbao_data:/openbao/data
- openbao_init:/openbao/init
- ./openbao/config.hcl:/openbao/config/config.hcl:ro
environment:
VAULT_ADDR: http://0.0.0.0:8200
SKIP_SETCAP: "true"
entrypoint: ["/bin/sh", "-c"]
command: ["bao server -config=/openbao/config/config.hcl"]
cap_add:
- IPC_LOCK
healthcheck:
test: ["CMD-SHELL", "nc -z 127.0.0.1 8200 || exit 1"]
interval: 10s
timeout: 5s
retries: 5
start_period: 10s
networks:
- mosaic-network
labels:
com.mosaic.service: "secrets"
com.mosaic.description: "OpenBao secrets management"

openbao-init:
image: quay.io/openbao/openbao:2
container_name: mosaic-openbao-init
restart: unless-stopped
user: root
volumes:
- openbao_init:/openbao/init
- ./openbao/init.sh:/init.sh:ro
environment:
VAULT_ADDR: http://openbao:8200
command: /init.sh
depends_on:
openbao:
condition: service_healthy
networks:
- mosaic-network
labels:
com.mosaic.service: "secrets-init"
com.mosaic.description: "OpenBao auto-initialization sidecar"

volumes:
postgres_data:
name: mosaic-postgres-data
valkey_data:
name: mosaic-valkey-data
openbao_data:
name: mosaic-openbao-data
openbao_init:
name: mosaic-openbao-init

networks:
mosaic-network:

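Review bot: both new services run as `user: root`, and the server additionally gets `cap_add: IPC_LOCK` while the image's own entrypoint is bypassed by `entrypoint: ["/bin/sh", "-c"]`, which leaves `SKIP_SETCAP: "true"` (normally read by that entrypoint) with nothing to act on; the container that holds the unseal key and the Transit keys is the last one that should run as root. Suggest dropping `user: root` from both `openbao` and `openbao-init`, running as the image's unprivileged user and fixing ownership of the `openbao_data` and `openbao_init` volumes instead, or, if root is genuinely needed for the sidecar to write the shared volume, a comment in the compose file saying so. Two related points in the same hunk: the healthcheck `nc -z 127.0.0.1 8200 || exit 1` only proves the listener accepted a TCP connection, not that the server is initialized or unsealed, so `condition: service_healthy` on `openbao-init` fires before the server is usable and the sidecar depends entirely on its own retry loop; probing `/v1/sys/health` instead would make the dependency meaningful. And `VAULT_ADDR: http://0.0.0.0:8200` on the server is a client address pointing at the wildcard; `http://127.0.0.1:8200` is what any `bao` command run inside that container actually connects to. Finally, `restart: unless-stopped` combined with the one-shot `command: /init.sh` means the sidecar is restarted every time the script exits, which is fine only if `init.sh` is idempotent and sleeps after a successful run; worth stating next to the service definition.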