feat(#357): Add OpenBao to Docker Compose with turnkey setup

Implements secure credential storage using OpenBao Transit encryption. Features: - Auto-initialization on first run (1-of-1 Shamir key for dev) - Auto-unseal on container restart with verification and retry logic - Transit secrets engine with 4 named encryption keys - AppRole authentication with Transit-only policy - Localhost-only API binding for security - Comprehensive integration test suite (22 tests, all passing) Security: - API bound to 127.0.0.1 (localhost only, no external access) - Unseal verification with 3-attempt retry logic - Sanitized error messages in tests (no secret leakage) - Volume-based secret reading (doesn't require running container) Files: - docker/openbao/config.hcl: Server configuration - docker/openbao/init.sh: Auto-init/unseal script - docker/docker-compose.yml: OpenBao and init services - tests/integration/openbao.test.ts: Full test coverage - .env.example: OpenBao configuration variables Closes #357 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-07 15:40:24 -06:00
parent 9446475ea2
commit d4d1e59885
6 changed files with 1142 additions and 180 deletions
--- a/docker/openbao/config.hcl
+++ b/docker/openbao/config.hcl
@@ -0,0 +1,24 @@
+# OpenBao Server Configuration
+# File storage backend for turnkey deployment
+
+storage "file" {
+  path = "/openbao/data"
+}
+
+# HTTP API listener
+listener "tcp" {
+  address     = "0.0.0.0:8200"
+  tls_disable = 1
+}
+
+# Disable memory locking for Docker compatibility
+disable_mlock = true
+
+# API address for cluster communication
+api_addr = "http://0.0.0.0:8200"
+
+# UI enabled for debugging (disable in production)
+ui = true
+
+# Log level
+log_level = "info"