Commit Graph

5 Commits

Author SHA1 Message Date
7073057e8d fix: bump openbao 2.5.0→2.5.1 (CVE-2026-24051 otel/sdk PATH hijack) (#589)
All checks were successful
ci/woodpecker/push/infra Pipeline was successful
Co-authored-by: Jason Woltje <jason@diversecanvas.com>
Co-committed-by: Jason Woltje <jason@diversecanvas.com>
2026-03-01 03:14:49 +00:00
7c7ad59002 Remove extra docker-compose and .env.exmple files.
All checks were successful
ci/woodpecker/push/infra Pipeline was successful
2026-02-16 22:08:02 -06:00
Jason Woltje
dce975bf4e fix(#363): Update OpenBao image to fix CRITICAL CVE-2025-68121 + 4 HIGH CVEs
Pin OpenBao base image from unpinned :2 tag to :2.5.0 (latest stable,
released 2026-02-04) in both the Dockerfile and the dev docker-compose.

CVEs resolved:
- CVE-2025-68121 (CRITICAL): Go stdlib crypto/tls session resumption
- CVE-2024-8185 (HIGH): DoS via Raft join requests
- CVE-2024-9180 (HIGH): Root namespace privilege escalation
- CVE-2025-59043 (HIGH): DoS via malicious JSON
- CVE-2025-64761 (HIGH): Identity group root escalation

All fixed in OpenBao >= 2.4.4; v2.5.0 includes all patches plus new
features (horizontal read scalability, OCI plugin distribution).

Files changed:
- docker/openbao/Dockerfile: FROM tag 2 -> 2.5.0
- docker/docker-compose.yml: openbao + openbao-init image tags 2 -> 2.5.0

The production/swarm compose files use the custom-built
git.mosaicstack.dev/mosaic/stack-openbao image which is built FROM
this Dockerfile, so they inherit the fix on next CI build.

Fixes #363
2026-02-12 12:36:08 -06:00
a61f9262e6 fix(ci): Add missing OpenBao Dockerfile
All checks were successful
ci/woodpecker/push/woodpecker Pipeline was successful
The docker-build-openbao pipeline step was failing because the Dockerfile
was missing from docker/openbao/.

Created a minimal Dockerfile that:
- Uses official quay.io/openbao/openbao:2 as base
- Copies config.hcl and init.sh into the image
- Exposes port 8200
- Preserves the default entrypoint from base image

This allows Kaniko to build the stack-openbao image for Swarm deployment.

Fixes pipeline #325 docker-build-openbao failure.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-08 02:20:02 -06:00
d4d1e59885 feat(#357): Add OpenBao to Docker Compose with turnkey setup
Some checks failed
ci/woodpecker/push/woodpecker Pipeline failed
Implements secure credential storage using OpenBao Transit encryption.

Features:
- Auto-initialization on first run (1-of-1 Shamir key for dev)
- Auto-unseal on container restart with verification and retry logic
- Transit secrets engine with 4 named encryption keys
- AppRole authentication with Transit-only policy
- Localhost-only API binding for security
- Comprehensive integration test suite (22 tests, all passing)

Security:
- API bound to 127.0.0.1 (localhost only, no external access)
- Unseal verification with 3-attempt retry logic
- Sanitized error messages in tests (no secret leakage)
- Volume-based secret reading (doesn't require running container)

Files:
- docker/openbao/config.hcl: Server configuration
- docker/openbao/init.sh: Auto-init/unseal script
- docker/docker-compose.yml: OpenBao and init services
- tests/integration/openbao.test.ts: Full test coverage
- .env.example: OpenBao configuration variables

Closes #357

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-07 15:40:24 -06:00
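The auto-init and auto-unseal flow this commit describes (1-of-1 Shamir key for dev, unseal verified against a fresh status read, three attempts), as an added shell example. It is not the project's docker/openbao/init.sh. The volume path /openbao/secrets, the BAO_CMD, RETRY_DELAY and OPENBAO_INIT_RUN variables, and the sed-based JSON parsing are assumptions of this example; the `bao status`, `bao operator init` and `bao operator unseal` invocations with `-format=json` are the standard OpenBao CLI.

```shell
#!/bin/sh
# Added example, not the project's docker/openbao/init.sh: auto-initialize a
# dev OpenBao with a 1-of-1 Shamir key, then unseal it, verifying the result
# with a fresh status call and retrying a bounded number of times.
# Assumptions (not from the commit): the `bao` CLI is on PATH, the server is
# reachable at BAO_ADDR, and SECRETS_DIR is a volume that persists init output.
set -eu

BAO_ADDR="${BAO_ADDR:-http://127.0.0.1:8200}"
export BAO_ADDR
SECRETS_DIR="${SECRETS_DIR:-/openbao/secrets}"   # assumed volume mount
INIT_JSON="$SECRETS_DIR/init.json"
BAO_CMD="${BAO_CMD:-bao}"                        # swappable for offline tests
MAX_ATTEMPTS="${MAX_ATTEMPTS:-3}"
RETRY_DELAY="${RETRY_DELAY:-1}"

# Read one boolean field from `bao status -format=json` (no jq dependency).
# Prints true/false, or "unknown" if the server is unreachable.
status_field() {
    "$BAO_CMD" status -format=json 2>/dev/null \
        | tr -d ' \n' | sed -n "s/.*\"$1\":\([a-z]*\).*/\1/p" | grep . \
        || echo unknown
}
is_initialized() { [ "$(status_field initialized)" = true ]; }
is_sealed()      { [ "$(status_field sealed)" = true ]; }

# Initialize exactly once. A single share with threshold 1 is acceptable only
# for a dev stack; the output (unseal key and root token) lands in the secrets
# volume with owner-only permissions so it can be read without the container.
init_once() {
    if is_initialized; then
        return 0
    fi
    mkdir -p "$SECRETS_DIR"
    umask 077
    "$BAO_CMD" operator init -key-shares=1 -key-threshold=1 -format=json \
        > "$INIT_JSON"
}

# The only share from the persisted init output.
unseal_key() {
    tr -d ' \n' < "$INIT_JSON" \
        | sed -n 's/.*"unseal_keys_b64":\["\([^"]*\)".*/\1/p'
}

# Submit the key, then trust only a re-read of the seal status, not the
# unseal command's exit code. Gives up after MAX_ATTEMPTS with exit status 1.
unseal_with_retry() {
    key="$(unseal_key)"
    attempt=1
    while [ "$attempt" -le "$MAX_ATTEMPTS" ]; do
        "$BAO_CMD" operator unseal "$key" >/dev/null 2>&1 || true
        if [ "$(status_field sealed)" = false ]; then
            echo "openbao unsealed on attempt $attempt" >&2
            return 0
        fi
        attempt=$((attempt + 1))
        sleep "$RETRY_DELAY"
    done
    echo "openbao still sealed after $MAX_ATTEMPTS attempts" >&2
    return 1
}

main() {
    init_once
    if is_sealed; then
        unseal_with_retry
    fi
}

# Only act on a server when invoked as the init step; sourcing the file just
# defines the functions.
if [ "${OPENBAO_INIT_RUN:-0}" = 1 ]; then
    main "$@"
fi
```

Run it as the init container's command with `OPENBAO_INIT_RUN=1 sh init.sh`. The verification step is the point: the script never assumes an unseal took effect, it re-reads `sealed` from the server and only stops retrying when that read says false. Anything that makes a single share and a root token readable from a volume is dev-only; a production seal would use several shares or an auto-unseal backend, and the root token would be revoked after bootstrap.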