- Add MOSAIC_TELEMETRY_* variables to .env.example with descriptions
- Pass telemetry env vars to api service in production compose
- Pass telemetry env vars to coordinator service in dev and swarm composes
- Swarm composes default to production URL (https://tel-api.mosaicstack.dev)
- Dev compose includes commented-out telemetry-api service placeholder
- All compose files default MOSAIC_TELEMETRY_ENABLED to false for safety
Refs #374
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The base openbao image's docker-entrypoint.sh injects -dev-root-token-id
and -dev-listen-address flags when it sees 'server' as $1, causing the
server to exit immediately (code 0). Override entrypoint with dumb-init
and call bao directly to avoid the dev-mode flag injection.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The CMD exec form drops everything after & in the healthcheck URL,
causing uninitcode=200 and sealedcode=200 params to be lost. Without
them, OpenBao returns 501 when uninitialized, healthcheck fails, and
Swarm kills the container before the init sidecar can reach it.
Switch to CMD-SHELL with single-quoted URL to preserve query params.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Pin OpenBao base image from unpinned :2 tag to :2.5.0 (latest stable,
released 2026-02-04) in both the Dockerfile and the dev docker-compose.
CVEs resolved:
- CVE-2025-68121 (CRITICAL): Go stdlib crypto/tls session resumption
- CVE-2024-8185 (HIGH): DoS via Raft join requests
- CVE-2024-9180 (HIGH): Root namespace privilege escalation
- CVE-2025-59043 (HIGH): DoS via malicious JSON
- CVE-2025-64761 (HIGH): Identity group root escalation
All fixed in OpenBao >= 2.4.4; v2.5.0 includes all patches plus new
features (horizontal read scalability, OCI plugin distribution).
Files changed:
- docker/openbao/Dockerfile: FROM tag 2 -> 2.5.0
- docker/docker-compose.yml: openbao + openbao-init image tags 2 -> 2.5.0
The production/swarm compose files use the custom-built
git.mosaicstack.dev/mosaic/stack-openbao image which is built FROM
this Dockerfile, so they inherit the fix on next CI build.
Fixes#363
- Enable OpenBao + init sidecar in Swarm compose (was commented out)
- Fix healthcheck to accept uninitialized/sealed vault states
(add ?uninitcode=200&sealedcode=200 to /v1/sys/health)
- Replace nc-based healthcheck with wget in dev compose
- Add ORCHESTRATOR_URL env var to API service in Swarm compose
- Uncomment OpenBao volumes in Swarm compose
The healthcheck was returning HTTP 501 for uninitialized vault,
causing Swarm to restart OpenBao before init sidecar could run.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Implements secure credential storage using OpenBao Transit encryption.
Features:
- Auto-initialization on first run (1-of-1 Shamir key for dev)
- Auto-unseal on container restart with verification and retry logic
- Transit secrets engine with 4 named encryption keys
- AppRole authentication with Transit-only policy
- Localhost-only API binding for security
- Comprehensive integration test suite (22 tests, all passing)
Security:
- API bound to 127.0.0.1 (localhost only, no external access)
- Unseal verification with 3-attempt retry logic
- Sanitized error messages in tests (no secret leakage)
- Volume-based secret reading (doesn't require running container)
Files:
- docker/openbao/config.hcl: Server configuration
- docker/openbao/init.sh: Auto-init/unseal script
- docker/docker-compose.yml: OpenBao and init services
- tests/integration/openbao.test.ts: Full test coverage
- .env.example: OpenBao configuration variables
Closes#357
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
