The docker-build-openbao pipeline step was failing because the Dockerfile
was missing from docker/openbao/.
Created a minimal Dockerfile that:
- Uses official quay.io/openbao/openbao:2 as base
- Copies config.hcl and init.sh into the image
- Exposes port 8200
- Preserves the default entrypoint from base image
This allows Kaniko to build the stack-openbao image for Swarm deployment.
Fixes pipeline #325 docker-build-openbao failure.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Implements secure credential storage using OpenBao Transit encryption.
Features:
- Auto-initialization on first run (1-of-1 Shamir key for dev)
- Auto-unseal on container restart with verification and retry logic
- Transit secrets engine with 4 named encryption keys
- AppRole authentication with Transit-only policy
- Localhost-only API binding for security
- Comprehensive integration test suite (22 tests, all passing)
Security:
- API bound to 127.0.0.1 (localhost only, no external access)
- Unseal verification with 3-attempt retry logic
- Sanitized error messages in tests (no secret leakage)
- Volume-based secret reading (doesn't require running container)
Files:
- docker/openbao/config.hcl: Server configuration
- docker/openbao/init.sh: Auto-init/unseal script
- docker/docker-compose.yml: OpenBao and init services
- tests/integration/openbao.test.ts: Full test coverage
- .env.example: OpenBao configuration variables
Closes#357
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Added explicit package update/upgrade step to patch CVE-2025-58183, CVE-2025-61726, CVE-2025-61728, and CVE-2025-61729 in Go stdlib components from Alpine Linux packages (likely LLVM or transitive dependencies).
The fix ensures all base image packages are up-to-date before pgvector build, capturing any security patches released for Alpine components.
Fixes#181
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
