The base openbao image's docker-entrypoint.sh injects -dev-root-token-id and -dev-listen-address flags when it sees 'server' as $1, causing the server to exit immediately (code 0). Override entrypoint with dumb-init and call bao directly to avoid the dev-mode flag injection. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
# ==============================================
# OpenBao Standalone Deployment - Portainer Version
# ==============================================
#
# This file is optimized for Portainer deployment:
# - No env_file directive (define variables in Portainer's environment editor)
# - Port exposed on all interfaces (Portainer limitation)
# - All environment variables explicitly defined
#
# Usage in Portainer:
# 1. Stacks -> Add Stack
# 2. Name: mosaic-openbao
# 3. Paste this file content
# 4. Add environment variables in the "Environment variables" section:
#    - IMAGE_TAG=dev
#    - OPENBAO_PORT=8200
# 5. Deploy
#
# SECURITY NOTE: The published port (OPENBAO_PORT, default 8200) is exposed on
# 0.0.0.0 (all host interfaces). Use firewall rules to restrict access if needed.
# ==============================================
services:
  # ======================
  # OpenBao Secrets Vault
  # ======================
  # Long-running server container. Started from the config file mounted at
  # /openbao/config/config.hcl inside the image (the file itself is not part
  # of this stack definition).
  openbao:
    container_name: mosaic-openbao
    # Defaults to the mutable `dev` tag. For a secrets store, prefer setting
    # IMAGE_TAG to an immutable release tag (or pinning by digest) so that a
    # re-pull cannot silently swap the server binary.
    image: "git.mosaicstack.dev/mosaic/stack-openbao:${IMAGE_TAG:-dev}"
    restart: unless-stopped
    # Bypass the base image's docker-entrypoint.sh: when its first argument is
    # `server` it adds dev-mode flags (-dev-root-token-id, -dev-listen-address).
    # bao is therefore launched directly under dumb-init.
    # NOTE(review): skipping the stock entrypoint also skips anything else it
    # does (for example a privilege drop to a service user) - confirm which
    # user the server process runs as with this override.
    entrypoint:
      - dumb-init
      - "--"
    command:
      - bao
      - server
      - "-config=/openbao/config/config.hcl"
    environment:
      # NOTE(review): this address and the healthcheck below both use http://,
      # which suggests the listener in config.hcl has TLS disabled. Together
      # with the all-interfaces port publish, tokens and secrets would travel
      # in cleartext unless TLS is terminated in front of this port - confirm.
      OPENBAO_ADDR: "http://0.0.0.0:8200"
    ports:
      # No host IP is given, so the port is published on every host interface.
      # Docker programs its own iptables rules for published ports; a host
      # firewall that only filters the INPUT chain (a default ufw setup, for
      # example) does not cover it. Filter in the DOCKER-USER chain or on an
      # upstream firewall.
      - "${OPENBAO_PORT:-8200}:8200"
    volumes:
      - openbao_data:/openbao/data
      - openbao_logs:/openbao/logs
      # Also mounted by the openbao-init sidecar below.
      - openbao_init:/openbao/init
    cap_add:
      # Lets the server lock memory (mlock) so that secret material is not
      # written to swap.
      - IPC_LOCK
    healthcheck:
      interval: 10s
      timeout: 5s
      retries: 5
      start_period: 30s
      # standbyok / uninitcode=200 / sealedcode=200 make /v1/sys/health answer
      # 200 for standby, uninitialized and sealed nodes alike. "healthy" here
      # means only "the HTTP API responds"; it says nothing about the seal
      # state, so alert on sealed/uninitialized status separately.
      test:
        - CMD-SHELL
        - "wget --spider --quiet 'http://localhost:8200/v1/sys/health?standbyok=true&uninitcode=200&sealedcode=200'"
    networks:
      - mosaic_internal

  # ======================
  # OpenBao Init Sidecar
  # ======================
  # Auto-initializes and unseals OpenBao on first run.
  # One-shot helper: same image as the server, runs /openbao/init.sh and is
  # not restarted afterwards. No entrypoint override here, so the image's
  # default entrypoint still wraps the script.
  openbao-init:
    container_name: mosaic-openbao-init
    image: "git.mosaicstack.dev/mosaic/stack-openbao:${IMAGE_TAG:-dev}"
    # Quoted on purpose: a bare `no` can be read as a YAML boolean.
    restart: "no"
    command: /openbao/init.sh
    environment:
      OPENBAO_ADDR: "http://openbao:8200"
    # Short form: orders container start only, it does not wait for the
    # server's healthcheck to pass.
    depends_on:
      - openbao
    volumes:
      # NOTE(review): init.sh is not shown; an auto-unseal script presumably
      # keeps unseal keys and/or the initial root token in this volume, which
      # the server container mounts too. If so, anyone who can read the
      # volume on the Docker host can unseal the vault - treat it as key
      # material and consider moving the keys off-host after first init.
      - openbao_init:/openbao/init
    networks:
      - mosaic_internal
# ======================
# Volumes
# ======================
# Named volumes on the local driver. Each one carries an explicit `name`, so
# the volume name is exactly that string rather than a stack-prefixed one.
volumes:
  # Mounted at /openbao/data in the server container.
  openbao_data:
    driver: local
    name: mosaic-openbao-data

  # Mounted at /openbao/logs in the server container.
  openbao_logs:
    driver: local
    name: mosaic-openbao-logs

  # Shared between the server and the init sidecar at /openbao/init.
  # NOTE(review): presumably holds the output of init.sh (unseal keys / root
  # token) - verify, and restrict host access and backups accordingly.
  openbao_init:
    driver: local
    name: mosaic-openbao-init
# ======================
# Networks
# ======================
# Connect to the swarm stack's internal network.
# `external: true` means this stack never creates the network; it must exist
# before deployment. If mosaic_internal is a swarm overlay network, standalone
# containers such as these can only join it when it was created as attachable.
networks:
  mosaic_internal:
    name: mosaic_internal
    external: true