stack/docker-compose.openbao.yml

# ==============================================
# OpenBao Standalone Deployment
# ==============================================
#
# IMPORTANT: This file deploys OpenBao as a STANDALONE container.
# Do NOT include this in docker stack deploy - it will fail due to port binding conflicts.
#
# Usage:
#   docker compose -f docker-compose.openbao.yml up -d
#
# This is required when:
#   - Using Docker Swarm (stateful services don't work well in swarm)
#   - You want OpenBao isolated from the main stack
#
# Alternative: Use external HashiCorp Vault or managed secrets service
# ==============================================

services:
  # ======================
  # OpenBao Secrets Vault
  # ======================
  openbao:
    image: git.mosaicstack.dev/mosaic/stack-openbao:${IMAGE_TAG:-dev}
    container_name: mosaic-openbao
    command: server -config=/openbao/config/config.hcl
    env_file: .env
    environment:
      OPENBAO_ADDR: http://0.0.0.0:8200
    ports:
      - "127.0.0.1:${OPENBAO_PORT:-8200}:8200" # Localhost only for security
    volumes:
      - openbao_data:/openbao/data
      - openbao_logs:/openbao/logs
      - openbao_init:/openbao/init
    cap_add:
      - IPC_LOCK
    healthcheck:
      test:
        - CMD
        - wget
        - --spider
        - --quiet
        - http://localhost:8200/v1/sys/health?standbyok=true
      interval: 10s
      timeout: 5s
      retries: 5
      start_period: 30s
    restart: unless-stopped
    networks:
      - mosaic_internal

  # ======================
  # OpenBao Init Sidecar
  # ======================
  # Auto-initializes and unseals OpenBao on first run
  openbao-init:
    image: git.mosaicstack.dev/mosaic/stack-openbao:${IMAGE_TAG:-dev}
    container_name: mosaic-openbao-init
    env_file: .env
    command: /openbao/init.sh
    environment:
      OPENBAO_ADDR: http://openbao:8200
    volumes:
      - openbao_init:/openbao/init
    depends_on:
      openbao:
        condition: service_healthy
    restart: "no"
    networks:
      - mosaic_internal

# ======================
# Volumes
# ======================
volumes:
  openbao_data:
    name: mosaic-openbao-data
    driver: local
  openbao_logs:
    name: mosaic-openbao-logs
    driver: local
  openbao_init:
    name: mosaic-openbao-init
    driver: local

# ======================
# Networks
# ======================
# Connect to the swarm stack's internal network
networks:
  mosaic_internal:
    external: true
    name: mosaic_internal