Jason Woltje
d4d1e59885
Some checks failed
ci/woodpecker/push/woodpecker Pipeline failed
Implements secure credential storage using OpenBao Transit encryption. Features: - Auto-initialization on first run (1-of-1 Shamir key for dev) - Auto-unseal on container restart with verification and retry logic - Transit secrets engine with 4 named encryption keys - AppRole authentication with Transit-only policy - Localhost-only API binding for security - Comprehensive integration test suite (22 tests, all passing) Security: - API bound to 127.0.0.1 (localhost only, no external access) - Unseal verification with 3-attempt retry logic - Sanitized error messages in tests (no secret leakage) - Volume-based secret reading (doesn't require running container) Files: - docker/openbao/config.hcl: Server configuration - docker/openbao/init.sh: Auto-init/unseal script - docker/docker-compose.yml: OpenBao and init services - tests/integration/openbao.test.ts: Full test coverage - .env.example: OpenBao configuration variables Closes #357 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
25 lines
451 B
HCL
25 lines
451 B
HCL
# OpenBao Server Configuration
|
|
# File storage backend for turnkey deployment
|
|
|
|
storage "file" {
|
|
path = "/openbao/data"
|
|
}
|
|
|
|
# HTTP API listener
|
|
listener "tcp" {
|
|
address = "0.0.0.0:8200"
|
|
tls_disable = 1
|
|
}
|
|
|
|
# Disable memory locking for Docker compatibility
|
|
disable_mlock = true
|
|
|
|
# API address for cluster communication
|
|
api_addr = "http://0.0.0.0:8200"
|
|
|
|
# UI enabled for debugging (disable in production)
|
|
ui = true
|
|
|
|
# Log level
|
|
log_level = "info"
|