fix(openbao): improve install command#430
Open
Jcing95 wants to merge 7 commits into
Open
Conversation
Jcing95
changed the title
Contributor
There was a problem hiding this comment.
Pull request overview
This PR enhances the oms install openbao workflow to support deploying OpenBao into a configurable Kubernetes namespace while avoiding Helm ownership conflicts when the (cluster-scoped) Bank-Vaults Operator is already installed elsewhere. It also adjusts the install flow to create the target namespace explicitly, improves DR-restore handling of unseal keys, and introduces an interactive confirmation for destructive fresh initialization.
Changes:
- Add
--namespace/-n,--age-key-file/-k, and--yes/-yflags to the CLI and document them. - Update the OpenBao installer to be namespace-aware, skip operator redeploy when already present cluster-wide, ensure namespace creation before applying the Vault CR, and refine initialization/cleanup logic.
- Enable
preFlightChecks: truein the Vault CR manifest and update installer tests accordingly.
Reviewed changes
Copilot reviewed 7 out of 7 changed files in this pull request and generated 5 comments.
Show a summary per file
| File | Description |
|---|---|
NOTICE |
Fix jsonpatch/v2 license URL. |
internal/tmpl/NOTICE |
Keep NOTICE template in sync with corrected license URL. |
internal/installer/openbao.go |
Namespace-aware install flow, operator redeploy avoidance, DR restore secret handling, new pod readiness wait, expanded cleanup. |
internal/installer/openbao_test.go |
Update/add tests for new operator deployment behavior and manifest expectations. |
internal/installer/manifests/openbao/vault-cr.yaml |
Enable bank-vaults unseal preFlightChecks. |
docs/oms_install_openbao.md |
Document new CLI flags (--namespace, --age-key-file, --yes). |
cli/cmd/install_openbao.go |
Wire new flags, set SOPS key file env var, add destructive-operation confirmation prompt. |
Comments suppressed due to low confidence (1)
internal/installer/openbao.go:618
hasExistingDeploymentlists PVCs in the target namespace. If the namespace doesn't exist yet (common for a new--namespace), the List call can return a NotFound error and currently bubbles up, aborting the install during the confirmation check. It should treat a NotFound namespace as “no existing deployment” and return (false, nil).
// Vault CR gone but PVCs may linger (e.g. CR was manually deleted).
pvcList, err := o.Clientset.CoreV1().PersistentVolumeClaims(o.Config.Namespace).List(
o.ctx, metav1.ListOptions{LabelSelector: "vault_cr=openbao"},
)
if err != nil {
return false, fmt.Errorf("listing PVCs: %w", err)
}
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Jcing95
force-pushed
the
openbao/improve-idempotency
branch
2 times, most recently
from
3614c52 to
8ac7141
Compare
Signed-off-by: Jcing95 <23337729+Jcing95@users.noreply.github.com>
Jcing95
force-pushed
the
openbao/improve-idempotency
branch
from
42eba86 to
6044373
Compare
| } | ||
|
|
||
| // NewOpenBaoInstaller constructs an OpenBaoInstaller with real Kubernetes and Helm clients. | ||
| func NewOpenBaoInstaller(cfg OpenBaoInstallerConfig) (*OpenBaoInstaller, error) { |
Comment on lines
+590
to
+594
| for i := range pvcList.Items { | ||
| delErr = o.Clientset.CoreV1().PersistentVolumeClaims(o.Config.Namespace).Delete( | ||
| o.ctx, pvcList.Items[i].Name, metav1.DeleteOptions{}, | ||
| ) | ||
| if delErr != nil && !k8serrors.IsNotFound(delErr) { |
| openbao.cmd.Flags().StringVar(&openbao.Opts.StorageSize, "storage-size", "10Gi", "PVC storage size for each OpenBao replica") | ||
| openbao.cmd.Flags().DurationVar(&openbao.Opts.Timeout, "timeout", 5*time.Minute, "Timeout for waiting on initialization") | ||
| openbao.cmd.Flags().StringVarP(&openbao.Opts.AgeKeyFile, "age-key-file", "k", "", "Path to age private key file for SOPS encryption/decryption (auto-detected if not set)") | ||
| openbao.cmd.Flags().BoolVarP(&openbao.Opts.Yes, "yes", "y", false, "Auto-approve fresh initialization when no DR backup is found") |
| --secrets-engine string Name of the KV-v2 secrets engine to provision (default "cs-secrets-engine") | ||
| --storage-size string PVC storage size for each OpenBao replica (default "10Gi") | ||
| --timeout duration Timeout for waiting on initialization (default 5m0s) | ||
| -y, --yes Auto-approve fresh initialization when no DR backup is found |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
--namespace/-nflag tooms install openbaoto allow deploying OpenBao to a custom Kubernetes namespace (defaults tovaultfor backward compatibility)os.Setenvreturn value flagged by the linter