Option to use openbao

Alain Thioliererequested to merge
ath/openbao into main

What does this MR do and why?

Add the possibility to deploy openbao as an opt-in option, instead of Hashicorp vault. The default remains Hashicorp vault. The organization with the variant value and the creation of chained kustomizations is meant to ease the definition of other configurations, like the integration with a KMS.

Openbao is deployed with the existing vault-operator, thanks to a Kyverno policy which sets the "vault-active" label according to the "openbao-active" label set on the vault pods : at the moment, bank-vaults operator doesn't support the customization of the pod selector configured on the vault service, and openbao doesn't support the customization of the labels that it sets on the vault server pods. An issue exists on bank-vaults side to add this customization : https://github.com/bank-vaults/vault-operator/issues/746. This kyverno policy can be removed when this configuration becomes possible.

It works well with openbao 2.3.1.

At the moment, only fresh install has been tested, not the migration from Hashicorp Vault to Openbao.

Closes #1237 (closed)

Related reference(s)

Test coverage

  • Full deployment of a management cluster, which requires a working vault/openbao.
  • Checking that the openbao GUI work correctly and it integrated with Keycloak in the same way as Hashicorp Vault.
  • Deleting the active openbao pod, to check that the openbao-active: true is moved to another pod, and that the kyverno policy sets vault-active: true on the new active pod. Then the Vault service remains reachable.

CI configuration

CI pipelines perform an update for both management and workload clusters, this update will NOT perform a ClusterAPI rolling update (deletion and creation of new K8s nodes) by default.

For some cases, it may be relevant to perform more complex tests.

Theses features can be activated in an MR by adding one of these labels to the MR and will apply to the next pipelines.

  • adding the label ci-featuretest-rolling-update pipelines will perform a node rolling update in the -update jobs (without version upgrades)
  • adding the label ci-featuretest-upgrade-from-1.1.1 pipelines will perform an upgrade from Sylva 1.1.1 to your dev branch (including a k8s version upgrade resulting in a node rolling update)

Below you can choose test deployment variants to run in this MR's CI.

Click to open to CI configuration

Legend:

Icon Meaning Available values
☁️ Infra Provider capd, capo, capm3
🚀 Bootstrap Provider kubeadm (alias kadm), rke2, okd, ck8s
🐧 Node OS ubuntu, suse, na, leapmicro
🛠️ Deployment Options light-deploy, dev-sources, ha, misc, maxsurge-0, logging, no-logging
🎬 Pipeline Scenarios Available scenario list and description
  • 🎬 preview ☁️ capd 🚀 kadm 🐧 ubuntu
  • 🎬 preview ☁️ capo 🚀 rke2 🐧 suse
  • 🎬 preview ☁️ capm3 🚀 rke2 🐧 ubuntu
  • ☁️ capd 🚀 kadm 🛠️ light-deploy 🐧 ubuntu
  • ☁️ capd 🚀 rke2 🛠️ light-deploy 🐧 suse
  • ☁️ capo 🚀 rke2 🐧 suse
  • ☁️ capo 🚀 rke2 🐧 leapmicro
  • ☁️ capo 🚀 kadm 🐧 ubuntu
  • ☁️ capo 🚀 rke2 🎬 rolling-update 🛠️ ha 🐧 ubuntu
  • ☁️ capo 🚀 kadm 🎬 wkld-k8s-upgrade 🐧 ubuntu
  • ☁️ capo 🚀 rke2 🎬 rolling-update-no-wkld 🛠️ ha 🐧 suse
  • ☁️ capo 🚀 rke2 🎬 sylva-upgrade-from-1.4.x 🛠️ ha 🐧 ubuntu
  • ☁️ capo 🚀 rke2 🎬 sylva-upgrade-from-1.4.x 🛠️ ha,misc 🐧 ubuntu
  • ☁️ capo 🚀 rke2 🛠️ ha,misc 🐧 ubuntu
  • ☁️ capo 🚀 rke2 🛠️ openbao 🐧 suse
  • ☁️ capo 🚀 rke2 🎬 sylva-upgrade-from-1.4.x 🛠️ openbao 🐧 ubuntu
  • ☁️ capm3 🚀 rke2 🐧 suse
  • ☁️ capm3 🚀 kadm 🐧 ubuntu
  • ☁️ capm3 🚀 ck8s 🐧 ubuntu
  • ☁️ capm3 🚀 kadm 🎬 rolling-update-no-wkld 🛠️ ha,misc 🐧 ubuntu
  • ☁️ capm3 🚀 rke2 🎬 wkld-k8s-upgrade 🛠️ ha 🐧 suse
  • ☁️ capm3 🚀 kadm 🎬 rolling-update 🛠️ ha 🐧 ubuntu
  • ☁️ capm3 🚀 rke2 🎬 sylva-upgrade-from-1.4.x 🛠️ ha 🐧 suse
  • ☁️ capm3 🚀 rke2 🛠️ misc,ha 🐧 suse
  • ☁️ capm3 🚀 rke2 🎬 sylva-upgrade-from-1.4.x 🛠️ ha,misc 🐧 suse
  • ☁️ capm3 🚀 kadm 🎬 rolling-update 🛠️ ha 🐧 suse
  • ☁️ capm3 🚀 ck8s 🎬 rolling-update 🛠️ ha 🐧 ubuntu
  • ☁️ capm3 🚀 rke2|okd 🎬 no-update 🐧 ubuntu|na

Global config for deployment pipelines

  • autorun pipelines

  • allow failure on pipelines

  • record sylvactl events

Notes:

  • Enabling autorun will make deployment pipelines to be run automatically without human interaction
  • Disabling allow failure will make deployment pipelines mandatory for pipeline success.
  • if both autorun and allow failure are disabled, deployment pipelines will need manual triggering but will be blocking the pipeline

Be aware: after configuration change, pipeline is not triggered automatically. Please run it manually (by clicking the run pipeline button in Pipelines tab) or push new code.

Edited by Alain Thioliere

Merge request reports