@Shrinidhi-59 Shrinidhi-59 commented Oct 13, 2025

Description

This PR includes an OpenBao module which is used to store control-plane secrets with the auto-unseal feature.

Module Details

  • It creates a random static secret
  • The secret is then stored in a kubernetes secret
  • Creates PVC for server
  • Deploys openbao using helm release
  • Creates serviceaccount, role and rolebinding for init job
  • Creates init job. The init job checks the server pod, initializes it if not already done, and creates a Kubernetes secret named ${RELEASE_NAME}-init-keys where it stores the root key and recovery keys. It takes care of joining the replica servers to the Raft cluster and auto-unsealing them, if any. Additionally it enables the Kubernetes auth method and also creates read-write and read policies for controlplane-service and release-pod respectively.

Related issues

Task Id: https://app.clickup.com/t/86d0h99tt

Type of change

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • This change requires a documentation update

Checklist

  • I have created feat/bugfix branch out of master branch
  • Code passes linting/formatting checks
  • Changes to resources have been tested in our dev environments
  • I have made corresponding changes to the documentation

Testing

  1. Deployed openbao with 1 server
    Release Link: https://facetsdemo.console.facets.cloud/capc/stack/infra-dev/releases/cluster/62e38a777ae44900010ef721/dialog/release-details/68ec9af3d4c8a2079dffa4da

    Server was auto-unsealed; manually added secrets.

  2. Increased the server replicas to 2
    Release Link: https://facetsdemo.console.facets.cloud/capc/stack/infra-dev/releases/cluster/62e38a777ae44900010ef721/dialog/release-details/68ec9e4ad4c8a2079dffa994

    Server 2 was auto-unsealed and secrets were also synced from server 1.

  3. Deployed with 2 replicas (initial deployment with 2 replicas)
    Release Link: https://facetsdemo.console.facets.cloud/capc/stack/infra-dev/releases/cluster/62e38a777ae44900010ef721/dialog/release-details/68eca348d4c8a2079dffb300

    Servers were auto-unsealed.

Reviewer instructions

Summary by CodeRabbit

  • New Features

    • Added an OpenBao facet and a deployable OpenBao module for Helm-based Kubernetes deployments with automatic initialization/unseal, HA or standalone modes, Raft/File storage options, UI toggle, TLS support, configurable resources, policies/RBAC, and exported deployment outputs (service/UI URLs, health check, secret names, replica count, sensitive credentials).
    • Added facet metadata (display name, description, icon).
  • Documentation

    • Added a comprehensive README with architecture, setup examples, configuration reference, security guidance, operations, troubleshooting, and limitations.
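Added example, not part of this PR and not the module's init Job (which drives the `bao` CLI through `kubectl`): the same idempotent bootstrap the description lists, expressed against the OpenBao HTTP API in Python. The transport is injected, so the flow runs offline against a constructed in-memory fake and can be re-run to show that a second pass initializes and joins nothing twice. The KV path `secret/data/controlplane/*`, the policy names `controlplane-rw` / `release-pod-ro`, the `default` namespace, the token value and the 5/3 recovery-key split are assumptions, not values taken from the module.

```python
"""Idempotent OpenBao bootstrap over the HTTP API (added example, not the module's init Job).
Models the Job's steps with /v1 endpoints instead of kubectl + bao CLI: init the leader once,
hand back root token and recovery keys for the init-keys secret, join followers to Raft,
enable kubernetes auth, write policies and roles. Transport is injected; FakeOpenBao is a constructed double."""
import json
import urllib.request
from typing import Callable, Dict, List, Optional

Transport = Callable[[str, str, Optional[dict], Optional[str]], dict]  # method, url, body, token


def http_transport(method, url, body, token):  # real transport for a live listener (not run offline)
    req = urllib.request.Request(url, data=json.dumps(body).encode() if body is not None else None,
                                 method=method, headers={"Content-Type": "application/json"})
    if token:
        req.add_header("X-Vault-Token", token)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read() or b"{}")


class Bootstrapper:
    def __init__(self, leader: str, transport: Transport, root_token: Optional[str] = None):
        self.leader, self.t, self.root_token = leader.rstrip("/"), transport, root_token

    def initialize_once(self) -> Optional[dict]:
        """Init the leader only if /sys/init says it is not; return material to persist, else None."""
        if self.t("GET", f"{self.leader}/v1/sys/init", None, None).get("initialized"):
            return None
        out = self.t("PUT", f"{self.leader}/v1/sys/init",
                     {"recovery_shares": 5, "recovery_threshold": 3}, None)  # auto-unseal: recovery keys, not unseal keys
        self.root_token = out["root_token"]
        return {"root_token": out["root_token"], "recovery_keys": out["recovery_keys_base64"]}

    def join_followers(self, followers: List[str]) -> List[str]:
        """Join each follower that is not yet initialized; existing members are skipped."""
        joined = []
        for addr in (f.rstrip("/") for f in followers):
            if self.t("GET", f"{addr}/v1/sys/init", None, None).get("initialized"):
                continue  # already a Raft member; the static seal unseals it by itself
            if self.t("POST", f"{addr}/v1/sys/storage/raft/join", {"leader_api_addr": self.leader}, None).get("joined"):
                joined.append(addr)
        return joined

    def configure_kubernetes_auth(self, policies: Dict[str, str], roles: Dict[str, dict]) -> None:
        """Enable the kubernetes auth method once, then (re)write policies and roles."""
        tok = self.root_token
        if not tok:
            raise RuntimeError("root token required: first run, or loaded from the init-keys secret")
        mounts = self.t("GET", f"{self.leader}/v1/sys/auth", None, tok)
        if "kubernetes/" not in mounts.get("data", mounts):
            self.t("POST", f"{self.leader}/v1/sys/auth/kubernetes", {"type": "kubernetes"}, tok)
        self.t("POST", f"{self.leader}/v1/auth/kubernetes/config", {"kubernetes_host": "https://kubernetes.default.svc"}, tok)
        for name, hcl in policies.items():
            self.t("PUT", f"{self.leader}/v1/sys/policies/acl/{name}", {"policy": hcl}, tok)
        for name, spec in roles.items():
            self.t("POST", f"{self.leader}/v1/auth/kubernetes/role/{name}", spec, tok)


class FakeOpenBao:
    """Constructed in-memory cluster (test double, not OpenBao): records what the flow wrote."""
    def __init__(self, nodes):
        self.initialized, self.init_calls = {n: False for n in nodes}, 0
        self.auth_mounts, self.policies, self.roles = {}, {}, {}

    def __call__(self, method, url, body, token):
        node, _, path = url.partition("/v1/")
        if path == "sys/init" and method == "GET":
            return {"initialized": self.initialized[node]}
        if path == "sys/init":
            self.init_calls, self.initialized[node] = self.init_calls + 1, True
            return {"root_token": "s.constructed-root", "recovery_keys_base64": ["a2V5MQ==", "a2V5Mg=="]}
        if path == "sys/storage/raft/join":
            self.initialized[node] = True  # a joined node reports initialized from then on
            return {"joined": True}
        if token != "s.constructed-root":
            raise PermissionError(f"{method} {path}: missing or invalid token")
        if path == "sys/auth":
            return {"data": dict(self.auth_mounts)}
        if path == "sys/auth/kubernetes":
            self.auth_mounts["kubernetes/"] = body
        elif path.startswith("sys/policies/acl/"):
            self.policies[path.rsplit("/", 1)[1]] = body["policy"]
        elif path.startswith("auth/kubernetes/role/"):
            self.roles[path.rsplit("/", 1)[1]] = body
        return {}


KV = "secret/data/controlplane/*"  # assumed KV v2 path; read-write for the service, read-only for the release pod
POLICIES = {"controlplane-rw": f'path "{KV}" {{ capabilities = ["create", "read", "update", "delete", "list"] }}',
            "release-pod-ro": f'path "{KV}" {{ capabilities = ["read", "list"] }}'}
ROLES = {sa: {"bound_service_account_names": [sa], "bound_service_account_namespaces": ["default"],
              "token_policies": [pol]} for sa, pol in [("controlplane-service", "controlplane-rw"),
                                                       ("release-pod", "release-pod-ro")]}


def bootstrap(transport: Transport, leader: str, followers: List[str], root_token: Optional[str] = None) -> dict:
    """One run of the init-job flow; re-running it initializes and joins nothing twice."""
    b = Bootstrapper(leader, transport, root_token)
    material = b.initialize_once()
    joined = b.join_followers(followers)
    b.configure_kubernetes_auth(POLICIES, ROLES)
    return {"initialized_now": material is not None, "material": material, "joined": joined}
```

On a real cluster, `bootstrap(http_transport, "http://openbao-0.openbao-internal:8200", [...], root_token)` would be called from the Job with the token read back from the init-keys secret on every run after the first; the `material` returned on the first run is what the Job writes into that secret and must never be logged.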


coderabbitai bot commented Oct 13, 2025

Walkthrough

Adds OpenBao support: new intent facet, module facet schema, Terraform module (Helm release, PVC, secrets, RBAC, init Job with init/unseal/join logic), variables/outputs, outputs schema, and README documentation.

Changes

| Cohort | File(s) | Summary |
|---|---|---|
| Intent facet | `intents/openbao/facets.yaml` | New intent facet declaring OpenBao metadata: name, type, displayName, description, iconUrl. |
| Module facet schema | `modules/openbao/default/1.0/facets.yaml` | New module facet YAML defining metadata, spec schema (deployment parameters, storage, UI, unseal_secret_name, advanced openbao values), inputs/outputs, validated IaC files, and sample configuration including policy examples. |
| Terraform implementation | `modules/openbao/default/1.0/main.tf` | New Terraform module implementing OpenBao deployment: random_id.unseal_key, kubernetes_secret.unseal_key, PVC module, helm_release.openbao, kubernetes_service_account.openbao_init, kubernetes_role.openbao_init, kubernetes_role_binding.openbao_init, kubernetes_job_v1.openbao_init (leader detection, init/unseal/join, policy & k8s-auth setup), and data.kubernetes_secret_v1.openbao_init_keys; lifecycle and dependency wiring for HA/standalone. |
| Module variables | `modules/openbao/default/1.0/variables.tf` | Added instance_name, complex instance object (metadata/spec with defaults and nested openbao values), environment, and inputs variables plus validation blocks for replicas, storage_type, namespace, and release_name. |
| Module outputs | `modules/openbao/default/1.0/outputs.tf` | Added output_attributes locals and outputs: namespace, release_name, service names/URLs, ui toggle/URL, health_check_url, unseal/init secret names, storage_type, server_replicas, auto_unseal flag, and sensitive root_token/recovery_keys sourced via data secret. |
| Outputs schema | `outputs/openbao/output.facets.yaml` | New outputs facets YAML defining public-facing attributes and types (namespace, release_name, service_url, ui_enabled/ui_url, health_check_url, unseal/init secret names, storage_type, server_replicas, sensitive root_token/recovery_keys, and secrets list). |
| Documentation | `modules/openbao/default/1.0/README.md` | New README describing architecture, Helm deployment with static seal auto-unseal and init Job, configuration reference, usage examples (basic/HA), outputs, security/operational guidance, troubleshooting, and prerequisites. |

Sequence Diagram(s)

```mermaid
sequenceDiagram
  autonumber
  actor User
  participant TF as Terraform
  participant K8s as Kubernetes API
  participant Helm as Helm
  participant InitJob as openbao_init Job
  participant Pods as OpenBao Pods
  participant Secret as K8s Secret

  User->>TF: apply (openbao module)
  TF->>K8s: create Namespace, PVC, Secret (unseal_key), SA, Role, RoleBinding, Job (init)
  TF->>Helm: install/upgrade helm_release (chart values)
  Helm->>K8s: create StatefulSet/Deployments, Services
  K8s-->>TF: resource readiness

  rect rgb(237,247,237)
    note right of InitJob: Initialization & unseal flow
    InitJob->>Pods: detect leader / initialize cluster
    InitJob->>Secret: write root token & recovery keys
    alt HA (raft)
      InitJob->>Pods: join peers to Raft cluster
    end
    InitJob->>Pods: unseal nodes, enable k8s auth, create policies
  end

  TF->>K8s: read data.kubernetes_secret_v1.openbao_init_keys
  TF-->>User: outputs (service URLs, secret refs, sensitive tokens)
```

Suggested reviewers

  • rr0hit
  • anshulsao
  • vishnukv-facets
  • ishaankalra
  • pramodh-ayyappan
  • unni-facets

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)
| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. | You can run @coderabbitai generate docstrings to improve docstring coverage. |
✅ Passed checks (2 passed)
| Check name | Status | Explanation |
|---|---|---|
| Title Check | ✅ Passed | The pull request title "Openbao Module" directly and clearly describes the main change in the changeset, which is the introduction of a comprehensive OpenBao module. The title is concise, specific, and unambiguous; a reader scanning commit history would immediately understand that this PR adds a new OpenBao module with related Terraform configurations and documentation. The title appropriately captures the primary change without requiring excessive detail or annotation. |
| Description Check | ✅ Passed | The pull request description is mostly complete and includes substantive content in all major sections of the template. It provides a clear summary of the OpenBao module's functionality, references a related ClickUp task, marks the type of change as "New feature," includes comprehensive manual testing details with release links and screenshots demonstrating successful single-server and multi-replica deployments, and confirms the branch creation step. However, several checklist items remain unchecked (linting/formatting, dev environment testing, and documentation updates), and the reviewer instructions section is left empty, which could benefit from clarification. |

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 3812a8a and 476638d.

📒 Files selected for processing (1)
  • modules/openbao/default/1.0/main.tf (1 hunks)
🧰 Additional context used
🪛 Checkov (3.2.334)
modules/openbao/default/1.0/main.tf

[medium] 223-234: Ensure Terraform module sources use a commit hash

(CKV_TF_1)


[high] 223-234: Ensure Terraform module sources use a tag with a version number

(CKV_TF_2)



@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 12

🧹 Nitpick comments (4)
modules/openbao/default/1.0/facets.yaml (2)

5-6: Clouds limited to azure.

If this module is Kubernetes-only, consider omitting clouds or listing all supported (aws, gcp, azure) to avoid artificial constraints.


123-130: Sample config alignment with README.

Ensure kind/flavor/version here match README examples to prevent user confusion (README uses different values).

outputs/openbao/output.facets.yaml (1)

45-49: Consider structuring recovery_keys as an array.

If recovery keys are multiple values, model as type: array (strings) instead of a JSON string to improve UX. Keep listing in secrets for sensitivity.

modules/openbao/default/1.0/variables.tf (1)

19-19: Chart version default: consider surfacing validation.

Optionally validate chart_version format (e.g., semver) to catch typos early.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 0aba984 and 6be7b56.

📒 Files selected for processing (7)
  • intents/openbao/facets.yaml (1 hunks)
  • modules/openbao/default/1.0/README.md (1 hunks)
  • modules/openbao/default/1.0/facets.yaml (1 hunks)
  • modules/openbao/default/1.0/main.tf (1 hunks)
  • modules/openbao/default/1.0/outputs.tf (1 hunks)
  • modules/openbao/default/1.0/variables.tf (1 hunks)
  • outputs/openbao/output.facets.yaml (1 hunks)
🧰 Additional context used
🪛 Checkov (3.2.334)
modules/openbao/default/1.0/main.tf

[medium] 222-233: Ensure Terraform module sources use a commit hash

(CKV_TF_1)


[high] 222-233: Ensure Terraform module sources use a tag with a version number

(CKV_TF_2)

🪛 markdownlint-cli2 (0.18.1)
modules/openbao/default/1.0/README.md

19-19: Fenced code blocks should have a language specified

(MD040, fenced-code-language)


109-109: Bare URL used

(MD034, no-bare-urls)

🔇 Additional comments (3)
intents/openbao/facets.yaml (1)

1-5: Looks good; facet metadata is clear and consistent.

No issues spotted.

modules/openbao/default/1.0/main.tf (1)

557-559: Verify BAO service and pod naming assumptions

Assumes:

  • Service ${release_name}-openbao
  • Headless service ${release_name}-internal
  • Pod names ${release_name}-0, ${release_name}-1, …

Confirm these match the OpenBao Helm chart or live cluster (e.g. via helm template or kubectl get svc,sts,pods -n <namespace>). If they differ, update BAO_ADDR and the raft join URL accordingly.

modules/openbao/default/1.0/outputs.tf (1)

5-9: Verify OpenBao service naming
The Terraform outputs assume the Kubernetes Service is named ${lookup(local.spec, "release_name", "openbao")}-openbao. Confirm the deployed Helm chart actually creates a Service with that exact suffix or make the suffix configurable.

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

♻️ Duplicate comments (2)
modules/openbao/default/1.0/main.tf (2)

275-279: RBAC verb mix blocks kubectl wait.

The init job runs kubectl wait, which requires watch on pods. The current rule lacks watch and instead grants create on pods (not needed). Result: the job hits a forbidden error and never completes. Replace the verbs with ["get", "list", "watch"] for pods, and keep create only on the pods/exec subresource if required. Example:

   rule {
     api_groups = [""]
-    resources  = ["pods", "pods/exec"]
-    verbs      = ["get", "list", "create"]
+    resources  = ["pods"]
+    verbs      = ["get", "list", "watch"]
+  }
+
+  rule {
+    api_groups = [""]
+    resources  = ["pods/exec"]
+    verbs      = ["create"]
   }
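Review bot: the second rule in this suggestion still grants `create` on `pods/exec` for every pod in the namespace, so the init job's service account can exec into any pod there, not only the OpenBao servers. Because the server pod names are fixed (`${release_name}-0`, `${release_name}-1`, ...), that rule can carry a `resource_names` list naming exactly those pods; the `get`/`list`/`watch` rule that `kubectl wait` needs has to stay unrestricted, since RBAC does not apply resourceNames to `list` and `watch`.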

This grants the minimum set the script needs and lets kubectl wait succeed.


354-558: Init job container lacks bash/jq; script fails immediately.

Image alpine/k8s:1.28.3 doesn’t ship /bin/bash or jq. The job invokes both, so it errors before doing any initialization. Switch to /bin/sh and install jq (or choose an image that already has them). For example:

-          image = "alpine/k8s:1.28.3"
-          command = ["/bin/bash", "-c"]
+          image = "alpine/k8s:1.28.3"
+          command = ["/bin/sh", "-c"]
           args = [<<-EOF
-            set -e
+            set -e
+            apk add --no-cache jq >/dev/null 2>&1 || true
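Review bot: `apk add --no-cache jq ... || true` swallows the install failure, so in a pod without egress to the Alpine package mirror the script carries on under `set -e` and only dies later at the first `jq` call, with a less obvious error; it also downloads an unpinned package on every job run. Either drop the `|| true` so the job fails at the install step with the real cause, or, preferably, build or pick an image that already ships `jq` (and `bash`, if the `/bin/sh` switch is not wanted) so the job does no runtime package install at all.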

Alternatively use a distro with bash+jq preinstalled. Without this fix, the init workflow never runs.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 6be7b56 and ccacc8b.

📒 Files selected for processing (2)
  • modules/openbao/default/1.0/facets.yaml (1 hunks)
  • modules/openbao/default/1.0/main.tf (1 hunks)
🚧 Files skipped from review as they are similar to previous changes (1)
  • modules/openbao/default/1.0/facets.yaml
🧰 Additional context used
🪛 Checkov (3.2.334)
modules/openbao/default/1.0/main.tf

[medium] 222-233: Ensure Terraform module sources use a commit hash

(CKV_TF_1)


[high] 222-233: Ensure Terraform module sources use a tag with a version number

(CKV_TF_2)

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 8e8afb2 and 3812a8a.

📒 Files selected for processing (2)
  • modules/openbao/default/1.0/README.md (1 hunks)
  • modules/openbao/default/1.0/facets.yaml (1 hunks)
🧰 Additional context used
🪛 markdownlint-cli2 (0.18.1)
modules/openbao/default/1.0/README.md

19-19: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

🔇 Additional comments (4)
modules/openbao/default/1.0/facets.yaml (2)

168-171: Outputs facet type appears correctly aligned.

The outputs section now references type: '@outputs/openbao', which aligns with the expected outputs facet name. This appears to address the previous review concern about the facet type/name mismatch. Assuming the outputs facet at outputs/openbao/output.facets.yaml declares name: openbao, this should resolve correctly.


18-157: Schema spec and samples are well-structured.

The spec section comprehensively defines all configuration options with appropriate types, defaults, and constraints. The sample policies demonstrate realistic usage patterns with proper HCL formatting and escape handling. The defaults (chart 0.18.4, 1 replica, raft storage, 10Gi) appear reasonable for both standalone and HA deployments.

Also applies to: 177-204

modules/openbao/default/1.0/README.md (2)

73-204: Documentation accurately reflects module design and is well-organized.

The usage examples, configuration reference tables, and output descriptions align properly with the facets.yaml schema. Parameters (namespace, release_name, storage_type, server_replicas, server_resources, openbao.policies, openbao.values) are correctly documented with defaults matching the schema. The three example scenarios (standalone, HA, custom policies) progressively build complexity and demonstrate the module's range. Outputs section lists expected sensitive and non-sensitive values, and the policy configuration explanation correctly describes the service-account/role/policy binding pattern.


206-347: Security and operations guidance is production-ready and thorough.

The Security Considerations section appropriately emphasizes backup of the unseal key, token rotation, RBAC scoping, and network-level controls. The Operations section provides practical kubectl commands for common tasks (accessing, authenticating, scaling, backup, recovery). Prerequisites are clear, limitations are realistic, and troubleshooting scenarios address real failure modes (pod readiness, RBAC, network connectivity, Raft joining). The advanced configuration section offers flexibility for custom Helm values and explains storage backend trade-offs.

Comment on lines +19 to +44
```
┌─────────────────┐    ┌─────────────────┐    ┌─────────────────┐
│   Random Key    │───▶│   K8s Secret    │───▶│  Helm Release   │
│   Generation    │    │  (Unseal Key)   │    │ (OpenBao Pods)  │
└─────────────────┘    └─────────────────┘    └─────────────────┘
┌─────────────────────────────────────────┐
│           Kubernetes Init Job           │
│  1. Initialize leader (openbao-0)       │
│  2. Store root token & recovery keys    │
│  3. Join Raft nodes (HA mode)           │
│  4. Configure Kubernetes auth           │
│  5. Enable KV v2 secrets engine         │
│  6. Create custom policies & roles      │
└─────────────────────────────────────────┘
┌─────────────────────────────────────────┐
│      Auto-Unsealed OpenBao Cluster      │
│  - Static seal with env var key         │
│  - Pods auto-unseal on restart          │
│  - Raft HA (if replicas > 1)            │
│  - Ready for secret management          │
└─────────────────────────────────────────┘
```
⚠️ Potential issue | 🟡 Minor

Add language specifier to ASCII diagram fence.

Per markdownlint (MD040), fenced code blocks must have a language specifier. The ASCII diagram block should use ```text instead of just ```.

Apply this diff to fix the markdown lint violation:

-```
+```text
 ┌─────────────────┐    ┌─────────────────┐    ┌─────────────────┐
🧰 Tools
🪛 markdownlint-cli2 (0.18.1)

19-19: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

🤖 Prompt for AI Agents
In modules/openbao/default/1.0/README.md around lines 19 to 44, the ASCII
diagram fenced block is missing a language specifier which violates markdownlint
MD040; update the opening fence from ``` to ```text (and ensure the closing
fence remains ```), so the block becomes a fenced code block with the "text"
language specifier to satisfy the linter.
