From 0b42a219eb487903b53184ae5b9b0392de2e8fce Mon Sep 17 00:00:00 2001
From: Lumpiasty
Date: Sun, 16 Feb 2025 02:45:09 +0100
Subject: [PATCH] Use signed tls cert in openbao container
---
 infra/controllers/openbao.yaml | 31 +++++++++++++++++++++++++++++++
 1 file changed, 31 insertions(+)
diff --git a/infra/controllers/openbao.yaml b/infra/controllers/openbao.yaml
index 8161387..5e359bc 100644
--- a/infra/controllers/openbao.yaml
+++ b/infra/controllers/openbao.yaml
@@ -35,7 +35,38 @@ spec:
 enabled: true
 raft:
 enabled: true
+ config: |
+ ui = true
+
+ listener "tcp" {
+ tls_disable = 0
+ address = "[::]:8200"
+ cluster_address = "[::]:8201"
+ # Enable unauthenticated metrics access (necessary for Prometheus Operator)
+ #telemetry {
+ # unauthenticated_metrics_access = "true"
+ #}
+
+ # Enable TLS
+ tls_cert_file = "/tls/tls.crt"
+ tls_key_file = "/tls/tls.key"
+ }
+
+ storage "raft" {
+ path = "/openbao/data"
+ }
+
+ service_registration "kubernetes" {}
 replicas: 1
+ # Mount TLS cert to container
+ volumes:
+ - name: tls
+ secret:
+ secretName: openbao-lumpiasty-xyz
+ volumeMounts:
+ - name: tls
+ mountPath: /tls
+ readOnly: true
 service:
 enabled: true
 type: LoadBalancer
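Review bot: Nothing visible in this hunk switches the chart's probes and in-pod client address to HTTPS, although the added `listener "tcp"` block now serves TLS only on `[::]:8200`. In the upstream Helm chart this values layout appears to follow, the probe scheme and the in-pod API address are derived from `global.tlsDisabled`, which defaults to `true`; if it is not set elsewhere in the file, the readiness probe would speak plain HTTP to a TLS port and the pod would not become ready. Consider adding `global:` with `tlsDisabled: false` to the same values mapping. Separately, the `tls` secret volume uses the default file mode, which leaves `tls.key` readable by any user in the container; `defaultMode: 0440` under `secret:` would narrow that, provided the pod's fsGroup still grants the server read access. The values mapping starts before and continues past this hunk, so both points need checking against the full file.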