---
# Namespace that holds every OpenBao resource declared in this file.
apiVersion: v1
kind: Namespace
metadata:
  name: openbao
---
# Flux source for the OpenBao Helm chart index, re-fetched every 24h.
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
  name: openbao
  namespace: openbao
spec:
  interval: 24h
  url: https://openbao.github.io/openbao-helm
---
# Flux release of the OpenBao chart, reconciled every 30m.
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: openbao
  namespace: openbao
spec:
  interval: 30m
  chart:
    spec:
      chart: openbao
      # Exact version pin: a chart upgrade only happens through a change
      # to this file. Quoted so no parser re-types it.
      version: "0.25.6"
      sourceRef:
        kind: HelmRepository
        name: openbao
        namespace: openbao
      interval: 12h
  values:
    global:
      # Keep TLS on in the chart templates, matching tls_disable = 0 in
      # the listener below.
      tlsDisable: false
    server:
      ha:
        enabled: true
        raft:
          enabled: true
          # Server configuration passed to OpenBao as HCL. The listener
          # serves the API on 8200 and cluster traffic on 8201, both with
          # the certificate and key mounted at /tls.
          # The telemetry block is commented out. Enabling it would serve
          # metrics without a token on this listener, which the
          # LoadBalancer Service below also exposes, so restrict who can
          # reach that path before turning it on.
          config: |
            ui = true

            listener "tcp" {
              tls_disable = 0
              address = "[::]:8200"
              cluster_address = "[::]:8201"
              # Enable unauthenticated metrics access (necessary for Prometheus Operator)
              #telemetry {
              #  unauthenticated_metrics_access = "true"
              #}
              # Enable TLS
              tls_cert_file = "/tls/tls.crt"
              tls_key_file = "/tls/tls.key"
            }

            storage "raft" {
              path = "/openbao/data"
            }

            service_registration "kubernetes" {}
        # Single raft member: no peer holds a second copy of the data, so
        # the volume below is the only one and needs its own backup.
        # NOTE(review): placed under server.ha as in the chart's values
        # layout; the nesting was rebuilt from a flattened copy, confirm.
        replicas: 1
      # Turn off the chart-managed data volume; the data volume is
      # declared by hand under volumes / volumeMounts instead.
      dataStorage:
        enabled: false
      volumes:
        # TLS certificate and private key for the listener.
        - name: tls
          secret:
            secretName: openbao-lumpiasty-xyz
        # Raft data directory, backed by an existing claim.
        - name: data
          persistentVolumeClaim:
            claimName: openbao-volume-lvmhdd
      volumeMounts:
        # Read-only, so the server process cannot alter its key material.
        - name: tls
          mountPath: /tls
          readOnly: true
        - name: data
          mountPath: /openbao/data
      service:
        enabled: true
        # LoadBalancer publishes the server outside the cluster. How far
        # it is reachable depends on the load balancer and the network
        # in front of it; limit source addresses there (firewall or
        # network policy) to the clients that need the API and UI.
        type: LoadBalancer
        ipFamilyPolicy: RequireDualStack
    csi:
      enabled: true
    injector:
      # Empty string replaces the chart's default affinity for the
      # injector with none.
      affinity: ""