Add openbao proxy
Related to: gitlab#494888
What does this merge request do and why?
We have to start OpenBao behind the proxy by default - sample proxy configuration - gitlab!162431 (merged)
How to set up and validate locally
You can configure OpenBao to run locally in GDK.
To configure:
- Set the BAO_ADDR variable in your environment: export BAO_ADDR='http://gdk.test:8200'
- Run gdk config set openbao.enabled true.
- Run gdk config set openbao_proxy.enabled true.
- Run gdk reconfigure.
- Run rake openbao/config.hcl to create a configuration file.
- Run openbao/proxy_config.hcl to create a proxy configuration file.
- Run gdk start openbao.
- Run gdk bao configure to unseal the vault:
  => "✅ OpenBao has been unsealed successfully"
  => "The root token is: s.xxxxxxxxxxxxxxx"
- Set the BAO_TOKEN variable in your environment to use the bao CLI. Run export BAO_TOKEN=s.xxxxxxxx
- Run bao auth enable approle
- Run bao write auth/approle/role/project_secret_engines_manager token_policies=manage_projects_secret_engines
- Run bao read -field=role_id auth/approle/role/project_secret_engines_manager/role-id > openbao/roleid
- Run bao write -field=wrapping_token -f -wrap-ttl=1h auth/approle/role/project_secret_engines_manager/secret-id > openbao/secretid
- Run OpenBaoProxy with gdk start openbao-proxy
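A preflight check for the two AppRole files written by the steps above, to run before gdk start openbao-proxy. This is an added example, not code from this merge request or from GDK. The file names and the 1h wrap TTL come from the steps; the function names and the owner-only permission policy are assumptions.

```shell
#!/bin/sh
# Added example (not GDK code). Function names and the owner-only
# permission policy are assumptions; paths and the 1h TTL are from the steps.

# check_cred_file PATH: regular, non-empty, single value, owner-only.
check_cred_file() {
  f=$1
  [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
  # A failed `bao ... > file` still creates the file, but leaves it empty.
  [ -s "$f" ] || { echo "empty (did the bao command fail?): $f" >&2; return 1; }
  # Without -field, bao prints a multi-line table instead of one value.
  [ "$(wc -l < "$f" | tr -d ' ')" -le 1 ] || {
    echo "expected a single value: $f" >&2; return 1; }
  # ls -ld mode string: characters 5-10 are the group/other bits.
  case $(ls -ld "$f") in
    ????------*) ;;
    *) echo "group/other can access $f (chmod 600)" >&2; return 1 ;;
  esac
}

# check_wrapped_secret PATH: same checks, plus age against -wrap-ttl=1h.
check_wrapped_secret() {
  check_cred_file "$1" || return 1
  # find prints the path only if it was modified more than 60 minutes ago.
  if [ -n "$(find "$1" -mmin +60)" ]; then
    echo "older than the 1h wrap TTL, regenerate: $1" >&2
    return 1
  fi
}

# preflight [DIR]: check DIR/roleid and DIR/secretid (DIR defaults to openbao).
preflight() {
  dir=${1:-openbao}
  check_cred_file "$dir/roleid" && check_wrapped_secret "$dir/secretid"
}

# Usage from the GDK root: preflight openbao && gdk start openbao-proxy
```

With a default umask the redirects in the steps usually produce files readable by group and others, so the permission check is expected to fail until the files are chmod 600.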
Impacted categories
The following categories relate to this merge request:
- gdk-reliability - e.g. When a GDK action fails to complete.
- gdk-usability - e.g. Improvements or suggestions around how the GDK functions.
- gdk-performance - e.g. When a GDK action is slow or times out.
Merge request checklist
- This change is backward compatible. If not, please include steps to communicate to our users.
- Tests added for new functionality. If not, please raise an issue to follow-up.
- Documentation added/updated, if needed.
- Announcement added, if change is notable.
- gdk doctor test added, if needed.
- Add the ~highlight label if this MR should be included in the CHANGELOG.md.
Edited by Dmytro Biryukov