feat: add OpenBao agent injector component #23
Soypete wants to merge 3 commits into catalystcommunity:main from
Conversation
todpunk
left a comment
Good foundation — the component structure, Helm lifecycle handling (deploy/upgrade/failed cleanup), and dependency wiring all follow existing patterns well. ParseConfig uses GetString() correctly and the HelmClient interface matches what other components do.
A few things to address before merge:
Tests (blocking)
We need tests for every feature per project policy. At minimum: config parsing (defaults, overrides, missing external_vault_addr), install with mock helm client (fresh, upgrade, failed release cleanup), and error paths. Other components have this pattern that can be followed.
CSIL schema missing
types.gen.go has the "Code generated by csilgen; DO NOT EDIT" header but there's no .csil file in csil/v1/components/. Either the schema file was accidentally left out or the generated header is misleading — please add the schema and regenerate since none of these files should be altered by anything post generation.
OpenBao address error silently swallowed
In install.go, if GetPrimaryOpenBAOAddress() fails, the error is dropped and the user later gets a generic "external_vault_addr is required" message with no indication why auto-detection failed. Please surface the underlying error.
Hardcoded http:// and port 8200
fmt.Sprintf("http://%s:8200", addr) will break silently with TLS or non-default ports. Try deriving protocol/port from config rather than hardcoding. The rest of the stack should already have that in config.
Minor
- Config should have a Validate() method called from ParseConfig() to match the pattern used by other components
- Extra blank line after the openbaoInjectorComp registration in registry/init.go
- Adding openbao-injector to the k8sComponents map re-aligned existing entries — just add the new line without changing whitespace on external-dns and velero
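One way to address the two review points above (surface the auto-detection error instead of swallowing it, and derive scheme and port from config rather than hardcoding `http://…:8200`), as an added Go example that is not the PR's or the project's code. `Config`, `AddrSource`, `AddrFunc` and `ResolveOpenBAOAddr` are assumed names, `GetPrimaryOpenBAOAddress` is the method the review mentions, and defaulting to `https` is an assumption.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
)

// Config is a hypothetical stand-in for the component's parsed config.
type Config struct {
	ExternalVaultAddr string // explicit override, wins when set
	Scheme, Port      string // derived from stack config; empty means https / 8200
}

// AddrSource is the one stackConfig method the helper needs; AddrFunc adapts a
// plain function to it so the example and its tests run offline.
type AddrSource interface {
	GetPrimaryOpenBAOAddress() (string, error)
}
type AddrFunc func() (string, error)
func (f AddrFunc) GetPrimaryOpenBAOAddress() (string, error) { return f() }

// ResolveOpenBAOAddr returns the injector's external address: the explicit
// setting wins; otherwise the auto-detected host is joined with the configured
// scheme and port (JoinHostPort brackets IPv6). Detection errors are wrapped.
func ResolveOpenBAOAddr(cfg Config, stack AddrSource) (string, error) {
	if cfg.ExternalVaultAddr != "" {
		return cfg.ExternalVaultAddr, nil
	}
	host, err := stack.GetPrimaryOpenBAOAddress()
	if err != nil {
		return "", fmt.Errorf("external_vault_addr is required: auto-detection failed: %w", err)
	}
	scheme, port := cfg.Scheme, cfg.Port
	if scheme == "" {
		scheme = "https" // assumption: TLS by default instead of the hardcoded http://
	}
	if port == "" {
		port = "8200"
	}
	if scheme != "http" && scheme != "https" {
		return "", fmt.Errorf("unsupported OpenBao scheme %q", scheme)
	}
	u := url.URL{Scheme: scheme, Host: net.JoinHostPort(host, port)}
	return u.String(), nil
}

func main() {
	detect := AddrFunc(func() (string, error) { return "openbao.openbao.svc", nil })
	fmt.Println(ResolveOpenBAOAddr(Config{}, detect)) // https://openbao.openbao.svc:8200 <nil>
}
```

Because the detection failure is wrapped with `%w`, callers and tests can still reach the original cause with `errors.Is`, which is what makes the "why did auto-detection fail" question answerable.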
846971c to 9ae9183
todpunk
left a comment
Some bits haven't been fixed yet:
- Hardcoded http:// and port 8200 - Still present at install.go:264, which we should be deriving from env vars
- k8sComponents whitespace was all adjusted. We only want to add the new line, the indentation of the rest hasn't been addressed
9e85585 to f317dd9
Adds openbao-injector as a new foundry component that installs the OpenBao agent injector via Helm. The injector registers a MutatingWebhookConfiguration so pods annotated with vault.hashicorp.com/agent-inject can receive secrets from OpenBao at runtime without storing them in k8s Secrets. Also adds docs/pod-secrets.md covering how to annotate pods, source injected files in dash-compatible containers, and configure Kubernetes auth in OpenBao.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
f317dd9 to 52ebbf5
- Add configure_k8s_auth boolean and k8s_auth_roles array to CSIL config
- Add K8sClient and OpenBAOClient interfaces to openbaoinjector types
- Add CreateServiceAccount, GetServiceAccountToken, GetClusterCACert, ApplyClusterRoleBinding, GetKubernetesHost methods to k8s/client.go
- Add EnableAuth, WriteAuthConfig, WriteRole methods to openbao/client.go
- Add configureKubernetesAuth function that:
  - Creates vault-reviewer SA in kube-system
  - Creates ClusterRoleBinding with system:auth-delegator role
  - Gets SA token and cluster CA from k8s client
  - Enables kubernetes auth in OpenBao
  - Writes auth config with disable_iss_validation=true
  - Creates roles for configured apps
- Update registry/init.go and install.go to use new signature
Summary
- openbao-injector as a new foundry component (foundry component install openbao-injector)
- (server.enabled=false)
- MutatingWebhookConfiguration so pods with vault.hashicorp.com/agent-inject: "true" annotations automatically receive secrets mounted from OpenBao
- stackConfig.GetPrimaryOpenBAOAddress()
- docs/pod-secrets.md covering pod annotation patterns, dash-compatible entrypoints, Kubernetes auth setup, and troubleshooting

Test plan
- foundry component install openbao-injector succeeds
- kubectl get mutatingwebhookconfigurations | grep openbao shows the webhook
- vault.hashicorp.com/agent-inject: "true" annotation gets a vault-agent-init init container
- /vault/secrets/

🤖 Generated with Claude Code