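# OpenBao single-instance deployment: PVC + server config + Deployment + Service.
#
# Fix applied in this revision: the server's file storage path now points at
# /openbao/file, which is where the PersistentVolumeClaim is mounted. The
# previous value (/openbao/data) was not backed by any volume, so the secret
# store lived in the container's writable layer and did not survive a pod
# restart.
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: openbao-data
  namespace: openbao
spec:
  # NOTE(review): the "file" storage backend is single-writer (no HA).
  # ReadWriteMany lets several pods mount this volume at once; confirm that
  # is required, otherwise a single-writer access mode is the safer choice.
  accessModes:
    - ReadWriteMany
  resources:
    requests:
      storage: 5Gi
  storageClassName: cephfs-hyper
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: openbao-config
  namespace: openbao
data:
  # Security-relevant settings in this config:
  # - tls_disable = 1: the listener serves plaintext HTTP on 8200. Tokens and
  #   secret values cross the pod network unencrypted unless TLS is terminated
  #   by something not shown in this file (mesh sidecar, ingress) - confirm.
  # - disable_mlock = true: process memory is not pinned; confirm the nodes
  #   run without unencrypted swap.
  # - storage "file" path must match the data volume's mountPath in the
  #   Deployment below (/openbao/file).
  bao.hcl: |
    ui = true

    listener "tcp" {
      address     = "[::]:8200"
      tls_disable = 1
    }

    storage "file" {
      path = "/openbao/file"
    }

    disable_mlock = true
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: openbao
  namespace: openbao
spec:
  # Single replica: the file backend does not support multiple active servers.
  # NOTE(review): no update strategy is set, so the default rolling update can
  # briefly run an old and a new pod against the same volume; consider
  # `strategy: {type: Recreate}` for this storage backend.
  replicas: 1
  selector:
    matchLabels:
      app: openbao
  template:
    metadata:
      labels:
        app: openbao
    spec:
      securityContext:
        fsGroup: 1000
        fsGroupChangePolicy: "OnRootMismatch"
      initContainers:
        # Runs as root only to hand the data directory to uid 100 / gid 1000
        # before the server starts.
        # NOTE(review): fsGroup above already adjusts group ownership on
        # volumes that support it; check whether this root step is still
        # needed on this storage class.
        - name: fix-permissions
          # NOTE(review): image is referenced by mutable tag; pin by digest.
          image: busybox:1.36
          command:
            - sh
            - -c
            - |
              mkdir -p /openbao/file
              chown -R 100:1000 /openbao/file
              chmod -R ug+rwX /openbao/file
          securityContext:
            runAsUser: 0
          volumeMounts:
            - name: data
              mountPath: /openbao/file
      containers:
        - name: openbao
          # NOTE(review): image is referenced by mutable tag; pin by digest.
          image: ghcr.io/openbao/openbao:2.4.3
          imagePullPolicy: IfNotPresent
          args:
            - "server"
            - "-config=/openbao/config/bao.hcl"
          ports:
            - containerPort: 8200
              name: http
          # NOTE(review): no container-level securityContext, resource limits
          # or probes are defined. Consider runAsNonRoot,
          # allowPrivilegeEscalation: false and dropped capabilities after
          # confirming the image's entrypoint works without root.
          volumeMounts:
            - name: config
              mountPath: /openbao/config
            # Must match storage "file" path in bao.hcl.
            - name: data
              mountPath: /openbao/file
      volumes:
        - name: config
          configMap:
            name: openbao-config
        - name: data
          persistentVolumeClaim:
            claimName: openbao-data
---
apiVersion: v1
kind: Service
metadata:
  name: openbao
  namespace: openbao
spec:
  # ClusterIP keeps the API off external networks, but the port is plaintext
  # and reachable from any pod allowed by network policy; no NetworkPolicy is
  # defined in this file.
  selector:
    app: openbao
  ports:
    - port: 8200
      targetPort: 8200
  type: ClusterIP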