feat: add support for Raft HA in OpenBao

jackhodgkiss · jackhodgkiss · commit 351935933be9 · 2025-05-13T18:29:21.000+01:00
Add support for deploying `OpenBao` with Raft storage backend configured
in a high available manner.
diff --git a/roles/openbao/README.md b/roles/openbao/README.md
@@ -23,7 +23,7 @@ Role variables
     * `openbao_cluster_name`: OpenBao cluster name (e.g. "prod_cluster")
     * `openbao_config_dir`: Directory into which to bind mount OpenBao configuration
   * Optional
-    * `openbao_bind_address`: Which IP address should OpenBao bind to (default: "127.0.0.1")
+    * `openbao_bind_addr`: Which IP address should OpenBao bind to (default: "127.0.0.1")
     * `openbao_api_addr`: OpenBao [API addr](https://openbao.org/docs/configuration/#high-availability-parameters) - Full URL including protocol and port (default: "http://127.0.0.1:8200")
     * `openbao_init_addr`: OpenBao init addr (used only for initialisation purposes) - full URL including protocol and port (default: "http://127.0.0.1:8200")
     * `openbao_docker_name`: Docker - under which name to run the OpenBao image (default: "bao")
@@ -38,6 +38,7 @@ Role variables
     * `openbao_write_keys_file`: Whether to write the root token and unseal keys to a file. Default `false`
     * `openbao_write_keys_file_host`: Host on which to write root token and unseal keys. Default `localhost`
     * `openbao_write_keys_file_path`: Path of file to write root token and unseal keys. Default `bao-keys.json`
+    * `openbao_raft_leaders`: List of IPs belonging to Raft leaders. Expected that the first and only entry is the IP address of the first OpenBao instance as this would be initialised whereas as the others will not.
 
 Root and unseal keys
 --------------------
diff --git a/roles/openbao/defaults/main.yml b/roles/openbao/defaults/main.yml
@@ -7,47 +7,52 @@ openbao_docker_name: "openbao"
 openbao_docker_image: "openbao/openbao"
 openbao_docker_tag: "latest"
 
+openbao_config_dir: ""
+
 openbao_cluster_name: ""
-openbao_protocol: "{{ 'https' if openbao_tls_key and openbao_tls_cert else 'http' }}"
-# Allow openbao_vip_url and openbao_vip_address for backwards compatibility.
-openbao_vip_address: "{{ openbao_vip_url | default(openbao_bind_address) }}"
-openbao_api_addr: "{{ openbao_protocol ~ '://' ~ openbao_vip_address ~ ':8200' }}"
-openbao_bind_address: "127.0.0.1"
-openbao_init_addr: "http://127.0.0.1:8200"
+
 openbao_tls_key: ""
 openbao_tls_cert: ""
 
-openbao_config_dir: ""
+openbao_protocol: "{{ 'https' if openbao_tls_key and openbao_tls_cert else 'http' }}"
+
+openbao_api_addr: "{{ openbao_bind_addr ~ ':' ~ openbao_api_port }}"
+openbao_bind_addr: "127.0.0.1"
+openbao_init_addr: "{{ openbao_api_addr }}"
+openbao_cluster_addr: "{{ openbao_bind_addr ~ ':' ~ openbao_cluster_port }}"
+
+openbao_api_port: 8200
+openbao_cluster_port: 8201
+
+openbao_raft_leaders: []
 
 openbao_config: >
   {
     "cluster_name": "{{ openbao_cluster_name }}",
     "ui": false,
-    "api_addr": "{{ openbao_api_addr }}",
-    "cluster_addr": "http://127.0.0.1:8201",
+    "api_addr": "{{ openbao_protocol }}://{{ openbao_api_addr }}",
+    "cluster_addr": "{{ openbao_protocol }}://{{ openbao_cluster_addr }}",
     "listener": [{
       "tcp": {
-        "address": "{{ openbao_bind_address }}:8200",
+        "address": "{{ openbao_bind_addr }}:{{ openbao_api_port }}",
         {% if openbao_tls_key and openbao_tls_cert %}
         "tls_min_version": "tls12",
         "tls_key_file": "/openbao/config/{{ openbao_tls_key }}",
         "tls_cert_file": "/openbao/config/{{ openbao_tls_cert }}"
         {% else %}
         "tls_disable": "true"
         {% endif %}
-      }{% if openbao_bind_address != '127.0.0.1' %},
-    },
-    {
-      "tcp": {
-        "address": "127.0.0.1:8200",
-        "tls_disable": "true"
       }
-    {% endif %}
     }],
     "storage": {
-    "raft": {
-       "node_id": "raft_{{ ansible_facts.nodename }}",
-       "path": "/openbao/file"
+      "raft": {
+        "node_id": "raft_{{ ansible_facts.nodename }}",
+        "path": "/openbao/file",
+        {% if openbao_raft_leaders | length > 0 %}
+        "retry_join": {
+          "leader_api_addr": "{{ openbao_protocol }}://{{ openbao_raft_leaders | first }}:{{ openbao_api_port }}"
+        }
+        {% endif %}
       }
     },
     "telemetry": {
diff --git a/tests/test_openbao.yml b/tests/test_openbao.yml
@@ -5,7 +5,7 @@
   vars:
     openbao_config_dir: "/etc/openbao"
     openbao_log_keys: true
-    openbao_api_addr: "{{ 'http' ~ '://' ~ '127.0.0.1' ~ ':8200' }}"
+    openbao_bind_addr: "{{ 'http' ~ '://' ~ '127.0.0.1' ~ ':8200' }}"
     openbao_set_keys_fact: true
     openbao_write_keys_file: true
   tasks:
