fix(openbao): bump audit PVC to 10Gi + document fail-closed mode

devantler · claude · devantler · commit 35f0210acca1 · 2026-05-28T23:04:04.000+02:00
OpenBao's file audit backend does not rotate, and OpenBao fails CLOSED
on audit-write errors (every API request blocks once the volume is
full). The chart default of 1Gi would silently degrade to a fully
sealed cluster after a few months at this cluster's request volume.

Changes:

- auditStorage.size: 1Gi -&gt; 10Gi.
  10Gi gives multi-year headroom for this cluster's traffic
  (~700 KB/day from current ESO + vault-snapshot use). Variable
  override matches the dataStorage idiom so fork operators can tune
  per-cluster.
- Inline comment documents:
  * the failure mode (fail-closed, blocks API);
  * the rotation strategy until the observability stack ships the
    audit stream off-PVC (a manual SIGHUP rotate from the openbao
    pod);
  * the metric to monitor while we're still file-backed.

This is a tactical sizing/documentation fix. Proper rotation +
shipping happens in the observability rollout (per the
observability-production-ready memory) -- promtail will consume
audit.log and the PVC sizing becomes irrelevant. Tracked as a
follow-up to this PR.

Validation:
  $ ksail workload validate                          → 256 files validated
  $ ksail --config ksail.prod.yaml workload validate → 256 files validated

Co-Authored-By: Claude Opus 4.7 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/k8s/bases/infrastructure/controllers/openbao/helm-release.yaml b/k8s/bases/infrastructure/controllers/openbao/helm-release.yaml
@@ -63,7 +63,21 @@ spec:
         size: ${openbao_storage_size:=1Gi}
       auditStorage:
         enabled: true
-        size: 1Gi
+        # 10Gi (up from the chart default 1Gi). The file audit backend
+        # does not rotate, and OpenBao FAILS CLOSED on audit-write
+        # errors (every API request blocks once the volume is full).
+        # 10Gi gives multi-year headroom for this cluster's request
+        # volume (~700 KB/day from current ESO + vault-snapshot
+        # traffic). Once the observability stack lands, promtail will
+        # ship the stream off-PVC and the size will become irrelevant.
+        # Until then, monitor 'kubelet_volume_stats_available_bytes'
+        # on the openbao-audit-* PVC and rotate manually via
+        #   kubectl -n openbao exec openbao-0 -- sh -c \
+        #     'mv /openbao/audit/audit.log /openbao/audit/audit.log.$(date -u +%Y%m%dT%H%M%SZ) && \
+        #      kill -HUP 1'
+        # (OpenBao reopens its audit FD on SIGHUP, so the move +
+        #  signal pattern is safe.)
+        size: ${openbao_audit_storage_size:=10Gi}
       standalone:
         enabled: true
         config: |
