Switch to openbao docker images

[jessebot]

Description

I would like to replace all the references to hashicorp/vault docker images with our new official images.

Context

This is dependent on the new docker images being uploaded, which is blocked by dockerhub recognizing openbao as an opensource project to raise limit caps. When that is completed, we can start on a PR to get this done. Ref: openbao/openbao#327 (comment)

There's a number of references to official hashicorp vault images and their versions, taken from the newly generated docs for this repo in #2 :

parameter	type	default value
csi.agent.image.repository	string	"hashicorp/vault"
csi.agent.image.tag	string	"1.15.2"
csi.image.repository	string	"hashicorp/vault-csi-provider"
csi.image.tag	string	"1.4.1"
injector.agentImage.repository	string	"hashicorp/vault"
injector.agentImage.tag	string	"1.15.2"
injector.image.repository	string	"hashicorp/vault-k8s"
injector.image.tag	string	"1.3.1"
server.image.repository	string	"hashicorp/vault"
server.image.tag	string	"1.15.2"

Images to be replaced

• hashicorp/vault available via https://quay.io/repository/openbao/openbao
• hashicorp/vault-csi-provider <-- needs Need a docker release workflow openbao-csi-provider#3 resolved
• hashicorp/vault-k8s <-- needs Release docker image openbao-k8s#2 resolved

[naphelps]

@jessebot Quay.io is also available today: https://quay.io/repository/openbao/openbao

We will also be using GitHub builtin container registry as well in the future.

[jessebot]

Thank you, @naphelps for the prompt responses :)

I can submit a PR for the hashicorp/vault -> quay.io/openbao/openbao in just a bit. Note to self: add image.registry to all image maps throughout chart and have it default to quay.io for now.

We'll still need to wait on the other two images though.

[jessebot]

I will start work on this today to get the base image references updated. Feel free to assign to me

[jessebot]

Updates:

• With the merge of Issue 3: update base vault images to point at quay.io/openbao/openbao; add more helm docs #8, we got 60-66.66% of this Issue completed. Since https://github.com/openbao/openbao-csi-provider was recently forked into the org, I can do another PR updating those images.

• Still unsure of the status of the hashicorp/vault-k8s though.

[naphelps]

https://github.com/openbao/openbao-k8s

[jessebot]

Thanks, @naphelps! Looks like both of those repos could use some work I'll try to take a look in the next day or so to see what they need to get their search/replace done and docker images released via ghcr, docker hub, or quay. If others in the community beat me to it, please feel free to comment here and let me know which registry to point to :)

[MagicRB]

For anyone wondering why this helm chart seems to do nothing, it's because it's still using hashicorp/vault-k8s which has different annotation keys...

[cipherboy]

@MagicRB Correct, we've not yet created a release version of this helm chart yet, it is still under development. :-) One of the things holding this up is a new OpenBao release, as it turns out we didn't have the correct Kubernetes auto-discovery tags in the 2.0.0 GA release.

Please bear with us, or if you have the expertise, PRs are welcome :-) But I think mostly a new OpenBao Core release is held up on transactional storage review & merge.

[MagicRB]

No worries :) im bearing with you, just wanted to leave it as a warning for early explorers haha. I managed to get it working, the injector is still hashicorp, but the agent is a custom built container which contains openbao (with a symlink from vault, to make it work). I will open a few PRs making the chart behave a bit nicer on my infra, since I need to pass in images of the form nix:0/nix/store/aaaaaa-image and currently the chart always expects a tag to be there so I had to hack around it slightly.

[shaeliss]

What is the current way to use the injector agent? Is it working with openbao agentImage and openbao annotations in the yaml file? Or the only way for now is to use vault agentImage and vault annotations?