Render the cluster spec into a converged StatefulSet and configuration.

The infrastructure manager is the workload path that turns OpenBaoCluster into running Kubernetes resources. It owns rendered configuration, StatefulSet-facing infrastructure, and the rollout triggers that keep configuration drift and pod lifecycle changes in sync.

At a glance

Control path

• workload reconciler
• internal/app/openbaocluster workload orchestration
• internal/service/infra

Owns

• rendered config.hcl
• StatefulSet, Services, ConfigMaps, and workload-facing Secrets
• static unseal key secret when the operator manages the seal

Writes

• pod-template config hash annotations
• rendered workload resources and their ownership metadata
• state transitions that trigger safe workload rollout

Depends on

• TLS mode and certificate material
• seal mode and credentials
• image verification policy and current workload health

Architectural Placement

Infrastructure reconciliation belongs to the workload orchestration path:

1. internal/controller/openbaocluster receives a workload-side reconcile event.
2. The controller delegates into the internal/app/openbaocluster facade.
3. Workload orchestration calls internal/service/infra to render resources and apply them.

That split keeps controller code as reconcile plumbing while the infra manager owns the workload contract.

Reference table

Owned surfaces

Owned surfaces.

Surface	What the manager decides	Why it matters
Rendered config.hcl	Listener, storage, service registration, TLS, seal, and integration stanzas.	Configuration drift must stay aligned with the declared cluster spec.
StatefulSet and Services	Replica intent, pod template, discovery Services, and workload wiring.	The workload path owns the pod lifecycle and cluster reachability model.
Pod template annotations	Config and certificate hashes that trigger rollout when rendered state changes.	Rendered changes need a safe, predictable rollout boundary.
Static unseal material	Operator-generated unseal Secret and mount wiring when static seal mode is used.	Seal bootstrap has to stay consistent with the rendered config and mounted files.

Render-Then-Apply Flow

Diagram

Render then apply

The infrastructure manager renders workload resources first, then applies only what changed. Hash annotations on the pod template convert rendered config drift into safe Kubernetes rollout behavior.

Configuration And Seal Rendering

The manager does not apply a static ConfigMap. It renders the config from the cluster spec and the selected integration modes.

listener "tcp" {
  address         = "0.0.0.0:8200"
  cluster_address = "0.0.0.0:8201"
  tls_cert_file   = "/etc/bao/tls/tls.crt"
  tls_key_file    = "/etc/bao/tls/tls.key"
}

storage "raft" {
  path    = "/bao/data"
  node_id = "${HOSTNAME}"

  retry_join {
    auto_join              = "provider=k8s label_selector=\"openbao.org/cluster=prod-cluster\""
    leader_tls_servername  = "openbao-cluster-prod-cluster.local"
  }
}

Static seal

The manager generates the unseal material, stores it in Secret/<cluster>-unseal-key, mounts it into the pod, and renders a seal "static" stanza that points at the mounted file.

External KMS

When spec.unseal.type points at a cloud KMS integration, the manager stops generating unseal material and renders the provider-specific seal stanza from the declared credentials and parameters.

TLS mode changes workload rendering

TLS mode affects both rendered config and mounted resource expectations. OperatorManaged, External, and ACME are not only certificate sources, they change what the workload pod expects on disk and what the hot-reload path watches.

Safety Boundaries

Reference table

Safety boundaries

Safety boundaries.

Concern	Manager behavior
Config drift	Rendered config changes are converted into hash-based rollout triggers instead of relying on manual restarts.
Image verification	When verification is enabled, the manager blocks or warns before unsafe workload images are applied, depending on policy.
Least privilege in multi-tenant mode	The workload path avoids broad tenant list/watch access and prefers direct reads plus requeue-based polling.
Lifecycle ownership	ConfigMaps, Services, Secrets, and StatefulSet resources stay owned by the OpenBaoCluster contract rather than becoming user-managed side effects.

Related deep dives

Cert managerFollow how certificate sources, rotation, and hot reload affect what the workload path renders.Init managerSee how the workload path hands off from first-boot infrastructure into cluster initialization.Configure the clusterCompare the internal rendering model with the user-facing configuration guides.