From 8755595e600abea77892501933eaaf71a2dd3dc2 Mon Sep 17 00:00:00 2001
From: Jason Staack <jason@staack.com>
Date: Tue, 17 Mar 2026 18:48:10 -0500
Subject: [PATCH] feat(helm): add NOTES.txt with OpenBao init instructions and
 access info

Post-install notes cover OpenBao initialization/unseal workflow,
ingress or port-forward access, admin credentials, and health check.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 infrastructure/helm/templates/NOTES.txt | 55 +++++++++++++++++++++++++
 1 file changed, 55 insertions(+)
 create mode 100644 infrastructure/helm/templates/NOTES.txt

diff --git a/infrastructure/helm/templates/NOTES.txt b/infrastructure/helm/templates/NOTES.txt
new file mode 100644
index 0000000..6e6a796
--- /dev/null
+++ b/infrastructure/helm/templates/NOTES.txt
@@ -0,0 +1,55 @@
+=======================================================
+  TOD — The Other Dude
+  MikroTik Fleet Management Platform
+=======================================================
+
+{{- if .Values.openbao.enabled }}
+
+IMPORTANT: OpenBao requires manual initialization.
+
+  1. Wait for the OpenBao pod to start:
+     kubectl get pods -n {{ .Release.Namespace }} -l app.kubernetes.io/component=openbao
+
+  2. Initialize OpenBao (first time only):
+     kubectl exec -it -n {{ .Release.Namespace }} {{ include "tod.fullname" . }}-openbao-0 -- bao operator init -key-shares=1 -key-threshold=1
+
+     Save the unseal key and root token from the output!
+
+  3. Unseal OpenBao:
+     kubectl exec -it -n {{ .Release.Namespace }} {{ include "tod.fullname" . }}-openbao-0 -- bao operator unseal <UNSEAL_KEY>
+
+  4. Update your release with the token:
+     helm upgrade {{ .Release.Name }} <chart-path> \
+       --set secrets.openbaoToken=<ROOT_TOKEN> \
+       --set secrets.baoUnsealKey=<UNSEAL_KEY>
+
+  NOTE: OpenBao must be manually unsealed after every pod restart.
+{{- end }}
+
+{{- if .Values.ingress.enabled }}
+{{- if .Values.ingress.host }}
+
+Access TOD at: http{{ if .Values.ingress.tls.enabled }}s{{ end }}://{{ .Values.ingress.host }}
+{{- else }}
+
+WARNING: No ingress host configured. Set ingress.host in your values.
+{{- end }}
+{{- else }}
+
+Access TOD via port-forward:
+  kubectl port-forward -n {{ .Release.Namespace }} svc/{{ include "tod.fullname" . }}-frontend 3000:80
+  kubectl port-forward -n {{ .Release.Namespace }} svc/{{ include "tod.fullname" . }}-api 8000:8000
+
+  Then open http://localhost:3000
+{{- end }}
+
+Admin credentials:
+  Email:    {{ .Values.secrets.firstAdminEmail }}
+  Password: (value of secrets.firstAdminPassword)
+
+Verify health:
+  kubectl get pods -n {{ .Release.Namespace }}
+  kubectl port-forward -n {{ .Release.Namespace }} svc/{{ include "tod.fullname" . }}-api 8000:8000
+  curl http://localhost:8000/health
+
+Documentation: https://theotherdude.net/docs