dc-tec
diff --git a/‎api/v1alpha1/openbaocluster_types.go‎
Lines changed: 54 additions & 0 deletions b/‎api/v1alpha1/openbaocluster_types.go‎
Lines changed: 54 additions & 0 deletions
diff --git a/‎api/v1alpha1/zz_generated.deepcopy.go‎
Lines changed: 25 additions & 0 deletions b/‎api/v1alpha1/zz_generated.deepcopy.go‎
Lines changed: 25 additions & 0 deletions
diff --git a/‎charts/openbao-operator/crds/openbao.org_openbaoclusters.yaml‎
Lines changed: 59 additions & 0 deletions b/‎charts/openbao-operator/crds/openbao.org_openbaoclusters.yaml‎
Lines changed: 59 additions & 0 deletions
diff --git a/‎config/crd/bases/openbao.org_openbaoclusters.yaml‎
Lines changed: 59 additions & 0 deletions b/‎config/crd/bases/openbao.org_openbaoclusters.yaml‎
Lines changed: 59 additions & 0 deletions
diff --git a/‎docs/architecture/operator-invariants.md‎
Lines changed: 10 additions & 3 deletions b/‎docs/architecture/operator-invariants.md‎
Lines changed: 10 additions & 3 deletions
diff --git a/‎docs/architecture/workload-managers.md‎
Lines changed: 3 additions & 1 deletion b/‎docs/architecture/workload-managers.md‎
Lines changed: 3 additions & 1 deletion
@@ -69,6 +69,9 @@ const (
 	// ConditionACMECacheReady indicates whether the shared ACME cache PVC is ready for use
 	// when the configured topology requires or uses a shared ACME cache.
 	ConditionACMECacheReady ConditionType = "ACMECacheReady"
+	// ConditionAuditFileStorageReady indicates whether the shared audit file storage PVC
+	// is ready for file audit devices and mounted by the workload StatefulSets.
+	ConditionAuditFileStorageReady ConditionType = "AuditFileStorageReady"
 	// ConditionGatewayIntegrationReady indicates whether the operator can verify
 	// the referenced Gateway and GatewayClass integration contract for the chosen
 	// Gateway API mode.
@@ -236,6 +239,53 @@ type ACMESharedCacheConfig struct {
 	StorageClassName *string `json:"storageClassName,omitempty"`
 }
 
+// AuditFileStorageMode controls how the operator provides shared filesystem storage for file audit logs.
+// +kubebuilder:validation:Enum=ManagedPVC;ExistingPVC
+type AuditFileStorageMode string
+
+const (
+	// AuditFileStorageModeManagedPVC instructs the operator to create a dedicated RWX PVC.
+	AuditFileStorageModeManagedPVC AuditFileStorageMode = "ManagedPVC"
+	// AuditFileStorageModeExistingPVC instructs the operator to mount an existing RWX PVC.
+	AuditFileStorageModeExistingPVC AuditFileStorageMode = "ExistingPVC"
+)
+
+// AuditFileStorageConfig configures the shared filesystem integration point for file audit devices.
+//
+// The operator mounts the selected PVC into each OpenBao Pod. Each Pod uses a
+// pod-specific subPath under the same PVC so all Pods can render the same audit
+// file path while collectors can mount the PVC read-only and read per-Pod audit
+// files from the backing directories. This storage is intended as a collector
+// handoff and replay buffer, not as the authoritative compliance archive.
+// +kubebuilder:validation:XValidation:rule="self.mode != 'ManagedPVC' || !has(self.existingClaimName) || size(self.existingClaimName) == 0",message="auditFileStorage.existingClaimName is only supported when mode is ExistingPVC"
+// +kubebuilder:validation:XValidation:rule="self.mode != 'ExistingPVC' || size(self.existingClaimName) > 0",message="auditFileStorage.existingClaimName is required when mode is ExistingPVC"
+// +kubebuilder:validation:XValidation:rule="self.mode != 'ExistingPVC' || !has(self.size) || size(self.size) == 0",message="auditFileStorage.size is only supported when mode is ManagedPVC"
+// +kubebuilder:validation:XValidation:rule="self.mode != 'ExistingPVC' || !has(self.storageClassName) || size(self.storageClassName) == 0",message="auditFileStorage.storageClassName is only supported when mode is ManagedPVC"
+// +kubebuilder:validation:XValidation:rule="self.mode != 'ManagedPVC' || size(self.size) > 0",message="auditFileStorage.size is required when mode is ManagedPVC"
+// +kubebuilder:validation:XValidation:rule="!has(self.mountPath) || (self.mountPath.startsWith('/') && self.mountPath != '/')",message="auditFileStorage.mountPath must be an absolute path and must not be /"
+type AuditFileStorageConfig struct {
+	// Mode selects whether the operator creates a dedicated RWX PVC or mounts an existing one.
+	Mode AuditFileStorageMode `json:"mode"`
+	// ExistingClaimName is the name of a pre-created RWX PVC in the same namespace.
+	// Required when Mode is ExistingPVC.
+	// +kubebuilder:validation:MinLength=1
+	// +optional
+	ExistingClaimName string `json:"existingClaimName,omitempty"`
+	// Size is the requested capacity for the managed audit file storage PVC.
+	// Required when Mode is ManagedPVC.
+	// +kubebuilder:validation:MinLength=1
+	// +optional
+	Size string `json:"size,omitempty"`
+	// StorageClassName is an optional StorageClass for the managed audit file storage PVC.
+	// +optional
+	StorageClassName *string `json:"storageClassName,omitempty"`
+	// MountPath is where the audit file storage PVC is mounted in OpenBao Pods.
+	// File audit device paths must be under this path when auditFileStorage is configured.
+	// +kubebuilder:default=/openbao/audit
+	// +optional
+	MountPath string `json:"mountPath,omitempty"`
+}
+
 // TLSConfig captures TLS configuration for an OpenBaoCluster.
 type TLSConfig struct {
 	// Enabled controls whether TLS is enabled for the cluster.
@@ -2015,6 +2065,10 @@ type OpenBaoClusterSpec struct {
 	// +listType=map
 	// +listMapKey=path
 	Audit []AuditDevice `json:"audit,omitempty"`
+	// AuditFileStorage configures a shared filesystem integration point for file audit devices.
+	// When configured, file audit device paths must be under auditFileStorage.mountPath.
+	// +optional
+	AuditFileStorage *AuditFileStorageConfig `json:"auditFileStorage,omitempty"`
 	// Plugins configures declarative plugins for the OpenBao cluster.
 	// See: https://openbao.org/docs/configuration/plugins/
 	// +optional
 
@@ -186,6 +186,65 @@ spec:
                 x-kubernetes-list-map-keys:
                 - path
                 x-kubernetes-list-type: map
+              auditFileStorage:
+                description: |-
+                  AuditFileStorage configures a shared filesystem integration point for file audit devices.
+                  When configured, file audit device paths must be under auditFileStorage.mountPath.
+                properties:
+                  existingClaimName:
+                    description: |-
+                      ExistingClaimName is the name of a pre-created RWX PVC in the same namespace.
+                      Required when Mode is ExistingPVC.
+                    minLength: 1
+                    type: string
+                  mode:
+                    description: Mode selects whether the operator creates a dedicated
+                      RWX PVC or mounts an existing one.
+                    enum:
+                    - ManagedPVC
+                    - ExistingPVC
+                    type: string
+                  mountPath:
+                    default: /openbao/audit
+                    description: |-
+                      MountPath is where the audit file storage PVC is mounted in OpenBao Pods.
+                      File audit device paths must be under this path when auditFileStorage is configured.
+                    type: string
+                  size:
+                    description: |-
+                      Size is the requested capacity for the managed audit file storage PVC.
+                      Required when Mode is ManagedPVC.
+                    minLength: 1
+                    type: string
+                  storageClassName:
+                    description: StorageClassName is an optional StorageClass for
+                      the managed audit file storage PVC.
+                    type: string
+                required:
+                - mode
+                type: object
+                x-kubernetes-validations:
+                - message: auditFileStorage.existingClaimName is only supported when
+                    mode is ExistingPVC
+                  rule: self.mode != 'ManagedPVC' || !has(self.existingClaimName)
+                    || size(self.existingClaimName) == 0
+                - message: auditFileStorage.existingClaimName is required when mode
+                    is ExistingPVC
+                  rule: self.mode != 'ExistingPVC' || size(self.existingClaimName)
+                    > 0
+                - message: auditFileStorage.size is only supported when mode is ManagedPVC
+                  rule: self.mode != 'ExistingPVC' || !has(self.size) || size(self.size)
+                    == 0
+                - message: auditFileStorage.storageClassName is only supported when
+                    mode is ManagedPVC
+                  rule: self.mode != 'ExistingPVC' || !has(self.storageClassName)
+                    || size(self.storageClassName) == 0
+                - message: auditFileStorage.size is required when mode is ManagedPVC
+                  rule: self.mode != 'ManagedPVC' || size(self.size) > 0
+                - message: auditFileStorage.mountPath must be an absolute path and
+                    must not be /
+                  rule: '!has(self.mountPath) || (self.mountPath.startsWith(''/'')
+                    && self.mountPath != ''/'')'
               backup:
                 description: Backup configures scheduled backups for the cluster.
                 properties:
 
@@ -185,6 +185,65 @@ spec:
                 x-kubernetes-list-map-keys:
                 - path
                 x-kubernetes-list-type: map
+              auditFileStorage:
+                description: |-
+                  AuditFileStorage configures a shared filesystem integration point for file audit devices.
+                  When configured, file audit device paths must be under auditFileStorage.mountPath.
+                properties:
+                  existingClaimName:
+                    description: |-
+                      ExistingClaimName is the name of a pre-created RWX PVC in the same namespace.
+                      Required when Mode is ExistingPVC.
+                    minLength: 1
+                    type: string
+                  mode:
+                    description: Mode selects whether the operator creates a dedicated
+                      RWX PVC or mounts an existing one.
+                    enum:
+                    - ManagedPVC
+                    - ExistingPVC
+                    type: string
+                  mountPath:
+                    default: /openbao/audit
+                    description: |-
+                      MountPath is where the audit file storage PVC is mounted in OpenBao Pods.
+                      File audit device paths must be under this path when auditFileStorage is configured.
+                    type: string
+                  size:
+                    description: |-
+                      Size is the requested capacity for the managed audit file storage PVC.
+                      Required when Mode is ManagedPVC.
+                    minLength: 1
+                    type: string
+                  storageClassName:
+                    description: StorageClassName is an optional StorageClass for
+                      the managed audit file storage PVC.
+                    type: string
+                required:
+                - mode
+                type: object
+                x-kubernetes-validations:
+                - message: auditFileStorage.existingClaimName is only supported when
+                    mode is ExistingPVC
+                  rule: self.mode != 'ManagedPVC' || !has(self.existingClaimName)
+                    || size(self.existingClaimName) == 0
+                - message: auditFileStorage.existingClaimName is required when mode
+                    is ExistingPVC
+                  rule: self.mode != 'ExistingPVC' || size(self.existingClaimName)
+                    > 0
+                - message: auditFileStorage.size is only supported when mode is ManagedPVC
+                  rule: self.mode != 'ExistingPVC' || !has(self.size) || size(self.size)
+                    == 0
+                - message: auditFileStorage.storageClassName is only supported when
+                    mode is ManagedPVC
+                  rule: self.mode != 'ExistingPVC' || !has(self.storageClassName)
+                    || size(self.storageClassName) == 0
+                - message: auditFileStorage.size is required when mode is ManagedPVC
+                  rule: self.mode != 'ManagedPVC' || size(self.size) > 0
+                - message: auditFileStorage.mountPath must be an absolute path and
+                    must not be /
+                  rule: '!has(self.mountPath) || (self.mountPath.startsWith(''/'')
+                    && self.mountPath != ''/'')'
               backup:
                 description: Backup configures scheduled backups for the cluster.
                 properties:
 
@@ -153,12 +153,19 @@ Related reading: <SiteLink docId="security/fundamentals/profiles">Security Profi
   rows={[
     {
       cells: [
-        'Gateway, ACME, and API-server assumptions surface as explicit conditions.',
+        'Gateway, ACME, audit storage, and API-server assumptions surface as explicit conditions.',
         'Environment and controller dependencies should become visible status contracts before they become runtime failures.',
-        '`GatewayIntegrationReady`, `ACMEIntegrationReady`, `ACMECacheReady`, and `APIServerNetworkReady` conditions.',
+        '`GatewayIntegrationReady`, `ACMEIntegrationReady`, `ACMECacheReady`, `AuditFileStorageReady`, and `APIServerNetworkReady` conditions.',
       ],
       emphasis: 'recommended',
     },
+    {
+      cells: [
+        'Audit file storage stays an explicit integration point.',
+        'The operator can mount and validate the handoff PVC, but retention, tamper resistance, and collection pipelines belong to the surrounding platform.',
+        '`spec.auditFileStorage`, `spec.audit`, status readiness, and workload mount guardrails.',
+      ],
+    },
     {
       cells: [
         'Backup and restore identity stays separate from the main workload identity.',
@@ -169,7 +176,7 @@ Related reading: <SiteLink docId="security/fundamentals/profiles">Security Profi
   ]}
 />
 
-Related reading: <SiteLink docId="reference/status-and-events">Status and Events</SiteLink> and <SiteLink docId="user-guide/openbaocluster/operations/backups">Configure Backups</SiteLink>.
+Related reading: <SiteLink docId="reference/status-and-events">Status and Events</SiteLink>, <SiteLink docId="user-guide/openbaocluster/configuration/observability">Observability</SiteLink>, and <SiteLink docId="user-guide/openbaocluster/operations/backups">Configure Backups</SiteLink>.
 
 ## Lifecycle safety invariants
 
 
@@ -113,7 +113,7 @@ This keeps change-coupling lower: config rendering, service exposure, ServiceAcc
   columns={['Manager', 'Owns', 'Primary writes', 'Why it stays separate']}
   rows={[
     {
-      cells: ['Bootstrap manager', 'Rendered config, self-init surfaces, unseal prerequisites, and related validation.', 'ConfigMap surfaces, static unseal Secret when applicable, self-init ConfigMap, and shared-cache PVC setup.', 'Config and bootstrap prerequisites change for different reasons than networking or StatefulSet lifecycle.'],
+      cells: ['Bootstrap manager', 'Rendered config, self-init surfaces, unseal prerequisites, and related validation.', 'ConfigMap surfaces, static unseal Secret when applicable, self-init ConfigMap, shared-cache PVC setup, and managed audit file storage PVC setup.', 'Config and bootstrap prerequisites change for different reasons than networking or StatefulSet lifecycle.'],
       emphasis: 'recommended',
     },
     {
@@ -139,6 +139,7 @@ The bootstrap manager prepares everything the workload needs before the Stateful
 - generate the static unseal Secret when that seal mode is selected
 - validate unseal prerequisites and related secret references
 - prepare ACME shared-cache storage when that mode requires it
+- prepare managed audit file storage PVCs when file audit handoff storage is configured
 
 ### Networking manager
 
@@ -166,6 +167,7 @@ The workload manager owns the StatefulSet-facing contract:
 - steady-state read-replica StatefulSet lifecycle and safe drain or delete behavior
 - PodDisruptionBudget reconciliation
 - rollout triggers from rendered config or certificate hash changes
+- audit file storage volume and mount wiring for voter and read-replica StatefulSets
 - single-replica bootstrap and later scale-out after initialization
 - revision-scoped workload resources used by blue/green and rollout-safe updates
 - read-first or restore-safe operational ordering delegated by the app layer for rolling upgrades, blue-green, and restore