edp-doc/docs/userguide/openbao.md

2024-12-04 11:46:03 +00:00
[OpenBao](https://openbao.org/) is a fork of [HashiCorp Vault](https://developer.hashicorp.com/vault), a centralized solution for managing and securing sensitive data such as authentication credentials, usernames, API tokens, and database credentials.
Beyond static secrets, OpenBao supports dynamic secrets, allowing applications to generate ephemeral credentials for enhanced security.
OpenBao's _Encrypt as a Service_ feature makes it simple to implement data encryption across your systems.
OpenBao's Secret Engines include:
1. **Key-Value Store**
2. **PKI** (Public Key Infrastructure) for certificate management
3. **SSH** for managing SSH credentials
4. **Transit Engine** for encrypting data without storing it
5. **Time-based One-Time Passwords** (TOTP) for two-factor authentication
6. **Kubernetes Secrets** for seamless integration with containerized applications
## 🔨 How to get it to run
The External Secrets Operator needs a Kubernetes secret containing **OpenBao's initial token** to access its secrets. You can create it with:
`kubectl create secret generic vault-token --from-literal=token=<root_token_from_getpassword.sh> -n openbao`
To perform any actions in OpenBao you need to authenticate using the following command:
`kubectl exec -ti openbao-0 -n openbao -- vault login <root_token_from_getpassword.sh>`
For demonstration purposes you can enable a **Key-Value secret engine** on the path **/data** with:
`kubectl exec -ti openbao-0 -n openbao -- vault secrets enable -path=data kv`
And to add your first secret just run:
`kubectl exec -ti openbao-0 -n openbao -- vault kv put data/postgres POSTGRES_USER=admin POSTGRES_PASSWORD=123456`
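The four steps above as one idempotent script (an added example, not part of the EDP docs). It keeps the pod name `openbao-0` and namespace `openbao` from this page, assumes the image's CLI is invoked as `vault` and that `./getpassword.sh` prints the root token on stdout, and passes the token over stdin rather than as a command-line argument so it does not end up in shell history or `ps` output.

```shell
#!/bin/sh
# Added example, not from the EDP docs. Assumptions: pod openbao-0 and namespace
# openbao (as on the page), the CLI in the pod is `vault`, and ./getpassword.sh
# prints the root token on stdout.
set -eu

NAMESPACE="${NAMESPACE:-openbao}"
POD="${POD:-openbao-0}"
KV_PATH="${KV_PATH:-data}"

# Run a CLI command inside the OpenBao pod. -i without -t so callers can pipe stdin.
bao_exec() {
  kubectl exec -i "$POD" -n "$NAMESPACE" -- vault "$@"
}

# Create the Secret the External Secrets Operator reads, unless it already exists.
# The token is fed through stdin instead of --from-literal, so it is not visible
# in shell history or in `ps` output.
create_token_secret() {
  if kubectl get secret vault-token -n "$NAMESPACE" >/dev/null 2>&1; then
    echo "secret vault-token already exists in $NAMESPACE, not overwriting" >&2
    return 0
  fi
  printf '%s' "$1" | kubectl create secret generic vault-token \
    --from-file=token=/dev/stdin -n "$NAMESPACE"
}

# `vault login -` reads the token from stdin, again keeping it off the command line.
login() {
  printf '%s\n' "$1" | bao_exec login -
}

# Enable the KV engine only if nothing is mounted at $KV_PATH/ yet.
enable_kv() {
  if bao_exec secrets list -format=json | grep -q "\"$KV_PATH/\""; then
    echo "an engine is already mounted at $KV_PATH/" >&2
  else
    bao_exec secrets enable -path="$KV_PATH" kv
  fi
}

main() {
  token="$(./getpassword.sh)"
  create_token_secret "$token"
  login "$token"
  enable_kv
  bao_exec kv put "$KV_PATH/postgres" POSTGRES_USER=admin POSTGRES_PASSWORD=123456
  bao_exec kv get "$KV_PATH/postgres"   # read back to confirm the write
}

# Guarded so the file can also be sourced for its functions.
if [ "${RUN_BOOTSTRAP:-0}" = 1 ]; then main; fi
```

Run it with `RUN_BOOTSTRAP=1 sh openbao-bootstrap.sh` from the directory that contains `getpassword.sh`.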
## 🔗 References
* https://openbao.org/docs/platform/k8s/helm/run/#initialize-and-unseal-openbao
* https://developer.hashicorp.com/vault