# OpenBao

[OpenBao](https://openbao.org/) is a fork of [HashiCorp Vault](https://developer.hashicorp.com/vault), a centralized solution for managing and securing sensitive data such as authentication credentials, usernames, API tokens, and database credentials. Beyond static secrets, OpenBao supports dynamic secrets, allowing applications to generate ephemeral credentials for improved security. OpenBao's _Encrypt as a Service_ feature makes it simple to implement data encryption across your systems.

---

## Main features

OpenBao's Secret Engines include:

- **Key-Value Store**
- **PKI** (Public Key Infrastructure) for certificate management
- **SSH** for managing SSH credentials
- **Transit Engine** for encrypting data without storing it
- **Time-based One-Time Passwords** (TOTP) for two-factor authentication
- **Kubernetes Secrets** for seamless integration with containerized applications

---

## 🔨 How to get it to run

*Hint: Before OpenBao can be used it has to be unsealed. This happens automatically. During unsealing an initial token is created; to access this token just run the **./getpassword.sh** script.*

The External Secrets Operator needs a Kubernetes secret containing **OpenBao's initial token** (see above) to access its secrets.
You can create it with:

```sh
kubectl create secret generic vault-token --from-literal=token= -n openbao
```

To perform any actions in OpenBao you need to authenticate using the following command:

```sh
kubectl exec -ti openbao-0 -n openbao -- vault login
```

For demonstration purposes you can enable a **Key-Value secret engine** on the path **/data** with:

```sh
kubectl exec -ti openbao-0 -n openbao -- vault secrets enable -path=data kv
```

And to add your first secret just run:

```sh
kubectl exec -ti openbao-0 -n openbao -- vault kv put data/postgres POSTGRES_USER=admin POSTGRES_PASSWORD=123456
```

To fetch it as a Kubernetes secret you'll need to create an **external-secrets.yaml** file and apply it to the cluster with `kubectl apply -f external-secrets.yaml`:

```yaml
# external-secrets.yaml
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: external-secret
  namespace: openbao
spec:
  refreshInterval: "15s"   # Interval at which the ExternalSecret controller refreshes the secret.
  secretStoreRef:          # References the SecretStore (defined in a separate file).
    name: bao-backend
    kind: SecretStore
  target:                  # The target Kubernetes secret that the ExternalSecret will create.
    name: postgres-secret
    creationPolicy: Owner
  data:                    # Key-value pairs the ExternalSecret retrieves from the OpenBao KV store and writes into the Kubernetes secret.
    - secretKey: POSTGRES_USER   # Key in the Kubernetes secret that is being created
      remoteRef:                 # Reference to the secret in the OpenBao KV store
        key: data/postgres       # Path to the secret in the OpenBao KV store
        property: POSTGRES_USER  # Name of the property to retrieve from that secret
    - secretKey: POSTGRES_PASSWORD
      remoteRef:
        key: data/postgres
        property: POSTGRES_PASSWORD
```

After that just run `kubectl get externalsecrets -A` to check that there are no problems with synchronization.
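The `bao-backend` SecretStore that the ExternalSecret above references is not shown on this page. The following is an added example (not part of the original README) of how that store could be defined for the setup described here; the in-cluster server address and the KV engine version are assumptions, and the token Secret is the `vault-token` one created earlier.

```yaml
# secret-store.yaml (added example, not from the original page)
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: bao-backend          # must match spec.secretStoreRef.name in the ExternalSecret
  namespace: openbao
spec:
  provider:
    vault:
      # Assumption: OpenBao is reachable in-cluster at this service address.
      server: "http://openbao.openbao.svc:8200"
      # Assumption: `vault secrets enable -path=data kv` (no -version=2 flag)
      # mounted a KV version 1 engine, so the provider must read it as v1.
      version: "v1"
      # `path` is intentionally omitted: the ExternalSecret's remoteRef.key
      # (data/postgres) already carries the full mount-relative path.
      auth:
        # Token Secret created earlier with `kubectl create secret generic vault-token`.
        tokenSecretRef:
          name: "vault-token"
          key: "token"
```

Apply it with `kubectl apply -f secret-store.yaml` before the ExternalSecret, then `kubectl get secretstores -n openbao` should show the store as ready before `kubectl get externalsecrets -A` reports a successful sync. Binding the store to the initial token is fine for this demo; for anything beyond it, a token scoped to the `data/` path or Kubernetes auth limits what a compromised operator credential can read.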
And to access the secret on your cluster run:

```sh
kubectl get secrets -n openbao
```

---

## 🔗 References

* https://openbao.org/docs/platform/k8s/helm/run/#initialize-and-unseal-openbao
* https://developer.hashicorp.com/vault