[OpenBao](https://openbao.org/) is a fork of [HashiCorp Vault](https://developer.hashicorp.com/vault), a centralized solution for managing and securing sensitive data like authentication credentials, usernames, API tokens, and database credentials - basically a digital safe for your secrets. Beyond static secrets, OpenBao supports dynamic secrets, allowing applications to generate ephemeral credentials for enhanced security. OpenBao's _Encrypt as a Service_ feature makes it simple to implement data encryption across your systems.

OpenBao's Secret Engines include:

1. **Key-Value Store**
2. **PKI** (Public Key Infrastructure) for certificate management
3. **SSH** for managing SSH credentials
4. **Transit Engine** for encrypting data without storing it
5. **Time-based One-Time Passwords** (TOTP) for two-factor authentication
6. **Kubernetes Secrets** for seamless integration with containerized applications

## 🔨 How to get it to run

The External Secrets Operator needs a Kubernetes secret containing **OpenBao's initial token** to access its secrets.
You can create it with:

`kubectl create secret generic vault-token --from-literal=token= -n openbao`

To perform any actions in OpenBao you need to authenticate using the following command:

`kubectl exec -ti openbao-0 -n openbao -- vault login`

For demonstration purposes you can enable a **Key-Value secret engine** on the path **/data** with:

`kubectl exec -ti openbao-0 -n openbao -- vault secrets enable -path=data kv`

And to add your first secret just run:

`kubectl exec -ti openbao-0 -n openbao -- vault kv put data/postgres POSTGRES_USER=admin POSTGRES_PASSWORD=123456`

To fetch it as a Kubernetes secret you'll need to create an **external-secrets.yaml** file and apply it to the cluster with `kubectl apply -f external-secrets.yaml`:

```yaml
# external-secrets.yaml
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: external-secret
  namespace: openbao
spec:
  refreshInterval: "15s" # How often the ExternalSecret controller refreshes the secret.
  secretStoreRef: # References the SecretStore defined in the first file.
    name: bao-backend
    kind: SecretStore
  target: # The Kubernetes Secret that the ExternalSecret will create.
    name: postgres-secret
    creationPolicy: Owner
  data: # Key-value pairs the ExternalSecret retrieves from the Vault secret store and writes into the Kubernetes Secret.
    - secretKey: POSTGRES_USER # Key name inside the Kubernetes Secret being created
      remoteRef: # Reference to the secret in the Vault secret store.
        key: data/postgres # Path to the secret in the Vault secret store
        property: POSTGRES_USER # Property of the Vault secret to retrieve
    - secretKey: POSTGRES_PASSWORD
      remoteRef:
        key: data/postgres
        property: POSTGRES_PASSWORD
```

After that just run `kubectl get externalsecrets -A` to check that there are no problems with synchronization.
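The synchronization check above can be automated by reading the `Ready` condition that the External Secrets Operator records on each ExternalSecret. The following is an added example, not part of this README: it parses the JSON that `kubectl get externalsecrets -A -o json` would return (the sample below is constructed, including its error message) and flags every ExternalSecret whose target Secret is not in sync; the `NotReconciled` label for objects without a status yet is this example's own.

```python
import json

# Constructed sample of what `kubectl get externalsecrets -A -o json` returns: one
# ExternalSecret that synced, one that failed, and one ESO has not reconciled yet.
SAMPLE_KUBECTL_JSON = json.dumps({"apiVersion": "v1", "kind": "List", "items": [
    {"metadata": {"name": "external-secret", "namespace": "openbao"},
     "spec": {"refreshInterval": "15s", "target": {"name": "postgres-secret"}},
     "status": {"conditions": [{"type": "Ready", "status": "True",
                                "reason": "SecretSynced", "message": "Secret was synced"}]}},
    {"metadata": {"name": "redis-secret", "namespace": "openbao"},
     "spec": {"refreshInterval": "15s", "target": {"name": "redis-secret"}},
     "status": {"conditions": [{"type": "Ready", "status": "False",
                                "reason": "SecretSyncedError",
                                "message": "could not get secret data from provider: "
                                           "secret not found at data/redis"}]}},
    {"metadata": {"name": "fresh-secret", "namespace": "openbao"},
     "spec": {"refreshInterval": "15s", "target": {"name": "fresh-secret"}}},
]})


def summarize_external_secrets(kubectl_json: str) -> list[dict]:
    """One row per ExternalSecret: is its Ready condition True, and what did ESO report."""
    rows = []
    for item in json.loads(kubectl_json).get("items", []):
        meta, spec = item["metadata"], item.get("spec", {})
        conditions = item.get("status", {}).get("conditions", [])
        # ESO records the outcome of the last sync in the condition of type "Ready".
        ready = next((c for c in conditions if c.get("type") == "Ready"), None)
        rows.append({
            "namespace": meta["namespace"],
            "name": meta["name"],
            "target": spec.get("target", {}).get("name"),
            "ready": ready is not None and ready.get("status") == "True",
            # No Ready condition yet means the controller has not reconciled the object
            # (label chosen for this example, not an ESO reason string).
            "reason": ready.get("reason") if ready else "NotReconciled",
            "message": ready.get("message", "") if ready else "",
        })
    return rows


def failed_external_secrets(kubectl_json: str) -> list[str]:
    """namespace/name of every ExternalSecret whose target Secret is not in sync."""
    return [f"{r['namespace']}/{r['name']}"
            for r in summarize_external_secrets(kubectl_json) if not r["ready"]]


if __name__ == "__main__":
    for row in summarize_external_secrets(SAMPLE_KUBECTL_JSON):
        state = "OK  " if row["ready"] else "FAIL"
        print(f"{state} {row['namespace']}/{row['name']} -> {row['target']}: "
              f"{row['reason']} {row['message']}".rstrip())
```

Pipe the real output into it with `kubectl get externalsecrets -A -o json | python3 check.py` after replacing the constructed sample with `sys.stdin.read()`.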
And to access the secret on your cluster run:

`kubectl get secrets -n openbao`

## 🔗 References

* https://openbao.org/docs/platform/k8s/helm/run/#initialize-and-unseal-openbao
* https://developer.hashicorp.com/vault