OpenBao is a fork of HashiCorp Vault, a centralized solution for managing and securing sensitive data such as authentication credentials, usernames, API tokens, and database credentials. Beyond static secrets, OpenBao supports dynamic secrets, allowing applications to generate ephemeral credentials for enhanced security.
OpenBao's Encrypt as a Service feature makes it simple to implement data encryption across your systems.
OpenBao's Secret Engines include:
- Key-Value Store
- PKI (Public Key Infrastructure) for certificate management
- SSH for managing SSH credentials
- Transit Engine for encrypting data without storing it
- Time-based One-Time Passwords (TOTP) for two-factor authentication
- Kubernetes Secrets for seamless integration with containerized applications
🔨 How to get it to run
The External Secrets Operator needs a Kubernetes secret containing OpenBao's initial token in order to access its secrets. You can create it with:

```shell
kubectl create secret generic vault-token --from-literal=token=<root_token_from_getpassword.sh> -n openbao
```

To perform any action in OpenBao you first need to authenticate with the following command:

```shell
kubectl exec -ti openbao-0 -n openbao -- vault login <root_token_from_getpassword.sh>
```

For demonstration purposes, you can enable a Key-Value secrets engine at the path data with:

```shell
kubectl exec -ti openbao-0 -n openbao -- vault secrets enable -path=data kv
```

And to add your first secret, just run:

```shell
kubectl exec -ti openbao-0 -n openbao -- vault kv put data/postgres POSTGRES_USER=admin POSTGRES_PASSWORD=123456
```
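To close the loop, here is an added example (not part of this repository) of the External Secrets Operator manifests that consume the vault-token secret and the data/postgres entry created above and sync them into a regular Kubernetes secret. It assumes the OpenBao service is reachable in-cluster as openbao.openbao.svc:8200 and that the kv engine is version 1 (the default when enabled without -version=2); adjust both if your setup differs.

```yaml
# SecretStore: tells ESO how to reach OpenBao and how to authenticate.
# The token comes from the vault-token secret created with kubectl above.
# For anything beyond a demo, mint a token bound to a policy that only grants
# read on data/* instead of handing ESO the root token.
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: openbao
  namespace: openbao
spec:
  provider:
    vault:
      server: "http://openbao.openbao.svc:8200"   # assumed in-cluster service address
      path: "data"                               # mount enabled with -path=data
      version: "v1"                              # kv v1, as enabled above
      auth:
        tokenSecretRef:
          name: "vault-token"
          key: "token"
---
# ExternalSecret: pulls the two keys written with `vault kv put data/postgres ...`
# and materializes them as the Kubernetes secret postgres-credentials.
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: postgres
  namespace: openbao
spec:
  refreshInterval: 1h          # how often ESO re-reads OpenBao
  secretStoreRef:
    kind: SecretStore
    name: openbao
  target:
    name: postgres-credentials # resulting Kubernetes secret
    creationPolicy: Owner
  data:
    - secretKey: POSTGRES_USER
      remoteRef:
        key: postgres          # relative to the "data" mount, i.e. data/postgres
        property: POSTGRES_USER
    - secretKey: POSTGRES_PASSWORD
      remoteRef:
        key: postgres
        property: POSTGRES_PASSWORD
```

After applying both manifests, `kubectl get externalsecret postgres -n openbao` should report SecretSynced, and `kubectl get secret postgres-credentials -n openbao` should contain both keys.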