35 lines
1.8 KiB
Markdown
35 lines
1.8 KiB
Markdown
[OpenBao](https://openbao.org/) is a fork of [HashiCorp Vault](https://developer.hashicorp.com/vault) which is a centralized solution for managing and securing sensitive data like authentication credentials, usernames, API tokens, and database credentials.
|
|
Beyond static secrets, OpenBao supports dynamic secrets, allowing applications to generate ephemeral credentials for enhanced security.
|
|
|
|
OpenBao's _Encrypt as a Service_ feature makes it simple to implement data encryption across your systems.
|
|
|
|
OpenBao's Secret Engines include:
|
|
1. **Key-Value Store**
|
|
2. **PKI** (Public Key Infrastructure) for certificate management
|
|
3. **SSH** for managing SSH credentials
|
|
4. **Transit Engine** for encrypting data without storing it
|
|
5. **Time-based One-Time Passwords** (TOTP) for two-factor authentication
|
|
6. **Kubernetes Secrets** for seamless integration with containerized applications
|
|
|
|
## 🔨 How to get it to run
|
|
The External Secrets Operator needs a kubernetes secret containing the **OpenBao's initial token** to access its secrets. You can create it with:
|
|
|
|
`kubectl create secret generic vault-token --from-literal=token=<root_token_from_getpassword.sh> -n openbao`
|
|
|
|
To perform any actions in OpenBao you need to authenticate using the following command:
|
|
|
|
`kubectl exec -ti openbao-0 -n openbao -- vault login <root_token_from_getpassword.sh>`
|
|
|
|
For demontrational purposes you can enable a **Key-Value secret engine** on the path **/data** with:
|
|
|
|
`kubectl exec -ti openbao-0 -n openbao -- vault secrets enable -path=data kv`
|
|
|
|
And to add your first secret just run:
|
|
|
|
`kubectl exec -ti openbao-0 -n openbao -- vault kv put data/postgres POSTGRES_USER=admin POSTGRES_PASSWORD=123456`
|
|
|
|
## 🔗 References
|
|
|
|
* https://openbao.org/docs/platform/k8s/helm/run/#initialize-and-unseal-openbao
|
|
* https://developer.hashicorp.com/vault
|
|
|