OpenBao is a fork of HashiCorp Vault: a centralized service for managing and protecting sensitive data such as authentication credentials, usernames, API tokens and database credentials, basically a digital safe for your secrets. Beyond static secrets, OpenBao supports dynamic secrets, letting applications request short-lived credentials that are created on demand and expire on their own, which limits the damage a leaked credential can do.
OpenBao's Encryption as a Service feature (the Transit engine) lets applications encrypt and decrypt data through the API without ever handling the key themselves.
OpenBao's secrets engines include:
- Key-Value store for static secrets
- PKI (Public Key Infrastructure) for issuing and managing certificates
- SSH for managing SSH credentials (signed certificates and one-time passwords)
- Transit engine for encrypting data without storing it
- Time-based One-Time Passwords (TOTP) for generating and validating two-factor codes
- Kubernetes for generating short-lived Kubernetes service account tokens for containerized applications
🔨 How to get it to run
The External Secrets Operator (ESO) needs a Kubernetes Secret holding a token it can use to read from OpenBao. For this walkthrough that is the initial root token; in anything beyond a demo, give ESO a token bound to a policy that only grants read on the paths it needs, because anyone who can read this Kubernetes Secret can do whatever the token can. Create it with:

```sh
kubectl create secret generic vault-token --from-literal=token=<root_token_from_getpassword.sh> -n openbao
```

To perform any action in OpenBao from the CLI you first have to log in:

```sh
kubectl exec -ti openbao-0 -n openbao -- vault login <root_token_from_getpassword.sh>
```

For demonstration purposes, enable a Key-Value secrets engine at the path data. Without a -version flag this mounts KV version 1, so the SecretStore's Vault provider must also be set to version v1 (ESO defaults to v2), otherwise the lookups below fail:

```sh
kubectl exec -ti openbao-0 -n openbao -- vault secrets enable -path=data kv
```

Add your first secret (the values are placeholders for the demo; note that anything passed on the command line like this ends up in your shell history):

```sh
kubectl exec -ti openbao-0 -n openbao -- vault kv put data/postgres POSTGRES_USER=admin POSTGRES_PASSWORD=123456
```
To fetch it as a Kubernetes Secret, create a file external-secret.yaml with the following contents and apply it to the cluster with kubectl apply -f external-secret.yaml:

```yaml
# external-secret.yaml
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: external-secret
  namespace: openbao
spec:
  refreshInterval: "15s" # How often the ExternalSecret controller re-reads the secret from OpenBao.
  secretStoreRef: # References the SecretStore named bao-backend, defined in its own manifest (not shown here), which tells ESO how to reach and authenticate to OpenBao.
    name: bao-backend
    kind: SecretStore
  target: # The Kubernetes Secret that the ExternalSecret creates and keeps in sync.
    name: postgres-secret
    creationPolicy: Owner # The ExternalSecret owns the Secret: deleting the ExternalSecret deletes the Secret too.
  data: # Each entry maps one property of an OpenBao secret to one key of the Kubernetes Secret.
    - secretKey: POSTGRES_USER # Key inside the created Kubernetes Secret (not the Secret's name, which is set under target).
      remoteRef: # Where the value lives in OpenBao.
        key: data/postgres # Path of the KV secret: mount "data", secret "postgres".
        property: POSTGRES_USER # Field of that KV secret to copy.
    - secretKey: POSTGRES_PASSWORD
      remoteRef:
        key: data/postgres
        property: POSTGRES_PASSWORD
```
After that, run kubectl get externalsecrets -A
and check that the ExternalSecret shows STATUS SecretSynced and READY True; anything else means ESO could not reach OpenBao, the token lacked permission, or the key/property you referenced does not exist, and the object's conditions and events say which. The synced Secret is then visible with kubectl get secrets -n openbao. Its values are stored base64-encoded, not encrypted, so anyone who can read Secrets in that namespace can read them.
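To sanity-check the mapping before (or without) a cluster, here is an added example, written for this page and not part of OpenBao or the External Secrets Operator. It takes the JSON that vault kv get -format=json returns (for a KV v1 mount and, because the shape differs, a KV v2 mount), applies the ExternalSecret above to it, and produces the base64 data map the synced Kubernetes Secret should contain. The sample KV output and the parsed ExternalSecret are constructed inline, and the function names are this example's own, not ESO's API.

```python
import base64
import json

# Constructed sample of `vault kv get -format=json data/postgres` on a KV v1 mount
# (only the envelope fields this example needs are included).
KV_V1_OUTPUT = json.dumps({
    "data": {"POSTGRES_USER": "admin", "POSTGRES_PASSWORD": "123456"},
})

# The same secret read from a KV v2 mount: the values sit one level deeper,
# under data.data, next to a data.metadata object.
KV_V2_OUTPUT = json.dumps({
    "data": {
        "data": {"POSTGRES_USER": "admin", "POSTGRES_PASSWORD": "123456"},
        "metadata": {"version": 1},
    },
})

# The ExternalSecret from this page, as the parsed YAML would look.
EXTERNAL_SECRET = {
    "apiVersion": "external-secrets.io/v1beta1",
    "kind": "ExternalSecret",
    "metadata": {"name": "external-secret", "namespace": "openbao"},
    "spec": {
        "refreshInterval": "15s",
        "secretStoreRef": {"name": "bao-backend", "kind": "SecretStore"},
        "target": {"name": "postgres-secret", "creationPolicy": "Owner"},
        "data": [
            {"secretKey": "POSTGRES_USER",
             "remoteRef": {"key": "data/postgres", "property": "POSTGRES_USER"}},
            {"secretKey": "POSTGRES_PASSWORD",
             "remoteRef": {"key": "data/postgres", "property": "POSTGRES_PASSWORD"}},
        ],
    },
}


def kv_values(kv_get_json: str) -> dict:
    """Extract the key/value pairs from `vault kv get -format=json` output.

    KV v1 puts them directly under .data; KV v2 nests them under .data.data
    beside .data.metadata. Confusing the two (engine version vs. SecretStore
    version) is a common reason an ExternalSecret never becomes Ready.
    """
    data = json.loads(kv_get_json)["data"]
    if isinstance(data.get("data"), dict) and isinstance(data.get("metadata"), dict):
        return data["data"]
    return data


def expected_secret_data(external_secret: dict, kv_store: dict) -> dict:
    """Compute the .data map of the Kubernetes Secret ESO should create.

    kv_store maps a KV path (what remoteRef.key holds) to that path's values.
    Only the remoteRef.property form used on this page is handled; mistakes
    that would leave the ExternalSecret non-Ready raise ValueError instead.
    """
    result = {}
    for entry in external_secret["spec"]["data"]:
        secret_key = entry["secretKey"]
        if secret_key in result:
            raise ValueError(f"duplicate secretKey {secret_key!r}")
        ref = entry["remoteRef"]
        path, prop = ref["key"], ref.get("property")
        if path not in kv_store:
            raise ValueError(f"no KV secret at {path!r}")
        if prop is None:
            raise ValueError(f"remoteRef for {secret_key!r} has no property; only property refs are handled here")
        if prop not in kv_store[path]:
            raise ValueError(f"property {prop!r} does not exist at {path!r}")
        # Secret .data values are base64 of the raw bytes: encoding, not encryption.
        result[secret_key] = base64.b64encode(kv_store[path][prop].encode()).decode()
    return result


def decode_secret_data(secret_data: dict) -> dict:
    """Decode a Secret's .data map, as shown by `kubectl get secret ... -o json`."""
    return {k: base64.b64decode(v).decode() for k, v in secret_data.items()}


if __name__ == "__main__":
    store = {"data/postgres": kv_values(KV_V1_OUTPUT)}
    assert kv_values(KV_V2_OUTPUT) == store["data/postgres"]  # same values, different envelope
    synced = expected_secret_data(EXTERNAL_SECRET, store)
    print(json.dumps(synced, indent=2))   # what .data of postgres-secret should contain
    print(decode_secret_data(synced))     # the plaintext values again
```

Compare the printed map with the .data of postgres-secret from kubectl get secret -o json: a wrong remoteRef key or property raises here with a readable message rather than surfacing as a Ready False condition in the cluster.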