# OpenBao

[OpenBao](https://openbao.org/) is an open-source fork of [HashiCorp Vault](https://developer.hashicorp.com/vault), a centralized system for managing and securing sensitive data such as authentication credentials, usernames, API tokens, and database credentials.

Beyond static secrets, OpenBao supports dynamic secrets: applications request short-lived credentials that are generated on demand and expire automatically, so a leaked credential is only useful for a limited time.

OpenBao's _Encryption as a Service_ feature (the Transit engine) lets applications encrypt and decrypt data through the API without ever handling the keys themselves.

---

## Main features

OpenBao's secret engines include:
- **Key-Value Store** for static secrets (the engine used in the walkthrough below)
- **PKI** (Public Key Infrastructure) for issuing and managing certificates
- **SSH** for managing SSH credentials
- **Transit Engine** for encrypting and decrypting data without storing it
- **Time-based One-Time Passwords** (TOTP) for two-factor authentication
- **Kubernetes** for issuing Kubernetes service account tokens to containerized applications
## 🔨 How to get it to run

*Hint: OpenBao has to be initialized and unsealed before it can be used. In this setup that happens automatically. Initialization creates the initial **root token**; to read it, run the **./getpassword.sh** script. The root token can do anything in OpenBao, so treat it as a break-glass credential and keep it out of shell history and scripts.*

The External Secrets Operator needs a Kubernetes secret containing **OpenBao's initial token** (see above) to access its secrets. For this demo you can create it from the root token with:

`kubectl create secret generic vault-token --from-literal=token=<root_token_from_getpassword.sh> -n openbao`

For anything beyond a throwaway demo, give the operator a token bound to a read-only policy for the paths it needs rather than the root token.

To perform any actions in OpenBao you first need to authenticate inside the pod with the following command (the commands below invoke the CLI as `vault`; newer OpenBao images ship it as `bao`, so substitute `bao` if `vault` is not found in the pod):

`kubectl exec -ti openbao-0 -n openbao -- vault login <root_token_from_getpassword.sh>`
For demonstration purposes you can enable a **Key-Value secret engine** on the path **data** with:

`kubectl exec -ti openbao-0 -n openbao -- vault secrets enable -path=data kv`

And to add your first secret (demo values only) just run:

`kubectl exec -ti openbao-0 -n openbao -- vault kv put data/postgres POSTGRES_USER=admin POSTGRES_PASSWORD=123456`

Note that values passed on the command line like this land in your shell history; for real credentials, read them from a file or stdin instead.
To fetch it as a Kubernetes secret you'll need to create an **external-secret.yaml** file and apply it to the cluster with `kubectl apply -f external-secret.yaml`. It references a `SecretStore` named `bao-backend` (defined separately) that points the operator at OpenBao and at the `vault-token` secret created above.

```yaml
# external-secret.yaml
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: external-secret
  namespace: openbao
spec:
  refreshInterval: "15s"   # How often the ExternalSecret controller re-reads the secret from OpenBao.
  secretStoreRef:          # References the SecretStore (bao-backend) that holds the OpenBao address and auth token.
    name: bao-backend
    kind: SecretStore
  target:                  # The Kubernetes Secret that the ExternalSecret will create.
    name: postgres-secret
    creationPolicy: Owner
  data:                    # Key-value pairs to copy from the OpenBao secret into the Kubernetes Secret.
    - secretKey: POSTGRES_USER    # Key name in the Kubernetes Secret that is being created.
      remoteRef:                  # Reference to the secret in OpenBao.
        key: data/postgres        # Path to the secret in OpenBao (mount "data", secret "postgres").
        property: POSTGRES_USER   # Field of that secret to retrieve.
    - secretKey: POSTGRES_PASSWORD
      remoteRef:
        key: data/postgres
        property: POSTGRES_PASSWORD
```

After that, run `kubectl get externalsecrets -A` and check that the `STATUS` column shows `SecretSynced`; any other status means the operator could not reach OpenBao or read the path. To see the resulting secret on your cluster run `kubectl get secret postgres-secret -n openbao`. Keep in mind that a Kubernetes Secret is only base64-encoded, so anyone allowed to read Secrets in the `openbao` namespace can read these credentials.
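The steps above hand the External Secrets Operator the root token, which is convenient for a demo but gives the operator unrestricted control of OpenBao. The script below is an added example (not part of this project) showing the least-privilege variant: it registers a policy that can only read `data/postgres`, mints a short-lived token carrying that policy, and stores that token in the same `vault-token` secret, so the `ExternalSecret` manifest stays unchanged. It assumes the layout used above (pod `openbao-0` in namespace `openbao`, a KV engine mounted at `data`, the CLI available as `vault` in the pod) and that you have already run `vault login` inside the pod with the root token; the policy name `eso-read`, the 24h TTL and the `KUBECTL=echo` dry-run switch are this example's own choices.

```shell
#!/bin/sh
# Added example, not the project's own script: give the External Secrets
# Operator a read-only OpenBao token instead of the root token.
# Assumes pod openbao-0 in namespace openbao, a KV engine mounted at "data",
# the CLI reachable as `vault` in the pod, and a prior `vault login` with the
# root token inside that pod (as in the README steps).
set -eu

NS="${NS:-openbao}"
POD="${POD:-openbao-0}"
KUBECTL="${KUBECTL:-kubectl}"   # set KUBECTL=echo to print the commands instead of running them

# Run one CLI command inside the OpenBao pod; -i forwards stdin so a policy can be piped in.
bao_exec() {
  "$KUBECTL" exec -i "$POD" -n "$NS" -- vault "$@"
}

# Least-privilege policy: read access to the single KV path the ExternalSecret uses.
# Anything not listed (sys/, auth/, other mounts and secrets) is denied by default.
eso_policy() {
  cat <<'EOF'
path "data/postgres" {
  capabilities = ["read"]
}
EOF
}

# Register the policy (its "Success!" message goes to stderr so the caller can
# capture the token alone), then mint a token that carries only that policy.
# -field=token prints just the token string.
create_eso_token() {
  eso_policy | bao_exec policy write eso-read - >&2
  bao_exec token create -policy=eso-read -ttl=24h -field=token
}

# Store the scoped token under the same Secret name and key the SecretStore
# already reads, so nothing else in the setup needs to change.
store_eso_token() {
  "$KUBECTL" create secret generic vault-token \
    --from-literal=token="$1" -n "$NS"
}

# Entry point: `sh eso-token.sh run` performs both steps against the cluster.
if [ "${1:-}" = "run" ]; then
  store_eso_token "$(create_eso_token)"
fi
```

The token expires after 24h, so renew it (`vault token renew`) or re-run the script before then; the cleaner long-term option is OpenBao's Kubernetes auth method, with which the operator authenticates using its own service account and no static token has to be stored in a Secret at all. Whichever token you store, it still sits in a plain Kubernetes Secret, which is exactly why its scope should be as narrow as the policy above.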
---

## 🔗 References

* https://openbao.org/docs/platform/k8s/helm/run/#initialize-and-unseal-openbao
* https://developer.hashicorp.com/vault