edp-doc/docs/openbao.md
2024-12-04 11:51:30 +00:00


OpenBao

📋 Outline

🧐 What is it?

OpenBao is a fork of HashiCorp Vault, a centralized solution for managing and securing sensitive data such as authentication credentials, usernames, API tokens, and database credentials. Beyond static secrets, OpenBao supports dynamic secrets, which let applications request short-lived credentials that are generated on demand and expire automatically, so a leaked credential is useful to an attacker for only a limited time.

📦 Main features

OpenBao's Encrypt as a Service feature makes it simple to implement data encryption across your systems.

OpenBao's Secret Engines include:

  1. Key-Value Store
  2. PKI (Public Key Infrastructure) for certificate management
  3. SSH for managing SSH credentials
  4. Transit Engine for encrypting data without storing it
  5. Time-based One-Time Passwords (TOTP) for two-factor authentication
  6. Kubernetes Secrets for seamless integration with containerized applications

⏱️ Quick start guide

To initialise and unseal OpenBao, follow these instructions:

  1. Determine the pods running in your system with:

     kubectl get pods -l app.kubernetes.io/name=openbao

  2. To initialise OpenBao and obtain the unseal keys, run the following against the pod openbao-0 (the command prints the unseal keys and the initial root token only once, so store them securely):

     kubectl exec -ti openbao-0 -- bao operator init

  3. To unseal the pod, run the following command at least three times, each time with a different key:

     kubectl exec -ti openbao-0 -- bao operator unseal <key>

  4. Repeat steps 2 and 3 for the rest of the pods.

  5. You should see STATUS: Running for all pods after running:

     kubectl get pods -l app.kubernetes.io/name=openbao
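The unseal steps above, written out as a re-runnable script. This is an added example and is not part of the EDP documentation or of OpenBao itself. It assumes the label selector from step 1, that the operator has copied the unseal keys printed by `bao operator init` into a local file with one key per line (a convention chosen for this script, not an OpenBao format), and that `bao status -format=json` and `bao operator unseal <key>` are available inside the pods. The `sealed` field of the status JSON is used both to skip pods that are already unsealed and to confirm each pod really unsealed after the quorum of keys was supplied.

```shell
#!/bin/sh
# Added example (not from the EDP docs or OpenBao): unseal every OpenBao pod
# with a quorum of keys and verify the result via `bao status`.
# Assumptions: pods are selected with the label from the quick start guide,
# and the unseal keys from `bao operator init` were saved to a file with one
# key per line (a convention chosen for this script, not an OpenBao format).
set -eu

LABEL="app.kubernetes.io/name=openbao"
THRESHOLD=3   # default key threshold chosen by `bao operator init`

# Print the bare names of the OpenBao pods, one per line.
openbao_pods() {
  kubectl get pods -l "$LABEL" -o name | sed 's#^pod/##'
}

# Succeed if the pod reports "sealed": false. `bao status` exits non-zero
# while the pod is sealed, so its exit code is deliberately ignored here.
pod_is_unsealed() {
  pod="$1"
  out=$(kubectl exec -i "$pod" -- bao status -format=json || true)
  printf '%s\n' "$out" | grep -q '"sealed": *false'
}

# Feed the first THRESHOLD keys from the key file to one pod, then confirm
# that it actually unsealed. Fails if the file holds fewer keys than needed.
unseal_pod() {
  pod="$1"; keyfile="$2"; n=0
  while IFS= read -r key; do
    [ -n "$key" ] || continue          # skip blank lines
    kubectl exec -i "$pod" -- bao operator unseal "$key" >/dev/null
    n=$((n + 1))
    [ "$n" -lt "$THRESHOLD" ] || break # quorum reached, no more keys needed
  done < "$keyfile"
  if [ "$n" -ne "$THRESHOLD" ]; then
    echo "$pod: need $THRESHOLD keys, file provided $n" >&2
    return 1
  fi
  pod_is_unsealed "$pod"
}

# Unseal every pod that is still sealed; already-unsealed pods are left alone,
# so the script is safe to re-run after a partial failure.
unseal_all() {
  keyfile="$1"
  for p in $(openbao_pods); do
    if pod_is_unsealed "$p"; then
      echo "$p: already unsealed"
    elif unseal_pod "$p" "$keyfile"; then
      echo "$p: unsealed"
    else
      echo "$p: still sealed" >&2
      return 1
    fi
  done
}

# Usage: sh unseal-openbao.sh /secure/path/unseal-keys.txt
if [ "${1:-}" ]; then
  unseal_all "$1"
fi
```

Only the first three keys in the file are ever sent, which keeps the remaining shares off the command line; in practice the key file should live on an operator workstation with restrictive permissions and be deleted once the cluster is up, since anyone holding a quorum of shares can unseal the vault.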

⚙️ Configuration

Visit http://openbao.cnoe.localtest.me/ui/ to access the UI. From there you can easily manage and configure OpenBao.

🔗 References