OpenBao is a fork of HashiCorp Vault which is a centralized solution for managing and securing sensitive data like authentication credentials, usernames, API tokens, and database credentials. Beyond static secrets, OpenBao supports dynamic secrets, allowing applications to generate ephemeral credentials for enhanced security.
OpenBao's Encrypt as a Service feature makes it simple to implement data encryption across your systems.
OpenBao's Secret Engines include:
- Key-Value Store
- PKI (Public Key Infrastructure) for certificate management
- SSH for managing SSH credentials
- Transit Engine for encrypting data without storing it
- Time-based One-Time Passwords (TOTP) for two-factor authentication
- Kubernetes Secrets for seamless integration with containerized applications
🔨 How to get it to run
Hint: To be able to use OpenBao it has to be unsealed first. This happens automatically. During unsealing an initial root token is created. To access this token, just run the `./getpassword.sh` script.
The External Secrets Operator needs a Kubernetes secret containing OpenBao's initial token (see above) to access its secrets. You can create it with:

```shell
kubectl create secret generic vault-token --from-literal=token=<root_token_from_getpassword.sh> -n openbao
```
To perform any actions in OpenBao you need to authenticate using the following command:

```shell
kubectl exec -ti openbao-0 -n openbao -- vault login <root_token_from_getpassword.sh>
```
For demonstration purposes you can enable a Key-Value secret engine on the path `data` with:

```shell
kubectl exec -ti openbao-0 -n openbao -- vault secrets enable -path=data kv
```
And to add your first secret just run:

```shell
kubectl exec -ti openbao-0 -n openbao -- vault kv put data/postgres POSTGRES_USER=admin POSTGRES_PASSWORD=123456
```
To fetch it as a Kubernetes secret you'll need to create an external-secret.yaml file and apply it to the cluster with `kubectl apply -f external-secret.yaml`:

```yaml
# external-secret.yaml
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: external-secret
  namespace: openbao
spec:
  refreshInterval: "15s" # Interval at which the ExternalSecret controller refreshes the secret.
  secretStoreRef: # References the SecretStore (bao-backend) defined in the first file.
    name: bao-backend
    kind: SecretStore
  target: # The Kubernetes secret that the ExternalSecret will create.
    name: postgres-secret
    creationPolicy: Owner
  data: # Key-value pairs the ExternalSecret retrieves from the Vault secret store and writes into the Kubernetes secret.
    - secretKey: POSTGRES_USER # Key name inside the Kubernetes secret that is being created.
      remoteRef: # Reference to the secret in the Vault secret store.
        key: data/postgres # Path to the secret in the Vault secret store.
        property: POSTGRES_USER # Name of the property to retrieve from that secret.
    - secretKey: POSTGRES_PASSWORD
      remoteRef:
        key: data/postgres
        property: POSTGRES_PASSWORD
```
After that, run:

```shell
kubectl get externalsecrets -A
```

to check that there are no problems with synchronization. To access the secret on your cluster, run:

```shell
kubectl get secrets -n openbao
```
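The two `kubectl get` calls above leave it to you to eyeball whether the sync worked. The following added example (not part of this repository) automates that check offline: it reads the JSON that `kubectl get ... -o json` would return for the ExternalSecret and for the created `postgres-secret`, confirms the `Ready` condition, and verifies that every `secretKey` declared in `spec.data` actually landed in the Kubernetes secret with a non-empty value. The sample JSON documents are constructed, and the condition type and reason strings (`Ready`, `SecretSynced`) are assumed to match what the External Secrets Operator reports.

```python
import base64
import json

# Constructed sample of `kubectl get externalsecret external-secret -n openbao -o json`
# for a synced resource; the status condition fields are assumed to mirror what ESO reports.
EXTERNAL_SECRET_JSON = json.dumps({
    "spec": {
        "target": {"name": "postgres-secret"},
        "data": [
            {"secretKey": "POSTGRES_USER",
             "remoteRef": {"key": "data/postgres", "property": "POSTGRES_USER"}},
            {"secretKey": "POSTGRES_PASSWORD",
             "remoteRef": {"key": "data/postgres", "property": "POSTGRES_PASSWORD"}},
        ],
    },
    "status": {"conditions": [
        {"type": "Ready", "status": "True", "reason": "SecretSynced"},
    ]},
})

# Constructed sample of `kubectl get secret postgres-secret -n openbao -o json`
# (kubectl prints Secret values base64-encoded).
SECRET_JSON = json.dumps({
    "data": {
        "POSTGRES_USER": base64.b64encode(b"admin").decode(),
        "POSTGRES_PASSWORD": base64.b64encode(b"123456").decode(),
    },
})


def sync_status(external_secret_json):
    """Return (ready, reason) taken from the ExternalSecret's Ready condition."""
    status = json.loads(external_secret_json).get("status", {})
    for cond in status.get("conditions", []):
        if cond.get("type") == "Ready":
            return cond.get("status") == "True", cond.get("reason", "")
    return False, "NoReadyCondition"  # controller has not reconciled it yet


def key_mismatch(external_secret_json, secret_json):
    """Keys declared in spec.data but absent from the Secret, and vice versa."""
    declared = {e["secretKey"] for e in json.loads(external_secret_json)["spec"]["data"]}
    present = set(json.loads(secret_json).get("data", {}))
    return sorted(declared - present), sorted(present - declared)


def check(external_secret_json, secret_json):
    """True only if synced, every declared key is present and no value decodes to empty."""
    ready, _ = sync_status(external_secret_json)
    missing, extra = key_mismatch(external_secret_json, secret_json)
    data = json.loads(secret_json).get("data", {})
    # Values are decoded for the emptiness check but never returned, so the password is not echoed.
    empty = [k for k, v in data.items() if not base64.b64decode(v)]
    return ready and not missing and not extra and not empty
```

For a live cluster, pipe the real `kubectl get ... -o json` output into these functions in place of the constructed samples.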