
OpenBao

danger

The following setup may not be suitable for environments requiring the highest level of security, for example applications storing financial or healthcare data. For those environments you may want to use a third-party key management system, end-to-end encryption, etc. Please evaluate your security requirements carefully.

Details at https://openbao.org/docs/platform/k8s/helm/

Create namespace and unseal key

kubectl apply -f k8s/openbao/openbao-namespace.yaml

Generate an unseal key and create a Kubernetes secret from it.

openssl rand -out openbao-unseal-1.key 32
kubectl create secret generic openbao-unseal-key -n openbao --from-file=openbao-unseal-1.key

Store the base64-encoded unseal key securely in the Pulumi config.

pulumi --cwd $PULUMI_CWD config set --secret openbao:unsealKey1Base64 "$(base64 < openbao-unseal-1.key)"

Remove the local unseal key file.

rm openbao-unseal-1.key
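Once the local file is removed, the Pulumi secret is the only copy of the unseal key, so it is worth confirming the key is the expected 32 bytes and that the base64 value decodes back to the same bytes before deleting it. The following POSIX sh functions are an added example, not part of the OpenBao documentation or the openbao-helm project; they assume coreutils `base64`, `wc` and `cmp`, and the hypothetical function names `encode_unseal_key` and `check_unseal_key` are this example's own.

```shell
#!/bin/sh
# Added example (not from the OpenBao docs): sanity-check the generated unseal
# key before it is base64-encoded into Pulumi and the local file is removed.
# After `rm`, the Pulumi value is the only copy, so a wrong length or a
# mangled encoding would be unrecoverable. Assumes coreutils base64(1),
# wc(1) and cmp(1); the key file path is passed as $1.

# encode_unseal_key FILE
#   Print FILE as a single line of base64 with no embedded newlines.
#   (GNU base64 wraps at 76 columns; a 32-byte key encodes to 44 characters
#   so it never wraps, but tr keeps the value on one line regardless.)
encode_unseal_key() {
    base64 < "$1" | tr -d '\n'
}

# check_unseal_key FILE
#   Return 0 if FILE is exactly 32 bytes and its base64 encoding decodes back
#   to identical bytes; return 1 (with a message on stderr) otherwise.
check_unseal_key() {
    file="$1"
    size=$(wc -c < "$file" | tr -d ' ')
    if [ "$size" -ne 32 ]; then
        echo "unseal key must be 32 bytes, got $size" >&2
        return 1
    fi
    encoded=$(encode_unseal_key "$file")
    # Round-trip: decode the encoded value and compare byte-for-byte.
    if ! printf '%s' "$encoded" | base64 -d | cmp -s - "$file"; then
        echo "base64 round-trip of $file failed" >&2
        return 1
    fi
    return 0
}

# Intended use, mirroring the page's steps (not executed by this file):
#   openssl rand -out openbao-unseal-1.key 32
#   check_unseal_key openbao-unseal-1.key \
#     && pulumi --cwd "$PULUMI_CWD" config set --secret \
#          openbao:unsealKey1Base64 "$(encode_unseal_key openbao-unseal-1.key)" \
#     && rm openbao-unseal-1.key
```

Chaining the check, the `pulumi config set` and the `rm` with `&&` means the file is only deleted after the encoded value has been verified and stored.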

Add the OpenBao Helm repo:

helm repo add openbao https://openbao.github.io/openbao-helm

Install OpenBao in the namespace:

helm upgrade --install openbao openbao/openbao \
--version 0.19.1 \
--namespace openbao \
--values k8s/openbao/override-values.yaml

Initialize OpenBao:

kubectl exec -ti openbao-0 -n openbao -- bao operator init

Store the recovery keys. Replace the example keys between the quotes below with the actual keys printed by the init command.

pulumi --cwd $PULUMI_CWD config set --secret openbao:recoveryKeys "Recovery Key 1: <your-recovery-key-1>
Recovery Key 2: <your-recovery-key-2>
Recovery Key 3: <your-recovery-key-3>
Recovery Key 4: <your-recovery-key-4>
Recovery Key 5: <your-recovery-key-5>"

Store the initial root token. Replace the example token between the quotes below with the actual initial root token printed by the init command.

pulumi --cwd $PULUMI_CWD config set --secret openbao:initialRootToken "<your-initial-root-token>"
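Hand-copying five recovery keys and a root token out of the terminal is error-prone, and a typo is only discovered when a recovery is attempted. The functions below are an added example (not from the OpenBao docs or the project) that capture the `bao operator init` output in a shell variable and extract the two values for the `pulumi config set` calls shown above. The sample output is constructed to match the `Recovery Key N:` / `Initial Root Token:` line format; the function names and the `store_init_output` helper are this example's own, and `PULUMI_CWD` is assumed to be set as on the page.

```shell
#!/bin/sh
# Added example (not from the OpenBao docs): parse `bao operator init` output
# so the recovery keys and initial root token can be stored in Pulumi without
# hand-copying them. Nothing here writes the values to disk.

# extract_recovery_keys
#   Read init output on stdin; print only the "Recovery Key N: <value>" lines.
extract_recovery_keys() {
    grep '^Recovery Key [0-9][0-9]*: '
}

# extract_root_token
#   Read init output on stdin; print the value after "Initial Root Token: ".
extract_root_token() {
    sed -n 's/^Initial Root Token: *//p'
}

# count_recovery_keys
#   Number of recovery key lines found on stdin (used as a sanity check).
count_recovery_keys() {
    extract_recovery_keys | wc -l | tr -d ' '
}

# store_init_output INIT_OUTPUT
#   Validate the captured output (5 keys, non-empty token) and push both
#   secrets into the Pulumi config. Requires pulumi and PULUMI_CWD; not
#   executed in this file.
store_init_output() {
    init_out="$1"
    keys=$(printf '%s\n' "$init_out" | extract_recovery_keys)
    token=$(printf '%s\n' "$init_out" | extract_root_token)
    if [ "$(printf '%s\n' "$init_out" | count_recovery_keys)" -ne 5 ]; then
        echo "expected 5 recovery keys in init output" >&2
        return 1
    fi
    if [ -z "$token" ]; then
        echo "no initial root token found in init output" >&2
        return 1
    fi
    pulumi --cwd "$PULUMI_CWD" config set --secret openbao:recoveryKeys "$keys"
    pulumi --cwd "$PULUMI_CWD" config set --secret openbao:initialRootToken "$token"
}

# Constructed sample in the shape of `bao operator init` output with
# auto-unseal (placeholder values, not real keys or tokens).
SAMPLE_INIT_OUTPUT='Recovery Key 1: CONSTRUCTEDkey1
Recovery Key 2: CONSTRUCTEDkey2
Recovery Key 3: CONSTRUCTEDkey3
Recovery Key 4: CONSTRUCTEDkey4
Recovery Key 5: CONSTRUCTEDkey5

Initial Root Token: s.CONSTRUCTEDroottoken

Recovery key initialized with 5 key shares and a key threshold of 3.'

# Intended use against the cluster (not executed here). Note the absence of
# -t: allocating a TTY while capturing output adds CR characters to every
# line, which would break the parsing above.
#   init_out=$(kubectl exec openbao-0 -n openbao -- bao operator init)
#   store_init_output "$init_out"
#   unset init_out
```

Capturing into a variable and `unset`-ting it afterwards keeps the keys out of shell history and off the filesystem; the count check fails loudly if the output format changes, rather than silently storing an incomplete key set.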

Verify

kubectl exec -ti openbao-0 -n openbao -- bao login # Paste the initial root token at the prompt
kubectl exec -ti openbao-0 -n openbao -- bao operator raft list-peers
kubectl exec -ti openbao-0 -n openbao -- bao operator raft autopilot state

Enable KV secrets engine

kubectl exec -ti openbao-0 -n openbao -- bao secrets enable -version=2 kv

OpenBao UI

Create OpenBao UI ingress:

envsubst '$CLUSTER_DOMAIN' < k8s/openbao/openbao-ingress.yaml | kubectl apply -f -

Run these commands to print the OpenBao UI URL and the initial root token to log in with:

echo "OpenBao UI URL: https://openbao.${CLUSTER_DOMAIN}"
echo "Initial Root Token: $(pulumi --cwd $PULUMI_CWD config get openbao:initialRootToken)"