@kprasad99
Created June 23, 2025 17:09
Openbao Kubernetes Documentation

Installing OpenBao using Helm

Prerequisites

  • Kubernetes cluster (v1.26+)

  • Helm 3.x installed

  • kubectl configured

Add the OpenBao Helm Repository

helm repo add openbao https://openbao.github.io/openbao-helm
helm repo update

Configuration and Installation

Install cert-manager and issue certificates for the agent-injector webhook

Install cert-manager using Helm

  1. Add the Jetstack Helm repository:

    helm repo add jetstack https://charts.jetstack.io
    helm repo update
  2. Install the cert-manager Helm chart. The chart does not install its CRDs unless asked, and the Issuer and Certificate objects below need them (on charts older than v1.15 the flag is --set installCRDs=true):

    helm install cert-manager jetstack/cert-manager \
        --namespace cert-manager \
        --create-namespace \
        --set crds.enabled=true
  3. Verify cert-manager pods are running:

    kubectl get pods --namespace cert-manager

Create a self-signed root Issuer, a CA Certificate signed by it, a CA Issuer backed by that CA, and the serving certificate for the agent-injector webhook. All four objects go in the openbao namespace: the injector Deployment mounts the serving secret from its own namespace, and the webhook annotation set in the next step references the Certificate in the release namespace. The dnsNames must be the injector Service name (<release>-agent-injector-svc, so openbao-agent-injector-svc for a release named openbao) in that namespace, because the API server dials the webhook as <service>.<namespace>.svc.

  1. Create a file named openbao-certs.yaml:

    apiVersion: cert-manager.io/v1
    kind: Issuer
    metadata:
      name: selfsigned
      namespace: openbao
    spec:
      selfSigned: {}
    ---
    apiVersion: cert-manager.io/v1
    kind: Certificate
    metadata:
      name: injector-selfsigned-ca
      namespace: openbao
    spec:
      isCA: true
      commonName: Agent Inject CA
      secretName: injector-ca-secret
      duration: 87660h  # 10 years
      privateKey:
        algorithm: ECDSA
        size: 256
      issuerRef:
        name: selfsigned
        kind: Issuer
        group: cert-manager.io
    ---
    apiVersion: cert-manager.io/v1
    kind: Issuer
    metadata:
      name: injector-ca-issuer
      namespace: openbao
    spec:
      ca:
        secretName: injector-ca-secret
    ---
    apiVersion: cert-manager.io/v1
    kind: Certificate
    metadata:
      name: injector-certificate
      namespace: openbao
    spec:
      secretName: injector-tls
      duration: 24h
      renewBefore: 144m  # roughly 10% of 24h
      dnsNames:
      - openbao-agent-injector-svc
      - openbao-agent-injector-svc.openbao
      - openbao-agent-injector-svc.openbao.svc
      issuerRef:
        name: injector-ca-issuer
        kind: Issuer
      commonName: Agent Inject Cert
  2. Create the namespace and apply all four objects:

    kubectl create namespace openbao
    kubectl apply -f openbao-certs.yaml
  3. Check that both certificates reach Ready before installing the chart:

    kubectl get certificate -n openbao

Point the chart at the certificates with values-override.yaml

  1. Create a file named values-override.yaml:

    injector:
      certs:
        # Serve the webhook from this secret (tls.crt/tls.key) instead of the
        # injector's self-managed certificate
        secretName: injector-tls
      webhook:
        # Given as a string rather than a map so the chart template-expands it and
        # {{ .Release.Namespace }} resolves; cert-manager's cainjector then copies
        # ca.crt from the Certificate's secret into the webhook's caBundle
        annotations: "cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/injector-certificate"

Install the OpenBao Helm Chart

helm install openbao openbao/openbao --namespace openbao --create-namespace -f values-override.yaml

The chart's own values.yaml is applied automatically; pass -f values.yaml and use . as the chart path only when installing from a local checkout of openbao-helm. --create-namespace is harmless if the namespace already exists.

Verify the Installation

kubectl get pods -n openbao
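A pod listing does not prove the webhook's TLS is wired correctly: a serving certificate issued for the wrong namespace, or a caBundle that cert-manager never injected, only surfaces when the first injection fails. The script below is an added check, not part of the gist or of the openbao-helm chart. It assumes the release name openbao, the namespace openbao, the secret names from openbao-certs.yaml, that the chart names the webhook configuration <release>-agent-injector-cfg, and that kubectl, openssl and base64 are on the PATH.

```sh
#!/bin/sh
# Added example (not from the gist): verify the agent-injector webhook TLS wiring.
# Assumptions: release "openbao" in namespace "openbao", secret names as in
# openbao-certs.yaml, webhook config named "<release>-agent-injector-cfg".
set -eu

NS="${NS:-openbao}"
RELEASE="${RELEASE:-openbao}"

# The three DNS forms a webhook certificate must carry for Service $1 in
# namespace $2; the API server dials the FQDN "<svc>.<ns>.svc".
expected_sans() {
  printf '%s\n%s.%s\n%s.%s.svc\n' "$1" "$1" "$2" "$1" "$2"
}

# $1: the subjectAltName line printed by openssl, e.g.
#     "DNS:foo-svc, DNS:foo-svc.openbao, DNS:foo-svc.openbao.svc"
# $2: service name, $3: namespace.
# Succeeds only if every expected name is present as a whole entry.
sans_cover_service() {
  wrapped=", $1, "   # every entry is now delimited by ", " on both sides
  rc=0
  for name in $(expected_sans "$2" "$3"); do
    case "$wrapped" in
      *" DNS:$name,"*) ;;
      *) echo "missing SAN: $name" >&2; rc=1 ;;
    esac
  done
  return $rc
}

# SHA-256 fingerprint of a base64-encoded (secret field / caBundle) PEM certificate.
fingerprint() {
  printf '%s' "$1" | base64 -d | openssl x509 -noout -fingerprint -sha256
}

check_injector_tls() {
  svc="${RELEASE}-agent-injector-svc"
  webhook="${RELEASE}-agent-injector-cfg"

  # 1. The serving certificate's SANs match the Service the API server dials.
  san_line=$(kubectl -n "$NS" get secret injector-tls -o jsonpath='{.data.tls\.crt}' \
    | base64 -d | openssl x509 -noout -ext subjectAltName | tail -n 1 | sed 's/^ *//')
  sans_cover_service "$san_line" "$svc" "$NS"

  # 2. The caBundle cert-manager injected into the webhook is the CA that
  #    signed the serving certificate (ca.crt in the CA issuer's secret).
  secret_ca=$(kubectl -n "$NS" get secret injector-ca-secret -o jsonpath='{.data.ca\.crt}')
  webhook_ca=$(kubectl get mutatingwebhookconfiguration "$webhook" \
    -o jsonpath='{.webhooks[0].clientConfig.caBundle}')
  [ -n "$webhook_ca" ] || { echo "caBundle is empty: cert-manager did not inject it" >&2; return 1; }
  [ "$(fingerprint "$secret_ca")" = "$(fingerprint "$webhook_ca")" ] \
    || { echo "caBundle on $webhook does not match injector-ca-secret" >&2; return 1; }

  echo "injector TLS OK: $svc.$NS.svc is served with a certificate signed by the injected CA"
}

# Run the live checks only when asked, so the helpers can also be sourced.
if [ "${1:-}" = "check" ]; then
  check_injector_tls
fi
```

Run it as `sh check-injector-tls.sh check`. The SAN check is the one that catches a Certificate whose dnsNames still name the default namespace while the release lives in openbao; the fingerprint check catches a missing or stale inject-ca-from annotation.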

Initialize and unseal openbao

  1. Initialize OpenBao. By default this produces 5 unseal key shares with a threshold of 3 (adjustable with -key-shares and -key-threshold); the keys and the root token are printed once, so copy them and store them securely before continuing.

    kubectl exec -ti openbao-0 -n openbao -- bao operator init
  2. Unseal by running the command three times, each time with a different unseal key in place of <unseal-key>. Each call reports Unseal Progress (1/3, 2/3) until Sealed flips to false.

    kubectl exec -ti openbao-0 -n openbao -- bao operator unseal <unseal-key>
  3. Check the pods: openbao-0 shows READY 0/1 while sealed and 1/1 once unsealed.

    kubectl get po -n openbao
  4. Confirm the seal status (status is a top-level command; there is no bao operator status):

    kubectl exec -ti openbao-0 -n openbao -- bao status
  5. If the output shows Sealed false, OpenBao is ready to use.
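The three unseal calls above are easy to get wrong by hand (reusing a key, stopping after two). The script below is an added example, not code from the gist or from OpenBao. It initialises with -format=json, keeps the output in a mode-600 file because it contains the root token, parses the threshold and exactly that many keys out of the JSON, submits them, and lets bao status decide whether the pod is unsealed. It assumes the pod openbao-0 in namespace openbao and kubectl on the PATH; SAMPLE_INIT is a constructed stand-in for real init output, with placeholder keys, used only to exercise the parsers.

```sh
#!/bin/sh
# Added example (not from the gist or OpenBao): initialise and unseal to threshold.
set -eu

# Constructed sample of `bao operator init -format=json` output with placeholder
# keys; real output carries 5 base64 Shamir shares and a real root token.
SAMPLE_INIT='{
  "unseal_keys_b64": [
    "AAAA",
    "BBBB",
    "CCCC",
    "DDDD",
    "EEEE"
  ],
  "unseal_keys_hex": [],
  "unseal_shares": 5,
  "unseal_threshold": 3,
  "recovery_keys_b64": [],
  "recovery_keys_hex": [],
  "recovery_keys_shares": 0,
  "recovery_keys_threshold": 0,
  "root_token": "s.constructedexampletoken"
}'

# Print the first $2 base64 unseal keys from init JSON $1, one per line.
# Stops at the closing bracket so the hex copies are never picked up.
unseal_keys_from_init() {
  printf '%s\n' "$1" | awk -v want="$2" '
    /"unseal_keys_b64"/ { inlist = 1; next }
    inlist && /\]/      { exit }
    inlist && want > 0  { gsub(/[", \t]/, ""); if ($0 != "") { print; want-- } }
  '
}

unseal_threshold_from_init() {
  printf '%s\n' "$1" | sed -n 's/.*"unseal_threshold": *\([0-9][0-9]*\).*/\1/p'
}

root_token_from_init() {
  printf '%s\n' "$1" | sed -n 's/.*"root_token": *"\([^"]*\)".*/\1/p'
}

# $1 pod, $2 namespace, $3 file that receives the init JSON (root token inside).
init_and_unseal() {
  pod="$1"; ns="$2"; out="$3"
  ( umask 077; kubectl -n "$ns" exec "$pod" -- bao operator init -format=json > "$out" )
  init=$(cat "$out")
  threshold=$(unseal_threshold_from_init "$init")
  echo "initialised; submitting $threshold of the unseal keys from $out"
  unseal_keys_from_init "$init" "$threshold" | while IFS= read -r key; do
    kubectl -n "$ns" exec "$pod" -- bao operator unseal "$key" </dev/null >/dev/null
  done
  # `bao status` exits 0 when unsealed and 2 when still sealed, so under
  # `set -e` an incomplete unseal stops the script right here.
  kubectl -n "$ns" exec "$pod" -- bao status
  echo "root token and keys are in $out; move them to a secret store and delete the file"
}

if [ "${1:-}" = "run" ]; then
  init_and_unseal "${2:-openbao-0}" "${3:-openbao}" "${4:-openbao-init.json}"
fi
```

Run it as `sh init-unseal.sh run openbao-0 openbao openbao-init.json`. The parsers are deliberately jq-free so the script works from a minimal bastion image; the JSON field names are the ones init -format=json emits.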

Validate the installation

The commands below run as the root token for brevity. Because the token is passed through sh -c, it is visible in the pod's process list while each command runs and in your shell history; beyond a first smoke test, log in with a less privileged token and revoke the root token afterwards (bao token revoke <root-token>). OpenBao's native environment variable is BAO_TOKEN; VAULT_TOKEN is honoured for compatibility.

  1. Enable a KV secrets engine at secrets/, replacing <root-token> with the token from the init output. Without -version=2 this is KV version 1, so the data/ segment in the paths below is a literal path component rather than the KV v2 API prefix; the put, the policy and the injector annotation all use the same literal path, which is what makes them line up.

    kubectl exec -ti openbao-0 -n openbao -- sh -c "export VAULT_TOKEN=<root-token>; bao secrets enable -path=secrets/ kv"
  2. Write a sample secret to that path.

    kubectl exec -ti openbao-0 -n openbao -- sh -c "export VAULT_TOKEN=<root-token>; bao kv put secrets/data/kube-bao/database \
        username=user1 password=password"
  3. Create a policy that grants read on that one path and nothing else.

    kubectl exec -ti openbao-0 -n openbao -- sh -c 'export VAULT_TOKEN=<root-token>; bao policy write bao-example-policy - <<EOH
    path "secrets/data/kube-bao/database" {
      capabilities = ["read"]
    }
    EOH'
  4. Enable the Kubernetes auth method.

    kubectl exec -ti openbao-0 -n openbao -- sh -c 'export VAULT_TOKEN=<root-token>; bao auth enable kubernetes'
  5. Configure it for in-cluster authentication. The server pod's own service-account token becomes the TokenReview credential, so that service account needs the system:auth-delegator ClusterRole; the chart binds it by default (server.authDelegator.enabled).

    kubectl exec -ti openbao-0 -n openbao -- sh -c 'export VAULT_TOKEN=<root-token>; bao write auth/kubernetes/config \
        token_reviewer_jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" \
        kubernetes_host="https://$KUBERNETES_PORT_443_TCP_ADDR:443" \
        kubernetes_ca_cert=@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt'
  6. Create a role that binds the policy to the example workload's service account. helm create names the service account after the release, so a release called openbao-example in the default namespace gets the service account openbao-example.

    kubectl exec -ti openbao-0 -n openbao -- sh -c 'export VAULT_TOKEN=<root-token>; bao write auth/kubernetes/role/bao-exampl-role \
            bound_service_account_names=openbao-example \
            bound_service_account_namespaces=default \
            policies=bao-example-policy \
            ttl=72h'
  7. Create a chart for the example workload.

    helm create openbao-example
  8. Create values-override.yaml with the injector annotations. The injector the chart ships is HashiCorp's vault-k8s, which is why the annotation prefix is vault.hashicorp.com and the rendered files land under /vault/secrets.

    podAnnotations:
      vault.hashicorp.com/agent-inject: "true"
      vault.hashicorp.com/agent-inject-secret-database: "secrets/data/kube-bao/database"
      vault.hashicorp.com/agent-inject-file-database: "database.json"
      vault.hashicorp.com/role: 'bao-exampl-role'
      # Without this the default template renders one "key: value" line per field
      vault.hashicorp.com/agent-inject-default-template: "json"
  9. Install the chart into the default namespace, the namespace the role is bound to.

    helm install openbao-example . -f values.yaml -f values-override.yaml
  10. Verify that the secret was rendered into the application container.

    kubectl exec -it <pod-name> -- cat /vault/secrets/database.json
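Reading /vault/secrets/database.json shows that injection works, but not that the role is as narrow as the policy intends. The script below is an added example, not code from the gist, OpenBao or vault-k8s. It performs the same login the injected agent performs (POST the pod's service-account JWT to auth/kubernetes/login) and then probes the resulting token: a read of the bound path must succeed, while a write to it, a read of a sibling path and a list of the parent must be refused with HTTP 403. It assumes it runs inside a pod in the default namespace under the openbao-example service account (for example via kubectl exec into the example pod, which needs curl), that the server Service is reachable as http://openbao.openbao.svc:8200 (plain HTTP is the chart's behaviour when TLS is not configured; both the name and the scheme are assumptions), the role name used above, and that the X-Vault-Token header is accepted. RESPONSE_SAMPLE is a constructed login reply used only to exercise the parser.

```sh
#!/bin/sh
# Added example (not from the gist): log in through the Kubernetes auth method
# the way the injected agent does, then check the role is read-only on its path.
set -u

BAO_ADDR="${BAO_ADDR:-http://openbao.openbao.svc:8200}"   # assumption: chart service, TLS disabled
ROLE="${ROLE:-bao-exampl-role}"
SECRET_PATH="${SECRET_PATH:-secrets/data/kube-bao/database}"
SA_TOKEN_FILE=/var/run/secrets/kubernetes.io/serviceaccount/token

# Constructed login reply, shaped like the real one, used only by the parser test.
RESPONSE_SAMPLE='{"request_id":"00000000-0000-0000-0000-000000000000","auth":{"client_token":"hvs.constructedtoken","accessor":"acc","policies":["bao-example-policy","default"],"lease_duration":259200,"renewable":true}}'

# Body for POST /v1/auth/kubernetes/login. A JWT is base64url plus dots, so it
# needs no JSON escaping.
login_body() { printf '{"role":"%s","jwt":"%s"}' "$1" "$2"; }

# Extract auth.client_token from a login reply without jq.
client_token() { printf '%s' "$1" | sed -n 's/.*"client_token": *"\([^"]*\)".*/\1/p'; }

# Compare an observed HTTP status with the expected one; prints a verdict line.
expect_status() {  # $1 label, $2 got, $3 want
  if [ "$2" = "$3" ]; then echo "ok:   $1 -> $2"; return 0; fi
  echo "FAIL: $1 -> $2 (want $3)" >&2; return 1
}

# HTTP status of an API call: $1 method, $2 path under /v1, $3 token, $4 optional body.
api_status() {
  if [ -n "${4:-}" ]; then
    curl -sS -o /dev/null -w '%{http_code}' -X "$1" -H "X-Vault-Token: $3" -d "$4" "$BAO_ADDR/v1/$2"
  else
    curl -sS -o /dev/null -w '%{http_code}' -X "$1" -H "X-Vault-Token: $3" "$BAO_ADDR/v1/$2"
  fi
}

probe_role() {
  jwt=$(cat "$SA_TOKEN_FILE")
  reply=$(curl -sS -X POST -d "$(login_body "$ROLE" "$jwt")" "$BAO_ADDR/v1/auth/kubernetes/login")
  token=$(client_token "$reply")
  [ -n "$token" ] || { echo "login failed: $reply" >&2; return 1; }

  failed=0
  expect_status "read bound path"   "$(api_status GET  "$SECRET_PATH" "$token")" 200 || failed=1
  expect_status "write bound path"  "$(api_status POST "$SECRET_PATH" "$token" '{"password":"changed"}')" 403 || failed=1
  expect_status "read sibling path" "$(api_status GET  "${SECRET_PATH%/*}/other" "$token")" 403 || failed=1
  expect_status "list parent path"  "$(api_status LIST "${SECRET_PATH%/*}" "$token")" 403 || failed=1
  return $failed
}

if [ "${1:-}" = "probe" ]; then
  probe_role
fi
```

Run it as `sh probe-role.sh probe` from inside the example pod. A 403 on the three negative probes confirms the policy is enforced as written; a 404 on the sibling read would mean the path was authorised and merely empty, which is the condition the test is meant to catch.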