The OpenBao Operator manages the lifecycle of OpenBao clusters on Kubernetes using a Supervisor Pattern. It handles the orchestration complexity—PKI, backups, upgrades, and secure multi-tenancy—so you can focus on consuming secrets.

Full documentation is available at dc-tec.github.io/openbao-operator .

• Zero Trust Architecture: Dedicated strict RBAC for the Provisioner (cluster-scoped) vs Controller (namespace-scoped).
• Automated PKI: Built-in Certificate Authority that handles rotation and hot reloads for all TLS traffic.
• Raft Streaming: Native backups that stream Raft snapshots directly to S3/GCS/Azure without local disk staging.
• Safe Upgrades: Automated Rolling and Blue/Green upgrade strategies with Raft health checks.
• Multi-Tenancy: Securely share a cluster with namespace isolation and policy enforcement.

Install the operator from our OCI registry.

# 1. Create namespace
kubectl create namespace openbao-operator-system
# 2. Install Chart
helm install openbao-operator oci://ghcr.io/dc-tec/charts/openbao-operator \
 --version 0.1.0 \
 --namespace openbao-operator-system

Apply the latest release manifest directly.

kubectl apply -f https://github.com/dc-tec/openbao-operator/releases/latest/download/install.yaml

Once the operator is running, you can launch a production-ready OpenBao cluster in seconds.

# cluster.yaml
apiVersion: openbao.org/v1alpha1
kind: OpenBaoCluster
metadata:
 name: my-cluster
 namespace: my-namespace
spec:
 version: "2.4.4"
 image: "openbao/openbao:2.4.4"
 replicas: 3
 profile: Development 
 tls:
 enabled: true
 mode: OperatorManaged
 storage:
 size: "10Gi"

kubectl apply -f cluster.yaml

Note: For production, verify prerequisites in the Production Checklist.

We welcome contributions! Please see the Contributing Guide for details on:

• Setting up your development environment.
• Running tests (make test-ci).
• Our AI-Assisted Contribution Policy.

Apache-2.0. See LICENSE.