The project serves to take the first steps with OpenBao. Let's see where it leads... 🥳
- openbao-playground
ℹ️ If you don't want to install anything locally, you can also use the devcontainer environment, which only requires a container runtime such as podman/docker.
To work with this project, you need to install some dependencies:
- [k3d](https://k3d.io)
- [Helm](https://helm.sh)
- [k9s](https://github.com/derailed/k9s)
- [yq](https://github.com/mikefarah/yq)
Start a local Kubernetes runtime as a sandbox:
```bash
make local
```

To clean up and delete the Kubernetes cluster and all its resources, run:

```bash
make cleanup
```
Install OpenBao in the Kubernetes cluster (ℹ️ The current k8s context is used!):

```bash
# Install openbao in kubernetes cluster
make install

# Get unseal key
kubectl logs -n openbao openbao-0 | grep "Unseal Key:" | cut -d' ' -f3

# Get root token
kubectl logs -n openbao openbao-0 | grep "Root Token:" | cut -d' ' -f3

# Unseal openbao
kubectl exec -n openbao -ti openbao-0 -- bao operator unseal

# Access OpenBao API, print seal and HA status
export VAULT_TOKEN=<ROOT_TOKEN>
./bao status

# Access OpenBao UI
open https://openbao-172.19.0.1.nip.io:8443/ui
```
Install OpenBao in HA mode in the Kubernetes cluster (ℹ️ The current k8s context is used!):

```bash
# Install openbao in kubernetes cluster (HA mode)
make install-ha

# Initialize and unseal openbao
kubectl exec -n openbao -ti openbao-0 -- bao operator init
kubectl exec -n openbao -ti openbao-0 -- bao operator unseal

# Join the remaining pods to the raft cluster and unseal them
kubectl exec -n openbao -ti openbao-1 -- bao operator raft join http://openbao-0.openbao-internal:8200
kubectl exec -n openbao -ti openbao-1 -- bao operator unseal
kubectl exec -n openbao -ti openbao-2 -- bao operator raft join http://openbao-0.openbao-internal:8200
kubectl exec -n openbao -ti openbao-2 -- bao operator unseal

# Login using root token
kubectl exec -n openbao -ti openbao-0 -- bao login

# List all the raft peers
kubectl exec -n openbao -ti openbao-0 -- bao operator raft list-peers

# Access OpenBao API, print seal and HA status
export VAULT_TOKEN=<ROOT_TOKEN>
./bao status

# Access OpenBao UI
open https://openbao-172.19.0.1.nip.io:8443/ui
```

### 🧽 Update OpenBao Installation

```bash
cd charts/openbao

# Set new openbao-helm version
vi Chart.yaml

# Get the values from the new version and
# compare them to see if any adjustments need to be made.
# `git diff`
./overrideValues.sh
```

```bash
# Install Keycloak in kubernetes cluster
make keycloak

# Access Keycloak UI (Username: admin, Password: admin)
open http://keycloak-172.20.0.1.nip.io:7080/
```
An OpenTofu provider is available for OpenBao, which can be used to customize and configure an instance.
An OpenTofu configuration is available in the `config` directory, which can be used to apply some sample configurations.

```bash
cd config

# Set VAULT_TOKEN for opentofu provider
export VAULT_TOKEN=root

./tofu init
./tofu apply
```
The `bao` script can be used to play around a little with the API:

```bash
$ ./bao --help
Usage: bao <command> [args]

Common commands:
...

$ ./bao status
Key             Value
---             -----
Seal Type       shamir
Initialized     true
Sealed          false
Total Shares    1
Threshold       1
Version         2.0.2
Build Date      2024年10月05日T19:26:46Z
Storage Type    inmem
Cluster Name    vault-cluster-ed6f4ab3
Cluster ID      af9dde27-0153-c53e-272b-610ec1869058
HA Enabled      false
```
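The status output above shows sandbox settings: in-memory storage, a single unseal share, and no HA. As an added example (not part of the playground repository), this POSIX shell check reads a `bao status` table and flags those settings before anyone stores real secrets in the instance; the function names and finding labels are hypothetical, and the sample input is abridged from the output shown above.

```sh
#!/bin/sh
# Added example: flag sandbox-only settings in the table printed by `./bao status`.

# Constructed sample input, abridged from the status table on this page.
sample_status() {
cat <<'EOF'
Key             Value
---             -----
Seal Type       shamir
Initialized     true
Sealed          false
Total Shares    1
Threshold       1
Version         2.0.2
Storage Type    inmem
HA Enabled      false
EOF
}

# Print the value of one key from the table on stdin. Keys contain spaces,
# so match the key as a line prefix that is followed by whitespace
# (this keeps "Seal" from matching "Sealed").
status_value() {
  awk -v key="$1" 'index($0, key) == 1 {
    rest = substr($0, length(key) + 1)
    if (rest !~ /^[ \t]/) next
    gsub(/^[ \t]+|[ \t]+$/, "", rest); print rest; exit
  }'
}

# Read a status table on stdin, print one finding per line,
# and return 1 if anything was flagged (finding labels are hypothetical).
audit_bao_status() {
  st=$(cat); rc=0
  val() { printf '%s\n' "$st" | status_value "$1"; }
  [ "$(val 'Sealed')" = "false" ] || { echo "sealed: sealed or status unreadable"; rc=1; }
  [ "$(val 'Storage Type')" != "inmem" ] || { echo "storage-inmem: secrets vanish on pod restart"; rc=1; }
  [ "$(val 'Threshold')" != "1" ] || { echo "threshold-1: one key share unseals the instance"; rc=1; }
  [ "$(val 'HA Enabled')" = "true" ] || { echo "no-ha: single node, no standby"; rc=1; }
  return $rc
}

# Run against the constructed sample; swap in `./bao status | audit_bao_status`.
sample_status | audit_bao_status || true
```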
- Project Direction & Roadmap
- Run OpenBao on Kubernetes
- OpenBao OIDC Provider