General OpenBao description
Intended audience
sysadm staff members
What is OpenBao?
OpenBao is an open-source secret management system that provides secure storage, dynamic secrets, and encryption-as-a-service capabilities. It is a community-driven fork of HashiCorp Vault, offering API-compatible features such as:
High availability – leader/follower replication and integrated storage.
Identity-based access – policies driven by tokens, AppRoles, or external auth methods (LDAP, OIDC, Kubernetes, etc.).
Secure secret storage – encrypted at rest with configurable backends.
Encryption as a service – transit endpoint for on-the-fly data encryption.
The project aims to provide a fully open-source alternative that can be deployed in on-premises or cloud environments, supporting both containerised and traditional service architectures.
It has been chosen to store our current infrastructure secrets.
Installation#
One OpenBao instance has been deployed in the Kubernetes admin cluster of the swh infrastructure through the swh-charts repository.
It has been configured for high availability (1 master, 2 replicas).
Keycloak
OpenBao delegates authentication through OIDC to our Keycloak instance. Currently, only Keycloak users holding the openbao/admin-openbao client role can manage secrets.
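Added example (not part of this page or of the OpenBao project) showing how the Keycloak client role above maps onto an OpenBao OIDC auth role: Keycloak places client roles in the token under resource_access.<client>.roles, and the Vault-compatible OIDC auth method can bind a role to that claim through a JSON-pointer bound_claims entry. The role payload (policy name, redirect URI, claim choices), the small resolver that mimics the bound-claims check, and the token claims are all constructed assumptions, not the deployment's real values.

```python
import json

# Keycloak client role required by the page: client "openbao", role "admin-openbao".
KEYCLOAK_CLIENT = "openbao"
REQUIRED_ROLE = "admin-openbao"

# Assumed payload for `bao write auth/oidc/role/admin ...`.
# Parameter names follow the Vault-compatible OIDC auth method; the policy name,
# redirect URI and claim choices are placeholders, not the real deployment's values.
OIDC_ROLE = {
    "role_type": "oidc",
    "user_claim": "preferred_username",
    # JSON pointer into the token: Keycloak puts client roles under resource_access.<client>.roles
    "bound_claims": {f"/resource_access/{KEYCLOAK_CLIENT}/roles": REQUIRED_ROLE},
    "bound_claims_type": "string",
    "token_policies": ["admin"],  # placeholder policy name
    "allowed_redirect_uris": ["https://openbao.example.invalid/ui/vault/auth/oidc/oidc/callback"],
}


def resolve_pointer(claims: dict, pointer: str):
    """Resolve an RFC 6901 JSON pointer such as "/a/b" against decoded token claims; None if absent."""
    node = claims
    for part in pointer.lstrip("/").split("/"):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def bound_claims_satisfied(claims: dict, role: dict = OIDC_ROLE) -> bool:
    """Mimic the bound_claims check: every bound claim must match, and a list-valued
    token claim matches when any of its elements equals an expected value."""
    for pointer, expected in role["bound_claims"].items():
        value = resolve_pointer(claims, pointer)
        values = value if isinstance(value, list) else [value]
        expected_list = expected if isinstance(expected, list) else [expected]
        if not any(v in expected_list for v in values):
            return False
    return True


# Constructed ID-token claims modelled on Keycloak's layout (not real tokens).
ADMIN_TOKEN = {"preferred_username": "alice",
               "resource_access": {"openbao": {"roles": ["admin-openbao"]}}}
PLAIN_TOKEN = {"preferred_username": "bob",
               "resource_access": {"account": {"roles": ["view-profile"]}}}

if __name__ == "__main__":
    print(json.dumps(OIDC_ROLE, indent=2))
    print("alice admitted:", bound_claims_satisfied(ADMIN_TOKEN))  # True
    print("bob admitted:", bound_claims_satisfied(PLAIN_TOKEN))    # False
```

A user whose token carries the role under a different client (or none at all) is refused at login, before any policy is consulted.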