🥟 openbao-playground

The project serves to take the first steps with OpenBao. Let's see where it leads... 🥳

📖 Table of Contents

• 🥟 openbao-playground
  • 📖 Table of Contents
  • 📌 Requirements
  • 🌱 How to use
    • 🛸 Install OpenBao in Dev Mode
    • 🚀 Install OpenBao in HA Mode
    • 🧽 Update OpenBao Installation
    • 🔧 Configure OpenBao Instance with OpenTofu
  • 🎮 Play around with the API
  • 🔗 Further Links

📌 Requirements

ℹ️ If you don't want to install anything locally, you can also use the devcontainer environment, which only requires a container runtime such as podman/docker.

To work with this project, you need to install some dependencies:

• [https://k3d.io]
• [https://helm.sh]
• [https://github.com/derailed/k9s]
• [https://github.com/mikefarah/yq]

🌱 How to use

Start a local Kubernetes runtime as a sandbox:

make local

To clean up and delete the Kubernetes cluster and all its resources, run:

make cleanup

🛸 Install OpenBao in Dev Mode

Install OpenBao in the Kubernetes cluster (ℹ️ The current k8s context is used!):

• [https://openbao.org/docs/concepts/dev-server/]

# Install openbao in kubernetes cluster (HA mode)
make install

# Get unseal key
kubectl logs -n openbao openbao-0 | grep "Unseal Key:" | cut -d' ' -f3
# Get root token
kubectl logs -n openbao openbao-0 | grep "Root Token:" | cut -d' ' -f3

# Unseal openbao
kubectl exec -n openbao -ti openbao-0 -- bao operator unseal

# Access OpenBao API, print seal and HA status
export VAULT_TOKEN=<ROOT_TOKEN>
./bao status

# Access OpenBao UI
open http://openbao-127.0.0.1.nip.io:8080/ui/

🚀 Install OpenBao in HA Mode

Install OpenBao in the Kubernetes cluster (ℹ️ The current k8s context is used!):

• [https://openbao.org/docs/concepts/ha/]

# Install openbao in kubernetes cluster (HA mode)
make install-ha

# Initialize and unseal openbao
kubectl exec -n openbao -ti openbao-0 -- bao operator init
kubectl exec -n openbao -ti openbao-0 -- bao operator unseal

# Join the remaining pods to the raft cluster and unseal them
kubectl exec -n openbao -ti openbao-1 -- bao operator raft join http://openbao-0.openbao-internal:8200
kubectl exec -n openbao -ti openbao-1 -- bao operator unseal

kubectl exec -n openbao -ti openbao-2 -- bao operator raft join http://openbao-0.openbao-internal:8200
kubectl exec -n openbao -ti openbao-2 -- bao operator unseal

# Login using root token
kubectl exec -n openbao -ti openbao-0 -- bao login

# List all the raft peers
kubectl exec -n openbao -ti openbao-0 -- bao operator raft list-peers

# Access OpenBao API, print seal and HA status
export VAULT_TOKEN=<ROOT_TOKEN>
./bao status

# Access OpenBao UI
open http://openbao-127.0.0.1.nip.io:8080/ui/

🧽 Update OpenBao Installation

cd charts/openbao

# Set new openbao-helm version
vi Chart.yaml

# Get the values from the new version and
# compare them to see if any adjustments need to be made.
# `git diff`
./overrideValues.sh

🔧 Configure OpenBao Instance with OpenTofu

An OpenTofu provider is available for OpenBao, which can be used to customise and configure an instance.

An OpenTofu configuration is available in the directory config, which can be used to apply some sample configurations.

cd config

# Set VAULT_TOKEN for opentofu provider
export VAULT_TOKEN=root

./tofu init

./tofu apply

🎮 Play around with the API

Script bao can be used to play around a little with the API:

$ ./bao --help
Usage: bao <command> [args]

Common commands:
...

$ ./bao status
Key             Value
---             -----
Seal Type       shamir
Initialized     true
Sealed          false
Total Shares    1
Threshold       1
Version         2.0.2
Build Date      2024-10-05T19:26:46Z
Storage Type    inmem
Cluster Name    vault-cluster-ed6f4ab3
Cluster ID      af9dde27-0153-c53e-272b-610ec1869058
HA Enabled      false

🔗 Further Links

• Project Direction & Roadmap
  • [https://openbao.org/blog/roadmap/]
  • [openbao/openbao#569]
• Run OpenBao on Kubernetes
  • [https://openbao.org/docs/platform/k8s/helm/run/]