{"id":42226287,"url":"https://github.com/dc-tec/openbao-operator","last_synced_at":"2026-03-02T00:08:20.161Z","repository":{"id":332200390,"uuid":"1127385211","full_name":"dc-tec/openbao-operator","owner":"dc-tec","description":"The OpenBao Operator manages the lifecycle of OpenBao clusters on Kubernetes. It handles the orchestration complexity, PKI, backups, upgrades, and secure multi-tenancy, so you can focus on consuming secrets.","archived":false,"fork":false,"pushed_at":"2026-02-27T04:13:37.000Z","size":7311,"stargazers_count":3,"open_issues_count":3,"forks_count":1,"subscribers_count":1,"default_branch":"main","last_synced_at":"2026-02-27T04:57:12.527Z","etag":null,"topics":["kubernetes","kubernetes-operator","openbao","secret-management"],"latest_commit_sha":null,"homepage":"https://dc-tec.github.io/openbao-operator/","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/dc-tec.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":".github/CODEOWNERS","security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-01-03T19:19:17.000Z","updated_at":"2026-02-27T00:33:53.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/dc-tec/openbao-operator","commit_stats":null,"previous_names":["dc-tec/openbao-operator"],"tags_count":2,"template":false,"template_full_name":null,"purl":"pkg:github/dc-tec/openbao-operator","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dc-tec%2Fopenbao-operator
","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dc-tec%2Fopenbao-operator/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dc-tec%2Fopenbao-operator/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dc-tec%2Fopenbao-operator/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/dc-tec","download_url":"https://codeload.github.com/dc-tec/openbao-operator/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dc-tec%2Fopenbao-operator/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29987656,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-03-01T22:42:38.399Z","status":"ssl_error","status_checked_at":"2026-03-01T22:41:51.863Z","response_time":124,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["kubernetes","kubernetes-operator","openbao","secret-management"],"created_at":"2026-01-27T02:35:39.927Z","updated_at":"2026-03-02T00:08:20.129Z","avatar_url":"https://github.com/dc-tec.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"\u003cdiv align=\"center\"\u003e\n\n# OpenBao Operator\n\n**Enterprise-grade management for OpenBao on 
Kubernetes.**\n\n[![CI](https://github.com/dc-tec/openbao-operator/actions/workflows/ci.yml/badge.svg)](https://github.com/dc-tec/openbao-operator/actions/workflows/ci.yml)\n[![Go Version](https://img.shields.io/badge/Go-1.25.5-00ADD8?logo=go\u0026logoColor=white)](https://go.dev/)\n[![License](https://img.shields.io/badge/License-Apache_2.0-blue.svg)](LICENSE)\n[![Docs](https://img.shields.io/badge/Docs-Live-green)](https://dc-tec.github.io/openbao-operator/)\n\n[Quick Start](#quick-start) • [Installation](#installation) • [Compatibility](#compatibility) • [Documentation](#documentation) • [Contributing](#contributing)\n\n\u003c/div\u003e\n\n\u003e [!WARNING]\n\u003e **Pre-1.0 Status**: This operator is actively seeking feedback and may introduce breaking changes to APIs and defaults before `1.0.0`. Validate thoroughly before production use.\n\n---\n\nThe OpenBao Operator manages the lifecycle of [OpenBao](https://openbao.org) clusters on Kubernetes using a **Supervisor Pattern**. It handles the orchestration complexity—PKI, backups, upgrades, and secure multi-tenancy—so you can focus on consuming secrets.\n\n## Documentation\n\nFull documentation is available at **[dc-tec.github.io/openbao-operator](https://dc-tec.github.io/openbao-operator/)**.\n\n| | |\n| :---: | :---: |\n| [![User Guide](https://img.shields.io/badge/User_Guide-007EC6?style=for-the-badge\u0026logo=readthedocs\u0026logoColor=white)](https://dc-tec.github.io/openbao-operator/latest/user-guide/) | [![Architecture](https://img.shields.io/badge/Architecture-326CE5?style=for-the-badge\u0026logo=kubernetes\u0026logoColor=white)](https://dc-tec.github.io/openbao-operator/latest/architecture/) |\n| **Installation, Operations, Day-2 Tasks** | **Component Design, Boundaries, Flows** |\n| [![Security](https://img.shields.io/badge/Security-000000?style=for-the-badge\u0026logo=imou\u0026logoColor=white)](https://dc-tec.github.io/openbao-operator/latest/security/) | 
[![Contributing](https://img.shields.io/badge/Contributing-181717?style=for-the-badge\u0026logo=github\u0026logoColor=white)](https://dc-tec.github.io/openbao-operator/latest/contributing/) |\n| **Threat Model, Hardening, RBAC** | **Dev Setup, Coding Standards, Release** |\n| [![Compatibility](https://img.shields.io/badge/Compatibility-10b981?style=for-the-badge\u0026logo=kubernetes\u0026logoColor=white)](https://dc-tec.github.io/openbao-operator/latest/reference/compatibility/) | [![Samples](https://img.shields.io/badge/Samples-9333ea?style=for-the-badge\u0026logo=yaml\u0026logoColor=white)](config/samples/) |\n| **Supported K8s/OpenBao Versions** | **Ready-to-apply Example Manifests** |\n\n## Compatibility\n\nFor full details, see the [Compatibility Matrix](https://dc-tec.github.io/openbao-operator/latest/reference/compatibility/).\n\n- **Kubernetes**: `v1.33+` (tested: `v1.33`–`v1.35`)\n- **OpenBao**: \u003e= `2.4.x`\n\n## CRDs (API Surface)\n\n- `OpenBaoCluster`: Deploy and operate an OpenBao cluster (TLS, unseal, backups, upgrades).\n- `OpenBaoRestore`: Restore a cluster from a backup (separate controller).\n- `OpenBaoTenant`: Multi-tenant provisioning flow (multi-tenant mode).\n\n## Features\n\n- **Two-Controller Architecture**: Separate controller and provisioner components with least-privilege RBAC boundaries.\n- **Security Profiles with Guardrails**: `Development` vs `Hardened`, enforced by admission policies to prevent insecure combinations.\n- **Self-Init + OIDC Bootstrap**: OpenBao self-initialization, with optional JWT/OIDC bootstrap via `spec.selfInit.oidc.enabled`.\n- **TLS, Your Way**: Operator-managed TLS with rotation, external TLS, and ACME mode where OpenBao owns certificates (with ACME challenge Service support).\n- **Streaming Raft Backups**: Snapshot streaming to S3/GCS/Azure with retention controls (no local staging).\n- **Declarative Restores**: Restore workflows via `OpenBaoRestore` with operation locking and safe overrides.\n- **Safe 
Upgrades**: Rolling and blue/green upgrade strategies, including pre-upgrade snapshots.\n- **Multi-Tenancy**: Namespace-scoped tenancy model with policy enforcement via `OpenBaoTenant`.\n\n## Security Model\n\n- **Threat model**: Design assumptions and attacker model ([Threat Model](https://dc-tec.github.io/openbao-operator/latest/security/fundamentals/threat-model/))\n- **RBAC boundaries**: Least-privilege split between controller and provisioner ([RBAC](https://dc-tec.github.io/openbao-operator/latest/security/infrastructure/rbac/))\n- **Guardrails**: Validating admission policies that block dangerous settings before they reach the cluster ([Admission Policies](https://dc-tec.github.io/openbao-operator/latest/security/infrastructure/admission-policies/))\n- **Multi-tenancy**: Namespace isolation guarantees and limits ([Tenant Isolation](https://dc-tec.github.io/openbao-operator/latest/security/multi-tenancy/tenant-isolation/))\n\n## Quick Start\n\nOnce the operator is running, you can launch an OpenBao cluster quickly.\n\n### Option A: Evaluation (Development Profile)\n\n```yaml\n# cluster.yaml\napiVersion: openbao.org/v1alpha1\nkind: OpenBaoCluster\nmetadata:\n  name: my-cluster\n  namespace: openbao-demo\nspec:\n  version: \"2.4.4\"\n  replicas: 1\n  profile: Development\n  tls:\n    enabled: true\n    mode: OperatorManaged\n  storage:\n    size: \"10Gi\"\n```\n\n```bash\nkubectl create namespace openbao-demo\nkubectl apply -f cluster.yaml\n\n# Watch status and pods\nkubectl -n openbao-demo get openbaoclusters my-cluster -w\nkubectl -n openbao-demo get pods -l openbao.org/cluster=my-cluster -w\n```\n\nIf `spec.selfInit.enabled` is `false` (default), the operator stores a root token in `Secret/openbao-demo/my-cluster-root-token` (key: `token`).\n\n```bash\nkubectl -n openbao-demo get secret my-cluster-root-token -o jsonpath='{.data.token}' | base64 -d; echo\n```\n\n### Option B: Production (Hardened Profile)\n\nThe `Hardened` profile is the recommended 
production posture and enforces:\n- External/ACME TLS (`spec.tls.mode`)\n- External unseal (`spec.unseal.type`)\n- Self-init enabled (`spec.selfInit.enabled: true`)\n\nStart with:\n- [Security Profiles](https://dc-tec.github.io/openbao-operator/latest/user-guide/openbaocluster/configuration/security-profiles/)\n- [Production Checklist](https://dc-tec.github.io/openbao-operator/latest/user-guide/openbaocluster/operations/production-checklist/)\n- Production samples in `config/samples/production/`\n\n## Installation\n\n### Option 1: Helm (Recommended)\n\nInstall the operator from our OCI registry.\n\n```bash\n# 1. Create namespace\nkubectl create namespace openbao-operator-system\n\n# 2. Install/upgrade chart\nhelm upgrade --install openbao-operator oci://ghcr.io/dc-tec/charts/openbao-operator \\\n  --version \u003cchart-version\u003e \\\n  --namespace openbao-operator-system\n```\n\n### Option 2: Plain YAML\n\nApply the latest release manifest directly.\n\n```bash\nkubectl apply -f https://github.com/dc-tec/openbao-operator/releases/latest/download/install.yaml\n```\n\n## Uninstall\n\n### Helm\n\n```bash\nhelm uninstall openbao-operator --namespace openbao-operator-system\n```\n\n### Plain YAML\n\n```bash\nkubectl delete -f https://github.com/dc-tec/openbao-operator/releases/latest/download/install.yaml\n```\n\n\u003e [!NOTE]\n\u003e The operator installation includes CRDs. If you want to remove CRDs as well, delete the `openbao.org/*` CRDs after uninstalling (this will delete all custom resources).\n\n## Contributing\n\nWe welcome contributions! Please see the [Contributing Guide](https://dc-tec.github.io/openbao-operator/latest/contributing/) for details on:\n\n- Setting up your development environment.\n- Running tests (`make test-ci`).\n- Our AI-Assisted Contribution Policy.\n\n## License\n\nApache-2.0. 
See `LICENSE`.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdc-tec%2Fopenbao-operator","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdc-tec%2Fopenbao-operator","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdc-tec%2Fopenbao-operator/lists"}
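The README above lists what the `Hardened` profile enforces (external/ACME TLS, external unseal, self-init enabled) and notes that with `spec.selfInit.enabled: false` the operator writes a root token to `Secret/<namespace>/<name>-root-token`. The following is an added example, not code from the openbao-operator project: a client-side pre-apply check that encodes those README rules against the JSON form of an `OpenBaoCluster` (what `kubectl get openbaocluster <name> -o json` returns), so a misconfigured production manifest is caught before it reaches the operator's admission policies. The only `spec.tls.mode` value taken from the page is `OperatorManaged`; the mode string `External` and the unseal type value used in the "good" sample are placeholders assumed for illustration, since the README does not list the exact enum values.

```python
"""Pre-apply guardrail check for OpenBaoCluster manifests.

Added example, not part of the openbao-operator project. It encodes the
Hardened-profile requirements stated in the README as a client-side check
run on `kubectl get openbaocluster <name> -o json` output. Enum values
other than `OperatorManaged` (the one mode the README shows) are assumed.
"""
import json
import sys
from typing import List, Optional

# The only spec.tls.mode value the README shows; Hardened requires External/ACME instead.
OPERATOR_MANAGED_TLS = "OperatorManaged"


def _get(d, *path, default=None):
    """Walk nested dicts along `path`; return `default` when any key is missing."""
    for key in path:
        if not isinstance(d, dict) or key not in d:
            return default
        d = d[key]
    return d


def hardened_violations(manifest: dict) -> List[str]:
    """Return the Hardened-profile requirements this manifest fails.

    Empty list: every check encoded here passes. Manifests whose profile is
    not `Hardened` return [] (the profile choice itself is not a violation).
    """
    spec = manifest.get("spec", {})
    if spec.get("profile") != "Hardened":
        return []
    problems = []
    if not _get(spec, "tls", "enabled", default=False):
        problems.append("spec.tls.enabled must be true")
    elif _get(spec, "tls", "mode") in (None, OPERATOR_MANAGED_TLS):
        problems.append("spec.tls.mode must be an external or ACME mode, not OperatorManaged")
    # The README names no concrete unseal types; require that one is configured at all.
    if not _get(spec, "unseal", "type"):
        problems.append("spec.unseal.type must name an external unseal mechanism")
    if _get(spec, "selfInit", "enabled") is not True:
        problems.append("spec.selfInit.enabled must be true")
    return problems


def root_token_secret(manifest: dict) -> Optional[str]:
    """Name of the root-token Secret the operator will create, or None.

    Per the README, with spec.selfInit.enabled false (the default) the operator
    writes a root token to Secret/<namespace>/<name>-root-token. Anyone who can
    read that Secret has full control of the OpenBao cluster.
    """
    if _get(manifest, "spec", "selfInit", "enabled") is True:
        return None
    ns = _get(manifest, "metadata", "namespace", default="default")
    name = _get(manifest, "metadata", "name")
    return f"{ns}/{name}-root-token"


def check(manifest: dict) -> List[str]:
    """Combine both checks into human-readable findings (empty list = clean)."""
    findings = [f"VIOLATION: {p}" for p in hardened_violations(manifest)]
    secret = root_token_secret(manifest)
    if secret:
        findings.append(
            f"WARNING: root token will be stored in Secret {secret}; "
            "restrict Secret read access in that namespace"
        )
    return findings


# Constructed sample inputs. DEV mirrors the README's evaluation manifest as
# JSON; HARDENED_BAD is a made-up production attempt that keeps the defaults;
# HARDENED_OK uses placeholder values (assumed, not from the README) that pass.
DEV = {
    "apiVersion": "openbao.org/v1alpha1",
    "kind": "OpenBaoCluster",
    "metadata": {"name": "my-cluster", "namespace": "openbao-demo"},
    "spec": {
        "version": "2.4.4",
        "replicas": 1,
        "profile": "Development",
        "tls": {"enabled": True, "mode": "OperatorManaged"},
        "storage": {"size": "10Gi"},
    },
}
HARDENED_BAD = {
    "metadata": {"name": "prod", "namespace": "openbao-prod"},
    "spec": {"profile": "Hardened", "tls": {"enabled": True, "mode": "OperatorManaged"}},
}
HARDENED_OK = {
    "metadata": {"name": "prod", "namespace": "openbao-prod"},
    "spec": {
        "profile": "Hardened",
        "tls": {"enabled": True, "mode": "External"},           # assumed mode name
        "unseal": {"type": "external-unseal-placeholder"},      # placeholder value
        "selfInit": {"enabled": True},
    },
}

if __name__ == "__main__":
    # Usage: kubectl -n <ns> get openbaocluster <name> -o json | python guardrail.py
    manifest = HARDENED_BAD if sys.stdin.isatty() else json.load(sys.stdin)
    for line in check(manifest) or ["OK: no findings"]:
        print(line)
    sys.exit(1 if hardened_violations(manifest) else 0)
```

The exit status is non-zero only for Hardened-profile violations; the root-token warning is informational because the README documents that behaviour as the Development default, but it is the finding to act on first in any shared namespace, since the Secret is a cluster-takeover credential.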