https://github.com/dc-tec/openbao-operator
The OpenBao Operator manages the lifecycle of OpenBao clusters on Kubernetes. It handles the orchestration complexity, PKI, backups, upgrades, and secure multi-tenancy, so you can focus on consuming secrets.
https://github.com/dc-tec/openbao-operator
kubernetes kubernetes-operator openbao secret-management
Last synced: 4 months ago
JSON representation
The OpenBao Operator manages the lifecycle of OpenBao clusters on Kubernetes. It handles the orchestration complexity, PKI, backups, upgrades, and secure multi-tenancy, so you can focus on consuming secrets.
- Host: GitHub
- URL: https://github.com/dc-tec/openbao-operator
- Owner: dc-tec
- License: apache-2.0
- Created: 2026-01-03T19:19:17.000Z (6 months ago)
- Default Branch: main
- Last Pushed: 2026-02-27T04:13:37.000Z (4 months ago)
- Last Synced: 2026-02-27T04:57:12.527Z (4 months ago)
- Topics: kubernetes, kubernetes-operator, openbao, secret-management
- Language: Go
- Homepage: https://dc-tec.github.io/openbao-operator/
- Size: 6.97 MB
- Stars: 3
- Watchers: 1
- Forks: 1
- Open Issues: 3
-
Metadata Files:
- Readme: README.md
- Changelog: CHANGELOG.md
- Contributing: CONTRIBUTING.md
- License: LICENSE
- Codeowners: .github/CODEOWNERS
- Security: SECURITY.md
Awesome Lists containing this project
README
# OpenBao Operator
**Enterprise-grade management for OpenBao on Kubernetes.**
[](https://github.com/dc-tec/openbao-operator/actions/workflows/ci.yml)
[](https://go.dev/)
[](LICENSE)
[](https://dc-tec.github.io/openbao-operator/)
[Quick Start](#quick-start) • [Installation](#installation) • [Compatibility](#compatibility) • [Documentation](#documentation) • [Contributing](#contributing)
> [!WARNING]
> **Pre-1.0 Status**: This operator is actively seeking feedback and may introduce breaking changes to APIs and defaults before `1.0.0`. Validate thoroughly before production use.
---
The OpenBao Operator manages the lifecycle of [OpenBao](https://openbao.org) clusters on Kubernetes using a **Supervisor Pattern**. It handles the orchestration complexity—PKI, backups, upgrades, and secure multi-tenancy—so you can focus on consuming secrets.
## Documentation
Full documentation is available at **[dc-tec.github.io/openbao-operator](https://dc-tec.github.io/openbao-operator/)**.
| | |
| :---: | :---: |
| [](https://dc-tec.github.io/openbao-operator/latest/user-guide/) | [](https://dc-tec.github.io/openbao-operator/latest/architecture/) |
| **Installation, Operations, Day-2 Tasks** | **Component Design, Boundaries, Flows** |
| [](https://dc-tec.github.io/openbao-operator/latest/security/) | [](https://dc-tec.github.io/openbao-operator/latest/contributing/) |
| **Threat Model, Hardening, RBAC** | **Dev Setup, Coding Standards, Release** |
| [](https://dc-tec.github.io/openbao-operator/latest/reference/compatibility/) | [](config/samples/) |
| **Supported K8s/OpenBao Versions** | **Ready-to-apply Example Manifests** |
## Compatibility
For full details, see the [Compatibility Matrix](https://dc-tec.github.io/openbao-operator/latest/reference/compatibility/).
- **Kubernetes**: `v1.33+` (tested: `v1.33`–`v1.35`)
- **OpenBao**: >= `2.4.x`
## CRDs (API Surface)
- `OpenBaoCluster`: Deploy and operate an OpenBao cluster (TLS, unseal, backups, upgrades).
- `OpenBaoRestore`: Restore a cluster from a backup (separate controller).
- `OpenBaoTenant`: Multi-tenant provisioning flow (multi-tenant mode).
## Features
- **Two-Controller Architecture**: Separate controller and provisioner components with least-privilege RBAC boundaries.
- **Security Profiles with Guardrails**: `Development` vs `Hardened`, enforced by admission policies to prevent insecure combinations.
- **Self-Init + OIDC Bootstrap**: OpenBao self-initialization, with optional JWT/OIDC bootstrap via `spec.selfInit.oidc.enabled`.
- **TLS, Your Way**: Operator-managed TLS with rotation, external TLS, and ACME mode where OpenBao owns certificates (with ACME challenge Service support).
- **Streaming Raft Backups**: Snapshot streaming to S3/GCS/Azure with retention controls (no local staging).
- **Declarative Restores**: Restore workflows via `OpenBaoRestore` with operation locking and safe overrides.
- **Safe Upgrades**: Rolling and blue/green upgrade strategies, including pre-upgrade snapshots.
- **Multi-Tenancy**: Namespace-scoped tenancy model with policy enforcement via `OpenBaoTenant`.
## Security Model
- **Threat model**: Design assumptions and attacker model ([Threat Model](https://dc-tec.github.io/openbao-operator/latest/security/fundamentals/threat-model/))
- **RBAC boundaries**: Least-privilege split between controller and provisioner ([RBAC](https://dc-tec.github.io/openbao-operator/latest/security/infrastructure/rbac/))
- **Guardrails**: Validating admission policies that block dangerous settings before they reach the cluster ([Admission Policies](https://dc-tec.github.io/openbao-operator/latest/security/infrastructure/admission-policies/))
- **Multi-tenancy**: Namespace isolation guarantees and limits ([Tenant Isolation](https://dc-tec.github.io/openbao-operator/latest/security/multi-tenancy/tenant-isolation/))
## Quick Start
Once the operator is running, you can launch an OpenBao cluster quickly.
### Option A: Evaluation (Development Profile)
```yaml
# cluster.yaml
apiVersion: openbao.org/v1alpha1
kind: OpenBaoCluster
metadata:
name: my-cluster
namespace: openbao-demo
spec:
version: "2.4.4"
replicas: 1
profile: Development
tls:
enabled: true
mode: OperatorManaged
storage:
size: "10Gi"
```
```bash
kubectl create namespace openbao-demo
kubectl apply -f cluster.yaml
# Watch status and pods
kubectl -n openbao-demo get openbaoclusters my-cluster -w
kubectl -n openbao-demo get pods -l openbao.org/cluster=my-cluster -w
```
If `spec.selfInit.enabled` is `false` (default), the operator stores a root token in `Secret/openbao-demo/my-cluster-root-token` (key: `token`).
```bash
kubectl -n openbao-demo get secret my-cluster-root-token -o jsonpath='{.data.token}' | base64 -d; echo
```
### Option B: Production (Hardened Profile)
The `Hardened` profile is the recommended production posture and enforces:
- External/ACME TLS (`spec.tls.mode`)
- External unseal (`spec.unseal.type`)
- Self-init enabled (`spec.selfInit.enabled: true`)
Start with:
- [Security Profiles](https://dc-tec.github.io/openbao-operator/latest/user-guide/openbaocluster/configuration/security-profiles/)
- [Production Checklist](https://dc-tec.github.io/openbao-operator/latest/user-guide/openbaocluster/operations/production-checklist/)
- Production samples in `config/samples/production/`
## Installation
### Option 1: Helm (Recommended)
Install the operator from our OCI registry.
```bash
# 1. Create namespace
kubectl create namespace openbao-operator-system
# 2. Install/upgrade chart
helm upgrade --install openbao-operator oci://ghcr.io/dc-tec/charts/openbao-operator \
--version \
--namespace openbao-operator-system
```
### Option 2: Plain YAML
Apply the latest release manifest directly.
```bash
kubectl apply -f https://github.com/dc-tec/openbao-operator/releases/latest/download/install.yaml
```
## Uninstall
### Helm
```bash
helm uninstall openbao-operator --namespace openbao-operator-system
```
### Plain YAML
```bash
kubectl delete -f https://github.com/dc-tec/openbao-operator/releases/latest/download/install.yaml
```
> [!NOTE]
> The operator installation includes CRDs. If you want to remove CRDs as well, delete the `openbao.org/*` CRDs after uninstalling (this will delete all custom resources).
## Contributing
We welcome contributions! Please see the [Contributing Guide](https://dc-tec.github.io/openbao-operator/latest/contributing/) for details on:
- Setting up your development environment.
- Running tests (`make test-ci`).
- Our AI-Assisted Contribution Policy.
## License
Apache-2.0. See `LICENSE`.