**OpenBao** is a fully open source secrets management platform — a community-maintained fork of HashiCorp Vault, created after Vault's license changed to the Business Source License (BSL) in 2023. It provides dynamic secrets, encryption as a service, PKI, and a secrets engine for virtually every database and cloud provider.

---

### First Principle: Secrets should be dynamic, short-lived, and never stored in plaintext — not in config files, not in Git, not in environment variables.

Static, long-lived credentials are a security liability. OpenBao generates short-lived, per-request credentials for databases, cloud APIs, and services — so a leaked credential expires quickly and carries no long-term privilege. Every credential issuance is logged, enabling full audit trails.

---

### Key Considerations

- **Dynamic Secrets**: For supported backends (PostgreSQL, MySQL, AWS, [[OpenStack]], PKI), OpenBao generates credentials on demand — a new database username/password per service request, automatically revoked after a TTL.
- **PKI Secrets Engine**: A full certificate authority. Services request TLS certificates from OpenBao's PKI engine; OpenBao issues short-lived certs automatically. This is the backend for [[cert-manager]] in air-gapped environments.
- **Kubernetes Auth Method**: Pods authenticate to OpenBao using their Kubernetes Service Account token — no static secrets needed. OpenBao verifies the JWT with the Kubernetes API.
- **Transit Encryption**: OpenBao's transit engine provides encryption-as-a-service — applications send plaintext and get back ciphertext, without ever managing encryption keys themselves.
- **Audit Logging**: Every secret request is logged — who requested it, when, from where, and what policy matched. Critical for compliance in regulated environments.
- **Agent Sidecar**: The OpenBao Agent can run as a Kubernetes sidecar, rendering secrets into files and environment variables — keeping secrets out of container images and ConfigMaps entirely.
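As an added example (not code from this page or from the OpenBao project), the script below wires the Dynamic Secrets, Kubernetes Auth and Audit Logging points together with the `bao` CLI. It assumes a PostgreSQL backend, a workload called `payments-api` in the `payments` namespace, an OpenBao address of `https://openbao.openbao.svc:8200`, and that OpenBao's CLI and API paths (`database/`, `auth/kubernetes/`, `sys/leases/`, `bao audit enable`) behave as their Vault counterparts do; all of those names are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example, not code from the page or the OpenBao project: wiring up
# dynamic PostgreSQL credentials, a least-privilege policy, Kubernetes auth
# and audit logging with the `bao` CLI. Mount paths, the "payments-api"
# role/policy, the namespace, the DB host and the server address are
# assumptions chosen for illustration.
set -eu

: "${BAO_ADDR:=https://openbao.openbao.svc:8200}"   # assumed address, override via env
export BAO_ADDR
ROLE=payments-api          # assumed workload name; reused for role, policy and SA
NAMESPACE=payments         # assumed Kubernetes namespace of the workload
DB_CONN='postgresql://{{username}}:{{password}}@postgres.db.svc:5432/payments?sslmode=require'

# Least-privilege policy: the workload may read only its own dynamic creds
# and renew/revoke the lease it was given. Plain text, so it is testable.
render_policy() {
  cat <<EOF
path "database/creds/${ROLE}" {
  capabilities = ["read"]
}
path "sys/leases/renew" {
  capabilities = ["update"]
}
path "sys/leases/revoke" {
  capabilities = ["update"]
}
EOF
}

# 1. Audit device first, so every issuance below is recorded (who, when,
#    from where, which policy matched).
enable_audit() {
  bao audit enable file file_path=/var/log/openbao/audit.log
}

# 2. Database secrets engine: OpenBao holds the root DB credential, rotates
#    it, and mints a fresh username/password per request with a short TTL.
configure_database() {
  bao secrets enable -path=database database
  bao write database/config/postgres \
    plugin_name=postgresql-database-plugin \
    allowed_roles="${ROLE}" \
    connection_url="${DB_CONN}" \
    username="openbao_admin" \
    password="${DB_ROOT_PASSWORD:?set DB_ROOT_PASSWORD for the initial bind}"
  # After this call only OpenBao knows the root password.
  bao write -f database/rotate-root/postgres
  # A leaked credential is dead within the hour; no lease lives past 4h.
  bao write "database/roles/${ROLE}" \
    db_name=postgres \
    creation_statements="CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; GRANT SELECT, INSERT ON ALL TABLES IN SCHEMA public TO \"{{name}}\";" \
    default_ttl=1h \
    max_ttl=4h
}

# 3. Kubernetes auth: pods present their service-account JWT, OpenBao checks
#    it against the Kubernetes API, and the policy above is attached.
configure_kubernetes_auth() {
  bao auth enable kubernetes
  # When OpenBao itself runs in-cluster it can use its own SA token and CA
  # for the review, so only the API server address is needed here.
  bao write auth/kubernetes/config \
    kubernetes_host="https://kubernetes.default.svc:443"
  render_policy | bao policy write "${ROLE}" -
  bao write "auth/kubernetes/role/${ROLE}" \
    bound_service_account_names="${ROLE}" \
    bound_service_account_namespaces="${NAMESPACE}" \
    token_policies="${ROLE}" \
    token_ttl=1h
}

# 4. Operator smoke test: each call returns a brand-new username/password
#    plus a lease_id; the database role disappears when the lease expires.
issue_test_credential() {
  bao read -format=json "database/creds/${ROLE}"
}
```

Run it with an operator token after `bao login`: source the file, then `enable_audit && configure_database && configure_kubernetes_auth`, and call `issue_test_credential` twice to confirm that every call yields a different username. The policy deliberately has no `database/creds/*` wildcard, so a compromised pod can only obtain credentials for its own role, and its reads show up in the audit log under that role's policy.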
---

### How It Fits

```
Services / pods (request credentials)
  → OpenBao (issues dynamic secrets + TLS certs)
  → Databases / APIs (receive short-lived credentials)
  → [[cert-manager]] (integrates for K8s TLS automation)
  → [[Keycloak]] (SSO controls who can access which secrets)
```

[[Keycloak]] | [[cert-manager]] | [[Kubernetes]] | [[Falco]] | [[Open Source Hyperscaler MoC]]