From feced6f3be3a56eb8fff14f5e68565ba10b72381 Mon Sep 17 00:00:00 2001
From: Adam Overa <adamovera@protonmail.com>
Date: Fri, 25 Apr 2025 12:02:54 -0400
Subject: [PATCH 1/6] Deploying OpenBao on Kubernetes with Linode LKE
---
.../index.md | 233 ++++++++++++++++++
1 file changed, 233 insertions(+)
create mode 100644 docs/guides/security/secrets-management/deploying-openbao-on-kubernetes-with-linode-lke/index.md
diff --git a/docs/guides/security/secrets-management/deploying-openbao-on-kubernetes-with-linode-lke/index.md b/docs/guides/security/secrets-management/deploying-openbao-on-kubernetes-with-linode-lke/index.md
new file mode 100644
index 00000000000..23bcec78e89
--- /dev/null
+++ b/docs/guides/security/secrets-management/deploying-openbao-on-kubernetes-with-linode-lke/index.md
@@ -0,0 +1,233 @@
+---
+slug: deploying-openbao-on-kubernetes-with-linode-lke
+title: "Deploying OpenBao on Kubernetes With Linode LKE"
+description: "Two to three sentences describing your guide."
+authors: ["Akamai"]
+contributors: ["Akamai"]
+published: 2025-04-25
+keywords: ['list','of','keywords','and key phrases']
+license: '[CC BY-ND 4.0](https://creativecommons.org/licenses/by-nd/4.0)'
+external_resources:
+- '[Link Title 1](http://www.example.com)'
+- '[Link Title 2](http://www.example.net)'
+---
+
+This guide walks through how to deploy [OpenBao on Kubernetes](https://openbao.org/docs/platform/k8s/) with Linode LKE using the [OpenBao Helm chart](https://github.com/openbao/openbao-helm).
+
+## Prerequisites
+
+To follow along in this walkthrough, you’ll need the following:
+
+* A [Linode account](https://www.linode.com/cfe)
+* A [Linode API token (personal access token)](https://www.linode.com/docs/products/platform/accounts/guides/manage-api-tokens/)
+* The [Linode CLI](https://www.linode.com/docs/products/tools/cli/guides/install/) installed and configured
+
+## Step 1: Provision a Kubernetes Cluster
+
+While there are several ways to create a Kubernetes cluster on Linode, this guide uses the [Linode CLI](https://github.com/linode/linode-cli) to provision resources.
+
+1. Use the Linode CLI (linode) to see available Kubernetes versions:
+
+| $ linode lke versions-list ┌───────┐ │ id │ ├───────┤ │ 1.31 │ ├───────┤ │ 1.30 │ └───────┘ |
+| :---- |
+
+It’s generally recommended to provision the latest version of Kubernetes unless specific requirements dictate otherwise.
+
+2. Use the following command to list available Linode plans, including plan ID, pricing, and performance details. For more detailed pricing information, see [Akamai Connected Cloud: Pricing](https://www.linode.com/pricing/):
+
+| $ linode linodes types |
+| :---- |
+
+3. The examples in this guide use the **g6-standard-2** Linode, which features two CPU cores and 4 GB of memory. Run the following command to display detailed information in JSON for this Linode plan:
+
+| $ linode linodes types \--label "Linode 4GB" \--json \--pretty�\[� {� "addons": {...}, "class": "standard",� "disk": 81920,� "gpus": 0,� "id": "g6-standard-2",� "label": "Linode 4GB",� "memory": 4096,� "network\_out": 4000,� "price": {� "hourly": 0.036,� "monthly": 24.0� },� "region\_prices": \[...\],� "successor": null,� "transfer": 4000,� "vcpus": 2� }�\] |
+| :---- |
+
+4. View available regions with the regions list command:
+
+| $ linode regions list |
+| :---- |
+
+5. With a Kubernetes version and Linode type selected, use the following command to create a cluster named openbao-cluster in the us-mia (Miami, FL) region with three nodes and auto-scaling. Replace openbao-cluster and us-mia with a cluster label and region of your choosing, respectively:
+
+| $ linode lke cluster-create \\� \--label openbao-cluster \\� \--k8s\_version 1.31 \\� \--region us-mia \\� \--node\_pools '\[{� "type": "g6-standard-2",� "count": 3,� "autoscaler": {� "enabled": true,� "min": 3,� "max": 8� }� }\]' |
+| :---- |
+
+Once your cluster is successfully created, you should see output similar to the following:
+
+| Using default values: {}; use the \--no-defaults flag to disable defaults�\+------------------+--------+-------------+ | label | region | k8s\_version | \+------------------+--------+-------------+ | openbao-cluster | us-mia | 1.31 | \+------------------+--------+-------------+ |
+| :---- |
+
+## Step 2: Access the Kubernetes Cluster
+
+To access your cluster, fetch the cluster credentials in the form of a kubeconfig file.
+
+1. Use the following command to retrieve the cluster’s ID:
+
+| $ CLUSTER\_ID=$(linode lke clusters-list \--json | \\� jq \-r \\ '.\[\] | select(.label \== "openbao-cluster") | .id') |
+| :---- |
+
+2. Create a hidden .kube folder in your user’s home directory:
+
+| $ mkdir \~/.kube |
+| :---- |
+
+3. Retrieve the kubeconfig file and save it to \~/.kube/lke-config:
+
+| $ linode lke kubeconfig-view \--json "$CLUSTER\_ID" | \\ jq \-r '.\[0\].kubeconfig' | \\ base64 \--decode \> \~/.kube/lke-config |
+| :---- |
+
+4. Once you have the kubeconfig file saved, access your cluster by using kubectl and specifying the file:
+
+| $ kubectl get no \--kubeconfig \~/.kube/lke-config NAME STATUS ROLES AGE VERSION lke328534-526858-193216620000 Ready \<none\> 54s v1.31.0 lke328534-526858-1bacd9c70000 Ready \<none\> 60s v1.31.0 lke328534-526858-2c4e9cda0000 Ready \<none\> 28s v1.31.0 |
+| :---- |
+
+| Note: Alternatively, to avoid specifying \--kubeconfig \~/.kube/lke-config with every kubectl command, you can set an environment variable for your current terminal window session. $ export KUBECONFIG=\~/.kube/lke-config Then run: $ kubectl get no |
+| :---- |
+
+## Step 3: Set Up OpenBao on LKE
+
+The official [Helm chart](https://github.com/openbao/openbao-helm) provided by the OpenBao development team is the suggested method for installing OpenBao on K8s. [Helm](https://helm.sh/) is a package manager for Kubernetes and helps manage software extensions for the system. Helm organizes these packages via “charts”. To install the OpenBao Helm chart into the Kubernetes cluster above (i.e., the cluster associated with your current .kube config), first add the extension to the local Helm installation via:
+
+| $ helm repo add openbao https://openbao.github.io/openbao-helm� "openbao" has been added to your repositories |
+| :---- |
+
+Next, install the Helm chart onto the cluster:
+
+| $ helm install openbao openbao/openbao� NAME: openbao�LAST DEPLOYED: Tue Jan 28 12:55:42 2025�NAMESPACE: default�STATUS: deployed�REVISION: 1�NOTES:�Thank you for installing OpenBao\!��Now that you have deployed OpenBao, you should look over the docs on using�OpenBao with Kubernetes available here:��https://openbao.org/docs/���Your release is named openbao. To learn more about the release, try:�� $ helm status openbao� $ helm get manifest openbao |
+| :---- |
+
+This Helm chart defaults to Kubernetes OpenBao's standalone mode, which means a single OpenBao server with a file storage backend is set up in the cluster. However, other profiles, such as a development server and a high-availability system, are also available in this chart. For more information on these other profiles, see the documentation.
+
+As mentioned in the result message above, running helm get manifest openbao will return all the YAML configuration files for the newly deployed OpenBao system. This is useful for seeing the system’s initial configuration data. For explanations of these and other installation options, see the [Helm chart’s README](https://github.com/openbao/openbao-helm/blob/main/charts/openbao/README.md). To override any of these configuration options at installation time, use the **\--set** command line argument when installing the Helm chart. For example:
+
+| $ helm install openbao openbao/openbao \--set server.dev.enabled=true |
+| :---- |
+
+You can also override the entire configuration in a file and run it with the following command. For example, if the custom configuration file is named override-values.yml, then run the following command:
+
+| $ helm install openbao openbao/openbao \--values override-values.yml |
+| :---- |
+
+## Step 4: Test the OpenBao Development Server
+
+Now that the OpenBao server is installed in the Kubernetes cluster, it needs to be initialized. The initialization generates the credentials needed to [unseal](https://openbao.org/docs/concepts/seal/#why) the server for use.
+
+To view all the currently configured OpenBao servers in your cluster, run the following:
+
+| $ kubectl get pods \-l app.kubernetes.io/name=openbao� NAME READY STATUS RESTARTS AGE�openbao-0 0/1 Running 0 4m20s |
+| :---- |
+
+There should only be one for the standalone profile. Notice that the READY count is 0, indicating the server has not been initialized yet. To initialize the server, run the following:
+
+| $ kubectl exec \-ti openbao-0 \-- bao operator init �Unseal Key 1: T8WgvU8ofUf1puk1EtMEGWxikhHf9nLdgPBBFHFnlH0q�Unseal Key 2: iXixXscn8SPxfjd+O0tye+tYcbKe345/Ua52lANfb/Kp�Unseal Key 3: g6jOp6PxaEvYnlGyEICS3fvOwA7J/PX0H4WPU7LQWCWQ�Unseal Key 4: VR8DoAmpOW7QE3A6IV/Bz05yXGVEQrkBdVBlZX1A79gt�Unseal Key 5: SlplOoCD4SyYsoX5CbZfcMsDb2FzxPImNSmU78sbuYDg��Initial Root Token: s.XRjSYKwuaULH1N3WxA9k3K27��Vault initialized with 5 key shares and a key threshold of 3\. Please securely distribute the key shares printed above. When the Vault is re-sealed, restarted, or stopped, you must supply at least 3 of these keys to unseal it before it can start servicing requests.��Vault does not store the generated root key. Without at least 3 keys to�reconstruct the root key, Vault will remain permanently sealed\!��It is possible to generate new unseal keys, provided you have a quorum of�existing unseal keys shares. See "bao operator rekey" for more information. |
+| :---- |
+
+The output displays the key shares and the initial root key for the server. Unseal the OpenBao server with the key shares until the key threshold is met. For example, using the first unseal key, the command would be:
+
+| $ kubectl exec \-ti openbao-0 \-- \\ bao operator unseal T8WgvU8ofUf1puk1EtMEGWxikhHf9nLdgPBBFHFnlH0q� Key Value�\--- \-----�Seal Type shamir�Initialized true�Sealed true�Total Shares 5�Threshold 3�Unseal Progress 1/3�Unseal Nonce 7adeec56-8ba0-8f20-835b-415837be7977�Version 2.1.0�Build Date 2024-11-29T15:34:50Z�Storage Type file�HA Enabled false |
+| :---- |
+
+The resulting Unseal Progress shows 1/3. This command must be executed two more times, with two additional key shares, to unseal the server for general use.
+
+| $ kubectl exec \-ti openbao-0 \-- \\� bao operator unseal iXixXscn8SPxfjd+O0tye+tYcbKe345/Ua52lANfb/Kp�...��$ kubectl exec \-ti openbao-0 \-- \\� bao operator unseal g6jOp6PxaEvYnlGyEICS3fvOwA7J/PX0H4WPU7LQWCWQ� Key Value�\--- \-----�Seal Type shamir�Initialized true�Sealed false�Total Shares 5�Threshold 3�Version 2.1.0�Build Date 2024-11-29T15:34:50Z�Storage Type file�Cluster Name vault-cluster-38e0bd53�Cluster ID 8740348d-f8ed-1989-e692-10c5f4e7768c�HA Enabled false |
+| :---- |
+
+After the third execution, Sealed shows false. After the server is unsealed, its pod will also report as READY:
+
+| $ kubectl get pods \-l app.kubernetes.io/name=openbao� NAME READY STATUS RESTARTS AGE�openbao-0 1/1 Running 0 11m |
+| :---- |
+
+The server is ready for testing now. [Install the OpenBao CLI utility](https://openbao.org/docs/install/). To test the connection directly through the Kubernetes cluster, forward port 8200 from the cluster to your localhost with the following:
+
+| $ kubectl port-forward openbao-0 8200:8200 |
+| :---- |
+
+Open a new terminal window. Set the following environment variable so that the OpenBao CLI looks to the forwarded port on localhost.
+
+| $ export BAO\_ADDR=http://127.0.0.1:8200 |
+| :---- |
+
+Run the following to log in to the server on the cluster. Use the initial root token that was displayed when you initialized the OpenBao server.
+
+| $ bao login \-method=token \<ROOT TOKEN\> Success\! You are now authenticated. The token information displayed below is already stored in the token helper. You do NOT need to run "vault login" again. Future Vault requests will automatically use this token. Key Value \--- \----- token s.XRjSYKwuaULH1N3WxA9k3K27 token\_accessor 7zqRG80kZwFZXKxbcKRjqQPj token\_duration ∞ token\_renewable false token\_policies \["root"\] identity\_policies \[\] policies \["root"\] |
+| :---- |
+
+Enable the key/value store in the server:
+
+| $ bao secrets enable kv |
+| :---- |
+
+Use curl to test setting and getting secrets from the OpenBao server. Set a secret with the following command. Remember to provide your root token with this command.
+
+| $ curl \-X POST \\� \--header "X-Vault-Token: \<ROOT TOKEN\>" \\� \--header "Content-Type: application/json" \\� \--data '{"data": {"hello": "world"}}' \\� http://127.0.0.1:8200/v1/kv/test-secret |
+| :---- |
+
+Then, to retrieve the secret, run the following:
+
+| $ curl \-X GET \\� \--header "X-Vault-Token: \<ROOT TOKEN\>" \\� http://127.0.0.1:8200/v1/kv/test-secret | json\_pp { "auth" : null, "data" : { "data" : { "hello" : "world" } }, "lease\_duration" : 2764800, "lease\_id" : "", "renewable" : false, "request\_id" : "34b4f7cf-d6d0-b621-2eb5-b4e4d6cf4866", "warnings" : null, "wrap\_info" : null } |
+| :---- |
+
+## Step 5: Configure for External Access
+
+To access the OpenBao server externally, rather than through Kubernetes port-forwarding, use a [LoadBalancer](https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/) service. Open the pod configuration for OpenBao: kubectl edit service openbao
+
+Make the following change to the type field of the spec object, leaving the rest of the file unchanged:
+
+| spec:� type: LoadBalancer |
+| :---- |
+
+Save the file and exit the editor. Then, wait for a public IP address to be supplied to the pod. Query for the IP address with the following command:
+
+| $ kubectl get service openbao� NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE�openbao LoadBalancer 10.128.183.178 172.233.166.52 8200:31782/TCP,8201:31560/TCP 29m |
+| :---- |
+
+To test this connection, issue the curl command again to retrieve the previously stored secret, but change the IP address to the external one shown above, at port 8200. For example:
+
+| $ curl \-X GET \\� \--header "X-Vault-Token: \<ROOT TOKEN\>" \\� http://172.233.166.52:8200/v1/kv/test-secret | json\_pp { "auth" : null, "data" : { "data" : { "hello" : "world" } }, "lease\_duration" : 2764800, "lease\_id" : "", "renewable" : false, "request\_id" : "18cb7adf-6235-bc34-6a6c-df9df6800eb7", "warnings" : null, "wrap\_info" : null } |
+| :---- |
+
+## Additional Considerations for Production Deployments
+
+When deploying OpenBao to a production-grade Kubernetes cluster, consider the following additional points.
+
+### Auto-unseal in a clustered environment
+
+Kubernetes facilitates auto-unseal mechanisms by integrating cloud-based key management systems (such as AWS KMS, GCP KMS, or Azure Key Vault). Store unsealable keys securely in a Kubernetes Secret object encrypted by a separate key management system or similar mechanism. This ensures the OpenBao vault remains sealed until securely auto-unsealed by Kubernetes on pod startup.
+
+With auto-unseal in place, manual unsealing as demonstrated above becomes unnecessary. Kubernetes will handle this for you in a secure, automated way.
+
+### High-availability mode
+
+To achieve high availability, first [enable the high availability control plane for LKE](https://techdocs.akamai.com/cloud-computing/docs/high-availability-ha-control-plane-on-lke). Then, deploy OpenBao in a stateful set with multiple replicas. You will need:
+
+* A distributed storage backend (such as HashiCorp Consul or PostgreSQL) that supports clustering.
+* A Kubernetes StatefulSet for stable network identities and persistent storage.
+
+The [OpenBao Helm chart](https://github.com/openbao/openbao-helm/blob/main/charts/openbao/README.md) has options for configuring a high-availability profile. To use upon installation, run the following:
+
+| $ helm install openbao openbao/openbao \--set "server.ha.enabled=true" |
+| :---- |
+
+This will automatically set up multiple OpenBao servers in your LKE cluster, all with an integrated storage backend.
+
+See the official documentation for [an example](https://openbao.org/docs/platform/k8s/helm/run/#config-example) usage of this Helm configuration.
+
+### Separate configurations from secrets
+
+Store the non-sensitive information for an OpenBao configuration in a Kubernetes [ConfigMap](https://kubernetes.io/docs/concepts/configuration/configmap/). Then, separately, store sensitive information—such as root tokens and unseal keys—as Kubernetes [Secrets](https://kubernetes.io/docs/concepts/configuration/secret/). Ensure Secrets are encrypted at rest and avoid exposing them in logs or environment variables.
+
+### Secure the LKE cluster network
+
+Harden the network for your LKE cluster by taking the following measures:
+
+* Encrypting all traffic to and from OpenBao using TLS.
+* Using Kubernetes Secrets to store TLS certificates and private keys securely.
+* Validating certificates to prevent man-in-the-middle attacks.
+* Enforcing secure communication between OpenBao and its clients.
+
+### Restricting access to OpenBao
+
+Use Kubernetes [NetworkPolicies](https://kubernetes.io/docs/concepts/services-networking/network-policies/) to restrict access to the OpenBao service. Reduce the attack surface by denying all incoming traffic by default. Then, explicitly allow only required communication paths. Policies should limit the source of ingress traffic to trusted pods, namespaces, or IP ranges.
+
+Deploy the OpenBao management UI only when necessary. If using the UI, secure access to it by integrating it with Kubernetes [RBAC](https://kubernetes.io/docs/reference/access-authn-authz/rbac/), [OpenID Connect (OIDC)](https://kubernetes.io/docs/concepts/security/hardening-guide/authentication-mechanisms/#openid-connect-token-authentication), or an external authentication gateway. Limit access to specific IP ranges or authenticated users to prevent unauthorized access.
\ No newline at end of file
From 401ed914b790a5ea25af19520f067568b3512e2d Mon Sep 17 00:00:00 2001
From: Adam Overa <adamovera@protonmail.com>
Date: Wed, 30 Apr 2025 17:55:51 -0400
Subject: [PATCH 2/6] Tech Edit 1
---
.../index.md | 638 ++++++++++++++----
1 file changed, 509 insertions(+), 129 deletions(-)
diff --git a/docs/guides/security/secrets-management/deploying-openbao-on-kubernetes-with-linode-lke/index.md b/docs/guides/security/secrets-management/deploying-openbao-on-kubernetes-with-linode-lke/index.md
index 23bcec78e89..39337def117 100644
--- a/docs/guides/security/secrets-management/deploying-openbao-on-kubernetes-with-linode-lke/index.md
+++ b/docs/guides/security/secrets-management/deploying-openbao-on-kubernetes-with-linode-lke/index.md
@@ -1,233 +1,613 @@
---
slug: deploying-openbao-on-kubernetes-with-linode-lke
title: "Deploying OpenBao on Kubernetes With Linode LKE"
-description: "Two to three sentences describing your guide."
+description: "Learn to deploy and manage OpenBao on Linode Kubernetes Engine (LKE) using Helm. This guide covers setup, unsealing, testing, and production best practices."
authors: ["Akamai"]
contributors: ["Akamai"]
-published: 2025-04-25
-keywords: ['list','of','keywords','and key phrases']
+published: 2025-04-30
+keywords: ['openbao','openbao kubernetes deployment','install openbao on linode','openbao lke','linode kubernetes engine openbao','helm openbao chart','initialize openbao','unseal openbao kubernetes','openbao on akamai cloud','openbao cluster setup','openbao helm install guide','deploy openbao on kubernetes']
license: '[CC BY-ND 4.0](https://creativecommons.org/licenses/by-nd/4.0)'
external_resources:
-- '[Link Title 1](http://www.example.com)'
-- '[Link Title 2](http://www.example.net)'
+- '[OpenBao](https://openbao.org/)'
+- '[Helm](https://helm.sh/)'
---
-This guide walks through how to deploy [OpenBao on Kubernetes](https://openbao.org/docs/platform/k8s/) with Linode LKE using the [OpenBao Helm chart](https://github.com/openbao/openbao-helm).
+This guide walks through how to deploy [OpenBao on Kubernetes](https://openbao.org/docs/platform/k8s/) with Akamai Cloud Linode Kubernetes Engine (LKE) using the [OpenBao Helm chart](https://github.com/openbao/openbao-helm).
-## Prerequisites
+## Before You Begin
-To follow along in this walkthrough, you’ll need the following:
+1. Follow our [Getting Started](https://techdocs.akamai.com/cloud-computing/docs/getting-started) guide, and create an Akamai Cloud account if you do not already have one.
-* A [Linode account](https://www.linode.com/cfe)
-* A [Linode API token (personal access token)](https://www.linode.com/docs/products/platform/accounts/guides/manage-api-tokens/)
-* The [Linode CLI](https://www.linode.com/docs/products/tools/cli/guides/install/) installed and configured
+1. Create a personal access token using the instructions in our [Manage personal access tokens](https://techdocs.akamai.com/cloud-computing/docs/manage-personal-access-tokens) guide.
+
+1. Install the Linode CLI using the instructions in our [Install and configure the CLI](https://techdocs.akamai.com/cloud-computing/docs/install-and-configure-the-cli) guide.
-## Step 1: Provision a Kubernetes Cluster
+1. Follow the steps in the *Install `kubectl`* section of the [Getting started with LKE](https://techdocs.akamai.com/cloud-computing/docs/getting-started-with-lke-linode-kubernetes-engine#install-kubectl) guide to install and configure kubectl.
-While there are several ways to create a Kubernetes cluster on Linode, this guide uses the [Linode CLI](https://github.com/linode/linode-cli) to provision resources.
+1. Install the [Helm CLI](https://helm.sh/docs/intro/install/) on your workstation. Helm is a package manager for Kubernetes that simplifies the deployment of applications.
-1. Use the Linode CLI (linode) to see available Kubernetes versions:
+1. Install the [OpenBao CLI](https://openbao.org/docs/install/) on your workstation.
-| $ linode lke versions-list ┌───────┐ │ id │ ├───────┤ │ 1.31 │ ├───────┤ │ 1.30 │ └───────┘ |
-| :---- |
+{{< note >}}
+This guide is written for a non-root user. Commands that require elevated privileges are prefixed with `sudo`. If you’re not familiar with the `sudo` command, see the [Users and Groups](/docs/guides/linux-users-and-groups/) guide.
+{{< /note >}}
-It’s generally recommended to provision the latest version of Kubernetes unless specific requirements dictate otherwise.
+## Provision an LKE Cluster
-2. Use the following command to list available Linode plans, including plan ID, pricing, and performance details. For more detailed pricing information, see [Akamai Connected Cloud: Pricing](https://www.linode.com/pricing/):
+While there are several ways to create a Kubernetes cluster on Akamai Cloud, this guide uses the [Linode CLI](https://github.com/linode/linode-cli) to provision resources.
-| $ linode linodes types |
-| :---- |
+1. Use the Linode CLI (`linode-cli`) to see available Kubernetes versions:
-3. The examples in this guide use the **g6-standard-2** Linode, which features two CPU cores and 4 GB of memory. Run the following command to display detailed information in JSON for this Linode plan:
+ ```command
+ linode-cli lke versions-list
+ ```
-| $ linode linodes types \--label "Linode 4GB" \--json \--pretty�\[� {� "addons": {...}, "class": "standard",� "disk": 81920,� "gpus": 0,� "id": "g6-standard-2",� "label": "Linode 4GB",� "memory": 4096,� "network\_out": 4000,� "price": {� "hourly": 0.036,� "monthly": 24.0� },� "region\_prices": \[...\],� "successor": null,� "transfer": 4000,� "vcpus": 2� }�\] |
-| :---- |
+ ```output
+ ┌───────┐
+ │ id │
+ ├───────┤
+ │ 1.32 │
+ ├───────┤
+ │ 1.31 │
+ └───────┘
+ ```
-4. View available regions with the regions list command:
+ It’s generally recommended to provision the latest version of Kubernetes unless specific requirements dictate otherwise.
-| $ linode regions list |
-| :---- |
+1. Use the following command to list available Akamai Cloud plans, including plan ID, pricing, and performance details. For more detailed pricing information, see [Akamai Cloud: Pricing](https://www.linode.com/pricing/):
-5. With a Kubernetes version and Linode type selected, use the following command to create a cluster named openbao-cluster in the us-mia (Miami, FL) region with three nodes and auto-scaling. Replace openbao-cluster and us-mia with a cluster label and region of your choosing, respectively:
+ ```command
+ linode-cli linodes types
+ ```
-| $ linode lke cluster-create \\� \--label openbao-cluster \\� \--k8s\_version 1.31 \\� \--region us-mia \\� \--node\_pools '\[{� "type": "g6-standard-2",� "count": 3,� "autoscaler": {� "enabled": true,� "min": 3,� "max": 8� }� }\]' |
-| :---- |
+1. The examples in this guide use the **g6-standard-2** Linode, which features two CPU cores and 4 GB of memory. Run the following command to display detailed information in JSON for this Akamai Cloud plan:
-Once your cluster is successfully created, you should see output similar to the following:
+ ```command
+ linode-cli linodes types --label "Linode 4GB" --json --pretty
+ ```
-| Using default values: {}; use the \--no-defaults flag to disable defaults�\+------------------+--------+-------------+ | label | region | k8s\_version | \+------------------+--------+-------------+ | openbao-cluster | us-mia | 1.31 | \+------------------+--------+-------------+ |
-| :---- |
+ ```output
+ [
+ {
+ "addons": {...}
+ "class": "standard",
+ "disk": 81920,
+ "gpus": 0,
+ "id": "g6-standard-2",
+ "label": "Linode 4GB",
+ "memory": 4096,
+ "network_out": 4000,
+ "price": {...},
+ "region_prices": [...],
+ "successor": null,
+ "transfer": 4000,
+ "vcpus": 2
+ }
+ ]
+ ```
-## Step 2: Access the Kubernetes Cluster
+1. View available regions with the `regions list` command:
-To access your cluster, fetch the cluster credentials in the form of a kubeconfig file.
+ ```command
+ linode-cli regions list
+ ```
-1. Use the following command to retrieve the cluster’s ID:
+1. After selecting a Kubernetes version and Linode type, use the following command to create a cluster named `openbao-cluster` in the `us-mia` (Miami, FL) region with three nodes and auto-scaling. Replace `openbao-cluster` and `us-mia` with a cluster label and region of your choosing, respectively:
-| $ CLUSTER\_ID=$(linode lke clusters-list \--json | \\� jq \-r \\ '.\[\] | select(.label \== "openbao-cluster") | .id') |
-| :---- |
+ ```command
+ linode lke cluster-create \
+ --label openbao-cluster \
+ --k8s_version 1.32 \
+ --region us-mia \
+ --node_pools '[{
+ "type": "g6-standard-2",
+ "count": 3,
+ "autoscaler": {
+ "enabled": true,
+ "min": 3,
+ "max": 8
+ }
+ }]'
+ ```
-2. Create a hidden .kube folder in your user’s home directory:
+ Once your cluster is successfully created, you should see output similar to the following:
-| $ mkdir \~/.kube |
-| :---- |
+ ```output
+ Using default values: {}; use the --no-defaults flag to disable defaults
+ ┌────────┬─────────────────┬────────┬─────────────┬─────────────────────────────────┬──────┐
+ │ id │ label │ region │ k8s_version │ control_plane.high_availability │ tier │
+ ├────────┼─────────────────┼────────┼─────────────┼─────────────────────────────────┼──────┤
+ │ 415365 │ openbao-cluster │ us-mia │ 1.32 │ False │ │
+ └────────┴─────────────────┴────────┴─────────────┴─────────────────────────────────┴──────┘
+ ```
-3. Retrieve the kubeconfig file and save it to \~/.kube/lke-config:
+## Access the LKE Cluster
-| $ linode lke kubeconfig-view \--json "$CLUSTER\_ID" | \\ jq \-r '.\[0\].kubeconfig' | \\ base64 \--decode \> \~/.kube/lke-config |
-| :---- |
+To access your cluster, fetch the cluster credentials in the form of a `kubeconfig` file. Your cluster’s `kubeconfig` can also be [downloaded via the Cloud Manager](https://techdocs.akamai.com/cloud-computing/docs/getting-started-with-lke-linode-kubernetes-engine#access-and-download-your-kubeconfig).
-4. Once you have the kubeconfig file saved, access your cluster by using kubectl and specifying the file:
+1. Use the following command to retrieve the cluster’s ID:
-| $ kubectl get no \--kubeconfig \~/.kube/lke-config NAME STATUS ROLES AGE VERSION lke328534-526858-193216620000 Ready \<none\> 54s v1.31.0 lke328534-526858-1bacd9c70000 Ready \<none\> 60s v1.31.0 lke328534-526858-2c4e9cda0000 Ready \<none\> 28s v1.31.0 |
-| :---- |
+ ```command
+ CLUSTER_ID=$(linode lke clusters-list --json | \
+ jq -r \
+ '.[] | select(.label == "openbao-cluster") | .id')
+ ```
-| Note: Alternatively, to avoid specifying \--kubeconfig \~/.kube/lke-config with every kubectl command, you can set an environment variable for your current terminal window session. $ export KUBECONFIG=\~/.kube/lke-config Then run: $ kubectl get no |
-| :---- |
+1. Create a hidden `.kube` folder in your user’s home directory:
-## Step 3: Set Up OpenBao on LKE
+ ```command
+ mkdir ~/.kube
+ ```
-The official [Helm chart](https://github.com/openbao/openbao-helm) provided by the OpenBao development team is the suggested method for installing OpenBao on K8s. [Helm](https://helm.sh/) is a package manager for Kubernetes and helps manage software extensions for the system. Helm organizes these packages via “charts”. To install the OpenBao Helm chart into the Kubernetes cluster above (i.e., the cluster associated with your current .kube config), first add the extension to the local Helm installation via:
+1. Retrieve the `kubeconfig` file and save it to `~/.kube/lke-config`:
-| $ helm repo add openbao https://openbao.github.io/openbao-helm� "openbao" has been added to your repositories |
-| :---- |
+ ```command
+ linode-cli lke kubeconfig-view --json "$CLUSTER_ID" | \
+ jq -r '.[0].kubeconfig' | \
+ base64 --decode > ~/.kube/lke-config
+ ```
-Next, install the Helm chart onto the cluster:
+1. After saving the `kubeconfig` file, access your cluster by specifying the file with `kubectl`:
-| $ helm install openbao openbao/openbao� NAME: openbao�LAST DEPLOYED: Tue Jan 28 12:55:42 2025�NAMESPACE: default�STATUS: deployed�REVISION: 1�NOTES:�Thank you for installing OpenBao\!��Now that you have deployed OpenBao, you should look over the docs on using�OpenBao with Kubernetes available here:��https://openbao.org/docs/���Your release is named openbao. To learn more about the release, try:�� $ helm status openbao� $ helm get manifest openbao |
-| :---- |
+ ```command
+ kubectl get no --kubeconfig ~/.kube/lke-config
+ ```
-This Helm chart defaults to Kubernetes OpenBao's standalone mode, which means a single OpenBao server with a file storage backend is set up in the cluster. However, other profiles, such as a development server and a high-availability system, are also available in this chart. For more information on these other profiles, see the documentation.
+ ```output
+ NAME STATUS ROLES AGE VERSION
+ lke415365-625696-3fe27ca40000 Ready <none> 115s v1.32.1
+ lke415365-625696-4f320a5f0000 Ready <none> 117s v1.32.1
+ lke415365-625696-5a43a1510000 Ready <none> 119s v1.32.1
+ ```
-As mentioned in the result message above, running helm get manifest openbao will return all the YAML configuration files for the newly deployed OpenBao system. This is useful for seeing the system’s initial configuration data. For explanations of these and other installation options, see the [Helm chart’s README](https://github.com/openbao/openbao-helm/blob/main/charts/openbao/README.md). To override any of these configuration options at installation time, use the **\--set** command line argument when installing the Helm chart. For example:
+ {{< note >}}
+ Alternatively, to avoid specifying `--kubeconfig ~/.kube/lke-config` with every `kubectl` command, you can set an environment variable for your current terminal window session:
-| $ helm install openbao openbao/openbao \--set server.dev.enabled=true |
-| :---- |
+ ```command
+ export KUBECONFIG=~/.kube/lke-config
+ ```
-You can also override the entire configuration in a file and run it with the following command. For example, if the custom configuration file is named override-values.yml, then run the following command:
+ Then run:
-| $ helm install openbao openbao/openbao \--values override-values.yml |
-| :---- |
+ ```command
+ kubectl get no
+ ```
+ {{< /note >}}
-## Step 4: Test the OpenBao Development Server
+## Set Up OpenBao on LKE
-Now that the OpenBao server is installed in the Kubernetes cluster, it needs to be initialized. The initialization generates the credentials needed to [unseal](https://openbao.org/docs/concepts/seal/#why) the server for use.
+[Helm](https://helm.sh/) is a package manager for Kubernetes that simplifies application deployment via *charts*. The OpenBao development team maintains an official [Helm chart](https://github.com/openbao/openbao-helm), which is the recommended method for deploying OpenBao on Kubernetes.
-To view all the currently configured OpenBao servers in your cluster, run the following:
+By default, this Helm chart installs OpenBao in *standalone mode*, which sets up a single server with a file storage backend. This profile is useful for testing. However, production-ready profiles are available in this chart, including a development server and high-availability cluster. See the [OpenBao Helm README](https://github.com/openbao/openbao-helm/blob/main/charts/openbao/README.md) for more information.
-| $ kubectl get pods \-l app.kubernetes.io/name=openbao� NAME READY STATUS RESTARTS AGE�openbao-0 0/1 Running 0 4m20s |
-| :---- |
+1. Add the OpenBao chart repository to your local Helm installation:
-There should only be one for the standalone profile. Notice that the READY count is 0, indicating the server has not been initialized yet. To initialize the server, run the following:
+ ```command
+ helm repo add openbao https://openbao.github.io/openbao-helm
+ ```
-| $ kubectl exec \-ti openbao-0 \-- bao operator init �Unseal Key 1: T8WgvU8ofUf1puk1EtMEGWxikhHf9nLdgPBBFHFnlH0q�Unseal Key 2: iXixXscn8SPxfjd+O0tye+tYcbKe345/Ua52lANfb/Kp�Unseal Key 3: g6jOp6PxaEvYnlGyEICS3fvOwA7J/PX0H4WPU7LQWCWQ�Unseal Key 4: VR8DoAmpOW7QE3A6IV/Bz05yXGVEQrkBdVBlZX1A79gt�Unseal Key 5: SlplOoCD4SyYsoX5CbZfcMsDb2FzxPImNSmU78sbuYDg��Initial Root Token: s.XRjSYKwuaULH1N3WxA9k3K27��Vault initialized with 5 key shares and a key threshold of 3\. Please securely distribute the key shares printed above. When the Vault is re-sealed, restarted, or stopped, you must supply at least 3 of these keys to unseal it before it can start servicing requests.��Vault does not store the generated root key. Without at least 3 keys to�reconstruct the root key, Vault will remain permanently sealed\!��It is possible to generate new unseal keys, provided you have a quorum of�existing unseal keys shares. See "bao operator rekey" for more information. |
-| :---- |
+ ```output
+ "openbao" has been added to your repositories
+ ```
-The output displays the key shares and the initial root key for the server. Unseal the OpenBao server with the key shares until the key threshold is met. For example, using the first unseal key, the command would be:
+1. Use Helm to deploy the OpenBao chart:
-| $ kubectl exec \-ti openbao-0 \-- \\ bao operator unseal T8WgvU8ofUf1puk1EtMEGWxikhHf9nLdgPBBFHFnlH0q� Key Value�\--- \-----�Seal Type shamir�Initialized true�Sealed true�Total Shares 5�Threshold 3�Unseal Progress 1/3�Unseal Nonce 7adeec56-8ba0-8f20-835b-415837be7977�Version 2.1.0�Build Date 2024-11-29T15:34:50Z�Storage Type file�HA Enabled false |
-| :---- |
+ ```command
+ helm install openbao openbao/openbao
+ ```
-The resulting Unseal Progress shows 1/3. This command must be executed two more times, with two additional key shares, to unseal the server for general use.
+ ```output
+ NAME: openbao
+ LAST DEPLOYED: Wed Apr 30 16:14:55 2025
+ NAMESPACE: default
+ STATUS: deployed
+ REVISION: 1
+ NOTES:
+ Thank you for installing OpenBao!
-| $ kubectl exec \-ti openbao-0 \-- \\� bao operator unseal iXixXscn8SPxfjd+O0tye+tYcbKe345/Ua52lANfb/Kp�...��$ kubectl exec \-ti openbao-0 \-- \\� bao operator unseal g6jOp6PxaEvYnlGyEICS3fvOwA7J/PX0H4WPU7LQWCWQ� Key Value�\--- \-----�Seal Type shamir�Initialized true�Sealed false�Total Shares 5�Threshold 3�Version 2.1.0�Build Date 2024-11-29T15:34:50Z�Storage Type file�Cluster Name vault-cluster-38e0bd53�Cluster ID 8740348d-f8ed-1989-e692-10c5f4e7768c�HA Enabled false |
-| :---- |
+ Now that you have deployed OpenBao, you should look over the docs on using
+ OpenBao with Kubernetes available here:
-After the third execution, Sealed shows false. After the server is unsealed, its pod will also report as READY:
+ https://openbao.org/docs/
-| $ kubectl get pods \-l app.kubernetes.io/name=openbao� NAME READY STATUS RESTARTS AGE�openbao-0 1/1 Running 0 11m |
-| :---- |
-The server is ready for testing now. [Install the OpenBao CLI utility](https://openbao.org/docs/install/). To test the connection directly through the Kubernetes cluster, forward port 8200 from the cluster to your localhost with the following:
+ Your release is named openbao. To learn more about the release, try:
-| $ kubectl port-forward openbao-0 8200:8200 |
-| :---- |
+ $ helm status openbao
+ $ helm get manifest openbao
+ ```
-Open a new terminal window. Set the following environment variable so that the OpenBao CLI looks to the forwarded port on localhost.
+1. Run the following command to view the complete YAML manifests generated during installation:
-| $ export BAO\_ADDR=http://127.0.0.1:8200 |
-| :---- |
+ ```command
+ helm get manifest openbao
+ ```
-Run the following to log in to the server on the cluster. Use the initial root token that was displayed when you initialized the OpenBao server.
+ This returns all the YAML configuration files for the newly deployed OpenBao system, which is useful for inspecting the system’s initial configuration data.
-| $ bao login \-method=token \<ROOT TOKEN\> Success\! You are now authenticated. The token information displayed below is already stored in the token helper. You do NOT need to run "vault login" again. Future Vault requests will automatically use this token. Key Value \--- \----- token s.XRjSYKwuaULH1N3WxA9k3K27 token\_accessor 7zqRG80kZwFZXKxbcKRjqQPj token\_duration ∞ token\_renewable false token\_policies \["root"\] identity\_policies \[\] policies \["root"\] |
-| :---- |
+ {{< note title="Customize the Installation" >}}
+ To override any of these configuration options at installation time, use the `--set` command line argument when installing the Helm chart, for example:
-Enable the key/value store in the server:
+ ```command
+ helm install openbao openbao/openbao --set server.dev.enabled=true
+ ```
-| $ bao secrets enable kv |
-| :---- |
+ You can also override the entire configuration in a file and run it with the following command, for example:
-Use curl to test setting and getting secrets from the OpenBao server. Set a secret with the following command. Remember to provide your root token with this command.
+ ```command
+ helm install openbao openbao/openbao --values override-values.yml
+ ```
+ {{< /note >}}
-| $ curl \-X POST \\� \--header "X-Vault-Token: \<ROOT TOKEN\>" \\� \--header "Content-Type: application/json" \\� \--data '{"data": {"hello": "world"}}' \\� http://127.0.0.1:8200/v1/kv/test-secret |
-| :---- |
+## Initialize and Unseal the OpenBao Development Server
-Then, to retrieve the secret, run the following:
+Once the OpenBao server is installed in the Kubernetes cluster, it must be initialized. The initialization generates the credentials needed to [unseal](https://openbao.org/docs/concepts/seal/#why) the server for use.
-| $ curl \-X GET \\� \--header "X-Vault-Token: \<ROOT TOKEN\>" \\� http://127.0.0.1:8200/v1/kv/test-secret | json\_pp { "auth" : null, "data" : { "data" : { "hello" : "world" } }, "lease\_duration" : 2764800, "lease\_id" : "", "renewable" : false, "request\_id" : "34b4f7cf-d6d0-b621-2eb5-b4e4d6cf4866", "warnings" : null, "wrap\_info" : null } |
-| :---- |
+1. To view all the currently configured OpenBao servers in your cluster, run the following:
-## Step 5: Configure for External Access
+ ```command
+ kubectl get pods -l app.kubernetes.io/name=openbao
+ ```
-To access the OpenBao server externally, rather than through Kubernetes port-forwarding, use a [LoadBalancer](https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/) service. Open the pod configuration for OpenBao: kubectl edit service openbao
+ There should only be one for the `standalone` profile. Notice that the `READY` count is `0`, indicating the server has not been initialized yet:
-Make the following change to the type field of the spec object, leaving the rest of the file unchanged:
+ ```output
+ NAME READY STATUS RESTARTS AGE
+ openbao-0 0/1 Running 0 4m20s
+ ```
-| spec:� type: LoadBalancer |
-| :---- |
+1. To initialize the server, run the following:
-Save the file and exit the editor. Then, wait for a public IP address to be supplied to the pod. Query for the IP address with the following command:
+ ```command
+ kubectl exec -ti openbao-0 -- bao operator init
+ ```
-| $ kubectl get service openbao� NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE�openbao LoadBalancer 10.128.183.178 172.233.166.52 8200:31782/TCP,8201:31560/TCP 29m |
-| :---- |
+ The output displays the key shares and the initial root key for the server:
-To test this connection, issue the curl command again to retrieve the previously stored secret, but change the IP address to the external one shown above, at port 8200. For example:
+ ```output
+ Unseal Key 1: amIfRt7lBrC0/x5mOtkyk9WvOF5IH6ycPEl8Gy4FnqTh
+ Unseal Key 2: mjUsz45ghgsExRS7l6m11u11CBhe6djQAJHcZ/uZkvOw
+ Unseal Key 3: CCl0vH8Ajw5Rrue6DIbI7nYNUCPQFoCva4Fn0GK7nu0K
+ Unseal Key 4: oqjxlFVel57HqcdqWGX1M7y9BndZ8c/Q0URw6r3cjABG
+ Unseal Key 5: WTEAz+IinG/H+kJ364ALIx2ubhyMh6TJqyDT2LCleyXI
-| $ curl \-X GET \\� \--header "X-Vault-Token: \<ROOT TOKEN\>" \\� http://172.233.166.52:8200/v1/kv/test-secret | json\_pp { "auth" : null, "data" : { "data" : { "hello" : "world" } }, "lease\_duration" : 2764800, "lease\_id" : "", "renewable" : false, "request\_id" : "18cb7adf-6235-bc34-6a6c-df9df6800eb7", "warnings" : null, "wrap\_info" : null } |
-| :---- |
+ Initial Root Token: s.aLWUBcxF6f1e2RVZ5pEsXwMe
+
+ Vault initialized with 5 key shares and a key threshold of 3. Please securely
+ distribute the key shares printed above. When the Vault is re-sealed,
+ restarted, or stopped, you must supply at least 3 of these keys to unseal it
+ before it can start servicing requests.
+
+ Vault does not store the generated root key. Without at least 3 keys to
+ reconstruct the root key, Vault will remain permanently sealed!
+
+ It is possible to generate new unseal keys, provided you have a quorum of
+ existing unseal keys shares. See "bao operator rekey" for more information.
+ ```
+
+ You must unseal the OpenBao server with the unseal keys provided until the key threshold is met. Unsealing must be done a total of three times, as this is the default quorum for OpenBao unsealing. Also take note of the Initial Root Token as it is needed in subsequent steps.
+
+1. Use the following command to begin unsealing the vault using one of the unseal keys:
+
+ ```command
+ kubectl exec -ti openbao-0 -- \
+ bao operator unseal amIfRt7lBrC0/x5mOtkyk9WvOF5IH6ycPEl8Gy4FnqTh
+ ```
+
+ ```output
+ Key Value
+ --- -----
+ Seal Type shamir
+ Initialized true
+ Sealed true
+ Total Shares 5
+ Threshold 3
+ Unseal Progress 1/3
+ Unseal Nonce 3521df43-fe19-7fa7-9a7c-9442dbe8de68
+ Version 2.2.0
+ Build Date 2025-03-05T13:07:08Z
+ Storage Type file
+ HA Enabled false
+ ```
+
+1. Unseal the vault again, but enter a different unseal key when prompted:
+
+ ```command
+ kubectl exec -ti openbao-0 -- \
+ bao operator unseal mjUsz45ghgsExRS7l6m11u11CBhe6djQAJHcZ/uZkvOw
+ ```
+
+ ```output
+ Key Value
+ --- -----
+ Seal Type shamir
+ Initialized true
+ Sealed true
+ Total Shares 5
+ Threshold 3
+ Unseal Progress 2/3
+ Unseal Nonce 3521df43-fe19-7fa7-9a7c-9442dbe8de68
+ Version 2.2.0
+ Build Date 2025-03-05T13:07:08Z
+ Storage Type file
+ HA Enabled false
+ ```
+
+1. Unseal the vault for the third and final time, using yet another unseal:
+
+ ```command
+ kubectl exec -ti openbao-0 -- \
+ bao operator unseal CCl0vH8Ajw5Rrue6DIbI7nYNUCPQFoCva4Fn0GK7nu0K
+ ```
+
+ After unsealing the vault with three different unseal keys, OpenBao should report the following status:
+
+ ```output
+ Key Value
+ --- -----
+ Seal Type shamir
+ Initialized true
+ Sealed false
+ Total Shares 5
+ Threshold 3
+ Version 2.2.0
+ Build Date 2025-03-05T13:07:08Z
+ Storage Type file
+ Cluster Name vault-cluster-7d68e84b
+ Cluster ID 07352961-8d7e-edeb-7757-74d04b221500
+ HA Enabled false
+ ```
+
+ The vault has now been initialized and unsealed.
+
+1. After unsealing, verify that the pod is now ready:
+
+ ```command
+ kubectl get pods -l app.kubernetes.io/name=openbao
+ ```
+
+ After the OpenBao server is unsealed, its pod should also report as `READY`:
+
+ ```output
+ NAME READY STATUS RESTARTS AGE
+ openbao-0 1/1 Running 0 11m
+ ```
+
+ The OpenBao server is now ready for testing.
+
+## Test the OpenBao Development Server
+
+1. To test the connection directly through the Kubernetes cluster, forward port `8200` from the cluster to your `localhost` with the following:
+
+ ```command
+ kubectl port-forward openbao-0 8200:8200
+ ```
+
+ ```output
+ Forwarding from 127.0.0.1:8200 -> 8200
+ Forwarding from [::1]:8200 -> 8200
+ ```
+
+1. Open a new terminal window. Set the following environment variable so that the OpenBao CLI looks to the forwarded port on `localhost`.
+
+ ```command
+ export BAO_ADDR=http://127.0.0.1:8200
+ ```
+
+1. Use the `bao login` command with the initial root token provided upon vault initialization to log in to the OpenBao server on the LKE cluster:
+
+ ```command
+ bao login -method=token {{< placeholder "INITIAL_ROOT_TOKEN" >}}
+ ```
+
+ ```output
+ Success! You are now authenticated. The token information displayed below is
+ already stored in the token helper. You do NOT need to run "bao login" again.
+ Future OpenBao requests will automatically use this token.
+
+ Key Value
+ --- -----
+ token s.aLWUBcxF6f1e2RVZ5pEsXwMe
+ token_accessor zOoW9kLqFjYtZuEZM2UOfn1d
+ token_duration ∞
+ token_renewable false
+ token_policies ["root"]
+ identity_policies []
+ policies ["root"]
+ ```
+
+1. Enable the key/value store in the server:
+
+ ```command
+ bao secrets enable kv
+ ```
+
+ ```output
+ Success! Enabled the kv secrets engine at: kv/
+ ```
+
+1. Use cURL to test storing and retrieving secrets from the OpenBao server. Store a secret with the following command, providing your actual initial root token in place of {{< placeholder "INITIAL_ROOT_TOKEN" >}}:
+
+ ```command
+ curl -X POST \
+ --header "X-Vault-Token: {{< placeholder "INITIAL_ROOT_TOKEN" >}}" \
+ --header "Content-Type: application/json" \
+ --data '{"data": {"hello": "world"}}' \
+ http://127.0.0.1:8200/v1/kv/test-secret
+ ```
+
+1. Run the following cURL to retrieve the secret:
+
+ ```command
+ curl -X GET \
+ --header "X-Vault-Token: {{< placeholder "INITIAL_ROOT_TOKEN" >}}" \
+ http://127.0.0.1:8200/v1/kv/test-secret | json_pp
+ ```
+
+ ```output
+ {
+ "auth" : null,
+ "data" : {
+ "data" : {
+ "hello" : "world"
+ }
+ },
+ "lease_duration" : 2764800,
+ "lease_id" : "",
+ "renewable" : false,
+ "request_id" : "2bfd095a-924f-4d2e-abcc-99ebbca045b5",
+ "warnings" : null,
+ "wrap_info" : null
+ }
+ ```
+
+1. When done, you can close the second terminal session.
+
+1. Return to the original terminal session and press <kbd>Ctrl</kbd>+<kbd>C</kbd> to stop port forwarding.
+
+## Configure OpenBao for External Access
+
+To access the OpenBao server externally, rather than through Kubernetes port-forwarding, use a [LoadBalancer](https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/) service.
+
+1. Open the pod configuration for OpenBao:
+
+ ```command
+ kubectl edit service openbao
+ ```
+
+ By default, the OpenBao service is created as a `ClusterIP`. To expose it externally, change the service type to `LoadBalancer`. Press the <kbd>I</kbd> key to edit the file, and make the following change, leaving the rest of the file unchanged:
+
+ ```file {hl_lines="44"}
+ # Please edit the object below. Lines beginning with a '#' will be ignored,
+ # and an empty file will abort the edit. If an error occurs while saving this file will be
+ # reopened with the relevant failures.
+ #
+ apiVersion: v1
+ kind: Service
+ metadata:
+ annotations:
+ meta.helm.sh/release-name: openbao
+ meta.helm.sh/release-namespace: default
+ creationTimestamp: "2025-04-28T18:12:12Z"
+ labels:
+ app.kubernetes.io/instance: openbao
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: openbao
+ helm.sh/chart: openbao-0.12.0
+ name: openbao
+ namespace: default
+ resourceVersion: "7082"
+ uid: 6e1cb14b-a108-466f-ac77-ddc9c63519ff
+ spec:
+ clusterIP: 10.128.82.244
+ clusterIPs:
+ - 10.128.82.244
+ internalTrafficPolicy: Cluster
+ ipFamilies:
+ - IPv4
+ ipFamilyPolicy: SingleStack
+ ports:
+ - name: http
+ port: 8200
+ protocol: TCP
+ targetPort: 8200
+ - name: https-internal
+ port: 8201
+ protocol: TCP
+ targetPort: 8201
+ publishNotReadyAddresses: true
+ selector:
+ app.kubernetes.io/instance: openbao
+ app.kubernetes.io/name: openbao
+ component: server
+ sessionAffinity: None
+ type: LoadBalancer
+ status:
+ loadBalancer: {}
+ ```
+
+ When done, press the <kbd>ESC</kbd> to exit edit mode, followed by `:wq` to save the changes and exit.
+
+ ```output
+ service/openbao edited
+ ```
+
+1. Wait for a public IP address to be supplied to the pod, then query for the IP address with the following command:
+
+ ```command
+ kubectl get service openbao
+ ```
+
+ ```output
+ NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
+ openbao LoadBalancer 10.128.154.209 172.233.167.79 8200:31550/TCP,8201:32438/TCP 47m
+ ```
+
+1. To test this connection, issue the `curl` command again to retrieve the previously stored secret, but change the IP address to the external one shown above, at port `8200`. For example:
+
+ ```command
+ curl -X GET \
+ --header "X-Vault-Token: {{< placeholder "INITIAL_ROOT_TOKEN" >}}" \
+ http://{{< placeholder "EXTERNAL_IP_ADDRESS" >}}:8200/v1/kv/test-secret | json_pp
+ ```
+
+ ```output
+ {
+ "auth" : null,
+ "data" : {
+ "data" : {
+ "hello" : "world"
+ }
+ },
+ "lease_duration" : 2764800,
+ "lease_id" : "",
+ "renewable" : false,
+ "request_id" : "8603ab17-1810-f63d-13c5-fc044cb4c101",
+ "warnings" : null,
+ "wrap_info" : null
+ }
+ ```
## Additional Considerations for Production Deployments
When deploying OpenBao to a production-grade Kubernetes cluster, consider the following additional points.
-### Auto-unseal in a clustered environment
+### Auto-Unseal in a Clustered Environment
-Kubernetes facilitates auto-unseal mechanisms by integrating cloud-based key management systems (such as AWS KMS, GCP KMS, or Azure Key Vault). Store unsealable keys securely in a Kubernetes Secret object encrypted by a separate key management system or similar mechanism. This ensures the OpenBao vault remains sealed until securely auto-unsealed by Kubernetes on pod startup.
+Kubernetes facilitates auto-unseal mechanisms by integrating cloud-based key management systems (such as AWS KMS, GCP KMS, or Azure Key Vault). Store the unseal keys securely in a Kubernetes Secret object encrypted by a separate key management system or similar mechanism. This ensures the OpenBao vault remains sealed until securely auto-unsealed by Kubernetes on pod startup.
-With auto-unseal in place, manual unsealing as demonstrated above becomes unnecessary. Kubernetes will handle this for you in a secure, automated way.
+With auto-unseal enabled, Kubernetes can automatically unseal OpenBao when pods start, removing the need for manual unseal operations (as demonstrated above).
-### High-availability mode
+### High-Availability Mode
-To achieve high availability, first [enable the high availability control plane for LKE](https://techdocs.akamai.com/cloud-computing/docs/high-availability-ha-control-plane-on-lke). Then, deploy OpenBao in a stateful set with multiple replicas. You will need:
+To achieve high availability, [enable the high availability control plane for LKE](https://techdocs.akamai.com/cloud-computing/docs/high-availability-ha-control-plane-on-lke) then deploy OpenBao in a stateful set with multiple replicas. To do this, you need:
-* A distributed storage backend (such as HashiCorp Consul or PostgreSQL) that supports clustering.
-* A Kubernetes StatefulSet for stable network identities and persistent storage.
+- A distributed, highly available storage backend (such as HashiCorp Consul or PostgreSQL) that supports concurrent access across replicas.
+- A Kubernetes StatefulSet for stable network identities and persistent storage.
The [OpenBao Helm chart](https://github.com/openbao/openbao-helm/blob/main/charts/openbao/README.md) has options for configuring a high-availability profile. To use upon installation, run the following:
-| $ helm install openbao openbao/openbao \--set "server.ha.enabled=true" |
-| :---- |
-
-This will automatically set up multiple OpenBao servers in your LKE cluster, all with an integrated storage backend.
+```command
+helm install openbao openbao/openbao --set "server.ha.enabled=true"
+```
-See the official documentation for [an example](https://openbao.org/docs/platform/k8s/helm/run/#config-example) usage of this Helm configuration.
+This automatically sets up multiple OpenBao servers in your LKE cluster, all configured to share a common, replicated storage backend. See the official documentation for [an example](https://openbao.org/docs/platform/k8s/helm/run/#config-example) usage of this Helm configuration.
-### Separate configurations from secrets
+### Separate Configurations from Secrets
-Store the non-sensitive information for an OpenBao configuration in a Kubernetes [ConfigMap](https://kubernetes.io/docs/concepts/configuration/configmap/). Then, separately, store sensitive information—such as root tokens and unseal keys—as Kubernetes [Secrets](https://kubernetes.io/docs/concepts/configuration/secret/). Ensure Secrets are encrypted at rest and avoid exposing them in logs or environment variables.
+Store the non-sensitive information for an OpenBao configuration in a Kubernetes [ConfigMap](https://kubernetes.io/docs/concepts/configuration/configmap/). Separately store sensitive information (e.g. root tokens and unseal keys) as Kubernetes [Secrets](https://kubernetes.io/docs/concepts/configuration/secret/). Encrypt all Kubernetes Secrets at rest, and avoid exposing them in logs or environment variables.
-### Secure the LKE cluster network
+### Secure the LKE Cluster Network
Harden the network for your LKE cluster by taking the following measures:
-* Encrypting all traffic to and from OpenBao using TLS.
-* Using Kubernetes Secrets to store TLS certificates and private keys securely.
-* Validating certificates to prevent man-in-the-middle attacks.
-* Enforcing secure communication between OpenBao and its clients.
+- Encrypt all traffic to and from OpenBao using TLS.
+- Use Kubernetes Secrets to store TLS certificates and private keys securely.
+- Validate certificates to prevent man-in-the-middle attacks.
+- Enforce secure communication between OpenBao and its clients.
-### Restricting access to OpenBao
+### Restrict Access to OpenBao
-Use Kubernetes [NetworkPolicies](https://kubernetes.io/docs/concepts/services-networking/network-policies/) to restrict access to the OpenBao service. Reduce the attack surface by denying all incoming traffic by default. Then, explicitly allow only required communication paths. Policies should limit the source of ingress traffic to trusted pods, namespaces, or IP ranges.
+Use Kubernetes [NetworkPolicies](https://kubernetes.io/docs/concepts/services-networking/network-policies/) to restrict access to the OpenBao service. Reduce the attack surface by denying all incoming traffic by default. Explicitly allow only required communication paths. Policies should limit the source of ingress traffic to trusted pods, namespaces, or IP ranges.
Deploy the OpenBao management UI only when necessary. If using the UI, secure access to it by integrating it with Kubernetes [RBAC](https://kubernetes.io/docs/reference/access-authn-authz/rbac/), [OpenID Connect (OIDC)](https://kubernetes.io/docs/concepts/security/hardening-guide/authentication-mechanisms/#openid-connect-token-authentication), or an external authentication gateway. Limit access to specific IP ranges or authenticated users to prevent unauthorized access.
\ No newline at end of file
From c7d168b2458db148a2586719c2e2a07ac3e12f05 Mon Sep 17 00:00:00 2001
From: Adam Overa <adamovera@protonmail.com>
Date: Wed, 30 Apr 2025 18:19:22 -0400
Subject: [PATCH 3/6] Tech Edit 2
---
.../index.md | 9 ++++-----
1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/docs/guides/security/secrets-management/deploying-openbao-on-kubernetes-with-linode-lke/index.md b/docs/guides/security/secrets-management/deploying-openbao-on-kubernetes-with-linode-lke/index.md
index 39337def117..e2062f7a4e9 100644
--- a/docs/guides/security/secrets-management/deploying-openbao-on-kubernetes-with-linode-lke/index.md
+++ b/docs/guides/security/secrets-management/deploying-openbao-on-kubernetes-with-linode-lke/index.md
@@ -1,6 +1,6 @@
---
slug: deploying-openbao-on-kubernetes-with-linode-lke
-title: "Deploying OpenBao on Kubernetes With Linode LKE"
+title: "Deploying OpenBao on Kubernetes with Akamai Cloud LKE"
description: "Learn to deploy and manage OpenBao on Linode Kubernetes Engine (LKE) using Helm. This guide covers setup, unsealing, testing, and production best practices."
authors: ["Akamai"]
contributors: ["Akamai"]
@@ -128,9 +128,8 @@ To access your cluster, fetch the cluster credentials in the form of a `kubeconf
1. Use the following command to retrieve the cluster’s ID:
```command
- CLUSTER_ID=$(linode lke clusters-list --json | \
- jq -r \
- '.[] | select(.label == "openbao-cluster") | .id')
+ CLUSTER_ID=$(linode lke clusters-list --json | jq -r \
+ '.[] | select(.label == "openbao-cluster") | .id')
```
1. Create a hidden `.kube` folder in your user’s home directory:
@@ -178,7 +177,7 @@ To access your cluster, fetch the cluster credentials in the form of a `kubeconf
[Helm](https://helm.sh/) is a package manager for Kubernetes that simplifies application deployment via *charts*. The OpenBao development team maintains an official [Helm chart](https://github.com/openbao/openbao-helm), which is the recommended method for deploying OpenBao on Kubernetes.
-By default, this Helm chart installs OpenBao in *standalone mode*, which sets up a single server with a file storage backend. This profile is useful for testing. However, production-ready profiles are available in this chart, including a development server and high-availability cluster. See the [OpenBao Helm README](https://github.com/openbao/openbao-helm/blob/main/charts/openbao/README.md) for more information.
+By default, this Helm chart installs OpenBao in *standalone mode*, which sets up a single server with a file storage backend. This profile is useful for testing, but other profiles are available in this chart (e.g. development server, high-availability cluster). See the [OpenBao Helm README](https://github.com/openbao/openbao-helm/blob/main/charts/openbao/README.md) for more information.
1. Add the OpenBao chart repository to your local Helm installation:
From 5f766312e9b322594226122c97d879a80e6a77ab Mon Sep 17 00:00:00 2001
From: Adam Overa <adamovera@protonmail.com>
Date: Thu, 1 May 2025 08:53:32 -0400
Subject: [PATCH 4/6] Tech Edit 3
---
.../deploying-openbao-on-kubernetes-with-linode-lke/index.md | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/docs/guides/security/secrets-management/deploying-openbao-on-kubernetes-with-linode-lke/index.md b/docs/guides/security/secrets-management/deploying-openbao-on-kubernetes-with-linode-lke/index.md
index e2062f7a4e9..ac6e32bfa18 100644
--- a/docs/guides/security/secrets-management/deploying-openbao-on-kubernetes-with-linode-lke/index.md
+++ b/docs/guides/security/secrets-management/deploying-openbao-on-kubernetes-with-linode-lke/index.md
@@ -1,10 +1,10 @@
---
slug: deploying-openbao-on-kubernetes-with-linode-lke
-title: "Deploying OpenBao on Kubernetes with Akamai Cloud LKE"
+title: "Deploy OpenBao on Linode Kubernetes Engine"
description: "Learn to deploy and manage OpenBao on Linode Kubernetes Engine (LKE) using Helm. This guide covers setup, unsealing, testing, and production best practices."
authors: ["Akamai"]
contributors: ["Akamai"]
-published: 2025-04-30
+published: 2025-05-01
keywords: ['openbao','openbao kubernetes deployment','install openbao on linode','openbao lke','linode kubernetes engine openbao','helm openbao chart','initialize openbao','unseal openbao kubernetes','openbao on akamai cloud','openbao cluster setup','openbao helm install guide','deploy openbao on kubernetes']
license: '[CC BY-ND 4.0](https://creativecommons.org/licenses/by-nd/4.0)'
external_resources:
From 23a6c6b2aef3db5ed8eb732e54a2df4a390e565e Mon Sep 17 00:00:00 2001
From: Adam Overa <adamovera@protonmail.com>
Date: Thu, 1 May 2025 09:02:02 -0400
Subject: [PATCH 5/6] Title Change 1
---
.../index.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
rename docs/guides/security/secrets-management/{deploying-openbao-on-kubernetes-with-linode-lke => deploy-openbao-on-linode-kubernetes-engine}/index.md (99%)
diff --git a/docs/guides/security/secrets-management/deploying-openbao-on-kubernetes-with-linode-lke/index.md b/docs/guides/security/secrets-management/deploy-openbao-on-linode-kubernetes-engine/index.md
similarity index 99%
rename from docs/guides/security/secrets-management/deploying-openbao-on-kubernetes-with-linode-lke/index.md
rename to docs/guides/security/secrets-management/deploy-openbao-on-linode-kubernetes-engine/index.md
index ac6e32bfa18..2403c0199ff 100644
--- a/docs/guides/security/secrets-management/deploying-openbao-on-kubernetes-with-linode-lke/index.md
+++ b/docs/guides/security/secrets-management/deploy-openbao-on-linode-kubernetes-engine/index.md
@@ -1,5 +1,5 @@
---
-slug: deploying-openbao-on-kubernetes-with-linode-lke
+slug: deploy-openbao-on-linode-kubernetes-engine
title: "Deploy OpenBao on Linode Kubernetes Engine"
description: "Learn to deploy and manage OpenBao on Linode Kubernetes Engine (LKE) using Helm. This guide covers setup, unsealing, testing, and production best practices."
authors: ["Akamai"]
From 74ef0e100b53ec6a61ec230f6b533e4eeb0b63ab Mon Sep 17 00:00:00 2001
From: jddocs <jdutton@akamai.com>
Date: Wed, 7 May 2025 15:22:15 -0400
Subject: [PATCH 6/6] copy edits
---
.../index.md | 74 +++++++++++--------
1 file changed, 42 insertions(+), 32 deletions(-)
diff --git a/docs/guides/security/secrets-management/deploy-openbao-on-linode-kubernetes-engine/index.md b/docs/guides/security/secrets-management/deploy-openbao-on-linode-kubernetes-engine/index.md
index 2403c0199ff..dc45b841f44 100644
--- a/docs/guides/security/secrets-management/deploy-openbao-on-linode-kubernetes-engine/index.md
+++ b/docs/guides/security/secrets-management/deploy-openbao-on-linode-kubernetes-engine/index.md
@@ -4,7 +4,7 @@ title: "Deploy OpenBao on Linode Kubernetes Engine"
description: "Learn to deploy and manage OpenBao on Linode Kubernetes Engine (LKE) using Helm. This guide covers setup, unsealing, testing, and production best practices."
authors: ["Akamai"]
contributors: ["Akamai"]
-published: 2025-05-01
+published: 2025-05-07
keywords: ['openbao','openbao kubernetes deployment','install openbao on linode','openbao lke','linode kubernetes engine openbao','helm openbao chart','initialize openbao','unseal openbao kubernetes','openbao on akamai cloud','openbao cluster setup','openbao helm install guide','deploy openbao on kubernetes']
license: '[CC BY-ND 4.0](https://creativecommons.org/licenses/by-nd/4.0)'
external_resources:
@@ -12,13 +12,15 @@ external_resources:
- '[Helm](https://helm.sh/)'
---
-This guide walks through how to deploy [OpenBao on Kubernetes](https://openbao.org/docs/platform/k8s/) with Akamai Cloud Linode Kubernetes Engine (LKE) using the [OpenBao Helm chart](https://github.com/openbao/openbao-helm).
+[OpenBao](https://openbao.org/) is an open source secrets management solution and fork of HashiCorp Vault. This guide walks through how to deploy [OpenBao on Kubernetes](https://openbao.org/docs/platform/k8s/) with Linode Kubernetes Engine (LKE) on Akamai Cloud using the [OpenBao Helm chart](https://github.com/openbao/openbao-helm).
+
+If you prefer a one-click, single-instance deployment, see our [OpenBao Marketplace app](/docs/marketplace-docs/guides/openbao/).
## Before You Begin
-1. Follow our [Getting Started](https://techdocs.akamai.com/cloud-computing/docs/getting-started) guide, and create an Akamai Cloud account if you do not already have one.
+1. Follow our [Get Started](https://techdocs.akamai.com/cloud-computing/docs/getting-started) guide, and create an Akamai Cloud account if you do not already have one.
-1. Create a personal access token using the instructions in our [Manage personal access tokens](https://techdocs.akamai.com/cloud-computing/docs/manage-personal-access-tokens) guide.
+1. Create an API token with proper permissions using the instructions in our [Manage personal access tokens](https://techdocs.akamai.com/cloud-computing/docs/manage-personal-access-tokens) guide.
1. Install the Linode CLI using the instructions in our [Install and configure the CLI](https://techdocs.akamai.com/cloud-computing/docs/install-and-configure-the-cli) guide.
@@ -34,9 +36,11 @@ This guide is written for a non-root user. Commands that require elevated privil
## Provision an LKE Cluster
-While there are several ways to create a Kubernetes cluster on Akamai Cloud, this guide uses the [Linode CLI](https://github.com/linode/linode-cli) to provision resources.
+While there are several ways to create a Kubernetes cluster on Akamai Cloud, this tutorial uses the [Linode CLI](https://github.com/linode/linode-cli) to provision resources.
+
+See our [Create a cluster](https://techdocs.akamai.com/cloud-computing/docs/create-a-cluster) guide for instructions on provisioning an LKE cluster using Cloud Manager.
-1. Use the Linode CLI (`linode-cli`) to see available Kubernetes versions:
+1. Using the Linode CLI (`linode-cli`), list available Kubernetes versions:
```command
linode-cli lke versions-list
@@ -54,13 +58,13 @@ While there are several ways to create a Kubernetes cluster on Akamai Cloud, thi
It’s generally recommended to provision the latest version of Kubernetes unless specific requirements dictate otherwise.
-1. Use the following command to list available Akamai Cloud plans, including plan ID, pricing, and performance details. For more detailed pricing information, see [Akamai Cloud: Pricing](https://www.linode.com/pricing/):
+1. Use the following command to list available Akamai Cloud plans, including plan ID, pricing, and performance details. For more detailed plan and pricing information, see [Akamai Cloud: Pricing](https://www.linode.com/pricing/):
```command
linode-cli linodes types
```
-1. The examples in this guide use the **g6-standard-2** Linode, which features two CPU cores and 4 GB of memory. Run the following command to display detailed information in JSON for this Akamai Cloud plan:
+1. The examples in this guide use the **g6-standard-2** Linode, which features 2 CPU cores and 4 GB of memory. Run the following command to display detailed information in JSON for this Akamai Cloud plan:
```command
linode-cli linodes types --label "Linode 4GB" --json --pretty
@@ -86,19 +90,19 @@ While there are several ways to create a Kubernetes cluster on Akamai Cloud, thi
]
```
-1. View available regions with the `regions list` command:
+1. View available regions with the `regions list` command. See our [Region Availability](https://www.linode.com/global-infrastructure/availability/) page for a complete list of compute regions and region IDs:
```command
linode-cli regions list
```
-1. After selecting a Kubernetes version and Linode type, use the following command to create a cluster named `openbao-cluster` in the `us-mia` (Miami, FL) region with three nodes and auto-scaling. Replace `openbao-cluster` and `us-mia` with a cluster label and region of your choosing, respectively:
+1. After selecting a Kubernetes version and Linode instance type, use the following command to create a cluster named `openbao-cluster` in the `us-mia` (Miami, FL) region with three nodes and auto-scaling. Replace `{{< placeholder "openbao-cluster" >}}` and `{{< placeholder "us-mia" >}}` with a cluster label and region of your choosing, respectively:
```command
linode lke cluster-create \
- --label openbao-cluster \
+ --label {{< placeholder "openbao-cluster" >}} \
--k8s_version 1.32 \
- --region us-mia \
+ --region {{< placeholder "us-mia" >}} \
--node_pools '[{
"type": "g6-standard-2",
"count": 3,
@@ -132,7 +136,7 @@ To access your cluster, fetch the cluster credentials in the form of a `kubeconf
'.[] | select(.label == "openbao-cluster") | .id')
```
-1. Create a hidden `.kube` folder in your user’s home directory:
+1. On your workstation, create a hidden `.kube` folder in your user’s home directory:
```command
mkdir ~/.kube
@@ -146,7 +150,7 @@ To access your cluster, fetch the cluster credentials in the form of a `kubeconf
base64 --decode > ~/.kube/lke-config
```
-1. After saving the `kubeconfig` file, access your cluster by specifying the file with `kubectl`:
+1. After saving the `kubeconfig` file, confirm access to your cluster by checking the status of your cluster nodes with `kubectl` and specifying the file name:
```command
kubectl get no --kubeconfig ~/.kube/lke-config
@@ -175,7 +179,7 @@ To access your cluster, fetch the cluster credentials in the form of a `kubeconf
## Set Up OpenBao on LKE
-[Helm](https://helm.sh/) is a package manager for Kubernetes that simplifies application deployment via *charts*. The OpenBao development team maintains an official [Helm chart](https://github.com/openbao/openbao-helm), which is the recommended method for deploying OpenBao on Kubernetes.
+[Helm](https://helm.sh/) is a package manager for Kubernetes that simplifies application deployment via [*charts*](https://helm.sh/docs/topics/charts/). The OpenBao development team maintains an official [Helm chart](https://github.com/openbao/openbao-helm) and is the recommended method for deploying OpenBao on Kubernetes.
By default, this Helm chart installs OpenBao in *standalone mode*, which sets up a single server with a file storage backend. This profile is useful for testing, but other profiles are available in this chart (e.g. development server, high-availability cluster). See the [OpenBao Helm README](https://github.com/openbao/openbao-helm/blob/main/charts/openbao/README.md) for more information.
@@ -222,7 +226,7 @@ By default, this Helm chart installs OpenBao in *standalone mode*, which sets up
helm get manifest openbao
```
- This returns all the YAML configuration files for the newly deployed OpenBao system, which is useful for inspecting the system’s initial configuration data.
+ This returns all the YAML configuration files for the newly deployed OpenBao system, which can be useful for inspecting the system’s initial configuration data.
{{< note title="Customize the Installation" >}}
To override any of these configuration options at installation time, use the `--set` command line argument when installing the Helm chart, for example:
@@ -240,7 +244,7 @@ By default, this Helm chart installs OpenBao in *standalone mode*, which sets up
## Initialize and Unseal the OpenBao Development Server
-Once the OpenBao server is installed in the Kubernetes cluster, it must be initialized. The initialization generates the credentials needed to [unseal](https://openbao.org/docs/concepts/seal/#why) the server for use.
+Once the OpenBao server is installed on the Kubernetes cluster, it must be initialized. The initialization generates the credentials needed to [unseal](https://openbao.org/docs/concepts/seal/#why) the server for use.
1. To view all the currently configured OpenBao servers in your cluster, run the following:
@@ -248,7 +252,7 @@ Once the OpenBao server is installed in the Kubernetes cluster, it must be initi
kubectl get pods -l app.kubernetes.io/name=openbao
```
- There should only be one for the `standalone` profile. Notice that the `READY` count is `0`, indicating the server has not been initialized yet:
+ There should only be one pod for the `standalone` profile. Notice that the `READY` count is `0`, indicating the server has not been initialized yet:
```output
NAME READY STATUS RESTARTS AGE
@@ -261,7 +265,7 @@ Once the OpenBao server is installed in the Kubernetes cluster, it must be initi
kubectl exec -ti openbao-0 -- bao operator init
```
- The output displays the key shares and the initial root key for the server:
+ The output displays the `Unseal Key` shares and the `Initial Root Token` for the server:
```output
Unseal Key 1: amIfRt7lBrC0/x5mOtkyk9WvOF5IH6ycPEl8Gy4FnqTh
@@ -284,7 +288,9 @@ Once the OpenBao server is installed in the Kubernetes cluster, it must be initi
existing unseal keys shares. See "bao operator rekey" for more information.
```
- You must unseal the OpenBao server with the unseal keys provided until the key threshold is met. Unsealing must be done a total of three times, as this is the default quorum for OpenBao unsealing. Also take note of the Initial Root Token as it is needed in subsequent steps.
+ You must unseal the OpenBao server with the unseal keys provided until the key threshold is met. Unsealing must be done a **total of three times**, as this is the default quorum for the OpenBao unsealing process.
+
+ Take note of the `Initial Root Token` as it is needed in subsequent steps.
1. Use the following command to begin unsealing the vault using one of the unseal keys:
@@ -332,7 +338,7 @@ Once the OpenBao server is installed in the Kubernetes cluster, it must be initi
HA Enabled false
```
-1. Unseal the vault for the third and final time, using yet another unseal:
+1. Unseal the vault for the third and final time, using yet another unseal key:
```command
kubectl exec -ti openbao-0 -- \
@@ -365,7 +371,7 @@ Once the OpenBao server is installed in the Kubernetes cluster, it must be initi
kubectl get pods -l app.kubernetes.io/name=openbao
```
- After the OpenBao server is unsealed, its pod should also report as `READY`:
+ After the OpenBao server is unsealed, the pod should also report as `READY`:
```output
NAME READY STATUS RESTARTS AGE
@@ -376,7 +382,7 @@ Once the OpenBao server is installed in the Kubernetes cluster, it must be initi
## Test the OpenBao Development Server
-1. To test the connection directly through the Kubernetes cluster, forward port `8200` from the cluster to your `localhost` with the following:
+1. To test the connection directly through the Kubernetes cluster, forward port `8200` from the cluster to your `localhost` with the following command:
```command
kubectl port-forward openbao-0 8200:8200
@@ -387,13 +393,13 @@ Once the OpenBao server is installed in the Kubernetes cluster, it must be initi
Forwarding from [::1]:8200 -> 8200
```
-1. Open a new terminal window. Set the following environment variable so that the OpenBao CLI looks to the forwarded port on `localhost`.
+1. With port forwarding enabled and active, open a separate terminal window. Set the following environment variable so that the OpenBao CLI looks to the forwarded port on `localhost`.
```command
export BAO_ADDR=http://127.0.0.1:8200
```
-1. Use the `bao login` command with the initial root token provided upon vault initialization to log in to the OpenBao server on the LKE cluster:
+1. While in the new terminal session, use the `bao login` command with the `Initial Root Token` provided upon vault initialization to log in to the OpenBao server on the LKE cluster:
```command
bao login -method=token {{< placeholder "INITIAL_ROOT_TOKEN" >}}
@@ -425,7 +431,9 @@ Once the OpenBao server is installed in the Kubernetes cluster, it must be initi
Success! Enabled the kv secrets engine at: kv/
```
-1. Use cURL to test storing and retrieving secrets from the OpenBao server. Store a secret with the following command, providing your actual initial root token in place of {{< placeholder "INITIAL_ROOT_TOKEN" >}}:
+1. Use cURL to test storing and retrieving secrets from the OpenBao server. Store a secret with the following command, replacing {{< placeholder "INITIAL_ROOT_TOKEN" >}} with your `Initial Root Token` value.
+
+ In the example below, the secret stored is represented under the `--data` field as `"hello"` and `"world"`:
```command
curl -X POST \
@@ -435,7 +443,7 @@ Once the OpenBao server is installed in the Kubernetes cluster, it must be initi
http://127.0.0.1:8200/v1/kv/test-secret
```
-1. Run the following cURL to retrieve the secret:
+1. Run the following cURL command to retrieve the secret, once again using your `Initial Root Token` as verification:
```command
curl -X GET \
@@ -460,13 +468,15 @@ Once the OpenBao server is installed in the Kubernetes cluster, it must be initi
}
```
+ If successful, you should see the secret data `"hello"` and `"world"` as displayed above.
+
1. When done, you can close the second terminal session.
-1. Return to the original terminal session and press <kbd>Ctrl</kbd>+<kbd>C</kbd> to stop port forwarding.
+1. In the original terminal session, press <kbd>Ctrl</kbd>+<kbd>C</kbd> to stop port forwarding.
## Configure OpenBao for External Access
-To access the OpenBao server externally, rather than through Kubernetes port-forwarding, use a [LoadBalancer](https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/) service.
+To access the OpenBao server externally rather than through Kubernetes port-forwarding, use a [LoadBalancer](https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/) service.
1. Open the pod configuration for OpenBao:
@@ -474,7 +484,7 @@ To access the OpenBao server externally, rather than through Kubernetes port-for
kubectl edit service openbao
```
- By default, the OpenBao service is created as a `ClusterIP`. To expose it externally, change the service type to `LoadBalancer`. Press the <kbd>I</kbd> key to edit the file, and make the following change, leaving the rest of the file unchanged:
+ By default, the OpenBao service is created as a `ClusterIP`. To expose it externally, change the service type to `LoadBalancer`. Press the <kbd>I</kbd> key to edit the file, and make the following change (see Line 44), leaving the rest of the file unchanged:
```file {hl_lines="44"}
# Please edit the object below. Lines beginning with a '#' will be ignored,
@@ -542,7 +552,7 @@ To access the OpenBao server externally, rather than through Kubernetes port-for
openbao LoadBalancer 10.128.154.209 172.233.167.79 8200:31550/TCP,8201:32438/TCP 47m
```
-1. To test this connection, issue the `curl` command again to retrieve the previously stored secret, but change the IP address to the external one shown above, at port `8200`. For example:
+1. To test this connection, issue the `curl` command again to retrieve the previously stored secret, changing the {{< placeholder "EXTERNAL_IP_ADDRESS" >}} field to the external one shown above (under `EXTERNAL-IP`), at port `8200`. For example:
```command
curl -X GET \
@@ -569,7 +579,7 @@ To access the OpenBao server externally, rather than through Kubernetes port-for
## Additional Considerations for Production Deployments
-When deploying OpenBao to a production-grade Kubernetes cluster, consider the following additional points.
+When deploying OpenBao to a Kubernetes cluster for production-grade workloads, consider the following additional points.
### Auto-Unseal in a Clustered Environment