OpenBao
OpenBao is a managed secrets-management service deployed on a dedicated k0s cluster within the customer's VPC. It provides a fully isolated OpenBao API and UI for storing and accessing secrets, certificates, and dynamic credentials.
OpenBao is the open-source community fork of HashiCorp Vault and is wire-compatible with Vault, so existing Vault clients, tooling, and workflows continue to work without modification.
Key Features
- Dedicated deployment — Each customer gets a fully isolated OpenBao cluster on dedicated k0s infrastructure inside their VPC
- Customer admin access — Customer receives an OpenBao admin account; policies, auth methods, secrets engines, and tokens are fully customer-managed
- High availability — Raft-backed HA with 3–5 replicas, or single-instance for non-production
- VPC-native reachability — OpenBao can reach any resource in the customer's VPC and is consumable as an API by any service in that VPC
- Auto-unseal — Cluster is configured to unseal automatically; no manual unseal required after restarts
- Custom domains — Use your own domain with automated TLS certificates via cert-manager
- Vault-compatible — Drop-in replacement for HashiCorp Vault clients and SDKs
Architecture
| Component | Technology |
|---|---|
| Application | OpenBao |
| Storage backend | Integrated Raft |
| Persistence | NetApp NVMe (default) |
| Cluster | k0s on OpenStack via k0smotron |
| Ingress | F5 NGINX Ingress Controller |
| Certificates | cert-manager with Let's Encrypt |
| Backup | Velero (cluster) |
Backup
- Cluster-level: Velero-based backups with configurable schedule and retention (default daily, 31-day retention)
Available Node Configurations
| Configuration | Specifications |
|---|---|
| OpenBao Node | 2 CPU, 8 GB RAM, 200 GB Data Disk |
| OpenBao Node | 4 CPU, 16 GB RAM, 500 GB Data Disk |
| OpenBao Node | 8 CPU, 32 GB RAM, 1,000 GB Data Disk |