OpenBao — Service Terms

Version 1.0 — April 2026

These Service Terms are an integral part of the NeoCloud Master Agreement and define the specific terms for the Managed OpenBao service.

1. Service Description

The Managed OpenBao service provides a dedicated OpenBao API and UI deployed on a k0s cluster inside the customer's VPC. The customer receives an OpenBao admin account and has full control over the OpenBao configuration; Nebul operates the underlying infrastructure.

Included Features

Dedicated OpenBao cluster per customer, deployed in the customer's VPC
HashiCorp Vault wire-compatible API (drop-in for existing Vault clients and SDKs)
High-availability deployment with integrated Raft storage (3–5 replicas) or single-instance
Customer-managed policies, auth methods, secrets engines, and tokens
Auto-unseal configured and operated by Nebul
Reachability to any resource within the customer's VPC
Custom domain with TLS via cert-manager
Velero cluster-level backups

2. Pricing Dimensions

Dimension	Unit	Description
Cluster	Per cluster / month	Based on number of worker nodes and VM flavor
Storage	Per GB / month	Persistent storage for OpenBao data

Refer to the NeoCloud price list for current rates.

3. Customer Responsibilities

Managing OpenBao policies, roles, and access controls
Configuring auth methods (OIDC, LDAP, AppRole, Kubernetes, etc.)
Configuring secrets engines (KV, PKI, transit, database, etc.)
Managing tokens, leases, and secret lifecycle
Integrating client applications with the OpenBao API
Defining backup schedules in coordination with the Cloud Services team

4. Nebul Responsibilities

Operating the underlying k0s cluster, OpenStack VMs, and networking
Installing and upgrading the OpenBao binary and Helm chart
Operating auto-unseal and persistence infrastructure
Performing cluster-level Velero backups according to the agreed schedule

5. Limitations

Customers do not receive Kubernetes cluster-level access; all interaction is through the OpenBao API and UI
Scaling (replica count, VM flavor) is performed manually via the Cloud Services team
Self-service provisioning of OpenBao clusters is not supported in the current infrastructure

6. Definitions

Term	Definition
OpenBao	Open-source secrets-management application, community fork of HashiCorp Vault, wire-compatible with Vault clients
Raft	Integrated consensus-based storage backend used by OpenBao for HA and persistence
Auto-unseal	Mechanism that automatically unseals OpenBao after a restart, removing the need for manual unseal operations
Secrets Engine	OpenBao component that stores, generates, or encrypts data (e.g. KV, PKI, transit, database)
Auth Method	Mechanism through which clients authenticate to OpenBao (e.g. OIDC, LDAP, AppRole, Kubernetes)

1. Service Description​

Included Features​

2. Pricing Dimensions​

3. Customer Responsibilities​

4. Nebul Responsibilities​

5. Limitations​

6. Definitions​