secure k8s

Wiki index

OpenBao knowledge base. Maintained by Claude from sources under raw/. See log for change history.

Start here

  • overview — what OpenBao is, top-level architecture, fork story, distinctives.

Core concepts

  • auth — authentication methods.
  • secrets — secrets engines (KV, PKI, transit, databases, …).
  • policies — path-based authorization in HCL.
  • tokens — service vs batch tokens, roots, hierarchies.
  • leases — TTL, renewal, revocation, prefix revoke.
  • seal-unseal — barrier protection at startup; Shamir vs auto-unseal.
  • storage — durable backends, untrusted by design.
  • high-availability — leader/standby, request forwarding, standby reads (v2.5.0).
  • raft — Raft consensus from beginner to pro: mechanics, OpenBao integration, tuning, recovery.
  • namespaces — multi-tenancy in OSS (OpenBao’s headline differentiator).
  • identity — entities, aliases, groups, OIDC provider.

Subsystems

  • agent-and-proxy — client-side daemons that handle auth, caching, templating.
  • audit — request/response logging; always run two devices.
  • plugins — auth/secret/database plugin system, OCI distribution.
  • configuration — HCL/JSON server config reference.
  • commands-cli — the bao CLI surface area.
  • kubernetes-platform — Helm chart, Agent Injector, VSO, CSI.
  • k8s-ha-setup — step-by-step Helm + Raft HA bring-up procedure.
  • k8s-ha-from-scratch — end-to-end on Ubuntu 24.04: three bare servers → finished OpenBao HA cluster, including cert-manager PKI.
  • rke2-ha-setup — end-to-end on RKE2 with 3 masters + 3 workers (Ubuntu 24.04), kube-vip VIP, Longhorn storage, worker pinning for OpenBao.
  • k3s-ha-setup — end-to-end on k3s with 3 stacked nodes (Ubuntu 24.04), kube-vip VIP, k3s's own local-path provisioner, lightweight variant.
  • kubernetes-service-registration — pod labels for active/sealed/version; active service via selector; controlled upgrades.
  • service-registration-reactivation — order for re-enabling a commented-out service_registration "kubernetes" stanza: NetPol → RBAC → Downward API → rollout.
  • deployment-vm-vs-k8s — VM-HA vs Kubernetes-HA decision guide for enterprise.
  • upgrading — upgrade strategy, HA ordering, plugin upgrades.
  • backups — backup/restore strategy, snapshot mechanics, automation (VM + K8s).
  • k8s-backups — K8s-specific backup runbook: three-layer model, snapshotAgent vs. custom CronJob, restore procedure, sandbox tests, monitoring.
  • internals — barrier, Raft, rotation, telemetry, limits.

History

  • blog-timeline — release and event posts from raw/blog/ (2024-07 → 2026-03).

House notes

  • raw/ is immutable — never edit.
  • Wiki pages use [[wiki-link]] for cross-references.
  • Every factual claim cites its source file inline as (source: filename.md).
  • See CLAUDE.md for the ingest workflow and house rules.