secure k8s

Kubernetes platform

Summary: OpenBao runs on Kubernetes via the official Helm chart and integrates with workloads via two main patterns, the Agent Injector (sidecar) and the OpenBao Secrets Operator (CRDs), with a CSI provider as a third option.

Sources: raw/docs/platform/k8s/index.md, raw/docs/platform/k8s/helm/*, raw/docs/platform/k8s/injector/*, raw/docs/platform/k8s/vso/*, raw/docs/platform/k8s/csi/*, raw/docs/platform/k8s/injector-csi.md.

Last updated: 2026-05-19


Deployment via Helm

Four chart modes (source: raw/docs/platform/k8s/index.md):

  • Dev — single in-memory node, for testing.
  • Standalone (default) — single node, file-backend persistence.
  • HA — multi-node cluster on an HA-capable storage backend.
  • External — Agent Injector only, talks to an OpenBao cluster running elsewhere.

Chart docs and values reference: raw/docs/platform/k8s/helm/. For a step-by-step HA bring-up procedure, see k8s-ha-setup.

Workload integrations

Three ways to get secrets into a pod without modifying app code (source: raw/docs/platform/k8s/index.md):

Agent Injector

Mutating webhook that injects an OpenBao Agent sidecar into pods annotated for it. Authenticates with the pod’s own service account via the Kubernetes auth method, renders secrets to in-memory files in the pod (no on-disk durable copies).

Considered the mature path — production-proven, broadest auth-method support, templating (raw/docs/platform/k8s/injector/).
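The Kubernetes-auth handshake the injected sidecar performs, as an added illustration (not code from OpenBao or its docs): it posts the pod's projected service-account JWT and a role name to auth/<mount>/login, receives a client token, and reads a KV v2 secret with it. Assumes the Vault-compatible HTTP paths and the X-Vault-Token header; FakeOpenBao and the role/secret values are constructed so the flow runs offline.

```python
# Projected service-account token that the injected agent presents to OpenBao.
SA_TOKEN_PATH = "/var/run/secrets/kubernetes.io/serviceaccount/token"

def read_sa_token(path=SA_TOKEN_PATH):
    """Read the pod's own SA JWT (mounted by Kubernetes, not stored by the agent)."""
    with open(path) as f:
        return f.read().strip()

def build_login_request(addr, role, jwt, mount="kubernetes"):
    """Login call of the Kubernetes auth method: the role the pod claims plus its SA JWT."""
    return f"{addr.rstrip('/')}/v1/auth/{mount}/login", {"role": role, "jwt": jwt}

def parse_login_response(resp):
    """Return (client_token, lease_seconds); a rejected login carries 'errors', not 'auth'."""
    auth = resp.get("auth") or {}
    if "client_token" not in auth:
        raise RuntimeError(f"login rejected: {resp.get('errors', resp)}")
    return auth["client_token"], int(auth.get("lease_duration", 0))

def fetch_kv(addr, token, path, http):
    """Read a KV v2 secret with the client token (assumes X-Vault-Token is accepted)."""
    resp = http("GET", f"{addr.rstrip('/')}/v1/{path}", None, {"X-Vault-Token": token})
    if "data" not in resp:
        raise RuntimeError(f"read of {path} rejected: {resp.get('errors', resp)}")
    return resp["data"]["data"]

def login_and_fetch(addr, role, jwt, path, http):
    """What the sidecar does at start-up: log in with the SA token, then read the secret."""
    url, body = build_login_request(addr, role, jwt)
    token, ttl = parse_login_response(http("POST", url, body, {}))
    return token, ttl, fetch_kv(addr, token, path, http)

class FakeOpenBao:
    """Constructed in-memory stand-in for the OpenBao API so the flow runs offline."""
    def __init__(self, role_for_jwt, secrets):
        self.role_for_jwt, self.secrets, self.tokens = role_for_jwt, secrets, {}

    def __call__(self, method, url, body, headers):
        path = url.split("/v1/", 1)[1]
        if method == "POST" and path == "auth/kubernetes/login":
            if self.role_for_jwt.get(body["jwt"]) != body["role"]:
                return {"errors": ["permission denied"]}  # SA not bound to this role
            tok = f"constructed-token-{len(self.tokens)}"
            self.tokens[tok] = body["role"]
            return {"auth": {"client_token": tok, "lease_duration": 3600}}
        if headers.get("X-Vault-Token") in self.tokens and path in self.secrets:
            return {"data": {"data": self.secrets[path]}}
        return {"errors": ["permission denied"]}
```

In a real pod, pass a small urllib-based callable with the same (method, url, body, headers) signature in place of FakeOpenBao and feed read_sa_token() as the jwt.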

OpenBao Secrets Operator (VSO)

A CRD-based operator that reconciles Kubernetes Secrets from OpenBao. Apps consume normal Secret objects; the operator keeps them fresh (raw/docs/platform/k8s/vso/).

CSI provider

OpenBao as a Secrets Store CSI Driver provider. Mounts secrets into pods as files via the CSI driver (raw/docs/platform/k8s/csi/).

raw/docs/platform/k8s/injector-csi.md discusses choosing between Injector and CSI.

Auto-unseal in K8s

Auto-unseal (see seal-unseal) is the operational requirement for HA on Kubernetes — without it, every pod restart needs manual unseal. Cloud KMS or transit are the usual answers.

Service registration

OpenBao can register itself with Kubernetes via the service_registration stanza (raw/docs/configuration/service-registration/kubernetes.md) — node state (active/standby/sealed) becomes a pod label that Services can select on. See kubernetes-service-registration for the full mechanic, RBAC requirements, and the active-Service / upgrade patterns built on top of it.