Skip to content

OpenBao support#92

Merged
digiserg merged 6 commits intomainfrom
feat/openbao
Jan 7, 2026
Merged

OpenBao support#92
digiserg merged 6 commits intomainfrom
feat/openbao

Conversation

@digiserg
Copy link
Collaborator

Implements comprehensive dual backend support allowing vals-operator to work with both
HashiCorp Vault and OpenBao. OpenBao is the open-source fork of Vault that maintains
API compatibility while being fully community-driven.

Key changes:
- Add abstraction layer with SecretsClient interface for backend-agnostic operations
- Implement OpenBao client wrapper using BAO_* environment variables
- Implement Vault client wrapper maintaining existing VAULT_* variables for backwards compatibility
- Add automatic environment variable fallback from BAO_* to VAULT_* variables
- Add workaround for vals library compatibility by setting VAULT_* variables when using OpenBao
- Update Helm chart to support both backends with proper configuration
- Update documentation with authentication configuration for both backends
- Fix initialization to check for either VAULT_ADDR or BAO_ADDR

Environment variable changes:
- OpenBao uses BAO_ prefix (BAO_ADDR, BAO_TOKEN, BAO_ROLE_ID, etc.)
- Falls back to VAULT_* variables when BAO_* not set for easy migration
- OpenBao takes precedence when both are configured

This provides zero-downtime migration path from Vault to OpenBao while maintaining
full backwards compatibility with existing deployments.

Implements comprehensive dual backend support allowing vals-operator to work with both
HashiCorp Vault and OpenBao. OpenBao is the open-source fork of Vault that maintains
API compatibility while being fully community-driven.

Key changes:
- Add abstraction layer with SecretsClient interface for backend-agnostic operations
- Implement OpenBao client wrapper using BAO_* environment variables
- Implement Vault client wrapper maintaining existing VAULT_* variables for backwards compatibility
- Add automatic environment variable fallback from BAO_* to VAULT_* variables
- Add workaround for vals library compatibility by setting VAULT_* variables when using OpenBao
- Update Helm chart to support both backends with proper configuration
- Update documentation with authentication configuration for both backends
- Fix initialization to check for either VAULT_ADDR or BAO_ADDR

Environment variable changes:
- OpenBao uses BAO_ prefix (BAO_ADDR, BAO_TOKEN, BAO_ROLE_ID, etc.)
- Falls back to VAULT_* variables when BAO_* not set for easy migration
- OpenBao takes precedence when both are configured

This provides zero-downtime migration path from Vault to OpenBao while maintaining
full backwards compatibility with existing deployments.
@digiserg digiserg requested review from a team, brainJamStark, millerjp and rgooding December 23, 2025 20:49
@digiserg digiserg self-assigned this Dec 23, 2025
Signed-off-by: Sergio Rua <sergio.rua@digitalis.io>
@digiserg digiserg merged commit cf56ecc into main Jan 7, 2026
1 check passed
@digiserg digiserg deleted the feat/openbao branch January 7, 2026 16:43
@digiserg digiserg restored the feat/openbao branch February 10, 2026 18:24
@digiserg digiserg deleted the feat/openbao branch February 10, 2026 18:26
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants

Comments