Skip to main content
Version: next

Treat trust material as lifecycle state, not just as Kubernetes Secrets.

The operator manages or coordinates several high-value trust surfaces: bootstrap credentials, unseal roots, TLS material, and the identities used by backup, restore, and upgrade workflows. The most important question is not only where they live, but whether the operating model can avoid creating them in the first place.

Reference table

Managed trust material

Managed trust material.
SurfaceTypical locationSecurity posture
Root tokenSecret only when bootstrap mode persists itCritical and intentionally avoided by the supported Hardened self-init path.
Static unseal key<cluster>-unseal-key SecretCritical because the root of trust sits inside Kubernetes instead of an external trust system.
Cluster CA and server TLS materialSecrets when the selected TLS mode requires themHigh-value trust material whose lifecycle depends on the chosen TLS mode.
Backup, restore, and upgrade job authProjected tokens, generated ServiceAccounts, or explicit credentials SecretsShould remain separate from the main OpenBao workload identity.

Unseal trust model

Static unseal keeps the root of trust in the cluster

Static unseal generates a 32-byte key and stores it in a Kubernetes Secret. If etcd encryption or namespace access is weak, the effective trust root of your OpenBao data is weak too.

Reference table

Static unseal behavior

Static unseal behavior.
AspectBehaviorWhy it matters
GenerationThe operator creates a random key.Bootstrap is convenient, but the cluster is now trusted to protect the root of trust.
StorageThe key is stored in <cluster>-unseal-key.Anyone who can read that Secret can compromise the trust root.
RotationManual, not automatic.Operational handling of the trust root stays a human responsibility.

Bootstrap credentials and root token handling

Decision matrix

Bootstrap paths

Bootstrap paths.
PathWhat happens to the root tokenSecurity effect
Hardened self-initThe initial root token is not persisted as the normal operating model.This avoids leaving a long-lived administrative credential in namespace Secrets.
Development bootstrap without self-initThe root token can be stored in <cluster>-root-token.This is useful for testing but creates a critical secret in the namespace.
Persisted bootstrap secrets are full-administration material

If a root token or equivalent bootstrap credential exists in a Secret, anyone who can read that Secret effectively has full administrative control of the OpenBao cluster.

TLS and job identities

Diagram

Job identity separation

The main OpenBao Pods, backup jobs, restore jobs, and upgrade jobs should not silently share one identity path. Each surface should stay explicit and observable.

The important boundary is this:

  • main OpenBao Pods use the trust path selected for the cluster itself
  • backup, restore, and upgrade Jobs use separate generated identities
  • those Jobs do not automatically inherit the cloud or JWT path of the main workload unless the operator deliberately configured it

This is why backup and restore readiness are surfaced independently in status rather than assumed from the main Pods.

Where the task guidance lives

This page owns the trust model. The operational task pages stay elsewhere:

Continue the security model

Production postureSee how these trust-material choices map back to Development versus Hardened.Configure security profilesSwitch to the task page when you are ready to set the actual cluster fields.Threat modelReturn to the broader threat model if you need the surrounding attacker and boundary assumptions.
Next release documentation

You are reading the unreleased main docs. Use the version menu for the newest published release, or check the release notes for what is already out.

Was this page helpful?

Use Needs work to open a structured GitHub issue for this page. The Yes button only acknowledges the signal locally.

Needs work