Keep peer trust, edge exposure, and workload identity on deliberate paths.
TLS in the operator is not just an ingress feature. It defines how pods trust each other, how clients verify the service, where certificate authority material lives, and whether the private key ever touches Kubernetes Secrets at all.
Decision matrix
Choose the TLS mode deliberately
| Mode | Use it when | What the operator owns | Watch for |
|---|---|---|---|
| External | You already have a trusted PKI, cert-manager, or platform certificate workflow. | The operator consumes existing Secrets and watches for rotation, but does not mint the trust chain. | This is the preferred Hardened production path because CA authority stays outside the operator. |
| ACME | The service is exposed publicly and OpenBao should obtain certificates directly from an ACME provider. | The operator wires the listener path, but OpenBao handles the certificate lifecycle itself. | This works best when the service owns the public endpoint and you can meet the ACME challenge requirements. |
| OperatorManaged | You need a fast internal evaluation path or temporary development certificates. | The operator generates and rotates the CA and leaf certificates inside the cluster. | This is not the Hardened production posture because the operator holds certificate authority material. |
Diagram
Certificate rotation and reload path
When the certificate source changes, the operator updates the mounted material and the workload reloads it without rebuilding or reinstalling the cluster.
Trust paths that matter
Reference table
TLS surfaces
| Path | What is being protected | Primary concern |
|---|---|---|
| Client to service | Application and operator clients verifying the OpenBao listener. | The public or internal certificate presented by the service must chain to a trust source your clients already accept. |
| Pod to pod | Raft and internal service traffic between OpenBao members. | The SAN set and CA distribution need to match pod and service DNS accurately so peers can authenticate each other. |
| Edge proxy to backend | Gateway, ingress, or mesh traffic between the edge and the cluster. | Choose passthrough versus termination deliberately so you know where the private key lives and where client identity is enforced. |
Where key material lives
Reference table
Key and CA ownership
| Mode | Server private key | CA or trust root | Operational consequence |
|---|---|---|---|
| External | Kubernetes Secret supplied by your PKI workflow | External CA or organizational PKI | Certificate lifecycle aligns with the rest of your platform and is easier to audit centrally. |
| ACME | Generated inside OpenBao | Public ACME issuer | The operator never needs the private key, but the cluster must satisfy the ACME issuance path. |
| OperatorManaged | Kubernetes Secret managed by the operator | Operator-generated internal CA | Fast to stand up, but the trust root now lives inside the same management plane you are trying to keep small and reviewable. |
Exposure guidance
Decision matrix
Edge exposure choices
| Pattern | Use it when | Why it is preferred or risky |
|---|---|---|
| TLS passthrough | You want OpenBao to terminate TLS and preserve end-to-end certificate identity. | This is usually the cleanest production path because the application keeps control of the server certificate and the edge stays as a transport router. |
| Edge termination | You need policy enforcement, client-auth handling, or platform certificate lifecycle at the edge. | This can be valid, but you must be explicit about how trust is re-established between the proxy and OpenBao. |
| Temporary self-signed or operator-generated edge trust | Short-lived evaluation environments only. | This path is easy to start but tends to leak into production unless you set a deliberate migration plan. |
This page explains the TLS security model. Use the configuration guides when you need the exact cluster fields:
Continue workload protections
You are reading the unreleased main docs. Use the version menu for the newest published release, or check the release notes for what is already out.
Was this page helpful?
Use Needs work to open a structured GitHub issue for this page. The Yes button only acknowledges the signal locally.