External Access
OpenBao clusters can be exposed using Gateway API (Recommended), Ingress, or standard LoadBalancer services.
Access Methods
The Operator provides first-class support for Kubernetes Gateway API, offering advanced routing, portability, and cleaner multi-tenancy.
Full Guide
See the Gateway API Guide for complete configuration details, including TLS Passthrough and backend policies.
Ingress: standard Kubernetes Ingress is also supported.

```yaml
spec:
  ingress:
    enabled: true
    host: "bao.example.com"
    annotations:
      # OpenBao listens on TLS, so the controller must proxy to the backend over HTTPS
      nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
```
Traefik v3
Traefik v3 requires a ServersTransport to trust the internal CA. See the Traefik v3 Configuration section below.
TLS Configuration
Secure your cluster using one of the following TLS modes.
Zero-Trust: OpenBao acts as a native ACME client (e.g., Let's Encrypt), managing its own certificates without mounting Secrets.
```yaml
spec:
  tls:
    enabled: true
    mode: ACME
    acme:
      directoryURL: "https://acme-v02.api.letsencrypt.org/directory"
      # Prefer domains (list) for multi-SAN certificates
      domains:
        - "bao.example.com"
      email: "admin@example.com"
```
HA (Raft) + private ACME CA
When using a private ACME CA (for example, an in-cluster PKI), peers must trust the PKI CA that signs the issued leaf certificate. If spec.configuration.acmeCARoot is set to trust the ACME directory server, place a pki-ca.crt file alongside it in the same volume; the operator uses it for Raft retry_join and probe verification.
BYO-Cert: Integrate with cert-manager or corporate PKI. You provide the Secrets; the Operator uses them.
Requirements:
- Secret `<name>-tls-ca`: keys `ca.crt` (optional `ca.key`)
- Secret `<name>-tls-server`: keys `tls.crt`, `tls.key`, `ca.crt`
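A preflight check for the BYO-Cert Secrets listed above, added here as an example and not part of the Operator or this guide. It takes the cluster name and the Secret manifests as plain dicts (as returned by `kubectl get secret -o json`), reports missing Secrets, missing keys and non-PEM values, and additionally assumes that the `ca.crt` in both Secrets should be the same CA; `check_byo_cert_secrets` and the sample manifests are constructed for this example.

```python
import base64

# Secret names and keys the Operator expects in BYO-Cert mode (from the requirements above).
REQUIRED_SECRET_KEYS = {
    "{name}-tls-ca": {"ca.crt"},
    "{name}-tls-server": {"tls.crt", "tls.key", "ca.crt"},
}

def decode_secret(secret):
    """Map each key of a Kubernetes Secret manifest to its raw bytes (data or stringData)."""
    out = {k: base64.b64decode(v) for k, v in (secret.get("data") or {}).items()}
    out.update({k: v.encode() for k, v in (secret.get("stringData") or {}).items()})
    return out

def check_byo_cert_secrets(cluster_name, secrets):
    """Return a list of problems found in the BYO-Cert Secrets for an OpenBaoCluster."""
    by_name = {s["metadata"]["name"]: decode_secret(s) for s in secrets}
    problems = []
    for pattern, required in REQUIRED_SECRET_KEYS.items():
        name = pattern.format(name=cluster_name)
        if name not in by_name:
            problems.append(f"missing Secret {name}")
            continue
        for key in sorted(required - by_name[name].keys()):
            problems.append(f"{name}: missing key {key}")
        for key in sorted(required & by_name[name].keys()):
            # PEM framing is all we can verify without a crypto library
            if b"-----BEGIN" not in by_name[name][key]:
                problems.append(f"{name}: key {key} is not PEM encoded")
    ca = by_name.get(f"{cluster_name}-tls-ca", {}).get("ca.crt")
    server_ca = by_name.get(f"{cluster_name}-tls-server", {}).get("ca.crt")
    # Assumption: both ca.crt copies must be the same CA, otherwise clients that trust
    # <name>-tls-ca (for example a Traefik ServersTransport) reject the server's chain.
    if ca is not None and server_ca is not None and ca != server_ca:
        problems.append("ca.crt differs between -tls-ca and -tls-server Secrets")
    return problems

def b64(text):
    return base64.b64encode(text.encode()).decode()

# Constructed sample manifests with placeholder PEM bodies (not real certificates).
CA_PEM = "-----BEGIN CERTIFICATE-----\nPLACEHOLDER-CA\n-----END CERTIFICATE-----\n"
LEAF_PEM = "-----BEGIN CERTIFICATE-----\nPLACEHOLDER-LEAF\n-----END CERTIFICATE-----\n"
SAMPLE_SECRETS = [
    {"metadata": {"name": "bao-tls-ca"}, "data": {"ca.crt": b64(CA_PEM)}},
    # tls.key deliberately omitted so the check reports it
    {"metadata": {"name": "bao-tls-server"},
     "data": {"tls.crt": b64(LEAF_PEM), "ca.crt": b64(CA_PEM)}},
]

if __name__ == "__main__":
    for problem in check_byo_cert_secrets("bao", SAMPLE_SECRETS):
        print("FAIL:", problem)
```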
Advanced Configuration
Traefik v3 Configuration
Traefik v3 enforces CA validation for backends. The Operator creates a Secret named <cluster>-tls-ca which Traefik can reference directly in a ServersTransport.