Operator Installation
This guide covers deploying the OpenBao Operator to your Kubernetes cluster.
Prerequisites
Requirements
- Kubernetes: v1.29+ (see Compatibility)
- kubectl: Installed and configured
- Permissions: Cluster-admin access for CRDs, RBAC, and ValidatingAdmissionPolicies
- Helm (optional): v3.12+ for Helm-based installation
Deployment Modes
The operator supports two deployment modes:
- Multi-Tenant (default): Platform teams providing OpenBao-as-a-Service
- Single-Tenant: Individual teams deploying OpenBao for their application
See Single-Tenant Mode for single-tenant deployments.
Installation
Install the operator using the official Helm chart:
helm install openbao-operator oci://ghcr.io/dc-tec/charts/openbao-operator \
  --namespace openbao-operator-system \
  --create-namespace
Common Configuration
helm install openbao-operator oci://ghcr.io/dc-tec/charts/openbao-operator \
  --namespace openbao-operator-system \
  --create-namespace \
  --set image.tag=v1.0.0 \
  --set controller.replicas=2 \
  --set controller.resources.limits.memory=512Mi
- image.tag: Pin to a specific version for production deployments.
- controller.replicas: Run multiple replicas for high availability.
- controller.resources.limits.memory: Adjust resource limits based on cluster size.
Full Values Reference
| Parameter | Description | Default |
|---|---|---|
| image.repository | Operator image repository | ghcr.io/dc-tec/openbao-operator |
| image.tag | Image tag (defaults to appVersion) | "" |
| image.pullPolicy | Image pull policy | IfNotPresent |
| imagePullSecrets | Registry credentials | [] |
| platform | Target platform (auto, kubernetes, openshift) | auto |
| tenancy.mode | multi or single | multi |
| tenancy.targetNamespace | Target namespace (single-tenant only) | "" |
| controller.replicas | Controller replica count | 1 |
| controller.resources | Controller resource requests/limits | See values.yaml |
| provisioner.replicas | Provisioner replica count | 1 |
| provisioner.resources | Provisioner resource requests/limits | See values.yaml |
| admissionPolicies.enabled | Enable ValidatingAdmissionPolicies | true |
| metrics.enabled | Enable metrics endpoints | true |
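As an added example (not part of the operator project's code), the following Python check audits a release's merged values, as returned by helm get values openbao-operator -n openbao-operator-system --all -o json, against the guidance on this page. The sample JSON is constructed, and the rules that flag a disabled admissionPolicies.enabled and an empty tenancy.targetNamespace in single-tenant mode are this example's own assumptions.

```python
import json

# Constructed sample in the shape of `helm get values ... --all -o json`,
# limited to keys from the values table above. Not real cluster output.
SAMPLE_VALUES = json.loads("""
{"image": {"tag": ""}, "platform": "auto",
 "tenancy": {"mode": "single", "targetNamespace": ""},
 "controller": {"replicas": 1}, "admissionPolicies": {"enabled": false}}
""")

PLATFORMS = {"auto", "kubernetes", "openshift"}
TENANCY_MODES = {"multi", "single"}


def get(values, dotted, default=None):
    """Look up a dotted key such as 'image.tag' in nested values."""
    node = values
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return default
        node = node[part]
    return node


def audit_values(values):
    """Return a list of (key, message) findings; empty means nothing flagged."""
    findings = []
    tag = get(values, "image.tag", "")
    if tag in ("", "latest"):  # "" follows the chart's appVersion
        findings.append(("image.tag", "no explicit release tag; pin one for production"))
    if get(values, "controller.replicas", 1) < 2:
        findings.append(("controller.replicas", "single replica; no high availability"))
    if get(values, "admissionPolicies.enabled", True) is not True:  # assumption: keep default
        findings.append(("admissionPolicies.enabled", "ValidatingAdmissionPolicies disabled"))
    platform = get(values, "platform", "auto")
    if platform not in PLATFORMS:
        findings.append(("platform", f"unknown value {platform!r}"))
    mode = get(values, "tenancy.mode", "multi")
    if mode not in TENANCY_MODES:
        findings.append(("tenancy.mode", f"unknown value {mode!r}"))
    elif mode == "single" and not get(values, "tenancy.targetNamespace", ""):  # assumption
        findings.append(("tenancy.targetNamespace", "expected when tenancy.mode=single"))
    return findings


if __name__ == "__main__":
    for key, message in audit_values(SAMPLE_VALUES):
        print(f"{key}: {message}")
```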
For Red Hat OpenShift clusters, the operator defaults to platform auto-detection. You can optionally force the platform mode to ensure compatibility with Security Context Constraints (SCC):
helm install openbao-operator oci://ghcr.io/dc-tec/charts/openbao-operator \
  --namespace openbao-operator-system \
  --create-namespace \
  --set platform=openshift
What this does
This setting instructs the chart/operator to omit pinned runAsUser / fsGroup IDs in generated Pods, allowing OpenShift's SCC admission controller to inject namespace-scoped IDs automatically.
Apply the installer manifest directly from the GitHub Release:
Note
This installs CRDs, RBAC, ValidatingAdmissionPolicies, and the operator deployments in openbao-operator-system.
Verify Installation
Check that the operator pods are running:
Expected output (multi-tenant mode):
NAME READY STATUS RESTARTS AGE
openbao-operator-controller-xxxxxxxxxx-xxxxx 1/1 Running 0 1m
openbao-operator-provisioner-xxxxxxxxxx-xxxxx 1/1 Running 0 1m
Ready
Once both pods show Running, proceed to Getting Started to deploy your first OpenBao cluster.
Upgrading
Helm Upgrades
CRD Updates
Helm does not automatically upgrade CRDs. For releases with CRD changes:
- Apply CRDs from the release assets first:
- Then upgrade the Helm release:
YAML Manifest Upgrades
Uninstallation
Next Steps
- Deploy a Cluster: Create your first OpenBaoCluster.
- Multi-Tenancy: Onboard teams with OpenBaoTenant.
- Single-Tenant: Simplified deployment for single teams.