Skip to content

ADR for managed OpenBao on AppCat#161

Merged
Kidswiss merged 12 commits intovshn:masterfrom
bespinian:bespinian/adr/secretstore
Jan 28, 2026
Merged

ADR for managed OpenBao on AppCat#161
Kidswiss merged 12 commits intovshn:masterfrom
bespinian:bespinian/adr/secretstore

Conversation

@ioboi
Copy link
Contributor

@ioboi ioboi commented Sep 19, 2025

Summary

Checklist

  • Try to isolate changes into separate PRs (to build a better changelog).
  • Categorize the PR by setting a good title and adding one of the labels:
    change, decision, requirement/quality, requirement/functional, dependency
    as they show up in the changelog
  • Link this PR to related issues if applicable.

tobru
tobru reviewed Sep 22, 2025
View reviewed changes
@ioboi ioboi requested a review from tobru September 23, 2025 08:02
Kidswiss
Kidswiss reviewed Sep 25, 2025
View reviewed changes
Copy link
Contributor

@Kidswiss Kidswiss left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sounds reasonable.

Using the integrated raft storage makes things a lot less complex than using an external database.

mdnix
mdnix reviewed Sep 25, 2025
View reviewed changes
Copy link
Member

@mdnix mdnix left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for submitting this ADR @ioboi!

Overall I like it and I think using the Helm chart here makes total sense as it fits in well with the AppCat framework. While doing my own research on this I also leaned heavily towards this approach.

Just a few things to help me understand:

  1. How will auto-unseal be configured effectively?
  2. Regarding the authentication method stated in the document, is the kubernetes authentication method also required for ServiceAccounts to consume Secrets from the secrets engine?
  3. At the top of the document it states that it will be used for PKI and secrets management. In that case I assume both engines will be configured by default?

@ioboi
Copy link
Contributor Author

ioboi commented Sep 26, 2025

Thanks for submitting this ADR @ioboi!

Overall I like it and I think using the Helm chart here makes total sense as it fits in well with the AppCat framework. While doing my own research on this I also leaned heavily towards this approach.

Just a few things to help me understand:

  1. How will auto-unseal be configured effectively?
  2. Regarding the authentication method stated in the document, is the kubernetes authentication method also required for ServiceAccounts to consume Secrets from the secrets engine?
  3. At the top of the document it states that it will be used for PKI and secrets management. In that case I assume both engines will be configured by default?

@mdnix thank you for the review ☺️

  1. We will propose a solution in this PR in the next week.
  2. This depends on the integration. For example the Agent injector needs access to the Kubernetes API but the External Secrets Operator supports a multitude of methods.
  3. This is a remainder of an earlier version. I think by default at least a KV2 could be configured. I only saw, that the use of the PKI engine was discussed in ADR24. We will update the ADR to be more specific.

@Kidswiss
Copy link
Contributor

Kidswiss commented Sep 29, 2025

Thanks for submitting this ADR @ioboi!
Overall I like it and I think using the Helm chart here makes total sense as it fits in well with the AppCat framework. While doing my own research on this I also leaned heavily towards this approach.
Just a few things to help me understand:

  1. How will auto-unseal be configured effectively?
  2. Regarding the authentication method stated in the document, is the kubernetes authentication method also required for ServiceAccounts to consume Secrets from the secrets engine?
  3. At the top of the document it states that it will be used for PKI and secrets management. In that case I assume both engines will be configured by default?

@mdnix thank you for the review ☺️

1. We will propose a solution in this PR in the next week.

2. This depends on the integration. For example [the Agent injector](https://developer.hashicorp.com/vault/docs/deploy/kubernetes/injector/examples) needs access to the Kubernetes API but the [External Secrets Operator](https://external-secrets.io/latest/provider/hashicorp-vault/) supports a multitude of methods.

3. This is a remainder of an earlier version. I think by default at least a KV2 could be configured. I only saw, that the use of the PKI engine was discussed in ADR24. We will update the ADR to be more specific.

About the k8s integration: it probably warrants its own ADR. If we actually want to add it to the service offering in the first place.

@ioboi
Copy link
Contributor Author

ioboi commented Oct 28, 2025

Hey @Kidswiss, @mdnix

I updated the ADR with an example CRD definition. The unsealing should be much clearer now. Happy to get feedback 😄

@ioboi ioboi requested review from Kidswiss and mdnix October 28, 2025 14:46
tobru
tobru reviewed Oct 28, 2025
View reviewed changes
tobru
tobru reviewed Oct 28, 2025
View reviewed changes
Kidswiss
Kidswiss requested changes Oct 31, 2025
View reviewed changes
mdnix
mdnix requested changes Oct 31, 2025
View reviewed changes
@ioboi ioboi force-pushed the bespinian/adr/secretstore branch from b1021ca to db78a88 Compare October 31, 2025 16:22
@ioboi ioboi requested review from Kidswiss and mdnix October 31, 2025 16:23
@ioboi ioboi marked this pull request as ready for review December 16, 2025 16:02
ioboi added 6 commits January 28, 2026 11:40
@ioboi
Init ADR for managed OpenBao on AppCat
48d9ab3
@ioboi
Use description lists instead of bold title and list combination
b02b432
@ioboi
Fix spelling of management, K8up instead of K8sup and ObjectBucket
b2d5b2d
@ioboi
Remove AppCat integration advantage
c769cbb
@ioboi
K8s integration is not part of this ADR
bfc3d26
@ioboi
Add API specification and auto-unseal configuration to OpenBao ADR
ad71d5d 
Replaces TODO deployment architecture with complete VSHNOpenBao CRD specification including service configuration, sizing, backup, monitoring, and maintenance parameters. Documents auto-unseal functionality with support for AWS KMS, Azure Key Vault, GCP KMS, and Transit providers, including AWS KMS example configuration.
ioboi added 6 commits January 28, 2026 11:40
@ioboi
Standardize ADR cross-references in OpenBao ADR
0f159f3
@ioboi
Standardize secret reference and key names in OpenBao ADR
1ddab22
@ioboi
Fix typo in OpenBao ADR summary
2a3dc52
@ioboi
Update Proposal 2 title to specify Helm chart deployment
33eb9e0
@ioboi
Clarify default auto-unseal behavior and add service level warning
0530eda 
Adds documentation for the default VSHN-managed auto-unseal configuration
and includes a warning that customer-configured auto-unseal providers only
support besteffort service level. Also fixes typo in section heading.
@ioboi
Add plan specifications to OpenBao ADR
97a1530
@ioboi ioboi force-pushed the bespinian/adr/secretstore branch from 0603e83 to 97a1530 Compare January 28, 2026 10:41
@ioboi ioboi requested a review from Kidswiss January 28, 2026 10:42
@ioboi
Copy link
Contributor Author

ioboi commented Jan 28, 2026

@Kidswiss rebased and ready to be merged 🎉

@Kidswiss Kidswiss merged commit 7ec01d4 into vshn:master Jan 28, 2026
1 check failed
@ioboi ioboi deleted the bespinian/adr/secretstore branch February 2, 2026 15:47
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Kidswiss Kidswiss Kidswiss approved these changes

@mdnix mdnix mdnix approved these changes

@lieneluksika lieneluksika lieneluksika approved these changes

@tobru tobru Awaiting requested review from tobru

@norbertgruszka norbertgruszka Awaiting requested review from norbertgruszka

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

6 participants

@ioboi @Kidswiss @tobru @norbertgruszka @mdnix @lieneluksika