security

Installing OpenBao on Kubernetes

Abubakar Siddiq Ango
Abubakar Siddiq Ango Senior Developer Advocate
Jun 17, 2026 2 min read Beginner
getting-started security secrets-management openbao

Prerequisites

  • A Kubernetes cluster (this tutorial uses a local kind cluster)
  • kubectl installed and configured
  • Helm 3.6+ installed
  • Read ‘What Is Secrets Management on Kubernetes?’ (part 1)

Introduction

OpenBao is an open-source secrets manager, a fork of HashiCorp Vault hosted by the Linux Foundation. This tutorial installs it on a Kubernetes cluster in dev mode — a single in-memory server that starts already unsealed, which is perfect for learning. Dev mode keeps nothing on disk and uses a fixed root token, so use it only for tutorials and experiments, never in production.

Step 1 — Create a local cluster (optional)

If you already have a cluster, skip this. For a throwaway local cluster, kind works well:

kind create cluster --name secrets-lab

Step 2 — Add the OpenBao Helm repository

helm repo add openbao https://openbao.github.io/openbao-helm
helm repo update

Step 3 — Install OpenBao in dev mode

helm install openbao openbao/openbao \
  --set "server.dev.enabled=true" \
  --namespace openbao --create-namespace

Step 4 — Verify it is running

The chart deploys an OpenBao server plus an agent injector. Wait for the server pod:

kubectl get pods -l app.kubernetes.io/name=openbao -n openbao

NAME        READY   STATUS    RESTARTS   AGE
openbao-0   1/1     Running   0          20s

Check the server’s state with the bao CLI inside the pod. In dev mode the server is already unsealed and the root token is root:

kubectl exec -n openbao openbao-0 -- sh -c \
  'BAO_ADDR=http://127.0.0.1:8200 BAO_TOKEN=root bao status'

Sealed          false
Storage Type    inmem
Version         2.5.4

Sealed: false means the server is ready to use. (A production OpenBao starts sealed and must be unsealed with key shares — dev mode skips that.)

Clean up

To remove OpenBao:

helm uninstall openbao -n openbao

To tear down the whole local cluster:

kind delete cluster --name secrets-lab

What’s next

OpenBao is running but empty. Next you will store and read your first secrets with the key/value engine.

Next in this series: Storing and Reading Secrets with OpenBao.

Summary

  • OpenBao installs on Kubernetes through its Helm chart; server.dev.enabled=true runs a single in-memory server for learning.
  • Dev mode starts unsealed with a fixed root token (root); production runs sealed and stores data on a real backend.
  • The bao CLI inside the openbao-0 pod reports server state; Sealed: false means it is ready.