@digiserg
Contributor

This PR introduces support for OpenBao as a secret provider.

Following the recent licensing changes to HashiCorp Vault (BSL), many users are transitioning to OpenBao, an open-source community fork under the LF Decentralized Trust. Since OpenBao maintains API compatibility with Vault's core functionality, this implementation leverages the existing Vault logic while allowing users to explicitly define bao as a source.

Changes

  • Added openbao to the list of supported secret providers.
  • Implemented the OpenBao provider (mirroring the Vault provider logic).
  • Updated documentation to include connection examples for OpenBao.
  • Added unit tests for the bao prefix to ensure URI parsing works correctly.

Why this is needed

As organizations move away from BSL-licensed software, vals needs to remain a neutral and flexible tool for secret injection. Providing first-class support for OpenBao allows users to migrate their infrastructure without losing the ability to manage secrets via Helmfile and other tools that depend on vals.

How to test

You can now use the openbao prefix in your configuration:

# Example usage
key: ref+openbao://secret/db#user

  1. Run an OpenBao instance (e.g., via Docker).
  2. Set the environment variable BAO_ADDR and BAO_TOKEN.
  3. Run vals eval on a file containing a ref+bao:// URI.
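
The description above writes the provider prefix both as openbao and as bao. The following check is an added example, not code from this PR or from vals: it lists every ref+ URI in a file with its provider, path and key so the prefixes in use can be compared against the providers your vals build registers. The `ScanRefs` name, the allowlist and the sample input are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// Ref is one parsed ref+PROVIDER://PATH#KEY expression (hypothetical type).
type Ref struct {
	Line                int
	Provider, Path, Key string
	Allowed             bool
}

// refPattern matches a ref+ URI up to the next whitespace or quote.
var refPattern = regexp.MustCompile(`ref\+[a-z][a-z0-9]*://[^\s"']+`)

// ScanRefs extracts every ref+ URI from doc and marks whether its provider
// prefix is in the caller-supplied allowlist.
func ScanRefs(doc string, allowed map[string]bool) ([]Ref, error) {
	var refs []Ref
	for i, line := range strings.Split(doc, "\n") {
		for _, m := range refPattern.FindAllString(line, -1) {
			u, err := url.Parse(strings.TrimPrefix(m, "ref+"))
			if err != nil {
				return nil, fmt.Errorf("line %d: %w", i+1, err)
			}
			// The first path segment lands in u.Host, so rejoin it with u.Path.
			refs = append(refs, Ref{i + 1, u.Scheme, u.Host + u.Path, u.Fragment, allowed[u.Scheme]})
		}
	}
	return refs, nil
}

func main() {
	// Constructed sample input; both prefixes appear in the PR text.
	doc := "user: ref+openbao://secret/db#user\npass: ref+bao://secret/db#pass\n"
	// Assumed allowlist: replace with the prefixes your vals build accepts.
	refs, err := ScanRefs(doc, map[string]bool{"openbao": true})
	if err != nil {
		panic(err)
	}
	for _, r := range refs {
		fmt.Printf("line %d: provider=%s path=%s key=%s allowed=%v\n", r.Line, r.Provider, r.Path, r.Key, r.Allowed)
	}
}
```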

@yxxhero
Member

yxxhero commented Dec 27, 2025

@digiserg please fix conflicts and DCO.

Following the recent licensing changes to HashiCorp Vault (BSL), many users are transitioning to OpenBao, an open-source community fork under the LF Decentralized Trust. Since OpenBao maintains API compatibility with Vault's core functionality, this implementation leverages the existing Vault logic while allowing users to explicitly define bao as a source.

Signed-off-by: Sergio Rua <[email protected]>
Signed-off-by: Sergio Rua <[email protected]>
Signed-off-by: Sergio Rua <[email protected]>
Copilot AI left a comment

Pull request overview

This PR adds OpenBao support as a new secret provider to vals. OpenBao is an open-source, community-driven fork of HashiCorp Vault under the Linux Foundation, maintaining API compatibility with Vault's core functionality. The implementation strategically reuses the Vault provider logic while introducing OpenBao-specific environment variables and configuration options.

Key changes:

  • Added OpenBao as a first-class provider with ref+openbao:// URI support
  • Implemented authentication methods (token, approle, kubernetes, userpass) mirroring Vault
  • Added comprehensive test coverage following existing provider test patterns

Reviewed changes

Copilot reviewed 6 out of 7 changed files in this pull request and generated 15 comments.

File | Description
vals.go | Registers OpenBao provider constant and integrates it into the provider factory
pkg/providers/openbao/openbao.go | Main provider implementation with authentication methods and secret retrieval logic
pkg/providers/openbao/kv_helper.go | Helper functions for KV v1/v2 version detection and path handling
vals_openbao_test.go | Comprehensive test suite covering EvalTemplate, String, Map, and Raw formats
go.mod | Adds openbao/openbao/api/v2 v2.5.0 dependency
go.sum | Checksum entries for the new OpenBao dependency
README.md | Documentation with usage examples and authentication method descriptions

* Spelling error in error message. "unepected" should be "unexpected".
* Avoid using snake_case variables
* Add unique variables for the bao tests

Signed-off-by: Sergio Rua <[email protected]>
@yxxhero yxxhero merged commit 8b741f0 into helmfile:main Dec 29, 2025
5 checks passed
@digiserg digiserg deleted the feat/openbao branch December 29, 2025 16:25