Skip to main content

Installing the agent injector

The OpenBao Helm chart is the recommended way to install and configure the Agent Injector in Kubernetes.

warning

The OpenBao Agent Injector requires OpenBao 2.0.0 or greater.

To install a new instance of OpenBao and the OpenBao Agent Injector, first add the OpenBao helm repository and ensure you have access to the chart:

$ helm repo add openbao https://openbao.github.io/openbao-helm
"openbao" has been added to your repositories

$ helm search repo openbao/openbao
NAME            CHART VERSION   APP VERSION             DESCRIPTION
openbao/openbao 0.4.0           v2.0.0-alpha20240329    Official OpenBao Chart

Then install the chart and enable the injection feature by setting the injector.enabled value to true:

helm install openbao openbao/openbao --set="injector.enabled=true"

Upgrades may be performed with helm upgrade on an existing install. Please always run Helm with --dry-run before any install or upgrade to verify changes.

You can see all the available values settings by running helm inspect values openbao/openbao or by reading the OpenBao Helm Configuration Docs. Commonly used values in the Helm chart include limiting the namespaces the injector runs in, TLS options and more.

TLS options

Admission webhook controllers require TLS to run within Kubernetes. The Injector defaults to supporting TLS 1.2 and above, and supports configuring the minimum supported TLS version and list of enabled cipher suites. These can be set via the following environment variables:

Environment variableDescription
AGENT_INJECT_TLS_MIN_VERSIONMinimum supported version of TLS. Defaults to tls12. Accepted values are tls10, tls11, tls12, or tls13.
AGENT_INJECT_TLS_CIPHER_SUITESComma-separated list of enabled cipher suites for TLS 1.0-1.2. (Cipher suites are not configurable for TLS 1.3.)
warning

Warning: TLS 1.1 and lower are generally considered insecure.

These may be set in a Helm chart deployment via the injector.extraEnvironmentVars option:

helm install openbao openbao/openbao \
  --set="injector.extraEnvironmentVars.AGENT_INJECT_TLS_MIN_VERSION=tls13" \
  --set="injector.extraEnvironmentVars.AGENT_INJECT_TLS_CIPHER_SUITES=..."

The OpenBao Agent Injector also supports two TLS management options:

  • Auto TLS generation (default)
  • Manual TLS

Auto TLS

By default, the OpenBao Agent Injector will bootstrap TLS by generating a certificate authority and creating a certificate/key to be used by the controller. If using OpenBao Helm, the chart will automatically create the necessary DNS entries for the controller's service used to verify the certificate.

Manual TLS

If desired, users can supply their own TLS certificates, key and certificate authority. The following is required to configure TLS manually:

  • Server certificate/key
  • Base64 PEM encoded Certificate Authority bundle

For more information on configuring manual TLS, see the OpenBao Helm cert values.

This option may also be used in conjunction with cert-manager for certificate management.

Multiple replicas and TLS

The OpenBao Agent Injector can be run with multiple replicas if using Manual TLS or cert-manager, and as of v0.7.0 multiple replicas are also supported with Auto TLS. The number of replicas is controlled in the OpenBao Helm chart by the injector.replicas value.

With Auto TLS and multiple replicas, a leader replica is determined by ownership of a ConfigMap named openbao-k8s-leader. Another replica can become the leader once the current leader replica stops running, and the Kubernetes garbage collector deletes the ConfigMap. The leader replica is in charge of generating the CA and patching the webhook caBundle in Kubernetes, and also generating and distributing the certificate and key to the "followers". The followers read the certificate and key needed for the webhook service listener from a Kubernetes Secret, which is updated by the leader when a certificate is near expiration.

With Manual TLS and multiple replicas, injector.leaderElector.enabled can be set to false since leader determination is not necessary in this case.

Namespace selector

By default, the OpenBao Agent Injector will process all namespaces in Kubernetes except the system namespaces kube-system and kube-public. To limit what namespaces the injector can work in a namespace selector can be defined to match labels attached to namespaces.

For more information on configuring namespace selection, see the OpenBao Helm namespaceSelector value.