Write OpenBao documentation and production hardening guide #354

New Issue

jason.woltje · 2026-02-07T17:11:41Z

jason.woltje commented

2026-02-07 17:11:41 +00:00

Phase 2d - Documentation

Problem

OpenBao integration needs comprehensive documentation for both development use and production hardening. Operators need to understand the turnkey defaults, how to upgrade security for production, and how the Transit encryption architecture works.

Requirements

Create docs/OPENBAO.md covering setup, architecture, and operations
Document the turnkey auto-init/auto-unseal behavior
Document production hardening steps (Shamir upgrade, TLS, HA, audit logging)
Document the Transit encryption architecture and key hierarchy
Document AppRole authentication flow
Document disaster recovery procedures

Topics to Cover

Overview: why OpenBao, what Transit engine does
Architecture diagram: API -> VaultService -> OpenBao Transit -> PostgreSQL
Default setup: 1-of-1 key share, file storage, auto-unseal
Environment variables: OPENBAO_ADDR, OPENBAO_ROLE_ID, OPENBAO_SECRET_ID
Named encryption keys and their purposes
Fallback behavior when OpenBao is unavailable
Production hardening checklist
Key rotation procedures (Transit handles versioning transparently)
Backup and restore procedures
Troubleshooting common issues

Files

docs/OPENBAO.md (new)

Acceptance Criteria

Documentation covers all topics listed above
Production hardening steps are actionable
Architecture diagram included
Linked from main docs and CLAUDE.md

Dependencies

Depends on: OpenBao Docker setup (need working implementation to document)

Refs #346

## Phase 2d - Documentation ### Problem OpenBao integration needs comprehensive documentation for both development use and production hardening. Operators need to understand the turnkey defaults, how to upgrade security for production, and how the Transit encryption architecture works. ### Requirements 1. Create docs/OPENBAO.md covering setup, architecture, and operations 2. Document the turnkey auto-init/auto-unseal behavior 3. Document production hardening steps (Shamir upgrade, TLS, HA, audit logging) 4. Document the Transit encryption architecture and key hierarchy 5. Document AppRole authentication flow 6. Document disaster recovery procedures ### Topics to Cover - Overview: why OpenBao, what Transit engine does - Architecture diagram: API -> VaultService -> OpenBao Transit -> PostgreSQL - Default setup: 1-of-1 key share, file storage, auto-unseal - Environment variables: OPENBAO_ADDR, OPENBAO_ROLE_ID, OPENBAO_SECRET_ID - Named encryption keys and their purposes - Fallback behavior when OpenBao is unavailable - Production hardening checklist - Key rotation procedures (Transit handles versioning transparently) - Backup and restore procedures - Troubleshooting common issues ### Files - docs/OPENBAO.md (new) ### Acceptance Criteria - [ ] Documentation covers all topics listed above - [ ] Production hardening steps are actionable - [ ] Architecture diagram included - [ ] Linked from main docs and CLAUDE.md ### Dependencies - Depends on: OpenBao Docker setup (need working implementation to document) Refs #346

jason.woltje added this to the M9-CredentialSecurity (0.0.9) milestone 2026-02-07 17:11:41 +00:00

jason.woltje added the security p2 labels 2026-02-07 17:11:41 +00:00

jason.woltje referenced this issue

2026-02-07 17:12:28 +00:00

Add OpenBao to Docker Compose (turnkey setup) #357

jason.woltje referenced this issue

2026-02-07 17:13:29 +00:00

Security: Vault-based credential storage for agents and CI #346

jason.woltje referenced this issue from a commit

2026-02-07 22:16:55 +00:00

docs(#354): Add comprehensive OpenBao integration guide

jason.woltje closed this issue

2026-02-07 22:16:55 +00:00

Sign in to join this conversation.

Branches Tags

main

fix/ci-glibc-image

fix/dockerfile-npmrc

fix/matrix-native-binary

fix/kaniko-cache

fix/base-image-kaniko-v2

fix/base-image-kaniko

feat/custom-base-image

ci/pnpm-cache

fix/interceptor-tests

fix/kanban-tests

feat/wire-chat

feat/usage-widget

fix/security-hardening

fix/project-domain-v2

feat/kanban-add-task

fix/project-domain-attach

fix/logs-page-clean

fix/workspace-members

fix/ci-lint-632

fix/file-manager-tags

fix/csrf-debug-log

fix/controller-type-imports

fix/system-admin-env

fix/gateway-cors-trusted-origins

feat/project-detail-page

fix/fleet-provider-form-dto-v2

fix/ms22-audit

fix/orchestrator-widgets

fix/fleet-provider-form-dto

fix/csrf-bearer-bypass

fix/ms22-missing-authmodule-imports

fix/container-lifecycle-config-module

fix/swarm-compose-ms22-vars

chore/ms22-p1-complete

feat/ms22-p1h-settings-ui

feat/ms22-p1f-onboarding-ui

feat/ms22-p1i-chat-proxy

feat/ms22-p1k-idle-reaper

feat/ms22-p1j-docker

feat/ms22-p1e-onboarding-api

feat/ms22-p1g-settings-api

feat/ms22-p1d-container-mgr

feat/ms22-p1c-config-api

chore/ms22-prd-tracking

feat/ms22-p1a-schema

feat/ms22-p1b-crypto

chore/ms22-p1-tasks

docs/ms22-architecture

feat/ms22-openclaw-docker

feat/ms22-openclaw-gateway-module

chore/ms21-complete

chore/ms21-final-tasks-done

fix/ms21-ui-001-qa

test/ms21-ui-tests

chore/ms21-tasks-sync

chore/ms22-phase0-complete

feat/ms22-ingest-clean

feat/ms21-ui-users-members

feat/ms22-task-agent

chore/tasks-final

chore/tasks-update

feat/ms21-session-invalidation

feat/ms21-rbac-settings

feat/ms21-teams-page

feat/ms21-users-page

feat/ms19-terminal-persistence

1 Participants

Notifications

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: mosaic/stack#354