Add OpenBao to Docker Compose (turnkey setup) #357

New Issue

Closed

opened 2026-02-07 17:12:27 +00:00 by jason.woltje · 0 comments

jason.woltje commented 2026-02-07 17:12:27 +00:00

Owner

Copy Link

Phase 2a - OpenBao Integration

Problem

All secrets (DB passwords, JWT keys, API tokens, encryption keys) are stored in .env files on disk. There is no centralized key management, no audit trail for secret access, and the master encryption key sits in an environment variable (the turtles all the way down problem).

Requirements

1. Add OpenBao (open-source Vault fork) to docker/docker-compose.yml as a turnkey service
2. Auto-initialize on first run (1 key share, 1 threshold for simplicity)
3. Auto-unseal on container restart from stored key in Docker volume
4. Configure Transit secrets engine with named encryption keys
5. Create AppRole authentication for the API service
6. Running docker compose up must work without manual intervention (turnkey)

Implementation Notes

• OpenBao image: quay.io/openbao/openbao:2
• File storage backend (simple, sufficient for single-node)
• Init sidecar container pattern: openbao-init runs after openbao is healthy, configures everything, then exits
• Named Transit keys: mosaic-credentials, mosaic-account-tokens, mosaic-federation, mosaic-llm-config
• AppRole policy: transit/encrypt and transit/decrypt only (least privilege)
• Save AppRole credentials (role_id, secret_id) to shared Docker volume for API to read
• Persistent volumes: openbao_data, openbao_config, openbao_init

Files

• docker/docker-compose.yml (modify - add openbao + openbao-init services, volumes)
• docker/openbao/config.hcl (new - server configuration)
• docker/openbao/init.sh (new - auto-init/unseal/configure script)
• .env.example (modify - add OPENBAO_ADDR, OPENBAO_PORT)

Production Hardening (document, not implement)

• Upgrade to 3-of-5 Shamir key splitting
• Enable TLS on listener
• Use external KMS for auto-unseal (AWS KMS, GCP CKMS)
• Enable audit logging
• Use Raft or Consul storage backend for HA
• Revoke root token after initial setup

Acceptance Criteria

• docker compose up starts OpenBao and auto-initializes
• Container restart auto-unseals without manual intervention
• Transit engine is enabled with 4 named encryption keys
• AppRole credentials are generated and saved
• Health check endpoint works
• Persistent volumes survive container recreation

Dependencies

• Blocks: VaultService NestJS module (#353)
• Blocks: OpenBao documentation (#354)

Refs #346

## Phase 2a - OpenBao Integration ### Problem All secrets (DB passwords, JWT keys, API tokens, encryption keys) are stored in .env files on disk. There is no centralized key management, no audit trail for secret access, and the master encryption key sits in an environment variable (the turtles all the way down problem). ### Requirements 1. Add OpenBao (open-source Vault fork) to docker/docker-compose.yml as a turnkey service 2. Auto-initialize on first run (1 key share, 1 threshold for simplicity) 3. Auto-unseal on container restart from stored key in Docker volume 4. Configure Transit secrets engine with named encryption keys 5. Create AppRole authentication for the API service 6. Running docker compose up must work without manual intervention (turnkey) ### Implementation Notes - OpenBao image: quay.io/openbao/openbao:2 - File storage backend (simple, sufficient for single-node) - Init sidecar container pattern: openbao-init runs after openbao is healthy, configures everything, then exits - Named Transit keys: mosaic-credentials, mosaic-account-tokens, mosaic-federation, mosaic-llm-config - AppRole policy: transit/encrypt and transit/decrypt only (least privilege) - Save AppRole credentials (role_id, secret_id) to shared Docker volume for API to read - Persistent volumes: openbao_data, openbao_config, openbao_init ### Files - docker/docker-compose.yml (modify - add openbao + openbao-init services, volumes) - docker/openbao/config.hcl (new - server configuration) - docker/openbao/init.sh (new - auto-init/unseal/configure script) - .env.example (modify - add OPENBAO_ADDR, OPENBAO_PORT) ### Production Hardening (document, not implement) - Upgrade to 3-of-5 Shamir key splitting - Enable TLS on listener - Use external KMS for auto-unseal (AWS KMS, GCP CKMS) - Enable audit logging - Use Raft or Consul storage backend for HA - Revoke root token after initial setup ### Acceptance Criteria - [ ] docker compose up starts OpenBao and auto-initializes - [ ] Container restart auto-unseals without manual intervention - [ ] Transit engine is enabled with 4 named encryption keys - [ ] AppRole credentials are generated and saved - [ ] Health check endpoint works - [ ] Persistent volumes survive container recreation ### Dependencies - Blocks: VaultService NestJS module (#353) - Blocks: OpenBao documentation (#354) Refs #346

jason.woltje added this to the M9-CredentialSecurity (0.0.9) milestone 2026-02-07 17:12:27 +00:00

jason.woltje added the devopssecurityp1 labels 2026-02-07 17:12:27 +00:00

jason.woltje referenced this issue 2026-02-07 17:13:29 +00:00

Security: Vault-based credential storage for agents and CI #346

jason.woltje referenced this issue from a commit 2026-02-07 21:40:33 +00:00

feat(#357): Add OpenBao to Docker Compose with turnkey setup

jason.woltje closed this issue 2026-02-07 21:40:34 +00:00

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

fix/ci-glibc-image

fix/dockerfile-npmrc

fix/matrix-native-binary

fix/kaniko-cache

fix/base-image-kaniko-v2

fix/base-image-kaniko

feat/custom-base-image

ci/pnpm-cache

fix/interceptor-tests

fix/kanban-tests

feat/wire-chat

feat/usage-widget

fix/security-hardening

fix/project-domain-v2

feat/kanban-add-task

fix/project-domain-attach

fix/logs-page-clean

fix/workspace-members

fix/ci-lint-632

fix/file-manager-tags

fix/csrf-debug-log

fix/controller-type-imports

fix/system-admin-env

fix/gateway-cors-trusted-origins

feat/project-detail-page

fix/fleet-provider-form-dto-v2

fix/ms22-audit

fix/orchestrator-widgets

fix/fleet-provider-form-dto

fix/csrf-bearer-bypass

fix/ms22-missing-authmodule-imports

fix/container-lifecycle-config-module

fix/swarm-compose-ms22-vars

chore/ms22-p1-complete

feat/ms22-p1h-settings-ui

feat/ms22-p1f-onboarding-ui

feat/ms22-p1i-chat-proxy

feat/ms22-p1k-idle-reaper

feat/ms22-p1j-docker

feat/ms22-p1e-onboarding-api

feat/ms22-p1g-settings-api

feat/ms22-p1d-container-mgr

feat/ms22-p1c-config-api

chore/ms22-prd-tracking

feat/ms22-p1a-schema

feat/ms22-p1b-crypto

chore/ms22-p1-tasks

docs/ms22-architecture

feat/ms22-openclaw-docker

feat/ms22-openclaw-gateway-module

chore/ms21-complete

chore/ms21-final-tasks-done

fix/ms21-ui-001-qa

test/ms21-ui-tests

chore/ms21-tasks-sync

chore/ms22-phase0-complete

feat/ms22-ingest-clean

feat/ms21-ui-users-members

feat/ms22-task-agent

chore/tasks-final

chore/tasks-update

feat/ms21-session-invalidation

feat/ms21-rbac-settings

feat/ms21-teams-page

feat/ms21-users-page

feat/ms19-terminal-persistence

v0.0.21

v0.20.0

v0.0.15

v0.0.2

Labels

Clear labels

ai

AI/LLM integration

api

Backend/API work

api

auth

Authentication

database

database

Database/schema work

devops

Docker/deployment

docs

Documentation

frontend

graph

knowledge-module

migration

Data migration

orchestrator

Orchestrator service (apps/orchestrator/)

p0

Critical priority

p1

High priority

p2

Medium priority

p3

Low priority

performance

Performance work

phase-1

phase-2

phase-3

phase-4

phase-5

plugin

MoltBot plugin work

search

security

Security-related

setup

Initial setup

testing

Testing/QA

web

Frontend work

No Label devops p1 security

Milestone

No items

No Milestone M9-CredentialSecurity (0.0.9)

Projects

Clear projects

No project

Assignees

Clear assignees

jason.woltje

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: mosaic/stack#357