···
1
-
# spindle secrets with openbao
3
-
This document covers setting up Spindle to use OpenBao for secrets
4
-
management instead of the default SQLite backend.
8
-
Install OpenBao from nixpkgs:
11
-
nix-env -iA nixpkgs.openbao
14
-
## local development setup
16
-
Start OpenBao in dev mode:
22
-
This starts OpenBao on `http://localhost:8200` with a root token. Save
23
-
the root token from the output -- you'll need it.
25
-
Set up environment for bao CLI:
28
-
export BAO_ADDR=http://localhost:8200
29
-
export BAO_TOKEN=hvs.your-root-token-here
32
-
Create the spindle KV mount:
35
-
bao secrets enable -path=spindle -version=2 kv
38
-
Set up AppRole authentication:
40
-
Create a policy file `spindle-policy.hcl`:
43
-
path "spindle/data/*" {
44
-
capabilities = ["create", "read", "update", "delete", "list"]
47
-
path "spindle/metadata/*" {
48
-
capabilities = ["list", "read", "delete"]
52
-
capabilities = ["list"]
56
-
Apply the policy and create an AppRole:
59
-
bao policy write spindle-policy spindle-policy.hcl
60
-
bao auth enable approle
61
-
bao write auth/approle/role/spindle \
62
-
token_policies="spindle-policy" \
67
-
Get the credentials:
70
-
bao read auth/approle/role/spindle/role-id
71
-
bao write -f auth/approle/role/spindle/secret-id
76
-
Set these environment variables for Spindle:
79
-
export SPINDLE_SERVER_SECRETS_PROVIDER=openbao
80
-
export SPINDLE_SERVER_SECRETS_OPENBAO_ADDR=http://localhost:8200
81
-
export SPINDLE_SERVER_SECRETS_OPENBAO_ROLE_ID=your-role-id-from-above
82
-
export SPINDLE_SERVER_SECRETS_OPENBAO_SECRET_ID=your-secret-id-from-above
83
-
export SPINDLE_SERVER_SECRETS_OPENBAO_MOUNT=spindle
88
-
Spindle will now use OpenBao for secrets storage with automatic token
95
-
bao kv list spindle/
98
-
Add a test secret via Spindle API, then check it exists:
100
-
bao kv list spindle/repos/
103
-
Get a specific secret:
105
-
bao kv get spindle/repos/your_repo_path/SECRET_NAME
110
-
- Secrets are stored at `spindle/repos/{sanitized_repo_path}/{secret_key}`
111
-
- Each repository gets its own namespace
112
-
- Repository paths like `at://did:plc:alice/myrepo` become
113
-
`at_did_plc_alice_myrepo`
114
-
- The system automatically handles token renewal using AppRole
116
-
- On shutdown, Spindle cleanly stops the token renewal process
120
-
**403 errors**: Check that your BAO_TOKEN is set and the spindle mount
123
-
**404 route errors**: The spindle KV mount probably doesn't exist - run
124
-
the mount creation step again
126
-
**Token expired**: The AppRole system should handle this automatically,
127
-
but you can check token status with `bao token lookup`
anirudh.fi