Cloudron package for OpenBao, an open source, community-driven fork of HashiCorp Vault for managing secrets, certificates, and keys.
Packaged version: 2.5.3
| File | Purpose |
|---|---|
| `CloudronManifest.json` | Cloudron app metadata (id, version, addons, ports) |
| `Dockerfile` | Builds the app image on top of `cloudron/base:4.2.0` |
| `openbao.hcl.tmpl` | OpenBao config template; `{{APP_DOMAIN}}` is substituted at runtime |
| `start.sh` | Entrypoint: generates config, starts server, initializes, unseals, configures LDAP |
| `logo.png` | App icon (256×256 PNG) |
Persistent volume mounted at /app/data. All runtime state lives here:
| Path | Contents |
|---|---|
| `/app/data/raft/` | Raft integrated storage (OpenBao data) |
| `/app/data/config/openbao.hcl` | Generated config (written from template at startup) |
| `/app/data/init.json` | Init output: unseal key + root token (mode 600, first run only) |
| `/app/data/.ldap_configured` | Flag file; prevents re-running LDAP setup on restart |
Note: Because Cloudron mounts `localstorage` over `/app/data` at runtime, any directories created in the Dockerfile under that path are shadowed. `start.sh` creates `/app/data/raft` and `/app/data/config` explicitly on every boot.
Cloudron injects the following environment variables when the LDAP addon is enabled:
| Variable | Used for |
|---|---|
| `LDAP_URL` | OpenBao LDAP auth URL |
| `LDAP_BIND_DN` | Service account DN |
| `LDAP_BIND_PASSWORD` | Service account password |
| `LDAP_USERS_BASE_DN` | User search base |
| `LDAP_GROUPS_BASE_DN` | Group search base |
LDAP auth is configured on first boot (when `LDAP_URL` is set and the flag file doesn't exist). The Cloudron admin group is mapped to an OpenBao policy with full (sudo) access to all paths.

`start.sh` performs the following steps in order on every boot:

- `mkdir -p /app/data/raft /app/data/config` to ensure the directories exist under the runtime mount
- Render `openbao.hcl.tmpl` to `/app/data/config/openbao.hcl` with `APP_DOMAIN` substituted
- Start `bao server` in the background
- Wait up to 30 s for the API to respond (accepts HTTP 200, 429, 501, 503 as "up", so a standby, uninitialized or sealed server also counts as listening)
- If `/app/data/init.json` doesn't exist, run `bao operator init` (1 key share, threshold 1) and save the output
- Unseal using the key from `init.json`
- If LDAP env vars are present and not yet configured, enable LDAP auth and write policy/group mappings
- `wait` on the server PID (the container stays alive as long as `bao server` runs)
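The start-up sequence above, including the LDAP mapping described before it, as an added shell example; this is not the package's own `start.sh`. It assumes `bao`, `curl`, `jq` and `sed` are on `PATH` in the image, that the `bao` CLI honours `BAO_ADDR` and `BAO_TOKEN`, and that the Cloudron admin LDAP group is named `admins` (a hypothetical name, overridable via `CLOUDRON_ADMIN_GROUP`). The `write_example_template` function emits a constructed stand-in for `openbao.hcl.tmpl` so the rendering step can be exercised without the real file, and `cloudron-admin` is a hypothetical policy name.

```shell
#!/bin/bash
# Added example reconstructing the start.sh sequence described above; not the package's own script.
# Assumptions (constructed for this example): bao, curl, jq and sed are on PATH, the bao CLI honours
# BAO_ADDR/BAO_TOKEN, and the Cloudron admin LDAP group is named "admins" (hypothetical, override
# with CLOUDRON_ADMIN_GROUP). Run as "start.sh run" to execute; sourcing it only defines functions.
set -eu

DATA_DIR="${DATA_DIR:-/app/data}"
TEMPLATE="${TEMPLATE:-/app/code/openbao.hcl.tmpl}"
export BAO_ADDR="${BAO_ADDR:-http://127.0.0.1:8200}"

# Constructed stand-in for openbao.hcl.tmpl: plain-HTTP listener, https api_addr (TLS ends at the
# Cloudron proxy), Raft storage under the persistent volume. Usage: write_example_template <path>
write_example_template() {
    cat > "$1" <<'EOF'
ui = true
api_addr = "https://{{APP_DOMAIN}}"
cluster_addr = "https://127.0.0.1:8201"
listener "tcp" {
  address         = "0.0.0.0:8200"
  cluster_address = "0.0.0.0:8201"
  tls_disable     = true
}
storage "raft" {
  path = "/app/data/raft"
}
EOF
}

# Render the template: every {{APP_DOMAIN}} becomes the real domain.
# Usage: render_config <template> <output> <domain>
render_config() {
    sed "s#{{APP_DOMAIN}}#$3#g" "$1" > "$2"
}

# Readiness check: these codes mean the API is answering, whatever the seal state.
# 200 = initialised/unsealed/active, 429 = standby, 501 = not initialised, 503 = sealed.
api_is_up() {
    case "$1" in
        200|429|501|503) return 0 ;;
        *) return 1 ;;
    esac
}

# Poll /v1/sys/health for up to 30 seconds.
wait_for_api() {
    attempts=0
    while [ "$attempts" -lt 30 ]; do
        code=$(curl -s -o /dev/null -w '%{http_code}' "$BAO_ADDR/v1/sys/health" || true)
        if api_is_up "$code"; then return 0; fi
        attempts=$((attempts + 1))
        sleep 1
    done
    echo "OpenBao API did not respond within 30 s" >&2
    return 1
}

# First boot only: initialise with a single key share and keep the output private (mode 600).
init_if_needed() {
    if [ ! -f "$DATA_DIR/init.json" ]; then
        (umask 077; bao operator init -key-shares=1 -key-threshold=1 -format=json > "$DATA_DIR/init.json")
    fi
}

unseal() {
    bao operator unseal "$(jq -r '.unseal_keys_b64[0]' "$DATA_DIR/init.json")" > /dev/null
}

# Enable LDAP auth once; the admin group gets a policy with full (sudo) access to all paths.
configure_ldap() {
    [ -n "${LDAP_URL:-}" ] || return 0
    [ ! -f "$DATA_DIR/.ldap_configured" ] || return 0
    BAO_TOKEN=$(jq -r '.root_token' "$DATA_DIR/init.json")
    export BAO_TOKEN
    bao auth enable ldap
    bao write auth/ldap/config url="$LDAP_URL" binddn="$LDAP_BIND_DN" bindpass="$LDAP_BIND_PASSWORD" \
        userdn="$LDAP_USERS_BASE_DN" groupdn="$LDAP_GROUPS_BASE_DN"
    printf 'path "*" {\n  capabilities = ["create", "read", "update", "delete", "list", "sudo"]\n}\n' \
        | bao policy write cloudron-admin -
    bao write "auth/ldap/groups/${CLOUDRON_ADMIN_GROUP:-admins}" policies=cloudron-admin
    unset BAO_TOKEN
    touch "$DATA_DIR/.ldap_configured"
}

main() {
    mkdir -p "$DATA_DIR/raft" "$DATA_DIR/config"
    render_config "$TEMPLATE" "$DATA_DIR/config/openbao.hcl" "$APP_DOMAIN"
    bao server -config="$DATA_DIR/config/openbao.hcl" &
    server_pid=$!
    wait_for_api
    init_if_needed
    unseal
    configure_ldap
    wait "$server_pid"   # container lives as long as bao server does
}

if [ "${1:-}" = "run" ]; then main; fi
```

Invoke as `start.sh run` to execute the whole sequence; sourcing the file only defines the functions, which lets the rendering and readiness helpers be checked without a running OpenBao. The `api_is_up` codes follow the `/v1/sys/health` semantics: 429 is a standby node, 501 an uninitialised server and 503 a sealed one, all of which mean the process is listening and it is safe to proceed to init and unseal. The root token is only exported for the duration of the LDAP setup and unset immediately afterwards.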
| Port | Purpose |
|---|---|
| 8200 | OpenBao API + UI (HTTP, TLS terminated by Cloudron proxy) |
| 8201 | Raft cluster communication (internal only) |
`api_addr` in the config is set to `https://{{APP_DOMAIN}}` even though the listener uses `tls_disable = true`. This is correct because Cloudron terminates TLS at its reverse proxy: clients reach OpenBao over HTTPS at the public domain, while the listener inside the container is plain HTTP.

The health check path is `/v1/sys/health`, which returns HTTP 200 when the vault is initialized, unsealed, and active.
The unseal key and root token are written to `/app/data/init.json` (permissions 600). After initial setup you should:

- Log into the OpenBao UI with the root token
- Create admin accounts via LDAP or a new auth method
- Revoke the root token (`bao token revoke <root_token>`)
- Back up or rotate the unseal key as appropriate for your threat model
```sh
# Build the Docker image
cloudron build

# Install on your Cloudron instance
cloudron install --image <image> --location openbao.<your-domain>
```

Or use the Cloudron UI: App Store → Install from local package, point at this directory.
Bump `OPENBAO_VERSION` in the Dockerfile and `version` in `CloudronManifest.json` to match, then rebuild and run `cloudron update`.