SecureGuard is currently under active development. This documentation is a preview and is not yet publicly announced. Content is subject to change.
Protect and manage secrets with open-source transparency.
Kubermatic SecureGuard is a self-hosted, open-source secrets management platform designed for modern, Kubernetes-native environments. It acts as a secure transport layer for secrets, bridging the gap between high-security cryptographic storage and dynamic application needs.
By merging the cryptographic hardening of OpenBao with the native orchestration of the External Secrets Operator (ESO), SecureGuard provides a unified, production-grade secrets management solution. It eliminates fragmented secrets management, reduces vendor lock-in, and gives developers native access to credentials directly within Kubernetes.
Every app needs secrets — passwords, API keys, database credentials, TLS certificates. The hard questions are: where do you store them safely? and how do they get to the apps that need them without leaking?
SecureGuard answers both by combining three open-source tools and putting a friendly, read-only-by-default dashboard on top:
Secret objects your apps already use, and keeps them up to date.kubectl commands, and without ever exposing the secret values themselves (the dashboard shows ••••••••, never the real value).OpenBao is optional. It’s our opinionated default so teams without a vault get a complete, batteries-included stack out of the box. But SecureGuard is provider-agnostic: ESO supports many backends (AWS Secrets Manager, GCP Secret Manager, Azure Key Vault, HashiCorp Vault, and more). If you already have a vault, point your SecretStores at it and disable the bundled OpenBao (--set openbao.enabled=false). Everything else works the same.
Analogy: Think of OpenBao as a bank vault, ESO as the armored truck that delivers cash to ATMs (your apps), and SecureGuard as the security desk with the camera monitors — you can watch and direct everything, but you can’t reach into the vault and pull the cash out through the monitor.
1. STORE 2. DELIVER 3. USE
┌──────────┐ ESO pulls ┌──────────────────┐ app reads ┌──────────┐
│ OpenBao │ ───────────▶ │ Kubernetes Secret│ ──────────▶ │ Your App │
│ (vault) │ & syncs │ (auto-created) │ as env/file│ │
└──────────┘ └──────────────────┘ └──────────┘
▲ ▲
│ you configure & watch all of this from
└────────── the SecureGuard dashboard ──────────┘
(values stay masked: ••••••••)
Secret and keeps it in sync — if you change it in the vault, ESO updates the copy automatically.Secret like any other (no special SDK or code changes).You manage steps 1–2 from the SecureGuard dashboard. New to the terms above? See the Glossary.
Secret objects—no app rewrites or SDKs required.fedclient consumer.Not sure which doc to read first? Pick the path that matches you:
| If you are… | Start with… | Then read… |
|---|---|---|
| Brand new to secrets in Kubernetes | OpenBao Basics → ESO Basics | Glossary, Getting Started |
| Just want to try it locally | Getting Started | User Guide |
| A developer using the dashboard day-to-day | User Guide | Glossary |
| An operator deploying to production | Installation | Security Hardening, Advanced Configuration |
| Integrating or debugging the API | Architecture | API Reference |
Keep the Glossary open in a tab. Whenever a term like ESO, SecretStore, CRD, OIDC, or unsealing is unclear, it’s defined there in one line.