diff --git a/README.md b/README.md
index 5413cc0..66c28ef 100644
--- a/README.md
+++ b/README.md
@@ -16,8 +16,9 @@ The following modules have been implemented and their usage instructions written
 1. [Helm](modules/helm)
 2. [Cluster Issuer for internal certificates](modules/cluster-issuer)
 3. [Observability](modules/observability)
-4. [Garage Storage](modules/garage)
-5. [Cloudnative PG PostgreSQL Database](modules/cnpg)
-6. [FerretDB (MongoDB) Database](modules/ferretdb)
-7. [Valkey In Memory Database](modules/valkey)
-8. [Keycloak Identity Management](modules/keycloak)
+4. [OpenBao Secrets Management](modules/openbao)
+5. [Garage Storage](modules/garage)
+6. [Cloudnative PG PostgreSQL Database](modules/cnpg)
+7. [FerretDB (MongoDB) Database](modules/ferretdb)
+8. [Valkey In Memory Database](modules/valkey)
+9. [Keycloak Identity Management](modules/keycloak)
diff --git a/infrastructure/main.tf b/infrastructure/main.tf
index c09b011..9192b61 100644
--- a/infrastructure/main.tf
+++ b/infrastructure/main.tf
@@ -33,6 +33,30 @@ module "observability" {
   depends_on = [module.cluster-issuer]
 }
 
+# OpenBao Secrets Management Solution deployment
+module "secrets" {
+  source = "git::https://github.com/necro-cloud/modules//modules/openbao?ref=task/110/openbao-deployment"
+  
+  // Certificates Details
+  cluster_issuer_name = module.cluster-issuer.cluster-issuer-name
+  cloudflare_token    = var.cloudflare_token
+  cloudflare_email    = var.cloudflare_email
+  domain              = var.domain
+
+  // Observability details
+  observability_namespace = module.observability.observability_namespace
+
+  // Granting required namespaces access to the OpenBao cluster
+  access_namespaces = "external-secrets,cloud"
+
+  // Whitelisting Kubernetes API Endpoints in the Network Policy
+  kubernetes_api_ip       = one(flatten(data.kubernetes_endpoints_v1.kubernetes_api_endpoint.subset[*].address[*].ip))
+  kubernetes_api_protocol = one(flatten(data.kubernetes_endpoints_v1.kubernetes_api_endpoint.subset[*].port[*].protocol))
+  kubernetes_api_port     = one(flatten(data.kubernetes_endpoints_v1.kubernetes_api_endpoint.subset[*].port[*].port))
+  
+  depends_on = [module.observability]
+}
+
 # Garage Deployment for an S3 compatible object storage solution
 module "garage" {
   source = "git::https://github.com/necro-cloud/modules//modules/garage?ref=main"
diff --git a/modules/openbao/README.md b/modules/openbao/README.md
new file mode 100644
index 0000000..7778a56
--- /dev/null
+++ b/modules/openbao/README.md
@@ -0,0 +1,71 @@
+## necronizer's cloud openbao module
+
+OpenTofu Module to deploy [OpenBao](https://openbao.org/) Secrets Management Solution on the Kubernetes Cluster.
+
+Required Modules to deploy OpenBao Secrets Manageemnt Solution:
+1. [Cluster Issuer](../cluster-issuer)
+2. [Observability](../observability)
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_helm"></a> [helm](#provider\_helm) | 3.1.1 |
+| <a name="provider_kubernetes"></a> [kubernetes](#provider\_kubernetes) | 2.38.0 |
+| <a name="provider_random"></a> [random](#provider\_random) | 3.7.2 |
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [helm_release.openbao](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
+| [kubernetes_config_map.configurator_script](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/config_map) | resource |
+| [kubernetes_ingress_v1.ui_ingress](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/ingress_v1) | resource |
+| [kubernetes_job.configurator](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/job) | resource |
+| [kubernetes_manifest.certificate_authority](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/manifest) | resource |
+| [kubernetes_manifest.ingress_certificate](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/manifest) | resource |
+| [kubernetes_manifest.internal_certificate](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/manifest) | resource |
+| [kubernetes_manifest.issuer](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/manifest) | resource |
+| [kubernetes_manifest.public_issuer](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/manifest) | resource |
+| [kubernetes_namespace.namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
+| [kubernetes_network_policy.openbao_network_access_policy](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
+| [kubernetes_role.configurator](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/role) | resource |
+| [kubernetes_role_binding.configurator](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/role_binding) | resource |
+| [kubernetes_secret.cloudflare_token](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/secret) | resource |
+| [kubernetes_secret.static_unseal_key](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/secret) | resource |
+| [kubernetes_service_account.configurator](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/service_account) | resource |
+| [random_id.static_unseal_key](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/id) | resource |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_access_namespaces"></a> [access\_namespaces](#input\_access\_namespaces) | Namespaces requiring accesses to the OpenBao Cluster in a comma seperated list | `string` |
+| <a name="input_acme_server"></a> [acme\_server](#input\_acme\_server) | URL for the ACME Server to be used, defaults to production URL for LetsEncrypt | `string` | `"https://acme-v02
+| <a name="input_app_name"></a> [app\_name](#input\_app\_name) | App name for deploying OpenBao Secrets Management Solution | `string` | `"openbao"` | no |
+| <a name="input_certificate_authority_name"></a> [certificate\_authority\_name](#input\_certificate\_authority\_name) | Name of the Certificate Authority to be associated with OpenBao
+| <a name="input_cloudflare_email"></a> [cloudflare\_email](#input\_cloudflare\_email) | Email for generating Ingress Certificates to be associated with OpenBao Secrets Management Solu
+| <a name="input_cloudflare_issuer_name"></a> [cloudflare\_issuer\_name](#input\_cloudflare\_issuer\_name) | Name of the Cloudflare Issuer to be associated with OpenBao Secrets Management Solution | `string` | `"secrets-cloudflare-issuer"` | no |
+| <a name="input_cloudflare_token"></a> [cloudflare\_token](#input\_cloudflare\_token) | Token for generating Ingress Certificates to be associated with OpenBao Secrets Management Solution | `string` | n/a | yes |
+| <a name="input_cluster_issuer_name"></a> [cluster\_issuer\_name](#input\_cluster\_issuer\_name) | Name for the Cluster Issuer to be used to generate internal self signed certificates | `string` | n/a | yes |
+| <a name="input_cluster_size"></a> [cluster\_size](#input\_cluster\_size) | Number of pods to be deployed for High Availability for OpenBao Secrets Management Solution | `number` | `3` | no |
+| <a name="input_configurator_image"></a> [configurator\_image](#input\_configurator\_image) | Docker image to be used for deployment of OpenBao Configurator | `string` | `"openbao"` | no |
+| <a name="input_configurator_repository"></a> [configurator\_repository](#input\_configurator\_repository) | Repository to be used for deployment of OpenBao Configurator | `string` | `"quay.io/openbao"` | no |
+| <a name="input_configurator_tag"></a> [configurator\_tag](#input\_configurator\_tag) | Docker tag to be used for deployment of OpenBao Configurator | `string` | `"2.5.1"` | no |
+| <a name="input_country_name"></a> [country\_name](#input\_country\_name) | Country name for deploying OpenBao Secrets Management Solution | `string` | `"India"` | no |
+| <a name="input_domain"></a> [domain](#input\_domain) | Domain for which Ingress Certificate is to be generated for | `string` | n/a | yes |
+| <a name="input_host_name"></a> [host\_name](#input\_host\_name) | Host name for which Ingress Certificate is to be generated for | `string` | `"secrets"` | no |
+| <a name="input_ingress_certificate_name"></a> [ingress\_certificate\_name](#input\_ingress\_certificate\_name) | Name of the Ingress Certificate to be associated with OpenBao Secrets Management Solution | `string` | `"secrets-ingress-certificate"` | no |
+| <a name="input_internal_certificate_name"></a> [internal\_certificate\_name](#input\_internal\_certificate\_name) | Name of the Internal Certificate to be associated with OpenBao Secrets Management Solution | `string` | `"secrets-internal-certificate"` | no |
+| <a name="input_issuer_name"></a> [issuer\_name](#input\_issuer\_name) | Name of the Issuer to be associated with OpenBao Secrets Management Solution | `string` | `"secrets-certificate-issuer"` | no |
+| <a name="input_kubernetes_api_ip"></a> [kubernetes\_api\_ip](#input\_kubernetes\_api\_ip) | IP Address for the Kubernetes API | `string` | n/a | yes |
+| <a name="input_kubernetes_api_port"></a> [kubernetes\_api\_port](#input\_kubernetes\_api\_port) | Port for the Kubernetes API | `number` | n/a | yes |
+| <a name="input_kubernetes_api_protocol"></a> [kubernetes\_api\_protocol](#input\_kubernetes\_api\_protocol) | Protocol for the Kubernetes API | `string` | n/a | yes |
+| <a name="input_namespace"></a> [namespace](#input\_namespace) | Namespace to be used for deploying OpenBao Secrets Management Solution | `string` | `"openbao"` | no |
+| <a name="input_observability_namespace"></a> [observability\_namespace](#input\_observability\_namespace) | Namespace where all components for observability are deployed | `string` | n/a | yes |
+| <a name="input_openbao_configuration"></a> [openbao\_configuration](#input\_openbao\_configuration) | Dictionary filled with OpenBao Configuration Details | `map(string)` | <pre>{<br/>  "chart": "openbao",<br/>  "name": "openbao",<br/>  "repository": "https://openbao.github.io/openbao-helm",<br/>  "version": "0.25.6"<br/>}</pre> | no |
+| <a name="input_organization_name"></a> [organization\_name](#input\_organization\_name) | Organization name for deploying OpenBao Secrets Management Solution | `string` | `"cloud"` | no |
+
+## Outputs
+
+No outputs.
diff --git a/modules/openbao/certificates.tf b/modules/openbao/certificates.tf
new file mode 100644
index 0000000..92df5ac
--- /dev/null
+++ b/modules/openbao/certificates.tf
@@ -0,0 +1,254 @@
+// Certificate Authority to be used with OpenBao Cluster
+resource "kubernetes_manifest" "certificate_authority" {
+  manifest = {
+    "apiVersion" = "cert-manager.io/v1"
+    "kind"       = "Certificate"
+    "metadata" = {
+      "name"      = var.certificate_authority_name
+      "namespace" = kubernetes_namespace.namespace.metadata[0].name
+      "labels" = {
+        "app"       = var.app_name
+        "component" = "certificate-authority"
+      }
+    }
+    "spec" = {
+      "isCA" = true
+      "subject" = {
+        "organizations"       = [var.organization_name]
+        "countries"           = [var.country_name]
+        "organizationalUnits" = [var.app_name]
+      }
+      "commonName" = var.certificate_authority_name
+      "secretName" = var.certificate_authority_name
+      "duration"   = "70128h"
+      "privateKey" = {
+        "algorithm" = "ECDSA"
+        "size"      = 256
+      }
+      "issuerRef" = {
+        "name"  = "${var.cluster_issuer_name}"
+        "kind"  = "ClusterIssuer"
+        "group" = "cert-manager.io"
+      }
+    }
+  }
+
+  wait {
+    condition {
+      type   = "Ready"
+      status = "True"
+    }
+  }
+
+  timeouts {
+    create = "5m"
+    update = "5m"
+    delete = "5m"
+  }
+}
+
+// Issuer for the OpenBao Cluster
+resource "kubernetes_manifest" "issuer" {
+  manifest = {
+    "apiVersion" = "cert-manager.io/v1"
+    "kind"       = "Issuer"
+    "metadata" = {
+      "name"      = var.issuer_name
+      "namespace" = kubernetes_namespace.namespace.metadata[0].name
+      "labels" = {
+        "app"       = var.app_name
+        "component" = "issuer"
+      }
+    }
+    "spec" = {
+      "ca" = {
+        "secretName" = kubernetes_manifest.certificate_authority.manifest.spec.secretName
+      }
+    }
+  }
+
+  wait {
+    condition {
+      type   = "Ready"
+      status = "True"
+    }
+  }
+
+  timeouts {
+    create = "5m"
+    update = "5m"
+    delete = "5m"
+  }
+}
+
+// Internal Certificate for OpenBao Cluster
+resource "kubernetes_manifest" "internal_certificate" {
+  manifest = {
+    "apiVersion" = "cert-manager.io/v1"
+    "kind"       = "Certificate"
+    "metadata" = {
+      "name"      = var.internal_certificate_name
+      "namespace" = kubernetes_namespace.namespace.metadata[0].name
+      "labels" = {
+        "app"       = var.app_name
+        "component" = "internal-certificate"
+      }
+    }
+    "spec" = {
+      "dnsNames" = [
+        "${var.host_name}.${var.domain}",
+        "localhost",
+        "127.0.0.1",
+        "*.${kubernetes_namespace.namespace.metadata[0].name}.svc.cluster.local",
+        "openbao-internal",
+        "openbao-internal.${kubernetes_namespace.namespace.metadata[0].name}.svc",
+        "openbao-internal.${kubernetes_namespace.namespace.metadata[0].name}.svc.cluster.local",
+        "*.openbao-internal.${kubernetes_namespace.namespace.metadata[0].name}.svc.cluster.local",
+      ]
+      "subject" = {
+        "organizations"       = [var.organization_name]
+        "countries"           = [var.country_name]
+        "organizationalUnits" = [var.app_name]
+      }
+      "commonName" = var.internal_certificate_name
+      "secretName" = var.internal_certificate_name
+      "issuerRef" = {
+        "name" = kubernetes_manifest.issuer.manifest.metadata.name
+      }
+    }
+  }
+
+  wait {
+    condition {
+      type   = "Ready"
+      status = "True"
+    }
+  }
+  timeouts {
+    create = "5m"
+    update = "5m"
+    delete = "5m"
+  }
+}
+
+// Kubernetes Secret for Cloudflare Tokens
+resource "kubernetes_secret" "cloudflare_token" {
+  metadata {
+    name      = "cloudflare-token"
+    namespace = kubernetes_namespace.namespace.metadata[0].name
+    labels = {
+      "app"       = var.app_name
+      "component" = "secret"
+    }
+  }
+
+  data = {
+    cloudflare-token = var.cloudflare_token
+  }
+
+  type = "Opaque"
+}
+
+// Cloudflare Issuer for Openbao Ingress Service
+resource "kubernetes_manifest" "public_issuer" {
+  manifest = {
+    "apiVersion" = "cert-manager.io/v1"
+    "kind"       = "Issuer"
+    "metadata" = {
+      "name"      = var.cloudflare_issuer_name
+      "namespace" = kubernetes_namespace.namespace.metadata[0].name
+      "labels" = {
+        "app"       = var.app_name
+        "component" = "cloudflare-issuer"
+      }
+    }
+    "spec" = {
+      "acme" = {
+        "email"  = var.cloudflare_email
+        "server" = var.acme_server
+        "privateKeySecretRef" = {
+          "name" = var.cloudflare_issuer_name
+        }
+        "solvers" = [
+          {
+            "dns01" = {
+              "cloudflare" = {
+                "email" = var.cloudflare_email
+                "apiTokenSecretRef" = {
+                  "name" = "cloudflare-token"
+                  "key"  = "cloudflare-token"
+                }
+              }
+            }
+          }
+        ]
+      }
+    }
+  }
+
+  depends_on = [kubernetes_secret.cloudflare_token]
+
+  wait {
+    condition {
+      type   = "Ready"
+      status = "True"
+    }
+  }
+
+  timeouts {
+    create = "5m"
+    update = "5m"
+    delete = "5m"
+  }
+}
+
+// Certificate to be used for OpenBao Ingress
+resource "kubernetes_manifest" "ingress_certificate" {
+
+  manifest = {
+    "apiVersion" = "cert-manager.io/v1"
+    "kind"       = "Certificate"
+    "metadata" = {
+      "name"      = var.ingress_certificate_name
+      "namespace" = kubernetes_namespace.namespace.metadata[0].name
+      "labels" = {
+        "app"       = var.app_name
+        "component" = "ingress-certificate"
+      }
+    }
+    "spec" = {
+      "duration"    = "2160h"
+      "renewBefore" = "360h"
+      "subject" = {
+        "organizations"       = [var.organization_name]
+        "countries"           = [var.country_name]
+        "organizationalUnits" = [var.app_name]
+      }
+      "privateKey" = {
+        "algorithm" = "RSA"
+        "encoding"  = "PKCS1"
+        "size"      = "2048"
+      }
+      "dnsNames"   = ["${var.host_name}.${var.domain}"]
+      "secretName" = var.ingress_certificate_name
+      "issuerRef" = {
+        "name"  = kubernetes_manifest.public_issuer.manifest.metadata.name
+        "kind"  = "Issuer"
+        "group" = "cert-manager.io"
+      }
+    }
+  }
+
+  wait {
+    condition {
+      type   = "Ready"
+      status = "True"
+    }
+  }
+
+  timeouts {
+    create = "5m"
+    update = "5m"
+    delete = "5m"
+  }
+}
diff --git a/modules/openbao/config/configurator.sh b/modules/openbao/config/configurator.sh
new file mode 100644
index 0000000..307cd9f
--- /dev/null
+++ b/modules/openbao/config/configurator.sh
@@ -0,0 +1,76 @@
+#!/bin/sh
+set -e
+
+# Installing required dependencies
+echo "Installing required dependencies..."
+apk add --no-cache curl jq
+
+# Required Environment Variables
+NAMESPACE=$(cat /var/run/secrets/kubernetes.io/serviceaccount/namespace)
+K8S_API="https://kubernetes.default.svc"
+K8S_TOKEN=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)
+K8S_CACERT="/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"
+
+# OpenBao TLS Setup
+BAO_ADDR="https://openbao-internal.$NAMESPACE.svc:8200"
+BAO_CACERT="/openbao/userconfig/${cert_secret_name}/ca.crt"
+
+export BAO_ADDR=$BAO_ADDR
+export BAO_CACERT=$BAO_CACERT
+
+# Wait for OpenBao API to respond over HTTPS
+echo "Waiting for OpenBao API at $BAO_ADDR..."
+until curl -s --cacert "$BAO_CACERT" "$BAO_ADDR/v1/sys/health" | grep -q 'initialized'; do
+  echo "Still waiting..."
+  sleep 5
+done
+
+# Initialize the Cluster
+if ! bao operator init -status > /dev/null 2>&1; then
+  echo "Initializing OpenBao Cluster..."
+  bao operator init -format=json > /tmp/keys.json
+  
+  ROOT_TOKEN=$(jq -r '.root_token' /tmp/keys.json)
+  export BAO_TOKEN=$ROOT_TOKEN
+
+  # Save Keys to K8s Secret
+  echo "Persisting recovery keys to Kubernetes..."
+  B64_DATA=$(cat /tmp/keys.json | base64 | tr -d '\n')
+  
+  curl -s --cacert "$K8S_CACERT" \
+    -X POST \
+    -H "Authorization: Bearer $K8S_TOKEN" \
+    -H "Content-Type: application/json" \
+    -d "{
+      \"apiVersion\": \"v1\",
+      \"kind\": \"Secret\",
+      \"metadata\": { \"name\": \"bao-init-recovery\" },
+      \"data\": { \"keys.json\": \"$B64_DATA\" }
+    }" \
+    "$K8S_API/api/v1/namespaces/$NAMESPACE/secrets"
+
+  # Configure Kubernetes Auth for External Secrets Operator
+  echo "Configuring Kubernetes Auth..."
+  bao auth enable kubernetes
+  bao write auth/kubernetes/config \
+      kubernetes_host="$K8S_API" \
+      kubernetes_ca_cert="@$K8S_CACERT" \
+      disable_iss_validation=true
+
+  # Setup ESO Access
+  bao secrets enable -path=secret kv-v2
+  bao policy write eso-policy - <<EOF
+path "secret/data/*" { capabilities = ["create", "read", "update", "delete", "list"] }
+path "secret/metadata/*" { capabilities = ["list"] }
+EOF
+
+  bao write auth/kubernetes/role/eso-role \
+      bound_service_account_names="external-secrets" \
+      bound_service_account_namespaces="external-secrets" \
+      policies="eso-policy" \
+      ttl=1h
+
+  echo "Provisioning Complete!"
+else
+  echo "Cluster already initialized."
+fi
diff --git a/modules/openbao/config/openbao.hcl b/modules/openbao/config/openbao.hcl
new file mode 100644
index 0000000..b1bdaf9
--- /dev/null
+++ b/modules/openbao/config/openbao.hcl
@@ -0,0 +1,30 @@
+ui = true
+
+listener "tcp" {
+  tls_disable = 0
+  address = "[::]:8200"
+  cluster_address = "[::]:8201"
+
+  # TLS Configuration
+  tls_cert_file = "/openbao/userconfig/${cert_secret_name}/tls.crt"
+  tls_key_file  = "/openbao/userconfig/${cert_secret_name}/tls.key"
+  tls_client_ca_file = "/openbao/userconfig/${cert_secret_name}/ca.crt"
+}
+
+storage "raft" {
+  path = "/openbao/data"
+  retry_join {
+    auto_join = "provider=k8s namespace=${namespace} label_selector=\"app.kubernetes.io/instance=openbao,component=server\""
+    auto_join_scheme = "https"
+    
+    leader_ca_cert_file = "/openbao/userconfig/${cert_secret_name}/ca.crt"
+    leader_tls_servername = "openbao-internal.${namespace}.svc"
+  }
+}
+
+seal "static" {
+  current_key_id = "k3d-local-v1"
+  current_key    = "env://OPENBAO_STATIC_UNSEAL_KEY"
+}
+
+service_registration "kubernetes" {}
diff --git a/modules/openbao/configmap.tf b/modules/openbao/configmap.tf
new file mode 100644
index 0000000..e078c9f
--- /dev/null
+++ b/modules/openbao/configmap.tf
@@ -0,0 +1,17 @@
+// Configurator Script uploaded as a configmap
+resource "kubernetes_config_map" "configurator_script" {
+  metadata {
+    name = "openbao-configurator-script"
+    namespace = kubernetes_namespace.namespace.metadata[0].name
+    labels = {
+      app       = var.app_name
+      component = "configmap"
+    }
+  }
+
+  data = {
+    "configurator.sh" = templatefile("${path.module}/config/configurator.sh", {
+      cert_secret_name = kubernetes_manifest.internal_certificate.manifest.spec.secretName
+    })
+  }
+}
diff --git a/modules/openbao/ingress.tf b/modules/openbao/ingress.tf
new file mode 100644
index 0000000..b47a921
--- /dev/null
+++ b/modules/openbao/ingress.tf
@@ -0,0 +1,44 @@
+// Kubernetes Ingress for OpenBao UI
+resource "kubernetes_ingress_v1" "ui_ingress" {
+  metadata {
+    name      = "openbao-ui-ingress"
+    namespace = kubernetes_namespace.namespace.metadata[0].name
+    labels = {
+      app       = var.app_name
+      component = "ingress"
+    }
+    annotations = {
+      "nginx.ingress.kubernetes.io/proxy-ssl-verify" : "on"
+      "nginx.ingress.kubernetes.io/proxy-ssl-secret" : "${kubernetes_namespace.namespace.metadata[0].name}/${kubernetes_manifest.internal_certificate.manifest.spec.secretName}"
+      "nginx.ingress.kubernetes.io/proxy-ssl-name" : "openbao-internal.${kubernetes_namespace.namespace.metadata[0].name}.svc.cluster.local"
+      "nginx.ingress.kubernetes.io/backend-protocol" : "HTTPS"
+      "nginx.ingress.kubernetes.io/rewrite-target" : "/"
+      "nginx.ingress.kubernetes.io/proxy-body-size" : 0
+      "nginx.ingress.kubernetes.io/client-body-buffer-size" : "500M"
+    }
+  }
+
+  spec {
+    ingress_class_name = "nginx"
+    tls {
+      hosts       = ["${var.host_name}.${var.domain}"]
+      secret_name = kubernetes_manifest.ingress_certificate.manifest.spec.secretName
+    }
+    rule {
+      host = "${var.host_name}.${var.domain}"
+      http {
+        path {
+          path = "/"
+          backend {
+            service {
+              name = "openbao-active"
+              port {
+                number = 8200
+              }
+            }
+          }
+        }
+      }
+    }
+  }
+}
diff --git a/modules/openbao/job.tf b/modules/openbao/job.tf
new file mode 100644
index 0000000..c41a6ac
--- /dev/null
+++ b/modules/openbao/job.tf
@@ -0,0 +1,68 @@
+// Configurator Job for the OpenBao Cluster
+resource "kubernetes_job" "configurator" {
+  metadata {
+    name      = "openbao-configurator"
+    namespace = kubernetes_namespace.namespace.metadata[0].name
+    labels = {
+      app       = var.app_name
+      component = "job"
+    }
+  }
+  spec {
+    completions = 1
+    template {
+      metadata {
+        labels = {
+          app       = var.app_name
+          component = "pod"
+          created-by : "configurator"
+        }
+      }
+      spec {
+
+        // Service Account to be used for the configurator job
+        service_account_name = kubernetes_service_account.configurator.metadata[0].name
+        restart_policy       = "OnFailure"
+        
+        container {
+          name    = "configurator"
+          image   = "${var.configurator_repository}/${var.configurator_image}:${var.configurator_tag}"
+          command = ["/bin/sh", "/scripts/configurator.sh"]
+
+          // Load the configurator script as a volume
+          volume_mount {
+            name       = "scripts"
+            mount_path = "/scripts"
+          }
+
+          // Load the TLS certificates used by the cluster as a volume
+          volume_mount {
+            name       = "tls"
+            mount_path = "/openbao/userconfig/${kubernetes_manifest.internal_certificate.manifest.spec.secretName}"
+            read_only  = true
+          }
+        }
+
+        // Volume for the configurator script
+        volume {
+          name = "scripts"
+          config_map {
+            name = kubernetes_config_map.configurator_script.metadata[0].name
+            default_mode = "0755"
+          }
+        }
+
+        // Volume for the TLS certificates used by the cluster
+        volume {
+          name = "tls"
+          secret {
+            secret_name = kubernetes_manifest.internal_certificate.manifest.spec.secretName
+          }
+        }
+      }
+    }
+  }
+  
+  # Ensure OpenBao is fully up before running
+  depends_on = [helm_release.openbao, kubernetes_manifest.internal_certificate]
+}
diff --git a/modules/openbao/namespace.tf b/modules/openbao/namespace.tf
new file mode 100644
index 0000000..9c8a9da
--- /dev/null
+++ b/modules/openbao/namespace.tf
@@ -0,0 +1,10 @@
+// Namespace configuration for OpenBao Secrets Management Solution
+resource "kubernetes_namespace" "namespace" {
+  metadata {
+    name = var.namespace
+    labels = {
+      app       = var.app_name
+      component = "namespace"
+    }
+  }
+}
diff --git a/modules/openbao/networkpolicy.tf b/modules/openbao/networkpolicy.tf
new file mode 100644
index 0000000..466caa6
--- /dev/null
+++ b/modules/openbao/networkpolicy.tf
@@ -0,0 +1,180 @@
+// Network policy to restrict network access to the OpenBao Cluster
+resource "kubernetes_network_policy" "openbao_network_access_policy" {
+  metadata {
+    name      = "openbao-network-access-policy"
+    namespace = kubernetes_namespace.namespace.metadata[0].name
+    labels = {
+      app       = var.app_name
+      component = "networkpolicy"
+    }
+  }
+
+  spec {
+    pod_selector {
+      match_labels = {
+        "app.kubernetes.io/name" = "openbao"
+        "component"              = "server"
+      }
+    }
+
+    policy_types = ["Ingress", "Egress"]
+
+    # -------------- INGRESS RULES -------------- #
+    # Rule 1: Allow Raft replication and internal API communication between OpenBao Pods
+    ingress {
+      from {
+        pod_selector {
+          match_labels = {
+            "app.kubernetes.io/name" = "openbao"
+            "component"              = "server"
+          }
+        }
+      }
+      ports {
+        protocol = "TCP"
+        port     = 8200
+      }
+      ports {
+        protocol = "TCP"
+        port     = 8201
+      }
+    }
+
+    # Rule 2: Allow ingress from trusted namespaces
+    ingress {
+      from {
+        namespace_selector {
+          match_expressions {
+            key      = "kubernetes.io/metadata.name"
+            operator = "In"
+            values   = split(",", var.access_namespaces)
+          }
+        }
+        pod_selector {
+          match_labels = {
+            "openbao-access" = "true"
+          }
+        }
+      }
+      ports {
+        protocol = "TCP"
+        port     = 8200
+      }
+    }
+
+    # Rule 3: Allow ingress from configurator job
+    ingress {
+      from {
+        namespace_selector {
+          match_expressions {
+            key      = "kubernetes.io/metadata.name"
+            operator = "In"
+            values   = [kubernetes_namespace.namespace.metadata[0].name]
+          }
+        }
+        pod_selector {
+          match_labels = {
+            "created-by" = "configurator"
+          }
+        }
+      }
+      ports {
+        protocol = "TCP"
+        port     = 8200
+      }
+    }    
+
+    # Rule 4: Allow NGINX Ingress Controller to reach the active leader
+    ingress {
+      from {
+        namespace_selector {
+          match_labels = {
+            "kubernetes.io/metadata.name" = "ingress-nginx"
+          }
+        }
+      }
+      ports {
+        protocol = "TCP"
+        port     = 8200
+      }
+    }
+
+    # Rule 5: Allow OpenTelemetry Collector to scrape metrics from the API port
+    ingress {
+      from {
+        namespace_selector {
+          match_labels = {
+            "kubernetes.io/metadata.name" = var.observability_namespace
+          }
+        }
+        pod_selector {
+          match_labels = {
+            "app.kubernetes.io/instance" = "otel-collector"
+          }
+        }
+      }
+      ports {
+        protocol = "TCP"
+        port     = 8200
+      }
+    }
+
+    # -------------- EGRESS RULES -------------- #
+    # Rule 1: Allow egress to other OpenBao pods for Raft consensus
+    egress {
+      to {
+        pod_selector {
+          match_labels = {
+            "app.kubernetes.io/name" = "openbao"
+            "component"              = "server"
+          }
+        }
+      }
+      ports {
+        protocol = "TCP"
+        port     = 8200
+      }
+      ports {
+        protocol = "TCP"
+        port     = 8201
+      }
+    }
+
+    # Rule 2: Allow DNS resolution to KubeDNS
+    egress {
+      to {
+        namespace_selector {
+          match_labels = {
+            "kubernetes.io/metadata.name" = "kube-system"
+          }
+        }
+        pod_selector {
+          match_labels = {
+            "k8s-app" = "kube-dns"
+          }
+        }
+      }
+      ports {
+        protocol = "UDP"
+        port     = 53
+      }
+      ports {
+        protocol = "TCP"
+        port     = 53
+      }
+    }
+
+    # Rule 3: Allow egress to the Kubernetes API for Discovery and Auth
+    egress {
+      to {
+        ip_block {
+          cidr = "${var.kubernetes_api_ip}/32"
+        }
+      }
+      ports {
+        protocol = var.kubernetes_api_protocol
+        port     = var.kubernetes_api_port
+      }
+    }
+  }
+}
diff --git a/modules/openbao/openbao.tf b/modules/openbao/openbao.tf
new file mode 100644
index 0000000..7328c0e
--- /dev/null
+++ b/modules/openbao/openbao.tf
@@ -0,0 +1,136 @@
+// OpenBao Deployment Configuration
+resource "helm_release" "openbao" {
+  name = var.openbao_configuration.name
+  repository = var.openbao_configuration.repository
+  chart = var.openbao_configuration.chart
+  version = var.openbao_configuration.version
+
+  // Deploy it in the same namespace
+  namespace = kubernetes_namespace.namespace.metadata[0].name
+  create_namespace = false
+
+  wait = true
+  timeout = 600
+
+  values = [
+    yamlencode({
+      global = {
+        enabled = true
+        tlsDisable = false
+      }
+
+      server = {
+
+        // Resource Requests and Limits
+        resources = {
+          requests = {
+            memory = "256Mi"
+            cpu    = "100m"
+          }
+          limits = {
+            memory = "512Mi"
+            cpu    = "500m"
+          }
+        }
+
+        // Node Affinity for worker nodes
+        affinity = {
+          nodeAffinity = {
+            requiredDuringSchedulingIgnoredDuringExecution = {
+              nodeSelectorTerms = [
+                {
+                  matchExpressions = [
+                    {
+                      key      = "worker"
+                      operator = "Exists"
+                    }
+                  ]
+                }
+              ]
+            }
+          }
+        }
+
+        // Topology Spread Constraints
+        topologySpreadConstraints = [
+          {
+            maxSkew           = 1
+            topologyKey       = "kubernetes.io/hostname"
+            whenUnsatisfiable = "DoNotSchedule"
+            labelSelector = {
+              matchLabels = {
+                "app.kubernetes.io/name"     = "openbao"
+                "app.kubernetes.io/instance" = "openbao"
+                "component"                  = "server"
+              }
+            }
+          }
+        ]
+
+       // Environment variable for unsealing the cluster
+        extraSecretEnvironmentVars = [
+          {
+            envName = "OPENBAO_STATIC_UNSEAL_KEY"
+            secretName = kubernetes_secret.static_unseal_key.metadata[0].name
+            secretKey = "OPENBAO_STATIC_UNSEAL_KEY"
+          }
+        ]
+
+        // TLS Certificates Mounting
+        extraVolumes = [
+          {
+            type = "secret"
+            name = kubernetes_manifest.internal_certificate.manifest.spec.secretName
+          }
+        ]
+
+        // High availability configuration
+        ha = {
+          enabled = true
+          replicas = var.cluster_size
+
+          // Raft Storage Configuration
+          raft = {
+            enabled = true
+            setNodeId = true
+
+            // Config loaded as a configuration file
+            config = templatefile("${path.module}/config/openbao.hcl", {
+              namespace = kubernetes_namespace.namespace.metadata[0].name,
+              cert_secret_name = kubernetes_manifest.internal_certificate.manifest.spec.secretName
+            })
+          }
+        }
+
+        // Data Storage Configuration
+        dataStorage = {
+          enabled = true
+          size = "5Gi"
+          mountPath = "/openbao/data"
+          storageClass = "local-path"
+        }
+
+        // Enable Auth Delegator
+        // for Kubernetes Authentication
+        authDelegator = {
+          enabled = true
+        }
+
+        // Enable permissions for
+        // Service Discovery
+        serviceAccount = {
+          create = true
+          serviceDiscovery = {
+            enabled = true
+          }
+        }
+
+        // UI Service
+        ui = {
+          enabled = true
+          serviceType = "ClusterIP"
+        }
+      }
+    })
+  ]
+}
diff --git a/modules/openbao/secrets.tf b/modules/openbao/secrets.tf
new file mode 100644
index 0000000..b1630c0
--- /dev/null
+++ b/modules/openbao/secrets.tf
@@ -0,0 +1,19 @@
+// Static Unsealing key to be used for OpenBao Auto-Unsealing
+resource "random_id" "static_unseal_key" {
+  byte_length = 32
+}
+
+resource "kubernetes_secret" "static_unseal_key" {
+  metadata {
+    name = "openbao-static-unseal-key"
+    namespace = kubernetes_namespace.namespace.metadata[0].name
+    labels = {
+      app       = var.app_name
+      component = "secret"
+    }
+  }
+
+  data = {
+    "OPENBAO_STATIC_UNSEAL_KEY" = random_id.static_unseal_key.b64_std
+  }
+}
diff --git a/modules/openbao/serviceaccount.tf b/modules/openbao/serviceaccount.tf
new file mode 100644
index 0000000..b04edde
--- /dev/null
+++ b/modules/openbao/serviceaccount.tf
@@ -0,0 +1,50 @@
+// Service account to be used by the Configurator Job
+resource "kubernetes_service_account" "configurator" {
+  metadata {
+    name      = "openbao-configurator"
+    namespace = kubernetes_namespace.namespace.metadata[0].name
+    labels = {
+      app       = var.app_name
+      component = "serviceaccount"
+    }
+  }
+}
+
+// Allow the Configurator Job to create Kubernetes Secrets
+resource "kubernetes_role" "configurator" {
+  metadata {
+    name      = "openbao-configurator-role"
+    namespace = kubernetes_namespace.namespace.metadata[0].name
+    labels = {
+      app       = var.app_name
+      component = "role"
+    }
+  }
+  rule {
+    api_groups = [""]
+    resources  = ["secrets"]
+    verbs      = ["create", "get"]
+  }
+}
+
+// Binding the role to the Service Account
+resource "kubernetes_role_binding" "configurator" {
+  metadata {
+    name      = "openbao-configurator-binding"
+    namespace = kubernetes_namespace.namespace.metadata[0].name
+    labels = {
+      app       = var.app_name
+      component = "rolebinding"
+    }
+  }
+  role_ref {
+    api_group = "rbac.authorization.k8s.io"
+    kind      = "Role"
+    name      = kubernetes_role.configurator.metadata[0].name
+  }
+  subject {
+    kind      = "ServiceAccount"
+    name      = kubernetes_service_account.configurator.metadata[0].name
+    namespace = kubernetes_namespace.namespace.metadata[0].name
+  }
+}
diff --git a/modules/openbao/variables.tf b/modules/openbao/variables.tf
new file mode 100644
index 0000000..018d3cb
--- /dev/null
+++ b/modules/openbao/variables.tf
@@ -0,0 +1,160 @@
+# --------------- GENERAL VARIABLES --------------- #
+variable "app_name" {
+  description = "App name for deploying OpenBao Secrets Management Solution"
+  type        = string
+  default     = "openbao"
+}
+
+variable "organization_name" {
+  description = "Organization name for deploying OpenBao Secrets Management Solution"
+  type        = string
+  default     = "cloud"
+}
+
+variable "country_name" {
+  description = "Country name for deploying OpenBao Secrets Management Solution"
+  type        = string
+  default     = "India"
+}
+
+# --------------- NAMESPACE VARIABLES --------------- #
+variable "namespace" {
+  description = "Namespace to be used for deploying OpenBao Secrets Management Solution"
+  type        = string
+  default     = "openbao"
+}
+
+variable "observability_namespace" {
+  description = "Namespace where all components for observability are deployed"
+  type        = string
+  nullable    = false
+}
+
+variable "access_namespaces" {
+  description = "Namespaces requiring accesses to the OpenBao Cluster in a comma seperated list"
+  type = string
+  nullable = false
+}
+
+# -------------- OPENBAO DEPLOYMENT VARIABLES -------------- #
+variable "openbao_configuration" {
+  description = "Dictionary filled with OpenBao Configuration Details"
+  type        = map(string)
+  default = {
+    "name"             = "openbao"
+    "repository"       = "https://openbao.github.io/openbao-helm"
+    "chart"            = "openbao"
+    "version"          = "0.25.6"
+  }
+}
+
+variable "cluster_size" {
+  description = "Number of pods to be deployed for High Availability for OpenBao Secrets Management Solution"
+  type = number
+  default = 3
+}
+
+# --------------- CERTIFICATE VARIABLES --------------- #
+variable "cluster_issuer_name" {
+  description = "Name for the Cluster Issuer to be used to generate internal self signed certificates"
+  type        = string
+  nullable    = false
+}
+
+variable "certificate_authority_name" {
+  description = "Name of the Certificate Authority to be associated with OpenBao Secrets Management Solution"
+  type        = string
+  default     = "secrets-certificate-authority"
+}
+
+variable "issuer_name" {
+  description = "Name of the Issuer to be associated with OpenBao Secrets Management Solution"
+  type        = string
+  default     = "secrets-certificate-issuer"
+}
+
+variable "internal_certificate_name" {
+  description = "Name of the Internal Certificate to be associated with OpenBao Secrets Management Solution"
+  type        = string
+  default     = "secrets-internal-certificate"
+}
+
+variable "cloudflare_token" {
+  description = "Token for generating Ingress Certificates to be associated with OpenBao Secrets Management Solution"
+  type        = string
+  nullable    = false
+}
+
+variable "cloudflare_email" {
+  description = "Email for generating Ingress Certificates to be associated with OpenBao Secrets Management Solution"
+  type        = string
+  nullable    = false
+}
+
+variable "cloudflare_issuer_name" {
+  description = "Name of the Cloudflare Issuer to be associated with OpenBao Secrets Management Solution"
+  type        = string
+  default     = "secrets-cloudflare-issuer"
+}
+
+variable "acme_server" {
+  description = "URL for the ACME Server to be used, defaults to production URL for LetsEncrypt"
+  type        = string
+  default     = "https://acme-v02.api.letsencrypt.org/directory"
+}
+
+variable "ingress_certificate_name" {
+  description = "Name of the Ingress Certificate to be associated with OpenBao Secrets Management Solution"
+  type        = string
+  default     = "secrets-ingress-certificate"
+}
+
+variable "host_name" {
+  description = "Host name for which Ingress Certificate is to be generated for"
+  type        = string
+  default     = "secrets"
+}
+
+variable "domain" {
+  description = "Domain for which Ingress Certificate is to be generated for"
+  type        = string
+  nullable    = false
+}
+
+# --------------- OPENBAO CONFIGURATION VARIABLES --------------- #
+variable "configurator_repository" {
+  description = "Repository to be used for deployment of OpenBao Configurator"
+  type        = string
+  default     = "quay.io/openbao"
+}
+
+variable "configurator_image" {
+  description = "Docker image to be used for deployment of OpenBao Configurator"
+  type        = string
+  default     = "openbao"
+}
+
+variable "configurator_tag" {
+  description = "Docker tag to be used for deployment of OpenBao Configurator"
+  type        = string
+  default     = "2.5.1"
+}
+
+# --------------- NETWORK POLICY VARIABLES --------------- #
+variable "kubernetes_api_ip" {
+  description = "IP Address for the Kubernetes API"
+  type        = string
+  nullable    = false
+}
+
+variable "kubernetes_api_protocol" {
+  description = "Protocol for the Kubernetes API"
+  type        = string
+  nullable    = false
+}
+
+variable "kubernetes_api_port" {
+  description = "Port for the Kubernetes API"
+  type        = number
+  nullable    = false
+}