You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
The chart currently defaults to updateStrategyType: "OnDelete" (values.yaml), which requires operators to manually delete pods in the correct order (standbys first, leader last) during upgrades. This is safe but prevents automated rolling upgrades.
Switching to RollingUpdate is unsafe today because Kubernetes has no awareness of the HA upgrade constraint:
"Do not fail over from a newer version of OpenBao to an older version."
If a newer-version standby becomes leader during a rolling update while older-version nodes still exist, then the leader crashes, an older node could claim leadership. Nothing in OpenBao prevents this.
Upstream dependency
openbao/openbao#2858 proposes version-gated leader election in OpenBao core: a node will refuse leadership if its version is older than the last recorded leader version. Once that lands, the primary blocker for RollingUpdate is removed.
What this issue tracks
After version-gated leader election lands in core:
Evaluate switching the default updateStrategyType to RollingUpdate, or at least documenting how to safely enable it.
Consider pod ordering. StatefulSets with RollingUpdate terminate pods in reverse ordinal order (highest first). If the leader happens to be the lowest ordinal (pod-0, which is typical for Raft-based setups), this naturally upgrades standbys first and leader last -- which is the correct order. Document this behavior.
Consider maxUnavailable settings. For HA clusters, maxUnavailable: 1 ensures only one pod is replaced at a time, maintaining quorum.
Problem
The chart currently defaults to
updateStrategyType: "OnDelete"(values.yaml), which requires operators to manually delete pods in the correct order (standbys first, leader last) during upgrades. This is safe but prevents automated rolling upgrades.Switching to
RollingUpdateis unsafe today because Kubernetes has no awareness of the HA upgrade constraint:If a newer-version standby becomes leader during a rolling update while older-version nodes still exist, then the leader crashes, an older node could claim leadership. Nothing in OpenBao prevents this.
Upstream dependency
openbao/openbao#2858 proposes version-gated leader election in OpenBao core: a node will refuse leadership if its version is older than the last recorded leader version. Once that lands, the primary blocker for
RollingUpdateis removed.What this issue tracks
After version-gated leader election lands in core:
updateStrategyTypetoRollingUpdate, or at least documenting how to safely enable it.RollingUpdateterminate pods in reverse ordinal order (highest first). If the leader happens to be the lowest ordinal (pod-0, which is typical for Raft-based setups), this naturally upgrades standbys first and leader last -- which is the correct order. Document this behavior.maxUnavailablesettings. For HA clusters,maxUnavailable: 1ensures only one pod is replaced at a time, maintaining quorum.openbao-version-blockedK8s pod label (proposed in Enforce version-gated leader election to prevent older-to-newer failover openbao#2858) for readiness gates or monitoring. A version-blocked standby still serves reads but should not receive write-forwarded traffic.Current workarounds
OnDeletestrategy and manually delete pods in the correct order (standbys first, leader last).Related