api/v1alpha1/openbaocluster_types.go
Lines changed: 11 additions & 8 deletions
@@ -703,8 +703,10 @@ type UpgradeConfig struct {
703
703
// The role must bind to the upgrade ServiceAccount (<cluster-name>-upgrade-serviceaccount),
704
704
// which is automatically created by the operator.
705
705
//
706
-
// If OIDC is enabled in SelfInit and this field is empty, a default role
707
-
// named "openbao-operator-upgrade" will be assumed/created.
706
+
// If OIDC is enabled during initial SelfInit bootstrap and this field is
707
+
// empty, a default role named "openbao-operator-upgrade" will be created.
708
+
// For already-initialized clusters, configure this role explicitly or keep
709
+
// the default role created during initial bootstrap.
708
710
//
709
711
// This is the supported authentication mechanism for built-in upgrade orchestration.
710
712
// +optional
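Review bot: the rewritten comment ("If OIDC is enabled during initial SelfInit bootstrap ... For already-initialized clusters, configure this role explicitly or keep the default role") covers the two working paths but not the case operators will actually hit: an already-initialized cluster with jwtAuthRole empty and no "openbao-operator-upgrade" role present (initialized before the default role existed, or the role removed out of band). Since "assumed/created" became "created", the operator presumably no longer assumes the role exists, so please state the observable outcome in that case (an upgrade refused with a clear condition, or an authentication failure in the executor Job), whichever the reconciler actually does, so the doc comment and the behaviour agree.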
@@ -713,9 +715,9 @@ type UpgradeConfig struct {
713
715
// token for future non-JWT upgrade authentication flows.
714
716
//
715
717
// Built-in rolling and blue/green upgrade orchestration does not support
716
-
// token-based authentication. Configure spec.upgrade.jwtAuthRole or enable
717
-
// spec.selfInit.oidc.enabled instead.
718
-
// +kubebuilder:validation:XValidation:rule="self == null",message="spec.upgrade.tokenSecretRef is not supported; configure spec.upgrade.jwtAuthRole or enable spec.selfInit.oidc.enabled"
718
+
// token-based authentication. Configure spec.upgrade.jwtAuthRole, or use the
719
+
// default role created during initial spec.selfInit.oidc bootstrap.
720
+
// +kubebuilder:validation:XValidation:rule="self == null",message="spec.upgrade.tokenSecretRef is not supported; configure spec.upgrade.jwtAuthRole or use the default role created during initial spec.selfInit.oidc bootstrap"
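Review bot: the two comment lines "Configure spec.upgrade.jwtAuthRole, or use the default role created during initial spec.selfInit.oidc bootstrap." and the CEL `message` now carry the same sentence verbatim, so the next wording change has to be made in both places; either shorten the message to point at the field's doc comment or keep them adjacent with a one-line reminder that they must match. Separately, the comment still introduces the field as being for "future non-JWT upgrade authentication flows" while the rule `self == null` rejects any value that is supplied; it would help the reader to say directly that setting tokenSecretRef is rejected at admission today.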
docs/reference/api.md
Lines changed: 3 additions & 3 deletions
@@ -1038,7 +1038,7 @@ _Appears in:_
1038
1038
|`auditFileStorage`_[AuditFileStorageConfig](#auditfilestorageconfig)_| AuditFileStorage configures a shared filesystem integration point for file audit devices.<br />When configured, file audit device paths must be under auditFileStorage.mountPath. || Optional: \{\} <br /> |
1039
1039
|`plugins`_[Plugin](#plugin) array_| Plugins configures declarative plugins for the OpenBao cluster.<br />See: https://openbao.org/docs/configuration/plugins/|| Optional: \{\} <br /> |
1040
1040
|`telemetry`_[TelemetryConfig](#telemetryconfig)_| Telemetry configures telemetry reporting for the OpenBao cluster.<br />See: https://openbao.org/docs/configuration/telemetry/|| Optional: \{\} <br /> |
1041
-
|`upgrade`_[UpgradeConfig](#upgradeconfig)_| Upgrade configures upgrade operations.<br />Built-in upgrade executor Jobs authenticate with JWT auth using the<br />upgrade ServiceAccount (<cluster-name>-upgrade-serviceaccount). If<br />spec.selfInit.oidc.enabled is true andspec.upgrade.jwtAuthRole is empty,<br />the operator assumes or bootstraps the default"openbao-operator-upgrade"<br />role.<br />Pre-upgrade snapshots use spec.backup configuration and backup<br />authentication rather than spec.upgrade credentials. || Optional: \{\} <br /> |
1041
+
|`upgrade`_[UpgradeConfig](#upgradeconfig)_| Upgrade configures upgrade operations.<br />Built-in upgrade executor Jobs authenticate with JWT auth using the<br />upgrade ServiceAccount (<cluster-name>-upgrade-serviceaccount). If<br />spec.selfInit.oidc.enabled is true during initial SelfInit bootstrap and<br />spec.upgrade.jwtAuthRole is empty,the operator creates the default<br />"openbao-operator-upgrade" role. Already-initialized clusters must keep<br />that role or configure spec.upgrade.jwtAuthRole explicitly.<br />Pre-upgrade snapshots use spec.backup configuration and backup<br />authentication rather than spec.upgrade credentials. || Optional: \{\} <br /> |
1042
1042
|`unseal`_[UnsealConfig](#unsealconfig)_| Unseal defines the auto-unseal configuration.<br />If omitted, defaults to "static" mode managed by the operator. || Optional: \{\} <br /> |
|`operatorImageVerification`_[ImageVerificationConfig](#imageverificationconfig)_| OperatorImageVerification configures supply chain security checks for operator-managed helper images<br />(init container, backup/upgrade/restore executors). These images are typically signed<br />by the operator project (e.g., dc-tec/openbao-operator) rather than the OpenBao upstream project.<br />If omitted, helper image verification does not fall back to ImageVerification.<br />In Development, omitted means disabled. In Hardened, omitted means enabled. || Optional: \{\} <br /> |
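Review bot: the new `upgrade` row still has a missing space in `spec.upgrade.jwtAuthRole is empty,the operator creates`; the old row's `andspec.upgrade.jwtAuthRole` and `default"openbao-operator-upgrade"` were fixed in passing but this one was not. Since this file appears to be generated from the Go doc comments (the rows mirror the comment text changed in api/v1alpha1/openbaocluster_types.go in this same commit), the fix belongs in the Upgrade field's doc comment with the reference regenerated, otherwise the next generation run reintroduces it.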
@@ -2026,8 +2026,8 @@ _Appears in:_
2026
2026
| --- | --- | --- | --- |
2027
2027
|`image`_string_| Image is the container image to use for upgrade operations.<br />This image is used by Kubernetes Jobs created during upgrades (for example, blue/green<br />cluster orchestration actions). The executor runs inside the tenant namespace and<br />authenticates to OpenBao using a projected ServiceAccount token (JWT auth).<br />If not specified, defaults to "<repo>:X.Y.Z" where <repo> is derived from OPERATOR_UPGRADE_IMAGE_REPOSITORY<br />(default: "ghcr.io/dc-tec/openbao-upgrade") and the tag matches OPERATOR_VERSION. || Optional: \{\} <br /> |
2028
2028
|`preUpgradeSnapshot`_boolean_| PreUpgradeSnapshot, when true, triggers a backup before any upgrade.<br />When enabled, the upgrade manager will create a backup using the backup<br />configuration (spec.backup.target, spec.backup.image, etc.) and<br />wait for it to complete before proceeding with the upgrade.<br />If the backup fails, the upgrade will be blocked and a Degraded condition<br />will be set with Reason=PreUpgradeBackupFailed.<br />Requires spec.backup to be configured with target, image, and<br />authentication (jwtAuthRole or tokenSecretRef). || Optional: \{\} <br /> |
2029
-
| `jwtAuthRole` _string_ | JWTAuthRole is the name of the JWT Auth role configured in OpenBao<br />for upgrade executor Jobs. The executor authenticates with a projected<br />ServiceAccount token from <cluster-name>-upgrade-serviceaccount.<br />The role must be configured in OpenBao and must grant the permissions<br />required by the selected upgrade strategy, including:<br />- "read" capability on sys/health<br />- "sudo" and "update" capability on sys/step-down<br />- "read" capability on sys/storage/raft/autopilot/state<br />- for Blue/Green, raft join/configuration/remove-peer/promote/demote operations<br />The role must bind to the upgrade ServiceAccount (<cluster-name>-upgrade-serviceaccount),<br />which is automatically created by the operator.<br />If OIDC is enabled in SelfInit and this field is empty, a default role<br />named "openbao-operator-upgrade" will be assumed/created.<br />This is the supported authentication mechanism for built-in upgrade orchestration. | | Optional: \{\} <br /> |
2030
-
|`tokenSecretRef`_[LocalObjectReference](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.35/#localobjectreference-v1-core)_| TokenSecretRef optionally references a Secret containing an OpenBao API<br />token for future non-JWT upgrade authentication flows.<br />Built-in rolling and blue/green upgrade orchestration does not support<br />token-based authentication. Configure spec.upgrade.jwtAuthRole or enable<br />spec.selfInit.oidc.enabled instead. || Optional: \{\} <br /> |
2029
+
| `jwtAuthRole` _string_ | JWTAuthRole is the name of the JWT Auth role configured in OpenBao<br />for upgrade executor Jobs. The executor authenticates with a projected<br />ServiceAccount token from <cluster-name>-upgrade-serviceaccount.<br />The role must be configured in OpenBao and must grant the permissions<br />required by the selected upgrade strategy, including:<br />- "read" capability on sys/health<br />- "sudo" and "update" capability on sys/step-down<br />- "read" capability on sys/storage/raft/autopilot/state<br />- for Blue/Green, raft join/configuration/remove-peer/promote/demote operations<br />The role must bind to the upgrade ServiceAccount (<cluster-name>-upgrade-serviceaccount),<br />which is automatically created by the operator.<br />If OIDC is enabled during initial SelfInit bootstrap and this field is<br />empty, a default role named "openbao-operator-upgrade" will be created.<br />For already-initialized clusters, configure this role explicitly or keep<br />the default role created during initial bootstrap.<br />This is the supported authentication mechanism for built-in upgrade orchestration. | | Optional: \{\} <br /> |
2030
+
|`tokenSecretRef`_[LocalObjectReference](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.35/#localobjectreference-v1-core)_| TokenSecretRef optionally references a Secret containing an OpenBao API<br />token for future non-JWT upgrade authentication flows.<br />Built-in rolling and blue/green upgrade orchestration does not support<br />token-based authentication. Configure spec.upgrade.jwtAuthRole, or use the<br />default role created during initial spec.selfInit.oidc bootstrap. || Optional: \{\} <br /> |
2031
2031
|`strategy`_[UpdateStrategyType](#updatestrategytype)_| Strategy defines the update strategy to use. | RollingUpdate | Enum: [RollingUpdate BlueGreen] <br /> |
2032
2032
|`requests`_[UpgradeRequestConfig](#upgraderequestconfig)_| Requests defines explicit one-shot operator requests for the current<br />upgrade workflow. The operator acts only when a request value changes. || Optional: \{\} <br /> |
2033
2033
|`blueGreen`_[BlueGreenConfig](#bluegreenconfig)_| BlueGreen configures the behavior when Strategy is BlueGreen. || Optional: \{\} <br /> |
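Review bot: the new `tokenSecretRef` row still describes the field as being "for future non-JWT upgrade authentication flows" and then says built-in orchestration does not support it, but the CEL rule added to openbaocluster_types.go in this commit rejects any supplied value; a reader of this reference needs to know that setting the field is rejected at admission, not merely unsupported. Suggest adding that sentence (or reusing the validation message text) so the reference and the API server say the same thing.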
docs/reference/compatibility.md
Lines changed: 1 addition & 1 deletion
@@ -41,7 +41,7 @@ The current stable release line is intended for real deployments, but it remains
41
41
emphasis: 'caution',
42
42
},
43
43
{
44
-
cells: ['v1.33', 'Not validated for the current release line', 'May work but is not release-gated for 0.2.0', 'Validate in staging before carrying this version into the current pre-GA line'],
44
+
cells: ['v1.33', 'Not validated for the current release line', 'May work but is not release-gated for the current line', 'Validate in staging before carrying this version into the current pre-GA line'],
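Review bot: replacing `0.2.0` with `the current line` stops this cell going stale, but the row then no longer says which release line the "Not validated" statement was last checked against, so a reader cannot tell whether it still applies after the next release. The intro sentence visible in this hunk's context ("The current stable release line is intended for real deployments ...") is the natural place to name that line once so every row inherits it.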
docs/reference/known-limitations.md
Lines changed: 1 addition & 1 deletion
@@ -35,7 +35,7 @@ journey: reference
35
35
cells: ['Helm CRD lifecycle', 'Helm does not automatically upgrade or delete CRDs.', 'Use release `crds.yaml` assets for CRD lifecycle operations.'],
36
36
},
37
37
{
38
-
cells: ['Built-in upgrade authentication', 'Built-in rolling and blue/green upgrade orchestration do not support `spec.upgrade.tokenSecretRef`; upgrade Jobs use JWT authentication only.', 'Configure `spec.upgrade.jwtAuthRole` or enable `spec.selfInit.oidc.enabled` so the operator can bootstrap the upgrade auth path.'],
38
+
cells: ['Built-in upgrade authentication', 'Built-in rolling and blue/green upgrade orchestration do not support `spec.upgrade.tokenSecretRef`; upgrade Jobs use JWT authentication only.', 'Configure `spec.upgrade.jwtAuthRole`, or use the default role created during initial `selfInit.oidc` bootstrap.'],
39
39
},
40
40
{
41
41
cells: ['Audit file storage archival', '`spec.auditFileStorage` provides a PVC-backed collector handoff and replay buffer; it does not provide rotation, pruning, tamper-proof retention, or a collector.', 'Mount the audit PVC read-only into a collector and ship records to external retention-controlled storage.'],
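Review bot: the new mitigation cell writes the path as `selfInit.oidc` while the same cell writes `spec.upgrade.jwtAuthRole` with its `spec.` prefix, and the Go comment and api.md changes in this commit spell it `spec.selfInit.oidc`; use `spec.selfInit.oidc.enabled` here as well so one spelling can be searched across the docs.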