Skip to main content

Upgrading OpenBao

These are general upgrade instructions for OpenBao for both non-HA and HA setups. Please ensure that you also read any version-specific upgrade notes which can be found in the sidebar.

danger

Important: Always back up your data before upgrading! OpenBao does not make backward-compatibility guarantees for its data store. Simply replacing the newly-installed OpenBao binary with the previous version will not cleanly downgrade OpenBao, as upgrades may perform changes to the underlying data structure that make the data incompatible with a downgrade. If you need to roll back to a previous version of OpenBao, you should roll back your data store as well.

OpenBao upgrades are designed such that large jumps (ie 1.3.10 -> 1.7.x) are supported. The upgrade notes for each intervening version must be reviewed. The upgrade notes may describe additional steps or configuration to update before, during, or after the upgrade.

Agent

The OpenBao Agent is an API client of the OpenBao Server. OpenBao APIs are almost always backwards compatible. When they are not, this is called out in the upgrade guide for the new OpenBao version, and there is a lengthy deprecation period. The OpenBao Agent version can lag behind the OpenBao Server version, though we recommend keeping all OpenBao instances up to date with the most recent minor OpenBao version to the extent possible.

Testing the upgrade

It's always a good idea to try to ensure that the upgrade will be successful in your environment. The ideal way to do this is to take a snapshot of your data and load it into a test cluster. However, if you are issuing secrets to third party resources (cloud credentials, database credentials, etc.) ensure that you do not allow external network connectivity during testing, in case credentials expire. This prevents the test cluster from trying to revoke these resources along with the non-test cluster.

Non-HA installations

Upgrading non-HA installations of OpenBao is as simple as replacing the OpenBao binary with the new version and restarting OpenBao. Any upgrade tasks that can be performed for you will be taken care of when OpenBao is unsealed.

Always use SIGINT or SIGTERM to properly shut down OpenBao.

Be sure to also read and follow any instructions in the version-specific upgrade notes.

HA installations

Please refer to our OpenBao HA upgrades documentation for more details.