OpenBao HA upgrades
You should consider how to apply the steps described in this document to your particular setup since HA setups can differ on whether a load balancer is in use, what addresses clients are being given to connect to OpenBao (standby + leader, leader-only, or discovered via service discovery), etc.
HA installations
Regardless of the method you use, do not fail over from a newer version of OpenBao to an older version. Our suggested procedure is designed to prevent this.
Please note that OpenBao does not support true zero-downtime upgrades, but with proper upgrade procedure the downtime should be very short (a few hundred milliseconds to a second depending on how the speed of access to the storage backend).
Perform these steps on each standby:
- Properly shut down OpenBao on the standby node via
SIGINT
orSIGTERM
- Replace the OpenBao binary with the new version
- Start the standby node
- Unseal the standby node
- Verify
bao status
shows correct Version and HA Mode isstandby
- Review the node's logs to ensure successful startup and unseal
At this point all standby nodes are upgraded and ready to take over. The upgrade will not complete until one of the upgraded standby nodes takes over active duty.
To complete the cluster upgrade:
- Properly shut down the remaining (active) node
It is important that you shut the node down properly. This will perform a step-down and release the HA lock, allowing a standby node to take over with a very short delay. If you kill OpenBao without letting it release the lock, a standby node will not be able to take over until the lock's timeout period has expired. This is backend-specific but could be ten seconds or more.
- Replace the OpenBao binary with the new version
- Start the node
- Unseal the node
- Verify
bao status
shows correct Version and HA Mode isstandby
- Review the node's logs to ensure successful startup and unseal
Internal upgrade tasks will happen after one of the upgraded standby nodes takes over active duty.
Be sure to also read and follow any instructions in the version-specific upgrade notes.