Operations

These pages answer task-based operator questions. Use them when you already know where you are in the lifecycle and need the next safe step.

The runbooks assume bao-kms-provider is already installed on each control-plane node, OpenBao Transit is provisioned, and the Kubernetes API server uses a matching EncryptionConfiguration. Before changing rotation, recovery, or upgrade state, run bao-kms-provider doctor --config /etc/openbao-kms/config.yaml --encryption-config /etc/kubernetes/encryption-config.yaml.

Workflows

  1. Rotation to rotate the OpenBao Transit key version, observe provider promotion, migrate Kubernetes resources, and keep old versions decryptable until migration and backup-retention records allow retirement.
  2. Disaster Recovery to restore OpenBao, etcd, provider state, auth material, and control-plane nodes as compatible sets.
  3. Upgrade to upgrade the provider binary or container image one control-plane node at a time with a documented rollback step.
  4. Troubleshooting for symptom-driven checks and the fastest safe recovery path.

Use Another Section If

  • the question is about CLI flags, configuration fields, or KMS v2 protocol behavior: go to Reference.
  • the question is about token scope, trust boundaries, or sensitive artifact handling: go to Security.
  • the question is about why the system behaves a given way: go to Architecture.
