Skip to main content
Version: 0.1.0-rc.5

Run a restore only when you are ready to overwrite the target cluster.

The operator restores snapshot state through an explicit OpenBaoRestore request. That request validates the target, acquires the restore operation lock, launches a dedicated restore Job, and records the outcome for audit. Use this page when restore is the right answer, not as a substitute for ordinary troubleshooting.

Restore overwrites the target cluster

Restore replaces the target cluster state with the contents of the selected snapshot. All current secrets, policies, auth methods, and keys in that cluster are treated as replaceable state. Confirm the target namespace, target cluster, and snapshot key before you apply the request.

Decision matrix

Choose the restore auth path

Choose the restore auth path.
PathUse it whenOperator behaviorWatch for
JWT authYou already use selfInit.oidc or can provision a dedicated restore JWT role on the target cluster.The restore Job uses a projected ServiceAccount token and authenticates with a short-lived, scoped identity.Keep the JWT audience and bound ServiceAccount subject aligned with the restore role.
Static tokenJWT auth is not available yet and you need a compatibility path for recovery.The restore Job reads a long-lived OpenBao token from a Secret in the same namespace.Treat the token as a high-sensitivity credential and rotate it intentionally.

Diagram

Restore execution path

The controller validates the request, acquires the restore lock, launches a restore Job, downloads the selected snapshot, and then forces the snapshot into the target cluster leader.

Before you create the restore request

  • Make sure the snapshot you want already exists in object storage and has been validated as usable.
  • Create or keep the target OpenBaoCluster in the same namespace as the restore request. The target cluster must exist and be initialized, even if it is otherwise empty.
  • Verify the restore Job can reach the object storage endpoint. In hardened environments, this usually means explicit spec.network.egressRules.
  • Choose the restore auth path before the incident starts. The restore Job does not automatically inherit the cloud identity or auth material from the main OpenBao Pods.
Same-namespace requirement

The OpenBaoRestore, the target OpenBaoCluster, and any referenced token Secrets all live in the same namespace. Cross-namespace references are intentionally blocked for security reasons.

Configure the snapshot source

Configure

Configure an S3 or S3-compatible restore source

yaml

spec:
cluster: prod-cluster
source:
  target:
    provider: s3
    endpoint: https://s3.amazonaws.com
    bucket: openbao-backups
    region: us-east-1
    usePathStyle: false
    credentialsSecretRef:
      name: s3-credentials
  key: clusters/prod/backup-2026-03-20.snap

The Secret can provide accessKeyId, secretAccessKey, sessionToken, region, and an optional caCert for custom trust chains.

Configure restore auth

Configure

Use a JWT role for restore

yaml

spec:
jwtAuthRole: openbao-operator-restore

When spec.selfInit.oidc.enabled=true on the target cluster, the operator can create and use the default restore role automatically. Otherwise, create the role deliberately and keep the JWT audience aligned with OPENBAO_JWT_AUDIENCE.

Apply the restore request

Configure

Create a full restore request

yaml

apiVersion: openbao.org/v1alpha1
kind: OpenBaoRestore
metadata:
name: prod-restore
namespace: security
spec:
cluster: prod-cluster
source:
  target:
    provider: s3
    endpoint: https://s3.amazonaws.com
    bucket: openbao-backups
    region: us-east-1
    credentialsSecretRef:
      name: s3-credentials
  key: clusters/prod/backup-2026-03-20.snap
jwtAuthRole: openbao-operator-restore

The restore spec is immutable. If you need to change the target, snapshot key, or auth path, create a new OpenBaoRestore resource instead of editing the existing one.

Apply

Apply the restore

bash

kubectl apply -f restore.yaml

Watch the restore phases

Verify

Inspect restore status

bash

kubectl get openbaorestore <name> -n <namespace> -o yaml
kubectl get jobs -n <namespace>
kubectl describe openbaocluster <cluster> -n <namespace>

Watch the restore resource and the target cluster together. The restore phase tells you what the restore controller is doing, while the cluster status shows what still needs follow-up after the destructive step finishes.

Reference table

Restore phases to expect

Restore phases to expect.
PhaseWhat it means
Pending / ValidatingThe operator is checking the target cluster, storage source, auth path, and conflicting operations before it starts destructive work.
RunningThe restore Job owns the cluster operation lock and is actively downloading or applying the snapshot.
CompletedThe restore workflow finished and the operator recorded the result. The cluster may still need unseal or follow-up recovery work.
FailedThe restore did not succeed. Inspect the restore resource, related Job, and target cluster state before retrying with a new request.

After the restore

Recover a sealed clusterGo here when the restored cluster starts but remains sealed because the trust or unseal path still needs attention.Recover from no leaderGo here when the restored cluster needs Raft peer or leadership repair before it can return to service.Recover after upgrade restoreUse the override-lock path only when a failed upgrade or rollback blocks the normal restore request.
Prerelease documentation

This version tracks a prerelease build. Features and behavior may change before the next stable release.

Was this page helpful?

Use Needs work to open a structured GitHub issue for this page. The Yes button only acknowledges the signal locally.

Needs work