Known Limitations
Know which operator boundaries are real today.
Not every missing feature is an accidental gap. This page captures the current constraints and explicit non-goals for the pre-GA line so operators and contributors can separate unsupported assumptions from issues the project actually intends to solve.
Reference table
Current constraints
| Area | Current limitation | What to do instead |
|---|---|---|
| CRD versioning | The current served and storage API is openbao.org/v1alpha1; multi-version conversion webhooks are out of scope today. | Treat API evolution through the pre-GA contract and review release notes carefully. |
| Cluster adoption | The operator assumes it manages clusters it created and reconciles; generic import of arbitrary unmanaged OpenBao clusters is out of scope. | Create operator-managed clusters directly, or use backup and restore workflows when you need to move data into a new operator-managed cluster. |
| Operator downgrade | Downgrades are not treated as a normal rollback path. | Use the recovery and restore guidance when a release cannot move forward safely. |
| External backup cleanup | DeleteAll removes PVC-backed data but does not delete snapshot objects already written to external object storage. | Clean external backup objects explicitly as part of decommission procedures. |
| etcd encryption verification | The operator cannot directly prove cluster-level etcd encryption at rest and surfaces a warning condition instead. | Validate cluster-level encryption controls outside the operator. |
| Helm CRD lifecycle | Helm does not automatically upgrade or delete CRDs. | Use release crds.yaml assets for CRD lifecycle operations. |
| Built-in upgrade authentication | Built-in rolling and blue/green upgrade orchestration do not support spec.upgrade.tokenSecretRef; upgrade Jobs use JWT authentication only. | Configure spec.upgrade.jwtAuthRole or enable spec.selfInit.oidc.enabled so the operator can bootstrap the upgrade auth path. |
| Upgrade strategy switching | Switching an existing cluster between RollingUpdate and BlueGreen is not a supported in-place transition today. | Choose the upgrade strategy before the next rollout and keep it stable for that cluster. |
Related caveat and recovery pages
Support policyOpen the maintenance contract behind these constraints and the release lines that remain in scope.Upgrade compatibilityUse the exact operator upgrade-path contract when the next question is rollback stance or CRD sequencing.Decommission a clusterReturn to the operational decommission workflow for the data-path caveats around external backups.Restore from backupUse the restore workflow when a limitation turns the next safe move into recovery or migration rather than in-place change.
Next release documentation
You are reading the unreleased main docs. Use the version menu for the newest published release, or check the release notes for what is already out.
Was this page helpful?
Use Needs work to open a structured GitHub issue for this page. The Yes button only acknowledges the signal locally.