0.2.0

0.2.0

Published 2026-05-01.

Matching docs

Open the docs experience aligned to this release line.

OpenGitHub release

View release assets, tag metadata, and the GitHub release entry.

Open

0.2.0 is the next stable pre-GA release line for OpenBao Operator. This release focuses on horizontal read scaling, safer day-2 maintenance workflows, and tighter production safety checks for hardened deployments.

Highlights

• Added steady-state OpenBao read replicas through spec.readReplicas, including separate read-replica status, optional dedicated read Service support, and dashboard/metrics visibility.
• Integrated read replicas with disruptive workflows: rolling upgrades, blue/green upgrades, restores, restart ordering, and storage-resize ordering now handle the read pool deliberately.
• Added spec.runtime.restartAt as the primary API for explicit rolling restart requests. The older spec.maintenance.restartAt path remains temporarily for compatibility.
• Reworked planned maintenance authorization so direct managed-resource maintenance depends on Kubernetes RBAC for the custom maintenance verb on the owning OpenBaoCluster.
• Hardened production safety checks for managed Ingress exposure, Hardened pod security context overrides, unsafe admission mode, and configured Sigstore trusted roots.
• Improved upgrade reliability across SSA ownership, rolling retry state, blue/green recovery, Raft promote handling, and executor Job resource defaults.

Breaking and Migration Notes

• Managed Ingress now requires explicit source scoping. Clusters with spec.ingress.enabled=true must configure at least one spec.network.trustedIngressPeers entry before creating or updating the OpenBaoCluster under admission enforcement.
• Hardened clusters can no longer create or update pod-level spec.securityContext overrides that weaken the runtime baseline. Remove settings such as runAsNonRoot=false, root UID/GID values, root supplemental groups, Unconfined seccomp, pod sysctls, or Windows pod security options before upgrading with admission enforcement.
• Existing Hardened clusters with weakening security context overrides are reported as ProductionReady=False until corrected.

Operational Notes

• Apply the 0.2.0 CRDs before upgrading the controller or Helm chart.
• Existing initialized clusters may need an OpenBao policy update for read-replica Autopilot health reporting. The operator policy needs read on sys/storage/raft/autopilot/state; the operator does not mutate OpenBao policies after bootstrap.
• In multi-tenant mode, cluster reconciliation now waits until tenant onboarding RBAC exists in the target namespace. GitOps flows that apply OpenBaoTenant and OpenBaoCluster together may see the cluster pause and requeue until onboarding completes.
• Raft scale-downs are now staged one replica at a time, and PVCs for scaled-down ordinals are deleted while StatefulSet deletion still retains PVCs. Review replica-reduction procedures before scaling production clusters down.
• Unsafe admission mode now reports explicit degraded production posture instead of looking equivalent to enforced admission policies.
• If a configured trusted-root ConfigMap is missing, malformed, incomplete, or unreadable, image verification now fails closed instead of falling back silently to the embedded trusted root.

Upgrade from 0.1.x

Before upgrading an existing 0.1.x installation:

1. Review every existing OpenBaoCluster before applying the new controller.

2. For clusters with spec.ingress.enabled=true, configure at least one spec.network.trustedIngressPeers entry.

3. For Hardened clusters, remove pod-level spec.securityContext overrides that weaken the default runtime baseline.

4. For initialized clusters that will use read replicas, update the OpenBao operator policy to allow read on sys/storage/raft/autopilot/state.

5. Apply the 0.2.0 CRDs first:

   kubectl apply -f https://github.com/dc-tec/openbao-operator/releases/download/0.2.0/crds.yaml

6. Upgrade the Helm release:

   helm upgrade openbao-operator oci://ghcr.io/dc-tec/charts/openbao-operator \
     --version 0.2.0 \
     --namespace openbao-operator-system \
     --reuse-values

7. Verify the operator rollout, CRD presence, managed cluster conditions, and recent events before continuing with OpenBao workload changes.

Kubernetes v1.34 and v1.35 are the 0.2.0 release-gated versions. Kubernetes v1.33 may work but is not release-gated for this line. Kubernetes v1.36 is tracked as the next candidate once controller-runtime, Kind, and release-gate coverage are available.

Compatibility

OpenBao Operator requires Kubernetes v1.33+. The current release validation baseline is Kubernetes v1.34-v1.35 and OpenBao 2.5.3, with config compatibility coverage for OpenBao 2.4.4.

Features

• admission: authorize maintenance through RBAC (#347) (b7c05a7)
• api: add runtime restart controls (#348) (b1efd34)
• readreplicas: add steady-state read replica topology and status (#361) (9a74c14)
• readreplicas: integrate read replicas with upgrade and restore workflows (#362) (e8bf8b8)

Bug Fixes

• admission: guard hardened security context overrides (#390) (d0a6533)
• helm: allow global values in chart schema (#378) (5dad02e)
• helm: Helm provisioner admission identity (#387) (f781c70)
• infra: delete scaled-down raft PVCs (#341) (f406e90)
• multitenancy: gate cluster reconcile on tenant onboarding (#359) (cfd850f)
• network: Require source-scoped managed Ingress access (#389) (a3cec85)
• openbao: stage safe raft scale-downs (#339) (4da1ec7)
• probe: stabilize openbao workload probes (#371) (260547b)
• provisioner: reduce release reconciliation log noise (#370) (b2f2bca)
• security: fail closed for configured trusted roots (#393) (04cbd64)
• status: mark unsafe admission mode not production-ready (#391) (98022a3)
• upgrade: complete SSA ownership migration (#345) (eafa931)
• upgrade: harden bluegreen and rolling recovery flakes (#374) (62cf706)
• upgrade: set executor job resource requirements (#392) (8efb8da)
• upgrade: treat raft promote already-voter as no-op (#382) (7d25753)