OpenBao Backup Using AWS S3 or MinIO
This guide explains how to configure and manage automated OpenBao Raft snapshot backups by using AWS S3 or MinIO. It applies to the Connect-specific connect-openbao cluster deployed with automated backup functionality.
Backup Strategy Overview
OpenBao backups use full Raft snapshots. Each snapshot captures all secrets, policies, authentication methods, and system configuration at a point in time. Backups are not incremental. A reference copy of the first unseal key is stored alongside each snapshot for verification purposes.
Configurable options:
- Schedule: cron expression.
- S3 or MinIO configuration: S3 or MinIO endpoint, bucket, credentials, and TLS settings.
- Retention period: automatic deletion of old snapshots by using MinIO object lifecycle policies (MinIO only).
Configuration files:
For additional information on how to apply Helm value overrides, see Chart value override recommendations.
Prerequisites
- Kubernetes cluster access with kubectl configured and the appropriate permissions to:
  - Access the namespace where connect-openbao is deployed.
  - Read Kubernetes secrets (required for manual unseal keys backup).
  - View job logs and status (required for backup verification).
- MinIO is deployed and running. See the installation configuration in the {foundation-docs-base-url}/foundation-base-installation-guide/foundation_base_manifest_reference.html#_minio_operator[Foundation MinIO Operator] and {foundation-docs-base-url}/foundation-base-installation-guide/foundation_base_manifest_reference.html#_minio_tenant[Foundation MinIO Tenant].
- Kubernetes secret for S3 access and TLS certificates:
  - If you use AWS S3, create a secret named aws-secret that contains the access credentials.
  - If you use MinIO, enable the following configuration in connect-openbao/values.yaml. This copies MinIO credentials, TLS certificates, and CA secrets from the foundation-cluster-zerotrust namespace into the namespace where connect-openbao is deployed.

    secretManager:
      ## Enable SecretManager
      enabled: true
      ## Set external secret manager/provider (only required if secrets are stored in an external provider)
      secretProvider: ""
      ## Secrets. Entries can be defined as yaml or stringified yaml, helm templating is supported.
      ## Map key is used for id on merges and as documentation. To remove existing entries, set key to null.
      ## Each entry configures secret to be managed/copied to Release namespace.
      ## Source secret is defined in .name and .namespace.
      ## Destination secret is defined in .template.
      ## Reference to source secret key must be in .template.value field.
      ## Value field supports templating, managed by the operator (must be escaped to avoid conflicts with helm templates).
      secrets:
        minio-accesskey:
          name: minio1-secret
          namespace: '{{ .Values.global.foundation.zeroTrustNamespace }}'
          template:
            key: accesskey
            name: '{{ include "connect-openbao.fullname" . }}-minio1-creds'
            namespace: '{{ .Release.Namespace }}'
            value: '{{`{{ index . "accesskey" }}`}}'
        minio-secretkey:
          name: minio1-secret
          namespace: '{{ .Values.global.foundation.zeroTrustNamespace }}'
          template:
            key: secretkey
            name: '{{ include "connect-openbao.fullname" . }}-minio1-creds'
            namespace: '{{ .Release.Namespace }}'
            value: '{{`{{ index . "secretkey" }}`}}'
        minio-ca:
          name: minio1-tls
          namespace: '{{ .Values.global.foundation.zeroTrustNamespace }}'
          template:
            key: ca.crt
            name: '{{ include "connect-openbao.fullname" . }}-minio1-tls'
            namespace: '{{ .Release.Namespace }}'
            value: '{{`{{ index . "ca.crt" }}`}}'
        minio-tls-key:
          name: minio1-tls
          namespace: '{{ .Values.global.foundation.zeroTrustNamespace }}'
          template:
            key: tls.key
            name: '{{ include "connect-openbao.fullname" . }}-minio1-tls'
            namespace: '{{ .Release.Namespace }}'
            value: '{{`{{ index . "tls.key" }}`}}'
        minio-tls-crt:
          name: minio1-tls
          namespace: '{{ .Values.global.foundation.zeroTrustNamespace }}'
          template:
            key: tls.crt
            name: '{{ include "connect-openbao.fullname" . }}-minio1-tls'
            namespace: '{{ .Release.Namespace }}'
            value: '{{`{{ index . "tls.crt" }}`}}'
OpenBao Backup Components
- Raft snapshots: Capture a complete point-in-time backup of the OpenBao Raft storage backend. Each snapshot includes all secrets, policies, authentication methods, and system configurations stored in OpenBao.
- Unseal keys backup: Stores a reference copy of the first unseal key from the unseal secret alongside each snapshot. This reference helps verify and identify the correct unseal keys to use during restore operations. Only the first key is stored for security reasons. The full unseal key set is not included.
- Automated retention: Supports a configurable retention period on snapshot objects managed by MinIO object lifecycle policies. Old snapshot backups are automatically deleted after the defined retention period. Retention management is currently supported only for MinIO deployments.
Critical: Manual Unseal Keys Backup
Important: You must manually back up the complete unseal secret.
Backups from the connect-openbao Helm chart store only the first unseal key as a verification reference. For a complete restore, you must have all unseal keys.
Configure OpenBao Backups
S3 Common Configuration
The following configuration applies to backup operations. Set all parameters exactly as specified for S3 or MinIO connectivity to work correctly.
- s3CommonConfig.endpoint: S3/MinIO endpoint URL.
- s3CommonConfig.region: S3/MinIO region.
- s3CommonConfig.bucket: Target S3/MinIO bucket for backups.
- s3CommonConfig.auth.accessKey: Access key for authentication.
- s3CommonConfig.auth.secretKey: Secret key for authentication.
- s3CommonConfig.externalCa.enabled: Set to true if using a custom CA certificate.
- s3CommonConfig.externalCa.cert: Certificate file name (e.g., ca.crt).
- s3CommonConfig.auth.secretName and s3CommonConfig.externalCa.secretName: Required if you provide your own Kubernetes secret (instead of relying on the SecretManager-generated one).
- s3CommonConfig.forceAwsStyle: Set to true when using MinIO.
openbao:
  s3CommonConfig:
    endpoint: "https://minio.foundation-cluster-zerotrust:443" # S3/MinIO URL
    region: "us-east-1" # Region name
    bucket: "foundation-pf" # Bucket name
    auth:
      # secretName: minio1-creds # Kubernetes secret containing the credentials. Leave this commented out if you are using the SecretManager block as specified in the prerequisites.
      accessKey: accesskey # Access key
      secretKey: secretkey # Secret key
    externalCa:
      enabled: true # Enable custom CA for TLS
      # secretName: minio1-tls # Kubernetes secret containing the TLS certificate. Leave this commented out if you are using the SecretManager block as specified in the prerequisites.
      cert: ca.crt # Certificate file name
    forceAwsStyle: "true" # Required: set to "true" only when using MinIO
S3 Backup Configuration
The following configuration is required to enable backups for an OpenBao cluster:
- s3BackupConfig.enabled: Set to true to enable backups.
- s3BackupConfig.schedule: Define the backup schedule as a cron expression (configure as needed).
- s3BackupConfig.backupPath: Specify the S3 bucket path where backups are stored. This value should be unique for each deployment.
- Optional: s3BackupConfig.retention: Define the number of days to retain backups (MinIO only).
openbao:
  s3BackupConfig:
    enabled: true # Set to false to disable backups for this cluster.
    schedule: "0 */6 * * *" # Cron schedule for backup jobs (every 6 hours)
    backupPath: "openbao-backup" # S3 path to store backups
    retention: "180" # Number of days to retain backups (supported only when using MinIO)
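The parameter rules from the S3 common configuration and S3 backup configuration sections above can be checked before running helm upgrade. The following is an added example, not code from the connect-openbao chart: it holds a values fragment as a Python dict mirroring the YAML in this guide and reports any setting that contradicts the rules stated here (credentials and CA secret names when SecretManager is off, forceAwsStyle for MinIO, a five-field cron schedule, retention only meaningful for MinIO). The rule that treats any endpoint outside amazonaws.com as MinIO is an assumption of this example, and the with_override helper is a hypothetical convenience for what-if checks.

```python
import copy

# Constructed sample mirroring the values.yaml fragments in this guide: MinIO endpoint,
# SecretManager-provided credentials and CA, backups every 6 hours, 180-day retention.
SAMPLE_VALUES = {
    "secretManager": {"enabled": True},
    "openbao": {
        "s3CommonConfig": {
            "endpoint": "https://minio.foundation-cluster-zerotrust:443",
            "region": "us-east-1",
            "bucket": "foundation-pf",
            "auth": {"accessKey": "accesskey", "secretKey": "secretkey"},
            "externalCa": {"enabled": True, "cert": "ca.crt"},
            "forceAwsStyle": "true",
        },
        "s3BackupConfig": {
            "enabled": True,
            "schedule": "0 */6 * * *",
            "backupPath": "openbao-backup",
            "retention": "180",
        },
    },
}


def is_minio_endpoint(endpoint):
    """Assumption of this example: any host that is not under amazonaws.com is MinIO."""
    host = endpoint.split("://", 1)[-1].split("/", 1)[0].split(":", 1)[0]
    return not host.endswith("amazonaws.com")


def with_override(values, dotted_path, new_value):
    """Return a deep copy of values with one dotted key path changed (hypothetical helper)."""
    updated = copy.deepcopy(values)
    node = updated
    parts = dotted_path.split(".")
    for part in parts[:-1]:
        node = node.setdefault(part, {})
    node[parts[-1]] = new_value
    return updated


def validate_backup_values(values):
    """Return a list of problems in the backup-related values; an empty list means OK."""
    problems = []
    openbao = values.get("openbao") or {}
    common = openbao.get("s3CommonConfig") or {}
    backup = openbao.get("s3BackupConfig") or {}
    secret_manager_enabled = bool((values.get("secretManager") or {}).get("enabled"))

    # Connectivity: endpoint, region and bucket are mandatory; the endpoint carries
    # credentials and snapshots, so it should be TLS.
    for key in ("endpoint", "region", "bucket"):
        if not common.get(key):
            problems.append(f"s3CommonConfig.{key} is required")
    endpoint = str(common.get("endpoint") or "")
    if endpoint and not endpoint.startswith("https://"):
        problems.append("s3CommonConfig.endpoint should use https://")
    minio = is_minio_endpoint(endpoint) if endpoint else False

    # Credentials: key names are always required; secretName only when SecretManager
    # is not the one creating the secret.
    auth = common.get("auth") or {}
    if not auth.get("accessKey") or not auth.get("secretKey"):
        problems.append("s3CommonConfig.auth.accessKey and secretKey are required")
    if not secret_manager_enabled and not auth.get("secretName"):
        problems.append("s3CommonConfig.auth.secretName is required when SecretManager is not enabled")

    # Custom CA: a certificate key name plus a secret to read it from.
    ca = common.get("externalCa") or {}
    if ca.get("enabled"):
        if not ca.get("cert"):
            problems.append("s3CommonConfig.externalCa.cert is required when externalCa.enabled is true")
        if not secret_manager_enabled and not ca.get("secretName"):
            problems.append("s3CommonConfig.externalCa.secretName is required when SecretManager is not enabled")

    # The guide requires forceAwsStyle "true" for MinIO.
    if minio and str(common.get("forceAwsStyle", "")).lower() != "true":
        problems.append('s3CommonConfig.forceAwsStyle must be "true" when using MinIO')

    # Backup job settings.
    if backup.get("enabled"):
        if len(str(backup.get("schedule") or "").split()) != 5:
            problems.append("s3BackupConfig.schedule must be a five-field cron expression")
        if not backup.get("backupPath"):
            problems.append("s3BackupConfig.backupPath is required (use a unique path per deployment)")
        retention = backup.get("retention")
        if retention is not None:
            if not str(retention).isdigit() or int(retention) <= 0:
                problems.append("s3BackupConfig.retention must be a positive number of days")
            elif not minio:
                problems.append("s3BackupConfig.retention is applied only for MinIO; it has no effect with AWS S3")
    return problems


if __name__ == "__main__":
    for problem in validate_backup_values(SAMPLE_VALUES) or ["values OK"]:
        print(problem)
```

To check a real values file, load it with a YAML parser into a dict of the same shape and pass it to validate_backup_values; the checks only cover what this guide states, so an empty result means the fragment is consistent with the guide, not that the endpoint is reachable.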
Apply Backup Configuration
Add the S3 common configuration and backup configuration to the connect-openbao/values.yaml file, and then redeploy the connect-openbao release to enable backups.
Deploy or update the connect-openbao release with the updated values:
helm upgrade --install connect-openbao connect-helm/connect-openbao \
--namespace foundation-env-default \
--values connect-openbao/values.yaml
Verification
After you apply the backup configuration, verify that backups are stored correctly in S3 or MinIO. Also verify that the object lifecycle policy is configured correctly for the backup path, such as openbao-backup, to ensure automated retention management.
MinIO Console UI
Sign in to the S3 or MinIO console. Under the specified bucket, such as foundation-pf, you should see the following:
- Snapshots: Stored under foundation-pf/openbao-backup/snapshots/ with timestamped file names.
- Unseal keys: Stored under foundation-pf/openbao-backup/unseal-keys/.
- Object lifecycle policy: Verify that a lifecycle policy exists on the bucket to automatically remove objects from the backup path after the retention period specified in openbao.s3BackupConfig.retention.
Command Line Verification
View Backup History:
Verify that the scheduled backup CronJob exists and review its run history. The CronJob status displays the schedule and the last scheduled time. The jobs list shows currently running, failed, and successful jobs. By default, only the last three successful or failed jobs are listed. Each finished job has a time-to-live value of 300 seconds.
# Check CronJob status
kubectl -n foundation-env-default get cronjob connect-openbao-backup
# Check recent backup job runs
kubectl -n foundation-env-default get jobs -l app.kubernetes.io/name=connect-openbao
Check backup job logs:
Review the logs from backup job runs to confirm successful completion or to diagnose any failures.
# Get logs from the most recent backup job
kubectl -n foundation-env-default logs -l app.kubernetes.io/name=connect-openbao
Example successful backup log output:
{"level":"INFO","timeMillis":1762852323827,"pod":"connect-openbao-backup-29380872-cmfts","message":"Starting OpenBao backup to s3://foundation-pf/openbao-backup"}
{"level":"INFO","timeMillis":1762852323855,"pod":"connect-openbao-backup-29380872-cmfts","message":"Taking OpenBao snapshot..."}
{"level":"INFO","timeMillis":1762852323895,"pod":"connect-openbao-backup-29380872-cmfts","message":"Snapshot created successfully (Size: 24450 bytes)"}
{"level":"INFO","timeMillis":1762852324863,"pod":"connect-openbao-backup-29380872-cmfts","message":"Snapshot uploaded: s3://foundation-pf/openbao-backup/snapshots/2025-11-11_09-12-03-connect-openbao.snap"}
{"level":"INFO","timeMillis":1762852325778,"pod":"connect-openbao-backup-29380872-cmfts","message":"First unseal key uploaded: s3://foundation-pf/openbao-backup/unseal-keys/2025-11-11_09-12-03-connect-openbao.txt"}
{"level":"INFO","timeMillis":1762852325785,"pod":"connect-openbao-backup-29380872-cmfts","message":"Backup of snapshot and unseal-key completed successfully"}
Verify unseal key backup integrity:
Compare the first unseal key from your backup in Critical: Manual Unseal Keys Backup with the contents of the MinIO backup file foundation-pf/openbao-backup/unseal-keys/<date+time>-connect-openbao.txt to make sure they match.
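The two command-line checks above (reading the backup job log and comparing the unseal-key reference with your manual backup) can be scripted. The following is an added example and not part of the connect-openbao chart: it parses the JSON log lines of a backup run, accepts the run only when a non-empty snapshot and its unseal-key reference were both uploaded under the same timestamp stem and the completion line is present, and compares a reference key with the first key of a full unseal key set in constant time. The embedded log lines are the successful run shown above; the key values in the test are constructed.

```python
import hmac
import json
import re

# Constructed sample: the six JSON log lines of the successful run shown in this guide.
SAMPLE_LOG = """\
{"level":"INFO","timeMillis":1762852323827,"pod":"connect-openbao-backup-29380872-cmfts","message":"Starting OpenBao backup to s3://foundation-pf/openbao-backup"}
{"level":"INFO","timeMillis":1762852323855,"pod":"connect-openbao-backup-29380872-cmfts","message":"Taking OpenBao snapshot..."}
{"level":"INFO","timeMillis":1762852323895,"pod":"connect-openbao-backup-29380872-cmfts","message":"Snapshot created successfully (Size: 24450 bytes)"}
{"level":"INFO","timeMillis":1762852324863,"pod":"connect-openbao-backup-29380872-cmfts","message":"Snapshot uploaded: s3://foundation-pf/openbao-backup/snapshots/2025-11-11_09-12-03-connect-openbao.snap"}
{"level":"INFO","timeMillis":1762852325778,"pod":"connect-openbao-backup-29380872-cmfts","message":"First unseal key uploaded: s3://foundation-pf/openbao-backup/unseal-keys/2025-11-11_09-12-03-connect-openbao.txt"}
{"level":"INFO","timeMillis":1762852325785,"pod":"connect-openbao-backup-29380872-cmfts","message":"Backup of snapshot and unseal-key completed successfully"}
"""

SIZE_RE = re.compile(r"Snapshot created successfully \(Size: (\d+) bytes\)")
SNAPSHOT_RE = re.compile(r"Snapshot uploaded: (s3://\S+\.snap)$")
UNSEAL_RE = re.compile(r"First unseal key uploaded: (s3://\S+\.txt)$")
DONE_MARKER = "completed successfully"


def objects_belong_together(snapshot_uri, unseal_key_uri):
    """Both object names share a <date_time>-<release> stem; a mismatch means the
    unseal-key reference found in the log does not belong to this snapshot."""
    snap_stem = snapshot_uri.rsplit("/", 1)[-1][: -len(".snap")]
    key_stem = unseal_key_uri.rsplit("/", 1)[-1][: -len(".txt")]
    return snap_stem == key_stem


def parse_backup_log(text):
    """Walk the job's JSON log lines and decide whether the run produced a usable backup.

    The run is OK only if a snapshot of non-zero size was created, the snapshot and the
    unseal-key reference were both uploaded with matching names, the completion line is
    present, and no ERROR/FATAL or unparseable line appeared.
    """
    result = {"ok": False, "size_bytes": None, "snapshot": None, "unseal_key": None,
              "completed": False, "errors": []}
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        try:
            record = json.loads(raw)
        except json.JSONDecodeError:
            result["errors"].append("unparseable log line: " + raw[:80])
            continue
        message = str(record.get("message", ""))
        if str(record.get("level", "")).upper() in ("ERROR", "FATAL"):
            result["errors"].append(message)
            continue
        if m := SIZE_RE.search(message):
            result["size_bytes"] = int(m.group(1))
        elif m := SNAPSHOT_RE.search(message):
            result["snapshot"] = m.group(1)
        elif m := UNSEAL_RE.search(message):
            result["unseal_key"] = m.group(1)
        elif DONE_MARKER in message:
            result["completed"] = True
    result["ok"] = (result["completed"]
                    and not result["errors"]
                    and bool(result["size_bytes"])
                    and result["snapshot"] is not None
                    and result["unseal_key"] is not None
                    and objects_belong_together(result["snapshot"], result["unseal_key"]))
    return result


def reference_key_matches(reference_key, unseal_keys):
    """Check that the reference copy stored beside the snapshot equals the first key of
    the full unseal key set you backed up manually. Constant-time comparison, so a
    partially matching value does not leak through timing."""
    if not unseal_keys:
        return False
    return hmac.compare_digest(reference_key.strip().encode(), unseal_keys[0].strip().encode())


if __name__ == "__main__":
    summary = parse_backup_log(SAMPLE_LOG)
    print("backup ok" if summary["ok"] else "backup NOT ok", summary)
```

Feed the output of the kubectl logs command above into parse_backup_log (for example via sys.stdin.read()), and pass the downloaded unseal-keys object together with the keys from your manual backup to reference_key_matches; a False from either function is the signal to investigate before relying on that snapshot.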