Keeping SecureGuard updated ensures you have the latest security patches for OpenBao, Dex, ESO, and the UI components. This guide outlines the best practices for upgrading a production deployment.
Because SecureGuard is deployed via Helm, upgrades follow the standard Helm release lifecycle.
OCI-based Helm charts do not require helm repo add or helm repo update. Simply run helm upgrade with the registry URL.
values-production.yaml file to preserve your HA, ingress, and IDP configurations.helm upgrade secureguard oci://quay.io/kubermatic/helm-charts/secureguard \
-f values-production.yaml \
--namespace secureguard-system
Running, dashboard reachable, OpenBao unsealed, a spot-check ExternalSecret still Synced.If the upgrade fails, roll back the release and — only if data was affected — restore the snapshot:
helm rollback secureguard --namespace secureguard-system
CRITICAL: Before performing any upgrade, especially one that bumps the OpenBao major/minor version, you MUST take a snapshot of the OpenBao integrated storage (Raft). Failure to do so risks catastrophic data loss if the upgrade fails.
Also back up the unseal-keys Secret. With the default self-initialization, the Shamir unseal key shares live in the <release>-openbao-keys Secret. A Raft snapshot is useless without the keys to unseal a restored cluster, so back up both together:
kubectl get secret secureguard-openbao-keys -n secureguard-system -o yaml > openbao-keys-backup.yaml
Authenticate to OpenBao with a privileged token. Under self-initialization the root token was revoked after bootstrap, so obtain a break-glass token via bao operator generate-root (using the stored unseal keys) or use a token from a configured auth method:
kubectl exec -it secureguard-openbao-0 -n secureguard-system -- /bin/sh
bao login <root-or-admin-token>
Trigger the snapshot and save it locally:
bao operator raft snapshot save /tmp/backup.snap
Copy the snapshot out of the pod to secure cold storage:
kubectl cp secureguard-system/secureguard-openbao-0:/tmp/backup.snap ./vault_backup_$(date +%F).snap
If an upgrade corrupts the OpenBao data or you need to recover to a known-good state:
kubectl cp ./vault_backup_2026-06-13.snap secureguard-system/secureguard-openbao-0:/tmp/restore.snap
bao operator generate-root, or a token from a configured auth method):kubectl exec -it secureguard-openbao-0 -n secureguard-system -- /bin/sh
bao login <root-or-admin-token>
bao operator raft snapshot restore /tmp/restore.snap
restore -force when restoring into a fresh cluster whose auto-unseal keys or cluster identity differ from the snapshot’s origin — and be aware you then need the original unseal/recovery keys to complete the restore.bao status shows unsealed, and a known secret path reads back correctly.Test the restore procedure regularly on a scratch cluster — a backup that has never been restored is not a backup.
When Helm updates the OpenBao StatefulSet image version, Kubernetes will perform a rolling restart of the OpenBao pods.
helm upgrade and re-unseals every node automatically, so a normal upgrade recovers on its own. Between upgrades, a crashed or rescheduled pod stays sealed until the next upgrade — enable openbao.init.unsealCronJob.enabled=true for automatic periodic re-unseal, or switch to KMS auto-unseal for full restart resilience.openbao.init.enabled=false + a seal stanza), the pods will automatically unseal and rejoin the cluster upon starting — no operator intervention needed.bao operator unseal commands on each newly started pod before the StatefulSet controller proceeds to the next one.Helm does not automatically upgrade Custom Resource Definitions (CRDs) during a helm upgrade command to prevent accidental deletion of stored data.
If a new version of SecureGuard bumps the ESO version and introduces new CRD fields, you must manually apply the updated CRDs before upgrading the Helm chart.
kubectl apply -f https://raw.githubusercontent.com/external-secrets/external-secrets/v<NEW_VERSION>/deploy/crds/bundle.yaml
ESOVersion CR (and move the latest: true
flag onto it). See Advanced Configuration → ESO Version Catalog.
Only ESO v2.0.0 and newer are supported.The React UI and Go proxy are stateless applications deployed as standard Kubernetes Deployments. Helm will perform a standard rolling rollout of the new ReplicaSets, ensuring zero-downtime availability of the dashboard during the upgrade.
The SG Agent Controller (agent/) is a Go controller-runtime binary deployed as a Kubernetes Deployment. It follows the same rolling update pattern as the proxy — Helm will perform a standard rolling rollout of the new ReplicaSet. No special migration steps are required; the controller is stateless and will automatically resume reconciliation of SGAgent and ESODeployment resources after restart.
Always check the release notes of the exact chart version you are moving to.
The bundled OpenBao default changed from a single-node file backend to a 3-node integrated-Raft HA cluster that is automatically initialized and unsealed by a post-install/upgrade hook Job.
<release>-openbao-keys Secret automatically. Back up that Secret.openbao:
server:
standalone:
enabled: true
ha:
enabled: false
openbao.init.enabled=false + a seal stanza) — no key shares are stored in a Secret. See Installation → OpenBao Self-Initialization & Unsealing.bao operator generate-root with the stored unseal keys for break-glass admin.