New to KubeDB? Please start here.
Rotate Authentication of Milvus
This guide will give an overview on how the KubeDB Ops-manager operator rotates the authentication credentials of a Milvus database.
Before You Begin
- You should be familiar with the following
KubeDBconcepts:
How Rotate Authentication Process Works
Milvus authentication is enabled by default (spec.disableSecurity defaults to false). When you do not provide spec.authSecret, KubeDB auto-generates a kubernetes.io/basic-auth secret named <db>-auth containing a root user and a random password.
A MilvusOpsRequest of type RotateAuth rotates that credential. There are two modes:
- Operator-generated password — omit
spec.authentication. The operator generates a new random password and updates the existing auth secret in place. - User-supplied credentials — set
spec.authentication.secretRef.nameto aSecret(withusername/passwordkeys) you created. The operator switches the database to use your secret.
The flow is:
- A user creates a
MilvusOpsRequestof typeRotateAuth. - The operator validates the request and pauses the
Milvusdatabase. - The credential is updated dynamically inside the running Milvus, then the rendered configuration and PetSets are reconciled to reference the new secret.
- Pods are restarted to ensure every component uses the new credential.
- The operator resumes the database and marks the
MilvusOpsRequestasSuccessful.
Relationship with the Recommendation Engine
Two fields on spec.authSecret drive automatic auth-rotation recommendations:
rotateAfter— the maximum age of the credential. Once the secret is older than this duration, the Recommendation Engine emits aRotateAuthrecommendation.activeFrom— the timestamp from which the current credential is considered active (also stamped on the secret via thekubedb.com/auth-active-fromannotation). It is the reference pointrotateAfteris measured from.
See the Recommendation Engine guide for the end-to-end flow.
In the next doc, we will see a step-by-step guide on rotating authentication of a Milvus database.































