New to KubeDB? Please start here.
Rotate Authentication of Weaviate
This guide will give you an overview of how KubeDB Ops Manager rotates the API-key authentication of a Weaviate cluster.
Before You Begin
- You should be familiar with the following
KubeDBconcepts:
How Rotate Authentication Process Works
By default, KubeDB enables API-key authentication for a Weaviate cluster and stores the generated key in a Secret named <database-name>-auth. Rotating authentication replaces this key.
The rotate authentication process consists of the following steps:
The user creates a
WeaviateOpsRequestCR of typeRotateAuthreferencing theWeaviatedatabase. There are two modes:- Operator-generated key — when no
spec.authentication.secretRefis provided, the Ops Manager generates a brand-new random API key. - User-provided key — when
spec.authentication.secretRefis provided, the Ops Manager uses the key from the referenced Secret.
- Operator-generated key — when no
KubeDBOps Manager watches for theWeaviateOpsRequestCR and halts theWeaviateobject.The Ops Manager updates the auth Secret with the new key. It also keeps the previous key in a
*-PREVdata field so that in-flight clients still using the old key have a short grace window, and it records theactiveFromtimestamp.The Ops Manager updates the PetSet and restarts the pods one by one so they pick up the new key.
After successfully rotating the key, the
KubeDBOps Manager resumes theWeaviateobject so that theKubeDBProvisioner operator resumes its usual operations.
In the next doc, we are going to show a step-by-step guide on rotating the authentication of a Weaviate cluster.































