You are looking at the documentation of a prior release. To read the documentation of the latest release, please
visit here.
New to KubeDB? Please start here.
Authentication Rotate Recommendation
Database credentials are a high-value target. Leaving them static sometimes for years magnifies the blast radius of any leak: backup tarballs, log lines, abandoned dev pods, or a compromised CI runner can all expose them. Regular rotation limits how long a stolen credential is useful, satisfies compliance audits, exercises the rotation code path itself (so it actually works when you need it), and revokes access for stale humans and services.
KubeDB ships the RotateAuth OpsRequest for this — and the Ops-manager generates a Recommendation to drive it automatically. Rotation is opt-in: it is only generated when the database CR sets spec.authSecret.rotateAfter.
KubeDB raises an auth-rotation recommendation when:
- AuthSecret lifespan is more than one month and less than one month of life remains, or
- AuthSecret lifespan is less than one month and less than one third of life remains.
Note: Recommendations work across most KubeDB-managed databases. The walkthrough below uses MongoDB.
Before you begin
- KubeDB and the Supervisor are installed (
--set supervisor.enabled=true). kubectlis configured against the cluster.- The target database CR must set
spec.authSecret.rotateAfter. Without it, no rotation Recommendation is generated.
Deploy MongoDB with rotation enabled
For the demo we use an aggressive rotateAfter: 1h. In production, pick something realistic like 2160h (90 days).
apiVersion: kubedb.com/v1
kind: MongoDB
metadata:
name: mg-ra-recommendation
namespace: demo
spec:
version: "8.0.10"
authSecret:
kind: Secret
name: mg-auth
rotateAfter: 1h
storage:
resources:
requests:
storage: 500Mi
storageClassName: local-path
deletionPolicy: WipeOut
Wait until MongoDB reports Ready. The time depends on image pull speed.
$ kubectl get mongodb,pods -n demo
NAME VERSION STATUS AGE
mongodb.kubedb.com/mg-ra-recommendation 8.0.10 Ready 10m
NAME READY STATUS RESTARTS AGE
pod/mg-ra-recommendation-0 1/1 Running 0 10m
A rotate-auth Recommendation appears
With rotateAfter: 1h, the recommendation engine creates a rotation Recommendation roughly 40 minutes after the auth secret was created (two-thirds of the lifespan). Once it appears, you will see something like:
$ kubectl get recommendation -n demo
NAME STATUS OUTDATED AGE
mg-ra-recommendation-x-mongodb-x-rotate-auth-<HASH> <STATUS> false <AGE>
mg-ra-recommendation-x-mongodb-x-update-version-<HASH> Pending false <AGE>
The Recommendation name follows the pattern <DB-name>-x-<DB-type>-x-<recommendation-type>-<random-suffix>. Let’s look at the full manifest:
$ kubectl get recommendation -n demo mg-ra-recommendation-x-mongodb-x-rotate-auth-2ynyce -oyaml
apiVersion: supervisor.appscode.com/v1alpha1
kind: Recommendation
metadata:
creationTimestamp: "2026-06-08T19:03:27Z"
generation: 1
labels:
app.kubernetes.io/instance: mg-ra-recommendation
app.kubernetes.io/managed-by: kubedb.com
app.kubernetes.io/type: rotate-auth
name: mg-ra-recommendation-x-mongodb-x-rotate-auth-2ynyce
namespace: demo
resourceVersion: "119741"
uid: 2578ba41-2d0f-437a-bc69-a6aefa786713
spec:
backoffLimit: 10
deadline: "2026-06-08T19:13:27Z"
description: Recommending AuthSecret rotation,mg-ra-recommendation-auth AuthSecret
needs to be rotated before 2026-06-08 19:23:27 +0000 UTC
operation:
apiVersion: ops.kubedb.com/v1alpha1
kind: MongoDBOpsRequest
metadata:
name: rotate-auth
namespace: demo
spec:
databaseRef:
name: mg-ra-recommendation
type: RotateAuth
status: {}
recommender:
name: kubedb-ops-manager
rules:
failed: has(self.status) && has(self.status.phase) && self.status.phase == 'Failed'
inProgress: has(self.status) && has(self.status.phase) && self.status.phase ==
'Progressing'
success: has(self.status) && has(self.status.phase) && self.status.phase == 'Successful'
target:
apiGroup: kubedb.com
kind: MongoDB
name: mg-ra-recommendation
status:
approvalStatus: Approved
approvedWindow:
window: Immediate
conditions:
- lastTransitionTime: "2026-06-08T19:13:27Z"
message: OpsRequest is successfully created
reason: SuccessfullyCreatedOperation
status: "True"
type: SuccessfullyCreatedOperation
- lastTransitionTime: "2026-06-08T19:14:27Z"
message: OpsRequest is successfully executed
reason: SuccessfullyExecutedOperation
status: "True"
type: SuccessfullyExecutedOperation
createdOperationRef:
name: mg-ra-recommendation-1780946007-rotate-auth-auto
failedAttempt: 0
observedGeneration: 1
outdated: true
parallelism: Namespace
phase: Succeeded
reason: SuccessfullyExecutedOperation
What this manifest tells you:
spec.description— explains that the auth secret needs rotation before the secret’s expiry timestamp.spec.deadline— Supervisor will auto-approve and execute at or before this time so rotation finishes before the secret expires.spec.operation— aMongoDBOpsRequestof typeRotateAuth.- Notice that
spec.requireExplicitApprovalis not set. Auth secret rotation defaults to automatic approval — like TLS, missing the deadline is worse than running unattended. - When the deadline is reached, Supervisor sets
status.approvalStatus: Approved,status.approvedWindow.window: Immediate, creates the OpsRequest, and reports progress viastatus.conditions.
Watching the OpsRequest
After auto-approval, an MongoDBOpsRequest is created and reaches Successful:
$ kubectl get mongodbopsrequest -n demo
NAME TYPE STATUS AGE
mg-ra-recommendation-<TIMESTAMP>-rotate-auth-auto RotateAuth Successful <AGE>
RotateAuth rotates the auth secret with negligible downtime — the database keeps accepting connections throughout the rolling restart.
You can re-check the Recommendation status as JSON:
$ kubectl get recommendation <ROTATE-AUTH-NAME> \
-n demo -o json | jq '.status'
You will see phase: Succeeded and reason: SuccessfullyExecutedOperation.
Rejecting a recommendation
If you need to skip a rotation (for example because you’re about to change auth strategy), reject it:
$ kubectl patch recommendation <ROTATE-AUTH-NAME> \
-n demo \
--type merge \
--subresource='status' \
-p '{"status":{"approvalStatus":"Rejected"}}'
recommendation.supervisor.appscode.com/<ROTATE-AUTH-NAME> patched
Automating execution with a maintenance window
Auto-approval is great, but Immediate execution can still be disruptive at the wrong hour. Pair a MaintenanceWindow with an ApprovalPolicy to keep rotations off-peak.
1. Define a MaintenanceWindow
apiVersion: supervisor.appscode.com/v1alpha1
kind: MaintenanceWindow
metadata:
name: mongo-maintenance
namespace: demo
spec:
isDefault: true
timezone: UTC
days:
Sunday:
- start: "00:00"
end: "04:00"
Saturday:
- start: "00:00"
end: "04:00"
See Maintenance Window for the complete reference.
2. Auto-approve with an ApprovalPolicy
This policy auto-approves RotateAuth (and any other MongoDB ops) and binds them to the window above.
apiVersion: supervisor.appscode.com/v1alpha1
kind: ApprovalPolicy
metadata:
name: mongodb-policy
namespace: demo
maintenanceWindowRef:
kind: MaintenanceWindow
name: mongo-maintenance
namespace: demo
targets:
- group: kubedb.com
kind: MongoDB
operations:
- group: ops.kubedb.com
kind: MongoDBOpsRequest
See Approval Policy for the complete reference.
3. Or use a cluster-wide default
If you would rather set one default for the whole cluster, replace the namespace-scoped MaintenanceWindow with a ClusterMaintenanceWindow and point maintenanceWindowRef.kind at it. See Cluster Maintenance Window.
Important: Make sure the window opens before the recommendation’s
spec.deadline. If the deadline passes first, Supervisor rotates immediately to keep the auth secret from expiring.
For the complete field reference for Recommendation, see Recommendation Spec & Status.