You are looking at the documentation of a prior release. To read the documentation of the latest release, please
visit here.
New to KubeDB? Please start here.
Rotate Authentication of Milvus
This guide will show you how to use the KubeDB Ops-manager operator to rotate the authentication credentials of a Milvus database.
Before You Begin
You should be familiar with the following
KubeDBconcepts:Complete the dependency setup from Prepare Dependencies. It installs MinIO, creates the
my-release-miniosecret, and installs the etcd operator required by Milvus.
Note: The yaml files used in this tutorial are stored in docs/guides/milvus/rotate-auth/yamls folder in GitHub repository kubedb/docs.
Auth Secret Basics
Milvus authentication is enabled by default. When spec.authSecret is omitted, KubeDB creates a kubernetes.io/basic-auth secret named <db>-auth with a root user and a random password:
$ kubectl get secret milvus-standalone-auth -n demo
NAME TYPE DATA AGE
milvus-standalone-auth kubernetes.io/basic-auth 2 92s
$ kubectl get secret milvus-standalone-auth -n demo -o jsonpath='{.data.username}' | base64 -d
root
There are two ways to rotate this credential.
Rotate Standalone Milvus (User-Supplied Secret)
This sample provides a new secret with a known password and asks the operator to switch to it.
rotate-auth-standalone.yaml
---
apiVersion: v1
kind: Secret
metadata:
name: milvus-new-auth1
namespace: demo
type: Opaque
stringData:
username: root
password: NewPassword1
---
apiVersion: ops.kubedb.com/v1alpha1
kind: MilvusOpsRequest
metadata:
name: milvus-rotate-auth-user-secret
namespace: demo
spec:
type: RotateAuth
databaseRef:
name: milvus-standalone
authentication:
secretRef:
kind: Secret
name: milvus-new-auth1
Here, spec.authentication.secretRef.name points at the user-created secret. To let the operator generate a random password instead, simply omit spec.authentication.
$ kubectl apply -f https://github.com/kubedb/docs/raw/v2026.7.10/docs/guides/milvus/rotate-auth/yamls/rotate-auth-standalone.yaml
secret/milvus-new-auth1 created
milvusopsrequest.ops.kubedb.com/milvus-rotate-auth-user-secret created
Watch Progress
$ kubectl get milvusopsrequest milvus-rotate-auth-user-secret -n demo
NAME TYPE STATUS AGE
milvus-rotate-auth-user-secret RotateAuth Successful 83s
$ kubectl describe milvusopsrequest milvus-rotate-auth-user-secret -n demo
...
Status:
Conditions:
Message: Milvus ops-request has started to rotate auth for milvus nodes
Reason: RotateAuth
Type: RotateAuth
Message: Successfully referenced the user provided authSecret
Reason: UpdateCredential
Type: UpdateCredential
Message: Successfully updated milvus credential dynamically
Reason: UpdateCredentialDynamically
Type: UpdateCredentialDynamically
Message: successfully reconciled the Milvus with new auth secret
Reason: UpdatePetSets
Type: UpdatePetSets
Message: Successfully restarted all milvus nodes
Reason: RestartNodes
...
Phase: Successful
Verify the Rotation
The database now references the new secret:
$ kubectl get milvuses.kubedb.com milvus-standalone -n demo -o jsonpath='{.spec.authSecret.name}'
milvus-new-auth1
$ kubectl get secret milvus-standalone-auth -n demo -o jsonpath='{.metadata.annotations.kubedb\.com/auth-active-from}'
2026-06-30T17:19:33Z
Rotate Distributed Milvus
For a distributed Milvus, point spec.databaseRef.name at the distributed database (milvus-cluster). The credential is updated dynamically inside every distributed role.
rotate-auth-distributed.yaml
---
apiVersion: v1
kind: Secret
metadata:
name: milvus-new-auth1
namespace: demo
type: Opaque
stringData:
username: root
password: NewPassword1
---
apiVersion: ops.kubedb.com/v1alpha1
kind: MilvusOpsRequest
metadata:
name: milvus-rotate-auth-user-secret
namespace: demo
spec:
type: RotateAuth
databaseRef:
name: milvus-cluster
authentication:
secretRef:
kind: Secret
name: milvus-new-auth1
$ kubectl apply -f https://github.com/kubedb/docs/raw/v2026.7.10/docs/guides/milvus/rotate-auth/yamls/rotate-auth-distributed.yaml
secret/milvus-new-auth1 created
milvusopsrequest.ops.kubedb.com/milvus-rotate-auth-user-secret created
$ kubectl get milvusopsrequest milvus-rotate-auth-user-secret -n demo
NAME TYPE STATUS AGE
milvus-rotate-auth-user-secret RotateAuth Successful 3m56s
The credential is updated dynamically and then every role is reconciled and restarted:
$ kubectl describe milvusopsrequest milvus-rotate-auth-user-secret -n demo
...
Status:
Conditions:
Message: Successfully referenced the user provided authSecret
Reason: UpdateCredential
Type: UpdateCredential
Message: Successfully updated milvus credential dynamically
Reason: UpdateCredentialDynamically
Type: UpdateCredentialDynamically
Message: successfully reconciled the Milvus with new auth secret
Reason: UpdatePetSets
Type: UpdatePetSets
Phase: Successful
$ kubectl get milvuses.kubedb.com milvus-cluster -n demo -o jsonpath='{.spec.authSecret.name}'
milvus-new-auth1
Automatic Rotation Recommendations
The Recommendation Engine can generate RotateAuth recommendations automatically based on two fields on spec.authSecret:
rotateAfter— once the credential is older than this duration, aRotateAuthrecommendation is generated.activeFrom— the timestamp the credential became active (also reflected in thekubedb.com/auth-active-fromannotation on the secret);rotateAfteris measured from this point.
See the Recommendation Engine guide for an end-to-end walkthrough.
Cleaning up
$ kubectl delete milvusopsrequest -n demo milvus-rotate-auth-user-secret
$ kubectl delete secret -n demo milvus-new-auth1
$ kubectl delete milvus.kubedb.com -n demo milvus-standalone
$ kubectl delete ns demo
Next Steps
- Learn more about the Recommendation Engine.
- Detail concepts of Milvus object.
- Want to hack on KubeDB? Check our contribution guidelines.































