
ServiceUser

Usage examples

Prerequisites

  • A Kubernetes cluster with the operator installed using helm, kubectl or kind (for local development).
  • A Kubernetes Secret with an Aiven authentication token.
# This example demonstrates how to use ServiceUser with connInfoSecretSource
# for credential management. The ServiceUser will use a
# predefined password from an existing secret.

apiVersion: v1
kind: Secret
metadata:
  name: predefined-credentials
data:
  # MySecurePassword123! base64 encoded
  PASSWORD: TXlTZWN1cmVQYXNzd29yZDEyMyE= # gitleaks:allow

---

apiVersion: aiven.io/v1alpha1
kind: PostgreSQL
metadata:
  name: my-postgresql
spec:
  authSecretRef:
    name: aiven-token
    key: token

  project: aiven-project-name
  cloudName: google-europe-west1
  plan: startup-4

  connInfoSecretTarget:
    name: postgresql-connection
    prefix: PG_
    annotations:
      example: postgresql-service
    labels:
      service: postgresql

---

apiVersion: aiven.io/v1alpha1
kind: ServiceUser
metadata:
  name: my-service-user
spec:
  authSecretRef:
    name: aiven-token
    key: token

  connInfoSecretTarget:
    name: service-user-secret
    prefix: MY_SECRET_PREFIX_
    annotations:
      foo: bar
    labels:
      baz: egg

  # Use existing secret for credential management
  connInfoSecretSource:
    name: predefined-credentials
    # namespace: my-namespace  # Optional: defaults to same namespace as ServiceUser
    passwordKey: PASSWORD

  project: aiven-project-name
  serviceName: my-postgresql

# Basic example: connInfoSecretSource is optional and is left commented out below.
apiVersion: aiven.io/v1alpha1
kind: ServiceUser
metadata:
  name: my-service-user
spec:
  authSecretRef:
    name: aiven-token
    key: token

  connInfoSecretTarget:
    name: service-user-secret
    prefix: MY_SECRET_PREFIX_
    annotations:
      foo: bar
    labels:
      baz: egg

  # Optional: Use existing secret for credential management
  # connInfoSecretSource:
  #   name: predefined-credentials
  #   namespace: my-namespace  # Optional: defaults to same namespace as ServiceUser
  #   passwordKey: PASSWORD

  project: aiven-project-name
  serviceName: my-service-name

Apply the resource with:

kubectl apply -f example.yaml

Verify the newly created ServiceUser:

kubectl get serviceusers my-service-user

The output is similar to the following:

Name               Service Name     Project
my-service-user    my-postgresql    aiven-project-name

To view the details of the Secret, use the following command:

kubectl describe secret service-user-secret

You can use jq to quickly decode the Secret:

kubectl get secret service-user-secret -o json | jq '.data | map_values(@base64d)'

The output is similar to the following. The key names below use the default prefix; with prefix: MY_SECRET_PREFIX_ as in the example above, the keys are MY_SECRET_PREFIX_HOST and so on, because the prefix is added to the key names as-is.

{
    "SERVICEUSER_HOST": "<secret>",
    "SERVICEUSER_PORT": "<secret>",
    "SERVICEUSER_USERNAME": "<secret>",
    "SERVICEUSER_PASSWORD": "<secret>",
    "SERVICEUSER_CA_CERT": "<secret>",
    "SERVICEUSER_ACCESS_CERT": "<secret>",
    "SERVICEUSER_ACCESS_KEY": "<secret>"
}

ServiceUser

ServiceUser is the Schema for the serviceusers API. Creates a service user for accessing Aiven services. The ServiceUser resource name becomes the username in Aiven. Built-in users like avnadmin cannot be deleted but their passwords can be modified using connInfoSecretSource.

Exposes secret keys

SERVICEUSER_HOST, SERVICEUSER_PORT, SERVICEUSER_USERNAME, SERVICEUSER_PASSWORD, SERVICEUSER_CA_CERT, SERVICEUSER_ACCESS_CERT, SERVICEUSER_ACCESS_KEY.

Required

  • apiVersion (string). Value aiven.io/v1alpha1.
  • kind (string). Value ServiceUser.
  • metadata (object). Data that identifies the object, including a name string and optional namespace.
  • spec (object). ServiceUserSpec defines the desired state of ServiceUser. See below for nested schema.

spec

Appears on ServiceUser.

ServiceUserSpec defines the desired state of ServiceUser.

Required

  • project (string, Immutable, Pattern: ^[a-zA-Z0-9_-]+$, MaxLength: 63). Identifies the project this resource belongs to.
  • serviceName (string, Immutable, Pattern: ^[a-z][-a-z0-9]+$, MaxLength: 63). Specifies the name of the service that this resource belongs to.

Optional

  • authSecretRef (object). Authentication reference to Aiven token in a secret. See below for nested schema.
  • authentication (string, Enum: caching_sha2_password, mysql_native_password). Authentication details.
  • connInfoSecretSource (object). ConnInfoSecretSource allows specifying an existing secret to read credentials from. The password from this secret will be used to modify the service user credentials. Password must be 8-256 characters long as per Aiven API requirements. This can be used to set passwords for new users or modify passwords for existing users (e.g., avnadmin).

    Note

    This secret is not watched - changes to the source secret require manual reconciliation. To apply password changes, trigger reconciliation by adding/updating an annotation on the ServiceUser. See below for nested schema.

authSecretRef

Appears on spec.

Authentication reference to Aiven token in a secret.

Required

  • key (string, MinLength: 1).
  • name (string, MinLength: 1).

connInfoSecretSource

Appears on spec.

ConnInfoSecretSource allows specifying an existing secret to read credentials from. The password from this secret will be used to modify the service user credentials. Password must be 8-256 characters long as per Aiven API requirements. This can be used to set passwords for new users or modify passwords for existing users (e.g., avnadmin).

Note

This secret is not watched - changes to the source secret require manual reconciliation. To apply password changes, trigger reconciliation by adding/updating an annotation on the ServiceUser.

Required

  • name (string, MinLength: 1). Name of the secret resource to read connection parameters from.
  • passwordKey (string, MinLength: 1). Key in the secret containing the password to use for authentication.

Optional

  • namespace (string). Namespace of the source secret. If not specified, defaults to the same namespace as the resource.
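A rotation helper for the connInfoSecretSource flow described here and under spec, written as an added example rather than code from the Aiven operator or its documentation: it renders the source Secret (checking the 8-256 character limit and using the same key as passwordKey), and, because the source Secret is not watched, patches an annotation on the ServiceUser to trigger reconciliation. The annotation key example.local/password-rotated-at is an assumption; any annotation change triggers reconciliation.

```shell
# Added example, not part of the Aiven operator docs. Names match the page's
# example; the annotation key is an assumption.
set -eu

# Aiven API accepts 8-256 character passwords; reject early instead of
# failing at reconcile time. Counts bytes, which equals characters for ASCII.
validate_password() {
  len=$(printf '%s' "$1" | wc -c | tr -d ' ')
  [ "$len" -ge 8 ] && [ "$len" -le 256 ]
}

# Render the source Secret for connInfoSecretSource.
# $1 secret name, $2 namespace, $3 key (must equal passwordKey), $4 plaintext password
secret_manifest() {
  validate_password "$4" || { echo "password must be 8-256 characters" >&2; return 1; }
  enc=$(printf '%s' "$4" | base64 | tr -d '\n')
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\n  namespace: %s\ndata:\n  %s: %s\n' \
    "$1" "$2" "$3" "$enc"
}

# Merge patch that changes an annotation, which forces the operator to
# reconcile and push the new password. $1 is a timestamp, injected so the
# output is deterministic.
reconcile_patch() {
  printf '{"metadata":{"annotations":{"example.local/password-rotated-at":"%s"}}}' "$1"
}

# Full procedure against a live cluster (needs a kubectl context).
# $1 secret name, $2 namespace, $3 key, $4 password, $5 ServiceUser name
rotate() {
  secret_manifest "$1" "$2" "$3" "$4" | kubectl apply -f -
  kubectl -n "$2" patch serviceusers "$5" --type merge \
    -p "$(reconcile_patch "$(date -u +%Y-%m-%dT%H:%M:%SZ)")"
}

# Usage: rotate predefined-credentials default PASSWORD 'NewSecurePassword456!' my-service-user
```

After reconciliation, decode the target secret (service-user-secret in the example) and confirm its password key now holds the rotated value.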

connInfoSecretTarget

Appears on spec.

Secret configuration.

Required

  • name (string, Immutable). Name of the secret resource to be created. By default, it is equal to the resource name.

Optional

  • annotations (object, AdditionalProperties: string). Annotations added to the secret.
  • labels (object, AdditionalProperties: string). Labels added to the secret.
  • prefix (string). Prefix for the secret's keys. Added "as is" without any transformations. By default, it is equal to the kind name in uppercase + underscore, e.g. KAFKA_, REDIS_, etc.