ServiceUser

Prerequisites¶

A Kubernetes cluster with the operator installed using helm, kubectl or kind (for local development).
A Kubernetes Secret with an Aiven authentication token.

Required permissions¶

To create and manage this resource, you must have the appropriate roles or permissions. See the Aiven documentation for details on managing permissions.

This resource uses the following API operations, and for each operation, any of the listed permissions is sufficient:

Operation	Permissions
ProjectKmsGetCA	`organization:projects:write`
ServiceGet	`project:services:read`
ServiceUserCreate	`service:users:write`
ServiceUserCredentialsModify	`service:users:write`
ServiceUserDelete	`service:users:write`
ServiceUserGet	`service:configuration:write` or `service:users:write`

Usage examples¶

custom_credentialsexample

# This example demonstrates how to use ServiceUser with connInfoSecretSource
# for credential management. The ServiceUser will use a
# predefined password from an existing secret.

apiVersion: v1
kind: Secret
metadata:
  name: predefined-credentials
data:
  # MySecurePassword123! base64 encoded
  PASSWORD: TXlTZWN1cmVQYXNzd29yZDEyMyE= # gitleaks:allow

---

apiVersion: aiven.io/v1alpha1
kind: PostgreSQL
metadata:
  name: my-postgresql
spec:
  authSecretRef:
    name: aiven-token
    key: token

  project: aiven-project-name
  cloudName: google-europe-west1
  plan: startup-4

  connInfoSecretTarget:
    name: postgresql-connection
    prefix: PG_
    annotations:
      example: postgresql-service
    labels:
      service: postgresql

---

apiVersion: aiven.io/v1alpha1
kind: ServiceUser
metadata:
  name: my-service-user
spec:
  authSecretRef:
    name: aiven-token
    key: token

  connInfoSecretTarget:
    name: service-user-secret
    prefix: MY_SECRET_PREFIX_
    annotations:
      foo: bar
    labels:
      baz: egg

  # Use existing secret for credential management
  connInfoSecretSource:
    name: predefined-credentials
    passwordKey: PASSWORD

  project: aiven-project-name
  serviceName: my-postgresql

apiVersion: aiven.io/v1alpha1
kind: ServiceUser
metadata:
  name: my-service-user
spec:
  authSecretRef:
    name: aiven-token
    key: token

  connInfoSecretTarget:
    name: service-user-secret
    prefix: MY_SECRET_PREFIX_
    annotations:
      foo: bar
    labels:
      baz: egg

  # Optional: Use existing secret for credential management
  # connInfoSecretSource:
  #   name: predefined-credentials
  #   namespace: my-namespace  # Optional: defaults to same namespace as ServiceUser
  #   passwordKey: PASSWORD

  project: aiven-project-name
  serviceName: my-service-name

Apply the resource with:

kubectl apply -f example.yaml

Verify the newly created ServiceUser:

kubectl get serviceusers my-service-user

The output is similar to the following:

Name               Service Name     Project               
my-service-user    my-postgresql    aiven-project-name

To view the details of the Secret, use the following command:

kubectl describe secret service-user-secret

You can use the jq to quickly decode the Secret:

kubectl get secret service-user-secret -o json | jq '.data | map_values(@base64d)'

The output is similar to the following:

{
    "SERVICEUSER_HOST": "<secret>",
    "SERVICEUSER_PORT": "<secret>",
    "SERVICEUSER_USERNAME": "<secret>",
    "SERVICEUSER_PASSWORD": "<secret>",
    "SERVICEUSER_CA_CERT": "<secret>",
    "SERVICEUSER_ACCESS_CERT": "<secret>",
    "SERVICEUSER_ACCESS_KEY": "<secret>",
}

ServiceUser¶

ServiceUser is the Schema for the serviceusers API. Creates a service user for accessing Aiven services. The ServiceUser resource name becomes the username in Aiven. Built-in users like avnadmin cannot be deleted but their passwords can be modified using connInfoSecretSource.

Exposes secret keys

SERVICEUSER_HOST, SERVICEUSER_PORT, SERVICEUSER_USERNAME, SERVICEUSER_PASSWORD, SERVICEUSER_CA_CERT, SERVICEUSER_ACCESS_CERT, SERVICEUSER_ACCESS_KEY.

Required

apiVersion (string). Value aiven.io/v1alpha1.
kind (string). Value ServiceUser.
metadata (object). Data that identifies the object, including a name string and optional namespace.
spec (object). ServiceUserSpec defines the desired state of ServiceUser. See below for nested schema.

spec¶

Appears on ServiceUser.

ServiceUserSpec defines the desired state of ServiceUser.

Required

project (string, Immutable, Pattern: ^[a-zA-Z0-9_-]+$, MaxLength: 63). Identifies the project this resource belongs to.
serviceName (string, Immutable, Pattern: ^[a-z][-a-z0-9]+$, MaxLength: 63). Specifies the name of the service that this resource belongs to.

Optional

accessControl (object). AccessControl Service type specific access control rules for user. When this block is present, the operator manages the full access-control scope it contains. See below for nested schema.
authSecretRef (object). Authentication reference to Aiven token in a secret. See below for nested schema.
authentication (string, Enum: caching_sha2_password, mysql_native_password). Authentication details.
connInfoSecretSource (object). ConnInfoSecretSource allows specifying an existing secret to read credentials from. The password from this secret will be used to modify the service user credentials. Password must be 8-256 characters long as per Aiven API requirements. This can be used to set passwords for new users or modify passwords for existing users (e.g., avnadmin). The source secret is watched for changes, and reconciliation will be automatically triggered when the secret data is updated. See below for nested schema.
connInfoSecretTarget (object). Secret configuration. See below for nested schema.
connInfoSecretTargetDisabled (boolean, Immutable). When true, the secret containing connection information will not be created, defaults to false. This field cannot be changed after resource creation.

accessControl¶

Appears on spec.

AccessControl Service type specific access control rules for user. When this block is present, the operator manages the full access-control scope it contains.

Optional

valkeyAclCategories (array of strings). Command category rules. Order matters.
valkeyAclChannels (array of strings). Glob-style patterns defining which pub/sub channels can be accessed.
valkeyAclCommands (array of strings). Rules for individual commands. Order matters.
valkeyAclKeys (array of strings). Key access rules.

authSecretRef¶

Appears on spec.

Authentication reference to Aiven token in a secret.

Required

key (string, MinLength: 1).
name (string, MinLength: 1).

connInfoSecretSource¶

Appears on spec.

ConnInfoSecretSource allows specifying an existing secret to read credentials from. The password from this secret will be used to modify the service user credentials. Password must be 8-256 characters long as per Aiven API requirements. This can be used to set passwords for new users or modify passwords for existing users (e.g., avnadmin). The source secret is watched for changes, and reconciliation will be automatically triggered when the secret data is updated.

Required

name (string, MinLength: 1). Name of the secret resource to read connection parameters from. The secret must be in the same namespace as the resource.
passwordKey (string, MinLength: 1). Key in the secret containing the password to use for authentication.

connInfoSecretTarget¶

Appears on spec.

Secret configuration.

Required

name (string, Immutable). Name of the secret resource to be created. By default, it is equal to the resource name.

Optional

annotations (object, AdditionalProperties: string). Annotations added to the secret.
labels (object, AdditionalProperties: string). Labels added to the secret.
prefix (string). Prefix for the secret's keys. Added "as is" without any transformations. By default, is equal to the kind name in uppercase + underscore, e.g. KAFKA_, REDIS_, etc.