
Question: Does the Aiven operator itself handle service user credential expiration?

Open flassagn opened this issue 9 months ago • 7 comments

I would like to know if the operator manages service user credential rotation by itself.

flassagn avatar Feb 05 '25 08:02 flassagn

Hello @flassagn, at this time there is no user credential rotation support in the Aiven k8s operator. Would you mind expanding on your use-case so we can understand better if this is something we could support in the future?

rriski avatar Feb 05 '25 08:02 rriski

Hi @rriski 👋

I used the operator to manage our services in K8S to connect to Aiven Kafka topics, using:

  • ServiceUser
  • KafkaTopic
  • KafkaAcl

But the generated credentials have an expiration date, and I expected that the rotation would be handled by the operator to avoid manual action and operational cost.

flassagn avatar Feb 05 '25 09:02 flassagn

Hi @rriski,

I'm really surprised that the operator is not rotating credentials. How is it supposed to work normally? Does it require user intervention?

flassagn avatar Feb 19 '25 14:02 flassagn

Hey @flassagn, thanks for flagging this. According to https://aiven.io/docs/products/kafka/howto/renew-ssl-certs the Kafka certs are valid for two years and three months. Currently we are not handling this rotation gracefully in k8s operator. We are working on a fix.

rriski avatar Feb 19 '25 15:02 rriski

Related idea at https://ideas.aiven.io/forums/951277-event-streaming/suggestions/47151928-allow-overlapping-valid-certificates-for-a-service , feel free to add a vote.

mortenlj avatar Oct 09 '25 10:10 mortenlj

@mortenlj Can I ask you about your proposal, please? Did I understand correctly that you want to have certificate rotation more often than the default schedule, so you have to create new ServiceUsers for that purpose?

vmyroslav avatar Oct 22 '25 10:10 vmyroslav

Did I understand correctly that you want to have certificate rotation more often than the default schedule, so you have to create new ServiceUsers for that purpose?

We wish to rotate credentials for applications relatively often, so we have currently implemented a solution that will create a new service user on the first deploy of an application in a given week.

So if the application is updated every day, it will get a new service user every Monday. If it is deployed once a month, it will get a new service user on each deploy. Basically the logic is "On deploy, check if there is a service user for the current week. If yes, use that; if no, create a new service user". Then we have additional jobs that go around deleting old/unused service users. It is fully automated, but does create a lot of extra service users. Every application has 2-3 service users at any given time.

If we could create new certificates for an existing service user, without invalidating the certificate currently in use (and getting rid of old certificates no longer in use), we could move to a model where every application has a single service user.

mortenlj avatar Oct 23 '25 08:10 mortenlj
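The weekly service-user scheme mortenlj describes above, written out as an added example; it is neither the operator's code nor mortenlj's own implementation. The `app-YYYYwWW` naming, the in-memory `create` stand-in for creating a ServiceUser resource, and the `in_use` set fed to the cleanup job are all assumptions.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class ServiceUser:
    name: str      # Aiven service user name (also the ServiceUser CR name)
    created: date

def week_key(day: date) -> str:
    """Rotation period from the ISO week, e.g. '2025w08'. A period starts
    every Monday, so an app deployed daily gets a new user each Monday."""
    year, week, _ = day.isocalendar()
    return f"{year}w{week:02d}"

def user_name(app: str, day: date) -> str:
    return f"{app}-{week_key(day)}"

def select_user(app: str, users: list[ServiceUser], today: date, create) -> tuple[ServiceUser, bool]:
    """Deploy step: reuse this week's user if it exists, otherwise create it.
    `create(name, day)` stands in for creating the ServiceUser resource (assumption)."""
    wanted = user_name(app, today)
    found = next((u for u in users if u.name == wanted), None)
    return (found, False) if found else (create(wanted, today), True)

def stale_users(app: str, users: list[ServiceUser], today: date, in_use: set[str]) -> list[ServiceUser]:
    """Cleanup job: this app's users that are neither the current week's nor still
    referenced by a running workload (`in_use` assumed derived from mounted secrets)."""
    current = user_name(app, today)
    return [u for u in users if u.name.startswith(f"{app}-")
            and u.name != current and u.name not in in_use]

def demo() -> dict:
    """Constructed scenario: two deploys of 'orders' on Wed 2025-02-19, then cleanup."""
    today = date(2025, 2, 19)
    users = [ServiceUser("orders-2025w07", date(2025, 2, 10)),   # last week, still in use
             ServiceUser("orders-2025w06", date(2025, 2, 3)),    # unused leftover
             ServiceUser("billing-2025w08", date(2025, 2, 17))]  # other app, untouched
    def create(name: str, day: date) -> ServiceUser:  # in-memory stand-in for the API call
        users.append(ServiceUser(name, day))
        return users[-1]
    first, made = select_user("orders", users, today, create)
    again, made_again = select_user("orders", users, today, create)
    stale = stale_users("orders", users, today, in_use={"orders-2025w07", first.name})
    return {"week": week_key(today), "monday": week_key(date(2025, 2, 17)),
            "sunday": week_key(date(2025, 2, 16)), "user": first.name,
            "made": (made, made_again), "same": first is again,
            "stale": [u.name for u in stale],
            "orders_users": sum(u.name.startswith("orders-") for u in users)}
```

The second deploy in the same week reuses the user created by the first, and the cleanup job only removes the week-06 user, leaving the current and still-referenced ones, which is how an application ends up with 2-3 users at a time.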