18 changes: 18 additions & 0 deletions docs/database.md
Expand Up @@ -252,6 +252,24 @@ USER: << base64 encoded user name (generated by db operator) >>

Then DB Operator will connect to an existing database and set up a user for it.


## Using an existing user

Since version **2.22.0** it's possible to make DB Operator grant access to a database to an existing user instead of generating a new one. To do so add `.spec.existingUser: ${USERNAME}` to your manifest.

```yaml
kind: Database
metadata: {}
spec:
existingUser: my-db-user
```

When using an existing user, DB Operator is not aware of the password anymore, hence the **password** field in the credentials Secret will be empty. Users must handle the authentication on their own.

It's also important to understand, that when you are switching **from/to** existing user **to/from** a generated one, you need to remove the Secret from the cluster, so it's recreated, otherwise it's either going to be empty for a generated user, or filled for an existing one. It will most probably be fixed in future versions.

Another thing that is worth mentioning, DB Operator is running a health check on each reconciliation, and with generated users it's trying to access a database using these users, but as DB Operator is not aware of a password of an existing users, it's performing a health check as an admin, and hence can't verify whether a user really has the required access.

## Experimental features

Experimental features are added via annotations, the following features are available for `Databases`
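Review bot: The health-check paragraph (the one starting "Another thing that is worth mentioning") says the check runs as admin when `existingUser` is set, but it stops short of saying what a passing check then means. Suggest stating outright that a successful health check does not confirm the existing user's access to the database and that verifying the grant is left to the user, in the same direct form as "Users must handle the authentication on their own." Minor wording in the same paragraph: "a password of an existing users" should read "the password of an existing user".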
15 changes: 15 additions & 0 deletions docs/dbuser.md
Expand Up @@ -60,6 +60,21 @@ spec:

This metadata can be used by external controllers that watch annotations or require specific labels to enable Secret synchronization or reflection across namespaces.

## Using an existing user

Since version **2.22.0** it's possible to make DB Operator grant access to a database to an existing user instead of generating a new one. To do so add `.spec.existingUser: ${USERNAME}` to your manifest.

```yaml
kind: DbUser
metadata: {}
spec:
existingUser: my-db-user
```

When using an existing user, DB Operator is not aware of the password anymore, hence the **password** field in the credentials Secret will be empty. Users must handle the authentication on their own.

It's also important to understand, that when you are switching **from/to** existing user **to/from** a generated one, you need to remove the Secret from the cluster, so it's recreated, otherwise it's either going to be empty for a generated user, or filled for an existing one. It will most probably be fixed in future versions.

## Experimental features

Experimental features are added via annotations, the following features are available for `DbUsers`
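Review bot: The switching paragraph ("from/to existing user to/from a generated one") is hard to parse, and it buries the case that matters most: moving to an existing user without deleting the Secret leaves it "filled", so a password value stays in the Secret even though the paragraph above says the field will be empty for an existing user. Suggest splitting it into two explicit cases (generated to existing, existing to generated), stating what the Secret holds in each case and that it must be deleted so it is recreated. "It will most probably be fixed in future versions" would be more useful as a reference to a tracking issue, if one exists. Also, docs/database.md gets a health-check caveat for existing users that this file omits; if the same behaviour applies to `DbUser`, it belongs here as well.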