kubedb
diff --git a/‎docs/guides/elasticsearch/recommendation/_index.md‎
Lines changed: 1 addition & 0 deletions b/‎docs/guides/elasticsearch/recommendation/_index.md‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎docs/guides/elasticsearch/recommendation/overview.md‎
Lines changed: 6 additions & 9 deletions b/‎docs/guides/elasticsearch/recommendation/overview.md‎
Lines changed: 6 additions & 9 deletions
diff --git a/‎docs/guides/elasticsearch/recommendation/rotate-auth-recommendation.md‎
Lines changed: 248 additions & 43 deletions b/‎docs/guides/elasticsearch/recommendation/rotate-auth-recommendation.md‎
Lines changed: 248 additions & 43 deletions
@@ -8,3 +8,4 @@ menu:
     weight: 60
 menu_name: docs_{{ .version }}
 ---
+
@@ -13,7 +13,7 @@ section_menu_id: guides
 
 > New to KubeDB? Please start [here](/docs/README.md).
 
-# Recommendation for KubeDB managed Elasticsearch
+# Recommendation for KubeDB managed Elasticsearch and Opensearch
 
 Databases on Kubernetes in production grade infrastructure often need to go through several administrative operations depending on specific resource requirements. Such operations include vertical scaling (cpu, memory) and storage expansion. Autoscaling support for KubeDB managed databases takes care of it. However, databases also need to go through some maintenance operations in order to ensure security, enhance performance, getting bug fixes and new features etc. Such operations mostly require organization's manual intervention. Even if these operations are automated, they need to be done in surveillance. KubeDB simplifies this by generating K8s Native Recommendations. 
 
@@ -30,16 +30,13 @@ KubeDB provisioner watches user provided database custom resource spec and creat
 KubeDB provides Three types of recommendation for Elasticsearch and Opensearch.
 
 1. [Version Update Recommendation](/docs/guides/elasticsearch/recommendation/version-update-recommendation.md)
-2. TLS Certificate Rotation Recommendation
-3. Authentication Secret Rotation Recommendation
+2. [TLS Certificate Rotation Recommendation](/docs/guides/elasticsearch/recommendation/rotate-tls-recommendation.md)
+3. [Authentication Secret Rotation Recommendation](/docs/guides/elasticsearch/recommendation/rotate-auth-recommendation.md)
 
 The next page describes these recommendations, how to approve/reject them, their generation mechanism and usability.
 
 ## Next Steps
 
-- Learn how to monitor Elasticsearch database with KubeDB using [builtin-Prometheus](/docs/guides/elasticsearch/monitoring/using-builtin-prometheus.md) and using [Prometheus operator](/docs/guides/elasticsearch/monitoring/using-prometheus-operator.md).
-- Learn how to monitor PostgreSQL database with KubeDB using [builtin-Prometheus](/docs/guides/postgres/monitoring/using-builtin-prometheus.md) and using [Prometheus operator](/docs/guides/postgres/monitoring/using-prometheus-operator.md).
-- Learn how to monitor MySQL database with KubeDB using [builtin-Prometheus](/docs/guides/mysql/monitoring/builtin-prometheus/index.md) and using [Prometheus operator](/docs/guides/mysql/monitoring/prometheus-operator/index.md).
-- Learn how to monitor MongoDB database with KubeDB using [builtin-Prometheus](/docs/guides/mongodb/monitoring/using-builtin-prometheus.md) and using [Prometheus operator](/docs/guides/mongodb/monitoring/using-prometheus-operator.md).
-- Learn how to monitor Redis server with KubeDB using [builtin-Prometheus](/docs/guides/redis/monitoring/using-builtin-prometheus.md) and using [Prometheus operator](/docs/guides/redis/monitoring/using-prometheus-operator.md).
-- Learn how to monitor Memcached server with KubeDB using [builtin-Prometheus](/docs/guides/memcached/monitoring/using-builtin-prometheus.md) and using [Prometheus operator](/docs/guides/memcached/monitoring/using-prometheus-operator.md).
+- Learn about Elasticsearch [Version Update Recommendation](/docs/guides/elasticsearch/recommendation/version-update-recommendation.md).
+- Learn about Elasticsearch [TLS Certificate Rotation Recommendation](/docs/guides/elasticsearch/recommendation/rotate-tls-recommendation.md)
+- Learn about Elasticsearch [Authentication Secret Rotation Recommendation](/docs/guides/elasticsearch/recommendation/rotate-auth-recommendation.md)
@@ -5,7 +5,7 @@ menu:
     identifier: es-rotate-auth-recommendation
     name: Rotate Auth Recommendation
     parent: es-recommendation-elasticsearch
-    weight: 30
+    weight: 40
 menu_name: docs_{{ .version }}
 section_menu_id: guides
 ---
@@ -14,15 +14,14 @@ section_menu_id: guides
 
 # Elasticsearch Version Update Recommendation
 
-Rotating authentication secrets in database management is vital to mitigate security risks, such as credential leakage or unauthorized access, and to comply with regulatory requirements. Regular rotation limits the exposure of compromised credentials, reduces the risk of insider threats, and enforces updated security policies like stronger passwords or algorithms. It also ensures operational resilience by testing the rotation process and revoking stale or unused credentials. KubeDB provides `RotateAuth OpsRequest` which reduces manual errors, and strengthens database security with minimal effort. KubeDB Ops-manager generates Recommendation for rotating authentication secrets via this OpsRequest.
+Rotating authentication secrets in database management is vital to mitigate security risks, such as credential leakage or unauthorized access, and to comply with regulatory requirements. Regular rotation limits the exposure of compromised credentials, reduces the risk of insider threats, and enforces updated security policies like stronger passwords or algorithms. It also ensures operational resilience by testing the rotation process and revoking stale or unused credentials. KubeDB provides `RotateAuth` which reduces manual errors, and strengthens database security with minimal effort. KubeDB Ops-manager generates Recommendation for rotating authentication secrets via this OpsRequest.
 
-`Recommendation` is a Kubernetes `Custom Resource Definitions` (CRD). It provides a declarative recommendation for KubeDB managed databases like [Elasticsearch](https://www.elastic.co/products/elasticsearch) and [OpenSearch](https://opensearch.org/) in a Kubernetes native way. KubeDB generates Elasticsearch/Opensearch Rotate Auth recommendation regarding three particular cases.
+`Recommendation` is a Kubernetes `Custom Resource Definitions` (CRD). It provides a declarative recommendation for KubeDB managed databases like [Elasticsearch](https://www.elastic.co/products/elasticsearch) and [OpenSearch](https://opensearch.org/) in a Kubernetes native way. The recommendation will only be created if `.spec.authSecret.rotateAfter` is set. KubeDB generates Elasticsearch/Opensearch Rotate Auth recommendation regarding two particular cases.
 
-1. There's been an update in the current version image
-2. There's a new version available with a minor/patch fix.
-3. There's a new major version available
+1. AuthSecret lifespan is more than one month and, less than one month remaining till expiry
+2. AuthSecret lifespan is less than one month and, less than one third of lifespan remaining till expiry
 
-Let's go through a demo to see version update recommendations being generated. First, get the available Elasticsearch versions provided by KubeDB.
+Let's go through a demo to see `RotateAuth` recommendations being generated. First, get the available Elasticsearch versions provided by KubeDB.
 
 ```bash
 $ kubectl get elasticsearchversions | grep xpack
@@ -47,48 +46,254 @@ xpack-8.6.2         8.6.2     ElasticStack   ghcr.io/appscode-images/elastic:8.6
 xpack-8.8.2         8.8.2     ElasticStack   ghcr.io/appscode-images/elastic:8.8.2                         17h
 ```
 
-Let's deploy an Elasticsearch cluster with version `xpack-8.15.0`.
+Let's deploy an Elasticsearch cluster with version `xpack-8.15.0`. We are going to create a cluster topology with 2 master nodes, 3 data nodes and 2 ingest node. We also have to provide an available storageclass for each of the node types.
 
 ```yaml
-apiVersion: kubedb.com/v1
-kind: Elasticsearch
+ apiVersion: kubedb.com/v1
+ kind: Elasticsearch
+ metadata:
+   name: elastic
+   namespace: es
+ spec:
+   version: xpack-8.15.0
+   storageType: Durable
+   deletionPolicy: WipeOut
+   authSecret:
+     rotateAfter: 1h
+   topology:
+     master:
+       replicas: 2
+       storage:
+         storageClassName: "local-path"
+         accessModes:
+         - ReadWriteOnce
+         resources:
+           requests:
+             storage: 1Gi
+     data:
+       replicas: 2
+       storage:
+         storageClassName: "local-path"
+         accessModes:
+         - ReadWriteOnce
+         resources:
+           requests:
+             storage: 1Gi
+     ingest:
+       replicas: 1
+       storage:
+         storageClassName: "local-path"
+         accessModes:
+         - ReadWriteOnce
+         resources:
+           requests:
+             storage: 1Gi
+```
+
+Wait for a while till elasicsearch cluster gets into `Ready` state. Required time depends on image pulling and node's physical specifications.
+
+```bash
+$ kubectl get es elastic -n es -w
+NAME      VERSION        STATUS         AGE
+elastic   xpack-8.15.0   Provisioning   98s
+elastic   xpack-8.15.0   Provisioning   5m43s
+elastic   xpack-8.15.0   Provisioning   8m7s
+.
+.
+.
+elastic   xpack-8.15.0   Ready          10m
+elastic   xpack-8.15.0   Ready          10m
+```
+
+Since, `.spec.authSecret.rotateAfter` is set as `1h`, it is expected that the recommendation engine will generate a rotate-auth recommendation at least after 40 minutes (two-third of lifespan) of the authsecret creation. Once generated you will get a similar recommendation as follows.
+
+```bash
+$ kubectl get recommendation -n es | grep rotate-auth
+NAME                                              STATUS    OUTDATED   AGE
+elastic-x-elasticsearch-x-rotate-auth-2juuee      Pending   false      10m
+```
+
+The `Recommendation` custom resource will be named as `<DB-name>-x-<DB type>-x-<Recommendation type>-<random hash>`. Initially, the KubeDB `Supervisor` controller will mark the `Status` of this object to `Pending`. Let's check the complete Recommendation custom resource manifest:
+
+```yaml
+$ kubectl get recommendation -n es elastic-x-elasticsearch-x-rotate-auth-2juuee -oyaml
+apiVersion: supervisor.appscode.com/v1alpha1
+kind: Recommendation
+metadata:
+  creationTimestamp: "2025-02-25T09:12:29Z"
+  generation: 1
+  labels:
+    app.kubernetes.io/instance: elastic
+    app.kubernetes.io/managed-by: kubedb.com
+    app.kubernetes.io/type: rotate-auth
+  name: elastic-x-elasticsearch-x-rotate-auth-2juuee
+  namespace: es
+  resourceVersion: "80116"
+  uid: 12f24cf6-2f02-420f-863d-3523e32a08dd
+spec:
+  backoffLimit: 5
+  deadline: "2025-02-25T09:20:53Z"
+  description: Recommending AuthSecret rotation,elastic-auth AuthSecret needs to be
+    rotated before 2025-02-25 09:30:53 +0000 UTC
+  operation:
+    apiVersion: ops.kubedb.com/v1alpha1
+    kind: ElasticsearchOpsRequest
+    metadata:
+      name: rotate-auth
+      namespace: es
+    spec:
+      databaseRef:
+        name: elastic
+      type: RotateAuth
+    status: {}
+  recommender:
+    name: kubedb-ops-manager
+  rules:
+    failed: has(self.status) && has(self.status.phase) && self.status.phase == 'Failed'
+    inProgress: has(self.status) && has(self.status.phase) && self.status.phase ==
+      'Progressing'
+    success: has(self.status) && has(self.status.phase) && self.status.phase == 'Successful'
+  target:
+    apiGroup: kubedb.com
+    kind: Elasticsearch
+    name: elastic
+status:
+  approvalStatus: Pending
+  failedAttempt: 0
+  outdated: false
+  parallelism: Namespace
+  phase: Pending
+  reason: WaitingForApproval
+```
+
+In the generated Recommendation you will find a description, targeted db object, recommended operation or Ops-Request manifest, current status of the recommendation etc. Let's just focus on the recommendation description first.
+
+```shell
+$ kubectl get recommendation -n es elastic-x-elasticsearch-x-rotate-auth-2juuee -o jsonpath='{.spec.operation}' | yq -y
+apiVersion: ops.kubedb.com/v1alpha1
+kind: ElasticsearchOpsRequest
 metadata:
-  name: es
-  namespace: demo
+  name: rotate-auth
+  namespace: es
 spec:
-  version: xpack-8.15.0
-  storageType: Durable
-  deletionPolicy: WipeOut
-  topology:
-    master:
-      replicas: 2
-      storage:
-        storageClassName: "standard"
-        accessModes:
-        - ReadWriteOnce
-        resources:
-          requests:
-            storage: 1Gi
-    data:
-      replicas: 2
-      storage:
-        storageClassName: "standard"
-        accessModes:
-        - ReadWriteOnce
-        resources:
-          requests:
-            storage: 1Gi
-    ingest:
-      replicas: 1
-      storage:
-        storageClassName: "standard"
-        accessModes:
-        - ReadWriteOnce
-        resources:
-          requests:
-            storage: 1Gi
+  databaseRef:
+    name: elastic
+  type: RotateAuth
+status: {}
 ```
 
+Let's check the status part of this recommendation.
+
+```bash
+$ kubectl get recommendation -n es elastic-x-elasticsearch-x-rotate-auth-2juuee -o jsonpath='{.status}' | yq -y
+approvalStatus: Pending
+failedAttempt: 0
+outdated: false
+parallelism: Namespace
+phase: Pending
+reason: WaitingForApproval
+```
+
+Now, This recommendation can be approved and operation can be executed immediately by setting `ApprovalStatus` to `Approved` and Setting `approvedWindow` to `Immediate`. You can approve this easily through Appscode UI or edit it manually. Also, You can use kubectl CLI for this -
+
+```bash
+$ kubectl patch Recommendation elastic-x-elasticsearch-x-rotate-auth-2juuee \
+                  -n es \
+                  --type merge \
+                  --subresource='status' \
+                  -p '{"status":{"approvalStatus":"Approved","approvedWindow":{"window":"Immediate"}}}'
+recommendation.supervisor.appscode.com/elastic-x-elasticsearch-x-rotate-auth-2juuee patched
+```
+
+Now, check the status part again. You will find a condition have appeared which says `OpsRequest is successfully created`.
+
+```bash
+$ kubectl get recommendation -n es elastic-x-elasticsearch-x-rotate-auth-2juuee -o jsonpath='{.status}' | yq -y
+approvalStatus: Approved
+approvedWindow:
+  window: Immediate
+conditions:
+  - lastTransitionTime: '2025-02-25T09:23:29Z'
+    message: OpsRequest is successfully created
+    reason: SuccessfullyCreatedOperation
+    status: 'True'
+    type: SuccessfullyCreatedOperation
+createdOperationRef:
+  name: elastic-1740475409-rotate-auth-auto
+failedAttempt: 0
+outdated: false
+parallelism: Namespace
+phase: InProgress
+reason: StartedExecutingOperation
+```
+
+You will find an `ElasticsearchOpsRequest` custom resource have been created and, it is rotating the authsecret of `elastic` cluster with negligible downtime. Let's wait for it to reach `Successful` status.
+
+```bash
+$ kubectl get elasticsearchopsrequest -n es elastic-1740475409-rotate-auth-auto -w
+NAME                                     TYPE            STATUS        AGE
+elastic-1740475409-rotate-auth-auto      UpdateVersion   Progressing   3m12s
+elastic-1740475409-rotate-auth-auto      UpdateVersion   Progressing   3m34s
+.
+.
+elastic-1740475409-rotate-auth-auto      UpdateVersion   Successful    11m
+```
+
+Let's recheck the recommendation for one last time. We should find that `.status.phase` has been marked as `Succeeded`.
+
+```bash
+$ kubectl get recommendation -n es elastic-x-elasticsearch-x-rotate-auth-2juuee
+NAME                                              STATUS      OUTDATED   AGE
+elastic-x-elasticsearch-x-rotate-auth-2juuee      Succeeded   false      78m
+```
+
+You may not want to do trigger recommended operations manually. Rather, trigger them autonomously in a preferred schedule when infrastructure is idle or traffic rate is at the lowest. For this purpose, You can create a `MaintenanceWindow` custom resource where you can set your desired schedule/period for triggering these recommended operations automatically. Here's a sample one:
+
+```yaml
+apiVersion: supervisor.appscode.com/v1alpha1
+kind: MaintenanceWindow
+metadata:
+  name: elastic-maintenance
+  namespace: es
+spec:
+  timezone: Asia/Dhaka
+  days:
+    Wednesday:
+      - start: 5:40AM
+        end: 7:00PM
+  dates:
+    - start: 2025-01-25T00:00:18Z
+      end: 2025-01-25T23:41:18Z
+```
+
+You can now create a `ApprovalPolicy` custom resource to refer this `MaintenanceWindow` for particular DB type. Following is a sample `ApprovalPolicy` for any `Elasticsearch` custom resource deployed in `es` namespace. This `ApprovalPolicy` custom resource is referring to the `elastic-maintenance` MaintenanceWindow created in the same namespace. You can also create `ClusterMaintenanceWindow` instead which is effective for cluster-wide operations and refer it here. The following ApprovalPolicy will trigger recommended operations when referred maintenance window timeframe is reached.
+
+```yaml
+apiVersion: supervisor.appscode.com/v1alpha1
+kind: ApprovalPolicy
+metadata:
+  name: es-policy
+  namespace: es
+maintenanceWindowRef:
+  name: elastic-maintenance
+targets:
+  - group: kubedb.com
+    kind: Elasticsearch
+    operations:
+      - group: ops.kubedb.com
+        kind: ElasticsearchOpsRequest
+```
+
+Lastly, If you want to reject a recommendation, you can just set `ApprovalStatus` to `Rejected` in the recommendation status section. Here's how you can do it using kubectl cli.
+
+```bash
+$ kubectl patch Recommendation elastic-x-elasticsearch-x-rotate-auth-2juuee \
+                  -n es \
+                  --type merge \
+                  --subresource='status' \
+                  -p '{"status":{"approvalStatus":"Rejected"}}'
+recommendation.supervisor.appscode.com/elastic-x-elasticsearch-x-rotate-auth-2juuee patched
+```
 
 
 ## Next Steps