kubedb · biswasurmi · Apr 29, 2026 · Apr 29, 2026 · May 6, 2026
diff --git a/apis/catalog/v1alpha1/milvus_version_types.go b/apis/catalog/v1alpha1/milvus_version_types.go
@@ -27,10 +27,13 @@ const (
 	ResourcePluralMilvusVersion   = "milvusversions"
 )
 
-// Package v1alpha2 contains API Schema definitions for the  v1alpha2 API group.
+// +genclient
+// +genclient:nonNamespaced
+// +genclient:skipVerbs=updateStatus
+// +k8s:openapi-gen=true
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
 // +kubebuilder:object:root=true
-// +genclient:nonNamespaced
 // +kubebuilder:resource:path=milvusversions,singular=milvusversion,scope=Cluster,shortName=mvversion,categories={catalog,kubedb,appscode}
 // +kubebuilder:printcolumn:name="Version",type="string",JSONPath=".spec.version"
 // +kubebuilder:printcolumn:name="DB_IMAGE",type="string",JSONPath=".spec.db.image"

diff --git a/apis/catalog/v1alpha1/openapi_generated.go b/apis/catalog/v1alpha1/openapi_generated.go
diff --git a/apis/catalog/v1alpha1/register.go b/apis/catalog/v1alpha1/register.go
@@ -84,6 +84,8 @@ func addKnownTypes(scheme *runtime.Scheme) error {
 		&MariaDBVersionList{},
 		&MemcachedVersion{},
 		&MemcachedVersionList{},
+		&MilvusVersion{},
+		&MilvusVersionList{},
 		&MongoDBVersion{},
 		&MongoDBVersionList{},
 		&MSSQLServerVersion{},
@@ -120,8 +122,6 @@ func addKnownTypes(scheme *runtime.Scheme) error {
 		&WeaviateVersionList{},
 		&ZooKeeperVersion{},
 		&ZooKeeperVersionList{},
-		&MilvusVersion{},
-		&MilvusVersionList{},
 	)
 
 	scheme.AddKnownTypes(SchemeGroupVersion,

diff --git a/apis/kubedb/constants.go b/apis/kubedb/constants.go
@@ -915,6 +915,17 @@ const (
 	MilvusPortDataNode      = 21124
 	MilvusPortQueryNode     = 21123
 	MilvusPortStreamingNode = 22222
+
+	MilvusTLSVolName      = "milvus-tls"
+	MilvusTLSVolDir       = "/milvus/tls"
+	MilvusTLSCACert       = "ca.crt"
+	MilvusTLSCAPem        = "ca.pem"
+	MilvusTLSCert         = "tls.crt"
+	MilvusTLSKey          = "tls.key"
+	MilvusTLSServerPem    = "server.pem"
+	MilvusTLSServerKeyPem = "server.key"
+	MilvusTLSClientPem    = "client.pem"
+	MilvusTLSClientKeyPem = "client.key"
 )
 
 const (

diff --git a/apis/kubedb/v1alpha2/milvus_helpers.go b/apis/kubedb/v1alpha2/milvus_helpers.go
@@ -32,6 +32,7 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/klog/v2"
+	kmapi "kmodules.xyz/client-go/api/v1"
 	"kmodules.xyz/client-go/apiextensions"
 	coreutil "kmodules.xyz/client-go/core/v1"
 	meta_util "kmodules.xyz/client-go/meta"
@@ -80,6 +81,9 @@ func (m Milvus) Type() appcat.AppType {
 
 func (m *Milvus) GetConnectionScheme() string {
 	scheme := "http"
+	if m.Spec.TLS != nil && m.Spec.TLS.External != nil && m.Spec.TLS.External.Mode != TLSModeDisabled {
+		scheme = "https"
+	}
 	return scheme
 }
 
@@ -354,6 +358,8 @@ func (m *Milvus) SetDefaults(kc client.Client) {
 
 	m.SetHealthCheckerDefaults()
 
+	m.SetTLSDefaults()
+
 	if m.Spec.Monitor != nil {
 		if m.Spec.Monitor.Prometheus == nil {
 			m.Spec.Monitor.Prometheus = &mona.PrometheusSpec{}
@@ -371,6 +377,27 @@ func (m *Milvus) SetDefaults(kc client.Client) {
 	}
 }
 
+func (m *Milvus) SetTLSDefaults() {
+	if m.Spec.TLS == nil || m.Spec.TLS.IssuerRef == nil {
+		return
+	}
+
+	if m.Spec.TLS.External == nil {
+		m.Spec.TLS.External = &ProtocolTLSConfig{
+			Mode: TLSModeDisabled,
+		}
+	}
+
+	if m.Spec.TLS.Internal == nil {
+		m.Spec.TLS.Internal = &ProtocolTLSConfig{
+			Mode: TLSModeDisabled,
+		}
+	}
+
+	m.Spec.TLS.Certificates = kmapi.SetMissingSecretNameForCertificate(m.Spec.TLS.Certificates, string(MilvusCertificateTypeServer), m.CertificateName(MilvusCertificateTypeServer))
+	m.Spec.TLS.Certificates = kmapi.SetMissingSecretNameForCertificate(m.Spec.TLS.Certificates, string(MilvusCertificateTypeClient), m.CertificateName(MilvusCertificateTypeClient))
+}
+
 func (m *Milvus) setMetaStorageDefaults() {
 	if m.Spec.MetaStorage == nil {
 		m.Spec.MetaStorage = &MetaStorageSpec{}
@@ -508,3 +535,17 @@ func (m milvusStatsService) TLSConfig() *promapi.TLSConfig {
 func (m Milvus) StatsService() mona.StatsAccessor {
 	return &milvusStatsService{&m}
 }
+
+func (m *Milvus) GetCertSecretName(alias MilvusCertificateType) string {
+	if m.Spec.TLS != nil {
+		name, ok := kmapi.GetCertificateSecretName(m.Spec.TLS.Certificates, string(alias))
+		if ok {
+			return name
+		}
+	}
+	return m.CertificateName(alias)
+}
+
+func (m *Milvus) CertificateName(alias MilvusCertificateType) string {
+	return meta_util.NameWithSuffix(m.Name, fmt.Sprintf("%s-cert", string(alias)))
+}
diff --git a/apis/kubedb/v1alpha2/milvus_types.go b/apis/kubedb/v1alpha2/milvus_types.go
@@ -42,7 +42,6 @@ type MilvusMode string
 // +kubebuilder:object:root=true
 // +kubebuilder:subresource:status
 // +kubebuilder:resource:path=milvuses,singular=milvus,shortName=mv,categories={datastore,kubedb,appscode,all}
-
 // +kubebuilder:printcolumn:name="Version",type="string",JSONPath=".spec.version"
 // +kubebuilder:printcolumn:name="Status",type="string",JSONPath=".status.phase"
 // +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp"
@@ -113,8 +112,32 @@ type MilvusSpec struct {
 	// Monitor is used monitor database instance
 	// +optional
 	Monitor *mona.AgentSpec `json:"monitor,omitempty"`
+
+	// TLS contains tls configurations
+	// +optional
+	TLS *MilvusTLSConfig `json:"tls,omitempty"`
 }
 
+type MilvusTLSConfig struct {
+	kmapi.TLSConfig `json:",inline"`
+
+	// External controls TLS for client-facing traffic (gRPC + REST).
+	// +optional
+	External *ProtocolTLSConfig `json:"external,omitempty"`
+
+	// Internal enables TLS for inter-component communication (one-way only)
+	// +optional
+	Internal *ProtocolTLSConfig `json:"internal,omitempty"`
+}
+
+// +kubebuilder:validation:Enum=server;client
+type MilvusCertificateType string
+
+const (
+	MilvusCertificateTypeServer MilvusCertificateType = "server"
+	MilvusCertificateTypeClient MilvusCertificateType = "client"
+)
+
 type MilvusTopology struct {
 	// If set to -
 	// "Standalone", Milvus will start a Standalone Mode

diff --git a/apis/kubedb/v1alpha2/neo4j_types.go b/apis/kubedb/v1alpha2/neo4j_types.go
@@ -117,20 +117,6 @@ type Neo4jTLSConfig struct {
 	KeystoreCredSecret *SecretReference `json:"keystoreCredSecret,omitempty"`
 }
 
-type TLSMode string
-
-const (
-	TLSModeDisabled TLSMode = "Disabled"
-	TLSModeTLS      TLSMode = "TLS"
-	TLSModeMTLS     TLSMode = "mTLS"
-)
-
-type ProtocolTLSConfig struct {
-	// +kubebuilder:validation:Enum=Disabled;TLS;mTLS
-	// +optional
-	Mode TLSMode `json:"mode,omitempty"`
-}
-
 // Neo4jStatus defines the observed state of Neo4j.
 type Neo4jStatus struct {
 	// Important: Run "make" to regenerate code after modifying this file

diff --git a/apis/kubedb/v1alpha2/openapi_generated.go b/apis/kubedb/v1alpha2/openapi_generated.go
diff --git a/apis/kubedb/v1alpha2/types.go b/apis/kubedb/v1alpha2/types.go
@@ -250,6 +250,19 @@ type Archiver struct {
 	Ref kmapi.ObjectReference `json:"ref"`
 }
 
+type TLSMode string
+
+const (
+	TLSModeDisabled TLSMode = "Disabled"
+	TLSModeTLS      TLSMode = "TLS"
+	TLSModeMTLS     TLSMode = "mTLS"
+)
+
+type ProtocolTLSConfig struct {
+	// +kubebuilder:validation:Enum=Disabled;TLS;mTLS
+	// +optional
+	Mode TLSMode `json:"mode,omitempty"`
+}
 type ArchiverRecovery struct {
 	RecoveryTimestamp metav1.Time `json:"recoveryTimestamp"`
 	// +optional

diff --git a/apis/kubedb/v1alpha2/zz_generated.deepcopy.go b/apis/kubedb/v1alpha2/zz_generated.deepcopy.go
diff --git a/apis/ops/v1alpha1/constant.go b/apis/ops/v1alpha1/constant.go
@@ -409,6 +409,11 @@ const (
 	UpdateCredentialDynamically = "UpdateCredentialDynamically"
 )
 
+// Milvus Constants
+const (
+	UpdateStreamingNodePVCs = "UpdateStreamingNodePVCs"
+)
+
 // SingleStore Constants
 const (
 	UpdateAggregatorNodePVCs = "UpdateAggregatorNodePVCs"