Couchbase Operator Helm Chart Configuration

    The official Helm chart for the Couchbase Autonomous Operator comes with a default configuration that can be customized to fit your deployment needs.

    This page outlines the design and usage of the official Helm chart for deploying the Couchbase Autonomous Operator and its admission controller. In particular, this page describes the contents of values.yaml, which contains the Couchbase Operator Chart’s default values. Each of the deployed resources is listed and described, along with any available parameterization.

    For instructions on how to install the chart, including how to customize the chart’s values, see Helm Guide for the Couchbase Operator.

    All available configuration parameters for the Operator Chart
    rbac:
      create: true
      apiVersion: v1beta1
      clusterRoleAccess: true
      couchbaseServiceAccountName:
      admissionServiceAccountName:
    
    deployments:
      couchbaseOperator: true
      admissionController: true
    
    couchbaseOperator:
      name: "couchbase-operator"
      image:
        repository: couchbase/operator
        tag: 1.2.2
      imagePullPolicy: IfNotPresent
      imagePullSecrets: []
      commandArgs:
        create-crd: true
      readinessProbe:
        initialDelaySeconds: 3
        periodSeconds: 3
        failureThreshold: 19
        port: 8080
      resources:
        cpu: 100m
        memory: 128Mi
      nodeSelector: {}
      tolerations: []
    
    admissionController:
      name: "couchbase-admission-controller"
      image:
        repository: couchbase/admission-controller
        tag: 1.2.2
      imagePullPolicy: IfNotPresent
      imagePullSecrets: []
      verboseLogging: true
    
    admissionService:
      create: true
      name:
      port: 443
      targetPort: 8443
    
    admissionCA:
      create: true
      cert:
      key:
      expiration: 365
    
    admissionSecret:
      create: true
      name:
      cert:
      key:

    About Resource Names

    All resources/objects created by the Couchbase Operator Chart adhere to the following naming scheme: <release-name>-<deployment-name>

    The following table includes some examples of resources that the chart creates, along with their names:

    Table 1. Examples of Helm Resource Names

    Resource/Object                       Name                                     Example
    Helm release                          <release-name>                           intent-tortoise
    Operator deployment                   <release-name>-couchbaseOperator.name    intent-tortoise-couchbase-operator
    Admission controller service account  <release-name>-admissionController.name  intent-tortoise-couchbase-admission-controller

    Specifying Your Own Resources

    The chart allows you to override certain resources (such as service accounts and TLS certificates) with ones that you’ve already created. In this case, the names of the resources are determined by you and not the chart, and therefore do not adhere to the naming scheme described in the previous section. Just make sure to appropriately specify those resources when you install the chart.

    rbac

    rbac:
      create: true
      apiVersion: v1beta1
      clusterRoleAccess: true
      couchbaseServiceAccountName:
      admissionServiceAccountName:

    The Couchbase Operator Chart installs RBAC roles for both the Operator and admission controller. Helm’s Tiller service must have the appropriate permissions to create the required level of RBAC roles to support your deployment. Refer to the Tiller installation instructions to be sure that you’ve set up Helm to support your deployment’s RBAC requirements.

    The Couchbase Operator Chart also deploys Kubernetes service accounts for both the Operator and the admission controller. (Service accounts are required for the Operator and admission controller to exist.)

    create

    This field specifies whether or not RBAC rules will be created. This parameter should generally be set to true, since it’s recommended that you let the chart configure RBAC automatically. However, you can set this parameter to false if you’ve already configured RBAC rules for the Operator and admission controller.

    If create is set to false, then you’ll need to create service accounts for both the Operator and the admission controller. You would then need to specify those service account names in rbac.couchbaseServiceAccountName and rbac.admissionServiceAccountName, respectively.

    Field Rules:

    The create field defaults to true if not specified.

    apiVersion

    This field specifies the Kubernetes API version to use for creating RBAC resources.

    Field Rules:

    The apiVersion field defaults to v1beta1 if not specified. Supported values follow Kubernetes API versioning.

    clusterRoleAccess

    This field specifies whether or not the Operator should be given access to resources in the entire Kubernetes cluster, or restricted to just its namespace.

    Setting clusterRoleAccess to false is recommended for production.

    When clusterRoleAccess is set to false, the Operator will not be able to create the CustomResourceDefinition (CRD), because the CRD is a cluster-wide resource in Kubernetes. Make sure to manually install the CRD if you set this field to false.

    Field Rules:

    The clusterRoleAccess value defaults to true if not specified. When set to true, the service account of the Operator gets bound to a cluster role. When set to false, the service account is bound to a namespaced role. This field does not apply to the admission controller, since it requires cluster-wide access.

    couchbaseServiceAccountName

    This field specifies the name to use as the service account for the Operator.

    Field Rules:

    If nothing is specified for couchbaseServiceAccountName, then the value defaults to whatever is specified in couchbaseOperator.name. When rbac.create is set to false, you must specify the name of a pre-existing service account that you’ve already manually created. When rbac.create is set to true, you can specify a custom name that the chart will give to the Operator service account.

    admissionServiceAccountName

    This field specifies the name to use as the service account for the admission controller.

    Field Rules:

    If nothing is specified for admissionServiceAccountName, then the value defaults to whatever is specified in admissionController.name. When rbac.create is set to false, you must specify the name of a pre-existing service account that you’ve already manually created. When rbac.create is set to true, you can specify a custom name that the chart will give to the admission controller service account.

    deployments

    deployments:
      couchbaseOperator: true
      admissionController: true

    The Couchbase Operator Chart creates two deployments: one for the Operator itself, and one for the admission controller. Both fields must be set to true for the Helm chart to function properly.

    Field Rules:

    The deployments.couchbaseOperator and deployments.admissionController fields are Boolean values that default to true when not specified.

    couchbaseOperator

    couchbaseOperator:
      name: "couchbase-operator"
      image:
        repository: couchbase/operator
        tag: 1.2.2
      imagePullPolicy: IfNotPresent
      imagePullSecrets: []
      commandArgs:
        create-crd: true
      readinessProbe:
        initialDelaySeconds: 3
        periodSeconds: 3
        failureThreshold: 19
        port: 8080
      resources:
        cpu: 100m
        memory: 128Mi
      nodeSelector: {}
      tolerations: []

    The Helm chart deploys the Operator as a Kubernetes Deployment.

    name

    This field specifies the name of the Operator deployment.

    Field Rules:

    The name field defaults to couchbase-operator.

    image

      image:
        repository: couchbase/operator
        tag: 1.2.2

    The repository and tag to use for pulling the Operator image.

    Field Rules:

    The image.repository value can refer to any repository. The image.tag field can refer to any version of the Operator image in the repository.

    imagePullPolicy

    The policy for pulling images from the repository onto hosts.

    Field Rules:

    The imagePullPolicy value defaults to IfNotPresent, which means that images are only pulled if they’re not present on the Kubernetes node. Values allowed are Always, IfNotPresent, and Never.

    imagePullSecrets

    An optional list referencing secrets to use for pulling the image.

    Field Rules:

    The imagePullSecrets value is a list which is not set by default. Refer to the Operator documentation about creating pull secrets. When using the Helm CLI to override pull secrets, the list is written as a comma-delimited list within curly braces:

    helm install --set couchbaseOperator.imagePullSecrets={pullsecret1,pullsecret2} couchbase/couchbase-operator

    commandArgs

    This spec allows you to specify command line arguments to pass on to the Operator.

    Field Rules:

    The commandArgs value is a key-value map of arguments that modify the behavior of the Operator image. The create-crd argument (passed to the Operator as -create-crd) is set to true by default, which means that the Operator will attempt to create the CRD if it doesn’t already exist.

    If you have not given the Operator cluster-wide privileges (rbac.clusterRoleAccess set to false), then create-crd: true will fail unless you have manually deployed the CRD. Refer to the production deployment documentation for information about manually creating the CRD.

    readinessProbe

      readinessProbe:
        initialDelaySeconds: 3
        periodSeconds: 3
        failureThreshold: 19
        port: 8080

    Configuration of the readiness probe used by Kubernetes to determine whether the Operator pod is ready.

    Field Rules:

    Refer to the Kubernetes documentation on configuring probes for more information about configuring the readinessProbe values.

    resources

      resources:
        cpu: 100m
        memory: 128Mi

    Resources for CPU and memory of the Operator pod.

    Field Rules:

    Refer to the Kubernetes documentation on specifying request limits for more information about configuring the resources values.

    admissionController

    admissionController:
      name: "couchbase-admission-controller"
      image:
        repository: couchbase/admission-controller
        tag: 1.2.2
      imagePullPolicy: IfNotPresent
      imagePullSecrets: []
      verboseLogging: true

    The Helm chart deploys the admission controller as a Kubernetes Deployment.

    name

    This field specifies the name of the admission controller deployment.

    Field Rules:

    The name field defaults to couchbase-admission-controller.

    image

      image:
        repository: couchbase/admission-controller
        tag: 1.2.2

    The repository and tag to use for pulling the admission controller image.

    Field Rules:

    The image.repository value can refer to any repository. The image.tag field can refer to any version of the admission controller image in the repository.

    imagePullPolicy

    The policy for pulling images from the repository onto hosts.

    Field Rules:

    The imagePullPolicy value defaults to IfNotPresent, which means that images are only pulled if they’re not present on the Kubernetes node. Values allowed are Always, IfNotPresent, and Never.

    imagePullSecrets

    An optional list referencing secrets to use for pulling the image.

    Field Rules:

    The imagePullSecrets value is a list which is not set by default. Refer to the Operator documentation about creating pull secrets. When using the Helm CLI to override pull secrets, the list is written as a comma-delimited list within curly braces:

    helm install --set admissionController.imagePullSecrets={pullsecret1,pullsecret2} couchbase/couchbase-operator

    verboseLogging

    Determines whether the admission controller should log all of its validation notices within the console.

    Field Rules:

    The verboseLogging field is a boolean value that is set to true by default. When set to false, only validation errors are logged within the pod’s console.

    admissionService

    admissionService:
      create: true
      name:
      port: 443
      targetPort: 8443

    The admission service is the Kubernetes Service through which the validating webhooks reach the admission controller. Certificates are auto-generated for this service whenever this object is enabled.

    create

    Value to determine if the admission service should be created. To use a service you created yourself, with your own certificates, set admissionService.create to false and provide the name of your service in admissionService.name.

    Field Rules:

    The create field is a boolean value that is set to true by default. When set to false, you must specify in admissionService.name the name of a pre-existing service that you’ve already manually created.

    name

    Name of the admission service.

    port

    Port exposed by the admission service to the validation webhooks.

    targetPort

    Port of the admission controller targeted by the admission Service.

    Field Rules:

    The admissionService.name value defaults to whatever is specified in admissionController.name.

    admissionCA

    admissionCA:
      create: true
      cert:
      key:
      expiration: 365

    The admissionCA spec specifies the CA certificates that are applied to validating webhooks.

    By default, the CA certificate and key are auto-generated. The following example shows how to use your own self-signed CA certificate instead:

    1. Create Certificates

      Use openssl to create myCA.key and myCA.pem in your current directory:

      openssl genrsa -out myCA.key 2048
      openssl req -x509 -new -nodes -key myCA.key -sha256 -days 1825 -outform PEM -out myCA.pem
    2. Install the chart with certificates

      Use --set-file to import the files from your current directory:

      helm install  --set-file admissionCA.cert=myCA.pem \
                    --set-file admissionCA.key=myCA.key \
                    couchbase/couchbase-operator

    Refer to the TLS documentation for manually creating certificates and keys that can be used to override the autogenerated secret.

    create

    This value determines whether the chart should create the CA certificate. When set to false, you will need to provide values for cert and key to use as overrides.

    Field Rules:

    The create field is a boolean value that is set to true by default.

    cert

    The PEM format CA certificate.

    Field Rules:

    The cert value defaults to an auto-generated CA certificate.

    key

    The PEM format CA key.

    Field Rules:

    The key value defaults to an auto-generated CA key.

    expiration

    Expiration of CA certificate in days.

    Field Rules:

    The expiration value defaults to 365 days.

    admissionSecret

    admissionSecret:
      create: true
      name:
      cert:
      key:

    The admissionSecret spec specifies the secret for the admission controller to use for validating cluster specs securely over the admission service.

    To use a custom secret, you will also need to provide the CA that was used to sign the certificate and key within the secret. The following example shows how to use a self-signed CA and a certificate issued by it:

    1. Create CA and client certificates

      Use easyrsa to build a CA and a server certificate signed by it, with the SAN DNS:cb-example.default.svc:

      ./easyrsa build-ca nopass
      ./easyrsa --subject-alt-name=DNS:cb-example.default.svc build-server-full admission-controller nopass
    2. Install chart with client certificates

      Install the chart with the custom certificates, and make sure admissionService.name matches the service name in the certificate’s DNS SAN.

      This example also passes the --namespace option, since the namespace is part of the service’s in-cluster DNS name (<admissionService.name>.<namespace>.svc) and must match the SAN of the certificate you created:

      helm install  --namespace ci-testcluster \
                    --set admissionService.name=ci-testcluster \
                    --set-file admissionCA.cert=/home/ubuntu/easy-rsa/easyrsa3/pki/ca.crt \
                    --set-file admissionCA.key=/home/ubuntu/easy-rsa/easyrsa3/pki/private/ca.key \
                    --set-file admissionSecret.cert=/home/ubuntu/easy-rsa/easyrsa3/pki/issued/admission-controller.crt \
                    --set-file admissionSecret.key=/home/ubuntu/easy-rsa/easyrsa3/pki/private/admission-controller.key \
                    couchbase/couchbase-operator
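    The admissionCA and admissionSecret procedures above generate the CA and the webhook certificate by hand and give no way to confirm that the pair is consistent before it is installed. The following is an added example, not part of the chart or of this page, that does both steps with openssl only: it issues a CA and a server certificate whose SAN is the admission service’s in-cluster DNS name, and verifies that the certificate chains to the CA and carries that SAN before the files go to --set-file. The function names, the CN values, the output directory and the use of openssl 1.1.1+ are assumptions.

```shell
#!/bin/sh
# Added example (not from the Couchbase chart or its docs): build a CA and a
# webhook server certificate with openssl instead of easyrsa, with the SAN
# set to <admissionService.name>.<namespace>.svc, and check the pair before
# handing it to `helm install --set-file`. Assumes openssl 1.1.1+ on PATH.

# make_webhook_certs <service-name> <namespace> <outdir> [days]
# Writes ca.crt/ca.key (for admissionCA.cert/key) and server.crt/server.key
# (for admissionSecret.cert/key) into <outdir>.
make_webhook_certs() {
  svc="$1"; ns="$2"; out="$3"; days="${4:-365}"
  dns="${svc}.${ns}.svc"
  mkdir -p "$out"
  # Own config so the result does not depend on the system openssl.cnf;
  # the CA must carry CA:TRUE or verifiers will not accept it as an issuer.
  cat > "$out/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
[dn]
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -new -nodes -newkey rsa:2048 -sha256 -days "$days" \
    -config "$out/req.cnf" -subj "/CN=admission-webhook-ca" \
    -keyout "$out/ca.key" -out "$out/ca.crt" >/dev/null 2>&1 || return 1
  # Server key and CSR for the admission controller.
  openssl req -new -nodes -newkey rsa:2048 -sha256 -config "$out/req.cnf" \
    -subj "/CN=${dns}" -keyout "$out/server.key" -out "$out/server.csr" \
    >/dev/null 2>&1 || return 1
  # kube-apiserver dials https://<svc>.<ns>.svc and checks the hostname
  # against the SAN list, so the DNS name must be a SAN, not only the CN.
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$dns" \
    > "$out/san.cnf"
  openssl x509 -req -in "$out/server.csr" -CA "$out/ca.crt" \
    -CAkey "$out/ca.key" -CAcreateserial -days "$days" -sha256 \
    -extfile "$out/san.cnf" -out "$out/server.crt" >/dev/null 2>&1
}

# verify_webhook_cert <ca.crt> <server.crt> <service-name> <namespace>
# Succeeds only if server.crt chains to ca.crt AND carries the expected DNS
# SAN; a pair failing either check makes every webhook call fail its TLS
# handshake, so run this before `helm install`.
verify_webhook_cert() {
  ca="$1"; crt="$2"; dns="$3.$4.svc"
  openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 || return 1
  openssl x509 -in "$crt" -noout -text 2>/dev/null | tr ',' '\n' \
    | grep -qx "[[:space:]]*DNS:${dns}"
}
```

    For the chart’s default admission controller name in namespace default, run make_webhook_certs couchbase-admission-controller default pki, then verify_webhook_cert pki/ca.crt pki/server.crt couchbase-admission-controller default, and pass pki/ca.crt, pki/ca.key, pki/server.crt and pki/server.key to --set-file for admissionCA.cert, admissionCA.key, admissionSecret.cert and admissionSecret.key as in the helm install command above.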

    create

    This value determines whether the chart should create the secret used by the admission controller.

    Field Rules:

    The admissionSecret.create field is a boolean value that defaults to true. When set to false, you must provide the name of a pre-existing secret in admissionSecret.name.

    name

    This value is the name of the secret that contains the certificates for the admission controller. It must refer to a native Kubernetes Secret that contains values for the TLS cert and key.

    Field Rules:

    The admissionSecret.name value defaults to the name of the admission controller deployment.

    cert

    PEM format certificate (the admission controller’s public key) presented by the admission controller during validation.

    Field Rules:

    The admissionSecret.cert value is auto-generated by default from admissionCA.

    key

    PEM format key to use as the admission controller’s private key during validation.

    Field Rules:

    The admissionSecret.key value is auto-generated by default from admissionCA.