Couchbase Operator Helm Chart Configuration
The official Helm chart for the Couchbase Autonomous Operator comes with a default configuration that can be customized to fit your deployment needs.
This page outlines the design and usage of the official Helm chart for deploying the Couchbase Autonomous Operator and its admission controller. In particular, this page describes the contents of values.yaml, which contains the Couchbase Operator Chart’s default values. Each of the deployed resources is listed and described, along with any available parameterization.
For instructions on how to install the chart, including how to customize the chart’s values, see Helm Guide for the Couchbase Operator.
```yaml
rbac:
  create: true
  apiVersion: v1beta1
  clusterRoleAccess: true
  couchbaseServiceAccountName:
  admissionServiceAccountName:
deployments:
  couchbaseOperator: true
  admissionController: true
couchbaseOperator:
  name: "couchbase-operator"
  image:
    repository: couchbase/operator
    tag: 1.2.2
  imagePullPolicy: IfNotPresent
  imagePullSecrets: []
  commandArgs:
    create-crd: true
  readinessProbe:
    initialDelaySeconds: 3
    periodSeconds: 3
    failureThreshold: 19
    port: 8080
  resources:
    cpu: 100m
    memory: 128Mi
  nodeSelector: {}
  tolerations: []
admissionController:
  name: "couchbase-admission-controller"
  image:
    repository: couchbase/admission-controller
    tag: 1.2.2
  imagePullPolicy: IfNotPresent
  imagePullSecrets: []
  verboseLogging: true
admissionService:
  create: true
  name:
  port: 443
  targetPort: 8443
admissionCA:
  create: true
  cert:
  key:
  expiration: 365
admissionSecret:
  create: true
  name:
  cert:
  key:
```
About Resource Names
All resources/objects created by the Couchbase Operator Chart adhere to the following naming scheme: <release-name>-<deployment-name>
- <release-name>: This is autogenerated by Helm unless you specify your own name during chart installation.
- <deployment-name>: This is the name of the Operator and admission controller deployments.
  - If the resource is created for the Operator, then <deployment-name> will be whatever is specified in couchbaseOperator.name.
  - If the resource is created for the admission controller, then <deployment-name> will be whatever is specified in admissionController.name.
The following table includes some examples of resources that the chart creates, along with their names:
Resource/Object | Name | Example
---|---|---
Helm release | <release-name> | intent-tortoise
Operator deployment | <release-name>-<couchbaseOperator.name> | intent-tortoise-couchbase-operator
Admission controller service account | <release-name>-<admissionController.name> | intent-tortoise-couchbase-admission-controller
Specifying Your Own Resources
The chart allows you to override certain resources (such as service accounts and TLS certificates) with ones that you’ve already created. In this case, the names of the resources are determined by you and not the chart, and therefore do not adhere to the naming scheme described in the previous section. Just make sure to appropriately specify those resources when you install the chart.
rbac
```yaml
rbac:
  create: true
  apiVersion: v1beta1
  clusterRoleAccess: true
  couchbaseServiceAccountName:
  admissionServiceAccountName:
```
The Couchbase Operator Chart installs RBAC roles for both the Operator and admission controller. Helm’s Tiller service must have the appropriate permissions to create the required level of RBAC roles to support your deployment. Refer to the Tiller installation instructions to be sure that you’ve set up Helm to support your deployment’s RBAC requirements.
The Couchbase Operator Chart also deploys Kubernetes service accounts for both the Operator and the admission controller. (Service accounts are required for the Operator and admission controller to exist.)
create
This field specifies whether or not RBAC rules will be created.
This parameter should generally be set to true, since it's recommended that you let the chart configure RBAC automatically. However, you can set this parameter to false if you've already configured RBAC rules for the Operator and admission controller.
If create is set to false, then you'll need to create service accounts for both the Operator and the admission controller. You would then need to specify those service account names in rbac.couchbaseServiceAccountName and rbac.admissionServiceAccountName, respectively.
apiVersion
This field specifies the Kubernetes API version to use for creating RBAC resources.
clusterRoleAccess
This field specifies whether the Operator should be given access to resources in the entire Kubernetes cluster, or restricted to just its namespace.
Setting clusterRoleAccess to false is recommended for production.
When clusterRoleAccess is set to false, the Operator will not be able to create the CustomResourceDefinition (CRD), because the CRD is a cluster-wide resource in Kubernetes. Make sure to manually install the CRD if you set this field to false.
couchbaseServiceAccountName
This field specifies the name to use as the service account for the Operator.
admissionServiceAccountName
This field specifies the name to use as the service account for the admission controller.
deployments
```yaml
deployments:
  couchbaseOperator: true
  admissionController: true
```
The Couchbase Operator Chart creates two deployments: one for the Operator itself, and one for the admission controller.
These fields must be set to true for the Helm chart to function properly.
couchbaseOperator
```yaml
couchbaseOperator:
  name: "couchbase-operator"
  image:
    repository: couchbase/operator
    tag: 1.2.2
  imagePullPolicy: IfNotPresent
  imagePullSecrets: []
  commandArgs:
    create-crd: true
  readinessProbe:
    initialDelaySeconds: 3
    periodSeconds: 3
    failureThreshold: 19
    port: 8080
  resources:
    cpu: 100m
    memory: 128Mi
  nodeSelector: {}
  tolerations: []
```
The Helm chart deploys the Operator as a Kubernetes Deployment.
name
This field specifies the name of the Operator deployment.
image
```yaml
image:
  repository: couchbase/operator
  tag: 1.2.2
```
The repository and tag to use for pulling the Operator image.
imagePullPolicy
The policy for pulling images from the repository onto hosts.
imagePullSecrets
An optional list referencing secrets to use for pulling the image.
commandArgs
This spec allows you to specify command line arguments to pass on to the Operator.
readinessProbe
```yaml
readinessProbe:
  initialDelaySeconds: 3
  periodSeconds: 3
  failureThreshold: 19
  port: 8080
```
Configuration of the readiness probe used by Kubernetes to determine whether the Operator pod is ready.
Refer to the Kubernetes documentation on configuring probes for more information.
resources
```yaml
resources:
  cpu: 100m
  memory: 128Mi
```
CPU and memory resources for the Operator pod.
Refer to the Kubernetes documentation on specifying request limits for more information.
admissionController
```yaml
admissionController:
  name: "couchbase-admission-controller"
  image:
    repository: couchbase/admission-controller
    tag: 1.2.2
  imagePullPolicy: IfNotPresent
  imagePullSecrets: []
  verboseLogging: true
```
The Helm chart deploys the admission controller as a Kubernetes Deployment.
name
This field specifies the name of the admission controller deployment.
image
```yaml
image:
  repository: couchbase/admission-controller
  tag: 1.2.2
```
The repository and tag to use for pulling the admission controller image.
imagePullPolicy
The policy for pulling images from the repository onto hosts.
imagePullSecrets
An optional list referencing secrets to use for pulling the image.
admissionService
```yaml
admissionService:
  create: true
  name:
  port: 443
  targetPort: 8443
```
The admission service is used by the webhooks to access the admission operator. Certificates are auto-generated for this service whenever this object is enabled.
create
Value to determine whether the admission service should be created.
To create a service with your own certificates, set admissionService.create to false and provide the name of your service in admissionService.name.
targetPort
Port of the admission controller targeted by the admission Service.
admissionCA
```yaml
admissionCA:
  create: true
  cert:
  key:
  expiration: 365
```
The admissionCA spec specifies the CA certificates that are applied to validating webhooks.
By default, the CA certificate and key are auto-generated. The following example shows how to use a self-signed certificate:
- Create Certificates
  Use openssl to create myCA.key and myCA.pem in your current directory:
  ```shell
  openssl genrsa -out myCA.key 2048
  openssl req -x509 -new -nodes -key myCA.key -sha256 -days 1825 -outform PEM -out myCA.pem
  ```
- Install the chart with certificates
  Use --set-file to import the files from your current directory:
  ```shell
  helm install --set-file admissionCA.cert=myCA.pem \
    --set-file admissionCA.key=myCA.key \
    couchbase/couchbase-operator
  ```
Refer to the TLS documentation for manually creating certificates and keys that can be used to override the autogenerated secret.
create
This value determines whether the chart should create the CA certificate.
When set to false, you will need to provide values for cert and key to use as overrides.
admissionSecret
```yaml
admissionSecret:
  create: true
  name:
  cert:
  key:
```
The admissionSecret spec specifies the secret for the admission controller to use for validating cluster specs securely over the admission service.
To use a custom secret, you will also need to provide the CA that was used to generate the certificates and keys within the secret. The following example shows how to use a self-signed CA and client:
- Create CA and client certificates
  Use easyrsa to build a CA and a signed client cert with the DNS name cb-example.default.svc:
  ```shell
  ./easyrsa build-ca nopass
  ./easyrsa --subject-alt-name=DNS:cb-example.default.svc build-server-full admission-controller nopass
  ```
- Install chart with client certificates
  Install the chart with the custom certs and be sure to set admissionService.name to the DNS name. This example also sets the --namespace default option, since this is also included in the DNS name of the cert we created:
  ```shell
  helm install --namespace ci-testcluster \
    --set admissionService.name=ci-testcluster \
    --set-file admissionCA.cert=/home/ubuntu/easy-rsa/easyrsa3/pki/ca.crt \
    --set-file admissionCA.key=/home/ubuntu/easy-rsa/easyrsa3/pki/private/ca.key \
    --set-file admissionSecret.cert=/home/ubuntu/easy-rsa/easyrsa3/pki/issued/admission-controller.crt \
    --set-file admissionSecret.key=/home/ubuntu/easy-rsa/easyrsa3/pki/private/admission-controller.key \
    couchbase/couchbase-operator
  ```
create
This value determines whether the chart should create the secret used by the admission controller.
name
This value is the name of the secret that contains the certificates for the admission controller.
This value must refer to a native Kubernetes secret which contains values for the TLS cert and key.
cert
PEM format certificate to use as the admission controller’s public key during validation.
key
PEM format key to use as the admission controller's private key during validation.
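As an added example (not part of the Couchbase chart or this page), a small Python check of the cross-field rules the page states for rbac, clusterRoleAccess, admissionService, admissionCA and admissionSecret, so a values file can be linted before helm install. The DEFAULT_VALUES dict is a constructed subset of the defaults shown above (what yaml.safe_load would give for values.yaml), and the expected_webhook_dns helper is an assumption derived from the <service>.<namespace>.svc form used in the easyrsa example.

```python
from typing import Any, Dict, List, Tuple

DEFAULT_VALUES: Dict[str, Any] = {  # constructed subset of the chart defaults shown on this page
    "rbac": {"create": True, "clusterRoleAccess": True, "couchbaseServiceAccountName": None, "admissionServiceAccountName": None},
    "couchbaseOperator": {"commandArgs": {"create-crd": True}},
    "admissionService": {"create": True, "name": None, "port": 443, "targetPort": 8443},
    "admissionCA": {"create": True, "cert": None, "key": None, "expiration": 365},
    "admissionSecret": {"create": True, "name": None, "cert": None, "key": None},
}

def _get(values: Dict[str, Any], *path: str) -> Any:
    """Walk a nested dict; a missing key reads as None, like an empty YAML value."""
    cur: Any = values
    for key in path:
        cur = cur.get(key) if isinstance(cur, dict) else None
    return cur

def _blank(v: Any) -> bool:
    return v in (None, "", [])

def check_values(values: Dict[str, Any]) -> List[Tuple[str, str]]:
    """Return (level, message) findings for the cross-field rules stated on this page."""
    out: List[Tuple[str, str]] = []
    if _get(values, "rbac", "create") is False:  # chart will not create service accounts, so names are required
        for f in ("couchbaseServiceAccountName", "admissionServiceAccountName"):
            if _blank(_get(values, "rbac", f)):
                out.append(("error", f"rbac.create is false but rbac.{f} is empty"))
    cluster = _get(values, "rbac", "clusterRoleAccess")
    if cluster is False and _get(values, "couchbaseOperator", "commandArgs", "create-crd") is True:
        out.append(("warning", "rbac.clusterRoleAccess is false: the Operator cannot create the cluster-wide CRD, install it manually"))
    elif cluster is True:
        out.append(("advisory", "rbac.clusterRoleAccess is true; false is recommended for production"))
    if _get(values, "admissionService", "create") is False and _blank(_get(values, "admissionService", "name")):
        out.append(("error", "admissionService.create is false but admissionService.name is empty"))
    if _get(values, "admissionCA", "create") is False:  # overrides must then be supplied
        for f in ("cert", "key"):
            if _blank(_get(values, "admissionCA", f)):
                out.append(("error", f"admissionCA.create is false but admissionCA.{f} is empty"))
    if _get(values, "admissionSecret", "create") is False:
        pair = all(not _blank(_get(values, "admissionSecret", f)) for f in ("cert", "key"))
        if _blank(_get(values, "admissionSecret", "name")) and not pair:
            out.append(("error", "admissionSecret.create is false: set admissionSecret.name to an existing TLS secret or supply admissionSecret.cert and admissionSecret.key"))
        if _get(values, "admissionCA", "create") is not False:  # a custom secret needs the CA that signed it
            out.append(("error", "custom admissionSecret requires admissionCA.create=false with admissionCA.cert and admissionCA.key"))
    return out

def expected_webhook_dns(values: Dict[str, Any], namespace: str) -> Any:
    """Assumed DNS SAN a custom admission cert must carry: <admissionService.name>.<namespace>.svc."""
    name = _get(values, "admissionService", "name")
    return None if _blank(name) else f"{name}.{namespace}.svc"
```

Compare the returned DNS name against the subjectAltName of the certificate you pass in admissionSecret.cert before installing.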