Couchbase Operator Helm Chart Configuration

The official Helm chart for the Couchbase Autonomous Operator comes with a default configuration that can be customized to fit your deployment needs.

This page outlines the design and usage of the official Helm chart for deploying the Couchbase Autonomous Operator and its admission controller. In particular, this page describes the contents of values.yaml, which contains the Couchbase Operator Chart’s default values. Each of the deployed resources is listed and described, along with any available parameterization.

For instructions on how to install the chart, including how to customize the chart’s values, see Helm Guide for the Couchbase Operator.

All available configuration parameters for the Operator Chart
rbac:
  create: true
  apiVersion: v1beta1
  clusterRoleAccess: true
  couchbaseServiceAccountName:
  admissionServiceAccountName:

deployments:
  couchbaseOperator: true
  admissionController: true

couchbaseOperator:
  name: "couchbase-operator"
  image:
    repository: couchbase/operator
    tag: 1.2.0
  imagePullPolicy: IfNotPresent
  imagePullSecrets: []
  commandArgs:
    create-crd: true
  readinessProbe:
    initialDelaySeconds: 3
    periodSeconds: 3
    failureThreshold: 19
    port: 8080
  resources:
    cpu: 100m
    memory: 128Mi
  nodeSelector: {}
  tolerations: []

admissionController:
  name: "couchbase-admission-controller"
  image:
    repository: couchbase/admission-controller
    tag: 1.2.0
  imagePullPolicy: IfNotPresent
  imagePullSecrets: []
  verboseLogging: true

admissionService:
  create: true
  name:
  port: 443
  targetPort: 8443

admissionCA:
  create: true
  cert:
  key:
  expiration: 365

admissionSecret:
  create: true
  name:
  cert:
  key:

About Resource Names

All resources/objects created by the Couchbase Operator Chart adhere to the following naming scheme: <release-name>-<deployment-name>

The following table includes some examples of resources that the chart creates, along with their names:

Table 1. Examples of Helm Resource Names

Resource/Object                        Name                                       Example
Helm release                           <release-name>                             intent-tortoise
Operator deployment                    <release-name>-couchbaseOperator.name      intent-tortoise-couchbase-operator
Admission controller service account   <release-name>-admissionController.name    intent-tortoise-couchbase-admission-controller

Specifying Your Own Resources

The chart allows you to override certain resources (such as service accounts and TLS certificates) with ones that you’ve already created. In this case, the names of the resources are determined by you and not the chart, and therefore do not adhere to the naming scheme described in the previous section. Just make sure to appropriately specify those resources when you install the chart.

rbac

rbac:
  create: true
  apiVersion: v1beta1
  clusterRoleAccess: true
  couchbaseServiceAccountName:
  admissionServiceAccountName:

The Couchbase Operator Chart installs RBAC roles for both the Operator and admission controller. Helm’s Tiller service must have the appropriate permissions to create the required level of RBAC roles to support your deployment. Refer to the Tiller installation instructions to be sure that you’ve set up Helm to support your deployment’s RBAC requirements.

The Couchbase Operator Chart also deploys Kubernetes service accounts for both the Operator and the admission controller. (Service accounts are required for the Operator and admission controller to exist.)

create

This field specifies whether or not RBAC rules will be created. This parameter should generally be set to true, since it’s recommended that you let the chart configure RBAC automatically. However, you can set this parameter to false if you’ve already configured RBAC rules for the Operator and admission controller.

If create is set to false, then you’ll need to create service accounts for both the Operator and the admission controller. You would then need to specify those service account names in rbac.couchbaseServiceAccountName and rbac.admissionServiceAccountName, respectively.

Field Rules:

The create field defaults to true if not specified.

apiVersion

This field specifies the Kubernetes API version to use for creating RBAC resources.

Field Rules:

The apiVersion field defaults to v1beta1 if not specified. Supported values follow Kubernetes API versioning.

clusterRoleAccess

This field specifies whether or not the Operator should be given access to resources in the entire Kubernetes cluster, or restricted to just its namespace.

Setting clusterRoleAccess to false is recommended for production.

When clusterRoleAccess is set to false, the Operator will not be able to create the CustomResourceDefinition (CRD), because the CRD is a cluster-wide resource in Kubernetes. Make sure to manually install the CRD if you set this field to false.

Field Rules:

The clusterRoleAccess value defaults to true if not specified. When set to true, the service account of the Operator gets bound to a cluster role. When set to false, the service account is bound to a standalone (namespaced) role. This field does not apply to the admission controller, since it requires cluster-wide access.

couchbaseServiceAccountName

This field specifies the name to use as the service account for the Operator.

Field Rules:

If nothing is specified for couchbaseServiceAccountName, then the value defaults to whatever is specified in couchbaseOperator.name. When rbac.create is set to false, you must specify the name of a pre-existing service account that you’ve already manually created. When rbac.create is set to true, you can specify a custom name that the chart will give to the Operator service account.

admissionServiceAccountName

This field specifies the name to use as the service account for the admission controller.

Field Rules:

If nothing is specified for admissionServiceAccountName, then the value defaults to whatever is specified in admissionController.name. When rbac.create is set to false, you must specify the name of a pre-existing service account that you’ve already manually created. When rbac.create is set to true, you can specify a custom name that the chart will give to the admission controller service account.

deployments

deployments:
  couchbaseOperator: true
  admissionController: true

The Couchbase Operator Chart creates two deployments: one for the Operator itself, and one for the admission controller. These fields must be set to true for the Helm chart to function properly.

Field Rules:

The deployments.couchbaseOperator and deployments.admissionController fields are Boolean values that default to true when not specified.

couchbaseOperator

couchbaseOperator:
  name: "couchbase-operator"
  image:
    repository: couchbase/operator
    tag: 1.2.0
  imagePullPolicy: IfNotPresent
  imagePullSecrets: []
  commandArgs:
    create-crd: true
  readinessProbe:
    initialDelaySeconds: 3
    periodSeconds: 3
    failureThreshold: 19
    port: 8080
  resources:
    cpu: 100m
    memory: 128Mi
  nodeSelector: {}
  tolerations: []

The Helm chart deploys the Operator as a Kubernetes Deployment.

name

This field specifies the name of the Operator deployment.

Field Rules:

The name field defaults to couchbase-operator.

image

  image:
    repository: couchbase/operator
    tag: 1.2.0

The repository and tag to use for pulling the Operator image.

Field Rules:

The image.repository value can refer to any repository. The image.tag field can refer to any version of the Operator image in the repository.

imagePullPolicy

The policy for pulling images from the repository onto hosts.

Field Rules:

The imagePullPolicy value defaults to IfNotPresent, which means that images are only pulled if they’re not present on the Kubernetes node. Values allowed are Always, IfNotPresent, and Never.

imagePullSecrets

An optional list referencing secrets to use for pulling the image.

Field Rules:

The imagePullSecrets value is a list which is not set by default. Refer to the Operator documentation about creating pull secrets. When using the Helm CLI to override pull secrets, the list should be denoted as a comma-delimited list within curly braces:

helm install --set couchbaseOperator.imagePullSecrets={pullsecret1,pullsecret2} couchbase/couchbase-operator

commandArgs

This spec allows you to specify command line arguments to pass on to the Operator.

Field Rules:

The commandArgs value is a key-value map of arguments that modify the behavior of the Operator image. The create-crd argument is set to true by default, which means that the Operator will attempt to create the CRD if it doesn’t already exist.

If you have not given the Operator cluster-wide privileges (rbac.clusterRoleAccess set to false), then create-crd: true will fail if you have not manually deployed the CRD. Refer to the production deployment documentation for information about manually creating the CRD.
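The rbac.clusterRoleAccess and commandArgs.create-crd settings belong together in a namespace-scoped production install. The script below is an added example, not part of the chart or its documentation: it writes such an override, installs the chart, and then checks that the Operator's service account really cannot touch cluster-wide resources. It assumes Helm 2 CLI syntax as used on this page, a release called "cb" in namespace "couchbase", that the Operator service account follows the page's naming scheme (<release-name>-<couchbaseOperator.name>), and a placeholder path for the CRD manifest.

```shell
#!/bin/sh
# Added example, not part of the chart or its documentation. Writes a
# namespace-scoped production override (rbac.clusterRoleAccess=false and
# create-crd=false, which belong together) and checks the resulting RBAC.
# Assumptions: Helm 2 CLI syntax as used on this page; release "cb" in
# namespace "couchbase"; the CRD manifest path is a placeholder.
set -eu

# Write the values override to file $1.
write_prod_values() {
  cat > "$1" <<'EOF'
rbac:
  create: true
  clusterRoleAccess: false      # bind the Operator to a namespaced Role only
couchbaseOperator:
  imagePullSecrets:
    - registry-pull-secret      # constructed name; use your own pull secret
  commandArgs:
    create-crd: false           # CRD is cluster-wide, so install it out of band
admissionController:
  verboseLogging: false
EOF
}

# Service account the chart derives for the Operator: rbac.couchbaseServiceAccountName
# if set, otherwise the page's naming scheme <release-name>-<couchbaseOperator.name>.
operator_service_account() {
  release="$1"; override="${2:-}"
  if [ -n "$override" ]; then echo "$override"; else echo "$release-couchbase-operator"; fi
}

# Install the CRD and the chart, then confirm the Operator's service account
# cannot create CRDs (which a cluster-role binding would allow).
install_and_check() {
  ns="$1"; release="$2"; values="$3"
  kubectl apply -f /path/to/couchbase-crd.yaml   # PLACEHOLDER: your CRD manifest
  helm install --namespace "$ns" --name "$release" -f "$values" couchbase/couchbase-operator
  sa="system:serviceaccount:$ns:$(operator_service_account "$release")"
  if kubectl auth can-i create customresourcedefinitions --as="$sa" >/dev/null 2>&1; then
    echo "WARNING: $sa may create CRDs; the Operator is still cluster-scoped" >&2
    return 1
  fi
  echo "OK: $sa is limited to namespace $ns"
}

# Usage: write_prod_values prod-values.yaml && install_and_check couchbase cb prod-values.yaml
```

The kubectl auth can-i check needs impersonation rights for the caller; it exits non-zero when the service account is denied, which is the expected outcome for a namespaced role.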

readinessProbe

  readinessProbe:
    initialDelaySeconds: 3
    periodSeconds: 3
    failureThreshold: 19
    port: 8080

Configuration of the readiness probe used by Kubernetes to determine whether the Operator pod is ready.

Field Rules:

Refer to the Kubernetes documentation on configuring probes for more information about configuring the readinessProbe values.

resources

  resources:
    cpu: 100m
    memory: 128Mi

Resources for CPU and memory of the Operator pod.

Field Rules:

Refer to the Kubernetes documentation on specifying request limits for more information about configuring the resources values.

admissionController

admissionController:
  name: "couchbase-admission-controller"
  image:
    repository: couchbase/admission-controller
    tag: 1.2.0
  imagePullPolicy: IfNotPresent
  imagePullSecrets: []
  verboseLogging: true

The Helm chart deploys the admission controller as a Kubernetes Deployment.

name

This field specifies the name of the admission controller deployment.

Field Rules:

The name field defaults to couchbase-admission-controller.

image

  image:
    repository: couchbase/admission-controller
    tag: 1.2.0

The repository and tag to use for pulling the admission controller image.

Field Rules:

The image.repository value can refer to any repository. The image.tag field can refer to any version of the admission controller image in the repository.

imagePullPolicy

The policy for pulling images from the repository onto hosts.

Field Rules:

The imagePullPolicy value defaults to IfNotPresent, which means that images are only pulled if they’re not present on the Kubernetes node. Values allowed are Always, IfNotPresent, and Never.

imagePullSecrets

An optional list referencing secrets to use for pulling the image.

Field Rules:

The imagePullSecrets value is a list which is not set by default. Refer to the Operator documentation about creating pull secrets. When using the Helm CLI to override pull secrets, the list should be denoted as a comma-delimited list within curly braces:

helm install --set admissionController.imagePullSecrets={pullsecret1,pullsecret2} couchbase/couchbase-operator

verboseLogging

Determines whether the admission controller should log all of its validation notices within the console.

Field Rules:

The verboseLogging field is a boolean value that is set to true by default. When set to false, only validation errors are logged within the pod’s console.

admissionService

admissionService:
  create: true
  name:
  port: 443
  targetPort: 8443

The admission service is used by the webhooks to access the admission operator. Certificates are auto-generated for this service whenever this object is enabled.

create

Value to determine if the admission service should be created. To create a service with your own certificates, set admissionService.create to false and provide the name of your service in admissionService.name.

Field Rules:

The create field is a boolean value that is set to true by default. When set to false, you must specify the name of a pre-existing service in admissionService.name that you’ve already manually created.

name

Name of the admission service.

Field Rules:

The name value defaults to whatever is specified in admissionController.name.

port

Port exposed by the admission service to the validation webhooks.

targetPort

Port of the admission controller targeted by the admission Service.

admissionCA

admissionCA:
  create: true
  cert:
  key:
  expiration: 365

The admissionCA spec specifies the CA certificates that are applied to validating webhooks.

By default, the CA certificate and key are auto-generated. The following example shows how to use a self-signed certificate:

  1. Create Certificates

    Use openssl to create myCA.key and myCA.pem in your current directory:

    openssl genrsa -out myCA.key 2048
    openssl req -x509 -new -nodes -key myCA.key -sha256 -days 1825 -outform PEM -out myCA.pem
  2. Install the chart with certificates

    Use --set-file to import the files from your current directory:

    helm install  --set-file admissionCA.cert=myCA.pem \
                  --set-file admissionCA.key=myCA.key \
                  couchbase/couchbase-operator

Refer to the TLS documentation for manually creating certificates and keys that can be used to override the autogenerated secret.

create

This value determines whether the chart should create the CA certificate. When set to false, you will need to provide values for cert and key to use as overrides.

Field Rules:

The create field is a boolean value that is set to true by default.

cert

The PEM format CA certificate.

Field Rules:

The cert value defaults to an auto-generated CA certificate.

key

The PEM format CA key.

Field Rules:

The key value defaults to an auto-generated CA key.

expiration

Expiration of CA certificate in days.

Field Rules:

The expiration value defaults to 365 days.

admissionSecret

admissionSecret:
  create: true
  name:
  cert:
  key:

The admissionSecret spec specifies the secret for the admission controller to use for validating cluster specs securely over the admission service.

To use a custom secret, you will also need to provide the CA that was used to generate the certificates and keys within the secret. The following example shows how to use a self-signed CA and client:

  1. Create CA and client certificates

    Use easyrsa to build a CA and a signed certificate for the admission controller with the DNS name cb-example.default.svc:

    ./easyrsa build-ca nopass
    ./easyrsa --subject-alt-name=DNS:cb-example.default.svc build-server-full admission-controller nopass
  2. Install chart with client certificates

    Install the chart with the custom certificates, and be sure to set admissionService.name to the DNS name used in the certificate.

    This example also sets the --namespace default option, since the namespace is also part of the DNS name of the certificate we created:

    helm install  --namespace ci-testcluster \
                  --set admissionService.name=ci-testcluster \
                  --set-file admissionCA.cert=/home/ubuntu/easy-rsa/easyrsa3/pki/ca.crt \
                  --set-file admissionCA.key=/home/ubuntu/easy-rsa/easyrsa3/pki/private/ca.key \
                  --set-file admissionSecret.cert=/home/ubuntu/easy-rsa/easyrsa3/pki/issued/admission-controller.crt \
                  --set-file admissionSecret.key=/home/ubuntu/easy-rsa/easyrsa3/pki/private/admission-controller.key \
                  couchbase/couchbase-operator
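The admissionCA and admissionSecret examples above both hinge on one detail: the admission controller's certificate must carry the in-cluster DNS name of the admission service (<admissionService.name>.<namespace>.svc) as a SAN, or the API server will refuse the webhook's TLS handshake. The script below is an added example, not from the chart or its documentation: it builds the CA and serving certificate with openssl, verifies the chain and the SAN before anything is installed, and then passes the files to the chart. Constructed values: release "cb", namespace "couchbase", admissionService.name "cb-admission"; Helm 2 syntax as used on this page.

```shell
#!/bin/sh
# Added example, not from the chart or its documentation. Builds a CA and an
# admission controller serving certificate with openssl, verifies the chain
# and the SAN, then passes them to the chart. Constructed values: release "cb",
# namespace "couchbase", admissionService.name "cb-admission", so the service
# DNS name the API server connects to is cb-admission.couchbase.svc.
set -eu

# Create ca.key, ca.pem, admission.key and admission.pem in directory $1 for
# the service DNS name $2. The SAN must match the in-cluster service name or
# the API server refuses the webhook's TLS handshake.
make_admission_certs() {
  dir="$1"; dns="$2"
  openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
  openssl req -x509 -new -nodes -key "$dir/ca.key" -sha256 -days 365 \
    -subj "/CN=couchbase-admission-ca" -out "$dir/ca.pem" 2>/dev/null
  openssl req -new -nodes -newkey rsa:2048 -keyout "$dir/admission.key" \
    -subj "/CN=$dns" -out "$dir/admission.csr" 2>/dev/null
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$dns" > "$dir/san.cnf"
  openssl x509 -req -in "$dir/admission.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 365 -sha256 -extfile "$dir/san.cnf" \
    -out "$dir/admission.pem" 2>/dev/null
}

# Print "ok" if admission.pem chains to ca.pem and carries DNS:$2 in its SAN;
# otherwise return 1 (the chart would accept the files, the API server would not).
verify_admission_certs() {
  dir="$1"; dns="$2"
  openssl verify -CAfile "$dir/ca.pem" "$dir/admission.pem" >/dev/null 2>&1 || return 1
  openssl x509 -in "$dir/admission.pem" -noout -text 2>/dev/null \
    | grep -q "DNS:$dns" || return 1
  echo ok
}

# Hand the verified files to the chart (Helm 2 syntax as used on this page);
# admissionService.name is set explicitly so it matches the certificate's SAN.
install_with_certs() {
  dir="$1"; ns="$2"; release="$3"; svc="$4"
  verify_admission_certs "$dir" "$svc.$ns.svc" >/dev/null
  helm install --namespace "$ns" --name "$release" \
    --set admissionService.name="$svc" \
    --set-file admissionCA.cert="$dir/ca.pem" --set-file admissionCA.key="$dir/ca.key" \
    --set-file admissionSecret.cert="$dir/admission.pem" \
    --set-file admissionSecret.key="$dir/admission.key" \
    couchbase/couchbase-operator
}

# Usage: make_admission_certs ./pki cb-admission.couchbase.svc && install_with_certs ./pki couchbase cb cb-admission
```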

create

This value determines whether the chart should create the secret used by the admission controller.

Field Rules:

The admissionSecret.create field is a boolean value that defaults to true. When set to false, you must provide the name of a pre-existing secret (containing the certificate and key) in admissionSecret.name.

name

This value is the name of the secret that contains the certificates for the admission operator. This value must refer to a native Kubernetes secret that contains values for the TLS cert and key.

Field Rules:

The admissionSecret.name value defaults to the name of the admission controller deployment.

cert

PEM format certificate to use as the admission controller’s public key during validation.

Field Rules:

The admissionSecret.cert value is auto-generated by default from admissionCA.

key

PEM format key to use as the admission controller’s private key during validation.

Field Rules:

The admissionSecret.key value is auto-generated by default from admissionCA.