Couchbase Helm Chart Specification

The official Couchbase Helm Chart for the Autonomous Operator comes with a default configuration that can be customized to fit your deployment needs.

This page describes the parameters of the official Couchbase Helm Chart. In particular, this page describes the contents of the chart’s values.yaml, which contains the chart’s default values. Each of the deployed resources is listed and described, along with any available parameterization.

For instructions on how to install and use the chart, including how to override and customize the chart’s values, refer to Helm Deployment.

All available configuration parameters in the Couchbase Helm Chart, along with their default values
  # Select what to install
  install:
    # couchbaseOperator is the couchbase-operator deployment
    couchbaseOperator: true
    # admissionController enforces validation
    admissionController: true
    # couchbase cluster
    couchbaseCluster: true
    # sync gateway
    syncGateway: false

  # couchbaseOperator is the controller for couchbase cluster
  couchbaseOperator:
    # name of the couchbase operator
    name: "couchbase-operator"
    # image config
    image:
      repository: couchbase/operator
      tag: 2.0.0
    imagePullPolicy: IfNotPresent
    # imagePullSecrets is an optional list of references to secrets to use for pulling images
    imagePullSecrets: []
    # additional command arguments will be translated to `--key=value`
    commandArgs:
      # pod creation timeout
      pod-create-timeout: 10m
    # resources of couchbase-operator
    resources: {}
    # nodeSelector for couchbase-operator pod assignment
    # Ref: https://kubernetes.io/docs/user-guide/node-selection/
    nodeSelector: {}
    # tolerations of pod match nodes with corresponding taints
    tolerations: []


  # admissionController is the controller for couchbase admission controller
  # name is derived from chart
  admissionController:
    name: "couchbase-admission-controller"
    image:
      repository: couchbase/admission-controller
      tag: 2.0.0
    imagePullPolicy: IfNotPresent
    # imagePullSecrets is an optional list of references to secrets to use for pulling images
    imagePullSecrets: []
    verboseLogging: true

  # admissionService exposes validation to cluster. This service
  # is over https and certs are auto-generated based on serviceName.
  admissionService:
    # name of the service (auto-generated)
    name:
    # port service exposes
    port: 443
    targetPort: 8443

  # admissionCA can be used to override the Certs that will be used
  # to sign the keys used by the admission operator.
  admissionCA:
    # A base64 encoded PEM format certificate
    cert:
    # A base64 encoded PEM format private key
    key:
    # Expiry time of CA in days for generated certs
    expiration: 365

  # secret with client certs mounted within the admission controller.
  admissionSecret:
    # name of the secret (auto-generated)
    name:
    # PEM format certificate (auto-generated)
    # override via --set-file
    cert:
    # PEM format key (auto-generated)
    # override via --set-file
    key:


  # Default values for couchbase-cluster
  cluster:
    # name of the cluster. defaults to name of chart release
    name:
    # image is the base couchbase image and version of the couchbase cluster
    image: "couchbase/server:6.5.0"
    security:
      # username of the cluster admin.
      username: Administrator
      # password of the cluster admin.
      # auto-generated when empty
      password:
      # adminSecret is name of secret to use instead of using
      # the default secret with username and password specified above
      adminSecret:
      rbac:
        managed: true
    # networking options
    networking:
      # Option to expose admin console
      exposeAdminConsole: true
      # Option to expose admin console
      adminConsoleServices:
        - data
      # Specific services to use when exposing ui
      exposedFeatures:
        - client
        - xdcr
      # Defines how the admin console service is exposed.
      # Allowed values are NodePort and LoadBalancer.
      # If this field is LoadBalancer then you must also define a spec.dns.domain.
      adminConsoleServiceType: NodePort
      # Defines how the per Couchbase node ports are exposed.
      # Allowed values are NodePort and LoadBalancer.
      # If this field is LoadBalancer then you must also define a spec.dns.domain.
      exposedFeatureServiceType: NodePort
      # The dynamic DNS configuration to use when exposing services
      dns:
      # The Couchbase cluster tls configuration (auto-generated)
      tls:
    # The retention period that log volumes are kept for after their associated pods have been deleted.
    logRetentionTime: 604800s
    # The maximum number of log volumes that can be kept after their associated pods have been deleted.
    logRetentionCount: 20
    # xdcr defines remote clusters and replications to them.
    xdcr:
      # managed defines whether the Operator should manage XDCR remote clusters
      managed: false
      # remoteClusters contains references to any remote clusters to replicate to
      remoteClusters:
    # backup defines values for automated backup.
    backup:
      # managed determines whether Automated Backup is enabled
      managed: true
      # image used by the Operator to perform backup or restore
      image: couchbase/operator-backup:6.5.0
      # optional service account to use when performing backups
      # service account will be created if it does not exist
      serviceAccountName:
    # defines integration with third party monitoring software
    monitoring:
      prometheus:
        # defines whether Prometheus metric collection is enabled
        enabled: false
        # image used by the Operator to perform metric collection
        # (injected as a "sidecar" in each Couchbase Server Pod)
        image: couchbase/prometheus-exporter:1.0.0
        # Optional Kubernetes secret that clients use to access Prometheus metrics
        authorizationSecret:
    # Cluster wide settings for nodes and services
    cluster:
      # The amount of memory that should be allocated to the data service
      dataServiceMemoryQuota: 256Mi
      # The amount of memory that should be allocated to the index service
      indexServiceMemoryQuota: 256Mi
      # The amount of memory that should be allocated to the search service
      searchServiceMemoryQuota: 256Mi
      # The amount of memory that should be allocated to the eventing service
      eventingServiceMemoryQuota: 256Mi
      # The amount of memory that should be allocated to the analytics service
      analyticsServiceMemoryQuota: 1Gi
      # The index storage mode to use for secondary indexing
      indexStorageSetting: memory_optimized
      # Timeout that expires to trigger the auto failover.
      autoFailoverTimeout: 120s
      # The number of failover events we can tolerate
      autoFailoverMaxCount: 3
      # Whether to auto failover if disk issues are detected
      autoFailoverOnDataDiskIssues: true
      # How long to wait for transient errors before failing over a faulty disk
      autoFailoverOnDataDiskIssuesTimePeriod: 120s
      # configuration of global Couchbase auto-compaction settings.
      autoCompaction:
        # amount of fragmentation allowed in persistent database [2-100]
        databaseFragmentationThreshold:
          percent: 30
          size: 1Gi
        # amount of fragmentation allowed in persistent view files [2-100]
        viewFragmentationThreshold:
          percent: 30
          size: 1Gi
        # whether auto-compaction should be performed in parallel
        parallelCompaction: false
        # how frequently tombstones may be purged
        tombstonePurgeInterval: 72h
        # optional window when an auto-compaction may start (uncomment below)
        timeWindow: {}
        # start: 02:00
        # end: 06:00
        # abortCompactionOutsideWindow: true

    # configuration of logging functionality
    # for use in conjunction with logs persistent volume mount
    logging:
      # retention period that log volumes are kept after pods have been deleted
      logRetentionTime: 604800s
      # the maximum number of log volumes that can be kept after pods have been deleted
      logRetentionCount: 20
    # kubernetes security context applied to pods
    securityContext:
      # fsGroup of persistent volume mount
      fsGroup: 1000
    # cluster buckets
    buckets:
      # Managed defines whether buckets are managed by us or the clients.
      managed: true
    servers:
      # Name for the server configuration. It must be unique.
      default:
        # Size of the couchbase cluster.
        size: 3
        # The services to run on nodes
        services:
          - data
          - index
          - query
          - search
          - analytics
          - eventing
        # volume claims to use for persistent storage
        volumeMounts: {}
        # ServerGroups define the set of availability zones we want to distribute pods over.
        serverGroups: []
        # Pod defines the policy to create pod for the couchbase pod.
        pod:
          spec:
            containers:
    # VolumeClaimTemplates define the desired characteristics of a volume
    # that can be requested and claimed by a pod.
    volumeClaimTemplates: []

  # couchbase buckets to create
  # disable default bucket creation by setting
  # couchbaseBuckets.default: null
  buckets:
    # A bucket to create by default
    default:
      # Name of the bucket
      name: default
      # The type of bucket to use
      type: couchbase
      # The amount of memory that should be allocated to the bucket
      memoryQuota: 128Mi
      # The number of bucket replicas
      replicas: 1
      # The priority when compared to other buckets
      ioPriority: high
      # The bucket eviction policy which determines behavior during expire and high mem usage
      evictionPolicy: fullEviction
      # The bucket's conflict resolution mechanism; which is to be used if a conflict occurs during Cross Data-Center Replication (XDCR). Sequence-based and timestamp-based mechanisms are supported.
      conflictResolution: seqno
      # The enable flush option denotes whether the data in the bucket can be flushed
      enableFlush: true
      # Enable Index replica specifies whether or not to enable view index replicas for this bucket.
      enableIndexReplica: false
      # data compression mode for the bucket to run in [off, passive, active]
      compressionMode: "passive"

  # RBAC users to create
  # (requires couchbase server 6.5.0 and higher)
  users:
    # creates an example user named 'developer'
    developer:
      # password to use for user authentication
      # (alternatively use authSecret)
      password: password
      # optional secret to use containing user password
      authSecret:
      # roles attributed to group
      roles:
        - name: bucket_admin
          bucket: default

  # TLS Certs that will be used to encrypt traffic between operator and couchbase
  tls:
    # enable to auto create certs
    generate: false
    # Expiry time of CA in days for generated certs
    expiration: 365

  # syncGateway configuration
  syncGateway:
    # name of the sync gateway pod.
    # defaults to name of chart
    name:
    # database config
    config:
      logging:
        console:
          enabled: true
          log_level: "debug"
          log_keys:
          - "*"
      # databases is a list containing
      # bucket replication configs
      databases:
        db:
          # bucket replicated to sync gateway
          bucket: default
          # guest user config
          users:
            GUEST:
              # disable creation of guest user
              disabled: false
              # channels guest user may access.
              # defaults to all channels
              admin_channels: ["*"]
          # server to connect db to, defaults to cluster server
          server:
          # username of db admin, defaults to cluster admin username
          username:
          # password of db admin, defaults to cluster admin password
          password:
          allow_conflicts: false
          revs_limit: 20
          enable_shared_bucket_access: true
    # Type of service to use for exposing Sync Gateway
    # Set as empty string to prevent service creation
    exposeServiceType: ClusterIP
    # image of the sync gateway container
    image:
      repository: couchbase/sync-gateway
      tag: 2.7.0-enterprise
    imagePullPolicy: IfNotPresent
    # Optional secret to use with prepopulated database config
    configSecret:
    # optional ca.cert for tls connection
    # of all databases
    cacert:
    # optional dns config
    dns:
      # name of the Kubernetes service which exposes the nameserver (i.e. coredns)
      service:
      # search list for host-name lookup
      searches:
      - default.svc.cluster.local
      - svc.cluster.local
      - cluster.local

About Resource Names

All resources/objects created by the Couchbase Chart adhere to the following naming scheme: <release-name>-<component-name>

  • <release-name>

    • This is the name of the installed instance.

  • <component-name>

    • This is the name of the Operator, Admission, and Couchbase component.

    • If the resource is created for the Operator, then <component-name> will be whatever is specified in couchbaseOperator.name.

    • If the resource is created for the admission controller, then <component-name> will be whatever is specified in admissionController.name.

    • If the resource is created for the couchbase cluster, then <component-name> will be whatever is specified in cluster.name.

Specifying Your Own Resources

The chart allows you to override certain resources, such as TLS certificates, with ones that you’ve already created. In this case, the names of the resources are determined by you and not the chart, and therefore do not adhere to the naming scheme described in the previous section. Check the specs below for the value you are attempting to override for additional information on what type of resource is expected and how it should be formatted.

Install Values

Installation values for selective deployment of components within the chart.

  # Select what to install
  install:
    # install the couchbase operator
    couchbaseOperator: true
    # install the admission controller
    admissionController: true
    # install couchbase cluster
    couchbaseCluster: true
    # install sync gateway
    syncGateway: false

The Couchbase Chart is capable of installing the Operator, Admission Controller, Couchbase Cluster, and Sync Gateway.

couchbaseOperator

This field specifies whether or not the Couchbase Autonomous Operator will be installed.

Field Rules:

The couchbaseOperator field defaults to true.

admissionController

This field specifies whether or not the Couchbase Admission Controller will be installed.

Field Rules:

The admissionController field defaults to true.

couchbaseCluster

This field specifies whether or not a Couchbase Cluster will be installed.

Field Rules:

The couchbaseCluster field defaults to true.

syncGateway

This field specifies whether or not an instance of the Sync Gateway will be installed.

Field Rules:

The syncGateway field defaults to false.

Couchbase Cluster

The cluster configuration represents the CouchbaseCluster resources to be installed. If install.couchbaseCluster is set to false then the cluster will not be installed.

cluster

  cluster:
    name:
    security:
      username: Administrator
      password:
      adminSecret:

name

The name of the cluster to create.

Value rules: The couchbaseCluster.name value defaults to the name of the chart if not specified. Must be unique from any other clusters in the namespace.

username

The username to use as the cluster admin.

This should only be used for experimental and test clusters. Consider using adminSecret to provide a secret containing your own username and password.

Value rules: The couchbaseCluster.username value is a string set to Administrator by default.

password

The password to use as the cluster admin.

This should only be used for experimental and test clusters. Consider using adminSecret to provide a secret containing your own username and password.

Value rules: The couchbaseCluster.password value is a string that is auto-generated by default.

adminSecret

The secret to use for overriding the auto-generated secret. When specified, the username and password from the secret are used for Administrator login.

Value rules: The couchbaseCluster.adminSecret value is the name of a Kubernetes Secret and is not set by default.

Persistent Volumes

The best way to create a cluster with persistent volumes is to make a custom value file. The following example shows how volumeMounts can be added to create a persistent cluster.

Create a file named values-persistent.yaml with the following values:

cluster:
  servers:
    default:
      pod:
        volumeMounts:
          default: couchbase
          data: couchbase
  securityContext:
    fsGroup: 1000
  volumeClaimTemplates:
    - metadata:
        name: couchbase
      spec:
        storageClassName: "default"
        resources:
          requests:
            storage: 1Gi

Install the cluster chart using the custom value file:

helm install my-release -f values-persistent.yaml couchbase/couchbase-cluster

additional values

All of the remaining values which can be overridden in this spec are described here in the Couchbase Cluster Config documentation.

TLS

Certificates can be auto-generated or overridden by user-supplied certs. Because Couchbase certs are represented as plain Kubernetes secrets, the secret itself can also be overridden.

tls:
  generate: false
  expiration: 365

generate

This value determines whether the chart should create the cluster with TLS.

Value rules: The tls.generate value is a boolean which defaults to false. When set to true, all of the certs and keys required for TLS will be auto-generated unless manually specified. When the value is false, certs are not generated, but manual Secrets can be provided by overriding cluster.networking.tls.

expiration

Expiration of CA in days

Value rules: The couchbaseTLS.expiration defaults to 365 days.

Custom TLS

Create a cluster with auto-generated TLS certs:

helm install my-release --set tls.generate=true couchbase/couchbase-cluster

Use manually created secrets. Create a file named tls_values.yaml with the following custom override values for the Couchbase Chart:

cluster:
  networking:
    tls:
      static:
        operatorSecret: tls-operator-secret
        serverSecret: my-tls-server-secret

Install the chart using the custom value file:

helm install my-release -f tls_values.yaml couchbase/couchbase-cluster

Buckets

The buckets configuration represents CouchbaseBucket resources to be installed by the cluster. Buckets are installed whenever install.couchbaseCluster is set to true.

buckets:
  default:
    name: default
    type: couchbase

Buckets are automatically provisioned with label selectors matching the corresponding Couchbase cluster.

name

This value determines the name of the bucket to create.

Value rules: The bucket.name value is a string. This value is optional and when not set, the name of the object key is used instead.

additional values

All of the remaining values which can be overridden in this spec are described here in the Couchbase Cluster Config documentation.

Users

The users configuration represents CouchbaseUser, CouchbaseGroup, and CouchbaseRoleBinding resources to be installed by the cluster. Users are installed whenever install.couchbaseCluster is set to true.

  users:
    developer:   # username (1)
      password: password
      authSecret:
      authDomain: local
      roles:
        - name: bucket_admin
          bucket: default

(1) The username is set from the key of each user configuration.

NOTE: Users are automatically provisioned with label selectors matching the corresponding Couchbase cluster.

password

The user password.

This should only be used for experimental and test clusters. Consider using authSecret or setting authDomain: external to improve security.

Value rules: The user.<name>.password value is a string. This value is required when authDomain is local.

authSecret

The Kubernetes Secret containing the user password.

Value rules: The user.<name>.authSecret value is a string. This value is optional and must refer to a Kubernetes Secret resource when specified. The Secret must contain the path data.password with the base64-encoded value of the secret.

authDomain

The Couchbase RBAC Domain to use when authenticating the user.

Value rules: The user.<name>.authDomain value is a string. This value is required and must be either local or external.

roles

The Couchbase Roles to assign to the user

Value rules: The user.<name>.roles value is a list. This value is required and must provide the name of a valid Couchbase Server role. If the Couchbase Server role is a bucket role, then the name of a bucket value may also be provided. If the name of a bucket is not provided for a bucket role then the value defaults to * which means the role applies to all buckets.

Refer to Couchbase Groups for a list of Administrator and Bucket roles.
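
Added example (not part of the chart or its documentation): a Python check that merges an override file over the security-relevant defaults listed on this page, the way Helm does, and reports inline passwords, missing TLS, the exposed admin console and an enabled Sync Gateway GUEST user. The app user and the secret names cb-admin-auth and app-auth are constructed for illustration.

```python
"""Flag risky settings in the effective values of a Couchbase chart release."""
import json
import sys

# Security-relevant subset of the chart defaults listed on this page (None = empty).
CHART_DEFAULTS = {
    "install": {"couchbaseCluster": True, "syncGateway": False},
    "cluster": {
        "security": {"username": "Administrator", "password": None, "adminSecret": None},
        "networking": {"exposeAdminConsole": True,
                       "adminConsoleServiceType": "NodePort", "tls": None},
    },
    "users": {"developer": {"password": "password", "authSecret": None}},
    "tls": {"generate": False},
    "syncGateway": {"config": {"databases": {"db": {"users": {
        "GUEST": {"disabled": False, "admin_channels": ["*"]}}}}}},
}


def merge(defaults, overrides):
    """Helm-style merge: maps merge key by key, other values replace, null deletes."""
    merged = dict(defaults)
    for key, value in overrides.items():
        if value is None:
            merged.pop(key, None)
        elif isinstance(value, dict) and isinstance(merged.get(key), dict):
            merged[key] = merge(merged[key], value)
        else:
            merged[key] = value
    return merged


def dig(values, path):
    """Value at a dotted path, or None if a segment is missing."""
    node = values
    for part in path.split("."):
        node = node.get(part) if isinstance(node, dict) else None
    return node


def audit(overrides):
    """Return (values path, reason) pairs for the settings the release would use."""
    v = merge(CHART_DEFAULTS, overrides)
    found = []
    if dig(v, "install.couchbaseCluster"):
        sec = dig(v, "cluster.security") or {}
        if sec.get("password") and not sec.get("adminSecret"):
            found.append(("cluster.security.password",
                          "admin password set inline; reference adminSecret instead"))
        for name, user in (dig(v, "users") or {}).items():
            external = user.get("authDomain") == "external"
            if user.get("password") and not user.get("authSecret") and not external:
                found.append((f"users.{name}.password",
                              "user password set inline; use authSecret or authDomain: external"))
        if not dig(v, "tls.generate") and not dig(v, "cluster.networking.tls"):
            found.append(("tls.generate",
                          "TLS certs are neither generated nor supplied in cluster.networking.tls"))
        net = dig(v, "cluster.networking") or {}
        if net.get("exposeAdminConsole"):
            found.append(("cluster.networking.exposeAdminConsole",
                          f"admin console exposed as a {net.get('adminConsoleServiceType')} service"))
    if dig(v, "install.syncGateway"):
        for db, cfg in (dig(v, "syncGateway.config.databases") or {}).items():
            guest = dig(cfg, "users.GUEST")
            if guest and not guest.get("disabled"):
                found.append((f"syncGateway.config.databases.{db}.users.GUEST",
                              f"GUEST user enabled for channels {guest.get('admin_channels')}"))
    return found


# Constructed override files, as they would look after parsing YAML or JSON.
PARTIAL = {  # adds an application user but leaves the chart's example user in place
    "install": {"syncGateway": True},
    "users": {"app": {"authSecret": "app-auth", "authDomain": "local",
                      "roles": [{"name": "bucket_admin", "bucket": "default"}]}},
    "tls": {"generate": True},
}
HARDENED = {
    "install": {"syncGateway": True},
    "cluster": {"security": {"adminSecret": "cb-admin-auth"},
                "networking": {"exposeAdminConsole": False}},
    "users": {"developer": None,  # null removes the example user and its password
              "app": PARTIAL["users"]["app"]},
    "tls": {"generate": True},
    "syncGateway": {"config": {"databases": {"db": {"users": {"GUEST": {"disabled": True}}}}}},
}

if __name__ == "__main__":
    # Optional argument: a JSON file of user-supplied values for a release.
    overrides = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else PARTIAL
    for path, reason in audit(overrides):
        print(f"{path}: {reason}")
```

The output of `helm get values my-release -o json` is the user-supplied values of an installed release, in the form the script accepts as its file argument.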

Sync Gateway

The Sync Gateway configuration provides defaults for deploying Sync Gateway along with associated services. The Sync Gateway server is installed when install.syncGateway is set to true. When installed, Sync Gateway is automatically connected to the Couchbase cluster.

syncGateway:
  name:
  config:
    logging:
      console:
        enabled: true
        log_level: "debug"
        log_keys:
        - "*"
    databases:
      db:
        bucket: default
        users:
          GUEST:
            disabled: false
            admin_channels: ["*"]
        server:
        username:
        password:
        allow_conflicts: false
        revs_limit: 20
        enable_shared_bucket_access: true
  exposeServiceType: ClusterIP
  image:
    repository: couchbase/sync-gateway
    tag: 2.7.0-enterprise
  imagePullPolicy: IfNotPresent
  configSecret:
  cacert:
  dns:
    service:
    searches:
    - default.svc.cluster.local
    - svc.cluster.local
    - cluster.local

If you install a bucket with a name other than default then you will need to update databases.db.bucket accordingly.

exposeServiceType

The type of service to use for exposing the Sync Gateway server.

Value rules: The exposeServiceType value is a string. This value is optional and defaults to ClusterIP. When specified, the value must be either ClusterIP, NodePort, or LoadBalancer. When the value is not specified (set to an empty string), the exposing service is not created.

configSecret

A Kubernetes Secret containing values that override config.databases. This allows for sync-gateway configurations to be shared across clusters, since the Secret will contain the same configuration information about connecting to a particular Couchbase Cluster.

Value rules: The configSecret value is a string. This value is optional. When specified, the content of the Secret will be used to override the values of config.databases.

dns

DNS settings to apply to the Sync Gateway server

dns:
  service:
  searches:
  - default.svc.cluster.local
  - svc.cluster.local
  - cluster.local

dns.service

The name of a Kubernetes Service resource which provides DNS to Sync Gateway. By default the kube-dns service is used, but users may decide to install coredns for Inter-Cluster Deployments.

Value rules: The dns.service value is a string. This value is optional. When specified the value must refer to a Kubernetes Service resource that is capable of providing DNS to the Sync Gateway server.

dns.searches

The search domains to use when looking up hostnames

Value rules: The dns.searches value is a list of strings. This value is optional and only provided to the Sync Gateway server when dns.service is also set.

Autonomous Operator

The Helm chart deploys the Operator as a Kubernetes Deployment.

couchbaseOperator:
  name: "couchbase-operator"
  image:
    repository: couchbase/operator
    tag: 2.0.0
  imagePullPolicy: IfNotPresent
  imagePullSecrets: []
  commandArgs:
    pod-create-timeout: 10m
  resources: {}
  nodeSelector: {}
  tolerations: []

commandArgs

This spec allows you to specify command line arguments to pass on to the Operator.

Value rules: The commandArgs value is a key-value map of arguments that can be used to modify the behavior of the Operator image. The -pod-create-timeout: argument is set to 10m by default, which means that the Operator will wait 10 minutes for a Couchbase Server Pod to start. The -debug: argument can also be used here, and set to debug for more verbose logging.

Additional Values

The couchbaseOperator parameters are described in the Operator Deployment Settings documentation.

Admission Controller

admissionController:
  name: "couchbase-admission-controller"
  image:
    repository: couchbase/admission-controller
    tag: 2.0.0
  imagePullPolicy: IfNotPresent
  imagePullSecrets: []
  verboseLogging: true

The Helm chart deploys the admission controller as a Kubernetes Deployment.

name

This field specifies the name of the admission controller deployment.

Field Rules:

The name field defaults to couchbase-admission-controller.

image

  image:
    repository: couchbase/admission-controller
    tag: 1.2.2

The repository and tag to use for pulling the admission controller image.

Field Rules:

The image.repository value can refer to any repository. The image.tag field can refer to any version of the admission controller image in the repository.

imagePullPolicy

The policy for pulling images from the repository onto hosts.

Field Rules:

The imagePullPolicy value defaults to IfNotPresent, which means that images are only pulled if they’re not present on the Kubernetes node. Values allowed are Always, IfNotPresent, and Never.

imagePullSecrets

An optional list referencing secrets to use for pulling the image.

Field Rules:

The imagePullSecrets value is a list which is not set by default. Refer to the Operator documentation about creating pull secrets. When using the Helm CLI to override pull secrets, the list should be denoted as a comma delimited list within curly braces. Quote the argument so that the shell passes the braces to Helm instead of expanding them:

helm install my-release --set "admissionController.imagePullSecrets={pullsecret1,pullsecret2}" couchbase/couchbase-operator

verboseLogging

Determines whether the admission controller should log all of its validation notices within the console.

Field Rules:

The verboseLogging field is a boolean value that is set to false by default, which means only validation errors are logged within the pod’s console.

Admission Service

  admissionService:
    name:
    port: 443
    targetPort: 8443

The admission service is used by the webhooks to access the admission operator. Certificates are auto-generated for this service whenever this object is enabled. The admission service is always created when install.admissionController is set to true.

name

Name of the admission service.

port

Port exposed by the admission service to the validation webhooks.

targetPort

Port of the admission controller targeted by the admission Service.

Field Rules:

The name value defaults to whatever is specified in admissionController.name.

Admission Controller Certificate Authority

admissionCA:
  cert:
  key:
  expiration: 365

The admissionCA spec specifies the CA certificates that are applied to validating webhooks.

By default, the CA certificate and key are auto-generated. The following example shows how to use a self-signed certificate:

  1. Create Certificates

    Use openssl to create myCA.key and myCA.pem in your current directory:

    openssl genrsa -out myCA.key 2048
    openssl req -x509 -new -nodes -key myCA.key -sha256 -days 1825 -outform PEM -out myCA.pem

  2. Install the chart with certificates

    Use --set-file to import the files from your current directory:

    helm install my-release \
                  --set-file admissionCA.cert=myCA.pem \
                  --set-file admissionCA.key=myCA.key \
                  couchbase/couchbase-operator

Refer to the TLS documentation for manually creating certificates and keys that can be used to override the auto-generated secret.

cert

The PEM format CA certificate.

Field Rules:

The cert value defaults to an auto-generated CA certificate.

key

The PEM format CA key.

Field Rules:

The key value defaults to an auto-generated CA key.

expiration

Expiration of CA certificate in days.

Field Rules:

The expiration value defaults to 365 days.

Admission Controller Secret

admissionSecret:
  name:
  cert:
  key:

The admissionSecret spec specifies the secret for the admission controller to use for validating cluster specs securely over the admission service.

To use a custom secret, you will also need to provide the CA that was used to generate the certificates and keys within the secret. The following example shows how to use a self-signed CA and client:

  1. Create CA and client certificates

    Use easyrsa to create a CA and a signed client cert with the DNS name cb-example.default.svc:

    ./easyrsa build-ca nopass
    ./easyrsa --subject-alt-name=DNS:cb-example.default.svc build-server-full admission-controller nopass

  2. Install chart with client certificates

    Install the chart with the custom certs and be sure to set admissionService.name to the DNS name.

    This example also sets the --namespace default option, since the namespace is also included in the DNS name of the cert we created:

    helm install my-release --namespace default \
                  --set admissionService.name=cb-example \
                  --set-file admissionCA.cert=/home/ubuntu/easy-rsa/easyrsa3/pki/ca.crt \
                  --set-file admissionCA.key=/home/ubuntu/easy-rsa/easyrsa3/pki/private/ca.key \
                  --set-file admissionSecret.cert=/home/ubuntu/easy-rsa/easyrsa3/pki/issued/admission-controller.crt \
                  --set-file admissionSecret.key=/home/ubuntu/easy-rsa/easyrsa3/pki/private/admission-controller.key \
                  couchbase/couchbase-operator

name

This value is the name of the secret that contains the certificates for the admission operator. This value must refer to a native Kubernetes secret which contains values for the TLS cert and key.

Field Rules:

The admissionSecret.name value defaults to the name of the admission controller deployment.

cert

PEM format certificate to use as the admission controller’s public key during validation.

Field Rules:

The admissionSecret.cert value is auto-generated by default from admissionCA.

key

PEM format key to use as the admission controller’s private key during validation.

Field Rules:

The admissionSecret.key value is auto-generated by default from admissionCA.