Couchbase Helm Chart Specification

    The official Couchbase Helm Chart for the Autonomous Operator comes with a default configuration that can be customized to fit your deployment needs.

    This page describes the parameters of the official Couchbase Helm Chart. In particular, this page describes the contents of the chart’s values.yaml, which contains the chart’s default values. Each of the deployed resources is listed and described, along with any available parameterization.

    For instructions on how to install and use the chart, including how to override and customize the chart’s values, refer to Helm Deployment.

    All available configuration parameters in the Couchbase Helm Chart, along with their default values
      # Select what to install
      install:
        # couchbaseOperator is the couchbase-operator deployment
        couchbaseOperator: true
        # admissionController enforces validation
        admissionController: true
        # couchbase cluster
        couchbaseCluster: true
        # sync gateway
        syncGateway: false
    
      # couchbaseOperator is the controller for couchbase cluster
      couchbaseOperator:
        # name of the couchbase operator
        name: "couchbase-operator"
        # image config
        image:
          repository: couchbase/operator
          tag: 2.0.0
        imagePullPolicy: IfNotPresent
        # imagePullSecrets is an optional list of references to secrets to use for pulling images
        imagePullSecrets: []
        # additional command arguments will be translated to `--key=value`
        commandArgs:
          # pod creation timeout
          pod-create-timeout: 10m
        # resources of couchbase-operator
        resources: {}
        # nodeSelector for couchbase-operator pod assignment
        # Ref: https://kubernetes.io/docs/user-guide/node-selection/
        nodeSelector: {}
        # tolerations of pod match nodes with corresponding taints
        tolerations: []
    
    
      # admissionController is the controller for couchbase admission controller
      # name is derived from chart
      admissionController:
        name: "couchbase-admission-controller"
        image:
          repository: couchbase/admission-controller
          tag: 2.0.0
        imagePullPolicy: IfNotPresent
        # imagePullSecrets is an optional list of references to secrets to use for pulling images
        imagePullSecrets: []
        verboseLogging: true
    
      # admissionService exposes validation to cluster. This service
      # is over https and certs are auto-generated based on serviceName.
      admissionService:
        # name of the service (auto-generated)
        name:
        # port service exposes
        port: 443
        targetPort: 8443
    
      # admissionCA can be used to override the certs that will be used
      # to sign the keys used by the admission operator.
      admissionCA:
        # A base64 encoded PEM format certificate
        cert:
        # A base64 encoded PEM format private key
        key:
        # Expiry time of CA in days for generated certs
        expiration: 365
    
      # secret with client certs mounted within the admission controller.
      admissionSecret:
        # name of the secret (auto-generated)
        name:
        # PEM format certificate (auto-generated)
        # override via --set-file
        cert:
        # PEM format private key (auto-generated)
        # override via --set-file
        key:
    
    
      # Default values for couchbase-cluster
      cluster:
        # name of the cluster. defaults to name of chart release
        name:
        # image is the base couchbase image and version of the couchbase cluster
        image: "couchbase/server:6.5.0"
        security:
          # username of the cluster admin.
          username: Administrator
          # password of the cluster admin.
          # auto-generated when empty
          password:
          # adminSecret is name of secret to use instead of using
          # the default secret with username and password specified above
          adminSecret:
          rbac:
            managed: true
        # networking options
        networking:
          # Option to expose admin console
          exposeAdminConsole: true
          # Specific services to use when exposing the admin console UI
          adminConsoleServices:
            - data
          # Couchbase features to expose through per-node services
          exposedFeatures:
            - client
            - xdcr
          # Defines how the admin console service is exposed.
          # Allowed values are NodePort and LoadBalancer.
          # If this field is LoadBalancer then you must also define a spec.dns.domain.
          adminConsoleServiceType: NodePort
          # Defines how the per Couchbase node ports are exposed.
          # Allowed values are NodePort and LoadBalancer.
          # If this field is LoadBalancer then you must also define a spec.dns.domain.
          exposedFeatureServiceType: NodePort
          # The dynamic DNS configuration to use when exposing services
          dns:
          # The Couchbase cluster tls configuration (auto-generated)
          tls:
        # The retention period that log volumes are kept for after their associated pods have been deleted.
        logRetentionTime: 604800s
        # The maximum number of log volumes that can be kept after their associated pods have been deleted.
        logRetentionCount: 20
        # xdcr defines remote clusters and replications to them.
        xdcr:
          # managed defines whether the Operator should manage XDCR remote clusters
          managed: false
          # remoteClusters contains references to any remote clusters to replicate to
          remoteClusters:
        # backup defines values for automated backup.
        backup:
          # managed determines whether Automated Backup is enabled
          managed: true
          # image used by the Operator to perform backup or restore
          image: couchbase/operator-backup:6.5.0
          # optional service account to use when performing backups
          # service account will be created if it does not exist
          serviceAccountName:
        # defines integration with third party monitoring software
        monitoring:
          prometheus:
            # defines whether Prometheus metric collection is enabled
            enabled: false
            # image used by the Operator to perform metric collection
            # (injected as a "sidecar" in each Couchbase Server Pod)
            image: couchbase/prometheus-exporter:1.0.0
            # Optional Kubernetes secret that clients use to access Prometheus metrics
            authorizationSecret:
        # Cluster wide settings for nodes and services
        cluster:
          # The amount of memory that should be allocated to the data service
          dataServiceMemoryQuota: 256Mi
          # The amount of memory that should be allocated to the index service
          indexServiceMemoryQuota: 256Mi
          # The amount of memory that should be allocated to the search service
          searchServiceMemoryQuota: 256Mi
          # The amount of memory that should be allocated to the eventing service
          eventingServiceMemoryQuota: 256Mi
          # The amount of memory that should be allocated to the analytics service
          analyticsServiceMemoryQuota: 1Gi
          # The index storage mode to use for secondary indexing
          indexStorageSetting: memory_optimized
          # Timeout that expires to trigger the auto failover.
          autoFailoverTimeout: 120s
          # The number of failover events we can tolerate
          autoFailoverMaxCount: 3
          # Whether to auto failover if disk issues are detected
          autoFailoverOnDataDiskIssues: true
          # How long to wait for transient errors before failing over a faulty disk
          autoFailoverOnDataDiskIssuesTimePeriod: 120s
          # configuration of global Couchbase auto-compaction settings.
          autoCompaction:
            # amount of fragmentation allowed in persistent database [2-100]
            databaseFragmentationThreshold:
              percent: 30
              size: 1Gi
            # amount of fragmentation allowed in persistent view files [2-100]
            viewFragmentationThreshold:
              percent: 30
              size: 1Gi
            # whether auto-compaction should be performed in parallel
            parallelCompaction: false
            # how frequently tombstones may be purged
            tombstonePurgeInterval: 72h
            # optional window when an auto-compaction may start (uncomment below)
            timeWindow: {}
            # start: 02:00
            # end: 06:00
            # abortCompactionOutsideWindow: true
    
        # configuration of logging functionality
        # for use in conjunction with logs persistent volume mount
        logging:
          # retention period that log volumes are kept after pods have been deleted
          logRetentionTime: 604800s
          # the maximum number of log volumes that can be kept after pods have been deleted
          logRetentionCount: 20
        # kubernetes security context applied to pods
        securityContext:
          # fsGroup of persistent volume mount
          fsGroup: 1000
        # cluster buckets
        buckets:
          # Managed defines whether buckets are managed by us or the clients.
          managed: true
        servers:
          # Name for the server configuration. It must be unique.
          default:
            # Size of the couchbase cluster.
            size: 3
            # The services to run on nodes
            services:
              - data
              - index
              - query
              - search
              - analytics
              - eventing
            # volume claims to use for persistent storage
            volumeMounts: {}
            # ServerGroups define the set of availability zones we want to distribute pods over.
            serverGroups: []
            # Pod defines the policy to create pod for the couchbase pod.
            pod:
              spec:
                containers:
        # VolumeClaimTemplates define the desired characteristics of a volume
        # that can be requested and claimed by a pod.
        volumeClaimTemplates: []
    
      # couchbase buckets to create
      # disable default bucket creation by setting
      # buckets.default: null
      buckets:
        # A bucket to create by default
        default:
          # Name of the bucket
          name: default
          # The type of bucket to use
          type: couchbase
          # The amount of memory that should be allocated to the bucket
          memoryQuota: 128Mi
          # The number of bucket replicas
          replicas: 1
          # The priority when compared to other buckets
          ioPriority: high
          # The bucket eviction policy which determines behavior during expire and high mem usage
          evictionPolicy: fullEviction
          # The bucket's conflict resolution mechanism; which is to be used if a conflict occurs during Cross Data-Center Replication (XDCR). Sequence-based and timestamp-based mechanisms are supported.
          conflictResolution: seqno
          # The enable flush option denotes whether the data in the bucket can be flushed
          enableFlush: true
          # Enable Index replica specifies whether or not to enable view index replicas for this bucket.
          enableIndexReplica: false
          # data compression mode for the bucket to run in [off, passive, active]
          compressionMode: "passive"
    
      # RBAC users to create
      # (requires couchbase server 6.5.0 and higher)
      users:
        # creates an example user named 'developer'
        developer:
          # password to use for user authentication
          # (alternatively use authSecret)
          password: password
          # optional secret to use containing user password
          authSecret:
          # roles attributed to group
          roles:
            - name: bucket_admin
              bucket: default
    
      # TLS Certs that will be used to encrypt traffic between operator and couchbase
      tls:
        # enable to auto create certs
        generate: false
        # Expiry time of CA in days for generated certs
        expiration: 365
    
      # syncGateway configuration
      syncGateway:
        # name of the sync gateway pod.
        # defaults to name of chart
        name:
        # database config
        config:
          logging:
            console:
              enabled: true
              log_level: "debug"
              log_keys:
              - "*"
          # databases is a list containing
          # bucket replication configs
          databases:
            db:
              # bucket replicated to sync gateway
              bucket: default
              # guest user config
              users:
                GUEST:
                  # disable creation of guest user
                  disabled: false
                  # channels guest user may access.
                  # defaults to all channels
                  admin_channels: ["*"]
              # server to connect db to, defaults to cluster server
              server:
              # username of db admin, defaults to cluster admin username
              username:
              # password of db admin, defaults to cluster admin password
              password:
              allow_conflicts: false
              revs_limit: 20
              enable_shared_bucket_access: true
        # Type of service to use for exposing Sync Gateway
        # Set as empty string to prevent service creation
        exposeServiceType: ClusterIP
        # image of the sync gateway container
        image:
          repository: couchbase/sync-gateway
          tag: 2.7.0-enterprise
        imagePullPolicy: IfNotPresent
        # Optional secret to use with prepopulated database config
        configSecret:
        # optional ca.cert for tls connection
        # of all databases
        cacert:
        # optional dns config
        dns:
          # name of the kubernetes service which exposes the nameserver (i.e. coredns)
          service:
          # search list for host-name lookup
          searches:
          - default.svc.cluster.local
          - svc.cluster.local
          - cluster.local

    About Resource Names

    All resources/objects created by the Couchbase Chart adhere to the following naming scheme: <release-name>-<component-name>

    • <release-name>

      • This is the name of the installed instance.

    • <component-name>

      • This is the name of the Operator, Admission, or Couchbase component.

      • If the resource is created for the Operator, then <component-name> will be whatever is specified in couchbaseOperator.name.

      • If the resource is created for the admission controller, then <component-name> will be whatever is specified in admissionController.name.

      • If the resource is created for the couchbase cluster, then <component-name> will be whatever is specified in cluster.name.

    Specifying Your Own Resources

    The chart allows you to override certain resources, such as TLS certificates, with ones that you’ve already created. In this case, the names of the resources are determined by you and not the chart, and therefore do not adhere to the naming scheme described in the previous section. Check the specs below for the value you are attempting to override for additional information on what type of resource is expected and how it should be formatted.

    Install Values

    Installation values for selective deployment of components within the chart.

      # Select what to install
      install:
        # install the couchbase operator
        couchbaseOperator: true
        # install the admission controller
        admissionController: true
        # install couchbase cluster
        couchbaseCluster: true
        # install sync gateway
        syncGateway: false

    The Couchbase Chart is capable of installing the Operator, Admission Controller, Couchbase Cluster, and Sync Gateway.

    couchbaseOperator

    This field specifies whether or not the Couchbase Autonomous Operator will be installed.

    Field Rules:

    The couchbaseOperator field defaults to true.

    admissionController

    This field specifies whether or not the Couchbase Admission Controller will be installed.

    Field Rules:

    The admissionController field defaults to true.

    couchbaseCluster

    This field specifies whether or not a Couchbase Cluster will be installed.

    Field Rules:

    The couchbaseCluster field defaults to true.

    syncGateway

    This field specifies whether or not an instance of the Sync Gateway will be installed.

    Field Rules:

    The syncGateway field defaults to false.

    Couchbase Cluster

    The cluster configuration represents the CouchbaseCluster resources to be installed. If install.couchbaseCluster is set to false then the cluster will not be installed.

    cluster

      cluster:
        name:
        security:
          username: Administrator
          password:
          adminSecret:

    name

    The name of the cluster to create.

    Value rules: The couchbaseCluster.name value defaults to the name of the chart if not specified. Must be unique from any other clusters in the namespace.

    username

    The username to use as the cluster admin.

    This should only be used for experimental and test clusters. Consider using adminSecret to provide a secret containing your own username and password.

    Value rules: The couchbaseCluster.username value is a string set to Administrator by default.

    password

    The password to use as the cluster admin.

    This should only be used for experimental and test clusters. Consider using adminSecret to provide a secret containing your own username and password.

    Value rules: The couchbaseCluster.password value is a string that is auto-generated by default.

    adminSecret

    The secret to use for overriding the auto-generated secret. When specified the username and password from the secret are used for Administrator login.

    Value rules: The couchbaseCluster.adminSecret value is the name of a kubernetes secret and is not set by default.

    Persistent Volumes

    The best way to create a cluster with persistent volumes is to make a custom value file. The following example shows how volumeMounts can be added to create a persisted cluster.

    Create a file named values-persistent.yaml with the following values:

    cluster:
      servers:
        default:
          # volumeMounts sits directly under the server configuration,
          # as in the default values above
          volumeMounts:
            default: couchbase
            data: couchbase
      securityContext:
        fsGroup: 1000
      volumeClaimTemplates:
        - metadata:
            name: couchbase
          spec:
            storageClassName: "default"
            resources:
              requests:
                storage: 1Gi

    Install the cluster chart using the custom value file:

    helm install my-release -f values-persistent.yaml couchbase/couchbase-cluster

    additional values

    All of the remaining values which can be overridden in this spec are described here in the Couchbase Cluster Config documentation.

    TLS

    Certificates can be auto-generated or overridden by user-supplied certificates. Because Couchbase certificates are represented as plain Kubernetes secrets, the secret itself can also be overridden.

    tls:
      generate: false
      expiration: 365

    generate

    This value determines whether the chart should create the cluster with TLS.

    Value rules: The tls.generate value is a boolean which defaults to false. When set to true, all of the certs and keys required for TLS will be auto-generated unless manually specified. When the value is false, certs are not generated, but manual Secrets can be provided by overriding cluster.networking.tls.

    expiration

    Expiration of the CA in days.

    Value rules: The couchbaseTLS.expiration defaults to 365 days.

    Custom TLS

    Create a cluster with auto-generated TLS certificates:

    helm install my-release --set tls.generate=true couchbase/couchbase-cluster

    Use manually created secrets. Create a file named tls_values.yaml with the following custom override values for the Couchbase Chart:

    cluster:
      networking:
        tls:
          static:
            operatorSecret: tls-operator-secret
            serverSecret: my-tls-server-secret

    helm install my-release -f tls_values.yaml couchbase/couchbase-cluster

    Buckets

    The buckets configuration represents CouchbaseBucket resources to be installed by the cluster. Buckets are installed whenever install.couchbaseCluster is set to true.

    buckets:
      default:
        name: default
        type: couchbase

    Buckets are automatically provisioned with label selectors matching the corresponding Couchbase cluster.

    name

    This value determines name of the bucket to create.

    Value rules: The bucket.name value is a string. This value is optional and when not set, the name of the object key is used instead.

    additional values

    All of the remaining values which can be overridden in this spec are described here in the Couchbase Cluster Config documentation.

    Users

    The users configuration represents CouchbaseUser, CouchbaseGroup, and CouchbaseRoleBinding resources to be installed by the cluster. Users are installed whenever install.couchbaseCluster is set to true.

      users:
        developer:   # username (1)
          password: password
          authSecret:
          authDomain: local
          roles:
            - name: bucket_admin
              bucket: default

    (1) The username is set from the key of each user configuration.

    NOTE: Users are automatically provisioned with label selectors matching the corresponding Couchbase cluster.

    password

    The user password.

    This should only be used for experimental and test clusters. Consider using authSecret or setting authDomain: external to improve security.

    Value rules: The user.<name>.password value is a string. This value is required when authDomain is local.

    authSecret

    The Kubernetes Secret containing the user password.

    Value rules: The user.<name>.authSecret value is a string. This value is optional and must refer to a Kubernetes Secret resource when specified. The Secret must contain the path data.password with the base64 encoded value of the secret.

    authDomain

    The Couchbase RBAC Domain to use when authenticating the user.

    Value rules: The user.<name>.authDomain value is a string. This value is required and must be either local or external.

    roles

    The Couchbase Roles to assign to the user.

    Value rules: The user.<name>.roles value is a list. This value is required and must provide the name of a valid Couchbase Server role. If the Couchbase Server role is a bucket role, then the name of a bucket value may also be provided. If the name of a bucket is not provided for a bucket role then the value defaults to * which means the role applies to all buckets.

    Refer to Couchbase Groups for the list of Administrator and Bucket roles.
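
    The adminSecret and authSecret values described above both name Kubernetes Secrets that must exist before the chart is installed. The manifests below are an added example, not part of the chart: the Secret names cb-admin-auth and developer-auth and the placeholder values are assumptions, and the key names follow the rules stated on this page (username and password for the admin Secret, data.password for a user Secret).

```yaml
# secrets.yaml (constructed example; names and values are placeholders)
# Apply with kubectl in the release namespace before running helm install.
apiVersion: v1
kind: Secret
metadata:
  name: cb-admin-auth        # assumed name, referenced by cluster.security.adminSecret
type: Opaque
stringData:                  # the API server stores these base64-encoded under data
  username: Administrator
  password: REPLACE_WITH_GENERATED_ADMIN_PASSWORD
---
apiVersion: v1
kind: Secret
metadata:
  name: developer-auth       # assumed name, referenced by users.developer.authSecret
type: Opaque
stringData:
  # stored as data.password, the path the authSecret value rules require
  password: REPLACE_WITH_GENERATED_USER_PASSWORD
```

    Keeping credentials in Secrets rather than in values.yaml keeps them out of the values file and out of --set arguments on the command line.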

    Sync Gateway

    The Sync Gateway configuration provides defaults for deploying Sync Gateway along with associated services. The Sync Gateway server is installed when install.syncGateway is set to true. When installed, Sync Gateway is automatically connected to the Couchbase cluster.

    syncGateway:
      name:
      config:
        logging:
          console:
            enabled: true
            log_level: "debug"
            log_keys:
            - "*"
        databases:
          db:
            bucket: default
            users:
              GUEST:
                disabled: false
                admin_channels: ["*"]
            server:
            username:
            password:
            allow_conflicts: false
            revs_limit: 20
            enable_shared_bucket_access: true
      exposeServiceType: ClusterIP
      image:
        repository: couchbase/sync-gateway
        tag: 2.7.0-enterprise
      imagePullPolicy: IfNotPresent
      configSecret:
      cacert:
      dns:
        service:
        searches:
        - default.svc.cluster.local
        - svc.cluster.local
        - cluster.local

    If you install a bucket with a name other than default then you will need to update databases.db.bucket accordingly.

    exposeServiceType

    The type of service to use for exposing the Sync Gateway server.

    Value rules: The exposeServiceType value is a string. This value is optional and defaults to ClusterIP. When specified, the value must be either ClusterIP, NodePort, or LoadBalancer. When the value is set to an empty string, the exposing service is not created.

    configSecret

    A Kubernetes Secret containing values that override config.databases. This allows for sync-gateway configurations to be shared across clusters, since the Secret will contain the same configuration information about connecting to a particular Couchbase Cluster.

    Value rules: The configSecret value is a string. This value is optional. When specified, the content of the Secret will be used to override the values of config.databases.

    dns

    DNS settings to apply to the Sync Gateway server

    dns:
      service:
      searches:
      - default.svc.cluster.local
      - svc.cluster.local
      - cluster.local

    dns.service

    The name of a Kubernetes Service resource which provides DNS to Sync Gateway. By default the kube-dns service is used, but users may decide to install coredns for Inter-Cluster Deployments.

    Value rules: The dns.service value is a string. This value is optional. When specified the value must refer to a Kubernetes Service resource that is capable of providing DNS to the Sync Gateway server.

    dns.searches

    The search domains to use when looking up hostnames

    Value rules: The dns.searches value is a list of strings. This value is optional and only provided to the Sync Gateway server when dns.service is also set.
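
    The defaults listed on this page favour a quick start: an inline user password, a Sync Gateway GUEST user with access to all channels, debug logging, an exposed admin console, a flushable default bucket, and TLS generation turned off. The override file below is an added example (not part of the chart) that tightens those values using only keys documented on this page. The file name and the Secret names cb-admin-auth and developer-auth are assumptions, as is the chart accepting authSecret in place of an inline password, which the values comments describe as the alternative.

```yaml
# values-hardened.yaml (constructed example)
# Each key below is documented on this page; the chart default is noted beside it.

cluster:
  security:
    # default: username Administrator with an auto-generated password
    adminSecret: cb-admin-auth      # assumed Secret holding username and password
  networking:
    exposeAdminConsole: false       # default: true, exposed as NodePort

# encrypt traffic between the Operator and Couchbase
tls:
  generate: true                    # default: false
  expiration: 365

buckets:
  default:
    enableFlush: false              # default: true (bucket data can be flushed)

users:
  developer:
    # setting the key to null drops the inline chart default ("password")
    password: null
    authSecret: developer-auth      # assumed Secret with data.password
    authDomain: local
    roles:
      - name: bucket_admin
        bucket: default

# only takes effect when install.syncGateway is true
syncGateway:
  config:
    logging:
      console:
        log_level: "info"           # default: "debug"
    databases:
      db:
        users:
          GUEST:
            disabled: true          # default: false, with admin_channels ["*"]
  exposeServiceType: ClusterIP      # keep the service internal to the cluster
```

    Pass the file to helm install with -f, in the same way as values-persistent.yaml earlier on this page.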

    Autonomous Operator

    The Helm chart deploys the Operator as a Kubernetes Deployment.

    couchbaseOperator:
      name: "couchbase-operator"
      image:
        repository: couchbase/operator
        tag: 2.0.0
      imagePullPolicy: IfNotPresent
      imagePullSecrets: []
      commandArgs:
        pod-create-timeout: 10m
      resources: {}
      nodeSelector: {}
      tolerations: []

    commandArgs

    This spec allows you to specify command line arguments to pass on to the Operator.

    Value rules: The commandArgs value is a key-value map of arguments that can be used to modify the behavior of the Operator image. The -pod-create-timeout: argument is set to 10m by default, which means that the Operator will wait 10 minutes for a Couchbase Server Pod to start. The -debug: argument can also be used here, and set to debug for more verbose logging.

    Additional Values

    The couchbaseOperator parameters are described in the Operator Deployment Settings documentation.

    Admission Controller

    admissionController:
      name: "couchbase-admission-controller"
      image:
        repository: couchbase/admission-controller
        tag: 2.0.0
      imagePullPolicy: IfNotPresent
      imagePullSecrets: []
      verboseLogging: true

    The Helm chart deploys the admission controller as a Kubernetes Deployment.

    name

    This field specifies the name of the admission controller deployment.

    Field Rules:

    The name field defaults to couchbase-admission-controller.

    image

      image:
        repository: couchbase/admission-controller
        tag: 1.2.2

    The repository and tag to use for pulling the admission controller image.

    Field Rules:

    The image.repository value can refer to any repository. The image.tag field can refer to any version of the admission controller image in the repository.

    imagePullPolicy

    The policy for pulling images from the repository onto hosts.

    Field Rules:

    The imagePullPolicy value defaults to IfNotPresent, which means that images are only pulled if they’re not present on the Kubernetes node. Values allowed are Always, IfNotPresent, and Never.

    imagePullSecrets

    An optional list referencing secrets to use for pulling the image.

    Field Rules:

    The imagePullSecrets value is a list which is not set by default. Refer to the Operator documentation about creating pull secrets. When using the Helm CLI to override pull secrets, the list should be denoted as a comma-delimited list within curly braces, quoted so that the shell does not brace-expand it:

    helm install my-release --set "admissionController.imagePullSecrets={pullsecret1,pullsecret2}" couchbase/couchbase-operator

    verboseLogging

    Determines whether the admission controller should log all of its validation notices within the console.

    Field Rules:

    The verboseLogging field is a boolean value that is set to false by default, which means only validation errors are logged within the pod’s console.

    Admission Service

      admissionService:
        name:
        port: 443
        targetPort: 8443

    The admission service is used by the webhooks to access the admission operator. Certificates are auto-generated for this service whenever this object is enabled. The admission service is always created when install.admissionController is set to true.

    name

    Name of the admission service.

    port

    Port exposed by the admission service to the validation webhooks.

    targetPort

    Port of the admission controller targeted by the admission service.

    Field Rules:

    The name value defaults to whatever is specified in admissionController.name.

    Admission Controller Certificate Authority

    admissionCA:
      cert:
      key:
      expiration: 365

    The admissionCA spec specifies the CA certificates that are applied to validating webhooks.

    By default, the CA certificate and key are auto-generated. The following example shows how to use a self-signed certificate:

    1. Create Certificates

      Use openssl to create myCA.key and myCA.pem in your current directory:

      openssl genrsa -out myCA.key 2048
      openssl req -x509 -new -nodes -key myCA.key -sha256 -days 1825 -outform PEM -out myCA.pem

    2. Install the chart with certificates

      Use --set-file to import the files from your current directory:

      helm install my-release --set-file admissionCA.cert=myCA.pem \
                    --set-file admissionCA.key=myCA.key \
                    couchbase/couchbase-operator

    Refer to the TLS documentation for manually creating certificates and keys that can be used to override the auto-generated secret.

    cert

    The PEM format CA certificate.

    Field Rules:

    The cert value defaults to an auto-generated CA certificate.

    key

    The PEM format CA key.

    Field Rules:

    The key value defaults to an auto-generated CA key.

    expiration

    Expiration of CA certificate in days.

    Field Rules:

    The expiration value defaults to 365 days.

    Admission Controller Secret

    admissionSecret:
      name:
      cert:
      key:

    The admissionSecret spec specifies the secret for the admission controller to use for validating cluster specs securely over the admission service.

    To use a custom secret, you will also need to provide the CA that was used to generate the certificates and keys within the secret. The following example shows how to use a self-signed CA and client:

    1. Create CA and client certificates

      Use easyrsa to create a CA and a signed client certificate with the DNS name cb-example.default.svc:

      ./easyrsa build-ca nopass
      ./easyrsa --subject-alt-name=DNS:cb-example.default.svc build-server-full admission-controller nopass

    2. Install chart with client certificates

      Install the chart with the custom certificates, and be sure to set admissionService.name to the DNS name.

      This example also sets the --namespace default option, since the namespace is also included in the DNS name of the certificate we created:

      helm install my-release --namespace default \
                    --set admissionService.name=cb-example \
                    --set-file admissionCA.cert=/home/ubuntu/easy-rsa/easyrsa3/pki/ca.crt \
                    --set-file admissionCA.key=/home/ubuntu/easy-rsa/easyrsa3/pki/private/ca.key \
                    --set-file admissionSecret.cert=/home/ubuntu/easy-rsa/easyrsa3/pki/issued/admission-controller.crt \
                    --set-file admissionSecret.key=/home/ubuntu/easy-rsa/easyrsa3/pki/private/admission-controller.key \
                    couchbase/couchbase-operator

    name

    This value is the name of the secret that contains the certificates for the admission operator. This value must refer to a native kubernetes secret which contains values for TLS cert and key.

    Field Rules:

    The admissionSecret.name value defaults to the name of the admission controller deployment.

    cert

    PEM format certificate to use as the admission controller’s public key during validation.

    Field Rules:

    The admissionSecret.cert value is auto-generated by default from admissionCA.

    key

    PEM format key to use as the admission controller’s private key during validation.

    Field Rules:

    The admissionSecret.key value is auto-generated by default from admissionCA.