How to configure Couchbase Server with basic TLS.
By default a Couchbase Server deployment uses basic authentication, commonly known as username and password. Basic authentication may be used over a plain text network communication where a malicious party can see the password. Basic authentication may also be used over a server-side TLS protected network connection which encrypts the password and prevents a malicious party from acquiring it.
Secrets are specified in the CouchbaseCluster resource, therefore they may have any name you choose. The format of individual secrets is discussed below.
Please see the TLS certificate tutorial for a simple guide to creating TLS certificates.
Server secrets need to be mounted as a volume within the Couchbase Server pod with specific names. The certificate chain must be named
chain.pem and the private key
$ kubectl create secret generic couchbase-server-tls \ --from-file example/tls/certs/chain.pem \ --from-file example/tls/certs/pkey.key
The Operator client secrets are read directly from the API. It expects only a single value to be present;
ca.crt is the top-level CA which is used to authenticate all TLS server certificate chains.
$ kubectl create secret generic couchbase-operator-tls \ --from-file example/tls/certs/ca.crt
The following configuration will enable managed TLS.
apiVersion: couchbase.com/v2 kind: CouchbaseCluster spec: networking: tls: static: serverSecret: couchbase-server-tls (1) operatorSecret: couchbase-operator-tls (2)