CouchbaseGroup Resource

The Couchbase Autonomous Operator operates on CouchbaseCluster objects. Groups are decoupled from this configuration and are selected for inclusion within a cluster with configurable label selectors.

The CouchbaseGroup resource contains a set of roles that are to be applied to users. CouchbaseGroup resources are analogous to Kubernetes Role resources.

The following YAML shows all possible fields that may be configured for a CouchbaseGroup. This configuration may not be valid and is only for illustrative purposes.

All available CouchbaseGroup configuration parameters
apiVersion: couchbase.com/v2
kind: CouchbaseGroup
metadata:
  name: my-group
  labels:
    cluster: my-cluster
spec:
  roles:
  - name: bucket_admin
    bucket: my-bucket
  ldapGroupRef: cn=users,ou=Groups,dc=example,dc=com

Top-Level Definitions

The following are relevant generic parameters that can be defined:

apiVersion: couchbase.com/v2
kind: CouchbaseGroup
metadata:
  name: my-group
  labels:
    cluster: my-cluster

apiVersion

The apiVersion defines which version of the resource this configuration refers to.

Field rules: This field is required and must be set to couchbase.com/v2

kind

The kind defines the type of resource this configuration refers to.

Field rules: This field is required and must be set to CouchbaseGroup

metadata.name

The metadata name defines the name of the resource. The name must be unique for the kind defined.

Field rules: This field is required and must be unique as described above.

metadata.labels

The metadata labels allow the resource to be tagged so that it is only selected by specific CouchbaseCluster resources. Further details about resource selection can be found on the Couchbase Resources and RBAC page.

Field rules: This field is optional and must be a map of string key/value pairs.

spec

The following are parameters that may be set on the role:

spec:
  roles:
  - name: bucket_admin
    bucket: my-bucket

spec.roles[]

This field is a list of roles to be associated with a user or group of users.

spec.roles[].name

This field defines a Couchbase role to grant to a user.

Field rules: This field is required and must be either admin, cluster_admin, security_admin, ro_admin, replication_admin, query_external_access, query_system_catalog, analytics_reader, bucket_admin, views_admin, fts_admin, bucket_full_access, data_reader, data_writer, data_dcp_reader, data_backup, data_monitoring, replication_target, analytics_manager, views_reader, fts_searcher, query_select, query_update, query_insert, query_delete or query_manage_index.

spec.roles[].bucket

This field defines the scope to which a role applies. Non-cluster roles may be limited to a specific bucket. If specified, the bucket must exist on the related CouchbaseCluster resource.

Field rules: This field is required and must be a bucket name string. This field is only relevant when used with the roles bucket_admin, views_admin, fts_admin, bucket_full_access, data_reader, data_writer, data_dcp_reader, data_backup, data_monitoring, replication_target, analytics_manager, views_reader, fts_searcher, query_select, query_update, query_insert, query_delete or query_manage_index.

spec.ldapGroupRef

This field defines the distinguished name (DN) of an external LDAP group to use for authentication.

Field rules: This field is optional and must be a string. If set, the roles of this group will be applied to users within the referenced LDAP group.