Release Notes for Couchbase Autonomous Operator 2.0

K8S-1600

Summary: An issue can occur where the Autonomous Operator incorrectly populates the Prometheus sidecar’s container specification. This only applies to configurations using TLS, and causes the Prometheus exporter to be unable to start.

K8S-1492

Summary: A memory leak in a 3rd party library dependency causes the Autonomous Operator to continually allocate memory until the host system detects memory exhaustion and terminates the Autonomous Operator process. In some circumstances, this can lead to the Autonomous Operator being unable to restart due to lock contention.

K8S-1585

Summary: When running applications (such as Sync Gateway) that are using DNS SRV over TLS to connect to a Couchbase Cluster in the same Kubernetes cluster, lookup may fail hostname validation checks.

Workaround: Add wildcard matches to the Subject Alternate Names (SANs) in the certificate for the Kubernetes-based host names. Specifically, add DNS:*.${cluster}.${namespace}.svc and DNS:${cluster}-srv.${namespace}.svc as discussed in the Creating TLS Certificates tutorial.

K8S-1532

Summary: When using the Autonomous Operator to upgrade Couchbase Server from version 6.5.0 to 6.5.1, the resulting deployment may still show 6.5.0 as the version, even though the individual nodes in the pods are in fact running version 6.5.1.

K8S-1483

Summary: Logging is provided by a 3rd party library. This library adds in a sampler that can cause an array out of bounds panic due to non-standard log levels, and is generally not compatible with Couchbase support processes.

This library will be removed or replaced in a future release of the Autonomous Operator.

K8S-1168

Summary: Pod readiness is performed with an exec-based probe that looks for the presence of an operator-created file. This requires the "pods/exec" privilege, and is a security concern in some environments.

A new readiness method will be implemented in a future release of the Autonomous Operator.

K8S-968

Summary: CRDs are now generated directly from source using upstream tooling. As a result, some attributes in the CRD may not be compatible with older versions of Kubernetes. An error containing the following message can be ignored, and you can feel free to follow the instructions in the message.

K8S-1452

Summary: Prometheus metrics collection will fail to run on open source Kubernetes if you use the default Prometheus exporter image. This is the result of an issue with the couchbase/exporter:1.0.0 image, and does not occur with the OpenShift version of the image that is found on the Red Hat Container Catalog.

It’s important to note that in Autonomous Operator 2.0.0, the admission controller fills in a default value of couchbase/exporter:1.0.0 for spec.monitoring.prometheus.image if it is left unspecified, and therefore this issue would always occur unless you explicitly specified a value of couchbase/exporter:1.0.1.

In Autonomous Operator 2.0.1, the admission controller fills in a default value of couchbase/exporter:1.0.2. This updated tag is already reflected in the relevant documentation.

K8S-1451

Summary: A behavioral change to XDCR in Couchbase Server 6.5.1 means that the documented method for generating connection strings will not work. This applies to incoming XDCR connections that are external to the Kubernetes cluster i.e. public networking with External DNS and generic networking.

K8S-1449

Summary: Running cbopcfg with the intention of generating backup resources will not result in the expected behavior.

The previous workaround for creating backup resources is no longer required, and the documentation for configuring backups has been updated with the relevant cbopcfg command.

K8S-1437

Summary: The current operator-backup image in the Red Hat Container Catalog has a security grade of C due to being built on an older RHEL base image. A new image will be built to resolve this security grade and the default value for this image will be reflected in the next maintenance release. The reported vulnerability, CVE-2019-13734, is low risk in this use, as the Autonomous Operator does not use the RHEL-supplied Chrome or SQLite as described in the vulnerability.

K8S-1329

Summary: In releases prior to 2.0.0, removing a server class with a NodePort would fail (hang indefinitely). As a workaround, it was recommended to not use NodePorts. Starting in 2.0.0, the Autonomous Operator will remove server classes correctly when using NodePorts.

K8S-1189

Summary: Helm no longer merges Exposed Feature Sets when editing. In releases prior to 2.0.0, editing the Exposed Features, such as "client" and "admin", would be merged to "clientadmin" incorrectly. This is no longer the case with Helm Charts for 2.0 and later.

K8S-1169

Summary: When deploying on Red Hat OpenShift using the Operator Lifecycle Manager (OLM), you may see the error messages The field status.members is invalid or The field status.conditions is invalid. This has been corrected in the 2.0 release.

K8S-1111

Summary: In releases prior to 2.0, running kubectl wait on a Couchbase Cluster resource-based deployment may have resulted in errors such as error: .status.conditions accessor error. Starting in 2.0, it is possible to run kubectl wait on Couchbase Cluster defined resources to wait until Pods are ready, etc.

K8S-1452

Summary: Prometheus metrics collection will fail to run on open source Kubernetes if you use the default Prometheus exporter image. This is the result of an issue with the couchbase/exporter:1.0.0 image, and does not occur with the OpenShift version of the image that is found on the Red Hat Container Catalog.

It’s important to note that the admission controller will fill in a default value of couchbase/exporter:1.0.0 for spec.monitoring.prometheus.image if it is left unspecified, and therefore this issue will always occur unless you follow the workaround below.

Workaround: Explicitly specify a value of couchbase/exporter:1.0.1 for the spec.monitoring.prometheus.image field. This updated tag is already reflected in the relevant documentation.

K8S-1449

Summary: Running cbopcfg with the intention of generating backup resources will not result in the expected behavior.

Workaround: Until cbopcfg is fixed, a workaround for creating backup resources is provided in the documentation for configuring backups.

K8S-1437

Summary: The current operator-backup image in the Red Hat Container Catalog has a security grade of C due to being built on an older RHEL base image. A new image will be built to resolve this security grade and the default value for this image will be reflected in the next maintenance release. The reported vulnerability, CVE-2019-13734, is low risk in this use, as the Autonomous Operator does not use the RHEL-supplied Chrome or SQLite as described in the vulnerability.

Workaround: Ensure you do not use Chrome from backup jobs to access websites. Edit the image tag under spec.backup.image in the running CouchbaseCluster resource configuration from revision -4 to revision -5.

K8S-1395

Summary: On macOS 10.15 (Catalina), you may see an error such as ./cbopcfg: cannot execute binary file when trying to execute commands included in the Autonomous Operator download package.

Workaround: Update the macOS security settings as outlined in the Apple article on macOS Gatekeeper. Go to System Preferences > Security & Privacy, and under the General tab, find the header “Allow apps downloaded from” and select App Store and identified developers.

K8S-1451

Summary: A behavioral change to XDCR in Couchbase Server 6.5.1 means that the documented method for generating connection strings will not work. This applies to incoming XDCR connections that are external to the Kubernetes cluster i.e. public networking with External DNS and generic networking.

Workaround: We advise the use of load-balanced XDCR endpoints as they have stable names and provide high-availability. Couchbase Server 6.5.1, however, requires that the connection string exactly matches a Couchbase Server node hostname. Additional instructions are provided to allow successful configuration of XDCR connections.