Please use the form below to provide your feedback. Because your feedback is valuable to us, the information you submit in this form is recorded in our issue tracking system (JIRA), which is publicly available. You can track the status of your feedback using the ticket number displayed in the dialog once you submit the form.

A newer version of this documentation is available.

View Latest

Configure TLS

      +
      How to configure Couchbase Server with basic TLS.

      By default a Couchbase Server deployment uses basic authentication, commonly known as username and password. Basic authentication may be used over a plain text network communication where a malicious party can see the password. Basic authentication may also be used over a server-side TLS protected network connection which encrypts the password and prevents a malicious party from acquiring it.

      Creating Secrets

      Secrets are specified in the CouchbaseCluster resource, therefore they may have any name you choose. The format of individual secrets is discussed below.

      Please see the TLS certificate tutorial for a simple guide to creating TLS certificates.

      Server Secret

      Server secrets need to be mounted as a volume within the Couchbase Server pod with specific names. The certificate chain must be named chain.pem and the private key pkey.key.

      $ kubectl create secret generic couchbase-server-tls \
  --from-file example/tls/certs/tls.crt \
  --from-file example/tls/certs/tls.key \
  --from-file example/tls/certs/ca.crt

      Couchbase Cluster Configuration

      The following configuration will enable managed TLS.

      apiVersion: couchbase.com/v2
kind: CouchbaseCluster
spec:
  networking:
    tls:
      secretSource:
        serverSecretName: couchbase-server-tls (1)
      1 couchbaseclusters.spec.networking.tls.secretSource.serverSecretName defines a secret that will be mounted to all Couchbase Server pods. It contains the server wildcard certificate and its private key. As the private key is securely mounted to the pod by Kubernetes it is never exposed over the network.