Configure TLS
How to configure Couchbase Server with basic TLS.
By default a Couchbase Server deployment uses basic authentication, commonly known as username and password. Basic authentication may be sent over a plain-text network connection, where an eavesdropper can read the password, or over a server-side TLS-protected connection, which encrypts the password in transit and prevents an eavesdropper from acquiring it.
Creating Secrets
Secrets are specified in the CouchbaseCluster resource, therefore they may have any name you choose. The format of individual secrets is discussed below.
See the TLS certificate tutorial for a simple guide to creating TLS certificates.
CA Secrets
All CA secrets must contain the tls.crt field (as per the kubernetes.io/tls spec) and are used to form a trust pool.
All other provided certificates must be signed by a certificate in the trust pool.
$ kubectl create secret tls couchbase-server-ca \
--cert example/pki/ca.crt \
--key example/pki/private/ca.key
When using Couchbase 7.0 and earlier, only one CA is supported, therefore all server and client certificates must be signed by the same root CA. Specifying multiple CA certificates with Couchbase Server 7.0 and earlier will result in undefined behavior.
Couchbase Cluster Configuration
The following configuration will enable managed TLS.
apiVersion: couchbase.com/v2
kind: CouchbaseCluster
spec:
  networking:
    tls:
      rootCAs:
      - couchbase-server-ca
      - couchbase-server-ca2   (1)
      secretSource:
        serverSecretName: couchbase-server-tls

(1) couchbaseclusters.spec.networking.tls.rootCAs: additional root CAs are added here.
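The rules above (each CA secret is a kubernetes.io/tls secret with a tls.crt field, every rootCAs entry must resolve to such a secret, and Couchbase Server 7.0 and earlier accepts exactly one CA) can be checked before the resource is applied. The preflight script below is an added example, not Couchbase documentation or Operator code; it assumes the secrets and the CouchbaseCluster have already been fetched as Python dicts (for example from kubectl get -o json), that the server version is passed as a "major.minor[.patch]" string, and it uses a constructed placeholder PEM rather than a real certificate.

```python
import base64
import re
# One PEM certificate block inside a tls.crt bundle (a CA secret may carry a chain).
PEM_CERT = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)

def count_ca_certs(secret):
    """Number of PEM certificates in a kubernetes.io/tls secret's tls.crt field."""
    name = secret["metadata"]["name"]
    if secret.get("type") != "kubernetes.io/tls":
        raise ValueError(f"{name}: secret type must be kubernetes.io/tls")
    b64 = secret.get("data", {}).get("tls.crt")
    if not b64:
        raise ValueError(f"{name}: tls.crt field is missing")
    certs = PEM_CERT.findall(base64.b64decode(b64).decode())
    if not certs:
        raise ValueError(f"{name}: tls.crt holds no PEM certificate")
    return len(certs)

def check_tls_config(cluster, secrets, server_version):
    """Return the problems found in spec.networking.tls; an empty list means OK."""
    tls = cluster["spec"]["networking"]["tls"]
    problems, pool = [], 0
    for ca in tls.get("rootCAs", []):
        secret = secrets.get(ca)
        if secret is None:
            problems.append(f"rootCAs secret {ca} not found")
            continue
        try:
            pool += count_ca_certs(secret)  # every cert in tls.crt joins the trust pool
        except ValueError as err:
            problems.append(str(err))
    if pool == 0:
        problems.append("trust pool is empty: no usable CA certificate")
    major, minor = (int(p) for p in server_version.split(".")[:2])  # assumes "major.minor[.patch]"
    if (major, minor) <= (7, 0) and pool > 1:  # 7.0 and earlier: exactly one CA is supported
        problems.append(f"Couchbase {server_version} supports one CA, trust pool has {pool}")
    server = tls.get("secretSource", {}).get("serverSecretName")
    if not server:
        problems.append("secretSource.serverSecretName is not set")
    elif server not in secrets:
        problems.append(f"server secret {server} not found")
    return problems

# Constructed sample data: the PEM body is a placeholder, not a real certificate.
FAKE_B64 = base64.b64encode(b"-----BEGIN CERTIFICATE-----\nMIIB...placeholder...\n-----END CERTIFICATE-----\n").decode()
SAMPLE_SECRETS = {n: {"metadata": {"name": n}, "type": "kubernetes.io/tls", "data": {"tls.crt": FAKE_B64}}
                  for n in ("couchbase-server-ca", "couchbase-server-ca2", "couchbase-server-tls")}
SAMPLE_CLUSTER = {"spec": {"networking": {"tls": {"rootCAs": ["couchbase-server-ca", "couchbase-server-ca2"],
                                                  "secretSource": {"serverSecretName": "couchbase-server-tls"}}}}}
```

Running check_tls_config(SAMPLE_CLUSTER, SAMPLE_SECRETS, "7.0.2") reports the two-CA trust pool as a problem, while the same spec passes for "7.1.0".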