cao
Installation
Make sure that you have downloaded the Operator package and unpacked it.
After you unpack the download, the resulting directory will be titled something like couchbase-autonomous-operator-kubernetes_x.x.x-linux_x86_64.
macOS
- Open a Terminal window and go to the directory where the cao binary is located:
$ cd couchbase-autonomous-operator-kubernetes_x.x.x-macos_x86_64/bin/
- Make the cao binary executable:
$ chmod +x ./cao
- Move the binary into your PATH:
$ sudo mv ./cao /usr/local/bin/cao
On newer versions of macOS, you may encounter errors such as cannot execute binary file when trying to use the tools included in the Autonomous Operator package.
If you encounter such an error, you’ll need to update your security settings as outlined in Apple’s support article on macOS Gatekeeper.
In System Preferences, click Security & Privacy, then click General.
Click the lock and enter your password to make changes.
Select App Store and identified developers under the header “Allow apps downloaded from.”
Linux
- Open a command prompt and go to the directory where the cao binary is located:
$ cd couchbase-autonomous-operator-kubernetes_x.x.x-linux_x86_64/bin/
- Make the cao binary executable:
$ chmod +x ./cao
- Move the binary into your PATH:
$ sudo mv ./cao /usr/local/bin/cao
Windows
- Open a command prompt and go to the directory where the cao binary is located:
$ cd couchbase-autonomous-operator-kubernetes_x.x.x-windows_x86_64\bin\
- Add the cao binary into your PATH.
cao certify [flags]
Runs the platform certification suite
It’s impossible to officially test every combination of Kubernetes platform, CNI and CSI plugin in order to give confidence that your specific combination will work as intended with the Operator. To this end, the certify command will run a platform certification subset of the official Operator tests to give confidence that your platform will work in a safe and supportable manner with managed Couchbase Server.
The certification process is relatively invasive, so we recommend that this command be executed on a dedicated test Kubernetes cluster and not a production one.
The certification process requires that it be allowed to create and delete namespaces in order to facilitate testing concurrently. It also requires permission to create roles and rolebindings in order to deploy the operator and dynamic admission controller. As such it will not be able to run without cluster wide roles that allow such functionality.
Resource access is scoped so that only couchbase.com CRDs and namespaces named 'test-*' are managed.
When running on a platform with Istio network service mesh, the dynamic admission controller will be installed into the default namespace, and MUST NOT have Istio injection enabled. The certification image MUST be installed in a non-default namespace with Istio injection enabled.
Examples
# Run platform certification with defaults
cao certify
# Run platform certification with a custom storage class
cao certify --storage-class my-class
# Run platform certification with private image repository
cao certify --registry=https://index.docker.io/v1/,username,password
# Run certification on an Istio enabled platform.
cao certify --namespace istio-enabled-namespace -- -istio
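A preflight check for the requirements described above (a dedicated test cluster, cluster-wide permission to create and delete namespaces and to create roles and rolebindings, and the Istio namespace rules), added here as an example and not part of the cao tooling. The `CERTIFY_ALLOWED_CONTEXTS` variable, the `KUBECTL` override and the function names are assumptions of this example, as is detecting injection through the `istio-injection=enabled` namespace label.

```shell
#!/bin/sh
# Added example: preflight checks to run before `cao certify`.
# Not part of cao. KUBECTL and CERTIFY_ALLOWED_CONTEXTS are assumptions of this example.
KUBECTL="${KUBECTL:-kubectl}"

# True if the current identity may perform verb $1 on resource $2 in every namespace.
can_i() {
    [ "$($KUBECTL auth can-i "$1" "$2" --all-namespaces 2>/dev/null)" = "yes" ]
}

# Print the value of the istio-injection label on namespace $1 (empty if unset).
# Limitation: revision-based injection (the istio.io/rev label) is not inspected.
ns_injection() {
    $KUBECTL get namespace "$1" -o "jsonpath={.metadata.labels.istio-injection}" 2>/dev/null
}

# preflight_certify NAMESPACE [yes|no]
#   NAMESPACE  the value you will pass to `cao certify --namespace`
#   yes        you will run certification with `-- -istio`
# Returns 0 only if every check passes; prints one FAIL line per problem.
preflight_certify() {
    ns="${1:-default}"
    istio="${2:-no}"
    rc=0

    # 1. Certification is invasive: refuse any kubeconfig context that the
    #    operator has not explicitly listed as a dedicated test cluster.
    ctx="$($KUBECTL config current-context 2>/dev/null)" || ctx=""
    allowed=no
    if [ -n "$ctx" ]; then
        for c in ${CERTIFY_ALLOWED_CONTEXTS:-}; do
            if [ "$c" = "$ctx" ]; then allowed=yes; fi
        done
    fi
    if [ "$allowed" != yes ]; then
        echo "FAIL: context '$ctx' is not listed in CERTIFY_ALLOWED_CONTEXTS" >&2
        rc=1
    fi

    # 2. Cluster-wide permissions the certification process needs.
    for check in create:namespaces delete:namespaces create:roles create:rolebindings; do
        if ! can_i "${check%%:*}" "${check#*:}"; then
            echo "FAIL: cannot ${check%%:*} ${check#*:} cluster-wide" >&2
            rc=1
        fi
    done

    # 3. Istio placement: the DAC goes into 'default' (no injection); the
    #    certification image goes into a non-default namespace with injection.
    if [ "$istio" = yes ]; then
        if [ "$(ns_injection default)" = enabled ]; then
            echo "FAIL: default namespace has Istio injection enabled" >&2
            rc=1
        fi
        if [ "$ns" = default ] || [ "$(ns_injection "$ns")" != enabled ]; then
            echo "FAIL: --namespace must be non-default with Istio injection enabled" >&2
            rc=1
        fi
    fi
    return "$rc"
}

# Usage (constructed names):
#   CERTIFY_ALLOWED_CONTEXTS="kind-certify" preflight_certify istio-enabled-namespace yes \
#     && cao certify --namespace istio-enabled-namespace -- -istio
```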
Flags
- --archive-name
-
Type: string
Default: couchbase-operator-certification
Set the default test archive name
- --clean
-
Type: bool
Default: false
Force a cleanup of existing resources on start up. These may have been left over from an earlier aborted run
- --collected-log-level
-
Type: int
Default: 0
Log level to be collected by cbopinfo
- --fsgroup
-
Type: int
Default: 1000
Set the file system group for persistent volumes.
- --image
-
Type: string
Default: couchbase/operator-certification:
Certification image to use
- --image-pull-policy
-
Type: string
Default: IfNotPresent
Pull Policy to use when downloading the Certification container
- --ipv6
-
Type: bool
Default: false
Force the use of IPv6 with Couchbase Server.
- --parallel
-
Type: int
Default: 8
Test concurrency
- --registry
-
Type: string
Allows container image registry configuration e.g. SERVER,USERNAME,PASSWORD. This will be added as an image pull secret. Can be specified multiple times.
- --storage-class
-
Type: string
Storage class to use for result artifacts and test volumes. The default storage class of the platform is used if not specified.
- --timeout
-
Type: string
Default: 12h
Maximum runtime to allow. 4h is enough for all tests on most platforms with 8 way concurrency. It may take over a day running with 1 way concurrency
- --use-fsgroup
-
Type: bool
Default: true
Use a file system group for persistent volumes.
Inherited Flags
- --as
-
Type: string
Username to impersonate for the operation. User could be a regular user or a service account in a namespace.
- --as-group
-
Type: stringArray
Default: []
Group to impersonate for the operation, this flag can be repeated to specify multiple groups.
- --as-uid
-
Type: string
UID to impersonate for the operation.
- --cache-dir
-
Type: string
Default: $HOME/.kube/cache
Default cache directory
- --certificate-authority
-
Type: string
Path to a cert file for the certificate authority
- --client-certificate
-
Type: string
Path to a client certificate file for TLS
- --client-key
-
Type: string
Path to a client key file for TLS
- --cluster
-
Type: string
The name of the kubeconfig cluster to use
- --context
-
Type: string
The name of the kubeconfig context to use
- --insecure-skip-tls-verify
-
Type: bool
Default: false
If true, the server’s certificate will not be checked for validity. This will make your HTTPS connections insecure
- --kubeconfig
-
Type: string
Path to the kubeconfig file to use for CLI requests.
- --namespace, -n
-
Type: string
If present, the namespace scope for this CLI request
- --request-timeout
-
Type: string
Default: 0
The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don’t timeout requests.
- --server, -s
-
Type: string
The address and port of the Kubernetes API server
- --tls-server-name
-
Type: string
Server name to use for server certificate validation. If it is not provided, the hostname used to contact the server is used
- --token
-
Type: string
Bearer token for authentication to the API server
- --user
-
Type: string
The name of the kubeconfig user to use
cao collect-logs [flags]
Log and resource collection for Couchbase Autonomous Operator support.
When you encounter a problem with the Autonomous Operator, our support teams require more than just the last line of the logs to diagnose and, ultimately, resolve the issue quickly.
Log collection, in its most basic form, collects all resources associated with the Autonomous Operator and Couchbase clusters in the specified namespace; this includes associated logs and events. Most resource types are filtered, so the tool collects only what is necessary. Where filtering is not possible, all instances of that resource are collected, so it may be desirable to segregate the Autonomous Operator into its own namespace. Secrets, for example, are not filtered, but the tool redacts values, so if your support request relates to TLS, you may need to manually collect these resources and include them in your support request.
Collected Resources
Collected resources are categorised based on log level and scope.
- Log level
-
Required: Couchbase resources and those scoped to the cluster.
Sensitive: may include secrets, roles, etc
- Scope
-
all: All resources found
cluster: All resources associated with a cluster
name: All resources limited by cluster names
namespace: All resources limited by namespace name
group: All resources limited by resource name
operator: Only the Operator deployment
Log Level - Required
- CouchbaseCollectionGroup
-
Log Level: Required
Scope: all
- CouchbaseBucket
-
Log Level: Required
Scope: all
- CouchbaseEphemeralBucket
-
Log Level: Required
Scope: all
- CouchbaseMemcachedBucket
-
Log Level: Required
Scope: all
- CouchbaseReplication
-
Log Level: Required
Scope: all
- CouchbaseUser
-
Log Level: Required
Scope: all
- CouchbaseGroup
-
Log Level: Required
Scope: all
- CouchbaseRoleBinding
-
Log Level: Required
Scope: all
- CouchbaseBackup
-
Log Level: Required
Scope: all
- CouchbaseBackupRestore
-
Log Level: Required
Scope: all
- CouchbaseAutoscaler
-
Log Level: Required
Scope: all
- CouchbaseScope
-
Log Level: Required
Scope: all
- CouchbaseScopeGroup
-
Log Level: Required
Scope: all
- CouchbaseCollection
-
Log Level: Required
Scope: all
- Service
-
Log Level: Required
Scope: cluster
- ConfigMap
-
Log Level: Required
Scope: cluster
Reason: Used to determine issues with Couchbase Cluster state, server environment variables, and logging configuration
- Endpoints
-
Log Level: Required
Scope: cluster
- PodDisruptionBudget
-
Log Level: Required
Scope: cluster
Reason: Used to determine issues with automatic Kubernetes upgrades
- Pod
-
Log Level: Required
Scope: cluster
- CronJob
-
Log Level: Required
Scope: cluster
Reason: Used to determine issues with Cronjobs for scheduled backups
- PersistentVolumeClaim
-
Log Level: Required
Scope: cluster
Reason: Used to determine compatibility issues with underlying persistent volume
- Job
-
Log Level: Required
Scope: cluster
Reason: Used to determine issues with Jobs created for restoring from backup
- CustomResourceDefinition
-
Log Level: Required
Scope: group
Reason: Used to determine issues with installed CRD version against installed Operator and DAC version
- CouchbaseCluster
-
Log Level: Required
Scope: name
- Namespace
-
Log Level: Required
Scope: namespace
- Deployment
-
Log Level: Required
Scope: operator
Reason: Used to determine issues with Operator and Dynamic Admission Control deployments
Log Level - Sensitive
- ServiceAccount
-
Log Level: Sensitive
Scope: all
- ClusterRole
-
Log Level: Sensitive
Scope: all
Reason: Used to determine whether RBAC is correctly set up for the running Operator version.
- Role
-
Log Level: Sensitive
Scope: all
Reason: Used to determine whether RBAC is correctly set up for the running Operator version.
- RoleBinding
-
Log Level: Sensitive
Scope: all
Reason: Used to determine whether RBAC is correctly set up for the running Operator version.
- Secret
-
Log Level: Sensitive
Scope: all
Reason: Used to determine issues with stored cluster passwords, TLS configurations and other private keys stored in secrets
- PersistentVolume
-
Log Level: Sensitive
Scope: all
Reason: Used to determine compatibility issues with underlying persistent volume
- Node
-
Log Level: Sensitive
Scope: all
Reason: Used to determine issues with orchestration platform and identify potential image problems
- ClusterRoleBinding
-
Log Level: Sensitive
Scope: all
Reason: Used to determine whether RBAC is correctly set up for the running Operator version.
Examples
# Collect operator and all couchbase cluster resources
cao collect-logs
# Collect operator and a named cluster's resources
cao collect-logs --couchbase-cluster my-cluster
# Collect operator resources and Couchbase Server logs
cao collect-logs --collectinfo --collectinfo-collect=all
# Collect operator and system (kube-system) resources
cao collect-logs --system
# Collect all known resources, applying no filtering
cao collect-logs --all
# Collect only required resources, filtering potentially sensitive information
cao collect-logs --log-level 0
Flags
- --all
-
Type: bool
Default: false
Collect all resources from the namespace
- --collectinfo
-
Type: bool
Default: false
Collect couchbase server logs
- --collectinfo-collect
-
Type: string
Collect couchbase server logs non-interactively, requires the --collectinfo flag to be set
- --collectinfo-list
-
Type: bool
Default: false
List all log sources in json and exit, requires the --collectinfo flag to be set
- --collectinfo-redact
-
Type: bool
Default: false
Redact couchbase server logs, requires the --collectinfo flag to be set
- --couchbase-cluster
-
Type: string
Collect only resource for the named CouchbaseCluster, may be used multiple times
- --directory
-
Type: string
Collect logs in a specific directory
- --log-level
-
Type: int
Default: 0
Control the verbosity of collection: 0 will collect couchbase resources and those scoped to the cluster; 1 will collect more sensitive things that may be required for support, such as secrets, roles, etc.
- --operator-image
-
Type: string
Default: couchbase/operator:
Operator image name
- --operator-metrics-port
-
Type: string
Default: 8383
Operator metrics port
- --operator-rest-port
-
Type: string
Default: 8080
Operator rest port
- --server-image
-
Type: string
Default: couchbase/server:6.6.2
Couchbase server image
- --system
-
Type: bool
Default: false
Collect kube-system resources and logs
Inherited Flags
- --as
-
Type: string
Username to impersonate for the operation. User could be a regular user or a service account in a namespace.
- --as-group
-
Type: stringArray
Default: []
Group to impersonate for the operation, this flag can be repeated to specify multiple groups.
- --as-uid
-
Type: string
UID to impersonate for the operation.
- --cache-dir
-
Type: string
Default: $HOME/.kube/cache
Default cache directory
- --certificate-authority
-
Type: string
Path to a cert file for the certificate authority
- --client-certificate
-
Type: string
Path to a client certificate file for TLS
- --client-key
-
Type: string
Path to a client key file for TLS
- --cluster
-
Type: string
The name of the kubeconfig cluster to use
- --context
-
Type: string
The name of the kubeconfig context to use
- --insecure-skip-tls-verify
-
Type: bool
Default: false
If true, the server’s certificate will not be checked for validity. This will make your HTTPS connections insecure
- --kubeconfig
-
Type: string
Path to the kubeconfig file to use for CLI requests.
- --namespace, -n
-
Type: string
If present, the namespace scope for this CLI request
- --request-timeout
-
Type: string
Default: 0
The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don’t timeout requests.
- --server, -s
-
Type: string
The address and port of the Kubernetes API server
- --tls-server-name
-
Type: string
Server name to use for server certificate validation. If it is not provided, the hostname used to contact the server is used
- --token
-
Type: string
Bearer token for authentication to the API server
- --user
-
Type: string
The name of the kubeconfig user to use
cao create admission [flags]
Creates the dynamic admission controller.
The DAC is designed to be deployed at the cluster scope (default). It monitors Couchbase resources as they are created and modified, accepting, or rejecting them, before they are persisted in etcd.
Use of the DAC is encouraged as it will report any configuration errors that are specific to deployment of Couchbase resources that aren’t available by default in the Kubernetes API. For example, this includes validating memory quotas are satisfiable, TLS certificates are correctly configured, and any resources referenced actually exist.
Examples
# Create admission controller (recommended).
cao create admission
# Create admission controller scoped to a namespace.
cao create admission --scope namespace --namespace-selector key=value
# Create admission controller with custom image and secure image registry.
cao create admission --image acme.corp/admission:1.0.0 --image-pull-secret secret-name
# Create admission controller without secret access.
cao create admission --validate-secrets=false
# Create admission controller with debug logging.
cao create admission --log-level debug
Flags
- --cpu-limit
-
Type: quantity
Default: 1
CPU limit for constraining, only valid when used with --with-resources
- --cpu-request
-
Type: quantity
Default: 500m
CPU requested for scheduling, only valid when used with --with-resources
- --image
-
Type: string
Default: couchbase/admission-controller:
Operator image to use
- --image-pull-policy
-
Type: string
Default: IfNotPresent
Image pull policy to affect when the image is downloaded.
- --image-pull-secret
-
Type: string
Image pull secret to allow access to the operator image
- --log-level
-
Type: string
Default: info
Log level to generate logs at. "info", or "0", prints basic operations. "debug", or "1" prints extended information.
- --memory-limit
-
Type: quantity
Default: 200Mi
Memory limit for constraining, only valid when used with --with-resources
- --memory-request
-
Type: quantity
Default: 100Mi
Memory requested for scheduling, only valid when used with --with-resources
- --namespace-selector
-
Type: map
Required namespace selector to use when scope is set to 'namespace'. Format label=value[,label=value].
- --replicas
-
Type: int
Default: 1
The number of replicas in the deployment
- --scope
-
Type: string
Default: cluster
Whether to scope the Operator to a 'namespace' or to the 'cluster'.
- --validate-secrets
-
Type: bool
Default: true
Validates secrets referenced by Couchbase resources, and their contents e.g. TLS configuration, for validity
- --validate-storage-classes
-
Type: bool
Default: true
Validates storage classes referenced by Couchbase resources
- --with-resources
-
Type: bool
Default: false
Populates pod resource requests and limits
Inherited Flags
- --as
-
Type: string
Username to impersonate for the operation. User could be a regular user or a service account in a namespace.
- --as-group
-
Type: stringArray
Default: []
Group to impersonate for the operation, this flag can be repeated to specify multiple groups.
- --as-uid
-
Type: string
UID to impersonate for the operation.
- --cache-dir
-
Type: string
Default: $HOME/.kube/cache
Default cache directory
- --certificate-authority
-
Type: string
Path to a cert file for the certificate authority
- --client-certificate
-
Type: string
Path to a client certificate file for TLS
- --client-key
-
Type: string
Path to a client key file for TLS
- --cluster
-
Type: string
The name of the kubeconfig cluster to use
- --context
-
Type: string
The name of the kubeconfig context to use
- --insecure-skip-tls-verify
-
Type: bool
Default: false
If true, the server’s certificate will not be checked for validity. This will make your HTTPS connections insecure
- --kubeconfig
-
Type: string
Path to the kubeconfig file to use for CLI requests.
- --namespace, -n
-
Type: string
If present, the namespace scope for this CLI request
- --request-timeout
-
Type: string
Default: 0
The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don’t timeout requests.
- --server, -s
-
Type: string
The address and port of the Kubernetes API server
- --tls-server-name
-
Type: string
Server name to use for server certificate validation. If it is not provided, the hostname used to contact the server is used
- --token
-
Type: string
Bearer token for authentication to the API server
- --user
-
Type: string
The name of the kubeconfig user to use
cao create backup [flags]
Creates backup roles.
Flags
- --iam-role-arn
-
Type: string
Adds the IAM Role ARN to the backup service account’s annotation, e.g. arn:aws:iam::<ACCOUNT_ID>:role/<IAM_ROLE_NAME>
Inherited Flags
- --as
-
Type: string
Username to impersonate for the operation. User could be a regular user or a service account in a namespace.
- --as-group
-
Type: stringArray
Default: []
Group to impersonate for the operation, this flag can be repeated to specify multiple groups.
- --as-uid
-
Type: string
UID to impersonate for the operation.
- --cache-dir
-
Type: string
Default: $HOME/.kube/cache
Default cache directory
- --certificate-authority
-
Type: string
Path to a cert file for the certificate authority
- --client-certificate
-
Type: string
Path to a client certificate file for TLS
- --client-key
-
Type: string
Path to a client key file for TLS
- --cluster
-
Type: string
The name of the kubeconfig cluster to use
- --context
-
Type: string
The name of the kubeconfig context to use
- --insecure-skip-tls-verify
-
Type: bool
Default: false
If true, the server’s certificate will not be checked for validity. This will make your HTTPS connections insecure
- --kubeconfig
-
Type: string
Path to the kubeconfig file to use for CLI requests.
- --namespace, -n
-
Type: string
If present, the namespace scope for this CLI request
- --request-timeout
-
Type: string
Default: 0
The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don’t timeout requests.
- --server, -s
-
Type: string
The address and port of the Kubernetes API server
- --tls-server-name
-
Type: string
Server name to use for server certificate validation. If it is not provided, the hostname used to contact the server is used
- --token
-
Type: string
Bearer token for authentication to the API server
- --user
-
Type: string
The name of the kubeconfig user to use
cao create operator [flags]
Creates the Couchbase Autonomous Operator.
The Operator is designed to be run at the namespace scope (default). It watches for creation of CouchbaseCluster resources in that namespace and provides automated provisioning, management and disaster recovery of Couchbase Server.
Examples
# Create operator (recommended).
cao create operator
# Create operator scoped to the cluster.
cao create operator --scope cluster
# Create operator with a custom image and secure image registry.
cao create operator --image acme.corp/operator:1.0.0 --image-pull-secret secret-name
# Create operator with debug logging.
cao create operator --log-level debug
# Create operator with extended timeouts (for slow platforms).
cao create operator --pod-creation-timeout 1h
Flags
- --cpu-limit
-
Type: quantity
Default: 1
CPU limit for constraining
- --cpu-request
-
Type: quantity
Default: 500m
CPU requested for scheduling
- --image
-
Type: string
Default: couchbase/operator:
Operator image to use.
- --image-pull-policy
-
Type: string
Default: IfNotPresent
Image pull policy to affect when the image is downloaded.
- --image-pull-secret
-
Type: string
Image pull secret to allow access to the operator image.
- --log-level
-
Type: string
Default: info
Log level to generate logs at. "info", or "0", prints basic operations. "debug", or "1" prints extended information and API calls. "2" prints very detailed logs, including full API payloads that may contain passwords and keys.
- --memory-limit
-
Type: quantity
Default: 400Mi
Memory limit for constraining
- --memory-request
-
Type: quantity
Default: 200Mi
Memory requested for scheduling
- --pod-creation-timeout
-
Type: string
Default: 10m0s
How long to wait before declaring an error when provisioning a pod.
- --scope
-
Type: string
Default: namespace
Whether to scope the Operator to a 'namespace' or to the 'cluster'.
- --with-resources
-
Type: bool
Default: false
Populates pod resource requests and limits
Inherited Flags
- --as
-
Type: string
Username to impersonate for the operation. User could be a regular user or a service account in a namespace.
- --as-group
-
Type: stringArray
Default: []
Group to impersonate for the operation, this flag can be repeated to specify multiple groups.
- --as-uid
-
Type: string
UID to impersonate for the operation.
- --cache-dir
-
Type: string
Default: $HOME/.kube/cache
Default cache directory
- --certificate-authority
-
Type: string
Path to a cert file for the certificate authority
- --client-certificate
-
Type: string
Path to a client certificate file for TLS
- --client-key
-
Type: string
Path to a client key file for TLS
- --cluster
-
Type: string
The name of the kubeconfig cluster to use
- --context
-
Type: string
The name of the kubeconfig context to use
- --insecure-skip-tls-verify
-
Type: bool
Default: false
If true, the server’s certificate will not be checked for validity. This will make your HTTPS connections insecure
- --kubeconfig
-
Type: string
Path to the kubeconfig file to use for CLI requests.
- --namespace, -n
-
Type: string
If present, the namespace scope for this CLI request
- --request-timeout
-
Type: string
Default: 0
The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don’t timeout requests.
- --server, -s
-
Type: string
The address and port of the Kubernetes API server
- --tls-server-name
-
Type: string
Server name to use for server certificate validation. If it is not provided, the hostname used to contact the server is used
- --token
-
Type: string
Bearer token for authentication to the API server
- --user
-
Type: string
The name of the kubeconfig user to use
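Several flags documented above weaken TLS or expose secrets on the command line, in logs or in support archives: `--insecure-skip-tls-verify`, `--token`, `--registry` with a password, `--log-level 2` on `cao create operator`, and `cao collect-logs` with `--log-level 1`, `--all`, or `--collectinfo` without `--collectinfo-redact`. The following linter for deployment scripts is an added example, not part of cao; its finding codes, function names and sample script lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag risky `cao` invocations in a deployment script.
# Not part of cao; finding codes and function names are this example's own.

# True if string $1 matches extended regex $2.
_has() { printf '%s\n' "$1" | grep -Eq -e "$2"; }

# Print one finding per risky flag found on a single command line ($1).
lint_cao_line() {
    line="$1"
    # Only inspect lines that actually invoke cao.
    _has "$line" '(^|[[:space:]/])cao[[:space:]]' || return 0
    end='([[:space:]]|$)'   # a flag or value ends at whitespace or end of line

    if _has "$line" "--insecure-skip-tls-verify(=true)?$end"; then
        echo "TLS-VERIFY-OFF API server certificate is not checked"
    fi
    if _has "$line" '--token[=[:space:]]+[^[:space:]]'; then
        echo "TOKEN-IN-ARGV bearer token is visible in process listings and shell history"
    fi
    if _has "$line" '--registry[=[:space:]]+[^,[:space:]]+,[^,[:space:]]+,[^[:space:]]+'; then
        echo "REGISTRY-CRED registry password passed on the command line"
    fi
    if _has "$line" 'create[[:space:]]+operator' &&
       _has "$line" "--log-level[=[:space:]]+2$end"; then
        echo "OPERATOR-LOG-2 operator logs full API payloads that may contain passwords and keys"
    fi
    if _has "$line" 'collect-logs'; then
        if _has "$line" "--log-level[=[:space:]]+1$end" || _has "$line" "--all$end"; then
            echo "COLLECT-SENSITIVE archive may include secrets and roles; review before sharing"
        fi
        if _has "$line" "--collectinfo$end" &&
           ! _has "$line" "--collectinfo-redact(=true)?$end"; then
            echo "COLLECTINFO-UNREDACTED Couchbase Server logs collected without --collectinfo-redact"
        fi
    fi
    return 0
}

# Lint a script on stdin. Prints "line N: CODE message"; returns 1 if anything was found.
lint_cao() {
    n=0
    found=0
    while IFS= read -r l || [ -n "$l" ]; do
        n=$((n + 1))
        out="$(lint_cao_line "$l")"
        if [ -n "$out" ]; then
            found=1
            printf '%s\n' "$out" | sed "s/^/line $n: /"
        fi
    done
    return "$found"
}

# Constructed sample input (not from a real deployment).
sample_script() {
    cat <<'EOF'
cao create admission
cao create operator --log-level 2
cao certify --registry=https://index.docker.io/v1/,username,password
cao collect-logs --collectinfo --collectinfo-collect=all
cao collect-logs --log-level 0
cao delete operator --insecure-skip-tls-verify --token PLACEHOLDER_TOKEN
EOF
}

# Run the linter over the sample when invoked as: sh lint_cao.sh --demo
if [ "${1:-}" = "--demo" ]; then
    sample_script | lint_cao || true
fi
```

To lint a real script, source the file and run `lint_cao < deploy.sh`; a non-zero return can fail a CI job.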
cao delete admission [flags]
Deletes the dynamic admission controller.
Examples
# Delete admission controller (recommended).
cao delete admission
# Delete admission controller scoped to a namespace.
cao delete admission --scope namespace
Flags
- --scope
-
Type: string
Default: cluster
Whether to scope the Operator to a 'namespace' or to the 'cluster'.
Inherited Flags
- --as
-
Type: string
Username to impersonate for the operation. User could be a regular user or a service account in a namespace.
- --as-group
-
Type: stringArray
Default: []
Group to impersonate for the operation, this flag can be repeated to specify multiple groups.
- --as-uid
-
Type: string
UID to impersonate for the operation.
- --cache-dir
-
Type: string
Default: $HOME/.kube/cache
Default cache directory
- --certificate-authority
-
Type: string
Path to a cert file for the certificate authority
- --client-certificate
-
Type: string
Path to a client certificate file for TLS
- --client-key
-
Type: string
Path to a client key file for TLS
- --cluster
-
Type: string
The name of the kubeconfig cluster to use
- --context
-
Type: string
The name of the kubeconfig context to use
- --insecure-skip-tls-verify
-
Type: bool
Default: false
If true, the server’s certificate will not be checked for validity. This will make your HTTPS connections insecure
- --kubeconfig
-
Type: string
Path to the kubeconfig file to use for CLI requests.
- --namespace, -n
-
Type: string
If present, the namespace scope for this CLI request
- --request-timeout
-
Type: string
Default: 0
The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don’t timeout requests.
- --server, -s
-
Type: string
The address and port of the Kubernetes API server
- --tls-server-name
-
Type: string
Server name to use for server certificate validation. If it is not provided, the hostname used to contact the server is used
- --token
-
Type: string
Bearer token for authentication to the API server
- --user
-
Type: string
The name of the kubeconfig user to use
cao delete backup
Deletes backup roles.
Inherited Flags
- --as
-
Type: string
Username to impersonate for the operation. User could be a regular user or a service account in a namespace.
- --as-group
-
Type: stringArray
Default: []
Group to impersonate for the operation, this flag can be repeated to specify multiple groups.
- --as-uid
-
Type: string
UID to impersonate for the operation.
- --cache-dir
-
Type: string
Default: $HOME/.kube/cache
Default cache directory
- --certificate-authority
-
Type: string
Path to a cert file for the certificate authority
- --client-certificate
-
Type: string
Path to a client certificate file for TLS
- --client-key
-
Type: string
Path to a client key file for TLS
- --cluster
-
Type: string
The name of the kubeconfig cluster to use
- --context
-
Type: string
The name of the kubeconfig context to use
- --insecure-skip-tls-verify
-
Type: bool
Default: false
If true, the server’s certificate will not be checked for validity. This will make your HTTPS connections insecure
- --kubeconfig
-
Type: string
Path to the kubeconfig file to use for CLI requests.
- --namespace, -n
-
Type: string
If present, the namespace scope for this CLI request
- --request-timeout
-
Type: string
Default: 0
The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don’t timeout requests.
- --server, -s
-
Type: string
The address and port of the Kubernetes API server
- --tls-server-name
-
Type: string
Server name to use for server certificate validation. If it is not provided, the hostname used to contact the server is used
- --token
-
Type: string
Bearer token for authentication to the API server
- --user
-
Type: string
The name of the kubeconfig user to use
cao delete operator [flags]
Deletes the Couchbase Autonomous Operator.
Examples
# Delete operator (recommended).
cao delete operator
# Delete operator scoped to the cluster.
cao delete operator --scope cluster
Flags
- --scope
-
Type: string
Default: namespace
Whether to scope the Operator to a 'namespace' or to the 'cluster'.
Inherited Flags
- --as
-
Type: string
Username to impersonate for the operation. User could be a regular user or a service account in a namespace.
- --as-group
-
Type: stringArray
Default: []
Group to impersonate for the operation, this flag can be repeated to specify multiple groups.
- --as-uid
-
Type: string
UID to impersonate for the operation.
- --cache-dir
-
Type: string
Default: $HOME/.kube/cache
Default cache directory
- --certificate-authority
-
Type: string
Path to a cert file for the certificate authority
- --client-certificate
-
Type: string
Path to a client certificate file for TLS
- --client-key
-
Type: string
Path to a client key file for TLS
- --cluster
-
Type: string
The name of the kubeconfig cluster to use
- --context
-
Type: string
The name of the kubeconfig context to use
- --insecure-skip-tls-verify
-
Type: bool
Default: false
If true, the server’s certificate will not be checked for validity. This will make your HTTPS connections insecure
- --kubeconfig
-
Type: string
Path to the kubeconfig file to use for CLI requests.
- --namespace, -n
-
Type: string
If present, the namespace scope for this CLI request
- --request-timeout
-
Type: string
Default: 0
The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don’t timeout requests.
- --server, -s
-
Type: string
The address and port of the Kubernetes API server
- --tls-server-name
-
Type: string
Server name to use for server certificate validation. If it is not provided, the hostname used to contact the server is used
- --token
-
Type: string
Bearer token for authentication to the API server
- --user
-
Type: string
The name of the kubeconfig user to use
cao generate admission [flags]
Generates YAML for the dynamic admission controller.
The DAC is designed to be deployed at the cluster scope (default). It monitors Couchbase resources as they are created and modified, accepting, or rejecting them, before they are persisted in etcd.
Use of the DAC is encouraged as it will report any configuration errors that are specific to deployment of Couchbase resources that aren’t available by default in the Kubernetes API. For example, this includes validating memory quotas are satisfiable, TLS certificates are correctly configured, and any resources referenced actually exist.
Examples
# Create admission controller (recommended).
cao generate admission
# Create admission controller scoped to a namespace.
cao generate admission --scope namespace --namespace-selector key=value
# Create admission controller with custom image and secure image registry.
cao generate admission --image acme.corp/admission:1.0.0 --image-pull-secret secret-name
# Create admission controller without secret access.
cao generate admission --validate-secrets=false
# Create admission controller with debug logging.
cao generate admission --log-level debug
Flags
- --cpu-limit
-
Type: quantity
Default: 1
CPU limit for constraining, only valid when used with --with-resources
- --cpu-request
-
Type: quantity
Default: 500m
CPU requested for scheduling, only valid when used with --with-resources
- --image
-
Type: string
Default: couchbase/admission-controller:
Operator image to use
- --image-pull-policy
-
Type: string
Default: IfNotPresent
Image pull policy to affect when the image is downloaded.
- --image-pull-secret
-
Type: string
Image pull secret to allow access to the operator image
- --log-level
-
Type: string
Default: info
Log level to generate logs at. "info", or "0", prints basic operations. "debug", or "1" prints extended information.
- --memory-limit
-
Type: quantity
Default: 200Mi
Memory limit for constraining, only valid when used with --with-resources
- --memory-request
-
Type: quantity
Default: 100Mi
Memory requested for scheduling, only valid when used with --with-resources
- --namespace-selector
-
Type: map
Required namespace selector to use when scope is set to 'namespace'. Format label=value[,label=value].
- --replicas
-
Type: int
Default: 1
The number of replicas in the deployment
- --scope
-
Type: string
Default: cluster
Whether to scope the Operator to a 'namespace' or to the 'cluster'.
- --validate-secrets
-
Type: bool
Default: true
Validates secrets referenced by Couchbase resources, and their contents e.g. TLS configuration, for validity
- --validate-storage-classes
-
Type: bool
Default: true
Validates storage classes referenced by Couchbase resources
- --with-resources
-
Type: bool
Default: false
Populates pod resource requests and limits
Inherited Flags
- --as
-
Type: string
Username to impersonate for the operation. User could be a regular user or a service account in a namespace.
- --as-group
-
Type: stringArray
Default: []
Group to impersonate for the operation, this flag can be repeated to specify multiple groups.
- --as-uid
-
Type: string
UID to impersonate for the operation.
- --cache-dir
-
Type: string
Default: $HOME/.kube/cache
Default cache directory
- --certificate-authority
-
Type: string
Path to a cert file for the certificate authority
- --client-certificate
-
Type: string
Path to a client certificate file for TLS
- --client-key
-
Type: string
Path to a client key file for TLS
- --cluster
-
Type: string
The name of the kubeconfig cluster to use
- --context
-
Type: string
The name of the kubeconfig context to use
- --insecure-skip-tls-verify
-
Type: bool
Default: false
If true, the server’s certificate will not be checked for validity. This will make your HTTPS connections insecure
- --kubeconfig
-
Type: string
Path to the kubeconfig file to use for CLI requests.
- --namespace, -n
-
Type: string
If present, the namespace scope for this CLI request
- --request-timeout
-
Type: string
Default: 0
The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don’t timeout requests.
- --server, -s
-
Type: string
The address and port of the Kubernetes API server
- --tls-server-name
-
Type: string
Server name to use for server certificate validation. If it is not provided, the hostname used to contact the server is used
- --token
-
Type: string
Bearer token for authentication to the API server
- --user
-
Type: string
The name of the kubeconfig user to use
cao generate backup [flags]
Generates YAML for backup jobs.
Flags
- --iam-role-arn
-
Type: string
Adds the IAM Role ARN to the backup service account’s annotation, e.g. arn:aws:iam::<ACCOUNT_ID>:role/<IAM_ROLE_NAME>
Inherited Flags
- --as
-
Type: string
Username to impersonate for the operation. User could be a regular user or a service account in a namespace.
- --as-group
-
Type: stringArray
Default: []
Group to impersonate for the operation, this flag can be repeated to specify multiple groups.
- --as-uid
-
Type: string
UID to impersonate for the operation.
- --cache-dir
-
Type: string
Default: $HOME/.kube/cache
Default cache directory
- --certificate-authority
-
Type: string
Path to a cert file for the certificate authority
- --client-certificate
-
Type: string
Path to a client certificate file for TLS
- --client-key
-
Type: string
Path to a client key file for TLS
- --cluster
-
Type: string
The name of the kubeconfig cluster to use
- --context
-
Type: string
The name of the kubeconfig context to use
- --insecure-skip-tls-verify
-
Type: bool
Default: false
If true, the server’s certificate will not be checked for validity. This will make your HTTPS connections insecure
- --kubeconfig
-
Type: string
Path to the kubeconfig file to use for CLI requests.
- --namespace, -n
-
Type: string
If present, the namespace scope for this CLI request
- --request-timeout
-
Type: string
Default: 0
The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don’t timeout requests.
- --server, -s
-
Type: string
The address and port of the Kubernetes API server
- --tls-server-name
-
Type: string
Server name to use for server certificate validation. If it is not provided, the hostname used to contact the server is used
- --token
-
Type: string
Bearer token for authentication to the API server
- --user
-
Type: string
The name of the kubeconfig user to use
cao generate operator [flags]
Generates YAML for the Couchbase Autonomous Operator.
The Operator is designed to be run at the namespace scope (default). It watches for creation of CouchbaseCluster resources in that namespace and provides automated provisioning, management and disaster recovery of Couchbase Server.
Examples
# Create operator (recommended).
cao generate operator
# Create operator scoped to the cluster.
cao generate operator --scope cluster
# Create operator with a custom image and secure image registry.
cao generate operator --image acme.corp/operator:1.0.0 --image-pull-secret secret-name
# Create operator with debug logging.
cao generate operator --log-level debug
# Create operator with extended timeouts (for slow platforms).
cao generate operator --pod-creation-timeout 1h
Flags
- --cpu-limit
-
Type: quantity
Default: 1
CPU limit for constraining
- --cpu-request
-
Type: quantity
Default: 500m
CPU requested for scheduling
- --image
-
Type: string
Default: couchbase/operator:
Operator image to use.
- --image-pull-policy
-
Type: string
Default: IfNotPresent
Image pull policy to affect when the image is downloaded.
- --image-pull-secret
-
Type: string
Image pull secret to allow access to the operator image.
- --log-level
-
Type: string
Default: info
Log level to generate logs at. "info", or "0", prints basic operations. "debug", or "1" prints extended information and API calls. "2" prints very detailed logs, including full API payloads that may contain passwords and keys.
- --memory-limit
-
Type: quantity
Default: 400Mi
Memory limit for constraining
- --memory-request
-
Type: quantity
Default: 200Mi
Memory requested for scheduling
- --pod-creation-timeout
-
Type: string
Default: 10m0s
How long to wait before declaring an error when provisioning a pod.
- --scope
-
Type: string
Default: namespace
Whether to scope the Operator to a 'namespace' or to the 'cluster'.
- --with-resources
-
Type: bool
Default: false
Populates pod resource requests and limits
Inherited Flags
- --as
-
Type: string
Username to impersonate for the operation. User could be a regular user or a service account in a namespace.
- --as-group
-
Type: stringArray
Default: []
Group to impersonate for the operation, this flag can be repeated to specify multiple groups.
- --as-uid
-
Type: string
UID to impersonate for the operation.
- --cache-dir
-
Type: string
Default: $HOME/.kube/cache
Default cache directory
- --certificate-authority
-
Type: string
Path to a cert file for the certificate authority
- --client-certificate
-
Type: string
Path to a client certificate file for TLS
- --client-key
-
Type: string
Path to a client key file for TLS
- --cluster
-
Type: string
The name of the kubeconfig cluster to use
- --context
-
Type: string
The name of the kubeconfig context to use
- --insecure-skip-tls-verify
-
Type: bool
Default: false
If true, the server’s certificate will not be checked for validity. This will make your HTTPS connections insecure
- --kubeconfig
-
Type: string
Path to the kubeconfig file to use for CLI requests.
- --namespace, -n
-
Type: string
If present, the namespace scope for this CLI request
- --request-timeout
-
Type: string
Default: 0
The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don’t timeout requests.
- --server, -s
-
Type: string
The address and port of the Kubernetes API server
- --tls-server-name
-
Type: string
Server name to use for server certificate validation. If it is not provided, the hostname used to contact the server is used
- --token
-
Type: string
Bearer token for authentication to the API server
- --user
-
Type: string
The name of the kubeconfig user to use
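The flag descriptions above mark several settings as security-relevant. The following is an added example, not part of the cao tooling, that audits a cao command line (for instance one found in a CI script) for those settings. It assumes boolean flags are written bare or as --flag=value, as in the examples on this page; the function names and sample commands are constructed for illustration.

```python
import shlex

# Boolean flags documented on this page; written bare they mean "true".
BOOL_FLAGS = {"--insecure-skip-tls-verify", "--validate-secrets",
              "--validate-storage-classes", "--with-resources"}
TRUE_VALUES = {"1", "t", "true"}


def parse(command):
    """Split a cao command line into (subcommand words, {flag: value})."""
    words = shlex.split(command)
    if not words or words[0] != "cao":
        raise ValueError("not a cao command line")
    sub, flags, i = [], {}, 1
    while i < len(words):
        word = words[i]
        if word.startswith("-"):
            name, has_value, value = word.partition("=")
            if not has_value:
                if name in BOOL_FLAGS:
                    value = "true"          # bare boolean flag
                elif i + 1 < len(words):
                    i += 1                  # value is the next word
                    value = words[i]
            flags[name] = value
        else:
            sub.append(word)
        i += 1
    return sub, flags


def audit(command):
    """Return [(flag, reason)] for settings the page itself marks as risky."""
    sub, flags = parse(command)
    findings = []
    if flags.get("--insecure-skip-tls-verify", "false").lower() in TRUE_VALUES:
        findings.append(("--insecure-skip-tls-verify",
                         "API server certificate is not checked for validity"))
    if "--token" in flags:
        findings.append(("--token",
                         "bearer token is passed on the command line"))
    if sub[:2] == ["generate", "operator"] and flags.get("--log-level") == "2":
        findings.append(("--log-level",
                         "full API payloads that may contain passwords and keys are logged"))
    if (sub[:2] == ["generate", "admission"]
            and flags.get("--validate-secrets", "true").lower() not in TRUE_VALUES):
        findings.append(("--validate-secrets",
                         "referenced secrets and their contents are not validated"))
    if sub[:1] == ["restore"] and flags.get("--strategy") == "replace":
        findings.append(("--strategy",
                         "replacement may cause data loss"))
    return findings


if __name__ == "__main__":
    # Constructed command lines built from the flags documented above.
    for cmd in ["cao generate operator --log-level 2",
                "cao generate admission --validate-secrets=false",
                "cao restore -f save-data.yaml --strategy replace"]:
        print(cmd, "->", audit(cmd))
```

A token given with --token is also visible in shell history and process listings, which is why the check reports the flag regardless of its value.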
cao restore [flags]
Restore a cluster’s data topology
In a development environment it may be desirable to manually manage the data topology in a rapid and agile fashion, rather than use the native Kubernetes resource types we provide. For example you may wish to create buckets, scopes and collections using the UI, or an SDK, without having the overhead of change control, review and auditing of changes that using native resources would provide.
This command allows existing save data (as generated by 'cao save') to be applied to the selected cluster. Restoration of data topology occurs as follows: the Couchbase cluster is interrogated for all data topology (including unmanaged buckets, scopes and collections). This is then compared with the contents of the save data to detect resources that will be added, updated or deleted as a result of this restore operation. You will be prompted for confirmation that the outcome is as desired, giving you an opportunity to back out of unintentionally destructive operations.
A new, full tree of resources (buckets, scopes and collections) is created then atomically swapped with the old tree, providing roll back in the event of an error. Finally any old Kubernetes resources are automatically cleaned up.
The atomic swap of resources is performed using label selectors, allowing restores when multiple Couchbase clusters are running in the same namespace. As a precaution, the tool will only function if your cluster’s buckets are unmanaged, there is no label selector set and there are no existing resources, or a label selector is already in use. It is your responsibility to ensure that when multiple Couchbase clusters are running in the same namespace, they will not be affected by a restore operation, e.g. they are not sharing any resources that may be modified or deleted. It is usually safest to run a single Couchbase cluster per namespace.
All resources discovered when polling the Couchbase cluster will be backed by a Kubernetes resource, and managed by the Operator after a restore. You may manually disable management of a particular bucket or scope if you so wish.
Save and restore of resources will modify Kubernetes resources, and therefore should never be used with any other form of lifecycle management tool (e.g. Helm or Red Hat OLM), as these may revert changes and lead to catastrophic data loss.
Examples
# Restore the full data topology on the only cluster in a namespace
cao restore -f save-data.yaml
# Restore the full data topology to the specific cluster
cao restore --couchbase-cluster squirrel -f save-data.yaml
# Restore all scopes and collections in a bucket
cao restore --path /bucket -f save-data.yaml
# Restore all collections in a scope
cao restore --path /bucket/scope -f save-data.yaml
Flags
- --couchbase-cluster
-
Type: string
Cluster to save from (CouchbaseCluster resource name)
- --filename, -f
-
Type: string
Filename to read the save data from.
- --path
-
Type: string
Default: /
Path to restore data to. Default will restore all buckets, scopes and collections. '/bucket' will restore all scopes and collections in Couchbase bucket 'bucket'. '/bucket/scope' will restore all collections in Couchbase bucket 'bucket' and Couchbase scope 'scope'.
- --strategy
-
Type: string
Default: merge
Strategy to use when merging the save data with the current cluster’s data. When set to 'merge', any existing items that are in the current cluster, but not in the save, are retained. When set to 'replace', the existing items that exist in the current cluster, but don’t exist in the save, are fully replaced. Merging protects the user from accidental data loss, whereas replacement may cause data loss, but ensures old data is purged to enforce data retention policies. This flag defaults to 'merge'.
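The comparison described for this command, and the effect of --path and --strategy on it, can be worked through with a simplified model. This is an added example, not cao's implementation: the function names, the topology representation (a tuple of bucket, scope and collection names mapped to settings) and the sample data are constructed, and it assumes --path selects only the resources below the given path.

```python
def _under(key, path):
    """True when a resource key lies strictly below the --path prefix."""
    prefix = tuple(part for part in path.split("/") if part)
    return len(key) > len(prefix) and key[:len(prefix)] == prefix


def _names(keys):
    return ["/" + "/".join(key) for key in keys]


def restore_plan(current, saved, path="/", strategy="merge"):
    """Compare cluster topology with save data, as the confirmation prompt would."""
    if strategy not in ("merge", "replace"):
        raise ValueError("strategy must be 'merge' or 'replace'")
    cur = {k: v for k, v in current.items() if _under(k, path)}
    sav = {k: v for k, v in saved.items() if _under(k, path)}
    added = sorted(k for k in sav if k not in cur)
    updated = sorted(k for k in sav if k in cur and sav[k] != cur[k])
    # Items in the cluster but not in the save: the strategy decides their fate.
    orphans = sorted(k for k in cur if k not in sav)
    return {
        "added": _names(added),
        "updated": _names(updated),
        "deleted": _names(orphans) if strategy == "replace" else [],
        "retained": _names(orphans) if strategy == "merge" else [],
    }


# Constructed sample data: what the cluster holds now, and what was saved.
CURRENT = {
    ("travel",): {"quota": "100Mi"},
    ("travel", "inventory"): {},
    ("travel", "inventory", "hotel"): {"ttl": "0s"},
    ("travel", "scratch"): {},
    ("travel", "scratch", "tmp"): {},
    ("logs",): {"quota": "100Mi"},
}
SAVED = {
    ("travel",): {"quota": "100Mi"},
    ("travel", "inventory"): {},
    ("travel", "inventory", "hotel"): {"ttl": "1h"},
    ("travel", "inventory", "airline"): {},
}

if __name__ == "__main__":
    for strategy in ("merge", "replace"):
        print(strategy, restore_plan(CURRENT, SAVED, "/", strategy))
    print("scoped", restore_plan(CURRENT, SAVED, "/travel", "replace"))
```

With 'replace' at the default path the model deletes /logs and the whole /travel/scratch subtree, while the same save applied with --path /travel leaves /logs untouched.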
Inherited Flags
- --as
-
Type: string
Username to impersonate for the operation. User could be a regular user or a service account in a namespace.
- --as-group
-
Type: stringArray
Default: []
Group to impersonate for the operation, this flag can be repeated to specify multiple groups.
- --as-uid
-
Type: string
UID to impersonate for the operation.
- --cache-dir
-
Type: string
Default: $HOME/.kube/cache
Default cache directory
- --certificate-authority
-
Type: string
Path to a cert file for the certificate authority
- --client-certificate
-
Type: string
Path to a client certificate file for TLS
- --client-key
-
Type: string
Path to a client key file for TLS
- --cluster
-
Type: string
The name of the kubeconfig cluster to use
- --context
-
Type: string
The name of the kubeconfig context to use
- --insecure-skip-tls-verify
-
Type: bool
Default: false
If true, the server’s certificate will not be checked for validity. This will make your HTTPS connections insecure
- --kubeconfig
-
Type: string
Path to the kubeconfig file to use for CLI requests.
- --namespace, -n
-
Type: string
If present, the namespace scope for this CLI request
- --request-timeout
-
Type: string
Default: 0
The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don’t timeout requests.
- --server, -s
-
Type: string
The address and port of the Kubernetes API server
- --tls-server-name
-
Type: string
Server name to use for server certificate validation. If it is not provided, the hostname used to contact the server is used
- --token
-
Type: string
Bearer token for authentication to the API server
- --user
-
Type: string
The name of the kubeconfig user to use
cao save [flags]
Save a cluster’s data topology
In a development environment it may be desirable to manually manage the data topology in a rapid and agile fashion, rather than use the native Kubernetes resource types we provide. For example you may wish to create buckets, scopes and collections using the UI, or an SDK, without having the overhead of change control, review and auditing of changes that using native resources would provide.
This command allows a specific cluster to be probed and all data topology resources saved, direct from the Couchbase cluster. Saved data topology represents data as Kubernetes native resource types and can later be used to restore data topology, allow it to be managed by the Operator, or even replicated to a completely new cluster.
Save and restore of resources will modify Kubernetes resources, and therefore should never be used with any other form of lifecycle management tool (e.g. Helm or Red Hat OLM), as these may revert changes and lead to catastrophic data loss.
Examples
# Save the full data topology on the only cluster in a namespace
cao save --filename save.yaml
# Save the full data topology for a specific cluster
cao save --couchbase-cluster cluster-name --filename save.yaml
# Save all scopes and collections in a bucket
cao save --path /bucket --filename save.yaml
# Save all collections in a scope
cao save --path /bucket/scope --filename save.yaml
Flags
- --couchbase-cluster
-
Type: string
Cluster to save from (CouchbaseCluster resource name)
- --filename, -f
-
Type: string
Filename to write the save data to. This flag is required.
- --path
-
Type: string
Default: /
Path to save data from. Default will save all buckets, scopes and collections. '/bucket' will save all scopes and collections in Couchbase bucket 'bucket'. '/bucket/scope' will save all collections in Couchbase bucket 'bucket' and Couchbase scope 'scope'.
Inherited Flags
- --as
-
Type: string
Username to impersonate for the operation. User could be a regular user or a service account in a namespace.
- --as-group
-
Type: stringArray
Default: []
Group to impersonate for the operation, this flag can be repeated to specify multiple groups.
- --as-uid
-
Type: string
UID to impersonate for the operation.
- --cache-dir
-
Type: string
Default: $HOME/.kube/cache
Default cache directory
- --certificate-authority
-
Type: string
Path to a cert file for the certificate authority
- --client-certificate
-
Type: string
Path to a client certificate file for TLS
- --client-key
-
Type: string
Path to a client key file for TLS
- --cluster
-
Type: string
The name of the kubeconfig cluster to use
- --context
-
Type: string
The name of the kubeconfig context to use
- --insecure-skip-tls-verify
-
Type: bool
Default: false
If true, the server’s certificate will not be checked for validity. This will make your HTTPS connections insecure
- --kubeconfig
-
Type: string
Path to the kubeconfig file to use for CLI requests.
- --namespace, -n
-
Type: string
If present, the namespace scope for this CLI request
- --request-timeout
-
Type: string
Default: 0
The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don’t timeout requests.
- --server, -s
-
Type: string
The address and port of the Kubernetes API server
- --tls-server-name
-
Type: string
Server name to use for server certificate validation. If it is not provided, the hostname used to contact the server is used
- --token
-
Type: string
Bearer token for authentication to the API server
- --user
-
Type: string
The name of the kubeconfig user to use
cao version
Prints the command version
Inherited Flags
- --as
-
Type: string
Username to impersonate for the operation. User could be a regular user or a service account in a namespace.
- --as-group
-
Type: stringArray
Default: []
Group to impersonate for the operation, this flag can be repeated to specify multiple groups.
- --as-uid
-
Type: string
UID to impersonate for the operation.
- --cache-dir
-
Type: string
Default: $HOME/.kube/cache
Default cache directory
- --certificate-authority
-
Type: string
Path to a cert file for the certificate authority
- --client-certificate
-
Type: string
Path to a client certificate file for TLS
- --client-key
-
Type: string
Path to a client key file for TLS
- --cluster
-
Type: string
The name of the kubeconfig cluster to use
- --context
-
Type: string
The name of the kubeconfig context to use
- --insecure-skip-tls-verify
-
Type: bool
Default: false
If true, the server’s certificate will not be checked for validity. This will make your HTTPS connections insecure
- --kubeconfig
-
Type: string
Path to the kubeconfig file to use for CLI requests.
- --namespace, -n
-
Type: string
If present, the namespace scope for this CLI request
- --request-timeout
-
Type: string
Default: 0
The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don’t timeout requests.
- --server, -s
-
Type: string
The address and port of the Kubernetes API server
- --tls-server-name
-
Type: string
Server name to use for server certificate validation. If it is not provided, the hostname used to contact the server is used
- --token
-
Type: string
Bearer token for authentication to the API server
- --user
-
Type: string
The name of the kubeconfig user to use