Couchbase TLS

    Transport layer security (TLS) is responsible for securing data over networks. This section documents what security protections are available.

    Basic TLS Configuration

    Couchbase Server supports TLS out of the box. Couchbase Server generates a self-signed CA certificate for the whole cluster. Each pod that is added to the cluster gets a certificate valid for its hostname.

    The TLS certificates generated by Couchbase Server are, however, not suited for use with Kubernetes. The DNS subject alternative names are insufficient to support anything other than very specific service naming, or any form of highly-available addressing.

    For this reason, Couchbase Server provided TLS is not supported for use with the Operator or any Kubernetes environment.

    Managed TLS Configuration

    When using basic configuration the end user has no control over how the certificates are generated.

    When using the public connectivity feature for example — the Couchbase Cluster is accessed from outside of the Kubernetes cluster — the internal DNS names that would be automatically generated by Couchbase Server are no longer valid. The certificate needs to be valid for an alternative public DNS name. Likewise the Prometheus exporter when operating over TLS needs to access the local pod on localhost. It may also be desirable to integrate Couchbase Server into an existing corporate TLS hierarchy.

    Managed TLS gives the ability for you to use any TLS certificates you like with Couchbase Server. A certificate may be a single certificate or an entire certificate chain.

    TLS can be configured by the Operator in a number of different ways as described in the following sections.

    When using managed TLS, the Operator and any sidecar containers will also communicate with Couchbase Server over TLS. Use of managed TLS is highly recommended in order to encrypt passwords and other sensitive information that may be exchanged between Couchbase Server and the Operator.

    For configuration details please see the TLS configuration how-to.

    Kubernetes Native TLS

    operator 2.3

    From Operator version 2.3 onward, Kubernetes native TLS is the standard way of configuring TLS. Consider the following topology:

    Kubernetes Native TLS Topology

    tls kubernetes

    All Kubernetes secrets are of the standard type. This provides the most generic method of TLS configuration, and the largest scope for 3rd party TLS management integration.

    Couchbase Server has strict naming and format requirements for server certificates and keys (see Legacy TLS). When using Kubernetes native TLS, the Operator abstracts some of these away to make configuration more flexible and compatible with your security requirements. For example, this configuration mode supports PKCS#8 formatted RSA keys. Elliptic curve is not supported by Couchbase Server, and the Operator is unable to convert between EC and RSA key types.

    Kubernetes Native TLS CA Certificates

    CA certificates are provided as a pool, whose referenced secrets only need contain the tls.crt field — it is unnecessary to expose private keys to maintain security. When using Native TLS, the contents of tls.crt may also contain multiple CA certificates. Providing multiple CA certificates within a single secret is effectively the same as providing a CA Pool with multiple secrets containing a single CA certificate.

    A CA pool allows Couchbase Server to utilize one CA, while client certificates can authenticate against an arbitrary number of certificate authorities. This provides isolated security domains and allows rolling CA rotation with minimal operational impact.

    When using Couchbase 7.0 and earlier, only one CA is supported, therefore all server and client certificates must be signed by the same root CA. Specifying multiple CA certificates with Couchbase Server 7.0 and earlier will result in undefined behavior.

    Cert-Manager TLS

    operator 2.2

    Cert-Manager TLS is an extension of Kubernetes Native TLS. The only difference is highlighted in red in the following topology:

    Cert-Manager TLS Topology

    tls cert manager

    Cert-manager generates TLS keys and certificates using the, and additionally supplies a ca.crt field in the secret, so you don’t need to worry about providing it manually via the CA pool.

    The ca.crt field is not respected — if provided — in the client secret. The root CA pool can be used to support a different client signing CA. See Kubernetes Native TLS for additional details on multiple root CA support.

    For more information, read the Cert-Manager Tutorial.

    Legacy TLS


    Legacy TLS was initially designed as a direct integration of TLS with Couchbase Server. Consider the diagram below:

    Legacy TLS Topology

    tls legacy

    The server secret contains the server certificate and key that need to be mounted in the Couchbase Server pod. As no abstraction is performed by the Operator, the secret format and key names are non-standard, and need to be those hard-coded into Couchbase Server. Additionally only PKCS#1 formatted keys are supported.

    This bespoke domain specific format is inflexible and incompatible with any 3rd party certificate management.

    Use of this configuration mode is deprecated and will be removed in a future release. It is highly recommended that you use, or migrate to, one of the other modes.

    Node-to-Node Encryption

    The Operator supports Couchbase Server’s node-to-node encryption feature. Secure network layer transport between pods is not secure by default, and needs to be manually enabled. To enable node-to-node encryption, TLS must be Operator managed.

    The following modes are available:

    Strict TLS operator 2.3

    All traffic between pods, be that internal control communication or user data, is encrypted. Additionally non-TLS ports are not exposed and cannot be used. Strict mode TLS is only available on Couchbase Server 7.1+.

    Full TLS

    All traffic between pods, be that internal control communication or user data, is encrypted.

    Control plane TLS

    Only internal control communication is encrypted. While this may be marginally faster, it will expose any user data on the network.

    For further information, see read about the spec.networking.tls.nodeToNodeEncryption field.

    TLS Client Authentication

    Couchbase Server supports mutual TLS (mTLS). With this mode of operation not only do clients verify they are talking to a trusted entity, but the Couchbase Server instance can also establish trust in the client. Client authentication may be mandatory or optional.

    When using mTLS then the certificate must also contain identity information in the form of a username that maps to a Couchbase Server user. With optional authentication if the client does not supply a certificate to Couchbase Server on request then it will fall back to basic (username & password) authentication.

    mTLS is fully supported by the Operator. When enabled the user must supply the Operator with a client certificate valid for the cluster administrator.

    For configuration details please see the TLS client certificate how-to.

    TLS Certificate Rotation

    Certificates go out of date and cause clients to stop working. Private keys corresponding to certificates can be compromised thus allowing communications to be decrypted. With this in mind, the Operator allows certificates to be rotated and replaced with new versions.

    The Operator supports all possible rotation types:

    • Replacing a server certificate/key

    • Replacing a client certificate/key

    • Replacing the entire PKI

    For details on certificate rotation read the TLS certificate rotation how-to.