Couchbase Helm Chart Specification

      +
      The official Couchbase Helm Chart for the Autonomous Operator comes with a default configuration that can be customized to fit your deployment needs.

      This page describes the parameters of the official Couchbase Helm Chart. In particular, this page describes the contents of the chart’s values.yaml, which contains the chart’s default values. Each of the deployed resources is listed and described, along with any user definable parameters.

      For instructions on how to install and use the chart, including how to override and customize the chart’s values, refer to Helm Deployment.

      The official Couchbase Helm Chart may only be used with Enterprise Edition products, such as Couchbase Server Enterprise Edition and Sync Gateway Enterprise Edition.

      Table 1. Helm Chart Values
      Key Type Default Description

      admissionCA.cert

      string

      nil

      A base64 encoded PEM format certificate

      admissionCA.expiration

      int

      365

      Expiry time of CA in days for generated certs

      admissionCA.key

      string

      nil

      A base64 encoded PEM format private key

      admissionController.commandArgs

      object

      {"default-file-system-group":true,"validate-secrets":true,"validate-storage-classes":true}

      Set of command-line flags to pass on to the Admission Controller to modify its behavior. Do not change.

      admissionController.disableValidatingWebhook

      bool

      false

      Disable the creation of Validation webhook. Setting to 'false' may be helpful when installing into a restricted environments (ie Strict mTLS), since disabling avoids performing resource fetching and validation from the Kubernetes API server.

      admissionController.image

      object

      {"repository":"couchbase/admission-controller","tag":"2.3.0"}

      Image specifies repository and tag of the Couchbase Admission container.

      admissionController.imagePullPolicy

      string

      "IfNotPresent"

      The policy for pulling images from the repository onto hosts. The imagePullPolicy value defaults to IfNotPresent, which means that images are only pulled if they’re not present on the Kubernetes node. Values allowed are Always, IfNotPresent, and Never.

      admissionController.imagePullSecrets

      list

      []

      ImagePullSecrets is an optional list of references to secrets to use for pulling images

      admissionController.name

      string

      "couchbase-admission-controller"

      admissionController.nodeSelector

      object

      {}

      Specify a node selection constraint for couchbase-admission-controller pod assignment. Ref: https://kubernetes.io/docs/user-guide/node-selection/

      admissionController.resources

      object

      {}

      Resource Limits and requests for Pod CPU and Memory

      admissionController.runAsNonRoot

      bool

      true

      Specify whether to run as a non-root user. Running as non-root ensures least privilege.

      admissionController.scope

      string

      "ClusterRole"

      RBAC Scope of the Admission Controller. Must be either 'Role' or 'ClusterRole'. When scope is 'ClusterRole' the admission controller is able to validate resources in all namespaces. 'Role' scope limits validation to a single a namespace.

      admissionController.tolerations

      list

      []

      Tolerations are applied to pods, and allow (but do not require) the pods to schedule onto nodes with matching taints.

      admissionController.verboseLogging

      bool

      false

      Determines whether the admission controller should log all of its validation notices within the console. When set to false, only validation errors are logged within the pod’s console.

      admissionSecret.cert

      string

      nil

      PEM format certificate (auto-generated) override via --set-file

      admissionSecret.key

      string

      nil

      PEM format certificate (auto-generated) override via --set-file

      admissionSecret.name

      string

      nil

      Name of the secret (auto-generated)

      admissionService.name

      string

      nil

      Name of the service (auto-generated)

      admissionService.port

      int

      443

      Port service exposes

      admissionService.targetPort

      int

      8443

      backuprestores

      object

      {}

      backups

      object

      {}

      CouchbaseBackups runs a job which preserves data into backups

      buckets.default.compressionMode

      string

      "passive"

      CompressionMode defines how Couchbase server handles document compression. When off, documents are stored in memory, and transferred to the client uncompressed. When passive, documents are stored compressed in memory, and transferred to the client compressed when requested. When active, documents are stored compresses in memory and when transferred to the client. This field must be "off", "passive" or "active", defaulting to "passive". Be aware "off" in YAML 1.2 is a boolean, so must be quoted as a string in configuration files.

      buckets.default.conflictResolution

      string

      "seqno"

      ConflictResolution defines how XDCR handles concurrent write conflicts. Sequence number based resolution selects the document with the highest sequence number as the most recent. Timestamp based resolution selects the document that was written to most recently as the most recent. This field must be "seqno" (sequence based), or "lww" (timestamp based), defaulting to "seqno".

      buckets.default.enableFlush

      bool

      false

      EnableFlush defines whether a client can delete all documents in a bucket. This field defaults to false.

      buckets.default.enableIndexReplica

      bool

      false

      EnableIndexReplica defines whether indexes for this bucket are replicated. This field defaults to false.

      buckets.default.evictionPolicy

      string

      "valueOnly"

      EvictionPolicy controls how Couchbase handles memory exhaustion. Value only eviction flushes documents to disk but maintains document metadata in memory in order to improve query performance. Full eviction removes all data from memory after the document is flushed to disk. This field must be "valueOnly" or "fullEviction", defaulting to "valueOnly".

      buckets.default.ioPriority

      string

      "low"

      IOPriority controls how many threads a bucket has, per pod, to process reads and writes. This field must be "low" or "high", defaulting to "low". Modification of this field will cause a temporary service disruption as threads are restarted.

      buckets.default.kind

      string

      "CouchbaseBucket"

      The type of the bucket to create by default. Removed from CRD as only used by Helm.

      buckets.default.maxTTL

      string

      nil

      MaxTTL defines how long a document is permitted to exist for, without modification, until it is automatically deleted. This is a default and maximum time-to-live and may be set to a lower value by the client. If the client specifies a higher value, then it is truncated to the maximum durability. Documents are removed by Couchbase, after they have expired, when either accessed, the expiry pager is run, or the bucket is compacted. When set to 0, then documents are not expired by default. This field must be a duration in the range 0-2147483648s, defaulting to 0. More info: https://golang.org/pkg/time/#ParseDuration

      buckets.default.memoryQuota

      string

      "100Mi"

      MemoryQuota is a memory limit to the size of a bucket. When this limit is exceeded, documents will be evicted from memory to disk as defined by the eviction policy. The memory quota is defined per Couchbase pod running the data service. This field defaults to, and must be greater than or equal to 100Mi. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#resource-units-in-kubernetes

      buckets.default.minimumDurability

      string

      nil

      MiniumumDurability defines how durable a document write is by default, and can be made more durable by the client. This feature enables ACID transactions. When none, Couchbase server will respond when the document is in memory, it will become eventually consistent across the cluster. When majority, Couchbase server will respond when the document is replicated to at least half of the pods running the data service in the cluster. When majorityAndPersistActive, Couchbase server will respond when the document is replicated to at least half of the pods running the data service in the cluster and the document has been persisted to disk on the document master pod. When persistToMajority, Couchbase server will respond when the document is replicated and persisted to disk on at least half of the pods running the data service in the cluster. This field must be either "none", "majority", "majorityAndPersistActive" or "persistToMajority", defaulting to "none".

      buckets.default.name

      string

      nil

      Name is the name of the bucket within Couchbase server. By default the Operator will use the metadata.name field to define the bucket name. The metadata.name field only supports a subset of the supported character set. When specified, this field overrides metadata.name. Legal bucket names have a maximum length of 100 characters and may be composed of any character from "a-z", "A-Z", "0-9" and "-_%\.".

      buckets.default.replicas

      int

      1

      Replicas defines how many copies of documents Couchbase server maintains. This directly affects how fault tolerant a Couchbase cluster is. With a single replica, the cluster can tolerate one data pod going down and still service requests without data loss. The number of replicas also affect memory use. With a single replica, the effective memory quota for documents is halved, with two replicas it is one third. The number of replicas must be between 0 and 3, defaulting to 1.

      buckets.default.scopes

      object

      {"managed":false,"resources":[],"selector":{"matchExpressions":{"key":null,"operator":null,"values":null},"matchLabels":null}}

      Scopes defines whether the Operator manages scopes for the bucket or not, and the set of scopes defined for the bucket.

      buckets.default.scopes.managed

      bool

      false

      Managed defines whether scopes are managed for this bucket. This field is false by default, and the Operator will take no actions that will affect scopes and collections in this bucket. The default scope and collection will be present. When set to true, the Operator will manage user defined scopes, and optionally, their collections as defined by the CouchbaseScope, CouchbaseScopeGroup, CouchbaseCollection and CouchbaseCollectionGroup resource documentation. If this field is set to false while the already managed, then the Operator will leave whatever configuration is already present.

      buckets.default.scopes.resources

      list

      []

      Resources is an explicit list of named resources that will be considered for inclusion in this bucket. If a resource reference doesn’t match a resource, then no error conditions are raised due to undefined resource creation ordering and eventual consistency.

      buckets.default.scopes.selector

      object

      {"matchExpressions":{"key":null,"operator":null,"values":null},"matchLabels":null}

      Selector allows resources to be implicitly considered for inclusion in this bucket. More info: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.21/#labelselector-v1-meta

      buckets.default.scopes.selector.matchExpressions

      object

      {"key":null,"operator":null,"values":null}

      matchExpressions is a list of label selector requirements. The requirements are ANDed.

      buckets.default.scopes.selector.matchLabels

      string

      nil

      matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.

      cluster.antiAffinity

      bool

      false

      AntiAffinity forces the Operator to schedule different Couchbase server pods on different Kubernetes nodes. Anti-affinity reduces the likelihood of unrecoverable failure in the event of a node issue. Use of anti-affinity is highly recommended for production clusters.

      cluster.autoResourceAllocation

      object

      {"cpuLimits":"4","cpuRequests":"2","enabled":false,"overheadPercent":25}

      AutoResourceAllocation populates pod resource requests based on the services running on that pod. When enabled, this feature will calculate the memory request as the total of service allocations defined in spec.cluster, plus an overhead defined by spec.autoResourceAllocation.overheadPercent.Changing individual allocations for a service will cause a cluster upgrade as allocations are modified in the underlying pods. This field also allows default pod CPU requests and limits to be applied. All resource allocations can be overridden by explicitly configuring them in the spec.servers.resources field.

      cluster.autoResourceAllocation.cpuLimits

      string

      "4"

      CPULimits automatically populates the CPU limits across all Couchbase server pods. This field defaults to "4" CPUs. Explicitly specifying the CPU limit for a particular server class will override this value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#resource-units-in-kubernetes

      cluster.autoResourceAllocation.cpuRequests

      string

      "2"

      CPURequests automatically populates the CPU requests across all Couchbase server pods. The default value of "2", is the minimum recommended number of CPUs required to run Couchbase Server. Explicitly specifying the CPU request for a particular server class will override this value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#resource-units-in-kubernetes

      cluster.autoResourceAllocation.enabled

      bool

      false

      Enabled defines whether auto-resource allocation is enabled.

      cluster.autoResourceAllocation.overheadPercent

      int

      25

      OverheadPercent defines the amount of memory above that required for individual services on a pod. For Couchbase Server this should be approximately 25%.

      cluster.autoscaleStabilizationPeriod

      string

      nil

      AutoscaleStabilizationPeriod defines how long after a rebalance the corresponding HorizontalPodAutoscaler should remain in maintenance mode. During maintenance mode all autoscaling is disabled since every HorizontalPodAutoscaler associated with the cluster becomes inactive. Since certain metrics can be unpredictable when Couchbase is rebalancing or upgrading, setting a stabilization period helps to prevent scaling recommendations from the HorizontalPodAutoscaler for a provided period of time. Values must be a valid Kubernetes duration of 0s or higher: https://golang.org/pkg/time/#ParseDuration A value of 0, puts the cluster in maintenance mode during rebalance but immediately exits this mode once the rebalance has completed. When undefined, the HPA is never put into maintenance mode during rebalance.

      cluster.backup

      object

      {"image":"couchbase/operator-backup:1.2.0","imagePullSecrets":{"name":null},"managed":true,"nodeSelector":null,"objectEndpoint":{"secret":null,"url":null,"useVirtualPath":false},"resources":{"limits":null,"requests":null},"s3Secret":null,"selector":{"matchExpressions":{"key":null,"operator":null,"values":null},"matchLabels":null},"serviceAccountName":"couchbase-backup","tolerations":{"effect":null,"key":null,"operator":null,"tolerationSeconds":null,"value":null},"useIAMRole":false}

      Backup defines whether the Operator should manage automated backups, and how to lookup backup resources. Refer to the documentation for supported values https://docs.couchbase.com/operator/current/howto-backup.html#enable-automated-backup

      cluster.backup.image

      string

      "couchbase/operator-backup:1.2.0"

      The Backup Image to run on backup pods.

      cluster.backup.imagePullSecrets

      object

      {"name":null}

      ImagePullSecrets allow you to use an image from private repositories and non-dockerhub ones.

      cluster.backup.imagePullSecrets.name

      string

      nil

      Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?

      cluster.backup.managed

      bool

      true

      Managed defines whether backups are managed by us or the clients.

      cluster.backup.nodeSelector

      string

      nil

      NodeSelector defines which nodes to constrain the pods that run any backup and restore operations to.

      cluster.backup.objectEndpoint

      object

      {"secret":null,"url":null,"useVirtualPath":false}

      ObjectEndpoint contains the configuration for connecting to a custom S3 compliant object store.

      cluster.backup.objectEndpoint.secret

      string

      nil

      The name of the secret, in this namespace, that contains the CA certificate for verification of a TLS endpoint (when required, e.g. not signed by a public CA). The secret must have the key with the name "tls.crt"

      cluster.backup.objectEndpoint.url

      string

      nil

      The host/address of the custom object endpoint.

      cluster.backup.objectEndpoint.useVirtualPath

      bool

      false

      UseVirtualPath will force the AWS SDK to use the new virtual style paths. by default alternative path style URLs which are often required by S3 compatible object stores.

      cluster.backup.resources

      object

      {"limits":null,"requests":null}

      Resources is the resource requirements for the backup and restore containers. Will be populated by defaults if not specified.

      cluster.backup.resources.limits

      string

      nil

      Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/

      cluster.backup.resources.requests

      string

      nil

      Requests describes the minimum amount of compute resources required. If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/

      cluster.backup.s3Secret

      string

      nil

      S3Secret contains the region and credentials for operating backups in S3. This field must be popluated when the spec.s3bucket field is specified for a backup or restore resource.

      cluster.backup.selector

      object

      {"matchExpressions":{"key":null,"operator":null,"values":null},"matchLabels":null}

      Selector allows CouchbaseBackup and CouchbaseBackupRestore resources to be filtered based on labels.

      cluster.backup.selector.matchExpressions

      object

      {"key":null,"operator":null,"values":null}

      matchExpressions is a list of label selector requirements. The requirements are ANDed.

      cluster.backup.selector.matchLabels

      string

      nil

      matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.

      cluster.backup.serviceAccountName

      string

      "couchbase-backup"

      The Service Account to run backup (and restore) pods under. Without this backup pods will not be able to update status.

      cluster.backup.tolerations

      object

      {"effect":null,"key":null,"operator":null,"tolerationSeconds":null,"value":null}

      Tolerations specifies all backup and restore pod tolerations.

      cluster.backup.tolerations.effect

      string

      nil

      Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.

      cluster.backup.tolerations.key

      string

      nil

      Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys.

      cluster.backup.tolerations.operator

      string

      nil

      Operator represents a key’s relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.

      cluster.backup.tolerations.tolerationSeconds

      string

      nil

      TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.

      cluster.backup.tolerations.value

      string

      nil

      Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.

      cluster.backup.useIAMRole

      bool

      false

      UseIAMRole enables backup to fetch EC2 instance metadata. This allows the AWS SDK to use the EC2’s IAM Role for S3 access. UseIAMRole will ignore credentials in s3Secret.

      cluster.buckets

      object

      {"managed":true,"selector":{"matchExpressions":{"key":null,"operator":null,"values":null},"matchLabels":null},"synchronize":false}

      Buckets defines whether the Operator should manage buckets, and how to lookup bucket resources.

      cluster.buckets.managed

      bool

      true

      Managed defines whether buckets are managed by the Operator (true), or user managed (false). When Operator managed, all buckets must be defined with either CouchbaseBucket, CouchbaseEphemeralBucket or CouchbaseMemcachedBucket resources. Manual addition of buckets will be reverted by the Operator. When user managed, the Operator will not interrogate buckets at all. This field defaults to false.

      cluster.buckets.selector

      object

      {"matchExpressions":{"key":null,"operator":null,"values":null},"matchLabels":null}

      Selector is a label selector used to list buckets in the namespace that are managed by the Operator.

      cluster.buckets.selector.matchExpressions

      object

      {"key":null,"operator":null,"values":null}

      matchExpressions is a list of label selector requirements. The requirements are ANDed.

      cluster.buckets.selector.matchLabels

      string

      nil

      matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.

      cluster.buckets.synchronize

      bool

      false

      Synchronize allows unmanaged buckets, scopes, and collections to be synchronized as Kubernetes resources by the Operator. This feature is intended for development only and should not be used for production workloads. The synchronization workflow starts with spec.buckets.managed being set to false, the user can manually create buckets, scopes, and collections using the Couchbase UI, or other tooling. When you wish to commit to Kubernetes resources, you must specify a unique label selector in the spec.buckets.selector field, and this field is set to true. The Operator will create Kubernetes resources for you, and upon completion set the cluster’s Synchronized status condition. You may then safely set spec.buckets.managed to true and the Operator will manage these resources as per usual. To update an already managed data topology, you must first set it to unmanaged, make any changes, and delete any old resources, then follow the standard synchronization workflow. The Operator can not, and will not, ever delete, or make modifications to resource specifications that are intended to be user managed, or managed by a life cycle management tool. These actions must be instigated by an end user. For a more complete experience, refer to the documentation for the cao save and cao restore CLI commands.

      cluster.cluster

      object

      {"analyticsServiceMemoryQuota":"1Gi","autoCompaction":{"databaseFragmentationThreshold":{"percent":30,"size":null},"parallelCompaction":false,"timeWindow":{"abortCompactionOutsideWindow":false,"end":null,"start":null},"tombstonePurgeInterval":"72h","viewFragmentationThreshold":{"percent":30,"size":null}},"autoFailoverMaxCount":3,"autoFailoverOnDataDiskIssues":false,"autoFailoverOnDataDiskIssuesTimePeriod":"120s","autoFailoverServerGroup":false,"autoFailoverTimeout":"120s","clusterName":null,"data":{"readerThreads":null,"writerThreads":null},"dataServiceMemoryQuota":"256Mi","eventingServiceMemoryQuota":"256Mi","indexServiceMemoryQuota":"256Mi","indexStorageSetting":"memory_optimized","indexer":{"logLevel":"info","maxRollbackPoints":2,"memorySnapshotInterval":"200ms","stableSnapshotInterval":"5s","storageMode":"memory_optimized","threads":null},"query":{"backfillEnabled":true,"temporarySpace":"5Gi","temporarySpaceUnlimited":false},"queryServiceMemoryQuota":null,"searchServiceMemoryQuota":"256Mi"}

      ClusterSettings define Couchbase cluster-wide settings such as memory allocation, failover characteristics and index settings.

      cluster.cluster.analyticsServiceMemoryQuota

      string

      "1Gi"

      AnalyticsServiceMemQuota is the amount of memory that should be allocated to the analytics service. This value is per-pod, and only applicable to pods belonging to server classes running the analytics service. This field must be a quantity greater than or equal to 1Gi. This field defaults to 1Gi. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#resource-units-in-kubernetes

      cluster.cluster.autoCompaction

      object

      {"databaseFragmentationThreshold":{"percent":30,"size":null},"parallelCompaction":false,"timeWindow":{"abortCompactionOutsideWindow":false,"end":null,"start":null},"tombstonePurgeInterval":"72h","viewFragmentationThreshold":{"percent":30,"size":null}}

      AutoCompaction allows the configuration of auto-compaction, including on what conditions disk space is reclaimed and when it is allowed to run.

      cluster.cluster.autoCompaction.databaseFragmentationThreshold

      object

      {"percent":30,"size":null}

      DatabaseFragmentationThreshold defines triggers for when database compaction should start.

      cluster.cluster.autoCompaction.parallelCompaction

      bool

      false

      ParallelCompaction controls whether database and view compactions can happen in parallel.

      cluster.cluster.autoCompaction.timeWindow

      object

      {"abortCompactionOutsideWindow":false,"end":null,"start":null}

      TimeWindow allows restriction of when compaction can occur.

      cluster.cluster.autoCompaction.tombstonePurgeInterval

      string

      "72h"

      TombstonePurgeInterval controls how long to wait before purging tombstones. This field must be in the range 1h-1440h, defaulting to 72h. More info: https://golang.org/pkg/time/#ParseDuration

      cluster.cluster.autoCompaction.viewFragmentationThreshold

      object

      {"percent":30,"size":null}

      ViewFragmentationThreshold defines triggers for when view compaction should start.

      cluster.cluster.autoFailoverMaxCount

      int

      3

      AutoFailoverMaxCount is the maximum number of automatic failovers Couchbase server will allow before not allowing any more. This field must be between 1-3, default 3.

      cluster.cluster.autoFailoverOnDataDiskIssues

      bool

      false

      AutoFailoverOnDataDiskIssues defines whether Couchbase server should failover a pod if a disk issue was detected.

      cluster.cluster.autoFailoverOnDataDiskIssuesTimePeriod

      string

      "120s"

      AutoFailoverOnDataDiskIssuesTimePeriod defines how long to wait for transient errors before failing over a faulty disk. This field must be in the range 5-3600s, defaulting to 120s. More info: https://golang.org/pkg/time/#ParseDuration

      cluster.cluster.autoFailoverServerGroup

      bool

      false

      AutoFailoverServerGroup whether to enable failing over a server group.

      cluster.cluster.autoFailoverTimeout

      string

      "120s"

      AutoFailoverTimeout defines how long Couchbase server will wait between a pod being witnessed as down, until when it will failover the pod. Couchbase server will only failover pods if it deems it safe to do so, and not result in data loss. This field must be in the range 5-3600s, defaulting to 120s. More info: https://golang.org/pkg/time/#ParseDuration

      cluster.cluster.clusterName

      string

      nil

      ClusterName defines the name of the cluster, as displayed in the Couchbase UI. By default, the cluster name is that specified in the CouchbaseCluster resource’s metadata.

      cluster.cluster.data

      object

      {"readerThreads":null,"writerThreads":null}

      Data allows the data service to be configured.

      cluster.cluster.data.readerThreads

      string

      nil

      ReaderThreads allows the number of threads used by the data service, per pod, to be altered. This value must be between 4 and 64 threads, and should only be increased where there are sufficient CPU resources allocated for their use. If not specified, this defaults to the default value set by Couchbase Server.

      cluster.cluster.data.writerThreads

      string

      nil

      ReaderThreads allows the number of threads used by the data service, per pod, to be altered. This setting is especially relevant when using "durable writes", increasing this field will have a large impact on performance. This value must be between 4 and 64 threads, and should only be increased where there are sufficient CPU resources allocated for their use. If not specified, this defaults to the default value set by Couchbase Server.

      cluster.cluster.dataServiceMemoryQuota

      string

      "256Mi"

      DataServiceMemQuota is the amount of memory that should be allocated to the data service. This value is per-pod, and only applicable to pods belonging to server classes running the data service. This field must be a quantity greater than or equal to 256Mi. This field defaults to 256Mi. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#resource-units-in-kubernetes

      cluster.cluster.eventingServiceMemoryQuota

      string

      "256Mi"

      EventingServiceMemQuota is the amount of memory that should be allocated to the eventing service. This value is per-pod, and only applicable to pods belonging to server classes running the eventing service. This field must be a quantity greater than or equal to 256Mi. This field defaults to 256Mi. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#resource-units-in-kubernetes

      cluster.cluster.indexServiceMemoryQuota

      string

      "256Mi"

      IndexServiceMemQuota is the amount of memory that should be allocated to the index service. This value is per-pod, and only applicable to pods belonging to server classes running the index service. This field must be a quantity greater than or equal to 256Mi. This field defaults to 256Mi. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#resource-units-in-kubernetes

      cluster.cluster.indexStorageSetting

      string

      "memory_optimized"

      DEPRECATED - by indexer. The index storage mode to use for secondary indexing. This field must be one of "memory_optimized" or "plasma", defaulting to "memory_optimized". This field is immutable and cannot be changed unless there are no server classes running the index service in the cluster.

      cluster.cluster.indexer

      object

      {"logLevel":"info","maxRollbackPoints":2,"memorySnapshotInterval":"200ms","stableSnapshotInterval":"5s","storageMode":"memory_optimized","threads":null}

      Indexer allows the indexer to be configured.

      cluster.cluster.indexer.logLevel

      string

      "info"

      LogLevel controls the verbosity of indexer logs. This field must be one of "silent", "fatal", "error", "warn", "info", "verbose", "timing", "debug" or "trace", defaulting to "info".

      cluster.cluster.indexer.maxRollbackPoints

      int

      2

      MaxRollbackPoints controls the number of checkpoints that can be rolled back to. The default is 2, with a minimum of 1.

      cluster.cluster.indexer.memorySnapshotInterval

      string

      "200ms"

      MemorySnapshotInterval controls when memory indexes should be snapshotted. This defaults to 200ms, and must be greater than or equal to 1ms.

      cluster.cluster.indexer.stableSnapshotInterval

      string

      "5s"

      StableSnapshotInterval controls when disk indexes should be snapshotted. This defaults to 5s, and must be greater than or equal to 1ms.

      cluster.cluster.indexer.storageMode

      string

      "memory_optimized"

      StorageMode controls the underlying storage engine for indexes. Once set it can only be modified if there are no nodes in the cluster running the index service. The field must be one of "memory_optimized" or "plasma", defaulting to "memory_optimized".

      cluster.cluster.indexer.threads

      string

      nil

      Threads controls the number of processor threads to use for indexing. A value of 0 means 1 per CPU. This attribute must be greater than or equal to 0, defaulting to 0.

      cluster.cluster.query

      object

      {"backfillEnabled":true,"temporarySpace":"5Gi","temporarySpaceUnlimited":false}

      Query allows the query service to be configured.

      cluster.cluster.query.backfillEnabled

      bool

      true

      BackfillEnabled allows the query service to backfill.

      cluster.cluster.query.temporarySpace

      string

      "5Gi"

      TemporarySpace allows the temporary storage used by the query service backfill, per-pod, to be modified. This field requires backfillEnabled to be set to true in order to have any effect. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#resource-units-in-kubernetes

      cluster.cluster.query.temporarySpaceUnlimited

      bool

      false

      TemporarySpaceUnlimited allows the temporary storage used by the query service backfill, per-pod, to be unconstrained. This field requires backfillEnabled to be set to true in order to have any effect. This field overrides temporarySpace.

      cluster.cluster.queryServiceMemoryQuota

      string

      nil

      QueryServiceMemQuota is a dummy field. By default, Couchbase server provides no memory resource constraints for the query service, so this has no effect on Couchbase server. It is, however, used when the spec.autoResourceAllocation feature is enabled, and is used to define the amount of memory reserved by the query service for use with Kubernetes resource scheduling. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#resource-units-in-kubernetes

      cluster.cluster.searchServiceMemoryQuota

      string

      "256Mi"

      SearchServiceMemQuota is the amount of memory that should be allocated to the search service. This value is per-pod, and only applicable to pods belonging to server classes running the search service. This field must be a quantity greater than or equal to 256Mi. This field defaults to 256Mi. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#resource-units-in-kubernetes

      cluster.enableOnlineVolumeExpansion

      bool

      false

      EnableOnlineVolumeExpansion enables online expansion of Persistent Volumes. You can only expand a PVC if its storage class’s "allowVolumeExpansion" field is set to true. Additionally, Kubernetes feature "ExpandInUsePersistentVolumes" must be enabled in order to expand the volumes which are actively bound to Pods. Volumes can only be expanded and not reduced to a smaller size. See: https://kubernetes.io/docs/concepts/storage/persistent-volumes/#resizing-an- in-use-persistentvolumeclaim If "EnableOnlineVolumeExpansion" is enabled for use within an environment that does not actually support online volume and file system expansion then the cluster will fallback to rolling upgrade procedure to create a new set of Pods for use with resized Volumes. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes/#expanding-persistent-volumes-claims

      cluster.enablePreviewScaling

      bool

      false

      DEPRECATED - This option only exists for backwards compatibility and no longer restricts autoscaling to ephemeral services. EnablePreviewScaling enables autoscaling for stateful services and buckets.

      cluster.hibernate

      bool

      false

      Hibernate is whether to hibernate the cluster.

      cluster.hibernationStrategy

      string

      nil

      HibernationStrategy defines how to hibernate the cluster. When Immediate the Operator will immediately delete all pods and take no further action until the hibernate field is set to false.

      cluster.image

      string

      "couchbase/server:7.0.2"

      Image is the container image name that will be used to launch Couchbase server instances. Updating this field will cause an automatic upgrade of the cluster.

      cluster.logging

      object

      {"audit":{"disabledEvents":null,"disabledUsers":null,"enabled":false,"garbageCollection":{"sidecar":{"age":"1h","enabled":false,"image":"busybox:1.33.1","interval":"20m","resources":{"limits":null,"requests":null}}},"rotation":{"interval":"15m","size":"20Mi"}},"logRetentionCount":null,"logRetentionTime":null,"server":{"configurationName":"fluent-bit-config","enabled":false,"manageConfiguration":true,"sidecar":{"configurationMountPath":"/fluent-bit/config/","image":"couchbase/fluent-bit:1.1.1","resources":{"limits":null,"requests":null}}}}

      Logging defines Operator logging options.

      cluster.logging.audit

      object

      {"disabledEvents":null,"disabledUsers":null,"enabled":false,"garbageCollection":{"sidecar":{"age":"1h","enabled":false,"image":"busybox:1.33.1","interval":"20m","resources":{"limits":null,"requests":null}}},"rotation":{"interval":"15m","size":"20Mi"}}

      Used to manage the audit configuration directly

      cluster.logging.audit.disabledEvents

      string

      nil

      The list of event ids to disable for auditing purposes. This is passed to the REST API with no verification by the operator. Refer to the documentation for details: https://docs.couchbase.com/server/current/audit-event-reference/audit-event-reference.html

      cluster.logging.audit.disabledUsers

      string

      nil

      The list of users to ignore for auditing purposes. This is passed to the REST API with minimal validation it meets an acceptable regex pattern. Refer to the documentation for full details on how to configure this: https://docs.couchbase.com/server/current/manage/manage-security/manage-auditing.html#ignoring-events-by-user

      cluster.logging.audit.enabled

      bool

      false

      Enabled is a boolean that enables the audit capabilities.

      cluster.logging.audit.garbageCollection

      object

      {"sidecar":{"age":"1h","enabled":false,"image":"busybox:1.33.1","interval":"20m","resources":{"limits":null,"requests":null}}}

      Handle all optional garbage collection (GC) configuration for the audit functionality. This is not part of the audit REST API, it is intended to handle GC automatically for the audit logs. By default the Couchbase Server rotates the audit logs but does not clean up the rotated logs. This is left as an operation for the cluster administrator to manage, the operator allows for us to automate this: https://docs.couchbase.com/server/current/manage/manage-security/manage-auditing.html

      cluster.logging.audit.rotation

      object

      {"interval":"15m","size":"20Mi"}

      The interval to optionally rotate the audit log. This is passed to the REST API, see here for details: https://docs.couchbase.com/server/current/manage/manage-security/manage-auditing.html

      cluster.logging.logRetentionCount

      string

      nil

      LogRetentionCount gives the number of persistent log PVCs to keep.

      cluster.logging.logRetentionTime

      string

      nil

      LogRetentionTime gives the time to keep persistent log PVCs alive for.

      cluster.logging.server

      object

      {"configurationName":"fluent-bit-config","enabled":false,"manageConfiguration":true,"sidecar":{"configurationMountPath":"/fluent-bit/config/","image":"couchbase/fluent-bit:1.1.1","resources":{"limits":null,"requests":null}}}

      Specification of all logging configuration required to manage the sidecar containers in each pod.

      cluster.logging.server.configurationName

      string

      "fluent-bit-config"

      ConfigurationName is the name of the Secret to use holding the logging configuration in the namespace. A Secret is used to ensure we can safely store credentials but this can be populated from plaintext if acceptable too. If it does not exist then one will be created with defaults in the namespace so it can be easily updated whilst running. Note that if running multiple clusters in the same kubernetes namespace then you should use a separate Secret for each, otherwise the first cluster will take ownership (if created) and the Secret will be cleaned up when that cluster is removed. If running clusters in separate namespaces then they will be separate Secrets anyway.

      cluster.logging.server.enabled

      bool

      false

      Enabled is a boolean that enables the logging sidecar container.

      cluster.logging.server.manageConfiguration

      bool

      true

      A boolean which indicates whether the operator should manage the configuration or not. If omitted then this defaults to true which means the operator will attempt to reconcile it to default values. To use a custom configuration make sure to set this to false. Note that the ownership of any Secret is not changed so if a Secret is created externally it can be updated by the operator but it’s ownership stays the same so it will be cleaned up when it’s owner is.

      cluster.logging.server.sidecar

      object

      {"configurationMountPath":"/fluent-bit/config/","image":"couchbase/fluent-bit:1.1.1","resources":{"limits":null,"requests":null}}

      Any specific logging sidecar container configuration.

      cluster.monitoring

      object

      {}

      Monitoring defines any Operator managed integration into 3rd party monitoring infrastructure.

      cluster.name

      string

      nil

      Name of the cluster, defaults to name of chart release

      cluster.networking

      object

      {"addressFamily":null,"adminConsoleServiceTemplate":{"metadata":{"annotations":null,"labels":null},"spec":{"clusterIP":null,"clusterIPs":null,"externalIPs":null,"externalName":null,"externalTrafficPolicy":null,"healthCheckNodePort":null,"internalTrafficPolicy":null,"ipFamilies":null,"ipFamilyPolicy":null,"loadBalancerClass":null,"loadBalancerIP":null,"loadBalancerSourceRanges":null,"sessionAffinity":null,"sessionAffinityConfig":{"clientIP":{"timeoutSeconds":null}},"type":"NodePort"}},"adminConsoleServices":["data"],"disableUIOverHTTP":false,"disableUIOverHTTPS":false,"dns":{"domain":null},"exposeAdminConsole":true,"exposedFeatureServiceTemplate":{"metadata":{"annotations":null,"labels":null},"spec":{"clusterIP":null,"clusterIPs":null,"externalIPs":null,"externalName":null,"externalTrafficPolicy":null,"healthCheckNodePort":null,"internalTrafficPolicy":null,"ipFamilies":null,"ipFamilyPolicy":null,"loadBalancerClass":null,"loadBalancerIP":null,"loadBalancerSourceRanges":null,"sessionAffinity":null,"sessionAffinityConfig":{"clientIP":{"timeoutSeconds":null}},"type":"NodePort"}},"exposedFeatureTrafficPolicy":null,"exposedFeatures":["client","xdcr"],"loadBalancerSourceRanges":null,"networkPlatform":null,"serviceAnnotations":null,"waitForAddressReachable":"10m","waitForAddressReachableDelay":"2m"}

      Networking defines Couchbase cluster networking options such as network topology, TLS and DDNS settings.

      cluster.networking.addressFamily

      string

      nil

      AddressFamily allows the manual selection of the address family to use. When this field is not set, Couchbase server will default to using IPv4 for internal communication and also support IPv6 on dual stack systems. Setting this field to either IPv4 or IPv6 will force Couchbase to use the selected protocol for internal communication, and also disable all other protocols to provide added security and simplicty when defining firewall rules. Disabling of address families is only supported in Couchbase Server 7.0.2+.

      cluster.networking.adminConsoleServiceTemplate

      object

      {"metadata":{"annotations":null,"labels":null},"spec":{"clusterIP":null,"clusterIPs":null,"externalIPs":null,"externalName":null,"externalTrafficPolicy":null,"healthCheckNodePort":null,"internalTrafficPolicy":null,"ipFamilies":null,"ipFamilyPolicy":null,"loadBalancerClass":null,"loadBalancerIP":null,"loadBalancerSourceRanges":null,"sessionAffinity":null,"sessionAffinityConfig":{"clientIP":{"timeoutSeconds":null}},"type":"NodePort"}}

      AdminConsoleServiceTemplate provides a template used by the Operator to create and manage the admin console service. This allows services to be annotated, the service type defined and any other options that Kubernetes provides. When using a LoadBalancer service type, TLS and dynamic DNS must also be enabled. The Operator reserves the right to modify or replace any field. More info: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.21/#service-v1-core

      cluster.networking.adminConsoleServiceTemplate.metadata

      object

      {"annotations":null,"labels":null}

      Standard objects metadata. This is a curated version for use with Couchbase resource templates.

      cluster.networking.adminConsoleServiceTemplate.spec

      object

      {"clusterIP":null,"clusterIPs":null,"externalIPs":null,"externalName":null,"externalTrafficPolicy":null,"healthCheckNodePort":null,"internalTrafficPolicy":null,"ipFamilies":null,"ipFamilyPolicy":null,"loadBalancerClass":null,"loadBalancerIP":null,"loadBalancerSourceRanges":null,"sessionAffinity":null,"sessionAffinityConfig":{"clientIP":{"timeoutSeconds":null}},"type":"NodePort"}

      ServiceSpec describes the attributes that a user creates on a service.

      cluster.networking.adminConsoleServices

      list

      ["data"]

      DEPRECATED - not required by Couchbase Server 6.5.0 onward. AdminConsoleServices is a selector to choose specific services to expose via the admin console. This field may contain any of "data", "index", "query", "search", "eventing" and "analytics". Each service may only be included once.

      cluster.networking.disableUIOverHTTP

      bool

      false

      DisableUIOverHTTP is used to explicitly enable and disable UI access over the HTTP protocol. If not specified, this field defaults to false.

      cluster.networking.disableUIOverHTTPS

      bool

      false

      DisableUIOverHTTPS is used to explicitly enable and disable UI access over the HTTPS protocol. If not specified, this field defaults to false.

      cluster.networking.dns

      object

      {"domain":null}

      DNS defines information required for Dynamic DNS support.

      cluster.networking.dns.domain

      string

      nil

      Domain is the domain to create pods in. When populated the Operator will annotate the admin console and per-pod services with the key "external-dns.alpha.kubernetes.io/hostname". These annotations can be used directly by a Kubernetes External-DNS controller to replicate load balancer service IP addresses into a public DNS server.

      cluster.networking.exposeAdminConsole

      bool

      true

      ExposeAdminConsole creates a service referencing the admin console. The service is configured by the adminConsoleServiceTemplate field.

      cluster.networking.exposedFeatureServiceTemplate

      object

      {"metadata":{"annotations":null,"labels":null},"spec":{"clusterIP":null,"clusterIPs":null,"externalIPs":null,"externalName":null,"externalTrafficPolicy":null,"healthCheckNodePort":null,"internalTrafficPolicy":null,"ipFamilies":null,"ipFamilyPolicy":null,"loadBalancerClass":null,"loadBalancerIP":null,"loadBalancerSourceRanges":null,"sessionAffinity":null,"sessionAffinityConfig":{"clientIP":{"timeoutSeconds":null}},"type":"NodePort"}}

      ExposedFeatureServiceTemplate provides a template used by the Operator to create and manage per-pod services. This allows services to be annotated, the service type defined and any other options that Kubernetes provides. When using a LoadBalancer service type, TLS and dynamic DNS must also be enabled. The Operator reserves the right to modify or replace any field. More info: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.21/#service-v1-core

      cluster.networking.exposedFeatureServiceTemplate.metadata

      object

      {"annotations":null,"labels":null}

      Standard objects metadata. This is a curated version for use with Couchbase resource templates.

      cluster.networking.exposedFeatureServiceTemplate.spec

      object

      {"clusterIP":null,"clusterIPs":null,"externalIPs":null,"externalName":null,"externalTrafficPolicy":null,"healthCheckNodePort":null,"internalTrafficPolicy":null,"ipFamilies":null,"ipFamilyPolicy":null,"loadBalancerClass":null,"loadBalancerIP":null,"loadBalancerSourceRanges":null,"sessionAffinity":null,"sessionAffinityConfig":{"clientIP":{"timeoutSeconds":null}},"type":"NodePort"}

      ServiceSpec describes the attributes that a user creates on a service.

      cluster.networking.exposedFeatureTrafficPolicy

      string

      nil

      DEPRECATED - by exposedFeatureServiceTemplate. ExposedFeatureTrafficPolicy defines how packets should be routed from a load balancer service to a Couchbase pod. When local, traffic is routed directly to the pod. When cluster, traffic is routed to any node, then forwarded on. While cluster routing may be slower, there are some situations where it is required for connectivity. This field must be either "Cluster" or "Local", defaulting to "Local",

      cluster.networking.exposedFeatures

      list

      ["client","xdcr"]

      ExposedFeatures is a list of Couchbase features to expose when using a networking model that exposes the Couchbase cluster externally to Kubernetes. This field also triggers the creation of per-pod services used by clients to connect to the Couchbase cluster. When admin, only the administrator port is exposed, allowing remote administration. When xdcr, only the services required for remote replication are exposed. The xdcr feature is only required when the cluster is the destination of an XDCR replication. When client, all services are exposed as required for client SDK operation. This field may contain any of "admin", "xdcr" and "client". Each feature may only be included once.

      cluster.networking.loadBalancerSourceRanges

      string

      nil

      DEPRECATED - by adminConsoleServiceTemplate and exposedFeatureServiceTemplate. LoadBalancerSourceRanges applies only when an exposed service is of type LoadBalancer and limits the source IP ranges that are allowed to use the service. Items must use IPv4 class-less interdomain routing (CIDR) notation e.g. 10.0.0.0/16.

      cluster.networking.networkPlatform

      string

      nil

      NetworkPlatform is used to enable support for various networking technologies. This field must be one of "Istio".

      cluster.networking.serviceAnnotations

      string

      nil

      DEPRECATED - by adminConsoleServiceTemplate and exposedFeatureServiceTemplate. ServiceAnnotations allows services to be annotated with custom labels. Operator annotations are merged on top of these so have precedence as they are required for correct operation.

      cluster.networking.waitForAddressReachable

      string

      "10m"

      WaitForAddressReachable is used to set the timeout between when polling of external addresses is started, and when it is deemed a failure. Polling of DNS name availability inherently dangerous due to negative caching, so prefer the use of an initial waitForAddressReachableDelay to allow propagation.

      cluster.networking.waitForAddressReachableDelay

      string

      "2m"

      WaitForAddressReachableDelay is used to defer operator checks that ensure external addresses are reachable before new nodes are balanced in to the cluster. This prevents negative DNS caching while waiting for external-DDNS controllers to propagate addresses.

      cluster.paused

      bool

      false

      Paused is to pause the control of the operator for the Couchbase cluster. This does not pause the cluster itself, instead stopping the operator from taking any action.

      cluster.platform

      string

      nil

      Platform gives a hint as to what platform we are running on and how to configure services. This field must be one of "aws", "gke" or "azure".

      cluster.recoveryPolicy

      string

      nil

      RecoveryPolicy controls how aggressive the Operator is when recovering cluster topology. When PrioritizeDataIntegrity, the Operator will delegate failover exclusively to Couchbase server, relying on it to only allow recovery when safe to do so. When PrioritizeUptime, the Operator will wait for a period after the expected auto-failover of the cluster, before forcefully failing-over the pods. This may cause data loss, and is only expected to be used on clusters with ephemeral data, where the loss of the pod means that the data is known to be unrecoverable. This field must be either "PrioritizeDataIntegrity" or "PrioritizeUptime", defaulting to "PrioritizeDataIntegrity".

      cluster.rollingUpgrade

      object

      {"maxUpgradable":null,"maxUpgradablePercent":null}

      When spec.upgradeStrategy is set to RollingUpgrade it will, by default, upgrade one pod at a time. If this field is specified then that number can be increased.

      cluster.rollingUpgrade.maxUpgradable

      string

      nil

      MaxUpgradable allows the number of pods affected by an upgrade at any one time to be increased. By default a rolling upgrade will upgrade one pod at a time. This field allows that limit to be removed. This field must be greater than zero. The smallest of maxUpgradable and maxUpgradablePercent takes precedence if both are defined.

      cluster.rollingUpgrade.maxUpgradablePercent

      string

      nil

      MaxUpgradablePercent allows the number of pods affected by an upgrade at any one time to be increased. By default a rolling upgrade will upgrade one pod at a time. This field allows that limit to be removed. This field must be an integer percentage, e.g. "10%", in the range 1% to 100%. Percentages are relative to the total cluster size, and rounded down to the nearest whole number, with a minimum of 1. For example, a 10 pod cluster, and 25% allowed to upgrade, would yield 2.5 pods per iteration, rounded down to 2. The smallest of maxUpgradable and maxUpgradablePercent takes precedence if both are defined.

      cluster.security

      object

      {"adminSecret":"","password":"","rbac":{"managed":true,"selector":{"matchExpressions":{"key":null,"operator":null,"values":null},"matchLabels":null}},"username":"Administrator"}

      Security defines Couchbase cluster security options such as the administrator account username and password, and user RBAC settings.

      cluster.security.adminSecret

      string

      ""

      AdminSecret is the name of a Kubernetes secret to use for administrator authentication. The admin secret must contain the keys "username" and "password". The password data must be at least 6 characters in length, and not contain the any of the characters ()<>,;:\"/[]?={}.

      cluster.security.password

      string

      ""

      Cluster administrator pasword, auto-generated when empty

      cluster.security.rbac

      object

      {"managed":true,"selector":{"matchExpressions":{"key":null,"operator":null,"values":null},"matchLabels":null}}

      Couchbase RBAC Users

      cluster.security.rbac.managed

      bool

      true

      Managed defines whether RBAC is managed by us or the clients.

      cluster.security.rbac.selector

      object

      {"matchExpressions":{"key":null,"operator":null,"values":null},"matchLabels":null}

      Selector is a label selector used to list RBAC resources in the namespace that are managed by the Operator.

      cluster.security.username

      string

      "Administrator"

      Cluster administrator username

      cluster.securityContext

      object

      {"fsGroup":1000,"fsGroupChangePolicy":null,"runAsGroup":null,"runAsNonRoot":true,"runAsUser":1000,"seLinuxOptions":{"level":null,"role":null,"type":null,"user":null},"seccompProfile":{"localhostProfile":null,"type":null},"supplementalGroups":null,"sysctls":[],"windowsOptions":{}}

      SecurityContext allows the configuration of the security context for all Couchbase server pods. When using persistent volumes you may need to set the fsGroup field in order to write to the volume. For non-root clusters you must also set runAsUser to 1000, corresponding to the Couchbase user in official container images. More info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/

      cluster.securityContext.fsGroup

      int

      1000

      A special supplemental group that applies to all containers in a pod. Some volume types allow the Kubelet to change the ownership of that volume to be owned by the pod: 1. The owning GID will be the FSGroup 2. The setgid bit is set (new files created in the volume will be owned by FSGroup) 3. The permission bits are OR’d with rw-rw---- If unset, the Kubelet will not modify the ownership and permissions of any volume. Note that this field cannot be set when spec.os.name is windows.

      cluster.securityContext.fsGroupChangePolicy

      string

      nil

      fsGroupChangePolicy defines behavior of changing ownership and permission of the volume before being exposed inside Pod. This field will only apply to volume types which support fsGroup based ownership(and permissions). It will have no effect on ephemeral volume types such as: secret, configmaps and emptydir. Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used. Note that this field cannot be set when spec.os.name is windows.

      cluster.securityContext.runAsGroup

      string

      nil

      The GID to run the entrypoint of the container process. Uses runtime default if unset. May also be set in SecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence for that container. Note that this field cannot be set when spec.os.name is windows.

      cluster.securityContext.runAsNonRoot

      bool

      true

      Indicates that the container must run as a non-root user. If true, the Kubelet will validate the image at runtime to ensure that it does not run as UID 0 (root) and fail to start the container if it does. If unset or false, no such validation will be performed. May also be set in SecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.

      cluster.securityContext.runAsUser

      int

      1000

      The UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. May also be set in SecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence for that container. Note that this field cannot be set when spec.os.name is windows.

      cluster.securityContext.seLinuxOptions

      object

      {"level":null,"role":null,"type":null,"user":null}

      The SELinux context to be applied to all containers. If unspecified, the container runtime will allocate a random SELinux context for each container. May also be set in SecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence for that container. Note that this field cannot be set when spec.os.name is windows.

      cluster.securityContext.seLinuxOptions.level

      string

      nil

      Level is SELinux level label that applies to the container.

      cluster.securityContext.seLinuxOptions.role

      string

      nil

      Role is a SELinux role label that applies to the container.

      cluster.securityContext.seLinuxOptions.type

      string

      nil

      Type is a SELinux type label that applies to the container.

      cluster.securityContext.seLinuxOptions.user

      string

      nil

      User is a SELinux user label that applies to the container.

      cluster.securityContext.seccompProfile

      object

      {"localhostProfile":null,"type":null}

      The seccomp options to use by the containers in this pod. Note that this field cannot be set when spec.os.name is windows.

      cluster.securityContext.seccompProfile.localhostProfile

      string

      nil

      localhostProfile indicates a profile defined in a file on the node should be used. The profile must be preconfigured on the node to work. Must be a descending path, relative to the kubelet’s configured seccomp profile location. Must only be set if type is "Localhost".

      cluster.securityContext.seccompProfile.type

      string

      nil

      type indicates which kind of seccomp profile will be applied. Valid options are: Localhost - a profile defined in a file on the node should be used. RuntimeDefault - the container runtime default profile should be used. Unconfined - no profile should be applied.

      cluster.securityContext.supplementalGroups

      string

      nil

      A list of groups applied to the first process run in each container, in addition to the container’s primary GID. If unspecified, no groups will be added to any container. Note that this field cannot be set when spec.os.name is windows.

      cluster.securityContext.sysctls

      list

      []

      Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch. Note that this field cannot be set when spec.os.name is windows.

      cluster.securityContext.windowsOptions

      object

      {}

      The Windows specific settings applied to all containers. If unspecified, the options within a container’s SecurityContext will be used. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. Note that this field cannot be set when spec.os.name is linux.

      cluster.serverGroups

      string

      nil

      ServerGroups define the set of availability zones you want to distribute pods over, and construct Couchbase server groups for. By default, most cloud providers will label nodes with the key "topology.kubernetes.io/zone", the values associated with that key are used here to provide explicit scheduling by the Operator. You may manually label nodes using the "topology.kubernetes.io/zone" key, to provide failure-domain aware scheduling when none is provided for you. Global server groups are applied to all server classes, and may be overridden on a per-server class basis to give more control over scheduling and server groups.

      cluster.servers

      object

      {"default":{"autoscaleEnabled":false,"env":[],"envFrom":[],"pod":{"spec":{}},"services":["data","index","query","search","analytics","eventing"],"size":3}}

      Servers defines server classes for the Operator to provision and manage. A server class defines what services are running and how many members make up that class. Specifying multiple server classes allows the Operator to provision clusters with Multi-Dimensional Scaling (MDS). At least one server class must be defined, and at least one server class must be running the data service.

      cluster.servers.default

      object

      {"autoscaleEnabled":false,"env":[],"envFrom":[],"pod":{"spec":{}},"services":["data","index","query","search","analytics","eventing"],"size":3}

      Name for the server configuration. It must be unique.

      cluster.servers.default.autoscaleEnabled

      bool

      false

      AutoscaledEnabled defines whether the autoscaling feature is enabled for this class. When true, the Operator will create a CouchbaseAutoscaler resource for this server class. The CouchbaseAutoscaler implements the Kubernetes scale API and can be controlled by the Kubernetes horizontal pod autoscaler (HPA).

      cluster.servers.default.env

      list

      []

      Env allows the setting of environment variables in the Couchbase server container.

      cluster.servers.default.envFrom

      list

      []

      EnvFrom allows the setting of environment variables in the Couchbase server container.

      cluster.servers.default.pod

      object

      {"spec":{}}

      Pod defines a template used to create pod for each Couchbase server instance. Modifying pod metadata such as labels and annotations will update the pod in-place. Any other modification will result in a cluster upgrade in order to fulfill the request. The Operator reserves the right to modify or replace any field. More info: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.21/#pod-v1-core

      cluster.servers.default.services

      list

      ["data","index","query","search","analytics","eventing"]

      Services is the set of Couchbase services to run on this server class. At least one class must contain the data service. The field may contain any of "data", "index", "query", "search", "eventing" or "analytics". Each service may only be specified once.

      cluster.servers.default.size

      int

      3

      Size is the expected requested of the server class. This field must be greater than or equal to 1.

      cluster.softwareUpdateNotifications

      bool

      false

      SoftwareUpdateNotifications enables software update notifications in the UI. When enabled, the UI will alert when a Couchbase server upgrade is available.

      cluster.upgradeStrategy

      string

      nil

      UpgradeStrategy controls how aggressive the Operator is when performing a cluster upgrade. When a rolling upgrade is requested, pods are upgraded one at a time. This strategy is slower, however less disruptive. When an immediate upgrade strategy is requested, all pods are upgraded at the same time. This strategy is faster, but more disruptive. This field must be either "RollingUpgrade" or "ImmediateUpgrade", defaulting to "RollingUpgrade".

      cluster.volumeClaimTemplates

      object

      {"metadata":{"annotations":null,"labels":null,"name":null},"spec":{"accessModes":null,"dataSourceRef":{"apiGroup":null,"kind":null,"name":null},"resources":{"limits":null,"requests":null},"selector":{"matchExpressions":{"key":null,"operator":null,"values":null},"matchLabels":null},"storageClassName":null,"volumeMode":null,"volumeName":null}}

      VolumeClaimTemplates define the desired characteristics of a volume that can be requested/claimed by a pod, for example the storage class to use and the volume size. Volume claim templates are referred to by name by server class volume mount configuration.

      cluster.volumeClaimTemplates.metadata

      object

      {"annotations":null,"labels":null,"name":null}

      Standard objects metadata. This is a curated version for use with Couchbase resource templates.

      cluster.volumeClaimTemplates.metadata.annotations

      string

      nil

      Annotations is an unstructured key value map stored with a resource that may be set by external tools to store and retrieve arbitrary metadata. They are not queryable and should be preserved when modifying objects. More info: http://kubernetes.io/docs/user-guide/annotations

      cluster.volumeClaimTemplates.metadata.labels

      string

      nil

      Map of string keys and values that can be used to organize and categorize (scope and select) objects. May match selectors of replication controllers and services. More info: http://kubernetes.io/docs/user-guide/labels

      cluster.volumeClaimTemplates.metadata.name

      string

      nil

      Name must be unique within a namespace. Is required when creating resources, although some resources may allow a client to request the generation of an appropriate name automatically. Name is primarily intended for creation idempotence and configuration definition. Cannot be updated. More info: http://kubernetes.io/docs/user-guide/identifiers#names

      cluster.volumeClaimTemplates.spec

      object

      {"accessModes":null,"dataSourceRef":{"apiGroup":null,"kind":null,"name":null},"resources":{"limits":null,"requests":null},"selector":{"matchExpressions":{"key":null,"operator":null,"values":null},"matchLabels":null},"storageClassName":null,"volumeMode":null,"volumeName":null}

      PersistentVolumeClaimSpec describes the common attributes of storage devices and allows a Source for provider-specific attributes

      cluster.volumeClaimTemplates.spec.accessModes

      string

      nil

      AccessModes contains the desired access modes the volume should have. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1

      cluster.volumeClaimTemplates.spec.dataSourceRef

      object

      {"apiGroup":null,"kind":null,"name":null}

      Specifies the object from which to populate the volume with data, if a non-empty volume is desired. This may be any local object from a non- empty API group (non core object) or a PersistentVolumeClaim object. When this field is specified, volume binding will only succeed if the type of the specified object matches some installed volume populator or dynamic provisioner. This field will replace the functionality of the DataSource field and as such if both fields are non-empty, they must have the same value. For backwards compatibility, both fields (DataSource and DataSourceRef) will be set to the same value automatically if one of them is empty and the other is non-empty. There are two important differences between DataSource and DataSourceRef: * While DataSource only allows two specific types of objects, DataSourceRef allows any non-core object, as well as PersistentVolumeClaim objects. * While DataSource ignores disallowed values (dropping them), DataSourceRef preserves all values, and generates an error if a disallowed value is specified. (Alpha) Using this field requires the AnyVolumeDataSource feature gate to be enabled.

      cluster.volumeClaimTemplates.spec.resources

      object

      {"limits":null,"requests":null}

      Resources represents the minimum resources the volume should have. If RecoverVolumeExpansionFailure feature is enabled users are allowed to specify resource requirements that are lower than previous value but must still be higher than capacity recorded in the status field of the claim. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources

      cluster.volumeClaimTemplates.spec.selector

      object

      {"matchExpressions":{"key":null,"operator":null,"values":null},"matchLabels":null}

      A label query over volumes to consider for binding.

      cluster.volumeClaimTemplates.spec.storageClassName

      string

      nil

      Name of the StorageClass required by the claim. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1

      cluster.volumeClaimTemplates.spec.volumeMode

      string

      nil

      volumeMode defines what type of volume is required by the claim. Value of Filesystem is implied when not included in claim spec.

      cluster.volumeClaimTemplates.spec.volumeName

      string

      nil

      VolumeName is the binding reference to the PersistentVolume backing this claim.

      cluster.xdcr

      object

      {"managed":false,"remoteClusters":{"authenticationSecret":null,"hostname":null,"name":null,"replications":{"selector":{"matchExpressions":{"key":null,"operator":null,"values":null},"matchLabels":null}},"tls":{"secret":null},"uuid":null}}

      XDCR defines whether the Operator should manage XDCR, remote clusters and how to lookup replication resources.

      cluster.xdcr.managed

      bool

      false

      Managed defines whether XDCR is managed by the operator or not.

      cluster.xdcr.remoteClusters

      object

      {"authenticationSecret":null,"hostname":null,"name":null,"replications":{"selector":{"matchExpressions":{"key":null,"operator":null,"values":null},"matchLabels":null}},"tls":{"secret":null},"uuid":null}

      RemoteClusters is a set of named remote clusters to establish replications to.

      cluster.xdcr.remoteClusters.authenticationSecret

      string

      nil

      AuthenticationSecret is a secret used to authenticate when establishing a remote connection. It is only required when not using mTLS. The secret must contain a username (secret key "username") and password (secret key "password").

      cluster.xdcr.remoteClusters.hostname

      string

      nil

      Hostname is the connection string to use to connect the remote cluster.

      cluster.xdcr.remoteClusters.name

      string

      nil

      Name of the remote cluster.

      cluster.xdcr.remoteClusters.replications

      object

      {"selector":{"matchExpressions":{"key":null,"operator":null,"values":null},"matchLabels":null}}

      Replications are replication streams from this cluster to the remote one. This field defines how to look up CouchbaseReplication resources. By default any CouchbaseReplication resources in the namespace will be considered.

      cluster.xdcr.remoteClusters.tls

      object

      {"secret":null}

      TLS if specified references a resource containing the necessary certificate data for an encrypted connection.

      cluster.xdcr.remoteClusters.uuid

      string

      nil

      UUID of the remote cluster. The UUID of a CouchbaseCluster resource is advertised in the status.clusterId field of the resource.

      collectiongroups

      object

      {}

      Uncomment to create a "couchbasecollectiongroups" resource Defines a group of collections. A collection is a data container, defined on Couchbase Server, within a bucket whose type is either Couchbase or Ephemeral. See https://docs.couchbase.com/operator/current/resource/couchbasecollectiongroup.html

      collections

      object

      {}

      Uncomment to create a "couchbasecollections" resource A collection is a data container, defined on Couchbase Server, within a bucket whose type is either Couchbase or Ephemeral. See https://docs.couchbase.com/operator/current/resource/couchbasecollection.html

      coredns

      object

      {"searches":["default.svc.cluster.local","svc.cluster.local","cluster.local"],"service":null}

      Coredns service configuration to be applied to pods for cross-cluster deployments

      coredns.searches

      list

      ["default.svc.cluster.local","svc.cluster.local","cluster.local"]

      Search list for host-name lookup

      coredns.service

      string

      nil

      Name of Kubernetes service which exposes DNS endpoints

      couchbaseOperator.commandArgs

      object

      {"pod-create-timeout":"10m"}

      Set of command-line flags to pass on to the Operator to modify its behavior. see: https://docs.couchbase.com/operator/2.0/reference-operator-configuration.html#command-line-arguments

      couchbaseOperator.commandArgs.pod-create-timeout

      string

      "10m"

      Pod creation timeout. The Operator allows the timeout of pod creation to be manually configured. It is primarily intended for use on cloud platforms where the deployment of multiple volumes and pulling of a Couchbase Server container image may take a longer time than the default timeout period.

      couchbaseOperator.image

      object

      {"repository":"couchbase/operator","tag":"2.3.0"}

      Image specifies repository and tag of the Couchbase Operator container.

      couchbaseOperator.imagePullPolicy

      string

      "IfNotPresent"

      The policy for pulling images from the repository onto hosts. The imagePullPolicy value defaults to IfNotPresent, which means that images are only pulled if they’re not present on the Kubernetes node. Values allowed are Always, IfNotPresent, and Never.

      couchbaseOperator.imagePullSecrets

      list

      []

      ImagePullSecrets is an optional list of references to secrets to use for pulling images.

      couchbaseOperator.name

      string

      "couchbase-operator"

      Name of the couchbase operator Deployment

      couchbaseOperator.nodeSelector

      object

      {}

      Specify a node selection constraint for couchbase-admission-operator pod assignment. — Ref: https://kubernetes.io/docs/user-guide/node-selection/

      couchbaseOperator.resources

      object

      {}

      Resource Limits and requests for Pod CPU and Memory

      couchbaseOperator.scope

      string

      "Role"

      RBAC Scope of the Operator. Must be either 'Role' or 'ClusterRole'

      couchbaseOperator.tolerations

      list

      []

      Tolerations are applied to pods, and allow (but do not require) the pods to schedule onto nodes with matching taints.

      install.admissionController

      bool

      true

      Install the admission controller

      install.couchbaseCluster

      bool

      true

      Install couchbase cluster

      install.couchbaseOperator

      bool

      true

      Install the couchbase operator

      install.syncGateway

      bool

      false

      Install sync gateway

      scopegroups

      object

      {}

      Uncomment to create a "couchbasescopegroups" resource CouchbaseScopeGroup represents a logical unit of data storage that sits between buckets and collections e.g. a bucket may contain multiple scopes, and a scope may contain multiple collections. See https://docs.couchbase.com/operator/current/resource/couchbasescopegroup.html

      scopes

      object

      {}

      Uncomment to create a "couchbasescopes" resource A scope is simply a single-tier namespace for a group of collections to exist within. Collections within a scope must all have unique names, but collections in different scopes may share the same name. This property allows multi-tenancy. See https://docs.couchbase.com/operator/current/resource/couchbasescope.html

      syncGateway.admin.enabled

      bool

      false

      Defines if the admin API will be exposed by sync gateway

      syncGateway.affinity

      object

      {}

      Affinity to apply to the pods

      syncGateway.config

      object

      {"databases":{"db":{"allow_conflicts":false,"bucket":"default","cacert":null,"enable_shared_bucket_access":true,"password":null,"revs_limit":20,"server":null,"username":null,"users":{"GUEST":{"admin_channels":[""],"disabled":false}}}},"logging":{"console":{"enabled":true,"log_keys":[""],"log_level":"debug"}}}

      Database config

      syncGateway.config.databases

      object

      {"db":{"allow_conflicts":false,"bucket":"default","cacert":null,"enable_shared_bucket_access":true,"password":null,"revs_limit":20,"server":null,"username":null,"users":{"GUEST":{"admin_channels":["*"],"disabled":false}}}}

      Databases is a list containing bucket replication configs

      syncGateway.config.databases.db.bucket

      string

      "default"

      Bucket replicated to sync gateway

      syncGateway.config.databases.db.cacert

      string

      nil

      Optional ca.cert for tls connection (auto-generated when tls.generate true)

      syncGateway.config.databases.db.password

      string

      nil

      Password of db admin, defaults to cluster admin password

      syncGateway.config.databases.db.server

      string

      nil

      Server to connect db to, defaults to cluster server

      syncGateway.config.databases.db.username

      string

      nil

      Username of db admin, defaults to cluster admin username

      syncGateway.config.databases.db.users

      object

      {"GUEST":{"admin_channels":["*"],"disabled":false}}

      Guest user config

      syncGateway.config.databases.db.users.GUEST.admin_channels

      list

      ["*"]

      Channels guest user may access. defaults to all channels

      syncGateway.config.databases.db.users.GUEST.disabled

      bool

      false

      Disable creation of guest user

      syncGateway.configSecret

      string

      nil

      Optional secret to use with prepoulated database config

      syncGateway.exposeServiceType

      string

      "ClusterIP"

      Type of service to use for exposing Sync Gateway Set as empty string to prevent service creation

      syncGateway.image

      object

      {"repository":"couchbase/sync-gateway","tag":"2.8.0-enterprise"}

      Image of the sync gateway container

      syncGateway.imagePullPolicy

      string

      "IfNotPresent"

      syncGateway.kind

      string

      "Deployment"

      Kind of resource to use when installing sync gateway resource. suppports (Deployment

      Statefulset)

      syncGateway.labels

      object

      {}

      Labels to apply to the deployment resource

      syncGateway.monitoring.prometheus.enabled

      bool

      false

      Defines whether Prometheus metric collection is enabled

      syncGateway.monitoring.prometheus.image

      object

      {"repository":"couchbasesamples/sync-gateway-prometheus-exporter","tag":"latest"}

      Image used by the Sync Gateway to perform metric collection (injected as a "sidecar" in each Sync Gateway Pod)

      syncGateway.monitoring.prometheus.resources

      object

      {}

      syncGateway.name

      string

      nil

      Name of the sync gateway pod. defaults to name of chart

      syncGateway.nodeSelector

      object

      {}

      Which nodes to run the pods on

      syncGateway.podLabels

      object

      {}

      Labels to apply to the pods

      syncGateway.replicas

      int

      1

      How many sync gateway pods to create horizontally scale the deployment

      syncGateway.resources

      object

      {}

      Resources to apply to the pods

      syncGateway.revisionHistoryLimit

      string

      nil

      Optional set to change cleanup policy

      syncGateway.service.annotations

      object

      {}

      Additional annotations to add to the Sync Gateway service. Useful for setting cloud provider specific annotations controlling the services deployed.

      syncGateway.service.externalTrafficPolicy

      string

      nil

      Optionally configure traffic policy for LoadBalancer and NodePort

      syncGateway.tolerations

      list

      []

      Tolerations are applied to pods, and allow (but do not require) the pods to schedule onto nodes with matching taints.

      syncGateway.volumeClaimTemplates

      list

      [{"metadata":{"name":"data"},"spec":{"accessModes":["ReadWriteOnce"],"resources":{"requests":{"storage":"1Gi"}},"storageClassName":"default"}}]

      Volume claim template to define size of persistent volumes to provide for stateful sets

      syncGateway.volumeMounts

      list

      [{"mountPath":"/dbs","name":"data","readOnly":true}]

      Location within sync gateway to back with persistent volume

      tls.expiration

      int

      365

      Expiry time of CA in days for generated certs

      tls.generate

      bool

      false

      Enable to auto create certs

      tls.legacy

      bool

      false

      Legacy TLS configuration with static format which requires PKCS#1 formatted keys. Legacy format is used implicitly during upgrade when old static keys exist. The default is 'false' which supports additional formats and multiple root CAs.

      tls.nodeToNodeEncryption

      string

      nil

      This field defines whether node-to-node encryption is enabled. Must be either 'All' or 'ControlPlaneOnly'. If not specified, data between Couchbase Server nodes is not encrypted.

      users

      object

      {}

      About Resource Names

      All resources/objects created by the Couchbase Chart adhere to the following naming scheme: <release-name>-<component-name>

      • <release-name>

        • This is name of the installed instance.

      • <component-name>

        • This is the name of the Operator, Admission, and Couchbase component..

        • If the resource is created for the Operator, then <component-name> will be whatever is specified in couchbaseOperator.name.

        • If the resource is created for the admission controller, then <component-name> will be whatever is specified in admissionController.name.

        • If the resource is created for the Couchbase cluster, then <component-name> will be whatever is specified in cluster.name.

      Specifying Your Own Resources

      The chart allows you to override certain resources such as TLS certificates with ones that you’ve already created. In this case, the names of the resources are determined by you and not the chart, and therefore do not adhere to the naming scheme described in the previous section. Check the specs below for the value you are attempting to override for additional information on what type of resource is expected and how it should be formatted.

      Install Values

      Installation values for selective deployment of components within the chart.

        # Select what to install
        install:
          # install the couchbase operator
          couchbaseOperator: true
          # install the admission controller
          admissionController: true
          # install couchbase cluster
          couchbaseCluster: true
          # install sync gateway
          syncGateway: false

      The Couchbase Chart is capable of installing the Operator, Admission Controller, Couchbase Cluster, and Sync Gateway.

      couchbaseOperator

      This field specifies whether or not the Couchbase Autonomous Operator will be installed.

      Field Rules:

      The couchbaseOperator field defaults to true.

      admissionController

      This field specifies whether or not the Couchbase Admission Controller will be installed.

      Field Rules:

      The admissionController field defaults to true.

      couchbaseCluster

      This field specifies whether or not a Couchbase Cluster will be installed.

      Field Rules:

      The couchbaseCluster field defaults to true.

      syncGateway

      This field specifies whether or not an instance of the Sync Gateway will be installed.

      Field Rules:

      The syncGateway field defaults to false.

      Couchbase Cluster

      The cluster configuration represents the CouchbaseCluster resources to be installed. If install.couchbaseCluster is set to false then the cluster will not be installed.

      cluster

        cluster:
          name:
          security:
            username: Administrator
            password:
            adminSecret:

      name

      The name of the cluster to create.

      Value rules: The couchbaseCluster.name value defaults to the name of the chart if not specified. Must be unique from any other clusters in the namespace.

      username

      The username to use as the cluster admin.

      This should only be used for experimental and test clusters. Consider using adminSecret to provide a secret containing your own username and password.

      Value rules: The couchbaseCluster.username value is a string set to Administrator by default.

      password

      The password to use as the cluster admin.

      This should only be used for experimental and test clusters. Consider using adminSecret to provide a secret containing your own username and password.

      Value rules: The couchbaseCluster.password value is a string that is auto-generated by default.

      adminSecret

      The secret to use for overriding the auto-generated secret. When specified the username and password from the secret are used for Administrator login.

      Value rules: The couchbaseCluster.adminSecret value is the name of a Kubernetes secret and is not set by default.

      Persistent Volumes

      The best way to create a cluster with persistent volumes is to make a custom value file. The following example shows how volume mounts can be added to created a persisted cluster.

      Create a file named values-persistent.yaml with the following values:

      cluster:
        servers:
          default:
            pod:
              volumeMounts:
                default: couchbase
                data:  couchbase
        securityContext:
            fsGroup: 1000
        volumeClaimTemplates:
          - metadata:
              name: couchbase
            spec:
              storageClassName: "default"
              resources:
                requests:
                  storage: 1Gi

      Install the Couchbase Helm Chart using the custom value file:

      helm install my-release -f values-persistent.yaml couchbase/couchbase-operator

      additional values

      All of the remaining values which can be overridden in this spec are described in the CouchbaseCluster documentation.

      TLS

      Certificates can be auto-generated or overridden by user supplied certs. Also since Couchbase certs are represented as plain Kubernetes secrets, the secret itself can be overridden.

      tls:
        generate: false
        legacy: false
        expiration: 365
        nodeToNodeEncryption: All

      generate

      This value determines whether the chart should create the cluster with TLS.

      Value rules: The tls.generate is a boolean which defaults to false. When set to true all of the certs and keys required for TLS will be auto-generated unless manually specified. When value is false certs are not generated, but manual Secrets can be provided by overriding cluster.networking.tls.

      legacy

      This value determines whether legacy or Native TLS format will be used.

      Value rules: The tls.legacy is a boolean which defaults to false. When value is 'true' legacy TLS configuration with static format which requires PKCS#1 formatted keys. When value is 'false' native TLS is used and a root CA is generated along with separate client and server keys.

      expiration

      Expiration of CA in days

      Value rules: The couchbaseTLS.expiration defaults to 365 days.

      nodeToNodeEncryption

      This field defines whether node-to-node encryption is enabled.

      When set to All, all data between Couchbase server nodes is encrypted. When set to ControlPlaneOnly, only internal Couchbase server messages are encrypted, user data is not. If not specified, data between Couchbase Server nodes is not encrypted.

      As with all encryption protocols, this setting may negatively affect performance with the increased data protection.

      Field rules: This field is optional and must be either All or ControlPlaneOnly.

      Custom TLS

      Create cluster with auto-generated TLS certs

      helm install my-release --set tls.generate=true -f values-persistent.yaml couchbase/couchbase-operator

      Use manually created secrets . Create a file named tls_values.yaml with the following custom override values for the Couchbase Chart:

      cluster:
         networking:
           tls:
             rootCAs:
             - secure-couchbase-cluster-ca-tls
             secretSource:
               clientSecretName: secure-couchbase-cluster-operator-tls
               serverSecretName: secure-couchbase-cluster-server-tls

      Refer to TLS Concept documentation for additional information about available security options.

      helm install  my-release -f tls_values.yaml couchbase/couchbase-operator

      Buckets

      The buckets configuration represent CouchbaseBucket resources to be installed by the cluster.

      buckets:
        default:
          name: default
          kind: CouchbaseBucket
      Buckets are automatically provisioned with label selectors matching the corresponding Couchbase cluster.

      At least one bucket will be created whenever install.CouchbaseCluster is set to true (if you don’t actively configure at least one bucket, then a default bucket is created automatically). If zero buckets are desired, then you must disable bucket creation completely by setting the contents to null.

      buckets: null
      The buckets field must be explicitly set to null in order to avoid bucket creation. Even if the section is completely empty, unless buckets: null is specified, the default bucket will be created.

      name

      This value determines the name of the bucket to create within Couchbase Server.

      Value rules: The bucket.name value is a string. This value is optional and when not set, the object key name is used instead. The object key name is used for the Kubernetes CRD, whereas this value is used for the bucket name that is recognized within the Couchbase Server application.

      kind

      This is the type of the bucket to create and can be one of the supported types provided by Couchbase Server.

      Value rules: The bucket.kind value takes one of the supported values: CouchbaseBucket, CouchbaseEphemeralBucket, or CouchbaseMemcachedBucket. This value is optional and defaults to CouchbaseBucket when not set.

      additional values

      All of the remaining values which can be overridden in this spec are described in the CouchbaseCluster documentation.

      Users

      The users configuration represent CouchbaseUser, CouchbaseGroup, and CouchbaseRoleBinding resources to be installed by the cluster. Users are installed whenever install.CouchbaseCluster is set to true.

        users:
          developer:   # username (1)
            autobind: true
            password: password
            authSecret:
            authDomain: local
            roles:
              - name: bucket_admin
                bucket: default
      1 The username is set from the key of each user configuration. NOTE: Users are automatically provisioned with label selectors matching the corresponding Couchbase cluster.

      autobind

      Value rules: The user.<name>.autobind value is a boolean. If autobind is set, then Users are automatically created alongside groups with specified roles. To manually create groups and bind users then set autobind to 'false' and specify groups and rolebindings resources

      password

      The user password.

      This should only be used for experimental and test clusters. Consider using authSecret or setting authDomain: external to improve security .

      Value rules: The user.<name>.password value is a string. This value is required when authDomain is local.

      authSecret

      The Kubernetes Secret containing the user password.

      Value rules: The user.<name>.authSecret value is a string. This value is optional and must refer to a Kubernetes Secret resource when specified. The Secret must contain the path data.password with the base64 encoded value of the secret

      authDomain

      The Couchbase RBAC Domain to use when authenticating the user.

      Value rules: The user.<name>.authDomain value is a string. This value is required and must be either local or external.

      roles

      The Couchbase Roles to assign to the user

      Value rules: The user.<name>.roles value is a list. This value is required and must provide the name of a valid Couchbase Server role. If the Couchbase Server role is a bucket role, then the name of a bucket value may also be provided. If the name of a bucket is not provided for a bucket role then the value defaults to * which means the role applies to all buckets.

      Refer to CouchbaseGroups documentation for list of Administrator and Bucket roles.

      Backups

      This object defines parameters and variables for automated backup. When set, the chart will create a backup job.

      backups:
        default-backup:
          name: my-backup
          strategy: full_incremental
          full:
            schedule: "0 3 * * 0"
          incremental:
            schedule: "0 3 * * 1-6"

      All of the provided values for this spec are described here in the Couchbase Cluster Configuration documentation.

      Backup Restores

      This object defines parameters and variables for automated backup restores. When set, the chart will create a backup restore job.

      backuprestores:
        default-restore:
          name: my-restore
          backup: my-backup
          repo: cb-example-2020-11-12T19_00_03
          start:
            int: 1
            str: oldest
          end:
            int: 1
            str: latest
          backOffLimit: 2
          logRetention: 24h

      All of the provided values for this spec are described here in the Couchbase Cluster Configuration documentation.

      Sync Gateway

      The Sync Gateway configuration provides defaults for deploying Sync Gateway along with associated services. The Sync Gateway server is installed when install.syncGateway is set to true. When installed, Sync Gateway is automatically connected to Couchbase cluster.

      syncGateway:
        name:
        config:
          logging:
            console:
              enabled: true
              log_level: "debug"
              log_keys:
              - "*"
          databases:
            db:
              bucket: default
              users:
                GUEST:
                  disabled: false
                  admin_channels: ["*"]
              server:
              username:
              password:
              allow_conflicts: false
              revs_limit: 20
              enable_shared_bucket_access: true
              cacert:
        exposeServiceType: ClusterIP
        image:
          repository: couchbase/sync-gateway
          tag: 2.8.3-enterprise
        imagePullPolicy: IfNotPresent
        configSecret:
      If you install a bucket with a name other than default then you will need to update databases.db.bucket accordingly.

      exposeServiceType

      The type of service to use for exposing the Sync Gateway server.

      Value rules: The exposeServiceType value is a string. This value is optional and defaults to ClusterIP. When specified the value must be either ClusterIP, NOodePort, or LoadBalancer. When the value is not specified then the exposing service is not created.

      configSecret

      A Kubernetes Secret containing values that override config.databases This allows for sync-gateway configurations to be shared across clusters, since the Secret will contain the same configuration information about connecting to a particular Couchbase Cluster.

      Value rules: The configSecret value is a string This value is optional. When specified the content of the Secret will be used to override the values of config.databases.

      coredns

      DNS settings to apply to the Couchbase and Sync Gateway Deployments

      coredns:
        service:
        searches:
        - default.svc.cluster.local
        - svc.cluster.local
        - cluster.local

      coredns.service

      The name of a Kubernetes Service resource which exposes Kubernetes DNS. By default the kube-dns service is used, but user may decide to install CoreDNS for Inter-Cluster Deployments.

      Value rules: The coredns.service value is a string. This value is optional. When specified the value must refer to a Kubernetes Service resource that is capable of providing DNS to the Sync Gateway server.

      coredns.searches

      The search domains to use when looking up hostnames

      Value rules: The coredns.searches value is an optional list of strings.

      Autonomous Operator

      The Helm chart deploys the Operator as a Kubernetes Deployment.

      couchbaseOperator:
        name: "couchbase-operator"
        image:
          repository: couchbase/operator
          tag: 2.3.0
        imagePullPolicy: IfNotPresent
        imagePullSecrets: []
        commandArgs:
          pod-create-timeout: 10m
        resources: {}
        nodeSelector: {}
        tolerations: []

      commandArgs

      This spec allows you to specify command line arguments to pass on to the Operator.

      value rules: The commandArgs value is a key-value map of arguments that can be used to modify the behavior of the Operator image. The -pod-create-timeout: argument is set to 10m by default, which means that the Operator will wait 10 minutes for a Couchbase Server Pod to start. The -debug: argument can also be used here, and set to debug for more verbose logging.

      Additional Values

      The couchbaseOperator parameters are described in the Operator Deployment Settings documentation.

      Admission Controller

      admissionController:
        name: "couchbase-admission-controller"
        image:
          repository: couchbase/admission-controller
          tag: 2.3.0
        imagePullPolicy: IfNotPresent
        imagePullSecrets: []
        verboseLogging: true

      The Helm chart deploys the admission controller as a Kubernetes Deployment.

      name

      This field specifies the name of the admission controller deployment.

      Field Rules:

      The name field defaults to couchbase-admission-controller.

      image

        image:
          repository: couchbase/admission-controller
          tag: 2.3.0

      The repository and tag to use for pulling the admission controller image.

      Field Rules:

      The image.repository value can refer to any repository. The image.tag field can refer to any version of the admission controller image in the repository.

      imagePullPolicy

      The policy for pulling images from the repository onto hosts.

      Field Rules:

      The imagePullPolicy value defaults to IfNotPresent, which means that images are only pulled if they’re not present on the Kubernetes node. Values allowed are Always, IfNotPresent, and Never.

      imagePullSecrets

      An optional list referencing secrets to use for pulling the image.

      Field Rules:

      The imagePullSecrets value is a list which is not set by default. Refer to the Operator documentation about creating pull secrets. When using the Helm CLI to override pull secrets, the list should be denoted as a comma delimited list within curly braces:

      helm install --set admissionController.imagePullSecrets={pullsecret1,pullsecret2} couchbase/couchbase-operator

      verboseLogging

      Determines whether the admission controller should log all of its validation notices within the console.

      Field Rules:

      The verboseLogging field is a boolean value that is set to false by default, which means only validation errors are logged within the pod’s console.

      Admission Service

        admissionService:
          name:
          port: 443
          targetPort: 8443

      The admission service is used by the webhooks to access the admission operator. Certificates are auto-generated for this service whenever this object is enabled. The admission service is always created when install.admissionController is set to true.

      name

      Name of the admission service.

      port

      Port exposed by the admission service to the validation webhooks.

      targetPort

      Port of the admission controller targeted by the admission Service.

      Field Rules:

      The name value defaults to whatever is specified in admissionController.name.

      Admission Controller Certificate Authority

      admissionCA:
        cert:
        key:
        expiration: 365

      The admissionCA spec specifies the CA certificates that are applied to validating webhooks.

      By default, the CA certificate and key is auto-generated. The following example shows how to use a self-signed certificate:

      1. Create Certificates

        Use OpenSSL to create myCA.key and myCA.pem in your current directory:

        openssl genrsa -out myCA.key 2048
        openssl req -x509 -new -nodes -key myCA.key -sha256 -days 1825 -outform PEM -out myCA.pem
      2. Install the chart with certificates

        Use --set-file to import the files from your current directory:

        helm install  --set-file admissionCA.cert=myCA.pem \
                      --set-file admissionCA.key=myCA.key \
                      couchbase/couchbase-operator

      Refer to the TLS documentation for manually creating certificates and keys that can be used to override the auto-generated secret.

      cert

      The PEM format CA certificate.

      Field Rules:

      The cert value defaults to an auto-generated CA certificate.

      key

      The PEM format CA key.

      Field Rules:

      The key value defaults to an auto-generated CA key.

      expiration

      Expiration of CA certificate in days.

      Field Rules:

      The expiration value defaults to 365 days.

      Admission Controller Secret

      admissionSecret:
        name:
        cert:
        key:

      The admissionSecret spec specifies the secret for the admission controller to use for validating cluster specs securely over the admission service.

      To use a custom secret, you will also need to provide the CA that was used to generate the certificates and keys within the secret. The following example shows how to use a self-signed CA and client:

      1. Create CA and client certificates

        Use EasyRSA CA and signed client cert with DNS cb-example.default.svc

        ./easyrsa build-ca nopasss
        ./easyrsa --subject-alt-name=DNS:cb-example.default.svc build-server-full admission-controller nopas
      2. Install chart with client certificates

        Install chart with custom certs and be sure to set admissionService.name to DNS name.

        This example also sets --namespace default option since this is also included in the DNS of cert we created:

        helm install  --namespace ci-testcluster \
                      --set admissionService.name=ci-testcluster \
                      --set-file admissionCA.cert=/home/ubuntu/easy-rsa/easyrsa3/pki/ca.crt \
                      --set-file admissionCA.key=/home/ubuntu/easy-rsa/easyrsa3/pki/private/ca.key \
                      --set-file admissionSecret.cert=/home/ubuntu/easy-rsa/easyrsa3/pki/issued/admission-controller.crt \
                      --set-file admissionSecret.key=/home/ubuntu/easy-rsa/easyrsa3/pki/private/admission-controller.key \
                      couchbase/couchbase-operator

      name

      This value is the name of the secret that contains the certificates for the admission operator. This value must refer to a native Kubernetes secret which contains values for TLS cert and key.

      Field Rules:

      The admissionSecret.name value defaults to the name of the admission controller deployment.

      cert

      PEM format certificate to use as the admission controller’s public key during validation.

      Field Rules:

      The admissionSecret.cert value is auto-generated by default from admissionCA.

      key

      PEM format key to use as the admission controllers private key during validation.

      Field Rules:

      The admissionSecret.key value is auto-generated by default from admissionCA.