Couchbase Helm Chart Specification

    The official Couchbase Helm Chart for the Autonomous Operator comes with a default configuration that can be customized to fit your deployment needs.

    This page describes the parameters of the official Couchbase Helm Chart. In particular, this page describes the contents of the chart’s values.yaml, which contains the chart’s default values. Each of the deployed resources is listed and described, along with any user definable parameters.

    For instructions on how to install and use the chart, including how to override and customize the chart’s values, refer to Helm Deployment.

    All available configuration parameters in the Couchbase Helm Chart, along with their default values:

    # Select what to install
    install:
      # install the couchbase operator
      couchbaseOperator: true
      # install the admission controller
      admissionController: true
      # install couchbase cluster
      couchbaseCluster: true
      # install sync gateway
      syncGateway: false
    
    # couchbaseOperator is the controller for couchbase cluster
    couchbaseOperator:
      # name of the couchbase operator
      name: "couchbase-operator"
      # image config
      image:
        repository: couchbase/operator
        tag: 2.1.0
      imagePullPolicy: IfNotPresent
      # imagePullSecrets is an optional list of references to secrets to use for pulling images
      imagePullSecrets: []
      # additional command arguments will be translated to `--key=value`
      commandArgs:
        # pod creation timeout
        pod-create-timeout: 10m
      # resources of couchbase-operator
      resources: {}
      # nodeSelector for couchbase-operator pod assignment
      # Ref: https://kubernetes.io/docs/user-guide/node-selection/
      nodeSelector: {}
      # tolerations of pod match nodes with corresponding taints
      tolerations: []
    
    # admissionController is the controller for couchbase admission controller
    # name is derived from chart
    admissionController:
      name: "couchbase-admission-controller"
      image:
        repository: couchbase/admission-controller
        tag: 2.1.0
      imagePullPolicy: IfNotPresent
      # imagePullSecrets is an optional list of references to secrets to use for pulling images
      imagePullSecrets: []
      verboseLogging: false
    
    # admissionService exposes validation to cluster. This service
    # is over https and certs are auto-generated based on serviceName.
    admissionService:
      # name of the service (auto-generated)
      name:
      # port service exposes
      port: 443
      targetPort: 8443
    
    # admissionCA can be used to override the certs that will be used
    # to sign the keys used by the admission operator.
    admissionCA:
      # A base64 encoded PEM format certificate
      cert:
      # A base64 encoded PEM format private key
      key:
      # Expiry time of CA in days for generated certs
      expiration: 365
    
    # secret with client certs mounted within the admission controller.
    admissionSecret:
      # name of the secret (auto-generated)
      name:
      # PEM format certificate (auto-generated)
      # override via --set-file
      cert:
      # PEM format certificate (auto-generated)
      # override via --set-file
      key:
    
    # Default values for couchbase-cluster
    cluster:
      # name of the cluster. defaults to name of chart release
      name:
      # image is the base couchbase image and version of the couchbase cluster
      image: "couchbase/server:6.6.0"
      # guarantees that the pods in the same cluster are unable to be scheduled on the same node
      antiAffinity: false
      upgradeStrategy: RollingUpgrade
      hibernate: false
      hibernationStrategy: Immediate
      recoveryPolicy: PrioritizeDataIntegrity
      security:
        # username of the cluster admin.
        username: Administrator
        # password of the cluster admin.
        # auto-generated when empty
        password:
        # adminSecret is name of secret to use instead of using
        # the default secret with username and password specified above
        adminSecret:
        rbac:
          managed: true
        ldap: {}
      # networking options
      networking:
        # Option to expose admin console
        exposeAdminConsole: true
        # Option to expose admin console
        adminConsoleServices:
          - data
        # Specific services to use when exposing ui
        exposedFeatures:
          - client
          - xdcr
        # Defines how the admin console service is exposed.
        # Allowed values are NodePort and LoadBalancer.
        # If this field is LoadBalancer then you must also define a spec.dns.domain.
        adminConsoleServiceType: NodePort
        # Defines how the per Couchbase node ports are exposed.
        # Allowed values are NodePort and LoadBalancer.
        # If this field is LoadBalancer then you must also define a spec.dns.domain.
        exposedFeatureServiceType: NodePort
        # This controls routing to external services.
        exposedFeatureTrafficPolicy: Local
        # This field allows the definition of a base Service resource.
        # When set, the Operator will generate a service that exposes Couchbase services per-pod.
        exposedFeatureServiceTemplate: {}
        # The dynamic DNS configuration to use when exposing services
        dns:
        # Custom map of annotations to be added to console and per-pod (exposed feature) services
        serviceAnnotations: {}
        # The Couchbase cluster tls configuration (auto-generated)
        tls:
        # The underlying network platform in use (when set, must be 'Istio')
        networkPlatform:
      # The retention period that log volumes are kept for after their associated pods have been deleted.
      logRetentionTime: 604800s
      # The maximum number of log volumes that can be kept after their associated pods have been deleted.
      logRetentionCount: 20
      # xdcr defines remote clusters and replications to them.
      xdcr:
        # managed defines whether the Operator should manage XDCR remote clusters
        managed: false
        # remoteClusters contains references to any remote clusters to replicate to
        remoteClusters:
      # backup defines values for automated backup.
      backup:
        # managed determines whether Automated Backup is enabled
        managed: true
        # image used by the Operator to perform backup or restore
        image: couchbase/operator-backup:6.6.0-100
        # optional service account to use when performing backups
        # service account will be created if it does not exist
        serviceAccountName:
      # defines integration with third party monitoring software
      monitoring:
        prometheus:
          # defines whether Prometheus metric collection is enabled
          enabled: false
          # image used by the Operator to perform metric collection
          # (injected as a "sidecar" in each Couchbase Server Pod)
          image: couchbase/exporter:1.0.3
          # Optional Kubernetes secret that clients use to access Prometheus metrics
          authorizationSecret:
      # Cluster wide settings for nodes and services
      cluster:
        # The amount of memory that should be allocated to the data service
        dataServiceMemoryQuota: 256Mi
        # The amount of memory that should be allocated to the index service
        indexServiceMemoryQuota: 256Mi
        # The amount of memory that should be allocated to the search service
        searchServiceMemoryQuota: 256Mi
        # The amount of memory that should be allocated to the eventing service
        eventingServiceMemoryQuota: 256Mi
        # The amount of memory that should be allocated to the analytics service
        analyticsServiceMemoryQuota: 1Gi
        # The index storage mode to use for secondary indexing
        indexStorageSetting: memory_optimized
        # Timeout that expires to trigger the auto failover.
        autoFailoverTimeout: 120s
        # The number of failover events we can tolerate
        autoFailoverMaxCount: 3
        # Whether to auto failover if disk issues are detected
        autoFailoverOnDataDiskIssues: true
        # How long to wait for transient errors before failing over a faulty disk
        autoFailoverOnDataDiskIssuesTimePeriod: 120s
        # configuration of global Couchbase auto-compaction settings.
        autoCompaction:
          # amount of fragmentation allowed in persistent database [2-100]
          databaseFragmentationThreshold:
            percent: 30
            size: 1Gi
          # amount of fragmentation allowed in persistent view files [2-100]
          viewFragmentationThreshold:
            percent: 30
            size: 1Gi
          # whether auto-compaction should be performed in parallel
          parallelCompaction: false
          # how frequently tombstones may be purged
          tombstonePurgeInterval: 72h
          # optional window when an auto-compaction may start (uncomment below)
          timeWindow: {}
          # start: 02:00
          # end: 06:00
          # abortCompactionOutsideWindow: true
    
      # configuration of logging functionality
      # for use in conjunction with logs persistent volume mount
      logging:
        # retention period that log volumes are kept after pods have been deleted
        logRetentionTime: 604800s
        # the maximum number of log volumes that can be kept after pods have been deleted
        logRetentionCount: 20
      # kubernetes security context applied to pods
      securityContext:
        # fsGroup of persistent volume mount
        fsGroup: 1000
        runAsUser: 1000
        runAsNonRoot: true
      # cluster buckets
      buckets:
        # Managed defines whether buckets are managed by us or the clients.
        managed: true
      enablePreviewScaling: false
      servers:
        # Name for the server configuration. It must be unique.
        default:
          # Size of the couchbase cluster.
          size: 3
          # The services to run on nodes
          services:
            - data
            - index
            - query
            - search
            - analytics
            - eventing
          # Defines whether Autoscale is permitted for this specific server configuration.
          # Only `query` service is allowed to be defined unless `enablePreviewScaling` is set.
          autoscaleEnabled: false
          # volume claims to use for persistent storage
          volumeMounts: {}
          # ServerGroups define the set of availability zones we want to distribute pods over.
          serverGroups: []
          # Pod defines the policy to create pod for the couchbase pod.
          pod:
            spec:
              containers: []
      # VolumeClaimTemplates define the desired characteristics of a volume
      # that can be requested and claimed by a pod.
      volumeClaimTemplates: []
    
    # couchbase buckets to create
    # disable default bucket creation by setting
    # buckets.default: null
    #
    # setting default to null throws warning https://github.com/helm/helm/issues/5184
    buckets:
      # A bucket to create by default
      default:
        # Kind of bucket
        kind: CouchbaseBucket
        # Name of the bucket
        name: default
        # The amount of memory that should be allocated to the bucket
        memoryQuota: 128Mi
        # The number of bucket replicates
        replicas: 1
        # The priority when compared to other buckets
        ioPriority: high
        # The bucket eviction policy which determines behavior during expire and high mem usage
        evictionPolicy: fullEviction
        # The bucket's conflict resolution mechanism; which is to be used if a conflict occurs during Cross Data-Center Replication (XDCR). Sequence-based and timestamp-based mechanisms are supported.
        conflictResolution: seqno
        # The enable flush option denotes whether the data in the bucket can be flushed
        enableFlush: true
        # Enable Index replica specifies whether or not to enable view index replicas for this bucket.
        enableIndexReplica: false
        # data compression mode for the bucket to run in [off, passive, active]
        compressionMode: "passive"
    
    # CouchbaseBackups runs a job which preserves data into backups
    backups: {}
    #
    # Uncomment to create a backup named 'my-backup'
    #
    #   default-backup:
    #     name: my-backup
    #     strategy: full_incremental
    #     full:
    #       schedule: "0 3 * * 0"
    #     incremental:
    #       schedule: "0 3 * * 1-6"
    #     successfulJobsHistoryLimit: 1
    #     failedJobsHistoryLimit: 3
    #     backOffLimit: 2
    #     backupRetention: 24h
    #     logRetention: 24h
    #     size: 5Gi
    
    # CouchbaseBackupRestore restores data from backups
    backuprestores: {}
    #
    # Uncomment to create a backup restore named 'my-restore'
    #
    # default-restore:
    #   name: my-restore
    #   backup: my-backup
    #   repo: cb-example-2020-11-12T19_00_03
    #   start:
    #     int: 1
    #     str: oldest
    #   end:
    #     int: 1
    #     str: latest
    #   backOffLimit: 2
    #   logRetention: 24h
    
    # RBAC users to create
    # (requires couchbase server 6.5.0 and higher)
    users: {}
    #
    # Uncomment to create an example user named 'developer'
    #
    # developer:
    #   # password to use for user authentication
    #   # (alternatively use authSecret)
    #   password: password
    #   # optional secret to use containing user password
    #   authSecret:
    #   # domain of user authentication
    #   authDomain: local
    #   # roles attributed to group
    #   roles:
    #     - name: bucket_admin
    #       bucket: default
    
    # TLS Certs that will be used to encrypt traffic between operator and couchbase
    tls:
      # enable to auto create certs
      generate: false
      # Expiry time of CA in days for generated certs
      expiration: 365
      # This field defines whether node-to-node encryption is enabled.
      # Must be either 'All' or 'ControlPlaneOnly'.
      # If not specified, data between Couchbase Server nodes is not encrypted.
      nodeToNodeEncryption:
    
    # syncGateway configuration
    syncGateway:
      # name of the sync gateway pod.
      # defaults to name of chart
      name:
      # database config
      config:
        logging:
          console:
            enabled: true
            log_level: "debug"
            log_keys:
            - "*"
        # databases is a list containing
        # bucket replication configs
        databases:
          db:
            # bucket replicated to sync gateway
            bucket: default
            # guest user config
            users:
              GUEST:
                # disable creation of guest user
                disabled: false
                # channels guest user may access.
                # defaults to all channels
                admin_channels: ["*"]
            # server to connect db to, defaults to cluster server
            server:
            # username of db admin, defaults to cluster admin username
            username:
            # password of db admin, defaults to cluster admin password
            password:
            allow_conflicts: false
            revs_limit: 20
            enable_shared_bucket_access: true
            # optional ca.cert for tls connection
            # (auto-generated when tls.generate true)
            cacert:
      # Type of service to use for exposing Sync Gateway
      # Set as empty string to prevent service creation
      exposeServiceType: ClusterIP
      # image of the sync gateway container
      image:
        repository: couchbase/sync-gateway
        tag: 2.8.0-enterprise
      imagePullPolicy: IfNotPresent
      # Optional secret to use with prepopulated database config
      configSecret:
    
    
    # coredns service config to be applied to
    # pods for cross-cluster deployments
    coredns:
      # name of the Kubernetes service which exposes the nameserver (i.e. coredns)
      service:
      # search list for host-name lookup
      searches:
      - default.svc.cluster.local
      - svc.cluster.local
      - cluster.local

    About Resource Names

    All resources/objects created by the Couchbase Chart adhere to the following naming scheme: <release-name>-<component-name>

    • <release-name>

      • This is the name of the installed instance.

    • <component-name>

      • This is the name of the Operator, Admission Controller, or Couchbase component.

      • If the resource is created for the Operator, then <component-name> will be whatever is specified in couchbaseOperator.name.

      • If the resource is created for the admission controller, then <component-name> will be whatever is specified in admissionController.name.

      • If the resource is created for the Couchbase cluster, then <component-name> will be whatever is specified in cluster.name.

    Specifying Your Own Resources

    The chart allows you to override certain resources such as TLS certificates with ones that you’ve already created. In this case, the names of the resources are determined by you and not the chart, and therefore do not adhere to the naming scheme described in the previous section. Check the specs below for the value you are attempting to override for additional information on what type of resource is expected and how it should be formatted.

    Install Values

    Installation values for selective deployment of components within the chart.

      # Select what to install
      install:
        # install the couchbase operator
        couchbaseOperator: true
        # install the admission controller
        admissionController: true
        # install couchbase cluster
        couchbaseCluster: true
        # install sync gateway
        syncGateway: false

    The Couchbase Chart is capable of installing the Operator, Admission Controller, Couchbase Cluster, and Sync Gateway.

    couchbaseOperator

    This field specifies whether or not the Couchbase Autonomous Operator will be installed.

    Field Rules:

    The couchbaseOperator field defaults to true.

    admissionController

    This field specifies whether or not the Couchbase Admission Controller will be installed.

    Field Rules:

    The admissionController field defaults to true.

    couchbaseCluster

    This field specifies whether or not a Couchbase Cluster will be installed.

    Field Rules:

    The couchbaseCluster field defaults to true.

    syncGateway

    This field specifies whether or not an instance of the Sync Gateway will be installed.

    Field Rules:

    The syncGateway field defaults to false.

    Couchbase Cluster

    The cluster configuration represents the CouchbaseCluster resources to be installed. If install.couchbaseCluster is set to false then the cluster will not be installed.

    cluster

      cluster:
        name:
        security:
          username: Administrator
          password:
          adminSecret:

    name

    The name of the cluster to create.

    Value rules: The couchbaseCluster.name value defaults to the name of the chart if not specified. It must be unique among any other clusters in the namespace.

    username

    The username to use as the cluster admin.

    This should only be used for experimental and test clusters. Consider using adminSecret to provide a secret containing your own username and password.

    Value rules: The couchbaseCluster.username value is a string set to Administrator by default.

    password

    The password to use as the cluster admin.

    This should only be used for experimental and test clusters. Consider using adminSecret to provide a secret containing your own username and password.

    Value rules: The couchbaseCluster.password value is a string that is auto-generated by default.

    adminSecret

    The secret to use for overriding the auto-generated secret. When specified the username and password from the secret are used for Administrator login.

    Value rules: The couchbaseCluster.adminSecret value is the name of a Kubernetes secret and is not set by default.

    Persistent Volumes

    The best way to create a cluster with persistent volumes is to make a custom values file. The following example shows how volume mounts can be added to create a cluster with persistent storage.

    Create a file named values-persistent.yaml with the following values:

    cluster:
      servers:
        default:
          # volumeMounts belongs to the server configuration, next to pod (see values.yaml above)
          volumeMounts:
            default: couchbase
            data: couchbase
      securityContext:
        fsGroup: 1000
      volumeClaimTemplates:
        - metadata:
            name: couchbase
          spec:
            storageClassName: "default"
            resources:
              requests:
                storage: 1Gi

    Install the cluster chart using the custom value file:

    helm install my-release -f values-persistent.yaml couchbase/couchbase-cluster

    additional values

    All of the remaining values which can be overridden in this spec are described here in the Couchbase Cluster Configuration documentation.

    TLS

    Certificates can be auto-generated or overridden by user supplied certs. Also since Couchbase certs are represented as plain Kubernetes secrets, the secret itself can be overridden.

    tls:
      generate: false
      expiration: 365
      nodeToNodeEncryption: All

    generate

    This value determines whether the chart should create the cluster with TLS.

    Value rules: The tls.generate value is a boolean which defaults to false. When set to true, all of the certs and keys required for TLS will be auto-generated unless manually specified. When the value is false, certs are not generated, but manually created Secrets can be provided by overriding cluster.networking.tls.

    expiration

    Expiration of CA in days

    Value rules: The couchbaseTLS.expiration defaults to 365 days.

    nodeToNodeEncryption

    This field defines whether node-to-node encryption is enabled.

    When set to All, all data between Couchbase Server nodes is encrypted. When set to ControlPlaneOnly, only internal Couchbase Server messages are encrypted; user data is not. If not specified, data between Couchbase Server nodes is not encrypted.

    As with all encryption protocols, the added data protection may come at some cost in performance.

    Field rules: This field is optional and must be either All or ControlPlaneOnly.

    Custom TLS

    Create cluster with auto-generated TLS certs

    helm install my-release --set tls.generate=true couchbase/couchbase-cluster

    Use manually created secrets. Create a file named tls_values.yaml with the following custom override values for the Couchbase Chart:


    cluster:
      networking:
        tls:
          static:
            operatorSecret: tls-operator-secret
            serverSecret: tls-server-secret

    Then install the chart using the custom values file:

    helm install my-release -f tls_values.yaml couchbase/couchbase-cluster

    Buckets

    The buckets configuration represents the CouchbaseBucket resources to be installed in the cluster. Buckets are installed whenever install.couchbaseCluster is set to true.

    buckets:
      default:
        name: default
        type: couchbase

    Buckets are automatically provisioned with label selectors matching the corresponding Couchbase cluster.

    name

    This value determines name of the bucket to create.

    Value rules: The bucket.name value is a string. This value is optional and when not set, the name of the object key is used instead.

    additional values

    All of the remaining values which can be overridden in this spec are described here in the Couchbase Cluster Configuration documentation.

    Users

    The users configuration represents the CouchbaseUser, CouchbaseGroup, and CouchbaseRoleBinding resources to be installed in the cluster. Users are installed whenever install.couchbaseCluster is set to true.

      users:
        developer:   # username (1)
          password: password
          authSecret:
          authDomain: local
          roles:
            - name: bucket_admin
              bucket: default

    (1) The username is set from the key of each user configuration.

    NOTE: Users are automatically provisioned with label selectors matching the corresponding Couchbase cluster.

    password

    The user password.

    This should only be used for experimental and test clusters. Consider using authSecret or setting authDomain: external to improve security.

    Value rules: The user.<name>.password value is a string. This value is required when authDomain is local.

    authSecret

    The Kubernetes Secret containing the user password.

    Value rules: The user.<name>.authSecret value is a string. This value is optional and must refer to a Kubernetes Secret resource when specified. The Secret must contain the path data.password with the base64 encoded value of the secret.

    authDomain

    The Couchbase RBAC Domain to use when authenticating the user.

    Value rules: The user.<name>.authDomain value is a string. This value is required and must be either local or external.

    roles

    The Couchbase Roles to assign to the user

    Value rules: The user.<name>.roles value is a list. This value is required and must provide the name of a valid Couchbase Server role. If the Couchbase Server role is a bucket role, then the name of a bucket value may also be provided. If the name of a bucket is not provided for a bucket role then the value defaults to * which means the role applies to all buckets.

    Refer to Couchbase Groups for list of Administrator and Bucket roles.

    Backups

    This object defines parameters and variables for automated backup. When set, the chart will create a backup job.

    backups:
      default-backup:
        name: my-backup
        strategy: full_incremental
        full:
          schedule: "0 3 * * 0"
        incremental:
          schedule: "0 3 * * 1-6"

    All of the provided values for this spec are described here in the Couchbase Cluster Configuration documentation.

    Backup Restores

    This object defines parameters and variables for automated backup restores. When set, the chart will create a backup restore job.

    backuprestores:
      default-restore:
        name: my-restore
        backup: my-backup
        repo: cb-example-2020-11-12T19_00_03
        start:
          int: 1
          str: oldest
        end:
          int: 1
          str: latest
        backOffLimit: 2
        logRetention: 24h

    All of the provided values for this spec are described here in the Couchbase Cluster Configuration documentation.

    Sync Gateway

    The Sync Gateway configuration provides defaults for deploying Sync Gateway along with its associated services. The Sync Gateway server is installed when install.syncGateway is set to true. When installed, Sync Gateway is automatically connected to the Couchbase cluster.

    syncGateway:
      name:
      config:
        logging:
          console:
            enabled: true
            log_level: "debug"
            log_keys:
            - "*"
        databases:
          db:
            bucket: default
            users:
              GUEST:
                disabled: false
                admin_channels: ["*"]
            server:
            username:
            password:
            allow_conflicts: false
            revs_limit: 20
            enable_shared_bucket_access: true
            cacert:
      exposeServiceType: ClusterIP
      image:
        repository: couchbase/sync-gateway
        tag: 2.7.0-enterprise
      imagePullPolicy: IfNotPresent
      configSecret:

    If you install a bucket with a name other than default then you will need to update databases.db.bucket accordingly.

    exposeServiceType

    The type of service to use for exposing the Sync Gateway server.

    Value rules: The exposeServiceType value is a string. This value is optional and defaults to ClusterIP. When specified, the value must be either ClusterIP, NodePort, or LoadBalancer. When the value is set to an empty string, the exposing service is not created.

    configSecret

    A Kubernetes Secret containing values that override config.databases. This allows for Sync Gateway configurations to be shared across clusters, since the Secret will contain the same configuration information about connecting to a particular Couchbase Cluster.

    Value rules: The configSecret value is a string. This value is optional. When specified, the content of the Secret will be used to override the values of config.databases.
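    The recommendations in the sections above (adminSecret rather than an inline cluster password, generated or static TLS secrets, nodeToNodeEncryption, authSecret rather than a user password, bucket roles that silently default to all buckets, and the Sync Gateway GUEST user with admin_channels ["*"]) can be checked mechanically before a release is installed. The following is an added example and is not part of the chart or its documentation: it lints a values document already loaded into a dict (the shape yaml.safe_load produces for values.yaml) and uses two constructed sample value sets; the secret names in the hardened sample are placeholders, and treating every role named bucket_* as bucket-scoped is an assumption since the page only names bucket_admin.

```python
"""Lint a Couchbase Helm chart values document for the weak settings this page warns about.

Added example, not part of the chart: it inspects a values dict (the shape yaml.safe_load
gives for values.yaml) using the keys documented on this page.
"""
from typing import Any, Dict, List, Tuple

Finding = Tuple[str, str, str]  # (severity, dotted values path, message)


def _get(values: Dict[str, Any], path: str, default: Any = None) -> Any:
    """Walk a dotted path such as 'cluster.security.adminSecret' through nested dicts."""
    node: Any = values
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return default
        node = node[part]
    return node


def lint_values(values: Dict[str, Any]) -> List[Finding]:
    """Return findings for inline credentials, missing TLS, wildcard roles and open GUEST access."""
    out: List[Finding] = []
    net = "cluster.networking"

    # Cluster admin credentials: the page recommends adminSecret over an inline password.
    if not _get(values, "cluster.security.adminSecret") and _get(values, "cluster.security.password"):
        out.append(("HIGH", "cluster.security.password", "inline admin password; use adminSecret"))

    # TLS: with tls.generate false, traffic is unencrypted unless static secrets are supplied.
    static = _get(values, f"{net}.tls.static", {}) or {}
    if not _get(values, "tls.generate", False) and not (
        static.get("operatorSecret") and static.get("serverSecret")
    ):
        out.append(("HIGH", "tls.generate", "no generated or static TLS secrets; traffic is plaintext"))
    if _get(values, "tls.nodeToNodeEncryption") not in ("All", "ControlPlaneOnly"):
        out.append(("MEDIUM", "tls.nodeToNodeEncryption", "node-to-node traffic is not encrypted"))

    # Admin console behind a LoadBalancer is a management endpoint reachable from outside the cluster.
    if _get(values, f"{net}.exposeAdminConsole") and \
            _get(values, f"{net}.adminConsoleServiceType") == "LoadBalancer":
        out.append(("MEDIUM", f"{net}.adminConsoleServiceType", "admin console exposed via LoadBalancer"))

    # RBAC users: inline passwords, and bucket roles whose unset bucket defaults to "*" (all buckets).
    for name, user in (_get(values, "users", {}) or {}).items():
        if user.get("authDomain", "local") == "local" and user.get("password") and not user.get("authSecret"):
            out.append(("HIGH", f"users.{name}.password", "inline user password; use authSecret"))
        for role in user.get("roles") or []:
            rname = role.get("name", "")
            # Assumption: bucket-scoped roles are the ones named bucket_* (the page only names bucket_admin).
            if rname.startswith("bucket_") and role.get("bucket", "*") == "*":
                out.append(("MEDIUM", f"users.{name}.roles[{rname}]", "bucket role applies to all buckets"))

    # Sync Gateway: an enabled GUEST user is anonymous access, worst with admin_channels ["*"].
    if _get(values, "install.syncGateway"):
        for db, cfg in (_get(values, "syncGateway.config.databases", {}) or {}).items():
            guest = (cfg.get("users") or {}).get("GUEST") or {}
            if guest and not guest.get("disabled", False):
                sev = "HIGH" if "*" in (guest.get("admin_channels") or []) else "MEDIUM"
                out.append((sev, f"syncGateway.config.databases.{db}.users.GUEST", "anonymous GUEST user enabled"))

    # Pod security context: the chart defaults to runAsNonRoot true; flag it being switched off.
    if not _get(values, "cluster.securityContext.runAsNonRoot", False):
        out.append(("MEDIUM", "cluster.securityContext.runAsNonRoot", "pods are allowed to run as root"))
    return out


# Constructed sample: the chart defaults shown above plus the commented-out 'developer' user
# and Sync Gateway, with the admin console switched to a LoadBalancer.
WEAK_VALUES: Dict[str, Any] = {
    "install": {"couchbaseCluster": True, "syncGateway": True},
    "cluster": {
        "security": {"username": "Administrator", "password": "password", "adminSecret": None},
        "networking": {"exposeAdminConsole": True, "adminConsoleServiceType": "LoadBalancer", "tls": None},
        "securityContext": {"fsGroup": 1000, "runAsUser": 1000, "runAsNonRoot": True},
    },
    "tls": {"generate": False, "expiration": 365, "nodeToNodeEncryption": None},
    "users": {"developer": {"password": "password", "authSecret": None, "authDomain": "local",
                            "roles": [{"name": "bucket_admin"}]}},
    "syncGateway": {"config": {"databases": {"db": {
        "bucket": "default", "users": {"GUEST": {"disabled": False, "admin_channels": ["*"]}}}}}},
}

# Constructed sample: the same deployment with the overrides this page recommends (placeholder secret names).
HARDENED_VALUES: Dict[str, Any] = {
    "install": {"couchbaseCluster": True, "syncGateway": True},
    "cluster": {
        "security": {"username": "Administrator", "password": None, "adminSecret": "cb-admin-secret"},
        "networking": {"exposeAdminConsole": True, "adminConsoleServiceType": "NodePort",
                       "tls": {"static": {"operatorSecret": "tls-operator-secret",
                                          "serverSecret": "tls-server-secret"}}},
        "securityContext": {"fsGroup": 1000, "runAsUser": 1000, "runAsNonRoot": True},
    },
    "tls": {"generate": False, "expiration": 365, "nodeToNodeEncryption": "All"},
    "users": {"developer": {"password": None, "authSecret": "developer-auth", "authDomain": "local",
                            "roles": [{"name": "bucket_admin", "bucket": "default"}]}},
    "syncGateway": {"config": {"databases": {"db": {"bucket": "default", "users": {"GUEST": {"disabled": True}}}}}},
}
```

    Running lint_values over WEAK_VALUES reports seven findings (two HIGH ones for the inline passwords, one HIGH for the GUEST user with all channels); HARDENED_VALUES reports none.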

    coredns

    DNS settings to apply to the Couchbase and Sync Gateway Deployments.

    coredns:
      service:
      searches:
      - default.svc.cluster.local
      - svc.cluster.local
      - cluster.local

    coredns.service

    The name of a Kubernetes Service resource which exposes Kubernetes DNS. By default the kube-dns service is used, but the user may decide to install CoreDNS for Inter-Cluster Deployments.

    Value rules: The coredns.service value is a string. This value is optional. When specified the value must refer to a Kubernetes Service resource that is capable of providing DNS to the Sync Gateway server.

    coredns.searches

    The search domains to use when looking up hostnames.

    Value rules: The coredns.searches value is an optional list of strings.

    Autonomous Operator

    The Helm chart deploys the Operator as a Kubernetes Deployment.

    couchbaseOperator:
      name: "couchbase-operator"
      image:
        repository: couchbase/operator
        tag: 2.1.0
      imagePullPolicy: IfNotPresent
      imagePullSecrets: []
      commandArgs:
        pod-create-timeout: 10m
      resources: {}
      nodeSelector: {}
      tolerations: []

    commandArgs

    This spec allows you to specify command line arguments to pass on to the Operator.

    Value rules: The commandArgs value is a key-value map of arguments that modify the behavior of the Operator image; each entry is passed to the Operator as --key=value. The pod-create-timeout argument is set to 10m by default, which means that the Operator will wait 10 minutes for a Couchbase Server Pod to start. The debug argument can also be set here for more verbose logging.

    Additional Values

    The couchbaseOperator parameters are described in the Operator Deployment Settings documentation.

    Admission Controller

    admissionController:
      name: "couchbase-admission-controller"
      image:
        repository: couchbase/admission-controller
        tag: 2.1.0
      imagePullPolicy: IfNotPresent
      imagePullSecrets: []
      verboseLogging: true

    The Helm chart deploys the admission controller as a Kubernetes Deployment.

    name

    This field specifies the name of the admission controller deployment.

    Field Rules:

    The name field defaults to couchbase-admission-controller.

    image

      image:
        repository: couchbase/admission-controller
        tag: 1.2.2

    The repository and tag to use for pulling the admission controller image.

    Field Rules:

    The image.repository value can refer to any repository. The image.tag field can refer to any version of the admission controller image in the repository.

    imagePullPolicy

    The policy for pulling images from the repository onto hosts.

    Field Rules:

    The imagePullPolicy value defaults to IfNotPresent, which means that images are only pulled if they’re not present on the Kubernetes node. Values allowed are Always, IfNotPresent, and Never.

    imagePullSecrets

    An optional list referencing secrets to use for pulling the image.

    Field Rules:

    The imagePullSecrets value is a list which is not set by default. Refer to the Operator documentation about creating pull secrets. When using the Helm CLI to override pull secrets, write the list as a comma-delimited list within curly braces, and quote the whole --set value so that the shell does not brace-expand it before Helm sees it:

    helm install --set 'admissionController.imagePullSecrets={pullsecret1,pullsecret2}' couchbase/couchbase-operator

    verboseLogging

    Determines whether the admission controller should log all of its validation notices within the console.

    Field Rules:

    The verboseLogging field is a boolean value that is set to false by default, which means only validation errors are logged within the pod’s console.

    Admission Service

    admissionService:
      name:
      port: 443
      targetPort: 8443

    The admission service is used by the validating webhooks to reach the admission controller. Certificates are auto-generated for this service whenever this object is enabled. The admission service is always created when install.admissionController is set to true.

    name

    Name of the admission service.

    port

    Port exposed by the admission service to the validation webhooks.

    targetPort

    Port of the admission controller targeted by the admission service.

    Field Rules:

    The name value defaults to whatever is specified in admissionController.name.

    Admission Controller Certificate Authority

    admissionCA:
      cert:
      key:
      expiration: 365

    The admissionCA spec specifies the CA certificates that are applied to validating webhooks.

    By default, the CA certificate and key are auto-generated. The following example shows how to use a self-signed CA certificate instead:

    1. Create Certificates

      Use OpenSSL to create myCA.key and myCA.pem in your current directory:

      openssl genrsa -out myCA.key 2048
      openssl req -x509 -new -nodes -key myCA.key -sha256 -days 1825 -outform PEM -out myCA.pem
    2. Install the chart with certificates

      Use --set-file to import the files from your current directory:

      helm install  --set-file admissionCA.cert=myCA.pem \
                    --set-file admissionCA.key=myCA.key \
                    couchbase/couchbase-operator

    Refer to the TLS documentation for manually creating certificates and keys that can be used to override the auto-generated secret.

    cert

    The PEM format CA certificate.

    Field Rules:

    The cert value defaults to an auto-generated CA certificate.

    key

    The PEM format CA key.

    Field Rules:

    The key value defaults to an auto-generated CA key.

    expiration

    Expiration of CA certificate in days.

    Field Rules:

    The expiration value defaults to 365 days.

    Admission Controller Secret

    admissionSecret:
      name:
      cert:
      key:

    The admissionSecret spec specifies the secret for the admission controller to use for validating cluster specs securely over the admission service.

    To use a custom secret, you will also need to provide the CA that was used to generate the certificates and keys within the secret. The following example shows how to use a self-signed CA and client:

    1. Create CA and client certificates

      Use EasyRSA to build a CA and a server certificate signed by it, carrying the DNS name cb-example.default.svc as a subject alternative name:

      ./easyrsa build-ca nopass
      ./easyrsa --subject-alt-name=DNS:cb-example.default.svc build-server-full admission-controller nopass
    2. Install chart with client certificates

      Install the chart with the custom certificates, and be sure that admissionService.name and the release namespace match the DNS name in the certificate: the webhook is reached at <admissionService.name>.<namespace>.svc, so the service name is set to cb-example and --namespace to default, matching the SAN cb-example.default.svc created above:

      helm install  --namespace default \
                    --set admissionService.name=cb-example \
                    --set-file admissionCA.cert=/home/ubuntu/easy-rsa/easyrsa3/pki/ca.crt \
                    --set-file admissionCA.key=/home/ubuntu/easy-rsa/easyrsa3/pki/private/ca.key \
                    --set-file admissionSecret.cert=/home/ubuntu/easy-rsa/easyrsa3/pki/issued/admission-controller.crt \
                    --set-file admissionSecret.key=/home/ubuntu/easy-rsa/easyrsa3/pki/private/admission-controller.key \
                    couchbase/couchbase-operator
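    The two procedures above (a custom CA for admissionCA, and a custom serving certificate for admissionSecret signed by that CA) can be done end to end with OpenSSL instead of EasyRSA. The script below is an added example, not part of the Couchbase chart: it builds both, then checks what the Kubernetes API server will check before it trusts the webhook (the certificate chains to the CA, its SAN is exactly <admissionService.name>.<namespace>.svc, and it is not about to expire), and prints the matching helm --set-file command rather than running it. It assumes the openssl CLI is installed; SERVICE_NAME, NAMESPACE and the output directory are constructed sample values.

```shell
#!/bin/sh
# Added example, not the Couchbase chart's own code: build a CA and a webhook
# serving certificate with OpenSSL (instead of EasyRSA), verify them the way
# the API server will, and print the matching helm --set-file invocation.
# Assumes the openssl CLI is installed. SERVICE_NAME and NAMESPACE are
# constructed sample values; they must equal admissionService.name and the
# release namespace, because the webhook is dialled at <name>.<namespace>.svc.
set -eu

command -v openssl >/dev/null 2>&1 || { echo "openssl CLI is required" >&2; exit 1; }

SERVICE_NAME="${SERVICE_NAME:-cb-example}"   # becomes admissionService.name
NAMESPACE="${NAMESPACE:-default}"            # becomes helm --namespace
CA_DAYS="${CA_DAYS:-365}"                    # same as the admissionCA.expiration default
WORKDIR="${WORKDIR:-$(mktemp -d)}"           # where the PEM files are written

# webhook_dns: the DNS name the API server connects to for a service-backed webhook
webhook_dns() {
  printf '%s.%s.svc\n' "$SERVICE_NAME" "$NAMESPACE"
}

# make_webhook_certs: writes ca.pem/ca.key (for admissionCA) and
# server.pem/server.key (for admissionSecret) into $WORKDIR
make_webhook_certs() {
  dns=$(webhook_dns)
  openssl genrsa -out "$WORKDIR/ca.key" 2048 2>/dev/null
  openssl req -x509 -new -nodes -sha256 -days "$CA_DAYS" -key "$WORKDIR/ca.key" \
    -subj "/CN=couchbase-admission-ca" -out "$WORKDIR/ca.pem" 2>/dev/null
  openssl genrsa -out "$WORKDIR/server.key" 2048 2>/dev/null
  openssl req -new -key "$WORKDIR/server.key" -subj "/CN=$dns" \
    -out "$WORKDIR/server.csr" 2>/dev/null
  # The SAN is what the API server matches against; a CN alone is not enough.
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$dns" > "$WORKDIR/san.ext"
  openssl x509 -req -sha256 -days "$CA_DAYS" -in "$WORKDIR/server.csr" \
    -CA "$WORKDIR/ca.pem" -CAkey "$WORKDIR/ca.key" -CAcreateserial \
    -extfile "$WORKDIR/san.ext" -out "$WORKDIR/server.pem" 2>/dev/null
}

# verify_webhook_certs DNS: returns 0 only if server.pem chains to ca.pem,
# carries DNS as a subject alternative name, and is valid for 30 more days.
verify_webhook_certs() {
  expect_dns=$1
  openssl verify -CAfile "$WORKDIR/ca.pem" "$WORKDIR/server.pem" >/dev/null 2>&1 || return 1
  openssl x509 -in "$WORKDIR/server.pem" -noout -text 2>/dev/null \
    | grep -E -q "DNS:${expect_dns}(,|$)" || return 1
  openssl x509 -in "$WORKDIR/server.pem" -noout -checkend $((30 * 24 * 3600)) >/dev/null 2>&1 || return 1
}

# helm_install_cmd: prints (does not run) the install command for these files
helm_install_cmd() {
  printf 'helm install --namespace %s \\\n' "$NAMESPACE"
  printf '  --set admissionService.name=%s \\\n' "$SERVICE_NAME"
  printf '  --set-file admissionCA.cert=%s/ca.pem \\\n' "$WORKDIR"
  printf '  --set-file admissionCA.key=%s/ca.key \\\n' "$WORKDIR"
  printf '  --set-file admissionSecret.cert=%s/server.pem \\\n' "$WORKDIR"
  printf '  --set-file admissionSecret.key=%s/server.key \\\n' "$WORKDIR"
  printf '  couchbase/couchbase-operator\n'
}

make_webhook_certs
verify_webhook_certs "$(webhook_dns)"
helm_install_cmd
```

    Run it with SERVICE_NAME and NAMESPACE exported to the values you intend to pass to Helm; if verify_webhook_certs fails, the API server would reject the webhook's TLS handshake for the same reason, so fix the certificate before installing rather than after.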

    name

    This value is the name of the secret that contains the certificates for the admission controller. It must refer to a native Kubernetes secret that contains the TLS certificate and key.

    Field Rules:

    The admissionSecret.name value defaults to the name of the admission controller deployment.

    cert

    PEM format certificate to use as the admission controller’s public key during validation.

    Field Rules:

    The admissionSecret.cert value is auto-generated by default from admissionCA.

    key

    PEM format key to use as the admission controller's private key during validation.

    Field Rules:

    The admissionSecret.key value is auto-generated by default from admissionCA.
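    The field rules for admissionController, admissionService, admissionCA and admissionSecret above are easy to violate in an overridden values file, and Helm itself will not catch a typo in imagePullPolicy, a floating image tag, or an admissionSecret supplied without the CA that issued it. The following linter is an added example, not the Couchbase chart's own code: it takes the parsed values as a plain dict (what yaml.safe_load of values.yaml returns) and reports every rule on this page that the values break, including the CA/secret pairing requirement. The sample values and PEM strings are constructed placeholders.

```python
"""Added example (not the Couchbase chart's own code): lint the admission
controller values before `helm install`, enforcing the field rules from this
page plus the admissionCA/admissionSecret pairing. Input is the parsed
values.yaml as a dict (what yaml.safe_load would return); the sample values
and PEM strings below are constructed placeholders."""

from typing import Any, Dict, List

PULL_POLICIES = {"Always", "IfNotPresent", "Never"}


def _get(values: Dict[str, Any], path: str, default: Any = None) -> Any:
    """Dotted lookup such as 'admissionController.image.tag'."""
    node: Any = values
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return default
        node = node[key]
    return node


def _positive_int(value: Any, upper: int = 10**9) -> bool:
    # bool is a subclass of int in Python, so exclude it explicitly
    return isinstance(value, int) and not isinstance(value, bool) and 1 <= value <= upper


def lint_admission_values(values: Dict[str, Any]) -> List[str]:
    """Return the list of problems found; an empty list means the values pass."""
    problems: List[str] = []
    if not _get(values, "install.admissionController", False):
        return problems  # nothing to validate when the controller is not installed

    policy = _get(values, "admissionController.imagePullPolicy", "IfNotPresent")
    if policy not in PULL_POLICIES:
        problems.append(f"imagePullPolicy {policy!r} is not one of {sorted(PULL_POLICIES)}")
    tag = _get(values, "admissionController.image.tag")
    if tag in (None, "", "latest"):
        problems.append("image.tag must pin a version (empty or 'latest' is not reproducible)")
    pull_secrets = _get(values, "admissionController.imagePullSecrets", [])
    if not isinstance(pull_secrets, list) or not all(isinstance(s, str) and s for s in pull_secrets):
        problems.append("imagePullSecrets must be a list of secret names")
    if not isinstance(_get(values, "admissionController.verboseLogging", False), bool):
        problems.append("verboseLogging must be a boolean")
    for field in ("admissionService.port", "admissionService.targetPort"):
        if not _positive_int(_get(values, field), 65535):
            problems.append(f"{field} must be an integer between 1 and 65535")
    if not _positive_int(_get(values, "admissionCA.expiration", 365)):
        problems.append("admissionCA.expiration must be a positive number of days")

    # A custom CA or secret is only usable as a cert/key pair, and a custom
    # secret is only verifiable if the CA that issued it is supplied too.
    ca_cert, ca_key = _get(values, "admissionCA.cert"), _get(values, "admissionCA.key")
    if bool(ca_cert) != bool(ca_key):
        problems.append("admissionCA.cert and admissionCA.key must be supplied together")
    sec_cert, sec_key = _get(values, "admissionSecret.cert"), _get(values, "admissionSecret.key")
    if bool(sec_cert) != bool(sec_key):
        problems.append("admissionSecret.cert and admissionSecret.key must be supplied together")
    if (sec_cert or sec_key) and not (ca_cert and ca_key):
        problems.append("a custom admissionSecret needs its issuing CA in admissionCA.cert/key")
    for field, marker in (("admissionCA.cert", "-----BEGIN CERTIFICATE-----"),
                          ("admissionSecret.cert", "-----BEGIN CERTIFICATE-----"),
                          ("admissionCA.key", "PRIVATE KEY-----"),
                          ("admissionSecret.key", "PRIVATE KEY-----")):
        pem = _get(values, field)
        if pem and marker not in str(pem):
            problems.append(f"{field} does not look like PEM ({marker} missing)")
    return problems


# Constructed placeholders standing in for real PEM files passed via --set-file.
PEM_CERT = "-----BEGIN CERTIFICATE-----\nMIIB...placeholder...\n-----END CERTIFICATE-----\n"
PEM_KEY = "-----BEGIN PRIVATE KEY-----\nMIIE...placeholder...\n-----END PRIVATE KEY-----\n"

# The page's defaults, with a custom CA and admission secret supplied together.
GOOD_VALUES: Dict[str, Any] = {
    "install": {"admissionController": True},
    "admissionController": {
        "name": "couchbase-admission-controller",
        "image": {"repository": "couchbase/admission-controller", "tag": "2.1.0"},
        "imagePullPolicy": "IfNotPresent", "imagePullSecrets": ["pullsecret1"],
        "verboseLogging": True,
    },
    "admissionService": {"name": "cb-example", "port": 443, "targetPort": 8443},
    "admissionCA": {"cert": PEM_CERT, "key": PEM_KEY, "expiration": 365},
    "admissionSecret": {"name": None, "cert": PEM_CERT, "key": PEM_KEY},
}

# The same layout with the mistakes this linter is meant to catch.
BAD_VALUES: Dict[str, Any] = {
    "install": {"admissionController": True},
    "admissionController": {
        "image": {"repository": "couchbase/admission-controller", "tag": "latest"},
        "imagePullPolicy": "ifnotpresent", "imagePullSecrets": "pullsecret1",
        "verboseLogging": "true",
    },
    "admissionService": {"name": "cb-example", "port": 443, "targetPort": 0},
    "admissionCA": {"cert": None, "key": None, "expiration": -1},
    "admissionSecret": {"name": None, "cert": PEM_CERT, "key": None},
}

if __name__ == "__main__":
    for label, vals in (("good", GOOD_VALUES), ("bad", BAD_VALUES)):
        found = lint_admission_values(vals)
        print(f"{label}: {len(found)} problem(s)", *found, sep="\n  ")
```

    Feed it the dict from yaml.safe_load on your overrides merged over the chart's values.yaml; the pairing check is the one worth keeping even if the rest is dropped, because an admissionSecret without its CA is accepted at install time and only fails later, when the API server cannot verify the webhook.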