Couchbase Helm Chart Specification

    +
    The official Couchbase Helm Chart for the Autonomous Operator comes with a default configuration that can be customized to fit your deployment needs.

    This page describes the parameters of the official Couchbase Helm Chart. In particular, this page describes the contents of the chart’s values.yaml, which contains the chart’s default values. Each of the deployed resources is listed and described, along with any user definable parameters.

    For instructions on how to install and use the chart, including how to override and customize the chart’s values, refer to Helm Deployment.

    The official Couchbase Helm Chart may only be used with Enterprise Edition products, such as Couchbase Server Enterprise Edition and Sync Gateway Enterprise Edition.

    Table 1. Helm Chart Values
    Key Type Default Description

    admissionCA.cert

    string

    nil

    A base64 encoded PEM format certificate

    admissionCA.expiration

    int

    365

    Expiry time of CA in days for generated certs

    admissionCA.key

    string

    nil

    A base64 encoded PEM format private key

    admissionController.image.repository

    string

    "couchbase/admission-controller"

    admissionController.image.tag

    string

    "2.2.0"

    admissionController.imagePullPolicy

    string

    "IfNotPresent"

    admissionController.imagePullSecrets

    list

    []

    imagePullSecrets is an optional list of references to secrets to use for pulling images

    admissionController.name

    string

    "couchbase-admission-controller"

    admissionController.nodeSelector

    object

    {}

    nodeSelector for couchbase-admission-controller pod assignment Ref: https://kubernetes.io/docs/user-guide/node-selection/

    admissionController.resources

    object

    {}

    resources of couchbase-admission-controller

    admissionController.tolerations

    list

    []

    tolerations of pod match nodes with corresponding taints

    admissionController.verboseLogging

    bool

    false

    admissionSecret.cert

    string

    nil

    PEM format certificate (auto-generated) override via --set-file

    admissionSecret.key

    string

    nil

    PEM format certificate (auto-generated) override via --set-file

    admissionSecret.name

    string

    nil

    name of the secret (auto-generated)

    admissionService.name

    string

    nil

    name of the service (auto-generated)

    admissionService.port

    int

    443

    port service exposes

    admissionService.targetPort

    int

    8443

    backuprestores

    object

    {}

    backups

    object

    {}

    CouchbaseBackups runs a job which preserves data into backups

    buckets.default.compressionMode

    string

    "passive"

    CompressionMode defines how Couchbase server handles document compression. When off, documents are stored in memory, and transferred to the client uncompressed. When passive, documents are stored compressed in memory, and transferred to the client compressed when requested. When active, documents are stored compresses in memory and when transferred to the client. This field must be "off", "passive" or "active", defaulting to "passive". Be aware "off" in YAML 1.2 is a boolean, so must be quoted as a string in configuration files.

    buckets.default.conflictResolution

    string

    "seqno"

    ConflictResolution defines how XDCR handles concurrent write conflicts. Sequence number based resolution selects the document with the highest sequence number as the most recent. Timestamp based resolution selects the document that was written to most recently as the most recent. This field must be "seqno" (sequence based), or "lww" (timestamp based), defaulting to "seqno".

    buckets.default.enableFlush

    bool

    false

    EnableFlush defines whether a client can delete all documents in a bucket. This field defaults to false.

    buckets.default.enableIndexReplica

    bool

    false

    EnableIndexReplica defines whether indexes for this bucket are replicated. This field defaults to false.

    buckets.default.evictionPolicy

    string

    "valueOnly"

    EvictionPolicy controls how Couchbase handles memory exhaustion. Value only eviction flushes documents to disk but maintains document metadata in memory in order to improve query performance. Full eviction removes all data from memory after the document is flushed to disk. This field must be "valueOnly" or "fullEviction", defaulting to "valueOnly".

    buckets.default.ioPriority

    string

    "low"

    IOPriority controls how many threads a bucket has, per pod, to process reads and writes. This field must be "low" or "high", defaulting to "low". Modification of this field will cause a temporary service disruption as threads are restarted.

    buckets.default.kind

    string

    "CouchbaseBucket"

    The type of the bucket to create by default. Removed from CRD as only used by Helm.

    buckets.default.maxTTL

    string

    nil

    MaxTTL defines how long a document is permitted to exist for, without modification, until it is automatically deleted. This is a default and maximum time-to-live and may be set to a lower value by the client. If the client specifies a higher value, then it is truncated to the maximum durability. Documents are removed by Couchbase, after they have expired, when either accessed, the expiry pager is run, or the bucket is compacted. When set to 0, then documents are not expired by default. This field must be a duration in the range 0-2147483648s, defaulting to 0. More info: https://golang.org/pkg/time/#ParseDuration

    buckets.default.memoryQuota

    string

    "100Mi"

    MemoryQuota is a memory limit to the size of a bucket. When this limit is exceeded, documents will be evicted from memory to disk as defined by the eviction policy. The memory quota is defined per Couchbase pod running the data service. This field defaults to, and must be greater than or equal to 100Mi. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources- containers/#resource-units-in-kubernetes

    buckets.default.minimumDurability

    string

    nil

    MiniumumDurability defines how durable a document write is by default, and can be made more durable by the client. This feature enables ACID transactions. When none, Couchbase server will respond when the document is in memory, it will become eventually consistent across the cluster. When majority, Couchbase server will respond when the document is replicated to at least half of the pods running the data service in the cluster. When majorityAndPersistActive, Couchbase server will respond when the document is replicated to at least half of the pods running the data service in the cluster and the document has been persisted to disk on the document master pod. When persistToMajority, Couchbase server will respond when the document is replicated and persisted to disk on at least half of the pods running the data service in the cluster. This field must be either "none", "majority", "majorityAndPersistActive" or "persistToMajority", defaulting to "none".

    buckets.default.name

    string

    nil

    Name is the name of the bucket within Couchbase server. By default the Operator will use the metadata.name field to define the bucket name. The metadata.name field only supports a subset of the supported character set. When specified, this field overrides metadata.name. Legal bucket names have a maximum length of 100 characters and may be composed of any character from "a-z", "A-Z", "0-9" and "-_%\.".

    buckets.default.replicas

    int

    1

    Replicas defines how many copies of documents Couchbase server maintains. This directly affects how fault tolerant a Couchbase cluster is. With a single replica, the cluster can tolerate one data pod going down and still service requests without data loss. The number of replicas also affect memory use. With a single replica, the effective memory quota for documents is halved, with two replicas it is one third. The number of replicas must be between 0 and 3, defaulting to 1.

    cluster.antiAffinity

    bool

    false

    AntiAffinity forces the Operator to schedule different Couchbase server pods on different Kubernetes nodes. Anti-affinity reduces the likelihood of unrecoverable failure in the event of a node issue. Use of anti-affinity is highly recommended for production clusters.

    cluster.autoResourceAllocation

    object

    {"cpuLimits":"4","cpuRequests":"2","enabled":false,"overheadPercent":25}

    AutoResourceAllocation populates pod resource requests based on the services running on that pod. When enabled, this feature will calculate the memory request as the total of service allocations defined in spec.cluster, plus an overhead defined by spec.autoResourceAllocation.overheadPercent.Changing individual allocations for a service will cause a cluster upgrade as allocations are modified in the underlying pods. This field also allows default pod CPU requests and limits to be applied. All resource allocations can be overridden by explcitly configuring them in the spec.servers.resources field.

    cluster.autoResourceAllocation.cpuLimits

    string

    "4"

    CPULimits automatically populates the CPU limits across all Couchbase server pods. This field defaults to "4" CPUs. Explicitly specifying the CPU limit for a particular server class will override this value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources- containers/#resource-units-in-kubernetes

    cluster.autoResourceAllocation.cpuRequests

    string

    "2"

    CPURequests automatically populates the CPU requests across all Couchbase server pods. The default vaule of "2", is the minimum recommended number of CPUs required to run Couchbase Server. Explicitly specifying the CPU request for a particular server class will override this value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources- containers/#resource-units-in-kubernetes

    cluster.autoResourceAllocation.enabled

    bool

    false

    Enabled defines whether auto-resource allocation is enabled.

    cluster.autoResourceAllocation.overheadPercent

    int

    25

    OverheadPercent defines the amount of memory above that required for individual services on a pod. For Couchbase Server this should be approximately 25%.

    cluster.autoscaleStabilizationPeriod

    string

    nil

    AutoscaleStabilizationPeriod defines how long after a rebalance the corresponding HorizontalPodAutoscaler should remain in maintenance mode. During maintenance mode all autoscaling is disabled since every HorizontalPodAutoscaler associated with the cluster becomes inactive. Since certain metrics can be unpredictable when Couchbase is rebalancing or upgrading, setting a stabilization period helps to prevent scaling recommendations from the HorizontalPodAutoscaler for a provided period of time. Values must be a valid Kubernetes duration of 0s or higher: https://golang.org/pkg/time/#ParseDuration A value of 0, puts the cluster in maintenance mode during rebalance but immediately exits this mode once the rebalance has completed. When undefined, the HPA is never put into maintenance mode during rebalance.

    cluster.backup

    object

    {"image":"couchbase/operator-backup:1.0.0","imagePullSecrets":{"name":null},"managed":true,"nodeSelector":null,"resources":{"limits":null,"requests":null},"s3Secret":null,"selector":{"matchExpressions":{"key":null,"operator":null,"values":null},"matchLabels":null},"serviceAccountName":null,"tolerations":{"effect":null,"key":null,"operator":null,"tolerationSeconds":null,"value":null}}

    Backup defines whether the Operator should manage automated backups, and how to lookup backup resources.

    cluster.backup.image

    string

    "couchbase/operator-backup:1.0.0"

    The Backup Image to run on backup pods

    cluster.backup.imagePullSecrets

    object

    {"name":null}

    ImagePullSecrets allow you to use an image from private repositories and non-dockerhub ones.

    cluster.backup.imagePullSecrets.name

    string

    nil

    Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with- objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?

    cluster.backup.managed

    bool

    true

    Managed defines whether backups are managed by us or the clients.

    cluster.backup.nodeSelector

    string

    nil

    NodeSelector defines which nodes to constrain the pods that run any backup operations to

    cluster.backup.resources

    object

    {"limits":null,"requests":null}

    Resources is the resource requirements for the backup container. Will be populated by defaults if not specified.

    cluster.backup.resources.limits

    string

    nil

    Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage- compute-resources-container/

    cluster.backup.resources.requests

    string

    nil

    Requests describes the minimum amount of compute resources required. If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute- resources-container/

    cluster.backup.s3Secret

    string

    nil

    S3Secret contains the region and credentials for operating backups in S3

    cluster.backup.selector

    object

    {"matchExpressions":{"key":null,"operator":null,"values":null},"matchLabels":null}

    Selector allows CouchbaseBackup and CouchbaseBackupRestore resources to be filtered based on labels.

    cluster.backup.selector.matchExpressions

    object

    {"key":null,"operator":null,"values":null}

    matchExpressions is a list of label selector requirements. The requirements are ANDed.

    cluster.backup.selector.matchLabels

    string

    nil

    matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.

    cluster.backup.serviceAccountName

    string

    nil

    The Service Account to run backup (and restore) pods under. Without this backup pods will not be able to update status

    cluster.backup.tolerations

    object

    {"effect":null,"key":null,"operator":null,"tolerationSeconds":null,"value":null}

    Tolerations specifies all backup pod tolerations.

    cluster.backup.tolerations.effect

    string

    nil

    Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.

    cluster.backup.tolerations.key

    string

    nil

    Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys.

    cluster.backup.tolerations.operator

    string

    nil

    Operator represents a key’s relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.

    cluster.backup.tolerations.tolerationSeconds

    string

    nil

    TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.

    cluster.backup.tolerations.value

    string

    nil

    Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.

    cluster.buckets

    object

    {"managed":true,"selector":{"matchExpressions":{"key":null,"operator":null,"values":null},"matchLabels":null}}

    Buckets defines whether the Operator should manage buckets, and how to lookup bucket resources.

    cluster.buckets.managed

    bool

    true

    Managed defines whether buckets are managed by us or the clients.

    cluster.buckets.selector

    object

    {"matchExpressions":{"key":null,"operator":null,"values":null},"matchLabels":null}

    Selector is a label selector used to list buckets in the namespace that are managed by the Operator.

    cluster.buckets.selector.matchExpressions

    object

    {"key":null,"operator":null,"values":null}

    matchExpressions is a list of label selector requirements. The requirements are ANDed.

    cluster.buckets.selector.matchLabels

    string

    nil

    matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.

    cluster.cluster

    object

    {"analyticsServiceMemoryQuota":"1Gi","autoCompaction":{"databaseFragmentationThreshold":{"percent":30,"size":null},"parallelCompaction":false,"timeWindow":{"abortCompactionOutsideWindow":false,"end":null,"start":null},"tombstonePurgeInterval":"72h","viewFragmentationThreshold":{"percent":30,"size":null}},"autoFailoverMaxCount":3,"autoFailoverOnDataDiskIssues":false,"autoFailoverOnDataDiskIssuesTimePeriod":"120s","autoFailoverServerGroup":false,"autoFailoverTimeout":"120s","clusterName":null,"data":{"readerThreads":null,"writerThreads":null},"dataServiceMemoryQuota":"256Mi","eventingServiceMemoryQuota":"256Mi","indexServiceMemoryQuota":"256Mi","indexStorageSetting":"memory_optimized","indexer":{"logLevel":"info","maxRollbackPoints":2,"memorySnapshotInterval":"200ms","stableSnapshotInterval":"5s","storageMode":"memory_optimized","threads":null},"query":{"backfillEnabled":true,"temporarySpace":"5Gi","temporarySpaceUnlimited":false},"queryServiceMemoryQuota":null,"searchServiceMemoryQuota":"256Mi"}

    ClusterSettings define Couchbase cluster-wide settings such as memory allocation, failover characteristics and index settings.

    cluster.cluster.analyticsServiceMemoryQuota

    string

    "1Gi"

    AnalyticsServiceMemQuota is the amount of memory that should be allocated to the analytics service. This value is per-pod, and only applicable to pods belonging to server classes running the analytics service. This field must be a quantity greater than or equal to 1Gi. This field defaults to 1Gi. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources- containers/#resource-units-in-kubernetes

    cluster.cluster.autoCompaction

    object

    {"databaseFragmentationThreshold":{"percent":30,"size":null},"parallelCompaction":false,"timeWindow":{"abortCompactionOutsideWindow":false,"end":null,"start":null},"tombstonePurgeInterval":"72h","viewFragmentationThreshold":{"percent":30,"size":null}}

    AutoCompaction allows the configuration of auto-compaction, including on what conditions disk space is reclaimed and when it is allowed to run.

    cluster.cluster.autoCompaction.databaseFragmentationThreshold

    object

    {"percent":30,"size":null}

    DatabaseFragmentationThreshold defines triggers for when database compaction should start.

    cluster.cluster.autoCompaction.parallelCompaction

    bool

    false

    ParallelCompaction controls whether database and view compactions can happen in parallel.

    cluster.cluster.autoCompaction.timeWindow

    object

    {"abortCompactionOutsideWindow":false,"end":null,"start":null}

    TimeWindow allows restriction of when compaction can occur.

    cluster.cluster.autoCompaction.tombstonePurgeInterval

    string

    "72h"

    TombstonePurgeInterval controls how long to wait before purging tombstones. This field must be in the range 1h-1440h, defaulting to 72h. More info: https://golang.org/pkg/time/#ParseDuration

    cluster.cluster.autoCompaction.viewFragmentationThreshold

    object

    {"percent":30,"size":null}

    ViewFragmentationThreshold defines triggers for when view compaction should start.

    cluster.cluster.autoFailoverMaxCount

    int

    3

    AutoFailoverMaxCount is the maximum number of automatic failovers Couchbase server will allow before not allowing any more. This field must be between 1-3, default 3.

    cluster.cluster.autoFailoverOnDataDiskIssues

    bool

    false

    AutoFailoverOnDataDiskIssues defines whether Couchbase server should failover a pod if a disk issue was detected.

    cluster.cluster.autoFailoverOnDataDiskIssuesTimePeriod

    string

    "120s"

    AutoFailoverOnDataDiskIssuesTimePeriod defines how long to wait for transient errors before failing over a faulty disk. This field must be in the range 5-3600s, defaulting to 120s. More info: https://golang.org/pkg/time/#ParseDuration

    cluster.cluster.autoFailoverServerGroup

    bool

    false

    AutoFailoverServerGroup whether to enable failing over a server group.

    cluster.cluster.autoFailoverTimeout

    string

    "120s"

    AutoFailoverTimeout defines how long Couchbase server will wait between a pod being witnessed as down, until when it will failover the pod. Couchbase server will only failover pods if it deems it safe to do so, and not result in data loss. This field must be in the range 5-3600s, defaulting to 120s. More info: https://golang.org/pkg/time/#ParseDuration

    cluster.cluster.clusterName

    string

    nil

    ClusterName defines the name of the cluster, as displayed in the Couchbase UI. By default, the cluster name is that specified in the CouchbaseCluster resource’s metadata.

    cluster.cluster.data

    object

    {"readerThreads":null,"writerThreads":null}

    Data allows the data service to be configured.

    cluster.cluster.data.readerThreads

    string

    nil

    ReaderThreads allows the number of threads used by the data service, per pod, to be altered. This value must be between 4 and 64 threads, and should only be increased where there are sufficient CPU resources allocated for their use. If not specified, this defaults to the default value set by Couchbase Server.

    cluster.cluster.data.writerThreads

    string

    nil

    ReaderThreads allows the number of threads used by the data service, per pod, to be altered. This setting is especially relevant when using "durable writes", increaing this field will have a large impact on performance. This value must be between 4 and 64 threads, and should only be increased where there are sufficient CPU resources allocated for their use. If not specified, this defaults to the default value set by Couchbase Server.

    cluster.cluster.dataServiceMemoryQuota

    string

    "256Mi"

    DataServiceMemQuota is the amount of memory that should be allocated to the data service. This value is per-pod, and only applicable to pods belonging to server classes running the data service. This field must be a quantity greater than or equal to 256Mi. This field defaults to 256Mi. More info: https://kubernetes.io/docs/concepts/configuration/manage- resources-containers/#resource-units-in-kubernetes

    cluster.cluster.eventingServiceMemoryQuota

    string

    "256Mi"

    EventingServiceMemQuota is the amount of memory that should be allocated to the eventing service. This value is per-pod, and only applicable to pods belonging to server classes running the eventing service. This field must be a quantity greater than or equal to 256Mi. This field defaults to 256Mi. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources- containers/#resource-units-in-kubernetes

    cluster.cluster.indexServiceMemoryQuota

    string

    "256Mi"

    IndexServiceMemQuota is the amount of memory that should be allocated to the index service. This value is per-pod, and only applicable to pods belonging to server classes running the index service. This field must be a quantity greater than or equal to 256Mi. This field defaults to 256Mi. More info: https://kubernetes.io/docs/concepts/configuration/manage- resources-containers/#resource-units-in-kubernetes

    cluster.cluster.indexStorageSetting

    string

    "memory_optimized"

    DEPRECATED - by indexer. The index storage mode to use for secondary indexing. This field must be one of "memory_optimized" or "plasma", defaulting to "memory_optimized". This field is immutable and cannot be changed unless there are no server classes running the index service in the cluster.

    cluster.cluster.indexer

    object

    {"logLevel":"info","maxRollbackPoints":2,"memorySnapshotInterval":"200ms","stableSnapshotInterval":"5s","storageMode":"memory_optimized","threads":null}

    Indexer allows the indexer to be configured.

    cluster.cluster.indexer.logLevel

    string

    "info"

    LogLevel controls the verbosity of indexer logs. This field must be one of "silent", "fatal", "error", "warn", "info", "verbose", "timing", "debug" or "trace", defaulting to "info".

    cluster.cluster.indexer.maxRollbackPoints

    int

    2

    MaxRollbackPoints controls the number of checkpoints that can be rolled back to. The default is 2, with a minimum of 1.

    cluster.cluster.indexer.memorySnapshotInterval

    string

    "200ms"

    MemorySnapshotInterval controls when memory indexes should be snapshotted. This defaults to 200ms, and must be greater than or equal to 1ms.

    cluster.cluster.indexer.stableSnapshotInterval

    string

    "5s"

    StableSnapshotInterval controls when disk indexes should be snapshotted. This defaults to 5s, and must be greater than or equal to 1ms.

    cluster.cluster.indexer.storageMode

    string

    "memory_optimized"

    StorageMode controls the underlying storage engine for indexes. Once set it can only be modified if there are no nodes in the cluster running the index service. The field must be one of "memory_optimized" or "plasma", defaulting to "memory_optimized".

    cluster.cluster.indexer.threads

    string

    nil

    Threads controls the number of processor threads to use for indexing. A value of 0 means 1 per CPU. This attribute must be greater than or equal to 0, defaulting to 0.

    cluster.cluster.query

    object

    {"backfillEnabled":true,"temporarySpace":"5Gi","temporarySpaceUnlimited":false}

    Query allows the query service to be configured.

    cluster.cluster.query.backfillEnabled

    bool

    true

    BackfillEnabled allows the query service to backfill.

    cluster.cluster.query.temporarySpace

    string

    "5Gi"

    TemporarySpace allows the temporary storage used by the query service backfill, per-pod, to be modified. This field requires backfillEnabled to be set to true in order to have any effect. More info: https://kubernetes.io/docs/concepts/configuration/manage- resources-containers/#resource-units-in-kubernetes

    cluster.cluster.query.temporarySpaceUnlimited

    bool

    false

    TemporarySpaceUnlimited allows the temporary storage used by the query service backfill, per-pod, to be unconstrainend. This field requires backfillEnabled to be set to true in order to have any effect. This field overrides temporarySpace.

    cluster.cluster.queryServiceMemoryQuota

    string

    nil

    QueryServiceMemQuota is a dummy field. By default, Couchbase server provides no memory resource constrints for the query service, so this has no effect on Couchbase server. It is, however, used when the spec.autoResourceAllocation feature is enabled, and is used to define the amount of memory reserved by the query service for use with Kubernetes resource scheduling. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources- containers/#resource-units-in-kubernetes

    cluster.cluster.searchServiceMemoryQuota

    string

    "256Mi"

    SearchServiceMemQuota is the amount of memory that should be allocated to the search service. This value is per-pod, and only applicable to pods belonging to server classes running the search service. This field must be a quantity greater than or equal to 256Mi. This field defaults to 256Mi. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources- containers/#resource-units-in-kubernetes

    cluster.enableOnlineVolumeExpansion

    bool

    false

    EnableOnlineVolumeExpansion enables online expansion of Persistent Volumes. You can only expand a PVC if its storage class’s "allowVolumeExpansion" field is set to true. Additionally, Kubernetes feature "ExpandInUsePersistentVolumes" must be enabled in order to expand the volumes which are actively bound to Pods. Volumes can only be expanded and not reduced to a smaller size. See: https://kubernetes.io/docs/concepts/storage/persistent-volumes/#resizing-an- in-use-persistentvolumeclaim If "EnableOnlineVolumeExpansion" is enabled for use within an evironment that does not actually support online volume and file system expansion then the cluster will fallback to rolling upgrade procedure to create a new set of Pods for use with resized Volumes. More info: https://kubernetes.io/docs/concepts/storage/persistent- volumes/#expanding-persistent-volumes-claims

    cluster.enablePreviewScaling

    bool

    false

    EnablePreviewScaling enables autoscaling for stateful services and buckets. DEPRECATED - This option only exists for backwards compatibility and no longer restricts autoscaling to ephemeral services. To be removed in future releases.

    cluster.hibernate

    bool

    false

    Hibernate is whether to hibernate the cluster.

    cluster.hibernationStrategy

    string

    nil

    HibernationStrategy defines how to hibernate the cluster. When Immediate the Operator will immediately delete all pods and take no further action until the hibernate field is set to false.

    cluster.image

    string

    "couchbase/server:6.6.2"

    Image is the container image name that will be used to launch Couchbase server instances. Updating this field will cause an automatic upgrade of the cluster.

    cluster.logging

    object

    {"audit":{"disabledEvents":null,"disabledUsers":null,"enabled":false,"garbageCollection":{"sidecar":{"age":"1h","enabled":false,"image":"busybox:1.32.1","interval":"20m","resources":{"limits":null,"requests":null}}},"rotation":{"interval":"15m","size":"20Mi"}},"logRetentionCount":null,"logRetentionTime":null,"server":{"configurationName":"fluent-bit-config","enabled":false,"manageConfiguration":true,"sidecar":{"configurationMountPath":"/fluent-bit/config/","image":"couchbase/fluent-bit:1.0.0","resources":{"limits":null,"requests":null}}}}

    Logging defines Operator logging options.

    cluster.logging.audit

    object

    {"disabledEvents":null,"disabledUsers":null,"enabled":false,"garbageCollection":{"sidecar":{"age":"1h","enabled":false,"image":"busybox:1.32.1","interval":"20m","resources":{"limits":null,"requests":null}}},"rotation":{"interval":"15m","size":"20Mi"}}

    Used to manage the audit configuration directly

    cluster.logging.audit.disabledEvents

    string

    nil

    The list of event ids to disable for auditing purposes. This is passed to the REST API with no verification by the operator. Refer to the documentation for details: https://docs.couchbase.com/server/current/audit-event-reference/audit- event-reference.html

    cluster.logging.audit.disabledUsers

    string

    nil

    The list of users to ignore for auditing purposes. This is passed to the REST API with minimal validation it meets an acceptable regex pattern. Refer to the documentation for full details on how to configure this: https://docs.couchbase.com/server/current/manage/manage- security/manage-auditing.html#ignoring-events-by-user

    cluster.logging.audit.enabled

    bool

    false

    Enabled is a boolean that enables the audit capabilities.

    cluster.logging.audit.garbageCollection

    object

    {"sidecar":{"age":"1h","enabled":false,"image":"busybox:1.32.1","interval":"20m","resources":{"limits":null,"requests":null}}}

    Handle all optional garbage collection (GC) configuration for the audit functionality. This is not part of the audit REST API, it is intended to handle GC automatically for the audit logs. By default the Couchbase Server rotates the audit logs but does not clean up the rotated logs. This is left as an operation for the cluster administrator to manage, the operator allows for us to automate this: https://docs.couchbase.com/server/current/manage/manage-security/manage- auditing.html

    cluster.logging.audit.rotation

    object

    {"interval":"15m","size":"20Mi"}

    The interval to optionally rotate the audit log. This is passed to the REST API, see here for details: https://docs.couchbase.com/server/current/manage/manage-security/manage- auditing.html

    cluster.logging.logRetentionCount

    string

    nil

    LogRetentionCount gives the number of persistent log PVCs to keep.

    cluster.logging.logRetentionTime

    string

    nil

    LogRetentionTime gives the time to keep persistent log PVCs alive for.

    cluster.logging.server

    object

    {"configurationName":"fluent-bit-config","enabled":false,"manageConfiguration":true,"sidecar":{"configurationMountPath":"/fluent-bit/config/","image":"couchbase/fluent-bit:1.0.0","resources":{"limits":null,"requests":null}}}

    Specification of all logging configuration required to manage the sidecar containers in each pod.

    cluster.logging.server.configurationName

    string

    "fluent-bit-config"

    ConfigurationName is the name of the Secret to use holding the logging configuration in the namespace. A Secret is used to ensure we can safely store credentials but this can be populated from plaintext if acceptable too. If it does not exist then one will be created with defaults in the namespace so it can be easily updated whilst running.

    cluster.logging.server.enabled

    bool

    false

    Enabled is a boolean that enables the logging sidecar container.

    cluster.logging.server.manageConfiguration

    bool

    true

    A boolean which indicates whether the operator should manage the configuration or not. If omitted then this defaults to true which means the operator will attempt to reconcile it to default values. To use a custom configuration make sure to set this to false.

    cluster.logging.server.sidecar

    object

    {"configurationMountPath":"/fluent-bit/config/","image":"couchbase/fluent-bit:1.0.0","resources":{"limits":null,"requests":null}}

    Any specific logging sidecar container configuration.

    cluster.monitoring

    object

    {"prometheus":{"authorizationSecret":null,"enabled":false,"image":null,"resources":{"limits":null,"requests":null}}}

    Monitoring defines any Operator managed integration into 3rd party monitoring infrastructure.

    cluster.monitoring.prometheus

    object

    {"authorizationSecret":null,"enabled":false,"image":null,"resources":{"limits":null,"requests":null}}

    Prometheus provides integration with Prometheus monitoring.

    cluster.monitoring.prometheus.authorizationSecret

    string

    nil

    AuthorizationSecret is the name of a Kubernetes secret that contains a bearer token to authorize GET requests to the metrics endpoint

    cluster.monitoring.prometheus.enabled

    bool

    false

    Enabled is a boolean that enables/disables the metrics sidecar container.

    cluster.monitoring.prometheus.image

    string

    nil

    Image is the metrics image to be used to collect metrics. No validation is carried out as this can be any arbitrary repo and tag.

    cluster.monitoring.prometheus.resources

    object

    {"limits":null,"requests":null}

    Resources is the resource requirements for the metrics container. Will be populated by Kubernetes defaults if not specified.

    cluster.networking

    object

    {"addressFamily":null,"adminConsoleServiceTemplate":{"metadata":{"annotations":null,"labels":null},"spec":{"clusterIP":null,"externalIPs":null,"externalName":null,"externalTrafficPolicy":null,"healthCheckNodePort":null,"ipFamily":null,"loadBalancerIP":null,"loadBalancerSourceRanges":null,"publishNotReadyAddresses":false,"selector":null,"sessionAffinity":null,"sessionAffinityConfig":{"clientIP":{"timeoutSeconds":null}},"topologyKeys":null,"type":null}},"adminConsoleServiceType":"NodePort","adminConsoleServices":["data"],"disableUIOverHTTP":false,"disableUIOverHTTPS":false,"dns":{"domain":null},"exposeAdminConsole":true,"exposedFeatureServiceTemplate":{"metadata":{"annotations":null,"labels":null},"spec":{"clusterIP":null,"externalIPs":null,"externalName":null,"externalTrafficPolicy":null,"healthCheckNodePort":null,"ipFamily":null,"loadBalancerIP":null,"loadBalancerSourceRanges":null,"publishNotReadyAddresses":false,"selector":null,"sessionAffinity":null,"sessionAffinityConfig":{"clientIP":{"timeoutSeconds":null}},"topologyKeys":null,"type":null}},"exposedFeatureServiceType":"NodePort","exposedFeatureTrafficPolicy":null,"exposedFeatures":["client","xdcr"],"loadBalancerSourceRanges":null,"networkPlatform":null,"serviceAnnotations":null,"tls":{"cipherSuites":null,"clientCertificatePaths":{"delimiter":null,"path":null,"prefix":null},"clientCertificatePolicy":null,"nodeToNodeEncryption":null,"secretSource":{"clientSecretName":null,"serverSecretName":null},"static":{"operatorSecret":null,"serverSecret":null},"tlsMinimumVersion":"TLS1.2"}}

    Networking defines Couchbase cluster networking options such as network topology, TLS and DDNS settings.

    cluster.networking.addressFamily

    string

    nil

    DEVELOPER PREVIEW - this feature is not for production use. AddressFamily allows the manual selection of the address family to use. Couchbase server will default to "IPv4" regardless of underlying network configuration, so this must be manually set to enable use on an "IPv6" only network. This field is immutable and cannot be changed once set.

    cluster.networking.adminConsoleServiceTemplate

    object

    {"metadata":{"annotations":null,"labels":null},"spec":{"clusterIP":null,"externalIPs":null,"externalName":null,"externalTrafficPolicy":null,"healthCheckNodePort":null,"ipFamily":null,"loadBalancerIP":null,"loadBalancerSourceRanges":null,"publishNotReadyAddresses":false,"selector":null,"sessionAffinity":null,"sessionAffinityConfig":{"clientIP":{"timeoutSeconds":null}},"topologyKeys":null,"type":null}}

    AdminConsoleServiceTemplate provides a template used by the Operator to create and manage the admin console service. This allows services to be annotated, the service type defined and any other options that Kubernetes provides. When using a LoadBalancer service type, TLS and dynamic DNS must also be enabled. The Operator reserves the right to modify or replace any field. More info: https://kubernetes.io/docs/reference/generated/kubernetes- api/v1.19/#service-v1-core

    cluster.networking.adminConsoleServiceTemplate.metadata

    object

    {"annotations":null,"labels":null}

    Standard objects metadata. This is a curated version for use with Couchbase resource templates.

    cluster.networking.adminConsoleServiceTemplate.spec

    object

    {"clusterIP":null,"externalIPs":null,"externalName":null,"externalTrafficPolicy":null,"healthCheckNodePort":null,"ipFamily":null,"loadBalancerIP":null,"loadBalancerSourceRanges":null,"publishNotReadyAddresses":false,"selector":null,"sessionAffinity":null,"sessionAffinityConfig":{"clientIP":{"timeoutSeconds":null}},"topologyKeys":null,"type":null}

    ServiceSpec describes the attributes that a user creates on a service.

    cluster.networking.adminConsoleServiceType

    string

    "NodePort"

    DEPRECATED - by adminConsoleServiceTemplate. AdminConsoleServiceType defines whether to create a node port or load balancer service. When using a LoadBalancer service type, TLS and dynamic DNS must also be enabled. This field must be one of "NodePort" or "LoadBalancer", defaulting to "NodePort".

    cluster.networking.adminConsoleServices

    list

    ["data"]

    DEPRECATED - not required by Couchbase Server 6.5.0 onward. AdminConsoleServices is a selector to choose specific services to expose via the admin console. This field may contain any of "data", "index", "query", "search", "eventing" and "analytics". Each service may only be included once.

    cluster.networking.disableUIOverHTTP

    bool

    false

    DisableUIOverHTTP is used to explicitly enable and disable UI access over the HTTP protocol. If not specified, this field defaults to false.

    cluster.networking.disableUIOverHTTPS

    bool

    false

    DisableUIOverHTTPS is used to explicitly enable and disable UI access over the HTTPS protocol. If not specified, this field defaults to false.

    cluster.networking.dns

    object

    {"domain":null}

    DNS defines information required for Dynamic DNS support.

    cluster.networking.dns.domain

    string

    nil

    Domain is the domain to create pods in. When populated the Operator will annotate the admin console and per-pod services with the key "external-dns.alpha.kubernetes.io/hostname". These annotations can be used directly by a Kubernetes External-DNS controller to replicate load balancer service IP addresses into a public DNS server.

    cluster.networking.exposeAdminConsole

    bool

    true

    ExposeAdminConsole creates a service referencing the admin console. The service is configured by the adminConsoleServiceTemplate field.

    cluster.networking.exposedFeatureServiceTemplate

    object

    {"metadata":{"annotations":null,"labels":null},"spec":{"clusterIP":null,"externalIPs":null,"externalName":null,"externalTrafficPolicy":null,"healthCheckNodePort":null,"ipFamily":null,"loadBalancerIP":null,"loadBalancerSourceRanges":null,"publishNotReadyAddresses":false,"selector":null,"sessionAffinity":null,"sessionAffinityConfig":{"clientIP":{"timeoutSeconds":null}},"topologyKeys":null,"type":null}}

    ExposedFeatureServiceTemplate provides a template used by the Operator to create and manage per-pod services. This allows services to be annotated, the service type defined and any other options that Kubernetes provides. When using a LoadBalancer service type, TLS and dynamic DNS must also be enabled. The Operator reserves the right to modify or replace any field. More info: https://kubernetes.io/docs/reference/generated/kubernetes- api/v1.19/#service-v1-core

    cluster.networking.exposedFeatureServiceTemplate.metadata

    object

    {"annotations":null,"labels":null}

    Standard objects metadata. This is a curated version for use with Couchbase resource templates.

    cluster.networking.exposedFeatureServiceTemplate.spec

    object

    {"clusterIP":null,"externalIPs":null,"externalName":null,"externalTrafficPolicy":null,"healthCheckNodePort":null,"ipFamily":null,"loadBalancerIP":null,"loadBalancerSourceRanges":null,"publishNotReadyAddresses":false,"selector":null,"sessionAffinity":null,"sessionAffinityConfig":{"clientIP":{"timeoutSeconds":null}},"topologyKeys":null,"type":null}

    ServiceSpec describes the attributes that a user creates on a service.

    cluster.networking.exposedFeatureServiceType

    string

    "NodePort"

    DEPRECATED - by exposedFeatureServiceTemplate. ExposedFeatureServiceType defines whether to create a node port or load balancer service. When using a LoadBalancer service type, TLS and dynamic DNS must also be enabled. This field must be one of "NodePort" or "LoadBalancer", defaulting to "NodePort".

    cluster.networking.exposedFeatureTrafficPolicy

    string

    nil

    DEPRECATED - by exposedFeatureServiceTemplate. ExposedFeatureTrafficPolicy defines how packets should be routed from a load balancer service to a Couchbase pod. When local, traffic is routed directly to the pod. When cluster, traffic is routed to any node, then forwarded on. While cluster routing may be slower, there are some situations where it is required for connectivity. This field must be either "Cluster" or "Local", defaulting to "Local",

    cluster.networking.exposedFeatures

    list

    ["client","xdcr"]

    ExposedFeatures is a list of Couchbase features to expose when using a networking model that exposes the Couchbase cluster externally to Kubernetes. This field also triggers the creation of per-pod services used by clients to connect to the Couchbase cluster. When admin, only the administrator port is exposed, allowing remote administration. When xdcr, only the services required for remote replication are exposed. The xdcr feature is only required when the cluster is the destrination of an XDCR replication. When client, all services are exposed as required for client SDK operation. This field may contain any of "admin", "xdcr" and "client". Each feature may only be included once.

    cluster.networking.loadBalancerSourceRanges

    string

    nil

    DEPRECATED - by adminConsoleServiceTemplate and exposedFeatureServiceTemplate. LoadBalancerSourceRanges applies only when an exposed service is of type LoadBalancer and limits the source IP ranges that are allowed to use the service. Items must use IPv4 class-less interdomain routing (CIDR) notation e.g. 10.0.0.0/16.

    cluster.networking.networkPlatform

    string

    nil

    NetworkPlatform is used to enable support for various networking technologies. This field must be one of "Istio".

    cluster.networking.serviceAnnotations

    string

    nil

    DEPRECATED - by adminConsoleServiceTemplate and exposedFeatureServiceTemplate. ServiceAnnotations allows services to be annotated with custom labels. Operator annotations are merged on top of these so have precedence as they are required for correct operation.

    cluster.networking.tls

    object

    {"cipherSuites":null,"clientCertificatePaths":{"delimiter":null,"path":null,"prefix":null},"clientCertificatePolicy":null,"nodeToNodeEncryption":null,"secretSource":{"clientSecretName":null,"serverSecretName":null},"static":{"operatorSecret":null,"serverSecret":null},"tlsMinimumVersion":"TLS1.2"}

    TLS defines the TLS configuration for the cluster including server and client certificate configuration, and TLS security policies.

    cluster.networking.tls.cipherSuites

    string

    nil

    CipherSuites specifies a list of cipher suites for Couchbase server to select from when negotiating TLS handshakes with a client. Suites are not validated by the Operator. Run "openssl ciphers -v" in a Couchbase server pod to interrogate supported values.

    cluster.networking.tls.clientCertificatePaths

    object

    {"delimiter":null,"path":null,"prefix":null}

    ClientCertificatePaths defines where to look in client certificates in order to extract the user name.

    cluster.networking.tls.clientCertificatePolicy

    string

    nil

    ClientCertificatePolicy defines the client authentication policy to use. If set, the Operator expects TLS configuration to contain a valid certificate/key pair for the Administrator account.

    cluster.networking.tls.nodeToNodeEncryption

    string

    nil

    NodeToNodeEncryption specifies whether to encrypt data between Couchbase nodes within the same cluster. This may come at the expense of performance. When control plane only encryption is used, only cluster management traffic is encrypted between nodes. When all, all traffic is encrypted, including database documents. This field must be either "ControlPlaneOnly" or "All".

    cluster.networking.tls.secretSource

    object

    {"clientSecretName":null,"serverSecretName":null}

    SecretSource enables the user to specify a secret conforming to the Kubernetes TLS secret specification.

    cluster.networking.tls.static

    object

    {"operatorSecret":null,"serverSecret":null}

    Static enables user to generate static x509 certificates and keys, put them into Kubernetes secrets, and specify them here. Static secrets are very Couchbase specific.

    cluster.networking.tls.tlsMinimumVersion

    string

    "TLS1.2"

    TLSMinimumVersion specifies the minimum TLS version the Couchbase server can negotiate with a client. Must be one of TLS1.0, TLS1.1 or TLS1.2, defaulting to TLS1.2.

    cluster.paused

    bool

    false

    Paused is to pause the control of the operator for the Couchbase cluster. This does not pause the cluster itself, instead stopping the operator from taking any action.

    cluster.platform

    string

    nil

    Platform gives a hint as to what platform we are running on and how to configure services. This field must be one of "aws", "gke" or "azure".

    cluster.recoveryPolicy

    string

    nil

    RecoveryPolicy controls how aggressive the Operator is when recovering cluster topology. When PrioritizeDataIntegrity, the Operator will delegate failover exclusively to Couchbase server, relying on it to only allow recovery when safe to do so. When PrioritizeUptime, the Operator will wait for a period after the expected auto-failover of the cluster, before forcefully failing-over the pods. This may cause data loss, and is only expected to be used on clusters with ephemeral data, where the loss of the pod means that the data is known to be unrecoverable. This field must be either "PrioritizeDataIntegrity" or "PrioritizeUptime", defaulting to "PrioritizeDataIntegrity".

    cluster.rollingUpgrade

    object

    {"maxUpgradable":null,"maxUpgradablePercent":null}

    When spec.upgradeStrategy is set to RollingUpgrade it will, by default, upgrade one pod at a time. If this field is specified then that number can be increased.

    cluster.rollingUpgrade.maxUpgradable

    string

    nil

    MaxUpgradable allows the number of pods affected by an upgrade at any one time to be increased. By default a rolling upgrade will upgrade one pod at a time. This field allows that limit to be removed. This field must be greater than zero. The smallest of maxUpgradable and maxUpgradablePercent takes precedence if both are defined.

    cluster.rollingUpgrade.maxUpgradablePercent

    string

    nil

    MaxUpgradablePercent allows the number of pods affected by an upgrade at any one time to be increased. By default a rolling upgrade will upgrade one pod at a time. This field allows that limit to be removed. This field must be an integer percentage, e.g. "10%", in the range 1% to 100%. Percentages are relative to the total cluster size, and rounded down to the nearest whole number, with a minimum of 1. For example, a 10 pod cluster, and 25% allowed to upgrade, would yield 2.5 pods per iteration, rounded down to 2. The smallest of maxUpgradable and maxUpgradablePercent takes precedence if both are defined.

    cluster.security

    object

    {"adminSecret":null,"ldap":{},"password":"","rbac":{"managed":true,"selector":{"matchExpressions":{"key":null,"operator":null,"values":null},"matchLabels":null}},"username":"Administrator"}

    Security defines Couchbase cluster security options such as the administrator account username and password, and user RBAC settings.

    cluster.security.adminSecret

    string

    nil

    AdminSecret is the name of a Kubernetes secret to use for administrator authentication. The admin secret must contain the keys "username" and "password". The password data must be at least 6 characters in length, and not contain the any of the characters ()<>,;:\"/[]?={}.

    cluster.security.ldap

    object

    {}

    LDAP Settings

    cluster.security.password

    string

    ""

    Cluster administrator pasword, auto-generated when empty

    cluster.security.rbac

    object

    {"managed":true,"selector":{"matchExpressions":{"key":null,"operator":null,"values":null},"matchLabels":null}}

    Couchbase RBAC Users

    cluster.security.rbac.managed

    bool

    true

    Managed defines whether RBAC is managed by us or the clients.

    cluster.security.rbac.selector

    object

    {"matchExpressions":{"key":null,"operator":null,"values":null},"matchLabels":null}

    Selector is a label selector used to list RBAC resources in the namespace that are managed by the Operator.

    cluster.security.username

    string

    "Administrator"

    Cluster administrator username

    cluster.securityContext

    object

    {"fsGroup":1000,"fsGroupChangePolicy":null,"runAsGroup":null,"runAsNonRoot":true,"runAsUser":1000,"seLinuxOptions":{"level":null,"role":null,"type":null,"user":null},"seccompProfile":null,"supplementalGroups":null,"sysctls":[],"windowsOptions":{"gmsaCredentialSpec":null,"gmsaCredentialSpecName":null,"runAsUserName":null}}

    SecurityContext allows the configuration of the security context for all Couchbase server pods. When using persistent volumes you may need to set the fsGroup field in order to write to the volume. For non-root clusters you must also set runAsUser to 1000, corresponding to the Couchbase user in official container images. More info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/

    cluster.securityContext.fsGroup

    int

    1000

    A special supplemental group that applies to all containers in a pod. Some volume types allow the Kubelet to change the ownership of that volume to be owned by the pod: 1. The owning GID will be the FSGroup 2. The setgid bit is set (new files created in the volume will be owned by FSGroup) 3. The permission bits are OR’d with rw-rw---- If unset, the Kubelet will not modify the ownership and permissions of any volume.

    cluster.securityContext.fsGroupChangePolicy

    string

    nil

    fsGroupChangePolicy defines behavior of changing ownership and permission of the volume before being exposed inside Pod. This field will only apply to volume types which support fsGroup based ownership(and permissions). It will have no effect on ephemeral volume types such as: secret, configmaps and emptydir. Valid values are "OnRootMismatch" and "Always". If not specified defaults to "Always".

    cluster.securityContext.runAsGroup

    string

    nil

    The GID to run the entrypoint of the container process. Uses runtime default if unset. May also be set in SecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence for that container.

    cluster.securityContext.runAsNonRoot

    bool

    true

    Indicates that the container must run as a non-root user. If true, the Kubelet will validate the image at runtime to ensure that it does not run as UID 0 (root) and fail to start the container if it does. If unset or false, no such validation will be performed. May also be set in SecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.

    cluster.securityContext.runAsUser

    int

    1000

    The UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. May also be set in SecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence for that container.

    cluster.securityContext.seLinuxOptions

    object

    {"level":null,"role":null,"type":null,"user":null}

    The SELinux context to be applied to all containers. If unspecified, the container runtime will allocate a random SELinux context for each container. May also be set in SecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence for that container.

    cluster.securityContext.seLinuxOptions.level

    string

    nil

    Level is SELinux level label that applies to the container.

    cluster.securityContext.seLinuxOptions.role

    string

    nil

    Role is a SELinux role label that applies to the container.

    cluster.securityContext.seLinuxOptions.type

    string

    nil

    Type is a SELinux type label that applies to the container.

    cluster.securityContext.seLinuxOptions.user

    string

    nil

    User is a SELinux user label that applies to the container.

    cluster.securityContext.seccompProfile

    string

    nil

    The seccomp options to use by the containers in this pod.

    cluster.securityContext.supplementalGroups

    string

    nil

    A list of groups applied to the first process run in each container, in addition to the container’s primary GID. If unspecified, no groups will be added to any container.

    cluster.securityContext.sysctls

    list

    []

    Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch.

    cluster.securityContext.windowsOptions

    object

    {"gmsaCredentialSpec":null,"gmsaCredentialSpecName":null,"runAsUserName":null}

    The Windows specific settings applied to all containers. If unspecified, the options within a container’s SecurityContext will be used. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.

    cluster.securityContext.windowsOptions.gmsaCredentialSpec

    string

    nil

    GMSACredentialSpec is where the GMSA admission webhook (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the GMSA credential spec named by the GMSACredentialSpecName field.

    cluster.securityContext.windowsOptions.gmsaCredentialSpecName

    string

    nil

    GMSACredentialSpecName is the name of the GMSA credential spec to use.

    cluster.securityContext.windowsOptions.runAsUserName

    string

    nil

    The UserName in Windows to run the entrypoint of the container process. Defaults to the user specified in image metadata if unspecified. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.

    cluster.serverGroups

    string

    nil

    ServerGroups define the set of availability zones you want to distribute pods over, and construct Couchbase server groups for. By default, most cloud providers will label nodes with the key "failure- domain.beta.kubernetes.io/zone", the values associated with that key are used here to provide explicit scheduling by the Operator. You may manually label nodes using the "failure-domain.beta.kubernetes.io/zone" key, to provide failure-domain aware scheduling when none is provided for you. Global server groups are applied to all server classes, and may be overridden on a per-server class basis to give more control over scheduling and server groups.

    cluster.servers

    object

    {"default":{"autoscaleEnabled":false,"env":[],"envFrom":[],"pod":{"metadata":{"annotations":null,"labels":null},"spec":{}},"resources":{"limits":null,"requests":null},"serverGroups":null,"services":["data","index","query","search","analytics","eventing"],"size":3,"volumeMounts":{"analytics":null,"data":null,"default":null,"index":null,"logs":null}}}

    Servers defines server classes for the Operator to provision and manage. A server class defines what services are running and how many members make up that class. Specifying multiple server classes allows the Operator to provision clusters with Multi-Dimensional Scaling (MDS). At least one server class must be defined, and at least one server class must be running the data service.

    cluster.servers.default

    object

    {"autoscaleEnabled":false,"env":[],"envFrom":[],"pod":{"metadata":{"annotations":null,"labels":null},"spec":{}},"resources":{"limits":null,"requests":null},"serverGroups":null,"services":["data","index","query","search","analytics","eventing"],"size":3,"volumeMounts":{"analytics":null,"data":null,"default":null,"index":null,"logs":null}}

    Name for the server configuration. It must be unique.

    cluster.servers.default.autoscaleEnabled

    bool

    false

    AutoscaledEnabled defines whether the autoscaling feature is enabled for this class. When true, the Operator will create a CouchbaseAutoscaler resource for this server class. The CouchbaseAutoscaler implements the Kubernetes scale API and can be controlled by the Kubernetes horizontal pod autoscaler (HPA).

    cluster.servers.default.env

    list

    []

    Env allows the setting of environment variables in the Couchbase server container.

    cluster.servers.default.envFrom

    list

    []

    EnvFrom allows the setting of environment variables in the Couchbase server container.

    cluster.servers.default.pod

    object

    {"metadata":{"annotations":null,"labels":null},"spec":{}}

    Pod defines a template used to create pod for each Couchbase server instance. Modifying pod metadata such as labels and annotations will update the pod in-place. Any other modification will result in a cluster upgrade in order to fulfill the request. The Operator reserves the right to modify or replace any field. More info: https://kubernetes.io/docs/reference/generated/kubernetes- api/v1.19/#pod-v1-core

    cluster.servers.default.resources

    object

    {"limits":null,"requests":null}

    Resources are the resource requirements for the Couchbase server container. This field overrides any automatic allocation as defined by spec.autoResourceAllocation.

    cluster.servers.default.serverGroups

    string

    nil

    ServerGroups define the set of availability zones you want to distribute pods over, and construct Couchbase server groups for. By default, most cloud providers will label nodes with the key "failure- domain.beta.kubernetes.io/zone", the values associated with that key are used here to provide explicit scheduling by the Operator. You may manually label nodes using the "failure-domain.beta.kubernetes.io/zone" key, to provide failure-domain aware scheduling when none is provided for you. Global server groups are applied to all server classes, and may be overridden on a per-server class basis to give more control over scheduling and server groups.

    cluster.servers.default.services

    list

    ["data","index","query","search","analytics","eventing"]

    Services is the set of Couchbase services to run on this server class. At least one class must contain the data service. The field may contain any of "data", "index", "query", "search", "eventing" or "analytics". Each service may only be specified once.

    cluster.servers.default.size

    int

    3

    Size is the expected requested of the server class. This field must be greater than or equal to 1.

    cluster.servers.default.volumeMounts

    object

    {"analytics":null,"data":null,"default":null,"index":null,"logs":null}

    VolumeMounts define persistent volume claims to attach to pod.

    cluster.softwareUpdateNotifications

    bool

    false

    SoftwareUpdateNotifications enables software update notifications in the UI. When enabled, the UI will alert when a Couchbase server upgrade is available.

    cluster.upgradeStrategy

    string

    nil

    UpgradeStrategy controls how aggressive the Operator is when performing a cluster upgrade. When a rolling upgrade is requested, pods are upgraded one at a time. This strategy is slower, however less disruptive. When an immediate upgrade strategy is requested, all pods are upgraded at the same time. This strategy is faster, but more disruptive. This field must be either "RollingUpgrade" or "ImmediateUpgrade", defaulting to "RollingUpgrade".

    cluster.volumeClaimTemplates

    list

    []

    VolumeClaimTemplates define the desired characteristics of a volume that can be requested/claimed by a pod, for example the storage class to use and the volume size. Volume claim templates are referred to by name by server class volume mount configuration.

    cluster.xdcr

    object

    {"managed":false,"remoteClusters":[]}

    XDCR defines whether the Operator should manage XDCR, remote clusters and how to lookup replication resources.

    cluster.xdcr.managed

    bool

    false

    Managed defines whether XDCR is managed by the operator or not.

    cluster.xdcr.remoteClusters

    list

    []

    RemoteClusters is a set of named remote clusters to establish replications to.

    coredns

    object

    {"searches":["default.svc.cluster.local","svc.cluster.local","cluster.local"],"service":null}

    coredns service config to be applied to pods for cross-cluster deployments

    coredns.searches

    list

    ["default.svc.cluster.local","svc.cluster.local","cluster.local"]

    search list for host-name lookup

    coredns.service

    string

    nil

    name kubernete service which exposes nameserver (ie coredns)

    couchbaseOperator.commandArgs

    object

    {"pod-create-timeout":"10m"}

    additional command arguments will be translated to --key=value

    couchbaseOperator.commandArgs.pod-create-timeout

    string

    "10m"

    pod creation timeout

    couchbaseOperator.image

    object

    {"repository":"couchbase/operator","tag":"2.2.0"}

    image config

    couchbaseOperator.imagePullPolicy

    string

    "IfNotPresent"

    couchbaseOperator.imagePullSecrets

    list

    []

    imagePullSecrets is an optional list of references to secrets to use for pulling images

    couchbaseOperator.name

    string

    "couchbase-operator"

    name of the couchbase operator

    couchbaseOperator.nodeSelector

    object

    {}

    nodeSelector for couchbase-operator pod assignment — Ref: https://kubernetes.io/docs/user-guide/node-selection/

    couchbaseOperator.resources

    object

    {}

    resources of couchbase-operator

    couchbaseOperator.tolerations

    list

    []

    tolerations of pod match nodes with corresponding taints

    install.admissionController

    bool

    true

    install the admission controller

    install.couchbaseCluster

    bool

    true

    install couchbase cluster

    install.couchbaseOperator

    bool

    true

    install the couchbase operator

    install.syncGateway

    bool

    false

    install sync gateway

    syncGateway.admin.enabled

    bool

    false

    defines if the admin api will be exposed by sync gateway

    syncGateway.affinity

    object

    {}

    affinity to apply to the pods

    syncGateway.config

    object

    {"databases":{"db":{"allow_conflicts":false,"bucket":"default","cacert":null,"enable_shared_bucket_access":true,"password":null,"revs_limit":20,"server":null,"username":null,"users":{"GUEST":{"admin_channels":[""],"disabled":false}}}},"logging":{"console":{"enabled":true,"log_keys":[""],"log_level":"debug"}}}

    database config

    syncGateway.config.databases

    object

    {"db":{"allow_conflicts":false,"bucket":"default","cacert":null,"enable_shared_bucket_access":true,"password":null,"revs_limit":20,"server":null,"username":null,"users":{"GUEST":{"admin_channels":["*"],"disabled":false}}}}

    databases is a list containing bucket replication configs

    syncGateway.config.databases.db.bucket

    string

    "default"

    bucket replicated to sync gateway

    syncGateway.config.databases.db.cacert

    string

    nil

    optional ca.cert for tls connection (auto-generated when tls.generate true)

    syncGateway.config.databases.db.password

    string

    nil

    password of db admin, defaults to cluster admin password

    syncGateway.config.databases.db.server

    string

    nil

    server to connect db to, defaults to cluster server

    syncGateway.config.databases.db.username

    string

    nil

    username of db admin, defaults to cluster admin username

    syncGateway.config.databases.db.users

    object

    {"GUEST":{"admin_channels":["*"],"disabled":false}}

    guest user config

    syncGateway.config.databases.db.users.GUEST.admin_channels

    list

    ["*"]

    channels guest user may access. defaults to all channels

    syncGateway.config.databases.db.users.GUEST.disabled

    bool

    false

    disable creation of guest user

    syncGateway.configSecret

    string

    nil

    Optional secret to use with prepoulated database config

    syncGateway.exposeServiceType

    string

    "ClusterIP"

    Type of service to use for exposing Sync Gateway Set as empty string to prevent service creation

    syncGateway.image

    object

    {"repository":"couchbase/sync-gateway","tag":"2.8.0-enterprise"}

    image of the sync gateway container

    syncGateway.imagePullPolicy

    string

    "IfNotPresent"

    syncGateway.labels

    object

    {}

    labels to apply to the deployment resource

    syncGateway.monitoring.prometheus.enabled

    bool

    false

    defines whether Prometheus metric collection is enabled

    syncGateway.monitoring.prometheus.image

    object

    {"repository":"couchbasesamples/sync-gateway-prometheus-exporter","tag":"latest"}

    image used by the Sync Gateway to perform metric collection (injected as a "sidecar" in each Sync Gateway Pod)

    syncGateway.monitoring.prometheus.resources

    object

    {}

    syncGateway.name

    string

    nil

    name of the sync gatway pod. defaults to name of chart

    syncGateway.nodeSelector

    object

    {}

    which nodes to run the pods on

    syncGateway.podLabels

    object

    {}

    labels to apply to the pods

    syncGateway.replicas

    int

    1

    how many sync gateway pods to create horizontally scale the deployment

    syncGateway.resources

    object

    {}

    resources to apply to the pods

    syncGateway.revisionHistoryLimit

    string

    nil

    optional set to change cleanup policy

    syncGateway.service.annotations

    object

    {}

    additional annotations to add to the Sync Gateway service. useful for setting cloud provider specific annotations controlling the services deployed.

    syncGateway.service.externalTrafficPolicy

    string

    nil

    optionally configure traffic policy for LoadBalancer and NodePort

    syncGateway.tolerations

    list

    []

    tolerations to apply to the pods

    tls.expiration

    int

    365

    Expiry time of CA in days for generated certs

    tls.generate

    bool

    false

    enable to auto create certs

    tls.nodeToNodeEncryption

    string

    nil

    This field defines whether node-to-node encryption is enabled. Must be either 'All' or 'ControlPlaneOnly'. If not specified, data between Couchbase Server nodes is not encrypted.

    users

    object

    {}

    About Resource Names

    All resources/objects created by the Couchbase Chart adhere to the following naming scheme: <release-name>-<component-name>

    • <release-name>

      • This is name of the installed instance.

    • <component-name>

      • This is the name of the Operator, Admission, and Couchbase component..

      • If the resource is created for the Operator, then <component-name> will be whatever is specified in couchbaseOperator.name.

      • If the resource is created for the admission controller, then <component-name> will be whatever is specified in admissionController.name.

      • If the resource is created for the Couchbase cluster, then <component-name> will be whatever is specified in cluster.name.

    Specifying Your Own Resources

    The chart allows you to override certain resources such as TLS certificates with ones that you’ve already created. In this case, the names of the resources are determined by you and not the chart, and therefore do not adhere to the naming scheme described in the previous section. Check the specs below for the value you are attempting to override for additional information on what type of resource is expected and how it should be formatted.

    Install Values

    Installation values for selective deployment of components within the chart.

      # Select what to install
      install:
        # install the couchbase operator
        couchbaseOperator: true
        # install the admission controller
        admissionController: true
        # install couchbase cluster
        couchbaseCluster: true
        # install sync gateway
        syncGateway: false

    The Couchbase Chart is capable of installing the Operator, Admission Controller, Couchbase Cluster, and Sync Gateway.

    couchbaseOperator

    This field specifies whether or not the Couchbase Autonomous Operator will be installed.

    Field Rules:

    The couchbaseOperator field defaults to true.

    admissionController

    This field specifies whether or not the Couchbase Admission Controller will be installed.

    Field Rules:

    The admissionController field defaults to true.

    couchbaseCluster

    This field specifies whether or not a Couchbase Cluster will be installed.

    Field Rules:

    The couchbaseCluster field defaults to true.

    syncGateway

    This field specifies whether or not an instance of the Sync Gateway will be installed.

    Field Rules:

    The syncGateway field defaults to false.

    Couchbase Cluster

    The cluster configuration represents the CouchbaseCluster resources to be installed. If install.couchbaseCluster is set to false then the cluster will not be installed.

    cluster

      cluster:
        name:
        security:
          username: Administrator
          password:
          adminSecret:

    name

    The name of the cluster to create.

    Value rules: The couchbaseCluster.name value defaults to the name of the chart if not specified. Must be unique from any other clusters in the namespace.

    username

    The username to use as the cluster admin.

    This should only be used for experimental and test clusters. Consider using adminSecret to provide a secret containing your own username and password.

    Value rules: The couchbaseCluster.username value is a string set to Administrator by default.

    password

    The password to use as the cluster admin.

    This should only be used for experimental and test clusters. Consider using adminSecret to provide a secret containing your own username and password.

    Value rules: The couchbaseCluster.password value is a string that is auto-generated by default.

    adminSecret

    The secret to use for overriding the auto-generated secret. When specified the username and password from the secret are used for Administrator login.

    Value rules: The couchbaseCluster.adminSecret value is the name of a Kubernetes secret and is not set by default.

    Persistent Volumes

    The best way to create a cluster with persistent volumes is to make a custom value file. The following example shows how volume mounts can be added to created a persisted cluster.

    Create a file named values-persistent.yaml with the following values:

    cluster:
      servers:
        default:
          pod:
            volumeMounts:
              default: couchbase
              data:  couchbase
      securityContext:
          fsGroup: 1000
      volumeClaimTemplates:
        - metadata:
            name: couchbase
          spec:
            storageClassName: "default"
            resources:
              requests:
                storage: 1Gi

    Install the cluster chart using the custom value file:

    helm install my-release -f values-persistent.yaml couchbase/couchbase-cluster

    additional values

    All of the remaining values which can be overridden in this spec are described in the CouchbaseCluster documentation.

    TLS

    Certificates can be auto-generated or overridden by user supplied certs. Also since Couchbase certs are represented as plain Kubernetes secrets, the secret itself can be overridden.

    tls:
      generate: false
      expiration: 365
      nodeToNodeEncryption: All

    generate

    This value determines whether the chart should create the cluster with TLS.

    Value rules: The tls.generate is a boolean which defaults to false. When set to true all of the certs and keys required for TLS will be auto-generated unless manually specified. When value is false certs are not generated, but manual Secrets can be provided by overriding cluster.networking.tls.

    expiration

    Expiration of CA in days

    Value rules: The couchbaseTLS.expiration defaults to 365 days.

    nodeToNodeEncryption

    This field defines whether node-to-node encryption is enabled.

    When set to All, all data between Couchbase server nodes is encrypted. When set to ControlPlaneOnly, only internal Couchbase server messages are encrypted, user data is not. If not specified, data between Couchbase Server nodes is not encrypted.

    As with all encryption protocols, this setting may negatively affect performance with the increased data protection.

    Field rules: This field is optional and must be either All or ControlPlaneOnly.

    Custom TLS

    Create cluster with auto-generated TLS certs

    helm install my-release --set tls.generate=true couchbase/couchbase-cluster

    Use manually created secrets . Create a file named tls_values.yaml with the following custom override values for the Couchbase Chart:

    +

    cluster:
       networking:
         tls:
           static:
             operatorSecret: tls-operator-secret
             serverSecret: tls-server-secret
    helm install  my-release -f tls_values.yaml couchbase/couchbase-cluster

    Buckets

    The buckets configuration represent CouchbaseBucket resources to be installed by the cluster.

    buckets:
      default:
        name: default
        kind: CouchbaseBucket
    Buckets are automatically provisioned with label selectors matching the corresponding Couchbase cluster.

    At least one bucket will be created whenever install.CouchbaseCluster is set to true (if you don’t actively configure at least one bucket, then a default bucket is created automatically). If zero buckets are desired, then you must disable bucket creation completely by setting the contents to null.

    buckets: null
    The buckets field must be explicitly set to null in order to avoid bucket creation. Even if the section is completely empty, unless buckets: null is specified, the default bucket will be created.

    name

    This value determines the name of the bucket to create within Couchbase Server.

    Value rules: The bucket.name value is a string. This value is optional and when not set, the object key name is used instead. The object key name is used for the Kubernetes CRD, whereas this value is used for the bucket name that is recognized within the Couchbase Server application.

    kind

    This is the type of the bucket to create and can be one of the supported types provided by Couchbase Server.

    Value rules: The bucket.kind value takes one of the supported values: CouchbaseBucket, CouchbaseEphemeralBucket, or CouchbaseMemcachedBucket. This value is optional and defaults to CouchbaseBucket when not set.

    additional values

    All of the remaining values which can be overridden in this spec are described in the CouchbaseCluster documentation.

    Users

    The users configuration represent CouchbaseUser, CouchbaseGroup, and CouchbaseRoleBinding resources to be installed by the cluster. Users are installed whenever install.CouchbaseCluster is set to true.

      users:
        developer:   # username (1)
          password: password
          authSecret:
          authDomain: local
          roles:
            - name: bucket_admin
              bucket: default
    1 The username is set from the key of each user configuration. NOTE: Users are automatically provisioned with label selectors matching the corresponding Couchbase cluster.

    password

    The user password.

    This should only be used for experimental and test clusters. Consider using authSecret or setting authDomain: external to improve security .

    Value rules: The user.<name>.password value is a string. This value is required when authDomain is local.

    authSecret

    The Kubernetes Secret containing the user password.

    Value rules: The user.<name>.authSecret value is a string. This value is optional and must refer to a Kubernetes Secret resource when specified. The Secret must contain the path data.password with the base64 encoded value of the secret

    authDomain

    The Couchbase RBAC Domain to use when authenticating the user.

    Value rules: The user.<name>.authDomain value is a string. This value is required and must be either local or external.

    roles

    The Couchbase Roles to assign to the user

    Value rules: The user.<name>.roles value is a list. This value is required and must provide the name of a valid Couchbase Server role. If the Couchbase Server role is a bucket role, then the name of a bucket value may also be provided. If the name of a bucket is not provided for a bucket role then the value defaults to * which means the role applies to all buckets.

    Refer to CouchbaseGroups documentation for list of Administrator and Bucket roles.

    Backups

    This object defines parameters and variables for automated backup. When set, the chart will create a backup job.

    backups:
      default-backup:
        name: my-backup
        strategy: full_incremental
        full:
          schedule: "0 3 * * 0"
        incremental:
          schedule: "0 3 * * 1-6"

    All of the provided values for this spec are described here in the Couchbase Cluster Configuration documentation.

    Backup Restores

    This object defines parameters and variables for automated backup restores. When set, the chart will create a backup restore job.

    backuprestores:
      default-restore:
        name: my-restore
        backup: my-backup
        repo: cb-example-2020-11-12T19_00_03
        start:
          int: 1
          str: oldest
        end:
          int: 1
          str: latest
        backOffLimit: 2
        logRetention: 24h

    All of the provided values for this spec are described here in the Couchbase Cluster Configuration documentation.

    Sync Gateway

    The Sync Gateway configuration provides defaults for deploying Sync Gateway along with associated services. The Sync Gateway server is installed when install.syncGateway is set to true. When installed, Sync Gateway is automatically connected to Couchbase cluster.

    syncGateway:
      name:
      config:
        logging:
          console:
            enabled: true
            log_level: "debug"
            log_keys:
            - "*"
        databases:
          db:
            bucket: default
            users:
              GUEST:
                disabled: false
                admin_channels: ["*"]
            server:
            username:
            password:
            allow_conflicts: false
            revs_limit: 20
            enable_shared_bucket_access: true
            cacert:
      exposeServiceType: ClusterIP
      image:
        repository: couchbase/sync-gateway
        tag: 2.8.2-enterprise
      imagePullPolicy: IfNotPresent
      configSecret:
    If you install a bucket with a name other than default then you will need to update databases.db.bucket accordingly.

    exposeServiceType

    The type of service to use for exposing the Sync Gateway server.

    Value rules: The exposeServiceType value is a string. This value is optional and defaults to ClusterIP. When specified the value must be either ClusterIP, NOodePort, or LoadBalancer. When the value is not specified then the exposing service is not created.

    configSecret

    A Kubernetes Secret containing values that override config.databases This allows for sync-gateway configurations to be shared across clusters, since the Secret will contain the same configuration information about connecting to a particular Couchbase Cluster.

    Value rules: The configSecret value is a string This value is optional. When specified the content of the Secret will be used to override the values of config.databases.

    coredns

    DNS settings to apply to the Couchbase and Sync Gateway Deployments

    coredns:
      service:
      searches:
      - default.svc.cluster.local
      - svc.cluster.local
      - cluster.local

    coredns.service

    The name of a Kubernetes Service resource which exposes Kubernetes DNS. By default the kube-dns service is used, but user may decide to install CoreDNS for Inter-Cluster Deployments.

    Value rules: The coredns.service value is a string. This value is optional. When specified the value must refer to a Kubernetes Service resource that is capable of providing DNS to the Sync Gateway server.

    coredns.searches

    The search domains to use when looking up hostnames

    Value rules: The coredns.searches value is an optional list of strings.

    Autonomous Operator

    The Helm chart deploys the Operator as a Kubernetes Deployment.

    couchbaseOperator:
      name: "couchbase-operator"
      image:
        repository: couchbase/operator
        tag: 2.2.0
      imagePullPolicy: IfNotPresent
      imagePullSecrets: []
      commandArgs:
        pod-create-timeout: 10m
      resources: {}
      nodeSelector: {}
      tolerations: []

    commandArgs

    This spec allows you to specify command line arguments to pass on to the Operator.

    value rules: The commandArgs value is a key-value map of arguments that can be used to modify the behavior of the Operator image. The -pod-create-timeout: argument is set to 10m by default, which means that the Operator will wait 10 minutes for a Couchbase Server Pod to start. The -debug: argument can also be used here, and set to debug for more verbose logging.

    Additional Values

    The couchbaseOperator parameters are described in the Operator Deployment Settings documentation.

    Admission Controller

    admissionController:
      name: "couchbase-admission-controller"
      image:
        repository: couchbase/admission-controller
        tag: 2.2.0
      imagePullPolicy: IfNotPresent
      imagePullSecrets: []
      verboseLogging: true

    The Helm chart deploys the admission controller as a Kubernetes Deployment.

    name

    This field specifies the name of the admission controller deployment.

    Field Rules:

    The name field defaults to couchbase-admission-controller.

    image

      image:
        repository: couchbase/admission-controller
        tag: 2.2.0

    The repository and tag to use for pulling the admission controller image.

    Field Rules:

    The image.repository value can refer to any repository. The image.tag field can refer to any version of the admission controller image in the repository.

    imagePullPolicy

    The policy for pulling images from the repository onto hosts.

    Field Rules:

    The imagePullPolicy value defaults to IfNotPresent, which means that images are only pulled if they’re not present on the Kubernetes node. Values allowed are Always, IfNotPresent, and Never.

    imagePullSecrets

    An optional list referencing secrets to use for pulling the image.

    Field Rules:

    The imagePullSecrets value is a list which is not set by default. Refer to the Operator documentation about creating pull secrets. When using the Helm CLI to override pull secrets, the list should be denoted as a comma delimited list within curly braces:

    helm install --set admissionController.imagePullSecrets={pullsecret1,pullsecret2} couchbase/couchbase-operator

    verboseLogging

    Determines whether the admission controller should log all of its validation notices within the console.

    Field Rules:

    The verboseLogging field is a boolean value that is set to false by default, which means only validation errors are logged within the pod’s console.

    Admission Service

      admissionService:
        name:
        port: 443
        targetPort: 8443

    The admission service is used by the webhooks to access the admission operator. Certificates are auto-generated for this service whenever this object is enabled. The admission service is always created when install.admissionController is set to true.

    name

    Name of the admission service.

    port

    Port exposed by the admission service to the validation webhooks.

    targetPort

    Port of the admission controller targeted by the admission Service.

    Field Rules:

    The name value defaults to whatever is specified in admissionController.name.

    Admission Controller Certificate Authority

    admissionCA:
      cert:
      key:
      expiration: 365

    The admissionCA spec specifies the CA certificates that are applied to validating webhooks.

    By default, the CA certificate and key is auto-generated. The following example shows how to use a self-signed certificate:

    1. Create Certificates

      Use OpenSSL to create myCA.key and myCA.pem in your current directory:

      openssl genrsa -out myCA.key 2048
      openssl req -x509 -new -nodes -key myCA.key -sha256 -days 1825 -outform PEM -out myCA.pem
    2. Install the chart with certificates

      Use --set-file to import the files from your current directory:

      helm install  --set-file admissionCA.cert=myCA.pem \
                    --set-file admissionCA.key=myCA.key \
                    couchbase/couchbase-operator

    Refer to the TLS documentation for manually creating certificates and keys that can be used to override the auto-generated secret.

    cert

    The PEM format CA certificate.

    Field Rules:

    The cert value defaults to an auto-generated CA certificate.

    key

    The PEM format CA key.

    Field Rules:

    The key value defaults to an auto-generated CA key.

    expiration

    Expiration of CA certificate in days.

    Field Rules:

    The expiration value defaults to 365 days.

    Admission Controller Secret

    admissionSecret:
      name:
      cert:
      key:

    The admissionSecret spec specifies the secret for the admission controller to use for validating cluster specs securely over the admission service.

    To use a custom secret, you will also need to provide the CA that was used to generate the certificates and keys within the secret. The following example shows how to use a self-signed CA and client:

    1. Create CA and client certificates

      Use EasyRSA CA and signed client cert with DNS cb-example.default.svc

      ./easyrsa build-ca nopasss
      ./easyrsa --subject-alt-name=DNS:cb-example.default.svc build-server-full admission-controller nopas
    2. Install chart with client certificates

      Install chart with custom certs and be sure to set admissionService.name to DNS name.

      This example also sets --namespace default option since this is also included in the DNS of cert we created:

      helm install  --namespace ci-testcluster \
                    --set admissionService.name=ci-testcluster \
                    --set-file admissionCA.cert=/home/ubuntu/easy-rsa/easyrsa3/pki/ca.crt \
                    --set-file admissionCA.key=/home/ubuntu/easy-rsa/easyrsa3/pki/private/ca.key \
                    --set-file admissionSecret.cert=/home/ubuntu/easy-rsa/easyrsa3/pki/issued/admission-controller.crt \
                    --set-file admissionSecret.key=/home/ubuntu/easy-rsa/easyrsa3/pki/private/admission-controller.key \
                    couchbase/couchbase-operator

    name

    This value is the name of the secret that contains the certificates for the admission operator. This value must refer to a native Kubernetes secret which contains values for TLS cert and key.

    Field Rules:

    The admissionSecret.name value defaults to the name of the admission controller deployment.

    cert

    PEM format certificate to use as the admission controller’s public key during validation.

    Field Rules:

    The admissionSecret.cert value is auto-generated by default from admissionCA.

    key

    PEM format key to use as the admission controllers private key during validation.

    Field Rules:

    The admissionSecret.key value is auto-generated by default from admissionCA.