Configure Client Certificate Authentication

    How to configure Couchbase Server and the Operator to use client certificate based authentication.

    By default a Couchbase Server deployment uses basic authentication, commonly known as username and password. Basic authentication may be used over a plain text network communication where a malicious party can see the password. Basic authentication may also be used over a server-side TLS protected network connection which encrypts the password and prevents a malicious party from acquiring it.

    Couchbase Server also supports a mode of authentication using client certificates. It uses the same technology that a client uses to assert the validity of a server certificate, but the server validates the client as well. This is known as mutual TLS (mTLS). Couchbase server does not support basic authentication over mTLS, instead requiring a username to be encoded into the client certificate. This page documents configuration of mTLS.

    Creating Secrets

    Secrets are specified in the CouchbaseCluster resource, therefore they may have any name you choose. The format of individual secrets is discussed below.

    Please see the TLS certificate tutorial for a simple guide to creating TLS certificates.

    Server Secret

    Server secrets need to be mounted as a volume within the Couchbase Server pod with specific names. The certificate chain must be named tls.crt and the private key tls.key.

    $ kubectl create secret generic couchbase-server-tls \
      --from-file example/tls/certs/tls.crt \
      --from-file example/tls/certs/tls.key \
      --from-file example/tls/certs/ca.crt

    Operator Secret

    The Operator client secrets are read directly from the API. It expects only a single value to be present; ca.crt is the top-level CA which is used to authenticate all TLS server certificate chains. When using client certificate authentication you will also need to specify the client certificate chain and key pair with the keys tls.crt and tls.key respectively:

    $ kubectl create secret generic couchbase-operator-tls \
      --from-file example/tls/certs/tls.crt \
      --from-file example/tls/certs/tls.key

    Couchbase Cluster Configuration

    TLS certificate configuration is done in the networking section of the CouchbaseCluster resource.

    apiVersion: couchbase/v2
    kind: CouchbaseCluster
        adminSecret: my-admin-secret
            serverSecretName: couchbase-server-tls (1)
            clientSecretName: couchbase-operator-tls (2)
          clientCertificatePolicy: mandatory (3)
          clientCertificatePaths: (4)
          - path:
          - path:
            delimiter: @
    1 couchbaseclusters.spec.networking.tls.secretSource.serverSecretName defines a secret that will be mounted to all Couchbase Server pods. It contains the server wildcard certificate and it’s private key. As the private key is securely mounted to the pod by Kubernetes it is never exposed over the network.
    2 couchbaseclusters.spec.networking.tls.secretSource.clientSecretName defines a secret containing client related certificates. The client certificate contains a subject common name e.g. Administrator. The administrator user Administrator is configured by the
    3 couchbaseclusters.spec.networking.tls.clientCertificatePolicy is set to mandatory meaning all clients will need to provide a valid client certificate in order to authenticate against the cluster.
    4 couchbaseclusters.spec.networking.tls.clientCertificatePaths defines a path that is able to correctly parse and extract the Operator’s Administrator use from the client certificate. In this example all we need to specify is that the user name is explicitly encoded in the certificate’s subject common name. This covers the base requirements in order for the Operator to be able to connect to the cluster.

    In a more realistic setup users will likely be identified by an email address. In this illustration it is encoded in a subject alternative name (SAN). When Couchbase Server looks at a client certificate it will not find a valid user using the first path (but it would match for our Administrator user). It then proceeds down the list of paths in order trying to extract a valid username. If the client certificate contained a SAN, then it would resolve to jane.doe with our second path rule. If jane.doe matched a local or LDAP user then they would be granted permission to access the Couchbase Server instance.