cao

      Installation

      Make sure that you have downloaded the Operator package and unpacked it.

      After you unpack the download, the resulting directory will be titled something like couchbase-autonomous-operator-kubernetes_x.x.x-linux_x86_64.

      macOS

      1. Open a Terminal window and go to the directory where the cao binary is located:

        $ cd couchbase-autonomous-operator-kubernetes_x.x.x-macos_x86_64/bin/
      2. Make the cao binary executable:

        $ chmod +x ./cao
      3. Move the binary into your PATH:

        $ sudo mv ./cao /usr/local/bin/cao

      On newer versions of macOS, you may encounter errors such as "cannot execute binary file" when trying to use the tools included in the Autonomous Operator package. If you encounter such an error, you’ll need to update your security settings as outlined in Apple’s support article on macOS Gatekeeper. In System Preferences, click Security & Privacy, then click General. Click the lock and enter your password to make changes. Select App Store and identified developers under the header “Allow apps downloaded from.”

      Linux

      1. Open a command prompt and go to the directory where the cao binary is located:

        $ cd couchbase-autonomous-operator-kubernetes_x.x.x-linux_x86_64/bin/
      2. Make the cao binary executable:

        $ chmod +x ./cao
      3. Move the binary into your PATH:

        $ sudo mv ./cao /usr/local/bin/cao

      Windows

      1. Open a command prompt and go to the directory where the cao binary is located:

        $ cd couchbase-autonomous-operator-kubernetes_x.x.x-windows_x86_64\bin\
      2. Add the cao binary into your PATH.

      cao

      Couchbase Autonomous Operator Utility Tool

      cao certify [flags]

      Runs the platform certification suite

      It’s impossible to officially test every combination of Kubernetes platform, CNI and CSI plugin in order to give confidence that your specific combination will work as intended with the Operator. To this end, the certify command runs a platform certification subset of the official Operator tests to give confidence that your platform will work in a safe and supportable manner with managed Couchbase Server.

      The certification process is relatively invasive, so we recommend that this command be executed on a dedicated test Kubernetes cluster and not a production one.

      The certification process requires permission to create and delete namespaces so that tests can run concurrently. It also requires permission to create roles and rolebindings in order to deploy the operator and dynamic admission controller. As such, it cannot run without cluster-wide roles that allow this functionality.

      Resource access is scoped so that only couchbase.com CRDs and namespaces named 'test-*' are managed.

      When running on a platform with Istio network service mesh, the dynamic admission controller will be installed into the default namespace, and MUST NOT have Istio injection enabled. The certification image MUST be installed in a non-default namespace with Istio injection enabled.
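A pre-flight check for the requirements described above, as an added example that is not part of the cao tool or the original page. The function names and the KUBECTL override are introduced here, and the Istio check assumes sidecar injection is controlled by the `istio-injection` namespace label (revision labels are not inspected).

```shell
#!/bin/sh
# Added example: pre-flight checks to run before `cao certify`.
# KUBECTL can be overridden so the checks can be exercised against a stub.
KUBECTL="${KUBECTL:-kubectl}"

# Permissions the certify documentation says are required, as verb:resource.
CERTIFY_PERMISSIONS="create:namespaces delete:namespaces create:roles create:rolebindings"

# Print each required permission the current identity lacks, one per line.
missing_certify_permissions() {
    local pair verb resource
    for pair in $CERTIFY_PERMISSIONS; do
        verb="${pair%%:*}"
        resource="${pair##*:}"
        # `kubectl auth can-i` exits non-zero when the answer is "no".
        if ! "$KUBECTL" auth can-i "$verb" "$resource" --all-namespaces >/dev/null 2>&1; then
            echo "$verb $resource"
        fi
    done
}

# Print "enabled" or "disabled" for the namespace given as $1.
# Assumption: injection is switched on with the label istio-injection=enabled.
istio_injection() {
    local label
    label="$("$KUBECTL" get namespace "$1" \
        -o 'jsonpath={.metadata.labels.istio-injection}' 2>/dev/null)" || label=""
    if [ "$label" = "enabled" ]; then
        echo enabled
    else
        echo disabled
    fi
}

# Print every problem found and return 0 only when there are none.
#   $1  namespace that `cao certify --namespace` will use (default: default)
#   $2  pass "istio" when the platform runs the Istio service mesh
certify_preflight() {
    local ns mode missing problems
    ns="${1:-default}"
    mode="${2:-}"
    problems=0

    missing="$(missing_certify_permissions)"
    if [ -n "$missing" ]; then
        echo "$missing" | sed 's/^/missing permission: /'
        problems=1
    fi

    if [ "$mode" = "istio" ]; then
        # The dynamic admission controller lands in "default", which must stay
        # outside the mesh.
        if [ "$(istio_injection default)" = "enabled" ]; then
            echo "default namespace has Istio injection enabled"
            problems=1
        fi
        # The certification image needs a non-default, injected namespace.
        if [ "$ns" = "default" ] || [ "$(istio_injection "$ns")" != "enabled" ]; then
            echo "namespace '$ns' must be non-default with Istio injection enabled"
            problems=1
        fi
    fi
    return "$problems"
}
```

Source the file and run `certify_preflight istio-enabled-namespace istio` against the dedicated test cluster's context before starting certification.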

      Examples

      # Run platform certification with defaults
      cao certify
      
      # Run platform certification with a custom storage class
      cao certify --storage-class my-class
      
      # Run platform certification with private image repository
      cao certify --registry=https://index.docker.io/v1/,username,password
      
      # Run certification on an Istio enabled platform.
      cao certify --namespace istio-enabled-namespace -- -istio

      Flags

      --archive-name

      Type: string

      Default: couchbase-operator-certification

      Set the default test archive name

      --clean

      Type: bool

      Default: false

      Force a cleanup of existing resources on start up. These may have been left over from an earlier aborted run

      --collected-log-level

      Type: int

      Default: 0

      Log level to be collected by cbopinfo

      --fsgroup

      Type: int

      Default: 1000

      Set the file system group for persistent volumes.

      --image

      Type: string

      Default: couchbase/operator-certification:

      Certification image to use

      --image-pull-policy

      Type: string

      Default: IfNotPresent

      Pull Policy to use when downloading the Certification container

      --ipv6

      Type: bool

      Default: false

      Force the use of IPv6 with Couchbase Server.

      --parallel

      Type: int

      Default: 8

      Test concurrency

      --registry

      Type: string

      Allows container image registry configuration e.g. SERVER,USERNAME,PASSWORD. This will be added as an image pull secret. Can be specified multiple times.

      --storage-class

      Type: string

      Storage class to use for result artifacts and test volumes. The default storage class of the platform is used if not specified.

      --timeout

      Type: string

      Default: 12h

      Maximum runtime to allow. 4h is enough for all tests on most platforms with 8 way concurrency. It may take over a day running with 1 way concurrency

      --use-fsgroup

      Type: bool

      Default: true

      Use a file system group for persistent volumes.

      Inherited Flags

      --as

      Type: string

      Username to impersonate for the operation. User could be a regular user or a service account in a namespace.

      --as-group

      Type: stringArray

      Default: []

      Group to impersonate for the operation, this flag can be repeated to specify multiple groups.

      --as-uid

      Type: string

      UID to impersonate for the operation.

      --cache-dir

      Type: string

      Default: $HOME/.kube/cache

      Default cache directory

      --certificate-authority

      Type: string

      Path to a cert file for the certificate authority

      --client-certificate

      Type: string

      Path to a client certificate file for TLS

      --client-key

      Type: string

      Path to a client key file for TLS

      --cluster

      Type: string

      The name of the kubeconfig cluster to use

      --context

      Type: string

      The name of the kubeconfig context to use

      --insecure-skip-tls-verify

      Type: bool

      Default: false

      If true, the server’s certificate will not be checked for validity. This will make your HTTPS connections insecure

      --kubeconfig

      Type: string

      Path to the kubeconfig file to use for CLI requests.

      --namespace, -n

      Type: string

      If present, the namespace scope for this CLI request

      --request-timeout

      Type: string

      Default: 0

      The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don’t timeout requests.

      --server, -s

      Type: string

      The address and port of the Kubernetes API server

      --tls-server-name

      Type: string

      Server name to use for server certificate validation. If it is not provided, the hostname used to contact the server is used

      --token

      Type: string

      Bearer token for authentication to the API server

      --user

      Type: string

      The name of the kubeconfig user to use

      cao collect-logs [flags]

      Log and resource collection for Couchbase Autonomous Operator support.

      When you encounter a problem with the Autonomous Operator, our support teams require more than just the last line of the logs to diagnose and, ultimately, resolve the issue quickly.

      Log collection, in its most basic form, collects all resources associated with the Autonomous Operator and Couchbase clusters in the specified namespace, including associated logs and events. Most resource types are filtered, so the tool collects only what is necessary. Where filtering is not possible, all instances of that resource are collected, so it may be desirable to segregate the Autonomous Operator into its own namespace. Secrets, for example, are not filtered, but the tool redacts their values, so if your support request relates to TLS, you may need to manually collect these resources and include them in your support request.

      Collected Resources

      Collected resources are categorised based on log level and scope.

      Log level

      Required: Couchbase resources and those scoped to the cluster.

      Sensitive: may include secrets, roles, etc

      Scope

      all: All resources found

      cluster: All resources associated with a cluster

      name: All resources limited by cluster names

      namespace: All resources limited by namespace name

      group: All resources limited by resource name

      operator: Only the Operator deployment

      Log Level - Required

      CouchbaseCollectionGroup

      Log Level: Required

      Scope: all

      CouchbaseBucket

      Log Level: Required

      Scope: all

      CouchbaseEphemeralBucket

      Log Level: Required

      Scope: all

      CouchbaseMemcachedBucket

      Log Level: Required

      Scope: all

      CouchbaseReplication

      Log Level: Required

      Scope: all

      CouchbaseUser

      Log Level: Required

      Scope: all

      CouchbaseGroup

      Log Level: Required

      Scope: all

      CouchbaseRoleBinding

      Log Level: Required

      Scope: all

      CouchbaseBackup

      Log Level: Required

      Scope: all

      CouchbaseBackupRestore

      Log Level: Required

      Scope: all

      CouchbaseAutoscaler

      Log Level: Required

      Scope: all

      CouchbaseScope

      Log Level: Required

      Scope: all

      CouchbaseScopeGroup

      Log Level: Required

      Scope: all

      CouchbaseCollection

      Log Level: Required

      Scope: all

      Service

      Log Level: Required

      Scope: cluster

      ConfigMap

      Log Level: Required

      Scope: cluster

      Reason: Used to determine issues with Couchbase Cluster state, server environment variables, and logging configuration

      Endpoints

      Log Level: Required

      Scope: cluster

      PodDisruptionBudget

      Log Level: Required

      Scope: cluster

      Reason: Used to determine issues with automatic Kubernetes upgrades

      Pod

      Log Level: Required

      Scope: cluster

      CronJob

      Log Level: Required

      Scope: cluster

      Reason: Used to determine issues with Cronjobs for scheduled backups

      PersistentVolumeClaim

      Log Level: Required

      Scope: cluster

      Reason: Used to determine compatibility issues with underlying persistent volume

      Job

      Log Level: Required

      Scope: cluster

      Reason: Used to determine issues with Jobs created for restoring from backup

      CustomResourceDefinition

      Log Level: Required

      Scope: group

      Reason: Used to determine issues with installed CRD version against installed Operator and DAC version

      CouchbaseCluster

      Log Level: Required

      Scope: name

      Namespace

      Log Level: Required

      Scope: namespace

      Deployment

      Log Level: Required

      Scope: operator

      Reason: Used to determine issues with Operator and Dynamic Admission Control deployments

      Log Level - Sensitive

      ServiceAccount

      Log Level: Sensitive

      Scope: all

      ClusterRole

      Log Level: Sensitive

      Scope: all

      Reason: Used to determine whether RBAC is correctly set up for the running Operator version.

      Role

      Log Level: Sensitive

      Scope: all

      Reason: Used to determine whether RBAC is correctly set up for the running Operator version.

      RoleBinding

      Log Level: Sensitive

      Scope: all

      Reason: Used to determine whether RBAC is correctly set up for the running Operator version.

      Secret

      Log Level: Sensitive

      Scope: all

      Reason: Used to determine issues with stored cluster passwords, TLS configurations and other private keys stored in secrets

      PersistentVolume

      Log Level: Sensitive

      Scope: all

      Reason: Used to determine compatibility issues with underlying persistent volume

      Node

      Log Level: Sensitive

      Scope: all

      Reason: Used to determine issues with the orchestration platform and identify potential image problems

      ClusterRoleBinding

      Log Level: Sensitive

      Scope: all

      Reason: Used to determine whether RBAC is correctly set up for the running Operator version.

      Examples

      # Collect operator and all couchbase cluster resources
      cao collect-logs
      
      # Collect operator and a named cluster's resources
      cao collect-logs --couchbase-cluster my-cluster
      
      # Collect operator resources and Couchbase Server logs
      cao collect-logs --collectinfo --collectinfo-collect=all
      
      # Collect operator and system (kube-system) resources
      cao collect-logs --system
      
      # Collect all known resources, applying no filtering
      cao collect-logs --all
      
      # Collect only required resources, filtering potentially sensitive information
      cao collect-logs --log-level 0

      Flags

      --all

      Type: bool

      Default: false

      Collect all resources from the namespace

      --collectinfo

      Type: bool

      Default: false

      Collect couchbase server logs

      --collectinfo-collect

      Type: string

      Collect Couchbase Server logs non-interactively. Requires the --collectinfo flag to be set

      --collectinfo-list

      Type: bool

      Default: false

      List all log sources in JSON and exit. Requires the --collectinfo flag to be set

      --collectinfo-redact

      Type: bool

      Default: false

      Redact Couchbase Server logs. Requires the --collectinfo flag to be set

      --couchbase-cluster

      Type: string

      Collect only resources for the named CouchbaseCluster. May be used multiple times

      --directory

      Type: string

      Collect logs in a specific directory

      --log-level

      Type: int

      Default: 0

      Control the verbosity of collection. 0 collects Couchbase resources and those scoped to the cluster; 1 collects more sensitive resources that may be required for support, such as secrets and roles.

      --operator-image

      Type: string

      Default: couchbase/operator:

      Operator image name

      --operator-metrics-port

      Type: string

      Default: 8383

      Operator metrics port

      --operator-rest-port

      Type: string

      Default: 8080

      Operator rest port

      --server-image

      Type: string

      Default: couchbase/server:6.6.2

      Couchbase server image

      --system

      Type: bool

      Default: false

      Collect kube-system resources and logs

      Inherited Flags

      --as

      Type: string

      Username to impersonate for the operation. User could be a regular user or a service account in a namespace.

      --as-group

      Type: stringArray

      Default: []

      Group to impersonate for the operation, this flag can be repeated to specify multiple groups.

      --as-uid

      Type: string

      UID to impersonate for the operation.

      --cache-dir

      Type: string

      Default: $HOME/.kube/cache

      Default cache directory

      --certificate-authority

      Type: string

      Path to a cert file for the certificate authority

      --client-certificate

      Type: string

      Path to a client certificate file for TLS

      --client-key

      Type: string

      Path to a client key file for TLS

      --cluster

      Type: string

      The name of the kubeconfig cluster to use

      --context

      Type: string

      The name of the kubeconfig context to use

      --insecure-skip-tls-verify

      Type: bool

      Default: false

      If true, the server’s certificate will not be checked for validity. This will make your HTTPS connections insecure

      --kubeconfig

      Type: string

      Path to the kubeconfig file to use for CLI requests.

      --namespace, -n

      Type: string

      If present, the namespace scope for this CLI request

      --request-timeout

      Type: string

      Default: 0

      The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don’t timeout requests.

      --server, -s

      Type: string

      The address and port of the Kubernetes API server

      --tls-server-name

      Type: string

      Server name to use for server certificate validation. If it is not provided, the hostname used to contact the server is used

      --token

      Type: string

      Bearer token for authentication to the API server

      --user

      Type: string

      The name of the kubeconfig user to use

      cao create

      Creates Couchbase Autonomous Operator components

      cao create admission [flags]

      Creates the dynamic admission controller.

      The DAC is designed to be deployed at the cluster scope (default). It monitors Couchbase resources as they are created and modified, accepting, or rejecting them, before they are persisted in etcd.

      Use of the DAC is encouraged as it will report any configuration errors that are specific to deployment of Couchbase resources that aren’t available by default in the Kubernetes API. For example, this includes validating memory quotas are satisfiable, TLS certificates are correctly configured, and any resources referenced actually exist.

      Examples

      # Create admission controller (recommended).
      cao create admission
      
      # Create admission controller scoped to a namespace.
      cao create admission --scope namespace --namespace-selector key=value
      
      # Create admission controller with custom image and secure image registry.
      cao create admission --image acme.corp/admission:1.0.0 --image-pull-secret secret-name
      
      # Create admission controller without secret access.
      cao create admission --validate-secrets=false
      
      # Create admission controller with debug logging.
      cao create admission --log-level debug

      Flags

      --cpu-limit

      Type: quantity

      Default: 1

      CPU limit for constraining, only valid when used with --with-resources

      --cpu-request

      Type: quantity

      Default: 500m

      CPU requested for scheduling, only valid when used with --with-resources

      --image

      Type: string

      Default: couchbase/admission-controller:

      Operator image to use

      --image-pull-policy

      Type: string

      Default: IfNotPresent

      Image pull policy to affect when the image is downloaded.

      --image-pull-secret

      Type: string

      Image pull secret to allow access to the operator image

      --log-level

      Type: string

      Default: info

      Log level to generate logs at. "info", or "0", prints basic operations. "debug", or "1" prints extended information.

      --memory-limit

      Type: quantity

      Default: 200Mi

      Memory limit for constraining, only valid when used with --with-resources

      --memory-request

      Type: quantity

      Default: 100Mi

      Memory requested for scheduling, only valid when used with --with-resources

      --namespace-selector

      Type: map

      Required namespace selector to use when scope is set to 'namespace'. Format label=value[,label=value].

      --replicas

      Type: int

      Default: 1

      The number of replicas in the deployment

      --scope

      Type: string

      Default: cluster

      Whether to scope the Operator to a 'namespace' or to the 'cluster'.

      --validate-secrets

      Type: bool

      Default: true

      Validates secrets referenced by Couchbase resources, and their contents e.g. TLS configuration, for validity

      --validate-storage-classes

      Type: bool

      Default: true

      Validates storage classes referenced by Couchbase resources

      --with-resources

      Type: bool

      Default: false

      Populates pod resource requests and limits

      Inherited Flags

      --as

      Type: string

      Username to impersonate for the operation. User could be a regular user or a service account in a namespace.

      --as-group

      Type: stringArray

      Default: []

      Group to impersonate for the operation, this flag can be repeated to specify multiple groups.

      --as-uid

      Type: string

      UID to impersonate for the operation.

      --cache-dir

      Type: string

      Default: $HOME/.kube/cache

      Default cache directory

      --certificate-authority

      Type: string

      Path to a cert file for the certificate authority

      --client-certificate

      Type: string

      Path to a client certificate file for TLS

      --client-key

      Type: string

      Path to a client key file for TLS

      --cluster

      Type: string

      The name of the kubeconfig cluster to use

      --context

      Type: string

      The name of the kubeconfig context to use

      --insecure-skip-tls-verify

      Type: bool

      Default: false

      If true, the server’s certificate will not be checked for validity. This will make your HTTPS connections insecure

      --kubeconfig

      Type: string

      Path to the kubeconfig file to use for CLI requests.

      --namespace, -n

      Type: string

      If present, the namespace scope for this CLI request

      --request-timeout

      Type: string

      Default: 0

      The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don’t timeout requests.

      --server, -s

      Type: string

      The address and port of the Kubernetes API server

      --tls-server-name

      Type: string

      Server name to use for server certificate validation. If it is not provided, the hostname used to contact the server is used

      --token

      Type: string

      Bearer token for authentication to the API server

      --user

      Type: string

      The name of the kubeconfig user to use

      cao create backup [flags]

      Creates backup roles.

      Flags

      --iam-role-arn

      Type: string

      Adds the IAM Role ARN to the backup service account’s annotation, e.g. arn:aws:iam::<ACCOUNT_ID>:role/<IAM_ROLE_NAME>

      Inherited Flags

      --as

      Type: string

      Username to impersonate for the operation. User could be a regular user or a service account in a namespace.

      --as-group

      Type: stringArray

      Default: []

      Group to impersonate for the operation, this flag can be repeated to specify multiple groups.

      --as-uid

      Type: string

      UID to impersonate for the operation.

      --cache-dir

      Type: string

      Default: $HOME/.kube/cache

      Default cache directory

      --certificate-authority

      Type: string

      Path to a cert file for the certificate authority

      --client-certificate

      Type: string

      Path to a client certificate file for TLS

      --client-key

      Type: string

      Path to a client key file for TLS

      --cluster

      Type: string

      The name of the kubeconfig cluster to use

      --context

      Type: string

      The name of the kubeconfig context to use

      --insecure-skip-tls-verify

      Type: bool

      Default: false

      If true, the server’s certificate will not be checked for validity. This will make your HTTPS connections insecure

      --kubeconfig

      Type: string

      Path to the kubeconfig file to use for CLI requests.

      --namespace, -n

      Type: string

      If present, the namespace scope for this CLI request

      --request-timeout

      Type: string

      Default: 0

      The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don’t timeout requests.

      --server, -s

      Type: string

      The address and port of the Kubernetes API server

      --tls-server-name

      Type: string

      Server name to use for server certificate validation. If it is not provided, the hostname used to contact the server is used

      --token

      Type: string

      Bearer token for authentication to the API server

      --user

      Type: string

      The name of the kubeconfig user to use

      cao create operator [flags]

      Creates the Couchbase Autonomous Operator.

      The Operator is designed to be run at the namespace scope (default). It watches for creation of CouchbaseCluster resources in that namespace and provides automated provisioning, management and disaster recovery of Couchbase Server.

      Examples

      # Create operator (recommended).
      cao create operator
      
      # Create operator scoped to the cluster.
      cao create operator --scope cluster
      
      # Create operator with a custom image and secure image registry.
      cao create operator --image acme.corp/operator:1.0.0 --image-pull-secret secret-name
      
      # Create operator with debug logging.
      cao create operator --log-level debug
      
      # Create operator with extended timeouts (for slow platforms).
      cao create operator --pod-creation-timeout 1h

      Flags

      --cpu-limit

      Type: quantity

      Default: 1

      CPU limit for constraining

      --cpu-request

      Type: quantity

      Default: 500m

      CPU requested for scheduling

      --image

      Type: string

      Default: couchbase/operator:

      Operator image to use.

      --image-pull-policy

      Type: string

      Default: IfNotPresent

      Image pull policy to affect when the image is downloaded.

      --image-pull-secret

      Type: string

      Image pull secret to allow access to the operator image.

      --log-level

      Type: string

      Default: info

      Log level to generate logs at. "info", or "0", prints basic operations. "debug", or "1" prints extended information and API calls. "2" prints very detailed logs, including full API payloads that may contain passwords and keys.

      --memory-limit

      Type: quantity

      Default: 400Mi

      Memory limit for constraining

      --memory-request

      Type: quantity

      Default: 200Mi

      Memory requested for scheduling

      --pod-creation-timeout

      Type: string

      Default: 10m0s

      How long to wait before declaring an error when provisioning a pod.

      --scope

      Type: string

      Default: namespace

      Whether to scope the Operator to a 'namespace' or to the 'cluster'.

      --with-resources

      Type: bool

      Default: false

      Populates pod resource requests and limits

      Inherited Flags

      --as

      Type: string

      Username to impersonate for the operation. User could be a regular user or a service account in a namespace.

      --as-group

      Type: stringArray

      Default: []

      Group to impersonate for the operation, this flag can be repeated to specify multiple groups.

      --as-uid

      Type: string

      UID to impersonate for the operation.

      --cache-dir

      Type: string

      Default: $HOME/.kube/cache

      Default cache directory

      --certificate-authority

      Type: string

      Path to a cert file for the certificate authority

      --client-certificate

      Type: string

      Path to a client certificate file for TLS

      --client-key

      Type: string

      Path to a client key file for TLS

      --cluster

      Type: string

      The name of the kubeconfig cluster to use

      --context

      Type: string

      The name of the kubeconfig context to use

      --insecure-skip-tls-verify

      Type: bool

      Default: false

      If true, the server’s certificate will not be checked for validity. This will make your HTTPS connections insecure

      --kubeconfig

      Type: string

      Path to the kubeconfig file to use for CLI requests.

      --namespace, -n

      Type: string

      If present, the namespace scope for this CLI request

      --request-timeout

      Type: string

      Default: 0

      The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don’t timeout requests.

      --server, -s

      Type: string

      The address and port of the Kubernetes API server

      --tls-server-name

      Type: string

      Server name to use for server certificate validation. If it is not provided, the hostname used to contact the server is used

      --token

      Type: string

      Bearer token for authentication to the API server

      --user

      Type: string

      The name of the kubeconfig user to use

      cao delete

      Deletes Couchbase Autonomous Operator components

      cao delete admission [flags]

      Deletes the dynamic admission controller.

      Examples

      # Delete admission controller (recommended).
      cao delete admission
      
      # Delete admission controller scoped to a namespace.
      cao delete admission --scope namespace

      Flags

      --scope

      Type: string

      Default: cluster

      Whether to scope the Operator to a 'namespace' or to the 'cluster'.

      Inherited Flags

      --as

      Type: string

      Username to impersonate for the operation. User could be a regular user or a service account in a namespace.

      --as-group

      Type: stringArray

      Default: []

      Group to impersonate for the operation, this flag can be repeated to specify multiple groups.

      --as-uid

      Type: string

      UID to impersonate for the operation.

      --cache-dir

      Type: string

      Default: $HOME/.kube/cache

      Default cache directory

      --certificate-authority

      Type: string

      Path to a cert file for the certificate authority

      --client-certificate

      Type: string

      Path to a client certificate file for TLS

      --client-key

      Type: string

      Path to a client key file for TLS

      --cluster

      Type: string

      The name of the kubeconfig cluster to use

      --context

      Type: string

      The name of the kubeconfig context to use

      --insecure-skip-tls-verify

      Type: bool

      Default: false

      If true, the server’s certificate will not be checked for validity. This will make your HTTPS connections insecure

      --kubeconfig

      Type: string

      Path to the kubeconfig file to use for CLI requests.

      --namespace, -n

      Type: string

      If present, the namespace scope for this CLI request

      --request-timeout

      Type: string

      Default: 0

      The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don’t timeout requests.

      --server, -s

      Type: string

      The address and port of the Kubernetes API server

      --tls-server-name

      Type: string

      Server name to use for server certificate validation. If it is not provided, the hostname used to contact the server is used

      --token

      Type: string

      Bearer token for authentication to the API server

      --user

      Type: string

      The name of the kubeconfig user to use

      cao delete backup

      Deletes backup roles.

      Inherited Flags

      --as

      Type: string

      Username to impersonate for the operation. User could be a regular user or a service account in a namespace.

      --as-group

      Type: stringArray

      Default: []

      Group to impersonate for the operation, this flag can be repeated to specify multiple groups.

      --as-uid

      Type: string

      UID to impersonate for the operation.

      --cache-dir

      Type: string

      Default: $HOME/.kube/cache

      Default cache directory

      --certificate-authority

      Type: string

      Path to a cert file for the certificate authority

      --client-certificate

      Type: string

      Path to a client certificate file for TLS

      --client-key

      Type: string

      Path to a client key file for TLS

      --cluster

      Type: string

      The name of the kubeconfig cluster to use

      --context

      Type: string

      The name of the kubeconfig context to use

      --insecure-skip-tls-verify

      Type: bool

      Default: false

      If true, the server’s certificate will not be checked for validity. This will make your HTTPS connections insecure

      --kubeconfig

      Type: string

      Path to the kubeconfig file to use for CLI requests.

      --namespace, -n

      Type: string

      If present, the namespace scope for this CLI request

      --request-timeout

      Type: string

      Default: 0

      The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don’t timeout requests.

      --server, -s

      Type: string

      The address and port of the Kubernetes API server

      --tls-server-name

      Type: string

      Server name to use for server certificate validation. If it is not provided, the hostname used to contact the server is used

      --token

      Type: string

      Bearer token for authentication to the API server

      --user

      Type: string

      The name of the kubeconfig user to use

      cao delete operator [flags]

      Deletes the Couchbase Autonomous Operator.

      Examples

      # Delete operator (recommended).
      cao delete operator
      
      # Delete operator scoped to the cluster.
      cao delete operator --scope cluster

      Flags

      --scope

      Type: string

      Default: namespace

      Whether to scope the Operator to a 'namespace' or to the 'cluster'.

      Inherited Flags

      --as

      Type: string

      Username to impersonate for the operation. User could be a regular user or a service account in a namespace.

      --as-group

      Type: stringArray

      Default: []

      Group to impersonate for the operation, this flag can be repeated to specify multiple groups.

      --as-uid

      Type: string

      UID to impersonate for the operation.

      --cache-dir

      Type: string

      Default: $HOME/.kube/cache

      Default cache directory

      --certificate-authority

      Type: string

      Path to a cert file for the certificate authority

      --client-certificate

      Type: string

      Path to a client certificate file for TLS

      --client-key

      Type: string

      Path to a client key file for TLS

      --cluster

      Type: string

      The name of the kubeconfig cluster to use

      --context

      Type: string

      The name of the kubeconfig context to use

      --insecure-skip-tls-verify

      Type: bool

      Default: false

      If true, the server’s certificate will not be checked for validity. This will make your HTTPS connections insecure

      --kubeconfig

      Type: string

      Path to the kubeconfig file to use for CLI requests.

      --namespace, -n

      Type: string

      If present, the namespace scope for this CLI request

      --request-timeout

      Type: string

      Default: 0

      The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don’t timeout requests.

      --server, -s

      Type: string

      The address and port of the Kubernetes API server

      --tls-server-name

      Type: string

      Server name to use for server certificate validation. If it is not provided, the hostname used to contact the server is used

      --token

      Type: string

      Bearer token for authentication to the API server

      --user

      Type: string

      The name of the kubeconfig user to use

      cao generate

      Generates YAML manifests for various Operator components

      cao generate admission [flags]

      Generates YAML for the dynamic admission controller.

      The DAC is designed to be deployed at the cluster scope (default). It monitors Couchbase resources as they are created and modified, accepting, or rejecting them, before they are persisted in etcd.

      Use of the DAC is encouraged as it will report any configuration errors that are specific to deployment of Couchbase resources that aren’t available by default in the Kubernetes API. For example, this includes validating memory quotas are satisfiable, TLS certificates are correctly configured, and any resources referenced actually exist.

      Examples

      # Create admission controller (recommended).
      cao generate admission
      
      # Create admission controller scoped to a namespace.
      cao generate admission --scope namespace --namespace-selector key=value
      
      # Create admission controller with custom image and secure image registry.
      cao generate admission --image acme.corp/admission:1.0.0 --image-pull-secret secret-name
      
      # Create admission controller without secret access.
      cao generate admission --validate-secrets=false
      
      # Create admission controller with debug logging.
      cao generate admission --log-level debug

      Flags

      --cpu-limit

      Type: quantity

      Default: 1

      CPU limit for constraining, only valid when used with --with-resources

      --cpu-request

      Type: quantity

      Default: 500m

      CPU requested for scheduling, only valid when used with --with-resources

      --image

      Type: string

      Default: couchbase/admission-controller:

      Operator image to use

      --image-pull-policy

      Type: string

      Default: IfNotPresent

      Image pull policy to affect when the image is downloaded.

      --image-pull-secret

      Type: string

      Image pull secret to allow access to the operator image

      --log-level

      Type: string

      Default: info

      Log level to generate logs at. "info", or "0", prints basic operations. "debug", or "1" prints extended information.

      --memory-limit

      Type: quantity

      Default: 200Mi

      Memory limit for constraining, only valid when used with --with-resources

      --memory-request

      Type: quantity

      Default: 100Mi

      Memory requested for scheduling, only valid when used with --with-resources

      --namespace-selector

      Type: map

      Required namespace selector to use when scope is set to 'namespace'. Format label=value[,label=value].

      --replicas

      Type: int

      Default: 1

      The number of replicas in the deployment

      --scope

      Type: string

      Default: cluster

      Whether to scope the Operator to a 'namespace' or to the 'cluster'.

      --validate-secrets

      Type: bool

      Default: true

      Validates secrets referenced by Couchbase resources, and their contents e.g. TLS configuration, for validity

      --validate-storage-classes

      Type: bool

      Default: true

      Validates storage classes referenced by Couchbase resources

      --with-resources

      Type: bool

      Default: false

      Populates pod resource requests and limits

      Inherited Flags

      --as

      Type: string

      Username to impersonate for the operation. User could be a regular user or a service account in a namespace.

      --as-group

      Type: stringArray

      Default: []

      Group to impersonate for the operation, this flag can be repeated to specify multiple groups.

      --as-uid

      Type: string

      UID to impersonate for the operation.

      --cache-dir

      Type: string

      Default: $HOME/.kube/cache

      Default cache directory

      --certificate-authority

      Type: string

      Path to a cert file for the certificate authority

      --client-certificate

      Type: string

      Path to a client certificate file for TLS

      --client-key

      Type: string

      Path to a client key file for TLS

      --cluster

      Type: string

      The name of the kubeconfig cluster to use

      --context

      Type: string

      The name of the kubeconfig context to use

      --insecure-skip-tls-verify

      Type: bool

      Default: false

      If true, the server’s certificate will not be checked for validity. This will make your HTTPS connections insecure

      --kubeconfig

      Type: string

      Path to the kubeconfig file to use for CLI requests.

      --namespace, -n

      Type: string

      If present, the namespace scope for this CLI request

      --request-timeout

      Type: string

      Default: 0

      The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don’t timeout requests.

      --server, -s

      Type: string

      The address and port of the Kubernetes API server

      --tls-server-name

      Type: string

      Server name to use for server certificate validation. If it is not provided, the hostname used to contact the server is used

      --token

      Type: string

      Bearer token for authentication to the API server

      --user

      Type: string

      The name of the kubeconfig user to use

      cao generate backup [flags]

      Generates YAML for backup jobs.

      Flags

      --iam-role-arn

      Type: string

      Adds the IAM Role ARN to the backup service account’s annotation, e.g. arn:aws:iam::<ACCOUNT_ID>:role/<IAM_ROLE_NAME>

      Inherited Flags

      --as

      Type: string

      Username to impersonate for the operation. User could be a regular user or a service account in a namespace.

      --as-group

      Type: stringArray

      Default: []

      Group to impersonate for the operation, this flag can be repeated to specify multiple groups.

      --as-uid

      Type: string

      UID to impersonate for the operation.

      --cache-dir

      Type: string

      Default: $HOME/.kube/cache

      Default cache directory

      --certificate-authority

      Type: string

      Path to a cert file for the certificate authority

      --client-certificate

      Type: string

      Path to a client certificate file for TLS

      --client-key

      Type: string

      Path to a client key file for TLS

      --cluster

      Type: string

      The name of the kubeconfig cluster to use

      --context

      Type: string

      The name of the kubeconfig context to use

      --insecure-skip-tls-verify

      Type: bool

      Default: false

      If true, the server’s certificate will not be checked for validity. This will make your HTTPS connections insecure

      --kubeconfig

      Type: string

      Path to the kubeconfig file to use for CLI requests.

      --namespace, -n

      Type: string

      If present, the namespace scope for this CLI request

      --request-timeout

      Type: string

      Default: 0

      The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don’t timeout requests.

      --server, -s

      Type: string

      The address and port of the Kubernetes API server

      --tls-server-name

      Type: string

      Server name to use for server certificate validation. If it is not provided, the hostname used to contact the server is used

      --token

      Type: string

      Bearer token for authentication to the API server

      --user

      Type: string

      The name of the kubeconfig user to use

      cao generate operator [flags]

      Generates YAML for the Couchbase Autonomous Operator.

      The Operator is designed to be run at the namespace scope (default). It watches for creation of CouchbaseCluster resources in that namespace and provides automated provisioning, management and disaster recovery of Couchbase Server.

      Examples

      # Create operator (recommended).
      cao generate operator
      
      # Create operator scoped to the cluster.
      cao generate operator --scope cluster
      
      # Create operator with a custom image and secure image registry.
      cao generate operator --image acme.corp/operator:1.0.0 --image-pull-secret secret-name
      
      # Create operator with debug logging.
      cao generate operator --log-level debug
      
      # Create operator with extended timeouts (for slow platforms).
      cao generate operator --pod-creation-timeout 1h

      Flags

      --cpu-limit

      Type: quantity

      Default: 1

      CPU limit for constraining

      --cpu-request

      Type: quantity

      Default: 500m

      CPU requested for scheduling

      --image

      Type: string

      Default: couchbase/operator:

      Operator image to use.

      --image-pull-policy

      Type: string

      Default: IfNotPresent

      Image pull policy to affect when the image is downloaded.

      --image-pull-secret

      Type: string

      Image pull secret to allow access to the operator image.

      --log-level

      Type: string

      Default: info

      Log level to generate logs at. "info", or "0", prints basic operations. "debug", or "1" prints extended information and API calls. "2" prints very detailed logs, including full API payloads that may contain passwords and keys.

      --memory-limit

      Type: quantity

      Default: 400Mi

      Memory limit for constraining

      --memory-request

      Type: quantity

      Default: 200Mi

      Memory requested for scheduling

      --pod-creation-timeout

      Type: string

      Default: 10m0s

      How long to wait before declaring an error when provisioning a pod.

      --scope

      Type: string

      Default: namespace

      Whether to scope the Operator to a 'namespace' or to the 'cluster'.

      --with-resources

      Type: bool

      Default: false

      Populates pod resource requests and limits
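
      Several flags documented above weaken a deployment when they end up in automation: --insecure-skip-tls-verify, --token, --log-level 2 on the Operator and --validate-secrets=false on the DAC. The following is an added example, not part of the cao tooling, that audits a script for them; the sample script is constructed, and the parsing rules (boolean flags take their value only as --flag=value, every other flag consumes the next word) are an assumption about how cao reads its arguments.

```python
import shlex

# Boolean flags documented on this page; assumed to accept a value only as --flag=value.
BOOL_FLAGS = {"--insecure-skip-tls-verify", "--validate-secrets",
              "--validate-storage-classes", "--with-resources"}
TRUE_VALUES = {"1", "t", "T", "true", "TRUE", "True"}

# Constructed sample script for the demonstration.
SAMPLE = """\
# constructed CI script
cao generate operator --log-level 2 --image acme.corp/operator:1.0.0
cao generate admission --validate-secrets=false
cao delete operator --insecure-skip-tls-verify --token "$KUBE_TOKEN" -n prod
cao generate admission --scope namespace --namespace-selector key=value
kubectl get pods
"""


def parse_invocation(line):
    """Split one shell line into (subcommand words, {flag: value}); None if not cao."""
    try:
        tokens = shlex.split(line, comments=True)
    except ValueError:          # unbalanced quotes: not something we can judge
        return None
    if not tokens or tokens[0].rsplit("/", 1)[-1] != "cao":
        return None
    words, flags, i = [], {}, 1
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("-"):
            name, sep, value = tok.partition("=")
            if not sep:
                if name in BOOL_FLAGS:
                    value = "true"              # bare boolean flag means true
                elif i + 1 < len(tokens):
                    i += 1
                    value = tokens[i]           # value is the next word
            flags[name] = value
        else:
            words.append(tok)
        i += 1
    return words, flags


def audit_line(line):
    """Return [(flag, reason)] for the risky settings found in one line."""
    parsed = parse_invocation(line)
    if parsed is None:
        return []
    words, flags = parsed
    findings = []
    if flags.get("--insecure-skip-tls-verify") in TRUE_VALUES:
        findings.append(("--insecure-skip-tls-verify",
                         "API server certificate is not checked"))
    if "--token" in flags:
        findings.append(("--token",
                         "bearer token is passed as a process argument"))
    if words[:2] == ["generate", "operator"] and flags.get("--log-level") == "2":
        findings.append(("--log-level",
                         "logs include API payloads that may contain passwords and keys"))
    if words[:2] == ["generate", "admission"]:
        for flag, what in (("--validate-secrets", "secrets"),
                           ("--validate-storage-classes", "storage classes")):
            if flag in flags and flags[flag] not in TRUE_VALUES:
                findings.append((flag, "referenced %s are not validated" % what))
    return findings


def audit_script(text):
    """Return [(line number, flag)] for every finding in a script."""
    return [(number, flag)
            for number, line in enumerate(text.splitlines(), 1)
            for flag, _reason in audit_line(line)]


if __name__ == "__main__":
    for number, line in enumerate(SAMPLE.splitlines(), 1):
        for flag, reason in audit_line(line):
            print("line %d: %s: %s" % (number, flag, reason))
```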

      Inherited Flags

      --as

      Type: string

      Username to impersonate for the operation. User could be a regular user or a service account in a namespace.

      --as-group

      Type: stringArray

      Default: []

      Group to impersonate for the operation, this flag can be repeated to specify multiple groups.

      --as-uid

      Type: string

      UID to impersonate for the operation.

      --cache-dir

      Type: string

      Default: $HOME/.kube/cache

      Default cache directory

      --certificate-authority

      Type: string

      Path to a cert file for the certificate authority

      --client-certificate

      Type: string

      Path to a client certificate file for TLS

      --client-key

      Type: string

      Path to a client key file for TLS

      --cluster

      Type: string

      The name of the kubeconfig cluster to use

      --context

      Type: string

      The name of the kubeconfig context to use

      --insecure-skip-tls-verify

      Type: bool

      Default: false

      If true, the server’s certificate will not be checked for validity. This will make your HTTPS connections insecure

      --kubeconfig

      Type: string

      Path to the kubeconfig file to use for CLI requests.

      --namespace, -n

      Type: string

      If present, the namespace scope for this CLI request

      --request-timeout

      Type: string

      Default: 0

      The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don’t timeout requests.

      --server, -s

      Type: string

      The address and port of the Kubernetes API server

      --tls-server-name

      Type: string

      Server name to use for server certificate validation. If it is not provided, the hostname used to contact the server is used

      --token

      Type: string

      Bearer token for authentication to the API server

      --user

      Type: string

      The name of the kubeconfig user to use

      cao restore [flags]

      Restore a cluster’s data topology

      In a development environment it may be desirable to manually manage the data topology in a rapid and agile fashion, rather than use the native Kubernetes resource types we provide. For example you may wish to create buckets, scopes and collections using the UI, or an SDK, without having the overhead of change control, review and auditing of changes that using native resources would provide.

      This command allows existing save data (as generated by 'cao save') to be applied to the selected cluster. Restoration of data topology occurs as follows: the Couchbase cluster is interrogated for all data topology (including unmanaged buckets, scopes and collections). This is then compared with the contents of the save data to detect resources that will be added, updated or deleted as a result of this restore operation. You will be prompted for confirmation that the outcome is as desired, giving you an opportunity to back out of unintentionally destructive operations.

      A new, full tree of resources (buckets, scopes and collections) is created then atomically swapped with the old tree, providing roll back in the event of an error. Finally any old Kubernetes resources are automatically cleaned up.

      The atomic swap of resources is performed using label selectors, allowing restores when multiple Couchbase clusters are running in the same namespace. As a precaution, the tool will only function if your cluster’s buckets are unmanaged, there is no label selector set and there are no existing resources, or a label selector is already in use. It is your responsibility to ensure that when multiple Couchbase clusters are running in the same namespace, they will not be affected by a restore operation, e.g. they are not sharing any resources that may be modified or deleted. It is usually safest to run a single Couchbase cluster per namespace.

      All resources discovered when polling the Couchbase cluster will be backed by a Kubernetes resource, and managed by the Operator after a restore. You may manually disable management of a particular bucket or scope if you so wish.

      Save and restore of resources will modify Kubernetes resources, and therefore should never be used with any other form of lifecycle management tool (e.g. Helm or Red Hat OLM) as these may revert changes and lead to catastrophic data loss.

      Examples

      # Restore the full data topology on the only cluster in a namespace
      cao restore -f save-data.yaml
      
      # Restore the full data topology to the specific cluster
      cao restore --couchbase-cluster squirrel -f save-data.yaml
      
      # Restore all scopes and collections in a bucket
      cao restore --path /bucket -f save-data.yaml
      
      # Restore all collections in a scope
      cao restore --path /bucket/scope -f save-data.yaml

      Flags

      --couchbase-cluster

      Type: string

      Cluster to save from (CouchbaseCluster resource name)

      --filename, -f

      Type: string

      Filename to read the save data from.

      --path

      Type: string

      Default: /

      Path to restore data to. Default will restore all buckets, scopes and collections. '/bucket' will restore all scopes and collections in Couchbase bucket 'bucket'. '/bucket/scope' will restore all collections in Couchbase bucket 'bucket' and Couchbase scope 'scope'.

      --strategy

      Type: string

      Default: merge

      Strategy to use when merging the save data with the current cluster’s data. When 'merge', this will retain any existing items that are in the current cluster, but not in the save. When 'replace', this will fully replace the existing items that exist in the current cluster, but don’t exist in the save. Merging protects the user from accidental data loss, whereas replacement may cause data loss, but ensures old data is purged to enforce data retention policies. This flag defaults to 'merge'.
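
      The comparison step and the effect of --path and --strategy described above can be worked through on a small topology. This is an added illustration, not cao's implementation: the resource names and settings are constructed, and treating --path as selecting only the resources beneath it is an assumption.

```python
# Added illustration of the restore comparison; not cao's implementation.
# Constructed sample data: resource path -> settings. One path segment is a
# bucket, two a scope, three a collection. Names and settings are made up.
CURRENT = {
    "/travel": {"memoryQuota": "100Mi"},
    "/travel/inventory": {},
    "/travel/inventory/hotel": {"maxTTL": "0s"},
    "/travel/inventory/scratch": {"maxTTL": "0s"},   # created by hand, not saved
    "/audit": {"memoryQuota": "100Mi"},
    "/audit/_default": {},
}
SAVED = {
    "/travel": {"memoryQuota": "100Mi"},
    "/travel/inventory": {},
    "/travel/inventory/hotel": {"maxTTL": "24h"},    # differs from the cluster
    "/travel/inventory/airline": {"maxTTL": "0s"},   # missing from the cluster
}

STRATEGIES = ("merge", "replace")


def normalise_path(path):
    """Accept '/', '/bucket' or '/bucket/scope' and drop any trailing slash."""
    parts = [p for p in path.split("/") if p]
    if not path.startswith("/") or len(parts) > 2:
        raise ValueError("path must be '/', '/bucket' or '/bucket/scope'")
    return "/" + "/".join(parts)


def in_scope(resource, path):
    """True if the resource lies beneath the restore path (assumed semantics)."""
    return path == "/" or resource.startswith(path + "/")


def plan_restore(current, saved, path="/", strategy="merge"):
    """Classify every in-scope resource as added, updated, deleted or retained."""
    if strategy not in STRATEGIES:
        raise ValueError("strategy must be 'merge' or 'replace'")
    path = normalise_path(path)
    cur = {k: v for k, v in current.items() if in_scope(k, path)}
    sav = {k: v for k, v in saved.items() if in_scope(k, path)}

    only_current = sorted(cur.keys() - sav.keys())
    return {
        "added": sorted(sav.keys() - cur.keys()),
        "updated": sorted(k for k in sav.keys() & cur.keys() if sav[k] != cur[k]),
        # 'replace' purges what the save does not contain; 'merge' keeps it.
        "deleted": only_current if strategy == "replace" else [],
        "retained": only_current if strategy == "merge" else [],
    }


def is_destructive(plan):
    """A plan that deletes anything deserves a careful look at the prompt."""
    return bool(plan["deleted"])


if __name__ == "__main__":
    for strategy in STRATEGIES:
        for path in ("/", "/travel/inventory"):
            plan = plan_restore(CURRENT, SAVED, path, strategy)
            print(strategy, path, plan, "destructive:", is_destructive(plan))
```

      With the default 'merge' nothing is deleted at any path; with 'replace' at '/' the hand-made collection and the whole 'audit' bucket fall into the deleted set, which is the outcome the confirmation prompt exists to catch.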

      Inherited Flags

      --as

      Type: string

      Username to impersonate for the operation. User could be a regular user or a service account in a namespace.

      --as-group

      Type: stringArray

      Default: []

      Group to impersonate for the operation, this flag can be repeated to specify multiple groups.

      --as-uid

      Type: string

      UID to impersonate for the operation.

      --cache-dir

      Type: string

      Default: $HOME/.kube/cache

      Default cache directory

      --certificate-authority

      Type: string

      Path to a cert file for the certificate authority

      --client-certificate

      Type: string

      Path to a client certificate file for TLS

      --client-key

      Type: string

      Path to a client key file for TLS

      --cluster

      Type: string

      The name of the kubeconfig cluster to use

      --context

      Type: string

      The name of the kubeconfig context to use

      --insecure-skip-tls-verify

      Type: bool

      Default: false

      If true, the server’s certificate will not be checked for validity. This will make your HTTPS connections insecure

      --kubeconfig

      Type: string

      Path to the kubeconfig file to use for CLI requests.

      --namespace, -n

      Type: string

      If present, the namespace scope for this CLI request

      --request-timeout

      Type: string

      Default: 0

      The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don’t timeout requests.

      --server, -s

      Type: string

      The address and port of the Kubernetes API server

      --tls-server-name

      Type: string

      Server name to use for server certificate validation. If it is not provided, the hostname used to contact the server is used

      --token

      Type: string

      Bearer token for authentication to the API server

      --user

      Type: string

      The name of the kubeconfig user to use

      cao save [flags]

      Save a cluster’s data topology

      In a development environment it may be desirable to manually manage the data topology in a rapid and agile fashion, rather than use the native Kubernetes resource types we provide. For example you may wish to create buckets, scopes and collections using the UI, or an SDK, without having the overhead of change control, review and auditing of changes that using native resources would provide.

      This command allows a specific cluster to be probed and all data topology resources saved, direct from the Couchbase cluster. Saved data topology represents data as Kubernetes native resource types and can later be used to restore data topology, allow it to be managed by the Operator, or even replicated to a completely new cluster.

      Save and restore of resources will modify Kubernetes resources, and therefore should never be used with any other form of lifecycle management tool (e.g. Helm or Red Hat OLM) as these may revert changes and lead to catastrophic data loss.

      Examples

      # Save the full data topology on the only cluster in a namespace
      cao save --filename save.yaml
      
      # Save the full data topology for a specific cluster
      cao save --couchbase-cluster cluster-name --filename save.yaml
      
      # Save all scopes and collections in a bucket
      cao save --path /bucket --filename save.yaml
      
      # Save all collections in a scope
      cao save --path /bucket/scope --filename save.yaml

      Flags

      --couchbase-cluster

      Type: string

      Cluster to save from (CouchbaseCluster resource name)

      --filename, -f

      Type: string

      Filename to write the save data to. This flag is required.

      --path

      Type: string

      Default: /

      Path to save data from. Default will save all buckets, scopes and collections. '/bucket' will save all scopes and collections in Couchbase bucket 'bucket'. '/bucket/scope' will save all collections in Couchbase bucket 'bucket' and Couchbase scope 'scope'.

      Inherited Flags

      --as

      Type: string

      Username to impersonate for the operation. User could be a regular user or a service account in a namespace.

      --as-group

      Type: stringArray

      Default: []

      Group to impersonate for the operation, this flag can be repeated to specify multiple groups.

      --as-uid

      Type: string

      UID to impersonate for the operation.

      --cache-dir

      Type: string

      Default: $HOME/.kube/cache

      Default cache directory

      --certificate-authority

      Type: string

      Path to a cert file for the certificate authority

      --client-certificate

      Type: string

      Path to a client certificate file for TLS

      --client-key

      Type: string

      Path to a client key file for TLS

      --cluster

      Type: string

      The name of the kubeconfig cluster to use

      --context

      Type: string

      The name of the kubeconfig context to use

      --insecure-skip-tls-verify

      Type: bool

      Default: false

      If true, the server’s certificate will not be checked for validity. This will make your HTTPS connections insecure

      --kubeconfig

      Type: string

      Path to the kubeconfig file to use for CLI requests.

      --namespace, -n

      Type: string

      If present, the namespace scope for this CLI request

      --request-timeout

      Type: string

      Default: 0

      The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don’t timeout requests.

      --server, -s

      Type: string

      The address and port of the Kubernetes API server

      --tls-server-name

      Type: string

      Server name to use for server certificate validation. If it is not provided, the hostname used to contact the server is used

      --token

      Type: string

      Bearer token for authentication to the API server

      --user

      Type: string

      The name of the kubeconfig user to use

      cao version

      Prints the command version

      Inherited Flags

      --as

      Type: string

      Username to impersonate for the operation. User could be a regular user or a service account in a namespace.

      --as-group

      Type: stringArray

      Default: []

      Group to impersonate for the operation, this flag can be repeated to specify multiple groups.

      --as-uid

      Type: string

      UID to impersonate for the operation.

      --cache-dir

      Type: string

      Default: $HOME/.kube/cache

      Default cache directory

      --certificate-authority

      Type: string

      Path to a cert file for the certificate authority

      --client-certificate

      Type: string

      Path to a client certificate file for TLS

      --client-key

      Type: string

      Path to a client key file for TLS

      --cluster

      Type: string

      The name of the kubeconfig cluster to use

      --context

      Type: string

      The name of the kubeconfig context to use

      --insecure-skip-tls-verify

      Type: bool

      Default: false

      If true, the server’s certificate will not be checked for validity. This will make your HTTPS connections insecure

      --kubeconfig

      Type: string

      Path to the kubeconfig file to use for CLI requests.

      --namespace, -n

      Type: string

      If present, the namespace scope for this CLI request

      --request-timeout

      Type: string

      Default: 0

      The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don’t timeout requests.

      --server, -s

      Type: string

      The address and port of the Kubernetes API server

      --tls-server-name

      Type: string

      Server name to use for server certificate validation. If it is not provided, the hostname used to contact the server is used

      --token

      Type: string

      Bearer token for authentication to the API server

      --user

      Type: string

      The name of the kubeconfig user to use