Couchbase Helm Chart Specification
The official Couchbase Helm Chart for the Autonomous Operator comes with a default configuration that can be customized to fit your deployment needs.
This page describes the parameters of the official Couchbase Helm Chart. In particular, this page describes the contents of the chart’s values.yaml, which contains the chart’s default values. Each of the deployed resources is listed and described, along with any user definable parameters.
For instructions on how to install and use the chart, including how to override and customize the chart’s values, refer to Helm Deployment.
The official Couchbase Helm Chart may only be used with Enterprise Edition products, such as Couchbase Server Enterprise Edition and Sync Gateway Enterprise Edition. |
Key | Type | Default | Description |
---|---|---|---|
admissionCA.cert |
string |
|
A base64 encoded PEM format certificate |
admissionCA.expiration |
int |
|
Expiry time of CA in days for generated certs |
admissionCA.key |
string |
|
A base64 encoded PEM format private key |
admissionController.commandArgs |
object |
|
Set of command-line flags to pass on to the Admission Controller to modify its behavior. Do not change. |
admissionController.disableValidatingWebhook |
bool |
|
Disable the creation of Validation webhook. Setting to 'false' may be helpful when installing into a restricted environments (ie Strict mTLS), since disabling avoids performing resource fetching and validation from the Kubernetes API server. |
admissionController.image |
object |
|
Image specifies repository and tag of the Couchbase Admission container. |
admissionController.imagePullPolicy |
string |
|
The policy for pulling images from the repository onto hosts. The imagePullPolicy value defaults to IfNotPresent, which means that images are only pulled if they’re not present on the Kubernetes node. Values allowed are Always, IfNotPresent, and Never. |
admissionController.imagePullSecrets |
list |
|
ImagePullSecrets is an optional list of references to secrets to use for pulling images |
admissionController.name |
string |
|
|
admissionController.nodeSelector |
object |
|
Specify a node selection constraint for couchbase-admission-controller pod assignment. Ref: https://kubernetes.io/docs/user-guide/node-selection/ |
admissionController.resources |
object |
|
Resource Limits and requests for Pod CPU and Memory |
admissionController.runAsNonRoot |
bool |
|
Specify whether to run as a non-root user. Running as non-root ensures least privilege. |
admissionController.scope |
string |
|
RBAC Scope of the Admission Controller. Must be either 'Role' or 'ClusterRole'. When scope is 'ClusterRole' the admission controller is able to validate resources in all namespaces. 'Role' scope limits validation to a single a namespace. |
admissionController.tolerations |
list |
|
Tolerations are applied to pods, and allow (but do not require) the pods to schedule onto nodes with matching taints. |
admissionController.verboseLogging |
bool |
|
Determines whether the admission controller should log all of its validation notices within the console. When set to false, only validation errors are logged within the pod’s console. |
admissionSecret.cert |
string |
|
PEM format certificate (auto-generated) override via --set-file |
admissionSecret.key |
string |
|
PEM format certificate (auto-generated) override via --set-file |
admissionSecret.name |
string |
|
Name of the secret (auto-generated) |
admissionService.name |
string |
|
Name of the service (auto-generated) |
admissionService.port |
int |
|
Port service exposes |
admissionService.targetPort |
int |
|
|
backuprestores |
object |
|
|
backups |
object |
|
CouchbaseBackups runs a job which preserves data into backups |
buckets.default.compressionMode |
string |
|
CompressionMode defines how Couchbase server handles document compression. When off, documents are stored in memory, and transferred to the client uncompressed. When passive, documents are stored compressed in memory, and transferred to the client compressed when requested. When active, documents are stored compresses in memory and when transferred to the client. This field must be "off", "passive" or "active", defaulting to "passive". Be aware "off" in YAML 1.2 is a boolean, so must be quoted as a string in configuration files. |
buckets.default.conflictResolution |
string |
|
ConflictResolution defines how XDCR handles concurrent write conflicts. Sequence number based resolution selects the document with the highest sequence number as the most recent. Timestamp based resolution selects the document that was written to most recently as the most recent. This field must be "seqno" (sequence based), or "lww" (timestamp based), defaulting to "seqno". |
buckets.default.enableFlush |
bool |
|
EnableFlush defines whether a client can delete all documents in a bucket. This field defaults to false. |
buckets.default.enableIndexReplica |
bool |
|
EnableIndexReplica defines whether indexes for this bucket are replicated. This field defaults to false. |
buckets.default.evictionPolicy |
string |
|
EvictionPolicy controls how Couchbase handles memory exhaustion. Value only eviction flushes documents to disk but maintains document metadata in memory in order to improve query performance. Full eviction removes all data from memory after the document is flushed to disk. This field must be "valueOnly" or "fullEviction", defaulting to "valueOnly". |
buckets.default.ioPriority |
string |
|
IOPriority controls how many threads a bucket has, per pod, to process reads and writes. This field must be "low" or "high", defaulting to "low". Modification of this field will cause a temporary service disruption as threads are restarted. |
buckets.default.kind |
string |
|
The type of the bucket to create by default. Removed from CRD as only used by Helm. |
buckets.default.maxTTL |
string |
|
MaxTTL defines how long a document is permitted to exist for, without modification, until it is automatically deleted. This is a default and maximum time-to-live and may be set to a lower value by the client. If the client specifies a higher value, then it is truncated to the maximum durability. Documents are removed by Couchbase, after they have expired, when either accessed, the expiry pager is run, or the bucket is compacted. When set to 0, then documents are not expired by default. This field must be a duration in the range 0-2147483648s, defaulting to 0. More info: https://golang.org/pkg/time/#ParseDuration |
buckets.default.memoryQuota |
string |
|
MemoryQuota is a memory limit to the size of a bucket. When this limit is exceeded, documents will be evicted from memory to disk as defined by the eviction policy. The memory quota is defined per Couchbase pod running the data service. This field defaults to, and must be greater than or equal to 100Mi. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#resource-units-in-kubernetes |
buckets.default.minimumDurability |
string |
|
MiniumumDurability defines how durable a document write is by default, and can be made more durable by the client. This feature enables ACID transactions. When none, Couchbase server will respond when the document is in memory, it will become eventually consistent across the cluster. When majority, Couchbase server will respond when the document is replicated to at least half of the pods running the data service in the cluster. When majorityAndPersistActive, Couchbase server will respond when the document is replicated to at least half of the pods running the data service in the cluster and the document has been persisted to disk on the document master pod. When persistToMajority, Couchbase server will respond when the document is replicated and persisted to disk on at least half of the pods running the data service in the cluster. This field must be either "none", "majority", "majorityAndPersistActive" or "persistToMajority", defaulting to "none". |
buckets.default.name |
string |
|
Name is the name of the bucket within Couchbase server. By default the Operator will use the |
buckets.default.replicas |
int |
|
Replicas defines how many copies of documents Couchbase server maintains. This directly affects how fault tolerant a Couchbase cluster is. With a single replica, the cluster can tolerate one data pod going down and still service requests without data loss. The number of replicas also affect memory use. With a single replica, the effective memory quota for documents is halved, with two replicas it is one third. The number of replicas must be between 0 and 3, defaulting to 1. |
buckets.default.scopes |
object |
|
Scopes defines whether the Operator manages scopes for the bucket or not, and the set of scopes defined for the bucket. |
buckets.default.scopes.managed |
bool |
|
Managed defines whether scopes are managed for this bucket. This field is |
buckets.default.scopes.resources |
list |
|
Resources is an explicit list of named resources that will be considered for inclusion in this bucket. If a resource reference doesn’t match a resource, then no error conditions are raised due to undefined resource creation ordering and eventual consistency. |
buckets.default.scopes.selector |
object |
|
Selector allows resources to be implicitly considered for inclusion in this bucket. More info: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.21/#labelselector-v1-meta |
buckets.default.scopes.selector.matchExpressions |
object |
|
matchExpressions is a list of label selector requirements. The requirements are ANDed. |
buckets.default.scopes.selector.matchLabels |
string |
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. |
cluster.antiAffinity |
bool |
|
AntiAffinity forces the Operator to schedule different Couchbase server pods on different Kubernetes nodes. Anti-affinity reduces the likelihood of unrecoverable failure in the event of a node issue. Use of anti-affinity is highly recommended for production clusters. |
cluster.autoResourceAllocation |
object |
|
AutoResourceAllocation populates pod resource requests based on the services running on that pod. When enabled, this feature will calculate the memory request as the total of service allocations defined in |
cluster.autoResourceAllocation.cpuLimits |
string |
|
CPULimits automatically populates the CPU limits across all Couchbase server pods. This field defaults to "4" CPUs. Explicitly specifying the CPU limit for a particular server class will override this value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#resource-units-in-kubernetes |
cluster.autoResourceAllocation.cpuRequests |
string |
|
CPURequests automatically populates the CPU requests across all Couchbase server pods. The default value of "2", is the minimum recommended number of CPUs required to run Couchbase Server. Explicitly specifying the CPU request for a particular server class will override this value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#resource-units-in-kubernetes |
cluster.autoResourceAllocation.enabled |
bool |
|
Enabled defines whether auto-resource allocation is enabled. |
cluster.autoResourceAllocation.overheadPercent |
int |
|
OverheadPercent defines the amount of memory above that required for individual services on a pod. For Couchbase Server this should be approximately 25%. |
cluster.autoscaleStabilizationPeriod |
string |
|
AutoscaleStabilizationPeriod defines how long after a rebalance the corresponding HorizontalPodAutoscaler should remain in maintenance mode. During maintenance mode all autoscaling is disabled since every HorizontalPodAutoscaler associated with the cluster becomes inactive. Since certain metrics can be unpredictable when Couchbase is rebalancing or upgrading, setting a stabilization period helps to prevent scaling recommendations from the HorizontalPodAutoscaler for a provided period of time. Values must be a valid Kubernetes duration of 0s or higher: https://golang.org/pkg/time/#ParseDuration A value of 0, puts the cluster in maintenance mode during rebalance but immediately exits this mode once the rebalance has completed. When undefined, the HPA is never put into maintenance mode during rebalance. |
cluster.backup |
object |
|
Backup defines whether the Operator should manage automated backups, and how to lookup backup resources. Refer to the documentation for supported values https://docs.couchbase.com/operator/current/howto-backup.html#enable-automated-backup |
cluster.backup.image |
string |
|
The Backup Image to run on backup pods. |
cluster.backup.imagePullSecrets |
object |
|
ImagePullSecrets allow you to use an image from private repositories and non-dockerhub ones. |
cluster.backup.imagePullSecrets.name |
string |
|
Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid? |
cluster.backup.managed |
bool |
|
Managed defines whether backups are managed by us or the clients. |
cluster.backup.nodeSelector |
string |
|
NodeSelector defines which nodes to constrain the pods that run any backup and restore operations to. |
cluster.backup.objectEndpoint |
object |
|
ObjectEndpoint contains the configuration for connecting to a custom S3 compliant object store. |
cluster.backup.objectEndpoint.secret |
string |
|
The name of the secret, in this namespace, that contains the CA certificate for verification of a TLS endpoint (when required, e.g. not signed by a public CA). The secret must have the key with the name "tls.crt" |
cluster.backup.objectEndpoint.url |
string |
|
The host/address of the custom object endpoint. |
cluster.backup.objectEndpoint.useVirtualPath |
bool |
|
UseVirtualPath will force the AWS SDK to use the new virtual style paths. by default alternative path style URLs which are often required by S3 compatible object stores. |
cluster.backup.resources |
object |
|
Resources is the resource requirements for the backup and restore containers. Will be populated by defaults if not specified. |
cluster.backup.resources.limits |
string |
|
Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ |
cluster.backup.resources.requests |
string |
|
Requests describes the minimum amount of compute resources required. If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ |
cluster.backup.s3Secret |
string |
|
S3Secret contains the region and credentials for operating backups in S3. This field must be popluated when the |
cluster.backup.selector |
object |
|
Selector allows CouchbaseBackup and CouchbaseBackupRestore resources to be filtered based on labels. |
cluster.backup.selector.matchExpressions |
object |
|
matchExpressions is a list of label selector requirements. The requirements are ANDed. |
cluster.backup.selector.matchLabels |
string |
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. |
cluster.backup.serviceAccountName |
string |
|
The Service Account to run backup (and restore) pods under. Without this backup pods will not be able to update status. |
cluster.backup.tolerations |
object |
|
Tolerations specifies all backup and restore pod tolerations. |
cluster.backup.tolerations.effect |
string |
|
Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. |
cluster.backup.tolerations.key |
string |
|
Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys. |
cluster.backup.tolerations.operator |
string |
|
Operator represents a key’s relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category. |
cluster.backup.tolerations.tolerationSeconds |
string |
|
TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system. |
cluster.backup.tolerations.value |
string |
|
Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string. |
cluster.backup.useIAMRole |
bool |
|
UseIAMRole enables backup to fetch EC2 instance metadata. This allows the AWS SDK to use the EC2’s IAM Role for S3 access. UseIAMRole will ignore credentials in s3Secret. |
cluster.buckets |
object |
|
Buckets defines whether the Operator should manage buckets, and how to lookup bucket resources. |
cluster.buckets.managed |
bool |
|
Managed defines whether buckets are managed by the Operator (true), or user managed (false). When Operator managed, all buckets must be defined with either CouchbaseBucket, CouchbaseEphemeralBucket or CouchbaseMemcachedBucket resources. Manual addition of buckets will be reverted by the Operator. When user managed, the Operator will not interrogate buckets at all. This field defaults to false. |
cluster.buckets.selector |
object |
|
Selector is a label selector used to list buckets in the namespace that are managed by the Operator. |
cluster.buckets.selector.matchExpressions |
object |
|
matchExpressions is a list of label selector requirements. The requirements are ANDed. |
cluster.buckets.selector.matchLabels |
string |
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. |
cluster.buckets.synchronize |
bool |
|
Synchronize allows unmanaged buckets, scopes, and collections to be synchronized as Kubernetes resources by the Operator. This feature is intended for development only and should not be used for production workloads. The synchronization workflow starts with |
cluster.cluster |
object |
|
ClusterSettings define Couchbase cluster-wide settings such as memory allocation, failover characteristics and index settings. |
cluster.cluster.analyticsServiceMemoryQuota |
string |
|
AnalyticsServiceMemQuota is the amount of memory that should be allocated to the analytics service. This value is per-pod, and only applicable to pods belonging to server classes running the analytics service. This field must be a quantity greater than or equal to 1Gi. This field defaults to 1Gi. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#resource-units-in-kubernetes |
cluster.cluster.autoCompaction |
object |
|
AutoCompaction allows the configuration of auto-compaction, including on what conditions disk space is reclaimed and when it is allowed to run. |
cluster.cluster.autoCompaction.databaseFragmentationThreshold |
object |
|
DatabaseFragmentationThreshold defines triggers for when database compaction should start. |
cluster.cluster.autoCompaction.parallelCompaction |
bool |
|
ParallelCompaction controls whether database and view compactions can happen in parallel. |
cluster.cluster.autoCompaction.timeWindow |
object |
|
TimeWindow allows restriction of when compaction can occur. |
cluster.cluster.autoCompaction.tombstonePurgeInterval |
string |
|
TombstonePurgeInterval controls how long to wait before purging tombstones. This field must be in the range 1h-1440h, defaulting to 72h. More info: https://golang.org/pkg/time/#ParseDuration |
cluster.cluster.autoCompaction.viewFragmentationThreshold |
object |
|
ViewFragmentationThreshold defines triggers for when view compaction should start. |
cluster.cluster.autoFailoverMaxCount |
int |
|
AutoFailoverMaxCount is the maximum number of automatic failovers Couchbase server will allow before not allowing any more. This field must be between 1-3, default 3. |
cluster.cluster.autoFailoverOnDataDiskIssues |
bool |
|
AutoFailoverOnDataDiskIssues defines whether Couchbase server should failover a pod if a disk issue was detected. |
cluster.cluster.autoFailoverOnDataDiskIssuesTimePeriod |
string |
|
AutoFailoverOnDataDiskIssuesTimePeriod defines how long to wait for transient errors before failing over a faulty disk. This field must be in the range 5-3600s, defaulting to 120s. More info: https://golang.org/pkg/time/#ParseDuration |
cluster.cluster.autoFailoverServerGroup |
bool |
|
AutoFailoverServerGroup whether to enable failing over a server group. |
cluster.cluster.autoFailoverTimeout |
string |
|
AutoFailoverTimeout defines how long Couchbase server will wait between a pod being witnessed as down, until when it will failover the pod. Couchbase server will only failover pods if it deems it safe to do so, and not result in data loss. This field must be in the range 5-3600s, defaulting to 120s. More info: https://golang.org/pkg/time/#ParseDuration |
cluster.cluster.clusterName |
string |
|
ClusterName defines the name of the cluster, as displayed in the Couchbase UI. By default, the cluster name is that specified in the CouchbaseCluster resource’s metadata. |
cluster.cluster.data |
object |
|
Data allows the data service to be configured. |
cluster.cluster.data.readerThreads |
string |
|
ReaderThreads allows the number of threads used by the data service, per pod, to be altered. This value must be between 4 and 64 threads, and should only be increased where there are sufficient CPU resources allocated for their use. If not specified, this defaults to the default value set by Couchbase Server. |
cluster.cluster.data.writerThreads |
string |
|
ReaderThreads allows the number of threads used by the data service, per pod, to be altered. This setting is especially relevant when using "durable writes", increasing this field will have a large impact on performance. This value must be between 4 and 64 threads, and should only be increased where there are sufficient CPU resources allocated for their use. If not specified, this defaults to the default value set by Couchbase Server. |
cluster.cluster.dataServiceMemoryQuota |
string |
|
DataServiceMemQuota is the amount of memory that should be allocated to the data service. This value is per-pod, and only applicable to pods belonging to server classes running the data service. This field must be a quantity greater than or equal to 256Mi. This field defaults to 256Mi. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#resource-units-in-kubernetes |
cluster.cluster.eventingServiceMemoryQuota |
string |
|
EventingServiceMemQuota is the amount of memory that should be allocated to the eventing service. This value is per-pod, and only applicable to pods belonging to server classes running the eventing service. This field must be a quantity greater than or equal to 256Mi. This field defaults to 256Mi. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#resource-units-in-kubernetes |
cluster.cluster.indexServiceMemoryQuota |
string |
|
IndexServiceMemQuota is the amount of memory that should be allocated to the index service. This value is per-pod, and only applicable to pods belonging to server classes running the index service. This field must be a quantity greater than or equal to 256Mi. This field defaults to 256Mi. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#resource-units-in-kubernetes |
cluster.cluster.indexStorageSetting |
string |
|
DEPRECATED - by indexer. The index storage mode to use for secondary indexing. This field must be one of "memory_optimized" or "plasma", defaulting to "memory_optimized". This field is immutable and cannot be changed unless there are no server classes running the index service in the cluster. |
cluster.cluster.indexer |
object |
|
Indexer allows the indexer to be configured. |
cluster.cluster.indexer.logLevel |
string |
|
LogLevel controls the verbosity of indexer logs. This field must be one of "silent", "fatal", "error", "warn", "info", "verbose", "timing", "debug" or "trace", defaulting to "info". |
cluster.cluster.indexer.maxRollbackPoints |
int |
|
MaxRollbackPoints controls the number of checkpoints that can be rolled back to. The default is 2, with a minimum of 1. |
cluster.cluster.indexer.memorySnapshotInterval |
string |
|
MemorySnapshotInterval controls when memory indexes should be snapshotted. This defaults to 200ms, and must be greater than or equal to 1ms. |
cluster.cluster.indexer.stableSnapshotInterval |
string |
|
StableSnapshotInterval controls when disk indexes should be snapshotted. This defaults to 5s, and must be greater than or equal to 1ms. |
cluster.cluster.indexer.storageMode |
string |
|
StorageMode controls the underlying storage engine for indexes. Once set it can only be modified if there are no nodes in the cluster running the index service. The field must be one of "memory_optimized" or "plasma", defaulting to "memory_optimized". |
cluster.cluster.indexer.threads |
string |
|
Threads controls the number of processor threads to use for indexing. A value of 0 means 1 per CPU. This attribute must be greater than or equal to 0, defaulting to 0. |
cluster.cluster.indexer.numReplica |
int |
|
NumberOfReplica specifies number of secondary index replicas to be created by the Index Service whenever CREATE INDEX is invoked. The default is 0, with a minimum of 0. |
cluster.cluster.indexer.redistributeIndexes |
bool |
|
RedistributeIndexes when true, Couchbase Server redistributes indexes when rebalance occurs, in order to optimize performance. If false (the default), such redistribution does not occur. |
cluster.cluster.query |
object |
|
Query allows the query service to be configured. |
cluster.cluster.query.backfillEnabled |
bool |
|
BackfillEnabled allows the query service to backfill. |
cluster.cluster.query.temporarySpace |
string |
|
TemporarySpace allows the temporary storage used by the query service backfill, per-pod, to be modified. This field requires |
cluster.cluster.query.temporarySpaceUnlimited |
bool |
|
TemporarySpaceUnlimited allows the temporary storage used by the query service backfill, per-pod, to be unconstrained. This field requires |
cluster.cluster.queryServiceMemoryQuota |
string |
|
QueryServiceMemQuota is a dummy field. By default, Couchbase server provides no memory resource constraints for the query service, so this has no effect on Couchbase server. It is, however, used when the spec.autoResourceAllocation feature is enabled, and is used to define the amount of memory reserved by the query service for use with Kubernetes resource scheduling. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#resource-units-in-kubernetes |
cluster.cluster.searchServiceMemoryQuota |
string |
|
SearchServiceMemQuota is the amount of memory that should be allocated to the search service. This value is per-pod, and only applicable to pods belonging to server classes running the search service. This field must be a quantity greater than or equal to 256Mi. This field defaults to 256Mi. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#resource-units-in-kubernetes |
cluster.enableOnlineVolumeExpansion |
bool |
|
EnableOnlineVolumeExpansion enables online expansion of Persistent Volumes. You can only expand a PVC if its storage class’s "allowVolumeExpansion" field is set to true. Additionally, Kubernetes feature "ExpandInUsePersistentVolumes" must be enabled in order to expand the volumes which are actively bound to Pods. Volumes can only be expanded and not reduced to a smaller size. See: https://kubernetes.io/docs/concepts/storage/persistent-volumes/#resizing-an- in-use-persistentvolumeclaim If "EnableOnlineVolumeExpansion" is enabled for use within an environment that does not actually support online volume and file system expansion then the cluster will fallback to rolling upgrade procedure to create a new set of Pods for use with resized Volumes. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes/#expanding-persistent-volumes-claims |
cluster.enablePreviewScaling |
bool |
|
DEPRECATED - This option only exists for backwards compatibility and no longer restricts autoscaling to ephemeral services. EnablePreviewScaling enables autoscaling for stateful services and buckets. |
cluster.hibernate |
bool |
|
Hibernate is whether to hibernate the cluster. |
cluster.hibernationStrategy |
string |
|
HibernationStrategy defines how to hibernate the cluster. When Immediate the Operator will immediately delete all pods and take no further action until the hibernate field is set to false. |
cluster.image |
string |
|
Image is the container image name that will be used to launch Couchbase server instances. Updating this field will cause an automatic upgrade of the cluster. |
cluster.logging |
object |
|
Logging defines Operator logging options. |
cluster.logging.audit |
object |
|
Used to manage the audit configuration directly |
cluster.logging.audit.disabledEvents |
string |
|
The list of event ids to disable for auditing purposes. This is passed to the REST API with no verification by the operator. Refer to the documentation for details: https://docs.couchbase.com/server/current/audit-event-reference/audit-event-reference.html |
cluster.logging.audit.disabledUsers |
string |
|
The list of users to ignore for auditing purposes. This is passed to the REST API with minimal validation it meets an acceptable regex pattern. Refer to the documentation for full details on how to configure this: https://docs.couchbase.com/server/current/manage/manage-security/manage-auditing.html#ignoring-events-by-user |
cluster.logging.audit.enabled |
bool |
|
Enabled is a boolean that enables the audit capabilities. |
cluster.logging.audit.garbageCollection |
object |
|
Handle all optional garbage collection (GC) configuration for the audit functionality. This is not part of the audit REST API, it is intended to handle GC automatically for the audit logs. By default the Couchbase Server rotates the audit logs but does not clean up the rotated logs. This is left as an operation for the cluster administrator to manage, the operator allows for us to automate this: https://docs.couchbase.com/server/current/manage/manage-security/manage-auditing.html |
cluster.logging.audit.rotation |
object |
|
The interval to optionally rotate the audit log. This is passed to the REST API, see here for details: https://docs.couchbase.com/server/current/manage/manage-security/manage-auditing.html |
cluster.logging.logRetentionCount |
string |
|
LogRetentionCount gives the number of persistent log PVCs to keep. |
cluster.logging.logRetentionTime |
string |
|
LogRetentionTime gives the time to keep persistent log PVCs alive for. |
cluster.logging.server |
object |
|
Specification of all logging configuration required to manage the sidecar containers in each pod. |
cluster.logging.server.configurationName |
string |
|
ConfigurationName is the name of the Secret to use holding the logging configuration in the namespace. A Secret is used to ensure we can safely store credentials but this can be populated from plaintext if acceptable too. If it does not exist then one will be created with defaults in the namespace so it can be easily updated whilst running. Note that if running multiple clusters in the same kubernetes namespace then you should use a separate Secret for each, otherwise the first cluster will take ownership (if created) and the Secret will be cleaned up when that cluster is removed. If running clusters in separate namespaces then they will be separate Secrets anyway. |
cluster.logging.server.enabled |
bool |
|
Enabled is a boolean that enables the logging sidecar container. |
cluster.logging.server.manageConfiguration |
bool |
|
A boolean which indicates whether the operator should manage the configuration or not. If omitted then this defaults to true which means the operator will attempt to reconcile it to default values. To use a custom configuration make sure to set this to false. Note that the ownership of any Secret is not changed so if a Secret is created externally it can be updated by the operator but it’s ownership stays the same so it will be cleaned up when it’s owner is. |
cluster.logging.server.sidecar |
object |
|
Any specific logging sidecar container configuration. |
cluster.monitoring |
object |
|
Monitoring defines any Operator managed integration into 3rd party monitoring infrastructure. |
cluster.name |
string |
|
Name of the cluster, defaults to name of chart release |
cluster.networking |
object |
|
Networking defines Couchbase cluster networking options such as network topology, TLS and DDNS settings. |
cluster.networking.addressFamily |
string |
|
AddressFamily allows the manual selection of the address family to use. When this field is not set, Couchbase server will default to using IPv4 for internal communication and also support IPv6 on dual stack systems. Setting this field to either IPv4 or IPv6 will force Couchbase to use the selected protocol for internal communication, and also disable all other protocols to provide added security and simplicty when defining firewall rules. Disabling of address families is only supported in Couchbase Server 7.0.2+. |
cluster.networking.adminConsoleServiceTemplate |
object |
|
AdminConsoleServiceTemplate provides a template used by the Operator to create and manage the admin console service. This allows services to be annotated, the service type defined and any other options that Kubernetes provides. When using a LoadBalancer service type, TLS and dynamic DNS must also be enabled. The Operator reserves the right to modify or replace any field. More info: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.21/#service-v1-core |
cluster.networking.adminConsoleServiceTemplate.metadata |
object |
|
Standard objects metadata. This is a curated version for use with Couchbase resource templates. |
cluster.networking.adminConsoleServiceTemplate.spec |
object |
|
ServiceSpec describes the attributes that a user creates on a service. |
cluster.networking.adminConsoleServices |
list |
|
DEPRECATED - not required by Couchbase Server 6.5.0 onward. AdminConsoleServices is a selector to choose specific services to expose via the admin console. This field may contain any of "data", "index", "query", "search", "eventing" and "analytics". Each service may only be included once. |
cluster.networking.disableUIOverHTTP |
bool |
|
DisableUIOverHTTP is used to explicitly enable and disable UI access over the HTTP protocol. If not specified, this field defaults to false. |
cluster.networking.disableUIOverHTTPS |
bool |
|
DisableUIOverHTTPS is used to explicitly enable and disable UI access over the HTTPS protocol. If not specified, this field defaults to false. |
cluster.networking.dns |
object |
|
DNS defines information required for Dynamic DNS support. |
cluster.networking.dns.domain |
string |
|
Domain is the domain to create pods in. When populated the Operator will annotate the admin console and per-pod services with the key "external-dns.alpha.kubernetes.io/hostname". These annotations can be used directly by a Kubernetes External-DNS controller to replicate load balancer service IP addresses into a public DNS server. |
cluster.networking.exposeAdminConsole |
bool |
|
ExposeAdminConsole creates a service referencing the admin console. The service is configured by the adminConsoleServiceTemplate field. |
cluster.networking.exposedFeatureServiceTemplate |
object |
|
ExposedFeatureServiceTemplate provides a template used by the Operator to create and manage per-pod services. This allows services to be annotated, the service type defined and any other options that Kubernetes provides. When using a LoadBalancer service type, TLS and dynamic DNS must also be enabled. The Operator reserves the right to modify or replace any field. More info: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.21/#service-v1-core |
cluster.networking.exposedFeatureServiceTemplate.metadata |
object |
|
Standard objects metadata. This is a curated version for use with Couchbase resource templates. |
cluster.networking.exposedFeatureServiceTemplate.spec |
object |
|
ServiceSpec describes the attributes that a user creates on a service. |
cluster.networking.exposedFeatureTrafficPolicy |
string |
|
DEPRECATED - by exposedFeatureServiceTemplate. ExposedFeatureTrafficPolicy defines how packets should be routed from a load balancer service to a Couchbase pod. When local, traffic is routed directly to the pod. When cluster, traffic is routed to any node, then forwarded on. While cluster routing may be slower, there are some situations where it is required for connectivity. This field must be either "Cluster" or "Local", defaulting to "Local", |
cluster.networking.exposedFeatures |
list |
|
ExposedFeatures is a list of Couchbase features to expose when using a networking model that exposes the Couchbase cluster externally to Kubernetes. This field also triggers the creation of per-pod services used by clients to connect to the Couchbase cluster. When admin, only the administrator port is exposed, allowing remote administration. When xdcr, only the services required for remote replication are exposed. The xdcr feature is only required when the cluster is the destination of an XDCR replication. When client, all services are exposed as required for client SDK operation. This field may contain any of "admin", "xdcr" and "client". Each feature may only be included once. |
cluster.networking.loadBalancerSourceRanges |
string |
|
DEPRECATED - by adminConsoleServiceTemplate and exposedFeatureServiceTemplate. LoadBalancerSourceRanges applies only when an exposed service is of type LoadBalancer and limits the source IP ranges that are allowed to use the service. Items must use IPv4 class-less interdomain routing (CIDR) notation e.g. 10.0.0.0/16. |
cluster.networking.networkPlatform |
string |
|
NetworkPlatform is used to enable support for various networking technologies. This field must be one of "Istio". |
cluster.networking.serviceAnnotations |
string |
|
DEPRECATED - by adminConsoleServiceTemplate and exposedFeatureServiceTemplate. ServiceAnnotations allows services to be annotated with custom labels. Operator annotations are merged on top of these so have precedence as they are required for correct operation. |
cluster.networking.waitForAddressReachable |
string |
|
WaitForAddressReachable is used to set the timeout between when polling of external addresses is started, and when it is deemed a failure. Polling of DNS name availability inherently dangerous due to negative caching, so prefer the use of an initial |
cluster.networking.waitForAddressReachableDelay |
string |
|
WaitForAddressReachableDelay is used to defer operator checks that ensure external addresses are reachable before new nodes are balanced in to the cluster. This prevents negative DNS caching while waiting for external-DDNS controllers to propagate addresses. |
cluster.paused |
bool |
|
Paused is to pause the control of the operator for the Couchbase cluster. This does not pause the cluster itself, instead stopping the operator from taking any action. |
cluster.platform |
string |
|
Platform gives a hint as to what platform we are running on and how to configure services. This field must be one of "aws", "gke" or "azure". |
cluster.recoveryPolicy |
string |
|
RecoveryPolicy controls how aggressive the Operator is when recovering cluster topology. When PrioritizeDataIntegrity, the Operator will delegate failover exclusively to Couchbase server, relying on it to only allow recovery when safe to do so. When PrioritizeUptime, the Operator will wait for a period after the expected auto-failover of the cluster, before forcefully failing-over the pods. This may cause data loss, and is only expected to be used on clusters with ephemeral data, where the loss of the pod means that the data is known to be unrecoverable. This field must be either "PrioritizeDataIntegrity" or "PrioritizeUptime", defaulting to "PrioritizeDataIntegrity". |
cluster.rollingUpgrade |
object |
|
When |
cluster.rollingUpgrade.maxUpgradable |
string |
|
MaxUpgradable allows the number of pods affected by an upgrade at any one time to be increased. By default a rolling upgrade will upgrade one pod at a time. This field allows that limit to be removed. This field must be greater than zero. The smallest of |
cluster.rollingUpgrade.maxUpgradablePercent |
string |
|
MaxUpgradablePercent allows the number of pods affected by an upgrade at any one time to be increased. By default a rolling upgrade will upgrade one pod at a time. This field allows that limit to be removed. This field must be an integer percentage, e.g. "10%", in the range 1% to 100%. Percentages are relative to the total cluster size, and rounded down to the nearest whole number, with a minimum of 1. For example, a 10 pod cluster, and 25% allowed to upgrade, would yield 2.5 pods per iteration, rounded down to 2. The smallest of |
cluster.security |
object |
|
Security defines Couchbase cluster security options such as the administrator account username and password, and user RBAC settings. |
cluster.security.adminSecret |
string |
|
AdminSecret is the name of a Kubernetes secret to use for administrator authentication. The admin secret must contain the keys "username" and "password". The password data must be at least 6 characters in length, and not contain the any of the characters |
cluster.security.password |
string |
|
Cluster administrator pasword, auto-generated when empty |
cluster.security.rbac |
object |
|
Couchbase RBAC Users |
cluster.security.rbac.managed |
bool |
|
Managed defines whether RBAC is managed by us or the clients. |
cluster.security.rbac.selector |
object |
|
Selector is a label selector used to list RBAC resources in the namespace that are managed by the Operator. |
cluster.security.username |
string |
|
Cluster administrator username |
cluster.securityContext |
object |
|
SecurityContext allows the configuration of the security context for all Couchbase server pods. When using persistent volumes you may need to set the fsGroup field in order to write to the volume. For non-root clusters you must also set runAsUser to 1000, corresponding to the Couchbase user in official container images. More info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ |
cluster.securityContext.fsGroup |
int |
|
A special supplemental group that applies to all containers in a pod. Some volume types allow the Kubelet to change the ownership of that volume to be owned by the pod: 1. The owning GID will be the FSGroup 2. The setgid bit is set (new files created in the volume will be owned by FSGroup) 3. The permission bits are OR’d with rw-rw---- If unset, the Kubelet will not modify the ownership and permissions of any volume. Note that this field cannot be set when spec.os.name is windows. |
cluster.securityContext.fsGroupChangePolicy |
string |
|
fsGroupChangePolicy defines behavior of changing ownership and permission of the volume before being exposed inside Pod. This field will only apply to volume types which support fsGroup based ownership(and permissions). It will have no effect on ephemeral volume types such as: secret, configmaps and emptydir. Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used. Note that this field cannot be set when spec.os.name is windows. |
cluster.securityContext.runAsGroup |
string |
|
The GID to run the entrypoint of the container process. Uses runtime default if unset. May also be set in SecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence for that container. Note that this field cannot be set when spec.os.name is windows. |
cluster.securityContext.runAsNonRoot |
bool |
|
Indicates that the container must run as a non-root user. If true, the Kubelet will validate the image at runtime to ensure that it does not run as UID 0 (root) and fail to start the container if it does. If unset or false, no such validation will be performed. May also be set in SecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. |
cluster.securityContext.runAsUser |
int |
|
The UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. May also be set in SecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence for that container. Note that this field cannot be set when spec.os.name is windows. |
cluster.securityContext.seLinuxOptions |
object |
|
The SELinux context to be applied to all containers. If unspecified, the container runtime will allocate a random SELinux context for each container. May also be set in SecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence for that container. Note that this field cannot be set when spec.os.name is windows. |
cluster.securityContext.seLinuxOptions.level |
string |
|
Level is SELinux level label that applies to the container. |
cluster.securityContext.seLinuxOptions.role |
string |
|
Role is a SELinux role label that applies to the container. |
cluster.securityContext.seLinuxOptions.type |
string |
|
Type is a SELinux type label that applies to the container. |
cluster.securityContext.seLinuxOptions.user |
string |
|
User is a SELinux user label that applies to the container. |
cluster.securityContext.seccompProfile |
object |
|
The seccomp options to use by the containers in this pod. Note that this field cannot be set when spec.os.name is windows. |
cluster.securityContext.seccompProfile.localhostProfile |
string |
|
localhostProfile indicates a profile defined in a file on the node should be used. The profile must be preconfigured on the node to work. Must be a descending path, relative to the kubelet’s configured seccomp profile location. Must only be set if type is "Localhost". |
cluster.securityContext.seccompProfile.type |
string |
|
type indicates which kind of seccomp profile will be applied. Valid options are: Localhost - a profile defined in a file on the node should be used. RuntimeDefault - the container runtime default profile should be used. Unconfined - no profile should be applied. |
cluster.securityContext.supplementalGroups |
string |
|
A list of groups applied to the first process run in each container, in addition to the container’s primary GID. If unspecified, no groups will be added to any container. Note that this field cannot be set when spec.os.name is windows. |
cluster.securityContext.sysctls |
list |
|
Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch. Note that this field cannot be set when spec.os.name is windows. |
cluster.securityContext.windowsOptions |
object |
|
The Windows specific settings applied to all containers. If unspecified, the options within a container’s SecurityContext will be used. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. Note that this field cannot be set when spec.os.name is linux. |
cluster.serverGroups |
string |
|
ServerGroups define the set of availability zones you want to distribute pods over, and construct Couchbase server groups for. By default, most cloud providers will label nodes with the key "topology.kubernetes.io/zone", the values associated with that key are used here to provide explicit scheduling by the Operator. You may manually label nodes using the "topology.kubernetes.io/zone" key, to provide failure-domain aware scheduling when none is provided for you. Global server groups are applied to all server classes, and may be overridden on a per-server class basis to give more control over scheduling and server groups. |
cluster.servers |
object |
|
Servers defines server classes for the Operator to provision and manage. A server class defines what services are running and how many members make up that class. Specifying multiple server classes allows the Operator to provision clusters with Multi-Dimensional Scaling (MDS). At least one server class must be defined, and at least one server class must be running the data service. |
cluster.servers.default |
object |
|
Name for the server configuration. It must be unique. |
cluster.servers.default.autoscaleEnabled |
bool |
|
AutoscaledEnabled defines whether the autoscaling feature is enabled for this class. When true, the Operator will create a CouchbaseAutoscaler resource for this server class. The CouchbaseAutoscaler implements the Kubernetes scale API and can be controlled by the Kubernetes horizontal pod autoscaler (HPA). |
cluster.servers.default.env |
list |
|
Env allows the setting of environment variables in the Couchbase server container. |
cluster.servers.default.envFrom |
list |
|
EnvFrom allows the setting of environment variables in the Couchbase server container. |
cluster.servers.default.pod |
object |
|
Pod defines a template used to create pod for each Couchbase server instance. Modifying pod metadata such as labels and annotations will update the pod in-place. Any other modification will result in a cluster upgrade in order to fulfill the request. The Operator reserves the right to modify or replace any field. More info: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.21/#pod-v1-core |
cluster.servers.default.services |
list |
|
Services is the set of Couchbase services to run on this server class. At least one class must contain the data service. The field may contain any of "data", "index", "query", "search", "eventing" or "analytics". Each service may only be specified once. |
cluster.servers.default.size |
int |
|
Size is the expected requested of the server class. This field must be greater than or equal to 1. |
cluster.softwareUpdateNotifications |
bool |
|
SoftwareUpdateNotifications enables software update notifications in the UI. When enabled, the UI will alert when a Couchbase server upgrade is available. |
cluster.upgradeStrategy |
string |
|
UpgradeStrategy controls how aggressive the Operator is when performing a cluster upgrade. When a rolling upgrade is requested, pods are upgraded one at a time. This strategy is slower, however less disruptive. When an immediate upgrade strategy is requested, all pods are upgraded at the same time. This strategy is faster, but more disruptive. This field must be either "RollingUpgrade" or "ImmediateUpgrade", defaulting to "RollingUpgrade". |
cluster.volumeClaimTemplates |
object |
|
VolumeClaimTemplates define the desired characteristics of a volume that can be requested/claimed by a pod, for example the storage class to use and the volume size. Volume claim templates are referred to by name by server class volume mount configuration. |
cluster.volumeClaimTemplates.metadata |
object |
|
Standard objects metadata. This is a curated version for use with Couchbase resource templates. |
cluster.volumeClaimTemplates.metadata.annotations |
string |
|
Annotations is an unstructured key value map stored with a resource that may be set by external tools to store and retrieve arbitrary metadata. They are not queryable and should be preserved when modifying objects. More info: http://kubernetes.io/docs/user-guide/annotations |
cluster.volumeClaimTemplates.metadata.labels |
string |
|
Map of string keys and values that can be used to organize and categorize (scope and select) objects. May match selectors of replication controllers and services. More info: http://kubernetes.io/docs/user-guide/labels |
cluster.volumeClaimTemplates.metadata.name |
string |
|
Name must be unique within a namespace. Is required when creating resources, although some resources may allow a client to request the generation of an appropriate name automatically. Name is primarily intended for creation idempotence and configuration definition. Cannot be updated. More info: http://kubernetes.io/docs/user-guide/identifiers#names |
cluster.volumeClaimTemplates.spec |
object |
|
PersistentVolumeClaimSpec describes the common attributes of storage devices and allows a Source for provider-specific attributes |
cluster.volumeClaimTemplates.spec.accessModes |
string |
|
AccessModes contains the desired access modes the volume should have. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1 |
cluster.volumeClaimTemplates.spec.dataSourceRef |
object |
|
Specifies the object from which to populate the volume with data, if a non-empty volume is desired. This may be any local object from a non- empty API group (non core object) or a PersistentVolumeClaim object. When this field is specified, volume binding will only succeed if the type of the specified object matches some installed volume populator or dynamic provisioner. This field will replace the functionality of the DataSource field and as such if both fields are non-empty, they must have the same value. For backwards compatibility, both fields (DataSource and DataSourceRef) will be set to the same value automatically if one of them is empty and the other is non-empty. There are two important differences between DataSource and DataSourceRef: * While DataSource only allows two specific types of objects, DataSourceRef allows any non-core object, as well as PersistentVolumeClaim objects. * While DataSource ignores disallowed values (dropping them), DataSourceRef preserves all values, and generates an error if a disallowed value is specified. (Alpha) Using this field requires the AnyVolumeDataSource feature gate to be enabled. |
cluster.volumeClaimTemplates.spec.resources |
object |
|
Resources represents the minimum resources the volume should have. If RecoverVolumeExpansionFailure feature is enabled users are allowed to specify resource requirements that are lower than previous value but must still be higher than capacity recorded in the status field of the claim. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources |
cluster.volumeClaimTemplates.spec.selector |
object |
|
A label query over volumes to consider for binding. |
cluster.volumeClaimTemplates.spec.storageClassName |
string |
|
Name of the StorageClass required by the claim. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1 |
cluster.volumeClaimTemplates.spec.volumeMode |
string |
|
volumeMode defines what type of volume is required by the claim. Value of Filesystem is implied when not included in claim spec. |
cluster.volumeClaimTemplates.spec.volumeName |
string |
|
VolumeName is the binding reference to the PersistentVolume backing this claim. |
cluster.xdcr |
object |
|
XDCR defines whether the Operator should manage XDCR, remote clusters and how to lookup replication resources. |
cluster.xdcr.managed |
bool |
|
Managed defines whether XDCR is managed by the operator or not. |
cluster.xdcr.remoteClusters |
object |
|
RemoteClusters is a set of named remote clusters to establish replications to. |
cluster.xdcr.remoteClusters.authenticationSecret |
string |
|
AuthenticationSecret is a secret used to authenticate when establishing a remote connection. It is only required when not using mTLS. The secret must contain a username (secret key "username") and password (secret key "password"). |
cluster.xdcr.remoteClusters.hostname |
string |
|
Hostname is the connection string to use to connect the remote cluster. |
cluster.xdcr.remoteClusters.name |
string |
|
Name of the remote cluster. |
cluster.xdcr.remoteClusters.replications |
object |
|
Replications are replication streams from this cluster to the remote one. This field defines how to look up CouchbaseReplication resources. By default any CouchbaseReplication resources in the namespace will be considered. |
cluster.xdcr.remoteClusters.tls |
object |
|
TLS if specified references a resource containing the necessary certificate data for an encrypted connection. |
cluster.xdcr.remoteClusters.uuid |
string |
|
UUID of the remote cluster. The UUID of a CouchbaseCluster resource is advertised in the status.clusterId field of the resource. |
collectiongroups |
object |
|
Uncomment to create a "couchbasecollectiongroups" resource Defines a group of collections. A collection is a data container, defined on Couchbase Server, within a bucket whose type is either Couchbase or Ephemeral. See https://docs.couchbase.com/operator/current/resource/couchbasecollectiongroup.html |
collections |
object |
|
Uncomment to create a "couchbasecollections" resource A collection is a data container, defined on Couchbase Server, within a bucket whose type is either Couchbase or Ephemeral. See https://docs.couchbase.com/operator/current/resource/couchbasecollection.html |
coredns |
object |
|
Coredns service configuration to be applied to pods for cross-cluster deployments |
coredns.searches |
list |
|
Search list for host-name lookup |
coredns.service |
string |
|
Name of Kubernetes service which exposes DNS endpoints |
couchbaseOperator.commandArgs |
object |
|
Set of command-line flags to pass on to the Operator to modify its behavior. see: https://docs.couchbase.com/operator/2.0/reference-operator-configuration.html#command-line-arguments |
couchbaseOperator.commandArgs.pod-create-timeout |
string |
|
Pod creation timeout. The Operator allows the timeout of pod creation to be manually configured. It is primarily intended for use on cloud platforms where the deployment of multiple volumes and pulling of a Couchbase Server container image may take a longer time than the default timeout period. |
couchbaseOperator.image |
object |
|
Image specifies repository and tag of the Couchbase Operator container. |
couchbaseOperator.imagePullPolicy |
string |
|
The policy for pulling images from the repository onto hosts. The imagePullPolicy value defaults to IfNotPresent, which means that images are only pulled if they’re not present on the Kubernetes node. Values allowed are Always, IfNotPresent, and Never. |
couchbaseOperator.imagePullSecrets |
list |
|
ImagePullSecrets is an optional list of references to secrets to use for pulling images. |
couchbaseOperator.name |
string |
|
Name of the couchbase operator Deployment |
couchbaseOperator.nodeSelector |
object |
|
Specify a node selection constraint for couchbase-admission-operator pod assignment. — Ref: https://kubernetes.io/docs/user-guide/node-selection/ |
couchbaseOperator.resources |
object |
|
Resource Limits and requests for Pod CPU and Memory |
couchbaseOperator.scope |
string |
|
RBAC Scope of the Operator. Must be either 'Role' or 'ClusterRole' |
couchbaseOperator.tolerations |
list |
|
Tolerations are applied to pods, and allow (but do not require) the pods to schedule onto nodes with matching taints. |
install.admissionController |
bool |
|
Install the admission controller |
install.couchbaseCluster |
bool |
|
Install couchbase cluster |
install.couchbaseOperator |
bool |
|
Install the couchbase operator |
install.syncGateway |
bool |
|
Install sync gateway |
scopegroups |
object |
|
Uncomment to create a "couchbasescopegroups" resource CouchbaseScopeGroup represents a logical unit of data storage that sits between buckets and collections e.g. a bucket may contain multiple scopes, and a scope may contain multiple collections. See https://docs.couchbase.com/operator/current/resource/couchbasescopegroup.html |
scopes |
object |
|
Uncomment to create a "couchbasescopes" resource A scope is simply a single-tier namespace for a group of collections to exist within. Collections within a scope must all have unique names, but collections in different scopes may share the same name. This property allows multi-tenancy. See https://docs.couchbase.com/operator/current/resource/couchbasescope.html |
syncGateway.admin.enabled |
bool |
|
Defines if the admin API will be exposed by sync gateway |
syncGateway.affinity |
object |
|
Affinity to apply to the pods |
syncGateway.config |
object |
|
Database config |
syncGateway.config.databases |
object |
|
Databases is a list containing bucket replication configs |
syncGateway.config.databases.db.bucket |
string |
|
Bucket replicated to sync gateway |
syncGateway.config.databases.db.cacert |
string |
|
Optional ca.cert for tls connection (auto-generated when tls.generate true) |
syncGateway.config.databases.db.password |
string |
|
Password of db admin, defaults to cluster admin password |
syncGateway.config.databases.db.server |
string |
|
Server to connect db to, defaults to cluster server |
syncGateway.config.databases.db.username |
string |
|
Username of db admin, defaults to cluster admin username |
syncGateway.config.databases.db.users |
object |
|
Guest user config |
syncGateway.config.databases.db.users.GUEST.admin_channels |
list |
|
Channels guest user may access. defaults to all channels |
syncGateway.config.databases.db.users.GUEST.disabled |
bool |
|
Disable creation of guest user |
syncGateway.configSecret |
string |
|
Optional secret to use with prepoulated database config |
syncGateway.exposeServiceType |
string |
|
Type of service to use for exposing Sync Gateway Set as empty string to prevent service creation |
syncGateway.image |
object |
|
Image of the sync gateway container |
syncGateway.imagePullPolicy |
string |
|
|
syncGateway.kind |
string |
|
Kind of resource to use when installing sync gateway resource. suppports (Deployment |
Statefulset) |
syncGateway.labels |
object |
|
Labels to apply to the deployment resource |
syncGateway.monitoring.prometheus.enabled |
bool |
|
Defines whether Prometheus metric collection is enabled |
syncGateway.monitoring.prometheus.image |
object |
|
Image used by the Sync Gateway to perform metric collection (injected as a "sidecar" in each Sync Gateway Pod) |
syncGateway.monitoring.prometheus.resources |
object |
|
syncGateway.name |
string |
|
|
Name of the sync gateway pod. defaults to name of chart |
syncGateway.nodeSelector |
object |
|
Which nodes to run the pods on |
syncGateway.podLabels |
object |
|
Labels to apply to the pods |
syncGateway.replicas |
int |
|
How many sync gateway pods to create horizontally scale the deployment |
syncGateway.resources |
object |
|
Resources to apply to the pods |
syncGateway.revisionHistoryLimit |
string |
|
Optional set to change cleanup policy |
syncGateway.service.annotations |
object |
|
Additional annotations to add to the Sync Gateway service. Useful for setting cloud provider specific annotations controlling the services deployed. |
syncGateway.service.externalTrafficPolicy |
string |
|
Optionally configure traffic policy for LoadBalancer and NodePort |
syncGateway.tolerations |
list |
|
Tolerations are applied to pods, and allow (but do not require) the pods to schedule onto nodes with matching taints. |
syncGateway.volumeClaimTemplates |
list |
|
Volume claim template to define size of persistent volumes to provide for stateful sets |
syncGateway.volumeMounts |
list |
|
Location within sync gateway to back with persistent volume |
tls.expiration |
int |
|
Expiry time of CA in days for generated certs |
tls.generate |
bool |
|
Enable to auto create certs |
tls.legacy |
bool |
|
Legacy TLS configuration with static format which requires PKCS#1 formatted keys. Legacy format is used implicitly during upgrade when old static keys exist. The default is 'false' which supports additional formats and multiple root CAs. |
tls.nodeToNodeEncryption |
string |
|
This field defines whether node-to-node encryption is enabled. Must be either 'All' or 'ControlPlaneOnly'. If not specified, data between Couchbase Server nodes is not encrypted. |
users |
object |
|
About Resource Names
All resources/objects created by the Couchbase Chart adhere to the following naming scheme: <release-name>-<component-name>
-
<release-name>
-
This is name of the installed instance.
-
-
<component-name>
-
This is the name of the Operator, Admission, and Couchbase component..
-
If the resource is created for the Operator, then
<component-name>
will be whatever is specified incouchbaseOperator.name
. -
If the resource is created for the admission controller, then
<component-name>
will be whatever is specified inadmissionController.name
. -
If the resource is created for the Couchbase cluster, then
<component-name>
will be whatever is specified incluster.name
.
-
Specifying Your Own Resources
The chart allows you to override certain resources such as TLS
certificates with ones that you’ve already created.
In this case, the names of the resources are determined by you and not the chart, and therefore do not adhere to the naming scheme described in the previous section.
Check the specs below for the value you are attempting to override for additional information on what type of resource is expected and how it should be formatted.
Install Values
Installation values for selective deployment of components within the chart.
# Select what to install
install:
# install the couchbase operator
couchbaseOperator: true
# install the admission controller
admissionController: true
# install couchbase cluster
couchbaseCluster: true
# install sync gateway
syncGateway: false
The Couchbase Chart is capable of installing the Operator, Admission Controller, Couchbase Cluster, and Sync Gateway.
couchbaseOperator
This field specifies whether or not the Couchbase Autonomous Operator will be installed.
Field Rules: |
---|
The |
admissionController
This field specifies whether or not the Couchbase Admission Controller will be installed.
Field Rules: |
---|
The |
Couchbase Cluster
The cluster
configuration represents the CouchbaseCluster
resources to be installed.
If install.couchbaseCluster
is set to false
then the cluster will not be installed.
name
The name of the cluster to create.
Value rules: The couchbaseCluster.name
value defaults to the name of the chart if not specified.
Must be unique from any other clusters in the namespace.
username
The username to use as the cluster admin.
This should only be used for experimental and test clusters.
Consider using adminSecret to provide a secret containing your own username and password.
|
Value rules: The couchbaseCluster.username
value is a string set to Administrator
by default.
password
The password to use as the cluster admin.
This should only be used for experimental and test clusters.
Consider using adminSecret to provide a secret containing your own username and password.
|
Value rules: The couchbaseCluster.password
value is a string that is auto-generated by default.
adminSecret
The secret to use for overriding the auto-generated secret. When specified the username and password from the secret are used for Administrator login.
Value rules: The couchbaseCluster.adminSecret
value is the name of a Kubernetes secret and is not set by default.
Persistent Volumes
The best way to create a cluster with persistent volumes is to make a custom value file. The following example shows how volume mounts can be added to created a persisted cluster.
Create a file named values-persistent.yaml
with the following values:
cluster:
servers:
default:
pod:
volumeMounts:
default: couchbase
data: couchbase
securityContext:
fsGroup: 1000
volumeClaimTemplates:
- metadata:
name: couchbase
spec:
storageClassName: "default"
resources:
requests:
storage: 1Gi
Install the Couchbase Helm Chart using the custom value file:
helm install my-release -f values-persistent.yaml couchbase/couchbase-operator
TLS
Certificates can be auto-generated or overridden by user supplied certs. Also since Couchbase certs are represented as plain Kubernetes secrets, the secret itself can be overridden.
tls:
generate: false
legacy: false
expiration: 365
nodeToNodeEncryption: All
generate
This value determines whether the chart should create the cluster with TLS.
Value rules: The tls.generate
is a boolean which defaults to false
.
When set to true
all of the certs and keys required for TLS will be auto-generated unless manually specified.
When value is false
certs are not generated, but manual Secrets can be provided by overriding cluster.networking.tls
.
legacy
This value determines whether legacy or Native TLS format will be used.
Value rules: The tls.legacy
is a boolean which defaults to false
.
When value is 'true' legacy TLS configuration with static format which requires PKCS#1 formatted keys.
When value is 'false' native TLS is used and a root CA is generated along with separate client and server keys.
nodeToNodeEncryption
This field defines whether node-to-node encryption is enabled.
When set to All
, all data between Couchbase server nodes is encrypted.
When set to ControlPlaneOnly
, only internal Couchbase server messages are encrypted, user data is not.
If not specified, data between Couchbase Server nodes is not encrypted.
As with all encryption protocols, this setting may negatively affect performance with the increased data protection.
Field rules: This field is optional and must be either
All
orControlPlaneOnly
.
Custom TLS
Create cluster with auto-generated TLS certs
helm install my-release --set tls.generate=true -f values-persistent.yaml couchbase/couchbase-operator
Use manually created secrets
. Create a file named tls_values.yaml
with the following custom override values for the Couchbase Chart:
cluster:
networking:
tls:
rootCAs:
- secure-couchbase-cluster-ca-tls
secretSource:
clientSecretName: secure-couchbase-cluster-operator-tls
serverSecretName: secure-couchbase-cluster-server-tls
Refer to TLS Concept documentation for additional information about available security options.
helm install my-release -f tls_values.yaml couchbase/couchbase-operator
Buckets
The buckets
configuration represent CouchbaseBucket
resources to be installed by the cluster.
buckets:
default:
name: default
kind: CouchbaseBucket
Buckets are automatically provisioned with label selectors matching the corresponding Couchbase cluster. |
At least one bucket will be created whenever install.CouchbaseCluster
is set to true
(if you don’t actively configure at least one bucket, then a default bucket is created automatically).
If zero buckets are desired, then you must disable bucket creation completely by setting the contents to null
.
buckets: null
The buckets field must be explicitly set to null in order to avoid bucket creation.
Even if the section is completely empty, unless buckets: null is specified, the default bucket will be created.
|
name
This value determines the name of the bucket to create within Couchbase Server.
Value rules: The bucket.name
value is a string.
This value is optional and when not set, the object key name is used instead.
The object key name is used for the Kubernetes CRD, whereas this value is used for the bucket name that is recognized within the Couchbase Server application.
kind
This is the type of the bucket to create and can be one of the supported types provided by Couchbase Server.
Value rules: The bucket.kind
value takes one of the supported values: CouchbaseBucket
, CouchbaseEphemeralBucket
, or CouchbaseMemcachedBucket
.
This value is optional and defaults to CouchbaseBucket
when not set.
Users
The users
configuration represent CouchbaseUser
, CouchbaseGroup
, and CouchbaseRoleBinding
resources to be installed by the cluster.
Users are installed whenever install.CouchbaseCluster
is set to true
.
users:
developer: # username (1)
autobind: true
password: password
authSecret:
authDomain: local
roles:
- name: bucket_admin
bucket: default
1 | The username is set from the key of each user configuration. NOTE: Users are automatically provisioned with label selectors matching the corresponding Couchbase cluster. |
autobind
Value rules: The user.<name>.autobind
value is a boolean.
If autobind
is set, then Users are automatically created
alongside groups with specified roles. To manually create
groups and bind users then set autobind
to 'false' and
specify groups
and rolebindings
resources
password
The user password.
This should only be used for experimental and test clusters.
Consider using authSecret or setting authDomain: external to improve security .
|
Value rules: The user.<name>.password
value is a string.
This value is required when authDomain
is local
.
authSecret
The Kubernetes Secret containing the user password.
Value rules: The user.<name>.authSecret
value is a string.
This value is optional and must refer to a Kubernetes Secret resource when specified.
The Secret must contain the path data.password
with the base64 encoded value of the secret
authDomain
The Couchbase RBAC Domain to use when authenticating the user.
Value rules: The user.<name>.authDomain
value is a string.
This value is required and must be either local
or external
.
roles
The Couchbase Roles to assign to the user
Value rules: The user.<name>.roles
value is a list.
This value is required and must provide the name
of a valid Couchbase Server role.
If the Couchbase Server role is a bucket role, then the name of a bucket
value may also be provided.
If the name of a bucket is not provided for a bucket role then the value defaults to *
which means the role applies to all buckets.
Refer to CouchbaseGroups
documentation for list of Administrator and Bucket roles.
Backups
This object defines parameters and variables for automated backup. When set, the chart will create a backup job.
backups:
default-backup:
name: my-backup
strategy: full_incremental
full:
schedule: "0 3 * * 0"
incremental:
schedule: "0 3 * * 1-6"
All of the provided values for this spec are described here in the Couchbase Cluster Configuration documentation.
Backup Restores
This object defines parameters and variables for automated backup restores. When set, the chart will create a backup restore job.
backuprestores:
default-restore:
name: my-restore
backup: my-backup
repo: cb-example-2020-11-12T19_00_03
start:
int: 1
str: oldest
end:
int: 1
str: latest
backOffLimit: 2
logRetention: 24h
All of the provided values for this spec are described here in the Couchbase Cluster Configuration documentation.
Sync Gateway
The Sync Gateway configuration provides defaults for deploying Sync Gateway along with associated services.
The Sync Gateway server is installed when install.syncGateway
is set to true
.
When installed, Sync Gateway is automatically connected to Couchbase cluster.
syncGateway:
name:
config:
logging:
console:
enabled: true
log_level: "debug"
log_keys:
- "*"
databases:
db:
bucket: default
users:
GUEST:
disabled: false
admin_channels: ["*"]
server:
username:
password:
allow_conflicts: false
revs_limit: 20
enable_shared_bucket_access: true
cacert:
exposeServiceType: ClusterIP
image:
repository: couchbase/sync-gateway
tag: 2.8.3-enterprise
imagePullPolicy: IfNotPresent
configSecret:
If you install a bucket with a name other than default then you will need to update databases.db.bucket accordingly.
|
exposeServiceType
The type of service to use for exposing the Sync Gateway server.
Value rules: The exposeServiceType
value is a string.
This value is optional and defaults to ClusterIP
.
When specified the value must be either ClusterIP
, NOodePort
, or LoadBalancer
.
When the value is not specified then the exposing service is not created.
configSecret
A Kubernetes Secret containing values that override config.databases
This allows for sync-gateway configurations to be shared across clusters, since the Secret will contain the same configuration information about connecting to a particular Couchbase Cluster.
Value rules: The configSecret
value is a string
This value is optional.
When specified the content of the Secret will be used to override the values of config.databases
.
coredns
DNS settings to apply to the Couchbase and Sync Gateway Deployments
coredns:
service:
searches:
- default.svc.cluster.local
- svc.cluster.local
- cluster.local
coredns.service
The name of a Kubernetes Service resource which exposes Kubernetes DNS.
By default the kube-dns
service is used, but user may decide to install CoreDNS for Inter-Cluster Deployments.
Value rules: The coredns.service
value is a string.
This value is optional.
When specified the value must refer to a Kubernetes Service resource that is capable of providing DNS to the Sync Gateway server.
Autonomous Operator
The Helm chart deploys the Operator as a Kubernetes Deployment.
couchbaseOperator:
name: "couchbase-operator"
image:
repository: couchbase/operator
tag: 2.7.0
imagePullPolicy: IfNotPresent
imagePullSecrets: []
commandArgs:
pod-create-timeout: 10m
resources: {}
nodeSelector: {}
tolerations: []
commandArgs
This spec allows you to specify command line arguments to pass on to the Operator.
value rules: The commandArgs
value is a key-value map of arguments that can be used to modify the behavior of the Operator image.
The -pod-create-timeout:
argument is set to 10m
by default, which means that the Operator will wait 10 minutes for a Couchbase Server Pod to start.
The -debug:
argument can also be used here, and set to debug
for more verbose logging.
Additional Values
The couchbaseOperator
parameters are described in the Operator Deployment Settings documentation.
Admission Controller
admissionController:
name: "couchbase-admission-controller"
image:
repository: couchbase/admission-controller
tag: 2.7.0
imagePullPolicy: IfNotPresent
imagePullSecrets: []
verboseLogging: true
The Helm chart deploys the admission controller as a Kubernetes Deployment.
name
This field specifies the name of the admission controller deployment.
Field Rules: |
---|
The |
image
image:
repository: couchbase/admission-controller
tag: 2.7.0
The repository and tag to use for pulling the admission controller image.
Field Rules: |
---|
The |
imagePullPolicy
The policy for pulling images from the repository onto hosts.
Field Rules: |
---|
The |
imagePullSecrets
An optional list referencing secrets to use for pulling the image.
Field Rules: |
---|
The
|
Admission Service
admissionService:
name:
port: 443
targetPort: 8443
The admission service is used by the webhooks to access the admission operator.
Certificates are auto-generated for this service whenever this object is enabled.
The admission service is always created when install.admissionController
is set to true
.
targetPort
Port of the admission controller targeted by the admission Service.
Field Rules: |
---|
The |
Admission Controller Certificate Authority
admissionCA:
cert:
key:
expiration: 365
The admissionCA
spec specifies the CA certificates that are applied to validating webhooks.
By default, the CA certificate and key is auto-generated. The following example shows how to use a self-signed certificate:
-
Create Certificates
Use OpenSSL to create
myCA.key
andmyCA.pem
in your current directory:openssl genrsa -out myCA.key 2048 openssl req -x509 -new -nodes -key myCA.key -sha256 -days 1825 -outform PEM -out myCA.pem
-
Install the chart with certificates
Use
--set-file
to import the files from your current directory:helm install --set-file admissionCA.cert=myCA.pem \ --set-file admissionCA.key=myCA.key \ couchbase/couchbase-operator
Refer to the TLS documentation for manually creating certificates and keys that can be used to override the auto-generated secret.
Admission Controller Secret
admissionSecret:
name:
cert:
key:
The admissionSecret
spec specifies the secret for the admission controller to use for validating cluster specs securely over the admission service.
To use a custom secret, you will also need to provide the CA that was used to generate the certificates and keys within the secret. The following example shows how to use a self-signed CA and client:
-
Create CA and client certificates
Use EasyRSA CA and signed client cert with DNS
cb-example.default.svc
./easyrsa build-ca nopasss ./easyrsa --subject-alt-name=DNS:cb-example.default.svc build-server-full admission-controller nopas
-
Install chart with client certificates
Install chart with custom certs and be sure to set
admissionService.name
to DNS name.This example also sets
--namespace default
option since this is also included in the DNS of cert we created:helm install --namespace ci-testcluster \ --set admissionService.name=ci-testcluster \ --set-file admissionCA.cert=/home/ubuntu/easy-rsa/easyrsa3/pki/ca.crt \ --set-file admissionCA.key=/home/ubuntu/easy-rsa/easyrsa3/pki/private/ca.key \ --set-file admissionSecret.cert=/home/ubuntu/easy-rsa/easyrsa3/pki/issued/admission-controller.crt \ --set-file admissionSecret.key=/home/ubuntu/easy-rsa/easyrsa3/pki/private/admission-controller.key \ couchbase/couchbase-operator
name
This value is the name of the secret that contains the certificates for the admission operator.
This value must refer to a native Kubernetes secret which contains values for TLS cert
and key
.
Field Rules: |
---|
The |
cert
PEM format certificate to use as the admission controller’s public key during validation.
Field Rules: |
---|
The |
key
PEM format key to use as the admission controllers private key during validation.
Field Rules: |
---|
The |