From 42c58a78a42f3c43f7c9fe80af8f4d26f4c68661 Mon Sep 17 00:00:00 2001
From: alex emery
Date: Wed, 9 Aug 2023 15:05:10 +0100
Subject: [PATCH] K8S-3144: prepare helm for 2.5 release

- updated github actions
- updated crd.yaml
- deprecated the `couchbaseCluster.spec.securityContext` in favor of `couchbaseCluster.spec.security.podSecurityContext`
- Added a default for `couchbaseClutser.spec.security.securityContext.allowPrivilegeEscalation=false`
---
 .github/workflows/publish-ci.yml | 2 +-
 .github/workflows/validate-ci.yml | 2 +-
 charts/couchbase-operator/Chart.yaml | 4 +-
 charts/couchbase-operator/README.md | 50 +-
 charts/couchbase-operator/README.md.adoc | 55 +-
 .../crds/couchbase.crds.yaml | 477 ++++++++++++++++-
 charts/couchbase-operator/values-all.yaml | 263 ++++++---
 charts/couchbase-operator/values.yaml | 82 +-
 charts/couchbase-operator/values.yamltmpl | 4 +-
 tools/value-generation/gen.py | 16 +-
 10 files changed, 736 insertions(+), 219 deletions(-)

diff --git a/.github/workflows/publish-ci.yml b/.github/workflows/publish-ci.yml
index 4ec714e..21ba99b 100644
--- a/.github/workflows/publish-ci.yml
+++ b/.github/workflows/publish-ci.yml
@@ -7,7 +7,7 @@ on:
 # Triggers the workflow on push or pull request events but only for the main branch
 push:
 branches:
- - 2.4.x
+ - 2.5.x
 # Ignore anything unrelated to a chart release
 paths-ignore:
 - 'charts/couchbase-operator/examples/**'
diff --git a/.github/workflows/validate-ci.yml b/.github/workflows/validate-ci.yml
index df7dbfb..ce99791 100644
--- a/.github/workflows/validate-ci.yml
+++ b/.github/workflows/validate-ci.yml
@@ -5,7 +5,7 @@ name: Validate CI
 on:
 pull_request:
 branches:
- - 2.4.x
+ - 2.5.x
 # Ignore anything unrelated to a chart release
 paths-ignore:
 - 'charts/couchbase-operator/examples/**'
diff --git a/charts/couchbase-operator/Chart.yaml b/charts/couchbase-operator/Chart.yaml
index 45e88d0..45eb677 100644
--- a/charts/couchbase-operator/Chart.yaml
+++ b/charts/couchbase-operator/Chart.yaml
@@ -1,8 +1,8 @@
 apiVersion: v2
 name: couchbase-operator
 description: A Helm chart to deploy the Couchbase Autonomous Operator for easily deploying, managing, and maintaining Couchbase Clusters. Couchbase Server is a NoSQL document database with a distributed architecture for performance, scalability, and availability. It enables developers to build applications easier and faster by leveraging the power of SQL with the flexibility of JSON.
-version: 2.42.1
-appVersion: 2.4.2
+version: 2.50.1
+appVersion: 2.5.0
 type: application
 keywords:
 - couchbase
diff --git a/charts/couchbase-operator/README.md b/charts/couchbase-operator/README.md
index 3a29b75..7ab8901 100644
--- a/charts/couchbase-operator/README.md
+++ b/charts/couchbase-operator/README.md
@@ -3,7 +3,7 @@ A Helm chart to deploy the Couchbase Autonomous Operator for easily deploying, managing, and maintaining Couchbase Clusters. Couchbase Server is a NoSQL document database with a distributed architecture for performance, scalability, and availability. It enables developers to build applications easier and faster by leveraging the power of SQL with the flexibility of JSON.
-![Version: 2.42.1](https://img.shields.io/badge/Version-2.42.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 2.4.2](https://img.shields.io/badge/AppVersion-2.4.2-informational?style=flat-square)
+![Version: 2.50.1](https://img.shields.io/badge/Version-2.50.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 2.5.0](https://img.shields.io/badge/AppVersion-2.5.0-informational?style=flat-square)
 Deploying the Operator and Couchbase Server
 ===========================================
@@ -40,7 +40,7 @@ for more information about customizing and managing your charts.
 | admissionCA.key | string | `nil` | A base64 encoded PEM format private key |
 | admissionController.commandArgs | object | `{"default-file-system-group":true,"validate-secrets":true,"validate-storage-classes":true}` | Set of command-line flags to pass on to the Admission Controller to modify its behavior. Do not change. |
 | admissionController.disableValidatingWebhook | bool | `false` | Disable the creation of Validation webhook. Setting to 'false' may be helpful when installing into a restricted environments (ie Strict mTLS), since disabling avoids performing resource fetching and validation from the Kubernetes API server. |
-| admissionController.image | object | `{"repository":"couchbase/admission-controller","tag":"2.4.2"}` | Image specifies repository and tag of the Couchbase Admission container. |
+| admissionController.image | object | `{"repository":"couchbase/admission-controller","tag":"2.5.0"}` | Image specifies repository and tag of the Couchbase Admission container. |
 | admissionController.imagePullPolicy | string | `"IfNotPresent"` | The policy for pulling images from the repository onto hosts. The imagePullPolicy value defaults to IfNotPresent, which means that images are only pulled if they’re not present on the Kubernetes node. Values allowed are Always, IfNotPresent, and Never. |
 | admissionController.imagePullSecrets | list | `[]` | ImagePullSecrets is an optional list of references to secrets to use for pulling images |
 | admissionController.name | string | `"couchbase-admission-controller"` | |
@@ -123,15 +123,17 @@ for more information about customizing and managing your charts.
 | cluster.cluster.autoCompaction.timeWindow | object | `{"abortCompactionOutsideWindow":false,"end":null,"start":null}` | TimeWindow allows restriction of when compaction can occur. |
 | cluster.cluster.autoCompaction.tombstonePurgeInterval | string | `"72h"` | TombstonePurgeInterval controls how long to wait before purging tombstones. This field must be in the range 1h-1440h, defaulting to 72h. More info: https://golang.org/pkg/time/#ParseDuration |
 | cluster.cluster.autoCompaction.viewFragmentationThreshold | object | `{"percent":30,"size":null}` | ViewFragmentationThreshold defines triggers for when view compaction should start. |
-| cluster.cluster.autoFailoverMaxCount | int | `3` | AutoFailoverMaxCount is the maximum number of automatic failovers Couchbase server will allow before not allowing any more. This field must be between 1-3 for server versions prior to 7.1.0 default is 3. |
+| cluster.cluster.autoFailoverMaxCount | int | `1` | AutoFailoverMaxCount is the maximum number of automatic failovers Couchbase server will allow before not allowing any more. This field must be between 1-3 for server versions prior to 7.1.0 default is 1. |
 | cluster.cluster.autoFailoverOnDataDiskIssues | bool | `false` | AutoFailoverOnDataDiskIssues defines whether Couchbase server should failover a pod if a disk issue was detected. |
 | cluster.cluster.autoFailoverOnDataDiskIssuesTimePeriod | string | `"120s"` | AutoFailoverOnDataDiskIssuesTimePeriod defines how long to wait for transient errors before failing over a faulty disk. This field must be in the range 5-3600s, defaulting to 120s. More info: https://golang.org/pkg/time/#ParseDuration |
 | cluster.cluster.autoFailoverServerGroup | bool | `false` | AutoFailoverServerGroup whether to enable failing over a server group. This field is ignored in server versions 7.1+ as it has been removed from the Couchbase API |
 | cluster.cluster.autoFailoverTimeout | string | `"120s"` | AutoFailoverTimeout defines how long Couchbase server will wait between a pod being witnessed as down, until when it will failover the pod. Couchbase server will only failover pods if it deems it safe to do so, and not result in data loss. This field must be in the range 5-3600s, defaulting to 120s. More info: https://golang.org/pkg/time/#ParseDuration |
 | cluster.cluster.clusterName | string | `nil` | ClusterName defines the name of the cluster, as displayed in the Couchbase UI. By default, the cluster name is that specified in the CouchbaseCluster resource's metadata. |
-| cluster.cluster.data | object | `{"readerThreads":null,"writerThreads":null}` | Data allows the data service to be configured. |
+| cluster.cluster.data | object | `{"auxIOThreads":null,"nonIOThreads":null,"readerThreads":null,"writerThreads":null}` | Data allows the data service to be configured. |
+| cluster.cluster.data.auxIOThreads | string | `nil` | AuxIOThreads allows the number of threads used by the data service, per pod, to be altered. This indicates the number of threads that are to be used in the AuxIO thread pool to run auxiliary I/O tasks. This value must be between 4 and 64 threads, and should only be increased where there are sufficient CPU resources allocated for their use. If not specified, this defaults to the default value set by Couchbase Server. |
+| cluster.cluster.data.nonIOThreads | string | `nil` | NonIOThreads allows the number of threads used by the data service, per pod, to be altered. This indicates the number of threads that are to be used in the NonIO thread pool to run in memory tasks. This value must be between 4 and 64 threads, and should only be increased where there are sufficient CPU resources allocated for their use. If not specified, this defaults to the default value set by Couchbase Server. |
 | cluster.cluster.data.readerThreads | string | `nil` | ReaderThreads allows the number of threads used by the data service, per pod, to be altered. This value must be between 4 and 64 threads, and should only be increased where there are sufficient CPU resources allocated for their use. If not specified, this defaults to the default value set by Couchbase Server. |
-| cluster.cluster.data.writerThreads | string | `nil` | ReaderThreads allows the number of threads used by the data service, per pod, to be altered. This setting is especially relevant when using "durable writes", increasing this field will have a large impact on performance. This value must be between 4 and 64 threads, and should only be increased where there are sufficient CPU resources allocated for their use. If not specified, this defaults to the default value set by Couchbase Server. |
+| cluster.cluster.data.writerThreads | string | `nil` | WriterThreads allows the number of threads used by the data service, per pod, to be altered. This setting is especially relevant when using "durable writes", increasing this field will have a large impact on performance. This value must be between 4 and 64 threads, and should only be increased where there are sufficient CPU resources allocated for their use. If not specified, this defaults to the default value set by Couchbase Server. |
 | cluster.cluster.dataServiceMemoryQuota | string | `"256Mi"` | DataServiceMemQuota is the amount of memory that should be allocated to the data service. This value is per-pod, and only applicable to pods belonging to server classes running the data service. This field must be a quantity greater than or equal to 256Mi. This field defaults to 256Mi. More info: https://kubernetes.io/docs/concepts/configuration/manage- resources-containers/#resource-units-in-kubernetes |
 | cluster.cluster.eventingServiceMemoryQuota | string | `"256Mi"` | EventingServiceMemQuota is the amount of memory that should be allocated to the eventing service. This value is per-pod, and only applicable to pods belonging to server classes running the eventing service. This field must be a quantity greater than or equal to 256Mi. This field defaults to 256Mi. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources- containers/#resource-units-in-kubernetes |
 | cluster.cluster.indexServiceMemoryQuota | string | `"256Mi"` | IndexServiceMemQuota is the amount of memory that should be allocated to the index service. This value is per-pod, and only applicable to pods belonging to server classes running the index service. This field must be a quantity greater than or equal to 256Mi. This field defaults to 256Mi. More info: https://kubernetes.io/docs/concepts/configuration/manage- resources-containers/#resource-units-in-kubernetes |
@@ -156,7 +158,7 @@ for more information about customizing and managing your charts.
 | cluster.envImagePrecedence | bool | `false` | EnvImagePrecedence gives precedence over the default container image name in `spec.Image` to an image name provided through Operator environment variables. For more info on using Operator environment variables: https://docs.couchbase.com/operator/current/reference-operator- configuration.html |
 | cluster.hibernate | bool | `false` | Hibernate is whether to hibernate the cluster. |
 | cluster.hibernationStrategy | string | `nil` | HibernationStrategy defines how to hibernate the cluster. When Immediate the Operator will immediately delete all pods and take no further action until the hibernate field is set to false. |
-| cluster.image | string | `"couchbase/server:7.1.3"` | Image is the container image name that will be used to launch Couchbase server instances. Updating this field will cause an automatic upgrade of the cluster. |
+| cluster.image | string | `"couchbase/server:7.2.0"` | Image is the container image name that will be used to launch Couchbase server instances. Updating this field will cause an automatic upgrade of the cluster. |
 | cluster.logging.audit.disabledEvents | string | `nil` | The list of event ids to disable for auditing purposes. This is passed to the REST API with no verification by the operator. Refer to the documentation for details: https://docs.couchbase.com/server/current/audit-event-reference/audit- event-reference.html |
 | cluster.logging.audit.disabledUsers | string | `nil` | The list of users to ignore for auditing purposes. This is passed to the REST API with minimal validation it meets an acceptable regex pattern. Refer to the documentation for full details on how to configure this: https://docs.couchbase.com/server/current/manage/manage- security/manage-auditing.html#ignoring-events-by-user |
 | cluster.logging.audit.enabled | bool | `false` | Enabled is a boolean that enables the audit capabilities. |
@@ -175,6 +177,9 @@ for more information about customizing and managing your charts.
 | cluster.networking.adminConsoleServiceTemplate.metadata | object | `{"annotations":null,"labels":null}` | Standard objects metadata. This is a curated version for use with Couchbase resource templates. |
 | cluster.networking.adminConsoleServiceTemplate.spec | object | `{"clusterIP":null,"clusterIPs":null,"externalIPs":null,"externalName":null,"externalTrafficPolicy":null,"healthCheckNodePort":null,"internalTrafficPolicy":null,"ipFamilies":null,"ipFamilyPolicy":null,"loadBalancerClass":null,"loadBalancerIP":null,"loadBalancerSourceRanges":null,"sessionAffinity":null,"sessionAffinityConfig":{"clientIP":{"timeoutSeconds":null}},"type":"NodePort"}` | ServiceSpec describes the attributes that a user creates on a service. |
 | cluster.networking.adminConsoleServices | list | `["data"]` | DEPRECATED - not required by Couchbase Server. AdminConsoleServices is a selector to choose specific services to expose via the admin console. This field may contain any of "data", "index", "query", "search", "eventing" and "analytics". Each service may only be included once. |
+| cluster.networking.cloudNativeGateway | object | `{"image":null,"tls":{"serverSecretName":null}}` | DEVELOPER PREVIEW - This feature is in developer preview. CloudNativeGateway is used to provision a gRPC gateway proxying a Couchbase cluster. |
+| cluster.networking.cloudNativeGateway.image | string | `nil` | DEVELOPER PREVIEW - This feature is in developer preview. Image is the Cloud Native Gateway image to be used to run the sidecar container. No validation is carried out as this can be any arbitrary repo and tag. TODO: provide a default kubebuilder default image tag as field is mandatory. |
+| cluster.networking.cloudNativeGateway.tls | object | `{"serverSecretName":null}` | DEVELOPER PREVIEW - This feature is in developer preview. TLS defines the TLS configuration for the Cloud Native Gateway server including server and client certificate configuration, and TLS security policies. |
 | cluster.networking.disableUIOverHTTP | bool | `false` | DisableUIOverHTTP is used to explicitly enable and disable UI access over the HTTP protocol. If not specified, this field defaults to false. |
 | cluster.networking.disableUIOverHTTPS | bool | `false` | DisableUIOverHTTPS is used to explicitly enable and disable UI access over the HTTPS protocol. If not specified, this field defaults to false. |
 | cluster.networking.dns | object | `{"domain":null}` | DNS defines information required for Dynamic DNS support. |
@@ -198,27 +203,24 @@ for more information about customizing and managing your charts.
 | cluster.rollingUpgrade.maxUpgradablePercent | string | `nil` | MaxUpgradablePercent allows the number of pods affected by an upgrade at any one time to be increased. By default a rolling upgrade will upgrade one pod at a time. This field allows that limit to be removed. This field must be an integer percentage, e.g. "10%", in the range 1% to 100%. Percentages are relative to the total cluster size, and rounded down to the nearest whole number, with a minimum of 1. For example, a 10 pod cluster, and 25% allowed to upgrade, would yield 2.5 pods per iteration, rounded down to 2. The smallest of `maxUpgradable` and `maxUpgradablePercent` takes precedence if both are defined. |
 | cluster.security.adminSecret | string | `""` | AdminSecret is the name of a Kubernetes secret to use for administrator authentication. The admin secret must contain the keys "username" and "password". The password data must be at least 6 characters in length, and not contain the any of the characters `()<>,;:\"/[]?={}`. |
 | cluster.security.password | string | `""` | Cluster administrator pasword, auto-generated when empty |
+| cluster.security.podSecurityContext | object | `{"fsGroup":1000,"fsGroupChangePolicy":null,"runAsGroup":null,"runAsNonRoot":true,"runAsUser":1000,"seLinuxOptions":{"level":null,"role":null,"type":null,"user":null},"seccompProfile":{"localhostProfile":null,"type":null},"supplementalGroups":null,"sysctls":{"name":null,"value":null},"windowsOptions":{"gmsaCredentialSpec":null,"gmsaCredentialSpecName":null,"hostProcess":false,"runAsUserName":null}}` | PodSecurityContext allows the configuration of the security context for all Couchbase server pods. When using persistent volumes you may need to set the fsGroup field in order to write to the volume. For non-root clusters you must also set runAsUser to 1000, corresponding to the Couchbase user in official container images. More info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ |
+| cluster.security.podSecurityContext.fsGroup | int | `1000` | A special supplemental group that applies to all containers in a pod. Some volume types allow the Kubelet to change the ownership of that volume to be owned by the pod: 1. The owning GID will be the FSGroup 2. The setgid bit is set (new files created in the volume will be owned by FSGroup) 3. The permission bits are OR'd with rw-rw---- If unset, the Kubelet will not modify the ownership and permissions of any volume. Note that this field cannot be set when spec.os.name is windows. |
+| cluster.security.podSecurityContext.fsGroupChangePolicy | string | `nil` | fsGroupChangePolicy defines behavior of changing ownership and permission of the volume before being exposed inside Pod. This field will only apply to volume types which support fsGroup based ownership(and permissions). It will have no effect on ephemeral volume types such as: secret, configmaps and emptydir. Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used. Note that this field cannot be set when spec.os.name is windows. |
+| cluster.security.podSecurityContext.runAsGroup | string | `nil` | The GID to run the entrypoint of the container process. Uses runtime default if unset. May also be set in SecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence for that container. Note that this field cannot be set when spec.os.name is windows. |
+| cluster.security.podSecurityContext.runAsNonRoot | bool | `true` | Indicates that the container must run as a non-root user. If true, the Kubelet will validate the image at runtime to ensure that it does not run as UID 0 (root) and fail to start the container if it does. If unset or false, no such validation will be performed. May also be set in SecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. |
+| cluster.security.podSecurityContext.runAsUser | int | `1000` | The UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. May also be set in SecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence for that container. Note that this field cannot be set when spec.os.name is windows. |
+| cluster.security.podSecurityContext.seLinuxOptions | object | `{"level":null,"role":null,"type":null,"user":null}` | The SELinux context to be applied to all containers. If unspecified, the container runtime will allocate a random SELinux context for each container. May also be set in SecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence for that container. Note that this field cannot be set when spec.os.name is windows. |
+| cluster.security.podSecurityContext.seccompProfile | object | `{"localhostProfile":null,"type":null}` | The seccomp options to use by the containers in this pod. Note that this field cannot be set when spec.os.name is windows. |
+| cluster.security.podSecurityContext.supplementalGroups | string | `nil` | A list of groups applied to the first process run in each container, in addition to the container's primary GID. If unspecified, no groups will be added to any container. Note that this field cannot be set when spec.os.name is windows. |
+| cluster.security.podSecurityContext.sysctls | object | `{"name":null,"value":null}` | Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch. Note that this field cannot be set when spec.os.name is windows. |
+| cluster.security.podSecurityContext.windowsOptions | object | `{"gmsaCredentialSpec":null,"gmsaCredentialSpecName":null,"hostProcess":false,"runAsUserName":null}` | The Windows specific settings applied to all containers. If unspecified, the options within a container's SecurityContext will be used. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. Note that this field cannot be set when spec.os.name is linux. |
 | cluster.security.rbac | object | `{"managed":true,"selector":{"matchExpressions":{"key":null,"operator":null,"values":null},"matchLabels":null}}` | RBAC is the options provided for enabling and selecting RBAC User resources to manage. |
 | cluster.security.rbac.managed | bool | `true` | Managed defines whether RBAC is managed by us or the clients. |
 | cluster.security.rbac.selector | object | `{"matchExpressions":{"key":null,"operator":null,"values":null},"matchLabels":null}` | Selector is a label selector used to list RBAC resources in the namespace that are managed by the Operator. |
+| cluster.security.securityContext | object | `{"allowPrivilegeEscalation":false}` | SecurityContext defines the security options the container should be run with. If set, the fields of SecurityContext override the equivalent fields of PodSecurityContext. Use securityContext.allowPrivilegeEscalation field to grant more privileges than its parent process. More info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ |
+| cluster.security.securityContext.allowPrivilegeEscalation | bool | `false` | AllowPrivilegeEscalation controls whether a process can gain more privileges than its parent process. This bool directly controls if the no_new_privs flag will be set on the container process. AllowPrivilegeEscalation is true always when the container is: 1) run as Privileged 2) has CAP_SYS_ADMIN Note that this field cannot be set when spec.os.name is windows. |
 | cluster.security.uiSessionTimeout | int | `0` | UISessionTimeout sets how long, in minutes, before a user is declared inactive and signed out from the Couchbase Server UI. 0 represents no time out. |
 | cluster.security.username | string | `"Administrator"` | Cluster administrator username |
-| cluster.securityContext.fsGroup | int | `1000` | A special supplemental group that applies to all containers in a pod. Some volume types allow the Kubelet to change the ownership of that volume to be owned by the pod: 1. The owning GID will be the FSGroup 2. The setgid bit is set (new files created in the volume will be owned by FSGroup) 3. The permission bits are OR'd with rw-rw---- If unset, the Kubelet will not modify the ownership and permissions of any volume. Note that this field cannot be set when spec.os.name is windows. |
-| cluster.securityContext.fsGroupChangePolicy | string | `nil` | fsGroupChangePolicy defines behavior of changing ownership and permission of the volume before being exposed inside Pod. This field will only apply to volume types which support fsGroup based ownership(and permissions). It will have no effect on ephemeral volume types such as: secret, configmaps and emptydir. Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used. Note that this field cannot be set when spec.os.name is windows. |
-| cluster.securityContext.runAsGroup | string | `nil` | The GID to run the entrypoint of the container process. Uses runtime default if unset. May also be set in SecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence for that container. Note that this field cannot be set when spec.os.name is windows. |
-| cluster.securityContext.runAsNonRoot | bool | `true` | Indicates that the container must run as a non-root user. If true, the Kubelet will validate the image at runtime to ensure that it does not run as UID 0 (root) and fail to start the container if it does. If unset or false, no such validation will be performed. May also be set in SecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. |
-| cluster.securityContext.runAsUser | int | `1000` | The UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. May also be set in SecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence for that container. Note that this field cannot be set when spec.os.name is windows. |
-| cluster.securityContext.seLinuxOptions | object | `{"level":null,"role":null,"type":null,"user":null}` | The SELinux context to be applied to all containers. If unspecified, the container runtime will allocate a random SELinux context for each container. May also be set in SecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence for that container. Note that this field cannot be set when spec.os.name is windows. |
-| cluster.securityContext.seLinuxOptions.level | string | `nil` | Level is SELinux level label that applies to the container. |
-| cluster.securityContext.seLinuxOptions.role | string | `nil` | Role is a SELinux role label that applies to the container. |
-| cluster.securityContext.seLinuxOptions.type | string | `nil` | Type is a SELinux type label that applies to the container. |
-| cluster.securityContext.seLinuxOptions.user | string | `nil` | User is a SELinux user label that applies to the container. |
-| cluster.securityContext.seccompProfile | object | `{"localhostProfile":null,"type":null}` | The seccomp options to use by the containers in this pod. Note that this field cannot be set when spec.os.name is windows. |
-| cluster.securityContext.seccompProfile.localhostProfile | string | `nil` | localhostProfile indicates a profile defined in a file on the node should be used. The profile must be preconfigured on the node to work. Must be a descending path, relative to the kubelet's configured seccomp profile location. Must only be set if type is "Localhost". |
-| cluster.securityContext.seccompProfile.type | string | `nil` | type indicates which kind of seccomp profile will be applied. Valid options are: Localhost - a profile defined in a file on the node should be used. RuntimeDefault - the container runtime default profile should be used. Unconfined - no profile should be applied. |
-| cluster.securityContext.supplementalGroups | string | `nil` | A list of groups applied to the first process run in each container, in addition to the container's primary GID. If unspecified, no groups will be added to any container. Note that this field cannot be set when spec.os.name is windows. |
-| cluster.securityContext.sysctls | list | `[]` | Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch. Note that this field cannot be set when spec.os.name is windows. |
-| cluster.securityContext.windowsOptions | object | `{}` | The Windows specific settings applied to all containers. If unspecified, the options within a container's SecurityContext will be used. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. Note that this field cannot be set when spec.os.name is linux. |
 | cluster.serverGroups | string | `nil` | ServerGroups define the set of availability zones you want to distribute pods over, and construct Couchbase server groups for. By default, most cloud providers will label nodes with the key "topology.kubernetes.io/zone", the values associated with that key are used here to provide explicit scheduling by the Operator. You may manually label nodes using the "topology.kubernetes.io/zone" key, to provide failure-domain aware scheduling when none is provided for you. Global server groups are applied to all server classes, and may be overridden on a per-server class basis to give more control over scheduling and server groups. |
 | cluster.servers.default.autoscaleEnabled | bool | `false` | AutoscaledEnabled defines whether the autoscaling feature is enabled for this class. When true, the Operator will create a CouchbaseAutoscaler resource for this server class. The CouchbaseAutoscaler implements the Kubernetes scale API and can be controlled by the Kubernetes horizontal pod autoscaler (HPA). |
 | cluster.servers.default.services | list | `["data","index","query","search","analytics","eventing"]` | Services is the set of Couchbase services to run on this server class. At least one class must contain the data service. The field may contain any of "data", "index", "query", "search", "eventing" or "analytics". Each service may only be specified once. |
@@ -243,7 +245,7 @@ for more information about customizing and managing your charts.
 | cluster.xdcr.remoteClusters | object | `{"authenticationSecret":null,"hostname":null,"name":null,"replications":{"selector":{"matchExpressions":{"key":null,"operator":null,"values":null},"matchLabels":null}},"tls":{"secret":null},"uuid":null}` | RemoteClusters is a set of named remote clusters to establish replications to. |
 | cluster.xdcr.remoteClusters.authenticationSecret | string | `nil` | AuthenticationSecret is a secret used to authenticate when establishing a remote connection. It is only required when not using mTLS. The secret must contain a username (secret key "username") and password (secret key "password"). |
 | cluster.xdcr.remoteClusters.hostname | string | `nil` | Hostname is the connection string to use to connect the remote cluster. To use IPv6, place brackets (`[`, `]`) around the IPv6 value. |
-| cluster.xdcr.remoteClusters.name | string | `nil` | Name of the remote cluster. |
+| cluster.xdcr.remoteClusters.name | string | `nil` | Name of the remote cluster. Note that, -operator-managed is added as suffix by operator automatically to the name in order to diffrentiate from non operator managed remote clusters. |
 | cluster.xdcr.remoteClusters.replications | object | `{"selector":{"matchExpressions":{"key":null,"operator":null,"values":null},"matchLabels":null}}` | Replications are replication streams from this cluster to the remote one. This field defines how to look up CouchbaseReplication resources. By default any CouchbaseReplication resources in the namespace will be considered. |
 | cluster.xdcr.remoteClusters.tls | object | `{"secret":null}` | TLS if specified references a resource containing the necessary certificate data for an encrypted connection. |
 | cluster.xdcr.remoteClusters.uuid | string | `nil` | UUID of the remote cluster. The UUID of a CouchbaseCluster resource is advertised in the status.clusterId field of the resource. |
@@ -254,7 +256,7 @@ for more information about customizing and managing your charts.
 | coredns.service | string | `nil` | Name of Kubernetes service which exposes DNS endpoints |
 | couchbaseOperator.commandArgs | object | `{"pod-create-timeout":"10m"}` | Set of command-line flags to pass on to the Operator to modify its behavior. see: https://docs.couchbase.com/operator/2.0/reference-operator-configuration.html#command-line-arguments |
 | couchbaseOperator.commandArgs.pod-create-timeout | string | `"10m"` | Pod creation timeout. The Operator allows the timeout of pod creation to be manually configured. It is primarily intended for use on cloud platforms where the deployment of multiple volumes and pulling of a Couchbase Server container image may take a longer time than the default timeout period. |
-| couchbaseOperator.image | object | `{"repository":"couchbase/operator","tag":"2.4.2"}` | Image specifies repository and tag of the Couchbase Operator container. |
+| couchbaseOperator.image | object | `{"repository":"couchbase/operator","tag":"2.5.0"}` | Image specifies repository and tag of the Couchbase Operator container. |
 | couchbaseOperator.imagePullPolicy | string | `"IfNotPresent"` | The policy for pulling images from the repository onto hosts. The imagePullPolicy value defaults to IfNotPresent, which means that images are only pulled if they’re not present on the Kubernetes node. Values allowed are Always, IfNotPresent, and Never. |
 | couchbaseOperator.imagePullSecrets | list | `[]` | ImagePullSecrets is an optional list of references to secrets to use for pulling images. |
 | couchbaseOperator.name | string | `"couchbase-operator"` | Name of the couchbase operator Deployment |
diff --git a/charts/couchbase-operator/README.md.adoc b/charts/couchbase-operator/README.md.adoc
index 449b349..de11b51 100644
--- a/charts/couchbase-operator/README.md.adoc
+++ b/charts/couchbase-operator/README.md.adoc
@@ -5,7 +5,7 @@
 | admissionCA.key | string | `nil` | A base64 encoded PEM format private key
 | admissionController.commandArgs | object | `{"default-file-system-group":true,"validate-secrets":true,"validate-storage-classes":true}` | Set of command-line flags to pass on to the Admission Controller to modify its behavior. Do not change.
 | admissionController.disableValidatingWebhook | bool | `false` | Disable the creation of Validation webhook. Setting to 'false' may be helpful when installing into a restricted environments (ie Strict mTLS), since disabling avoids performing resource fetching and validation from the Kubernetes API server.
-| admissionController.image | object | `{"repository":"couchbase/admission-controller","tag":"2.4.2"}` | Image specifies repository and tag of the Couchbase Admission container.
+| admissionController.image | object | `{"repository":"couchbase/admission-controller","tag":"2.5.0"}` | Image specifies repository and tag of the Couchbase Admission container.
 | admissionController.imagePullPolicy | string | `"IfNotPresent"` | The policy for pulling images from the repository onto hosts. The imagePullPolicy value defaults to IfNotPresent, which means that images are only pulled if they’re not present on the Kubernetes node. Values allowed are Always, IfNotPresent, and Never.
 | admissionController.imagePullSecrets | list | `[]` | ImagePullSecrets is an optional list of references to secrets to use for pulling images
 | admissionController.name | string | `"couchbase-admission-controller"` | 
@@ -82,7 +82,7 @@
 | cluster.buckets.selector.matchExpressions | object | `{"key":null,"operator":null,"values":null}` | matchExpressions is a list of label selector requirements. The requirements are ANDed.
 | cluster.buckets.selector.matchLabels | string | `nil` | matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
 | cluster.buckets.synchronize | bool | `false` | Synchronize allows unmanaged buckets, scopes, and collections to be synchronized as Kubernetes resources by the Operator. This feature is intended for development only and should not be used for production workloads. The synchronization workflow starts with `spec.buckets.managed` being set to false, the user can manually create buckets, scopes, and collections using the Couchbase UI, or other tooling. When you wish to commit to Kubernetes resources, you must specify a unique label selector in the `spec.buckets.selector` field, and this field is set to true. The Operator will create Kubernetes resources for you, and upon completion set the cluster's `Synchronized` status condition. You may then safely set `spec.buckets.managed` to true and the Operator will manage these resources as per usual. To update an already managed data topology, you must first set it to unmanaged, make any changes, and delete any old resources, then follow the standard synchronization workflow. The Operator can not, and will not, ever delete, or make modifications to resource specifications that are intended to be user managed, or managed by a life cycle management tool. These actions must be instigated by an end user. For a more complete experience, refer to the documentation for the `cao save` and `cao restore` CLI commands.
-| cluster.cluster | object | `{"analyticsServiceMemoryQuota":"1Gi","autoCompaction":{"databaseFragmentationThreshold":{"percent":30,"size":null},"parallelCompaction":false,"timeWindow":{"abortCompactionOutsideWindow":false,"end":null,"start":null},"tombstonePurgeInterval":"72h","viewFragmentationThreshold":{"percent":30,"size":null}},"autoFailoverMaxCount":3,"autoFailoverOnDataDiskIssues":false,"autoFailoverOnDataDiskIssuesTimePeriod":"120s","autoFailoverServerGroup":false,"autoFailoverTimeout":"120s","clusterName":null,"data":{"readerThreads":null,"writerThreads":null},"dataServiceMemoryQuota":"256Mi","eventingServiceMemoryQuota":"256Mi","indexServiceMemoryQuota":"256Mi","indexStorageSetting":"memory_optimized","indexer":{"logLevel":"info","maxRollbackPoints":2,"memorySnapshotInterval":"200ms","numReplica":0,"redistributeIndexes":false,"stableSnapshotInterval":"5s","storageMode":"memory_optimized","threads":null},"query":{"backfillEnabled":true,"temporarySpace":"5Gi","temporarySpaceUnlimited":false},"queryServiceMemoryQuota":null,"searchServiceMemoryQuota":"256Mi"}` | ClusterSettings define Couchbase cluster-wide settings such as memory allocation, failover characteristics and index settings.
+| cluster.cluster | object | `{"analyticsServiceMemoryQuota":"1Gi","autoCompaction":{"databaseFragmentationThreshold":{"percent":30,"size":null},"parallelCompaction":false,"timeWindow":{"abortCompactionOutsideWindow":false,"end":null,"start":null},"tombstonePurgeInterval":"72h","viewFragmentationThreshold":{"percent":30,"size":null}},"autoFailoverMaxCount":1,"autoFailoverOnDataDiskIssues":false,"autoFailoverOnDataDiskIssuesTimePeriod":"120s","autoFailoverServerGroup":false,"autoFailoverTimeout":"120s","clusterName":null,"data":{"auxIOThreads":null,"nonIOThreads":null,"readerThreads":null,"writerThreads":null},"dataServiceMemoryQuota":"256Mi","eventingServiceMemoryQuota":"256Mi","indexServiceMemoryQuota":"256Mi","indexStorageSetting":"memory_optimized","indexer":{"logLevel":"info","maxRollbackPoints":2,"memorySnapshotInterval":"200ms","numReplica":0,"redistributeIndexes":false,"stableSnapshotInterval":"5s","storageMode":"memory_optimized","threads":null},"query":{"backfillEnabled":true,"temporarySpace":"5Gi","temporarySpaceUnlimited":false},"queryServiceMemoryQuota":null,"searchServiceMemoryQuota":"256Mi"}` | ClusterSettings define Couchbase cluster-wide settings such as memory allocation, failover characteristics and index settings.
 | cluster.cluster.analyticsServiceMemoryQuota | string | `"1Gi"` | AnalyticsServiceMemQuota is the amount of memory that should be allocated to the analytics service. This value is per-pod, and only applicable to pods belonging to server classes running the analytics service. This field must be a quantity greater than or equal to 1Gi. This field defaults to 1Gi. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#resource-units-in-kubernetes
 | cluster.cluster.autoCompaction | object | `{"databaseFragmentationThreshold":{"percent":30,"size":null},"parallelCompaction":false,"timeWindow":{"abortCompactionOutsideWindow":false,"end":null,"start":null},"tombstonePurgeInterval":"72h","viewFragmentationThreshold":{"percent":30,"size":null}}` | AutoCompaction allows the configuration of auto-compaction, including on what conditions disk space is reclaimed and when it is allowed to run.
 | cluster.cluster.autoCompaction.databaseFragmentationThreshold | object | `{"percent":30,"size":null}` | DatabaseFragmentationThreshold defines triggers for when database compaction should start.
@@ -90,15 +90,17 @@
 | cluster.cluster.autoCompaction.timeWindow | object | `{"abortCompactionOutsideWindow":false,"end":null,"start":null}` | TimeWindow allows restriction of when compaction can occur.
 | cluster.cluster.autoCompaction.tombstonePurgeInterval | string | `"72h"` | TombstonePurgeInterval controls how long to wait before purging tombstones. This field must be in the range 1h-1440h, defaulting to 72h. More info: https://golang.org/pkg/time/#ParseDuration
 | cluster.cluster.autoCompaction.viewFragmentationThreshold | object | `{"percent":30,"size":null}` | ViewFragmentationThreshold defines triggers for when view compaction should start.
-| cluster.cluster.autoFailoverMaxCount | int | `3` | AutoFailoverMaxCount is the maximum number of automatic failovers Couchbase server will allow before not allowing any more. This field must be between 1-3 for server versions prior to 7.1.0 default is 3.
+| cluster.cluster.autoFailoverMaxCount | int | `1` | AutoFailoverMaxCount is the maximum number of automatic failovers Couchbase server will allow before not allowing any more. This field must be between 1-3 for server versions prior to 7.1.0 default is 1.
 | cluster.cluster.autoFailoverOnDataDiskIssues | bool | `false` | AutoFailoverOnDataDiskIssues defines whether Couchbase server should failover a pod if a disk issue was detected.
 | cluster.cluster.autoFailoverOnDataDiskIssuesTimePeriod | string | `"120s"` | AutoFailoverOnDataDiskIssuesTimePeriod defines how long to wait for transient errors before failing over a faulty disk. This field must be in the range 5-3600s, defaulting to 120s. More info: https://golang.org/pkg/time/#ParseDuration
 | cluster.cluster.autoFailoverServerGroup | bool | `false` | AutoFailoverServerGroup whether to enable failing over a server group. This field is ignored in server versions 7.1+ as it has been removed from the Couchbase API
 | cluster.cluster.autoFailoverTimeout | string | `"120s"` | AutoFailoverTimeout defines how long Couchbase server will wait between a pod being witnessed as down, until when it will failover the pod. Couchbase server will only failover pods if it deems it safe to do so, and not result in data loss. This field must be in the range 5-3600s, defaulting to 120s. More info: https://golang.org/pkg/time/#ParseDuration
 | cluster.cluster.clusterName | string | `nil` | ClusterName defines the name of the cluster, as displayed in the Couchbase UI. By default, the cluster name is that specified in the CouchbaseCluster resource's metadata.
-| cluster.cluster.data | object | `{"readerThreads":null,"writerThreads":null}` | Data allows the data service to be configured.
+| cluster.cluster.data | object | `{"auxIOThreads":null,"nonIOThreads":null,"readerThreads":null,"writerThreads":null}` | Data allows the data service to be configured.
+| cluster.cluster.data.auxIOThreads | string | `nil` | AuxIOThreads allows the number of threads used by the data service, per pod, to be altered. This indicates the number of threads that are to be used in the AuxIO thread pool to run auxiliary I/O tasks. This value must be between 4 and 64 threads, and should only be increased where there are sufficient CPU resources allocated for their use. If not specified, this defaults to the default value set by Couchbase Server.
+| cluster.cluster.data.nonIOThreads | string | `nil` | NonIOThreads allows the number of threads used by the data service, per pod, to be altered. This indicates the number of threads that are to be used in the NonIO thread pool to run in memory tasks. This value must be between 4 and 64 threads, and should only be increased where there are sufficient CPU resources allocated for their use. If not specified, this defaults to the default value set by Couchbase Server.
| cluster.cluster.data.readerThreads | string | `nil` | ReaderThreads allows the number of threads used by the data service, per pod, to be altered. This value must be between 4 and 64 threads, and should only be increased where there are sufficient CPU resources allocated for their use. If not specified, this defaults to the default value set by Couchbase Server.
-| cluster.cluster.data.writerThreads | string | `nil` | ReaderThreads allows the number of threads used by the data service, per pod, to be altered. This setting is especially relevant when using "durable writes", increasing this field will have a large impact on performance. This value must be between 4 and 64 threads, and should only be increased where there are sufficient CPU resources allocated for their use. If not specified, this defaults to the default value set by Couchbase Server.
+| cluster.cluster.data.writerThreads | string | `nil` | WriterThreads allows the number of threads used by the data service, per pod, to be altered. This setting is especially relevant when using "durable writes", increasing this field will have a large impact on performance. This value must be between 4 and 64 threads, and should only be increased where there are sufficient CPU resources allocated for their use. If not specified, this defaults to the default value set by Couchbase Server.
 | cluster.cluster.dataServiceMemoryQuota | string | `"256Mi"` | DataServiceMemQuota is the amount of memory that should be allocated to the data service. This value is per-pod, and only applicable to pods belonging to server classes running the data service. This field must be a quantity greater than or equal to 256Mi. This field defaults to 256Mi. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#resource-units-in-kubernetes
 | cluster.cluster.eventingServiceMemoryQuota | string | `"256Mi"` | EventingServiceMemQuota is the amount of memory that should be allocated to the eventing service. This value is per-pod, and only applicable to pods belonging to server classes running the eventing service. This field must be a quantity greater than or equal to 256Mi. This field defaults to 256Mi. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#resource-units-in-kubernetes
 | cluster.cluster.indexServiceMemoryQuota | string | `"256Mi"` | IndexServiceMemQuota is the amount of memory that should be allocated to the index service. This value is per-pod, and only applicable to pods belonging to server classes running the index service. This field must be a quantity greater than or equal to 256Mi. This field defaults to 256Mi. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#resource-units-in-kubernetes
@@ -123,7 +125,7 @@
 | cluster.envImagePrecedence | bool | `false` | EnvImagePrecedence gives precedence over the default container image name in `spec.Image` to an image name provided through Operator environment variables. For more info on using Operator environment variables: https://docs.couchbase.com/operator/current/reference-operator-configuration.html
 | cluster.hibernate | bool | `false` | Hibernate is whether to hibernate the cluster.
 | cluster.hibernationStrategy | string | `nil` | HibernationStrategy defines how to hibernate the cluster. When Immediate the Operator will immediately delete all pods and take no further action until the hibernate field is set to false.
-| cluster.image | string | `"couchbase/server:7.1.3"` | Image is the container image name that will be used to launch Couchbase server instances. Updating this field will cause an automatic upgrade of the cluster.
+| cluster.image | string | `"couchbase/server:7.2.0"` | Image is the container image name that will be used to launch Couchbase server instances. Updating this field will cause an automatic upgrade of the cluster.
 | cluster.logging | object | `{"audit":{"disabledEvents":null,"disabledUsers":null,"enabled":false,"garbageCollection":{"sidecar":{"age":"1h","enabled":false,"image":"busybox:1.33.1","interval":"20m","resources":{"limits":null,"requests":null}}},"rotation":{"interval":"15m","size":"20Mi"}},"logRetentionCount":null,"logRetentionTime":null,"server":{"configurationName":"fluent-bit-config","enabled":false,"manageConfiguration":true,"sidecar":{"configurationMountPath":"/fluent-bit/config/","image":"couchbase/fluent-bit:1.2.1","resources":{"limits":null,"requests":null}}}}` | Logging defines Operator logging options.
| cluster.logging.audit | object | `{"disabledEvents":null,"disabledUsers":null,"enabled":false,"garbageCollection":{"sidecar":{"age":"1h","enabled":false,"image":"busybox:1.33.1","interval":"20m","resources":{"limits":null,"requests":null}}},"rotation":{"interval":"15m","size":"20Mi"}}` | Used to manage the audit configuration directly
 | cluster.logging.audit.disabledEvents | string | `nil` | The list of event ids to disable for auditing purposes. This is passed to the REST API with no verification by the operator. Refer to the documentation for details: https://docs.couchbase.com/server/current/audit-event-reference/audit-event-reference.html
@@ -140,12 +142,15 @@
 | cluster.logging.server.sidecar | object | `{"configurationMountPath":"/fluent-bit/config/","image":"couchbase/fluent-bit:1.2.1","resources":{"limits":null,"requests":null}}` | Any specific logging sidecar container configuration.
 | cluster.monitoring | object | `{}` | Monitoring defines any Operator managed integration into 3rd party monitoring infrastructure.
 | cluster.name | string | `nil` | Name of the cluster, defaults to name of chart release
-| cluster.networking | object | `{"addressFamily":null,"adminConsoleServiceTemplate":{"metadata":{"annotations":null,"labels":null},"spec":{"clusterIP":null,"clusterIPs":null,"externalIPs":null,"externalName":null,"externalTrafficPolicy":null,"healthCheckNodePort":null,"internalTrafficPolicy":null,"ipFamilies":null,"ipFamilyPolicy":null,"loadBalancerClass":null,"loadBalancerIP":null,"loadBalancerSourceRanges":null,"sessionAffinity":null,"sessionAffinityConfig":{"clientIP":{"timeoutSeconds":null}},"type":"NodePort"}},"adminConsoleServices":["data"],"disableUIOverHTTP":false,"disableUIOverHTTPS":false,"dns":{"domain":null},"exposeAdminConsole":true,"exposedFeatureServiceTemplate":{"metadata":{"annotations":null,"labels":null},"spec":{"clusterIP":null,"clusterIPs":null,"externalIPs":null,"externalName":null,"externalTrafficPolicy":null,"healthCheckNodePort":null,"internalTrafficPolicy":null,"ipFamilies":null,"ipFamilyPolicy":null,"loadBalancerClass":null,"loadBalancerIP":null,"loadBalancerSourceRanges":null,"sessionAffinity":null,"sessionAffinityConfig":{"clientIP":{"timeoutSeconds":null}},"type":"NodePort"}},"exposedFeatureTrafficPolicy":null,"exposedFeatures":["client","xdcr"],"loadBalancerSourceRanges":null,"networkPlatform":null,"serviceAnnotations":null,"waitForAddressReachable":"10m","waitForAddressReachableDelay":"2m"}` | Networking defines Couchbase cluster networking options such as network topology, TLS and DDNS settings.
+| cluster.networking | object | `{"addressFamily":null,"adminConsoleServiceTemplate":{"metadata":{"annotations":null,"labels":null},"spec":{"clusterIP":null,"clusterIPs":null,"externalIPs":null,"externalName":null,"externalTrafficPolicy":null,"healthCheckNodePort":null,"internalTrafficPolicy":null,"ipFamilies":null,"ipFamilyPolicy":null,"loadBalancerClass":null,"loadBalancerIP":null,"loadBalancerSourceRanges":null,"sessionAffinity":null,"sessionAffinityConfig":{"clientIP":{"timeoutSeconds":null}},"type":"NodePort"}},"adminConsoleServices":["data"],"cloudNativeGateway":{"image":null,"tls":{"serverSecretName":null}},"disableUIOverHTTP":false,"disableUIOverHTTPS":false,"dns":{"domain":null},"exposeAdminConsole":true,"exposedFeatureServiceTemplate":{"metadata":{"annotations":null,"labels":null},"spec":{"clusterIP":null,"clusterIPs":null,"externalIPs":null,"externalName":null,"externalTrafficPolicy":null,"healthCheckNodePort":null,"internalTrafficPolicy":null,"ipFamilies":null,"ipFamilyPolicy":null,"loadBalancerClass":null,"loadBalancerIP":null,"loadBalancerSourceRanges":null,"sessionAffinity":null,"sessionAffinityConfig":{"clientIP":{"timeoutSeconds":null}},"type":"NodePort"}},"exposedFeatureTrafficPolicy":null,"exposedFeatures":["client","xdcr"],"loadBalancerSourceRanges":null,"networkPlatform":null,"serviceAnnotations":null,"waitForAddressReachable":"10m","waitForAddressReachableDelay":"2m"}` | Networking defines Couchbase cluster networking options such as network topology, TLS and DDNS settings.
 | cluster.networking.addressFamily | string | `nil` | AddressFamily allows the manual selection of the address family to use. When this field is not set, Couchbase server will default to using IPv4 for internal communication and also support IPv6 on dual stack systems. Setting this field to either IPv4 or IPv6 will force Couchbase to use the selected protocol for internal communication, and also disable all other protocols to provide added security and simplicty when defining firewall rules. Disabling of address families is only supported in Couchbase Server 7.0.2+.
 | cluster.networking.adminConsoleServiceTemplate | object | `{"metadata":{"annotations":null,"labels":null},"spec":{"clusterIP":null,"clusterIPs":null,"externalIPs":null,"externalName":null,"externalTrafficPolicy":null,"healthCheckNodePort":null,"internalTrafficPolicy":null,"ipFamilies":null,"ipFamilyPolicy":null,"loadBalancerClass":null,"loadBalancerIP":null,"loadBalancerSourceRanges":null,"sessionAffinity":null,"sessionAffinityConfig":{"clientIP":{"timeoutSeconds":null}},"type":"NodePort"}}` | AdminConsoleServiceTemplate provides a template used by the Operator to create and manage the admin console service. This allows services to be annotated, the service type defined and any other options that Kubernetes provides. When using a LoadBalancer service type, TLS and dynamic DNS must also be enabled. The Operator reserves the right to modify or replace any field. More info: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.21/#service-v1-core
 | cluster.networking.adminConsoleServiceTemplate.metadata | object | `{"annotations":null,"labels":null}` | Standard objects metadata. This is a curated version for use with Couchbase resource templates.
 | cluster.networking.adminConsoleServiceTemplate.spec | object | `{"clusterIP":null,"clusterIPs":null,"externalIPs":null,"externalName":null,"externalTrafficPolicy":null,"healthCheckNodePort":null,"internalTrafficPolicy":null,"ipFamilies":null,"ipFamilyPolicy":null,"loadBalancerClass":null,"loadBalancerIP":null,"loadBalancerSourceRanges":null,"sessionAffinity":null,"sessionAffinityConfig":{"clientIP":{"timeoutSeconds":null}},"type":"NodePort"}` | ServiceSpec describes the attributes that a user creates on a service.
| cluster.networking.adminConsoleServices | list | `["data"]` | DEPRECATED - not required by Couchbase Server. AdminConsoleServices is a selector to choose specific services to expose via the admin console. This field may contain any of "data", "index", "query", "search", "eventing" and "analytics". Each service may only be included once.
+| cluster.networking.cloudNativeGateway | object | `{"image":null,"tls":{"serverSecretName":null}}` | DEVELOPER PREVIEW - This feature is in developer preview. CloudNativeGateway is used to provision a gRPC gateway proxying a Couchbase cluster.
+| cluster.networking.cloudNativeGateway.image | string | `nil` | DEVELOPER PREVIEW - This feature is in developer preview. Image is the Cloud Native Gateway image to be used to run the sidecar container. No validation is carried out as this can be any arbitrary repo and tag. TODO: provide a default kubebuilder default image tag as field is mandatory.
+| cluster.networking.cloudNativeGateway.tls | object | `{"serverSecretName":null}` | DEVELOPER PREVIEW - This feature is in developer preview. TLS defines the TLS configuration for the Cloud Native Gateway server including server and client certificate configuration, and TLS security policies.
 | cluster.networking.disableUIOverHTTP | bool | `false` | DisableUIOverHTTP is used to explicitly enable and disable UI access over the HTTP protocol. If not specified, this field defaults to false.
 | cluster.networking.disableUIOverHTTPS | bool | `false` | DisableUIOverHTTPS is used to explicitly enable and disable UI access over the HTTPS protocol. If not specified, this field defaults to false.
 | cluster.networking.dns | object | `{"domain":null}` | DNS defines information required for Dynamic DNS support.
@@ -167,31 +172,27 @@
 | cluster.rollingUpgrade | object | `{"maxUpgradable":null,"maxUpgradablePercent":null}` | When `spec.upgradeStrategy` is set to `RollingUpgrade` it will, by default, upgrade one pod at a time. If this field is specified then that number can be increased.
 | cluster.rollingUpgrade.maxUpgradable | string | `nil` | MaxUpgradable allows the number of pods affected by an upgrade at any one time to be increased. By default a rolling upgrade will upgrade one pod at a time. This field allows that limit to be removed. This field must be greater than zero. The smallest of `maxUpgradable` and `maxUpgradablePercent` takes precedence if both are defined.
 | cluster.rollingUpgrade.maxUpgradablePercent | string | `nil` | MaxUpgradablePercent allows the number of pods affected by an upgrade at any one time to be increased. By default a rolling upgrade will upgrade one pod at a time. This field allows that limit to be removed. This field must be an integer percentage, e.g. "10%", in the range 1% to 100%. Percentages are relative to the total cluster size, and rounded down to the nearest whole number, with a minimum of 1. For example, a 10 pod cluster, and 25% allowed to upgrade, would yield 2.5 pods per iteration, rounded down to 2. The smallest of `maxUpgradable` and `maxUpgradablePercent` takes precedence if both are defined.
-| cluster.security | object | `{"adminSecret":"","password":"","rbac":{"managed":true,"selector":{"matchExpressions":{"key":null,"operator":null,"values":null},"matchLabels":null}},"uiSessionTimeout":0,"username":"Administrator"}` | Security defines Couchbase cluster security options such as the administrator account username and password, and user RBAC settings.
+| cluster.security | object | `{"adminSecret":"","password":"","podSecurityContext":{"fsGroup":1000,"fsGroupChangePolicy":null,"runAsGroup":null,"runAsNonRoot":true,"runAsUser":1000,"seLinuxOptions":{"level":null,"role":null,"type":null,"user":null},"seccompProfile":{"localhostProfile":null,"type":null},"supplementalGroups":null,"sysctls":{"name":null,"value":null},"windowsOptions":{"gmsaCredentialSpec":null,"gmsaCredentialSpecName":null,"hostProcess":false,"runAsUserName":null}},"rbac":{"managed":true,"selector":{"matchExpressions":{"key":null,"operator":null,"values":null},"matchLabels":null}},"securityContext":{"allowPrivilegeEscalation":false},"uiSessionTimeout":0,"username":"Administrator"}` | Security defines Couchbase cluster security options such as the administrator account username and password, and user RBAC settings.
 | cluster.security.adminSecret | string | `""` | AdminSecret is the name of a Kubernetes secret to use for administrator authentication. The admin secret must contain the keys "username" and "password". The password data must be at least 6 characters in length, and not contain the any of the characters `()<>,;:\"/[]?={}`.
 | cluster.security.password | string | `""` | Cluster administrator pasword, auto-generated when empty
+| cluster.security.podSecurityContext | object | `{"fsGroup":1000,"fsGroupChangePolicy":null,"runAsGroup":null,"runAsNonRoot":true,"runAsUser":1000,"seLinuxOptions":{"level":null,"role":null,"type":null,"user":null},"seccompProfile":{"localhostProfile":null,"type":null},"supplementalGroups":null,"sysctls":{"name":null,"value":null},"windowsOptions":{"gmsaCredentialSpec":null,"gmsaCredentialSpecName":null,"hostProcess":false,"runAsUserName":null}}` | PodSecurityContext allows the configuration of the security context for all Couchbase server pods. When using persistent volumes you may need to set the fsGroup field in order to write to the volume. For non-root clusters you must also set runAsUser to 1000, corresponding to the Couchbase user in official container images. More info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
+| cluster.security.podSecurityContext.fsGroup | int | `1000` | A special supplemental group that applies to all containers in a pod. Some volume types allow the Kubelet to change the ownership of that volume to be owned by the pod: 1. The owning GID will be the FSGroup 2. The setgid bit is set (new files created in the volume will be owned by FSGroup) 3. The permission bits are OR'd with rw-rw---- If unset, the Kubelet will not modify the ownership and permissions of any volume. Note that this field cannot be set when spec.os.name is windows.
+| cluster.security.podSecurityContext.fsGroupChangePolicy | string | `nil` | fsGroupChangePolicy defines behavior of changing ownership and permission of the volume before being exposed inside Pod. This field will only apply to volume types which support fsGroup based ownership(and permissions). It will have no effect on ephemeral volume types such as: secret, configmaps and emptydir. Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used. Note that this field cannot be set when spec.os.name is windows.
+| cluster.security.podSecurityContext.runAsGroup | string | `nil` | The GID to run the entrypoint of the container process. Uses runtime default if unset. May also be set in SecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence for that container. Note that this field cannot be set when spec.os.name is windows.
+| cluster.security.podSecurityContext.runAsNonRoot | bool | `true` | Indicates that the container must run as a non-root user. If true, the Kubelet will validate the image at runtime to ensure that it does not run as UID 0 (root) and fail to start the container if it does. If unset or false, no such validation will be performed. May also be set in SecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.
+| cluster.security.podSecurityContext.runAsUser | int | `1000` | The UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. May also be set in SecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence for that container. Note that this field cannot be set when spec.os.name is windows.
+| cluster.security.podSecurityContext.seLinuxOptions | object | `{"level":null,"role":null,"type":null,"user":null}` | The SELinux context to be applied to all containers. If unspecified, the container runtime will allocate a random SELinux context for each container. May also be set in SecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence for that container. Note that this field cannot be set when spec.os.name is windows.
+| cluster.security.podSecurityContext.seccompProfile | object | `{"localhostProfile":null,"type":null}` | The seccomp options to use by the containers in this pod. Note that this field cannot be set when spec.os.name is windows.
+| cluster.security.podSecurityContext.supplementalGroups | string | `nil` | A list of groups applied to the first process run in each container, in addition to the container's primary GID. If unspecified, no groups will be added to any container. Note that this field cannot be set when spec.os.name is windows.
+| cluster.security.podSecurityContext.sysctls | object | `{"name":null,"value":null}` | Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch. Note that this field cannot be set when spec.os.name is windows.
+| cluster.security.podSecurityContext.windowsOptions | object | `{"gmsaCredentialSpec":null,"gmsaCredentialSpecName":null,"hostProcess":false,"runAsUserName":null}` | The Windows specific settings applied to all containers. If unspecified, the options within a container's SecurityContext will be used. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. Note that this field cannot be set when spec.os.name is linux.
 | cluster.security.rbac | object | `{"managed":true,"selector":{"matchExpressions":{"key":null,"operator":null,"values":null},"matchLabels":null}}` | RBAC is the options provided for enabling and selecting RBAC User resources to manage.
 | cluster.security.rbac.managed | bool | `true` | Managed defines whether RBAC is managed by us or the clients.
 | cluster.security.rbac.selector | object | `{"matchExpressions":{"key":null,"operator":null,"values":null},"matchLabels":null}` | Selector is a label selector used to list RBAC resources in the namespace that are managed by the Operator.
+| cluster.security.securityContext | object | `{"allowPrivilegeEscalation":false}` | SecurityContext defines the security options the container should be run with. If set, the fields of SecurityContext override the equivalent fields of PodSecurityContext. Use securityContext.allowPrivilegeEscalation field to grant more privileges than its parent process. More info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
+| cluster.security.securityContext.allowPrivilegeEscalation | bool | `false` | AllowPrivilegeEscalation controls whether a process can gain more privileges than its parent process. This bool directly controls if the no_new_privs flag will be set on the container process. AllowPrivilegeEscalation is true always when the container is: 1) run as Privileged 2) has CAP_SYS_ADMIN Note that this field cannot be set when spec.os.name is windows.
| cluster.security.uiSessionTimeout | int | `0` | UISessionTimeout sets how long, in minutes, before a user is declared inactive and signed out from the Couchbase Server UI. 0 represents no time out.
 | cluster.security.username | string | `"Administrator"` | Cluster administrator username
-| cluster.securityContext | object | `{"fsGroup":1000,"fsGroupChangePolicy":null,"runAsGroup":null,"runAsNonRoot":true,"runAsUser":1000,"seLinuxOptions":{"level":null,"role":null,"type":null,"user":null},"seccompProfile":{"localhostProfile":null,"type":null},"supplementalGroups":null,"sysctls":[],"windowsOptions":{}}` | SecurityContext allows the configuration of the security context for all Couchbase server pods. When using persistent volumes you may need to set the fsGroup field in order to write to the volume. For non-root clusters you must also set runAsUser to 1000, corresponding to the Couchbase user in official container images. More info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
-| cluster.securityContext.fsGroup | int | `1000` | A special supplemental group that applies to all containers in a pod. Some volume types allow the Kubelet to change the ownership of that volume to be owned by the pod: 1. The owning GID will be the FSGroup 2. The setgid bit is set (new files created in the volume will be owned by FSGroup) 3. The permission bits are OR'd with rw-rw---- If unset, the Kubelet will not modify the ownership and permissions of any volume. Note that this field cannot be set when spec.os.name is windows.
-| cluster.securityContext.fsGroupChangePolicy | string | `nil` | fsGroupChangePolicy defines behavior of changing ownership and permission of the volume before being exposed inside Pod. This field will only apply to volume types which support fsGroup based ownership(and permissions). It will have no effect on ephemeral volume types such as: secret, configmaps and emptydir. Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used. 
If not specified, "Always" is used. Note that this field cannot be set when spec.os.name is windows. -| cluster.securityContext.runAsGroup | string | `nil` | The GID to run the entrypoint of the container process. Uses runtime default if unset. May also be set in SecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence for that container. Note that this field cannot be set when spec.os.name is windows. -| cluster.securityContext.runAsNonRoot | bool | `true` | Indicates that the container must run as a non-root user. If true, the Kubelet will validate the image at runtime to ensure that it does not run as UID 0 (root) and fail to start the container if it does. If unset or false, no such validation will be performed. May also be set in SecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. -| cluster.securityContext.runAsUser | int | `1000` | The UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. May also be set in SecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence for that container. Note that this field cannot be set when spec.os.name is windows. -| cluster.securityContext.seLinuxOptions | object | `{"level":null,"role":null,"type":null,"user":null}` | The SELinux context to be applied to all containers. If unspecified, the container runtime will allocate a random SELinux context for each container. May also be set in SecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence for that container. Note that this field cannot be set when spec.os.name is windows. -| cluster.securityContext.seLinuxOptions.level | string | `nil` | Level is SELinux level label that applies to the container. 
-| cluster.securityContext.seLinuxOptions.role | string | `nil` | Role is a SELinux role label that applies to the container. -| cluster.securityContext.seLinuxOptions.type | string | `nil` | Type is a SELinux type label that applies to the container. -| cluster.securityContext.seLinuxOptions.user | string | `nil` | User is a SELinux user label that applies to the container. -| cluster.securityContext.seccompProfile | object | `{"localhostProfile":null,"type":null}` | The seccomp options to use by the containers in this pod. Note that this field cannot be set when spec.os.name is windows. -| cluster.securityContext.seccompProfile.localhostProfile | string | `nil` | localhostProfile indicates a profile defined in a file on the node should be used. The profile must be preconfigured on the node to work. Must be a descending path, relative to the kubelet's configured seccomp profile location. Must only be set if type is "Localhost". -| cluster.securityContext.seccompProfile.type | string | `nil` | type indicates which kind of seccomp profile will be applied. Valid options are: Localhost - a profile defined in a file on the node should be used. RuntimeDefault - the container runtime default profile should be used. Unconfined - no profile should be applied. -| cluster.securityContext.supplementalGroups | string | `nil` | A list of groups applied to the first process run in each container, in addition to the container's primary GID. If unspecified, no groups will be added to any container. Note that this field cannot be set when spec.os.name is windows. -| cluster.securityContext.sysctls | list | `[]` | Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch. Note that this field cannot be set when spec.os.name is windows. -| cluster.securityContext.windowsOptions | object | `{}` | The Windows specific settings applied to all containers. 
If unspecified, the options within a container's SecurityContext will be used. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. Note that this field cannot be set when spec.os.name is linux. | cluster.serverGroups | string | `nil` | ServerGroups define the set of availability zones you want to distribute pods over, and construct Couchbase server groups for. By default, most cloud providers will label nodes with the key "topology.kubernetes.io/zone", the values associated with that key are used here to provide explicit scheduling by the Operator. You may manually label nodes using the "topology.kubernetes.io/zone" key, to provide failure-domain aware scheduling when none is provided for you. Global server groups are applied to all server classes, and may be overridden on a per-server class basis to give more control over scheduling and server groups. | cluster.servers | object | `{"default":{"autoscaleEnabled":false,"env":[],"envFrom":[],"pod":{"spec":{}},"services":["data","index","query","search","analytics","eventing"],"size":3}}` | Servers defines server classes for the Operator to provision and manage. A server class defines what services are running and how many members make up that class. Specifying multiple server classes allows the Operator to provision clusters with Multi-Dimensional Scaling (MDS). At least one server class must be defined, and at least one server class must be running the data service. | cluster.servers.default | object | `{"autoscaleEnabled":false,"env":[],"envFrom":[],"pod":{"spec":{}},"services":["data","index","query","search","analytics","eventing"],"size":3}` | Name for the server configuration. It must be unique. 
@@ -221,7 +222,7 @@
 | cluster.xdcr.remoteClusters | object | `{"authenticationSecret":null,"hostname":null,"name":null,"replications":{"selector":{"matchExpressions":{"key":null,"operator":null,"values":null},"matchLabels":null}},"tls":{"secret":null},"uuid":null}` | RemoteClusters is a set of named remote clusters to establish replications to.
 | cluster.xdcr.remoteClusters.authenticationSecret | string | `nil` | AuthenticationSecret is a secret used to authenticate when establishing a remote connection. It is only required when not using mTLS. The secret must contain a username (secret key "username") and password (secret key "password").
 | cluster.xdcr.remoteClusters.hostname | string | `nil` | Hostname is the connection string to use to connect the remote cluster. To use IPv6, place brackets (`[`, `]`) around the IPv6 value.
-| cluster.xdcr.remoteClusters.name | string | `nil` | Name of the remote cluster.
+| cluster.xdcr.remoteClusters.name | string | `nil` | Name of the remote cluster. Note that, -operator-managed is added as suffix by operator automatically to the name in order to diffrentiate from non operator managed remote clusters.
 | cluster.xdcr.remoteClusters.replications | object | `{"selector":{"matchExpressions":{"key":null,"operator":null,"values":null},"matchLabels":null}}` | Replications are replication streams from this cluster to the remote one. This field defines how to look up CouchbaseReplication resources. By default any CouchbaseReplication resources in the namespace will be considered.
 | cluster.xdcr.remoteClusters.tls | object | `{"secret":null}` | TLS if specified references a resource containing the necessary certificate data for an encrypted connection.
 | cluster.xdcr.remoteClusters.uuid | string | `nil` | UUID of the remote cluster. The UUID of a CouchbaseCluster resource is advertised in the status.clusterId field of the resource.
@@ -232,7 +233,7 @@
 | coredns.service | string | `nil` | Name of Kubernetes service which exposes DNS endpoints
 | couchbaseOperator.commandArgs | object | `{"pod-create-timeout":"10m"}` | Set of command-line flags to pass on to the Operator to modify its behavior. see: https://docs.couchbase.com/operator/2.0/reference-operator-configuration.html#command-line-arguments
 | couchbaseOperator.commandArgs.pod-create-timeout | string | `"10m"` | Pod creation timeout. The Operator allows the timeout of pod creation to be manually configured. It is primarily intended for use on cloud platforms where the deployment of multiple volumes and pulling of a Couchbase Server container image may take a longer time than the default timeout period.
-| couchbaseOperator.image | object | `{"repository":"couchbase/operator","tag":"2.4.2"}` | Image specifies repository and tag of the Couchbase Operator container.
+| couchbaseOperator.image | object | `{"repository":"couchbase/operator","tag":"2.5.0"}` | Image specifies repository and tag of the Couchbase Operator container.
 | couchbaseOperator.imagePullPolicy | string | `"IfNotPresent"` | The policy for pulling images from the repository onto hosts. The imagePullPolicy value defaults to IfNotPresent, which means that images are only pulled if they’re not present on the Kubernetes node. Values allowed are Always, IfNotPresent, and Never.
 | couchbaseOperator.imagePullSecrets | list | `[]` | ImagePullSecrets is an optional list of references to secrets to use for pulling images.
 | couchbaseOperator.name | string | `"couchbase-operator"` | Name of the couchbase operator Deployment
diff --git a/charts/couchbase-operator/crds/couchbase.crds.yaml b/charts/couchbase-operator/crds/couchbase.crds.yaml
index 3466f68..00f7771 100644
--- a/charts/couchbase-operator/crds/couchbase.crds.yaml
+++ b/charts/couchbase-operator/crds/couchbase.crds.yaml
@@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
 annotations:
- config.couchbase.com/version: 2.4.2
+ config.couchbase.com/version: 2.5.0
 controller-gen.kubebuilder.io/version: v0.8.0
 name: couchbaseautoscalers.couchbase.com
 spec:
@@ -92,7 +92,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
 annotations:
- config.couchbase.com/version: 2.4.2
+ config.couchbase.com/version: 2.5.0
 controller-gen.kubebuilder.io/version: v0.8.0
 name: couchbasebackuprestores.couchbase.com
 spec:
@@ -526,7 +526,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
 annotations:
- config.couchbase.com/version: 2.4.2
+ config.couchbase.com/version: 2.5.0
 controller-gen.kubebuilder.io/version: v0.8.0
 name: couchbasebackups.couchbase.com
 spec:
@@ -685,6 +685,15 @@ spec:
 type: array
 x-kubernetes-list-type: set
 type: object
+ defaultRecoveryType:
+ default: none
+ description: DefaultRecoveryMethod specifies how cbbackupmgr should
+ recover from broken backup/restore attempts.
+ enum:
+ - none
+ - resume
+ - purge
+ type: string
 ephemeralVolume:
 default: false
 description: EphemeralVolume sets backup to use an ephemeral volume
@@ -874,6 +883,8 @@ spec:
 format: int32
 minimum: 0
 type: integer
+ required:
+ - defaultRecoveryType
 type: object
 status:
 description: CouchbaseBackupStatus provides status notifications about
@@ -971,7 +982,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
 annotations:
- config.couchbase.com/version: 2.4.2
+ config.couchbase.com/version: 2.5.0
 controller-gen.kubebuilder.io/version: v0.8.0
 name: couchbasebuckets.couchbase.com
 spec:
@@ -1269,7 +1280,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
 annotations:
- config.couchbase.com/version: 2.4.2
+ config.couchbase.com/version: 2.5.0
 controller-gen.kubebuilder.io/version: v0.8.0
 name: couchbaseclusters.couchbase.com
 spec:
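Review bot: The description added for `defaultRecoveryType` calls the field `DefaultRecoveryMethod`, which is not the key the schema defines and will mislead anyone reading `kubectl explain` output. Suggest `description: DefaultRecoveryType specifies how cbbackupmgr should recover from broken backup/restore attempts.`; since the file carries a `controller-gen.kubebuilder.io/version` annotation the wording presumably has to be changed on the Go type's doc comment and regenerated rather than edited here. The later hunk marks the field `required`, which combined with `default: none` is harmless for existing CouchbaseBackup objects because the API server applies the default before validation, but that interplay is worth a sentence in the chart notes so users do not read `required` as "must be set".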
@@ -1778,11 +1789,11 @@ spec: type: object type: object autoFailoverMaxCount: - default: 3 + default: 1 description: AutoFailoverMaxCount is the maximum number of automatic failovers Couchbase server will allow before not allowing any more. This field must be between 1-3 for server versions prior - to 7.1.0 default is 3. + to 7.1.0 default is 1. format: int64 minimum: 1 type: integer @@ -1819,6 +1830,30 @@ spec: data: description: Data allows the data service to be configured. properties: + auxIOThreads: + description: AuxIOThreads allows the number of threads used + by the data service, per pod, to be altered. This indicates + the number of threads that are to be used in the AuxIO thread + pool to run auxiliary I/O tasks. This value must be between + 4 and 64 threads, and should only be increased where there + are sufficient CPU resources allocated for their use. If + not specified, this defaults to the default value set by + Couchbase Server. + maximum: 64 + minimum: 1 + type: integer + nonIOThreads: + description: NonIOThreads allows the number of threads used + by the data service, per pod, to be altered. This indicates + the number of threads that are to be used in the NonIO thread + pool to run in memory tasks. This value must be between + 4 and 64 threads, and should only be increased where there + are sufficient CPU resources allocated for their use. If + not specified, this defaults to the default value set by + Couchbase Server. + maximum: 64 + minimum: 1 + type: integer readerThreads: description: ReaderThreads allows the number of threads used by the data service, per pod, to be altered. This value 
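Review bot: The new `auxIOThreads` and `nonIOThreads` descriptions state the value "must be between 4 and 64 threads" while the schema directly below each sets `minimum: 1`, so the documented range and the enforced range disagree; the two hunks that follow lower `readerThreads` and `writerThreads` to `minimum: 1` as well. Either the text should read `This value must be between 1 and 64 threads` or the minimum should stay at 4, and the same choice should be applied to all four thread fields. I cannot see the full reader/writer descriptions in this chunk, so they may carry the same stale range text. As this is controller-gen output the fix presumably belongs on the Go type's comment and validation markers, then regenerating.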
@@ -1827,10 +1862,10 @@ spec: use. If not specified, this defaults to the default value set by Couchbase Server. maximum: 64 - minimum: 4 + minimum: 1 type: integer writerThreads: - description: ReaderThreads allows the number of threads used + description: WriterThreads allows the number of threads used by the data service, per pod, to be altered. This setting is especially relevant when using "durable writes", increasing this field will have a large impact on performance. This @@ -1839,7 +1874,7 @@ spec: for their use. If not specified, this defaults to the default value set by Couchbase Server. maximum: 64 - minimum: 4 + minimum: 1 type: integer type: object dataServiceMemoryQuota: @@ -2303,12 +2338,14 @@ spec: type: string enabled: description: Enabled is a boolean that enables/disables the - metrics sidecar container. + metrics sidecar container. This must be set to true, when + image is provided. type: boolean image: description: Image is the metrics image to be used to collect metrics. No validation is carried out as this can be any - arbitrary repo and tag. + arbitrary repo and tag. enabled must be set to true, when + image is provided. type: string refreshRate: default: 60 
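Review bot: The metrics hunk documents a dependency between `enabled` and `image` ("enabled must be set to true, when image is provided") but nothing in the schema enforces it, so a CouchbaseCluster with an image and `enabled` false or unset is accepted by the API server and fails, if at all, only inside the operator. If the operator rejects or silently ignores that combination the description should say which, since silently dropping a user-supplied metrics image is the kind of thing that goes unnoticed. The sentence is also awkward; `Image is the metrics image used to collect metrics; enabled must be true when image is set.` reads more clearly. Where the supported Kubernetes versions allow it, expressing the rule as schema-level validation would remove the ambiguity entirely.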
@@ -2691,6 +2728,36 @@ spec: type: string type: array x-kubernetes-list-type: set + cloudNativeGateway: + description: DEVELOPER PREVIEW - This feature is in developer + preview. CloudNativeGateway is used to provision a gRPC gateway + proxying a Couchbase cluster. + properties: + image: + description: 'DEVELOPER PREVIEW - This feature is in developer + preview. Image is the Cloud Native Gateway image to be used + to run the sidecar container. No validation is carried out + as this can be any arbitrary repo and tag. TODO: provide + a default kubebuilder default image tag as field is mandatory.' + type: string + tls: + description: DEVELOPER PREVIEW - This feature is in developer + preview. TLS defines the TLS configuration for the Cloud + Native Gateway server including server and client certificate + configuration, and TLS security policies. + properties: + serverSecretName: + description: DEVELOPER PREVIEW - This feature is in developer + preview. ServerSecretName specifies the secret name, + in the same namespace as the cluster, that contains + Cloud Native Gateway gRPC server TLS data. The secret + is expected to contain "tls.crt" and "tls.key" as per + the kubernetes.io/tls secret type. + type: string + type: object + required: + - image + type: object disableUIOverHTTP: description: DisableUIOverHTTP is used to explicitly enable and disable UI access over the HTTP protocol. If not specified, 
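Review bot: The `cloudNativeGateway.tls` description promises "server and client certificate configuration, and TLS security policies", but the only property defined under it is `serverSecretName`, so the schema does not deliver what the text advertises. Trim the description to what exists, e.g. `TLS configures the server certificate for the Cloud Native Gateway gRPC listener via serverSecretName.`, and add the client-certificate and policy wording only when those fields land. `tls` is optional while `image` is required, so a gateway can be provisioned with no server secret at all; whether the sidecar then serves plaintext gRPC or refuses to start is not visible here and should be stated in the description, because it decides whether the proxy exposes the cluster unencrypted. The `TODO: provide a default kubebuilder default image tag` inside a user-facing description belongs in a code comment rather than in the published CRD.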
@@ -3512,6 +3579,181 @@ spec: - hosts - port type: object + podSecurityContext: + description: 'PodSecurityContext allows the configuration of the + security context for all Couchbase server pods. When using + persistent volumes you may need to set the fsGroup field in + order to write to the volume. For non-root clusters you must + also set runAsUser to 1000, corresponding to the Couchbase user + in official container images. More info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/' + properties: + fsGroup: + description: "A special supplemental group that applies to + all containers in a pod. Some volume types allow the Kubelet + to change the ownership of that volume to be owned by the + pod: \n 1. The owning GID will be the FSGroup 2. The setgid + bit is set (new files created in the volume will be owned + by FSGroup) 3. The permission bits are OR'd with rw-rw---- + \n If unset, the Kubelet will not modify the ownership and + permissions of any volume. Note that this field cannot be + set when spec.os.name is windows." + format: int64 + type: integer + fsGroupChangePolicy: + description: 'fsGroupChangePolicy defines behavior of changing + ownership and permission of the volume before being exposed + inside Pod. This field will only apply to volume types which + support fsGroup based ownership(and permissions). It will + have no effect on ephemeral volume types such as: secret, + configmaps and emptydir. Valid values are "OnRootMismatch" + and "Always". If not specified, "Always" is used. Note that + this field cannot be set when spec.os.name is windows.' + type: string + runAsGroup: + description: The GID to run the entrypoint of the container + process. Uses runtime default if unset. May also be set + in SecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext + takes precedence for that container. Note that this field + cannot be set when spec.os.name is windows. 
+ format: int64 + type: integer + runAsNonRoot: + description: Indicates that the container must run as a non-root + user. If true, the Kubelet will validate the image at runtime + to ensure that it does not run as UID 0 (root) and fail + to start the container if it does. If unset or false, no + such validation will be performed. May also be set in SecurityContext. If + set in both SecurityContext and PodSecurityContext, the + value specified in SecurityContext takes precedence. + type: boolean + runAsUser: + description: The UID to run the entrypoint of the container + process. Defaults to user specified in image metadata if + unspecified. May also be set in SecurityContext. If set + in both SecurityContext and PodSecurityContext, the value + specified in SecurityContext takes precedence for that container. + Note that this field cannot be set when spec.os.name is + windows. + format: int64 + type: integer + seLinuxOptions: + description: The SELinux context to be applied to all containers. + If unspecified, the container runtime will allocate a random + SELinux context for each container. May also be set in + SecurityContext. If set in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext takes precedence + for that container. Note that this field cannot be set when + spec.os.name is windows. + properties: + level: + description: Level is SELinux level label that applies + to the container. + type: string + role: + description: Role is a SELinux role label that applies + to the container. + type: string + type: + description: Type is a SELinux type label that applies + to the container. + type: string + user: + description: User is a SELinux user label that applies + to the container. + type: string + type: object + seccompProfile: + description: The seccomp options to use by the containers + in this pod. Note that this field cannot be set when spec.os.name + is windows. 
+ properties: + localhostProfile: + description: localhostProfile indicates a profile defined + in a file on the node should be used. The profile must + be preconfigured on the node to work. Must be a descending + path, relative to the kubelet's configured seccomp profile + location. Must only be set if type is "Localhost". + type: string + type: + description: "type indicates which kind of seccomp profile + will be applied. Valid options are: \n Localhost - a + profile defined in a file on the node should be used. + RuntimeDefault - the container runtime default profile + should be used. Unconfined - no profile should be applied." + type: string + required: + - type + type: object + supplementalGroups: + description: A list of groups applied to the first process + run in each container, in addition to the container's primary + GID. If unspecified, no groups will be added to any container. + Note that this field cannot be set when spec.os.name is + windows. + items: + format: int64 + type: integer + type: array + sysctls: + description: Sysctls hold a list of namespaced sysctls used + for the pod. Pods with unsupported sysctls (by the container + runtime) might fail to launch. Note that this field cannot + be set when spec.os.name is windows. + items: + description: Sysctl defines a kernel parameter to be set + properties: + name: + description: Name of a property to set + type: string + value: + description: Value of a property to set + type: string + required: + - name + - value + type: object + type: array + windowsOptions: + description: The Windows specific settings applied to all + containers. If unspecified, the options within a container's + SecurityContext will be used. If set in both SecurityContext + and PodSecurityContext, the value specified in SecurityContext + takes precedence. Note that this field cannot be set when + spec.os.name is linux. 
+ properties: + gmsaCredentialSpec: + description: GMSACredentialSpec is where the GMSA admission + webhook (https://github.com/kubernetes-sigs/windows-gmsa) + inlines the contents of the GMSA credential spec named + by the GMSACredentialSpecName field. + type: string + gmsaCredentialSpecName: + description: GMSACredentialSpecName is the name of the + GMSA credential spec to use. + type: string + hostProcess: + description: HostProcess determines if a container should + be run as a 'Host Process' container. This field is + alpha-level and will only be honored by components that + enable the WindowsHostProcessContainers feature flag. + Setting this field without the feature flag will result + in errors when validating the Pod. All of a Pod's containers + must have the same effective HostProcess value (it is + not allowed to have a mix of HostProcess containers + and non-HostProcess containers). In addition, if HostProcess + is true then HostNetwork must also be set to true. + type: boolean + runAsUserName: + description: The UserName in Windows to run the entrypoint + of the container process. Defaults to the user specified + in image metadata if unspecified. May also be set in + PodSecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext + takes precedence. + type: string + type: object + type: object rbac: description: RBAC is the options provided for enabling and selecting RBAC User resources to manage. 
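Review bot: This schema types `podSecurityContext.supplementalGroups` as an array of int64 and `sysctls` as an array of `{name, value}` objects, but the README rows this commit generates for the same fields (`cluster.security.podSecurityContext.supplementalGroups | string | nil` and `sysctls | object | {"name":null,"value":null}`) present them as a scalar and a single object, whereas the removed `cluster.securityContext.sysctls | list | []` row had the list shape. A user who copies the documented default into their values gets an object where the CRD wants a list and the CouchbaseCluster is rejected on apply. The generated values for `podSecurityContext.sysctls` and `supplementalGroups` should be `[]`, which presumably means adjusting the value generator listed in the diffstat rather than hand-editing the README. The same applies to `seccompProfile`, whose documented default `{"localhostProfile":null,"type":null}` cannot be applied as-is because `type` is `required` in this schema.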
@@ -3567,6 +3809,178 @@ spec: type: object type: object type: object + securityContext: + description: 'SecurityContext defines the security options the + container should be run with. If set, the fields of SecurityContext + override the equivalent fields of PodSecurityContext. Use securityContext.allowPrivilegeEscalation + field to grant more privileges than its parent process. More + info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/' + properties: + allowPrivilegeEscalation: + description: 'AllowPrivilegeEscalation controls whether a + process can gain more privileges than its parent process. + This bool directly controls if the no_new_privs flag will + be set on the container process. AllowPrivilegeEscalation + is true always when the container is: 1) run as Privileged + 2) has CAP_SYS_ADMIN Note that this field cannot be set + when spec.os.name is windows.' + type: boolean + capabilities: + description: The capabilities to add/drop when running containers. + Defaults to the default set of capabilities granted by the + container runtime. Note that this field cannot be set when + spec.os.name is windows. + properties: + add: + description: Added capabilities + items: + description: Capability represent POSIX capabilities + type + type: string + type: array + drop: + description: Removed capabilities + items: + description: Capability represent POSIX capabilities + type + type: string + type: array + type: object + privileged: + description: Run container in privileged mode. Processes in + privileged containers are essentially equivalent to root + on the host. Defaults to false. Note that this field cannot + be set when spec.os.name is windows. + type: boolean + procMount: + description: procMount denotes the type of proc mount to use + for the containers. The default is DefaultProcMount which + uses the container runtime defaults for readonly paths and + masked paths. This requires the ProcMountType feature flag + to be enabled. 
Note that this field cannot be set when spec.os.name + is windows. + type: string + readOnlyRootFilesystem: + description: Whether this container has a read-only root filesystem. + Default is false. Note that this field cannot be set when + spec.os.name is windows. + type: boolean + runAsGroup: + description: The GID to run the entrypoint of the container + process. Uses runtime default if unset. May also be set + in PodSecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext + takes precedence. Note that this field cannot be set when + spec.os.name is windows. + format: int64 + type: integer + runAsNonRoot: + description: Indicates that the container must run as a non-root + user. If true, the Kubelet will validate the image at runtime + to ensure that it does not run as UID 0 (root) and fail + to start the container if it does. If unset or false, no + such validation will be performed. May also be set in PodSecurityContext. If + set in both SecurityContext and PodSecurityContext, the + value specified in SecurityContext takes precedence. + type: boolean + runAsUser: + description: The UID to run the entrypoint of the container + process. Defaults to user specified in image metadata if + unspecified. May also be set in PodSecurityContext. If + set in both SecurityContext and PodSecurityContext, the + value specified in SecurityContext takes precedence. Note + that this field cannot be set when spec.os.name is windows. + format: int64 + type: integer + seLinuxOptions: + description: The SELinux context to be applied to the container. + If unspecified, the container runtime will allocate a random + SELinux context for each container. May also be set in + PodSecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext + takes precedence. Note that this field cannot be set when + spec.os.name is windows. 
+ properties: + level: + description: Level is SELinux level label that applies + to the container. + type: string + role: + description: Role is a SELinux role label that applies + to the container. + type: string + type: + description: Type is a SELinux type label that applies + to the container. + type: string + user: + description: User is a SELinux user label that applies + to the container. + type: string + type: object + seccompProfile: + description: The seccomp options to use by this container. + If seccomp options are provided at both the pod & container + level, the container options override the pod options. Note + that this field cannot be set when spec.os.name is windows. + properties: + localhostProfile: + description: localhostProfile indicates a profile defined + in a file on the node should be used. The profile must + be preconfigured on the node to work. Must be a descending + path, relative to the kubelet's configured seccomp profile + location. Must only be set if type is "Localhost". + type: string + type: + description: "type indicates which kind of seccomp profile + will be applied. Valid options are: \n Localhost - a + profile defined in a file on the node should be used. + RuntimeDefault - the container runtime default profile + should be used. Unconfined - no profile should be applied." + type: string + required: + - type + type: object + windowsOptions: + description: The Windows specific settings applied to all + containers. If unspecified, the options from the PodSecurityContext + will be used. If set in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name is + linux. + properties: + gmsaCredentialSpec: + description: GMSACredentialSpec is where the GMSA admission + webhook (https://github.com/kubernetes-sigs/windows-gmsa) + inlines the contents of the GMSA credential spec named + by the GMSACredentialSpecName field. 
+ type: string + gmsaCredentialSpecName: + description: GMSACredentialSpecName is the name of the + GMSA credential spec to use. + type: string + hostProcess: + description: HostProcess determines if a container should + be run as a 'Host Process' container. This field is + alpha-level and will only be honored by components that + enable the WindowsHostProcessContainers feature flag. + Setting this field without the feature flag will result + in errors when validating the Pod. All of a Pod's containers + must have the same effective HostProcess value (it is + not allowed to have a mix of HostProcess containers + and non-HostProcess containers). In addition, if HostProcess + is true then HostNetwork must also be set to true. + type: boolean + runAsUserName: + description: The UserName in Windows to run the entrypoint + of the container process. Defaults to the user specified + in image metadata if unspecified. May also be set in + PodSecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext + takes precedence. + type: string + type: object + type: object uiSessionTimeout: default: 0 description: UISessionTimeout sets how long, in minutes, before 
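Review bot: `allowPrivilegeEscalation` has no `default:` in this schema, so the `false` default described in the commit message exists only in the chart values (the README row for `cluster.security.securityContext.allowPrivilegeEscalation`); a CouchbaseCluster applied without the chart gets the container runtime's behaviour for this flag. If the intent is a safe default for every consumer, add `default: false` under the property here via the controller-gen marker on the Go type; otherwise the chart docs should say the default is chart-only. The parent description's sentence "Use securityContext.allowPrivilegeEscalation field to grant more privileges than its parent process" reads as a recommendation to enable it; `allowPrivilegeEscalation is set to false by the chart by default; set it to true only if the workload requires it.` states the contract better. `privileged`, `procMount` and `capabilities.add` are passed through with no defaults or constraints, which matches the Kubernetes types but means only cluster admission policy, not this chart, bounds what a CouchbaseCluster can request; a sentence saying so in those descriptions would help operators.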
@@ -3579,12 +3993,12 @@ spec:
 - adminSecret
 type: object
 securityContext:
- description: 'SecurityContext allows the configuration of the security
- context for all Couchbase server pods. When using persistent volumes
- you may need to set the fsGroup field in order to write to the volume. For
- non-root clusters you must also set runAsUser to 1000, corresponding
- to the Couchbase user in official container images. More info:
- https://kubernetes.io/docs/tasks/configure-pod-container/security-context/'
+ description: 'DEPRECATED - by spec.security.securityContext SecurityContext
+ allows the configuration of the security context for all Couchbase
+ server pods. When using persistent volumes you may need to set
+ the fsGroup field in order to write to the volume. For non-root
+ clusters you must also set runAsUser to 1000, corresponding to the
+ Couchbase user in official container images. More info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/'
 properties:
 fsGroup:
 description: "A special supplemental group that applies to all
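Review bot: The new deprecation text on `spec.securityContext` points users at `spec.security.securityContext`, but the fields it carries (fsGroup, runAsUser, runAsNonRoot) are pod-level and, per the commit message and the values files in this change, move to `spec.security.podSecurityContext`; `spec.security.securityContext` is the container-level context that only gets `allowPrivilegeEscalation` here. Anyone following the hint would try to set `fsGroup` on the wrong object and have it rejected by schema validation. Since this file is controller-gen output, the wording belongs in the Go type comment: `DEPRECATED - by spec.security.podSecurityContext. SecurityContext allows the configuration ...`. The enclosing schema continues outside the hunk.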
@@ -5839,7 +6253,10 @@ spec: pattern: ^((couchbase|http)(s)?(://))?((\b((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(\.|$)){4}\b)|((([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9]))|\[(\s*((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:)))(%.+)?\s*\]))(:[0-9]{0,5})?(\\{0,1}\?network=[^&]+)?$ type: string name: - description: Name of the remote cluster. + description: Name of the remote cluster. Note that, -operator-managed + is added as suffix by operator automatically to the name + in order to diffrentiate from non operator managed remote + clusters. type: string replications: description: Replications are replication streams from this @@ -6207,7 +6624,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - config.couchbase.com/version: 2.4.2 + config.couchbase.com/version: 2.5.0 controller-gen.kubebuilder.io/version: v0.8.0 name: couchbasecollectiongroups.couchbase.com spec: 
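Review bot: The new description for the remote cluster `name` field contains a typo ("diffrentiate") and the sentence "Note that, -operator-managed is added as suffix by operator automatically" is hard to parse; the same text is repeated in the values-all.yaml hunk at `@@ -2152,7 +2223,9 @@`. As this CRD is controller-gen output, the fix belongs in the source type comment, e.g. `Name of the remote cluster. The operator automatically appends the "-operator-managed" suffix to distinguish operator-managed remote clusters from manually created ones.` This is a documentation-only change otherwise.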
@@ -6293,7 +6710,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - config.couchbase.com/version: 2.4.2 + config.couchbase.com/version: 2.5.0 controller-gen.kubebuilder.io/version: v0.8.0 name: couchbasecollections.couchbase.com spec: @@ -6366,7 +6783,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - config.couchbase.com/version: 2.4.2 + config.couchbase.com/version: 2.5.0 controller-gen.kubebuilder.io/version: v0.8.0 name: couchbaseephemeralbuckets.couchbase.com spec: @@ -6641,7 +7058,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - config.couchbase.com/version: 2.4.2 + config.couchbase.com/version: 2.5.0 controller-gen.kubebuilder.io/version: v0.8.0 name: couchbasegroups.couchbase.com spec: @@ -7008,7 +7425,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - config.couchbase.com/version: 2.4.2 + config.couchbase.com/version: 2.5.0 controller-gen.kubebuilder.io/version: v0.8.0 name: couchbasememcachedbuckets.couchbase.com spec: @@ -7089,7 +7506,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - config.couchbase.com/version: 2.4.2 + config.couchbase.com/version: 2.5.0 controller-gen.kubebuilder.io/version: v0.8.0 name: couchbasemigrationreplications.couchbase.com spec: @@ -7237,7 +7654,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - config.couchbase.com/version: 2.4.2 + config.couchbase.com/version: 2.5.0 controller-gen.kubebuilder.io/version: v0.8.0 name: couchbasereplications.couchbase.com spec: @@ -7442,7 +7859,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - config.couchbase.com/version: 2.4.2 + config.couchbase.com/version: 2.5.0 controller-gen.kubebuilder.io/version: v0.8.0 name: couchbaserolebindings.couchbase.com spec: 
@@ -7522,7 +7939,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - config.couchbase.com/version: 2.4.2 + config.couchbase.com/version: 2.5.0 controller-gen.kubebuilder.io/version: v0.8.0 name: couchbasescopegroups.couchbase.com spec: @@ -7697,7 +8114,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - config.couchbase.com/version: 2.4.2 + config.couchbase.com/version: 2.5.0 controller-gen.kubebuilder.io/version: v0.8.0 name: couchbasescopes.couchbase.com spec: @@ -7869,7 +8286,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - config.couchbase.com/version: 2.4.2 + config.couchbase.com/version: 2.5.0 controller-gen.kubebuilder.io/version: v0.8.0 name: couchbaseusers.couchbase.com spec: diff --git a/charts/couchbase-operator/values-all.yaml b/charts/couchbase-operator/values-all.yaml index eb7b0b4..b54a1c2 100644 --- a/charts/couchbase-operator/values-all.yaml +++ b/charts/couchbase-operator/values-all.yaml @@ -20,7 +20,7 @@ couchbaseOperator: # -- Image specifies repository and tag of the Couchbase Operator container. image: repository: couchbase/operator - tag: 2.4.2 + tag: 2.5.0 # -- The policy for pulling images from the repository onto hosts. # The imagePullPolicy value defaults to IfNotPresent, which means # that images are only pulled if they’re not present on the Kubernetes node. @@ -53,7 +53,7 @@ admissionController: # -- Image specifies repository and tag of the Couchbase Admission container. image: repository: couchbase/admission-controller - tag: 2.4.2 + tag: 2.5.0 # -- The policy for pulling images from the repository onto hosts. # The imagePullPolicy value defaults to IfNotPresent, which means # that images are only pulled if they’re not present on the Kubernetes node. 
@@ -311,8 +311,6 @@ scopes: {}
 # # contain only [a-zA-Z0-9_-%] and not start with either _ or %.
 # name:
-
-
 # -- Uncomment to create a "couchbasegroups" resource
 groups: {}
 # default:
@@ -1007,8 +1005,8 @@ cluster:
 size:
 # -- AutoFailoverMaxCount is the maximum number of automatic failovers
 # Couchbase server will allow before not allowing any more. This field must
- # be between 1-3 for server versions prior to 7.1.0 default is 3.
- autoFailoverMaxCount: 3
+ # be between 1-3 for server versions prior to 7.1.0 default is 1.
+ autoFailoverMaxCount: 1
 # -- AutoFailoverOnDataDiskIssues defines whether Couchbase server should
 # failover a pod if a disk issue was detected.
 autoFailoverOnDataDiskIssues: false
@@ -1033,13 +1031,27 @@ cluster: clusterName: # -- Data allows the data service to be configured. data: + # -- AuxIOThreads allows the number of threads used by the data service, + # per pod, to be altered. This indicates the number of threads that are + # to be used in the AuxIO thread pool to run auxiliary I/O tasks. This + # value must be between 4 and 64 threads, and should only be increased + # where there are sufficient CPU resources allocated for their use. If not + # specified, this defaults to the default value set by Couchbase Server. + auxIOThreads: + # -- NonIOThreads allows the number of threads used by the data service, + # per pod, to be altered. This indicates the number of threads that are + # to be used in the NonIO thread pool to run in memory tasks. This value + # must be between 4 and 64 threads, and should only be increased where + # there are sufficient CPU resources allocated for their use. If not + # specified, this defaults to the default value set by Couchbase Server. + nonIOThreads: # -- ReaderThreads allows the number of threads used by the data service, # per pod, to be altered. This value must be between 4 and 64 threads, # and should only be increased where there are sufficient CPU resources # allocated for their use. If not specified, this defaults to the default # value set by Couchbase Server. readerThreads: - # -- ReaderThreads allows the number of threads used by the data service, + # -- WriterThreads allows the number of threads used by the data service, # per pod, to be altered. This setting is especially relevant when using # "durable writes", increasing this field will have a large impact on # performance. This value must be between 4 and 64 threads, and should 
@@ -1177,7 +1189,7 @@ cluster: # -- Image is the container image name that will be used to launch Couchbase # server instances. Updating this field will cause an automatic upgrade of # the cluster. - image: couchbase/server:7.1.3 + image: couchbase/server:7.2.0 # -- Logging defines Operator logging options. logging: # -- Used to manage the audit configuration directly @@ -1530,6 +1542,26 @@ cluster: # "eventing" and "analytics". Each service may only be included once. adminConsoleServices: - data + # -- DEVELOPER PREVIEW - This feature is in developer preview. + # CloudNativeGateway is used to provision a gRPC gateway proxying a + # Couchbase cluster. + cloudNativeGateway: + # -- DEVELOPER PREVIEW - This feature is in developer preview. Image is + # the Cloud Native Gateway image to be used to run the sidecar container. + # No validation is carried out as this can be any arbitrary repo and tag. + # TODO: provide a default kubebuilder default image tag as field is + # mandatory. + image: + # -- DEVELOPER PREVIEW - This feature is in developer preview. TLS defines + # the TLS configuration for the Cloud Native Gateway server including + # server and client certificate configuration, and TLS security policies. + tls: + # DEVELOPER PREVIEW - This feature is in developer preview. + # ServerSecretName specifies the secret name, in the same namespace as + # the cluster, that contains Cloud Native Gateway gRPC server TLS data. + # The secret is expected to contain "tls.crt" and "tls.key" as per the + # kubernetes.io/tls secret type. + serverSecretName: # -- DisableUIOverHTTP is used to explicitly enable and disable UI access # over the HTTP protocol. If not specified, this field defaults to false. disableUIOverHTTP: false 
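Review bot: In the new `cloudNativeGateway` block the comment above `tls.serverSecretName` uses a plain `#` while every sibling uses the helm-docs `# --` marker, so this field will be missing from the generated README even though it is the one that carries TLS material. Changing the first comment line to `# -- DEVELOPER PREVIEW - This feature is in developer preview.` keeps it consistent with `image:` and `tls:` above it. The `image:` comment also says the field is mandatory yet the value is left blank; a sentence stating that the chart does not supply a default and the user must set it would save a failed apply.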
@@ -1847,6 +1879,118 @@ cluster: adminSecret: '' # -- Cluster administrator pasword, auto-generated when empty password: '' + # -- PodSecurityContext allows the configuration of the security context for + # all Couchbase server pods. When using persistent volumes you may need to + # set the fsGroup field in order to write to the volume. For non-root + # clusters you must also set runAsUser to 1000, corresponding to the + # Couchbase user in official container images. More info: + # https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + podSecurityContext: + # -- A special supplemental group that applies to all containers in a pod. + # Some volume types allow the Kubelet to change the ownership of that + # volume to be owned by the pod: 1. The owning GID will be the FSGroup + # 2. The setgid bit is set (new files created in the volume will be owned + # by FSGroup) 3. The permission bits are OR'd with rw-rw---- If unset, + # the Kubelet will not modify the ownership and permissions of any volume. + # Note that this field cannot be set when spec.os.name is windows. + fsGroup: 1000 + # -- fsGroupChangePolicy defines behavior of changing ownership and + # permission of the volume before being exposed inside Pod. This field + # will only apply to volume types which support fsGroup based + # ownership(and permissions). It will have no effect on ephemeral volume + # types such as: secret, configmaps and emptydir. Valid values are + # "OnRootMismatch" and "Always". If not specified, "Always" is used. Note + # that this field cannot be set when spec.os.name is windows. + fsGroupChangePolicy: + # -- The GID to run the entrypoint of the container process. Uses runtime + # default if unset. May also be set in SecurityContext. If set in both + # SecurityContext and PodSecurityContext, the value specified in + # SecurityContext takes precedence for that container. Note that this + # field cannot be set when spec.os.name is windows. 
+ runAsGroup: + # -- Indicates that the container must run as a non-root user. If true, + # the Kubelet will validate the image at runtime to ensure that it does + # not run as UID 0 (root) and fail to start the container if it does. If + # unset or false, no such validation will be performed. May also be set in + # SecurityContext. If set in both SecurityContext and PodSecurityContext, + # the value specified in SecurityContext takes precedence. + runAsNonRoot: true + # -- The UID to run the entrypoint of the container process. Defaults to + # user specified in image metadata if unspecified. May also be set in + # SecurityContext. If set in both SecurityContext and PodSecurityContext, + # the value specified in SecurityContext takes precedence for that + # container. Note that this field cannot be set when spec.os.name is + # windows. + runAsUser: 1000 + # -- The SELinux context to be applied to all containers. If unspecified, + # the container runtime will allocate a random SELinux context for each + # container. May also be set in SecurityContext. If set in both + # SecurityContext and PodSecurityContext, the value specified in + # SecurityContext takes precedence for that container. Note that this + # field cannot be set when spec.os.name is windows. + seLinuxOptions: + # Level is SELinux level label that applies to the container. + level: + # Role is a SELinux role label that applies to the container. + role: + # Type is a SELinux type label that applies to the container. + type: + # User is a SELinux user label that applies to the container. + user: + # -- The seccomp options to use by the containers in this pod. Note that + # this field cannot be set when spec.os.name is windows. + seccompProfile: + # localhostProfile indicates a profile defined in a file on the node + # should be used. The profile must be preconfigured on the node to work. + # Must be a descending path, relative to the kubelet's configured + # seccomp profile location. 
Must only be set if type is "Localhost". + localhostProfile: + # type indicates which kind of seccomp profile will be applied. Valid + # options are: Localhost - a profile defined in a file on the node + # should be used. RuntimeDefault - the container runtime default profile + # should be used. Unconfined - no profile should be applied. + type: + # -- A list of groups applied to the first process run in each container, + # in addition to the container's primary GID. If unspecified, no groups + # will be added to any container. Note that this field cannot be set when + # spec.os.name is windows. + supplementalGroups: + # -- Sysctls hold a list of namespaced sysctls used for the pod. Pods with + # unsupported sysctls (by the container runtime) might fail to launch. + # Note that this field cannot be set when spec.os.name is windows. + sysctls: + # Name of a property to set + name: + # Value of a property to set + value: + # -- The Windows specific settings applied to all containers. If + # unspecified, the options within a container's SecurityContext will be + # used. If set in both SecurityContext and PodSecurityContext, the value + # specified in SecurityContext takes precedence. Note that this field + # cannot be set when spec.os.name is linux. + windowsOptions: + # GMSACredentialSpec is where the GMSA admission webhook + # (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents + # of the GMSA credential spec named by the GMSACredentialSpecName field. + gmsaCredentialSpec: + # GMSACredentialSpecName is the name of the GMSA credential spec to use. + gmsaCredentialSpecName: + # HostProcess determines if a container should be run as a 'Host + # Process' container. This field is alpha-level and will only be honored + # by components that enable the WindowsHostProcessContainers feature + # flag. Setting this field without the feature flag will result in + # errors when validating the Pod. 
All of a Pod's containers must have + # the same effective HostProcess value (it is not allowed to have a mix + # of HostProcess containers and non-HostProcess containers). In + # addition, if HostProcess is true then HostNetwork must also be set to + # true. + hostProcess: false + # The UserName in Windows to run the entrypoint of the container + # process. Defaults to the user specified in image metadata if + # unspecified. May also be set in PodSecurityContext. If set in both + # SecurityContext and PodSecurityContext, the value specified in + # SecurityContext takes precedence. + runAsUserName: # -- RBAC is the options provided for enabling and selecting RBAC User # resources to manage. rbac: 
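Review bot: The new `podSecurityContext` renders `sysctls:` as a mapping with `name:`/`value:` children, but the description in the same hunk calls it "a list of namespaced sysctls" and the value it replaces was `sysctls: []`, so a user who uncomments it as shown gets a schema rejection; the entry should be rendered as a list item (`sysctls:` / `- name:` / `value:`). The block also emits `windowsOptions` with `hostProcess: false` for a deployment that, with `runAsUser: 1000` and `fsGroup: 1000`, is clearly Linux; the hunk's own description says this field cannot be set when `spec.os.name` is linux, so if the operator propagates it verbatim to pods that declare the OS, creation fails, and it is safer left unset. The same `windowsOptions` default appears in values.yaml at `@@ -1095,40 +1093,62 @@`.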
@@ -1873,98 +2017,25 @@ cluster: # key field is "key", the operator is "In", and the values array # contains only "value". The requirements are ANDed. matchLabels: + # -- SecurityContext defines the security options the container should be + # run with. If set, the fields of SecurityContext override the equivalent + # fields of PodSecurityContext. Use securityContext.allowPrivilegeEscalation + # field to grant more privileges than its parent process. More info: + # https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + securityContext: + # -- AllowPrivilegeEscalation controls whether a process can gain more + # privileges than its parent process. This bool directly controls if the + # no_new_privs flag will be set on the container process. + # AllowPrivilegeEscalation is true always when the container is: 1) run as + # Privileged 2) has CAP_SYS_ADMIN Note that this field cannot be set when + # spec.os.name is windows. + allowPrivilegeEscalation: false # -- UISessionTimeout sets how long, in minutes, before a user is declared # inactive and signed out from the Couchbase Server UI. 0 represents no time # out. uiSessionTimeout: 0 # -- Cluster administrator username username: Administrator - # -- SecurityContext allows the configuration of the security context for all - # Couchbase server pods. When using persistent volumes you may need to set - # the fsGroup field in order to write to the volume. For non-root clusters - # you must also set runAsUser to 1000, corresponding to the Couchbase user in - # official container images. More info: - # https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ - securityContext: - # -- A special supplemental group that applies to all containers in a pod. - # Some volume types allow the Kubelet to change the ownership of that volume - # to be owned by the pod: 1. The owning GID will be the FSGroup 2. The - # setgid bit is set (new files created in the volume will be owned by - # FSGroup) 3. 
The permission bits are OR'd with rw-rw---- If unset, the - # Kubelet will not modify the ownership and permissions of any volume. Note - # that this field cannot be set when spec.os.name is windows. - fsGroup: 1000 - # -- fsGroupChangePolicy defines behavior of changing ownership and - # permission of the volume before being exposed inside Pod. This field will - # only apply to volume types which support fsGroup based ownership(and - # permissions). It will have no effect on ephemeral volume types such as: - # secret, configmaps and emptydir. Valid values are "OnRootMismatch" and - # "Always". If not specified, "Always" is used. Note that this field cannot - # be set when spec.os.name is windows. - fsGroupChangePolicy: - # -- The GID to run the entrypoint of the container process. Uses runtime - # default if unset. May also be set in SecurityContext. If set in both - # SecurityContext and PodSecurityContext, the value specified in - # SecurityContext takes precedence for that container. Note that this field - # cannot be set when spec.os.name is windows. - runAsGroup: - # -- Indicates that the container must run as a non-root user. If true, the - # Kubelet will validate the image at runtime to ensure that it does not run - # as UID 0 (root) and fail to start the container if it does. If unset or - # false, no such validation will be performed. May also be set in - # SecurityContext. If set in both SecurityContext and PodSecurityContext, - # the value specified in SecurityContext takes precedence. - runAsNonRoot: true - # -- The UID to run the entrypoint of the container process. Defaults to - # user specified in image metadata if unspecified. May also be set in - # SecurityContext. If set in both SecurityContext and PodSecurityContext, - # the value specified in SecurityContext takes precedence for that - # container. Note that this field cannot be set when spec.os.name is - # windows. - runAsUser: 1000 - # -- The SELinux context to be applied to all containers. 
If unspecified, - # the container runtime will allocate a random SELinux context for each - # container. May also be set in SecurityContext. If set in both - # SecurityContext and PodSecurityContext, the value specified in - # SecurityContext takes precedence for that container. Note that this field - # cannot be set when spec.os.name is windows. - seLinuxOptions: - # -- Level is SELinux level label that applies to the container. - level: - # -- Role is a SELinux role label that applies to the container. - role: - # -- Type is a SELinux type label that applies to the container. - type: - # -- User is a SELinux user label that applies to the container. - user: - # -- The seccomp options to use by the containers in this pod. Note that - # this field cannot be set when spec.os.name is windows. - seccompProfile: - # -- localhostProfile indicates a profile defined in a file on the node - # should be used. The profile must be preconfigured on the node to work. - # Must be a descending path, relative to the kubelet's configured seccomp - # profile location. Must only be set if type is "Localhost". - localhostProfile: - # -- type indicates which kind of seccomp profile will be applied. Valid - # options are: Localhost - a profile defined in a file on the node - # should be used. RuntimeDefault - the container runtime default profile - # should be used. Unconfined - no profile should be applied. - type: - # -- A list of groups applied to the first process run in each container, in - # addition to the container's primary GID. If unspecified, no groups will - # be added to any container. Note that this field cannot be set when - # spec.os.name is windows. - supplementalGroups: - # -- Sysctls hold a list of namespaced sysctls used for the pod. Pods with - # unsupported sysctls (by the container runtime) might fail to launch. Note - # that this field cannot be set when spec.os.name is windows. - sysctls: [] - # -- The Windows specific settings applied to all containers. 
If - # unspecified, the options within a container's SecurityContext will be - # used. If set in both SecurityContext and PodSecurityContext, the value - # specified in SecurityContext takes precedence. Note that this field cannot - # be set when spec.os.name is linux. - windowsOptions: {} # -- ServerGroups define the set of availability zones you want to distribute # pods over, and construct Couchbase server groups for. By default, most # cloud providers will label nodes with the key "topology.kubernetes.io/zone", @@ -2152,7 +2223,9 @@ cluster: # -- Hostname is the connection string to use to connect the remote # cluster. To use IPv6, place brackets (`[`, `]`) around the IPv6 value. hostname: - # -- Name of the remote cluster. + # -- Name of the remote cluster. Note that, -operator-managed is added as + # suffix by operator automatically to the name in order to diffrentiate + # from non operator managed remote clusters. name: # -- Replications are replication streams from this cluster to the remote # one. This field defines how to look up CouchbaseReplication resources. diff --git a/charts/couchbase-operator/values.yaml b/charts/couchbase-operator/values.yaml index 94ec034..67ef359 100644 --- a/charts/couchbase-operator/values.yaml +++ b/charts/couchbase-operator/values.yaml @@ -20,7 +20,7 @@ couchbaseOperator: # -- Image specifies repository and tag of the Couchbase Operator container. image: repository: couchbase/operator - tag: 2.4.2 + tag: 2.5.0 # -- The policy for pulling images from the repository onto hosts. # The imagePullPolicy value defaults to IfNotPresent, which means # that images are only pulled if they’re not present on the Kubernetes node. 
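Review bot: The new container-level `securityContext` in values-all.yaml shows only `allowPrivilegeEscalation`, although this file appears intended to enumerate every field (it keeps empty placeholders such as `fsGroupChangePolicy:`); the generator replaces the whole map with `{}` before setting that one default (`value_map[crd_value]['security']['securityContext'] = {}` in gen.py), which discards the generated `seLinuxOptions`, `seccompProfile` and `windowsOptions` entries visible in the CRD hunk earlier in this diff. Setting the default into the existing map instead, e.g. `value_map[crd_value]['security'].setdefault('securityContext', {})['allowPrivilegeEscalation'] = False`, would keep this file a complete reference for the container security context.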
@@ -53,7 +53,7 @@ admissionController:
 # -- Image specifies repository and tag of the Couchbase Admission container.
 image:
 repository: couchbase/admission-controller
- tag: 2.4.2
+ tag: 2.5.0
 # -- The policy for pulling images from the repository onto hosts.
 # The imagePullPolicy value defaults to IfNotPresent, which means
 # that images are only pulled if they’re not present on the Kubernetes node.
@@ -311,8 +311,6 @@ scopes: {}
 # # contain only [a-zA-Z0-9_-%] and not start with either _ or %.
 # name:
-
-
 # -- Uncomment to create a "couchbasegroups" resource
 groups: {}
 # default:
@@ -739,7 +737,7 @@ cluster:
 useVirtualPath: false
 # -- The Service Account to run backup (and restore) pods under. Without
 # this backup pods will not be able to update status.
- serviceAccountName:
+ serviceAccountName: couchbase-backup
 # -- Deprecated: by CouchbaseBackup.spec.objectStore.useIAM UseIAMRole
 # enables backup to fetch EC2 instance metadata. This allows the AWS SDK to
 # use the EC2's IAM Role for S3 access. UseIAMRole will ignore credentials
@@ -817,8 +815,8 @@ cluster:
 percent: 30
 # -- AutoFailoverMaxCount is the maximum number of automatic failovers
 # Couchbase server will allow before not allowing any more. This field must
- # be between 1-3 for server versions prior to 7.1.0 default is 3.
- autoFailoverMaxCount: 3
+ # be between 1-3 for server versions prior to 7.1.0 default is 1.
+ autoFailoverMaxCount: 1
 # -- AutoFailoverOnDataDiskIssues defines whether Couchbase server should
 # failover a pod if a disk issue was detected.
 autoFailoverOnDataDiskIssues: false
@@ -947,7 +945,7 @@ cluster:
 envImagePrecedence: false
 # -- Hibernate is whether to hibernate the cluster.
 hibernate: false
- image: couchbase/server:7.1.3
+ image: couchbase/server:7.2.0
 # -- Logging defines Operator logging options.
 logging:
 # -- Used to manage the audit configuration directly
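Review bot: In the `@@ -739,7 +737,7 @@` hunk `serviceAccountName` now defaults to `couchbase-backup` instead of empty, so every install that enables backups references that ServiceAccount, and nothing in this diff shows the chart templating it or its Role/RoleBinding; if it is not created elsewhere in the chart, backup pods will fail admission in a namespace where the account does not exist. If the chart does create it, the comment should say so, e.g. `# this defaults to the "couchbase-backup" service account created by this chart`; if not, either keep the default empty or add the account and the least-privilege RBAC it needs to update status. The commit message does not mention this default change, so it is worth calling out in the release notes either way.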
@@ -1095,40 +1093,62 @@ cluster: adminSecret: '' # -- Cluster administrator pasword, auto-generated when empty password: '' + # -- PodSecurityContext allows the configuration of the security context for + # all Couchbase server pods. When using persistent volumes you may need to + # set the fsGroup field in order to write to the volume. For non-root + # clusters you must also set runAsUser to 1000, corresponding to the + # Couchbase user in official container images. More info: + # https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + podSecurityContext: + fsGroup: 1000 + # -- Indicates that the container must run as a non-root user. If true, + # the Kubelet will validate the image at runtime to ensure that it does + # not run as UID 0 (root) and fail to start the container if it does. If + # unset or false, no such validation will be performed. May also be set in + # SecurityContext. If set in both SecurityContext and PodSecurityContext, + # the value specified in SecurityContext takes precedence. + runAsNonRoot: true + runAsUser: 1000 + # -- The Windows specific settings applied to all containers. If + # unspecified, the options within a container's SecurityContext will be + # used. If set in both SecurityContext and PodSecurityContext, the value + # specified in SecurityContext takes precedence. Note that this field + # cannot be set when spec.os.name is linux. + windowsOptions: + # HostProcess determines if a container should be run as a 'Host + # Process' container. This field is alpha-level and will only be honored + # by components that enable the WindowsHostProcessContainers feature + # flag. Setting this field without the feature flag will result in + # errors when validating the Pod. All of a Pod's containers must have + # the same effective HostProcess value (it is not allowed to have a mix + # of HostProcess containers and non-HostProcess containers). 
In + # addition, if HostProcess is true then HostNetwork must also be set to + # true. + hostProcess: false # -- RBAC is the options provided for enabling and selecting RBAC User # resources to manage. rbac: # -- Managed defines whether RBAC is managed by us or the clients. managed: true + # -- SecurityContext defines the security options the container should be + # run with. If set, the fields of SecurityContext override the equivalent + # fields of PodSecurityContext. Use securityContext.allowPrivilegeEscalation + # field to grant more privileges than its parent process. More info: + # https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + securityContext: + # -- AllowPrivilegeEscalation controls whether a process can gain more + # privileges than its parent process. This bool directly controls if the + # no_new_privs flag will be set on the container process. + # AllowPrivilegeEscalation is true always when the container is: 1) run as + # Privileged 2) has CAP_SYS_ADMIN Note that this field cannot be set when + # spec.os.name is windows. + allowPrivilegeEscalation: false # -- UISessionTimeout sets how long, in minutes, before a user is declared # inactive and signed out from the Couchbase Server UI. 0 represents no time # out. uiSessionTimeout: 0 # -- Cluster administrator username username: Administrator - # -- SecurityContext allows the configuration of the security context for all - # Couchbase server pods. When using persistent volumes you may need to set - # the fsGroup field in order to write to the volume. For non-root clusters - # you must also set runAsUser to 1000, corresponding to the Couchbase user in - # official container images. More info: - # https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ - securityContext: - fsGroup: 1000 - # -- Indicates that the container must run as a non-root user. 
If true, the - # Kubelet will validate the image at runtime to ensure that it does not run - # as UID 0 (root) and fail to start the container if it does. If unset or - # false, no such validation will be performed. May also be set in - # SecurityContext. If set in both SecurityContext and PodSecurityContext, - # the value specified in SecurityContext takes precedence. - runAsNonRoot: true - runAsUser: 1000 - sysctls: [] - # -- The Windows specific settings applied to all containers. If - # unspecified, the options within a container's SecurityContext will be - # used. If set in both SecurityContext and PodSecurityContext, the value - # specified in SecurityContext takes precedence. Note that this field cannot - # be set when spec.os.name is linux. - windowsOptions: {} # -- Servers defines server classes for the Operator to provision and manage. # A server class defines what services are running and how many members make # up that class. Specifying multiple server classes allows the Operator to diff --git a/charts/couchbase-operator/values.yamltmpl b/charts/couchbase-operator/values.yamltmpl index 2309b05..0f87c82 100644 --- a/charts/couchbase-operator/values.yamltmpl +++ b/charts/couchbase-operator/values.yamltmpl @@ -20,7 +20,7 @@ couchbaseOperator: # -- Image specifies repository and tag of the Couchbase Operator container. image: repository: couchbase/operator - tag: 2.4.2 + tag: 2.5.0 # -- The policy for pulling images from the repository onto hosts. # The imagePullPolicy value defaults to IfNotPresent, which means # that images are only pulled if they’re not present on the Kubernetes node. 
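Review bot: The hardening introduced here stops at `runAsNonRoot: true`/`runAsUser: 1000` on the pod and `allowPrivilegeEscalation: false` on the container: neither `podSecurityContext` nor the new `securityContext` sets `seccompProfile.type`, so server pods run unconfined by seccomp by default, which is the remaining gap against the Restricted pod security standard. Adding `seccompProfile:` / `type: RuntimeDefault` under `securityContext`, ideally as a default set in gen.py next to `allowPrivilegeEscalation` so both values files inherit it, closes that gap; values-all.yaml has the same omission at `@@ -1847,6 +1879,118 @@` where `seccompProfile.type:` is left blank. Whether the Couchbase image tolerates the runtime default profile should be confirmed before making it the default.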
@@ -53,7 +53,7 @@ admissionController:
 # -- Image specifies repository and tag of the Couchbase Admission container.
 image:
 repository: couchbase/admission-controller
- tag: 2.4.2
+ tag: 2.5.0
 # -- The policy for pulling images from the repository onto hosts.
 # The imagePullPolicy value defaults to IfNotPresent, which means
 # that images are only pulled if they’re not present on the Kubernetes node.
diff --git a/tools/value-generation/gen.py b/tools/value-generation/gen.py
index cb2dd6b..cf415f5 100644
--- a/tools/value-generation/gen.py
+++ b/tools/value-generation/gen.py
@@ -158,7 +158,7 @@ def postProcessCluster(crd_value, value_map, comment_map) :
 value_map[crd_value]['backup']['managed'] = True
 value_map[crd_value]['buckets']['managed'] = True
- value_map[crd_value]['image'] = 'couchbase/server:7.1.3'
+ value_map[crd_value]['image'] = 'couchbase/server:7.2.0'
 comment_map[(crd_value, 'backup')] += " Refer to the documentation for supported values https://docs.couchbase.com/operator/current/howto-backup.html#enable-automated-backup"
 value_map[crd_value]['networking']['adminConsoleServices'] = ['data']
@@ -178,11 +178,16 @@ def postProcessCluster(crd_value, value_map, comment_map) :
 if 'rbac' not in value_map[crd_value]['security']:
 value_map[crd_value]['security']['rbac'] = {}
 value_map[crd_value]['security']['rbac']['managed'] = True
+ # spec.securityContext is deprecated for spec.security.podSecurityContext
+ del value_map[crd_value]['securityContext']
+
+ # clear out security context so we can set defaults
+ value_map[crd_value]['security']['securityContext'] = {}
+ value_map[crd_value]['security']['securityContext']['allowPrivilegeEscalation'] = False
 # Default the security context to reasonable values
- value_map[crd_value]['securityContext']['fsGroup'] = 1000
- value_map[crd_value]['securityContext']['sysctls'] = []
- value_map[crd_value]['securityContext']['runAsUser'] = 1000
- value_map[crd_value]['securityContext']['runAsNonRoot'] = True
+ value_map[crd_value]['security']['podSecurityContext']['fsGroup'] = 1000
+ value_map[crd_value]['security']['podSecurityContext']['runAsUser'] = 1000
+ value_map[crd_value]['security']['podSecurityContext']['runAsNonRoot'] = True
 # Set this empty to ensure we auto-generate it by default
 value_map[crd_value]['security']['adminSecret'] = ''
@@ -206,7 +211,6 @@ def postProcessCluster(crd_value, value_map, comment_map) :
 # Removing some alpha features which are disabled by default
 value_map[crd_value]['networking']['adminConsoleServiceTemplate']['spec'].pop('allocateLoadBalancerNodePorts')
 value_map[crd_value]['networking']['exposedFeatureServiceTemplate']['spec'].pop('allocateLoadBalancerNodePorts')
- value_map[crd_value]['securityContext']['windowsOptions'] = {}
 # For servers we take the name and translate it into a new top-level key
 defaultServer = {}
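Review bot: In the -178 hunk the three `podSecurityContext` assignments index `value_map[crd_value]['security']['podSecurityContext']` without first ensuring the key exists, unlike the `rbac` guard two lines above, so a generated map without that key makes the generator fail with KeyError; `value_map[crd_value]['security'].setdefault('podSecurityContext', {})` before the first assignment keeps the two paths consistent. The `del value_map[crd_value]['securityContext']` in the same hunk also fails hard once the deprecated `spec.securityContext` field disappears from the CRD, whereas `value_map[crd_value].pop('securityContext', None)` completes the deprecation cleanup in either case. Resetting `security.securityContext` to `{}` presumably discards any CRD-derived container-level defaults, leaving `allowPrivilegeEscalation: false` as the only hardening default at container level; the comment should say so explicitly, e.g. `# reset so allowPrivilegeEscalation=false is the only container-level default we ship`. postProcessCluster continues outside both hunks.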
