Details
-
Page
-
Resolution: Fixed
-
Major
-
None
-
None
-
16: Autoscaling/PE/Docs
-
1
Description
From the values.yaml for Helm we have the following:
# TLS Certs that will be used to encrypt traffic between operator and couchbase
|
tls:
|
# enable to auto create certs
|
generate: false
|
# Expiry time of CA in days for generated certs
|
expiration: 365
|
|
We need to explain this bit better, when customer set this to true, the Operator will actually go through the process of creating the certs (https://docs.couchbase.com/operator/current/tutorial-tls.html#creating-a-client-certificate) and then create and config the secrets (https://docs.couchbase.com/operator/current/howto-tls.html) for the cluster.
This causes an issue with upgrade as noted in https://issues.couchbase.com/browse/K8S-1900 because with Operator 2.1 requires an extra SAN
```
DNS:host.${cluster}.${namespace}.svc.cluster.local
```
Without this, when upgrading the Operator will report this error:
{"level":"error","ts":1611102051.5212724,"logger":"cluster","msg":"Reconciliation failed","cluster":"default/demo","error":"certificate cannot be verified for zone: x509: certificate is valid for localhost, *.demo-couchbase-cluster.default.svc, *.demo-couchbase-cluster.default, *.demo-couchbase-cluster, *.demo-couchbase-cluster-srv.default.svc, *.demo-couchbase-cluster-srv.default, *.demo-couchbase-cluster-srv, demo-couchbase-cluster-srv.default.svc, demo-couchbase-cluster-srv.default, demo-couchbase-cluster-srv, *.demo-couchbase-cluster-srv.default.svc.cluster.local, host.demo-couchbase-cluster.default.svc.cluster.local, not host.demo
|
We need to document the workaround, which is to regenerate the secrets using the values.yaml with the 2.1 chart
```
helm template demo --values values.yaml couchbase/couchbase-operator > secretsdemo.yaml
```
Then replace the secrets, after this we can then proceed to upgrade the Operator.
Draft Documentation
- Added Auto-Generated Certificates section that describes the workaround in
K8S-1900/K8S-1955.