Uploaded image for project: 'Couchbase Kubernetes'
  1. Couchbase Kubernetes
  2. K8S-1955

Document Helm 2.1 upgrade process with tls.generate=true

    XMLWordPrintable

Details

    • Page
    • Resolution: Fixed
    • Major
    • 2.2.0
    • None
    • documentation, helm
    • None
    • 16: Autoscaling/PE/Docs
    • 1

    Description

      From the values.yaml for Helm we have the following:

        # TLS Certs that will be used to encrypt traffic between operator and couchbase
      		 
        tls:
      		 
          # enable to auto create certs
      		 
          generate: false
      		 
          # Expiry time of CA in days for generated certs
      		 
          expiration: 365

      We need to explain this bit better, when customer set this to true, the Operator will actually go through the process of creating the certs (https://docs.couchbase.com/operator/current/tutorial-tls.html#creating-a-client-certificate) and then create and config the secrets (https://docs.couchbase.com/operator/current/howto-tls.html) for the cluster.

      This causes an issue with upgrade as noted in https://issues.couchbase.com/browse/K8S-1900 because with Operator 2.1 requires an extra SAN

      ```
      DNS:host.${cluster}.${namespace}.svc.cluster.local
      ```

      Without this, when upgrading the Operator will report this error:

      {"level":"error","ts":1611102051.5212724,"logger":"cluster","msg":"Reconciliation failed","cluster":"default/demo","error":"certificate cannot be verified for zone: x509: certificate is valid for localhost, *.demo-couchbase-cluster.default.svc, *.demo-couchbase-cluster.default, *.demo-couchbase-cluster, *.demo-couchbase-cluster-srv.default.svc, *.demo-couchbase-cluster-srv.default, *.demo-couchbase-cluster-srv, demo-couchbase-cluster-srv.default.svc, demo-couchbase-cluster-srv.default, demo-couchbase-cluster-srv, *.demo-couchbase-cluster-srv.default.svc.cluster.local, host.demo-couchbase-cluster.default.svc.cluster.local, not host.demo

      We need to document the workaround, which is to regenerate the secrets using the values.yaml with the 2.1 chart

      ```
      helm template demo --values values.yaml couchbase/couchbase-operator > secretsdemo.yaml
      ```

      Then replace the secrets, after this we can then proceed to upgrade the Operator.

      Draft Documentation

      Manage. Helm. Helm Deployment

      Attachments

        Issue Links

          relates to

          Bug - A problem which impairs or prevents the functions of the product. K8S-1900 Upgrade errors with Helm 2.1 when TLS enabled

          • Major - Major loss of function.
          • Closed

          Page - A new page either standalone or within a series of pages must be added K8S-2033 Improve Helm Documentation

          • Major - Major loss of function.
          • Closed
          mentioned in

          Page Loading...

          For Gerrit Dashboard: K8S-1955
          # Subject Branch Project Status CR V
          151272,7 K8S-1955: Document TLS upgrade workaround master couchbase-operator Status: MERGED +2 +1
          152315,3 K8S-1955: Document TLS upgrade workaround 2.1.x couchbase-operator Status: MERGED +2 +1

          Activity

            People

              arunkumar Arunkumar Senthilnathan (Inactive)
              tin.tran Tin Tran (Inactive)
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:

                Gerrit Reviews

                  There are no open Gerrit changes

                  PagerDuty