  1. Couchbase Kubernetes
  2. K8S-2267

TLS error when using tls.generate=true in Helm Chart 2.2


Details

    • Task
    • Status: Resolved
    • Major
    • Resolution: Fixed
    • None
    • None
    • helm, kubernetes
    • None
    • 1

    Description

      Background
      Customer is deploying Couchbase Server with tls.generate=true with Helm Chart and LoadBalancer.

      helm upgrade --install apicbdev -n couchbase --values values_dev.yaml couchbase/couchbase-operator

      tls:
        generate: true
        expiration: 365

      cluster:
        networking:
          adminConsoleServiceType: LoadBalancer
          exposedFeatureServiceType: LoadBalancer

      Problem

      The following error would occur

      {"level":"info","ts":1623863121.2887464,"logger":"cluster","msg":"Reconciliation failed","cluster":"couchbase/apicbdev-couchbase-cluster","error":"unexpected status code: request failed POST https://apicbdev-couchbase-cluster-0002.apicbdev-couchbase-cluster.couchbase.svc:18091/settings/security 400 Bad Request: {\"errors\":[\"tlsMinVersion - Supported TLS versions are tlsv1.2, tlsv1.1, tlsv1\"]}","stack":"github.com/couchbase/couchbase-
      

      This seems to be related to the combination of DNS and TLS version of the chart.

      Logs
      s3://cb-customers-secure/swiss-shakti-foundation/40319/2021-06-21/cbopinfo-20210621t162717+0000.tar.gz

      config yaml: values_dev_orig.yaml

      Attachments


        Activity

          simon.murray Simon Murray added a comment -

          This field has both a CRD default, and an internal one (to handle the fact that defaults are applied only on a resource write e.g. handle upgrade), so how this is being screwed up is anyone's guess for now.  You can set operator logs to level 2 to see what's being passed at the couchbase API level.


          tommie Tommie McAfee added a comment -

          Can you also attach these logs from s3?

          It must be that this is only reproducible with external dns.  I had to get my permissions renewed in Azure to deploy this again.

          tommie Tommie McAfee added a comment -

          The problem here is that the CRDs from 2.1.0 are still installed.  Helm doesn't automatically update these, so the user needs to download the 2.2 build package and run:

          kubectl replace -f crds.yaml

          (an update to the docs to clarify this is still in staging)

          Verify this is the case by running this command.  If it does not return anything then the TLS min version isn't being set:

          kubectl get crd couchbaseclusters.couchbase.com -o yaml | grep tlsMinimumVersion -A2
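The CRD check from the last comment as a scriptable pre-upgrade gate; this is an added example, not part of the ticket or Couchbase's own tooling. An empty grep result can also mean the CRD is absent or kubectl failed, so the script reports that case separately. The function names, exit codes and sample schema fragments are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not Couchbase tooling. Classifies a dump of the CRD:
#   0 = schema declares tlsMinimumVersion
#   1 = CRD present but the field is missing (stale CRD, as in this ticket)
#   2 = no usable dump (empty file, kubectl failed, not a CRD)
classify_crd() {
    crd_file=$1
    # An empty or unrelated dump must not be read as "field missing".
    [ -s "$crd_file" ] || return 2
    grep -q '^kind: CustomResourceDefinition' "$crd_file" || return 2
    # Match the field as a YAML mapping key, not a mention inside a description.
    if grep -Eq '^[[:space:]]+tlsMinimumVersion:[[:space:]]*$' "$crd_file"; then
        return 0
    fi
    return 1
}

# Live check against the cluster; requires kubectl access.
check_live_crd() {
    tmp=$(mktemp) || return 2
    kubectl get crd couchbaseclusters.couchbase.com -o yaml >"$tmp" 2>/dev/null || true
    rc=0
    classify_crd "$tmp" || rc=$?
    rm -f "$tmp"
    case $rc in
        0) echo "CRD declares tlsMinimumVersion" ;;
        1) echo "stale CRD: run 'kubectl replace -f crds.yaml' from the 2.2 package" ;;
        *) echo "could not read the couchbaseclusters.couchbase.com CRD" ;;
    esac
    return "$rc"
}

# Constructed, heavily shortened schema fragments; not the real CRD contents.
write_samples() {
    dir=$1
    printf '%s\n' 'kind: CustomResourceDefinition' 'spec:' '  properties:' \
        '    exampleField:' \
        '      description: tlsMinimumVersion: is only mentioned here' \
        >"$dir/old.yaml"
    printf '%s\n' 'kind: CustomResourceDefinition' 'spec:' '  properties:' \
        '    tlsMinimumVersion:' '      type: string' >"$dir/new.yaml"
    : >"$dir/empty.yaml"
}
```

Run `check_live_crd` before `helm upgrade --install` and stop the rollout on a non-zero exit code.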

          People

            tommie Tommie McAfee
            tin.tran Tin Tran (Inactive)