Major Description
Vbucket maps contain the list of servers on which the bucket is deployed. When the cluster is running encrypted query (go-couchbase) needs to figure out what the TLS port before opening connections to KV. The vbucket maps are retrieved from the pools/default/buckets/bucket-name REST API. The TLS ports are retrieved from the pools/default/nodeServices REST API.
Of course, it's possible that during rebalance the server list will be found to be "[node1:11210, node2:11210]" and by the time the nodeServices endpoint is read the servers list might just be node1. This may cause queries to fail. The reverse may also happen where the server list might have fewer entries than servers and we won't open some connections to memcached until the next refresh.
One way to fix this is have go-couchbase move off pools/default/buckets/bucket-name and move to pools/default/b/bucket-name. This latter API is called the "terse bucket info" and is what the SDKs use to bootstrap. It's a faster REST API because it's efficiently cacheable; more importantly it contains the nodeServices information so the vbucket map and the TLS endpoint information are guaranteed to be compatible. However, it's missing some information and we'd need to sweep all users of go-couchbase to make sure it's ok to drop this information.
A second way would be to add the nodeServices information to pools/default and then update go-couchbase to pick up this information in the bucket refresh.
Note that the effects of this issue may not be that serious. In theory queries can fail; in practice it might be very very rare. I don't know enough about query to say more on this.
