In my previous article I discussed—from a high level—the new Public Connectivity feature in Autonomous Operator 1.2.0. This was intentionally an abstract overview in order to coax the user to learn about the joys of DDNS, TLS and layer 3 Networking.
Give a man a fish, and you feed him for a day. Teach a man to fish, and you feed him for a lifetime
Hopefully you have all invested the time to learn how to fish! (or at least ready to get your feet wet.)Â This article gives a practical tutorial on configuration of the Operator in order to be able to expose your Couchbase clusters safely on the public internet.
Why Use This Feature?
Today’s tech startups are more cloud-focused than the traditional enterprise. Some would argue that the traditional enterprise is entrenched—guarding data behind firewalls in private data centers—and arguably, from a security standpoint, this is the correct thing to do.
Increased cloud exposure, while a bigger risk, is also becoming less of a concern as time goes on. Cloud more importantly opens myriad doors to agility and innovation gains. Connecting public service offerings over the public internet is a huge benefit, and one that cannot be easily and economically achieved with services that live on-premises, hidden behind NAT boundaries.
The one example that I am personally quite fond of, is the rise of Function as a Service (FaaS). Functions are short lived jobs (typically based on containers) that respond to stimuli and return a result. They are created on demand, and automatically scale horizontally instantaneously to handle the required workload. You can use public FaaS service offerings today, with no time wasted installing and configuring virtual or physical infrastructure. AWS Lambda is one such incarnation you may well be familiar with.
Unless your function is pure (in the sense that it just processes data) it will require inputs, typically in the form of a database. These FaaS offerings, given they operate on the public internet, will also require a connection to a public database. Establishing private VPN tunnels between these services may be difficult or impossible.
It is for these reasons—interconnectivity, simplicity, and agility—that we offer the option of public connectivity.
Security, Security, Security
A service placed on the public internet will be faced with scrutiny from malicious 3rd-party actors. The internet is awash with attempts to glean and exploit personal information. As a simple test, connect a UNIX system to the internet. Your SSH logs will fill up fairly quickly with attempts to access the machine using dictionaries of common/stolen usernames and passwords. Firewalls will show attempts to scan for open ports. This is just the accepted normal, and has been for as long as I can remember.
Databases in particular are honey pots to criminals trying to exploit systems in order to gain access to mailing lists for phishing attacks, or extract credit card details for fraud and identity theft. You quite simply have to make these services secure.
The Public Connectivity feature of the Operator mandates the use of full end-to-end encryption. This prevents snoopers from seeing confidential information while on public networks. Digital certificates form a trust between clients and servers. A client will verify that a server is valid for the host name it tried to connect to, and that it is signed by a trusted certificate authority.
The Operator allows the use of server certificate chains only, and does not act as a certificate authority, signing server certificates for individual servers as the topology changes. Acting as a CA would allow any certificate to be created and signed, so we opt for the safe approach. As a result, we support a wildcard certificate for the cluster as a whole. When using wildcard certificates we also need to use public DNS in order for the client to confirm that the client can verify the server certificate is valid for the host being contacted.
This background gives us enough knowledge to begin deploying our database with public connectivity.
Let’s Get Started
DNS
As discussed, we need to use public DNS in order to contact the Couchbase cluster nodes when using public connectivity. These can be bought relatively cheaply online from registrars such as Gandi, GoDaddy, Namecheap etc.
We also need to be able to use Dynamic DNS. As nodes are added and removed from our Couchbase cluster, we need corresponding entries to be added and removed from the DNS. They also need to be updated if public IP addresses of these nodes change. This is due to high performance, client-side sharding used by Couchbase clients and XDCR. We will be using the Kubernetes external-dns service to perform DDNS updates. The link lists supported DDNS providers. Once you have purchased a DNS domain you will need to delegate its name servers to your chosen DDNS provider. My personal choice for this example is Cloudflare. The final preparation step is the creation of an API key or other credentials for the external-dns controller to authenticate with the DDNS provider and control the DNS records required by the Couchbase cluster.
TLS
For most people this is the most mystical part of the process. HTTPS web pages just work transparently, so there is little need to be concerned with this from day to day by the average user. I’m not going to go into any detail (as that is for another post), but what we need to discuss are the main things that need to be tied to your chosen DNS configuration.
I’m using my personal DNS domain, spjmurray.co.uk, for this demonstration. I will be installing my Couchbase cluster in its own namespace called 6c3c0075-b44a-11e9-9518-4a8d7629c69a, and the cluster itself will be called couchbase. These are important parameters to know because they allow us to uniquely address a Couchbase cluster within our Kubernetes cluster. The Couchbase cluster will be configured so that its domain is couchbase.6c3c0075-b44a-11e9-9518-4a8d7629c69a.spjmurray.co.uk. The operator will require the creation of A records within this domain for each node as well as the Couchbase Web Console.
Knowing our domain, we can now determine the DNS wildcard certificate subject alternative name *.couchbase.6c3c0075-b44a-11e9-9518-4a8d7629c69a.spjmurray.co.uk.
OpenVPN’s EasyRSA tool is a simple method of generating certificates. First, clone the repository and initialize it.
|
1 |
git clone https://github.com/OpenVPN/easy-rsa |
|
1 |
cd easy-rsa/easyrsa3 |
|
1 |
./easyrsa init-pki |
Generate the CA certificate and key pair. If you recall, the CA’s private key is used to digitally sign a server certificate. A client can then verify the server certificate is authentic with the CA’s public key. This command will prompt you for a CA name and a password. After completion the CA certificate can be found in pki/ca.crt.
|
1 |
./easy-rsa build-ca |
The server certificate and key pair are created next. When TLS is specified in your Couchbase cluster configuration the Operator will use TLS to communicate with the cluster. This prevents any passwords or sensitive data being transmitted in plain text. To support Kubernetes’ private DNS names we need another DNS wildcard subject alternative name. The nopass option must also be specified so that the private key is not encrypted and can be read by Couchbase server. The following command will prompt for a password; this is the CA private key’s password used to digitally sign the certificate.
|
1 |
./easy-rsa --subject-alt-name=DNS:*.couchbase.6c3c0075-b44a-11e9-9518-4a8d7629c69a.svc,DNS:*.couchbase.6c3c0075-b44a-11e9-9518-4a8d7629c69a.spjmurray.co.uk build-server-full server nopass |
You can verify that the certificate is as expected by examining it in OpenSSL:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 |
openssl x509 -in cert -noout -text Certificate: Data: Version: 3 (0x2) Serial Number: b8:a2:ab:74:2c:8a:88:bf:67:3f:a8:d3:9b:fd:09:19 Signature Algorithm: sha256WithRSAEncryption Issuer: CN = Couchbase CA Validity Not Before: Aug 1 10:52:15 2019 GMT Not After : Jul 29 10:52:15 2029 GMT Subject: CN = Couchbase Server Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public-Key: (2048 bit) Modulus: 00:b8:85:b5:41:16:67:1f:79:32:4c:ed:e1:44:cc: 55:65:db:a1:d1:99:6e:d1:d7:90:a6:5e:eb:4c:96: de:a4:70:dd:74:6c:76:13:75:01:5e:36:a2:5f:f0: 8b:cd:e8:8b:bd:68:2a:f2:5c:e8:3c:78:6d:71:92: db:2c:58:7c:e7:40:a5:73:cc:cd:f4:b7:c8:69:16: d3:c5:15:18:c0:56:d9:b3:f6:86:c6:22:8b:05:22: 77:c7:5c:ce:2a:3d:b8:e8:96:ea:c8:17:a8:3a:27: 7b:94:66:a1:80:89:a2:8b:25:5b:ed:72:ac:d5:29: 37:a1:e5:dd:9f:16:ac:a4:04:14:d8:89:cc:d0:08: f9:f1:58:1f:a7:fa:ee:2d:1a:e5:bd:03:ba:e7:9a: 79:f7:10:d7:0f:9b:bc:f9:cc:c9:03:97:58:78:9f: 68:78:b7:20:cf:5e:a8:67:7b:33:41:91:4a:8c:7c: 44:1a:25:86:ca:15:eb:9a:25:5e:80:23:65:9b:7a: 40:e4:55:c1:9c:93:c8:d6:72:e7:d8:d7:ac:dd:f9: 92:a8:89:c1:bc:ff:1a:7d:a5:e9:ab:6b:b8:3e:c4: 5f:b6:e6:30:45:5c:b4:5a:ce:fa:d9:12:28:ad:e6: 39:7b:39:4b:2e:a2:2a:16:f8:64:36:75:7d:59:78: 41:cf Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Key Usage: critical Digital Signature, Key Encipherment X509v3 Extended Key Usage: TLS Web Server Authentication X509v3 Basic Constraints: critical CA:FALSE X509v3 Subject Key Identifier: B8:7D:84:E9:AE:DF:38:90:B4:B5:CC:82:EA:B5:38:D2:35:12:4C:3F X509v3 Authority Key Identifier: keyid:78:49:35:9B:B4:03:26:81:B4:5A:68:8C:94:18:CE:2A:5A:12:FE:EE X509v3 Subject Alternative Name: DNS:*.couchbase.6c3c0075-b44a-11e9-9518-4a8d7629c69a.svc, DNS:*.couchbase.6c3c0075-b44a-11e9-9518-4a8d7629c69a.spjmurray.co.uk Signature Algorithm: sha256WithRSAEncryption 79:75:3c:81:ca:78:50:64:4b:4a:4c:67:9a:22:12:28:e6:76: a0:00:18:87:0f:09:bc:18:28:fb:5c:06:52:51:91:fe:2b:5f: 9c:a2:0f:96:67:ec:0d:44:fd:e4:7d:cc:90:f5:5f:8a:9f:e1: 56:c1:aa:67:fb:fe:8d:6d:fa:fb:04:36:c4:cf:b6:24:ce:4d: e8:87:d9:f0:40:b3:9b:7d:d1:a7:77:6a:1b:ea:11:67:46:14: 84:0b:37:0a:c1:35:b8:53:bd:98:58:3f:98:b5:20:d7:9c:0f: 99:eb:48:71:03:88:1b:8d:ef:b3:08:76:27:53:87:09:cd:4a: 5c:26:fc:bd:ad:82:e4:38:0b:6c:e1:8c:e8:61:8e:38:f5:c0: aa:7c:69:b1:2d:f3:5e:85:8c:0f:42:fc:19:b0:aa:17:81:44: 54:6e:8f:5d:d7:1f:f6:27:5c:fc:a3:78:de:45:e2:d3:3e:30: 14:53:65:fd:01:07:e8:af:b9:a7:fd:04:fb:ec:79:2c:1b:b9: d7:f2:d2:90:2c:6f:ac:ca:09:29:07:73:a3:88:c2:bc:d7:a6: 09:49:31:a6:5b:96:40:12:5e:6f:82:bd:32:7f:ba:dc:6c:ad: d2:ed:a8:70:42:99:4e:6c:8a:4f:43:c3:a3:a0:70:42:ea:23: e3:a5:61:60 |
EasyRSA creates private keys in the modern PKCS#7 format, however Couchbase Server only supports PKCS#1. To remedy this we need to convert formats.
|
1 |
openssl rsa -in pki/private/server.key -out server.key.der -outform DER |
|
1 |
openssl rsa -in server.key.der -inform DER -out server.key -outform PEM |
Now that TLS is configured, collect your CA certificate and server certificate/private key pair, as they will be needed when configuring your Couchbase cluster in a later step.
DDNS Setup
Now we can start deploying some actual Kubernetes resources. First up, let’s create our namespace for the external-dns controller to run in and a service account to run as.
|
1 |
kubectl create namespace 6c3c0075-b44a-11e9-9518-4a8d7629c69a |
|
1 |
kubectl -n 6c3c0075-b44a-11e9-9518-4a8d7629c69a create serviceaccount external-dns |
A role is required to grant permission for the external-dns controller to interrogate Kubernetes resources in the namespace it is running in. The role is bound to the service account that the external-dns controller will run as. I will use a cluster role in this example so it can be shared between all instances of the external-dns controller. It will be bound within the namespace, however, as the controller does not need access to all namespaces. OpenShift users: You will need admin privileges for role creation and binding, as they require privilege escalation, and for security reasons, cannot be performed by normal users. The role looks like the following:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 |
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: external-dns rules: - apiGroups: - "" resources: - services - pods - nodes verbs: - get - watch - list |
And is installed with the following:
|
1 |
kubectl create -f external-dns-cluster-role.yaml |
|
1 |
kubectl -n 6c3c0075-b44a-11e9-9518-4a8d7629c69a create rolebinding --clusterrole external-dns --serviceaccount 6c3c0075-b44a-11e9-9518-4a8d7629c69a:external-dns external-dns |
The final step is to install the external-dns controller. We will configure it to look for services within the namespace. If a service has an annotation external-dns.alpha.kubernetes.io/hostname then the external-dns controller will create DNS A records in our DDNS provider mapping to the service’s IP address.
It is possible that multiple instances of external-dns are synchronizing DNS records to the same domain. If it sees a record that doesn’t correspond to a service it is managing, it will delete it. To prevent two or more controllers from continuously adding their own and deleting others’ records, we add in a GUID so that the controller only responds to records it owns. For your curiosity, ownership is managed through DNS TXT records. The deployment YAML looks like the following. You should substitute your own Cloudflare API key and email address in the environment parameters.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 |
apiVersion: extensions/v1beta1 kind: Deployment metadata: name: external-dns spec: selector: matchLabels: app: external-dns template: metadata: labels: app: external-dns spec: serviceAccountName: external-dns containers: - name: external-dns image: registry.opensource.zalan.do/teapot/external-dns:latest args: - --source=service - --domain-filter=spjmurray.co.uk - --provider=cloudflare - --txt-owner-id=6c3c0075-b44a-11e9-9518-4a8d7629c69a env: - name: CF_API_KEY value: REDACTED - name: CF_API_EMAIL value: REDACTED |
This can be created with the following:
|
1 |
kubectl -n 6c3c0075-b44a-11e9-9518-4a8d7629c69a create -f external-dns.yaml |
Check that the deployment is running and we are ready to install our Couchbase cluster.
Install the Operator
This is covered extensively in the official documentation. First, you will need to install the custom resource definitions. Then install the dynamic admission controller into a namespace of your choice and connect it to the Kubernetes API.
The admission controller is a required component of the Operator 1.2.0 deployment. It applies default values to the cluster, and most importantly, does validation outside of the scope of native JSON schema validation. The most important validation it performs for this setup is ensuring that your DNS and TLS are configured correctly in your Couchbase cluster definition.
The Operator is installed into the same namespace as the external-dns controller using a very similar process to the external-dns controller.
Public Couchbase Cluster
The final step is actually the easiest. Here’s the YAML definition:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 |
apiVersion: couchbase.com/v1 kind: CouchbaseCluster metadata: name: couchbase spec: authSecret: 6c3c0075-b44a-11e9-9518-4a8d7629c69a baseImage: couchbase/server version: enterprise-6.0.1 exposeAdminConsole: true adminConsoleServiceType: LoadBalancer adminConsoleServices: - data exposedFeatureServiceType: LoadBalancer exposedFeatures: - xdcr - client dns: domain: 6c3c0075-b44a-11e9-9518-4a8d7629c69a.spjmurray.co.uk tls: static: operatorSecret: couchbase-ca member: serverSecret: couchbase-cert servers: - name: default services: - data - index - query size: 3 |
The admin console and exposed features (per pod services) are exposed with new parameters that allow the service type to be specified. On this occasion I’m running in GKE. When a LoadBalancer service is created it gets a public IP address associated with it.
The new DNS setting, when specified, will annotate admin console and per-pod services with the labels understood by the external dns-controller. For the admin console setting this is console.${metadata.name}.${spec.dns.domain} for example.
Finally, as we are using public connectivity and DNS, the dynamic admission controller will force us to use TLS. The TLS parameters are populated with secrets containing the TLS certificates we created earlier for this cluster.
Create the cluster and watch the status or Operator logs for completion. Eventually you should be able to connect to the console with the url https://console.6c3c0075-b44a-11e9-9518-4a8d7629c69a.spjmurray.co.uk:18091/ as load balancer IPs are allocated and DNS records are added. You can use this same address to establish XDCR remote clusters and bootstrap Couchbase client SDKs. Congratulations you have enabled public connectivity!
Troubleshooting
Merely explaining how to configure public connectivity is half the job. You need to be able to determine where the problem lies before raising support cases. Given it’s always the network’s fault (well mostly), here are some tips to help you.
DNS is not instantaneous, it takes time for records to appear, and it takes time for modifications to propagate as TTLs expire. To check that DNS is as expected, first look up the expected DNS names. Find the service names:
|
1 2 3 4 5 6 7 8 |
kubectl -n 6c3c0075-b44a-11e9-9518-4a8d7629c69a get svc NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE couchbase ClusterIP None 8091/TCP,18091/TCP 26h couchbase-0000-exposed-ports LoadBalancer 10.40.8.108 34.66.243.123 18091:32281/TCP,18092:32677/TCP,11207:31661/TCP,18093:32233/TCP 26h couchbase-0001-exposed-ports LoadBalancer 10.40.6.37 35.232.231.230 18091:32171/TCP,18092:31995/TCP,11207:30711/TCP,18093:31243/TCP 26h couchbase-0002-exposed-ports LoadBalancer 10.40.4.46 35.238.213.211 18091:32117/TCP,18092:30313/TCP,11207:32609/TCP,18093:32433/TCP 26h couchbase-srv ClusterIP None 11210/TCP,11207/TCP 26h couchbase-ui LoadBalancer 10.40.13.78 35.238.226.107 18091:32508/TCP 26h |
Look up the calculated DNS name:
|
1 2 |
kubectl -n 6c3c0075-b44a-11e9-9518-4a8d7629c69a get svc couchbase-0000-exposed-ports -o yaml | grep external-dns.alpha.kubernetes.io/hostname external-dns.alpha.kubernetes.io/hostname: couchbase-0000.couchbase.6c3c0075-b44a-11e9-9518-4a8d7629c69a.spjmurray.co.uk |
Does the DNS A record exist? Does the IP address correspond to the service’s public IP address?
|
1 2 |
dig +short couchbase-0000.couchbase.6c3c0075-b44a-11e9-9518-4a8d7629c69a.spjmurray.co.uk 34.66.243.123 |
Next you need to be sure that the requested ports are listening. We can check that the TLS enabled Admin port is listening and we can establish a TCP session on that port:
|
1 2 |
nc -vz couchbase-0000.couchbase.6c3c0075-b44a-11e9-9518-4a8d7629c69a.spjmurray.co.uk 18091 Connection to couchbase-0000.couchbase.6c3c0075-b44a-11e9-9518-4a8d7629c69a.spjmurray.co.uk 18091 port [tcp/*] succeeded! |
The final thing to do is establish whether TLS is working as expected using the CA certificate:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 |
openssl s_client -host couchbase-0000.couchbase.6c3c0075-b44a-11e9-9518-4a8d7629c69a.spjmurray.co.uk -port 18091 -CAfile ca.crt CONNECTED(00000005) depth=1 CN = Couchbase CA verify return:1 depth=0 CN = Couchbase Server verify return:1 --- Certificate chain 0 s:CN = Couchbase Server i:CN = Couchbase CA 1 s:CN = Couchbase CA i:CN = Couchbase CA --- Server certificate -----BEGIN CERTIFICATE----- MIIDuDCCAqCgAwIBAgIRALiiq3Qsioi/Zz+o05v9CRkwDQYJKoZIhvcNAQELBQAw FzEVMBMGA1UEAxMMQ291Y2hiYXNlIENBMB4XDTE5MDgwMTEwNTIxNVoXDTI5MDcy OTEwNTIxNVowGzEZMBcGA1UEAxMQQ291Y2hiYXNlIFNlcnZlcjCCASIwDQYJKoZI hvcNAQEBBQADggEPADCCAQoCggEBALiFtUEWZx95Mkzt4UTMVWXbodGZbtHXkKZe 60yW3qRw3XRsdhN1AV42ol/wi83oi71oKvJc6Dx4bXGS2yxYfOdApXPMzfS3yGkW 08UVGMBW2bP2hsYiiwUid8dczio9uOiW6sgXqDone5RmoYCJooslW+1yrNUpN6Hl 3Z8WrKQEFNiJzNAI+fFYH6f67i0a5b0DuueaefcQ1w+bvPnMyQOXWHifaHi3IM9e qGd7M0GRSox8RBolhsoV65olXoAjZZt6QORVwZyTyNZy59jXrN35kqiJwbz/Gn2l 6atruD7EX7bmMEVctFrO+tkSKK3mOXs5Sy6iKhb4ZDZ1fVl4Qc8CAwEAAaOB+jCB 9zAOBgNVHQ8BAf8EBAMCBaAwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDAYDVR0TAQH/ BAIwADAdBgNVHQ4EFgQUuH2E6a7fOJC0tcyC6rU40jUSTD8wHwYDVR0jBBgwFoAU eEk1m7QDJoG0WmiMlBjOKloS/u4wgYEGA1UdEQR6MHiCNCouY291Y2hiYXNlLjZj M2MwMDc1LWI0NGEtMTFlOS05NTE4LTRhOGQ3NjI5YzY5YS5zdmOCQCouY291Y2hi YXNlLjZjM2MwMDc1LWI0NGEtMTFlOS05NTE4LTRhOGQ3NjI5YzY5YS5zcGptdXJy YXkuY28udWswDQYJKoZIhvcNAQELBQADggEBAHl1PIHKeFBkS0pMZ5oiEijmdqAA GIcPCbwYKPtcBlJRkf4rX5yiD5Zn7A1E/eR9zJD1X4qf4VbBqmf7/o1t+vsENsTP tiTOTeiH2fBAs5t90ad3ahvqEWdGFIQLNwrBNbhTvZhYP5i1INecD5nrSHEDiBuN 77MIdidThwnNSlwm/L2tguQ4C2zhjOhhjjj1wKp8abEt816FjA9C/BmwqheBRFRu j13XH/YnXPyjeN5F4tM+MBRTZf0BB+ivuaf9BPvseSwbudfy0pAsb6zKCSkHc6OI wrzXpglJMaZblkASXm+CvTJ/utxsrdLtqHBCmU5sik9Dw6OgcELqI+OlYWA= -----END CERTIFICATE----- subject=CN = Couchbase Server issuer=CN = Couchbase CA --- No client certificate CA names sent Peer signing digest: SHA256 Peer signature type: RSA Server Temp Key: DH, 2048 bits --- SSL handshake has read 2714 bytes and written 737 bytes Verification: OK --- New, TLSv1.2, Cipher is DHE-RSA-AES256-SHA256 Server public key is 2048 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE No ALPN negotiated SSL-Session: Protocol : TLSv1.2 Cipher : DHE-RSA-AES256-SHA256 Session-ID: 1D4242B756A51A14F1CA360DD7BB2DB74CEB4897E3365576658D2E5A7C7B36A0 Session-ID-ctx: Master-Key: 11D43F8E21FD57A07D091913A892D1BBEC32A701491FCE0EAA1EAEA68084F3754CA746921F9E80FBA3EDB4F809A791A7 PSK identity: None PSK identity hint: None SRP username: None Start Time: 1564751720 Timeout : 7200 (sec) Verify return code: 0 (ok) Extended master secret: no --- |
Additionally, for the particularly brave, you can check that the DNS addresses passed to the clients are correct:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 |
curl -s https://couchbase-0000.couchbase.6c3c0075-b44a-11e9-9518-4a8d7629c69a.spjmurray.co.uk:18091/pools/default/nodeServices -u Administrator:BIH6mSJQ33jcIb24LZagxn0GHpxsJEWiiXSHNnyoXxp2GITJWMgc4aEOxVVllcCR --cacert ca.crt | python -m json.tool { "nodesExt": [ { "alternateAddresses": { "external": { "hostname": "couchbase-0000.couchbase.6c3c0075-b44a-11e9-9518-4a8d7629c69a.spjmurray.co.uk" } }, "hostname": "couchbase-0000.couchbase.6c3c0075-b44a-11e9-9518-4a8d7629c69a.svc", "services": { "capi": 8092, "capiSSL": 18092, "indexAdmin": 9100, "indexHttp": 9102, "indexHttps": 19102, "indexScan": 9101, "indexStreamCatchup": 9104, "indexStreamInit": 9103, "indexStreamMaint": 9105, "kv": 11210, "kvSSL": 11207, "mgmt": 8091, "mgmtSSL": 18091, "moxi": 11211, "n1ql": 8093, "n1qlSSL": 18093, "projector": 9999 }, "thisNode": true }, |
Next Steps
Couchbase Autonomous Operator 1.2.0 is a big release with many new features. The main focuses are upgradability and ease of use. We hope you enjoy doing cool new things with it as much as we have enjoyed creating it. As always your feedback is key!
- Try it out: https://staging.couchbase.com/downloads
- Support forums: https://staging.couchbase.com/forums/c/couchbase-server/Kubernetes
- Documentation: https://docs.couchbase.com/operator/1.2/whats-new.html
Read More
- Autonomous Operator 1.2.0 Networking: https://staging.couchbase.com/blog/autonomous-operator-1-2-0-networking
Great feature. But I can only set one value to
exposedFeatures, otherwise I will get an error:spec.exposedFeatures in body should be one of [admin xdcr client]
And another question, I can’t find the operator’s source code. Will the operator be open source?