How to disable tls?

Good evening,

Could you describe how to uninstall certificates & disable tls in couchbase operator 2.4?
I enabled it and after that I want to do a revert.

This is part of couchbasecluster definition in the helm chart I used for installation

apiVersion: ""
kind: "CouchbaseCluster"
  name: {{ template "couchbase-cluster.clustername" . }}
        - couchbase-server-ca
        clientSecretName: couchbase-admin-secret
        serverSecretName: couchbase-server-tls

After that I removed tls section with hope of disabling it but it didn’t work. I decided to do a backup of data and reinstalled release using helm uninstall & helm install commands with the same release name.

I realized operator stored tls configuration somewhere and is not taking cluster definition into account and installed certs on new nodes.
In the operator logs I see log entry:

{"level":"info","ts":1688593274.59158,"logger":"cluster","msg":"Creating TLS secret `couchbase-release-tls-ca-shadow`","cluster":"apps/couchbase-release"}

Could you tell what need to be deleted to stop cluster from enabling it?

Best regards

Hi, any idea what to check?

@abhi.bose is this something you could help out with?

Hello @perry , @abhi.bose sorry for pinging you so many times.

It is doable? I cannot find operator source code to investigate it by myself & logs are not telling where to look at.

I appreciate any hint.

Best regards,

Hey @Pacyfik apologies for the delay. It’s been very busy for last couple of weeks.

Could you please confirm if you had generate: false to start with and supplied your own certs using secrets? Could you kindly share all the files you used (redacted as needed)?

Hello @abhi.bose , I attached dry run from helm.

I can confirm flag generate is set to false:

  expiration: 365
  generate: false
  legacy: false
  nodeToNodeEncryption: null

I supplied my own certs as secrets, enabled it in couchbasecluster resource and tried to revert by removing it from networking.tls.

Best regards,
Grzegorz Głuszek (3.4 KB)

Hey @Pacyfik , thanks for sharing the files!

I would like to explain a little bit what happens. With tls settings generate: true/false, you are saying the operator (via Helm) to self-certify the CB db (generate: true) or you can generate your own certs and supply to the operator (generate: false) which reloads the certs in the CB db.

But unfortunately, once you have opted false in the beginning and supplied the certs, those certs are permanently loaded now and operator can’t remove it anymore :frowning: and replace with a self-signed cert. Although, you can rotate/supply new certs via secrets again, which will be reloaded.

Also another point about TLS you mentioned in the beginning, which I guess was more about TLS certs than enabling/disabling TLS itself. But just to clarify, from CB server 7.0+, TLS is always enabled by default, which is a server(db) feature rather than operator.

By default, both TLS and non-TLS ports are active and will accept traffic. You can see the all ports listed here

Thank you @abhi.bose for clarification.