Why does Couchbase server tls requires localhost in SANs?


I am deploying a Couchbase cluster on Kubernetes using the Couchbase Operator. While trying to set up TLS, I was able to obtain a certificate/key pair with the required SANs except localhost.

The Couchbase Operator is not accepting the TLS crt without localhost in the SAN.

Why does Couchbase Server need a TLS crt with localhost in the SAN?
Is there a way to override this behavior in the Couchbase Operator?


Localhost is required by any sidecars (especially the Prometheus exporter) when running in TLS mode. Rather than have 1,000,000 different ways to configure a certificate, many of which will only work in certain situations, it’s far easier to just do it one way that works all of the time, and avoid all the bugs that come with complexity! That said, with the arrival of Couchbase Server 7.0, which provides its own metrics rather than us having to provide them, we will be able to retire the exporter and relax the TLS rules.
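An added pre-flight check, not part of this thread or of the Operator itself: it builds a constructed self-signed test certificate with a chosen SAN list and verifies that `DNS:localhost` is among the SANs before the certificate is handed to the Operator. It assumes `openssl` is installed; the `*.cb.default.svc` service names are placeholders.

```shell
#!/bin/sh
# Added example (not from the forum thread): check that a certificate's
# subjectAltName list carries DNS:localhost, as the Operator's TLS sidecars require.
set -eu

WORKDIR="$(mktemp -d)"
trap 'rm -rf "$WORKDIR"' EXIT

# Write an OpenSSL config whose subjectAltName is $1 (constructed test data).
write_san_config() {
  cat > "$WORKDIR/san.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ext
prompt = no
[dn]
CN = couchbase-test
[v3_ext]
subjectAltName = $1
EOF
}

# Generate a throwaway self-signed cert named $1 with SAN list $2; print its path.
make_cert() {
  write_san_config "$2"
  openssl req -x509 -nodes -newkey rsa:2048 -days 1 \
    -keyout "$WORKDIR/$1.key" -out "$WORKDIR/$1.pem" \
    -config "$WORKDIR/san.cnf" >/dev/null 2>&1
  printf '%s\n' "$WORKDIR/$1.pem"
}

# Return 0 if the certificate at $1 lists DNS:localhost as a SAN, else 1.
# An exact-name match is required: DNS:localhost.example does not count.
has_localhost_san() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'Subject Alternative Name' \
    | grep -qE '(^|[[:space:],])DNS:localhost(,|$)'
}

# Demo: the first cert would be rejected by the Operator, the second accepted.
# Service names below are placeholders for a cluster's real SANs.
MISSING_CERT="$(make_cert missing 'DNS:*.cb.default.svc,DNS:*.cb.default')"
OK_CERT="$(make_cert ok 'DNS:localhost,DNS:*.cb.default.svc,DNS:*.cb.default')"

for c in "$MISSING_CERT" "$OK_CERT"; do
  if has_localhost_san "$c"; then echo "$c: localhost SAN present"
  else echo "$c: localhost SAN MISSING"; fi
done
```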

Sounds good. Will move forward for now, and wait for the change in operator.