How to disable TLS?

Good evening,

Could you describe how to uninstall certificates and disable TLS in Couchbase Operator 2.4?
I enabled it and now I want to revert it.

This is part of the CouchbaseCluster definition in the Helm chart I used for installation:

apiVersion: "couchbase.com/v2"
kind: "CouchbaseCluster"
metadata:
  name: {{ template "couchbase-cluster.clustername" . }}
spec:
...
    tls:
      rootCAs:
        - couchbase-server-ca
      secretSource:
        clientSecretName: couchbase-admin-secret
        serverSecretName: couchbase-server-tls

After that I removed the tls section hoping to disable it, but it didn't work. I decided to back up the data and reinstall the release using the helm uninstall and helm install commands with the same release name.

I realized the operator stored the TLS configuration somewhere, is not taking the cluster definition into account, and installed the certs on the new nodes.
In the operator logs I see this log entry:

{"level":"info","ts":1688593274.59158,"logger":"cluster","msg":"Creating TLS secret `couchbase-release-tls-ca-shadow`","cluster":"apps/couchbase-release"}

Could you tell me what needs to be deleted to stop the cluster from enabling it?

Best regards

Hi, any idea what to check?

@abhi.bose is this something you could help out with?

Hello @perry, @abhi.bose, sorry for pinging you so many times.

Is it doable? I cannot find the operator source code to investigate it myself, and the logs are not telling me where to look.

I appreciate any hint.

Best regards,
GG

Hey @Pacyfik, apologies for the delay. It's been very busy for the last couple of weeks.

Could you please confirm whether you had generate: false to start with and supplied your own certs using secrets? Could you kindly share all the files you used (redacted as needed)?

Hello @abhi.bose, I attached the dry run from Helm.

I can confirm the generate flag is set to false:

tls:
  expiration: 365
  generate: false
  legacy: false
  nodeToNodeEncryption: null

I supplied my own certs as secrets, enabled it in the CouchbaseCluster resource, and tried to revert by removing it from networking.tls.

Best regards,
Grzegorz Głuszek
helm-dry-run.zip (3.4 KB)

Hey @Pacyfik, thanks for sharing the files!

I would like to explain a little bit what happens. With the tls setting generate: true/false, you are telling the operator (via Helm) either to self-certify the CB db (generate: true), or that you generate your own certs and supply them to the operator (generate: false), which reloads the certs in the CB db.

But unfortunately, once you have opted for false in the beginning and supplied the certs, those certs are permanently loaded now and the operator can't remove them anymore :frowning: and replace them with a self-signed cert. Although, you can rotate/supply new certs via secrets again, which will be reloaded.

Also, another point about TLS you mentioned in the beginning, which I guess was more about TLS certs than enabling/disabling TLS itself. But just to clarify, from CB Server 7.0+, TLS is always enabled by default, which is a server (db) feature rather than an operator one.

By default, both TLS and non-TLS ports are active and will accept traffic. You can see all the ports listed here.

Thank you @abhi.bose for the clarification.
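As an added example (not from the thread, the Helm chart or the operator project): a small Python audit that lists the secrets a CouchbaseCluster tls block references, pulls the secret names the operator reports creating out of its JSON logs (the shape of the entry quoted above), and flags referenced secrets missing from the namespace, so you can tell user-supplied material apart from the shadow secret the operator added itself. The sample spec, log lines and secret list are constructed; the function names and the regex on the "Creating TLS secret" message are assumptions of this example.

```python
import json
import re

# Constructed sample: the networking.tls block from the question, as a parsed dict.
SAMPLE_TLS_SPEC = {
    "rootCAs": ["couchbase-server-ca"],
    "secretSource": {"clientSecretName": "couchbase-admin-secret",
                     "serverSecretName": "couchbase-server-tls"},
}
# Constructed operator log lines modelled on the entry quoted in the thread;
# the last line is deliberately not JSON to show such lines are skipped.
SAMPLE_LOG = """
{"level":"info","ts":1688593274.59158,"logger":"cluster","msg":"Creating TLS secret `couchbase-release-tls-ca-shadow`","cluster":"apps/couchbase-release"}
{"level":"info","ts":1688593275.1,"logger":"cluster","msg":"Reconcile completed","cluster":"apps/couchbase-release"}
plain text line that is not JSON
"""
# Constructed secret names present in the namespace (what `kubectl get secrets` would list).
SAMPLE_SECRETS = ["couchbase-server-ca", "couchbase-admin-secret", "couchbase-release-tls-ca-shadow"]
CREATE_RE = re.compile(r"Creating TLS secret `([^`]+)`")

def referenced_tls_secrets(tls_spec):
    """Secret names the tls block points at: rootCAs first, then secretSource entries."""
    names = list(tls_spec.get("rootCAs", []))
    source = tls_spec.get("secretSource") or {}
    names += [v for k, v in source.items() if k.endswith("SecretName")]
    return names

def operator_created_tls_secrets(log_text):
    """Secret names from 'Creating TLS secret `...`' messages in JSON operator logs."""
    found = []
    for line in log_text.splitlines():
        try:
            entry = json.loads(line)
        except ValueError:
            continue  # not a JSON record; ignore it
        match = CREATE_RE.search(entry.get("msg", ""))
        if match:
            found.append(match.group(1))
    return found

def tls_audit(tls_spec, log_text, existing_secrets):
    """Summarise where the TLS material comes from and what the operator added on its own."""
    referenced = referenced_tls_secrets(tls_spec)
    created = operator_created_tls_secrets(log_text)
    return {
        "user_supplied": "secretSource" in tls_spec,  # certs come from your own secrets
        "referenced": referenced,
        "missing": [n for n in referenced if n not in existing_secrets],
        "operator_created": created,
        "shadow_present": [n for n in created if n in existing_secrets],
    }
```

On a live cluster you would feed it the tls block from `kubectl get couchbasecluster -o json`, the operator pod's logs and the namespace's secret names; a non-empty "shadow_present" with "user_supplied" true is the state the answer describes, where the supplied certs stay loaded and can only be rotated, not removed.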