Hello - I am trying to expose the admin UI and xdcr without needing domain and certs. Basically want to access services with standard kubernetes service type LoadBalancer. How can I do this without need for TLS and creating certificates?
It cannot be done. Why would you want to set up this internet-only architecture without? Data, usernames and passwords would all be exposed in plaintext.
This is running inside a private datacenter; when Kubernetes creates a Service of type LoadBalancer, the IP provided is behind a firewall. The Couchbase clusters are currently deployed on VMs without TLS… we are trying to shift to K8s. This isn’t a public cloud use case though. I agree everything should be TLS everywhere regardless, but in this case it’s not needed immediately.
The recommended way to hit the UI, for now, is with a kubectl port-forward command - it’s simple enough to not be too much of a burden. I believe if you are running Couchbase 6.5.0 this gets a lot better.
How you’ve set up networking is the most important factor for accessing stuff from outside of Kubernetes, e.g. XDCR. If you have flat layer 3 (e.g. the client system can ping the remote one) then life is much simpler. If there is some form of overlay network in use, then options are very much limited from a security and high-availability perspective. Let me know what your set up looks like and I can make some recommendations.
We do have an overlay with network automation opening things up (NSX-T). I went ahead and generated some self-signed certs and seem to be on my way. Accessing via the internally LAN-routable IPs assigned to the LoadBalancer services seems to be working fine now.
Thank you for responding!
Great! Good luck.
You should be mostly fine using XDCR this way as it will automatically update client addresses as the topology changes. For things like SDKs and Sync-Gateway we’d insist on using SRV-based service discovery for high-availability, which is a whole different ballpark; all will be revealed in Operator 2.0 – coming soon!