
     1  # This config file defines a CockroachDB StatefulSet that uses certificates
     2  # created outside of Kubernetes. You may want to use it if you want to use a
     3  # different certificate authority from the one being used by Kubernetes or if
     4  # your Kubernetes cluster doesn't fully support certificate-signing requests
     5  # (e.g. as of July 2018, EKS doesn't work properly).
     6  #
     7  # To use this config file, first set up your certificates and load them into
     8  # your Kubernetes cluster as Secrets using the commands below:
     9  #
    10  # mkdir certs
    11  # mkdir my-safe-directory
    12  # cockroach cert create-ca --certs-dir=certs --ca-key=my-safe-directory/ca.key
    13  # cockroach cert create-client root --certs-dir=certs --ca-key=my-safe-directory/ca.key
    14  # kubectl create secret generic cockroachdb.client.root --from-file=certs
    15  # cockroach cert create-node --certs-dir=certs --ca-key=my-safe-directory/ca.key localhost 127.0.0.1 cockroachdb-public cockroachdb-public.default cockroachdb-public.default.svc.cluster.local *.cockroachdb *.cockroachdb.default *.cockroachdb.default.svc.cluster.local
    16  # kubectl create secret generic cockroachdb.node --from-file=certs
    17  # kubectl create -f bring-your-own-certs-statefulset.yaml
    18  # kubectl exec -it cockroachdb-0 -- /cockroach/cockroach init --certs-dir=/cockroach/cockroach-certs
    19  apiVersion: v1
    20  kind: ServiceAccount
    21  metadata:
    22    name: cockroachdb
    23    labels:
    24      app: cockroachdb
    25  ---
    26  apiVersion: rbac.authorization.k8s.io/v1beta1
    27  kind: Role
    28  metadata:
    29    name: cockroachdb
    30    labels:
    31      app: cockroachdb
    32  rules:
    33  - apiGroups:
    34    - ""
    35    resources:
    36    - secrets
    37    verbs:
    38    - get
    39  ---
    40  apiVersion: rbac.authorization.k8s.io/v1beta1
    41  kind: RoleBinding
    42  metadata:
    43    name: cockroachdb
    44    labels:
    45      app: cockroachdb
    46  roleRef:
    47    apiGroup: rbac.authorization.k8s.io
    48    kind: Role
    49    name: cockroachdb
    50  subjects:
    51  - kind: ServiceAccount
    52    name: cockroachdb
    53    namespace: default
    54  ---
    55  apiVersion: v1
    56  kind: Service
    57  metadata:
    58    # This service is meant to be used by clients of the database. It exposes a ClusterIP that will
    59    # automatically load balance connections to the different database pods.
    60    name: cockroachdb-public
    61    labels:
    62      app: cockroachdb
    63  spec:
    64    ports:
    65    # The main port, served by gRPC, serves Postgres-flavor SQL, internode
    66    # traffic and the cli.
    67    - port: 26257
    68      targetPort: 26257
    69      name: grpc
    70    # The secondary port serves the UI as well as health and debug endpoints.
    71    - port: 8080
    72      targetPort: 8080
    73      name: http
    74    selector:
    75      app: cockroachdb
    76  ---
    77  apiVersion: v1
    78  kind: Service
    79  metadata:
    80    # This service only exists to create DNS entries for each pod in the stateful
    81    # set such that they can resolve each other's IP addresses. It does not
    82    # create a load-balanced ClusterIP and should not be used directly by clients
    83    # in most circumstances.
    84    name: cockroachdb
    85    labels:
    86      app: cockroachdb
    87    annotations:
    88      # Use this annotation in addition to the actual publishNotReadyAddresses
    89      # field below because the annotation will stop being respected soon but the
    90      # field is broken in some versions of Kubernetes:
    91      # https://github.com/kubernetes/kubernetes/issues/58662
    92      service.alpha.kubernetes.io/tolerate-unready-endpoints: "true"
    93      # Enable automatic monitoring of all instances when Prometheus is running in the cluster.
    94      prometheus.io/scrape: "true"
    95      prometheus.io/path: "_status/vars"
    96      prometheus.io/port: "8080"
    97  spec:
    98    ports:
    99    - port: 26257
   100      targetPort: 26257
   101      name: grpc
   102    - port: 8080
   103      targetPort: 8080
   104      name: http
   105    # We want all pods in the StatefulSet to have their addresses published for
   106    # the sake of the other CockroachDB pods even before they're ready, since they
   107    # have to be able to talk to each other in order to become ready.
   108    publishNotReadyAddresses: true
   109    clusterIP: None
   110    selector:
   111      app: cockroachdb
   112  ---
   113  apiVersion: policy/v1beta1
   114  kind: PodDisruptionBudget
   115  metadata:
   116    name: cockroachdb-budget
   117    labels:
   118      app: cockroachdb
   119  spec:
   120    selector:
   121      matchLabels:
   122        app: cockroachdb
   123    maxUnavailable: 1
   124  ---
   125  apiVersion: apps/v1
   126  kind: StatefulSet
   127  metadata:
   128    name: cockroachdb
   129  spec:
   130    serviceName: "cockroachdb"
   131    replicas: 3
   132    selector:
   133      matchLabels:
   134        app: cockroachdb
   135    template:
   136      metadata:
   137        labels:
   138          app: cockroachdb
   139      spec:
   140        serviceAccountName: cockroachdb
   141        affinity:
   142          podAntiAffinity:
   143            preferredDuringSchedulingIgnoredDuringExecution:
   144            - weight: 100
   145              podAffinityTerm:
   146                labelSelector:
   147                  matchExpressions:
   148                  - key: app
   149                    operator: In
   150                    values:
   151                    - cockroachdb
   152                topologyKey: kubernetes.io/hostname
   153        containers:
   154        - name: cockroachdb
   155          image: cockroachdb/cockroach:v20.1.1
   156          imagePullPolicy: IfNotPresent
   157          ports:
   158          - containerPort: 26257
   159            name: grpc
   160          - containerPort: 8080
   161            name: http
   162          livenessProbe:
   163            httpGet:
   164              path: "/health"
   165              port: http
   166              scheme: HTTPS
   167            initialDelaySeconds: 30
   168            periodSeconds: 5
   169          readinessProbe:
   170            httpGet:
   171              path: "/health?ready=1"
   172              port: http
   173              scheme: HTTPS
   174            initialDelaySeconds: 10
   175            periodSeconds: 5
   176            failureThreshold: 2
   177          volumeMounts:
   178          - name: datadir
   179            mountPath: /cockroach/cockroach-data
   180          - name: certs
   181            mountPath: /cockroach/cockroach-certs
   182          env:
   183          - name: COCKROACH_CHANNEL
   184            value: kubernetes-secure
   185          command:
   186            - "/bin/bash"
   187            - "-ecx"
   188            # The use of qualified `hostname -f` is crucial:
   189            # Other nodes aren't able to look up the unqualified hostname.
   190            - "exec /cockroach/cockroach start --logtostderr --certs-dir /cockroach/cockroach-certs --advertise-host $(hostname -f) --http-addr 0.0.0.0 --join cockroachdb-0.cockroachdb,cockroachdb-1.cockroachdb,cockroachdb-2.cockroachdb --cache 25% --max-sql-memory 25%"
   191        # No pre-stop hook is required, a SIGTERM plus some time is all that's
   192        # needed for graceful shutdown of a node.
   193        terminationGracePeriodSeconds: 60
   194        volumes:
   195        - name: datadir
   196          persistentVolumeClaim:
   197            claimName: datadir
   198        - name: certs
   199          secret:
   200            secretName: cockroachdb.node
   201            defaultMode: 256
   202    podManagementPolicy: Parallel
   203    updateStrategy:
   204      type: RollingUpdate
   205    volumeClaimTemplates:
   206    - metadata:
   207        name: datadir
   208      spec:
   209        accessModes:
   210          - "ReadWriteOnce"
   211        resources:
   212          requests:
   213            storage: 100Gi