github.com/cockroachdb/cockroach@v20.2.0-alpha.1+incompatible/cloud/kubernetes/client-secure.yaml (about)

# Client pod for a secure CockroachDB cluster on Kubernetes.
# An init container obtains a client certificate through the Kubernetes CSR
# API, then the main container idles so an operator can `kubectl exec` into
# it and run cockroach client commands against the cluster.
#
# Security notes for reviewers:
# - The certificate requested below is for the CockroachDB user `root`
#   (-type=client -user=root), the cluster's administrative user. Anyone who
#   can exec into this pod, or read the client-certs volume, can act as root.
#   Restrict pods/exec in this namespace and delete the pod when it is no
#   longer needed.
# - Neither container sets a securityContext. NOTE(review): consider
#   allowPrivilegeEscalation: false / runAsNonRoot after confirming that both
#   images still work with them.
apiVersion: v1
kind: Pod
metadata:
  name: cockroachdb-client-secure
  labels:
    app: cockroachdb-client
spec:
  # The pod runs as the `cockroachdb` service account, and its mounted
  # credentials are what the init container has available to talk to the API.
  # NOTE(review): the RBAC bound to this account is not defined in this file;
  # confirm it grants no more than certificate requests need.
  serviceAccountName: cockroachdb
  initContainers:
  # The init-certs container sends a certificate signing request (CSR) to the
  # Kubernetes cluster.
  # List pending requests with:  kubectl get csr
  # Approve a request with:      kubectl certificate approve <csr name>
  #
  # Approval issues a credential for the database `root` user, so inspect the
  # request first (kubectl describe csr <csr name>) and approve only a CSR
  # whose requester and subject match this pod.
  #
  # In addition to the client certificate and key, the init-certs entrypoint
  # will symlink the cluster CA to the certs directory.
  - name: init-certs
    # The image is referenced by a mutable tag. Pinning it by digest
    # (image@sha256:<digest>) guards against the tag being re-pointed.
    image: cockroachdb/cockroach-k8s-request-cert:0.4
    # IfNotPresent reuses whatever image a node already has cached under this
    # tag, without re-pulling it.
    imagePullPolicy: IfNotPresent
    command:
    - "/bin/ash"
    # -e: exit on the first failing command; -c: run the string that follows;
    # -x: trace the expanded command to stderr, so it appears in the init
    # container's log.
    - "-ecx"
    # ${POD_NAMESPACE} is expanded by the shell from the env var defined
    # below; Kubernetes' own substitution syntax is $(VAR), not ${VAR}.
    # The CA is symlinked from the service-account mount, so that mount
    # presumably has to stay available to the main container as well for the
    # link to resolve - verify before disabling token automounting.
    - "/request-cert -namespace=${POD_NAMESPACE} -certs-dir=/cockroach-certs -type=client -user=root -symlink-ca-from=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"
    env:
    # Downward API: expose the pod's own namespace to the command above.
    - name: POD_NAMESPACE
      valueFrom:
        fieldRef:
          fieldPath: metadata.namespace
    volumeMounts:
    # Shared with the main container; the certificate and private key are
    # written here (-certs-dir above).
    - name: client-certs
      mountPath: /cockroach-certs
  containers:
  - name: cockroachdb-client
    # Also a mutable tag; the digest-pinning note on init-certs applies here.
    image: cockroachdb/cockroach:v20.1.1
    imagePullPolicy: IfNotPresent
    volumeMounts:
    # Same volume the init container populated, which holds the root client
    # key. NOTE(review): the mount is read-write; readOnly: true may be
    # sufficient if the client only reads the certificates - confirm.
    - name: client-certs
      mountPath: /cockroach-certs
    # Keep the pod open indefinitely so kubectl exec can be used to get a
    # shell in it and run cockroach client commands, such as cockroach sql,
    # cockroach node status, etc.
    command:
    - sleep
    - "2147483648" # 2^31 seconds (about 68 years); quoted so it stays a string
  # This pod isn't doing anything important, so don't bother waiting to
  # terminate it: a grace period of 0 means it is killed immediately on
  # deletion.
  terminationGracePeriodSeconds: 0
  volumes:
  # emptyDir lives only as long as the pod and is removed with it. With no
  # `medium` set it is backed by node storage, so the private key is written
  # to the node's disk; `medium: Memory` (tmpfs) avoids that.
  - name: client-certs
    emptyDir: {}