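---
# Secure CockroachDB deployment for Kubernetes.
#
# Node TLS certificates are requested by an init container through the
# Kubernetes certificates.k8s.io CSR API, which is why the pods run under a
# dedicated ServiceAccount with the RBAC objects below. The namespaced objects
# assume the "default" namespace (see the RoleBinding/ClusterRoleBinding
# subjects); both must be changed when deploying anywhere else.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: cockroachdb
  labels:
    app: cockroachdb
---
# rbac.authorization.k8s.io/v1 is the stable RBAC API (Kubernetes >= 1.8); the
# v1beta1 version used previously is deprecated and removed in Kubernetes 1.22.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: cockroachdb
  labels:
    app: cockroachdb
rules:
  # Used by the init-certs container of the StatefulSet below (presumably to
  # persist the issued certificate; verify against the request-cert tool).
  # "get"/"create" on secrets apply to EVERY Secret in the namespace, not only
  # the ones this workload creates, and RBAC cannot scope "create" by name —
  # so keep CockroachDB in its own namespace if unrelated secrets live here.
  - apiGroups:
      - ""
    resources:
      - secrets
    verbs:
      - create
      - get
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cockroachdb
  labels:
    app: cockroachdb
rules:
  # CertificateSigningRequests are cluster-scoped, hence a ClusterRole.
  # "create" lets init-certs submit a request, "get"/"watch" let it wait for
  # the result. Approval is NOT granted here and stays a manual step:
  #   kubectl certificate approve <csr name>
  - apiGroups:
      - certificates.k8s.io
    resources:
      - certificatesigningrequests
    verbs:
      - create
      - get
      - watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: cockroachdb
  labels:
    app: cockroachdb
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: cockroachdb
subjects:
  - kind: ServiceAccount
    name: cockroachdb
    # Hard-coded: a ServiceAccount in any other namespace silently gets no
    # permissions and init-certs fails with "forbidden".
    namespace: default
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cockroachdb
  labels:
    app: cockroachdb
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cockroachdb
subjects:
  - kind: ServiceAccount
    name: cockroachdb
    # Must match the namespace the StatefulSet is deployed to (see above).
    namespace: default
---
apiVersion: v1
kind: Service
metadata:
  # This service is meant to be used by clients of the database. It exposes a ClusterIP that will
  # automatically load balance connections to the different database pods.
  name: cockroachdb-public
  labels:
    app: cockroachdb
spec:
  ports:
    # The main port, served by gRPC, serves Postgres-flavor SQL, internode
    # traffic and the cli.
    - port: 26257
      targetPort: 26257
      name: grpc
    # The secondary port serves the UI as well as health and debug endpoints.
    - port: 8080
      targetPort: 8080
      name: http
  selector:
    app: cockroachdb
---
apiVersion: v1
kind: Service
metadata:
  # This service only exists to create DNS entries for each pod in the stateful
  # set such that they can resolve each other's IP addresses. It does not
  # create a load-balanced ClusterIP and should not be used directly by clients
  # in most circumstances.
  name: cockroachdb
  labels:
    app: cockroachdb
  annotations:
    # Use this annotation in addition to the actual publishNotReadyAddresses
    # field below because the annotation will stop being respected soon but the
    # field is broken in some versions of Kubernetes:
    # https://github.com/kubernetes/kubernetes/issues/58662
    service.alpha.kubernetes.io/tolerate-unready-endpoints: "true"
    # Enable automatic monitoring of all instances when Prometheus is running in the cluster.
    prometheus.io/scrape: "true"
    prometheus.io/path: "_status/vars"
    prometheus.io/port: "8080"
spec:
  ports:
    - port: 26257
      targetPort: 26257
      name: grpc
    - port: 8080
      targetPort: 8080
      name: http
  # We want all pods in the StatefulSet to have their addresses published for
  # the sake of the other CockroachDB pods even before they're ready, since they
  # have to be able to talk to each other in order to become ready.
  publishNotReadyAddresses: true
  clusterIP: None
  selector:
    app: cockroachdb
---
# policy/v1beta1 is kept for compatibility with older clusters; policy/v1 is
# the stable PodDisruptionBudget API from Kubernetes 1.21 on.
apiVersion: policy/v1beta1
kind: PodDisruptionBudget
metadata:
  name: cockroachdb-budget
  labels:
    app: cockroachdb
spec:
  selector:
    matchLabels:
      app: cockroachdb
  # At most one node may be voluntarily evicted at a time, so a 3-replica
  # cluster keeps a quorum during node drains.
  maxUnavailable: 1
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: cockroachdb
spec:
  serviceName: "cockroachdb"
  replicas: 3
  selector:
    matchLabels:
      app: cockroachdb
  template:
    metadata:
      labels:
        app: cockroachdb
    spec:
      # The ServiceAccount token is mounted into every container of the pod
      # (automountServiceAccountToken defaults to true), including the
      # cockroachdb container below, which does not reference it.
      serviceAccountName: cockroachdb
      # NOTE(review): no pod or container securityContext is set; confirm
      # whether the images can run as non-root before adding one.
      #
      # Init containers are run only once in the lifetime of a pod, before
      # it's started up for the first time. It has to exit successfully
      # before the pod's main containers are allowed to start.
      initContainers:
        # The init-certs container sends a certificate signing request to the
        # kubernetes cluster.
        # You can see pending requests using: kubectl get csr
        # CSRs can be approved using: kubectl certificate approve <csr name>
        #
        # All addresses used to contact a node must be specified in the --addresses arg.
        #
        # In addition to the node certificate and key, the init-certs entrypoint will symlink
        # the cluster CA to the certs directory.
        #
        # Because the Kubernetes cluster CA (the ServiceAccount ca.crt passed to
        # -symlink-ca-from) becomes the CockroachDB trust root, any certificate
        # that CA issues and that passes CockroachDB's identity checks is
        # trusted by the nodes — keep CSR approval tightly controlled.
        - name: init-certs
          # Mutable tag with IfNotPresent: pin by digest (image@sha256:<DIGEST>)
          # if reproducible, tamper-evident pulls are required.
          image: cockroachdb/cockroach-k8s-request-cert:0.4
          imagePullPolicy: IfNotPresent
          command:
            - "/bin/ash"
            - "-ecx"
            - "/request-cert -namespace=${POD_NAMESPACE} -certs-dir=/cockroach-certs -type=node -addresses=localhost,127.0.0.1,$(hostname -f),$(hostname -f|cut -f 1-2 -d '.'),cockroachdb-public,cockroachdb-public.$(hostname -f|cut -f 3- -d '.'),cockroachdb-public.$(hostname -f|cut -f 3-4 -d '.'),cockroachdb-public.$(hostname -f|cut -f 3 -d '.') -symlink-ca-from=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"
          env:
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
          volumeMounts:
            # Shared with the cockroachdb container via the "certs" emptyDir.
            - name: certs
              mountPath: /cockroach-certs
      affinity:
        podAntiAffinity:
          # Preferred, not required: pods may still co-locate on one node when
          # the scheduler has no alternative, which weakens fault tolerance.
          preferredDuringSchedulingIgnoredDuringExecution:
            - weight: 100
              podAffinityTerm:
                labelSelector:
                  matchExpressions:
                    - key: app
                      operator: In
                      values:
                        - cockroachdb
                topologyKey: kubernetes.io/hostname
      containers:
        - name: cockroachdb
          image: cockroachdb/cockroach:v20.1.1
          imagePullPolicy: IfNotPresent
          # TODO: Change these to appropriate values for the hardware that you're running. You can see
          # the amount of allocatable resources on each of your Kubernetes nodes by running:
          #   kubectl describe nodes
          # resources:
          #   requests:
          #     cpu: "16"
          #     memory: "8Gi"
          #   limits:
          #     # NOTE: Unless you have enabled the non-default Static CPU Management Policy
          #     # and are using an integer number of CPUs, we don't recommend setting a CPU limit.
          #     # See:
          #     # https://kubernetes.io/docs/tasks/administer-cluster/cpu-management-policies/#static-policy
          #     # https://github.com/kubernetes/kubernetes/issues/51135
          #     cpu: "16"
          #     memory: "8Gi"
          ports:
            - containerPort: 26257
              name: grpc
            - containerPort: 8080
              name: http
          # Both probes talk TLS to the HTTP port; they do not present a client
          # certificate, so the health endpoints must remain reachable without one.
          livenessProbe:
            httpGet:
              path: "/health"
              port: http
              scheme: HTTPS
            initialDelaySeconds: 30
            periodSeconds: 5
          readinessProbe:
            httpGet:
              path: "/health?ready=1"
              port: http
              scheme: HTTPS
            initialDelaySeconds: 10
            periodSeconds: 5
            failureThreshold: 2
          volumeMounts:
            - name: datadir
              mountPath: /cockroach/cockroach-data
            - name: certs
              mountPath: /cockroach/cockroach-certs
          env:
            - name: COCKROACH_CHANNEL
              value: kubernetes-secure
          command:
            - "/bin/bash"
            - "-ecx"
            # The use of qualified `hostname -f` is crucial:
            # Other nodes aren't able to look up the unqualified hostname.
            #
            # --join lists the first three pods; scaling replicas above 3 still
            # works as long as these pods exist. NOTE(review): --cache and
            # --max-sql-memory are percentages of the memory visible to the
            # process, which is the whole node while no memory limit is set —
            # confirm the sizing once resources are filled in above.
            - "exec /cockroach/cockroach start --logtostderr --certs-dir /cockroach/cockroach-certs --advertise-host $(hostname -f) --http-addr 0.0.0.0 --join cockroachdb-0.cockroachdb,cockroachdb-1.cockroachdb,cockroachdb-2.cockroachdb --cache 25% --max-sql-memory 25%"
      # No pre-stop hook is required, a SIGTERM plus some time is all that's
      # needed for graceful shutdown of a node.
      terminationGracePeriodSeconds: 60
      volumes:
        - name: datadir
          persistentVolumeClaim:
            claimName: datadir
        # Node key and certificate live only in pod-local ephemeral storage and
        # are re-requested on every pod start.
        - name: certs
          emptyDir: {}
  podManagementPolicy: Parallel
  updateStrategy:
    type: RollingUpdate
  volumeClaimTemplates:
    - metadata:
        name: datadir
      spec:
        accessModes:
          - "ReadWriteOnce"
        resources:
          requests:
            storage: 100Gi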