github.com/cockroachdb/cockroach@v20.2.0-alpha.1+incompatible/cloud/kubernetes/multiregion/cockroachdb-statefulset-secure.yaml (about) 1 apiVersion: v1 2 kind: ServiceAccount 3 metadata: 4 name: cockroachdb 5 labels: 6 app: cockroachdb 7 --- 8 apiVersion: rbac.authorization.k8s.io/v1beta1 9 kind: Role 10 metadata: 11 name: cockroachdb 12 labels: 13 app: cockroachdb 14 rules: 15 - apiGroups: 16 - "" 17 resources: 18 - secrets 19 verbs: 20 - create 21 - get 22 --- 23 apiVersion: rbac.authorization.k8s.io/v1beta1 24 kind: ClusterRole 25 metadata: 26 name: cockroachdb 27 labels: 28 app: cockroachdb 29 rules: 30 - apiGroups: 31 - certificates.k8s.io 32 resources: 33 - certificatesigningrequests 34 verbs: 35 - create 36 - get 37 - watch 38 --- 39 apiVersion: rbac.authorization.k8s.io/v1beta1 40 kind: RoleBinding 41 metadata: 42 name: cockroachdb 43 labels: 44 app: cockroachdb 45 roleRef: 46 apiGroup: rbac.authorization.k8s.io 47 kind: Role 48 name: cockroachdb 49 subjects: 50 - kind: ServiceAccount 51 name: cockroachdb 52 namespace: default 53 --- 54 apiVersion: rbac.authorization.k8s.io/v1beta1 55 kind: ClusterRoleBinding 56 metadata: 57 name: cockroachdb 58 labels: 59 app: cockroachdb 60 roleRef: 61 apiGroup: rbac.authorization.k8s.io 62 kind: ClusterRole 63 name: cockroachdb 64 subjects: 65 - kind: ServiceAccount 66 name: cockroachdb 67 namespace: default 68 --- 69 apiVersion: v1 70 kind: Service 71 metadata: 72 # This service is meant to be used by clients of the database. It exposes a ClusterIP that will 73 # automatically load balance connections to the different database pods. 74 name: cockroachdb-public 75 labels: 76 app: cockroachdb 77 spec: 78 ports: 79 # The main port, served by gRPC, serves Postgres-flavor SQL, internode 80 # traffic and the cli. 81 - port: 26257 82 targetPort: 26257 83 name: grpc 84 # The secondary port serves the UI as well as health and debug endpoints. 85 - port: 8080 86 targetPort: 8080 87 name: http 88 selector: 89 app: cockroachdb 90 --- 91 apiVersion: v1 92 kind: Service 93 metadata: 94 # This service only exists to create DNS entries for each pod in the stateful 95 # set such that they can resolve each other's IP addresses. It does not 96 # create a load-balanced ClusterIP and should not be used directly by clients 97 # in most circumstances. 98 name: cockroachdb 99 labels: 100 app: cockroachdb 101 annotations: 102 # Use this annotation in addition to the actual publishNotReadyAddresses 103 # field below because the annotation will stop being respected soon but the 104 # field is broken in some versions of Kubernetes: 105 # https://github.com/kubernetes/kubernetes/issues/58662 106 service.alpha.kubernetes.io/tolerate-unready-endpoints: "true" 107 # Enable automatic monitoring of all instances when Prometheus is running in the cluster. 108 prometheus.io/scrape: "true" 109 prometheus.io/path: "_status/vars" 110 prometheus.io/port: "8080" 111 spec: 112 ports: 113 - port: 26257 114 targetPort: 26257 115 name: grpc 116 - port: 8080 117 targetPort: 8080 118 name: http 119 # We want all pods in the StatefulSet to have their addresses published for 120 # the sake of the other CockroachDB pods even before they're ready, since they 121 # have to be able to talk to each other in order to become ready. 122 publishNotReadyAddresses: true 123 clusterIP: None 124 selector: 125 app: cockroachdb 126 --- 127 apiVersion: policy/v1beta1 128 kind: PodDisruptionBudget 129 metadata: 130 name: cockroachdb-budget 131 labels: 132 app: cockroachdb 133 spec: 134 selector: 135 matchLabels: 136 app: cockroachdb 137 maxUnavailable: 1 138 --- 139 apiVersion: apps/v1 140 kind: StatefulSet 141 metadata: 142 name: cockroachdb 143 spec: 144 serviceName: "cockroachdb" 145 replicas: 3 146 selector: 147 matchLabels: 148 app: cockroachdb 149 template: 150 metadata: 151 labels: 152 app: cockroachdb 153 spec: 154 serviceAccountName: cockroachdb 155 affinity: 156 podAntiAffinity: 157 preferredDuringSchedulingIgnoredDuringExecution: 158 - weight: 100 159 podAffinityTerm: 160 labelSelector: 161 matchExpressions: 162 - key: app 163 operator: In 164 values: 165 - cockroachdb 166 topologyKey: kubernetes.io/hostname 167 containers: 168 - name: cockroachdb 169 image: cockroachdb/cockroach:v20.1.1 170 imagePullPolicy: IfNotPresent 171 ports: 172 - containerPort: 26257 173 name: grpc 174 - containerPort: 8080 175 name: http 176 livenessProbe: 177 httpGet: 178 path: "/health" 179 port: http 180 scheme: HTTPS 181 initialDelaySeconds: 30 182 periodSeconds: 5 183 readinessProbe: 184 httpGet: 185 path: "/health?ready=1" 186 port: http 187 scheme: HTTPS 188 initialDelaySeconds: 10 189 periodSeconds: 5 190 failureThreshold: 2 191 volumeMounts: 192 - name: datadir 193 mountPath: /cockroach/cockroach-data 194 - name: certs 195 mountPath: /cockroach/cockroach-certs 196 env: 197 - name: COCKROACH_CHANNEL 198 value: kubernetes-multiregion 199 command: 200 - "/bin/bash" 201 - "-ecx" 202 # The use of qualified `hostname -f` is crucial: 203 # Other nodes aren't able to look up the unqualified hostname. 204 - "exec /cockroach/cockroach start --logtostderr --certs-dir /cockroach/cockroach-certs --advertise-host $(hostname -f) --http-addr 0.0.0.0 --join JOINLIST --locality LOCALITYLIST --cache 25% --max-sql-memory 25%" 205 # No pre-stop hook is required, a SIGTERM plus some time is all that's 206 # needed for graceful shutdown of a node. 207 terminationGracePeriodSeconds: 60 208 volumes: 209 - name: datadir 210 persistentVolumeClaim: 211 claimName: datadir 212 - name: certs 213 secret: 214 secretName: cockroachdb.node 215 defaultMode: 256 216 podManagementPolicy: Parallel 217 updateStrategy: 218 type: RollingUpdate 219 volumeClaimTemplates: 220 - metadata: 221 name: datadir 222 spec: 223 accessModes: 224 - "ReadWriteOnce" 225 resources: 226 requests: 227 storage: 100Gi