# Source: github.com/cockroachdb/cockroach@v20.2.0-alpha.1+incompatible
#         cloud/kubernetes/v1.6/cockroachdb-statefulset-secure.yaml
#
# Secure-mode CockroachDB on Kubernetes 1.6. The rbac v1beta1 and
# apps/v1beta1 API versions are what that Kubernetes release serves; do not
# bump them here without moving to the manifest written for your cluster
# version.
#
# Trust model set up by this file:
#   * each pod obtains its node TLS certificate at start-up by filing a
#     CertificateSigningRequest with the Kubernetes CSR API (init-certs);
#   * CSRs are NOT auto-approved -- an operator must run
#     `kubectl certificate approve <csr name>` for every node;
#   * the CA found in the ServiceAccount token mount is symlinked in as the
#     CockroachDB CA, so whatever that CA signs is trusted for node-to-node
#     and client TLS.
apiVersion: v1
kind: ServiceAccount
metadata:
  # Identity the pods run as; the Role/ClusterRole bindings below give it the
  # API access the init-certs container needs.
  name: cockroachdb
  labels:
    app: cockroachdb
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: Role
metadata:
  name: cockroachdb
  labels:
    app: cockroachdb
rules:
# Namespace-scoped access to Secrets, presumably used by request-cert to store
# and look up the issued node certificate -- verify against the tool.
# NOTE(review): this is create+get on EVERY Secret in the namespace, so a
# compromised pod could read any other Secret deployed alongside it. `create`
# cannot be narrowed with resourceNames; `get` can, once the secret names
# request-cert uses are known. Deploying CockroachDB in a namespace of its own
# limits the blast radius.
- apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - create
  - get
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  name: cockroachdb
  labels:
    app: cockroachdb
rules:
# CertificateSigningRequests are cluster-scoped, hence a ClusterRole. The pod
# may only create and watch its own request; approval is deliberately NOT
# granted here and stays with a human operator. Whoever approves should check
# that the SANs in the CSR match the --addresses list passed to request-cert
# below and nothing more.
- apiGroups:
  - certificates.k8s.io
  resources:
  - certificatesigningrequests
  verbs:
  - create
  - get
  - watch
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: RoleBinding
metadata:
  name: cockroachdb
  labels:
    app: cockroachdb
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: cockroachdb
subjects:
# NOTE(review): the subject namespace is hard-coded to `default`, while the
# init container reads the pod's real namespace from the downward API. If this
# file is applied in any other namespace the pod's ServiceAccount is left
# unbound (its CSR/Secret calls would be denied) and the binding instead
# applies to a `default/cockroachdb` ServiceAccount if one exists. Edit this
# to the target namespace before applying.
- kind: ServiceAccount
  name: cockroachdb
  namespace: default
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: cockroachdb
  labels:
    app: cockroachdb
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cockroachdb
subjects:
# NOTE(review): same hard-coded `default` namespace as the RoleBinding above;
# keep the two in sync with the namespace you deploy into.
- kind: ServiceAccount
  name: cockroachdb
  namespace: default
---
apiVersion: v1
kind: Service
metadata:
  # This service is meant to be used by clients of the database. It exposes a
  # ClusterIP that will automatically load balance connections to the
  # different database pods. Its DNS names (cockroachdb-public and the
  # namespace-qualified forms) are among the SANs requested for every node
  # certificate below, so clients can verify the server name against it.
  name: cockroachdb-public
  labels:
    app: cockroachdb
spec:
  ports:
  # The main port, served by gRPC, serves Postgres-flavor SQL, internode
  # traffic and the cli. With --certs-dir set on the server this is expected
  # to be TLS-only.
  - port: 26257
    targetPort: 26257
    name: grpc
  # The secondary port serves the UI as well as health and debug endpoints.
  - port: 8080
    targetPort: 8080
    name: http
  selector:
    app: cockroachdb
---
apiVersion: v1
kind: Service
metadata:
  # This service only exists to create DNS entries for each pod in the
  # stateful set such that they can resolve each other's IP addresses. It does
  # not create a load-balanced ClusterIP and should not be used directly by
  # clients in most circumstances.
  name: cockroachdb
  labels:
    app: cockroachdb
  annotations:
    # This is needed to make the peer-finder work properly and to help avoid
    # edge cases where instance 0 comes up after losing its data and needs to
    # decide whether it should create a new cluster or try to join an existing
    # one. If it creates a new cluster when it should have joined an existing
    # one, we'd end up with two separate clusters listening at the same
    # service endpoint, which would be very bad.
    service.alpha.kubernetes.io/tolerate-unready-endpoints: "true"
    # Enable automatic monitoring of all instances when Prometheus is running
    # in the cluster.
    # NOTE(review): in secure mode the 8080 endpoint is presumably served over
    # TLS; the Prometheus scrape job may need a matching https scheme and CA
    # configuration for these annotations to be useful -- confirm.
    prometheus.io/scrape: "true"
    prometheus.io/path: "_status/vars"
    prometheus.io/port: "8080"
spec:
  ports:
  - port: 26257
    targetPort: 26257
    name: grpc
  - port: 8080
    targetPort: 8080
    name: http
  # Headless: per-pod DNS records only, no virtual IP.
  clusterIP: None
  selector:
    app: cockroachdb
---
apiVersion: apps/v1beta1
kind: StatefulSet
metadata:
  name: cockroachdb
spec:
  # Governing headless service; gives pods the cockroachdb-N.cockroachdb names
  # used in --join below.
  serviceName: "cockroachdb"
  replicas: 3
  template:
    metadata:
      labels:
        app: cockroachdb
    spec:
      # The ServiceAccount token is mounted into every container of the pod by
      # default. Only init-certs needs it (for the CSR API and to read the
      # cluster CA); the database container presumably does not -- something
      # to keep in mind when hardening.
      serviceAccountName: cockroachdb
      # Init containers are run only once in the lifetime of a pod, before
      # it's started up for the first time. It has to exit successfully
      # before the pod's main containers are allowed to start.
      initContainers:
      # The init-certs container sends a certificate signing request to the
      # kubernetes cluster.
      # You can see pending requests using: kubectl get csr
      # CSRs can be approved using: kubectl certificate approve <csr name>
      #
      # All addresses used to contact a node must be specified in the
      # --addresses arg. The list below requests SANs for: loopback
      # (localhost, 127.0.0.1), the pod's own FQDN and its
      # <pod>.<service> short form, and cockroachdb-public in bare,
      # <ns>.svc.<cluster-domain>, <ns>.svc and <ns> qualified forms.
      #
      # In addition to the node certificate and key, the init-certs entrypoint
      # will symlink the cluster CA to the certs directory. This manifest
      # therefore assumes the CA that signs approved CSRs is the same CA
      # exposed at /var/run/secrets/kubernetes.io/serviceaccount/ca.crt --
      # TODO confirm on your cluster; if they differ, nodes will not trust
      # each other's certificates.
      - name: init-certs
        # NOTE(review): both images in this pod are pinned by mutable tag, not
        # digest, and IfNotPresent means a node keeps using whatever image it
        # already has under that tag. Pinning `image:` with an @sha256 digest
        # gives a reproducible supply chain.
        image: cockroachdb/cockroach-k8s-request-cert:0.4
        imagePullPolicy: IfNotPresent
        command:
        - "/bin/ash"
        # -e: abort on the first failing command; -c: run the string below;
        # -x: echo each command to the container log (no secret material is
        # on this command line, only hostnames and paths).
        - "-ecx"
        - "/request-cert -namespace=${POD_NAMESPACE} -certs-dir=/cockroach-certs -type=node -addresses=localhost,127.0.0.1,$(hostname -f),$(hostname -f|cut -f 1-2 -d '.'),cockroachdb-public,cockroachdb-public.$(hostname -f|cut -f 3- -d '.'),cockroachdb-public.$(hostname -f|cut -f 3-4 -d '.'),cockroachdb-public.$(hostname -f|cut -f 3 -d '.') -symlink-ca-from=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"
        env:
        # The pod's actual namespace, used to file the CSR and to name the
        # secret. Note that the RBAC bindings above do NOT follow this value.
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        volumeMounts:
        # Node certificate, private key and CA symlink are written here and
        # handed to the database container via the shared `certs` volume.
        - name: certs
          mountPath: /cockroach-certs
      # Soft anti-affinity: prefer one CockroachDB pod per node, but still
      # schedule if the cluster cannot satisfy it.
      affinity:
        podAntiAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
          - weight: 100
            podAffinityTerm:
              labelSelector:
                matchExpressions:
                - key: app
                  operator: In
                  values:
                  - cockroachdb
              topologyKey: kubernetes.io/hostname
      containers:
      - name: cockroachdb
        # See the image-pinning note on init-certs above.
        image: cockroachdb/cockroach:v20.1.1
        imagePullPolicy: IfNotPresent
        # NOTE(review): no securityContext (runAsNonRoot, readOnlyRootFilesystem,
        # dropped capabilities) and no resources.requests/limits are set on
        # this container; both are worth adding for a production deployment.
        ports:
        - containerPort: 26257
          name: grpc
        - containerPort: 8080
          name: http
        volumeMounts:
        - name: datadir
          mountPath: /cockroach/cockroach-data
        # Certificates produced by init-certs; path matches --certs-dir below.
        - name: certs
          mountPath: /cockroach/cockroach-certs
        env:
        - name: COCKROACH_CHANNEL
          value: kubernetes-secure
        command:
        - "/bin/bash"
        - "-ecx"
        # The use of qualified `hostname -f` is crucial:
        # Other nodes aren't able to look up the unqualified hostname.
        #
        # The original TODO read "once 2.0 is out, we should be able to switch
        # from --host to --advertise-host to make port-forwarding work to the
        # main port". The image pinned here (v20.1.1) is well past 2.0, so that
        # switch is now actionable -- verify the flag names against the v20.1
        # docs before changing it.
        #
        # --http-addr 0.0.0.0 binds the UI/health/debug port on all
        # interfaces; --join lists the first three pods, which additional
        # replicas (if `replicas` is raised) also use as their rendezvous.
        # --cache / --max-sql-memory are percentages, presumably of the memory
        # the process sees; without a container memory limit that is the whole
        # node, so set resources before relying on these figures.
        - "exec /cockroach/cockroach start --logtostderr --certs-dir /cockroach/cockroach-certs --host $(hostname -f) --http-addr 0.0.0.0 --join cockroachdb-0.cockroachdb,cockroachdb-1.cockroachdb,cockroachdb-2.cockroachdb --cache 25% --max-sql-memory 25%"
      # No pre-stop hook is required, a SIGTERM plus some time is all that's
      # needed for graceful shutdown of a node.
      terminationGracePeriodSeconds: 60
      volumes:
      - name: datadir
        persistentVolumeClaim:
          claimName: datadir
      # Shared between init-certs (writer) and the database (reader). It holds
      # the node's private key.
      # NOTE(review): a plain emptyDir is backed by the node's disk; an
      # emptyDir with `medium: Memory` would keep the key in tmpfs instead --
      # consider it, keeping in mind a Memory emptyDir counts toward the
      # pod's memory usage.
      - name: certs
        emptyDir: {}
  updateStrategy:
    type: RollingUpdate
  volumeClaimTemplates:
  - metadata:
      name: datadir
    spec:
      accessModes:
      - "ReadWriteOnce"
      resources:
        requests:
          storage: 100Gi