# Source: github.com/replicatedhq/ship@v0.55.0/integration/init/cockroach/expected/.ship/upstream/cockroachdb-statefulset-secure.yaml
#
# Secure (TLS) CockroachDB on Kubernetes: RBAC so each pod can request its own
# node certificate through the certificates API, a client-facing Service, a
# headless Service for pod DNS, a PodDisruptionBudget and a 3-replica
# StatefulSet. A cluster administrator has to approve each node's CSR
# (see the init-certs comments below) before the database container starts.
#
# NOTE(review): the beta apiVersions used below (rbac.authorization.k8s.io/v1beta1,
# apps/v1beta1, policy/v1beta1) have since been removed from Kubernetes
# (apps/v1beta1 in 1.16, rbac v1beta1 in 1.22, policy/v1beta1 in 1.25). Current
# clusters need the v1 equivalents, and apps/v1 StatefulSet also requires
# spec.selector. This file sits under integration/.../expected/ and appears to
# be a test fixture, so the original values are left untouched here.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: cockroachdb
  labels:
    app: cockroachdb
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: Role
metadata:
  name: cockroachdb
  labels:
    app: cockroachdb
# Namespace-scoped permissions granted to the cockroachdb ServiceAccount.
# NOTE(review): `get` on secrets carries no resourceNames restriction, so every
# pod running as this ServiceAccount can read any Secret in the namespace.
# Presumably the init-certs tool needs this to store and reuse the issued node
# certificate; confirm which Secret names it touches and narrow the rule if
# the tool allows it.
rules:
- apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - create
  - get
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  name: cockroachdb
  labels:
    app: cockroachdb
# CertificateSigningRequests are cluster-scoped, hence a ClusterRole. The pods
# can only submit and watch requests; approving them stays an administrator
# action (no verbs on the approval subresource are granted).
rules:
- apiGroups:
  - certificates.k8s.io
  resources:
  - certificatesigningrequests
  verbs:
  - create
  - get
  - watch
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: RoleBinding
metadata:
  name: cockroachdb
  labels:
    app: cockroachdb
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: cockroachdb
# NOTE(review): the subject namespace is hard-coded to `default`. Applied to any
# other namespace, the binding will not match the ServiceAccount and the
# init-certs container's API calls will be forbidden. Same for the
# ClusterRoleBinding below.
subjects:
- kind: ServiceAccount
  name: cockroachdb
  namespace: default
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: cockroachdb
  labels:
    app: cockroachdb
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cockroachdb
subjects:
- kind: ServiceAccount
  name: cockroachdb
  namespace: default
---
apiVersion: v1
kind: Service
metadata:
  # This service is meant to be used by clients of the database. It exposes a ClusterIP that will
  # automatically load balance connections to the different database pods.
  name: cockroachdb-public
  labels:
    app: cockroachdb
spec:
  ports:
  # The main port, served by gRPC, serves Postgres-flavor SQL, internode
  # traffic and the cli.
  - port: 26257
    targetPort: 26257
    name: grpc
  # The secondary port serves the UI as well as health and debug endpoints.
  - port: 8080
    targetPort: 8080
    name: http
  selector:
    app: cockroachdb
---
apiVersion: v1
kind: Service
metadata:
  # This service only exists to create DNS entries for each pod in the stateful
  # set such that they can resolve each other's IP addresses. It does not
  # create a load-balanced ClusterIP and should not be used directly by clients
  # in most circumstances.
  name: cockroachdb
  labels:
    app: cockroachdb
  annotations:
    # This is needed to make the peer-finder work properly and to help avoid
    # edge cases where instance 0 comes up after losing its data and needs to
    # decide whether it should create a new cluster or try to join an existing
    # one. If it creates a new cluster when it should have joined an existing
    # one, we'd end up with two separate clusters listening at the same service
    # endpoint, which would be very bad.
    # NOTE(review): this is an alpha annotation; newer clusters express the same
    # thing with the `publishNotReadyAddresses: true` spec field. Verify which
    # one the target cluster honors, since ignoring it breaks cluster bootstrap.
    service.alpha.kubernetes.io/tolerate-unready-endpoints: "true"
    # Enable automatic monitoring of all instances when Prometheus is running in the cluster.
    # The scrape target is the HTTP port (8080); in secure mode that endpoint
    # is expected to be served over TLS with the node certs — confirm the
    # Prometheus scrape config is set up for that.
    prometheus.io/scrape: "true"
    prometheus.io/path: "_status/vars"
    prometheus.io/port: "8080"
spec:
  ports:
  - port: 26257
    targetPort: 26257
    name: grpc
  - port: 8080
    targetPort: 8080
    name: http
  # Headless: no ClusterIP, DNS returns the pod IPs directly.
  clusterIP: None
  selector:
    app: cockroachdb
---
apiVersion: policy/v1beta1
kind: PodDisruptionBudget
metadata:
  name: cockroachdb-budget
  labels:
    app: cockroachdb
spec:
  selector:
    matchLabels:
      app: cockroachdb
  # With replicas: 3 below, allowing only one pod to be unavailable keeps a
  # majority of nodes up during voluntary disruptions (drains, upgrades).
  maxUnavailable: 1
---
apiVersion: apps/v1beta1
kind: StatefulSet
metadata:
  name: cockroachdb
spec:
  # Must match the headless Service above: it yields the stable pod DNS names
  # (cockroachdb-0.cockroachdb, ...) used in the --join list below.
  serviceName: "cockroachdb"
  replicas: 3
  template:
    metadata:
      labels:
        app: cockroachdb
    spec:
      serviceAccountName: cockroachdb
      # Init containers are run only once in the lifetime of a pod, before
      # it's started up for the first time. It has to exit successfully
      # before the pod's main containers are allowed to start.
      initContainers:
      # The init-certs container sends a certificate signing request to the
      # kubernetes cluster.
      # You can see pending requests using: kubectl get csr
      # CSRs can be approved using: kubectl certificate approve <csr name>
      #
      # All addresses used to contact a node must be specified in the --addresses arg.
      #
      # In addition to the node certificate and key, the init-certs entrypoint will symlink
      # the cluster CA to the certs directory.
      #
      # NOTE(review): the cluster CA is taken from the ServiceAccount token mount
      # (-symlink-ca-from), so the Kubernetes cluster CA is what CockroachDB
      # trusts for node-to-node TLS. The `-x` shell flag echoes the expanded
      # command line to the container log; the arguments here are only
      # addresses and paths (no key material), so this is a debugging aid
      # rather than a leak — keep it that way if the command is ever extended.
      # Image tags (0.2 here, v1.1.5 below) are not pinned by digest.
      - name: init-certs
        image: cockroachdb/cockroach-k8s-request-cert:0.2
        imagePullPolicy: IfNotPresent
        command:
        - "/bin/ash"
        - "-ecx"
        - "/request-cert -namespace=${POD_NAMESPACE} -certs-dir=/cockroach-certs -type=node -addresses=localhost,127.0.0.1,${POD_IP},$(hostname -f),$(hostname -f|cut -f 1-2 -d '.'),cockroachdb-public -symlink-ca-from=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"
        # Pod IP and namespace are injected from the downward API so the CSR
        # carries the addresses this node is actually reachable at.
        env:
        - name: POD_IP
          valueFrom:
            fieldRef:
              fieldPath: status.podIP
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        volumeMounts:
        - name: certs
          mountPath: /cockroach-certs

      # Soft anti-affinity: prefer spreading replicas across nodes. Because it is
      # "preferred" rather than "required", several replicas can still share a
      # node on a small cluster.
      affinity:
        podAntiAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
          - weight: 100
            podAffinityTerm:
              labelSelector:
                matchExpressions:
                - key: app
                  operator: In
                  values:
                  - cockroachdb
              topologyKey: kubernetes.io/hostname
      # NOTE(review): no `resources` and no `securityContext` are set on either
      # container, so there are no CPU/memory limits, and the process runs with
      # the image's default user. The --cache/--max-sql-memory percentages below
      # are therefore presumably computed against the node's memory rather than
      # a container limit — confirm before sizing nodes.
      containers:
      - name: cockroachdb
        image: cockroachdb/cockroach:v1.1.5
        imagePullPolicy: IfNotPresent
        ports:
        - containerPort: 26257
          name: grpc
        - containerPort: 8080
          name: http
        volumeMounts:
        - name: datadir
          mountPath: /cockroach/cockroach-data
        - name: certs
          mountPath: /cockroach/cockroach-certs
        command:
        - "/bin/bash"
        - "-ecx"
        # The use of qualified `hostname -f` is crucial:
        # Other nodes aren't able to look up the unqualified hostname.
        # Once 2.0 is out, we should be able to switch from --host to
        # --advertise-host to make port-forwarding work to the main port.
        #
        # --http-host 0.0.0.0 binds the admin UI on all interfaces; with
        # --certs-dir set it is assumed to be served over TLS using the same
        # node certs — confirm for v1.1.5. The --join list names the three
        # peers via the headless Service DNS (must track `replicas`).
        - "exec /cockroach/cockroach start --logtostderr --certs-dir /cockroach/cockroach-certs --host $(hostname -f) --http-host 0.0.0.0 --join cockroachdb-0.cockroachdb,cockroachdb-1.cockroachdb,cockroachdb-2.cockroachdb --cache 25% --max-sql-memory 25%"
      # No pre-stop hook is required, a SIGTERM plus some time is all that's
      # needed for graceful shutdown of a node.
      terminationGracePeriodSeconds: 60
      volumes:
      - name: datadir
        persistentVolumeClaim:
          claimName: datadir
      # Shared between init-certs (writer) and cockroachdb (reader).
      # NOTE(review): a plain emptyDir puts the node's private key on the node's
      # disk for the pod's lifetime; `emptyDir: {medium: Memory}` would keep it
      # on tmpfs instead. Not changed here to preserve the fixture.
      - name: certs
        emptyDir: {}
  # Pods are replaced one at a time on spec changes (combined with the PDB
  # above this keeps a majority available during upgrades).
  updateStrategy:
    type: RollingUpdate
  # One PVC per pod, named datadir-cockroachdb-N; it is retained when the pod
  # is rescheduled or the StatefulSet is scaled down.
  volumeClaimTemplates:
  - metadata:
      name: datadir
    spec:
      accessModes:
      - "ReadWriteOnce"
      resources:
        requests:
          # Presumably sized for the integration fixture, not for production.
          storage: 1Gi