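---
# CockroachDB (secure mode) on Kubernetes: a ServiceAccount plus the RBAC the
# init container needs to request a node certificate, a client-facing
# ClusterIP Service, a headless Service for per-pod DNS, a PodDisruptionBudget
# and a three-replica StatefulSet.
#
# NOTE(review): the v1beta1 API groups used below (rbac, apps, policy) have
# since been removed from current Kubernetes releases; moving the StatefulSet
# to apps/v1 also requires an explicit spec.selector, which is absent here.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: cockroachdb
  labels:
    app: cockroachdb
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: Role
metadata:
  name: cockroachdb
  labels:
    app: cockroachdb
# Namespace-scoped permissions for the cockroachdb ServiceAccount, presumably
# used by request-cert to persist the issued certificate — confirm against the
# request-cert image.
# NOTE(review): `get` applies to every Secret in the namespace, not only the
# ones the init container writes; narrow with resourceNames if those names are
# predictable.
rules:
  - apiGroups:
      - ""
    resources:
      - secrets
    verbs:
      - create
      - get
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  name: cockroachdb
  labels:
    app: cockroachdb
# CertificateSigningRequests are cluster-scoped, hence a ClusterRole. The
# `approve` verb is absent: approval is expected to be done by an operator (the
# init-certs comments in the StatefulSet mention `kubectl certificate approve`).
rules:
  - apiGroups:
      - certificates.k8s.io
    resources:
      - certificatesigningrequests
    verbs:
      - create
      - get
      - watch
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: RoleBinding
metadata:
  name: cockroachdb
  labels:
    app: cockroachdb
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: cockroachdb
subjects:
  - kind: ServiceAccount
    name: cockroachdb
    # Hard-coded, whereas the init container reads its namespace from the pod
    # (POD_NAMESPACE). Deploying outside "default" requires changing this here
    # and in the ClusterRoleBinding below.
    namespace: default
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: cockroachdb
  labels:
    app: cockroachdb
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cockroachdb
subjects:
  - kind: ServiceAccount
    name: cockroachdb
    # See the RoleBinding above: must match the namespace the StatefulSet is
    # deployed into.
    namespace: default
---
apiVersion: v1
kind: Service
metadata:
  # This service is meant to be used by clients of the database. It exposes a ClusterIP that will
  # automatically load balance connections to the different database pods.
  name: cockroachdb-public
  labels:
    app: cockroachdb
spec:
  ports:
    # The main port, served by gRPC, serves Postgres-flavor SQL, internode
    # traffic and the cli.
    - port: 26257
      targetPort: 26257
      name: grpc
    # The secondary port serves the UI as well as health and debug endpoints.
    # NOTE(review): this exposes the admin UI and debug endpoints to every
    # in-cluster client alongside SQL; if only SQL should be reachable, move
    # this port to a separate Service or restrict it with a NetworkPolicy.
    - port: 8080
      targetPort: 8080
      name: http
  selector:
    app: cockroachdb
---
apiVersion: v1
kind: Service
metadata:
  # This service only exists to create DNS entries for each pod in the stateful
  # set such that they can resolve each other's IP addresses. It does not
  # create a load-balanced ClusterIP and should not be used directly by clients
  # in most circumstances.
  name: cockroachdb
  labels:
    app: cockroachdb
  annotations:
    # This is needed to make the peer-finder work properly and to help avoid
    # edge cases where instance 0 comes up after losing its data and needs to
    # decide whether it should create a new cluster or try to join an existing
    # one. If it creates a new cluster when it should have joined an existing
    # one, we'd end up with two separate clusters listening at the same service
    # endpoint, which would be very bad.
    # NOTE(review): this is an alpha annotation; newer clusters express the
    # same thing as spec.publishNotReadyAddresses: true.
    service.alpha.kubernetes.io/tolerate-unready-endpoints: "true"
    # Enable automatic monitoring of all instances when Prometheus is running in the cluster.
    prometheus.io/scrape: "true"
    prometheus.io/path: "_status/vars"
    prometheus.io/port: "8080"
spec:
  ports:
    - port: 26257
      targetPort: 26257
      name: grpc
    - port: 8080
      targetPort: 8080
      name: http
  # Headless: no ClusterIP, DNS resolves straight to the pod IPs.
  clusterIP: None
  selector:
    app: cockroachdb
---
apiVersion: policy/v1beta1
kind: PodDisruptionBudget
metadata:
  name: cockroachdb-budget
  labels:
    app: cockroachdb
spec:
  selector:
    matchLabels:
      app: cockroachdb
  # At most one of the three replicas may be voluntarily evicted at a time.
  maxUnavailable: 1
---
apiVersion: apps/v1beta1
kind: StatefulSet
metadata:
  name: cockroachdb
spec:
  serviceName: "cockroachdb"
  replicas: 3
  template:
    metadata:
      labels:
        app: cockroachdb
    spec:
      serviceAccountName: cockroachdb
      # Init containers are run only once in the lifetime of a pod, before
      # it's started up for the first time. It has to exit successfully
      # before the pod's main containers are allowed to start.
      initContainers:
        # The init-certs container sends a certificate signing request to the
        # kubernetes cluster.
        # You can see pending requests using: kubectl get csr
        # CSRs can be approved using: kubectl certificate approve
        #
        # All addresses used to contact a node must be specified in the --addresses arg.
        #
        # In addition to the node certificate and key, the init-certs entrypoint will symlink
        # the cluster CA to the certs directory.
        - name: init-certs
          image: cockroachdb/cockroach-k8s-request-cert:0.2
          imagePullPolicy: IfNotPresent
          command:
            - "/bin/ash"
            # -x echoes each command, including this full argument list, to
            # the container log.
            - "-ecx"
            - "/request-cert -namespace=${POD_NAMESPACE} -certs-dir=/cockroach-certs -type=node -addresses=localhost,127.0.0.1,${POD_IP},$(hostname -f),$(hostname -f|cut -f 1-2 -d '.'),$(CDB_PUBLIC_SVC) -symlink-ca-from=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"
          env:
            - name: POD_IP
              valueFrom:
                fieldRef:
                  fieldPath: status.podIP
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            # Referenced as $(CDB_PUBLIC_SVC) in the command above. Kubernetes
            # only expands $(VAR) for variables defined in this env list;
            # without this entry the literal text reaches the shell, which
            # treats it as a command substitution of a non-existent command and
            # yields an empty address. The value is the client-facing Service
            # declared earlier in this file. If an external tool substitutes the
            # placeholder before apply, this entry is simply unused.
            - name: CDB_PUBLIC_SVC
              value: "cockroachdb-public"
          volumeMounts:
            - name: certs
              mountPath: /cockroach-certs
      affinity:
        podAntiAffinity:
          # Prefer (do not require) spreading the replicas over distinct nodes.
          preferredDuringSchedulingIgnoredDuringExecution:
            - weight: 100
              podAffinityTerm:
                labelSelector:
                  matchExpressions:
                    - key: app
                      operator: In
                      values:
                        - cockroachdb
                topologyKey: kubernetes.io/hostname
      containers:
        - name: cockroachdb
          image: cockroachdb/cockroach:v1.1.5
          imagePullPolicy: IfNotPresent
          ports:
            - containerPort: 26257
              name: grpc
            - containerPort: 8080
              name: http
          # Referenced as $(CDB_STATEFULSET_NAME) and $(CDB_STATEFULSET_SVC) in
          # the --join list below; same expansion rule as for the init
          # container. The values are this StatefulSet's name and its
          # serviceName.
          env:
            - name: CDB_STATEFULSET_NAME
              value: "cockroachdb"
            - name: CDB_STATEFULSET_SVC
              value: "cockroachdb"
          volumeMounts:
            - name: datadir
              mountPath: /cockroach/cockroach-data
            - name: certs
              mountPath: /cockroach/cockroach-certs
          # NOTE(review): no resources.requests/limits and no securityContext
          # are set; the 25% cache/SQL memory sizes below have no container
          # bound to work from — TODO confirm how v1.1.5 resolves percentages
          # when unconstrained.
          command:
            - "/bin/bash"
            - "-ecx"
            # The use of qualified `hostname -f` is crucial:
            # Other nodes aren't able to look up the unqualified hostname.
            # Once 2.0 is out, we should be able to switch from --host to --advertise-host to make port-forwarding work to the main port.
            - "exec /cockroach/cockroach start --logtostderr --certs-dir /cockroach/cockroach-certs --host $(hostname -f) --http-host 0.0.0.0 --join $(CDB_STATEFULSET_NAME)-0.$(CDB_STATEFULSET_SVC),$(CDB_STATEFULSET_NAME)-1.$(CDB_STATEFULSET_SVC),$(CDB_STATEFULSET_NAME)-2.$(CDB_STATEFULSET_SVC) --cache 25% --max-sql-memory 25%"
      # No pre-stop hook is required, a SIGTERM plus some time is all that's
      # needed for graceful shutdown of a node.
      terminationGracePeriodSeconds: 60
      volumes:
        - name: datadir
          persistentVolumeClaim:
            claimName: datadir
        # Holds the node key and certificate written by init-certs. An
        # emptyDir is backed by node disk; consider `medium: Memory` so the
        # private key never hits disk.
        - name: certs
          emptyDir: {}
  updateStrategy:
    type: RollingUpdate
  volumeClaimTemplates:
    - metadata:
        name: datadir
      spec:
        accessModes:
          - "ReadWriteOnce"
        resources:
          requests:
            storage: 1Gi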