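# Generated file, DO NOT EDIT. Source: cloud/kubernetes/templates/cockroachdb-statefulset-secure.yaml
#
# Secure (TLS) CockroachDB deployment for Kubernetes. Documents, in order:
#   ServiceAccount, Role, ClusterRole, RoleBinding, ClusterRoleBinding,
#   public Service, headless Service, PodDisruptionBudget, StatefulSet.
# The node certificate is requested by the init-certs init container through
# the Kubernetes CSR API and signed by the cluster CA; the resulting key and
# certificate live only in an emptyDir shared with the database container.
#
# NOTE(review): the PodDisruptionBudget apiVersion below has been moved to
# policy/v1 (policy/v1beta1 is not served on Kubernetes 1.25 and later); the
# same change must be made in the source template named above, otherwise the
# next regeneration will revert it.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: cockroachdb
  labels:
    app: cockroachdb
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: cockroachdb
  labels:
    app: cockroachdb
# NOTE(security): `create` cannot be narrowed with resourceNames, so this Role
# lets the cockroachdb service account create and read ANY Secret in its
# namespace, not only the node-certificate secret written by init-certs. Run
# CockroachDB in a namespace of its own so no unrelated secrets share it.
rules:
  - apiGroups:
      - ""
    resources:
      - secrets
    verbs:
      - create
      - get
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cockroachdb
  labels:
    app: cockroachdb
# CertificateSigningRequests are cluster-scoped, hence a ClusterRole. Only
# create/get/watch are granted: approval stays with a human (see the
# `kubectl certificate approve` note on the init container below).
rules:
  - apiGroups:
      - certificates.k8s.io
    resources:
      - certificatesigningrequests
    verbs:
      - create
      - get
      - watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: cockroachdb
  labels:
    app: cockroachdb
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: cockroachdb
subjects:
  - kind: ServiceAccount
    name: cockroachdb
    # The subject namespace is hard-coded: deploying this file into any other
    # namespace leaves the service account unbound and init-certs fails with a
    # permission error. Adjust the template if you change the namespace.
    namespace: default
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cockroachdb
  labels:
    app: cockroachdb
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cockroachdb
subjects:
  - kind: ServiceAccount
    name: cockroachdb
    # Same hard-coded namespace as the RoleBinding above.
    namespace: default
---
apiVersion: v1
kind: Service
metadata:
  # This service is meant to be used by clients of the database. It exposes a ClusterIP that will
  # automatically load balance connections to the different database pods.
  name: cockroachdb-public
  labels:
    app: cockroachdb
spec:
  ports:
    # The main port, served by gRPC, serves Postgres-flavor SQL, internode
    # traffic and the cli.
    - port: 26257
      targetPort: 26257
      name: grpc
    # The secondary port serves the UI as well as health and debug endpoints.
    - port: 8080
      targetPort: 8080
      name: http
  selector:
    app: cockroachdb
---
apiVersion: v1
kind: Service
metadata:
  # This service only exists to create DNS entries for each pod in the stateful
  # set such that they can resolve each other's IP addresses. It does not
  # create a load-balanced ClusterIP and should not be used directly by clients
  # in most circumstances.
  name: cockroachdb
  labels:
    app: cockroachdb
  annotations:
    # Use this annotation in addition to the actual publishNotReadyAddresses
    # field below because the annotation will stop being respected soon but the
    # field is broken in some versions of Kubernetes:
    # https://github.com/kubernetes/kubernetes/issues/58662
    service.alpha.kubernetes.io/tolerate-unready-endpoints: "true"
    # Enable automatic monitoring of all instances when Prometheus is running in the cluster.
    # The scrape target is the TLS-protected HTTP port, so the Prometheus
    # scrape config must use an https scheme and trust the cluster CA.
    prometheus.io/scrape: "true"
    prometheus.io/path: "_status/vars"
    prometheus.io/port: "8080"
spec:
  ports:
    - port: 26257
      targetPort: 26257
      name: grpc
    - port: 8080
      targetPort: 8080
      name: http
  # We want all pods in the StatefulSet to have their addresses published for
  # the sake of the other CockroachDB pods even before they're ready, since they
  # have to be able to talk to each other in order to become ready.
  publishNotReadyAddresses: true
  clusterIP: None
  selector:
    app: cockroachdb
---
# policy/v1 is the served API for PodDisruptionBudget on Kubernetes 1.21+;
# the selector and maxUnavailable fields are unchanged from policy/v1beta1.
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
  name: cockroachdb-budget
  labels:
    app: cockroachdb
spec:
  selector:
    matchLabels:
      app: cockroachdb
  # At most one node may be drained at a time so a 3-replica cluster keeps
  # a quorum during voluntary disruptions.
  maxUnavailable: 1
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: cockroachdb
spec:
  serviceName: "cockroachdb"
  replicas: 3
  selector:
    matchLabels:
      app: cockroachdb
  template:
    metadata:
      labels:
        app: cockroachdb
    spec:
      serviceAccountName: cockroachdb
      # Init containers are run only once in the lifetime of a pod, before
      # it's started up for the first time. It has to exit successfully
      # before the pod's main containers are allowed to start.
      initContainers:
        # The init-certs container sends a certificate signing request to the
        # kubernetes cluster.
        # You can see pending requests using: kubectl get csr
        # CSRs can be approved using: kubectl certificate approve
        #
        # All addresses used to contact a node must be specified in the --addresses arg.
        #
        # In addition to the node certificate and key, the init-certs entrypoint will symlink
        # the cluster CA to the certs directory.
        #
        # NOTE(review): this path depends on the cluster's built-in signer
        # issuing certificates for these CSRs; on newer Kubernetes releases
        # that signer may not honour them, leaving the pod stuck in Init.
        # Confirm the CSR flow works on your cluster version before relying on
        # it, or issue node certificates out-of-band.
        - name: init-certs
          image: cockroachdb/cockroach-k8s-request-cert:0.4
          imagePullPolicy: IfNotPresent
          command:
            - "/bin/ash"
            - "-ecx"
            - "/request-cert -namespace=${POD_NAMESPACE} -certs-dir=/cockroach-certs -type=node -addresses=localhost,127.0.0.1,$(hostname -f),$(hostname -f|cut -f 1-2 -d '.'),cockroachdb-public,cockroachdb-public.$(hostname -f|cut -f 3- -d '.'),cockroachdb-public.$(hostname -f|cut -f 3-4 -d '.'),cockroachdb-public.$(hostname -f|cut -f 3 -d '.') -symlink-ca-from=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"
          env:
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
          volumeMounts:
            - name: certs
              mountPath: /cockroach-certs
      # Prefer spreading replicas across nodes; a single-node cluster still
      # schedules because this is "preferred", not "required".
      affinity:
        podAntiAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
            - weight: 100
              podAffinityTerm:
                labelSelector:
                  matchExpressions:
                    - key: app
                      operator: In
                      values:
                        - cockroachdb
                topologyKey: kubernetes.io/hostname
      containers:
        - name: cockroachdb
          image: cockroachdb/cockroach:v23.2.4
          imagePullPolicy: IfNotPresent
          # TODO: Change these to appropriate values for the hardware that you're running. You can see
          # the resources that can be allocated on each of your Kubernetes nodes by running:
          # kubectl describe nodes
          # Note that requests and limits should have identical values.
          resources:
            requests:
              cpu: "2"
              memory: "8Gi"
            limits:
              cpu: "2"
              memory: "8Gi"
          ports:
            - containerPort: 26257
              name: grpc
            - containerPort: 8080
              name: http
          # We recommend that you do not configure a liveness probe on a production environment, as this can impact the availability of production databases.
          # livenessProbe:
          #   httpGet:
          #     path: "/health"
          #     port: http
          #     scheme: HTTPS
          #   initialDelaySeconds: 30
          #   periodSeconds: 5
          readinessProbe:
            httpGet:
              path: "/health?ready=1"
              port: http
              # The HTTP port is TLS-only once --certs-dir is set; a plain
              # HTTP probe would fail the handshake and never mark the pod ready.
              scheme: HTTPS
            initialDelaySeconds: 10
            periodSeconds: 5
            failureThreshold: 2
          volumeMounts:
            - name: datadir
              mountPath: /cockroach/cockroach-data
            - name: certs
              mountPath: /cockroach/cockroach-certs
          env:
            - name: COCKROACH_CHANNEL
              value: kubernetes-secure
            # Derived from the container limits so the runtime sizes itself to
            # the cgroup rather than to the host.
            - name: GOMAXPROCS
              valueFrom:
                resourceFieldRef:
                  resource: limits.cpu
                  divisor: "1"
            - name: MEMORY_LIMIT_MIB
              valueFrom:
                resourceFieldRef:
                  resource: limits.memory
                  divisor: "1Mi"
          command:
            - "/bin/bash"
            - "-ecx"
            # The use of qualified `hostname -f` is crucial:
            # Other nodes aren't able to look up the unqualified hostname.
            # Memory caches are set as a fraction of the pod's memory limit.
            # --join lists the first three pod DNS names; scaling beyond three
            # replicas works without editing it, since a node only needs one
            # reachable peer to join.
            - exec /cockroach/cockroach start --logtostderr --certs-dir /cockroach/cockroach-certs --advertise-host $(hostname -f) --http-addr 0.0.0.0 --join cockroachdb-0.cockroachdb,cockroachdb-1.cockroachdb,cockroachdb-2.cockroachdb --cache $(expr $MEMORY_LIMIT_MIB / 4)MiB --max-sql-memory $(expr $MEMORY_LIMIT_MIB / 4)MiB
      # No pre-stop hook is required, a SIGTERM plus some time is all that's
      # needed for graceful shutdown of a node.
      terminationGracePeriodSeconds: 60
      volumes:
        - name: datadir
          persistentVolumeClaim:
            claimName: datadir
        # Holds the node private key for the pod's lifetime. The default
        # emptyDir is backed by node disk; consider `medium: Memory` if the key
        # must never touch persistent storage on the worker node.
        - name: certs
          emptyDir: {}
  podManagementPolicy: Parallel
  updateStrategy:
    type: RollingUpdate
  volumeClaimTemplates:
    - metadata:
        name: datadir
      spec:
        accessModes:
          - "ReadWriteOnce"
        resources:
          requests:
            storage: 100Gi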