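---
# CockroachDB secure ("bring your own certs") deployment. The node certificate
# and the root client certificate are supplied as pre-existing Secrets
# (cockroachdb.node and cockroachdb.client.root) and mounted into the pods.
# Every resource carries a commented-out `namespace: cockroachdb`; the file is
# presumably applied with `kubectl -n cockroachdb` - all objects must land in
# the same namespace for the Service DNS names used below to resolve.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: cockroachdb
  # namespace: cockroachdb
  labels:
    app: cockroachdb
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: cockroachdb
  # namespace: cockroachdb
  labels:
    app: cockroachdb
rules:
  # Read access to every Secret in the namespace, granted to both the database
  # pods and the client pod below (they share the ServiceAccount). Nothing in
  # this manifest reads Secrets through the API - the certificates arrive as
  # volume mounts - so this could likely be narrowed with `resourceNames` to
  # the two Secrets referenced below, or dropped; confirm nothing outside this
  # file relies on it first.
  - apiGroups:
      - ""
    resources:
      - secrets
    verbs:
      - get
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: cockroachdb
  # namespace: cockroachdb
  labels:
    app: cockroachdb
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: cockroachdb
subjects:
  - kind: ServiceAccount
    name: cockroachdb
    # Left unset on purpose: a RoleBinding resolves a ServiceAccount subject
    # without a namespace in its own namespace, which is what applying with
    # `-n` needs. Re-enabling `default` here would bind the wrong account.
    # namespace: default
---
apiVersion: v1
kind: Service
metadata:
  # This service is meant to be used by clients of the database. It exposes a
  # ClusterIP that will automatically load balance connections to the
  # different database pods.
  name: cockroachdb-public
  # namespace: cockroachdb
  labels:
    app: cockroachdb
spec:
  ports:
    # The main port, served by gRPC, serves Postgres-flavor SQL, internode
    # traffic and the cli.
    - port: 26257
      targetPort: 26257
      name: grpc
    # The secondary port serves the UI as well as health and debug endpoints.
    - port: 8080
      targetPort: 8080
      name: http
  selector:
    app: cockroachdb
---
apiVersion: v1
kind: Service
metadata:
  # This service only exists to create DNS entries for each pod in the stateful
  # set such that they can resolve each other's IP addresses. It does not
  # create a load-balanced ClusterIP and should not be used directly by clients
  # in most circumstances.
  name: cockroachdb
  # namespace: cockroachdb
  labels:
    app: cockroachdb
  annotations:
    # Use this annotation in addition to the actual publishNotReadyAddresses
    # field below because the annotation will stop being respected soon but the
    # field is broken in some versions of Kubernetes:
    # https://github.com/kubernetes/kubernetes/issues/58662
    service.alpha.kubernetes.io/tolerate-unready-endpoints: "true"
    # Enable automatic monitoring of all instances when Prometheus is running
    # in the cluster.
    prometheus.io/scrape: "true"
    prometheus.io/path: "_status/vars"
    prometheus.io/port: "8080"
spec:
  ports:
    - port: 26257
      targetPort: 26257
      name: grpc
    - port: 8080
      targetPort: 8080
      name: http
  # We want all pods in the StatefulSet to have their addresses published for
  # the sake of the other CockroachDB pods even before they're ready, since they
  # have to be able to talk to each other in order to become ready.
  publishNotReadyAddresses: true
  # Headless: no ClusterIP, only per-pod DNS records.
  clusterIP: None
  selector:
    app: cockroachdb
---
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
  name: cockroachdb-budget
  # namespace: cockroachdb
  labels:
    app: cockroachdb
spec:
  selector:
    matchLabels:
      app: cockroachdb
  # Voluntary disruptions (drains, upgrades) may take down at most one of the
  # three database pods at a time.
  maxUnavailable: 1
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: cockroachdb
  # namespace: cockroachdb
spec:
  # Must match the headless Service above: it is what gives each pod the
  # cockroachdb-N.cockroachdb DNS name used in --join below.
  serviceName: "cockroachdb"
  replicas: 3
  selector:
    matchLabels:
      app: cockroachdb
  template:
    metadata:
      labels:
        app: cockroachdb
    spec:
      serviceAccountName: cockroachdb
      affinity:
        podAntiAffinity:
          # Prefer (but do not require) spreading the database pods across
          # different hosts.
          preferredDuringSchedulingIgnoredDuringExecution:
            - weight: 100
              podAffinityTerm:
                labelSelector:
                  matchExpressions:
                    - key: app
                      operator: In
                      values:
                        - cockroachdb
                topologyKey: kubernetes.io/hostname
      containers:
        - name: cockroachdb
          image: cockroachdb/cockroach:v24.1.2
          imagePullPolicy: IfNotPresent
          # TODO: Change these to appropriate values for the hardware that you're
          # running. You can see the resources that can be allocated on each of
          # your Kubernetes nodes by running:
          #   kubectl describe nodes
          # Note that requests and limits should have identical values.
          resources:
            requests:
              cpu: "2"
              memory: "2Gi"
            limits:
              cpu: "2"
              memory: "2Gi"
          ports:
            - containerPort: 26257
              name: grpc
            - containerPort: 8080
              name: http
          # We recommend that you do not configure a liveness probe on a
          # production environment, as this can impact the availability of
          # production databases.
          # livenessProbe:
          #   httpGet:
          #     path: "/health"
          #     port: http
          #     scheme: HTTPS
          #   initialDelaySeconds: 30
          #   periodSeconds: 5
          readinessProbe:
            httpGet:
              path: "/health?ready=1"
              port: http
              # The UI/health port serves TLS in secure mode, so the probe
              # must speak HTTPS.
              scheme: HTTPS
            initialDelaySeconds: 10
            periodSeconds: 5
            failureThreshold: 2
          volumeMounts:
            - name: datadir
              mountPath: /cockroach/cockroach-data
            - name: certs
              mountPath: /cockroach/cockroach-certs
          env:
            - name: COCKROACH_CHANNEL
              value: kubernetes-secure
            # Both values are read from this container's own limits (downward
            # API) so the Go runtime and the cache sizing in the start command
            # follow whatever limits are set above.
            - name: GOMAXPROCS
              valueFrom:
                resourceFieldRef:
                  resource: limits.cpu
                  divisor: "1"
            - name: MEMORY_LIMIT_MIB
              valueFrom:
                resourceFieldRef:
                  resource: limits.memory
                  divisor: "1Mi"
          # All server flags live in this script. Do not add an `args:` list:
          # with `bash -c`, anything appended after the script string only
          # becomes bash's `$0` and never reaches cockroach. The previous
          # `args: ["-- insecure"]` entry was inert for exactly that reason
          # (and contradicted `--certs-dir`), so it has been dropped.
          command:
            - "/bin/bash"
            - "-ecx"
            # The use of qualified `hostname -f` is crucial:
            # Other nodes aren't able to look up the unqualified hostname.
            - exec /cockroach/cockroach start --logtostderr --certs-dir /cockroach/cockroach-certs --advertise-host $(hostname -f) --http-addr 0.0.0.0 --join cockroachdb-0.cockroachdb,cockroachdb-1.cockroachdb,cockroachdb-2.cockroachdb --cache $(expr $MEMORY_LIMIT_MIB / 4)MiB --max-sql-memory $(expr $MEMORY_LIMIT_MIB / 4)MiB
      # No pre-stop hook is required, a SIGTERM plus some time is all that's
      # needed for graceful shutdown of a node.
      terminationGracePeriodSeconds: 60
      volumes:
        - name: datadir
          persistentVolumeClaim:
            claimName: datadir
        - name: certs
          secret:
            secretName: cockroachdb.node
            # 256 decimal == 0400: key material readable by the owner only.
            defaultMode: 256
  # Create all three pods at once instead of one after another.
  podManagementPolicy: Parallel
  updateStrategy:
    type: RollingUpdate
  volumeClaimTemplates:
    - metadata:
        name: datadir
      spec:
        accessModes:
          - "ReadWriteOnce"
        resources:
          requests:
            storage: 1Gi
---
# Traefik v2 CRD group. `traefik.containo.us` was removed in Traefik v3 in
# favour of `traefik.io/v1alpha1`; check the installed Traefik version before
# relying on this apiVersion.
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRouteTCP
metadata:
  name: cockroach-tls
  # namespace: cockroachdb
spec:
  entryPoints:
    - websecure
  routes:
    - match: HostSNI(`cockroach-prod.allarddcs.nl`)
      services:
        - name: cockroachdb-public
          # 8080 is the DB Console / health port, not the SQL port (26257).
          port: 8080
  tls:
    # TLS is passed through untouched, so the certificate a browser sees is
    # the node certificate from the cockroachdb.node Secret - that certificate
    # presumably needs this hostname among its SANs (verify). Nothing in this
    # manifest places any authentication in front of the Console; it is
    # reachable on the public hostname exactly as the nodes serve it.
    passthrough: true
---
# Generated file, DO NOT EDIT. Source: cloud/kubernetes/templates/bring-your-own-certs/client.yaml
# This config file demonstrates how to connect to the CockroachDB StatefulSet
# defined in bring-your-own-certs-statefulset.yaml that uses certificates
# created outside of Kubernetes. See that file for why you may want to use it.
# You should be able to adapt the core ideas to deploy your own custom
# applications and connect them to the database similarly.
#
# The pod that this file defines will sleep in the cluster not using any
# resources. After creating the pod, you can use it to open up a SQL shell to
# the database by running:
#
# kubectl exec -it cockroachdb-client-secure -- ./cockroach sql --url="postgres://root@cockroachdb-public:26257/?sslmode=verify-full&sslcert=/cockroach-certs/client.root.crt&sslkey=/cockroach-certs/client.root.key&sslrootcert=/cockroach-certs/ca.crt"
apiVersion: v1
kind: Pod
metadata:
  name: cockroachdb-client-secure
  # namespace: cockroachdb
  labels:
    app: cockroachdb-client
spec:
  serviceAccountName: cockroachdb
  containers:
    - name: cockroachdb-client
      image: cockroachdb/cockroach:v24.1.2
      # Keep a pod open indefinitely so kubectl exec can be used to get a shell to it
      # and run cockroach client commands, such as cockroach sql, cockroach node status, etc.
      command:
        - sleep
        - "2147483648"  # 2^31
      volumeMounts:
        - name: client-certs
          mountPath: /cockroach-certs
  volumes:
    - name: client-certs
      secret:
        # This is the `root` SQL user's client certificate: whoever can `exec`
        # into this long-lived pod, or read this Secret, can connect as root.
        # Keep `pods/exec` and Secret read rights in this namespace
        # correspondingly tight.
        secretName: cockroachdb.client.root
        defaultMode: 256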