Skip to content

C
charts
Unverified Commit 8eaa2c2e by Denise Committed by GitHub
Options

Merge pull request #324 from keith-mcclellan/master

Add CockroachDB
parents ca1542c0 d74a391d
Showing with 1118 additions and 0 deletions
charts/cockroachdb/19.1.5/Chart.yaml 0 → 100755
apiVersion: v1
name: cockroachdb
home: https://www.cockroachlabs.com
version: 2.1.16
appVersion: 19.1.5
description: CockroachDB is a scalable, survivable, strongly-consistent SQL database.
icon: https://raw.githubusercontent.com/cockroachdb/cockroach/master/docs/media/cockroach_db.png
sources:
- https://github.com/cockroachdb/cockroach
maintainers:
- name: a-robinson
email: alexdwanerobinson@gmail.com
- name: DuskEagle
email: Joel.A.Kenny@gmail.com
- name: joshimhoff
email: joshimhoff13@gmail.com
- name: keith-mcclellan
email: keith.mcclellan@gmail.com
charts/cockroachdb/19.1.5/OWNERS 0 → 100644
approvers:
- a-robinson
- DuskEagle
- joshimhoff
- keith-mcclellan
reviewers:
- a-robinson
- DuskEagle
- joshimhoff
- keith-mcclellan
charts/cockroachdb/19.1.5/README.md 0 → 100644
# CockroachDB Helm Chart
## Documentation
Below is a brief overview of operating the CockroachDB Helm Chart and some specific implementation details. For additional information, please see https://www.cockroachlabs.com/docs/v19.1/orchestrate-cockroachdb-with-kubernetes-insecure.html
## Prerequisites Details
* Kubernetes 1.8
* PV support on the underlying infrastructure. [Docker for windows hostpath provisioner is not supported](https://github.com/cockroachdb/docs/issues/3184).
* If you want to secure your cluster to use TLS certificates for all network
communication, [Helm must be installed with RBAC
privileges](https://github.com/kubernetes/helm/blob/master/docs/rbac.md)
or else you will get an "attempt to grant extra privileges" error.
## StatefulSet Details
* http://kubernetes.io/docs/concepts/abstractions/controllers/statefulsets/
## StatefulSet Caveats
* http://kubernetes.io/docs/concepts/abstractions/controllers/statefulsets/#limitations
## Chart Details
This chart will do the following:
* Set up a dynamically scalable CockroachDB cluster using a Kubernetes StatefulSet
## Installing the Chart
To install the chart with the release name `my-release`:
```shell
helm install --name my-release stable/cockroachdb
```
Note that for a production cluster, you are very likely to want to modify the
`Storage` and `StorageClass` parameters. This chart defaults to 100 GiB of
disk space per pod, but you may want more or less depending on your use case,
and the default persistent volume `StorageClass` in your environment may not be
what you want for a database (e.g. on GCE and Azure the default is not SSD).
If you are running in secure mode (with configuration parameter `Secure.Enabled`
set to `true`), then you will have to manually approve the cluster's security
certificates as the pods are created. You can see the pending
certificate-signing requests by running `kubectl get csr`, and approve them by
running `kubectl certificate approve <csr-name>`. You'll have to approve one
certificate for each node (e.g. `default.node.eerie-horse-cockroachdb-0` and
one client certificate for the job that initializes the cluster (e.g.
`default.node.root`).
Confirm that three pods are ```running``` successfully and init has completed:
```shell
kubectl get pods
```
```
NAME READY STATUS RESTARTS AGE
my-release-cockroachdb-0 1/1 Running 0 1m
my-release-cockroachdb-1 1/1 Running 0 1m
my-release-cockroachdb-2 1/1 Running 0 1m
my-release-cockroachdb-init-k6jcr 0/1 Completed 0 1m
```
Confirm that persistent volumes are created and claimed for each pod:
```shell
kubectl get persistentvolumes
```
```
NAME CAPACITY ACCESS MODES RECLAIM POLICY STATUS CLAIM STORAGECLASS REASON AGE
pvc-64878ebf-f3f0-11e8-ab5b-42010a8e0035 100Gi RWO Delete Bound default/datadir-my-release-cockroachdb-0 standard 51s
pvc-64945b4f-f3f0-11e8-ab5b-42010a8e0035 100Gi RWO Delete Bound default/datadir-my-release-cockroachdb-1 standard 51s
pvc-649d920d-f3f0-11e8-ab5b-42010a8e0035 100Gi RWO Delete Bound default/datadir-my-release-cockroachdb-2 standard 51s
```
## Upgrading
### From 2.0.0 on
Launch a temporary interactive pod and start the built-in SQL client:
```shell
kubectl run cockroachdb -it \
--image=cockroachdb/cockroach \
--rm \
--restart=Never \
-- sql \
--insecure \
--host=my-release-cockroachdb-public
```
Set the ```cluster.preserve_downgrade_option``` cluster setting where $current_version = the version of CRDB currently running, e.g. 2.1:
```> SET CLUSTER SETTING cluster.preserve_downgrade_option = '$current_version';```
Exit the shell and delete the temp pod:
```> \q ```
Kick off the upgrade process by changing to the new Docker image, where $new_version is the version being upgraded to:
```shell
kubectl delete job my-release-cockroachdb-init
```
```shell
helm upgrade \
my-release \
stable/cockroachdb \
--set ImageTag=$new_version \
--reuse-values
```
Monitor the cluster's pods until all have been successfully restarted:
```shell
kubectl get pods
```
```
NAME READY STATUS RESTARTS AGE
my-release-cockroachdb-0 1/1 Running 0 2m
my-release-cockroachdb-1 1/1 Running 0 3m
my-release-cockroachdb-2 1/1 Running 0 3m
my-release-cockroachdb-3 0/1 ContainerCreating 0 25s
my-release-cockroachdb-init-nwjkh 0/1 ContainerCreating 0 6s
```
```shell
kubectl get pods \
-o jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.spec.containers[0].image}{"\n"}'
```
```
my-release-cockroachdb-0 cockroachdb/cockroach:v19.1.5
my-release-cockroachdb-1 cockroachdb/cockroach:v19.1.5
my-release-cockroachdb-2 cockroachdb/cockroach:v19.1.5
my-release-cockroachdb-3 cockroachdb/cockroach:v19.1.5
```
Resume normal operations. Once you are comfortable that the stability and performance of the cluster is what you'd expect post upgrade, finalize it by running the following:
```shell
kubectl run cockroachdb -it \
--image=cockroachdb/cockroach \
--rm \
--restart=Never \
-- sql \
--insecure \
--host=my-release-cockroachdb-public
```
```
> RESET CLUSTER SETTING cluster.preserve_downgrade_option;
```
```
\q
```
### To 2.0.0
Due to having no explicit selector set for the StatefulSet before version 2.0.0 of
this chart, upgrading from any version that uses a version of kubernetes that locks
the selector labels to any other version is impossible without deleting the StatefulSet.
Luckily there is a way to do it without actually deleting all the resources managed
by the StatefulSet. Use the workaround below to upgrade from charts versions previous
to 2.0.0. The following example assumes that the release name is crdb:
```console
$ kubectl delete statefulset crdb-cockroachdb --cascade=false
```
Verify that no pod is deleted and then upgrade as normal. A new StatefulSet will
be created taking over the management of the existing pods upgrading them if needed.
For more information about the upgrading bug see https://github.com/helm/charts/issues/7680.
## Configuration
The following table lists the configurable parameters of the CockroachDB chart and their default values.
| Parameter | Description | Default |
| ------------------------------ | ------------------------------------------------ | ----------------------------------------- |
| `Name` | Chart name | `cockroachdb` |
| `Image` | Container image name | `cockroachdb/cockroach` |
| `ImageTag` | Container image tag | `v19.1.5` |
| `ImagePullPolicy` | Container pull policy | `Always` |
| `Replicas` | k8s statefulset replicas | `3` |
| `MaxUnavailable` | k8s PodDisruptionBudget parameter | `1` |
| `Component` | k8s selector key | `cockroachdb` |
| `ExternalGrpcPort` | CockroachDB primary serving port | `26257` |
| `ExternalGrpcName` | CockroachDB primary serving port name | `grpc` |
| `InternalGrpcPort` | CockroachDB inter-cockroachdb port | `26257` |
| `InternalGrpcName` | CockroachDB inter-cockroachdb port name | `grpc` |
| `InternalHttpPort` | CockroachDB HTTP port | `8080` |
| `ExternalHttpPort` | CockroachDB HTTP port on service | `8080` |
| `HttpName` | Name given to the http service port | `http` |
| `Resources` | Resource requests and limits | `{}` |
| `InitPodResources` | Resource requests and limits for the short-lived init pod | `{}` |
| `Storage` | Persistent volume size | `100Gi` |
| `StorageClass` | Persistent volume class | `null` |
| `CacheSize` | Size of CockroachDB's in-memory cache | `25%` |
| `MaxSQLMemory` | Max memory to use processing SQL queries | `25%` |
| `ClusterDomain` | Cluster's default DNS domain | `cluster.local` |
| `NetworkPolicy.Enabled` | Enable NetworkPolicy | `false` |
| `NetworkPolicy.AllowExternal` | Don't require client label for connections | `true` |
| `Service.Type` | Public service type | `ClusterIP` |
| `Service.Annotations` | Annotations to apply to the service | `{}` |
| `Service.labels` | Labels to apply to the service | `{}` |
| `ServiceDiscovery.labels` | Labels to apply to the service for discovery | `{}` |
| `PodManagementPolicy` | `OrderedReady` or `Parallel` pod creation/deletion order | `Parallel` |
| `UpdateStrategy.type` | allows setting of RollingUpdate strategy | `RollingUpdate` |
| `NodeSelector` | Node labels for pod assignment | `{}` |
| `Tolerations` | List of node taints to tolerate | `{}` |
| `Secure.Enabled` | Whether to run securely using TLS certificates | `false` |
| `Secure.RequestCertsImage` | Image to use for requesting TLS certificates | `cockroachdb/cockroach-k8s-request-cert` |
| `Secure.RequestCertsImageTag` | Image tag to use for requesting TLS certificates | `0.4` |
| `Secure.ServiceAccount.Create` | Whether to create a new RBAC service account | `true` |
| `Secure.ServiceAccount.Name` | Name of RBAC service account to use | `""` |
| `JoinExisting` | List of already-existing cockroach instances | `[]` |
| `Locality` | Locality attribute for this deployment | `""` |
| `ExtraArgs` | Additional command-line arguments | `[]` |
| `ExtraSecretMounts` | Additional secrets to mount at cluster members | `[]` |
| `ExtraEnvArgs` | Allows to set extra ENV args | `[]` |
| `ExtraAnnotations` | Allows to set extra Annotations | `[]` |
| `ExtraInitAnnotations` | Allows to set extra Annotations to init pod | `[]` |
Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`.
Alternatively, a YAML file that specifies the values for the parameters can be provided while installing the chart. For example,
```shell
helm install --name my-release -f values.yaml stable/cockroachdb
```
> **Tip**: You can use the default [values.yaml](values.yaml)
# Deep dive
## Connecting to the CockroachDB cluster
Once you've created the cluster, you can start talking to it by connecting
to its "public" service. CockroachDB is PostgreSQL wire protocol compatible so
there's a [wide variety of supported
clients](https://www.cockroachlabs.com/docs/install-client-drivers.html). For
the sake of example, we'll open up a SQL shell using CockroachDB's built-in
shell and play around with it a bit, like this (likely needing to replace
"my-release-cockroachdb-public" with the name of the "-public" service that
was created with your installed chart):
```console
$ kubectl run -it --rm cockroach-client \
--image=cockroachdb/cockroach \
--restart=Never \
--command -- ./cockroach sql --insecure --host my-release-cockroachdb-public
Waiting for pod default/cockroach-client to be running, status is Pending,
pod ready: false
If you don't see a command prompt, try pressing enter.
root@my-release-cockroachdb-public:26257> SHOW DATABASES;
+--------------------+
| Database |
+--------------------+
| information_schema |
| pg_catalog |
| system |
+--------------------+
(3 rows)
root@my-release-cockroachdb-public:26257> CREATE DATABASE bank;
CREATE DATABASE
root@my-release-cockroachdb-public:26257> CREATE TABLE bank.accounts (id INT
PRIMARY KEY, balance DECIMAL);
CREATE TABLE
root@my-release-cockroachdb-public:26257> INSERT INTO bank.accounts VALUES
(1234, 10000.50);
INSERT 1
root@my-release-cockroachdb-public:26257> SELECT * FROM bank.accounts;
+------+---------+
| id | balance |
+------+---------+
| 1234 | 10000.5 |
+------+---------+
(1 row)
root@my-release-cockroachdb-public:26257> \q
Waiting for pod default/cockroach-client to terminate, status is Running
pod "cockroach-client" deleted
```
If you are running in secure mode, you will have to provide a client certificate
to the cluster in order to authenticate, so the above command will not work. See
[here](https://github.com/cockroachdb/cockroach/blob/master/cloud/kubernetes/client-secure.yaml)
for an example of how to set up an interactive SQL shell against a secure
cluster or
[here](https://github.com/cockroachdb/cockroach/blob/master/cloud/kubernetes/example-app-secure.yaml)
for an example application connecting to a secure cluster.
## Cluster health
Because our pod spec includes regular health checks of the CockroachDB processes,
simply running `kubectl get pods` and looking at the `STATUS` column is sufficient
to determine the health of each instance in the cluster.
If you want more detailed information about the cluster, the best place to look
is the admin UI.
## Accessing the admin UI
If you want to see information about how the cluster is doing, you can try
pulling up the CockroachDB admin UI by port-forwarding from your local machine
to one of the pods (replacing "my-release-cockroachdb-0" with one of your pods'
names):
```shell
kubectl port-forward my-release-cockroachdb-0 8080
```
Once you’ve done that, you should be able to access the admin UI by visiting
http://localhost:8080/ in your web browser.
## Failover
If any CockroachDB member fails it gets restarted or recreated automatically by
the Kubernetes infrastructure, and will rejoin the cluster automatically when
it comes back up. You can test this scenario by killing any of the pods:
```shell
kubectl delete pod my-release-cockroachdb-1
```
```shell
$ kubectl get pods -l "component=my-release-cockroachdb"
NAME READY STATUS RESTARTS AGE
my-release-cockroachdb-0 1/1 Running 0 5m
my-release-cockroachdb-2 1/1 Running 0 5m
```
After a while:
```console
$ kubectl get pods -l "component=my-release-cockroachdb"
NAME READY STATUS RESTARTS AGE
my-release-cockroachdb-0 1/1 Running 0 5m
my-release-cockroachdb-1 1/1 Running 0 20s
my-release-cockroachdb-2 1/1 Running 0 5m
```
You can check state of re-joining from the new pod's logs:
```console
$ kubectl logs my-release-cockroachdb-1
[...]
I161028 19:32:09.754026 1 server/node.go:586 [n1] node connected via gossip and
verified as part of cluster {"35ecbc27-3f67-4e7d-9b8f-27c31aae17d6"}
[...]
cockroachdb-0.my-release-cockroachdb.default.svc.cluster.local:26257
build: beta-20161027-55-gd2d3c7f @ 2016/10/28 19:27:25 (go1.7.3)
admin: http://0.0.0.0:8080
sql:
postgresql://root@my-release-cockroachdb-1.my-release-cockroachdb.default.svc.cluster.local:26257?sslmode=disable
logs: cockroach-data/logs
store[0]: path=cockroach-data
status: restarted pre-existing node
clusterID: {35ecbc27-3f67-4e7d-9b8f-27c31aae17d6}
nodeID: 2
[...]
```
## NetworkPolicy
To enable network policy for CockroachDB,
install [a networking plugin that implements the Kubernetes
NetworkPolicy spec](https://kubernetes.io/docs/tasks/administer-cluster/declare-network-policy#before-you-begin),
and set `NetworkPolicy.Enabled` to `true`.
For Kubernetes v1.5 & v1.6, you must also turn on NetworkPolicy by setting
the DefaultDeny namespace annotation. Note: this will enforce policy for _all_ pods in the namespace:
kubectl annotate namespace default "net.beta.kubernetes.io/network-policy={\"ingress\":{\"isolation\":\"DefaultDeny\"}}"
For more precise policy, set `networkPolicy.allowExternal=false`. This will
only allow pods with the generated client label to connect to CockroachDB.
This label will be displayed in the output of a successful install.
## Scaling
Scaling should typically be managed via the `helm upgrade` command, but StatefulSets
don't yet work with `helm upgrade`. In the meantime until `helm upgrade` works,
if you want to change the number of replicas, you can use the `kubectl scale`
as shown below:
```shell
kubectl scale statefulset my-release-cockroachdb --replicas=4
```
Note that if you are running in secure mode and increase the size of your
cluster, you will also have to approve the certificate-signing request of each
new node (using `kubectl get csr` and `kubectl certificate approve`).
charts/cockroachdb/19.1.5/app-readme.md 0 → 100644
# CockroachDB Chart
CockroachDB is a Distributed SQL database that runs natively in Kubernetes. It gives you resilient, horizontal scale across multiple clouds with always-on availability and data partitioned by location.
CockroachDB scales horizontally without reconfiguration or need for a massive architectural overhaul. Simply add a new node to the cluster and CockroachDB takes care of the underlying complexity.
- Scale by simply adding new nodes to a CockroachDB cluster
- Automate balancing and distribution of ranges, not shards
- Optimize server utilization evenly across all nodes
charts/cockroachdb/19.1.5/questions.yml 0 → 100644
labels:
io.rancher.certified: partner
categories:
- Database
questions:
- default: 100Gi
variable: Storage
description: "Size of volume for each CockroachDB Node/Pod"
group: Config
label: "Storage per Node/Pod"
required: true
type: string
charts/cockroachdb/19.1.5/templates/NOTES.txt 0 → 100644
CockroachDB can be accessed via port {{ .Values.ExternalGrpcPort }} at the
following DNS name from within your cluster:
{{ .Release.Name }}-public.{{ .Release.Namespace }}.svc.cluster.local
Because CockroachDB supports the PostgreSQL wire protocol, you can connect to
the cluster using any available PostgreSQL client.
{{- if not .Values.Secure.Enabled }}
For example, you can open up a SQL shell to the cluster by running:
kubectl run -it --rm cockroach-client \
--image=cockroachdb/cockroach \
--restart=Never \{{- if and (.Values.NetworkPolicy.Enabled) (not .Values.NetworkPolicy.AllowExternal) }}
--labels="{{.Release.Name}}-{{.Values.Component}}-client=true" \{{- end }}
--command -- ./cockroach sql --insecure --host {{ printf "%s-%s" .Release.Name .Values.Name | trunc 56 }}-public.{{ .Release.Namespace }}
From there, you can interact with the SQL shell as you would any other SQL shell,
confident that any data you write will be safe and available even if parts of
your cluster fail.
{{- else }}
Note that because the cluster is running in secure mode, any client application
that you attempt to connect will either need to have a valid client certificate
or a valid username and password.
{{- end }}
{{- if and (.Values.NetworkPolicy.Enabled) (not .Values.NetworkPolicy.AllowExternal) }}
Note: Since NetworkPolicy is enabled, only pods with label
{{.Release.Name}}-{{.Values.Component}}-client=true"
will be able to connect to this cockroachdb cluster.
{{- end }}
Finally, to open up the CockroachDB admin UI, you can port-forward from your
local machine into one of the instances in the cluster:
kubectl port-forward {{ printf "%s-%s" .Release.Name .Values.Name | trunc 56 }}-0 {{ .Values.InternalHttpPort }}
{{- if not .Values.Secure.Enabled }}
Then you can access the admin UI at http://localhost:{{ .Values.InternalHttpPort }}/ in your web browser.
{{- else }}
Then you can access the admin UI at https://localhost:{{ .Values.InternalHttpPort }}/ in your web browser.
{{- end }}
For more information on using CockroachDB, please see the project's docs at
https://www.cockroachlabs.com/docs/
charts/cockroachdb/19.1.5/templates/_helpers.tpl 0 → 100644
{{/*
Return the appropriate apiVersion for networkpolicy.
*/}}
{{- define "cockroachdb.networkPolicy.apiVersion" -}}
{{- if semverCompare ">=1.4-0, <=1.7-0" .Capabilities.KubeVersion.GitVersion -}}
{{- print "extensions/v1beta1" -}}
{{- else if semverCompare "^1.7-0" .Capabilities.KubeVersion.GitVersion -}}
{{- print "networking.k8s.io/v1" -}}
{{- end -}}
{{- end -}}
{{/*
Create the name of the service account to use
*/}}
{{- define "cockroachdb.serviceAccountName" -}}
{{- if .Values.Secure.ServiceAccount.Create -}}
{{ default (printf "%s-%s" .Release.Name .Values.Name | trunc 56) .Values.Secure.ServiceAccount.Name }}
{{- else -}}
{{ default "default" .Values.Secure.ServiceAccount.Name }}
{{- end -}}
{{- end -}}
{{/*
Return the appropriate apiVersion for StatefulSets
*/}}
{{- define "statefulset.apiVersion" -}}
{{- if semverCompare "<1.12-0" .Capabilities.KubeVersion.GitVersion -}}
{{- print "apps/v1beta1" -}}
{{- else -}}
{{- print "apps/v1" -}}
{{- end -}}
{{- end -}}
charts/cockroachdb/19.1.5/templates/cluster-init.yaml 0 → 100644
apiVersion: batch/v1
kind: Job
metadata:
name: "{{ printf "%s-%s" .Release.Name .Values.Name | trunc 56 }}-init"
labels:
heritage: {{.Release.Service | quote }}
release: {{.Release.Name | quote }}
chart: "{{.Chart.Name}}-{{.Chart.Version}}"
spec:
template:
metadata:
{{- if and (.Values.NetworkPolicy.Enabled) (not .Values.NetworkPolicy.AllowExternal) }}
labels:
{{.Release.Name}}-{{.Values.Component}}-client: "true"
{{- end }}
{{- if .Values.ExtraInitAnnotations }}
annotations:
{{ toYaml .Values.ExtraInitAnnotations | indent 8 }}
{{- end }}
spec:
{{- if .Values.Secure.Enabled }}
serviceAccountName: {{ template "cockroachdb.serviceAccountName" . }}
initContainers:
# The init-certs container sends a certificate signing request to the
# kubernetes cluster.
# You can see pending requests using: kubectl get csr
# CSRs can be approved using: kubectl certificate approve <csr name>
#
# In addition to the client certificate and key, the init-certs entrypoint will symlink
# the cluster CA to the certs directory.
- name: init-certs
image: "{{ .Values.Secure.RequestCertsImage }}:{{ .Values.Secure.RequestCertsImageTag }}"
imagePullPolicy: "{{ .Values.ImagePullPolicy }}"
command:
- "/bin/ash"
- "-ecx"
- "/request-cert -namespace=${POD_NAMESPACE} -certs-dir=/cockroach-certs -type=client -user=root -symlink-ca-from=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"
env:
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
volumeMounts:
- name: client-certs
mountPath: /cockroach-certs
{{- end }}
containers:
- name: cluster-init
image: "{{ .Values.Image }}:{{ .Values.ImageTag }}"
imagePullPolicy: "{{ .Values.ImagePullPolicy }}"
resources:
{{ toYaml .Values.InitPodResources | indent 10 }}
{{- if .Values.Secure.Enabled }}
volumeMounts:
- name: client-certs
mountPath: /cockroach-certs
{{- end }}
# Run the command in an `until` loop because this job is bound to come
# up before the cockroach pods (due to the time needed to get
# persistent volumes attached to nodes), and sleeping 5 seconds between
# attempts is much better than letting the pod fail when the init
# command does and waiting out Kubernetes' non-configurable exponential
# backoff for pod restarts.
command:
- "/bin/bash"
- "-ecx"
- "until /cockroach/cockroach init {{ if .Values.Secure.Enabled }}--certs-dir=/cockroach-certs{{ else }}--insecure{{ end }} --host={{ printf "%s-%s" .Release.Name .Values.Name | trunc 56 }}-0.{{ printf "%s-%s" .Release.Name .Values.Name | trunc 56 }} --port {{ .Values.InternalGrpcPort }}; do sleep 5; done"
restartPolicy: OnFailure
{{- if .Values.Secure.Enabled }}
volumes:
- name: client-certs
emptyDir: {}
{{- end }}
charts/cockroachdb/19.1.5/templates/clusterrole.yaml 0 → 100644
{{- if .Values.Secure.Enabled }}
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
name: "{{ printf "%s-%s" .Release.Name .Values.Name | trunc 56 }}"
labels:
heritage: {{ .Release.Service | quote }}
release: {{ .Release.Name | quote }}
chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
component: "{{ .Release.Name }}-{{ .Values.Component }}"
rules:
- apiGroups:
- certificates.k8s.io
resources:
- certificatesigningrequests
verbs:
- create
- get
- watch
{{- end }}
\ No newline at end of file
charts/cockroachdb/19.1.5/templates/clusterrolebinding.yaml 0 → 100644
{{- if .Values.Secure.Enabled }}
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
name: "{{ printf "%s-%s" .Release.Name .Values.Name | trunc 56 }}"
labels:
heritage: {{ .Release.Service | quote }}
release: {{ .Release.Name | quote }}
chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
component: "{{ .Release.Name }}-{{ .Values.Component }}"
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: "{{ printf "%s-%s" .Release.Name .Values.Name | trunc 56 }}"
subjects:
- kind: ServiceAccount
name: {{ template "cockroachdb.serviceAccountName" . }}
namespace: {{ .Release.Namespace | quote }}
{{- end }}
\ No newline at end of file
charts/cockroachdb/19.1.5/templates/networkpolicy.yaml 0 → 100644
{{- if .Values.NetworkPolicy.Enabled }}
kind: NetworkPolicy
apiVersion: {{ template "cockroachdb.networkPolicy.apiVersion" . }}
metadata:
name: "{{ printf "%s-%s" .Release.Name .Values.Name | trunc 56 }}"
labels:
heritage: {{ .Release.Service | quote }}
release: {{ .Release.Name | quote }}
chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
component: "{{ .Release.Name }}-{{ .Values.Component }}"
spec:
podSelector:
matchLabels:
component: "{{.Release.Name}}-{{.Values.Component}}"
ingress:
- ports:
- port: {{ .Values.ExternalGrpcPort}}
{{- if not .Values.NetworkPolicy.AllowExternal }}
from:
# Allow clients to connect.
- podSelector:
matchLabels:
{{.Release.Name}}-{{.Values.Component}}-client: "true"
# Allow other cockroachdb's to connect to form cluster.
- podSelector:
matchLabels:
component: "{{.Release.Name}}-{{.Values.Component}}"
{{- end }}
{{- if ne .Values.InternalGrpcPort .Values.ExternalGrpcPort }}
- ports:
- port: {{ .Values.InternalGrpcPort}}
from:
# Allow other cockroachdb's to connect to form cluster.
- podSelector:
matchLabels:
component: "{{.Release.Name}}-{{.Values.Component}}"
{{- end }}
# Allow connections to admin UI.
- ports:
- port: {{.Values.ExternalHttpPort}}
# Allow connections from Prometheus.
- ports:
- port: {{.Values.ExternalHttpPort}}
{{- end }}
charts/cockroachdb/19.1.5/templates/pdb.yaml 0 → 100644
apiVersion: policy/v1beta1
kind: PodDisruptionBudget
metadata:
name: "{{ printf "%s-%s" .Release.Name .Values.Name | trunc 56 }}-budget"
labels:
heritage: {{ .Release.Service | quote }}
release: {{ .Release.Name | quote }}
chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
component: "{{ .Release.Name }}-{{ .Values.Component }}"
spec:
selector:
matchLabels:
component: "{{ .Release.Name }}-{{ .Values.Component }}"
maxUnavailable: {{ .Values.MaxUnavailable }}
\ No newline at end of file
charts/cockroachdb/19.1.5/templates/role.yaml 0 → 100644
{{- if .Values.Secure.Enabled }}
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: Role
metadata:
name: "{{ printf "%s-%s" .Release.Name .Values.Name | trunc 56 }}"
labels:
heritage: {{ .Release.Service | quote }}
release: {{ .Release.Name | quote }}
chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
component: "{{ .Release.Name }}-{{ .Values.Component }}"
rules:
- apiGroups:
- ""
resources:
- secrets
verbs:
- create
- get
{{- end }}
\ No newline at end of file
charts/cockroachdb/19.1.5/templates/rolebinding.yaml 0 → 100644
{{- if .Values.Secure.Enabled }}
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: RoleBinding
metadata:
name: "{{ printf "%s-%s" .Release.Name .Values.Name | trunc 56 }}"
labels:
heritage: {{ .Release.Service | quote }}
release: {{ .Release.Name | quote }}
chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
component: "{{ .Release.Name }}-{{ .Values.Component }}"
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: "{{ printf "%s-%s" .Release.Name .Values.Name | trunc 56 }}"
subjects:
- kind: ServiceAccount
name: {{ template "cockroachdb.serviceAccountName" . }}
namespace: {{ .Release.Namespace | quote }}
{{- end }}
\ No newline at end of file
charts/cockroachdb/19.1.5/templates/service-discovery.yaml 0 → 100644
apiVersion: v1
kind: Service
metadata:
# This service only exists to create DNS entries for each pod in the stateful
# set such that they can resolve each other's IP addresses. It does not
# create a load-balanced ClusterIP and should not be used directly by clients
# in most circumstances.
name: "{{ printf "%s-%s" .Release.Name .Values.Name | trunc 56 }}"
labels:
heritage: {{ .Release.Service | quote }}
release: {{ .Release.Name | quote }}
chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
component: "{{ .Release.Name }}-{{ .Values.Component }}"
{{- if .Values.ServiceDiscovery.labels }}
{{ toYaml .Values.ServiceDiscovery.labels | indent 4 }}
{{- end }}
annotations:
# Use this annotation in addition to the actual field below because the
# annotation will stop being respected soon but the field is broken in
# some versions of Kubernetes:
# https://github.com/kubernetes/kubernetes/issues/58662
service.alpha.kubernetes.io/tolerate-unready-endpoints: "true"
# Enable automatic monitoring of all instances when Prometheus is running in the cluster.
prometheus.io/scrape: "true"
prometheus.io/path: "_status/vars"
prometheus.io/port: "{{ .Values.ExternalHttpPort }}"
spec:
ports:
- port: {{ .Values.ExternalGrpcPort }}
targetPort: {{ .Values.InternalGrpcPort }}
name: {{ .Values.ExternalGrpcName }}
# The secondary port serves the UI as well as health and debug endpoints.
- port: {{ .Values.ExternalHttpPort }}
targetPort: {{ .Values.InternalHttpPort }}
name: {{ .Values.HttpName }}
{{- if ne .Values.InternalGrpcPort .Values.ExternalGrpcPort }}
- port: {{ .Values.InternalGrpcPort }}
targetPort: {{ .Values.InternalGrpcPort }}
name: {{ .Values.InternalGrpcName }}
{{- end }}
# We want all pods in the StatefulSet to have their addresses published for
# the sake of the other CockroachDB pods even before they're ready, since they
# have to be able to talk to each other in order to become ready.
publishNotReadyAddresses: true
clusterIP: None
selector:
component: "{{ .Release.Name }}-{{ .Values.Component }}"
\ No newline at end of file
charts/cockroachdb/19.1.5/templates/service.yaml 0 → 100644
apiVersion: v1
kind: Service
metadata:
# This service is meant to be used by clients of the database. It exposes a ClusterIP that will
# automatically load balance connections to the different database pods.
name: "{{ printf "%s-%s" .Release.Name .Values.Name | trunc 56 }}-public"
annotations:
{{ toYaml .Values.Service.annotations | indent 4 }}
labels:
heritage: {{ .Release.Service | quote }}
release: {{ .Release.Name | quote }}
chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
component: "{{ .Release.Name }}-{{ .Values.Component }}"
{{- if .Values.Service.labels }}
{{ toYaml .Values.Service.labels | indent 4 }}
{{- end }}
spec:
type: {{ .Values.Service.type }}
ports:
# The main port, served by gRPC, serves Postgres-flavor SQL, internode
# traffic and the cli.
- port: {{ .Values.ExternalGrpcPort }}
targetPort: {{ .Values.InternalGrpcPort }}
name: {{ .Values.ExternalGrpcName }}
# The secondary port serves the UI as well as health and debug endpoints.
- port: {{ .Values.ExternalHttpPort }}
targetPort: {{ .Values.InternalHttpPort }}
name: {{ .Values.HttpName }}
{{- if ne .Values.InternalGrpcPort .Values.ExternalGrpcPort }}
- port: {{ .Values.InternalGrpcPort }}
targetPort: {{ .Values.InternalGrpcPort }}
name: {{ .Values.InternalGrpcName }}
{{- end }}
selector:
component: "{{ .Release.Name }}-{{ .Values.Component }}"
\ No newline at end of file
charts/cockroachdb/19.1.5/templates/serviceaccount.yaml 0 → 100644
{{- if and .Values.Secure.Enabled .Values.Secure.ServiceAccount.Create }}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ template "cockroachdb.serviceAccountName" . }}
labels:
heritage: {{ .Release.Service | quote }}
release: {{ .Release.Name | quote }}
chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
component: "{{ .Release.Name }}-{{ .Values.Component }}"
{{- end }}
\ No newline at end of file
charts/cockroachdb/19.1.5/templates/statefulset.yaml 0 → 100644
apiVersion: {{ template "statefulset.apiVersion" . }}
kind: StatefulSet
metadata:
name: "{{ printf "%s-%s" .Release.Name .Values.Name | trunc 56 }}"
spec:
serviceName: "{{ printf "%s-%s" .Release.Name .Values.Name | trunc 56 }}"
replicas: {{ default 3 .Values.Replicas }}
selector:
matchLabels:
heritage: {{ .Release.Service | quote }}
release: {{ .Release.Name | quote }}
component: "{{ .Release.Name }}-{{ .Values.Component }}"
template:
metadata:
{{- if .Values.ExtraAnnotations }}
annotations:
{{ toYaml .Values.ExtraAnnotations | indent 8 }}
{{- end }}
labels:
heritage: {{ .Release.Service | quote }}
release: {{ .Release.Name | quote }}
chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
component: "{{ .Release.Name }}-{{ .Values.Component }}"
spec:
{{- if .Values.Secure.Enabled }}
serviceAccountName: {{ template "cockroachdb.serviceAccountName" . }}
initContainers:
# The init-certs container sends a certificate signing request to the
# kubernetes cluster.
# You can see pending requests using: kubectl get csr
# CSRs can be approved using: kubectl certificate approve <csr name>
#
# All addresses used to contact a node must be specified in the --addresses arg.
#
# In addition to the node certificate and key, the init-certs entrypoint will symlink
# the cluster CA to the certs directory.
- name: init-certs
image: "{{ .Values.Secure.RequestCertsImage }}:{{ .Values.Secure.RequestCertsImageTag }}"
imagePullPolicy: "{{ .Values.ImagePullPolicy }}"
command:
- "/bin/ash"
- "-ecx"
- "/request-cert -namespace=${POD_NAMESPACE} -certs-dir=/cockroach-certs -type=node -addresses=localhost,127.0.0.1,$(hostname -f),$(hostname -f|cut -f 1-2 -d '.'),{{ printf "%s-%s" .Release.Name .Values.Name | trunc 56 }}-public,{{ printf "%s-%s" .Release.Name .Values.Name | trunc 56 }}-public.$(hostname -f|cut -f 3- -d '.') -symlink-ca-from=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"
env:
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
volumeMounts:
- name: certs
mountPath: /cockroach-certs
{{- end }}
affinity:
podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 100
podAffinityTerm:
labelSelector:
matchExpressions:
- key: component
operator: In
values:
- "{{ .Release.Name }}-{{ .Values.Component }}"
topologyKey: kubernetes.io/hostname
{{- if .Values.NodeSelector }}
nodeSelector:
{{ toYaml .Values.NodeSelector | indent 8 }}
{{- end }}
{{- if .Values.Tolerations }}
tolerations:
{{ toYaml .Values.Tolerations | indent 8 }}
{{- end }}
containers:
- name: "{{ printf "%s-%s" .Release.Name .Values.Name | trunc 56 }}"
image: "{{ .Values.Image }}:{{ .Values.ImageTag }}"
imagePullPolicy: "{{ .Values.ImagePullPolicy }}"
ports:
- containerPort: {{ .Values.InternalGrpcPort }}
name: grpc
- containerPort: {{ .Values.InternalHttpPort }}
name: http
livenessProbe:
httpGet:
path: "/health"
port: http
{{- if .Values.Secure.Enabled }}
scheme: HTTPS
{{- end }}
initialDelaySeconds: 30
periodSeconds: 5
readinessProbe:
httpGet:
path: "/health?ready=1"
port: http
{{- if .Values.Secure.Enabled }}
scheme: HTTPS
{{- end }}
initialDelaySeconds: 10
periodSeconds: 5
failureThreshold: 2
resources:
{{ toYaml .Values.Resources | indent 10 }}
env:
- name: STATEFULSET_NAME
value: "{{ printf "%s-%s" .Release.Name .Values.Name | trunc 56 }}"
- name: STATEFULSET_FQDN
value: "{{ printf "%s-%s" .Release.Name .Values.Name | trunc 56 }}.{{ .Release.Namespace }}.svc.{{ .Values.ClusterDomain }}"
- name: COCKROACH_CHANNEL
value: kubernetes-helm
{{- if .Values.ExtraEnvArgs }}
{{ toYaml .Values.ExtraEnvArgs | indent 8 }}
{{- end }}
volumeMounts:
- name: datadir
mountPath: /cockroach/cockroach-data
{{- if .Values.Secure.Enabled }}
- name: certs
mountPath: /cockroach/cockroach-certs
{{- end }}
{{- range .Values.ExtraSecretMounts }}
- name: extra-secret-{{ . }}
mountPath: /etc/cockroach/secrets/{{ . }}
readOnly: true
{{- end }}
command:
- "/bin/bash"
- "-ecx"
# The use of qualified `hostname -f` is crucial:
# Other nodes aren't able to look up the unqualified hostname.
- "exec /cockroach/cockroach start --logtostderr {{ if .Values.Secure.Enabled }}--certs-dir /cockroach/cockroach-certs{{ else }}--insecure{{ end }} --advertise-host $(hostname).${STATEFULSET_FQDN} --http-host 0.0.0.0 --http-port {{ .Values.InternalHttpPort }} --port {{ .Values.InternalGrpcPort }} --cache {{ .Values.CacheSize }} --max-sql-memory {{ .Values.MaxSQLMemory }} {{ if .Values.Locality }}--locality={{.Values.Locality }}{{ end }} --join {{ if .Values.JoinExisting }}{{ join "," .Values.JoinExisting }}{{ else }}${STATEFULSET_NAME}-0.${STATEFULSET_FQDN}:{{ .Values.InternalGrpcPort }},${STATEFULSET_NAME}-1.${STATEFULSET_FQDN}:{{ .Values.InternalGrpcPort }},${STATEFULSET_NAME}-2.${STATEFULSET_FQDN}:{{ .Values.InternalGrpcPort }}{{ end }}{{ range .Values.ExtraArgs }} {{ . }}{{ end }}"
# No pre-stop hook is required, a SIGTERM plus some time is all that's
# needed for graceful shutdown of a node.
terminationGracePeriodSeconds: 60
volumes:
- name: datadir
persistentVolumeClaim:
claimName: datadir
{{- if .Values.Secure.Enabled }}
- name: certs
emptyDir: {}
{{- end }}
{{- range .Values.ExtraSecretMounts }}
- name: extra-secret-{{ . }}
secret:
secretName: {{ . }}
{{- end }}
podManagementPolicy: {{ .Values.PodManagementPolicy }}
updateStrategy:
{{ toYaml .Values.UpdateStrategy | indent 4 }}
volumeClaimTemplates:
- metadata:
name: datadir
spec:
accessModes:
- "ReadWriteOnce"
{{- if .Values.StorageClass }}
{{- if (eq "-" .Values.StorageClass) }}
storageClassName: ""
{{- else }}
storageClassName: "{{ .Values.StorageClass }}"
{{- end }}
{{- end }}
resources:
requests:
storage: "{{ .Values.Storage }}"
charts/cockroachdb/19.1.5/templates/tests/client-test.yaml 0 → 100644
apiVersion: v1
kind: Pod
metadata:
name: "{{ printf "%s-%s" .Release.Name .Values.Name | trunc 56 }}-test"
annotations:
"helm.sh/hook": test-success
{{- if and (.Values.NetworkPolicy.Enabled) (not .Values.NetworkPolicy.AllowExternal) }}
labels:
"{{.Release.Name}}-{{.Values.Component}}-client": true
{{- end }}
spec:
containers:
- name: "client-test"
image: "{{ .Values.Image }}:{{ .Values.ImageTag }}"
imagePullPolicy: "{{ .Values.ImagePullPolicy }}"
command:
- "/cockroach/cockroach"
- "sql"
- "--insecure"
- "--host"
- "{{ printf "%s-%s" .Release.Name .Values.Name | trunc 56 }}-public.{{ .Release.Namespace }}"
- "--port"
- "{{ .Values.ExternalGrpcPort }}"
- "-e"
- "SHOW DATABASES;"
restartPolicy: Never
charts/cockroachdb/19.1.5/values.yaml 0 → 100644
# Default values for cockroachdb.
# This is a YAML-formatted file.
# Declare name/value pairs to be passed into your templates.
# name: value
Name: "cockroachdb"
Image: "cockroachdb/cockroach"
ImageTag: "v19.1.5"
ImagePullPolicy: "Always"
Replicas: 3
MaxUnavailable: 1
Component: "cockroachdb"
# You can set a different external and internal GRPC port and service name. If using istio set InternalGrpcName to "cockroach"
InternalGrpcPort: 26257
ExternalGrpcPort: 26257
# If the port numbers are different then then port names must be different as well.
InternalGrpcName: grpc
ExternalGrpcName: grpc
InternalHttpPort: 8080
ExternalHttpPort: 8080
HttpName: http
# Uncomment the following resources definitions or pass them from command line
# to control the cpu and memory resources allocated by the Kubernetes cluster
Resources: {}
# requests:
# cpu: "100m"
# memory: "512Mi"
# The init pod runs at cluster creation to initialize CockroachDB. It finishes
# quickly and doesn't continue to consume resources in the Kubernetes
# cluster. Normally, you should leave this section commented out, but if your
# Kubernetes cluster uses Resource Quotas and requires all pods to specify
# resource requests or limits, you can set those here.
InitPodResources: {}
# requests:
# cpu: "10m"
# memory: "128Mi"
# limits:
# cpu: "10m"
# memory: "128Mi"
Storage: "100Gi"
## Persistent Volume Storage Class for database data
## If defined, storageClassName: <StorageClass>
## If set to "-", storageClassName: "", which disables dynamic provisioning
## If undefined or set to null, no storageClassName spec is
## set, choosing the default provisioner. (gp2 on AWS, standard on
## GKE, AWS & OpenStack)
##
StorageClass: null
CacheSize: "25%"
MaxSQLMemory: "25%"
ClusterDomain: "cluster.local"
NetworkPolicy:
Enabled: false
AllowExternal: true
Service:
type: ClusterIP
annotations: {}
labels: {}
ServiceDiscovery:
labels: {}
PodManagementPolicy: Parallel
UpdateStrategy:
type: RollingUpdate
NodeSelector: {}
Tolerations: {}
Secure:
Enabled: false
RequestCertsImage: "cockroachdb/cockroach-k8s-request-cert"
RequestCertsImageTag: "0.4"
ServiceAccount:
# Specifies whether a service account should be created.
Create: true
# The name of the service account to use.
# If not set and create is true, a name is generated.
Name:
# If you are deploying a second cockroach instance that should join a first, use the below list to join to the existing instance.
# Each item in the array should be a FQDN (and port if needed) resolvable by the new pods.
JoinExisting: []
# Set a locality (e.g. "region=us-central1,datacenter=us-centra1-a") if you're doing multi-cluster so data is distributed properly
Locality: ""
# Additional command-line arguments you want to pass to the `cockroach start` commands
ExtraArgs: []
# ExtraSecretMounts is a list of names from secrets in the same namespace as the cockroachdb cluster, which shall be mounted into /etc/cockroach/secrets/ for every cluster member.
ExtraSecretMounts: []
# ExtraEnvArgs is a list of name,value tuples providing extra ENV variables.
# e.g.:
# ExtraEnvArgs:
# - name: COCKROACH_ENGINE_MAX_SYNC_DURATION
# value: "24h"
ExtraEnvArgs: []
# ExtraAnnotations is an object to provide additional annotations to the Statefulset
# e.g.:
# ExtraAnnotations:
# key: values
ExtraAnnotations: {}
# ExtraInitAnnotations is an object to provide additional annotations to the ClusterInit Pod
# e.g.:
# ExtraInitAnnotations:
# key: values
ExtraInitAnnotations: {}
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment