forked from hswaw/hscloud
cluster/kube/lib/cockroachdb: refactor
We refactor this library to: - support multiple databases, but with a strong suggestion of having one per k8s cluster - drop the database creation logic - redo naming (allowing for two options: multiple clusters per namespace or an exclusive namespace for the cluster) - unhardcode DNS names
master
parent
224a50bbfe
commit
662a3cdcca
|
@ -1,419 +1,414 @@
|
||||||
# Deploy a 3-node CockroachDB cluster in secure mode.
|
# Deploy a 3-node CockroachDB cluster in secure mode.
|
||||||
|
|
||||||
|
# Can be used either in own namespace or in an existing one:
|
||||||
|
# crdb: cockroachdb.Cluster("q3kdb") {
|
||||||
|
# cfg+: {
|
||||||
|
# namespace: "q3k", // if not given, will create 'q3kdb' namespace
|
||||||
|
# },
|
||||||
|
#},
|
||||||
|
#
|
||||||
|
# After the cluster is up, you can get to an administrateive SQL shell:
|
||||||
|
# $ kubectl -n q3k exec -it q3kdb-client /cockroach/cockroach sql
|
||||||
|
# root@q3kdb-cockroachdb-0.q3kdb-internal.q3k.svc.cluster.local:26257/defaultdb>
|
||||||
|
#
|
||||||
|
# Then, you can create some users and databases for applications:
|
||||||
|
# defaultdb> CREATE DATABASE wykop;
|
||||||
|
# defaultdb> CREATE USER bialkov PASSWORD hackme;
|
||||||
|
# defaultdb> GRANT ALL ON DATABASE wykop to bialkov;
|
||||||
|
#
|
||||||
|
# You are then ready to access the database via the public service from your application.
|
||||||
|
#
|
||||||
|
# PGCLIENTENCODING=utf8 psql -h q3kdb-public -p 26257 -U bialkov wykop
|
||||||
|
# Password for user bialkov:
|
||||||
|
# psql (10.9 (Ubuntu 10.9-0ubuntu0.18.04.1), server 9.5.0)
|
||||||
|
# SSL connection (protocol: TLSv1.2, cipher: ECDHE-RSA-AES128-GCM-SHA256, bits: 128, compression: off)
|
||||||
|
# Type "help" for help.
|
||||||
|
#
|
||||||
|
# wykop=>
|
||||||
|
|
||||||
|
|
||||||
local kube = import "../../../kube/kube.libsonnet";
|
local kube = import "../../../kube/kube.libsonnet";
|
||||||
local cm = import "cert-manager.libsonnet";
|
local cm = import "cert-manager.libsonnet";
|
||||||
|
|
||||||
{
|
{
|
||||||
local cockroachdb = self,
|
Cluster(name): {
|
||||||
local crdb = cockroachdb,
|
local cluster = self,
|
||||||
local cfg = crdb.cfg,
|
|
||||||
|
|
||||||
cfg:: {
|
cfg:: {
|
||||||
namespace: error "namespace must be set",
|
image: "cockroachdb/cockroach:v19.1.0",
|
||||||
appName: error "app name must be set",
|
namespace: null,
|
||||||
prefix: "", # if set, should be 'foo-',
|
ownNamespace: cluster.cfg.namespace == null,
|
||||||
|
|
||||||
image: "cockroachdb/cockroach:v19.1.0",
|
|
||||||
database: error "database name must be set",
|
|
||||||
username: error "username must be set",
|
|
||||||
password: error "password must be set",
|
|
||||||
},
|
|
||||||
|
|
||||||
makeName(suffix):: cfg.prefix + suffix,
|
|
||||||
|
|
||||||
metadata:: {
|
|
||||||
namespace: cfg.namespace,
|
|
||||||
labels: {
|
|
||||||
"app.kubernetes.io/name": cfg.appName,
|
|
||||||
"app.kubernetes.io/managed-by": "kubecfg",
|
|
||||||
"app.kubernetes.io/component": "cockroachdb",
|
|
||||||
},
|
},
|
||||||
},
|
|
||||||
|
|
||||||
pki: {
|
namespaceName:: if cluster.cfg.namespace != null then cluster.cfg.namespace else name,
|
||||||
selfSignedIssuer: cm.Issuer("cockroachdb-selfsigned-issuer") {
|
|
||||||
metadata+: crdb.metadata,
|
metadata:: {
|
||||||
spec: {
|
namespace: cluster.namespaceName,
|
||||||
selfSigned: {},
|
labels: {
|
||||||
|
"app.kubernetes.io/name": "cockroachdb",
|
||||||
|
"app.kubernetes.io/managed-by": "kubecfg",
|
||||||
|
"app.kubernetes.io/component": "cockroachdb",
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
|
|
||||||
selfSignedKeypair: cm.Certificate("cockroachdb-cluster-ca-keypair") {
|
namespace: {
|
||||||
metadata+: crdb.metadata,
|
[if cluster.cfg.ownNamespace then "ns"]: kube.Namespace(cluster.namespaceName),
|
||||||
spec: {
|
},
|
||||||
secretName: "cockroachdb-cluster-ca-keypair",
|
|
||||||
duration: "43800h0m0s", // 5 years
|
name(suffix):: if cluster.cfg.ownNamespace then suffix else name + "-" + suffix,
|
||||||
isCA: true,
|
|
||||||
issuerRef: {
|
hosts:: ["%s-%d.%s.cluster.local" % [cluster.statefulSet.metadata.name, n, cluster.internalService.host] for n in std.range(0, cluster.statefulSet.spec.replicas)],
|
||||||
name: crdb.pki.selfSignedIssuer.metadata.name,
|
|
||||||
|
pki: {
|
||||||
|
selfSignedIssuer: cm.Issuer(cluster.name("selfsigned")) {
|
||||||
|
metadata+: cluster.metadata,
|
||||||
|
spec: {
|
||||||
|
selfSigned: {},
|
||||||
},
|
},
|
||||||
commonName: "cockroachdb-cluster-ca",
|
|
||||||
},
|
},
|
||||||
},
|
|
||||||
|
|
||||||
clusterIssuer: cm.Issuer("cockroachdb-cluster-ca") {
|
selfSignedKeypair: cm.Certificate(cluster.name("cluster-ca")) {
|
||||||
metadata+: crdb.metadata,
|
metadata+: cluster.metadata,
|
||||||
spec: {
|
spec: {
|
||||||
ca: {
|
secretName: cluster.name("cluster-ca"),
|
||||||
secretName: crdb.pki.selfSignedKeypair.metadata.name,
|
duration: "43800h0m0s", // 5 years
|
||||||
|
isCA: true,
|
||||||
|
issuerRef: {
|
||||||
|
name: cluster.pki.selfSignedIssuer.metadata.name,
|
||||||
|
},
|
||||||
|
commonName: "cockroachdb-cluster-ca",
|
||||||
|
},
|
||||||
|
},
|
||||||
|
|
||||||
|
clusterIssuer: cm.Issuer(cluster.name("cluster-ca")) {
|
||||||
|
metadata+: cluster.metadata,
|
||||||
|
spec: {
|
||||||
|
ca: {
|
||||||
|
secretName: cluster.pki.selfSignedKeypair.metadata.name,
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
|
||||||
|
nodeCertificate: cm.Certificate(cluster.name("node")) {
|
||||||
|
metadata+: cluster.metadata,
|
||||||
|
spec: {
|
||||||
|
secretName: "cockroachdb-node-cert",
|
||||||
|
duration: "43800h0m0s", // 5 years
|
||||||
|
issuerRef: {
|
||||||
|
name: cluster.pki.clusterIssuer.metadata.name,
|
||||||
|
},
|
||||||
|
commonName: "node",
|
||||||
|
dnsNames: [
|
||||||
|
"localhost",
|
||||||
|
"127.0.0.1",
|
||||||
|
cluster.publicService.metadata.name,
|
||||||
|
std.join(".", [cluster.publicService.metadata.name, cluster.metadata.namespace ]),
|
||||||
|
std.join(".", [cluster.publicService.host, "cluster.local" ]),
|
||||||
|
std.join(".", [ "*", cluster.internalService.metadata.name ]),
|
||||||
|
std.join(".", [ "*", cluster.internalService.metadata.name, cluster.metadata.namespace ]),
|
||||||
|
std.join(".", [ "*", cluster.internalService.host, "cluster.local" ]),
|
||||||
|
],
|
||||||
|
},
|
||||||
|
},
|
||||||
|
|
||||||
|
clientCertificate: cm.Certificate(cluster.name("client")) {
|
||||||
|
metadata+: cluster.metadata,
|
||||||
|
spec: {
|
||||||
|
secretName: cluster.name("client-certificate"),
|
||||||
|
duration: "43800h0m0s", // 5 years
|
||||||
|
issuerRef: {
|
||||||
|
name: cluster.pki.clusterIssuer.metadata.name,
|
||||||
|
},
|
||||||
|
commonName: "root",
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
|
|
||||||
nodeCertificate: cm.Certificate("cockroachdb-node-cert") {
|
serviceAccount: kube.ServiceAccount(cluster.name("cockroachdb")) {
|
||||||
metadata+: crdb.metadata,
|
metadata+: cluster.metadata,
|
||||||
spec: {
|
},
|
||||||
secretName: "cockroachdb-node-cert",
|
|
||||||
duration: "43800h0m0s", // 5 years
|
role: kube.Role(cluster.name("cockroachdb")) {
|
||||||
issuerRef: {
|
metadata+: cluster.metadata,
|
||||||
name: crdb.pki.clusterIssuer.metadata.name,
|
rules: [
|
||||||
|
{
|
||||||
|
apiGroups: [ "" ],
|
||||||
|
resources: [ "secrets" ],
|
||||||
|
verbs: [ "get" ],
|
||||||
},
|
},
|
||||||
commonName: "node",
|
],
|
||||||
dnsNames: [
|
},
|
||||||
"localhost",
|
|
||||||
"127.0.0.1",
|
roleBinding: kube.RoleBinding(cluster.name("cockroachdb")) {
|
||||||
crdb.publicService.metadata.name,
|
metadata+: cluster.metadata,
|
||||||
std.join(".", [crdb.publicService.metadata.name, cfg.namespace ]),
|
roleRef_: cluster.role,
|
||||||
std.join(".", [crdb.publicService.host, "cluster.local" ]),
|
subjects_: [cluster.serviceAccount],
|
||||||
std.join(".", [ "*", crdb.internalService.metadata.name ]),
|
},
|
||||||
std.join(".", [ "*", crdb.internalService.metadata.name, cfg.namespace ]),
|
|
||||||
std.join(".", [ "*", crdb.internalService.host, "cluster.local" ]),
|
publicService: kube.Service(cluster.name("public")) {
|
||||||
|
metadata+: cluster.metadata,
|
||||||
|
target_pod:: cluster.statefulSet.spec.template,
|
||||||
|
spec+: {
|
||||||
|
ports: [
|
||||||
|
{ name: "grpc", port: 26257, targetPort: 26257 },
|
||||||
|
{ name: "http", port: 8080, targetPort: 8080 },
|
||||||
],
|
],
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
|
|
||||||
clientCertificate: cm.Certificate("cockroachdb-client-cert") {
|
internalService: kube.Service(cluster.name("internal")) {
|
||||||
metadata+: crdb.metadata,
|
metadata+: cluster.metadata + {
|
||||||
|
annotations+: {
|
||||||
|
"service.alpha.kubernetes.io/tolerate-unready-endpoints": "true",
|
||||||
|
"prometheus.io/scrape": "true",
|
||||||
|
"prometheus.io/path": "_status/vars",
|
||||||
|
"prometheus.io/port": "8080",
|
||||||
|
},
|
||||||
|
},
|
||||||
|
target_pod:: cluster.statefulSet.spec.template,
|
||||||
|
spec+: {
|
||||||
|
ports: [
|
||||||
|
{ name: "grpc", port: 26257, targetPort: 26257 },
|
||||||
|
{ name: "http", port: 8080, targetPort: 8080 },
|
||||||
|
],
|
||||||
|
publishNotReadyAddresses: true,
|
||||||
|
clusterIP: "None",
|
||||||
|
},
|
||||||
|
},
|
||||||
|
|
||||||
|
podDisruptionBudget: kube.PodDisruptionBudget(cluster.name("pod")) {
|
||||||
|
metadata+: cluster.metadata,
|
||||||
spec: {
|
spec: {
|
||||||
secretName: "cockroachdb-client-cert",
|
selector: {
|
||||||
duration: "43800h0m0s", // 5 years
|
matchLabels: {
|
||||||
issuerRef: {
|
"app.kubernetes.io/component": "cockroachdb",
|
||||||
name: crdb.pki.clusterIssuer.metadata.name,
|
},
|
||||||
},
|
},
|
||||||
commonName: "root",
|
maxUnavailable: 1,
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
},
|
|
||||||
|
|
||||||
serviceAccount: kube.ServiceAccount("cockroachdb") {
|
statefulSet: kube.StatefulSet(cluster.name("cockroachdb")) {
|
||||||
metadata+: crdb.metadata,
|
metadata+: cluster.metadata {
|
||||||
},
|
labels+: {
|
||||||
|
"app.kubernetes.io/component": "server",
|
||||||
role: kube.Role("cockroachdb") {
|
|
||||||
metadata+: crdb.metadata,
|
|
||||||
rules: [
|
|
||||||
{
|
|
||||||
apiGroups: [ "" ],
|
|
||||||
resources: [ "secrets" ],
|
|
||||||
verbs: [ "get" ],
|
|
||||||
},
|
|
||||||
],
|
|
||||||
},
|
|
||||||
|
|
||||||
roleBinding: kube.RoleBinding("cockroachdb") {
|
|
||||||
metadata+: crdb.metadata,
|
|
||||||
roleRef: {
|
|
||||||
apiGroup: "rbac.authorization.k8s.io",
|
|
||||||
kind: "Role",
|
|
||||||
name: "cockroachdb",
|
|
||||||
},
|
|
||||||
subjects: [
|
|
||||||
{
|
|
||||||
kind: "ServiceAccount",
|
|
||||||
name: crdb.serviceAccount.metadata.name,
|
|
||||||
namespace: cfg.namespace,
|
|
||||||
},
|
|
||||||
],
|
|
||||||
},
|
|
||||||
|
|
||||||
publicService: kube.Service(crdb.makeName("cockroachdb-public")) {
|
|
||||||
metadata+: crdb.metadata,
|
|
||||||
target_pod:: crdb.statefulSet.spec.template,
|
|
||||||
spec+: {
|
|
||||||
ports: [
|
|
||||||
{ name: "grpc", port: 26257, targetPort: 26257 },
|
|
||||||
{ name: "http", port: 8080, targetPort: 8080 },
|
|
||||||
],
|
|
||||||
},
|
|
||||||
},
|
|
||||||
|
|
||||||
internalService: kube.Service(crdb.makeName("cockroachdb")) {
|
|
||||||
metadata+: crdb.metadata + {
|
|
||||||
annotations+: {
|
|
||||||
"service.alpha.kubernetes.io/tolerate-unready-endpoints": "true",
|
|
||||||
"prometheus.io/scrape": "true",
|
|
||||||
"prometheus.io/path": "_status/vars",
|
|
||||||
"prometheus.io/port": "8080",
|
|
||||||
},
|
|
||||||
},
|
|
||||||
target_pod:: crdb.statefulSet.spec.template,
|
|
||||||
spec+: {
|
|
||||||
ports: [
|
|
||||||
{ name: "grpc", port: 26257, targetPort: 26257 },
|
|
||||||
{ name: "http", port: 8080, targetPort: 8080 },
|
|
||||||
],
|
|
||||||
publishNotReadyAddresses: true,
|
|
||||||
clusterIP: "None",
|
|
||||||
},
|
|
||||||
},
|
|
||||||
|
|
||||||
podDisruptionBudget: kube.PodDisruptionBudget(crdb.makeName("cockroachdb-budget")) {
|
|
||||||
metadata+: crdb.metadata,
|
|
||||||
spec: {
|
|
||||||
selector: {
|
|
||||||
matchLabels: {
|
|
||||||
"app.kubernetes.io/component": "cockroachdb",
|
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
maxUnavailable: 1,
|
spec+: {
|
||||||
},
|
serviceName: cluster.internalService.metadata.name,
|
||||||
},
|
replicas: 3,
|
||||||
|
template: {
|
||||||
statefulSet: kube.StatefulSet(crdb.makeName("cockroachdb")) {
|
metadata: cluster.statefulSet.metadata,
|
||||||
metadata+: crdb.metadata,
|
spec+: {
|
||||||
spec+: {
|
dnsPolicy: "ClusterFirst",
|
||||||
serviceName: crdb.internalService.metadata.name,
|
serviceAccountName: cluster.serviceAccount.metadata.name,
|
||||||
replicas: 3,
|
affinity: {
|
||||||
template: {
|
podAntiAffinity: {
|
||||||
metadata+: crdb.metadata,
|
preferredDuringSchedulingIgnoredDuringExecution: [
|
||||||
spec+: {
|
{
|
||||||
dnsPolicy: "ClusterFirst",
|
weight: 100,
|
||||||
serviceAccountName: crdb.serviceAccount.metadata.name,
|
podAffinityTerm: {
|
||||||
affinity: {
|
labelSelector: {
|
||||||
podAntiAffinity: {
|
matchExpressions: [
|
||||||
preferredDuringSchedulingIgnoredDuringExecution: [
|
{
|
||||||
{
|
key: "app.kubernetes.io/component",
|
||||||
weight: 100,
|
operator: "In",
|
||||||
podAffinityTerm: {
|
values: [ "cockroachdb" ],
|
||||||
labelSelector: {
|
},
|
||||||
matchExpressions: [
|
],
|
||||||
{
|
},
|
||||||
key: "app.kubernetes.io/component",
|
topologyKey: "kubernetes.io/hostname",
|
||||||
operator: "In",
|
|
||||||
values: [ "cockroachdb" ],
|
|
||||||
},
|
|
||||||
],
|
|
||||||
},
|
},
|
||||||
topologyKey: "kubernetes.io/hostname",
|
},
|
||||||
|
],
|
||||||
|
},
|
||||||
|
},
|
||||||
|
containers: [
|
||||||
|
kube.Container("cockroachdb") {
|
||||||
|
image: cluster.cfg.image,
|
||||||
|
imagePullPolicy: "IfNotPresent",
|
||||||
|
resources: {
|
||||||
|
requests: {
|
||||||
|
cpu: "2",
|
||||||
|
memory: "6Gi",
|
||||||
|
},
|
||||||
|
limits: {
|
||||||
|
memory: "6Gi",
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
],
|
ports_: {
|
||||||
},
|
"grpc": { containerPort: 26257 },
|
||||||
|
"http": { containerPort: 8080 },
|
||||||
|
},
|
||||||
|
livenessProbe: {
|
||||||
|
httpGet: {
|
||||||
|
path: "/health",
|
||||||
|
port: "http",
|
||||||
|
},
|
||||||
|
initialDelaySeconds: 30,
|
||||||
|
periodSeconds: 5,
|
||||||
|
},
|
||||||
|
readinessProbe: {
|
||||||
|
httpGet: {
|
||||||
|
path: "/health?ready=1",
|
||||||
|
port: "http",
|
||||||
|
},
|
||||||
|
initialDelaySeconds: 10,
|
||||||
|
periodSeconds: 5,
|
||||||
|
failureThreshold: 2,
|
||||||
|
},
|
||||||
|
volumeMounts: [
|
||||||
|
{
|
||||||
|
name: "datadir",
|
||||||
|
mountPath: "/cockroach/cockroach-data",
|
||||||
|
},
|
||||||
|
{
|
||||||
|
name: "certs",
|
||||||
|
mountPath: "/cockroach/cockroach-certs/node.crt",
|
||||||
|
subPath: "tls.crt",
|
||||||
|
},
|
||||||
|
{
|
||||||
|
name: "certs",
|
||||||
|
mountPath: "/cockroach/cockroach-certs/node.key",
|
||||||
|
subPath: "tls.key",
|
||||||
|
},
|
||||||
|
{
|
||||||
|
name: "certs",
|
||||||
|
mountPath: "/cockroach/cockroach-certs/ca.crt",
|
||||||
|
subPath: "ca.crt",
|
||||||
|
},
|
||||||
|
],
|
||||||
|
env_: {
|
||||||
|
"COCKROACH_CERTS_DIR": "/cockroach/cockroach-certs",
|
||||||
|
},
|
||||||
|
command: [
|
||||||
|
"/bin/bash",
|
||||||
|
"-ecx",
|
||||||
|
"exec /cockroach/cockroach start --logtostderr --certs-dir /cockroach/cockroach-certs --advertise-host $(hostname -f) --http-addr 0.0.0.0 --cache 25% --max-sql-memory 25% --join " + std.join(",", cluster.hosts),
|
||||||
|
],
|
||||||
|
},
|
||||||
|
],
|
||||||
|
terminationGracePeriodSeconds: 60,
|
||||||
|
volumes: [
|
||||||
|
{
|
||||||
|
name: "datadir",
|
||||||
|
emptyDir: {},
|
||||||
|
},
|
||||||
|
{
|
||||||
|
name: "certs",
|
||||||
|
secret: {
|
||||||
|
secretName: cluster.pki.nodeCertificate.spec.secretName,
|
||||||
|
defaultMode: kube.parseOctal("400"),
|
||||||
|
},
|
||||||
|
},
|
||||||
|
],
|
||||||
},
|
},
|
||||||
containers: [
|
|
||||||
kube.Container("cockroachdb") {
|
|
||||||
image: cfg.image,
|
|
||||||
imagePullPolicy: "IfNotPresent",
|
|
||||||
resources: {
|
|
||||||
requests: {
|
|
||||||
cpu: "2",
|
|
||||||
memory: "6Gi",
|
|
||||||
},
|
|
||||||
limits: {
|
|
||||||
memory: "6Gi",
|
|
||||||
},
|
|
||||||
},
|
|
||||||
ports_: {
|
|
||||||
"grpc": { containerPort: 26257 },
|
|
||||||
"http": { containerPort: 8080 },
|
|
||||||
},
|
|
||||||
livenessProbe: {
|
|
||||||
httpGet: {
|
|
||||||
path: "/health",
|
|
||||||
port: "http",
|
|
||||||
},
|
|
||||||
initialDelaySeconds: 30,
|
|
||||||
periodSeconds: 5,
|
|
||||||
},
|
|
||||||
readinessProbe: {
|
|
||||||
httpGet: {
|
|
||||||
path: "/health?ready=1",
|
|
||||||
port: "http",
|
|
||||||
},
|
|
||||||
initialDelaySeconds: 10,
|
|
||||||
periodSeconds: 5,
|
|
||||||
failureThreshold: 2,
|
|
||||||
},
|
|
||||||
volumeMounts: [
|
|
||||||
{
|
|
||||||
name: "datadir",
|
|
||||||
mountPath: "/cockroach/cockroach-data",
|
|
||||||
},
|
|
||||||
{
|
|
||||||
name: "certs",
|
|
||||||
mountPath: "/cockroach/cockroach-certs/node.crt",
|
|
||||||
subPath: "tls.crt",
|
|
||||||
},
|
|
||||||
{
|
|
||||||
name: "certs",
|
|
||||||
mountPath: "/cockroach/cockroach-certs/node.key",
|
|
||||||
subPath: "tls.key",
|
|
||||||
},
|
|
||||||
{
|
|
||||||
name: "certs",
|
|
||||||
mountPath: "/cockroach/cockroach-certs/ca.crt",
|
|
||||||
subPath: "ca.crt",
|
|
||||||
},
|
|
||||||
],
|
|
||||||
env_: {
|
|
||||||
"COCKROACH_CERTS_DIR": "/cockroach/cockroach-certs",
|
|
||||||
},
|
|
||||||
command: [
|
|
||||||
"/bin/bash",
|
|
||||||
"-ecx",
|
|
||||||
"exec /cockroach/cockroach start --logtostderr --certs-dir /cockroach/cockroach-certs --advertise-host $(hostname -f) --http-addr 0.0.0.0 --join cockroachdb-0.cockroachdb,cockroachdb-1.cockroachdb,cockroachdb-2.cockroachdb --cache 25% --max-sql-memory 25%",
|
|
||||||
],
|
|
||||||
},
|
|
||||||
],
|
|
||||||
terminationGracePeriodSeconds: 60,
|
|
||||||
volumes: [
|
|
||||||
{
|
|
||||||
name: "datadir",
|
|
||||||
emptyDir: {},
|
|
||||||
},
|
|
||||||
{
|
|
||||||
name: "certs",
|
|
||||||
secret: {
|
|
||||||
secretName: crdb.pki.nodeCertificate.spec.secretName,
|
|
||||||
defaultMode: kube.parseOctal("400"),
|
|
||||||
},
|
|
||||||
},
|
|
||||||
],
|
|
||||||
},
|
},
|
||||||
},
|
podManagementPolicy: "Parallel",
|
||||||
podManagementPolicy: "Parallel",
|
updateStrategy: {
|
||||||
updateStrategy: {
|
type: "RollingUpdate",
|
||||||
type: "RollingUpdate",
|
|
||||||
},
|
|
||||||
},
|
|
||||||
},
|
|
||||||
|
|
||||||
initJob: kube.Job(crdb.makeName("cockroachdb-init")) {
|
|
||||||
metadata+: crdb.metadata,
|
|
||||||
spec: {
|
|
||||||
template: {
|
|
||||||
metadata+: crdb.metadata,
|
|
||||||
spec+: {
|
|
||||||
serviceAccountName: crdb.serviceAccount.metadata.name,
|
|
||||||
initContainers: [
|
|
||||||
kube.Container("cluster-init") {
|
|
||||||
image: cfg.image,
|
|
||||||
imagePullPolicy: "IfNotPresent",
|
|
||||||
env_: {
|
|
||||||
"COCKROACH_CERTS_DIR": "/cockroach/cockroach-certs",
|
|
||||||
},
|
|
||||||
command: [
|
|
||||||
"/bin/bash",
|
|
||||||
"-ecx",
|
|
||||||
"/cockroach/cockroach init --host=cockroachdb-0.cockroachdb",
|
|
||||||
],
|
|
||||||
volumeMounts: [
|
|
||||||
{
|
|
||||||
name: "certs",
|
|
||||||
mountPath: "/cockroach/cockroach-certs/ca.crt",
|
|
||||||
subPath: "ca.crt",
|
|
||||||
},
|
|
||||||
{
|
|
||||||
name: "certs",
|
|
||||||
mountPath: "/cockroach/cockroach-certs/client.root.crt",
|
|
||||||
subPath: "tls.crt",
|
|
||||||
},
|
|
||||||
{
|
|
||||||
name: "certs",
|
|
||||||
mountPath: "/cockroach/cockroach-certs/client.root.key",
|
|
||||||
subPath: "tls.key",
|
|
||||||
},
|
|
||||||
],
|
|
||||||
},
|
|
||||||
],
|
|
||||||
containers: [
|
|
||||||
kube.Container("db-init") {
|
|
||||||
image: cfg.image,
|
|
||||||
imagePullPolicy: "IfNotPresent",
|
|
||||||
env_: {
|
|
||||||
"COCKROACH_CERTS_DIR": "/cockroach/cockroach-certs",
|
|
||||||
"DB_NAME": cfg.database,
|
|
||||||
"DB_USERNAME": cfg.username,
|
|
||||||
"DB_PASSWORD": cfg.password,
|
|
||||||
},
|
|
||||||
command: [
|
|
||||||
"/bin/bash",
|
|
||||||
"-ec",
|
|
||||||
"/cockroach/cockroach sql -e \"CREATE DATABASE ${DB_NAME}; CREATE USER ${DB_USERNAME} PASSWORD '${DB_PASSWORD}'; GRANT ALL ON DATABASE ${DB_NAME} TO ${DB_USERNAME};\" --host=cockroachdb-0.cockroachdb",
|
|
||||||
],
|
|
||||||
volumeMounts: [
|
|
||||||
{
|
|
||||||
name: "certs",
|
|
||||||
mountPath: "/cockroach/cockroach-certs/ca.crt",
|
|
||||||
subPath: "ca.crt",
|
|
||||||
},
|
|
||||||
{
|
|
||||||
name: "certs",
|
|
||||||
mountPath: "/cockroach/cockroach-certs/client.root.crt",
|
|
||||||
subPath: "tls.crt",
|
|
||||||
},
|
|
||||||
{
|
|
||||||
name: "certs",
|
|
||||||
mountPath: "/cockroach/cockroach-certs/client.root.key",
|
|
||||||
subPath: "tls.key",
|
|
||||||
},
|
|
||||||
],
|
|
||||||
},
|
|
||||||
],
|
|
||||||
restartPolicy: "OnFailure",
|
|
||||||
volumes: [
|
|
||||||
{
|
|
||||||
name: "certs",
|
|
||||||
secret: {
|
|
||||||
secretName: crdb.pki.clientCertificate.spec.secretName,
|
|
||||||
defaultMode: kube.parseOctal("400")
|
|
||||||
}
|
|
||||||
},
|
|
||||||
],
|
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
},
|
|
||||||
|
|
||||||
clientPod: kube.Pod(crdb.makeName("cockroachdb-client")) {
|
initJob: kube.Job(cluster.name("init")) {
|
||||||
metadata+: crdb.metadata,
|
metadata+: cluster.metadata,
|
||||||
spec: {
|
spec: {
|
||||||
terminationGracePeriodSeconds: 5,
|
template: {
|
||||||
containers: [
|
metadata+: cluster.metadata,
|
||||||
kube.Container("cockroachdb-client") {
|
spec+: {
|
||||||
image: cfg.image,
|
serviceAccountName: cluster.serviceAccount.metadata.name,
|
||||||
env_: {
|
containers: [
|
||||||
"COCKROACH_CERTS_DIR": "/cockroach/cockroach-certs",
|
kube.Container("cluster-init") {
|
||||||
|
image: cluster.cfg.image,
|
||||||
|
imagePullPolicy: "IfNotPresent",
|
||||||
|
env_: {
|
||||||
|
"COCKROACH_CERTS_DIR": "/cockroach/cockroach-certs",
|
||||||
|
},
|
||||||
|
command: [
|
||||||
|
"/bin/bash",
|
||||||
|
"-ecx",
|
||||||
|
"/cockroach/cockroach init --host=" + cluster.hosts[0],
|
||||||
|
],
|
||||||
|
volumeMounts: [
|
||||||
|
{
|
||||||
|
name: "certs",
|
||||||
|
mountPath: "/cockroach/cockroach-certs/ca.crt",
|
||||||
|
subPath: "ca.crt",
|
||||||
|
},
|
||||||
|
{
|
||||||
|
name: "certs",
|
||||||
|
mountPath: "/cockroach/cockroach-certs/client.root.crt",
|
||||||
|
subPath: "tls.crt",
|
||||||
|
},
|
||||||
|
{
|
||||||
|
name: "certs",
|
||||||
|
mountPath: "/cockroach/cockroach-certs/client.root.key",
|
||||||
|
subPath: "tls.key",
|
||||||
|
},
|
||||||
|
],
|
||||||
|
},
|
||||||
|
],
|
||||||
|
restartPolicy: "OnFailure",
|
||||||
|
volumes: [
|
||||||
|
{
|
||||||
|
name: "certs",
|
||||||
|
secret: {
|
||||||
|
secretName: cluster.pki.clientCertificate.spec.secretName,
|
||||||
|
defaultMode: kube.parseOctal("400")
|
||||||
|
}
|
||||||
|
},
|
||||||
|
],
|
||||||
},
|
},
|
||||||
command: ["sleep", "2147483648"], //(FIXME) keep the client pod running indefinitely
|
|
||||||
volumeMounts: [
|
|
||||||
{
|
|
||||||
name: "certs",
|
|
||||||
mountPath: "/cockroach/cockroach-certs/ca.crt",
|
|
||||||
subPath: "ca.crt",
|
|
||||||
},
|
|
||||||
{
|
|
||||||
name: "certs",
|
|
||||||
mountPath: "/cockroach/cockroach-certs/client.root.crt",
|
|
||||||
subPath: "tls.crt",
|
|
||||||
},
|
|
||||||
{
|
|
||||||
name: "certs",
|
|
||||||
mountPath: "/cockroach/cockroach-certs/client.root.key",
|
|
||||||
subPath: "tls.key",
|
|
||||||
},
|
|
||||||
],
|
|
||||||
},
|
},
|
||||||
],
|
},
|
||||||
volumes: [
|
},
|
||||||
{
|
|
||||||
name: "certs",
|
clientPod: kube.Pod(cluster.name("client")) {
|
||||||
secret: {
|
metadata+: cluster.metadata {
|
||||||
secretName: crdb.pki.clientCertificate.spec.secretName,
|
labels+: {
|
||||||
defaultMode: kube.parseOctal("400")
|
"app.kubernetes.io/component": "client",
|
||||||
}
|
|
||||||
},
|
},
|
||||||
],
|
},
|
||||||
|
spec: {
|
||||||
|
terminationGracePeriodSeconds: 5,
|
||||||
|
containers: [
|
||||||
|
kube.Container("cockroachdb-client") {
|
||||||
|
image: cluster.cfg.image,
|
||||||
|
env_: {
|
||||||
|
"COCKROACH_CERTS_DIR": "/cockroach/cockroach-certs",
|
||||||
|
"COCKROACH_HOST": cluster.hosts[0],
|
||||||
|
},
|
||||||
|
command: ["sleep", "2147483648"], //(FIXME) keep the client pod running indefinitely
|
||||||
|
volumeMounts: [
|
||||||
|
{
|
||||||
|
name: "certs",
|
||||||
|
mountPath: "/cockroach/cockroach-certs/ca.crt",
|
||||||
|
subPath: "ca.crt",
|
||||||
|
},
|
||||||
|
{
|
||||||
|
name: "certs",
|
||||||
|
mountPath: "/cockroach/cockroach-certs/client.root.crt",
|
||||||
|
subPath: "tls.crt",
|
||||||
|
},
|
||||||
|
{
|
||||||
|
name: "certs",
|
||||||
|
mountPath: "/cockroach/cockroach-certs/client.root.key",
|
||||||
|
subPath: "tls.key",
|
||||||
|
},
|
||||||
|
],
|
||||||
|
},
|
||||||
|
],
|
||||||
|
volumes: [
|
||||||
|
{
|
||||||
|
name: "certs",
|
||||||
|
secret: {
|
||||||
|
secretName: cluster.pki.clientCertificate.spec.secretName,
|
||||||
|
defaultMode: kube.parseOctal("400")
|
||||||
|
}
|
||||||
|
},
|
||||||
|
],
|
||||||
|
},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
|
|
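Review bot: The node certificate's `secretName: "cockroachdb-node-cert"` is the one Secret name left hard-coded after the renaming, so two Clusters placed in the same namespace — the layout this refactor explicitly enables via `cfg.namespace` — would have cert-manager write both node keypairs into the same Secret, and each StatefulSet would mount whichever keypair was written last, signed by the other cluster's CA; it should follow the client certificate, e.g. `secretName: cluster.name("node-certificate"),`. Separately, `std.range` is inclusive in Jsonnet, so `hosts` for a 3-replica set enumerates four pods and `--join` carries a non-existent `-3` address; use `for n in std.range(0, cluster.statefulSet.spec.replicas - 1)`. The retained Role also grants `get` on every Secret in the namespace with no `resourceNames`, which in the shared-namespace layout lets each cluster's ServiceAccount read the other cluster's `cluster-ca` private key. Since the pods receive their certificates as mounted volumes rather than fetching them through the API, that rule may no longer be needed at all — worth confirming before keeping it.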