Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

release: automate orchestration version update #77018

Merged
merged 1 commit into from
Mar 3, 2022
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions cloud/kubernetes/bring-your-own-certs/client.yaml
Original file line number Diff line number Diff line change
@@ -1,3 +1,4 @@
# Generated file, DO NOT EDIT. Source: cloud/kubernetes/templates/bring-your-own-certs/client.yaml
# This config file demonstrates how to connect to the CockroachDB StatefulSet
# defined in bring-your-own-certs-statefulset.yaml that uses certificates
# created outside of Kubernetes. See that file for why you may want to use it.
Expand Down
Original file line number Diff line number Diff line change
@@ -1,3 +1,4 @@
# Generated file, DO NOT EDIT. Source: cloud/kubernetes/templates/bring-your-own-certs/cockroachdb-statefulset.yaml
# This config file defines a CockroachDB StatefulSet that uses certificates
# created outside of Kubernetes. You may want to use it if you want to use a
# different certificate authority from the one being used by Kubernetes or if
Expand Down
1 change: 1 addition & 0 deletions cloud/kubernetes/client-secure.yaml
Original file line number Diff line number Diff line change
@@ -1,3 +1,4 @@
# Generated file, DO NOT EDIT. Source: cloud/kubernetes/templates/client-secure.yaml
apiVersion: v1
kind: Pod
metadata:
Expand Down
1 change: 1 addition & 0 deletions cloud/kubernetes/cluster-init-secure.yaml
Original file line number Diff line number Diff line change
@@ -1,3 +1,4 @@
# Generated file, DO NOT EDIT. Source: cloud/kubernetes/templates/cluster-init-secure.yaml
apiVersion: batch/v1
kind: Job
metadata:
Expand Down
1 change: 1 addition & 0 deletions cloud/kubernetes/cluster-init.yaml
Original file line number Diff line number Diff line change
@@ -1,3 +1,4 @@
# Generated file, DO NOT EDIT. Source: cloud/kubernetes/templates/cluster-init.yaml
apiVersion: batch/v1
kind: Job
metadata:
Expand Down
1 change: 1 addition & 0 deletions cloud/kubernetes/cockroachdb-statefulset-secure.yaml
Original file line number Diff line number Diff line change
@@ -1,3 +1,4 @@
# Generated file, DO NOT EDIT. Source: cloud/kubernetes/templates/cockroachdb-statefulset-secure.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
Expand Down
1 change: 1 addition & 0 deletions cloud/kubernetes/cockroachdb-statefulset.yaml
Original file line number Diff line number Diff line change
@@ -1,3 +1,4 @@
# Generated file, DO NOT EDIT. Source: cloud/kubernetes/templates/cockroachdb-statefulset.yaml
apiVersion: v1
kind: Service
metadata:
Expand Down
1 change: 1 addition & 0 deletions cloud/kubernetes/multiregion/client-secure.yaml
Original file line number Diff line number Diff line change
@@ -1,3 +1,4 @@
# Generated file, DO NOT EDIT. Source: cloud/kubernetes/templates/multiregion/client-secure.yaml
apiVersion: v1
kind: Pod
metadata:
Expand Down
1 change: 1 addition & 0 deletions cloud/kubernetes/multiregion/cluster-init-secure.yaml
Original file line number Diff line number Diff line change
@@ -1,3 +1,4 @@
# Generated file, DO NOT EDIT. Source: cloud/kubernetes/templates/multiregion/cluster-init-secure.yaml
apiVersion: batch/v1
kind: Job
metadata:
Expand Down
Original file line number Diff line number Diff line change
@@ -1,3 +1,4 @@
# Generated file, DO NOT EDIT. Source: cloud/kubernetes/templates/multiregion/cockroachdb-statefulset-secure.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
Expand Down
Original file line number Diff line number Diff line change
@@ -1,3 +1,4 @@
# Generated file, DO NOT EDIT. Source: cloud/kubernetes/templates/multiregion/eks/cockroachdb-statefulset-secure-eks.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
Expand Down
Original file line number Diff line number Diff line change
@@ -1,3 +1,4 @@
# Generated file, DO NOT EDIT. Source: cloud/kubernetes/templates/performance/cockroachdb-daemonset-insecure.yaml
# This configuration file sets up a DaemonSet running CockroachDB in insecure
# mode. For more information on why you might want to use a DaemonSet instead
# of a StatefulSet, see our docs:
Expand Down
Original file line number Diff line number Diff line change
@@ -1,3 +1,4 @@
# Generated file, DO NOT EDIT. Source: cloud/kubernetes/templates/performance/cockroachdb-daemonset-secure.yaml
# This configuration file sets up a secure DaemonSet running CockroachDB.
# For more information on why you might want to use a DaemonSet instead
# of a StatefulSet, see our docs:
Expand Down
Original file line number Diff line number Diff line change
@@ -1,3 +1,4 @@
# Generated file, DO NOT EDIT. Source: cloud/kubernetes/templates/performance/cockroachdb-statefulset-insecure.yaml
# This configuration file sets up an insecure StatefulSet running CockroachDB with
# tweaks to make it more performant than our default configuration files. All
# changes from the default insecure configuration have been marked with a comment
Expand Down
Original file line number Diff line number Diff line change
@@ -1,3 +1,4 @@
# Generated file, DO NOT EDIT. Source: cloud/kubernetes/templates/performance/cockroachdb-statefulset-secure.yaml
# This configuration file sets up a secure StatefulSet running CockroachDB with
# tweaks to make it more performant than our default configuration files. All
# changes from the default secure configuration have been marked with a comment
Expand Down
35 changes: 35 additions & 0 deletions cloud/kubernetes/templates/bring-your-own-certs/client.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,35 @@
# This config file demonstrates how to connect to the CockroachDB StatefulSet
# defined in bring-your-own-certs-statefulset.yaml that uses certificates
# created outside of Kubernetes. See that file for why you may want to use it.
# You should be able to adapt the core ideas to deploy your own custom
# applications and connect them to the database similarly.
#
# The pod that this file defines will sleep in the cluster not using any
# resources. After creating the pod, you can use it to open up a SQL shell to
# the database by running:
#
# kubectl exec -it cockroachdb-client-secure -- ./cockroach sql --url="postgres://root@cockroachdb-public:26257/?sslmode=verify-full&sslcert=/cockroach-certs/client.root.crt&sslkey=/cockroach-certs/client.root.key&sslrootcert=/cockroach-certs/ca.crt"
apiVersion: v1
kind: Pod
metadata:
name: cockroachdb-client-secure
labels:
app: cockroachdb-client
spec:
serviceAccountName: cockroachdb
containers:
- name: cockroachdb-client
image: cockroachdb/cockroach:@VERSION@
# Keep a pod open indefinitely so kubectl exec can be used to get a shell to it
# and run cockroach client commands, such as cockroach sql, cockroach node status, etc.
command:
- sleep
- "2147483648" # 2^31
volumeMounts:
- name: client-certs
mountPath: /cockroach-certs
volumes:
- name: client-certs
secret:
secretName: cockroachdb.client.root
defaultMode: 256
Original file line number Diff line number Diff line change
@@ -0,0 +1,244 @@
# This config file defines a CockroachDB StatefulSet that uses certificates
# created outside of Kubernetes. You may want to use it if you want to use a
# different certificate authority from the one being used by Kubernetes or if
# your Kubernetes cluster doesn't fully support certificate-signing requests
# (e.g. as of July 2018, EKS doesn't work properly).
#
# To use this config file, first set up your certificates and load them into
# your Kubernetes cluster as Secrets using the commands below:
#
# mkdir certs
# mkdir my-safe-directory
# cockroach cert create-ca --certs-dir=certs --ca-key=my-safe-directory/ca.key
# cockroach cert create-client root --certs-dir=certs --ca-key=my-safe-directory/ca.key
# kubectl create secret generic cockroachdb.client.root --from-file=certs
# cockroach cert create-node --certs-dir=certs --ca-key=my-safe-directory/ca.key localhost 127.0.0.1 cockroachdb-public cockroachdb-public.default cockroachdb-public.default.svc.cluster.local *.cockroachdb *.cockroachdb.default *.cockroachdb.default.svc.cluster.local
# kubectl create secret generic cockroachdb.node --from-file=certs
# kubectl create -f bring-your-own-certs-statefulset.yaml
# kubectl exec -it cockroachdb-0 -- /cockroach/cockroach init --certs-dir=/cockroach/cockroach-certs
apiVersion: v1
kind: ServiceAccount
metadata:
name: cockroachdb
labels:
app: cockroachdb
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: cockroachdb
labels:
app: cockroachdb
rules:
- apiGroups:
- ""
resources:
- secrets
verbs:
- get
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: cockroachdb
labels:
app: cockroachdb
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: cockroachdb
subjects:
- kind: ServiceAccount
name: cockroachdb
namespace: default
---
apiVersion: v1
kind: Service
metadata:
# This service is meant to be used by clients of the database. It exposes a ClusterIP that will
# automatically load balance connections to the different database pods.
name: cockroachdb-public
labels:
app: cockroachdb
spec:
ports:
# The main port, served by gRPC, serves Postgres-flavor SQL, internode
# traffic and the cli.
- port: 26257
targetPort: 26257
name: grpc
# The secondary port serves the UI as well as health and debug endpoints.
- port: 8080
targetPort: 8080
name: http
selector:
app: cockroachdb
---
apiVersion: v1
kind: Service
metadata:
# This service only exists to create DNS entries for each pod in the stateful
# set such that they can resolve each other's IP addresses. It does not
# create a load-balanced ClusterIP and should not be used directly by clients
# in most circumstances.
name: cockroachdb
labels:
app: cockroachdb
annotations:
# Use this annotation in addition to the actual publishNotReadyAddresses
# field below because the annotation will stop being respected soon but the
# field is broken in some versions of Kubernetes:
# https://github.com/kubernetes/kubernetes/issues/58662
service.alpha.kubernetes.io/tolerate-unready-endpoints: "true"
# Enable automatic monitoring of all instances when Prometheus is running in the cluster.
prometheus.io/scrape: "true"
prometheus.io/path: "_status/vars"
prometheus.io/port: "8080"
spec:
ports:
- port: 26257
targetPort: 26257
name: grpc
- port: 8080
targetPort: 8080
name: http
# We want all pods in the StatefulSet to have their addresses published for
# the sake of the other CockroachDB pods even before they're ready, since they
# have to be able to talk to each other in order to become ready.
publishNotReadyAddresses: true
clusterIP: None
selector:
app: cockroachdb
---
apiVersion: policy/v1beta1
kind: PodDisruptionBudget
metadata:
name: cockroachdb-budget
labels:
app: cockroachdb
spec:
selector:
matchLabels:
app: cockroachdb
maxUnavailable: 1
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: cockroachdb
spec:
serviceName: "cockroachdb"
replicas: 3
selector:
matchLabels:
app: cockroachdb
template:
metadata:
labels:
app: cockroachdb
spec:
serviceAccountName: cockroachdb
affinity:
podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 100
podAffinityTerm:
labelSelector:
matchExpressions:
- key: app
operator: In
values:
- cockroachdb
topologyKey: kubernetes.io/hostname
containers:
- name: cockroachdb
image: cockroachdb/cockroach:@VERSION@
imagePullPolicy: IfNotPresent
# TODO: Change these to appropriate values for the hardware that you're running. You can see
# the resources that can be allocated on each of your Kubernetes nodes by running:
# kubectl describe nodes
# Note that requests and limits should have identical values.
resources:
requests:
cpu: "2"
memory: "8Gi"
limits:
cpu: "2"
memory: "8Gi"
ports:
- containerPort: 26257
name: grpc
- containerPort: 8080
name: http
# We recommend that you do not configure a liveness probe on a production environment, as this can impact the availability of production databases.
# livenessProbe:
# httpGet:
# path: "/health"
# port: http
# scheme: HTTPS
# initialDelaySeconds: 30
# periodSeconds: 5
readinessProbe:
httpGet:
path: "/health?ready=1"
port: http
scheme: HTTPS
initialDelaySeconds: 10
periodSeconds: 5
failureThreshold: 2
volumeMounts:
- name: datadir
mountPath: /cockroach/cockroach-data
- name: certs
mountPath: /cockroach/cockroach-certs
env:
- name: COCKROACH_CHANNEL
value: kubernetes-secure
- name: GOMAXPROCS
valueFrom:
resourceFieldRef:
resource: limits.cpu
divisor: "1"
- name: MEMORY_LIMIT_MIB
valueFrom:
resourceFieldRef:
resource: limits.memory
divisor: "1Mi"
command:
- "/bin/bash"
- "-ecx"
# The use of qualified `hostname -f` is crucial:
# Other nodes aren't able to look up the unqualified hostname.
- exec
/cockroach/cockroach
start
--logtostderr
--certs-dir /cockroach/cockroach-certs
--advertise-host $(hostname -f)
--http-addr 0.0.0.0
--join cockroachdb-0.cockroachdb,cockroachdb-1.cockroachdb,cockroachdb-2.cockroachdb
--cache $(expr $MEMORY_LIMIT_MIB / 4)MiB
--max-sql-memory $(expr $MEMORY_LIMIT_MIB / 4)MiB
# No pre-stop hook is required, a SIGTERM plus some time is all that's
# needed for graceful shutdown of a node.
terminationGracePeriodSeconds: 60
volumes:
- name: datadir
persistentVolumeClaim:
claimName: datadir
- name: certs
secret:
secretName: cockroachdb.node
defaultMode: 256
podManagementPolicy: Parallel
updateStrategy:
type: RollingUpdate
volumeClaimTemplates:
- metadata:
name: datadir
spec:
accessModes:
- "ReadWriteOnce"
resources:
requests:
storage: 100Gi
Loading