158 lines
5.9 KiB
YAML
158 lines
5.9 KiB
YAML
|
{{- if not (index .Values.conf `single-node`) }}
|
||
|
|
kind: Job
|
||
|
|
apiVersion: batch/v1
|
||
|
|
metadata:
|
||
|
|
name: {{ template "cockroachdb.fullname" . }}-init
|
||
|
|
namespace: {{ .Release.Namespace | quote }}
|
||
|
|
labels:
|
||
|
|
helm.sh/chart: {{ template "cockroachdb.chart" . }}
|
||
|
|
app.kubernetes.io/name: {{ template "cockroachdb.name" . }}
|
||
|
|
app.kubernetes.io/instance: {{ .Release.Name | quote }}
|
||
|
|
app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
|
||
|
|
{{- with .Values.init.labels }}
|
||
|
|
{{- toYaml . | nindent 4 }}
|
||
|
|
{{- end }}
|
||
|
|
{{- with .Values.labels }}
|
||
|
|
{{- toYaml . | nindent 4 }}
|
||
|
|
{{- end }}
|
||
|
|
spec:
|
||
|
|
template:
|
||
|
|
metadata:
|
||
|
|
labels:
|
||
|
|
app.kubernetes.io/name: {{ template "cockroachdb.name" . }}
|
||
|
|
app.kubernetes.io/instance: {{ .Release.Name | quote }}
|
||
|
|
{{- with .Values.init.labels }}
|
||
|
|
{{- toYaml . | nindent 8 }}
|
||
|
|
{{- end }}
|
||
|
|
{{- with .Values.init.annotations }}
|
||
|
|
annotations: {{- toYaml . | nindent 8 }}
|
||
|
|
{{- end }}
|
||
|
|
spec:
|
||
|
|
restartPolicy: OnFailure
|
||
|
|
terminationGracePeriodSeconds: 0
|
||
|
|
{{- if or .Values.image.credentials (and .Values.tls.enabled .Values.tls.init.image.credentials (not .Values.tls.certs.provided)) }}
|
||
|
|
imagePullSecrets:
|
||
|
|
{{- if .Values.image.credentials }}
|
||
|
|
- name: {{ template "cockroachdb.fullname" . }}.db.registry
|
||
|
|
{{- end }}
|
||
|
|
{{- if and .Values.tls.enabled .Values.tls.init.image.credentials (not .Values.tls.certs.provided) }}
|
||
|
|
- name: {{ template "cockroachdb.fullname" . }}.init-certs.registry
|
||
|
|
{{- end }}
|
||
|
|
{{- end }}
|
||
|
|
{{- if and .Values.tls.enabled (not .Values.tls.certs.provided)}}
|
||
|
|
serviceAccountName: {{ template "cockroachdb.tls.serviceAccount.name" . }}
|
||
|
|
initContainers:
|
||
|
|
# The init-certs container sends a CSR (certificate signing request) to
|
||
|
|
# the Kubernetes cluster.
|
||
|
|
# You can see pending requests using:
|
||
|
|
# kubectl get csr
|
||
|
|
# CSRs can be approved using:
|
||
|
|
# kubectl certificate approve <csr-name>
|
||
|
|
#
|
||
|
|
# In addition to the Node certificate and key, the init-certs entrypoint
|
||
|
|
# will symlink the cluster CA to the certs directory.
|
||
|
|
- name: init-certs
|
||
|
|
image: "{{ .Values.tls.init.image.repository }}:{{ .Values.tls.init.image.tag }}"
|
||
|
|
imagePullPolicy: {{ .Values.tls.init.image.pullPolicy | quote }}
|
||
|
|
command:
|
||
|
|
- /bin/ash
|
||
|
|
- -ecx
|
||
|
|
- >-
|
||
|
|
/request-cert
|
||
|
|
-namespace=${POD_NAMESPACE}
|
||
|
|
-certs-dir=/cockroach-certs/
|
||
|
|
-symlink-ca-from=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
|
||
|
|
-type=client
|
||
|
|
-user=root
|
||
|
|
env:
|
||
|
|
- name: POD_NAMESPACE
|
||
|
|
valueFrom:
|
||
|
|
fieldRef:
|
||
|
|
fieldPath: metadata.namespace
|
||
|
|
volumeMounts:
|
||
|
|
- name: client-certs
|
||
|
|
mountPath: /cockroach-certs/
|
||
|
|
{{- end }}
|
||
|
|
{{- with .Values.init.affinity }}
|
||
|
|
affinity: {{- toYaml . | nindent 8 }}
|
||
|
|
{{- end }}
|
||
|
|
{{- with .Values.init.nodeSelector }}
|
||
|
|
nodeSelector: {{- toYaml . | nindent 8 }}
|
||
|
|
{{- end }}
|
||
|
|
{{- with .Values.init.tolerations }}
|
||
|
|
tolerations: {{- toYaml . | nindent 8 }}
|
||
|
|
{{- end }}
|
||
|
|
containers:
|
||
|
|
- name: cluster-init
|
||
|
|
image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
|
||
|
|
imagePullPolicy: {{ .Values.image.pullPolicy | quote }}
|
||
|
|
# Run the command in an `while true` loop because this Job is bound
|
||
|
|
# to come up before the CockroachDB Pods (due to the time needed to
|
||
|
|
# get PersistentVolumes attached to Nodes), and sleeping 5 seconds
|
||
|
|
# between attempts is much better than letting the Pod fail when
|
||
|
|
# the init command does and waiting out Kubernetes' non-configurable
|
||
|
|
# exponential back-off for Pod restarts.
|
||
|
|
# Command completes either when cluster initialization succeeds,
|
||
|
|
# or when cluster has been initialized already.
|
||
|
|
command:
|
||
|
|
- /bin/bash
|
||
|
|
- -c
|
||
|
|
- >-
|
||
|
|
while true; do
|
||
|
|
initOUT=$(set -x;
|
||
|
|
/cockroach/cockroach init
|
||
|
|
{{- if .Values.tls.enabled }}
|
||
|
|
--certs-dir=/cockroach-certs/
|
||
|
|
{{- else }}
|
||
|
|
--insecure
|
||
|
|
{{- end }}
|
||
|
|
{{- with index .Values.conf "cluster-name" }}
|
||
|
|
--cluster-name={{.}}
|
||
|
|
{{- end }}
|
||
|
|
--host={{ template "cockroachdb.fullname" . }}-0.{{ template "cockroachdb.fullname" . -}}
|
||
|
|
:{{ .Values.service.ports.grpc.internal.port | int64 }}
|
||
|
|
2>&1);
|
||
|
|
initRC="$?";
|
||
|
|
echo $initOUT;
|
||
|
|
[[ "$initRC" == "0" ]] && exit 0;
|
||
|
|
[[ "$initOUT" == *"cluster has already been initialized"* ]] && exit 0;
|
||
|
|
sleep 5;
|
||
|
|
done
|
||
|
|
{{- if .Values.tls.enabled }}
|
||
|
|
volumeMounts:
|
||
|
|
- name: client-certs
|
||
|
|
mountPath: /cockroach-certs/
|
||
|
|
{{- end }}
|
||
|
|
{{- with .Values.init.resources }}
|
||
|
|
resources: {{- toYaml . | nindent 12 }}
|
||
|
|
{{- end }}
|
||
|
|
{{- if .Values.tls.enabled }}
|
||
|
|
volumes:
|
||
|
|
- name: client-certs
|
||
|
|
{{- if .Values.tls.certs.provided }}
|
||
|
|
{{- if .Values.tls.certs.tlsSecret }}
|
||
|
|
projected:
|
||
|
|
sources:
|
||
|
|
- secret:
|
||
|
|
name: {{ .Values.tls.certs.clientRootSecret }}
|
||
|
|
items:
|
||
|
|
- key: ca.crt
|
||
|
|
path: ca.crt
|
||
|
|
mode: 0400
|
||
|
|
- key: tls.crt
|
||
|
|
path: client.root.crt
|
||
|
|
mode: 0400
|
||
|
|
- key: tls.key
|
||
|
|
path: client.root.key
|
||
|
|
mode: 0400
|
||
|
|
{{- else }}
|
||
|
|
secret:
|
||
|
|
secretName: {{ .Values.tls.certs.clientRootSecret }}
|
||
|
|
defaultMode: 0400
|
||
|
|
{{- end }}
|
||
|
|
{{- else }}
|
||
|
|
emptyDir: {}
|
||
|
|
{{- end }}
|
||
|
|
{{- end }}
|
||
|
|
{{- end }}
|