From 0e1d3d0e9421de928e3d368c7065eabf45ed951b Mon Sep 17 00:00:00 2001 
From: Samuel Attwood Date: Wed, 26 Oct 2022 04:01:31 -0400 Subject: [PATCH] Migrating cockroachdb --- .../cockroachdb-4.1.200.tgz | Bin assets/cockroach-labs/cockroachdb-8.1.8.tgz | Bin 0 -> 30374 bytes .../cockroachdb/4.1.200/Chart.yaml | 0 .../cockroachdb/4.1.200/README.md | 0 .../cockroachdb/4.1.200/app-readme.md | 0 .../cockroachdb/4.1.200/questions.yml | 0 .../cockroachdb/4.1.200/templates/NOTES.txt | 0 .../4.1.200/templates/_helpers.tpl | 0 .../4.1.200/templates/clusterrole.yaml | 0 .../4.1.200/templates/clusterrolebinding.yaml | 0 .../4.1.200/templates/ingress.yaml | 0 .../4.1.200/templates/job.init.yaml | 0 .../4.1.200/templates/networkpolicy.yaml | 0 .../templates/poddisruptionbudget.yaml | 0 .../cockroachdb/4.1.200/templates/role.yaml | 0 .../4.1.200/templates/rolebinding.yaml | 0 .../4.1.200/templates/secret.registry.yaml | 0 .../4.1.200/templates/service.discovery.yaml | 0 .../4.1.200/templates/service.public.yaml | 0 .../4.1.200/templates/serviceaccount.yaml | 0 .../4.1.200/templates/statefulset.yaml | 0 .../4.1.200/templates/tests/client.yaml | 0 .../cockroachdb/4.1.200/values.yaml | 0 .../cockroachdb/8.1.8/CONTRIBUTING.md | 14 + .../cockroachdb/8.1.8/Chart.yaml | 17 + .../cockroachdb/8.1.8/README.md | 582 ++++++++++++++++++ .../cockroachdb/8.1.8}/app-readme.md | 0 .../cockroachdb/8.1.8/templates/NOTES.txt | 50 ++ .../cockroachdb/8.1.8/templates/_helpers.tpl | 257 ++++++++ .../8.1.8/templates/backendconfig.yaml | 21 + .../8.1.8/templates/certificate.client.yaml | 48 ++ .../8.1.8/templates/certificate.node.yaml | 58 ++ .../8.1.8/templates/clusterrole.yaml | 19 + .../8.1.8/templates/clusterrolebinding.yaml | 23 + .../templates/cronjob-ca-certSelfSigner.yaml | 46 ++ .../cronjob-client-node-certSelfSigner.yaml | 53 ++ .../cockroachdb/8.1.8/templates/ingress.yaml | 90 +++ .../8.1.8/templates/job-certSelfSigner.yaml | 53 ++ .../8.1.8/templates/job-cleaner.yaml | 40 ++ .../cockroachdb/8.1.8/templates/job.init.yaml | 265 ++++++++ 
.../8.1.8/templates/networkpolicy.yaml | 59 ++ .../8.1.8/templates/poddisruptionbudget.yaml | 26 + .../templates/role-certRotateSelfSigner.yaml | 27 + .../8.1.8/templates/role-certSelfSigner.yaml | 33 + .../cockroachdb/8.1.8/templates/role.yaml | 23 + .../rolebinding-certRotateSelfSigner.yaml | 23 + .../templates/rolebinding-certSelfSigner.yaml | 29 + .../8.1.8/templates/rolebinding.yaml | 23 + .../8.1.8/templates/secret.backendconfig.yaml | 25 + .../8.1.8/templates/secret.logconfig.yaml | 19 + .../8.1.8/templates/secret.registry.yaml | 23 + .../8.1.8/templates/secrets.init.yaml | 20 + .../8.1.8/templates/service.discovery.yaml | 64 ++ .../8.1.8/templates/service.public.yaml | 55 ++ .../8.1.8/templates/serviceMonitor.yaml | 51 ++ .../serviceaccount-certRotateSelfSigner.yaml | 16 + .../serviceaccount-certSelfSigner.yaml | 22 + .../8.1.8/templates/serviceaccount.yaml | 15 + .../8.1.8/templates/statefulset.yaml | 370 +++++++++++ .../8.1.8/templates/tests/client.yaml | 65 ++ .../cockroachdb/8.1.8/values.schema.json | 97 +++ .../cockroachdb/8.1.8/values.yaml | 540 ++++++++++++++++ index.yaml | 23 +- .../cockroachdb/overlay/app-readme.md | 9 + .../cockroach-labs/cockroachdb/upstream.yaml | 6 + .../generated-changes/overlay/questions.yml | 8 - .../generated-changes/patch/Chart.yaml.patch | 9 - packages/cockroachdb/package.yaml | 2 - 68 files changed, 3298 insertions(+), 20 deletions(-) rename assets/{cockroachdb => cockroach-labs}/cockroachdb-4.1.200.tgz (100%) create mode 100644 assets/cockroach-labs/cockroachdb-8.1.8.tgz rename charts/{cockroachdb => cockroach-labs}/cockroachdb/4.1.200/Chart.yaml (100%) rename charts/{cockroachdb => cockroach-labs}/cockroachdb/4.1.200/README.md (100%) rename charts/{cockroachdb => cockroach-labs}/cockroachdb/4.1.200/app-readme.md (100%) rename charts/{cockroachdb => cockroach-labs}/cockroachdb/4.1.200/questions.yml (100%) rename charts/{cockroachdb => cockroach-labs}/cockroachdb/4.1.200/templates/NOTES.txt (100%) rename 
charts/{cockroachdb => cockroach-labs}/cockroachdb/4.1.200/templates/_helpers.tpl (100%) rename charts/{cockroachdb => cockroach-labs}/cockroachdb/4.1.200/templates/clusterrole.yaml (100%) rename charts/{cockroachdb => cockroach-labs}/cockroachdb/4.1.200/templates/clusterrolebinding.yaml (100%) rename charts/{cockroachdb => cockroach-labs}/cockroachdb/4.1.200/templates/ingress.yaml (100%) rename charts/{cockroachdb => cockroach-labs}/cockroachdb/4.1.200/templates/job.init.yaml (100%) rename charts/{cockroachdb => cockroach-labs}/cockroachdb/4.1.200/templates/networkpolicy.yaml (100%) rename charts/{cockroachdb => cockroach-labs}/cockroachdb/4.1.200/templates/poddisruptionbudget.yaml (100%) rename charts/{cockroachdb => cockroach-labs}/cockroachdb/4.1.200/templates/role.yaml (100%) rename charts/{cockroachdb => cockroach-labs}/cockroachdb/4.1.200/templates/rolebinding.yaml (100%) rename charts/{cockroachdb => cockroach-labs}/cockroachdb/4.1.200/templates/secret.registry.yaml (100%) rename charts/{cockroachdb => cockroach-labs}/cockroachdb/4.1.200/templates/service.discovery.yaml (100%) rename charts/{cockroachdb => cockroach-labs}/cockroachdb/4.1.200/templates/service.public.yaml (100%) rename charts/{cockroachdb => cockroach-labs}/cockroachdb/4.1.200/templates/serviceaccount.yaml (100%) rename charts/{cockroachdb => cockroach-labs}/cockroachdb/4.1.200/templates/statefulset.yaml (100%) rename charts/{cockroachdb => cockroach-labs}/cockroachdb/4.1.200/templates/tests/client.yaml (100%) rename charts/{cockroachdb => cockroach-labs}/cockroachdb/4.1.200/values.yaml (100%) create mode 100644 charts/cockroach-labs/cockroachdb/8.1.8/CONTRIBUTING.md create mode 100644 charts/cockroach-labs/cockroachdb/8.1.8/Chart.yaml create mode 100644 charts/cockroach-labs/cockroachdb/8.1.8/README.md rename {packages/cockroachdb/generated-changes/overlay => charts/cockroach-labs/cockroachdb/8.1.8}/app-readme.md (100%) create mode 100644 
charts/cockroach-labs/cockroachdb/8.1.8/templates/NOTES.txt create mode 100644 charts/cockroach-labs/cockroachdb/8.1.8/templates/_helpers.tpl create mode 100644 charts/cockroach-labs/cockroachdb/8.1.8/templates/backendconfig.yaml create mode 100644 charts/cockroach-labs/cockroachdb/8.1.8/templates/certificate.client.yaml create mode 100644 charts/cockroach-labs/cockroachdb/8.1.8/templates/certificate.node.yaml create mode 100644 charts/cockroach-labs/cockroachdb/8.1.8/templates/clusterrole.yaml create mode 100644 charts/cockroach-labs/cockroachdb/8.1.8/templates/clusterrolebinding.yaml create mode 100644 charts/cockroach-labs/cockroachdb/8.1.8/templates/cronjob-ca-certSelfSigner.yaml create mode 100644 charts/cockroach-labs/cockroachdb/8.1.8/templates/cronjob-client-node-certSelfSigner.yaml create mode 100644 charts/cockroach-labs/cockroachdb/8.1.8/templates/ingress.yaml create mode 100644 charts/cockroach-labs/cockroachdb/8.1.8/templates/job-certSelfSigner.yaml create mode 100644 charts/cockroach-labs/cockroachdb/8.1.8/templates/job-cleaner.yaml create mode 100644 charts/cockroach-labs/cockroachdb/8.1.8/templates/job.init.yaml create mode 100644 charts/cockroach-labs/cockroachdb/8.1.8/templates/networkpolicy.yaml create mode 100644 charts/cockroach-labs/cockroachdb/8.1.8/templates/poddisruptionbudget.yaml create mode 100644 charts/cockroach-labs/cockroachdb/8.1.8/templates/role-certRotateSelfSigner.yaml create mode 100644 charts/cockroach-labs/cockroachdb/8.1.8/templates/role-certSelfSigner.yaml create mode 100644 charts/cockroach-labs/cockroachdb/8.1.8/templates/role.yaml create mode 100644 charts/cockroach-labs/cockroachdb/8.1.8/templates/rolebinding-certRotateSelfSigner.yaml create mode 100644 charts/cockroach-labs/cockroachdb/8.1.8/templates/rolebinding-certSelfSigner.yaml create mode 100644 charts/cockroach-labs/cockroachdb/8.1.8/templates/rolebinding.yaml create mode 100644 charts/cockroach-labs/cockroachdb/8.1.8/templates/secret.backendconfig.yaml create 
mode 100644 charts/cockroach-labs/cockroachdb/8.1.8/templates/secret.logconfig.yaml create mode 100644 charts/cockroach-labs/cockroachdb/8.1.8/templates/secret.registry.yaml create mode 100644 charts/cockroach-labs/cockroachdb/8.1.8/templates/secrets.init.yaml create mode 100644 charts/cockroach-labs/cockroachdb/8.1.8/templates/service.discovery.yaml create mode 100644 charts/cockroach-labs/cockroachdb/8.1.8/templates/service.public.yaml create mode 100644 charts/cockroach-labs/cockroachdb/8.1.8/templates/serviceMonitor.yaml create mode 100644 charts/cockroach-labs/cockroachdb/8.1.8/templates/serviceaccount-certRotateSelfSigner.yaml create mode 100644 charts/cockroach-labs/cockroachdb/8.1.8/templates/serviceaccount-certSelfSigner.yaml create mode 100644 charts/cockroach-labs/cockroachdb/8.1.8/templates/serviceaccount.yaml create mode 100644 charts/cockroach-labs/cockroachdb/8.1.8/templates/statefulset.yaml create mode 100644 charts/cockroach-labs/cockroachdb/8.1.8/templates/tests/client.yaml create mode 100644 charts/cockroach-labs/cockroachdb/8.1.8/values.schema.json create mode 100644 charts/cockroach-labs/cockroachdb/8.1.8/values.yaml create mode 100644 packages/cockroach-labs/cockroachdb/overlay/app-readme.md create mode 100644 packages/cockroach-labs/cockroachdb/upstream.yaml delete mode 100644 packages/cockroachdb/generated-changes/overlay/questions.yml delete mode 100644 packages/cockroachdb/generated-changes/patch/Chart.yaml.patch delete mode 100644 packages/cockroachdb/package.yaml diff --git a/assets/cockroachdb/cockroachdb-4.1.200.tgz b/assets/cockroach-labs/cockroachdb-4.1.200.tgz similarity index 100% rename from assets/cockroachdb/cockroachdb-4.1.200.tgz rename to assets/cockroach-labs/cockroachdb-4.1.200.tgz 
diff --git a/assets/cockroach-labs/cockroachdb-8.1.8.tgz b/assets/cockroach-labs/cockroachdb-8.1.8.tgz new file mode 100644 index 0000000000000000000000000000000000000000..baa9546452daa7c930bac1cf4b615223aa1024f2 GIT binary patch literal 30374 zcmV)uK$gEBiwG0|00000|0w_~VMtOiV@ORlOnEsqVl!4SWK%V1T2nbTPgYhoO;>Dc zVQyr3R8em|NM&qo0POvHdmA^hAP&#p{1mmcXKm$GQ=%@mhvz7}ilihuv1N@UPj=pH zHUhgr5>d0!0nn0p9Dn!Ug96ZvzVRZ-jx)o4W@51$C=`G~-B2imJiHN{gp+8vbu=MD z^=4!m|K(Ai?d|RD7khj7@Amd~_1}Jfcl$5>z1^J`{TF+?FZchl-QV5Y>;DC|9~X`0 zCzFbZzidCat!n4~Bo9dvu83khk%JCENEC_rxEB(oV%lSTE2KiP5u?!nQX*7BMPspu z$uuUjAR$vafFnm$$KN!TzR89(xTQieo($mG*9ZOHt6=+CV_89CN+h+AJ$mhsl>NiO zxb1gHn&v-uc6$BZ-#QVMpKx=B|?kh|WPsYy1>Bo!e~ zG*n$~%U^%_-&<266%|_%59QXBMvN5Seu;*?G#PiMge8iwgbF$61VE>R#RHhocp8Ly z9n1e+M+%@ai26&XKCqH!BBTh{^}t}?j&diT%~!pC?^WlIrt9^y+~ZH?Er~NKA722> z=l}ct?Y+G!|9{!vUi1IY@jQX=XhH>1G=dS+{O|ZJoV~q*ljGB?9$X?P7{D-NakQoA zG>wU((kGP;o02ir!b8xMOQyJ(mDq{LBmfi{58&3aXMi+|<8vOfa5jL`(HU3gf=Zew zEeQmTXrdU2>;M2f0YS%1D&0cF!y77kjN31ovl>?RE1x94M4Z|WDUtGyi)aAh zgd}4+rJYXa2^>Zd(}ID-5R)N|B`6LgP2(B<5y$XDHl!kZ2#e?w4X1aLSJz@p3(tU$1~8okBux>8qd3!i{+Wb`jz|_OI6k|Ch-=>7>pX#f z@(kpJXK@7lmWn&U6a}V$jbO&JXM#c|SuzF!5gU!D(4vYbbhGmWxSCLL$0RL@y@W?p zLd0aK;mzQVC(jhzadFe@ga(;oY<&RsXD{X+~c_~~a$Kmq7)`Hyj$b+G;wS0o0>{+j|zU^vsg8*u?42`5x;f}9XNNc5H_@k~#e zo)d}#FwJ7c(wHI~skk6x3K6|!A(cJ2)F5Rx8nO3wz+{%DTxhy8NMHBA`{o)*66wF# zH`g0>m?5Piq>0kt_z2R;OtO%~Fr`y2W)PADNGv%F?MP|G&VlUh>>D_U{{VLO|7!Yq zNtITY^y1P>UeFsBi*9s_rOFaCI44EU>s` z1g)OEg2# zy%v;2v%qg9$0{XEAV)!PJT?7cYGMZ^Vp8j;fvte*aNu`-05d9a*!&^`=yol&(m2LJ zkyPC3@!`P62^Z8h;Mcl_DUZt3AfFbPvi5`|QrNovMhkW(^(LyAI5%F+nMgyK2nKtk_I9oZ~(%~E;Z10zSqgsn;j3HKL|rKAaw zkZ_=*5e-p*G>r{Iw{DS6;UDlH-Ky*K~?Lgr?~O$L`)l|uqeAO1NV4>ONHw>ZP$#N~Sv01~%4SU< zn;^MRaucWu^_noM1D{gGrdmsID5NZoHRGiMJqHR|ik=4jRU_ndg)pS4l2$X4rb;TP zGEx@RnN6eJnV(&8xRmW6N37ry^nHpP$EXJ$3Y%~}CGP{A1`Rr}(}%3i>u|@I7BNxmmO4Iw zXj{C>DjJ}w!NN%mD=WU!n1nRyVHb6~AX5@*4MxMzT$XAH9P%tNGUASiNGmoo3kC}s z9hJmt!n3hvJrHrNF=?$58@9-xbf_S*0g`VbjT>=mm%9 
zHq}$CfyeBI#%#iQ1bk$vpF~FJd45kliaj_@w9zXa@z~M2GkgX=8K9aGnc3hVs5LS9 z2u6g(nb15+!kyMaiJ_*Epuc4_39(R?gj6WP5;Zd%GsnuQL{<|$;|et=q}m)CG%|(; z52=+(?pqm_f0VTgYsPA9jbi}x;I&oCTab#UsYOpRZOD;?@=V4v)Cvm?G+&om)FYM! zb(k3(!2b63RF;V%H`SIBFjlIdL=Dj)X|7@nD3vsjzNMb%!dTBdsF_#`&9mOdqc)SX5Z+&L+3 z=qxbAqHQfJc+C!hAskD)DIW`xPIA6w{SiI5Dn6B+4#>#GY!e4kcZV7=&jkn)-sncy zI5E2{Jver(DN}q(l>;VCo#gEiVy*payl8F`TRCPL@3g`RiGvf8fRZvC`zqKm zVD@TI(wHPv9Z(|FWHS}~mL(xQn39AkJ|vqVkNJTyf{2)Hru>eIgWZk~!P)#5S<+}H zA#>AzMkLnqb;={FM>sOnI+->746A$Ye;JWbaRCR=x4PVk)}M0$VQo&WV^~hlwWQPE zjpJBT=a5?eLuBS7XfjDlUly98<>Kf@(r@tXkB1j$r)S>{=Anu!%b1!p($<;L0WPl& z&yEjYzdbwYI4cC7rjgAT(xoDbjrR{ez(_Cn? z)U?%ylE|k}&sCm4RJL+jmJ-&ytNCK>yn4Ho5TP2@SN)Q0mn4oX_Ns z$dW`)*vZZbC@QrLG%8jzQlM5&Vj5^BQSwKejv(PlK&PqZamIJAXY}u{fn*U=+T3%3 zzHmiGOi)eWsLpA5gJlD>dfn3UCjXf<_P*jMYbbgWP&x)$7G;SgPs8Snl+OJkS|oG; z0SsX0#m@fA<=}sRb#)G?KuMz+Y1=UTJRE?VJb_$5b0J#^qojOv(FqNv?Vhpl=;5R+sV|@ThJj zQ4q6)0ukfPtYgiU?nr`En-VFlRqed4mK=<8_}T%%-4`(~Z@vVDkFIZw~*@FPHy3 zJNo7L-NoV6>D#l8b4{US8$fqwZ_+K}b4f!%wc<>sg;{~R&6$3Kt^sQj`69(_4InJz zZjckL3Js}Q#K?;khwCk>LN9tmn)bE~zolq~Szyjo9U2wPlzgLs$-)6Se`gdWgfHFn z^3iB9C3BCa-3~QWT-yr``84GTO;kDTq}sR_n^eJoVneyJ!ovnB$ct%$4<9Yu(TF8l z^%YrcUDGn0&?rM)pbebXKF?6|?D+oGa(9r=g*-v?Xsg5_w}{lLe~|JBh11p({ojCC zWIBL)t-~$fK0Za^p%sw(q5Wvs8Y!lKJCp;x)=8q6--(n*wLTpBWxj0m%})E2%<{cM zJ|4%^>Os=(6=>w$K0T>-Zqu23mboLD-c5K+K~lps8%9Lyjg&;zAe;8=U?z&?18O-8 z8cRIoF(1!)8@V-aaXMg3)_ILcyibEyZJi$} zn&En4OiN9b-RK-^B|PEE@)2DLgCr_-bR)LT9fBV~f7@zPniGJevC-SK_>f8vrp4Xo zrfi%<#00k#^v_HCv*3B>*4#geiIiH_z?j_{^|1}Xd*Y`NbIyez6;w~Ne*eV13^fXx zxT`368`Neb4P7f9(_C$O?9oIwBXR=UjDFbxD1Ld;a2fD-T-?N*L{bj~{wHt?DKN`0 z@QB4UWjPmq?WD%f8+dv`~96aERP&Bw$k$Tj2VQRobXyN z9Bpl6GX0T`kSv7YGAzY`Y%+7voyeV6zWwdA>3{7Og!Md*!1w+Nf^oM^+D+pfud@%i}z#97a1%BAL) zE>86H-0WH4kd=22wD5r;i7^Pqb1k{;IOFVhGvb=c&9yWe#w_%G2YHjuv$2Ft=+BOC z0IpyH)*5TK0jn)GT75VVb}0c*;+cu=L0HxsczkvVG*P%ShW0WECt3#wmgM^;zC|cA z-1j$|<|d@lME6ir6_v_o5>C&HNT_^HBd3Jsu1Gy|ft|U?n`v}P83&gx@94(3CatH} zBO;c-luHF66Ja*BUVan(}30%o|B3t0dS 
zQf4>kw%6`OC$X3nu9oN4W#vMq5?*id8mAsm zRH{u2&hBG6k5}Fz6~(+vxTFa@AE!H-NDqI!+_byOA_AURK;QjvvZ=qp|Ae&ehN5qlJGBTF!XIv3!;|y_68{KKz zT#?4*k6RBmbkbIGjxQ|}jO)yx>AVO^b8(nZLE9W|Ev~a}e|y@k`OdoiomX#Icb>0q zens>W7vk+<#~q~7^>Qs;Ql(fjmKcCwjy;$!m-a((*uYIL7h{sJ|F&mcy3fAl{D_Mb z0(i|s62le6(<0Bhc};2pBblVVn1wWvTBJXFuOC|~leBWe5FH4fr^y~!&EKrlS(F`t zZo~vyq(qP@RVGx)>uaROVs;K z$8*dkpg9x>*WbQ-{TjYGJo@3?IUK(J@$jFQ*B;1G7RP3?b(0Zc@yu`0b<`jG#~rc! zLw(HrQNx1_zlbb>19+D3yJtV6X87ZT+I?kBa9SK>g2prJmb`j>2{z42NbtzCiW>}e zaE`3Q5aUc;XD_YUCgILCTGV?8&G9)u&p4EXirws(T zHUR4;qCG!sOO~aCI#}HG?qU zK!!9Sf^m%SLQxW-trp83su4~aJ2S?Hp&CqF`AVo6`dLgDiUS%L$S1f~*Qro;K=JJb z=gQP6dBp-q|FNn#^oy5b{Yc zlR@s(O2$-_qATsrdn_F;{-~4@$Roar=&oq!Ia;;N;U>wEy0HRjJi27#gnCE)jHPT( z$olYb(j4`)!>li!I$SLv-MX;TZgwsYeR!x>v2kLf1+rD9~kZWqG>lV-9iC*!xB77a^&?Qaxt5Fa)~_(?svu< zeK9L2FYK1cEs2>q(2OUNr8#@!keHhGbaThH<^W#o>`iiv+-po0Q5s&W>I=05A4lwe-w}_Ri@YmZ%KW%bhv>3magr)JG4%yng10mHXP()tpn9`n_#!760%`!hat0d;NW*oWyiY!WkT096Oumb@9e*soPz_+Scf89}dq? z!6s#t&hv3pknTVF8j5#fr>Y7*fm5yj!+A_Xsx>Jpa{b$5$C<)I6FsxvUu;ikeby#w zLB;MAb6t&MekXGm6aig^}kZl*?DOgm5fJRCMM&4!-1$dPATUp@P|!${f~W$^@#jB#Cp z|MoD`W@W)WOf(TyPGYjizR{+m-OA7(PVHG-^UGS6>s+q?!cRl~SBzdIyvfYWctS`};fV{I8$m`OpFAJ~dO`9Y7a(>DCse=dy&r#ds?cWTb-ams{rDlkTRj zmkQ0p6{E5{fDgz>yDBbz=%2HcYPfu;Icay(y>FQo1NfWHI8<-*&Xu7;#Bphd>Pn$IpgDbNf#s1%H)?~rJc54#or!|?IQNxLK__~ z50=-3$3}~6MaKG{!rgKY$?ZX0AZ0BjEXU5t_%XqGJzNfIBf0s+`uq^%JAOZ-w^aP@ zJE=Ar2>4#))ban-|NYqc_($u-|1OVj{}tCeoV~p|x$LR;>QUNQVE^s)_jc;`-}?Ti z&+?Sw&`tgbuhk@DlSOB?4R z_|zrz#h@J%cg9Z?Yi` zRg7Ca0aFkJV(KOMvL3+yo3q~_K#6Q_ET|&))F1$a1m}sMh?cok?$eXWjvkSZIwzq6|3|Y8Urwcrv zOP(9>TrbV%=EPKUQRkP}EN^2YAFTmgvLvK%<`?!d%9~IU+$P1%6PNPY8wh(^rqggF z2#BDAPN(04@5!w@9fHee0QXuxoz6}V-VhZ|95gTShe_R|M@{j6l4-oeNWkxqumtII zTaSr9{NJ*~=9J_)BdcyGnZ1;Er^Ry7TsatVaYsaC9fd*kh+xvpyQsH zKYXymIM~|4u4_IuSOt+Sa5DCe4q+(xour~?-Nr-qTfv7=eiTLXE?$H;F4@doQZ`|BLOl{{MNN z4YTh!ZFZPajIzDj?yD`!*v;AEGP5*{GAK&mVd0*+N*Gg)DyZ>1dAyA z4oYN62>UPaPd2^8jPcM73SgQ621br=ebqT~2{T+9noZB(w~WLlQjVml&1~}{HPErV 
zf)~5k6PfEYl284keAYB!G>%MQJf2yjQGSf|xjp-6%@_=6Oli2$>zt0jUQcU)*c3(f zRzQ2=L6uM4V@hd_yv26z@D{Sjjfy8T+{b)W1FH<{a;=4y8hWh|`p}+YR|W^m&#+&c zjf#;mkV^V{a9J9@rN_3vOLXcHfL>bm zc3eIAF8xow!i++q7UJ?)}$Zl|Qtc3!2*x zt>=`FG4)#MyP>Q-O5#t8qsZs(HikB3Zet$c#L;0R`MWl{_K)uJpjrv#f~ri|o5a#o z@KoSk9L1&97|T|&D;DwMQrQAfX>cW--coVIr>SOj-LDV&y}e+26JtJK2HTpJ{ChVw zo3vnZlJZ9e2@$&Vy`l+5d2ZeIhg6Y%g_+b_{(lc?&vun1{{(|Fhrg@7%lJBu(2!xV`iW15Q-q(BBF>yeQtosvFoq9luTrGGnss>cD(>+j_oc(t|f21f%%unXt z1}AVngr{aCwDe=4DiHfczminB0%mUop8MS{kmB4h6ySm&# zw~W4iw=oa6?pXms|2k-Gt8HK^Gcvb5Okv-xx>h`hSfIIs_^H}Mua<4N^Wg)8dU=Hk zp4%f9Pwg#eznhyKyPI8TB>Q7S$$p|63n4${>7AkTBFXL}G>*b9pBT zCotuSnqVTd-9AKQCO2V1-N6&A{VN}0j(L$KFrs%@2q+OTLw*7TW|W8?oa#SI*l%|3 zXnq3NB!0#3d}MFInh;mrwR)#*;F(J}kmJA-lfRO{9hntZKjJq$6NHBe74HxUVaz3k zluOC%sQ`03u6MYp2jBBMdP~J7UP~{%(i${^bzOEnMP%!c=CRU{T;OcEG}fMSpy)LH z9;ZqRp2h2nJcyX%){sey?`+d|lG)QvBwM7v(m} zBXVq8j@WGrFoT@e99G%wH@1dl^HS9w9sr3V`***L$D6#fIVRP1+<d)1GtAFFI&G6i*qYlbO<1`-RlJl!A6rA;HH6^{Vkq8I2)Px<})&`=| zTr_~URI**AvNF|M4fAGBRUPCh2W||XiE|u7bZw%1@(Gk z=^FmX*va>&9kZ`Q-oU$eB@?2SBdJWaMOVhSS+Js7u#wk!u!T_g4k}&5?zqHDShsuw zKx|@3Na8XsVTPxCWNJRH2ln@iFsE7vD{pnml1##<9K-70OY)1lFQ=J1FxAKnn$l|B ziyP#4v~YywmUgW-OD*q4UsP?07mUCQ z76rxpk@U_+CRd~j&{VOs#)XYvE;d1;a-OG()7fQPD&m6|lJgQ~gG0;vte4;1S#@>l zg}lsS4c3FDO;bHj!vsxzN5!|H^Va8#7a%J(rEO{p#%(WLWaSXL@q1dRjHOaz-Q7Z*bFNULVHENjhoR%45|HOhj||al%OIpV=xxng$TYJd1i`%rk}I{Wc7#W0FdKV@T!*Nv1QUibO<_LC0m7T=KYu ze^nP&YVaZb4!>nw*)4bf`kD!ir#(5@!eGfcP1<0}o@2CaIoDbNl<=LOf34buGWJb% zjeLlL;jCQST_;%rpyv+{mbn?UH~)Ad#2x1G&g$$zbt_$_6z_kuiN>1JXLFLNiRHCk zVnQn-{hR2PoNG;O9Y7s`XX=uM1L*H;dy3f~y*U02o@V~9=2qG`({r$xdUesVu zPOe4LA1jigJk7F~hoF%lO=9aNUmwC2G@*CjV5;SNz$*Da5MCz9nA&*`AYx;tNQ@RB z-gaZ(-_RM*BxLD?imA)(8|0^@Gc{R#5doxv-4aEAp!Qy05|6oHYBC+b#pNNsGFMmb zZ1275l%o`H=OvBKQ2}0B#uFpi@&1x~per*>+GB9_Z`8{5hoFc(ub^AH zfUDD3)}dNaLK-HxayyHumM2~};FCG^YXpL)JuGP(2DD^FUD#E$N!ypKiKQzpto!o+ z#qwWU#Sb$97v+E1ep$```SL}7E&o5uvzGtO^50&wv=;n-Cc$6Z>$tbrZ`|~FxX_nW z+)`nL{-0S5z}4~PssT}g*IMVZ)Xh_9blsc&&dc6*Z@brbZ$5nR55bsBKT92isjQ)9 
zNWCRb)hyyLbKqm_Pr&S;>tbi|0^{=;*{%q>I$s^a%(wL;|J1soq0DkJ0?!zd5y|G6V7oOFL)?;tJzEad+~mP9OhP!PZ({=dJ!TiyTJ z-QHjG|IhLKQT+cKLsn}s@UJTdcucK{|TjemJ);f@dwER+Uh0cfch_sh~VBYlubuS3bP5<;@s6kop;t z@P>~@ui2ET0rc%#RVrVtV{I5kgmSm}Vvc<8v(0}=h4d>0?)q&iRA3V-{mO@>OH<56 z#F*~8oOCc>B3Pp5t_6mVAGa2lb$8jo$B%&$B*4QR_EUJ#S8H(uBNF0BVt?{ z7CkU#G%7EHAS4a10=H9i(CE=@Kd|`mV-qxU$Ye=a^&O%bJS|NRRwdFhl>A!$;Epi0 z5Vg`R{!Q>w9t9a*s~_0#%Y`tj7x7oY(&V-}hlaQ>uMV$HzJ2%l^5p85v%@zhr9xox zt*xTX*IUp~FV7E;+Cewp*U$v(==HnHtCNdgj^DmHJUwd%*t9KB0$Ele8vuAtV zs;o7pbXqHHe`Jv{c~FN^j6{g*GR=YL;pzg+A8pXI5Z|FsieO)2p-B{mUcwWRq_l*3Cky>g`s zLyK~HNu1d`WfsNd`AH$3F0dte@gJEs_4!5B=GN(ay#kyv8sW`~PsBNin4 z@nc|NEn^J+S&YD^53>TF&NBmBxJ?c;pbpa%!TrWUoSXnRnoo>Lg(2^DrU=0Ho%T-3*J&(ow8ez6CGrwC` zvy=|tbehI=N)xlfFH;(_5et_xxC$WWf{xhxW$c}n*ET)LprXHhic!iny=r4^oWaE7 z*9vR#R|nw(F*j;!dg>(&3vlrO=ct}7kC?4-&MhZe5euJV&-vjY8?0B%dc~|)%z_^c z(o4AzET#2`Ir37~h2@;>q-OgM_kJE8_+y`i`#-z=YW(N+%NJ|=?{hpWpZ{&x6KdP7 zF{a59n=Vb4X5A|=red`KJb|kTlfWe0O^C9&@ua!d)kU3~8(Alu-}K-|rY1a7ra;UR zlSJNv`jrngq>v|)MO4rTQX-VQ4b!F{?_uGtQ}Q*~?f_Cj1Jt(TcvJtKrDH*?3$#== zxT9=5QQZM__qq+ABN|ghgB1Pp-2tK<$Se#gjcBxqKSzYcH2QN`9iM*dsk{^9QzA6S zg3h5v{rH3Wkb!-S!F}ieKX{O#vavR2Q>|%3t+bssrU@1G4Ye~8;+Mj9H>`UGtt85Z2wMBIA4WjwmLvuHW8ddZqwuqM9AX>ON)GA^=`^L~5{XeGU zfr`I<7RCSfU)1)0_Ft~^zkZhIi`M@g4gPD{0Y-&i>-LYJ+t*{i9!=Z#Xb;v}|EJOV zOCt>bp1M8`LYCGwGsoEumI!e9Y>L-I!d||dpqKTNKdt&-k0tCuS)Yq%zW%qf_wwb7 zs{YsCU7!E_EYF7z@RUh===wBa>clE_g9CE`3;hkA$22J{9-fSPzjBsrz_va9|C}We zeP1d8*ODdUn4*DsZO(g|rjCgsLn0|UDzw7LlCjrjv75n^Ni$%}_}XR>+tQ5tf@bWF zNc-{c+65qmCflg!-apNx?&kVL!2=T%Ag$apOTpviJ7};veC>V!DVM6)1kgYHU4V8= zU;sl*UK!vgOnSq3k|S3iieLHguqg^_UPl@eaL!kzt19syuhuR@8FPl>RT+}!GHeFi z5b9PYf`tuLnwg_hzfHa+EOrS-_0)(dOR$~q1PSRm6^uuhG~`Jn2e6%kufzbNf*Kar zchpb#H<|u56}JT85pu+MH~!}OwsAq{1XkS_ui@cMaIhL1?nT4gq-Z99y!kI;v>wt` z@2a}MK%U?8hMz6h&n<5xtd?yBK(Dr=d4?oUXQnfCTe9la=IIO%D4MBhb_Lf=z7;IK zMt~uoPDwTVCV;IWOSa^sYWszi7u_(0U<8oGYaM&l^YX4>%W97DF8{OIM{j#vJc$Jvy=(eqz3 zk)5}|9J#4Xvwo(!nrWog`({}BliduP2djXvoIn_j^uIGt8rU~0i-P6`Od{EshKh@# 
z5&!KYHKceZ(Gq?F7n!+d-Y#Zf36KP? z?qr~LY7+f4q@jBt&hKfa~?@}9%Xpd zr2eSbltO~eU{JgSZA=xMYr8}$ny7!^Vv<0VBH;u}!x@jL+}K0`CSyudmW*K^q|q2k zz=l-aQJU!Lbebx3n@_WFqCez!^Tt#u4MHP!&LeX>=G}xQP!i30^SQs}{Xfq_~h7wxVD+u2IN2l>)!HkQ) z3_1MY#`4Rl7u6>)oIZ${IH$b(4|o*HmfiGQ9o%|bq$v*$adxjaCvg&B7F4USEpy+VHAHEgznh^ zJbT*k<#!M?jY&wM+v`I27tOeTaWO*{;9-F`th$^;L`JZx&8Az_;&Szjiayh(-y}L;0!S+TrUT5C3_& z%n&Z>ytck;csrtO|FQx-ain`zT~MG&bNZiOZ$;K3GK_<1!`8cN<+}<%Qv0=fzBGe`9%}n;51P04V~372^`{`ITO+H z>T?(hZjhT`whr|@Y=b{!BIe^6bWOagaWY9$=pNIwjP3pD_jy{7tM75-w+@vt^e!W6 z+2iQ%%o&Vj2Eq(N<331Z-{~|}vtuR(@WIElzP(@HPhN0?@3QgzHAI^?(B@&JVrdVR zJuXVf?|-GCqLuwsH;ol4Gf3AL)iUSn=D3qqi~F(@-M9mZCRCfUHt(*;#=Fhykdvs< z8^jcy%KESbhKq!x7m7NjVAFB5exCA(4sc_-4Kj9M9%$@VPjIdt)W!{+E!9SIxyCk{ zwdy7UyXVF9#S_sH$zt`U6^*J!(;miAN&wLu|7#O|nE0~?2LUh2|FH9NuX_Lc?#?>@ z-)DI$T+dFt*$DU9or!=w^FNnjVcUcJN)U@GHo#|v(Ahg$88f|x5G?EFcxXpj7WKj zxI8|(e1XuYWF$O+!#L)55b`9Uq48qeG6G>H6`z_+c)gN_IzQaigJ|xfF90LlRM5aX z?uet+EA_B4`?=VxQ$c~%Dyq@|x=LiUTSJ&*Fozd6BTZ-x;;;W4aWMtrf;JwC^?7vG^P(Z3b;W3@4u+u|GU4v&j0pV9;4Tv^XNFA?{9Fv^PIi& zQ$rdPaqG6f)c~WG{W>q*`OtEYPhO&y==%PL>%K`kj=^RFyXmgD~qa|15&|82kAuI~T5=&$2{Kg;vQ^Z&IQ zu*nU$yLJQqiweV5dcVIYoO_|&S`hwQKMUpmr@#NHzqeDn|LNuS`u?ZS@+|BBdu*}3 zb_4#)OR_mre1BQCTI%Sva9i{=^MB*!?b%!7O*+>53xb95f7SD!JKKBvYy0oBJQe=W zNLuIr=0tLd^*@Bc>qgd0{*PhuYL?OgyiLh(8SS{)vot_|gKoD(3FheCsdtpfqrx-&3jn6FqbJzq=Xe zfj*!`{QqTtyUPFfch~V>pXKq=>uC*>n1v!LQWb20U%>TW!Gegf^D`_^}fN!Q;!br`o9b z@WHnE@uPpER#~z={e+_J=>tXEocblv_Vi)0?dg)j?dhXPw=yab4{xY2lImBTyHe=J9{|NOu4))c?0@`M#gAh3%2v=v)SG=-D^{xSc5`yr`DSNzsA$X|IH0B z5tAXmr4O_K7V!W5o&9S3*Y@_>|NnU&8w6!19C#AXfWBu^nKWt`Y7fU}mp~IG7?qeC zijr^wDUX099dpOur9FLiNfpQ}oPe4TrN7J|BngI7#kbT{#EfmvB%GcDi6TLzq_Wp} z0;kH{4yX+R+c1HclPDOHSgW5AxNGmu%{7J-p2ZQCA5zF9jUZxzhAN(Qp1^QsJ+u;7 z0#hy(giM6l)abIZ*D38gKALB1?aq3jJFCuozQnuTpTIkJ$7k^k?*xq^hJV{zJ4vWA z5}S)~VMt?s=iLzM!UsJNcPx%UD!fQkOK(ACirK9}a-M9$5JM2D1;``}1;4=y=PWGA zrxb2&mL}jM?|My#`b4Qz4z{+&Oii+3FXYp$Vg~&`nUoooTl=qGyx76IZgNPRPDo|i 
z?ftMc$P&B=FQ7@3a+WAr%HH?{%(ZbqGR3Dvu@I&_VT$8zDtrVaj=_!=6EfupEIzc)}}==yGjag?+fEwG89CsmL9g{0w!JbFH#Ye$*o%=WK$t7 z%KJg(3)S@CyL;4X0X;Ut$tj51Nw>Z%8t$K8IV)4>IO+h-%>98+;71B~BvCjIcnPf? zVV}t>4ij>VB+Nv?$05yzF_RODNd!CY3Rp>QsEdWICG0e9&|8{#H{s5n2?|I>n;=;d znwJRBw97TmM>5jujKnwk-$K46aL%O~3o3(AOm4Y=%fG+g1iW7_ zNOoycqcPsmsGy-2UKQ&`00f3;L4A43s%ZHr8prb5jv9rs~{JUh7B|utji}IEAio(?D+r&;Tnh}1udTL6vf3=m z_ySC}dUk>ej=ugp@9f-4^KSPtOXhptu@x`Xcb zS6AnkUA!`KUURj+0}QDmy)fok)Ejd?jw#xYHdfe%jbKam&YJE3x=Sv`7JMo;i*f%q z*;i(~_4hKhuJ!q~KEKxI*ZTbWsXlY{|2M`h_lfoY-Tq#`s{ilx*ZTiwc|MrCZvE+Q zkc{q2U^jsmiO|5?RIkudOFTj00q%udP%cra@S+TSAnVPU&#C4&Ok$PkJD%TC?lWur zRV-@ycWpDLy$62Xf5}@87Hqbyc-O(g*<2A`zF7UcpIW9lFPr0n!(UHz+OXz}>GU$r zkz|(d2$ZlY_O&|2JxEI^gl6|>tG0dA(jnA*Z%OQ`yWgg*1%(@?rJ)J4;dRBPlxO*o zsnW~F#u}@wbMXBMpSk)UF{i2@ngVd~`LAmH&+h&@{`2!ZkCgvu&UKEBRc}emA{47u zv^C}cSk1?~&J_5ioiJOAfiM19n*To_1>hq7U%&rpXLoOJ&Hq2g^Do5z*O>yFG6nY6 znF80su>Dzv|9@itZ-4v6Zq5I@v%Tj3pW|79|5s9N*%1B5;oYmG^;)a)Ywopv9_eY} z|K0}gr_TSmyT89zJ^%aS<%_ld=d(PPcNdZUCC1&#;CuopDp;1c-ktlyg76+5nDHqt z{zlZ#R-^<$)0l-smLt8q4!Q#6SQ>MO-lY;m(J>BUEoYGrq+Gn-pOi=Ds-h`P)H&Kq ztq3)gEzj4VZgcRlu0VIl+m3tuK|gV63?5??9ySgujzsHNyeb3qcH@@VCcOvLxmY&@ zp_V-z3)`!-=9YI;plvPTk4fXR*urQ}83fN0uIAh`w$WC=yKQV^qv$#|aGu4nNnnwa zUp4-8o5Af>>`tYX+h7Mx2xv_J?C=8+K3Cp z%i>(o%QeaprjB@`2urB&c$OQVkf$@#;rx@OwUXGt0q5!L2!{s0*SS!MOdDiRBN3!| z*=B$tpH4{<4ZK$x`>i2Mw&bMpHV7*(x?u{z2)3|?TVKIeKE|fgTmJ#!WXdDh-rL@; zfBmX=LuXwNCQWXun3!=qe|!AP+2Na$%k#sdlTrzQTiyL{1)mNoAHW=nwpq*@znxraORXlMO`pik(aLBoe&Xq%ltvm-!dj>besv6j4#6pjk1^}CSe0OHE|jLb)Xv3vBx;18!#NElho(n3Z&TOT`hNrbJNaetppI^oEI3r{w+R4ZSmcvp@XrH4f6k9_}VId6!6{m>e-}J($w9*Q=1*Ty4q` zM*+}(yRuzBPX!T-3#MjAF_H4jBt*1L);_g!*)|}n^xLKyDtj}$mn-)g;0c^@jIhAm zOB2p-Fx8M%hc_}l@x=QxnFC8OlmgSGjRgrc;vgrP ziuhfENse%qdJc6erYu3+ztg49sbD<1#50R>057&}xp0o@84c?uXV<@#0_{UVQ!bg} zLKE$v_F0iJeEis5(gI!1RDO$zfb=j+Ac7{(RGu&>*3+A%7;=*(1!xDkR|Zu9d>sV8a+X}f z(d$zf#bm6J(7JTU^_(jX^gRhxJcC`#U9jmgepNB-_uzYS%aU;c5{+AkXiD+IHQ)(c zH+j9UE1)#zVVVpD8;_}gEQzSplna7NWh0C*v!8~FDVH=$szdR!JTVC}Br%O3OSd%T 
z_VVOViknZkMtP>{fNZvjo*-1iRY8o^nAOd$Zev zQ}qnVVH#6u5+>$-acQ%5y`)#VKtDL=Q5^+~zTAYn35zK(1!HzgC1etKnsT8s)NJy} z$Wn)J9T;*fY}TiQe1rrAD3LtbsP^)bY8q99#S-ZIG}b&R0zE`k z5^qQ~H=*&=Y}3gt%{#XGum1M8-6xo9F67fGO;oVI|LW!6_WRpA6&~?*P|+djdm4Hk zm*TIQTERx3g~0pL-4$>xSu&0(p4GputEfoAfmfymwyu`u^}tN~LFL=UL9VY zeEaV8<;fL#@ID3~KIqyXKlaKWzy1618A_n1&3W?Xoc?cWyB)6vdjfm~qlqe9dSopO z8pt9D`~nABBsPK1N$zPGdc>rbL?s}>Efs9ULR118n_O6{PMgiWUjDUimPEHyC?;v3 zrQ^ZV=T1m&G)-vJ7|ivkdqavI(TItIruE$9OKm6iAYh54VI~?D>>N@ktuUgLXfShw z06*wSH!E{+-8}m($SgrsTaQ z$D2S~lv-mJWZb+?8cVh=m{pglhR#PLNmXm(=JP5ox|;I0IGEBY7qhmRDwnFE&`ee_ z4@q2c2)kz8w?`WwjUCA%ru4dM9HUZ+RoktKF+IO@-WtaO2kpT*Igkd2#0q#+t}v?) zv%B9a7_pf8{HFM{Rk;OgY0eY#vEouiREXMA^S-UnJtMRmxAn!ifkiDni>>=_RViL+ z0Iif&qIu@Gpe4tHTIjVM>+Z?hu;)*Lk)6jJ6Faq_cJ%h>hl{s|N8kT)^!?%4*~#l> z+zRJdpjFys9bYuLeJrmRfS22<-Vd7($$xSO!g)1G@e=aGB@!FJ)zNuli#Bu7{1)#k z^V*tUykQ#=MIt6D@EW&lw`xN|)C4|$+^WpOa%#=WJI3?%oyMliksWg}SYo@mK%}kt z8U?n#Y-d{r4>M(L7#BA%bxrZ$ud<8lqh;g5>xWl&i>lD;mc80&YXK}lN%S^}iv$o0 zJG+7iay=~Ffw_1_T8poSY|L(HLZv(xd{{Eq=Xid@Oe#Ko?bodHuz7niO#l`!x(4a0 zxx{x=Rd>^DUJaAFt@_Q+sMgxoxt56xCsa=trc7K$WV3`RM&e@{lUeS=-Q6ygNy{GI z{YA5;=a}7Z+Ac~}?=x=|2%l!+{ukzFKj?p{6WCvR0s*g_&IG-h2r4H$js~zZe}d;~ z4DO7ntdfL%-5$EKGk2fU2+pRhgo?bZkr-NWy_5>cq@s!X2SRF|foiFvn6SzYeW+iZ zwKnZy7OL$}xI`{lZqL0fH<3EI&Vm)GttjPLb_=2+ZtWfI6}B)(n_ASoc~(m_ zo$!b@D`3ck+nlyZbu+cV((Lp4x7}A^w)kn8qSJ<$lmKq%YyctYg`$q5TSKj%r#zwq z*x7&41{g7)0~vQj9{~G?&gR2zF3<$KdF40Jk$G3!@?K_^Y=Y!BZS5~qv>RWnu65r_ z<6dSgnom~DW0Uh#=ecV066macFMS2$dx^o@Lg-z&1C|EOpmq`lTI6r_gv?_F`8+hl zr$K9J8Iq=GpC#gLm(!IV5BTyOYCKP~+=-gG0ma3!8U%;C-I_tj0sPd}dialmDf%`E zY4_*mCDe+t{eXctwFUT`{)ShBt^}oYM8yAK)?Byi_p-uG>%|+Cv-y3n6gi){REVcg znoFAWZyA+U?~!e5NyONHx80TcN1ySX_cWjXR(deD%&i}v{Ql?Nm)kFD_doBh&wqcG z$DIE@=h5R`sG^By#gp6>4wg`L$Hk3_DJx4;UlJ~hkfG!JR=*E(?{)O^Bn?3KC9p9^ z`GIB|*yQ5j&gd-_)h@K08*Dyx_>gmiALd_qva)&T=`0oO%rKS?w>^gKm-FTZldi_9 zn@zbnCXzw=f^*fZf;U(~^Q@pb7Lc(bw)eKTo1itDJ{Fwevx0MVFSvE9rVh7WrUthz zq^o1S(A1eX+9hMB+HAvZFZE#83L#oP1CJK%`mjjX$69;PvZFO;8O}X@*rp2A4uS^r 
z!{`E#zr|IL;G^^wV}Fb2pGJf#{cTbxgQlP#+wDrR375)yvD#H(t$WR-CQ>dcP0WdM zt6rv4GqeH-sQ2UY`?o*B@!{3sH;0!em;dnq4b#{Ej^3VKU7UXN?&|dHyWTW$2FVXTRtpEpDW`;@4au)szL4`V*uni8p~ zD3vL|ZS*=<0I9feLA4VHv)7EvI{tb%~eaf%?lVEs-18ZMH|IzvIp z4aTV3cI^$3r2v23%ba`5UgwLpw!gf`Ur`q)hsSSD9+UH%XD*WYL|@Pu_=xtUv#I0|Ikjd`c5*2yOyiI~gQIv0Dm}wt%&)q7hvF{k3;3ZRg1o zIObudxtocM?|egJeuroEU?>|{nW7SoO@}+3ui%Hg9q9L7b-sf0e}K&Jh?4HJIcFD95o5<$G7>~8 zk%cM~6rS@Wo@sL;lXw=c&B=Pb(Sx6kd3Zwwo|?L2Nu=ewR_8HH4=oQZW2n$mt!1@E zf<_A|562V_A<3=X{;R!>Ugs+~9l?xe#gR9(F7zvrpPW)0k0@TfzQiqZa~gx1gI^?$ z!FsdM;K~wvRAUop*_Nw~G4 zrwUCX#Fxb}jHxDC=xTjtnj-#Vp*up~D?vQ)U7$j6JH`I_KW~DOAO~Ap+4!GN92|g^~lXUiP@A{*Pdz8EaSXSnA6?p4>(+r z(JqYA$dd6u|bluK5Xg)S92GGg@-597I3e(jc&@Q$tueZ!;|UiaUxcbVWmXUJ`nAIKcIE z7T6cpgDPqcNKpnFnRzrc2o=l+SBGA(QHC?=#&5Hr-b+Pso+ z%rzST^P<>x(mnB~J>?N1?z5DhMyWWNW81|S)e|S$LbFX64D8M8dJ@f9$_OM?Mz(S2 zZ|ynzfDHL9^{y{42s57a;KvC~Kx9c$6Hd>h5K;TL zCN&&h&89vysIJsRx2yqKChfR}PCU~M{DISuRO7LVH&%AlSnbDXU z1!4xI0?hOUTO9Cr&JN$4z=B8X!2iU*F0T%+-d(!4msf`u zSNhlCcPE{KIhICX+XvL&>N}8j(dfr3(x0}$=|2*jokxPB2R*oX@oOk_jU3LA8~qv_ z9P!fp7HiUNMd3`FD+eN+S_~Pr2{tGRCwlT)=k<2AS#=m6o*y2aUg`NgJUTkLyo5Jz zk54Xff{$Jwp1y(ex35o+{#lxR^I@sy^6Kry;ddI;r2%?)`SuJf(WJLw@M7=P%U5(b z3P!u5?V#VMuL3gM9|n6n+x>0wif(W3?&~4c4AM^4k8k}Jj`5xs@5MJfOCtQsva>B4 zY81>NQmIH15fRlou-}&!&%f>M5BL5^Jo`)H8U1Z%JNg6h+*yRD)!Uxr>#oepJDt-6 zxQLA1A)R(=OZW<+(?@lgvJ9!n4Xp_mxh?L<48^XAfzv<>=uShkilS4Wd**s1&6EX2 z-vH*h;CDv1^lc*D2AWur)vjHZSOL%N2yS$~f+H$aU{axr&R6h;BpHcuSf2QGtPao0 z0(wX%UBESPSpJq z#l+zl>1o>pFClJyNE~Au&PwGnWn8J6$LSv0R5rR(oGZH%h`%)uJT{A|Q;6NE?REai zGYCmy^4&NvrRHtZgJ#ZYPfO+O)07BBG%QhdNNiwpjileE+B@0@)0>D1dmO|4n$7}AMl^_+z?^Ec&eMX` zVp+S4f{>K*Sm0lnb|JW-vx6F(t&m`3Mk_e8!g00V53XCx_O>QV>tmWw!9rhN1hx@9 z|K?D<83R*et5(wTjaJk(Io}6oz!V4*E*125UiP+o+r2)t2vf5kKmTiQIt%hpv=xft z!EtAgBTn#Dueo~bhjQCXm8v(p(j?kZUt$umq?<%!USGo*S9E|m*JL*Qm4@2T!oUP{ zw!1fX#s<^8)Z;sSf{hTQ0;1iEx)CZi=*u^|$;tXfg(-;@Z$h$mj|~-dJnHotY_q zU@N*%IjpSq&S3M+3{Ww|(QJs`yGD%sLDR#T$LgVTpIfdf^ioFbagsMN!zA@mW&-T7+n6evvqS@~7+PpLT!NDwpcy(@+gRs;j|mB~P`!YRZ!Y 
z%&!YNg6BlqzNIN8LerKnQge^r2Be%N&I3oBXfl9MlHy;+xrW){tl+cj$CmGO>{h%j zZ^RZRCaHw(y8HO>q**IdljqP-;m@`Rh9fo< zxuLV4J8G7e5@uMXsuKi3344DMb(z~fiPH($wS6*Uwx~}Uh8d&w&be6L(4M{VLmMjt zU!ehzAjPMo z?B4B0smjP# zQY|Eu9!HH+uTWM=5W#aD#F=5vR+^oxCtwkJX5pg)=?X{UklWn-oQ*s3S?n1;scw2G zi9@2i3*gZR5K*g?P2~|dJ*5YkQ5QoC!-?<=iydt3pePEjjpHeM_$q2mSQ7?o}r z76imirB@cBV_A3NprU_WghcG!$4mN|3pz;56<4~MGJ|^K>>ilkc zMf6fq&-%+`Rvi#$=5)}w|E)6^AF5UH$+!N9?ym09#jAIB_gA;#=lkn7KcHG%=q1|E zBijE?&g!dQs9cU}m;w(;;$*ocCTlshJOYmQpXBR5Quh(Dsr0res%A0gUBWr&7Y{g? zX>k&eXQVvauyE7v3dnP#u8Nr93lZxu*79o2Yp21~d+k6ji20kuOTRP$DM1o*VoT3~ zYI%ANle!WP!zFluFcL~X8ih={Bo&f$f*1IGqc~zA#eVAFwT%hdonTH~JNXkQQTJ&#+ z^fquwA{kvapRzEL$-s3a6pyfqTorH|?R)Cnh8B!RnvcJO zrZm7l{gs%a|9`atmuz0QR~v1k-x>SfnnKJaJAl}sKsC0k%b2LM5JdLslMY<&L()Ml zzRN1qFbvw~&`Gzq)WV-Q*o|%4jJ-jxV)v0s8*C^O_oHVF0Sg{OG}5`u5q6^(B7LAB zi04s}GHD!#VrmsT`C2{ixU5`gpEv{`5ttgm468O@Ftp0(9kZjz6J;?^`s&=WevqLS zpdzT7?un6B$N`Q*5_lw(SpGu%`Pzn`+-|X_Dn!6}!ajGFbH8-ww|_z9gwW`{wL;5J zC`2}3aP*_8ypm8;K~$Epz&w>z;Nkj&6MHl6()cAPpi=>)VV- zJ5UpITqZupiP;{{K|*LB^kLCDmlGQ*E0xFZOM2*KRvjzvB4eEwK9}^-%e5}LEL<xqLk(X2Kb0Vw%8wu%jDVJ}+;5}k+<`l-@fABCg3E*%P6i5!T# zIdpPi!O9y9(a!pQhfM>0!NVu!l?-u^oe~_yLIh7p^enXEM4}CP&H(yUK$fA=Do$E9 z5$@(>+XfqY8idFqGXS=tt@>U`R}~>+iVE@D3jd*u$GkB8!r%`#0t}^|;8U)wvxyT~ zd~HM@s@b%DJ4H=k8YV7k9eQZ=M%o!w5sXvn6UVYv=tkFz+J08(l5jVq^7y;SN0cDj z(egcOg>3!VpjO-7{OwE$ZQrw2iG@QZ4j#9v^&&Y$>hZsPbB8>cg1Au$#xZfyMqA04oSqbC4y{-DY0WU>Ct(WqxLfoJpnI#nC4%k+>CAm(^x6v!g zK?lG-WFEB>J-}>;)~*Vs{Py#^ghrtT_iOx18aRv>*iB-D$b12}pz2B(_cnl?!>wr- z8ov#=vDj6Khg_dY>!{Eb1@;D$euc&-z23a7Aj{!4qvxCBR-!|N(I_jfm@7j2`4p3o zmP?fF<%y<+Xt(dY(nJ%9+*ToApj?YnAZWo=xVMxi8E&P23R z8`2E^gK@VzJrv_^b9C4WcRue^E8NPTBE6kbcWqO@u`W$xY8?avcZ6q~$dfGY2shhr z4BX0M(ynd;cbXV$qy84JqlHYY)e86Z^bLz{Lc&SVeD5%D8wvWFpVP)V`QEsL#xWJY?9E6dPCxGg{Ddi7 zUN0+hg&tpUf$);@Fa|5(_wasd>#VCEjr%*9Cpet7*>|oWt$_*wvwa#6gu@x6w`gRr z+Uh)?WB6*b&r94SctTG&Y-U=^m9Qh+W`6kE@>Xb=rZ~}eEFz{%cbGY z_8oDaA5Nz z+(AT}VPBz{wxXVC4hDFAButSmh&iXTpwzgzyLA~-xHOq?7*uMLXmpc*{=?|_LvwX@t8=l5 
zJ7T_$jB6qXp})mRO>Xe&ZGtAt#<+L0&uiguw+IRLE?6Lr1hhn1S)tLrdLGFaknx6| z)+ZHGac6R{6t_^x?;gqXID`9=%tAuafNnrE$4fLJC=SRI3H)Uy`Q2K}ccg!p<1Uco zQhq-YNI)7GOSF0YXspZ4saC(Tpki&c!2SF{f_DMO5#>`VPeCg*zH=Xl7yD!wET6GB zsa>)+EYjbOVTH!#TgWwLQb7qD_IDCo*rb3Jy4AUx^et+6Fe z7czT-ejY7=RI)|=?Qxet&hlDTZ1D>6Es>A^;~>}M3a^6Pz^iko@7WeZ-rTEGg}YKC zYk(WfvgP1cXe{d6P@7uE4R^L$_BXs^XA(Zv_W7>+JHg$eze{mf^ttM9Ti4erIw_0$ zA&M3aeV7&Azp6={#l5-ruK;(mSf4W7HIq7vThzBDZkh0)xhHLfZe+3r1+bL^P2*O9 zaMw4j;us2WH#hi{SbG-P#?;{6!rGI?-Q3_)W$kGOe!JaW;r1wZ*%JwuO}o6Lzmsz6 zyL>18o#JlT3M!b^b0Mn7kkZ7l23FA?BgJXOKx2UcqZgURn z9@d7vhEYD7TOTy;$cHS7;p2c8hEDZLc(z7ZTIlB$Xk`lLP}Rq|)iO!L9Zkb#=T2 z_7%F2Nu5S_nIZ~PKBT>4%e$>CEd0()0+FFX=z4_HS>VjQuN7j|Nr$O1K}ZPhhIk=5 zV@{%wx;l5-DDAPgs;=J%XUs`x&tmEk-kr((jJCR2FTfWRwiX4dx_6V!t!PNMRynid zTT{aJs+-2W8xHnfhb>4QdkKVM2zg?l>gfl;m zhzzi0fz*B?rb1e4Z%%CKfT?DSuQ1X4^dN*?!ZdP|E1|XpE1BqQ$GGdlSy$^o+eEJ> z4#pqoR`aALzkeg#GChAA+`qv*soQ}{_MLoVE__VqrMS0o2-Gv>7nWVM?=%Cy<&lcE zj36q)o%T0y4*WNpm{CNfCDfZbL~;2r#T56?Y%<*C5mp=xlLpWTG7%T!-mbq}pSv62 z7X57Y|8Ii3arlr~>u6XQ`;;IppCP-#-73N&sWl&HkpWy2WU(9Ets)h&xQhc88uj^> zCIi~ilbh69>(H&4=3Di5h9aQV+opaJ#yabxzf`BjHDa`a61KRoCvYoWcIdh+4kAb9 z{;1bu4cscVGKPF2z`mx+L|7JDT*4N5RRQj%E+lha&TbXRu52iaLkq7bbtixvq9BO{EZ-&4^YA2n7CUF zkojWeAc-m1erzgQDx_=O+Q|-1x{)_uJ1aDPadz5k1H2w`)!Hc-oD_Gfp-EojwaaIP z#{JV>t{hnn=UqP?liunLZ2qZ7r(thiW3iyO5RjgQ)T zo637i5lYh%@J9e1VPQ>*aQda#tjv#l;rg}Y#f{ikR>X^UGZKlSsfO7*GHd7350 zX{+%M?JRgv@Ppah(aZtd-skkZ|*|9UJiR}mC z&uy9GJxvE>rzVsT$g0NWxSQkyN^s-ZhS*nV+;cX#GFXngNj{(zQ2CZabZgTCZIuA1 z5Oy?fKmm!KS@w~fap36XqbmXMDV-!Dyjv88=7i(3b%Hn^%Kjw3W8KIM@? zzYsBmfp`baZf`E+C7QLIzp5o$`SXf#H@JfH&%|w6Z=XmQQjcV!y^U<;DI4xsGCVz! 
zbhbpyWuk|4s(j6` z7m|Ik!H=HBqQ}?0*}c7xK9P_sHUc!{1|3}oJ(GPO=zIdn zcArw`$yuCTJPCPXO53*Z@e(N_7C7zE2w^m#Q72_qMF-+Xe+g6%suRVz7`x>(Ai8@K zdRol}BG*-}_vM;+#yMJBaAK(b5WOhocp-~OhAl{QL;og}LDf9TDW}U%n8JJ$>v_RE zy*|2YC?%JzGAeYysvx88Z%80IyJLyh!6b8zBr}L&l=N7z9|1W+lG;nm()l9lpeS6T zMW_-nlK}V#L&l;%Rl+}qYqozxcYk^N6S^GU55FJYUEO_W{lPBy{J~mDnRB?Z|<#|+w0fE+rOh9um0Xa6YK+p*5%d3_3PoQ z!=!E~p+&{lZ|<&c??nY~bM^jh`0Cx&opsP3936L1zt`*aoRi++cb0mk-)2f&y}G)% zN8g}7-@bjFttXiuf5^@a>WO_?w{unel)#2o8eH*H2YoTRZ3g%Kr&bFvBH^3{k~1|~ ze~Mxcmfv3ftv$`b^E=DyzdOq-=rIcL1HpduU|HW27Yofu>|bL32yGA1!1ZH~a1@eR z>|^~javzBMSV)qilIauPL7dJP2G{F2&zC6ASw3T+`6%MPvE;=ZBbWK{JOER4Je^Wk zPkfKasV{Xng-26%={sRLwrwY69>+l>Ii4g_4}^5&$(}NL8ZbB$9wDhbL<|sX?$)6< zrvZ9*tvYq+Y9;~mkJ;K`b`^0W0W`<%19T!oEJ(B*;LJLZiV}=jIb+(ImZXYVstHs`EoP!BCr^9Pd(o3Z zN~rA0s05^86CpHwVw}6oeirS1qFf5m{}k)*yxWE53N`3l6x;oym>PibnM}|`Y{AKr z_%o(Hds000I9O&nS0=thQ%QD3Be-R#31SgYe`!T9xwQzagNjnnpwXqlG{ig#V>gOJ z(m{#z3yJ+R%TC=~VPLjSJX{m(KB9QxBu5)yA_M(b2hfP>AE}%&qDe(dwweb{2!k^A z&^ks`+eZZ<@dX@rorVl|drjze%Sd(`)9aRz)*5WECsp*f&EAKW45u*2@`PN)GyHGa zm;FZX4|=6kzwHJ?FC*CAG>>cqVofd0M3ia<$_4ZGIr7=8a0!X;>lcqTavbM_b=^Ph z_XaOe|J(DU!Flgn=j`OTH#kLohzcfQH((xdX6*dr#VJCgp#MSH-sN^rJoH2{nla9) z&|ExAGBpW-#L)sv)07q~pZAVVh&yoyXZF$b^vpgcXP*7-?Mos37OI0P;Rk8r!O{aDvT1ltYTTbB*AhFG5_*T zZF=>|L2p<@&gJ$E>HrZcqD!>1L=3@4?E4?(exUS(q^KhKqe>^nC0=dy+zUwLh*g+p zsm=7|%g^ukl$HGb-nsaNGaul--#dT5XEf^l-j^?GM@e{87a?&e*A3_tjX>6Q0FIX` z8$DdPQbEDcM=bD{l7~$83e3DYj$EmnCKhOT5$=XaX_+Ho)m*SH7MhY}sUHlFre=s1 zG8P6D4AhE>b*xXZ4w4&sNI3m932IIbhk^c`#U3KT6AhWXbag*6)%sKO)}<0S?A?s5RWIYm51^cW+3!zWy9x+9n$P( z!)yWTQ`;`^Ld*vF-o@Q5IxuV(wsu^q%UXxYky32(u+1Jw^K|AI>vHWa)Zd!+5LMy$ z(6Ovh|HC<|kZ~>xT(SVqvO&evmG|=O1@qwIL-%W$)KC1bZ!g+7@a#;MXKOUrO=aT$ zMyW?esksoOt~EN|s7_It&b(|dLPF+1Qqlcde+jp>t*)1*z0>1k__x>V<^S#XkIug8A0G`)`=`f8 zXD46v`p3P~-dCu%Lky*#Sm;e(^|r1n-?;xHpRY6L`iln~MwXRx5@K{|B%8kb>nq4J zF_8ilM?x}lq`kmGKBr2MgRUbqqfcs^5qliiR6FQ_h4fbzMA(;`55jK9I7jo?kLbcD za>rA_nb?2EOK!6ODf${Jc`XA^ro0eG6}TBrJfTGir5p64Y*U~fZq)2A6N>wgWC`t9 
z2!23mGevVD=bi|{q5D81;zn_ZeV~+oz_IV3J88F+J8UBUbH;6f)`Sz`N5YXS_BLf= zi35*>{!;DR3!nT#qore6LJPM+(}1XJp40{^zN$`!78JUc<@-Zv79z@7A `4.1.4`. For changes which
+affect the backwards compatibility of the chart, the major version must be
+incremented, e.g. `4.1.3` -> `5.0.0`. Examples of changes which affect backwards
+compatibility include any major version releases of CockroachDB, as well as any
+breaking changes to the CockroachDB chart templates.
+
diff --git a/charts/cockroach-labs/cockroachdb/8.1.8/Chart.yaml b/charts/cockroach-labs/cockroachdb/8.1.8/Chart.yaml
new file mode 100644
index 000000000..f9b45c7e5
--- /dev/null
+++ b/charts/cockroach-labs/cockroachdb/8.1.8/Chart.yaml
@@ -0,0 +1,17 @@
+annotations:
+ catalog.cattle.io/certified: partner
+ catalog.cattle.io/display-name: CockroachDB
+ catalog.cattle.io/kube-version: '>=1.8-0'
+ catalog.cattle.io/release-name: cockroachdb
+apiVersion: v1
+appVersion: 22.1.9
+description: CockroachDB is a scalable, survivable, strongly-consistent SQL database.
+home: https://www.cockroachlabs.com
+icon: https://raw.githubusercontent.com/cockroachdb/cockroach/master/docs/media/cockroach_db.png
+maintainers:
+- email: helm-charts@cockroachlabs.com
+ name: cockroachlabs
+name: cockroachdb
+sources:
+- https://github.com/cockroachdb/cockroach
+version: 8.1.8
diff --git a/charts/cockroach-labs/cockroachdb/8.1.8/README.md b/charts/cockroach-labs/cockroachdb/8.1.8/README.md
new file mode 100644
index 000000000..0258c1dd8
--- /dev/null
+++ b/charts/cockroach-labs/cockroachdb/8.1.8/README.md
@@ -0,0 +1,582 @@ + +# CockroachDB Helm Chart + +[CockroachDB](https://github.com/cockroachdb/cockroach) - the open source, cloud-native distributed SQL database. + +## Documentation + +Below is a brief overview of operating the CockroachDB Helm Chart and some specific implementation details. For additional information on deploying CockroachDB, please see: +> + +Note that the documentation requires Helm 3.0 or higher. + +## Prerequisites Details + +* Kubernetes 1.8 +* PV support on the underlying infrastructure (only if using `storage.persistentVolume`). [Docker for windows hostpath provisioner is not supported](https://github.com/cockroachdb/docs/issues/3184). +* If you want to secure your cluster to use TLS certificates for all network communication, [Helm must be installed with RBAC privileges](https://helm.sh/docs/topics/rbac/) or else you will get an "attempt to grant extra privileges" error. + +## StatefulSet Details + +* + +## StatefulSet Caveats + +* + +## Chart Details + +This chart will do the following: + +* Set up a dynamically scalable CockroachDB cluster using a Kubernetes StatefulSet. + +## Add the CockroachDB Repository + +```shell +helm repo add cockroachdb https://charts.cockroachdb.com/ +``` + +## Installing the Chart + +To install the chart with the release name `my-release`: + +```shell +helm install my-release cockroachdb/cockroachdb +``` + +Note that for a production cluster, you will likely want to override the following parameters in [`values.yaml`](values.yaml) with your own values. + +- `statefulset.resources.requests.memory` and `statefulset.resources.limits.memory` allocate memory resources to CockroachDB pods in your cluster. +- `conf.cache` and `conf.max-sql-memory` are memory limits that we recommend setting to 1/4 of the above resource allocation. When running CockroachDB, you must set these limits explicitly to avoid running out of memory. 
+- `storage.persistentVolume.size` defaults to `100Gi` of disk space per pod, which you may increase or decrease for your use case. +- `storage.persistentVolume.storageClass` uses the default storage class for your environment. We strongly recommend that you specify a storage class which uses an SSD. +- `tls.enabled` must be set to `yes`/`true` to deploy in secure mode. + +For more information on overriding the `values.yaml` parameters, please see: +> + +Confirm that all pods are `Running` successfully and init has been completed: + +```shell +kubectl get pods +``` + +``` +NAME READY STATUS RESTARTS AGE +my-release-cockroachdb-0 1/1 Running 0 1m +my-release-cockroachdb-1 1/1 Running 0 1m +my-release-cockroachdb-2 1/1 Running 0 1m +my-release-cockroachdb-init-k6jcr 0/1 Completed 0 1m +``` + +Confirm that persistent volumes are created and claimed for each pod: + +```shell +kubectl get pv +``` + +``` +NAME CAPACITY ACCESS MODES RECLAIM POLICY STATUS CLAIM STORAGECLASS REASON AGE +pvc-64878ebf-f3f0-11e8-ab5b-42010a8e0035 100Gi RWO Delete Bound default/datadir-my-release-cockroachdb-0 standard 51s +pvc-64945b4f-f3f0-11e8-ab5b-42010a8e0035 100Gi RWO Delete Bound default/datadir-my-release-cockroachdb-1 standard 51s +pvc-649d920d-f3f0-11e8-ab5b-42010a8e0035 100Gi RWO Delete Bound default/datadir-my-release-cockroachdb-2 standard 51s +``` + +### Running in secure mode + +In order to set up a secure cockroachdb cluster set `tls.enabled` to `yes`/`true` + +There are 3 ways to configure a secure cluster, with this chart. This all relates to how the certificates are issued: + +* Self-signer (default) +* Cert-manager +* Manual + +#### Self-signer + +This is the default behaviour, and requires no configuration beyond setting certificate durations if user wants to set custom duration. + +If you are running in this mode, self-signed certificates are created by self-signed utility for the nodes and root client and are stored in a secret. 
+You can look for the certificates created: +```shell +kubectl get secrets +``` + +```shell +crdb-cockroachdb-ca-secret Opaque 2 23s +crdb-cockroachdb-client-secret kubernetes.io/tls 3 22s +crdb-cockroachdb-node-secret kubernetes.io/tls 3 23s +``` + + +#### Manual + +If you wish to supply the certificates to the nodes yourself set `tls.certs.provided` to `yes`/`true`. You may want to use this if you want to use a different certificate authority from the one being used by Kubernetes or if your Kubernetes cluster doesn't fully support certificate-signing requests. To use this, first set up your certificates and load them into your Kubernetes cluster as Secrets using the commands below: + +```shell +$ mkdir certs +$ mkdir my-safe-directory +$ cockroach cert create-ca --certs-dir=certs --ca-key=my-safe-directory/ca.key +$ cockroach cert create-client root --certs-dir=certs --ca-key=my-safe-directory/ca.key +$ kubectl create secret generic cockroachdb-root --from-file=certs +secret/cockroachdb-root created +$ cockroach cert create-node --certs-dir=certs --ca-key=my-safe-directory/ca.key localhost 127.0.0.1 my-release-cockroachdb-public my-release-cockroachdb-public.my-namespace my-release-cockroachdb-public.my-namespace.svc.cluster.local *.my-release-cockroachdb *.my-release-cockroachdb.my-namespace *.my-release-cockroachdb.my-namespace.svc.cluster.local +$ kubectl create secret generic cockroachdb-node --from-file=certs +secret/cockroachdb-node created +``` + +> Note: The subject alternative names are based on a release called `my-release` in the `my-namespace` namespace. 
Make sure they match the services created with the release during `helm install` + +If your certificates are stored in tls secrets such as secrets generated by cert-manager, the secret will contain files named: + +* `ca.crt` +* `tls.crt` +* `tls.key` + +Cockroachdb, however, expects the files to be named like this: + +* `ca.crt` +* `node.crt` +* `node.key` +* `client.root.crt` +* `client.root.key` + +By enabling `tls.certs.tlsSecret` the tls secrets are projected on to the correct filenames, when they are mounted to the cockroachdb pods. + +#### Cert-manager + +If you wish to supply certificates with [cert-manager][3], set + +* `tls.certs.certManager` to `yes`/`true` +* `tls.certs.certManagerIssuer` to an IssuerRef (as they appear in certificate resources) pointing to a clusterIssuer or issuer, you have set up in the cluster + +Example issuer: + +```yaml +apiVersion: v1 +kind: Secret +metadata: + name: cockroachdb-ca + namespace: cockroachdb +data: + tls.crt: [BASE64 Encoded ca.crt] + tls.key: [BASE64 Encoded ca.key] +type: kubernetes.io/tls +--- +apiVersion: cert-manager.io/v1alpha3 +kind: Issuer +metadata: + name: cockroachdb-cert-issuer + namespace: cockroachdb +spec: + ca: + secretName: cockroachdb-ca +``` + +## Upgrading the cluster + +### Chart version 3.0.0 and after + +Launch a temporary interactive pod and start the built-in SQL client: + +```shell +kubectl run cockroachdb --rm -it \ +--image=cockroachdb/cockroach \ +--restart=Never \ +-- sql --insecure --host=my-release-cockroachdb-public +``` + +> If you are running in secure mode, you will have to provide a client certificate to the cluster in order to authenticate, so the above command will not work. 
See [here](https://github.com/cockroachdb/cockroach/blob/master/cloud/kubernetes/client-secure.yaml) for an example of how to set up an interactive SQL shell against a secure cluster or [here](https://github.com/cockroachdb/cockroach/blob/master/cloud/kubernetes/example-app-secure.yaml) for an example application connecting to a secure cluster. + +Set `cluster.preserve_downgrade_option`, where `$current_version` is the CockroachDB version currently running (e.g., `19.2`): + +```sql +> SET CLUSTER SETTING cluster.preserve_downgrade_option = '$current_version'; +``` + +Exit the shell and delete the temporary pod: + +```sql +> \q +``` + +Kick off the upgrade process by changing the new Docker image, where `$new_version` is the CockroachDB version to which you are upgrading: + +```shell +helm upgrade my-release cockroachdb/cockroachdb \ +--set image.tag=$new_version \ +--reuse-values +``` + +Kubernetes will carry out a safe [rolling upgrade](https://kubernetes.io/docs/tutorials/stateful-application/basic-stateful-set/#updating-statefulsets) of your CockroachDB nodes one-by-one. Monitor the cluster's pods until all have been successfully restarted: + +```shell +kubectl get pods +``` + +``` +NAME READY STATUS RESTARTS AGE +my-release-cockroachdb-0 1/1 Running 0 2m +my-release-cockroachdb-1 1/1 Running 0 3m +my-release-cockroachdb-2 1/1 Running 0 3m +my-release-cockroachdb-3 0/1 ContainerCreating 0 25s +my-release-cockroachdb-init-nwjkh 0/1 ContainerCreating 0 6s +``` + +```shell +kubectl get pods \ +-o jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.spec.containers[0].image}{"\n"}' +``` + +``` +my-release-cockroachdb-0 cockroachdb/cockroach:v22.1.9 +my-release-cockroachdb-1 cockroachdb/cockroach:v22.1.9 +my-release-cockroachdb-2 cockroachdb/cockroach:v22.1.9 +my-release-cockroachdb-3 cockroachdb/cockroach:v22.1.9 +``` + +Resume normal operations. 
Once you are comfortable that the stability and performance of the cluster is what you'd expect post-upgrade, finalize the upgrade: + +```shell +kubectl run cockroachdb --rm -it \ +--image=cockroachdb/cockroach \ +--restart=Never \ +-- sql --insecure --host=my-release-cockroachdb-public +``` + +```sql +> RESET CLUSTER SETTING cluster.preserve_downgrade_option; +> \q +``` + +### Chart versions prior to 3.0.0 + +Due to a change in the label format in version 3.0.0 of this chart, upgrading requires that you delete the StatefulSet. Luckily there is a way to do it without actually deleting all the resources managed by the StatefulSet. Use the workaround below to upgrade from charts versions previous to 3.0.0: + +Get the new labels from the specs rendered by Helm: + +```shell +helm template -f deploy.vals.yml cockroachdb/cockroachdb -x templates/statefulset.yaml \ +| yq r - spec.template.metadata.labels +``` + +``` +app.kubernetes.io/name: cockroachdb +app.kubernetes.io/instance: my-release +app.kubernetes.io/component: cockroachdb +``` + +Place the new labels on all pods of the StatefulSet (change `my-release-cockroachdb-0` to the name of each pod): + +```shell +kubectl label pods my-release-cockroachdb-0 \ +app.kubernetes.io/name=cockroachdb \ +app.kubernetes.io/instance=my-release \ +app.kubernetes.io/component=cockroachdb +``` + +Delete the StatefulSet without deleting pods: + +```shell +kubectl delete statefulset my-release-cockroachdb --cascade=false +``` + +Verify that no pod is deleted and then upgrade as normal. A new StatefulSet will be created, taking over the management of the existing pods and upgrading them if needed. + +### See also + +For more information about upgrading a cluster to the latest major release of CockroachDB, see [Upgrade to CockroachDB v21.1](https://www.cockroachlabs.com/docs/stable/upgrade-cockroach-version.html). + +Note that there are some backward-incompatible changes to SQL features between versions 20.2 and 21.1. 
For details, see the [CockroachDB v22.1.9 release notes](https://www.cockroachlabs.com/docs/releases/v22.1.9.html#backward-incompatible-changes). + +## Configuration + +The following table lists the configurable parameters of the CockroachDB chart and their default values. +For details see the [`values.yaml`](values.yaml) file. + +| Parameter | Description | Default | +| --------- | ----------- | ------- | +| `clusterDomain` | Cluster's default DNS domain | `cluster.local` | +| `conf.attrs` | CockroachDB node attributes | `[]` | +| `conf.cache` | Size of CockroachDB's in-memory cache | `25%` | +| `conf.cluster-name` | Name of CockroachDB cluster | `""` | +| `conf.disable-cluster-name-verification` | Disable CockroachDB cluster name verification | `no` | +| `conf.join` | List of already-existing CockroachDB instances | `[]` | +| `conf.max-disk-temp-storage` | Max storage capacity for temp data | `0` | +| `conf.max-offset` | Max allowed clock offset for CockroachDB cluster | `500ms` | +| `conf.max-sql-memory` | Max memory to use processing SQL querie | `25%` | +| `conf.locality` | Locality attribute for this deployment | `""` | +| `conf.single-node` | Disable CockroachDB clustering (standalone mode) | `no` | +| `conf.sql-audit-dir` | Directory for SQL audit log | `""` | +| `conf.port` | CockroachDB primary serving port in Pods | `26257` | +| `conf.http-port` | CockroachDB HTTP port in Pods | `8080` | +| `conf.path` | CockroachDB data directory mount path | `cockroach-data` | +| `conf.store.enabled` | Enable store configuration for CockroachDB | `false` | +| `conf.store.type` | CockroachDB storage type | `""` | +| `conf.store.size` | CockroachDB storage size | `""` | +| `conf.store.attrs` | CockroachDB storage attributes | `""` | +| `image.repository` | Container image name | `cockroachdb/cockroach` | +| `image.tag` | Container image tag | `v22.1.9` | +| `image.pullPolicy` | Container pull policy | `IfNotPresent` | +| `image.credentials` | `registry`, `user` and 
`pass` credentials to pull private image | `{}` | +| `statefulset.replicas` | StatefulSet replicas number | `3` | +| `statefulset.updateStrategy` | Update strategy for StatefulSet Pods | `{"type": "RollingUpdate"}` | +| `statefulset.podManagementPolicy` | `OrderedReady`/`Parallel` Pods creation/deletion order | `Parallel` | +| `statefulset.budget.maxUnavailable` | k8s PodDisruptionBudget parameter | `1` | +| `statefulset.args` | Extra command-line arguments | `[]` | +| `statefulset.env` | Extra env vars | `[]` | +| `statefulset.secretMounts` | Additional Secrets to mount at cluster members | `[]` | +| `statefulset.labels` | Additional labels of StatefulSet and its Pods | `{"app.kubernetes.io/component": "cockroachdb"}` | +| `statefulset.annotations` | Additional annotations of StatefulSet Pods | `{}` | +| `statefulset.nodeAffinity` | [Node affinity rules][2] of StatefulSet Pods | `{}` | +| `statefulset.podAffinity` | [Inter-Pod affinity rules][1] of StatefulSet Pods | `{}` | +| `statefulset.podAntiAffinity` | [Anti-affinity rules][1] of StatefulSet Pods | auto | +| `statefulset.podAntiAffinity.topologyKey` | The topologyKey for auto [anti-affinity rules][1] | `kubernetes.io/hostname` | +| `statefulset.podAntiAffinity.type` | Type of auto [anti-affinity rules][1] | `soft` | +| `statefulset.podAntiAffinity.weight` | Weight for `soft` auto [anti-affinity rules][1] | `100` | +| `statefulset.nodeSelector` | Node labels for StatefulSet Pods assignment | `{}` | +| `statefulset.priorityClassName` | [PriorityClassName][4] for StatefulSet Pods | `""` | +| `statefulset.tolerations` | Node taints to tolerate by StatefulSet Pods | `[]` | +| `statefulset.topologySpreadConstraints` | [Topology Spread Constraints rules][5] of StatefulSet Pods | auto | +| `statefulset.topologySpreadConstraints.maxSkew` | Degree to which Pods may be unevenly distributed | `1` | +| `statefulset.topologySpreadConstraints.topologyKey` | The key of node labels | `topology.kubernetes.io/zone` | +| 
`statefulset.topologySpreadConstraints.whenUnsatisfiable` | `ScheduleAnyway`/`DoNotSchedule` for unsatisfiable constraints | `ScheduleAnyway` | +| `statefulset.resources` | Resource requests and limits for StatefulSet Pods | `{}` | +| `statefulset.customLivenessProbe` | Custom Liveness probe | `{}` | +| `statefulset.customReadinessProbe` | Custom Rediness probe | `{}` | +| `service.ports.grpc.external.port` | CockroachDB primary serving port in Services | `26257` | +| `service.ports.grpc.external.name` | CockroachDB primary serving port name in Services | `grpc` | +| `service.ports.grpc.internal.port` | CockroachDB inter-communication port in Services | `26257` | +| `service.ports.grpc.internal.name` | CockroachDB inter-communication port name in Services | `grpc-internal` | +| `service.ports.http.port` | CockroachDB HTTP port in Services | `8080` | +| `service.ports.http.name` | CockroachDB HTTP port name in Services | `http` | +| `service.public.type` | Public Service type | `ClusterIP` | +| `service.public.labels` | Additional labels of public Service | `{"app.kubernetes.io/component": "cockroachdb"}` | +| `service.public.annotations` | Additional annotations of public Service | `{}` | +| `service.discovery.labels` | Additional labels of discovery Service | `{"app.kubernetes.io/component": "cockroachdb"}` | +| `service.discovery.annotations` | Additional annotations of discovery Service | `{}` | +| `ingress.enabled` | Enable ingress resource for CockroachDB | `false` | +| `ingress.labels` | Additional labels of Ingress | `{}` | +| `ingress.annotations` | Additional annotations of Ingress | `{}` | +| `ingress.paths` | Paths for the default host | `[/]` | +| `ingress.hosts` | CockroachDB Ingress hostnames | `[]` | +| `ingress.tls[0].hosts` | CockroachDB Ingress tls hostnames | `nil` | +| `ingress.tls[0].secretName` | CockroachDB Ingress tls secret name | `nil` | +| `prometheus.enabled` | Enable automatic monitoring of all instances when Prometheus is running | 
`true` | +| `serviceMonitor.enabled` | Create [ServiceMonitor](https://github.com/prometheus-operator/prometheus-operator/blob/master/Documentation/design.md#servicemonitor) Resource for scraping metrics using [PrometheusOperator](https://github.com/prometheus-operator/prometheus-operator/blob/master/Documentation/user-guides/getting-started.md#prometheus-operator) | `false` | +| `serviceMonitor.labels` | Additional labels of ServiceMonitor | `{}` | +| `serviceMonitor.annotations` | Additional annotations of ServiceMonitor | `{}` | +| `serviceMonitor.interval` | ServiceMonitor scrape metrics interval | `10s` | +| `serviceMonitor.scrapeTimeout` | ServiceMonitor scrape timeout | `nil` | +| `serviceMonitor.namespaced` | Limit ServiceMonitor to current namespace | `false` | +| `storage.hostPath` | Absolute path on host to store data | `""` | +| `storage.persistentVolume.enabled` | Whether to use PersistentVolume to store data | `yes` | +| `storage.persistentVolume.size` | PersistentVolume size | `100Gi` | +| `storage.persistentVolume.storageClass` | PersistentVolume class | `""` | +| `storage.persistentVolume.labels` | Additional labels of PersistentVolumeClaim | `{}` | +| `storage.persistentVolume.annotations` | Additional annotations of PersistentVolumeClaim | `{}` | +| `init.labels` | Additional labels of init Job and its Pod | `{"app.kubernetes.io/component": "init"}` | +| `init.jobAnnotations` | Additional annotations of the init Job itself | `{}` | +| `init.annotations` | Additional annotations of the Pod of init Job | `{}` | +| `init.affinity` | [Affinity rules][2] of init Job Pod | `{}` | +| `init.nodeSelector` | Node labels for init Job Pod assignment | `{}` | +| `init.tolerations` | Node taints to tolerate by init Job Pod | `[]` | +| `init.resources` | Resource requests and limits for the Pod of init Job | `{}` | +| `tls.enabled` | Whether to run securely using TLS certificates | `no` | +| `tls.serviceAccount.create` | Whether to create a new RBAC service 
account | `yes` | +| `tls.serviceAccount.name` | Name of RBAC service account to use | `""` | +| `tls.copyCerts.image` | Image used in copy certs init container | `busybox` | +| `tls.certs.provided` | Bring your own certs scenario, i.e certificates are provided | `no` | +| `tls.certs.clientRootSecret` | If certs are provided, secret name for client root cert | `cockroachdb-root` | +| `tls.certs.nodeSecret` | If certs are provided, secret name for node cert | `cockroachdb-node` | +| `tls.certs.tlsSecret` | Own certs are stored in TLS secret | `no` | +| `tls.certs.selfSigner.enabled` | Whether cockroachdb should generate its own self-signed certs | `true` | +| `tls.certs.selfSigner.caProvided` | Bring your own CA scenario. This CA will be used to generate node and client cert | `false` | +| `tls.certs.selfSigner.caSecret` | If CA is provided, secret name for CA cert | `""` | +| `tls.certs.selfSigner.minimumCertDuration` | Minimum cert duration for all the certs, all certs duration will be validated against this duration | `624h` | +| `tls.certs.selfSigner.caCertDuration` | Duration of CA cert in hour | `43824h` | +| `tls.certs.selfSigner.caCertExpiryWindow` | Expiry window of CA cert means a window before actual expiry in which CA cert should be rotated | `648h` | +| `tls.certs.selfSigner.clientCertDuration` | Duration of client cert in hour | `672h | +| `tls.certs.selfSigner.clientCertExpiryWindow` | Expiry window of client cert means a window before actual expiry in which client cert should be rotated | `48h` | +| `tls.certs.selfSigner.nodeCertDuration` | Duration of node cert in hour | `8760h` | +| `tls.certs.selfSigner.nodeCertExpiryWindow` | Expiry window of node cert means a window before actual expiry in which node certs should be rotated | `168h` | +| `tls.certs.selfSigner.rotateCerts` | Whether to rotate the certs generate by cockroachdb | `true` | +| `tls.certs.selfSigner.readinessWait` | Wait time for each cockroachdb replica to become ready once it comes 
in running state. Only considered when rotateCerts is set to true | `30s` | +| `tls.certs.selfSigner.podUpdateTimeout` | Wait time for each cockroachdb replica to get to running state. Only considered when rotateCerts is set to true | `2m` | +| `tls.certs.certManager` | Provision certificates with cert-manager | `false` | +| `tls.certs.certManagerIssuer.group` | IssuerRef group to use when generating certificates | `cert-manager.io` | +| `tls.certs.certManagerIssuer.kind` | IssuerRef kind to use when generating certificates | `Issuer` | +| `tls.certs.certManagerIssuer.name` | IssuerRef name to use when generating certificates | `cockroachdb` | +| `tls.certs.certManagerIssuer.clientCertDuration` | Duration of client cert in hours | `672h` | +| `tls.certs.certManagerIssuer.clientCertExpiryWindow` | Expiry window of client cert means a window before actual expiry in which client cert should be rotated | `48h` | +| `tls.certs.certManagerIssuer.nodeCertDuration` | Duration of node cert in hours | `8760h` | +| `tls.certs.certManagerIssuer.nodeCertExpiryWindow` | Expiry window of node certificates means a window before actual expiry in which node certs should be rotated. 
| `168h` | +| `tls.selfSigner.image.repository` | Image to use for self signing TLS certificates | `cockroachlabs-helm-charts/cockroach-self-signer-cert`| +| `tls.selfSigner.image.tag` | Image tag to use for self signing TLS certificates | `0.1` | +| `tls.selfSigner.image.pullPolicy` | Self signing TLS certificates container pull policy | `IfNotPresent` | +| `tls.selfSigner.image.credentials` | `registry`, `user` and `pass` credentials to pull private image | `{}` | +| `networkPolicy.enabled` | Enable NetworkPolicy for CockroachDB's Pods | `no` | +| `networkPolicy.ingress.grpc` | Whitelist resources to access gRPC port of CockroachDB's Pods | `[]` | +| `networkPolicy.ingress.http` | Whitelist resources to access gRPC port of CockroachDB's Pods | `[]` | + + +Override the default parameters using the `--set key=value[,key=value]` argument to `helm install`. + +Alternatively, a YAML file that specifies custom values for the parameters can be provided while installing the chart. For example: + +```shell +helm install my-release -f my-values.yaml cockroachdb/cockroachdb +``` + +> **Tip**: You can use the default [values.yaml](values.yaml) + +## Deep dive + +### Connecting to the CockroachDB cluster + +Once you've created the cluster, you can start talking to it by connecting to its `-public` Service. CockroachDB is PostgreSQL wire protocol compatible, so there's a [wide variety of supported clients](https://www.cockroachlabs.com/docs/install-client-drivers.html). 
As an example, we'll open up a SQL shell using CockroachDB's built-in shell and play around with it a bit, like this (likely needing to replace `my-release-cockroachdb-public` with the name of the `-public` Service that was created with your installed chart): + +```shell +kubectl run cockroach-client --rm -it \ +--image=cockroachdb/cockroach \ +--restart=Never \ +-- sql --insecure --host my-release-cockroachdb-public +``` + +``` +Waiting for pod default/cockroach-client to be running, status is Pending, +pod ready: false +If you don't see a command prompt, try pressing enter. +root@my-release-cockroachdb-public:26257> SHOW DATABASES; ++--------------------+ +| Database | ++--------------------+ +| information_schema | +| pg_catalog | +| system | ++--------------------+ +(3 rows) +root@my-release-cockroachdb-public:26257> CREATE DATABASE bank; +CREATE DATABASE +root@my-release-cockroachdb-public:26257> CREATE TABLE bank.accounts (id INT +PRIMARY KEY, balance DECIMAL); +CREATE TABLE +root@my-release-cockroachdb-public:26257> INSERT INTO bank.accounts VALUES +(1234, 10000.50); +INSERT 1 +root@my-release-cockroachdb-public:26257> SELECT * FROM bank.accounts; ++------+---------+ +| id | balance | ++------+---------+ +| 1234 | 10000.5 | ++------+---------+ +(1 row) +root@my-release-cockroachdb-public:26257> \q +Waiting for pod default/cockroach-client to terminate, status is Running +pod "cockroach-client" deleted +``` + +> If you are running in secure mode, you will have to provide a client certificate to the cluster in order to authenticate, so the above command will not work. See [here](https://github.com/cockroachdb/cockroach/blob/master/cloud/kubernetes/client-secure.yaml) for an example of how to set up an interactive SQL shell against a secure cluster or [here](https://github.com/cockroachdb/cockroach/blob/master/cloud/kubernetes/example-app-secure.yaml) for an example application connecting to a secure cluster. 
+ +### Cluster health + +Because our pod spec includes regular health checks of the CockroachDB processes, simply running `kubectl get pods` and looking at the `STATUS` column is sufficient to determine the health of each instance in the cluster. + +If you want more detailed information about the cluster, the best place to look is the Admin UI. + +### Accessing the Admin UI + +If you want to see information about how the cluster is doing, you can try pulling up the CockroachDB Admin UI by port-forwarding from your local machine to one of the pods (replacing `my-release-cockroachdb-0` with the name of one of your pods: + +```shell +kubectl port-forward my-release-cockroachdb-0 8080 +``` + +You should then be able to access the Admin UI by visiting in your web browser. + +### Failover + +If any CockroachDB member fails, it is restarted or recreated automatically by the Kubernetes infrastructure, and will re-join the cluster automatically when it comes back up. You can test this scenario by killing any of the CockroachDB pods: + +```shell +kubectl delete pod my-release-cockroachdb-1 +``` + +```shell +kubectl get pods -l "app.kubernetes.io/instance=my-release,app.kubernetes.io/component=cockroachdb" +``` + +``` +NAME READY STATUS RESTARTS AGE +my-release-cockroachdb-0 1/1 Running 0 5m +my-release-cockroachdb-2 1/1 Running 0 5m +``` + +After a while: + +```shell +kubectl get pods -l "app.kubernetes.io/instance=my-release,app.kubernetes.io/component=cockroachdb" +``` + +``` +NAME READY STATUS RESTARTS AGE +my-release-cockroachdb-0 1/1 Running 0 5m +my-release-cockroachdb-1 1/1 Running 0 20s +my-release-cockroachdb-2 1/1 Running 0 5m +``` + +You can check the state of re-joining from the new pod's logs: + +```shell +kubectl logs my-release-cockroachdb-1 +``` + +``` +[...] +I161028 19:32:09.754026 1 server/node.go:586 [n1] node connected via gossip and +verified as part of cluster {"35ecbc27-3f67-4e7d-9b8f-27c31aae17d6"} +[...] 
+cockroachdb-0.my-release-cockroachdb.default.svc.cluster.local:26257 +build: beta-20161027-55-gd2d3c7f @ 2016/10/28 19:27:25 (go1.7.3) +admin: http://0.0.0.0:8080 +sql: +postgresql://root@my-release-cockroachdb-1.my-release-cockroachdb.default.svc.cluster.local:26257?sslmode=disable +logs: cockroach-data/logs +store[0]: path=cockroach-data +status: restarted pre-existing node +clusterID: {35ecbc27-3f67-4e7d-9b8f-27c31aae17d6} +nodeID: 2 +[...] +``` + +### NetworkPolicy + +To enable NetworkPolicy for CockroachDB, install [a networking plugin that implements the Kubernetes NetworkPolicy spec](https://kubernetes.io/docs/tasks/administer-cluster/declare-network-policy#before-you-begin), and set `networkPolicy.enabled` to `yes`/`true`. + +For Kubernetes v1.5 & v1.6, you must also turn on NetworkPolicy by setting the `DefaultDeny` Namespace annotation. Note: this will enforce policy for _all_ pods in the Namespace: + +```shell +kubectl annotate namespace default "net.beta.kubernetes.io/network-policy={\"ingress\":{\"isolation\":\"DefaultDeny\"}}" +``` + +For more precise policy, set `networkPolicy.ingress.grpc` and `networkPolicy.ingress.http` rules. This will only allow pods that match the provided rules to connect to CockroachDB. + +### Scaling + +Scaling should be managed via the `helm upgrade` command. After resizing your cluster on your cloud environment (e.g., GKE or EKS), run the following command to add a pod. This assumes you scaled from 3 to 4 nodes: + +```shell +helm upgrade \ +my-release \ +cockroachdb/cockroachdb \ +--set statefulset.replicas=4 \ +--reuse-values +``` + +Note, that if you are running in secure mode (`tls.enabled` is `yes`/`true`) and increase the size of your cluster, you will also have to approve the CSR (certificate-signing request) of each new node (using `kubectl get csr` and `kubectl certificate approve`). 
+ +[1]: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#inter-pod-affinity-and-anti-affinity +[2]: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#node-affinity +[3]: https://cert-manager.io/ +[4]: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass +[5]: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ diff --git a/packages/cockroachdb/generated-changes/overlay/app-readme.md b/charts/cockroach-labs/cockroachdb/8.1.8/app-readme.md similarity index 100% rename from packages/cockroachdb/generated-changes/overlay/app-readme.md rename to charts/cockroach-labs/cockroachdb/8.1.8/app-readme.md diff --git a/charts/cockroach-labs/cockroachdb/8.1.8/templates/NOTES.txt b/charts/cockroach-labs/cockroachdb/8.1.8/templates/NOTES.txt new file mode 100644 index 000000000..797d5292d --- /dev/null +++ b/charts/cockroach-labs/cockroachdb/8.1.8/templates/NOTES.txt 
@@ -0,0 +1,50 @@ +CockroachDB can be accessed via port {{ .Values.service.ports.grpc.external.port }} at the +following DNS name from within your cluster: + +{{ template "cockroachdb.fullname" . }}-public.{{ .Release.Namespace }}.svc.cluster.local + +Because CockroachDB supports the PostgreSQL wire protocol, you can connect to +the cluster using any available PostgreSQL client. + +{{- if not .Values.tls.enabled }} + +For example, you can open up a SQL shell to the cluster by running: + + kubectl run -it --rm cockroach-client \ + --image=cockroachdb/cockroach \ + --restart=Never \ + {{- if .Values.networkPolicy.enabled }} + --labels="{{ template "cockroachdb.fullname" . }}-client=true" \ + {{- end }} + --command -- \ + ./cockroach sql --insecure --host={{ template "cockroachdb.fullname" . }}-public.{{ .Release.Namespace }} + +From there, you can interact with the SQL shell as you would any other SQL +shell, confident that any data you write will be safe and available even if +parts of your cluster fail. +{{- else }} + +Note that because the cluster is running in secure mode, any client application +that you attempt to connect will either need to have a valid client certificate +or a valid username and password. +{{- end }} + +{{- if and (.Values.networkPolicy.enabled) (not (empty .Values.networkPolicy.ingress.grpc)) }} + +Note: Since NetworkPolicy is enabled, the only Pods allowed to connect to this +CockroachDB cluster are: + +1. Having the label: "{{ template "cockroachdb.fullname" . }}-client=true" + +2. Matching the following rules: {{- toYaml .Values.networkPolicy.ingress.grpc | nindent 0 }} +{{- end }} + +Finally, to open up the CockroachDB admin UI, you can port-forward from your +local machine into one of the instances in the cluster: + + kubectl port-forward {{ template "cockroachdb.fullname" . 
}}-0 {{ index .Values.conf `http-port` | int64 }} + +Then you can access the admin UI at http{{ if .Values.tls.enabled }}s{{ end }}://localhost:{{ index .Values.conf `http-port` | int64 }}/ in your web browser. + +For more information on using CockroachDB, please see the project's docs at: +https://www.cockroachlabs.com/docs/ diff --git a/charts/cockroach-labs/cockroachdb/8.1.8/templates/_helpers.tpl b/charts/cockroach-labs/cockroachdb/8.1.8/templates/_helpers.tpl new file mode 100644 index 000000000..4f62a955d --- /dev/null +++ b/charts/cockroach-labs/cockroachdb/8.1.8/templates/_helpers.tpl 
@@ -0,0 +1,257 @@ +{{/* +Expand the name of the chart. +*/}} +{{- define "cockroachdb.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 56 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "cockroachdb.fullname" -}} +{{- if .Values.fullnameOverride -}} + {{- .Values.fullnameOverride | trunc 56 | trimSuffix "-" -}} +{{- else -}} + {{- $name := default .Chart.Name .Values.nameOverride -}} + {{- if contains $name .Release.Name -}} + {{- .Release.Name | trunc 56 | trimSuffix "-" -}} + {{- else -}} + {{- printf "%s-%s" .Release.Name $name | trunc 56 | trimSuffix "-" -}} + {{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "cockroachdb.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 56 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create the name of the ServiceAccount to use. +*/}} +{{- define "cockroachdb.tls.serviceAccount.name" -}} +{{- if .Values.tls.serviceAccount.create -}} + {{- default (include "cockroachdb.fullname" .) .Values.tls.serviceAccount.name -}} +{{- else -}} + {{- default "default" .Values.tls.serviceAccount.name -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for NetworkPolicy. 
+*/}} +{{- define "cockroachdb.networkPolicy.apiVersion" -}} +{{- if semverCompare ">=1.4-0, <=1.7-0" .Capabilities.KubeVersion.Version -}} + {{- print "extensions/v1beta1" -}} +{{- else if semverCompare "^1.7-0" .Capabilities.KubeVersion.Version -}} + {{- print "networking.k8s.io/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for StatefulSets +*/}} +{{- define "cockroachdb.statefulset.apiVersion" -}} +{{- if semverCompare "<1.12-0" .Capabilities.KubeVersion.Version -}} + {{- print "apps/v1beta1" -}} +{{- else -}} + {{- print "apps/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Return CockroachDB store expression +*/}} +{{- define "cockroachdb.conf.store" -}} +{{- $isInMemory := eq (.Values.conf.store.type | toString) "mem" -}} +{{- $persistentSize := empty .Values.conf.store.size | ternary .Values.storage.persistentVolume.size .Values.conf.store.size -}} + +{{- $store := dict -}} +{{- $_ := set $store "type" ($isInMemory | ternary "type=mem" "") -}} +{{- $_ := set $store "path" ($isInMemory | ternary "" (print "path=" .Values.conf.path)) -}} +{{- $_ := set $store "size" (print "size=" ($isInMemory | ternary .Values.conf.store.size $persistentSize)) -}} +{{- $_ := set $store "attrs" (empty .Values.conf.store.attrs | ternary "" (print "attrs=" .Values.conf.store.attrs)) -}} + +{{ compact (values $store) | join "," }} +{{- end -}} + +{{/* +Define the default values for the certificate selfSigner inputs +*/}} +{{- define "selfcerts.fullname" -}} + {{- printf "%s-%s" (include "cockroachdb.fullname" .) "self-signer" | trunc 56 | trimSuffix "-" -}} +{{- end -}} + +{{- define "rotatecerts.fullname" -}} + {{- printf "%s-%s" (include "cockroachdb.fullname" .) 
"rotate-self-signer" | trunc 56 | trimSuffix "-" -}} +{{- end -}} + +{{- define "selfcerts.minimumCertDuration" -}} + {{- if .Values.tls.certs.selfSigner.minimumCertDuration -}} + {{- print (.Values.tls.certs.selfSigner.minimumCertDuration | trimSuffix "h") -}} + {{- else }} + {{- $minCertDuration := min (sub (.Values.tls.certs.selfSigner.clientCertDuration | trimSuffix "h" ) (.Values.tls.certs.selfSigner.clientCertExpiryWindow | trimSuffix "h")) (sub (.Values.tls.certs.selfSigner.nodeCertDuration | trimSuffix "h") (.Values.tls.certs.selfSigner.nodeCertExpiryWindow | trimSuffix "h")) -}} + {{- print $minCertDuration -}} + {{- end }} +{{- end -}} + +{{/* +Define the cron schedules for certificate rotate jobs and converting from hours to valid cron string. +We assume that each month has 31 days, hence the cron job may run few days earlier in a year. In a cron schedule, +we can not set a cron of more than a year, hence we try to run the cron in such a way that the cron run comes to +as close possible to the expiry window. However, it is possible that cron may run earlier than the expiry window. 
+*/}} +{{- define "selfcerts.caRotateSchedule" -}} +{{- $tempHours := sub (.Values.tls.certs.selfSigner.caCertDuration | trimSuffix "h") (.Values.tls.certs.selfSigner.caCertExpiryWindow | trimSuffix "h") -}} +{{- $days := "*" -}} +{{- $months := "*" -}} +{{- $hours := mod $tempHours 24 -}} +{{- if not (eq $hours $tempHours) -}} +{{- $tempDays := div $tempHours 24 -}} +{{- $days = mod $tempDays 31 -}} +{{- if not (eq $days $tempDays) -}} +{{- $days = add $days 1 -}} +{{- $tempMonths := div $tempDays 31 -}} +{{- $months = mod $tempMonths 12 -}} +{{- if not (eq $months $tempMonths) -}} +{{- $months = add $months 1 -}} +{{- end -}} +{{- end -}} +{{- end -}} +{{- if ne (toString $months) "*" -}} +{{- $months = printf "*/%s" (toString $months) -}} +{{- else -}} +{{- if ne (toString $days) "*" -}} +{{- $days = printf "*/%s" (toString $days) -}} +{{- else -}} +{{- if ne $hours 0 -}} +{{- $hours = printf "*/%s" (toString $hours) -}} +{{- end -}} +{{- end -}} +{{- end -}} +{{- printf "0 %s %s %s *" (toString $hours) (toString $days) (toString $months) -}} +{{- end -}} + +{{- define "selfcerts.clientRotateSchedule" -}} +{{- $tempHours := int64 (include "selfcerts.minimumCertDuration" .) 
-}} +{{- $days := "*" -}} +{{- $months := "*" -}} +{{- $hours := mod $tempHours 24 -}} +{{- if not (eq $hours $tempHours) -}} +{{- $tempDays := div $tempHours 24 -}} +{{- $days = mod $tempDays 31 -}} +{{- if not (eq $days $tempDays) -}} +{{- $days = add $days 1 -}} +{{- $tempMonths := div $tempDays 31 -}} +{{- $months = mod $tempMonths 12 -}} +{{- if not (eq $months $tempMonths) -}} +{{- $months = add $months 1 -}} +{{- end -}} +{{- end -}} +{{- end -}} +{{- if ne (toString $months) "*" -}} +{{- $months = printf "*/%s" (toString $months) -}} +{{- else -}} +{{- if ne (toString $days) "*" -}} +{{- $days = printf "*/%s" (toString $days) -}} +{{- else -}} +{{- if ne $hours 0 -}} +{{- $hours = printf "*/%s" (toString $hours) -}} +{{- end -}} +{{- end -}} +{{- end -}} +{{- printf "0 %s %s %s *" (toString $hours) (toString $days) (toString $months) -}} +{{- end -}} + +{{/* +Define the appropriate validations for the certificate selfSigner inputs +*/}} + +{{/* +Validate that if caProvided is true, then the caSecret must not be empty and secret must be present in the namespace. +*/}} +{{- define "cockroachdb.tls.certs.selfSigner.caProvidedValidation" -}} +{{- if .Values.tls.certs.selfSigner.caProvided -}} +{{- if eq "" .Values.tls.certs.selfSigner.caSecret -}} + {{ fail "CA secret can't be empty if caProvided is set to true" }} +{{- else -}} + {{- if not (lookup "v1" "Secret" .Release.Namespace .Values.tls.certs.selfSigner.caSecret) }} + {{ fail "CA secret is not present in the release namespace" }} + {{- end }} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Validate that if caCertDuration or caCertExpiryWindow must not be empty and caCertExpiryWindow must be greater than +minimumCertDuration. 
+*/}} +{{- define "cockroachdb.tls.certs.selfSigner.caCertValidation" -}} +{{- if not .Values.tls.certs.selfSigner.caProvided -}} +{{- if or (not .Values.tls.certs.selfSigner.caCertDuration) (not .Values.tls.certs.selfSigner.caCertExpiryWindow) }} + {{ fail "CA cert duration or CA cert expiry window can not be empty" }} +{{- else }} +{{- if gt (int64 (include "selfcerts.minimumCertDuration" .)) (int64 (.Values.tls.certs.selfSigner.caCertExpiryWindow | trimSuffix "h")) -}} + {{ fail "CA cert expiration window should not be less than minimum Cert duration" }} +{{- end -}} +{{- if gt (int64 (include "selfcerts.minimumCertDuration" .)) (sub (.Values.tls.certs.selfSigner.caCertDuration | trimSuffix "h") (.Values.tls.certs.selfSigner.caCertExpiryWindow | trimSuffix "h")) -}} + {{ fail "CA cert Duration minus CA cert expiration window should not be less than minimum Cert duration" }} +{{- end -}} +{{- end -}} +{{- end }} +{{- end -}} + +{{/* +Validate that if clientCertDuration must not be empty and it must be greater than minimumCertDuration. +*/}} +{{- define "cockroachdb.tls.certs.selfSigner.clientCertValidation" -}} +{{- if or (not .Values.tls.certs.selfSigner.clientCertDuration) (not .Values.tls.certs.selfSigner.clientCertExpiryWindow) }} + {{ fail "Client cert duration can not be empty" }} +{{- else }} +{{- if lt (sub (.Values.tls.certs.selfSigner.clientCertDuration | trimSuffix "h") (.Values.tls.certs.selfSigner.clientCertExpiryWindow | trimSuffix "h")) (int64 (include "selfcerts.minimumCertDuration" .)) }} + {{ fail "Client cert duration minus client cert expiry window should not be less than minimum Cert duration" }} +{{- end }} +{{- end }} +{{- end -}} + +{{/* +Validate that nodeCertDuration must not be empty and nodeCertDuration minus nodeCertExpiryWindow must be greater than minimumCertDuration. 
+*/}} +{{- define "cockroachdb.tls.certs.selfSigner.nodeCertValidation" -}} +{{- if or (not .Values.tls.certs.selfSigner.nodeCertDuration) (not .Values.tls.certs.selfSigner.nodeCertExpiryWindow) }} + {{ fail "Node cert duration can not be empty" }} +{{- else }} +{{- if lt (sub (.Values.tls.certs.selfSigner.nodeCertDuration | trimSuffix "h") (.Values.tls.certs.selfSigner.nodeCertExpiryWindow | trimSuffix "h")) (int64 (include "selfcerts.minimumCertDuration" .))}} + {{ fail "Node cert duration minus node cert expiry window should not be less than minimum Cert duration" }} +{{- end }} +{{- end }} +{{- end -}} + +{{/* +Validate that if user enabled tls, then either self-signed certificates or certificate manager is enabled +*/}} +{{- define "cockroachdb.tlsValidation" -}} +{{- if .Values.tls.enabled -}} +{{- if and .Values.tls.certs.selfSigner.enabled .Values.tls.certs.certManager -}} + {{ fail "Can not enable the self signed certificates and certificate manager at the same time" }} +{{- end -}} +{{- if and (not .Values.tls.certs.selfSigner.enabled) (not .Values.tls.certs.certManager) -}} + {{- if not .Values.tls.certs.provided -}} + {{ fail "You have to enable either self signed certificates or certificate manager, if you have enabled tls" }} + {{- end -}} +{{- end -}} +{{- end -}} +{{- end -}} + + +{{- define "cockroachdb.tls.certs.selfSigner.validation" -}} +{{ include "cockroachdb.tls.certs.selfSigner.caProvidedValidation" . }} +{{ include "cockroachdb.tls.certs.selfSigner.caCertValidation" . }} +{{ include "cockroachdb.tls.certs.selfSigner.clientCertValidation" . }} +{{ include "cockroachdb.tls.certs.selfSigner.nodeCertValidation" . }} +{{- end -}} + diff --git a/charts/cockroach-labs/cockroachdb/8.1.8/templates/backendconfig.yaml b/charts/cockroach-labs/cockroachdb/8.1.8/templates/backendconfig.yaml new file mode 100644 index 000000000..2edc88619 --- /dev/null +++ b/charts/cockroach-labs/cockroachdb/8.1.8/templates/backendconfig.yaml 
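Review bot: `cockroachdb.tls.certs.selfSigner.caProvidedValidation` hard-fails when `lookup` does not find the CA secret, but `lookup` returns an empty result under `helm template` and `--dry-run`, so any offline render with `caProvided: true` dies on `fail "CA secret is not present in the release namespace"` even when the secret exists in the target cluster; guard the lookup with `{{- if or .Release.IsInstall .Release.IsUpgrade }}` or document in the helper's header comment that the check only works against a live cluster. The duration helpers (`selfcerts.minimumCertDuration`, `selfcerts.caRotateSchedule`, `selfcerts.clientRotateSchedule`) strip only an `h` suffix before `sub`/`int64`, so a value like `30d` is presumably coerced to 0 rather than rejected, which would produce a nonsensical schedule; the comment above `selfcerts.minimumCertDuration` should state that these fields must be plain hour strings such as `"8760h"`, and the `*CertValidation` helpers could `fail` when `trimSuffix "h"` leaves a non-numeric string. `selfcerts.clientRotateSchedule` is a line-for-line copy of `selfcerts.caRotateSchedule` except for the source of `$tempHours`; extracting the hours-to-cron conversion into one helper that receives the hour count would remove the duplicated block.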
@@ -0,0 +1,21 @@ +{{- if .Values.iap.enabled }} +apiVersion: cloud.google.com/v1beta1 +kind: BackendConfig +metadata: + name: {{ template "cockroachdb.fullname" . }} + namespace: {{ .Release.Namespace | quote }} + labels: + helm.sh/chart: {{ template "cockroachdb.chart" . }} + app.kubernetes.io/name: {{ template "cockroachdb.name" . }} + app.kubernetes.io/instance: {{ .Release.Name | quote }} + app.kubernetes.io/managed-by: {{ .Release.Service | quote }} + {{- with .Values.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + iap: + enabled: true + oauthclientCredentials: + secretName: {{ template "cockroachdb.fullname" . }}.iap + timeoutSec: 120 +{{- end }} \ No newline at end of file diff --git a/charts/cockroach-labs/cockroachdb/8.1.8/templates/certificate.client.yaml b/charts/cockroach-labs/cockroachdb/8.1.8/templates/certificate.client.yaml new file mode 100644 index 000000000..b32d0c760 --- /dev/null +++ b/charts/cockroach-labs/cockroachdb/8.1.8/templates/certificate.client.yaml 
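Review bot: The BackendConfig points `oauthclientCredentials.secretName` at `<fullname>.iap`, which no template in this diff creates, so enabling `iap.enabled` only fails later at the GKE controller unless the operator pre-creates that Secret; a comment at the top of the template such as `# Requires a pre-existing Secret "<fullname>.iap" with the IAP OAuth client_id/client_secret; the chart does not create it.` would surface the dependency at install time. `apiVersion: cloud.google.com/v1beta1` is hard-coded while the chart probes `.Capabilities.APIVersions` for its other kinds; probing for `cloud.google.com/v1` first would keep the resource renderable on clusters where the beta version is no longer served — hedged, I have not checked which versions are currently offered. `timeoutSec: 120` is a fixed magic value with no comment; either expose it as `iap.timeoutSec` or note why two minutes was chosen.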
@@ -0,0 +1,48 @@ +{{- if and .Values.tls.enabled .Values.tls.certs.certManager }} +{{- if .Values.tls.certs.useCertManagerV1CRDs }} +apiVersion: cert-manager.io/v1 +{{- else }} +apiVersion: cert-manager.io/v1alpha2 +{{- end }} +kind: Certificate +metadata: + name: {{ template "cockroachdb.fullname" . }}-root-client + namespace: {{ .Release.Namespace | quote }} + labels: + helm.sh/chart: {{ template "cockroachdb.chart" . }} + app.kubernetes.io/name: {{ template "cockroachdb.name" . }} + app.kubernetes.io/instance: {{ .Release.Name | quote }} + app.kubernetes.io/managed-by: {{ .Release.Service | quote }} + {{- with .Values.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + duration: {{ .Values.tls.certs.certManagerIssuer.clientCertDuration }} + renewBefore: {{ .Values.tls.certs.certManagerIssuer.clientCertExpiryWindow }} + usages: + - digital signature + - key encipherment + - client auth +{{- if .Values.tls.certs.useCertManagerV1CRDs }} + privateKey: + algorithm: RSA + size: 2048 +{{- else }} + keySize: 2048 + keyAlgorithm: rsa +{{- end }} + commonName: root +{{- if .Values.tls.certs.useCertManagerV1CRDs }} + subject: + organizations: + - Cockroach +{{- else }} + organization: + - Cockroach +{{- end }} + secretName: {{ .Values.tls.certs.clientRootSecret }} + issuerRef: + name: {{ .Values.tls.certs.certManagerIssuer.name }} + kind: {{ .Values.tls.certs.certManagerIssuer.kind }} + group: {{ .Values.tls.certs.certManagerIssuer.group }} +{{- end }} diff --git a/charts/cockroach-labs/cockroachdb/8.1.8/templates/certificate.node.yaml b/charts/cockroach-labs/cockroachdb/8.1.8/templates/certificate.node.yaml new file mode 100644 index 000000000..38ff1bff8 --- /dev/null +++ b/charts/cockroach-labs/cockroachdb/8.1.8/templates/certificate.node.yaml 
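Review bot: The cert-manager v1 branch sets `privateKey.algorithm`/`size` but leaves `privateKey.rotationPolicy` at its default of `Never`, so every renewal triggered by `renewBefore` re-signs the same private key for the root client identity; add `rotationPolicy: Always` under `privateKey:` (the node Certificate in certificate.node.yaml has the same gap). The key size `2048` and organization `Cockroach` are hard-coded in both Certificates while duration and expiry window come from values; exposing them under `tls.certs.certManagerIssuer` or at least noting in a comment that they are fixed would keep the two resources consistent. This resource is rendered unconditionally for `commonName: root`, which CockroachDB treats as the admin user, so a comment stating that `clientRootSecret` grants full database access and should be RBAC-restricted in the namespace would help operators.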
@@ -0,0 +1,58 @@ +{{- if and .Values.tls.enabled .Values.tls.certs.certManager }} +{{- if .Values.tls.certs.useCertManagerV1CRDs }} +apiVersion: cert-manager.io/v1 +{{- else }} +apiVersion: cert-manager.io/v1alpha2 +{{- end }} +kind: Certificate +metadata: + name: {{ template "cockroachdb.fullname" . }}-node + namespace: {{ .Release.Namespace | quote }} + labels: + helm.sh/chart: {{ template "cockroachdb.chart" . }} + app.kubernetes.io/name: {{ template "cockroachdb.name" . }} + app.kubernetes.io/instance: {{ .Release.Name | quote }} + app.kubernetes.io/managed-by: {{ .Release.Service | quote }} + {{- with .Values.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + duration: {{ .Values.tls.certs.certManagerIssuer.nodeCertDuration }} + renewBefore: {{ .Values.tls.certs.certManagerIssuer.nodeCertExpiryWindow }} + usages: + - digital signature + - key encipherment + - server auth + - client auth +{{- if .Values.tls.certs.useCertManagerV1CRDs }} + privateKey: + algorithm: RSA + size: 2048 +{{- else }} + keySize: 2048 + keyAlgorithm: rsa +{{- end }} + commonName: node +{{- if .Values.tls.certs.useCertManagerV1CRDs }} + subject: + organizations: + - Cockroach +{{- else }} + organization: + - Cockroach +{{- end }} + dnsNames: + - "localhost" + - "127.0.0.1" + - {{ printf "%s-public" (include "cockroachdb.fullname" .) | quote }} + - {{ printf "%s-public.%s" (include "cockroachdb.fullname" .) .Release.Namespace | quote }} + - {{ printf "%s-public.%s.svc.%s" (include "cockroachdb.fullname" .) .Release.Namespace .Values.clusterDomain | quote }} + - {{ printf "*.%s" (include "cockroachdb.fullname" .) | quote }} + - {{ printf "*.%s.%s" (include "cockroachdb.fullname" .) .Release.Namespace | quote }} + - {{ printf "*.%s.%s.svc.%s" (include "cockroachdb.fullname" .) 
.Release.Namespace .Values.clusterDomain | quote }} + secretName: {{ .Values.tls.certs.nodeSecret }} + issuerRef: + name: {{ .Values.tls.certs.certManagerIssuer.name }} + kind: {{ .Values.tls.certs.certManagerIssuer.kind }} + group: {{ .Values.tls.certs.certManagerIssuer.group }} +{{- end }} diff --git a/charts/cockroach-labs/cockroachdb/8.1.8/templates/clusterrole.yaml b/charts/cockroach-labs/cockroachdb/8.1.8/templates/clusterrole.yaml new file mode 100644 index 000000000..3171f14dc --- /dev/null +++ b/charts/cockroach-labs/cockroachdb/8.1.8/templates/clusterrole.yaml @@ -0,0 +1,19 @@ +{{- if and .Values.tls.enabled (not .Values.tls.certs.provided) (not .Values.tls.certs.certManager) }} +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ template "cockroachdb.fullname" . }} + namespace: {{ .Release.Namespace | quote }} + labels: + helm.sh/chart: {{ template "cockroachdb.chart" . }} + app.kubernetes.io/name: {{ template "cockroachdb.name" . }} + app.kubernetes.io/instance: {{ .Release.Name | quote }} + app.kubernetes.io/managed-by: {{ .Release.Service | quote }} + {{- with .Values.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} +rules: + - apiGroups: ["certificates.k8s.io"] + resources: ["certificatesigningrequests"] + verbs: ["create", "get", "watch"] +{{- end }} \ No newline at end of file diff --git a/charts/cockroach-labs/cockroachdb/8.1.8/templates/clusterrolebinding.yaml b/charts/cockroach-labs/cockroachdb/8.1.8/templates/clusterrolebinding.yaml new file mode 100644 index 000000000..984948dc1 --- /dev/null +++ b/charts/cockroach-labs/cockroachdb/8.1.8/templates/clusterrolebinding.yaml 
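Review bot: `"127.0.0.1"` is listed under `dnsNames`, which cert-manager emits as a DNS SAN rather than an IP SAN; a client dialling the loopback address verifies against IP SANs, so this entry likely does not achieve what it intends and should move to `ipAddresses:` with `- "127.0.0.1"`. The wildcard entries `*.<fullname>` and `*.<fullname>.<namespace>` cover every pod of the StatefulSet with one certificate, which is the usual trade-off for node certs but deserves a one-line comment saying that all nodes share this identity. The hunk's `apiVersion` switch on `useCertManagerV1CRDs` is duplicated from certificate.client.yaml; a small `cockroachdb.certManager.apiVersion` helper in _helpers.tpl would keep the two in step.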
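Review bot: `metadata.namespace` is set on a ClusterRole, a cluster-scoped kind, so the API server ignores it and the field only suggests a scoping that does not exist; drop it here and in the ClusterRoleBinding in clusterrolebinding.yaml. The rule grants `create`/`get`/`watch` on `certificatesigningrequests` cluster-wide to the chart's service account, which looks like the minimum a CSR-based flow needs, but nothing in the template says which component uses it; a comment above `rules:` such as `# Presumably used by the CSR-based certificate flow; not rendered when certs are provided or cert-manager is used` would document the gating condition already in the `if`.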
@@ -0,0 +1,23 @@ +{{- if and .Values.tls.enabled (not .Values.tls.certs.provided) (not .Values.tls.certs.certManager) }} +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ template "cockroachdb.fullname" . }} + namespace: {{ .Release.Namespace | quote }} + labels: + helm.sh/chart: {{ template "cockroachdb.chart" . }} + app.kubernetes.io/name: {{ template "cockroachdb.name" . }} + app.kubernetes.io/instance: {{ .Release.Name | quote }} + app.kubernetes.io/managed-by: {{ .Release.Service | quote }} + {{- with .Values.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "cockroachdb.fullname" . }} +subjects: + - kind: ServiceAccount + name: {{ template "cockroachdb.tls.serviceAccount.name" . }} + namespace: {{ .Release.Namespace | quote }} +{{- end }} \ No newline at end of file diff --git a/charts/cockroach-labs/cockroachdb/8.1.8/templates/cronjob-ca-certSelfSigner.yaml b/charts/cockroach-labs/cockroachdb/8.1.8/templates/cronjob-ca-certSelfSigner.yaml new file mode 100644 index 000000000..903c42f76 --- /dev/null +++ b/charts/cockroach-labs/cockroachdb/8.1.8/templates/cronjob-ca-certSelfSigner.yaml 
@@ -0,0 +1,46 @@ +{{- if and .Values.tls.enabled (and .Values.tls.certs.selfSigner.enabled (not .Values.tls.certs.selfSigner.caProvided)) }} + {{- if .Values.tls.certs.selfSigner.rotateCerts }} + {{- if .Capabilities.APIVersions.Has "batch/v1/CronJob" }} +apiVersion: batch/v1 + {{- else }} +apiVersion: batch/v1beta1 + {{- end }} +kind: CronJob +metadata: + name: {{ template "rotatecerts.fullname" . }} + namespace: {{ .Release.Namespace | quote }} + labels: + helm.sh/chart: {{ template "cockroachdb.chart" . }} + app.kubernetes.io/name: {{ template "cockroachdb.name" . }} + app.kubernetes.io/instance: {{ .Release.Name | quote }} + app.kubernetes.io/managed-by: {{ .Release.Service | quote }} +spec: + schedule: {{ template "selfcerts.caRotateSchedule" . }} + jobTemplate: + spec: + backoffLimit: 1 + template: + spec: + restartPolicy: Never + containers: + - name: cert-rotate-job + image: "{{ .Values.tls.selfSigner.image.registry }}/{{ .Values.tls.selfSigner.image.repository }}:{{ .Values.tls.selfSigner.image.tag }}" + imagePullPolicy: "{{ .Values.tls.selfSigner.image.pullPolicy }}" + args: + - rotate + - --ca + - --ca-duration={{ .Values.tls.certs.selfSigner.caCertDuration }} + - --ca-expiry={{ .Values.tls.certs.selfSigner.caCertExpiryWindow }} + - --ca-cron={{ template "selfcerts.caRotateSchedule" . }} + - --readiness-wait={{ .Values.tls.certs.selfSigner.readinessWait }} + - --pod-update-timeout={{ .Values.tls.certs.selfSigner.podUpdateTimeout }} + env: + - name: STATEFULSET_NAME + value: {{ template "cockroachdb.fullname" . }} + - name: NAMESPACE + value: {{ .Release.Namespace }} + - name: CLUSTER_DOMAIN + value: {{ .Values.clusterDomain}} + serviceAccountName: {{ template "rotatecerts.fullname" . }} + {{- end }} +{{- end }} diff --git a/charts/cockroach-labs/cockroachdb/8.1.8/templates/cronjob-client-node-certSelfSigner.yaml b/charts/cockroach-labs/cockroachdb/8.1.8/templates/cronjob-client-node-certSelfSigner.yaml new file mode 100644 index 000000000..5c9f6d992 
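Review bot: The CronJob sets no `concurrencyPolicy`, so it defaults to `Allow`, and a slow or stuck rotation run can overlap with the next scheduled one; since the args (`--ca`, `--pod-update-timeout`) suggest the job rewrites the CA secret and cycles pods, two concurrent runs would race on the same secret — add `concurrencyPolicy: Forbid` under `spec:` (the client/node CronJob in cronjob-client-node-certSelfSigner.yaml needs the same). `value: {{ .Release.Namespace }}` and `value: {{ .Values.clusterDomain}}` are rendered unquoted, unlike the `| quote` used for the namespace in job-certSelfSigner.yaml; env values must be strings, so a purely numeric value would render as a YAML integer and be rejected — use `| quote` on both here and in the client/node CronJob. The rotation container runs without a `securityContext`; `runAsNonRoot: true` and `allowPrivilegeEscalation: false` are appropriate if the image supports them — hedged, the image is not visible here.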
--- /dev/null +++ b/charts/cockroach-labs/cockroachdb/8.1.8/templates/cronjob-client-node-certSelfSigner.yaml 
@@ -0,0 +1,53 @@ +{{- if and .Values.tls.certs.selfSigner.enabled .Values.tls.certs.selfSigner.rotateCerts }} + {{- if .Capabilities.APIVersions.Has "batch/v1/CronJob" }} +apiVersion: batch/v1 + {{- else }} +apiVersion: batch/v1beta1 + {{- end }} +kind: CronJob +metadata: + name: {{ template "rotatecerts.fullname" . }}-client + namespace: {{ .Release.Namespace | quote }} + labels: + helm.sh/chart: {{ template "cockroachdb.chart" . }} + app.kubernetes.io/name: {{ template "cockroachdb.name" . }} + app.kubernetes.io/instance: {{ .Release.Name | quote }} + app.kubernetes.io/managed-by: {{ .Release.Service | quote }} +spec: + schedule: {{ template "selfcerts.clientRotateSchedule" . }} + jobTemplate: + spec: + backoffLimit: 1 + template: + spec: + restartPolicy: Never + containers: + - name: cert-rotate-job + image: "{{ .Values.tls.selfSigner.image.registry }}/{{ .Values.tls.selfSigner.image.repository }}:{{ .Values.tls.selfSigner.image.tag }}" + imagePullPolicy: "{{ .Values.tls.selfSigner.image.pullPolicy }}" + args: + - rotate + {{- if .Values.tls.certs.selfSigner.caProvided }} + - --ca-secret={{ .Values.tls.certs.selfSigner.caSecret }} + {{- else }} + - --ca-duration={{ .Values.tls.certs.selfSigner.caCertDuration }} + - --ca-expiry={{ .Values.tls.certs.selfSigner.caCertExpiryWindow }} + {{- end }} + - --client + - --client-duration={{ .Values.tls.certs.selfSigner.clientCertDuration }} + - --client-expiry={{ .Values.tls.certs.selfSigner.clientCertExpiryWindow }} + - --node + - --node-duration={{ .Values.tls.certs.selfSigner.nodeCertDuration }} + - --node-expiry={{ .Values.tls.certs.selfSigner.nodeCertExpiryWindow }} + - --node-client-cron={{ template "selfcerts.clientRotateSchedule" . }} + - --readiness-wait={{ .Values.tls.certs.selfSigner.readinessWait }} + - --pod-update-timeout={{ .Values.tls.certs.selfSigner.podUpdateTimeout }} + env: + - name: STATEFULSET_NAME + value: {{ template "cockroachdb.fullname" . 
}} + - name: NAMESPACE + value: {{ .Release.Namespace }} + - name: CLUSTER_DOMAIN + value: {{ .Values.clusterDomain}} + serviceAccountName: {{ template "rotatecerts.fullname" . }} + {{- end}} diff --git a/charts/cockroach-labs/cockroachdb/8.1.8/templates/ingress.yaml b/charts/cockroach-labs/cockroachdb/8.1.8/templates/ingress.yaml new file mode 100644 index 000000000..2fa6373c8 --- /dev/null +++ b/charts/cockroach-labs/cockroachdb/8.1.8/templates/ingress.yaml 
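Review bot: The guard at the top of this hunk is `and .Values.tls.certs.selfSigner.enabled .Values.tls.certs.selfSigner.rotateCerts`, whereas the CA CronJob and the generate Job additionally require `.Values.tls.enabled`; if `selfSigner.enabled` defaults to true, this CronJob is rendered for insecure deployments that have no certificates to rotate. Change it to `{{- if and .Values.tls.enabled .Values.tls.certs.selfSigner.enabled .Values.tls.certs.selfSigner.rotateCerts }}` to match the sibling templates. The `--ca-secret` branch hands the operator-provided CA secret name to the rotation job, so a comment above `args:` noting that the `rotatecerts` ServiceAccount must be granted read access to that secret would make the RBAC dependency visible.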
@@ -0,0 +1,90 @@ +{{- if .Values.ingress.enabled -}} +{{- $paths := .Values.ingress.paths -}} +{{- $ports := .Values.service.ports -}} +{{- $fullName := include "cockroachdb.fullname" . -}} +{{- if $.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress" }} +apiVersion: networking.k8s.io/v1 +{{- else if $.Capabilities.APIVersions.Has "networking.k8s.io/v1beta1/Ingress" }} +apiVersion: networking.k8s.io/v1beta1 +{{- else -}} +apiVersion: extensions/v1beta1 +{{- end }} +kind: Ingress +metadata: +{{- if or .Values.ingress.annotations .Values.iap.enabled }} + annotations: + {{- range $key, $value := .Values.ingress.annotations }} + {{ $key }}: {{ $value | quote }} + {{- end }} + {{- if .Values.iap.enabled }} + kubernetes.io/ingress.class: "gce" + kubernetes.io/ingress.allow-http: "false" + {{- end }} +{{- end }} + name: {{ $fullName }}-ingress + namespace: {{ .Release.Namespace }} + labels: + helm.sh/chart: {{ template "cockroachdb.chart" . }} + app.kubernetes.io/name: {{ template "cockroachdb.name" . 
}} + app.kubernetes.io/instance: {{ $.Release.Name | quote }} + app.kubernetes.io/managed-by: {{ $.Release.Service | quote }} +{{- if .Values.ingress.labels }} +{{- toYaml .Values.ingress.labels | nindent 4 }} +{{- end }} +spec: + rules: + {{- if .Values.ingress.hosts }} + {{- range $host := .Values.ingress.hosts }} + - host: {{ $host }} + http: + paths: + {{- range $path := $paths }} + - path: {{ $path | quote }} + {{- if $.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress" }} + {{- if $.Values.iap.enabled }} + pathType: ImplementationSpecific + {{- else }} + pathType: Prefix + {{- end }} + {{- end }} + backend: + {{- if $.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress" }} + service: + name: {{ $fullName }}-public + port: + name: {{ $ports.http.name | quote }} + {{- else }} + serviceName: {{ $fullName }}-public + servicePort: {{ $ports.http.name | quote }} + {{- end }} + {{- end }} + {{- end }} + {{- else }} + - http: + paths: + {{- range $path := $paths }} + - path: {{ $path | quote }} + {{- if $.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress" }} + {{- if $.Values.iap.enabled }} + pathType: ImplementationSpecific + {{- else }} + pathType: Prefix + {{- end }} + {{- end }} + backend: + {{- if $.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress" }} + service: + name: {{ $fullName }}-public + port: + name: {{ $ports.http.name | quote }} + {{- else }} + serviceName: {{ $fullName }}-public + servicePort: {{ $ports.http.name | quote }} + {{- end }} + {{- end }} + {{- end }} + {{- if .Values.ingress.tls }} + tls: +{{- toYaml .Values.ingress.tls | nindent 4 }} + {{- end }} +{{- end }} diff --git a/charts/cockroach-labs/cockroachdb/8.1.8/templates/job-certSelfSigner.yaml b/charts/cockroach-labs/cockroachdb/8.1.8/templates/job-certSelfSigner.yaml new file mode 100644 index 000000000..fdf091cb5 --- /dev/null +++ b/charts/cockroach-labs/cockroachdb/8.1.8/templates/job-certSelfSigner.yaml 
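Review bot: The `paths` block — pathType selection and the v1 versus legacy `backend` — is duplicated verbatim for the host and host-less branches, so every future change has to be made twice; ranging once over the host list with an empty-string fallback for the host-less case, and emitting `host:` only when the value is non-empty, would let a single path loop serve both. `namespace: {{ .Release.Namespace }}` is unquoted here while the other templates in this diff use `| quote`. When `ingress.tls` is empty this Ingress publishes the admin UI over plain HTTP unless `iap.enabled` adds `allow-http: "false"`; a comment at the top of the template reminding operators that `ingress.tls` or IAP is needed to avoid an unencrypted admin endpoint would help. `kubernetes.io/ingress.class` is the deprecated annotation form; on clusters with `networking.k8s.io/v1` the equivalent is `spec.ingressClassName`, which the v1 branch could set instead.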
@@ -0,0 +1,53 @@ +{{- if and .Values.tls.enabled .Values.tls.certs.selfSigner.enabled }} +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ template "selfcerts.fullname" . }} + namespace: {{ .Release.Namespace | quote }} + annotations: + # This is what defines this resource as a hook. Without this line, the + # job is considered part of the release. + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-weight": "4" + "helm.sh/hook-delete-policy": hook-succeeded,hook-failed + labels: + helm.sh/chart: {{ template "cockroachdb.chart" . }} + app.kubernetes.io/name: {{ template "cockroachdb.name" . }} + app.kubernetes.io/instance: {{ .Release.Name | quote }} + app.kubernetes.io/managed-by: {{ .Release.Service | quote }} +spec: + template: + metadata: + name: {{ template "selfcerts.fullname" . }} + labels: + helm.sh/chart: {{ template "cockroachdb.chart" . }} + app.kubernetes.io/name: {{ template "cockroachdb.name" . }} + app.kubernetes.io/instance: {{ .Release.Name | quote }} + app.kubernetes.io/managed-by: {{ .Release.Service | quote }} + spec: + restartPolicy: Never + containers: + - name: cert-generate-job + image: "{{ .Values.tls.selfSigner.image.registry }}/{{ .Values.tls.selfSigner.image.repository }}:{{ .Values.tls.selfSigner.image.tag }}" + imagePullPolicy: "{{ .Values.tls.selfSigner.image.pullPolicy }}" + args: + - generate + {{- if .Values.tls.certs.selfSigner.caProvided }} + - --ca-secret={{ .Values.tls.certs.selfSigner.caSecret }} + {{- else }} + - --ca-duration={{ .Values.tls.certs.selfSigner.caCertDuration }} + - --ca-expiry={{ .Values.tls.certs.selfSigner.caCertExpiryWindow }} + {{- end }} + - --client-duration={{ .Values.tls.certs.selfSigner.clientCertDuration }} + - --client-expiry={{ .Values.tls.certs.selfSigner.clientCertExpiryWindow }} + - --node-duration={{ .Values.tls.certs.selfSigner.nodeCertDuration }} + - --node-expiry={{ .Values.tls.certs.selfSigner.nodeCertExpiryWindow }} + env: + - name: STATEFULSET_NAME + value: {{ template 
"cockroachdb.fullname" . }} + - name: NAMESPACE + value: {{ .Release.Namespace | quote }} + - name: CLUSTER_DOMAIN + value: {{ .Values.clusterDomain}} + serviceAccountName: {{ template "selfcerts.fullname" . }} +{{- end}} diff --git a/charts/cockroach-labs/cockroachdb/8.1.8/templates/job-cleaner.yaml b/charts/cockroach-labs/cockroachdb/8.1.8/templates/job-cleaner.yaml new file mode 100644 index 000000000..e87f3743c --- /dev/null +++ b/charts/cockroach-labs/cockroachdb/8.1.8/templates/job-cleaner.yaml 
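Review bot: `"helm.sh/hook-delete-policy": hook-succeeded,hook-failed` deletes the Job — and its pod logs — immediately when certificate generation fails, so a failed `pre-install` leaves nothing to diagnose; consider dropping `hook-failed` from the policy, or at least documenting the trade-off in the comment already present above the hook annotations (job-cleaner.yaml has the same policy). The Job sets no `backoffLimit`, so a persistently failing generate retries six times by default, while the cleaner Job uses `backoffLimit: 1`; pick one and apply it to both for consistency. `value: {{ .Values.clusterDomain}}` is unquoted while `NAMESPACE` in the same env block uses `| quote`; use `| quote` on both. The hook runs on every `pre-upgrade`, and whether `generate` overwrites existing secrets or leaves them alone is decided by the image, which the template does not say; a one-line comment stating the expected behaviour on upgrade would save operators a surprise.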
@@ -0,0 +1,40 @@ +{{- if and .Values.tls.enabled .Values.tls.certs.selfSigner.enabled }} +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ template "selfcerts.fullname" . }}-cleaner + namespace: {{ .Release.Namespace | quote }} + annotations: + # This is what defines this resource as a hook. Without this line, the + # job is considered part of the release. + "helm.sh/hook": pre-delete + "helm.sh/hook-delete-policy": hook-succeeded,hook-failed + labels: + helm.sh/chart: {{ template "cockroachdb.chart" . }} + app.kubernetes.io/name: {{ template "cockroachdb.name" . }} + app.kubernetes.io/instance: {{ .Release.Name | quote }} + app.kubernetes.io/managed-by: {{ .Release.Service | quote }} +spec: + backoffLimit: 1 + template: + metadata: + name: {{ template "selfcerts.fullname" . }}-cleaner + labels: + helm.sh/chart: {{ template "cockroachdb.chart" . }} + app.kubernetes.io/name: {{ template "cockroachdb.name" . }} + app.kubernetes.io/instance: {{ .Release.Name | quote }} + app.kubernetes.io/managed-by: {{ .Release.Service | quote }} + spec: + restartPolicy: Never + containers: + - name: cleaner + image: "{{ .Values.tls.selfSigner.image.registry }}/{{ .Values.tls.selfSigner.image.repository }}:{{ .Values.tls.selfSigner.image.tag }}" + imagePullPolicy: "{{ .Values.tls.selfSigner.image.pullPolicy }}" + args: + - cleanup + - --namespace={{ .Release.Namespace }} + env: + - name: STATEFULSET_NAME + value: {{ template "cockroachdb.fullname" . }} + serviceAccountName: {{ template "rotatecerts.fullname" . }} +{{- end}} diff --git a/charts/cockroach-labs/cockroachdb/8.1.8/templates/job.init.yaml b/charts/cockroach-labs/cockroachdb/8.1.8/templates/job.init.yaml new file mode 100644 index 000000000..72ddaf1bb --- /dev/null +++ b/charts/cockroach-labs/cockroachdb/8.1.8/templates/job.init.yaml 
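Review bot: The cleaner runs under `serviceAccountName: {{ template "rotatecerts.fullname" . }}` but is gated only on `selfSigner.enabled`, whereas both rotate CronJobs additionally require `rotateCerts`; if the `rotatecerts` ServiceAccount and its RBAC are created only when `rotateCerts` is true (that template is not in this chunk), this `pre-delete` hook would likely fail for installs with rotation disabled and block `helm uninstall`. Either gate the cleaner the same way or have it use the `selfcerts` ServiceAccount that the generate job already uses, and state the choice in a comment above `serviceAccountName`. `--namespace={{ .Release.Namespace }}` is passed as an argument here while the other jobs pass the namespace through the `NAMESPACE` env var; using the same mechanism in all three would make the image's contract easier to follow.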
@@ -0,0 +1,265 @@ +{{ $isClusterInitEnabled := and (eq (len .Values.conf.join) 0) (not (index .Values.conf `single-node`)) }} +{{ $isDatabaseProvisioningEnabled := .Values.init.provisioning.enabled }} +{{- if or $isClusterInitEnabled $isDatabaseProvisioningEnabled }} + {{ template "cockroachdb.tlsValidation" . }} +kind: Job +apiVersion: batch/v1 +metadata: + name: {{ template "cockroachdb.fullname" . }}-init + namespace: {{ .Release.Namespace | quote }} + labels: + helm.sh/chart: {{ template "cockroachdb.chart" . }} + app.kubernetes.io/name: {{ template "cockroachdb.name" . }} + app.kubernetes.io/instance: {{ .Release.Name | quote }} + app.kubernetes.io/managed-by: {{ .Release.Service | quote }} + {{- with .Values.init.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} + annotations: + helm.sh/hook: post-install,post-upgrade + helm.sh/hook-delete-policy: before-hook-creation + {{- with .Values.init.jobAnnotations }} + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + template: + metadata: + labels: + app.kubernetes.io/name: {{ template "cockroachdb.name" . }} + app.kubernetes.io/instance: {{ .Release.Name | quote }} + {{- with .Values.init.labels }} + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.init.annotations }} + annotations: {{- toYaml . | nindent 8 }} + {{- end }} + spec: + restartPolicy: OnFailure + terminationGracePeriodSeconds: 0 + {{- if or .Values.image.credentials (and .Values.tls.enabled .Values.tls.selfSigner.image.credentials (not .Values.tls.certs.provided) (not .Values.tls.certs.certManager)) }} + imagePullSecrets: + {{- if .Values.image.credentials }} + - name: {{ template "cockroachdb.fullname" . }}.db.registry + {{- end }} + {{- if and .Values.tls.enabled .Values.tls.selfSigner.image.credentials (not .Values.tls.certs.provided) (not .Values.tls.certs.certManager) }} + - name: {{ template "cockroachdb.fullname" . 
}}.self-signed-certs.registry + {{- end }} + {{- end }} + {{- if .Values.tls.enabled }} + serviceAccountName: {{ template "cockroachdb.tls.serviceAccount.name" . }} + initContainers: + - name: copy-certs + image: {{ .Values.tls.copyCerts.image | quote }} + imagePullPolicy: {{ .Values.tls.selfSigner.image.pullPolicy | quote }} + command: + - /bin/sh + - -c + - "cp -f /certs/* /cockroach-certs/; chmod 0400 /cockroach-certs/*.key" + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + volumeMounts: + - name: client-certs + mountPath: /cockroach-certs/ + - name: certs-secret + mountPath: /certs/ + {{- end }} + {{- with .Values.init.affinity }} + affinity: {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.init.nodeSelector }} + nodeSelector: {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.init.tolerations }} + tolerations: {{- toYaml . | nindent 8 }} + {{- end }} + containers: + - name: cluster-init + image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" + imagePullPolicy: {{ .Values.image.pullPolicy | quote }} + # Run the command in an `while true` loop because this Job is bound + # to come up before the CockroachDB Pods (due to the time needed to + # get PersistentVolumes attached to Nodes), and sleeping 5 seconds + # between attempts is much better than letting the Pod fail when + # the init command does and waiting out Kubernetes' non-configurable + # exponential back-off for Pod restarts. + # Command completes either when cluster initialization succeeds, + # or when cluster has been initialized already. 
+ command: + - /bin/bash + - -c + - >- + {{- if $isClusterInitEnabled }} + initCluster() { + while true; do + local output=$( + set -x; + + /cockroach/cockroach init \ + {{- if .Values.tls.enabled }} + --certs-dir=/cockroach-certs/ \ + {{- else }} + --insecure \ + {{- end }} + {{- with index .Values.conf "cluster-name" }} + --cluster-name={{.}} \ + {{- end }} + --host={{ template "cockroachdb.fullname" . }}-0.{{ template "cockroachdb.fullname" . -}} + :{{ .Values.service.ports.grpc.internal.port | int64 }} + 2>&1); + + local exitCode="$?"; + echo $output; + + if [[ "$exitCode" == "0" || "$output" == *"cluster has already been initialized"* ]] + then break; + fi + + sleep 5; + done + } + + initCluster; + {{- end }} + + {{- if $isDatabaseProvisioningEnabled }} + provisionCluster() { + while true; do + /cockroach/cockroach sql \ + {{- if .Values.tls.enabled }} + --certs-dir=/cockroach-certs/ \ + {{- else }} + --insecure \ + {{- end }} + --host={{ template "cockroachdb.fullname" . }}-0.{{ template "cockroachdb.fullname" . -}} + :{{ .Values.service.ports.grpc.internal.port | int64 }} \ + --execute=" + {{- range $clusterSetting, $clusterSettingValue := .Values.init.provisioning.clusterSettings }} + SET CLUSTER SETTING {{ $clusterSetting }} = '${{ $clusterSetting | replace "." 
"_" }}_CLUSTER_SETTING'; + {{- end }} + + {{- range $user := .Values.init.provisioning.users }} + CREATE USER IF NOT EXISTS {{ $user.name }} WITH + {{- if $user.password }} + PASSWORD '${{ $user.name }}_PASSWORD' + {{- else }} + PASSWORD null + {{- end }} + {{ join " " $user.options }} + ; + {{- end }} + + {{- range $database := .Values.init.provisioning.databases }} + CREATE DATABASE IF NOT EXISTS {{ $database.name }} + {{- if $database.options }} + {{ join " " $database.options }} + {{- end }} + ; + + {{- range $owner := $database.owners }} + GRANT ALL ON DATABASE {{ $database.name }} TO {{ $owner }}; + {{- end }} + + {{- if $database.backup }} + CREATE SCHEDULE IF NOT EXISTS {{ $database.name }}_scheduled_backup + FOR BACKUP DATABASE {{ $database.name }} INTO '{{ $database.backup.into }}' + + {{- if $database.backup.options }} + WITH {{ join "," $database.backup.options }} + {{- end }} + RECURRING '{{ $database.backup.recurring }}' + {{- if $database.backup.fullBackup }} + FULL BACKUP '{{ $database.backup.fullBackup }}' + {{- else }} + FULL BACKUP ALWAYS + {{- end }} + + {{- if and $database.backup.schedule $database.backup.schedule.options }} + WITH SCHEDULE OPTIONS {{ join "," $database.backup.schedule.options }} + {{- end }} + ; + {{- end }} + {{- end }} + " + &>/dev/null; + + local exitCode="$?"; + + if [[ "$exitCode" == "0" ]] + then break; + fi + + sleep 5; + done + + echo "Provisioning completed successfully"; + } + + provisionCluster; + {{- end }} + env: + {{- $secretName := printf "%s-init" (include "cockroachdb.fullname" .) }} + {{- range $user := .Values.init.provisioning.users }} + {{- if $user.password }} + - name: {{ $user.name }}_PASSWORD + valueFrom: + secretKeyRef: + name: {{ $secretName }} + key: {{ $user.name }}-password + {{- end }} + {{- end }} + {{- range $clusterSetting, $clusterSettingValue := .Values.init.provisioning.clusterSettings }} + {{- if $clusterSettingValue }} + - name: {{ $clusterSetting | replace "." 
"_" }}_CLUSTER_SETTING + valueFrom: + secretKeyRef: + name: {{ $secretName }} + key: {{ $clusterSetting | replace "." "-" }}-cluster-setting + {{- end }} + {{- end }} + {{- if .Values.tls.enabled }} + volumeMounts: + - name: client-certs + mountPath: /cockroach-certs/ + {{- end }} + {{- with .Values.init.resources }} + resources: {{- toYaml . | nindent 12 }} + {{- end }} + {{- if .Values.tls.enabled }} + volumes: + - name: client-certs + emptyDir: {} + {{- if or .Values.tls.certs.provided .Values.tls.certs.certManager .Values.tls.certs.selfSigner.enabled }} + - name: certs-secret + {{- if or .Values.tls.certs.tlsSecret .Values.tls.certs.certManager .Values.tls.certs.selfSigner.enabled }} + projected: + sources: + - secret: + {{- if .Values.tls.certs.selfSigner.enabled }} + name: {{ template "cockroachdb.fullname" . }}-client-secret + {{ else }} + name: {{ .Values.tls.certs.clientRootSecret }} + {{ end -}} + items: + - key: ca.crt + path: ca.crt + mode: 0400 + - key: tls.crt + path: client.root.crt + mode: 0400 + - key: tls.key + path: client.root.key + mode: 0400 + {{- else }} + secret: + secretName: {{ .Values.tls.certs.clientRootSecret }} + defaultMode: 0400 + {{- end }} + {{- end }} + {{- end }} +{{- end }} diff --git a/charts/cockroach-labs/cockroachdb/8.1.8/templates/networkpolicy.yaml b/charts/cockroach-labs/cockroachdb/8.1.8/templates/networkpolicy.yaml new file mode 100644 index 000000000..1739c45e5 --- /dev/null +++ b/charts/cockroach-labs/cockroachdb/8.1.8/templates/networkpolicy.yaml 
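Review bot: The self-signer `imagePullSecrets` entry references `{{ template "cockroachdb.fullname" . }}.self-signed-certs.registry`, but secret.registry.yaml in this patch only creates `<fullname>.db.registry` and `<fullname>.init-certs.registry` (its range keys are `db` and `init-certs`), so with `tls.selfSigner.image.credentials` set the init Job points at a Secret that does not exist and the image this secret is meant to authorize cannot be pulled from a private registry; the line should read `- name: {{ template "cockroachdb.fullname" . }}.init-certs.registry` (or the key in secret.registry.yaml renamed, consistently with the StatefulSet, which is outside this view). Separately, `provisionCluster` sends all `cockroach sql` output to `/dev/null` and retries forever, so a rejected statement (a bad `options` entry, a malformed backup schedule) leaves the post-install hook spinning with no diagnostics — capture the output into a variable as `initCluster` does and `echo` it when the exit code is non-zero. The user passwords are expanded by the shell inside the double-quoted `--execute="…"` argument as `'$<name>_PASSWORD'`, so a password containing `'`, `"`, `$` or a backtick breaks the quoting or changes the statement; either document that constraint next to `init.provisioning.users` or escape the value before it is interpolated.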
@@ -0,0 +1,59 @@
+{{- if .Values.networkPolicy.enabled }}
+kind: NetworkPolicy
+apiVersion: {{ template "cockroachdb.networkPolicy.apiVersion" . }}
+metadata:
+ name: {{ template "cockroachdb.tls.serviceAccount.name" . }}
+ namespace: {{ .Release.Namespace | quote }}
+ labels:
+ helm.sh/chart: {{ template "cockroachdb.chart" . }}
+ app.kubernetes.io/name: {{ template "cockroachdb.name" . }}
+ app.kubernetes.io/instance: {{ .Release.Name | quote }}
+ app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+ {{- with .Values.labels }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+spec:
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/name: {{ template "cockroachdb.name" . }}
+ app.kubernetes.io/instance: {{ .Release.Name | quote }}
+ {{- with .Values.statefulset.labels }}
+ {{- toYaml . | nindent 6 }}
+ {{- end }}
+ ingress:
+ - ports:
+ - port: grpc
+ {{- with .Values.networkPolicy.ingress.grpc }}
+ from:
+ # Allow connections via custom rules.
+ {{- toYaml . | nindent 8 }}
+ # Allow client connection via pre-considered label.
+ - podSelector:
+ matchLabels:
+ {{ template "cockroachdb.fullname" . }}-client: "true"
+ # Allow other CockroachDBs to connect to form a cluster.
+ - podSelector:
+ matchLabels:
+ app.kubernetes.io/name: {{ template "cockroachdb.name" . }}
+ app.kubernetes.io/instance: {{ .Release.Name | quote }}
+ {{- with .Values.statefulset.labels }}
+ {{- toYaml . | nindent 14 }}
+ {{- end }}
+ {{- if gt (.Values.statefulset.replicas | int64) 1 }}
+ # Allow init Job to connect to bootstrap a cluster.
+ - podSelector:
+ matchLabels:
+ app.kubernetes.io/name: {{ template "cockroachdb.name" . }}
+ app.kubernetes.io/instance: {{ .Release.Name | quote }}
+ {{- with .Values.init.labels }}
+ {{- toYaml . | nindent 14 }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+ # Allow connections to admin UI and for Prometheus.
+ - ports:
+ - port: http
+ {{- with .Values.networkPolicy.ingress.http }}
+ from: {{- toYaml . | nindent 8 }}
+ {{- end }}
+{{- end }}
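Review bot: The whole `from:` list for the grpc rule — custom rules, the `<fullname>-client: "true"` selector, the peer selector and the init Job selector — sits inside `{{- with .Values.networkPolicy.ingress.grpc }}`, so when no custom grpc rules are configured (an empty list is falsy for `with`) the rendered rule is `ports: [grpc]` with no `from`, which in NetworkPolicy semantics admits every source; enabling the policy without extra rules therefore leaves the SQL/gRPC port open to the entire cluster instead of restricted to peers, the init Job and labelled clients. Close the `with` right after the `toYaml` so the built-in selectors are always emitted, and drop the matching trailing `{{- end }}`; the http rule has the same shape (no `from` when `ingress.http` is unset means allow-all on the admin UI port), which should either be intentional and commented or wrapped so the rule is omitted entirely. Naming the NetworkPolicy after the `cockroachdb.tls.serviceAccount.name` template is also confusing for anyone auditing the namespace; `{{ template "cockroachdb.fullname" . }}` would match the other resources.

```yaml
  ingress:
    - ports:
        - port: grpc
      from:
        {{- with .Values.networkPolicy.ingress.grpc }}
        # Allow connections via custom rules.
        {{- toYaml . | nindent 8 }}
        {{- end }}
        # Allow client connection via pre-considered label.
        - podSelector:
            matchLabels:
              {{ template "cockroachdb.fullname" . }}-client: "true"
        # … unchanged: peer StatefulSet and init Job podSelectors (without the trailing `{{- end }}` that closed the `with`) …
```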
diff --git a/charts/cockroach-labs/cockroachdb/8.1.8/templates/poddisruptionbudget.yaml b/charts/cockroach-labs/cockroachdb/8.1.8/templates/poddisruptionbudget.yaml new file mode 100644 index 000000000..7e96a0177 --- /dev/null +++ b/charts/cockroach-labs/cockroachdb/8.1.8/templates/poddisruptionbudget.yaml @@ -0,0 +1,26 @@ +kind: PodDisruptionBudget +{{- if .Capabilities.APIVersions.Has "policy/v1/PodDisruptionBudget" }} +apiVersion: policy/v1 +{{- else }} +apiVersion: policy/v1beta1 +{{- end }} +metadata: + name: {{ template "cockroachdb.fullname" . }}-budget + namespace: {{ .Release.Namespace | quote }} + labels: + helm.sh/chart: {{ template "cockroachdb.chart" . }} + app.kubernetes.io/name: {{ template "cockroachdb.name" . }} + app.kubernetes.io/instance: {{ .Release.Name | quote }} + app.kubernetes.io/managed-by: {{ .Release.Service | quote }} + {{- with .Values.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + selector: + matchLabels: + app.kubernetes.io/name: {{ template "cockroachdb.name" . }} + app.kubernetes.io/instance: {{ .Release.Name | quote }} + {{- with .Values.statefulset.labels }} + {{- toYaml . | nindent 6 }} + {{- end }} + maxUnavailable: {{ .Values.statefulset.budget.maxUnavailable | int64 }} diff --git a/charts/cockroach-labs/cockroachdb/8.1.8/templates/role-certRotateSelfSigner.yaml b/charts/cockroach-labs/cockroachdb/8.1.8/templates/role-certRotateSelfSigner.yaml new file mode 100644 index 000000000..f0e2b90ce --- /dev/null +++ b/charts/cockroach-labs/cockroachdb/8.1.8/templates/role-certRotateSelfSigner.yaml 
@@ -0,0 +1,27 @@
+{{- if and .Values.tls.enabled .Values.tls.certs.selfSigner.enabled }}
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: {{ template "rotatecerts.fullname" . }}
+ namespace: {{ .Release.Namespace | quote }}
+ labels:
+ helm.sh/chart: {{ template "cockroachdb.chart" . }}
+ app.kubernetes.io/name: {{ template "cockroachdb.name" . }}
+ app.kubernetes.io/instance: {{ .Release.Name | quote }}
+ app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+ {{- with .Values.labels }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+rules:
+ - apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["create", "get", "update", "delete"]
+ - apiGroups: ["apps"]
+ resources: ["statefulsets"]
+ verbs: ["get"]
+ resourceNames:
+ - {{ template "cockroachdb.fullname" . }}
+ - apiGroups: [""]
+ resources: ["pods"]
+ verbs: ["delete", "get"]
+{{- end }}
diff --git a/charts/cockroach-labs/cockroachdb/8.1.8/templates/role-certSelfSigner.yaml b/charts/cockroach-labs/cockroachdb/8.1.8/templates/role-certSelfSigner.yaml
new file mode 100644
index 000000000..1cbaab3dd
--- /dev/null
+++ b/charts/cockroach-labs/cockroachdb/8.1.8/templates/role-certSelfSigner.yaml
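Review bot: The Role grants `create`, `get`, `update` and `delete` on every Secret in the namespace and `delete` on every Pod, while the statefulsets rule shows the chart already pins `resourceNames` where it wants to; a compromised rotation pod could therefore read or replace unrelated Secrets — the `<fullname>-init` provisioning passwords and the `<fullname>.iap` client secret created elsewhere in this patch live in the same namespace — and evict arbitrary Pods. `create` cannot be constrained by `resourceNames` in Kubernetes RBAC, so keep it in its own rule, but `get`/`update`/`delete` on secrets can be limited to the chart's certificate Secrets (only `<fullname>-client-secret` is visible in this diff; the CA and node secret names would need confirming from _helpers.tpl). The pod rule should likewise be narrowed to the StatefulSet's predictable pod names or at least carry a comment stating why the rotator needs `pods delete` (presumably to restart nodes onto rotated certificates — confirm against the self-signer image).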
@@ -0,0 +1,33 @@
+{{- if and .Values.tls.enabled .Values.tls.certs.selfSigner.enabled }}
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: {{ template "selfcerts.fullname" . }}
+ namespace: {{ .Release.Namespace | quote }}
+ annotations:
+ # This is what defines this resource as a hook. Without this line, the
+ # job is considered part of the release.
+ "helm.sh/hook": pre-install,pre-upgrade
+ "helm.sh/hook-weight": "2"
+ "helm.sh/hook-delete-policy": hook-succeeded,hook-failed
+ labels:
+ helm.sh/chart: {{ template "cockroachdb.chart" . }}
+ app.kubernetes.io/name: {{ template "cockroachdb.name" . }}
+ app.kubernetes.io/instance: {{ .Release.Name | quote }}
+ app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+ {{- with .Values.labels }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+rules:
+ - apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["create", "get", "update", "delete"]
+ - apiGroups: ["apps"]
+ resources: ["statefulsets"]
+ verbs: ["get"]
+ resourceNames:
+ - {{ template "cockroachdb.fullname" . }}
+ - apiGroups: [""]
+ resources: ["pods"]
+ verbs: ["delete", "get"]
+{{- end }}
diff --git a/charts/cockroach-labs/cockroachdb/8.1.8/templates/role.yaml b/charts/cockroach-labs/cockroachdb/8.1.8/templates/role.yaml
new file mode 100644
index 000000000..ebe5ce8ae
--- /dev/null
+++ b/charts/cockroach-labs/cockroachdb/8.1.8/templates/role.yaml
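Review bot: The `rules:` block here is byte-identical to the one in role-certRotateSelfSigner.yaml, so the two will drift the first time one is tightened; factor the rules into a named template in _helpers.tpl (e.g. `{{ include "selfcerts.rbacRules" . | nindent 2 }}`) so both Roles are edited in one place. The hook annotations are the right call — the Role, its ServiceAccount and binding exist only while the pre-install/pre-upgrade Job runs and are removed by `hook-delete-policy` afterwards — but a one-shot certificate-creation Job having `pods` `delete` is unexplained; add a comment above that rule saying what the job deletes, or drop the verb if the creation path does not need it.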
@@ -0,0 +1,23 @@
+{{- if .Values.tls.enabled }}
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: {{ template "cockroachdb.fullname" . }}
+ namespace: {{ .Release.Namespace | quote }}
+ labels:
+ helm.sh/chart: {{ template "cockroachdb.chart" . }}
+ app.kubernetes.io/name: {{ template "cockroachdb.name" . }}
+ app.kubernetes.io/instance: {{ .Release.Name | quote }}
+ app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+ {{- with .Values.labels }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+rules:
+ - apiGroups: [""]
+ resources: ["secrets"]
+ {{- if or .Values.tls.certs.provided .Values.tls.certs.certManager }}
+ verbs: ["get"]
+ {{- else }}
+ verbs: ["create", "get"]
+ {{- end }}
+{{- end }}
diff --git a/charts/cockroach-labs/cockroachdb/8.1.8/templates/rolebinding-certRotateSelfSigner.yaml b/charts/cockroach-labs/cockroachdb/8.1.8/templates/rolebinding-certRotateSelfSigner.yaml
new file mode 100644
index 000000000..c1a45f797
--- /dev/null
+++ b/charts/cockroach-labs/cockroachdb/8.1.8/templates/rolebinding-certRotateSelfSigner.yaml
@@ -0,0 +1,23 @@
+{{- if and .Values.tls.enabled .Values.tls.certs.selfSigner.enabled }}
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: {{ template "rotatecerts.fullname" . }}
+ namespace: {{ .Release.Namespace | quote }}
+ labels:
+ helm.sh/chart: {{ template "cockroachdb.chart" . }}
+ app.kubernetes.io/name: {{ template "cockroachdb.name" . }}
+ app.kubernetes.io/instance: {{ .Release.Name | quote }}
+ app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+ {{- with .Values.labels }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ template "rotatecerts.fullname" . }}
+subjects:
+ - kind: ServiceAccount
+ name: {{ template "rotatecerts.fullname" . }}
+ namespace: {{ .Release.Namespace | quote }}
+{{- end }}
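Review bot: The Role bound to the database ServiceAccount — which rolebinding.yaml gives to the StatefulSet pods and job.init.yaml gives to the init Job — allows `get` on every Secret in the namespace with no `resourceNames`, so a compromised CockroachDB pod could read the `<fullname>-init` Secret holding the provisioning passwords or the `<fullname>.iap` OAuth client secret defined elsewhere in this patch. Restrict `get` to the certificate Secrets the pods actually mount (`<fullname>-client-secret` is the only one visible here; the node and CA secret names need confirming), and keep `create` — which RBAC cannot scope by `resourceNames` — in a separate rule emitted only on the branch that needs it. It is also unclear why the self-signer path lands in the `create, get` branch when the self-signer Job creates the Secrets under its own ServiceAccount; a comment such as `# create is needed for <path> which writes <secret>` would let a reviewer verify the verb is still required.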
diff --git a/charts/cockroach-labs/cockroachdb/8.1.8/templates/rolebinding-certSelfSigner.yaml b/charts/cockroach-labs/cockroachdb/8.1.8/templates/rolebinding-certSelfSigner.yaml new file mode 100644 index 000000000..5725d02a4 --- /dev/null +++ b/charts/cockroach-labs/cockroachdb/8.1.8/templates/rolebinding-certSelfSigner.yaml @@ -0,0 +1,29 @@ +{{- if and .Values.tls.enabled .Values.tls.certs.selfSigner.enabled }} +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ template "selfcerts.fullname" . }} + namespace: {{ .Release.Namespace | quote }} + annotations: + # This is what defines this resource as a hook. Without this line, the + # job is considered part of the release. + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-weight": "3" + "helm.sh/hook-delete-policy": hook-succeeded,hook-failed + labels: + helm.sh/chart: {{ template "cockroachdb.chart" . }} + app.kubernetes.io/name: {{ template "cockroachdb.name" . }} + app.kubernetes.io/instance: {{ .Release.Name | quote }} + app.kubernetes.io/managed-by: {{ .Release.Service | quote }} + {{- with .Values.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "selfcerts.fullname" . }} +subjects: + - kind: ServiceAccount + name: {{ template "selfcerts.fullname" . }} + namespace: {{ .Release.Namespace | quote }} +{{- end }} diff --git a/charts/cockroach-labs/cockroachdb/8.1.8/templates/rolebinding.yaml b/charts/cockroach-labs/cockroachdb/8.1.8/templates/rolebinding.yaml new file mode 100644 index 000000000..c65441b42 --- /dev/null +++ b/charts/cockroach-labs/cockroachdb/8.1.8/templates/rolebinding.yaml 
@@ -0,0 +1,23 @@ +{{- if .Values.tls.enabled }} +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ template "cockroachdb.fullname" . }} + namespace: {{ .Release.Namespace | quote }} + labels: + helm.sh/chart: {{ template "cockroachdb.chart" . }} + app.kubernetes.io/name: {{ template "cockroachdb.name" . }} + app.kubernetes.io/instance: {{ .Release.Name | quote }} + app.kubernetes.io/managed-by: {{ .Release.Service | quote }} + {{- with .Values.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "cockroachdb.fullname" . }} +subjects: + - kind: ServiceAccount + name: {{ template "cockroachdb.tls.serviceAccount.name" . }} + namespace: {{ .Release.Namespace | quote }} +{{- end }} diff --git a/charts/cockroach-labs/cockroachdb/8.1.8/templates/secret.backendconfig.yaml b/charts/cockroach-labs/cockroachdb/8.1.8/templates/secret.backendconfig.yaml new file mode 100644 index 000000000..61103060a --- /dev/null +++ b/charts/cockroach-labs/cockroachdb/8.1.8/templates/secret.backendconfig.yaml 
@@ -0,0 +1,25 @@ +{{- if .Values.iap.enabled }} +kind: Secret +apiVersion: v1 +metadata: + name: {{ template "cockroachdb.fullname" . }}.iap + namespace: {{ .Release.Namespace | quote }} + labels: + helm.sh/chart: {{ template "cockroachdb.chart" . }} + app.kubernetes.io/name: {{ template "cockroachdb.name" . }} + app.kubernetes.io/instance: {{ .Release.Name | quote }} + app.kubernetes.io/managed-by: {{ .Release.Service | quote }} + {{- with .Values.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} +type: Opaque +data: + {{- if eq "" .Values.iap.clientId }} + {{ fail "iap.clientID can't be empty if iap.enabled is set to true" }} + {{- end }} + client_id: {{ .Values.iap.clientId | b64enc }} + {{- if eq "" .Values.iap.clientSecret }} + {{ fail "iap.clientSecret can't be empty if iap.enabled is set to true" }} + {{- end }} + client_secret: {{ .Values.iap.clientSecret | b64enc }} +{{- end }} \ No newline at end of file diff --git a/charts/cockroach-labs/cockroachdb/8.1.8/templates/secret.logconfig.yaml b/charts/cockroach-labs/cockroachdb/8.1.8/templates/secret.logconfig.yaml new file mode 100644 index 000000000..40b929ae7 --- /dev/null +++ b/charts/cockroach-labs/cockroachdb/8.1.8/templates/secret.logconfig.yaml @@ -0,0 +1,19 @@ +{{- if .Values.conf.log.enabled }} +kind: Secret +apiVersion: v1 +metadata: + name: {{ template "cockroachdb.fullname" . }}-log-config + namespace: {{ .Release.Namespace | quote }} + labels: + helm.sh/chart: {{ template "cockroachdb.chart" . }} + app.kubernetes.io/name: {{ template "cockroachdb.name" . }} + app.kubernetes.io/instance: {{ .Release.Name | quote }} + app.kubernetes.io/managed-by: {{ .Release.Service | quote }} + {{- with .Values.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} +type: Opaque +stringData: + log-config.yaml: | + {{- toYaml .Values.conf.log.config | nindent 4 }} +{{- end }} 
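Review bot: The failure message for a missing client ID names `iap.clientID`, but the value read two lines later is `.Values.iap.clientId`, so an operator who follows the message sets a key the chart never reads and gets the same error again; change it to `{{ fail "iap.clientId can't be empty if iap.enabled is set to true" }}`. Note also that `iap.clientSecret` supplied through values ends up not only in this Secret but, like every value, in Helm's release record for the lifetime of the release history; offering an `iap.existingSecret` option (reference a pre-created Secret instead of rendering one) is the usual way to keep an OAuth client secret out of `helm get values`.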
diff --git a/charts/cockroach-labs/cockroachdb/8.1.8/templates/secret.registry.yaml b/charts/cockroach-labs/cockroachdb/8.1.8/templates/secret.registry.yaml
new file mode 100644
index 000000000..a054069fb
--- /dev/null
+++ b/charts/cockroach-labs/cockroachdb/8.1.8/templates/secret.registry.yaml
@@ -0,0 +1,23 @@
+{{- range $name, $cred := dict "db" (.Values.image.credentials) "init-certs" (.Values.tls.selfSigner.image.credentials) }}
+{{- if not (empty $cred) }}
+{{- if or (and (eq $name "init-certs") $.Values.tls.enabled) (ne $name "init-certs") }}
+---
+kind: Secret
+apiVersion: v1
+metadata:
+ name: {{ template "cockroachdb.fullname" $ }}.{{ $name }}.registry
+ namespace: {{ $.Release.Namespace | quote }}
+ labels:
+ helm.sh/chart: {{ template "cockroachdb.chart" $ }}
+ app.kubernetes.io/name: {{ template "cockroachdb.name" $ }}
+ app.kubernetes.io/instance: {{ $.Release.Name | quote }}
+ app.kubernetes.io/managed-by: {{ $.Release.Service | quote }}
+ {{- with $.Values.labels }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+type: kubernetes.io/dockerconfigjson
+data:
+ .dockerconfigjson: {{ printf `{"auths":{%s:{"auth":"%s"}}}` ($cred.registry | quote) (printf "%s:%s" $cred.username $cred.password | b64enc) | b64enc | quote }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/cockroach-labs/cockroachdb/8.1.8/templates/secrets.init.yaml b/charts/cockroach-labs/cockroachdb/8.1.8/templates/secrets.init.yaml
new file mode 100644
index 000000000..4d13a35ff
--- /dev/null
+++ b/charts/cockroach-labs/cockroachdb/8.1.8/templates/secrets.init.yaml
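Review bot: The `.dockerconfigjson` payload is hand-assembled with `printf` and Go's `quote`, which escapes by Go string rules rather than JSON rules (non-printable or non-ASCII characters come out as `\xNN`/`\uNNNN` forms that a JSON parser may reject), so an unusual registry host yields a config the kubelet cannot parse; build the document with `toJson` instead: `{{- $auth := printf "%s:%s" $cred.username $cred.password | b64enc }}` followed by `.dockerconfigjson: {{ dict "auths" (dict $cred.registry (dict "auth" $auth)) | toJson | b64enc | quote }}`. The Secrets this template produces are `<fullname>.db.registry` and `<fullname>.init-certs.registry`; job.init.yaml in this same patch references a `.self-signed-certs.registry` suffix, so one side needs renaming before the pull secret is ever found.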
@@ -0,0 +1,20 @@
+{{- if .Values.init.provisioning.enabled }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ template "cockroachdb.fullname" . }}-init
+ namespace: {{ .Release.Namespace | quote }}
+type: Opaque
+stringData:
+
+{{- range $user := .Values.init.provisioning.users }}
+{{- if $user.password }}
+ {{ $user.name }}-password: {{ $user.password | quote }}
+{{- end }}
+{{- end }}
+
+{{- range $clusterSetting, $clusterSettingValue := .Values.init.provisioning.clusterSettings }}
+ {{ $clusterSetting | replace "." "-" }}-cluster-setting: {{ $clusterSettingValue | quote }}
+{{- end }}
+
+{{- end }}
diff --git a/charts/cockroach-labs/cockroachdb/8.1.8/templates/service.discovery.yaml b/charts/cockroach-labs/cockroachdb/8.1.8/templates/service.discovery.yaml
new file mode 100644
index 000000000..8fe2a427a
--- /dev/null
+++ b/charts/cockroach-labs/cockroachdb/8.1.8/templates/service.discovery.yaml
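Review bot: Unlike every other resource in this chart version, the Secret holding the provisioning passwords carries no `helm.sh/chart` / `app.kubernetes.io/*` labels and ignores `.Values.labels`, so label-driven policies, audits and cleanup that rely on them miss exactly the object most worth tracking; add the same `labels:` stanza the sibling templates use. The data keys are derived from user input as `{{ $user.name }}-password` and `<setting with . replaced by ->-cluster-setting`, and Secret keys only admit alphanumerics, `-`, `_` and `.`, so a user name or setting with other characters fails at apply time far from its cause — a `{{ fail }}` with a clear message, or a note in values.yaml, would make that constraint visible.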
@@ -0,0 +1,64 @@ +# This service only exists to create DNS entries for each pod in +# the StatefulSet such that they can resolve each other's IP addresses. +# It does not create a load-balanced ClusterIP and should not be used directly +# by clients in most circumstances. +kind: Service +apiVersion: v1 +metadata: + name: {{ template "cockroachdb.fullname" . }} + namespace: {{ .Release.Namespace | quote }} + labels: + helm.sh/chart: {{ template "cockroachdb.chart" . }} + app.kubernetes.io/name: {{ template "cockroachdb.name" . }} + app.kubernetes.io/instance: {{ .Release.Name | quote }} + app.kubernetes.io/managed-by: {{ .Release.Service | quote }} + {{- with .Values.service.discovery.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} + annotations: + # Use this annotation in addition to the actual field below because the + # annotation will stop being respected soon, but the field is broken in + # some versions of Kubernetes: + # https://github.com/kubernetes/kubernetes/issues/58662 + service.alpha.kubernetes.io/tolerate-unready-endpoints: "true" + # Enable automatic monitoring of all instances when Prometheus is running + # in the cluster. + {{- if .Values.prometheus.enabled }} + prometheus.io/scrape: "true" + prometheus.io/path: _status/vars + prometheus.io/port: {{ .Values.service.ports.http.port | quote }} + {{- end }} + {{- with .Values.service.discovery.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + clusterIP: None + # We want all Pods in the StatefulSet to have their addresses published for + # the sake of the other CockroachDB Pods even before they're ready, since they + # have to be able to talk to each other in order to become ready. + publishNotReadyAddresses: true + ports: + {{- $ports := .Values.service.ports }} + # The main port, served by gRPC, serves Postgres-flavor SQL, inter-node + # traffic and the CLI. 
+ - name: {{ $ports.grpc.external.name | quote }} + port: {{ $ports.grpc.external.port | int64 }} + targetPort: grpc + {{- if ne ($ports.grpc.internal.port | int64) ($ports.grpc.external.port | int64) }} + - name: {{ $ports.grpc.internal.name | quote }} + port: {{ $ports.grpc.internal.port | int64 }} + targetPort: grpc + {{- end }} + # The secondary port serves the UI as well as health and debug endpoints. + - name: {{ $ports.http.name | quote }} + port: {{ $ports.http.port | int64 }} + targetPort: http + selector: + app.kubernetes.io/name: {{ template "cockroachdb.name" . }} + app.kubernetes.io/instance: {{ .Release.Name | quote }} + {{- with .Values.statefulset.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} diff --git a/charts/cockroach-labs/cockroachdb/8.1.8/templates/service.public.yaml b/charts/cockroach-labs/cockroachdb/8.1.8/templates/service.public.yaml new file mode 100644 index 000000000..251e9ab08 --- /dev/null +++ b/charts/cockroach-labs/cockroachdb/8.1.8/templates/service.public.yaml 
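Review bot: The Prometheus annotations set `scrape`, `path` and `port` but never `prometheus.io/scheme`, yet when `tls.enabled` is true service.public.yaml in this same patch declares the `http` port as HTTPS, so an annotation-driven scrape config would presumably try plain HTTP against a TLS endpoint and fail (confirm against the scrape config the chart expects). A conditional `prometheus.io/scheme: {{ if .Values.tls.enabled }}https{{ else }}http{{ end }}` alongside the existing three annotations would close the gap, and a one-line comment noting that the TLS admin port needs the CA trusted by the scraper would save the next operator the same investigation.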
@@ -0,0 +1,55 @@ +# This Service is meant to be used by clients of the database. +# It exposes a ClusterIP that will automatically load balance connections +# to the different database Pods. +kind: Service +apiVersion: v1 +metadata: + name: {{ template "cockroachdb.fullname" . }}-public + namespace: {{ .Release.Namespace | quote }} + labels: + helm.sh/chart: {{ template "cockroachdb.chart" . }} + app.kubernetes.io/name: {{ template "cockroachdb.name" . }} + app.kubernetes.io/instance: {{ .Release.Name | quote }} + app.kubernetes.io/managed-by: {{ .Release.Service | quote }} + {{- with .Values.service.public.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- if or .Values.service.public.annotations .Values.tls.enabled .Values.iap.enabled }} + annotations: + {{- with .Values.service.public.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- if .Values.tls.enabled }} + service.alpha.kubernetes.io/app-protocols: '{"http":"HTTPS"}' + {{- end }} + {{- if .Values.iap.enabled }} + beta.cloud.google.com/backend-config: '{"default": "{{ template "cockroachdb.fullname" . }}"}' + {{- end }} + {{- end }} +spec: + type: {{ .Values.service.public.type | quote }} + ports: + {{- $ports := .Values.service.ports }} + # The main port, served by gRPC, serves Postgres-flavor SQL, inter-node + # traffic and the CLI. + - name: {{ $ports.grpc.external.name | quote }} + port: {{ $ports.grpc.external.port | int64 }} + targetPort: grpc + {{- if ne ($ports.grpc.internal.port | int64) ($ports.grpc.external.port | int64) }} + - name: {{ $ports.grpc.internal.name | quote }} + port: {{ $ports.grpc.internal.port | int64 }} + targetPort: grpc + {{- end }} + # The secondary port serves the UI as well as health and debug endpoints. + - name: {{ $ports.http.name | quote }} + port: {{ $ports.http.port | int64 }} + targetPort: http + selector: + app.kubernetes.io/name: {{ template "cockroachdb.name" . 
}} + app.kubernetes.io/instance: {{ .Release.Name | quote }} + {{- with .Values.statefulset.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} diff --git a/charts/cockroach-labs/cockroachdb/8.1.8/templates/serviceMonitor.yaml b/charts/cockroach-labs/cockroachdb/8.1.8/templates/serviceMonitor.yaml new file mode 100644 index 000000000..e322cc41a --- /dev/null +++ b/charts/cockroach-labs/cockroachdb/8.1.8/templates/serviceMonitor.yaml 
@@ -0,0 +1,51 @@ +{{- $serviceMonitor := .Values.serviceMonitor -}} +{{- $ports := .Values.service.ports -}} +{{- if $serviceMonitor.enabled }} +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: {{ template "cockroachdb.fullname" . }} + namespace: {{ .Release.Namespace | quote }} + labels: + helm.sh/chart: {{ template "cockroachdb.chart" . }} + app.kubernetes.io/name: {{ template "cockroachdb.name" . }} + app.kubernetes.io/instance: {{ .Release.Name | quote }} + app.kubernetes.io/managed-by: {{ .Release.Service | quote }} + {{- if $serviceMonitor.labels }} + {{ toYaml $serviceMonitor.labels | nindent 4 }} + {{- end }} + {{- with .Values.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- if $serviceMonitor.annotations }} + annotations: + {{ toYaml $serviceMonitor.annotations | nindent 4 }} + {{- end }} +spec: + selector: + matchLabels: + app.kubernetes.io/name: {{ template "cockroachdb.name" . }} + app.kubernetes.io/instance: {{ .Release.Name | quote }} + {{- with .Values.service.discovery.labels }} + {{- toYaml . | nindent 6 }} + {{- end }} + {{- with .Values.labels }} + {{- toYaml . | nindent 6 }} + {{- end }} + namespaceSelector: + {{- if $serviceMonitor.namespaced }} + matchNames: + - {{ .Release.Namespace }} + {{- else }} + any: true + {{- end }} + endpoints: + - port: {{ $ports.http.name | quote }} + path: /_status/vars + {{- if $serviceMonitor.interval }} + interval: {{ $serviceMonitor.interval }} + {{- end }} + {{- if $serviceMonitor.scrapeTimeout }} + scrapeTimeout: {{ $serviceMonitor.scrapeTimeout }} + {{- end }} +{{- end }} diff --git a/charts/cockroach-labs/cockroachdb/8.1.8/templates/serviceaccount-certRotateSelfSigner.yaml b/charts/cockroach-labs/cockroachdb/8.1.8/templates/serviceaccount-certRotateSelfSigner.yaml new file mode 100644 index 000000000..44e08dcb3 --- /dev/null +++ b/charts/cockroach-labs/cockroachdb/8.1.8/templates/serviceaccount-certRotateSelfSigner.yaml 
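Review bot: The ServiceMonitor endpoint has no `scheme` or `tlsConfig`, so for a TLS-enabled cluster — where service.public.yaml in this patch marks the `http` port as HTTPS — Prometheus Operator would scrape `/_status/vars` over plain HTTP and fail; add `{{- if .Values.tls.enabled }}` `scheme: https` `{{- end }}` together with a `tlsConfig` whose `ca` points at the cluster CA Secret (which Secret holds it is not visible in this diff), rather than reaching for `insecureSkipVerify`. Also, `namespaceSelector` defaults to `any: true` unless `serviceMonitor.namespaced` is set, and the selector only matches `app.kubernetes.io/name`/`instance`, so a same-named release in another namespace would be scraped by this monitor too; defaulting `namespaced` to true, or documenting why cluster-wide matching is wanted, would make that intent explicit.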
@@ -0,0 +1,16 @@
+{{- if and .Values.tls.enabled .Values.tls.certs.selfSigner.enabled }}
+ {{ template "cockroachdb.tls.certs.selfSigner.validation" . }}
+kind: ServiceAccount
+apiVersion: v1
+metadata:
+ name: {{ template "rotatecerts.fullname" . }}
+ namespace: {{ .Release.Namespace | quote }}
+ labels:
+ helm.sh/chart: {{ template "cockroachdb.chart" . }}
+ app.kubernetes.io/name: {{ template "cockroachdb.name" . }}
+ app.kubernetes.io/instance: {{ .Release.Name | quote }}
+ app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+ {{- with .Values.labels }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+{{- end }}
diff --git a/charts/cockroach-labs/cockroachdb/8.1.8/templates/serviceaccount-certSelfSigner.yaml b/charts/cockroach-labs/cockroachdb/8.1.8/templates/serviceaccount-certSelfSigner.yaml
new file mode 100644
index 000000000..9b669d45b
--- /dev/null
+++ b/charts/cockroach-labs/cockroachdb/8.1.8/templates/serviceaccount-certSelfSigner.yaml
@@ -0,0 +1,22 @@
+{{- if and .Values.tls.enabled .Values.tls.certs.selfSigner.enabled }}
+ {{ template "cockroachdb.tls.certs.selfSigner.validation" . }}
+kind: ServiceAccount
+apiVersion: v1
+metadata:
+ name: {{ template "selfcerts.fullname" . }}
+ namespace: {{ .Release.Namespace | quote }}
+ annotations:
+ # This is what defines this resource as a hook. Without this line, the
+ # job is considered part of the release.
+ "helm.sh/hook": pre-install,pre-upgrade
+ "helm.sh/hook-weight": "1"
+ "helm.sh/hook-delete-policy": hook-succeeded,hook-failed
+ labels:
+ helm.sh/chart: {{ template "cockroachdb.chart" . }}
+ app.kubernetes.io/name: {{ template "cockroachdb.name" . }}
+ app.kubernetes.io/instance: {{ .Release.Name | quote }}
+ app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+ {{- with .Values.labels }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+{{- end }}
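Review bot: The validation call on the second line of the hunk, `{{ template "cockroachdb.tls.certs.selfSigner.validation" . }}`, uses a non-trimming `{{`, so whatever the helper emits (presumably nothing, if it exists only to `fail` on bad values) is preceded by a stray indented blank line in the rendered manifest; `{{- template "cockroachdb.tls.certs.selfSigner.validation" . }}` keeps the output clean. The same line appears in serviceaccount-certSelfSigner.yaml in the next hunk. The helper's body is defined in _helpers.tpl outside this hunk, so I cannot confirm from here that it renders to nothing.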
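Review bot: The comment above the hook annotations says `the job is considered part of the release`, but this resource is a ServiceAccount, so the text reads as copied from the self-signer Job template; change it to `# This is what defines this resource as a hook. Without this line, the` / `# ServiceAccount is considered part of the release.` The `hook-delete-policy` of `hook-succeeded,hook-failed` removes the ServiceAccount after each hook run, which only works if the `hook-weight` of `"1"` orders it before the Job that runs under it; that Job's weight is outside this hunk, so it is worth confirming.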
diff --git a/charts/cockroach-labs/cockroachdb/8.1.8/templates/serviceaccount.yaml b/charts/cockroach-labs/cockroachdb/8.1.8/templates/serviceaccount.yaml
new file mode 100644
index 000000000..45c3fe09c
--- /dev/null
+++ b/charts/cockroach-labs/cockroachdb/8.1.8/templates/serviceaccount.yaml
@@ -0,0 +1,15 @@
+{{- if and .Values.tls.enabled .Values.tls.serviceAccount.create }}
+kind: ServiceAccount
+apiVersion: v1
+metadata:
+ name: {{ template "cockroachdb.tls.serviceAccount.name" . }}
+ namespace: {{ .Release.Namespace | quote }}
+ labels:
+ helm.sh/chart: {{ template "cockroachdb.chart" . }}
+ app.kubernetes.io/name: {{ template "cockroachdb.name" . }}
+ app.kubernetes.io/instance: {{ .Release.Name | quote }}
+ app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+ {{- with .Values.labels }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+{{- end }}
diff --git a/charts/cockroach-labs/cockroachdb/8.1.8/templates/statefulset.yaml b/charts/cockroach-labs/cockroachdb/8.1.8/templates/statefulset.yaml
new file mode 100644
index 000000000..043ec4fb3
--- /dev/null
+++ b/charts/cockroach-labs/cockroachdb/8.1.8/templates/statefulset.yaml
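Review bot: This ServiceAccount is the one statefulset.yaml in this commit assigns to every database pod via `serviceAccountName`, and neither side sets `automountServiceAccountToken`, so each `cockroach` process gets an API token mounted with whatever permissions the Role bound to this account grants. If the node process does not need to talk to the Kubernetes API in the self-signer or provided-certs flows (I cannot tell from here; the Role and binding are outside this hunk), add `automountServiceAccountToken: false` under `metadata`'s sibling level, or expose it as `tls.serviceAccount.automountToken` so operators can turn it off.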
@@ -0,0 +1,370 @@ +kind: StatefulSet +apiVersion: {{ template "cockroachdb.statefulset.apiVersion" . }} +metadata: + name: {{ template "cockroachdb.fullname" . }} + namespace: {{ .Release.Namespace | quote }} + labels: + helm.sh/chart: {{ template "cockroachdb.chart" . }} + app.kubernetes.io/name: {{ template "cockroachdb.name" . }} + app.kubernetes.io/instance: {{ .Release.Name | quote }} + app.kubernetes.io/managed-by: {{ .Release.Service | quote }} + {{- with .Values.statefulset.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + serviceName: {{ template "cockroachdb.fullname" . }} + replicas: {{ .Values.statefulset.replicas | int64 }} + updateStrategy: {{- toYaml .Values.statefulset.updateStrategy | nindent 4 }} + podManagementPolicy: {{ .Values.statefulset.podManagementPolicy | quote }} + selector: + matchLabels: + app.kubernetes.io/name: {{ template "cockroachdb.name" . }} + app.kubernetes.io/instance: {{ .Release.Name | quote }} + {{- with .Values.statefulset.labels }} + {{- toYaml . | nindent 6 }} + {{- end }} + template: + metadata: + labels: + app.kubernetes.io/name: {{ template "cockroachdb.name" . }} + app.kubernetes.io/instance: {{ .Release.Name | quote }} + {{- with .Values.statefulset.labels }} + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.labels }} + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.statefulset.annotations }} + annotations: {{- toYaml . | nindent 8 }} + {{- end }} + spec: + {{- if or .Values.image.credentials (and .Values.tls.enabled .Values.tls.selfSigner.image.credentials (not .Values.tls.certs.provided) (not .Values.tls.certs.certManager)) }} + imagePullSecrets: + {{- if .Values.image.credentials }} + - name: {{ template "cockroachdb.fullname" . 
}}.db.registry + {{- end }} + {{- if and .Values.tls.enabled .Values.tls.selfSigner.image.credentials (not .Values.tls.certs.provided) (not .Values.tls.certs.certManager) }} + - name: {{ template "cockroachdb.fullname" . }}.self-signed-certs.registry + {{- end }} + {{- end }} + {{- if .Values.tls.enabled }} + serviceAccountName: {{ template "cockroachdb.tls.serviceAccount.name" . }} + {{- if .Values.tls.enabled }} + initContainers: + - name: copy-certs + image: {{ .Values.tls.copyCerts.image | quote }} + imagePullPolicy: {{ .Values.tls.selfSigner.image.pullPolicy | quote }} + command: + - /bin/sh + - -c + - "cp -f /certs/* /cockroach-certs/; chmod 0400 /cockroach-certs/*.key" + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + volumeMounts: + - name: certs + mountPath: /cockroach-certs/ + - name: certs-secret + mountPath: /certs/ + {{- end }} + {{- end }} + {{- if or .Values.statefulset.nodeAffinity .Values.statefulset.podAffinity .Values.statefulset.podAntiAffinity }} + affinity: + {{- with .Values.statefulset.nodeAffinity }} + nodeAffinity: {{- toYaml . | nindent 10 }} + {{- end }} + {{- with .Values.statefulset.podAffinity }} + podAffinity: {{- toYaml . | nindent 10 }} + {{- end }} + {{- if .Values.statefulset.podAntiAffinity }} + podAntiAffinity: + {{- if .Values.statefulset.podAntiAffinity.type }} + {{- if eq .Values.statefulset.podAntiAffinity.type "hard" }} + requiredDuringSchedulingIgnoredDuringExecution: + - topologyKey: {{ .Values.statefulset.podAntiAffinity.topologyKey }} + labelSelector: + matchLabels: + app.kubernetes.io/name: {{ template "cockroachdb.name" . }} + app.kubernetes.io/instance: {{ .Release.Name | quote }} + {{- with .Values.statefulset.labels }} + {{- toYaml . 
| nindent 18 }} + {{- end }} + {{- else if eq .Values.statefulset.podAntiAffinity.type "soft" }} + preferredDuringSchedulingIgnoredDuringExecution: + - weight: {{ .Values.statefulset.podAntiAffinity.weight | int64 }} + podAffinityTerm: + topologyKey: {{ .Values.statefulset.podAntiAffinity.topologyKey }} + labelSelector: + matchLabels: + app.kubernetes.io/name: {{ template "cockroachdb.name" . }} + app.kubernetes.io/instance: {{ .Release.Name | quote }} + {{- with .Values.statefulset.labels }} + {{- toYaml . | nindent 20 }} + {{- end }} + {{- end }} + {{- else }} + {{- toYaml .Values.statefulset.podAntiAffinity | nindent 10 }} + {{- end }} + {{- end }} + {{- end }} + {{- if semverCompare ">=1.16-0" .Capabilities.KubeVersion.Version }} + topologySpreadConstraints: + - labelSelector: + matchLabels: + app.kubernetes.io/name: {{ template "cockroachdb.name" . }} + app.kubernetes.io/instance: {{ .Release.Name | quote }} + {{- with .Values.statefulset.labels }} + {{- toYaml . | nindent 12 }} + {{- end }} + {{- with .Values.statefulset.topologySpreadConstraints }} + maxSkew: {{ .maxSkew }} + topologyKey: {{ .topologyKey }} + whenUnsatisfiable: {{ .whenUnsatisfiable }} + {{- end }} + {{- end }} + {{- with .Values.statefulset.nodeSelector }} + nodeSelector: {{- toYaml . | nindent 8 }} + {{- end }} + {{- if .Values.statefulset.priorityClassName }} + priorityClassName: {{ .Values.statefulset.priorityClassName }} + {{- end }} + {{- with .Values.statefulset.tolerations }} + tolerations: {{- toYaml . | nindent 8 }} + {{- end }} + # No pre-stop hook is required, a SIGTERM plus some time is all that's + # needed for graceful shutdown of a node. + terminationGracePeriodSeconds: 60 + containers: + - name: db + image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" + imagePullPolicy: {{ .Values.image.pullPolicy | quote }} + args: + - shell + - -ecx + # The use of qualified `hostname -f` is crucial: + # Other nodes aren't able to look up the unqualified hostname. 
+ # + # `--join` CLI flag is hardcoded to exactly 3 Pods, because: + # 1. Having `--join` value depending on `statefulset.replicas` + # will trigger undesired restart of existing Pods when + # StatefulSet is scaled up/down. We want to scale without + # restarting existing Pods. + # 2. At least one Pod in `--join` is enough to successfully + # join CockroachDB cluster and gossip with all other existing + # Pods, even if there are 3 or more Pods. + # 3. It's harmless for `--join` to have 3 Pods even for 1-Pod + # clusters, while it gives us opportunity to scale up even if + # some Pods of existing cluster are down (for whatever reason). + # See details explained here: + # https://github.com/helm/charts/pull/18993#issuecomment-558795102 + - >- + exec /cockroach/cockroach + {{- if index .Values.conf `single-node` }} + start-single-node + {{- else }} + start --join= + {{- if .Values.conf.join }} + {{- join `,` .Values.conf.join -}} + {{- else }} + {{- range $i, $_ := until 3 -}} + {{- if gt $i 0 -}},{{- end -}} + ${STATEFULSET_NAME}-{{ $i }}.${STATEFULSET_FQDN}:{{ $.Values.service.ports.grpc.internal.port | int64 -}} + {{- end -}} + {{- end }} + {{- with index .Values.conf `cluster-name` }} + --cluster-name={{ . }} + {{- if index $.Values.conf `disable-cluster-name-verification` }} + --disable-cluster-name-verification + {{- end }} + {{- end }} + {{- end }} + --advertise-host=$(hostname).${STATEFULSET_FQDN} + {{- if .Values.tls.enabled }} + --certs-dir=/cockroach/cockroach-certs/ + {{- else }} + --insecure + {{- end }} + {{- with .Values.conf.attrs }} + --attrs={{ join `:` . }} + {{- end }} + --http-port={{ index .Values.conf `http-port` | int64 }} + --port={{ .Values.conf.port | int64 }} + --cache={{ .Values.conf.cache }} + {{- with index .Values.conf `max-disk-temp-storage` }} + --max-disk-temp-storage={{ . }} + {{- end }} + {{- with index .Values.conf `max-offset` }} + --max-offset={{ . 
}} + {{- end }} + --max-sql-memory={{ index .Values.conf `max-sql-memory` }} + {{- with .Values.conf.locality }} + --locality={{ . }} + {{- end }} + {{- with index .Values.conf `sql-audit-dir` }} + --sql-audit-dir={{ . }} + {{- end }} + {{- if .Values.conf.store.enabled }} + --store={{ template "cockroachdb.conf.store" . }} + {{- end }} + {{- if .Values.conf.log.enabled }} + --log-config-file=/cockroach/log-config/log-config.yaml + {{- else }} + --logtostderr={{ .Values.conf.logtostderr }} + {{- end }} + {{- range .Values.statefulset.args }} + {{ . }} + {{- end }} + env: + - name: STATEFULSET_NAME + value: {{ template "cockroachdb.fullname" . }} + - name: STATEFULSET_FQDN + value: {{ template "cockroachdb.fullname" . }}.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }} + - name: COCKROACH_CHANNEL + value: kubernetes-helm + {{- with .Values.statefulset.env }} + {{- toYaml . | nindent 12 }} + {{- end }} + ports: + - name: grpc + containerPort: {{ .Values.conf.port | int64 }} + protocol: TCP + - name: http + containerPort: {{ index .Values.conf `http-port` | int64 }} + protocol: TCP + volumeMounts: + - name: datadir + mountPath: /cockroach/{{ .Values.conf.path }}/ + {{- if .Values.tls.enabled }} + - name: certs + mountPath: /cockroach/cockroach-certs/ + {{- if .Values.tls.certs.provided }} + - name: certs-secret + mountPath: /cockroach/certs/ + {{- end }} + {{- end }} + {{- range .Values.statefulset.secretMounts }} + - name: {{ printf "secret-%s" . | quote }} + mountPath: {{ printf "/etc/cockroach/secrets/%s" . 
| quote }} + readOnly: true + {{- end }} + {{- if .Values.conf.log.enabled }} + - name: log-config + mountPath: /cockroach/log-config + readOnly: true + {{- end }} + livenessProbe: + {{- if .Values.statefulset.customLivenessProbe }} + {{ toYaml .Values.statefulset.customLivenessProbe | nindent 12 }} + {{- else }} + httpGet: + path: /health + port: http + {{- if .Values.tls.enabled }} + scheme: HTTPS + {{- end }} + initialDelaySeconds: 30 + periodSeconds: 5 + {{- end }} + readinessProbe: + {{- if .Values.statefulset.customReadinessProbe }} + {{ toYaml .Values.statefulset.customReadinessProbe | nindent 12 }} + {{- else }} + httpGet: + path: /health?ready=1 + port: http + {{- if .Values.tls.enabled }} + scheme: HTTPS + {{- end }} + initialDelaySeconds: 10 + periodSeconds: 5 + failureThreshold: 2 + {{- end }} + {{- with .Values.statefulset.resources }} + resources: {{- toYaml . | nindent 12 }} + {{- end }} + volumes: + - name: datadir + {{- if .Values.storage.persistentVolume.enabled }} + persistentVolumeClaim: + claimName: datadir + {{- else if .Values.storage.hostPath }} + hostPath: + path: {{ .Values.storage.hostPath | quote }} + {{- else }} + emptyDir: {} + {{- end }} + {{- if .Values.tls.enabled }} + - name: certs + emptyDir: {} + {{- if or .Values.tls.certs.provided .Values.tls.certs.certManager .Values.tls.certs.selfSigner.enabled }} + - name: certs-secret + {{- if or .Values.tls.certs.tlsSecret .Values.tls.certs.certManager .Values.tls.certs.selfSigner.enabled }} + projected: + sources: + - secret: + {{- if .Values.tls.certs.selfSigner.enabled }} + name: {{ template "cockroachdb.fullname" . 
}}-node-secret + {{ else }} + name: {{ .Values.tls.certs.nodeSecret }} + {{ end -}} + items: + - key: ca.crt + path: ca.crt + mode: 256 + - key: tls.crt + path: node.crt + mode: 256 + - key: tls.key + path: node.key + mode: 256 + {{- else }} + secret: + secretName: {{ .Values.tls.certs.nodeSecret }} + defaultMode: 256 + {{- end }} + {{- end }} + {{- end }} + {{- range .Values.statefulset.secretMounts }} + - name: {{ printf "secret-%s" . | quote }} + secret: + secretName: {{ . | quote }} + {{- end }} + {{- if .Values.conf.log.enabled }} + - name: log-config + secret: + secretName: {{ template "cockroachdb.fullname" . }}-log-config + {{- end }} +{{- if .Values.storage.persistentVolume.enabled }} + volumeClaimTemplates: + - metadata: + name: datadir + labels: + app.kubernetes.io/name: {{ template "cockroachdb.name" . }} + app.kubernetes.io/instance: {{ .Release.Name | quote }} + {{- with .Values.storage.persistentVolume.labels }} + {{- toYaml . | nindent 10 }} + {{- end }} + {{- with .Values.labels }} + {{- toYaml . | nindent 10 }} + {{- end }} + {{- with .Values.storage.persistentVolume.annotations }} + annotations: {{- toYaml . | nindent 10 }} + {{- end }} + spec: + accessModes: ["ReadWriteOnce"] + {{- if .Values.storage.persistentVolume.storageClass }} + {{- if (eq "-" .Values.storage.persistentVolume.storageClass) }} + storageClassName: "" + {{- else }} + storageClassName: {{ .Values.storage.persistentVolume.storageClass | quote}} + {{- end }} + {{- end }} + resources: + requests: + storage: {{ .Values.storage.persistentVolume.size | quote }} +{{- end }} diff --git a/charts/cockroach-labs/cockroachdb/8.1.8/templates/tests/client.yaml b/charts/cockroach-labs/cockroachdb/8.1.8/templates/tests/client.yaml new file mode 100644 index 000000000..8656b8ed6 --- /dev/null +++ b/charts/cockroach-labs/cockroachdb/8.1.8/templates/tests/client.yaml 
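Review bot: The `copy-certs` init container under `initContainers:` takes its image from `tls.copyCerts.image`, which values.yaml in this commit sets to a bare `busybox`, and its pull policy from the unrelated `tls.selfSigner.image.pullPolicy`; an untagged image resolves to a floating `latest` for the container that copies and chmods the node's private key. Pin `tls.copyCerts.image` to a tag or digest (`busybox:<pinned-tag-or-digest>` as a placeholder) and give copyCerts its own pull-policy value instead of borrowing the self-signer's. Neither that init container nor the `db` container sets a `securityContext` (`runAsNonRoot`, `allowPrivilegeEscalation: false`) and the pod spec does not set `automountServiceAccountToken`; exposing these as values would let hardened clusters enforce them without forking the template. The inner `{{- if .Values.tls.enabled }}` around `initContainers:` repeats the enclosing condition and can be dropped, and the `{{ else }}` / `{{ end -}}` pair in the `certs-secret` volume is the only place in the file without a leading `{{-`, which leaves stray whitespace in the rendered YAML.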
@@ -0,0 +1,65 @@
+kind: Pod
+apiVersion: v1
+metadata:
+ name: {{ template "cockroachdb.fullname" . }}-test
+ namespace: {{ .Release.Namespace | quote }}
+{{- if .Values.networkPolicy.enabled }}
+ labels:
+ {{ template "cockroachdb.fullname" . }}-client: "true"
+{{- end }}
+ annotations:
+ helm.sh/hook: test-success
+spec:
+ restartPolicy: Never
+{{- if .Values.image.credentials }}
+ imagePullSecrets:
+ - name: {{ template "cockroachdb.fullname" . }}.db.registry
+{{- end }}
+ {{- if or .Values.tls.certs.provided .Values.tls.certs.certManager }}
+ volumes:
+ - name: client-certs
+ {{- if or .Values.tls.certs.tlsSecret .Values.tls.certs.certManager }}
+ projected:
+ sources:
+ - secret:
+ name: {{ .Values.tls.certs.clientRootSecret }}
+ items:
+ - key: ca.crt
+ path: ca.crt
+ mode: 0400
+ - key: tls.crt
+ path: client.root.crt
+ mode: 0400
+ - key: tls.key
+ path: client.root.key
+ mode: 0400
+ {{- else }}
+ secret:
+ secretName: {{ .Values.tls.certs.clientRootSecret }}
+ defaultMode: 0400
+ {{- end }}
+ {{- end }}
+ containers:
+ - name: client-test
+ image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+ imagePullPolicy: {{ .Values.image.pullPolicy | quote }}
+ {{- if or .Values.tls.certs.provided .Values.tls.certs.certManager }}
+ volumeMounts:
+ - name: client-certs
+ mountPath: /cockroach-certs
+ {{- end }}
+ command:
+ - /cockroach/cockroach
+ - sql
+ {{- if or .Values.tls.certs.provided .Values.tls.certs.certManager }}
+ - --certs-dir
+ - /cockroach-certs
+ {{- else }}
+ - --insecure
+ {{- end}}
+ - --host
+ - {{ template "cockroachdb.fullname" . }}-public.{{ .Release.Namespace }}
+ - --port
+ - {{ .Values.service.ports.grpc.external.port | quote }}
+ - -e
+ - SHOW DATABASES;
diff --git a/charts/cockroach-labs/cockroachdb/8.1.8/values.schema.json b/charts/cockroach-labs/cockroachdb/8.1.8/values.schema.json
new file mode 100644
index 000000000..b23c47974
--- /dev/null
+++ b/charts/cockroach-labs/cockroachdb/8.1.8/values.schema.json
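Review bot: The three `{{- if or .Values.tls.certs.provided .Values.tls.certs.certManager }}` guards in this hunk (volumes, volumeMounts and the `--certs-dir`/`--insecure` switch) omit `.Values.tls.certs.selfSigner.enabled`, whereas statefulset.yaml in this commit mounts certificates for that case too, so with the self-signer in use the test pod runs `--insecure` against a TLS-only cluster and `helm test` would fail. Extend each guard to `{{- if or .Values.tls.certs.provided .Values.tls.certs.certManager .Values.tls.certs.selfSigner.enabled }}` and, in the self-signer branch, point the volume at the client secret the self-signer creates rather than `clientRootSecret` (that secret's name is defined in templates outside this hunk, so I cannot quote it). Like the StatefulSet, this pod sets no `securityContext`.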
@@ -0,0 +1,97 @@ +{ + "$schema": "http://json-schema.org/draft-07/schema#", + "properties": { + "tls": { + "type": "object", + "properties": { + "certs": { + "type": "object", + "properties": { + "selfSigner": { + "type": "object", + "required": ["enabled", "caProvided"], + "properties": { + "enabled": { + "type": "boolean" + }, + "caProvided": { + "type": "boolean" + } + }, + "if": { + "properties": { + "enabled": { + "const": true + } + } + }, + "then": { + "if": { + "properties": { + "caProvided": { + "const": false + } + } + }, + "then": { + "properties": { + "caCertDuration" : { + "type": "string", + "pattern": "^[0-9]*h$" + }, + "caCertExpiryWindow": { + "type": "string", + "pattern": "^[0-9]*h$" + } + } + }, + "properties": { + "clientCertDuration": { + "type": "string", + "pattern": "^[0-9]*h$" + }, + "clientCertExpiryWindow": { + "type": "string", + "pattern": "^[0-9]*h$" + }, + "nodeCertDuration": { + "type": "string", + "pattern": "^[0-9]*h$" + }, + "nodeCertExpiryWindow": { + "type": "string", + "pattern": "^[0-9]*h$" + }, + "rotateCerts": { + "type": "boolean" + } + } + } + } + } + }, + "selfSigner": { + "type": "object", + "properties": { + "image": { + "type": "object", + "required": ["repository", "tag", "pullPolicy"], + "properties": { + "repository": { + "type": "string" + }, + "tag": { + "type": "string" + }, + "pullPolicy": { + "type": "string", + "pattern": "^(Always|Never|IfNotPresent)$" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/charts/cockroach-labs/cockroachdb/8.1.8/values.yaml b/charts/cockroach-labs/cockroachdb/8.1.8/values.yaml new file mode 100644 index 000000000..898ecb07c --- /dev/null +++ b/charts/cockroach-labs/cockroachdb/8.1.8/values.yaml 
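Review bot: Every duration `pattern` in the hunk is `"^[0-9]*h$"`, which accepts the bare string `h` (zero digits) and so lets a value through that the self-signer cannot parse as a duration; `"pattern": "^[0-9]+h$"` requires at least one digit. The schema only covers `tls.certs.selfSigner` and `tls.selfSigner.image`, so `tls.copyCerts.image`, which values.yaml in this commit sets to an untagged `busybox`, gets no shape check; a `pattern` requiring a `:tag` or `@sha256:` suffix there would catch the floating-tag case at install time. The hunk also ends without a trailing newline, which most JSON linters flag.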
@@ -0,0 +1,540 @@ +# Generated file, DO NOT EDIT. Source: build/templates/values.yaml +image: + repository: cockroachdb/cockroach + tag: v22.1.9 + pullPolicy: IfNotPresent + credentials: {} + # registry: docker.io + # username: john_doe + # password: changeme + + +# Additional labels to apply to all Kubernetes resources created by this chart. +labels: {} + # app.kubernetes.io/part-of: my-app + + +# Cluster's default DNS domain. +# You should overwrite it if you're using a different one, +# otherwise CockroachDB nodes discovery won't work. +clusterDomain: cluster.local + + +conf: + # An ordered list of CockroachDB node attributes. + # Attributes are arbitrary strings specifying machine capabilities. + # Machine capabilities might include specialized hardware or number of cores + # (e.g. "gpu", "x16c"). + attrs: [] + # - x16c + # - gpu + + # Total size in bytes for caches, shared evenly if there are multiple + # storage devices. Size suffixes are supported (e.g. `1GB` and `1GiB`). + # A percentage of physical memory can also be specified (e.g. `.25`). + cache: 25% + + # Sets a name to verify the identity of a cluster. + # The value must match between all nodes specified via `conf.join`. + # This can be used as an additional verification when either the node or + # cluster, or both, have not yet been initialized and do not yet know their + # cluster ID. + # To introduce a cluster name into an already-initialized cluster, pair this + # option with `conf.disable-cluster-name-verification: yes`. + cluster-name: "" + + # Tell the server to ignore `conf.cluster-name` mismatches. + # This is meant for use when opting an existing cluster into starting to use + # cluster name verification, or when changing the cluster name. 
+ # The cluster should be restarted once with `conf.cluster-name` and + # `conf.disable-cluster-name-verification: yes` combined, and once all nodes + # have been updated to know the new cluster name, the cluster can be restarted + # again with `conf.disable-cluster-name-verification: no`. + # This option has no effect if `conf.cluster-name` is not specified. + disable-cluster-name-verification: false + + # The addresses for connecting a CockroachDB nodes to an existing cluster. + # If you are deploying a second CockroachDB instance that should join a first + # one, use the below list to join to the existing instance. + # Each item in the array should be a FQDN (and port if needed) resolvable by + # new Pods. + join: [] + + # New logging configuration. + log: + enabled: false + # https://www.cockroachlabs.com/docs/v21.1/configure-logs + config: {} + # file-defaults: + # dir: /custom/dir/path/ + # fluent-defaults: + # format: json-fluent + # sinks: + # stderr: + # channels: [DEV] + + # Logs at or above this threshold to STDERR. Ignored when "log" is enabled + logtostderr: INFO + + # Maximum storage capacity available to store temporary disk-based data for + # SQL queries that exceed the memory budget (e.g. join, sorts, etc are + # sometimes able to spill intermediate results to disk). + # Accepts numbers interpreted as bytes, size suffixes (e.g. `32GB` and + # `32GiB`) or a percentage of disk size (e.g. `10%`). + # The location of the temporary files is within the first store dir. + # If expressed as a percentage, `max-disk-temp-storage` is interpreted + # relative to the size of the storage device on which the first store is + # placed. The temp space usage is never counted towards any store usage + # (although it does share the device with the first store) so, when + # configuring this, make sure that the size of this temp storage plus the size + # of the first store don't exceed the capacity of the storage device. + # If the first store is an in-memory one (i.e. 
`type=mem`), then this + # temporary "disk" data is also kept in-memory. + # A percentage value is interpreted as a percentage of the available internal + # memory. + # max-disk-temp-storage: 0GB + + # Maximum allowed clock offset for the cluster. If observed clock offsets + # exceed this limit, servers will crash to minimize the likelihood of + # reading inconsistent data. Increasing this value will increase the time + # to recovery of failures as well as the frequency of uncertainty-based + # read restarts. + # Note, that this value must be the same on all nodes in the cluster. + # In order to change it, all nodes in the cluster must be stopped + # simultaneously and restarted with the new value. + # max-offset: 500ms + + # Maximum memory capacity available to store temporary data for SQL clients, + # including prepared queries and intermediate data rows during query + # execution. Accepts numbers interpreted as bytes, size suffixes + # (e.g. `1GB` and `1GiB`) or a percentage of physical memory (e.g. `.25`). + max-sql-memory: 25% + + # An ordered, comma-separated list of key-value pairs that describe the + # topography of the machine. Topography might include country, datacenter + # or rack designations. Data is automatically replicated to maximize + # diversities of each tier. The order of tiers is used to determine + # the priority of the diversity, so the more inclusive localities like + # country should come before less inclusive localities like datacenter. + # The tiers and order must be the same on all nodes. Including more tiers + # is better than including fewer. For example: + # locality: country=us,region=us-west,datacenter=us-west-1b,rack=12 + # locality: country=ca,region=ca-east,datacenter=ca-east-2,rack=4 + # locality: planet=earth,province=manitoba,colo=secondary,power=3 + locality: "" + + # Run CockroachDB instances in standalone mode with replication disabled + # (replication factor = 1). 
+ # Enabling this option makes the following values to be ignored: + # - `conf.cluster-name` + # - `conf.disable-cluster-name-verification` + # - `conf.join` + # + # WARNING: Enabling this option makes each deployed Pod as a STANDALONE + # CockroachDB instance, so the StatefulSet does NOT FORM A CLUSTER. + # Don't use this option for production deployments unless you clearly + # understand what you're doing. + # Usually, this option is intended to be used in conjunction with + # `statefulset.replicas: 1` for temporary one-time deployments (like + # running E2E tests, for example). + single-node: false + + # If non-empty, create a SQL audit log in the specified directory. + sql-audit-dir: "" + + # CockroachDB's port to listen to inter-communications and client connections. + port: 26257 + + # CockroachDB's port to listen to HTTP requests. + http-port: 8080 + + # CockroachDB's data mount path. + path: cockroach-data + + # CockroachDB's storage configuration https://www.cockroachlabs.com/docs/v21.1/cockroach-start.html#storage + # Uses --store flag + store: + enabled: false + # Should be empty or 'mem' + type: + # Required for type=mem. If type and size is empty - storage.persistentVolume.size is used + size: + # Arbitrary strings, separated by colons, specifying disk type or capability + attrs: + +statefulset: + replicas: 3 + updateStrategy: + type: RollingUpdate + podManagementPolicy: Parallel + budget: + maxUnavailable: 1 + + # List of additional command-line arguments you want to pass to the + # `cockroach start` command. + args: [] + # - --disable-cluster-name-verification + + # List of extra environment variables to pass into container + env: [] + # - name: COCKROACH_ENGINE_MAX_SYNC_DURATION + # value: "24h" + + # List of Secrets names in the same Namespace as the CockroachDB cluster, + # which shall be mounted into `/etc/cockroach/secrets/` for every cluster + # member. + secretMounts: [] + + # Additional labels to apply to this StatefulSet and all its Pods. 
+ labels: + app.kubernetes.io/component: cockroachdb + + # Additional annotations to apply to the Pods of this StatefulSet. + annotations: {} + + # Affinity rules for scheduling Pods of this StatefulSet on Nodes. + # https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#node-affinity + nodeAffinity: {} + # Inter-Pod Affinity rules for scheduling Pods of this StatefulSet. + # https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#inter-pod-affinity-and-anti-affinity + podAffinity: {} + # Anti-affinity rules for scheduling Pods of this StatefulSet. + # https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#inter-pod-affinity-and-anti-affinity + # You may either toggle options below for default anti-affinity rules, + # or specify the whole set of anti-affinity rules instead of them. + podAntiAffinity: + # The topologyKey to be used. + # Can be used to spread across different nodes, AZs, regions etc. + topologyKey: kubernetes.io/hostname + # Type of anti-affinity rules: either `soft`, `hard` or empty value (which + # disables anti-affinity rules). + type: soft + # Weight for `soft` anti-affinity rules. + # Does not apply for other anti-affinity types. + weight: 100 + + # Node selection constraints for scheduling Pods of this StatefulSet. + # https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector + nodeSelector: {} + + # PriorityClassName given to Pods of this StatefulSet + # https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass + priorityClassName: "" + + # Taints to be tolerated by Pods of this StatefulSet. 
+ # https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + tolerations: [] + + # https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ + topologySpreadConstraints: + maxSkew: 1 + topologyKey: topology.kubernetes.io/zone + whenUnsatisfiable: ScheduleAnyway + + # Uncomment the following resources definitions or pass them from + # command line to control the CPU and memory resources allocated + # by Pods of this StatefulSet. + resources: {} + # limits: + # cpu: 100m + # memory: 512Mi + # requests: + # cpu: 100m + # memory: 512Mi + + # Custom Liveness probe + # https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#define-a-liveness-http-request + customLivenessProbe: {} + # httpGet: + # path: /health + # port: http + # scheme: HTTPS + # initialDelaySeconds: 30 + # periodSeconds: 5 + + # Custom Rediness probe + # https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#define-readiness-probes + customReadinessProbe: {} + # httpGet: + # path: /health + # port: http + # scheme: HTTPS + # initialDelaySeconds: 30 + # periodSeconds: 5 + +service: + ports: + # You can set a different external and internal gRPC ports and their name. + grpc: + external: + port: 26257 + name: grpc + # If the port number is different than `external.port`, then it will be + # named as `internal.name` in Service. + internal: + port: 26257 + # If using Istio set it to `cockroach`. + name: grpc-internal + http: + port: 8080 + name: http + + # This Service is meant to be used by clients of the database. + # It exposes a ClusterIP that will automatically load balance connections + # to the different database Pods. + public: + type: ClusterIP + # Additional labels to apply to this Service. + labels: + app.kubernetes.io/component: cockroachdb + # Additional annotations to apply to this Service. 
+ annotations: {} + + # This service only exists to create DNS entries for each pod in + # the StatefulSet such that they can resolve each other's IP addresses. + # It does not create a load-balanced ClusterIP and should not be used directly + # by clients in most circumstances. + discovery: + # Additional labels to apply to this Service. + labels: + app.kubernetes.io/component: cockroachdb + # Additional annotations to apply to this Service. + annotations: {} + +# CockroachDB's ingress for web ui. +ingress: + enabled: false + labels: {} + annotations: {} + # kubernetes.io/ingress.class: nginx + # cert-manager.io/cluster-issuer: letsencrypt + paths: [/] + hosts: [] + # - cockroachlabs.com + tls: [] + # - hosts: [cockroachlabs.com] + # secretName: cockroachlabs-tls + +prometheus: + enabled: true + +# CockroachDB's Prometheus operator ServiceMonitor support +serviceMonitor: + enabled: false + labels: {} + annotations: {} + interval: 10s + # scrapeTimeout: 10s + # Limits the ServiceMonitor to the current namespace if set to `true`. + namespaced: false + +# CockroachDB's data persistence. +# If neither `persistentVolume` nor `hostPath` is used, then data will be +# persisted in ad-hoc `emptyDir`. +storage: + # Absolute path on host to store CockroachDB's data. + # If not specified, then `emptyDir` will be used instead. + # If specified, but `persistentVolume.enabled` is `true`, then has no effect. + hostPath: "" + + # If `enabled` is `true` then a PersistentVolumeClaim will be created and + # used to store CockroachDB's data, otherwise `hostPath` is used. + persistentVolume: + enabled: true + + size: 100Gi + + # If defined, then `storageClassName: `. + # If set to "-", then `storageClassName: ""`, which disables dynamic + # provisioning. + # If undefined or empty (default), then no `storageClassName` spec is set, + # so the default provisioner will be chosen (gp2 on AWS, standard on + # GKE, AWS & OpenStack). 
+ storageClass: ""
+
+ # Additional labels to apply to the created PersistentVolumeClaims.
+ labels: {}
+ # Additional annotations to apply to the created PersistentVolumeClaims.
+ annotations: {}
+
+
+# Kubernetes Job which initializes multi-node CockroachDB cluster.
+# It's not created if `statefulset.replicas` is `1`.
+init:
+ # Additional labels to apply to this Job and its Pod.
+ labels:
+ app.kubernetes.io/component: init
+
+ # Additional annotations to apply to this Job.
+ jobAnnotations: {}
+
+ # Additional annotations to apply to the Pod of this Job.
+ annotations: {}
+
+ # Affinity rules for scheduling the Pod of this Job.
+ # https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#node-affinity
+ affinity: {}
+
+ # Node selection constraints for scheduling the Pod of this Job.
+ # https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector
+ nodeSelector: {}
+
+ # Taints to be tolerated by the Pod of this Job.
+ # https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
+ tolerations: []
+
+ # The init Pod runs at cluster creation to initialize CockroachDB. It finishes
+ # quickly and doesn't continue to consume resources in the Kubernetes
+ # cluster. Normally, you should leave this section commented out, but if your
+ # Kubernetes cluster uses Resource Quotas and requires all pods to specify
+ # resource requests or limits, you can set those here.
+ resources: {}
+ # requests:
+ # cpu: "10m"
+ # memory: "128Mi"
+ # limits:
+ # cpu: "10m"
+ # memory: "128Mi"
+
+ provisioning:
+ enabled: false
+ # https://www.cockroachlabs.com/docs/stable/cluster-settings.html
+ clusterSettings:
+ # cluster.organization: "'FooCorp - Local Testing'"
+ # enterprise.license: "'xxxxx'"
+ users: []
+ # - name:
+ # password:
+ # # https://www.cockroachlabs.com/docs/stable/create-user.html#parameters
+ # options: [LOGIN]
+ databases: []
+ # - name:
+ # # https://www.cockroachlabs.com/docs/stable/create-database.html#parameters
+ # options: [encoding='utf-8']
+ # owners: []
+ # # Backup schedules are not idemponent for now and will fail on next run
+ # # https://github.com/cockroachdb/cockroach/issues/57892
+ # backup:
+ # into: s3://
+ # # Enterprise-only option (revision_history)
+ # # https://www.cockroachlabs.com/docs/stable/create-schedule-for-backup.html#backup-options
+ # options: [revision_history]
+ # recurring: '@always'
+ # # Enterprise-only feature. Remove this value to use `FULL BACKUP ALWAYS`
+ # fullBackup: '@daily'
+ # schedule:
+ # # https://www.cockroachlabs.com/docs/stable/create-schedule-for-backup.html#schedule-options
+ # options: [first_run = 'now']
+
+
+# Whether to run securely using TLS certificates.
+tls:
+ enabled: true
+ serviceAccount:
+ # Specifies whether this ServiceAccount should be created.
+ create: true
+ # The name of this ServiceAccount to use.
+ # If not set and `create` is `true`, then a name is auto-generated.
+ name: ""
+ copyCerts:
+ image: busybox
+ certs:
+ # Bring your own certs scenario. If provided, tls.init section will be ignored.
+ provided: false
+ # Secret name for the client root cert.
+ clientRootSecret: cockroachdb-root
+ # Secret name for node cert.
+ nodeSecret: cockroachdb-node
+ # Enable if the secret is a dedicated TLS.
+ # TLS secrets are created by cert-mananger, for example.
+ tlsSecret: false
+ # Enable if the you want cockroach db to create its own certificates
+ selfSigner:
+ # If set, the cockroach db will generate its own certificates
+ enabled: true
+ # If set, the user should provide the CA certificate to sign other certificates.
+ caProvided: false
+ # It holds the name of the secret with caCerts. If caProvided is set, this can not be empty.
+ caSecret: ""
+ # Minimum Certificate duration for all the certificates, all certs duration will be validated against this.
+ minimumCertDuration: 624h
+ # Duration of CA certificates in hour
+ caCertDuration: 43800h
+ # Expiry window of CA certificates means a window before actual expiry in which CA certs should be rotated.
+ caCertExpiryWindow: 648h
+ # Duration of Client certificates in hour
+ clientCertDuration: 672h
+ # Expiry window of client certificates means a window before actual expiry in which client certs should be rotated.
+ clientCertExpiryWindow: 48h
+ # Duration of node certificates in hour
+ nodeCertDuration: 8760h
+ # Expiry window of node certificates means a window before actual expiry in which node certs should be rotated.
+ nodeCertExpiryWindow: 168h
+ # If set, the cockroachdb cert selfSigner will rotate the certificates before expiry.
+ rotateCerts: true
+ # Wait time for each cockroachdb replica to become ready once it comes in running state. Only considered when rotateCerts is set to true
+ readinessWait: 30s
+ # Wait time for each cockroachdb replica to get to running state. Only considered when rotateCerts is set to true
+ podUpdateTimeout: 2m
+
+ # Use cert-manager to issue certificates for mTLS.
+ certManager: false
+ # Specify an Issuer or a ClusterIssuer to use, when issuing
+ # node and client certificates. The values correspond to the
+ # issuerRef specified in the certificate.
+ certManagerIssuer:
+ group: cert-manager.io
+ kind: Issuer
+ name: cockroachdb
+ # Duration of Client certificates in hours
+ clientCertDuration: 672h
+ # Expiry window of client certificates means a window before actual expiry in which client certs should be rotated.
+ clientCertExpiryWindow: 48h
+ # Duration of node certificates in hours
+ nodeCertDuration: 8760h
+ # Expiry window of node certificates means a window before actual expiry in which node certs should be rotated.
+ nodeCertExpiryWindow: 168h
+ # Enable if you run cert-manager >=1.0 on K8s <=1.15 with legacy CRDs
+ # Legacy CRDs only support cert-manager.io/v1 API Versions
+ useCertManagerV1CRDs: false
+
+ selfSigner:
+ # Image Placeholder for the selfSigner utility. This will be changed once the CI workflows for the image is in place.
+ image:
+ repository: cockroachlabs-helm-charts/cockroach-self-signer-cert
+ tag: "1.3"
+ pullPolicy: IfNotPresent
+ credentials: {}
+ registry: gcr.io
+ # username: john_doe
+ # password: changeme
+
+networkPolicy:
+ enabled: false
+
+ ingress:
+ # List of sources which should be able to access the CockroachDB Pods via
+ # gRPC port. Items in this list are combined using a logical OR operation.
+ # Rules for allowing inter-communication are applied automatically.
+ # If empty, then connections from any Pod is allowed.
+ grpc: []
+ # - podSelector:
+ # matchLabels:
+ # app.kubernetes.io/name: my-app-django
+ # app.kubernetes.io/instance: my-app
+
+ # List of sources which should be able to access the CockroachDB Pods via
+ # HTTP port. Items in this list are combined using a logical OR operation.
+ # If empty, then connections from any Pod is allowed.
+ http: []
+ # - namespaceSelector:
+ # matchLabels:
+ # project: my-project
+
+# To put the admin interface behind Identity Aware Proxy (IAP) on Google Cloud Platform
+# make sure to set ingress.paths: ['/*']
+iap:
+ enabled: false
+ # Create Google Cloud OAuth credentials and set client id and secret
+ # clientId:
+ # clientSecret:
diff --git a/index.yaml b/index.yaml
index 6d848808d..87eca962f 100644
--- a/index.yaml
+++ b/index.yaml
@@ -1025,6 +1025,27 @@ entries:
 - assets/cloudcasa/cloudcasa-0.1.000.tgz
 version: 0.1.000
 cockroachdb:
+ - annotations:
+ catalog.cattle.io/certified: partner
+ catalog.cattle.io/display-name: CockroachDB
+ catalog.cattle.io/kube-version: '>=1.8-0'
+ catalog.cattle.io/release-name: cockroachdb
+ apiVersion: v1
+ appVersion: 22.1.9
+ created: "2022-10-26T03:59:56.782996-04:00"
+ description: CockroachDB is a scalable, survivable, strongly-consistent SQL database.
+ digest: ddde930a55353e02e463e8c706e01c26b369ee5ed8c442f6e52d04f7dd77fb76
+ home: https://www.cockroachlabs.com
+ icon: https://raw.githubusercontent.com/cockroachdb/cockroach/master/docs/media/cockroach_db.png
+ maintainers:
+ - email: helm-charts@cockroachlabs.com
+ name: cockroachlabs
+ name: cockroachdb
+ sources:
+ - https://github.com/cockroachdb/cockroach
+ urls:
+ - assets/cockroach-labs/cockroachdb-8.1.8.tgz
+ version: 8.1.8
 - annotations:
 catalog.cattle.io/certified: partner
 catalog.cattle.io/release-name: cockroachdb
@@ -1042,7 +1063,7 @@ entries:
 sources:
 - https://github.com/cockroachdb/cockroach
 urls:
- - assets/cockroachdb/cockroachdb-4.1.200.tgz
+ - assets/cockroach-labs/cockroachdb-4.1.200.tgz
 version: 4.1.200
 community-operator:
 - annotations:
diff --git a/packages/cockroach-labs/cockroachdb/overlay/app-readme.md b/packages/cockroach-labs/cockroachdb/overlay/app-readme.md
new file mode 100644
index 000000000..8fcc1fd6f
--- /dev/null
+++ b/packages/cockroach-labs/cockroachdb/overlay/app-readme.md
@@ -0,0 +1,9 @@
+# CockroachDB Chart
+
+CockroachDB is a Distributed SQL database that runs natively in Kubernetes. It gives you resilient, horizontal scale across multiple clouds with always-on availability and data partitioned by location.
+
+CockroachDB scales horizontally without reconfiguration or need for a massive architectural overhaul. Simply add a new node to the cluster and CockroachDB takes care of the underlying complexity.
+
+ - Scale by simply adding new nodes to a CockroachDB cluster
+ - Automate balancing and distribution of ranges, not shards
+ - Optimize server utilization evenly across all nodes
diff --git a/packages/cockroach-labs/cockroachdb/upstream.yaml b/packages/cockroach-labs/cockroachdb/upstream.yaml
new file mode 100644
index 000000000..525fc908f
--- /dev/null
+++ b/packages/cockroach-labs/cockroachdb/upstream.yaml
@@ -0,0 +1,6 @@
+HelmRepo: https://charts.cockroachdb.com
+HelmChart: cockroachdb
+Vendor: Cockroach Labs
+DisplayName: CockroachDB
+ChartMetadata:
+ kubeVersion: '>=1.8-0'
diff --git a/packages/cockroachdb/generated-changes/overlay/questions.yml b/packages/cockroachdb/generated-changes/overlay/questions.yml
deleted file mode 100644
index 729c1fd58..000000000
--- a/packages/cockroachdb/generated-changes/overlay/questions.yml
+++ /dev/null
@@ -1,8 +0,0 @@
-questions:
-- default: 100Gi
- variable: Storage
- description: "Size of volume for each CockroachDB Node/Pod"
- group: Config
- label: "Storage per Node/Pod"
- required: true
- type: string
diff --git a/packages/cockroachdb/generated-changes/patch/Chart.yaml.patch b/packages/cockroachdb/generated-changes/patch/Chart.yaml.patch
deleted file mode 100644
index 600121eae..000000000
--- a/packages/cockroachdb/generated-changes/patch/Chart.yaml.patch
+++ /dev/null
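Review bot: The new upstream.yaml identifies the chart by repository and name only (`HelmChart: cockroachdb`, no version), whereas the package.yaml this commit deletes pinned an exact artifact (`cockroachdb-4.1.2.tgz`). If the packaging tooling resolves an unversioned entry to whatever the repository currently publishes as latest, a later re-run of the build fetches a different chart than the 8.1.8 whose digest is recorded in index.yaml, so the build is not reproducible from this file alone. Pinning the upstream chart version in upstream.yaml (via the tooling's version field, if it supports one) keeps every chart bump an explicit, reviewable commit that lands together with the regenerated asset and index digest.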
@@ -1,9 +0,0 @@
---- charts-original/Chart.yaml
-+++ charts/Chart.yaml
-@@ -10,3 +10,6 @@
- sources:
- - https://github.com/cockroachdb/cockroach
- version: 4.1.2
-+annotations:
-+ catalog.cattle.io/certified: partner
-+ catalog.cattle.io/release-name: cockroachdb
diff --git a/packages/cockroachdb/package.yaml b/packages/cockroachdb/package.yaml
deleted file mode 100644
index e8734ef5e..000000000
--- a/packages/cockroachdb/package.yaml
+++ /dev/null
@@ -1,2 +0,0 @@
-url: https://charts.cockroachdb.com/cockroachdb-4.1.2.tgz
-packageVersion: 00