On this page
Tip:
The CockroachDB operator is a fully-featured Kubernetes operator that is designed for ease of deployment and scaling of multi-region clusters. To learn more, read the CockroachDB operator documentation.
New deployments of CockroachDB on Kubernetes are recommended to use the CockroachDB operator. To migrate an existing deployment to use the CockroachDB operator, read the Helm and Public operator migration guides.
This page shows you how to start and stop a secure 3-node CockroachDB cluster in a single Kubernetes cluster using the following approaches:
Manual StatefulSet configuration
Helm package manager for Kubernetes
Tip:
To try CockroachDB Cloud instead of running CockroachDB yourself, refer to the Cloud Quickstart.
Best practices Kubernetes versionTo deploy CockroachDB v25.3, Kubernetes 1.18 or higher is required. Cockroach Labs strongly recommends that you use a Kubernetes version that is eligible for patch support by the Kubernetes project.
Public operatorThe Public operator deploys clusters in a single region. For multi-region deployments using manual configs, Cockroach Labs recommends using the CockroachDB operator which is designed to support multi-region deployments. For guidance on how to force multi-region support with the Public operator, see Orchestrate CockroachDB Across Multiple Kubernetes Clusters.
Using the Public operator, you can give a new cluster an arbitrary number of labels. However, a cluster's labels cannot be modified after it is deployed. To track the status of this limitation, refer to #993 in the Public operator project's issue tracker.
The CockroachDB Helm chart requires Helm 3.0 or higher. If you attempt to use an incompatible Helm version, an error like the following occurs:
Error: UPGRADE FAILED: template: cockroachdb/templates/tests/client.yaml:6:14: executing "cockroachdb/templates/tests/client.yaml" at <.Values.networkPolicy.enabled>: nil pointer evaluating interface {}.enabled
The public Helm chart is currently not under active development, and no new features are planned. However, Cockroach Labs remains committed to fully supporting the Helm chart by addressing defects, providing security patches, and addressing breaking changes due to deprecations in Kubernetes APIs.
A deprecation notice for the public Helm chart will be provided to customers a minimum of 6 months in advance of actual deprecation.
NetworkService Name Indication (SNI) is an extension to the TLS protocol which allows a client to indicate which hostname it is attempting to connect to at the start of the TCP handshake process. The server can present multiple certificates on the same IP address and TCP port number, and one server can serve multiple secure websites or API services even if they use different certificates.
Due to its order of operations, the PostgreSQL wire protocol's implementation of TLS is not compatible with SNI-based routing in the Kubernetes ingress controller. Instead, use a TCP load balancer for CockroachDB that is not shared with other services.
ResourcesWhen starting Kubernetes, select machines with at least 4 vCPUs and 16 GiB of memory, and provision at least 2 vCPUs and 8 Gi of memory to CockroachDB per pod. These minimum settings are used by default in this deployment guide, and are appropriate for testing purposes only. On a production deployment, you should adjust the resource settings for your workload. For details, see Resource management.
StorageKubernetes deployments use external persistent volumes that are often replicated by the provider. CockroachDB replicates data automatically, and this redundant layer of replication can impact performance. Using local volumes may improve performance.
Step 1. Start KubernetesYou can use the hosted Google Kubernetes Engine (GKE) service or the hosted Amazon Elastic Kubernetes Service (EKS) to quickly start Kubernetes.
Hosted GKEComplete the Before You Begin steps described in the Google Kubernetes Engine Quickstart documentation.
This includes installing gcloud, which is used to create and delete Kubernetes Engine clusters, and kubectl, which is the command-line tool used to manage Kubernetes from your workstation.
Tip:
The documentation offers the choice of using Google's Cloud Shell product or using a local shell on your machine. Choose to use a local shell if you want to be able to view the DB Console using the steps in this guide.
From your local workstation, start the Kubernetes cluster, specifying one of the available regions (e.g., us-east1):
Tip:
Since this region can differ from your default gcloud region, be sure to include the --region flag to run gcloud commands against this cluster.
icon/buttons/copy
$ gcloud container clusters create cockroachdb --machine-type n2-standard-4 --region {region-name} --num-nodes 1
Creating cluster cockroachdb...done.
This creates GKE instances and joins them into a single Kubernetes cluster named cockroachdb. The --region flag specifies a regional three-zone cluster, and --num-nodes specifies one Kubernetes worker node in each zone.
The --machine-type flag tells the node pool to use the n2-standard-4 machine type (4 vCPUs, 16 GB memory), which meets our recommended CPU and memory configuration.
The process can take a few minutes, so do not move on to the next step until you see a Creating cluster cockroachdb...done message and details about your cluster.
Get the email address associated with your Google Cloud account:
icon/buttons/copy
$ gcloud info | grep Account
Account: [your.google.cloud.email@example.org]
Warning:
This command returns your email address in all lowercase. However, in the next step, you must enter the address using the accurate capitalization. For example, if your address is YourName@example.com, you must use YourName@example.com and not yourname@example.com.
Create the RBAC roles CockroachDB needs for running on GKE, using the address from the previous step:
icon/buttons/copy
$ kubectl create clusterrolebinding $USER-cluster-admin-binding \
--clusterrole=cluster-admin \
--user={your.google.cloud.email@example.org}
clusterrolebinding.rbac.authorization.k8s.io/your.username-cluster-admin-binding created
Complete the steps described in the EKS Getting Started documentation.
This includes installing and configuring the AWS CLI and eksctl, which is the command-line tool used to create and delete Kubernetes clusters on EKS, and kubectl, which is the command-line tool used to manage Kubernetes from your workstation.
Note:
If you are running EKS-Anywhere, CockroachDB requires that you configure your default storage class to auto-provision persistent volumes. Alternatively, you can define a custom storage configuration as required by your install pattern.
From your local workstation, start the Kubernetes cluster:
icon/buttons/copy
$ eksctl create cluster \
--name cockroachdb \
--nodegroup-name standard-workers \
--node-type m5.xlarge \
--nodes 3 \
--nodes-min 1 \
--nodes-max 4 \
--node-ami auto
This creates EKS instances and joins them into a single Kubernetes cluster named cockroachdb. The --node-type flag tells the node pool to use the m5.xlarge instance type (4 vCPUs, 16 GB memory), which meets our recommended CPU and memory configuration.
Cluster provisioning usually takes between 10 and 15 minutes. Do not move on to the next step until you see a message like [✔] EKS cluster "cockroachdb" in "us-east-1" region is ready and details about your cluster.
Open the AWS CloudFormation console to verify that the stacks eksctl-cockroachdb-cluster and eksctl-cockroachdb-nodegroup-standard-workers were successfully created. Be sure that your region is selected in the console.
Choose how you want to deploy and maintain the CockroachDB cluster.
Note:
The Public Kubernetes operator eases CockroachDB cluster creation and management on a single Kubernetes cluster.
The Public operator does not provision or apply a license key. To use CockroachDB with the Public operator, set a license in the SQL shell.
Install the OperatorApply the custom resource definition (CRD) for the Public operator:
icon/buttons/copy
$ kubectl apply -f https://raw.githubusercontent.com/cockroachdb/cockroach-operator/v2.18.2/install/crds.yaml
customresourcedefinition.apiextensions.k8s.io/crdbclusters.crdb.cockroachlabs.com created
By default, the Public operator is configured to install in the cockroach-operator-system namespace and to manage CockroachDB instances for all namespaces on the cluster.
icon/buttons/copy
kubectl apply -f https://raw.githubusercontent.com/cockroachdb/cockroach-operator/v2.18.2/install/operator.yaml
clusterrole.rbac.authorization.k8s.io/cockroach-database-role created
serviceaccount/cockroach-database-sa created
clusterrolebinding.rbac.authorization.k8s.io/cockroach-database-rolebinding created
role.rbac.authorization.k8s.io/cockroach-operator-role created
clusterrolebinding.rbac.authorization.k8s.io/cockroach-operator-rolebinding created
clusterrole.rbac.authorization.k8s.io/cockroach-operator-role created
serviceaccount/cockroach-operator-sa created
rolebinding.rbac.authorization.k8s.io/cockroach-operator-default created
deployment.apps/cockroach-operator created
icon/buttons/copy
curl -O https://raw.githubusercontent.com/cockroachdb/cockroach-operator/v2.18.2/install/operator.yaml
namespace: cockroach-operator-system with your desired namespace.WATCH_NAMESPACE environment variable in the Deployment pod spec. This can be set to a single namespace or a comma-delimited set of namespaces. When set, only those CrdbCluster resources in the supplied namespace(s) will be reconciled.icon/buttons/copy
kubectl apply -f operator.yaml
Set your current namespace to the one used by the Public operator. For example, to use the Public operator's default namespace:
icon/buttons/copy
$ kubectl config set-context --current --namespace=cockroach-operator-system
Validate that the operator is running:
icon/buttons/copy
NAME READY STATUS RESTARTS AGE
cockroach-operator-6f7b86ffc4-9ppkv 1/1 Running 0 54s
Note:
After a cluster managed by the Kubernetes operator is initialized, its Kubernetes labels cannot be modified. For more details, refer to Best practices.
Download example.yaml, a custom resource that tells the operator how to configure the Kubernetes cluster.
icon/buttons/copy
$ curl -O https://raw.githubusercontent.com/cockroachdb/cockroach-operator/v2.18.2/examples/example.yaml
By default, this custom resource specifies CPU and memory resources that are appropriate for the virtual machines used in this deployment example. On a production cluster, you should substitute values that are appropriate for your machines and workload. For details on configuring your deployment, see Configure the Cluster.
Note:
By default, the operator will generate and sign 1 client and 1 node certificate to secure the cluster. This means that if you do not provide a CA, a cockroach-generated CA is used. If you want to authenticate using your own CA, specify the generated secrets in the custom resource before proceeding to the next step.
Apply example.yaml:
icon/buttons/copy
$ kubectl apply -f example.yaml
The operator will create a StatefulSet and initialize the nodes as a cluster.
crdbcluster.crdb.cockroachlabs.com/cockroachdb created
Check that the pods were created:
icon/buttons/copy
NAME READY STATUS RESTARTS AGE
cockroach-operator-6f7b86ffc4-9t9zb 1/1 Running 0 3m22s
cockroachdb-0 1/1 Running 0 2m31s
cockroachdb-1 1/1 Running 0 102s
cockroachdb-2 1/1 Running 0 46s
Each pod should have READY status soon after being created.
Download and modify our StatefulSet configuration:
icon/buttons/copy
$ curl -O https://raw.githubusercontent.com/cockroachdb/cockroach/master/cloud/kubernetes/bring-your-own-certs/cockroachdb-statefulset.yaml
Update secretName with the name of the corresponding node secret.
The secret names depend on your method for generating secrets. For example, if you follow the below steps using cockroach cert, use this secret name:
icon/buttons/copy
secret:
secretName: cockroachdb.node
The StatefulSet configuration deploys CockroachDB into the default namespace. To use a different namespace, search for kind: RoleBinding and change its subjects.namespace property to the name of the namespace. Otherwise, a failed to read secrets error occurs when you attempt to follow the steps in Initialize the cluster.
Note:
By default, this manifest specifies CPU and memory resources that are appropriate for the virtual machines used in this deployment example. On a production cluster, you should substitute values that are appropriate for your machines and workload. For details on configuring your deployment, see Configure the Cluster.
Create certificatesTip:
The StatefulSet configuration sets all CockroachDB nodes to log to stderr, so if you ever need access to a pod/node's logs to troubleshoot, use kubectl logs <podname> rather than checking the log on the persistent volume.
Note:
The below steps use cockroach cert commands to quickly generate and sign the CockroachDB node and client certificates. Read our Authentication docs to learn about other methods of signing certificates.
Create two directories:
icon/buttons/copy
$ mkdir certs my-safe-directory
certs You'll generate your CA certificate and all node and client certificates and keys in this directory. my-safe-directory You'll generate your CA key in this directory and then reference the key when generating node and client certificates.Create the CA certificate and key pair:
icon/buttons/copy
$ cockroach cert create-ca \
--certs-dir=certs \
--ca-key=my-safe-directory/ca.key
Create a client certificate and key pair for the root user:
icon/buttons/copy
$ cockroach cert create-client \
root \
--certs-dir=certs \
--ca-key=my-safe-directory/ca.key
Upload the client certificate and key to the Kubernetes cluster as a secret:
icon/buttons/copy
$ kubectl create secret \
generic cockroachdb.client.root \
--from-file=certs
secret/cockroachdb.client.root created
Create the certificate and key pair for your CockroachDB nodes:
icon/buttons/copy
$ cockroach cert create-node \
localhost 127.0.0.1 \
cockroachdb-public \
cockroachdb-public.default \
cockroachdb-public.default.svc.cluster.local \
*.cockroachdb \
*.cockroachdb.default \
*.cockroachdb.default.svc.cluster.local \
--certs-dir=certs \
--ca-key=my-safe-directory/ca.key
Upload the node certificate and key to the Kubernetes cluster as a secret:
icon/buttons/copy
$ kubectl create secret \
generic cockroachdb.node \
--from-file=certs
secret/cockroachdb.node created
Check that the secrets were created on the cluster:
icon/buttons/copy
NAME TYPE DATA AGE
cockroachdb.client.root Opaque 3 41m
cockroachdb.node Opaque 5 14s
default-token-6qjdb kubernetes.io/service-account-token 3 4m
Use the config file you downloaded to create the StatefulSet that automatically creates 3 pods, each running a CockroachDB node:
icon/buttons/copy
$ kubectl create -f cockroachdb-statefulset.yaml
serviceaccount/cockroachdb created
role.rbac.authorization.k8s.io/cockroachdb created
rolebinding.rbac.authorization.k8s.io/cockroachdb created
service/cockroachdb-public created
service/cockroachdb created
poddisruptionbudget.policy/cockroachdb-budget created
statefulset.apps/cockroachdb created
Initialize the CockroachDB cluster:
Confirm that three pods are Running successfully. Note that they will not be considered Ready until after the cluster has been initialized:
icon/buttons/copy
NAME READY STATUS RESTARTS AGE
cockroachdb-0 0/1 Running 0 2m
cockroachdb-1 0/1 Running 0 2m
cockroachdb-2 0/1 Running 0 2m
Confirm that the persistent volumes and corresponding claims were created successfully for all three pods:
icon/buttons/copy
NAME CAPACITY ACCESS MODES RECLAIM POLICY STATUS CLAIM STORAGECLASS REASON AGE
pvc-9e435563-fb2e-11e9-a65c-42010a8e0fca 100Gi RWO Delete Bound default/datadir-cockroachdb-0 standard 51m
pvc-9e47d820-fb2e-11e9-a65c-42010a8e0fca 100Gi RWO Delete Bound default/datadir-cockroachdb-1 standard 51m
pvc-9e4f57f0-fb2e-11e9-a65c-42010a8e0fca 100Gi RWO Delete Bound default/datadir-cockroachdb-2 standard 51m
Run cockroach init on one of the pods to complete the node startup process and have them join together as a cluster:
icon/buttons/copy
$ kubectl exec -it cockroachdb-0 \
-- /cockroach/cockroach init \
--certs-dir=/cockroach/cockroach-certs
Cluster successfully initialized
Confirm that cluster initialization has completed successfully. The job should be considered successful and the Kubernetes pods should soon be considered Ready:
icon/buttons/copy
NAME READY STATUS RESTARTS AGE
cockroachdb-0 1/1 Running 0 3m
cockroachdb-1 1/1 Running 0 3m
cockroachdb-2 1/1 Running 0 3m
The CockroachDB Helm chart is compatible with all Kubernetes versions that are supported by the Kubernetes project when cert-manager is used for mTLS.
The CockroachDB Helm chart is currently not under active development, and no new features are planned. However, Cockroach Labs remains committed to fully supporting the Helm chart by addressing defects, providing security patches, and addressing breaking changes due to deprecations in Kubernetes APIs.
A deprecation notice for the Helm chart will be provided to customers a minimum of 6 months in advance of actual deprecation.
Warning:
If you are running a secure Helm deployment on Kubernetes 1.22 and later, you must migrate away from using the Kubernetes CA for cluster authentication. The recommended approach is to use cert-manager for certificate management. For details, refer to Deploy cert-manager for mTLS.
Install the Helm client (version 3.0 or higher) and add the cockroachdb chart repository:
icon/buttons/copy
$ helm repo add cockroachdb https://charts.cockroachdb.com/
"cockroachdb" has been added to your repositories
Update your Helm chart repositories to ensure that you're using the latest CockroachDB chart:
icon/buttons/copy
The cluster configuration is set in the Helm chart's values file.
Note:
By default, the Helm chart specifies CPU and memory resources that are appropriate for the virtual machines used in this deployment example. On a production cluster, you should substitute values that are appropriate for your machines and workload. For details on configuring your deployment, see Configure the Cluster.
Before deploying, modify some parameters in our Helm chart's values file:
my-values.yaml) to specify your custom values. These will be used to override the defaults in values.yaml.To avoid running out of memory when CockroachDB is not the only pod on a Kubernetes node, you must set memory limits explicitly. This is because CockroachDB does not detect the amount of memory allocated to its pod when run in Kubernetes. We recommend setting conf.cache and conf.max-sql-memory each to 1/4 of the memory allocation specified in statefulset.resources.requests and statefulset.resources.limits.
Tip:
For example, if you are allocating 8Gi of memory to each CockroachDB node, allocate 2Gi to cache and 2Gi to max-sql-memory.
icon/buttons/copy
conf:
cache: "2Gi"
max-sql-memory: "2Gi"
The Helm chart defaults to a secure deployment by automatically setting tls.enabled to true.
Note:
By default, the Helm chart will generate and sign 1 client and 1 node certificate to secure the cluster. To authenticate using your own CA, see Certificate management.
Refer to the CockroachDB Helm chart's values.yaml template.
Install the CockroachDB Helm chart, specifying your custom values file.
Provide a "release" name to identify and track this particular deployment of the chart, and override the default values with those in my-values.yaml.
Note:
This tutorial uses my-release as the release name. If you use a different value, be sure to adjust the release name in subsequent commands.
Warning:
To allow the CockroachDB pods to successfully deploy, do not set the --wait flag when using Helm commands.
icon/buttons/copy
$ helm install my-release --values {custom-values}.yaml cockroachdb/cockroachdb
Behind the scenes, this command uses our cockroachdb-statefulset.yaml file to create the StatefulSet that automatically creates 3 pods, each with a CockroachDB node running inside it, where each pod has distinguishable network identity and always binds back to the same persistent storage on restart.
Confirm that CockroachDB cluster initialization has completed successfully, with the pods for CockroachDB showing 1/1 under READY and the pod for initialization showing COMPLETED under STATUS:
icon/buttons/copy
NAME READY STATUS RESTARTS AGE
my-release-cockroachdb-0 1/1 Running 0 8m
my-release-cockroachdb-1 1/1 Running 0 8m
my-release-cockroachdb-2 1/1 Running 0 8m
my-release-cockroachdb-init-hxzsc 0/1 Completed 0 1h
Confirm that the persistent volumes and corresponding claims were created successfully for all three pods:
icon/buttons/copy
NAME CAPACITY ACCESS MODES RECLAIM POLICY STATUS CLAIM STORAGECLASS REASON AGE
pvc-71019b3a-fc67-11e8-a606-080027ba45e5 100Gi RWO Delete Bound default/datadir-my-release-cockroachdb-0 standard 11m
pvc-7108e172-fc67-11e8-a606-080027ba45e5 100Gi RWO Delete Bound default/datadir-my-release-cockroachdb-1 standard 11m
pvc-710dcb66-fc67-11e8-a606-080027ba45e5 100Gi RWO Delete Bound default/datadir-my-release-cockroachdb-2 standard 11m
Tip:
The StatefulSet configuration sets all CockroachDB nodes to log to stderr, so if you ever need access to logs for a pod, use kubectl logs <podname> rather than checking the log on the persistent volume.
To use the CockroachDB SQL client, first launch a secure pod running the cockroach binary.
icon/buttons/copy
$ kubectl create \
-f https://raw.githubusercontent.com/cockroachdb/cockroach-operator/v2.18.2/examples/client-secure-operator.yaml
Get a shell into the pod and start the CockroachDB built-in SQL client:
icon/buttons/copy
$ kubectl exec -it cockroachdb-client-secure \
-- ./cockroach sql \
--certs-dir=/cockroach/cockroach-certs \
--host=cockroachdb-public
# Welcome to the CockroachDB SQL shell.
# All statements must be terminated by a semicolon.
# To exit, type: \q.
#
# Server version: CockroachDB CCL v21.1.0 (x86_64-unknown-linux-gnu, built 2021/04/23 13:54:57, go1.13.14) (same version as client)
# Cluster ID: a96791d9-998c-4683-a3d3-edbf425bbf11
#
# Enter \? for a brief introduction.
#
root@cockroachdb-public:26257/defaultdb>
Run some basic CockroachDB SQL statements:
icon/buttons/copy
icon/buttons/copy
> CREATE TABLE bank.accounts (id INT PRIMARY KEY, balance DECIMAL);
icon/buttons/copy
> INSERT INTO bank.accounts VALUES (1, 1000.50);
icon/buttons/copy
> SELECT * FROM bank.accounts;
id | balance
+----+---------+
1 | 1000.50
(1 row)
Create a user with a password:
icon/buttons/copy
> CREATE USER roach WITH PASSWORD 'Q7gc8rEdS';
You will need this username and password to access the DB Console later.
Exit the SQL shell and pod:
icon/buttons/copy
icon/buttons/copy
$ kubectl create \
-f https://raw.githubusercontent.com/cockroachdb/cockroach/master/cloud/kubernetes/bring-your-own-certs/client.yaml
pod/cockroachdb-client-secure created
Get a shell into the pod and start the CockroachDB built-in SQL client:
icon/buttons/copy
$ kubectl exec -it cockroachdb-client-secure \
-- ./cockroach sql \
--certs-dir=/cockroach-certs \
--host=cockroachdb-public
# Welcome to the cockroach SQL interface.
# All statements must be terminated by a semicolon.
# To exit: CTRL + D.
#
# Client version: CockroachDB CCL v19.1.0 (x86_64-unknown-linux-gnu, built 2019/04/29 18:36:40, go1.11.6)
# Server version: CockroachDB CCL v19.1.0 (x86_64-unknown-linux-gnu, built 2019/04/29 18:36:40, go1.11.6)
# Cluster ID: 256a8705-e348-4e3a-ab12-e1aba96857e4
#
# Enter \? for a brief introduction.
#
root@cockroachdb-public:26257/defaultdb>
Tip:
This pod will continue running indefinitely, so any time you need to reopen the built-in SQL client or run any other cockroach client commands (e.g., cockroach node), repeat step 2 using the appropriate cockroach command.
If you'd prefer to delete the pod and recreate it when needed, run kubectl delete pod cockroachdb-client-secure.
Run some basic CockroachDB SQL statements:
icon/buttons/copy
icon/buttons/copy
> CREATE TABLE bank.accounts (id INT PRIMARY KEY, balance DECIMAL);
icon/buttons/copy
> INSERT INTO bank.accounts VALUES (1, 1000.50);
icon/buttons/copy
> SELECT * FROM bank.accounts;
id | balance
+----+---------+
1 | 1000.50
(1 row)
Create a user with a password:
icon/buttons/copy
> CREATE USER roach WITH PASSWORD 'Q7gc8rEdS';
You will need this username and password to access the DB Console later.
Exit the SQL shell and pod:
icon/buttons/copy
From your local workstation, use our client-secure.yaml file to launch a pod and keep it running indefinitely.
Download the file:
icon/buttons/copy
$ curl -OOOOOOOOO \
https://raw.githubusercontent.com/cockroachdb/helm-charts/master/examples/client-secure.yaml
In the file, set the following values:
spec.serviceAccountName: my-release-cockroachdbspec.image: cockroachdb/cockroach: {your CockroachDB version}spec.volumes[0].project.sources[0].secret.name: my-release-cockroachdb-client-secretUse the file to launch a pod and keep it running indefinitely:
icon/buttons/copy
$ kubectl create -f client-secure.yaml
pod "cockroachdb-client-secure" created
Get a shell into the pod and start the CockroachDB built-in SQL client:
icon/buttons/copy
$ kubectl exec -it cockroachdb-client-secure \
-- ./cockroach sql \
--certs-dir=./cockroach-certs \
--host=my-release-cockroachdb-public
# Welcome to the cockroach SQL interface.
# All statements must be terminated by a semicolon.
# To exit: CTRL + D.
#
# Client version: CockroachDB CCL v19.1.0 (x86_64-unknown-linux-gnu, built 2019/04/29 18:36:40, go1.11.6)
# Server version: CockroachDB CCL v19.1.0 (x86_64-unknown-linux-gnu, built 2019/04/29 18:36:40, go1.11.6)
# Cluster ID: 256a8705-e348-4e3a-ab12-e1aba96857e4
#
# Enter \? for a brief introduction.
#
root@my-release-cockroachdb-public:26257/defaultdb>
Tip:
This pod will continue running indefinitely, so any time you need to reopen the built-in SQL client or run any other cockroach client commands (e.g., cockroach node), repeat step 2 using the appropriate cockroach command.
If you'd prefer to delete the pod and recreate it when needed, run kubectl delete pod cockroachdb-client-secure.
Run some basic CockroachDB SQL statements:
icon/buttons/copy
icon/buttons/copy
> CREATE TABLE bank.accounts (id INT PRIMARY KEY, balance DECIMAL);
icon/buttons/copy
> INSERT INTO bank.accounts VALUES (1, 1000.50);
icon/buttons/copy
> SELECT * FROM bank.accounts;
id | balance
+----+---------+
1 | 1000.50
(1 row)
Create a user with a password:
icon/buttons/copy
> CREATE USER roach WITH PASSWORD 'Q7gc8rEdS';
You will need this username and password to access the DB Console later.
Exit the SQL shell and pod:
icon/buttons/copy
To access the cluster's DB Console:
On secure clusters, certain pages of the DB Console can only be accessed by admin users.
Get a shell into the pod and start the CockroachDB built-in SQL client:
icon/buttons/copy
$ kubectl exec -it cockroachdb-client-secure \
-- ./cockroach sql \
--certs-dir=/cockroach/cockroach-certs \
--host=cockroachdb-public
icon/buttons/copy
$ kubectl exec -it cockroachdb-client-secure \
-- ./cockroach sql \
--certs-dir=/cockroach-certs \
--host=cockroachdb-public
$ kubectl exec -it cockroachdb-client-secure \ -- ./cockroach sql \ --certs-dir=/cockroach-certs \ --host=my-release-cockroachdb-public
Assign roach to the admin role (you only need to do this once):
icon/buttons/copy
Exit the SQL shell and pod:
icon/buttons/copy
In a new terminal window, port-forward from your local machine to the cockroachdb-public service:
icon/buttons/copy
$ kubectl port-forward service/cockroachdb-public 8080
icon/buttons/copy
$ kubectl port-forward service/cockroachdb-public 8080
icon/buttons/copy
$ kubectl port-forward service/my-release-cockroachdb-public 8080
Forwarding from 127.0.0.1:8080 -> 8080
Note:
The
port-forward
command must be run on the same machine as the web browser in which you want to view the DB Console. If you have been running these commands from a cloud instance or other non-local shell, you will not be able to view the UI without configuring
kubectl
locally and running the above
port-forward
command on your local machine.
Go to https://localhost:8080 and log in with the username and password you created earlier.
Note:
If you are using Google Chrome, and you are getting an error about not being able to reach localhost because its certificate has been revoked, go to chrome://flags/#allow-insecure-localhost, enable "Allow invalid certificates for resources loaded from localhost", and then restart the browser. Enabling this Chrome feature degrades security for all sites running on localhost, not just CockroachDB's DB Console, so be sure to enable the feature only temporarily.
In the UI, verify that the cluster is running as expected:
bank is listed.To shut down the CockroachDB cluster:
Delete the previously created custom resource:
icon/buttons/copy
kubectl delete -f example.yaml
Remove the Public operator:
icon/buttons/copy
kubectl delete -f https://raw.githubusercontent.com/cockroachdb/cockroach-operator/v2.18.2/install/operator.yaml
This will delete the CockroachDB cluster being run by the Public operator. It intentionally does not delete:
kubectl in the Kubernetes project's documentation.This procedure shuts down the CockroachDB cluster and deletes the resources you just created, including the logs and Prometheus and Alertmanager resources. This command intentionally does not delete:
kubectl in the Kubernetes project's documentation.Warning:
Do not use the --all flag to kubectl delete, to avoid the risk of data loss.
Delete the resources associated with the cockroachdb label, including the logs and Prometheus and Alertmanager resources. This command is very long; you may need to scroll your browser to read all of it.
icon/buttons/copy
kubectl delete \
pods,statefulsets,services,poddisruptionbudget,jobs,rolebinding,clusterrolebinding,role,clusterrole,serviceaccount,alertmanager,prometheus,prometheusrule,serviceMonitor \
-l app=cockroachdb
pod "cockroachdb-0" deleted
pod "cockroachdb-1" deleted
pod "cockroachdb-2" deleted
statefulset.apps "alertmanager-cockroachdb" deleted
statefulset.apps "prometheus-cockroachdb" deleted
service "alertmanager-cockroachdb" deleted
service "cockroachdb" deleted
service "cockroachdb-public" deleted
poddisruptionbudget.policy "cockroachdb-budget" deleted
job.batch "cluster-init-secure" deleted
rolebinding.rbac.authorization.k8s.io "cockroachdb" deleted
clusterrolebinding.rbac.authorization.k8s.io "cockroachdb" deleted
clusterrolebinding.rbac.authorization.k8s.io "prometheus" deleted
role.rbac.authorization.k8s.io "cockroachdb" deleted
clusterrole.rbac.authorization.k8s.io "cockroachdb" deleted
clusterrole.rbac.authorization.k8s.io "prometheus" deleted
serviceaccount "cockroachdb" deleted
serviceaccount "prometheus" deleted
alertmanager.monitoring.coreos.com "cockroachdb" deleted
prometheus.monitoring.coreos.com "cockroachdb" deleted
prometheusrule.monitoring.coreos.com "prometheus-cockroachdb-rules" deleted
servicemonitor.monitoring.coreos.com "cockroachdb" deleted
Delete the pod created for cockroach client commands, if you didn't do so earlier:
icon/buttons/copy
kubectl delete pod cockroachdb-client-secure
pod "cockroachdb-client-secure" deleted
Delete the cluster's cryptographic resources.
cert-manager (recommended but not default), get the names of the cluster's issuers and delete them:
icon/buttons/copy
kubectl delete issuer {issuer_name}
icon/buttons/copy
kubectl delete csr default.client.root default.{node_name}
Uninstall the release:
icon/buttons/copy
helm uninstall my-release
release "my-release" deleted
Delete the pod created for cockroach client commands, if you didn't do so earlier:
icon/buttons/copy
kubectl delete pod cockroachdb-client-secure
pod "cockroachdb-client-secure" deleted
Delete the cluster's cryptographic resources.
cert-manager (recommended but not default), get the names of the cluster's issuers and delete them:
icon/buttons/copy
kubectl delete issuer {issuer_name}
icon/buttons/copy
kubectl delete csr default.client.root default.{node_name}
If you need to free up the storage used by CockroachDB, you can optionally delete the persistent volumes that were attached to the pods, after first backing up your data.
Warning:
Before you delete a cluster's persistent volumes, be sure you have a backup copy of your data. Data cannot be recovered once the persistent volumes are deleted. For more information, see the Kubernetes documentation.
Refer to the Kubernetes project's documentation for more information and recommendations.
Stop KubernetesTo delete the Kubernetes cluster:
Hosted GKE:
icon/buttons/copy
$ gcloud container clusters delete cockroachdb --region {region-name}
Hosted EKS:
icon/buttons/copy
$ eksctl delete cluster --name cockroachdb
Manual GCE:
icon/buttons/copy
Manual AWS:
icon/buttons/copy
Warning:
If you stop Kubernetes without first deleting the persistent volumes, they will still exist in your cloud project.
See alsoRetroSearch is an open source project built by @garambo | Open a GitHub Issue
Search and Browse the WWW like it's 1997 | Search results from DuckDuckGo
HTML:
3.2
| Encoding:
UTF-8
| Version:
0.7.4