Orchestrate CockroachDB in a Single Kubernetes Cluster

On this page

Warning:

As of April 30, 2020, CockroachDB v2.1 is no longer supported. For more details, refer to the Release Support Policy.

This page shows you how to orchestrate the deployment, management, and monitoring of a secure 3-node CockroachDB cluster in a single Kubernetes cluster, using the StatefulSet feature directly or via the Helm package manager for Kubernetes.

To deploy across multiple Kubernetes clusters in different geographic regions instead, see Kubernetes Multi-Cluster Deployment. Also, for details about potential performance bottlenecks to be aware of when running CockroachDB in Kubernetes and guidance on how to optimize your deployment for better performance, see CockroachDB Performance on Kubernetes.

Before you begin

Before getting started, it's helpful to review some Kubernetes-specific terminology and current limitations.

Kubernetes terminology

Feature	Description
instance	A physical or virtual machine. In this tutorial, you'll create GCE or AWS instances and join them into a single Kubernetes cluster from your local workstation.
pod	A pod is a group of one or more Docker containers. In this tutorial, each pod will run on a separate instance and include one Docker container running a single CockroachDB node. You'll start with 3 pods and grow to 4.
StatefulSet	A StatefulSet is a group of pods treated as stateful units, where each pod has distinguishable network identity and always binds back to the same persistent storage on restart. StatefulSets are considered stable as of Kubernetes version 1.9 after reaching beta in version 1.5.
persistent volume	A persistent volume is a piece of networked storage (Persistent Disk on GCE, Elastic Block Store on AWS) mounted into a pod. The lifetime of a persistent volume is decoupled from the lifetime of the pod that's using it, ensuring that each CockroachDB node binds back to the same storage on restart. This tutorial assumes that dynamic volume provisioning is available. When that is not the case, persistent volume claims need to be created manually.
CSR	A CSR, or Certificate Signing Request, is a request to have a TLS certificate signed by the Kubernetes cluster's built-in CA. As each pod is created, it issues a CSR for the CockroachDB node running in the pod, which must be manually checked and approved. The same is true for clients as they connect to the cluster.
RBAC	RBAC, or Role-Based Access Control, is the system Kubernetes uses to manage permissions within the cluster. In order to take an action (e.g., `get` or `create`) on an API resource (e.g., a `pod` or `CSR`), the client must have a `Role` that allows it to do so. This tutorial creates the RBAC resources necessary for CockroachDB to create and access certificates.

Limitations

Kubernetes version

Kubernetes 1.18 or higher is required in order to use our most up-to-date configuration files. Earlier Kubernetes releases do not support some of the options used in our configuration files. If you need to run on an older version of Kubernetes, we have kept around configuration files that work on older Kubernetes releases in the versioned subdirectories of https://github.com/cockroachdb/cockroach/tree/master/cloud/kubernetes (e.g., v1.7).

Storage

At this time, orchestrations of CockroachDB with Kubernetes use external persistent volumes that are often replicated by the provider. Because CockroachDB already replicates data automatically, this additional layer of replication is unnecessary and can negatively impact performance. High-performance use cases on a private Kubernetes cluster may want to consider using local volumes.

Step 1. Start Kubernetes

Choose whether you want to orchestrate CockroachDB with Kubernetes using the hosted Google Kubernetes Engine (GKE) service or manually on Google Compute Engine (GCE) or AWS. The instructions below will change slightly depending on your choice.

Hosted GKE
Manual GCE
Manual AWS

Hosted GKE

Complete the Before You Begin steps described in the Google Kubernetes Engine Quickstart documentation.

This includes installing gcloud, which is used to create and delete Kubernetes Engine clusters, and kubectl, which is the command-line tool used to manage Kubernetes from your workstation.

Tip:
The documentation offers the choice of using Google's Cloud Shell product or using a local shell on your machine. Choose to use a local shell if you want to be able to view the CockroachDB Admin UI using the steps in this guide.
From your local workstation, start the Kubernetes cluster:
```
$ gcloud container clusters create cockroachdb --machine-type n1-standard-4
```
```
Creating cluster cockroachdb...done.
```
This creates GKE instances and joins them into a single Kubernetes cluster named cockroachdb. The --machine-type flag tells the node pool to use the n1-standard-4 machine type (4 vCPUs, 15 GB memory), which meets our recommended CPU and memory configuration.

The process can take a few minutes, so do not move on to the next step until you see a Creating cluster cockroachdb...done message and details about your cluster.
Get the email address associated with your Google Cloud account:
```
$ gcloud info | grep Account
```
```
Account: [your.google.cloud.email@example.org]
```
Warning:

This command returns your email address in all lowercase. However, in the next step, you must enter the address using the accurate capitalization. For example, if your address is YourName@example.com, you must use YourName@example.com and not yourname@example.com.

Create the RBAC roles CockroachDB needs for running on GKE, using the address from the previous step:

$ kubectl create clusterrolebinding $USER-cluster-admin-binding --clusterrole=cluster-admin --user=<your.google.cloud.email@example.org>

clusterrolebinding "cluster-admin-binding" created

Manual GCE

From your local workstation, install prerequisites and start a Kubernetes cluster as described in the Running Kubernetes on Google Compute Engine documentation.

The process includes:

Creating a Google Cloud Platform account, installing gcloud, and other prerequisites.
Downloading and installing the latest Kubernetes release.
Creating GCE instances and joining them into a single Kubernetes cluster.
Installing kubectl, the command-line tool used to manage Kubernetes from your workstation.

Manual AWS

From your local workstation, install prerequisites and start a Kubernetes cluster as described in the Running Kubernetes on AWS EC2 documentation.

Step 2. Start CockroachDB

To start your CockroachDB cluster, you can either use our StatefulSet configuration and related files directly, or you can use the Helm package manager for Kubernetes to simplify the process.

Note:

If you want to use a different certificate authority than the one Kubernetes uses, or if your Kubernetes cluster doesn't fully support certificate-signing requests (e.g., in Amazon EKS), use these configuration files instead of the ones referenced below.

From your local workstation, use our cockroachdb-statefulset-secure.yaml file to create the StatefulSet that automatically creates 3 pods, each with a CockroachDB node running inside it:

$ kubectl create -f https://raw.githubusercontent.com/cockroachdb/cockroach/master/cloud/kubernetes/cockroachdb-statefulset-secure.yaml

serviceaccount "cockroachdb" created
role "cockroachdb" created
clusterrole "cockroachdb" created
rolebinding "cockroachdb" created
clusterrolebinding "cockroachdb" created
service "cockroachdb-public" created
service "cockroachdb" created
poddisruptionbudget "cockroachdb-budget" created
statefulset "cockroachdb" created

Alternatively, if you'd rather start with a configuration file that has been customized for performance:

Download our performance version of cockroachdb-statefulset-secure.yaml:

$ curl -O https://raw.githubusercontent.com/cockroachdb/cockroach/master/cloud/kubernetes/performance/cockroachdb-statefulset-secure.yaml

Modify the file wherever there is a TODO comment.
Use the file to create the StatefulSet and start the cluster:
```
$ kubectl create -f cockroachdb-statefulset-secure.yaml
```

As each pod is created, it issues a Certificate Signing Request, or CSR, to have the node's certificate signed by the Kubernetes CA. You must manually check and approve each node's certificates, at which point the CockroachDB node is started in the pod.

Get the name of the Pending CSR for the first pod:

$ kubectl get csr

NAME                                                   AGE       REQUESTOR                               CONDITION
default.node.cockroachdb-0                             1m        system:serviceaccount:default:default   Pending
node-csr-0Xmb4UTVAWMEnUeGbW4KX1oL4XV_LADpkwjrPtQjlZ4   4m        kubelet                                 Approved,Issued
node-csr-NiN8oDsLhxn0uwLTWa0RWpMUgJYnwcFxB984mwjjYsY   4m        kubelet                                 Approved,Issued
node-csr-aU78SxyU69pDK57aj6txnevr7X-8M3XgX9mTK0Hso6o   5m        kubelet                                 Approved,Issued

If you do not see a Pending CSR, wait a minute and try again.

Examine the CSR for the first pod:

$ kubectl describe csr default.node.cockroachdb-0

Name:               default.node.cockroachdb-0
Labels:             <none>
Annotations:        <none>
CreationTimestamp:  Thu, 09 Nov 2017 13:39:37 -0500
Requesting User:    system:serviceaccount:default:default
Status:             Pending
Subject:
  Common Name:    node
  Serial Number:
  Organization:   Cockroach
Subject Alternative Names:
         DNS Names:     localhost
                        cockroachdb-0.cockroachdb.default.svc.cluster.local
                        cockroachdb-public
         IP Addresses:  127.0.0.1
                        10.48.1.6
Events:  <none>

If everything looks correct, approve the CSR for the first pod:

$ kubectl certificate approve default.node.cockroachdb-0

certificatesigningrequest "default.node.cockroachdb-0" approved

Repeat steps 1-3 for the other 2 pods.

Initialize the cluster:

Confirm that three pods are Running successfully. Note that they will not be considered Ready until after the cluster has been initialized:

$ kubectl get pods

NAME            READY     STATUS    RESTARTS   AGE
cockroachdb-0   0/1       Running   0          2m
cockroachdb-1   0/1       Running   0          2m
cockroachdb-2   0/1       Running   0          2m

Confirm that the persistent volumes and corresponding claims were created successfully for all three pods:

$ kubectl get persistentvolumes

NAME                                       CAPACITY   ACCESSMODES   RECLAIMPOLICY   STATUS    CLAIM                           REASON    AGE
pvc-52f51ecf-8bd5-11e6-a4f4-42010a800002   1Gi        RWO           Delete          Bound     default/datadir-cockroachdb-0             26s
pvc-52fd3a39-8bd5-11e6-a4f4-42010a800002   1Gi        RWO           Delete          Bound     default/datadir-cockroachdb-1             27s
pvc-5315efda-8bd5-11e6-a4f4-42010a800002   1Gi        RWO           Delete          Bound     default/datadir-cockroachdb-2             27s

Use our cluster-init-secure.yaml file to perform a one-time initialization that joins the nodes into a single cluster:
```
$ kubectl create -f https://raw.githubusercontent.com/cockroachdb/cockroach/master/cloud/kubernetes/cluster-init-secure.yaml
```
```
job "cluster-init-secure" created
```
Approve the CSR for the one-off pod from which cluster initialization happens:
```
$ kubectl certificate approve default.client.root
```
```
certificatesigningrequest "default.client.root" approved
```

Confirm that cluster initialization has completed successfully. The job should be considered successful and the CockroachDB pods should soon be considered Ready:

$ kubectl get job cluster-init-secure

NAME                  DESIRED   SUCCESSFUL   AGE
cluster-init-secure   1         1            2m

$ kubectl get pods

NAME            READY     STATUS    RESTARTS   AGE
cockroachdb-0   1/1       Running   0          3m
cockroachdb-1   1/1       Running   0          3m
cockroachdb-2   1/1       Running   0          3m

Tip:

The StatefulSet configuration sets all CockroachDB nodes to log to stderr, so if you ever need access to a pod/node's logs to troubleshoot, use kubectl logs <podname> rather than checking the log on the persistent volume.

Install the Helm client.

Install the Helm server, known as Tiller.

In the likely case that your Kubernetes cluster uses RBAC (e.g., if you are using GKE), you need to create RBAC resources to grant Tiller access to the Kubernetes API:

Create a rbac-config.yaml file to define a role and service account:

apiVersion: v1
kind: ServiceAccount
metadata:
  name: tiller
  namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: tiller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
  - kind: ServiceAccount
    name: tiller
    namespace: kube-system

Create the service account:

$ kubectl create -f rbac-config.yaml

serviceaccount "tiller" created
clusterrolebinding "tiller" created

Start the Helm server:
```
$ helm init --service-account tiller
```

Install the CockroachDB Helm chart, providing a "release" name to identify and track this particular deployment of the chart and setting the Secure.Enabled parameter to true:

Note:

This tutorial uses my-release as the release name. If you use a different value, be sure to adjust the release name in subsequent commands.
```
$ helm install --name my-release --set Secure.Enabled=true cockroachdb/cockroachdb
```
Behind the scenes, this command uses our cockroachdb-statefulset.yaml file to create the StatefulSet that automatically creates 3 pods, each with a CockroachDB node running inside it, where each pod has distinguishable network identity and always binds back to the same persistent storage on restart.

Note:

You can customize your deployment by passing additional configuration parameters to helm install using the --set key=value[,key=value] flag. For a production cluster, you should consider modifying the Storage and StorageClass parameters. This chart defaults to 100 GiB of disk space per pod, but you may want more or less depending on your use case, and the default persistent volume StorageClass in your environment may not be what you want for a database (e.g., on GCE and Azure the default is not SSD).

Get the name of the Pending CSR for the first pod:

$ kubectl get csr

NAME                                    AGE       REQUESTOR                                              CONDITION
default.client.root                     21s       system:serviceaccount:default:my-release-cockroachdb   Pending
default.node.my-release-cockroachdb-0   15s       system:serviceaccount:default:my-release-cockroachdb   Pending
default.node.my-release-cockroachdb-1   16s       system:serviceaccount:default:my-release-cockroachdb   Pending
default.node.my-release-cockroachdb-2   15s       system:serviceaccount:default:my-release-cockroachdb   Pending

If you do not see a Pending CSR, wait a minute and try again.

Examine the CSR for the first pod:

$ kubectl describe csr default.node.my-release-cockroachdb-0

Name:               default.node.my-release-cockroachdb-0
Labels:             <none>
Annotations:        <none>
CreationTimestamp:  Mon, 10 Dec 2018 05:36:35 -0500
Requesting User:    system:serviceaccount:default:my-release-cockroachdb
Status:             Pending
Subject:
  Common Name:    node
  Serial Number:
  Organization:   Cockroach
Subject Alternative Names:
         DNS Names:     localhost
                        my-release-cockroachdb-0.my-release-cockroachdb.default.svc.cluster.local
                        my-release-cockroachdb-0.my-release-cockroachdb
                        my-release-cockroachdb-public
                        my-release-cockroachdb-public.default.svc.cluster.local
         IP Addresses:  127.0.0.1
                        10.48.1.6
Events:  <none>

If everything looks correct, approve the CSR for the first pod:

$ kubectl certificate approve default.node.my-release-cockroachdb-0

certificatesigningrequest "default.node.my-release-cockroachdb-0" approved

Repeat steps 1-3 for the other 2 pods.

Confirm that three pods are Running successfully:

$ kubectl get pods

NAME                                READY     STATUS     RESTARTS   AGE
my-release-cockroachdb-0            0/1       Running    0          6m
my-release-cockroachdb-1            0/1       Running    0          6m
my-release-cockroachdb-2            0/1       Running    0          6m
my-release-cockroachdb-init-hxzsc   0/1       Init:0/1   0          6m

Approve the CSR for the one-off pod from which cluster initialization happens:
```
$ kubectl certificate approve default.client.root
```
```
certificatesigningrequest "default.client.root" approved
```

Confirm that cluster initialization has completed successfully, with each pod showing 1/1 under READY:

$ kubectl get pods

NAME                       READY     STATUS    RESTARTS   AGE
my-release-cockroachdb-0   1/1       Running   0          8m
my-release-cockroachdb-1   1/1       Running   0          8m
my-release-cockroachdb-2   1/1       Running   0          8m

Confirm that the persistent volumes and corresponding claims were created successfully for all three pods:

$ kubectl get persistentvolumes

NAME                                       CAPACITY   ACCESS MODES   RECLAIM POLICY   STATUS    CLAIM                                      STORAGECLASS   REASON    AGE
pvc-71019b3a-fc67-11e8-a606-080027ba45e5   100Gi      RWO            Delete           Bound     default/datadir-my-release-cockroachdb-0   standard                 11m
pvc-7108e172-fc67-11e8-a606-080027ba45e5   100Gi      RWO            Delete           Bound     default/datadir-my-release-cockroachdb-1   standard                 11m
pvc-710dcb66-fc67-11e8-a606-080027ba45e5   100Gi      RWO            Delete           Bound     default/datadir-my-release-cockroachdb-2   standard                 11m

Tip:

Step 3. Use the built-in SQL client

To use the built-in SQL client, you need to launch a pod that runs indefinitely with the cockroach binary inside it, get a shell into the pod, and then start the built-in SQL client.

From your local workstation, use our client-secure.yaml file to launch a pod and keep it running indefinitely:
```
$ kubectl create -f https://raw.githubusercontent.com/cockroachdb/cockroach/master/cloud/kubernetes/client-secure.yaml
```
```
pod "cockroachdb-client-secure" created
```
The pod uses the root client certificate created earlier to initialize the cluster, so there's no CSR approval required.

Get a shell into the pod and start the CockroachDB built-in SQL client:

$ kubectl exec -it cockroachdb-client-secure -- ./cockroach sql --certs-dir=/cockroach-certs --host=cockroachdb-public

# Welcome to the cockroach SQL interface.
# All statements must be terminated by a semicolon.
# To exit: CTRL + D.
#
# Server version: CockroachDB CCL v1.1.2 (linux amd64, built 2017/11/02 19:32:03, go1.8.3) (same version as client)
# Cluster ID: 3292fe08-939f-4638-b8dd-848074611dba
#
# Enter \? for a brief introduction.
#
root@cockroachdb-public:26257/>

Run some basic CockroachDB SQL statements:

> CREATE DATABASE bank;

> CREATE TABLE bank.accounts (id INT PRIMARY KEY, balance DECIMAL);

> INSERT INTO bank.accounts VALUES (1, 1000.50);

> SELECT * FROM bank.accounts;

+----+---------+
| id | balance |
+----+---------+
|  1 |  1000.5 |
+----+---------+
(1 row)

Create a user with a password:
```
> CREATE USER roach WITH PASSWORD 'Q7gc8rEdS';
```
You will need this username and password to access the Admin UI later.
Exit the SQL shell and pod:
```
> \q
```

From your local workstation, use our client-secure.yaml file to launch a pod and keep it running indefinitely.
1. Download the file:
```
$ curl -OOOOOOOOO \
https://raw.githubusercontent.com/cockroachdb/cockroach/master/cloud/kubernetes/client-secure.yaml
```
2. In the file, change serviceAccountName: cockroachdb to serviceAccountName: my-release-cockroachdb.
3. Use the file to launch a pod and keep it running indefinitely:
```
$ kubectl create -f client-secure.yaml
```
```
pod "cockroachdb-client-secure" created
```
  The pod uses the root client certificate created earlier to initialize the cluster, so there's no CSR approval required.

Get a shell into the pod and start the CockroachDB built-in SQL client:

$ kubectl exec -it cockroachdb-client-secure -- ./cockroach sql --certs-dir=/cockroach-certs --host=my-release-cockroachdb-public

# Welcome to the cockroach SQL interface.
# All statements must be terminated by a semicolon.
# To exit: CTRL + D.
#
# Server version: CockroachDB CCL v1.1.2 (linux amd64, built 2017/11/02 19:32:03, go1.8.3) (same version as client)
# Cluster ID: 3292fe08-939f-4638-b8dd-848074611dba
#
# Enter \? for a brief introduction.
#
root@my-release-cockroachdb-public:26257/>

Run some basic CockroachDB SQL statements:

> CREATE DATABASE bank;

> CREATE TABLE bank.accounts (id INT PRIMARY KEY, balance DECIMAL);

> INSERT INTO bank.accounts VALUES (1, 1000.50);

> SELECT * FROM bank.accounts;

+----+---------+
| id | balance |
+----+---------+
|  1 |  1000.5 |
+----+---------+
(1 row)

Create a user with a password:
```
> CREATE USER roach WITH PASSWORD 'Q7gc8rEdS';
```
You will need this username and password to access the Admin UI later.
Exit the SQL shell and pod:
```
> \q
```

Tip:

This pod will continue running indefinitely, so any time you need to reopen the built-in SQL client or run any other cockroach client commands (e.g., cockroach node), repeat step 2 using the appropriate cockroach command.

If you'd prefer to delete the pod and recreate it when needed, run kubectl delete pod cockroachdb-client-secure.

Step 4. Access the Admin UI

To access the cluster's Admin UI:

Port-forward from your local machine to one of the pods:
```
$ kubectl port-forward cockroachdb-0 8080
```
```
$ kubectl port-forward my-release-cockroachdb-0 8080
```
```
Forwarding from 127.0.0.1:8080 -> 8080
```
Note:
The port-forward command must be run on the same machine as the web browser in which you want to view the Admin UI. If you have been running these commands from a cloud instance or other non-local shell, you will not be able to view the UI without configuring kubectl locally and running the above port-forward command on your local machine.
Go to https://localhost:8080 and log in with the username and password you created earlier.
In the UI, verify that the cluster is running as expected:
- Click View nodes list on the right to ensure that all nodes successfully joined the cluster.
- Click the Databases tab on the left to verify that bank is listed.

Step 5. Simulate node failure

Based on the replicas: 3 line in the StatefulSet configuration, Kubernetes ensures that three pods/nodes are running at all times. When a pod/node fails, Kubernetes automatically creates another pod/node with the same network identity and persistent storage.

To see this in action:

Terminate one of the CockroachDB nodes:

$ kubectl delete pod cockroachdb-2

pod "cockroachdb-2" deleted

$ kubectl delete pod my-release-cockroachdb-2

pod "my-release-cockroachdb-2" deleted

In the Admin UI, the Cluster Overview will soon show one node as Suspect. As Kubernetes auto-restarts the node, watch how the node once again becomes healthy.

Back in the terminal, verify that the pod was automatically restarted:

$ kubectl get pod cockroachdb-2

NAME            READY     STATUS    RESTARTS   AGE
cockroachdb-2   1/1       Running   0          12s

$ kubectl get pod my-release-cockroachdb-2

NAME                       READY     STATUS    RESTARTS   AGE
my-release-cockroachdb-2   1/1       Running   0          44s

Step 6. Set up monitoring and alerting

Despite CockroachDB's various built-in safeguards against failure, it is critical to actively monitor the overall health and performance of a cluster running in production and to create alerting rules that promptly send notifications when there are events that require investigation or intervention.

Configure Prometheus

Every node of a CockroachDB cluster exports granular timeseries metrics formatted for easy integration with Prometheus, an open source tool for storing, aggregating, and querying timeseries data. This section shows you how to orchestrate Prometheus as part of your Kubernetes cluster and pull these metrics into Prometheus for external monitoring.

This guidance is based on CoreOS's Prometheus Operator, which allows a Prometheus instance to be managed using built-in Kubernetes concepts.

Note:

If you're on Hosted GKE, before starting, make sure the email address associated with your Google Cloud account is part of the cluster-admin RBAC group, as shown in Step 1. Start Kubernetes.

From your local workstation, edit the cockroachdb service to add the prometheus: cockroachdb label:
```
$ kubectl label svc cockroachdb prometheus=cockroachdb
```
```
service "cockroachdb" labeled
```
This ensures that there is a prometheus job and monitoring data only for the cockroachdb service, not for the cockroach-public service.
```
$ kubectl label svc my-release-cockroachdb prometheus=cockroachdb
```
```
service "cockroachdb" labeled
```
This ensures that there is a prometheus job and monitoring data only for the my-release-cockroachdb service, not for the my-release-cockroach-public service.

Install CoreOS's Prometheus Operator:

$ kubectl apply -f https://raw.githubusercontent.com/coreos/prometheus-operator/release-0.20/bundle.yaml

clusterrolebinding "prometheus-operator" created
clusterrole "prometheus-operator" created
serviceaccount "prometheus-operator" created
deployment "prometheus-operator" created

Confirm that the prometheus-operator has started:

$ kubectl get deploy prometheus-operator

NAME                  DESIRED   CURRENT   UP-TO-DATE   AVAILABLE   AGE
prometheus-operator   1         1         1            1           1m

Use our prometheus.yaml file to create the various objects necessary to run a Prometheus instance:

$ kubectl apply -f https://raw.githubusercontent.com/cockroachdb/cockroach/master/cloud/kubernetes/prometheus/prometheus.yaml

clusterrole "prometheus" created
clusterrolebinding "prometheus" created
servicemonitor "cockroachdb" created
prometheus "cockroachdb" created

Access the Prometheus UI locally and verify that CockroachDB is feeding data into Prometheus:
1. Port-forward from your local machine to the pod running Prometheus:
```
$ kubectl port-forward prometheus-cockroachdb-0 9090
```
2. Go to http://localhost:9090 in your browser.
3. To verify that each CockroachDB node is connected to Prometheus, go to Status > Targets. The screen should look like this:
4. To verify that data is being collected, go to Graph, enter the sys_uptime variable in the field, click Execute, and then click the Graph tab. The screen should like this:
Tip:

Prometheus auto-completes CockroachDB time series metrics for you, but if you want to see a full listing, with descriptions, port-forward as described in Access the Admin UI and then point your browser to http://localhost:8080/_status/vars.

For more details on using the Prometheus UI, see their official documentation.

Configure Alertmanager

Active monitoring helps you spot problems early, but it is also essential to send notifications when there are events that require investigation or intervention. This section shows you how to use Alertmanager and CockroachDB's starter alerting rules to do this.

Download our alertmanager-config.yaml configuration file.
Edit the alertmanager-config.yaml file to specify the desired receivers for notifications. Initially, the file contains a placeholder web hook.
Add this configuration to the Kubernetes cluster as a secret, renaming it to alertmanager.yaml and labelling it to make it easier to find:
```
$ kubectl create secret generic alertmanager-cockroachdb --from-file=alertmanager.yaml=alertmanager-config.yaml
```
```
secret "alertmanager-cockroachdb" created
```
```
$ kubectl label secret alertmanager-cockroachdb app=cockroachdb
```
```
secret "alertmanager-cockroachdb" labeled
```
Warning:

The name of the secret, alertmanager-cockroachdb, must match the name used in the altermanager.yaml file. If they differ, the Alertmanager instance will start without configuration, and nothing will happen.
Use our alertmanager.yaml file to create the various objects necessary to run an Alertmanager instance, including a ClusterIP service so that Prometheus can forward alerts:
```
$ kubectl apply -f https://raw.githubusercontent.com/cockroachdb/cockroach/master/cloud/kubernetes/prometheus/alertmanager.yaml
```
```
alertmanager "cockroachdb" created
service "alertmanager-cockroachdb" created
```
Verify that Alertmanager is running:
1. Port-forward from your local machine to the pod running Alertmanager:
```
$ kubectl port-forward alertmanager-cockroachdb-0 9093
```
2. Go to http://localhost:9093 in your browser. The screen should look like this:
Ensure that the Alertmanagers are visible to Prometheus by opening http://localhost:9090/status. The screen should look like this:

Add CockroachDB's starter alerting rules:

$ kubectl apply -f https://raw.githubusercontent.com/cockroachdb/cockroach/master/cloud/kubernetes/prometheus/alert-rules.yaml

prometheusrule "prometheus-cockroachdb-rules" created

Ensure that the rules are visible to Prometheus by opening http://localhost:9090/rules. The screen should look like this:
Verify that the example alert is firing by opening http://localhost:9090/alerts. The screen should look like this:
To remove the example alert:
1. Use the kubectl edit command to open the rules for editing:
```
$ kubectl edit prometheusrules prometheus-cockroachdb-rules
```
2. Remove the dummy.rules block and save the file:
```
- name: rules/dummy.rules
  rules:
  - alert: TestAlertManager
    expr: vector(1)
```

Step 7. Maintain the cluster

Add nodes

The Kubernetes cluster contains 4 nodes, one master and 3 workers. Pods get placed only on worker nodes, so to ensure that you do not have two pods on the same node (as recommended in our production best practices), you need to add a new worker node and then edit your StatefulSet configuration to add another pod. The Kubernetes cluster we created contains 3 nodes that pods can be run on. To ensure that you do not have two pods on the same node (as recommended in our production best practices), you need to add a new node and then edit your StatefulSet configuration to add another pod.

Add a worker node:
- On GKE, resize your cluster.
- On GCE, resize your Managed Instance Group.
- On AWS, resize your Auto Scaling Group.

Use the kubectl scale command to add a pod to your StatefulSet:

$ kubectl scale statefulset cockroachdb --replicas=4

statefulset "cockroachdb" scaled

$ kubectl scale statefulset my-release-cockroachdb --replicas=4

statefulset "my-release-cockroachdb" scaled

Get the name of the Pending CSR for the new pod:

$ kubectl get csr

NAME                                                   AGE       REQUESTOR                               CONDITION
default.client.root                                    1h        system:serviceaccount:default:default   Approved,Issued
default.node.cockroachdb-0                             1h        system:serviceaccount:default:default   Approved,Issued
default.node.cockroachdb-1                             1h        system:serviceaccount:default:default   Approved,Issued
default.node.cockroachdb-2                             1h        system:serviceaccount:default:default   Approved,Issued
default.node.cockroachdb-3                             2m        system:serviceaccount:default:default   Pending
node-csr-0Xmb4UTVAWMEnUeGbW4KX1oL4XV_LADpkwjrPtQjlZ4   1h        kubelet                                 Approved,Issued
node-csr-NiN8oDsLhxn0uwLTWa0RWpMUgJYnwcFxB984mwjjYsY   1h        kubelet                                 Approved,Issued
node-csr-aU78SxyU69pDK57aj6txnevr7X-8M3XgX9mTK0Hso6o   1h        kubelet                                 Approved,Issued

If you do not see a Pending CSR, wait a minute and try again.

Examine the CSR for the new pod:

$ kubectl describe csr default.node.cockroachdb-3

Name:               default.node.cockroachdb-0
Labels:             <none>
Annotations:        <none>
CreationTimestamp:  Thu, 09 Nov 2017 13:39:37 -0500
Requesting User:    system:serviceaccount:default:default
Status:             Pending
Subject:
  Common Name:    node
  Serial Number:
  Organization:   Cockroach
Subject Alternative Names:
         DNS Names:     localhost
                        cockroachdb-0.cockroachdb.default.svc.cluster.local
                        cockroachdb-public
         IP Addresses:  127.0.0.1
                        10.48.1.6
Events:  <none>

If everything looks correct, approve the CSR for the new pod:

$ kubectl certificate approve default.node.cockroachdb-3

certificatesigningrequest "default.node.cockroachdb-3" approved

Verify that the new pod started successfully:

$ kubectl get pods

NAME                        READY     STATUS    RESTARTS   AGE
cockroachdb-0               1/1       Running   0          51m
cockroachdb-1               1/1       Running   0          47m
cockroachdb-2               1/1       Running   0          3m
cockroachdb-3               1/1       Running   0          1m
cockroachdb-client-secure   1/1       Running   0          15m

Back in the Admin UI, view Node List to ensure that the fourth node successfully joined the cluster.

Remove nodes

To safely remove a node from your cluster, you must first decommission the node and only then adjust the --replicas value of your StatefulSet configuration to permanently remove it. This sequence is important because the decommissioning process lets a node finish in-flight requests, rejects any new requests, and transfers all range replicas and range leases off the node.

Warning:

If you remove nodes without first telling CockroachDB to decommission them, you may cause data or even cluster unavailability. For more details about how this works and what to consider before removing nodes, see Decommission Nodes.

Get a shell into the cockroachdb-client-secure pod you created earlier and use the cockroach node status command to get the internal IDs of nodes:

$ kubectl exec -it cockroachdb-client-secure -- ./cockroach node status --certs-dir=/cockroach-certs --host=cockroachdb-public

  id |               address                                     | build  |            started_at            |            updated_at            | is_available | is_live
+----+---------------------------------------------------------------------------------+--------+----------------------------------+----------------------------------+--------------+---------+
   1 | cockroachdb-0.cockroachdb.default.svc.cluster.local:26257 | v2.1.1 | 2018-11-29 16:04:36.486082+00:00 | 2018-11-29 18:24:24.587454+00:00 | true         | true
   2 | cockroachdb-2.cockroachdb.default.svc.cluster.local:26257 | v2.1.1 | 2018-11-29 16:55:03.880406+00:00 | 2018-11-29 18:24:23.469302+00:00 | true         | true
   3 | cockroachdb-1.cockroachdb.default.svc.cluster.local:26257 | v2.1.1 | 2018-11-29 16:04:41.383588+00:00 | 2018-11-29 18:24:25.030175+00:00 | true         | true
   4 | cockroachdb-3.cockroachdb.default.svc.cluster.local:26257 | v2.1.1 | 2018-11-29 17:31:19.990784+00:00 | 2018-11-29 18:24:26.041686+00:00 | true         | true
(4 rows)

$ kubectl exec -it cockroachdb-client-secure -- ./cockroach node status --certs-dir=/cockroach-certs --host=my-release-cockroachdb-public

  id |                                     address                                     | build  |            started_at            |            updated_at            | is_available | is_live
+----+---------------------------------------------------------------------------------+--------+----------------------------------+----------------------------------+--------------+---------+
   1 | my-release-cockroachdb-0.my-release-cockroachdb.default.svc.cluster.local:26257 | v2.1.1 | 2018-11-29 16:04:36.486082+00:00 | 2018-11-29 18:24:24.587454+00:00 | true         | true
   2 | my-release-cockroachdb-2.my-release-cockroachdb.default.svc.cluster.local:26257 | v2.1.1 | 2018-11-29 16:55:03.880406+00:00 | 2018-11-29 18:24:23.469302+00:00 | true         | true
   3 | my-release-cockroachdb-1.my-release-cockroachdb.default.svc.cluster.local:26257 | v2.1.1 | 2018-11-29 16:04:41.383588+00:00 | 2018-11-29 18:24:25.030175+00:00 | true         | true
   4 | my-release-cockroachdb-3.my-release-cockroachdb.default.svc.cluster.local:26257 | v2.1.1 | 2018-11-29 17:31:19.990784+00:00 | 2018-11-29 18:24:26.041686+00:00 | true         | true
(4 rows)

The pod uses the root client certificate created earlier to initialize the cluster, so there's no CSR approval required.

Note the ID of the node with the highest number in its address (in this case, the address including cockroachdb-3) and use the cockroach node decommission command to decommission it:

Note:

It's important to decommission the node with the highest number in its address because, when you reduce the --replica count, Kubernetes will remove the pod for that node.

$ kubectl exec -it cockroachdb-client-secure -- ./cockroach node decommission <node ID> --insecure --host=cockroachdb-public

$ kubectl exec -it cockroachdb-client-secure -- ./cockroach node decommission <node ID> --insecure --host=my-release-cockroachdb-public

You'll then see the decommissioning status print to stderr as it changes:

 id | is_live | replicas | is_decommissioning | is_draining  
+---+---------+----------+--------------------+-------------+
  4 |  true   |       73 |        true        |    false     
(1 row)

Once the node has been fully decommissioned and stopped, you'll see a confirmation:

 id | is_live | replicas | is_decommissioning | is_draining  
+---+---------+----------+--------------------+-------------+
  4 |  true   |        0 |        true        |    false     
(1 row)

No more data reported on target nodes. Please verify cluster health before removing the nodes.

Once the node has been decommissioned, use the kubectl scale command to remove a pod from your StatefulSet:
```
$ kubectl scale statefulset cockroachdb --replicas=3
```
```
statefulset "cockroachdb" scaled
```
```
$ kubectl scale statefulset my-release-cockroachdb --replicas=3
```
```
statefulset "my-release-cockroachdb" scaled
```

Upgrade the cluster

As new versions of CockroachDB are released, it's strongly recommended to upgrade to newer versions in order to pick up bug fixes, performance improvements, and new features. The general CockroachDB upgrade documentation provides best practices for how to prepare for and execute upgrades of CockroachDB clusters, but the mechanism of actually stopping and restarting processes in Kubernetes is somewhat special.

Kubernetes knows how to carry out a safe rolling upgrade process of the CockroachDB nodes. When you tell it to change the Docker image used in the CockroachDB StatefulSet, Kubernetes will go one-by-one, stopping a node, restarting it with the new image, and waiting for it to be ready to receive client requests before moving on to the next one. For more information, see the Kubernetes documentation.

Decide how the upgrade will be finalized.

Note:

This step is relevant only when upgrading from v2.0.x to v2.1. For upgrades within the v2.1.x series, skip this step.

By default, after all nodes are running the new version, the upgrade process will be auto-finalized. This will enable certain performance improvements and bug fixes introduced in v2.1. After finalization, however, it will no longer be possible to perform a downgrade to v2.0. In the event of a catastrophic failure or corruption, the only option will be to start a new cluster using the old binary and then restore from one of the backups created prior to performing the upgrade.

We recommend disabling auto-finalization so you can monitor the stability and performance of the upgraded cluster before finalizing the upgrade:
1. Get a shell into the pod with the cockroach binary created earlier and start the CockroachDB built-in SQL client:
```
$ kubectl exec -it cockroachdb-client-secure -- ./cockroach sql --certs-dir=/cockroach-certs --host=cockroachdb-public
```
```
$ kubectl exec -it cockroachdb-client-secure -- ./cockroach sql --certs-dir=/cockroach-certs --host=my-release-cockroachdb-public
```
2. Set the cluster.preserve_downgrade_option cluster setting:
```
> SET CLUSTER SETTING cluster.preserve_downgrade_option = '2.0';
```

Kick off the upgrade process by changing the desired Docker image. To do so, pick the version that you want to upgrade to, then run the following command, replacing "VERSION" with your desired new version:

$ kubectl patch statefulset cockroachdb --type='json' -p='[{"op": "replace", "path": "/spec/template/spec/containers/0/image", "value":"cockroachdb/cockroach:VERSION"}]'

statefulset "cockroachdb" patched

$ kubectl patch statefulset my-release-cockroachdb --type='json' -p='[{"op": "replace", "path": "/spec/template/spec/containers/0/image", "value":"cockroachdb/cockroach:VERSION"}]'

statefulset "my-release0-cockroachdb" patched

If you then check the status of your cluster's pods, you should see one of them being restarted:

$ kubectl get pods

NAME            READY     STATUS        RESTARTS   AGE
cockroachdb-0   1/1       Running       0          2m
cockroachdb-1   1/1       Running       0          2m
cockroachdb-2   1/1       Running       0          2m
cockroachdb-3   0/1       Terminating   0          1m

NAME                       READY     STATUS        RESTARTS   AGE
my-release-cockroachdb-0   1/1       Running       0          2m
my-release-cockroachdb-1   1/1       Running       0          2m
my-release-cockroachdb-2   1/1       Running       0          2m
my-release-cockroachdb-3   0/1       Terminating   0          1m

This will continue until all of the pods have restarted and are running the new image. To check the image of each pod to determine whether they've all be upgraded, run:

$ kubectl get pods -o jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.spec.containers[0].image}{"\n"}'

cockroachdb-0   cockroachdb/cockroach:v2.1.11
cockroachdb-1   cockroachdb/cockroach:v2.1.11
cockroachdb-2   cockroachdb/cockroach:v2.1.11
cockroachdb-3   cockroachdb/cockroach:v2.1.11

my-release-cockroachdb-0    cockroachdb/cockroach:v2.1.11
my-release-cockroachdb-1    cockroachdb/cockroach:v2.1.11
my-release-cockroachdb-2    cockroachdb/cockroach:v2.1.11
my-release-cockroachdb-3    cockroachdb/cockroach:v2.1.11

Finish the upgrade.

Note:
This step is relevant only when upgrading from v2.0.x to v2.1. For upgrades within the v2.1.x series, skip this step.

If you disabled auto-finalization in step 1 above, monitor the stability and performance of your cluster for as long as you require to feel comfortable with the upgrade (generally at least a day). If during this time you decide to roll back the upgrade, repeat the rolling restart procedure with the old binary.

Once you are satisfied with the new version, re-enable auto-finalization:
1. Get a shell into the pod with the cockroach binary created earlier and start the CockroachDB built-in SQL client:
```
$ kubectl exec -it cockroachdb-client-secure -- ./cockroach sql --certs-dir=/cockroach-certs --host=cockroachdb-public
```
```
$ kubectl exec -it cockroachdb-client-secure -- ./cockroach sql --certs-dir=/cockroach-certs --host=my-release-cockroachdb-public
```
2. Re-enable auto-finalization:
```
> RESET CLUSTER SETTING cluster.preserve_downgrade_option;
```

Stop the cluster

To shut down the CockroachDB cluster:

Delete all of the resources associated with the cockroachdb label, including the logs, remote persistent volumes, and Prometheus and Alertmanager resources:

$ kubectl delete pods,statefulsets,services,persistentvolumeclaims,persistentvolumes,poddisruptionbudget,jobs,rolebinding,clusterrolebinding,role,clusterrole,serviceaccount,alertmanager,prometheus,prometheusrule,serviceMonitor -l app=cockroachdb

pod "cockroachdb-0" deleted
pod "cockroachdb-1" deleted
pod "cockroachdb-2" deleted
service "alertmanager-cockroachdb" deleted
service "cockroachdb" deleted
service "cockroachdb-public" deleted
persistentvolumeclaim "datadir-cockroachdb-0" deleted
persistentvolumeclaim "datadir-cockroachdb-1" deleted
persistentvolumeclaim "datadir-cockroachdb-2" deleted
poddisruptionbudget "cockroachdb-budget" deleted
job "cluster-init-secure" deleted
rolebinding "cockroachdb" deleted
clusterrolebinding "cockroachdb" deleted
clusterrolebinding "prometheus" deleted
role "cockroachdb" deleted
clusterrole "cockroachdb" deleted
clusterrole "prometheus" deleted
serviceaccount "cockroachdb" deleted
serviceaccount "prometheus" deleted
alertmanager "cockroachdb" deleted
prometheus "cockroachdb" deleted
prometheusrule "prometheus-cockroachdb-rules" deleted
servicemonitor "cockroachdb" deleted

Delete the pod created for cockroach client commands, if you didn't do so earlier:
```
$ kubectl delete pod cockroachdb-client-secure
```
```
pod "cockroachdb-client-secure" deleted
```

Get the names of the CSRs for the cluster:

$ kubectl get csr

NAME                                                   AGE       REQUESTOR                               CONDITION
default.client.root                                    1h        system:serviceaccount:default:default   Approved,Issued
default.node.cockroachdb-0                             1h        system:serviceaccount:default:default   Approved,Issued
default.node.cockroachdb-1                             1h        system:serviceaccount:default:default   Approved,Issued
default.node.cockroachdb-2                             1h        system:serviceaccount:default:default   Approved,Issued
default.node.cockroachdb-3                             12m       system:serviceaccount:default:default   Approved,Issued
node-csr-0Xmb4UTVAWMEnUeGbW4KX1oL4XV_LADpkwjrPtQjlZ4   1h        kubelet                                 Approved,Issued
node-csr-NiN8oDsLhxn0uwLTWa0RWpMUgJYnwcFxB984mwjjYsY   1h        kubelet                                 Approved,Issued
node-csr-aU78SxyU69pDK57aj6txnevr7X-8M3XgX9mTK0Hso6o   1h        kubelet                                 Approved,Issued

Delete the CSRs that you created:

$ kubectl delete csr default.client.root default.node.cockroachdb-0 default.node.cockroachdb-1 default.node.cockroachdb-2 default.node.cockroachdb-3

certificatesigningrequest "default.client.root" deleted
certificatesigningrequest "default.node.cockroachdb-0" deleted
certificatesigningrequest "default.node.cockroachdb-1" deleted
certificatesigningrequest "default.node.cockroachdb-2" deleted
certificatesigningrequest "default.node.cockroachdb-3" deleted

Get the names of the secrets for the cluster:

$ kubectl get secrets

NAME                         TYPE                                  DATA      AGE
alertmanager-cockroachdb          Opaque                                1         1h
default-token-d9gff               kubernetes.io/service-account-token   3         5h
default.client.root               Opaque                                2         5h
default.node.cockroachdb-0        Opaque                                2         5h
default.node.cockroachdb-1        Opaque                                2         5h
default.node.cockroachdb-2        Opaque                                2         5h
default.node.cockroachdb-3        Opaque                                2         5h
prometheus-operator-token-bpdv8   kubernetes.io/service-account-token   3         3h

Delete the secrets that you created:

$ kubectl delete secrets alertmanager-cockroachdb default.client.root default.node.cockroachdb-0 default.node.cockroachdb-1 default.node.cockroachdb-2 default.node.cockroachdb-3

secret "alertmanager-cockroachdb" deleted
secret "default.client.root" deleted
secret "default.node.cockroachdb-0" deleted
secret "default.node.cockroachdb-1" deleted
secret "default.node.cockroachdb-2" deleted
secret "default.node.cockroachdb-3" deleted

Stop Kubernetes:
- Hosted GKE:
```
$ gcloud container clusters delete cockroachdb
```
- Manual GCE:
```
$ cluster/kube-down.sh
```
- Manual AWS:
```
$ cluster/kube-down.sh
```
Warning:

If you stop Kubernetes without first deleting the persistent volumes, they will still exist in your cloud project.

Cockroach
University

Docs Hub

Orchestrate CockroachDB in a Single Kubernetes Cluster

Before you begin

Kubernetes terminology

Limitations

Kubernetes version

Storage

Step 1. Start Kubernetes

Hosted GKE

Manual GCE

Manual AWS

Step 2. Start CockroachDB

Step 3. Use the built-in SQL client

Step 4. Access the Admin UI

Step 5. Simulate node failure

Step 6. Set up monitoring and alerting

Configure Prometheus

Configure Alertmanager

Step 7. Maintain the cluster

Add nodes

Remove nodes

Upgrade the cluster

Stop the cluster

See also

Cockroach University

Docs Hub

Cockroach University

Docs Hub

Orchestrate CockroachDB in a Single Kubernetes Cluster

Before you begin

Kubernetes terminology

Limitations

Kubernetes version

Storage

Step 1. Start Kubernetes

Hosted GKE

Manual GCE

Manual AWS

Step 2. Start CockroachDB

Step 3. Use the built-in SQL client

Step 4. Access the Admin UI

Step 5. Simulate node failure

Step 6. Set up monitoring and alerting

Configure Prometheus

Configure Alertmanager

Step 7. Maintain the cluster

Add nodes

Remove nodes

Upgrade the cluster

Stop the cluster

See also

Cockroach
University

Cockroach
University