This is no longer recommended way to deploy CockroachDB, please see utilitywarehouse/cockroachdb-manifests for the latest recommended deployment.
Utility to get TLS certificates for cockroach nodes and clients from cfssl CA. It is inspired by a similar tool that uses Kubernetes CA from cockroach.
The Docker image for this tool is intended to be used in initContainers. Below are example configurations of initContainers for a database client and a database node itself.
Note that USER should be the name of the database user that
this certificate is going to be used for. The user name will be
used as a common name in the certificate.
initContainers:
- name: init-certs
image: registry.uw.systems/cockroach-cfssl-certs:initial
imagePullPolicy: Always
command: ["cockroach-certs"]
env:
- name: CERTIFICATE_TYPE
value: "client"
- name: USER
value: "root"
- name: CERTS_DIR
value: "/cockroach-certs"
- name: CA_PROFILE
value: "client"
- name: CA_ADDRESS
valueFrom:
configMapKeyRef:
name: config
key: ca.endpoint
- name: CA_AUTH_KEY
valueFrom:
secretKeyRef:
key: auth.key
name: ca-auth-key
volumeMounts:
- name: client-certs
mountPath: /cockroach-certs
initContainers:
- name: init-certs
image: registry.uw.systems/cockroach-cfssl-certs:initial
imagePullPolicy: Always
command:
- "sh"
- "-c"
- >
cockroach-certs
--host=localhost
--host=127.0.0.1
--host=$(hostname -f)
--host=$(hostname -f|cut -f 1-2 -d '.')
--host=cockroachdb-public
--host=cockroachdb-public.$(hostname -f|cut -f 3- -d '.')
env:
- name: CERTIFICATE_TYPE
value: "node"
- name: CERTS_DIR
value: "/cockroach-certs"
- name: CA_PROFILE
value: "client-server"
- name: CA_ADDRESS
valueFrom:
configMapKeyRef:
name: config
key: ca.endpoint
- name: CA_AUTH_KEY
valueFrom:
secretKeyRef:
key: auth.key
name: ca-auth-key
volumeMounts:
- name: certs
mountPath: /cockroach-certs