{"id":28763777,"url":"https://github.com/cockroachdb/helm-charts","last_synced_at":"2025-06-17T09:10:29.330Z","repository":{"id":37921990,"uuid":"274705319","full_name":"cockroachdb/helm-charts","owner":"cockroachdb","description":"Helm charts for cockroachdb","archived":false,"fork":false,"pushed_at":"2025-06-12T13:55:23.000Z","size":1026,"stargazers_count":92,"open_issues_count":73,"forks_count":153,"subscribers_count":47,"default_branch":"master","last_synced_at":"2025-06-13T14:02:33.076Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/cockroachdb.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2020-06-24T15:35:15.000Z","updated_at":"2025-06-12T13:55:25.000Z","dependencies_parsed_at":"2024-03-25T23:30:34.857Z","dependency_job_id":"b58f5bd0-9827-4e07-9f09-e347fcbe769c","html_url":"https://github.com/cockroachdb/helm-charts","commit_stats":null,"previous_names":[],"tags_count":1,"template":false,"template_full_name":null,"purl":"pkg:github/cockroachdb/helm-charts","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cockroachdb%2Fhelm-charts","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cockroachdb%2Fhelm-charts/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cockroachdb%2Fhelm-charts/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cockroachdb%2Fhelm-charts/manifests","owner_url":"https://repos.ecosyste
.ms/api/v1/hosts/GitHub/owners/cockroachdb","download_url":"https://codeload.github.com/cockroachdb/helm-charts/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cockroachdb%2Fhelm-charts/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":260326793,"owners_count":22992388,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2025-06-17T09:10:28.102Z","updated_at":"2025-06-17T09:10:29.299Z","avatar_url":"https://github.com/cockroachdb.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# CockroachDB Helm Charts Repository\n\n[CockroachDB](https://github.com/cockroachdb/cockroach) - the open source, cloud-native distributed SQL database.\n\n\n# Charts\n\n- [cockroachdb](cockroachdb)\n\n# Self-Cert-Signer Utility\n\nThe Certificate Self-Signer utility allows the cockroachdb helm chart to deploy a secure cluster\nwithout depending on an outside tool to create or sign its certificates.\n\nYou can enable or disable this utility by setting the `tls.certs.selfSigner.enabled` option to true or false.\n\n## Certificates and CA managed by cockroachdb\n\nThis option allows cockroachdb to generate the CA, node and client certificates and use those certificates to form a secure\ncockroachdb cluster. The user can configure the duration and expiry window of each certificate type. 
The following options are provided as\ndefault values, in hours.\n\n```shell\n# Minimum Certificate duration for all the certificates, all certs duration will be validated against this.\ntls.certs.selfSigner.minimumCertDuration: 624h\n# Duration of CA certificates in hours\ntls.certs.selfSigner.caCertDuration: 43800h\n# Expiry window of CA certificates means a window before actual expiry in which CA certs should be rotated.\ntls.certs.selfSigner.caCertExpiryWindow: 648h\n# Duration of Client certificates in hours\ntls.certs.selfSigner.clientCertDuration: 672h\n# Expiry window of client certificates means a window before actual expiry in which client certs should be rotated.\ntls.certs.selfSigner.clientCertExpiryWindow: 48h\n# Duration of node certificates in hours\ntls.certs.selfSigner.nodeCertDuration: 8760h\n# Expiry window of node certificates means a window before actual expiry in which node certs should be rotated.\ntls.certs.selfSigner.nodeCertExpiryWindow: 168h\n```\n\nThe user can configure these durations, subject to the following validations:\n\n1. CaCertExpiryWindow should be greater than minimumCertDuration.\n2. For the other certificates, certificateDuration - certificateExpiryWindow should be greater than minimumCertDuration.\n\nThis utility also handles rotation of certificates as they near expiry. You can enable or disable certificate\nrotation with the following setting:\n\n```shell\n# If set, the cockroachdb cert selfSigner will rotate the certificates before expiry.\ntls.certs.selfSigner.rotateCerts: true\n```\n\n## Certificate managed by cockroachdb and CA provided by user\n\nIf the user has a custom CA that they already use for certificate signing in their organisation, this utility provides a way\nfor the user to provide the custom CA. 
All the node and client certificates are signed by this user-provided CA.\n\nTo provide the CA certificate to crdb, you have to create a tls certificate with `ca.crt` and `ca.key` and provide the\nsecret as:\n\n```shell\n# If set, the user should provide the CA certificate to sign other certificates.\ntls.certs.selfSigner.caProvided: true\n# It holds the name of the secret with caCerts. If caProvided is set, this can not be empty.\ntls.certs.selfSigner.caSecret: \"custom-ca-secret\"\n```\n\nYou can still configure the duration and expiry window of the certificates:\n\n```shell\n# Minimum Certificate duration for all the certificates, all certs duration will be validated against this.\ntls.certs.selfSigner.minimumCertDuration: 624h\n# Expiry window of CA certificates means a window before actual expiry in which CA certs should be rotated.\ntls.certs.selfSigner.caCertExpiryWindow: 648h\n# Duration of Client certificates in hours\ntls.certs.selfSigner.clientCertDuration: 672h\n# Expiry window of client certificates means a window before actual expiry in which client certs should be rotated.\ntls.certs.selfSigner.clientCertExpiryWindow: 48h\n# Duration of node certificates in hours\ntls.certs.selfSigner.nodeCertDuration: 8760h\n# Expiry window of node certificates means a window before actual expiry in which node certs should be rotated.\ntls.certs.selfSigner.nodeCertExpiryWindow: 168h\n```\n\nThis utility only handles the rotation of client and node certificates; the rotation of the custom CA should be done by the user.\n\n\n## Installation of Helm chart\n\nWhen you install a cockroachdb cluster with the self-signer enabled, you will see the self-signer job.\n\n```\n$ kubectl get pods\n\nNAME                                 READY   STATUS    RESTARTS   AGE\ncrdb-cockroachdb-self-signer-mmxp8   1/1     Running   0          15s\n```\n\nThis job generates the CA, client and node certificates based on the user input described in the previous section. 
You can\nsee the following secrets representing each certificate:\n\n```\n$ kubectl get secrets \n\nNAME                                       TYPE                                  DATA   AGE\ncrdb-cockroachdb-ca-secret                 Opaque                                2      3m10s\ncrdb-cockroachdb-client-secret             kubernetes.io/tls                     3      3m9s\ncrdb-cockroachdb-node-secret               kubernetes.io/tls                     3      3m10s\ncrdb-cockroachdb-self-signer-token-qcc72   kubernetes.io/service-account-token   3      3m29s\ncrdb-cockroachdb-token-jpbms               kubernetes.io/service-account-token   3      3m8s\ndefault-token-gmhdf                        kubernetes.io/service-account-token   3      11m\nsh.helm.release.v1.crdb.v1                 helm.sh/release.v1                    1      3m30s\n```\n\nAfter this, the cockroachdb init job starts and copies these certificates to each node:\n\n```\n$ kubectl get pods\n\nNAME                          READY   STATUS     RESTARTS   AGE\ncrdb-cockroachdb-0            0/1     Init:0/1   0          18s\ncrdb-cockroachdb-1            0/1     Init:0/1   0          18s\ncrdb-cockroachdb-2            0/1     Init:0/1   0          18s\ncrdb-cockroachdb-init-fclbb   1/1     Running    0          16s\n```\n\nFinally, the cockroachdb cluster reaches the running state with the following output:\n\n```\n$ helm install crdb ./cockroachdb\n\nNAME: crdb\nLAST DEPLOYED: Thu Aug 19 18:03:37 2021\nNAMESPACE: crdb\nSTATUS: deployed\nREVISION: 1\nNOTES:\nCockroachDB can be accessed via port 26257 at the\nfollowing DNS name from within your cluster:\n\ncrdb-cockroachdb-public.crdb.svc.cluster.local\n\nBecause CockroachDB supports the PostgreSQL wire protocol, you can connect to\nthe cluster using any available PostgreSQL client.\n\nNote that because the cluster is running in secure mode, any client application\nthat you attempt to connect will either need to have a valid client certificate\nor a 
valid username and password.\n\nFinally, to open up the CockroachDB admin UI, you can port-forward from your\nlocal machine into one of the instances in the cluster:\n\n    kubectl port-forward crdb-cockroachdb-0 8080\n\nThen you can access the admin UI at https://localhost:8080/ in your web browser.\n\nFor more information on using CockroachDB, please see the project's docs at:\nhttps://www.cockroachlabs.com/docs/\n```\n\n## Upgrade of cockroachdb cluster\n\nKick off the upgrade process by changing to the new Docker image, where `$new_version` is the CockroachDB version to which you are upgrading:\n\n```shell\n$ helm upgrade crdb ./cockroachdb \\\n--set image.tag=$new_version \\\n--reuse-values --timeout=20m\n```\n\nKubernetes will carry out a safe [rolling upgrade](https://kubernetes.io/docs/tutorials/stateful-application/basic-stateful-set/#updating-statefulsets) of your CockroachDB nodes one-by-one. Monitor the cluster's pods until all have been successfully restarted.\n\nIf the upgrade involves adding a new Persistent Volume Claim to the existing pods (e.g. 
enabling WAL Failover, pushing logs to a separate volume, etc.), refer to the documentation in [this](https://github.com/cockroachdb/helm-charts/tree/master/cockroachdb#chart-version-300-and-after) section.\n\n## Migration from Kubernetes Signed Certificates to Self-Signer Certificates\n\nKubernetes signed certificates are deprecated from Kubernetes v1.22+ and users will not be able to use this method for\nsigning certificates.\n\nUsers can move away from the old Kubernetes signed certificates by performing the following steps:\n\nRun the upgrade command with the upgrade strategy set to \"OnDelete\", which only upgrades the pods when they are deleted by the user.\n\n```shell\n$ helm upgrade crdb cockroachdb --set statefulset.updateStrategy.type=\"OnDelete\" --timeout=20m\n```\n\nMonitor all the pods; once the init-job is created, you can delete all the cockroachdb pods with the following command:\n\n```shell\n$ kubectl delete pods -l app.kubernetes.io/component=cockroachdb\n```\n\nThis will delete all the cockroachdb pods and restart the cluster with new certificates generated by the self-signer utility.\nThe migration involves some downtime because all the pods are upgraded at the same time instead of through a rolling update.\n\n## Installation of Helm Chart with Cert Manager\n\nYou should have [cert manager \u003e=1.0](https://cert-manager.io/docs/installation/) installed.\n\nCreate an Issuer for signing the self-signed CA certificate.\n\n```yaml\napiVersion: cert-manager.io/v1\nkind: Issuer\nmetadata:\n  name: cockroachdb\nspec:\n  selfSigned: {}\n```\n\nNow you can enable the cert-manager from `values.yaml` as follows:\n\n```yaml\n# Disable the self signing certificates for cockroachdb\ntls.certs.selfSigner.enabled: false\n# Enable the cert manager\ntls.certs.certManager: true\n# Provide the kind\ntls.certs.certManagerIssuer.kind: Issuer\n# Provide the Issuer you have created in previous step\ntls.certs.certManagerIssuer.name: cockroachdb\n```\n\n```shell\n$ helm install crdb 
./cockroachdb\n\nNAME: crdb\nLAST DEPLOYED: Fri Aug  4 14:42:11 2023\nNAMESPACE: crdb\nSTATUS: deployed\nREVISION: 1\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcockroachdb%2Fhelm-charts","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcockroachdb%2Fhelm-charts","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcockroachdb%2Fhelm-charts/lists"}