When you configure a cluster, an instance, an app, and a default subclient are created automatically.
Before You Begin
The user account must have the following privileges:
- Backup (System-level)
- Restore (System-level)
- Create (Database-level): to restore a table into an existing database when the table does not exist.
- Drop (Database- and Table-level): to restore a database or tables over an existing database or tables.
Pre-requisites
- If SSL is configured on the cluster, copy the following to the access node:
  - The Certificate Authority (CA) certificate. For more information, see cockroach cert.
  - The client certificate and key for the CockroachDB user (optional).
  - If multiple access nodes are used, the files must be copied to the same path on all access nodes.
- Configuration requirement for CockroachDB deployed on AWS EC2
  - If the access node is outside the virtual private cloud (VPC) of the CockroachDB or load balancer (LB) nodes, complete the following:
    - Create a peering connection between the access node VPC and the CockroachDB/LB node VPC.
    - In the CockroachDB VPC security group, the cluster port (port 26257 by default) must be opened.
    - Both the access node and the CockroachDB cluster nodes must be able to reach the S3 bucket.
- To configure the CockroachDB instance, make the following entries while adding the CockroachDB cluster:
  - Host: the full name or public IP of the load balancer, or any CockroachDB host.
  - Port number: the listener port configured on the load balancer (if an LB is configured), or the CockroachDB port.
- To use IAM role authentication for the S3 bucket, the IAM role needs at least the following permissions:
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "IAMAssumeRolePrivileges",
        "Effect": "Allow",
        "Action": [
          "s3:GetObject",
          "s3:PutObject",
          "s3:ListBucket",
          "s3:ListBucketVersions",
          "s3:DeleteObjectVersion",
          "s3:DeleteObject",
          "s3:GetBucketAcl",
          "s3:GetObjectAcl",
          "s3:PutBucketAcl",
          "s3:PutObjectAcl",
          "s3:PutObjectVersionAcl"
        ],
        "Resource": "*"
      }
    ]
  }
  For more information about the permissions for the IAM role, refer to Amazon S3 assume role.
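The policy above grants every listed action on "Resource": "*", that is, on every bucket the role can see. As an added example (not from the original page or from Commvault), this shell function emits the same set of actions scoped to a single staging bucket, with bucket-level actions on the bucket ARN and object-level actions on its objects; the bucket name is a placeholder you pass in:

```shell
#!/bin/sh
# Added example: emit an IAM policy with the page's S3 actions, but scoped to one
# staging bucket instead of "Resource": "*". The bucket name is a placeholder.
# Bucket-level actions go on the bucket ARN, object-level actions on bucket/*.
scoped_s3_policy() {
    bucket="$1"
    [ -n "$bucket" ] || { echo "usage: scoped_s3_policy BUCKET" >&2; return 1; }
    cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CockroachStagingBucket",
      "Effect": "Allow",
      "Action": [ "s3:ListBucket", "s3:ListBucketVersions",
                  "s3:GetBucketAcl", "s3:PutBucketAcl" ],
      "Resource": "arn:aws:s3:::${bucket}"
    },
    {
      "Sid": "CockroachStagingObjects",
      "Effect": "Allow",
      "Action": [ "s3:GetObject", "s3:PutObject", "s3:DeleteObject",
                  "s3:DeleteObjectVersion", "s3:GetObjectAcl",
                  "s3:PutObjectAcl", "s3:PutObjectVersionAcl" ],
      "Resource": "arn:aws:s3:::${bucket}/*"
    }
  ]
}
EOF
}
```

Redirect the output to a file and attach it as the role's policy document in place of the wildcard version.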
Procedure
- From the Command Center navigation pane, go to Protect > Big data.
  The Big data page appears.
- Click Add cluster.
  The Configure Big Data App page appears.
- Select CockroachDB, and then click Next.
  The Configure CockroachDB Cluster page appears.
- Select an existing access node from the Access node list or add a new access node, and then click Next.
- Select an existing backup plan or add a new backup plan, and then click Next.
  The Add CockroachDB Cluster page appears.
- In the Cluster name box, enter a name for the cluster.
- In the Host box, enter the name of the load balancer (LB) or of any CockroachDB host.
- In the Port number box, enter the port number used for the CockroachDB connection.
- Under Database authentication, from the Database credential name list, select a credential or add a new credential. To add a new credential, do the following:
  Steps to add a credential
  - Click the + icon beside the Credentials list.
    The Add Credential dialog box appears.
  - In the Credential vault box, select a credential vault to store, share, and update account credentials with shared resources in your environment.
  - In the Credential name box, enter a name for the database user's credential.
  - In the Username box, enter the user name of the database user account.
  - In the Password box, enter the password of the database user.
  - In the Description box, enter a description of the credential.
  - Click Save.
- Under S3 Authentication, enter the following details:
  - From the Authentication list, select one of the following options:
    - Access and secret keys
    - IAM Role
  - If you select Access and secret keys, from the Storage credential name list, select an existing storage credential or add a new credential. To add a new credential, do the following:
    Steps to add a credential
    - In Vendor Type, Amazon Web Services is selected by default.
    - In Authentication type, Access & secret keys is selected by default.
    - From the Credential Vault list, select the credential vault to add the credential to.
    - In the Credential name box, enter the name of the credential.
    - In the Access key ID box, enter the access key ID of the cloud account.
    - In the Secret access key box, enter the secret access key of the cloud account.
    - Click Save.
  - In the Service host box, enter the Amazon S3 endpoint, in the format s3.amazonaws.com.
    For some cloud service providers, the Service host box is populated with the default value for that provider.
  - In the Staging path box, enter the full path of the staging location to use for backups.
- From the CockroachDB SSL credential list, select an existing SSL credential or add a new credential. To add a new credential, do the following:
  Steps to add a credential
  - In the Credential name box, enter the name of the credential.
  - In the CA Certificate path box, enter the path of the Certificate Authority (CA) certificate file to use with the CockroachDB commands.
  - In the Client certificate path box, enter the path of the client certificate file.
  - In the Client private key path box, enter the path of the client private key file.
    Note
    If SSL is enabled on the cluster nodes, the following rules apply:
    - The SSL CA Certificate path is mandatory.
    - You can define the SSL CA Certificate path and leave the Client certificate path and Client private key path empty.
    - If you define either the Client certificate path or the Client private key path, you must define both.
  - In the Password for the encrypted client private key box, enter the password associated with the private key.
  - Click Save.
- Click Next.
  The Summary page appears, where you can review the CockroachDB cluster configuration details.
- Click Finish.
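Before saving the SSL credential, the three rules in the note above can be checked on the access node where the certificate files were copied. This added preflight (not Commvault's code) takes the CA, client certificate and client key paths as arguments and returns 0 only for a valid combination; beyond the rules themselves it also verifies with openssl that the client certificate chains to the CA:

```shell
#!/bin/sh
# Added preflight for the SSL credential rules in the note above (not Commvault's
# code). Usage: check_ssl_creds CA_PATH [CLIENT_CERT_PATH] [CLIENT_KEY_PATH]
# Returns 0 for a valid combination, 1 otherwise, with the reason on stderr.
check_ssl_creds() {
    ca="$1"; cert="$2"; key="$3"
    # Rule 1: the CA certificate path is mandatory (and the file must be readable).
    if [ -z "$ca" ] || [ ! -r "$ca" ]; then
        echo "CA certificate path is mandatory and must be readable: '$ca'" >&2
        return 1
    fi
    # Rules 2 and 3: client certificate and key are optional, but if either is
    # given, both must be given.
    if [ -n "$cert" ] || [ -n "$key" ]; then
        if [ -z "$cert" ] || [ -z "$key" ]; then
            echo "client certificate path and client private key path must both be set" >&2
            return 1
        fi
        if [ ! -r "$cert" ] || [ ! -r "$key" ]; then
            echo "client certificate or private key is not readable" >&2
            return 1
        fi
        # Beyond the rules: the client certificate must chain to this CA, or the
        # cluster will reject the connection at backup time.
        if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
            echo "client certificate does not verify against the CA" >&2
            return 1
        fi
    fi
    return 0
}
```

Run it once per access node, since the paths must be identical on all of them.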