docs/content/v2024.1/yugabyte-platform/create-deployments/create-universe-multi-zone-kubernetes.md
YugabyteDB Anywhere allows you to create a universe in one geographic region across multiple availability zones using Kubernetes as a cloud provider.
Before you start creating a universe, ensure that you have performed the steps described in Create Kubernetes provider configuration.
Note that the provider example used in this document has a cluster-level admin access.
To start, navigate to Dashboard or Universes, click Create Universe and complete the first two fields of the Cloud Configuration section:
In the Name field, enter the name for the YugabyteDB universe using lowercase characters (for example, yb-k8s).
Use the Provider field to select the appropriate Kubernetes cloud (for example, multilane-k8s-portal-yb). Notice that additional fields appear.
Complete the rest of the Cloud Configuration section as follows:
Use the Regions field to select the region. This enables the Availability Zones option that allows you to see zones belonging to that region.
Provide the value in the Pods field. This value should be equal to or greater than the replication factor. The default value is 3. When this value is supplied, the pods (also known as nodes) are automatically placed across all the availability zones to guarantee the maximum availability.
In the Replication Factor field, define the replication factor, as per the following illustration:
Complete the Instance Configuration section {{<tags/feature/ea>}} for TServer and Master as follows:
- Number of Cores - specify the total number of processing cores or CPUs assigned to the TServer and Master.
- Memory (GiB) - specify the memory allocation of the TServer and Master.
- Volume Info - specify the number of volumes multiplied by size for the TServer and Master. The default is 1 x 100GB.
Enable the YSQL and YCQL endpoints and database authentication.
Enter the password to use for the default database admin superuser (for YSQL the user is yugabyte, and for YCQL cassandra). Be sure to save your password; the password is not saved in YugabyteDB Anywhere. For more information, refer to Database authorization.
By default, the API endpoints use ports 5433 (YSQL) and 9042 (YCQL). You can customize these ports.
Enable encryption in transit to encrypt universe traffic. You can enable the following:
- Node-to-Node TLS to encrypt traffic between universe nodes.
- Client-to-Node TLS to encrypt traffic between universe nodes and external clients.
Note that if you want to enable Client-to-Node encryption, you first must enable Node-to-Node encryption.
Encryption requires a certificate. YugabyteDB Anywhere can generate a self-signed certificate automatically, or you can use your own certificate.
To use your own, you must first add it to YugabyteDB Anywhere; refer to Add certificates.
To have YugabyteDB Anywhere generate a certificate for the universe, use the default Root Certificate setting of Create New Certificate. To use a certificate you added or a previously generated certificate, select it from the Root Certificate menu.
For more information on using and managing certificates, refer to Encryption in transit.
To encrypt the universe data, select the Enable encryption at rest option and select the KMS configuration to use for encryption. For more information, refer to Encryption at rest.
Complete the Advanced section as follows:
Optionally, complete the G-Flags section as follows:
- Click Add Flags > Add to Master to specify YB-Master server parameters, one parameter per field.
- Click Add Flags > Add to T-Server to specify YB-TServer server parameters, one parameter per field.
For details, see the following:
Optionally, use the Helm Overrides section, as follows:
Click Add Kubernetes Overrides to open the Kubernetes Overrides dialog shown in the following illustration:
Using the YAML format (which is sensitive to spacing and indentation), specify the universe-level overrides for YB-Master and YB-TServer, as per the following example:
```yaml
master:
  podLabels:
    service-type: 'database'
```
Add availability zone overrides, which only apply to pods that are deployed in that specific availability zone. For example, to define overrides for the availability zone us-west-2a, you would click Add Availability Zone and use the text area to insert YAML in the following form:
```yaml
us-west-2a:
  master:
    podLabels:
      service-type: 'database'
```
If you specify conflicting overrides, YugabyteDB Anywhere uses the following order of precedence, from highest to lowest: universe availability zone-level overrides, universe-level overrides, provider overrides.
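The following added example (not YugabyteDB Anywhere code) shows how the three override layers resolve for a given zone under the stated precedence. It assumes the layers are combined by a recursive (deep) merge of the parsed YAML, which is how Helm layers values files; the dicts are the parsed form of constructed sample overrides.

```python
# Added example, not YugabyteDB Anywhere code. Assumption: the provider,
# universe-level and AZ-level overrides are combined by a deep merge of the
# parsed YAML, with AZ-level winning over universe-level over provider.
from copy import deepcopy


def deep_merge(base, override):
    """Return a new mapping where keys in `override` win over `base`,
    recursing into nested mappings instead of replacing them wholesale."""
    merged = deepcopy(base)
    for key, value in override.items():
        if isinstance(value, dict) and isinstance(merged.get(key), dict):
            merged[key] = deep_merge(merged[key], value)
        else:
            merged[key] = deepcopy(value)
    return merged


def effective_overrides(provider, universe, az_overrides, zone):
    """Resolve the overrides applied to pods in `zone`:
    AZ-level > universe-level > provider-level."""
    result = deep_merge(provider, universe)
    return deep_merge(result, az_overrides.get(zone, {}))


# Constructed sample layers (parsed YAML as dicts).
PROVIDER = {
    "master": {"podLabels": {"service-type": "database", "owner": "platform"}},
    "tserver": {"readinessProbe": {"enabled": False}},
}
UNIVERSE = {
    "master": {"podLabels": {"service-type": "oltp"}},
    "tserver": {"readinessProbe": {"enabled": True}},
}
AZ = {"us-west-2a": {"master": {"podLabels": {"service-type": "oltp-2a"}}}}

if __name__ == "__main__":
    for zone in ("us-west-2a", "us-west-2b"):
        # us-west-2a gets the AZ-level label; us-west-2b falls back to the
        # universe-level one; the provider's "owner" label survives in both.
        print(zone, effective_overrides(PROVIDER, UNIVERSE, AZ, zone))
```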
If you want to enable GKE service account-based IAM for backup and restore using GCS at the universe level, add the following overrides:
```yaml
tserver:
  serviceAccount: <KSA_NAME>
  nodeSelector:
    iam.gke.io/gke-metadata-server-enabled: "true"
```
If you don't provide namespace names for each zone/region during provider creation, add the names using the following steps:
To enable the GKE service account service at the provider level, refer to Overrides.
If you want to enable readiness probes {{<tags/feature/ea>}}, add the following overrides:
```yaml
master:
  readinessProbe:
    enabled: true
tserver:
  readinessProbe:
    enabled: true
```
Select Force Apply if you want to override any previous overrides.
Click Validate & Save.
If there are any errors in your overrides definitions, a detailed error message is displayed. You can correct the errors and try to save again. To save your Kubernetes overrides regardless of any validation errors, select Force Apply.
The final step is to click Create and wait for the YugabyteDB cluster to appear.
The following illustration shows the universe in its pending state:
The universe view consists of several tabs that provide different information about this universe.
The following illustration shows the Overview tab of a newly-created universe:
If you have defined Helm overrides for your universe, you can modify them at any time through Overview by clicking Actions > Edit Kubernetes Overrides.
The following illustration shows the Nodes tab that allows you to see a list of nodes with their addresses:
You can create a connection to a node as follows:
Click Connect to access the information about the universe's endpoints to which to connect.
On a specific node, click Actions > Connect to access the kubectl commands that you need to copy and use to connect to the node.
For information on how to connect to the universe from the Kubernetes cluster, as well as remotely, see Connect YugabyteDB clusters.
By default, each zone has its own YB-TServer service, and you can use this service to connect to the universe. Optionally, you can create an additional highly available common service across all zones as follows.
Note that this requires all the zone deployments to be in the same namespace.
Set the following Kubernetes overrides to add the universe-name label on the YB-TServer pods. You can do this when you create the universe or by modifying the Kubernetes overrides of an existing universe.
```yaml
tserver:
  podLabels:
    universe-name: yb-k8s
```
Save the following to a file named yb-tserver-common-service.yaml. You can customize the service type, annotations, and the label selector as required.
```yaml
# yb-tserver-common-service.yaml
apiVersion: v1
kind: Service
metadata:
  name: yb-k8s-common-tserver
  labels:
    app.kubernetes.io/name: yb-tserver
  # annotations:
  #   networking.gke.io/load-balancer-type: "Internal"
spec:
  type: ClusterIP
  selector:
    app.kubernetes.io/name: yb-tserver
    # This value must match the universe-name label set in step 1.
    universe-name: yb-k8s
  ports:
  # Modify the ports if using non-standard ports.
  - name: tcp-yql-port
    port: 9042
  - name: tcp-ysql-port
    port: 5433
```
Run the following command to create the service in the universe's namespace (yb-prod-yb-k8s in this example).
```sh
$ kubectl apply -f yb-tserver-common-service.yaml -n yb-prod-yb-k8s
```
After the service YAML is applied, in this example you would access the universe at yb-k8s-common-tserver.yb-prod-yb-k8s.svc.cluster.local.
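Because the common Service only reaches pods in its own namespace that carry every selector label, it is worth checking that a TServer pod in each zone is actually selected before relying on it. The following added example (not part of YugabyteDB Anywhere) audits a pod listing against the Service above; the pod records are constructed to mimic the fields of `kubectl get pods -o json`, and reading the zone from the topology.kubernetes.io/zone label is an assumption about how your cluster labels pods.

```python
# Added example, not YugabyteDB Anywhere code. Pod records below are
# constructed samples in the shape of `kubectl get pods -o json` items.
SERVICE = {
    "namespace": "yb-prod-yb-k8s",
    "selector": {"app.kubernetes.io/name": "yb-tserver", "universe-name": "yb-k8s"},
}
TSERVER = "yb-tserver"
ZONE_LABEL = "topology.kubernetes.io/zone"  # assumption: zone label used by the cluster

PODS = [
    {"metadata": {"name": "yb-tserver-0", "namespace": "yb-prod-yb-k8s",
                  "labels": {"app.kubernetes.io/name": TSERVER, "universe-name": "yb-k8s",
                             ZONE_LABEL: "us-west-2a"}}},
    # Missing the universe-name label from step 1: the selector will skip it.
    {"metadata": {"name": "yb-tserver-1", "namespace": "yb-prod-yb-k8s",
                  "labels": {"app.kubernetes.io/name": TSERVER, ZONE_LABEL: "us-west-2b"}}},
    # Deployed in another namespace: a namespaced Service cannot select it.
    {"metadata": {"name": "yb-tserver-2", "namespace": "yb-prod-other",
                  "labels": {"app.kubernetes.io/name": TSERVER, "universe-name": "yb-k8s",
                             ZONE_LABEL: "us-west-2c"}}},
    {"metadata": {"name": "yb-master-0", "namespace": "yb-prod-yb-k8s",
                  "labels": {"app.kubernetes.io/name": "yb-master", "universe-name": "yb-k8s",
                             ZONE_LABEL: "us-west-2a"}}},
]


def matches(labels, selector):
    """Kubernetes equality selector: every selector label must be present and equal."""
    return all(labels.get(k) == v for k, v in selector.items())


def audit_common_service(service, pods, expected_zones):
    """Report which zones the Service selects a TServer in, which TServer pods
    it cannot reach and why, and which expected zones have no selected pod."""
    selected, unreachable = {}, []
    for pod in pods:
        meta = pod["metadata"]
        labels = meta.get("labels", {})
        is_tserver = labels.get("app.kubernetes.io/name") == TSERVER
        if meta["namespace"] != service["namespace"]:
            if is_tserver and matches(labels, service["selector"]):
                unreachable.append((meta["name"], "different namespace"))
            continue
        if not matches(labels, service["selector"]):
            if is_tserver:
                unreachable.append((meta["name"], "selector labels missing"))
            continue
        selected.setdefault(labels.get(ZONE_LABEL, "unknown"), []).append(meta["name"])
    missing = sorted(set(expected_zones) - set(selected))
    return {"selected": selected, "unreachable": unreachable, "missing_zones": missing}
```

Run `audit_common_service(SERVICE, PODS, ["us-west-2a", "us-west-2b", "us-west-2c"])` to see that only us-west-2a is served and why the other two zones are not.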