Releases: mariadb-operator/mariadb-operator
0.37.1
mariadb-operator 0.37.1 is here! 🦭
We're excited to introduce TLS 🔐 support in this release, one of the major features of mariadb-operator so far! ✨ Check out the TLS docs, our example catalog and the release notes below to start using it.
Warning
Be sure to follow the UPGRADE GUIDE to ensure a seamless transition from previous versions.
Issue certificates for MariaDB and MaxScale
Issuing and configuring TLS certificates for your instances has never been easier, you just need to set tls.enabled=true:
apiVersion: k8s.mariadb.com/v1alpha1
kind: MariaDB
metadata:
name: mariadb-galera
spec:
...
tls:
enabled: trueapiVersion: k8s.mariadb.com/v1alpha1
kind: MaxScale
metadata:
name: maxscale
spec:
...
mariaDbRef:
name: mariadb-galera
tls:
enabled: trueA self-signed Certificate Authority (CA) will be automatically generated to issue leaf certificates for your instances. The operator will also manage a CA bundle that your applications can use in order to establish trust.
TLS will be enabled by default in MariaDB, but it will not enforced. You can enforce TLS connections by setting tls.required=true to ensure that all connections are encrypted. In the case of MaxScale, TLS will only be enabled if you explicitly set tls.enabled=true or the referred MariaDB (via mariaDbRef) instance enforces TLS.
Native integration with cert-manager
cert-manager is the de facto standard for managing certificates in Kubernetes. This certificate controller simplifies the automatic provisioning, management, and renewal of certificates. It supports a variety of certificate backends (e.g. in-cluster, Hashicorp Vault), which are configured using Issuer or ClusterIssuer resources.
In your MariaDB and MaxScale resources, you can directly reference ClusterIssuer or Issuer objects to seamlessly issue certificates:
apiVersion: k8s.mariadb.com/v1alpha1
kind: MariaDB
metadata:
name: mariadb-galera
spec:
...
tls:
enabled: true
serverCertIssuerRef:
name: root-ca
kind: ClusterIssuer
clientCertIssuerRef:
name: root-ca
kind: ClusterIssuerapiVersion: k8s.mariadb.com/v1alpha1
kind: MaxScale
metadata:
name: maxscale-galera
spec:
...
tls:
enabled: true
adminCertIssuerRef:
name: root-ca
kind: ClusterIssuer
listenerCertIssuerRef:
name: root-ca
kind: ClusterIssuerUnder the scenes, the operator will create cert-manager's Certificate resources with all the required Subject Alternative Names (SANs) required by your instances. These certificates will be automatically managed by cert-manager and the CA bundle will be updated by the operator so you can establish trust with your instances.
The advantage of this approach is that you can use any of the cert-manager's certificate backends, such as the in-cluster CA or HashiCorp Vault, and potentially reuse the same Issuer/ClusterIssuer with multiple instances.
Certificate rotation
Whether the certificates are managed by the operator or by cert-manager, they will be automatically renewed before expiration. Additionally, the operator will update the CA bundle whenever the CAs are rotated, temporarily retaining the old CA in the bundle to ensure a seamless update process.
In both scenarios, the standard update strategies apply, allowing you to control how the Pods are restarted during certificate rotation.
TLS requirements for Users
We have extended our User SQL resource to include TLS-specific requirements for user connections over TLS. For example, if you want to enforce the use of a valid x509 certificate for a user to connect:
apiVersion: k8s.mariadb.com/v1alpha1
kind: User
metadata:
name: user
spec:
...
require:
x509: trueTo restrict the subject of the user's certificate and/or require a specific issuer, you may set:
apiVersion: k8s.mariadb.com/v1alpha1
kind: User
metadata:
name: user
spec:
...
require:
issuer: "/CN=mariadb-galera-ca"
subject: "/CN=mariadb-galera-client"If any of these TLS requirements are not satisfied, the user will be unable to connect to the instance.
Automatic updates when Galera options are changed
Whenever Galera options are changed, for example, adding providerOptions:
apiVersion: k8s.mariadb.com/v1alpha1
kind: MariaDB
metadata:
name: mariadb-galera
spec:
...
galera:
enabled: true
+ providerOptions:
+ gcs.fc_limit: '64'An update is now automatically triggered, and the Pods are restarted according to the configured update strategy.
Community contributions
- Support startupProbe in MariaDB and MaxScale by @vixns
- Prevent deadlocks on Database reconcile while transactions are running by @vixns
- Update CronJob template on reconcile by @vixns
- Operator configuration via helm by @sakazuki and @indigo-saito
- Support EKS Service Accounts in S3 by @Skaronator
- Add support for configuring priorityClassName, topologySpreadConstraints, PDB in Helm Chart by @Skaronator
- Exclude dollar signs from generated passwords by @simonhammes
- Fix examples SqlJob secret reference by @driv
- FLUSH PRIVILEGES unnecessary for user/grant manipulation by @grooverdan
Huge thanks to our awesome contributors! 🙇
We value your feedback! If you encounter any issues or have suggestions, please open an issue on GitHub. Your input is crucial to improve mariadb-operator🦭.
Join us on Slack: MariaDB Community Slack.
What's Changed
- Fix TLS defaults in embedded
MaxScaleby @mmontes11 in #1143
Full Changelog: 0.37.0...0.37.1
Contributors
Assets 7
0.37.0
Warning
A patch version 0.37.1 to fix a regression has been released. It is recommended to skip this version and upgrade to 0.37.1 instead
mariadb-operator 0.37.0 is here! 🦭
We're excited to introduce TLS 🔐 support in this release, one of the major features of mariadb-operator so far! ✨ Check out the TLS docs, our example catalog and the release notes below to start using it.
Warning
Be sure to follow the UPGRADE GUIDE to ensure a seamless transition from previous versions.
Issue certificates for MariaDB and MaxScale
Issuing and configuring TLS certificates for your instances has never been easier, you just need to set tls.enabled=true:
apiVersion: k8s.mariadb.com/v1alpha1
kind: MariaDB
metadata:
name: mariadb-galera
spec:
...
tls:
enabled: trueapiVersion: k8s.mariadb.com/v1alpha1
kind: MaxScale
metadata:
name: maxscale
spec:
...
mariaDbRef:
name: mariadb-galera
tls:
enabled: trueA self-signed Certificate Authority (CA) will be automatically generated to issue leaf certificates for your instances. The operator will also manage a CA bundle that your applications can use in order to establish trust.
TLS will be enabled by default in MariaDB, but it will not enforced. You can enforce TLS connections by setting tls.required=true to ensure that all connections are encrypted. In the case of MaxScale, TLS will only be enabled if you explicitly set tls.enabled=true or the referred MariaDB (via mariaDbRef) instance enforces TLS.
Native integration with cert-manager
cert-manager is the de facto standard for managing certificates in Kubernetes. This certificate controller simplifies the automatic provisioning, management, and renewal of certificates. It supports a variety of certificate backends (e.g. in-cluster, Hashicorp Vault), which are configured using Issuer or ClusterIssuer resources.
In your MariaDB and MaxScale resources, you can directly reference ClusterIssuer or Issuer objects to seamlessly issue certificates:
apiVersion: k8s.mariadb.com/v1alpha1
kind: MariaDB
metadata:
name: mariadb-galera
spec:
...
tls:
enabled: true
serverCertIssuerRef:
name: root-ca
kind: ClusterIssuer
clientCertIssuerRef:
name: root-ca
kind: ClusterIssuerapiVersion: k8s.mariadb.com/v1alpha1
kind: MaxScale
metadata:
name: maxscale-galera
spec:
...
tls:
enabled: true
adminCertIssuerRef:
name: root-ca
kind: ClusterIssuer
listenerCertIssuerRef:
name: root-ca
kind: ClusterIssuerUnder the scenes, the operator will create cert-manager's Certificate resources with all the required Subject Alternative Names (SANs) required by your instances. These certificates will be automatically managed by cert-manager and the CA bundle will be updated by the operator so you can establish trust with your instances.
The advantage of this approach is that you can use any of the cert-manager's certificate backends, such as the in-cluster CA or HashiCorp Vault, and potentially reuse the same Issuer/ClusterIssuer with multiple instances.
Certificate rotation
Whether the certificates are managed by the operator or by cert-manager, they will be automatically renewed before expiration. Additionally, the operator will update the CA bundle whenever the CAs are rotated, temporarily retaining the old CA in the bundle to ensure a seamless update process.
In both scenarios, the standard update strategies apply, allowing you to control how the Pods are restarted during certificate rotation.
TLS requirements for Users
We have extended our User SQL resource to include TLS-specific requirements for user connections over TLS. For example, if you want to enforce the use of a valid x509 certificate for a user to connect:
apiVersion: k8s.mariadb.com/v1alpha1
kind: User
metadata:
name: user
spec:
...
require:
x509: trueTo restrict the subject of the user's certificate and/or require a specific issuer, you may set:
apiVersion: k8s.mariadb.com/v1alpha1
kind: User
metadata:
name: user
spec:
...
require:
issuer: "/CN=mariadb-galera-ca"
subject: "/CN=mariadb-galera-client"If any of these TLS requirements are not satisfied, the user will be unable to connect to the instance.
Automatic updates when Galera options are changed
Whenever Galera options are changed, for example, adding providerOptions:
apiVersion: k8s.mariadb.com/v1alpha1
kind: MariaDB
metadata:
name: mariadb-galera
spec:
...
galera:
enabled: true
+ providerOptions:
+ gcs.fc_limit: '64'An update is now automatically triggered, and the Pods are restarted according to the configured update strategy.
Community contributions
- Support startupProbe in MariaDB and MaxScale by @vixns
- Prevent deadlocks on Database reconcile while transactions are running by @vixns
- Update CronJob template on reconcile by @vixns
- Operator configuration via helm by @sakazuki and @indigo-saito
- Support EKS Service Accounts in S3 by @Skaronator
- Add support for configuring priorityClassName, topologySpreadConstraints, PDB in Helm Chart by @Skaronator
- Exclude dollar signs from generated passwords by @simonhammes
- Fix examples SqlJob secret reference by @driv
- Relabeling metrics for ServiceMonitor by @nlamirault
- FLUSH PRIVILEGES unnecessary for user/grant manipulation by @grooverdan
Huge thanks to our awesome contributors! 🙇
We value your feedback! If you encounter any issues or have suggestions, please open an issue on GitHub. Your input is crucial to improve mariadb-operator🦭.
Join us on Slack: MariaDB Community Slack.
What's Changed
- Bump golang.org/x/sync from 0.8.0 to 0.9.0 by @dependabot in #1043
- Bump ubi8/ubi-micro from 8.10-13 to 8.10-15 by @dependabot in #1044
- Bump github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring from 0.78.0 to 0.78.1 by @dependabot in #1042
- Bump golang from 1.23.2-alpine3.20 to 1.23.3-alpine3.20 by @dependabot in #1045
- ci github workflows - optional mariadb_version by @grooverdan in #1048
- Update release workflow to create go pkg compatible tags by @mmontes11 in #1049
- Relabeling metrics for ServiceMonitor by @nlamirault in #1047
- Create gdc-airgapped.md by @mariadb-pieterhumphrey in #1051
- Rename gdc-airgapped.md to GDC_AIRGAPPED.md by @mariadb-pieterhumphrey in #1052
- Update GDC_AIRGAPPED.md by @mariadb-pieterhumphrey in #1066
- Update GDC_AIRGAPPED.md by @mariadb-pieterhumphrey in #1067
- Update NOTES.txt by @mariadb-pieterhumphrey in #1065
- Update GDC_AIRGAPPED.md by @mariadb-pieterhumphrey in #1073
- Bump github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring from 0.78.1 to 0.78.2 by @dependabot in #1057
- Bump k8s.io/api from 0.31.2 to 0.31.3 by @dependabot in #1055
- Bump sigs.k8s.io/controller-runtime from 0.19.1 to 0.19.3 by @dependabot in #1069
- Bump golang from 1.23.3-alpine3.20 to 1.23.4-alpine3.20 by @dependabot in #1068
- Bump github.com/onsi/g...
Contributors
Assets 7
mariadb-operator-crds-0.37.1
mariadb-operator CRDs
mariadb-operator-crds-0.37.0
mariadb-operator CRDs
mariadb-operator-0.37.1
Run and operate MariaDB in a cloud native way
mariadb-operator-0.37.0
Run and operate MariaDB in a cloud native way
0.36.0
mariadb-operator 0.36.0 is here! 🦭
We're thrilled to announce this new release packed with multiple enhancements contributed by our community members. A community-driven release like this one is the best way to celebrate that we are already more than 50 contributors 🎉:
If you're upgrading from previous versions, don't miss the UPGRADE GUIDE for a smooth transition.
Replication (alpha)
Backup
Services
SQL
Huge thanks to our awesome contributors @hedgieinsocks, @onesolpark, @johanjk, and @P4sca1 for making this release possible! 🙇
We value your feedback! If you encounter any issues or have suggestions, please open an issue on GitHub. Your input is crucial to improve mariadb-operator🦭.
Join us on Slack: MariaDB Community Slack.
What's Changed
- Update UPGRADE_0.34.0.md by @mariadb-pieterhumphrey in #978
- Update UPGRADE_0.35.0.md by @mariadb-pieterhumphrey in #979
- Update UPGRADE_0.35.1.md by @mariadb-pieterhumphrey in #980
- Update UPGRADE_v0.0.20.md by @mariadb-pieterhumphrey in #981
- Update UPGRADE_v0.0.21.md by @mariadb-pieterhumphrey in #982
- Update UPGRADE_v0.0.26.md by @mariadb-pieterhumphrey in #984
- Update UPGRADE_v0.0.30.md by @mariadb-pieterhumphrey in #986
- Update UPGRADE_v0.0.32.md by @mariadb-pieterhumphrey in #988
- Update UPGRADE_0.35.0.md by @mariadb-pieterhumphrey in #991
- Update UPGRADE_v0.0.31.md by @mariadb-pieterhumphrey in #987
- Update UPGRADE_v0.0.33.md by @mariadb-pieterhumphrey in #989
- Update UPGRADE_0.34.0.md by @mariadb-pieterhumphrey in #990
- Update UPGRADE_v0.0.24.md by @mariadb-pieterhumphrey in #983
- Update UPGRADE_v0.0.28.md by @mariadb-pieterhumphrey in #985
- Update UPGRADE_0.35.1.md by @mariadb-pieterhumphrey in #994
- Update UPGRADE_0.34.0.md by @mariadb-pieterhumphrey in #993
- Update UPGRADE_0.35.1.md by @mariadb-pieterhumphrey in #995
- Update UPGRADE_v0.0.20.md by @mariadb-pieterhumphrey in #996
- Update UPGRADE_v0.0.21.md by @mariadb-pieterhumphrey in #997
- Update UPGRADE_v0.0.24.md by @mariadb-pieterhumphrey in #998
- Update UPGRADE_v0.0.26.md by @mariadb-pieterhumphrey in #999
- Update UPGRADE_v0.0.30.md by @mariadb-pieterhumphrey in #1001
- Update UPGRADE_v0.0.28.md by @mariadb-pieterhumphrey in #1000
- Update UPGRADE_v0.0.31.md by @mariadb-pieterhumphrey in #1002
- Update UPGRADE_v0.0.32.md by @mariadb-pieterhumphrey in #1003
- Update UPGRADE_v0.0.33.md by @mariadb-pieterhumphrey in #1004
- Bump k8s.io/api from 0.31.1 to 0.31.2 by @dependabot in #969
- Bump sigs.k8s.io/controller-runtime from 0.19.0 to 0.19.1 by @dependabot in #970
- Bump github.com/minio/minio-go/v7 from 7.0.78 to 7.0.79 by @dependabot in #968
- Bump k8s.io/client-go from 0.31.1 to 0.31.2 by @dependabot in #972
- Support replication for non-default port by @onesolpark in #974
- Populate secondary service endpoints with custom service ports by @hedgieinsocks in #1009
- Perform proper switchover before updating master in semi-sync replication by @hedgieinsocks in #967
- [backup] fix file close before move by @johanjk in #1008
- Refactor backup compression by @mmontes11 in #1013
- Bump github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring from 0.77.1 to 0.78.0 by @dependabot in #1017
- Bump github.com/minio/minio-go/v7 from 7.0.79 to 7.0.80 by @dependabot in #1018
- Bump github.com/onsi/ginkgo/v2 from 2.20.2 to 2.21.0 by @dependabot in #1019
- Bump github.com/onsi/gomega from 1.34.2 to 1.35.1 by @dependabot in #1016
- ci: test-image{,-ent} display mariadb version by @grooverdan in #1029
- Bump entrypoints by @grooverdan in #1027
- Use accountName for AlterUser by @P4sca1 in #1026
- Update README.md by @mariadb-pieterhumphrey in #1032
- Create quickstart.md by @mariadb-pieterhumphrey in #1033
- Update README.md by @mariadb-pieterhumphrey in #1034
- Update README.md by @mariadb-pieterhumphrey in #1035
- Update README.md by @mariadb-pieterhumphrey in #1036
- Release 0.36.0 by @mmontes11 in #1038
New Contributors
Full Changelog: 0.35.1...0.36.0
Contributors
Assets 7
mariadb-operator-crds-0.36.0
mariadb-operator CRDs
mariadb-operator-0.36.0
Run and operate MariaDB in a cloud native way
0.35.1
0.35.1 is a patch release with a focused scope, aimed at stabilizing Galera cluster recovery and enhancing our new Kubernetes custom types. For an overview of features introduced in this release series, see the 0.35.0 release notes.
To upgrade from older versions, be sure to follow the UPGRADE GUIDE.
We value your feedback! If you encounter any issues or have suggestions, please open an issue on GitHub. Your input is crucial to improve mariadb-operator🦭.
Join us on Slack: MariaDB Community Slack.
What's Changed
- Allow sequence number 0 in Galera cluster recovery by @mmontes11 in #960
- Fix container extra env by @mmontes11 in #962
- Release 0.35.1 by @mmontes11 in #964
Full Changelog: 0.35.0...0.35.1