Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat(container): update ghcr.io/mariadb-operator/mariadb-operator ( 0.36.0 → 0.37.1 ) #366

Merged
merged 1 commit into from
Jan 30, 2025
Merged

feat(container): update ghcr.io/mariadb-operator/mariadb-operator ( 0.36.0 → 0.37.1 ) #366

merged 1 commit into from
Jan 30, 2025

Conversation

rk-1b[bot]
Copy link
Contributor

@rk-1b rk-1b bot commented Jan 28, 2025
edited
Loading

This PR contains the following updates:

Package Update Change
ghcr.io/mariadb-operator/mariadb-operator minor 0.36.0 -> 0.37.1

Release Notes

mariadb-operator/mariadb-operator (ghcr.io/mariadb-operator/mariadb-operator)

v0.37.1

Compare Source

mariadb-operator 0.37.1 is here! 🦭

We're excited to introduce TLS 🔐 support in this release, one of the major features of mariadb-operator so far! ✨ Check out the TLS docs, our example catalog and the release notes below to start using it.

[!WARNING]
Be sure to follow the UPGRADE GUIDE to ensure a seamless transition from previous versions.

Issue certificates for MariaDB and MaxScale

Issuing and configuring TLS certificates for your instances has never been easier, you just need to set tls.enabled=true:

apiVersion: k8s.mariadb.com/v1alpha1
kind: MariaDB
metadata:
  name: mariadb-galera
spec:
  ...
  tls:
    enabled: true
apiVersion: k8s.mariadb.com/v1alpha1
kind: MaxScale
metadata:
  name: maxscale
spec:
  ...
  mariaDbRef:
    name: mariadb-galera
  tls:
    enabled: true

A self-signed Certificate Authority (CA) will be automatically generated to issue leaf certificates for your instances. The operator will also manage a CA bundle that your applications can use in order to establish trust.

TLS will be enabled by default in MariaDB, but it will not enforced. You can enforce TLS connections by setting tls.required=true to ensure that all connections are encrypted. In the case of MaxScale, TLS will only be enabled if you explicitly set tls.enabled=true or the referred MariaDB (via mariaDbRef) instance enforces TLS.

Native integration with cert-manager

cert-manager is the de facto standard for managing certificates in Kubernetes. This certificate controller simplifies the automatic provisioning, management, and renewal of certificates. It supports a variety of certificate backends (e.g. in-cluster, Hashicorp Vault), which are configured using Issuer or ClusterIssuer resources.

In your MariaDB and MaxScale resources, you can directly reference ClusterIssuer or Issuer objects to seamlessly issue certificates:

apiVersion: k8s.mariadb.com/v1alpha1
kind: MariaDB
metadata:
  name: mariadb-galera
spec:
  ...
  tls:
    enabled: true
    serverCertIssuerRef:
      name: root-ca
      kind: ClusterIssuer
    clientCertIssuerRef:
      name: root-ca
      kind: ClusterIssuer
apiVersion: k8s.mariadb.com/v1alpha1
kind: MaxScale
metadata:
  name: maxscale-galera
spec:
  ...
  tls:
    enabled: true
    adminCertIssuerRef:
      name: root-ca
      kind: ClusterIssuer
    listenerCertIssuerRef:
      name: root-ca
      kind: ClusterIssuer

Under the scenes, the operator will create cert-manager's Certificate resources with all the required Subject Alternative Names (SANs) required by your instances. These certificates will be automatically managed by cert-manager and the CA bundle will be updated by the operator so you can establish trust with your instances.

The advantage of this approach is that you can use any of the cert-manager's certificate backends, such as the in-cluster CA or HashiCorp Vault, and potentially reuse the same Issuer/ClusterIssuer with multiple instances.

Certificate rotation

Whether the certificates are managed by the operator or by cert-manager, they will be automatically renewed before expiration. Additionally, the operator will update the CA bundle whenever the CAs are rotated, temporarily retaining the old CA in the bundle to ensure a seamless update process.

In both scenarios, the standard update strategies apply, allowing you to control how the Pods are restarted during certificate rotation.

TLS requirements for Users

We have extended our User SQL resource to include TLS-specific requirements for user connections over TLS. For example, if you want to enforce the use of a valid x509 certificate for a user to connect:

apiVersion: k8s.mariadb.com/v1alpha1
kind: User
metadata:
  name: user
spec:
  ...
  require:
    x509: true

To restrict the subject of the user's certificate and/or require a specific issuer, you may set:

apiVersion: k8s.mariadb.com/v1alpha1
kind: User
metadata:
  name: user
spec:
  ...
  require:
    issuer: "/CN=mariadb-galera-ca"
    subject: "/CN=mariadb-galera-client"

If any of these TLS requirements are not satisfied, the user will be unable to connect to the instance.

Automatic updates when Galera options are changed

Whenever Galera options are changed, for example, adding providerOptions:

apiVersion: k8s.mariadb.com/v1alpha1
kind: MariaDB
metadata:
  name: mariadb-galera
spec:
  ...
  galera:
    enabled: true
+   providerOptions:
+     gcs.fc_limit: '64'

An update is now automatically triggered, and the Pods are restarted according to the configured update strategy.

Community contributions

Huge thanks to our awesome contributors! 🙇

We value your feedback! If you encounter any issues or have suggestions, please open an issue on GitHub. Your input is crucial to improve mariadb-operator🦭.

Join us on Slack: MariaDB Community Slack.

What's Changed

Full Changelog: mariadb-operator/mariadb-operator@0.37.0...0.37.1

v0.37.0

Compare Source

[!WARNING]
A patch version 0.37.1 to fix a regression has been released. It is recommended to skip this version and upgrade to 0.37.1 instead

mariadb-operator 0.37.0 is here! 🦭

We're excited to introduce TLS 🔐 support in this release, one of the major features of mariadb-operator so far! ✨ Check out the TLS docs, our example catalog and the release notes below to start using it.

[!WARNING]
Be sure to follow the UPGRADE GUIDE to ensure a seamless transition from previous versions.

Issue certificates for MariaDB and MaxScale

Issuing and configuring TLS certificates for your instances has never been easier, you just need to set tls.enabled=true:

apiVersion: k8s.mariadb.com/v1alpha1
kind: MariaDB
metadata:
  name: mariadb-galera
spec:
  ...
  tls:
    enabled: true
apiVersion: k8s.mariadb.com/v1alpha1
kind: MaxScale
metadata:
  name: maxscale
spec:
  ...
  mariaDbRef:
    name: mariadb-galera
  tls:
    enabled: true

A self-signed Certificate Authority (CA) will be automatically generated to issue leaf certificates for your instances. The operator will also manage a CA bundle that your applications can use in order to establish trust.

TLS will be enabled by default in MariaDB, but it will not enforced. You can enforce TLS connections by setting tls.required=true to ensure that all connections are encrypted. In the case of MaxScale, TLS will only be enabled if you explicitly set tls.enabled=true or the referred MariaDB (via mariaDbRef) instance enforces TLS.

Native integration with cert-manager

cert-manager is the de facto standard for managing certificates in Kubernetes. This certificate controller simplifies the automatic provisioning, management, and renewal of certificates. It supports a variety of certificate backends (e.g. in-cluster, Hashicorp Vault), which are configured using Issuer or ClusterIssuer resources.

In your MariaDB and MaxScale resources, you can directly reference ClusterIssuer or Issuer objects to seamlessly issue certificates:

apiVersion: k8s.mariadb.com/v1alpha1
kind: MariaDB
metadata:
  name: mariadb-galera
spec:
  ...
  tls:
    enabled: true
    serverCertIssuerRef:
      name: root-ca
      kind: ClusterIssuer
    clientCertIssuerRef:
      name: root-ca
      kind: ClusterIssuer
apiVersion: k8s.mariadb.com/v1alpha1
kind: MaxScale
metadata:
  name: maxscale-galera
spec:
  ...
  tls:
    enabled: true
    adminCertIssuerRef:
      name: root-ca
      kind: ClusterIssuer
    listenerCertIssuerRef:
      name: root-ca
      kind: ClusterIssuer

Under the scenes, the operator will create cert-manager's Certificate resources with all the required Subject Alternative Names (SANs) required by your instances. These certificates will be automatically managed by cert-manager and the CA bundle will be updated by the operator so you can establish trust with your instances.

The advantage of this approach is that you can use any of the cert-manager's certificate backends, such as the in-cluster CA or HashiCorp Vault, and potentially reuse the same Issuer/ClusterIssuer with multiple instances.

Certificate rotation

Whether the certificates are managed by the operator or by cert-manager, they will be automatically renewed before expiration. Additionally, the operator will update the CA bundle whenever the CAs are rotated, temporarily retaining the old CA in the bundle to ensure a seamless update process.

In both scenarios, the standard update strategies apply, allowing you to control how the Pods are restarted during certificate rotation.

TLS requirements for Users

We have extended our User SQL resource to include TLS-specific requirements for user connections over TLS. For example, if you want to enforce the use of a valid x509 certificate for a user to connect:

apiVersion: k8s.mariadb.com/v1alpha1
kind: User
metadata:
  name: user
spec:
  ...
  require:
    x509: true

To restrict the subject of the user's certificate and/or require a specific issuer, you may set:

apiVersion: k8s.mariadb.com/v1alpha1
kind: User
metadata:
  name: user
spec:
  ...
  require:
    issuer: "/CN=mariadb-galera-ca"
    subject: "/CN=mariadb-galera-client"

If any of these TLS requirements are not satisfied, the user will be unable to connect to the instance.

Automatic updates when Galera options are changed

Whenever Galera options are changed, for example, adding providerOptions:

apiVersion: k8s.mariadb.com/v1alpha1
kind: MariaDB
metadata:
  name: mariadb-galera
spec:
  ...
  galera:
    enabled: true
+   providerOptions:
+     gcs.fc_limit: '64'

An update is now automatically triggered, and the Pods are restarted according to the configured update strategy.

Community contributions

Huge thanks to our awesome contributors! 🙇

We value your feedback! If you encounter any issues or have suggestions, please open an issue on GitHub. Your input is crucial to improve mariadb-operator🦭.

Join us on Slack: MariaDB Community Slack.

What's Changed
New Contributors

Full Changelog: mariadb-operator/mariadb-operator@0.36.0...0.37.0

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.

@rk-1b rk-1b bot force-pushed the renovate/main-ghcr.io-mariadb-operator-mariadb-operator-0.x branch from 59849e2 to 4b9e762 Compare January 28, 2025 21:16
@rk-1b rk-1b bot changed the title feat(container): update ghcr.io/mariadb-operator/mariadb-operator ( 0.36.0 → 0.37.0 ) feat(container): update ghcr.io/mariadb-operator/mariadb-operator ( 0.36.0 → 0.37.1 ) Jan 28, 2025
@rkoosaar rkoosaar merged commit 8f1456c into main Jan 30, 2025
9 checks passed
@rkoosaar rkoosaar deleted the renovate/main-ghcr.io-mariadb-operator-mariadb-operator-0.x branch January 30, 2025 14:07
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
area/kubernetes cluster/main renovate/container type/minor
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@rkoosaar