Connections

MariaDB Enterprise Kubernetes Operator provides the Connection resource to configure connection strings for applications connecting to MariaDB. This resource creates and maintains a Kubernetes Secret containing the credentials and connection details needed by your applications.

Connection CR

A Connection resource declares an intent to create a connection string for applications to connect to a MariaDB instance. When reconciled, it creates a Secret containing the DSN and, optionally, individual connection parameters:

apiVersion: enterprise.mariadb.com/v1alpha1
kind: Connection
metadata:
  name: connection
spec:
  mariaDbRef:
    name: mariadb
  username: mariadb
  passwordSecretKeyRef:
    name: mariadb
    key: password
  database: mariadb
  secretName: connection
  healthCheck:
    interval: 30s
    retryInterval: 3s

The operator creates a Secret named connection containing a DSN and individual fields like username, password, host, port, and database. Applications can mount this Secret to obtain the connection details.

Service selection

By default, the host in the generated Secret points to the Service named after the referenced MariaDB or MaxScale resource (the same as metadata.name). For HA MariaDB, this Service load balances across all pods, so use serviceName to target a specific Service such as <mariadb-name>-primary.

Please refer to the Kubernetes Service documentation to identify which Services are available.

Credential generation

The operator can automatically generate credentials for users via the GeneratedSecretKeyRef type with the generate: true field. This feature is available in the MariaDB, MaxScale, and User resources.

For example, when creating a MariaDB resource with an initial user:

The operator will automatically generate a random password and store it in a Secret named app-password. You can then reference this Secret in your Connection resource:

If you prefer to provide your own password, you can opt out of random password generation by either omitting the generate field or setting it to false. This enables the use of GitOps tools like sealed-secrets or external-secrets to seed the password.

Secret template

The secretTemplate field lets you customize the output Secret so that it includes individual connection parameters:

The resulting Secret will contain:

  • dsn: The full connection string

  • username: The database username

  • password: The database password

  • host: The database host

  • port: The database port

  • database: The database name

Custom DSN format

You can customize the DSN format using Go templates via the format field:

Available template variables:

  • {{ .Username }}: The database username

  • {{ .Password }}: The database password

  • {{ .Host }}: The database host

  • {{ .Port }}: The database port

  • {{ .Database }}: The database name

  • {{ .Params }}: Query parameters (e.g., ?parseTime=true&timeout=5s)

Refer to the Go documentation for additional details about the template syntax.
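A format string can be previewed locally before it is applied. The following is an added example, not code from the operator: it renders a hypothetical URL-style format with Go's text/template and checks that the result parses back to the same values. The DSNVars struct, the format string and all sample values are assumptions constructed for illustration, and the operator's own rendering is not reproduced here.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
	"text/template"
)

// DSNVars mirrors the template variables listed above. The struct is
// hypothetical; the operator's own type is not shown on this page.
type DSNVars struct {
	Username, Password, Host, Database, Params string
	Port                                       int
}

// RenderDSN executes a format string; bad syntax or unknown variables return an error.
func RenderDSN(format string, v DSNVars) (string, error) {
	tpl, err := template.New("dsn").Parse(format)
	if err != nil {
		return "", err
	}
	var sb strings.Builder
	err = tpl.Execute(&sb, v)
	return sb.String(), err
}

// CheckURLDSN re-parses a URL-style DSN and confirms the templated values round-trip.
func CheckURLDSN(dsn string, v DSNVars) error {
	u, err := url.Parse(dsn)
	if err != nil { // the parse error is not wrapped: it can echo the password
		return fmt.Errorf("DSN is not a valid URL")
	}
	pw, _ := u.User.Password()
	if u.User.Username() != v.Username || pw != v.Password || u.Hostname() != v.Host ||
		u.Port() != fmt.Sprint(v.Port) || strings.TrimPrefix(u.Path, "/") != v.Database {
		return fmt.Errorf("DSN does not round-trip through url.Parse")
	}
	return nil
}

func main() {
	// Constructed sample values; the second password has URL-reserved characters.
	format := "mysql://{{ .Username }}:{{ .Password }}@{{ .Host }}:{{ .Port }}/{{ .Database }}{{ .Params }}"
	for _, pw := range []string{"S3cret-example", "p@ss/w:rd"} {
		v := DSNVars{"app", pw, "mariadb-primary.default.svc", "app", "?parseTime=true", 3306}
		dsn, err := RenderDSN(format, v)
		fmt.Println(err, CheckURLDSN(dsn, v))
	}
}
```

With the second constructed password the rendered string still parses as a URL, but with a different host and path, which is the kind of mismatch this check is meant to surface before a format reaches a cluster.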

TLS authentication

Connection supports TLS client certificate authentication as an alternative to password authentication:

When using TLS authentication, provide tlsClientCertSecretRef instead of passwordSecretKeyRef. The referenced Secret must be a Kubernetes TLS Secret containing the client certificate and key.

Cross-namespace connections

Connection resources can reference MariaDB instances in different namespaces:

This creates a Connection in the app namespace that references a MariaDB in the mariadb namespace.

MaxScale connections

Connection resources can reference MaxScale instances using maxScaleRef:

When referencing a MaxScale, the operator uses the MaxScale Service and its listener port. The health check will consume connections from the MaxScale connection pool.

External MariaDB connections

Connection resources can reference ExternalMariaDB instances by specifying kind: ExternalMariaDB in the mariaDbRef:

This is useful for generating connection strings to external MariaDB instances running outside of Kubernetes.

Health checking

The healthCheck field configures periodic health checks to verify database connectivity:

  • interval: How often to perform health checks (default: 30s)

  • retryInterval: How often to retry after a failed health check (default: 3s)

The Connection status reflects the health check results, allowing you to monitor connectivity issues through Kubernetes.

This page is: Copyright © 2025 MariaDB. All rights reserved.
