1 of 100

Tools

This space includes documentation for clients, utilities, and applications, including AI-focused ones, designed to help you manage, monitor, back up, and interact with your MariaDB Server deployment.

MariaDB Enterprise Manager

MariaDB Enterprise Manager is a comprehensive observability and management solution designed for your entire database fleet. It provides advanced, topology-aware monitoring and a powerful suite of visual tools for query development and schema management, all from a single, centralized interface.

MariaDB Enterprise Operator

MariaDB Enterprise Operator provides a seamless way to run and operate containerized versions of MariaDB Enterprise Server and MaxScale on Kubernetes, allowing you to leverage Kubernetes orchestration and automation capabilities. This document outlines the features and advantages of using Kubernetes and the MariaDB Enterprise Operator to streamline the deployment and management of MariaDB and MaxScale instances.

MariaDB Enterprise MCP Server

MariaDB Enterprise MCP (Model Context Protocol) Server is a secure, enterprise-grade application designed to act as the primary interface between AI assistants and MariaDB data ecosystems. This product solves a key challenge: how to allow powerful AI agents to safely and efficiently leverage an organization's most valuable asset—its data.

MariaDB AI RAG

MariaDB AI RAG is an enterprise-grade Retrieval-Augmented Generation (RAG) solution that integrates with MariaDB to provide AI-powered document processing, semantic search, and natural language generation capabilities.

MariaDB Enterprise Manager

At its core, Enterprise Manager uses lightweight agents to collect deep telemetry from your standalone databases, replicated topologies, and MaxScale clusters via the OpenTelemetry standard. This foundation powers the integrated Grafana dashboards, which come pre-packaged with production-ready visualizations and alerts. Beyond monitoring, the provides a shared environment for developers and DBAs with an advanced Query Editor and a visual ERD Designer. The entire system is secured with role-based access control, audit logging, and can integrate with your corporate identity provider (OIDC) for single sign-on.

Quickstart Guide

MariaDB Enterprise Manager installation and configuration guide

MariaDB Enterprise Manager is a database management and observability solution that provides advanced topology-aware monitoring coupled with visual schema management, query editing, and ERD design across multiple database connections.

This guide describes steps to install MariaDB Enterprise Manager for evaluation purposes.

Prerequisites

Architecture Overview

MariaDB Enterprise Manager is a client/server application for monitoring and managing MariaDB deployments. It provides topology-aware monitoring, visual schema management, and query editing across multiple database connections.

The architecture consists of two primary components: a central Enterprise Manager Server that aggregates data and hosts the user interface, and an Enterprise Manager Agent that is deployed on each monitored host.

Enterprise Manager Server

The Enterprise Manager Server runs on a dedicated host and acts as the central command center. It is delivered as a suite of Docker containers managed by Docker Compose.

Administration

Deployment

This section provides an overview of the deployment process for MariaDB Enterprise Manager, covering installation and upgrades for both the central server and the monitoring agents.

MariaDB Enterprise Manager is designed for a streamlined deployment experience. You can launch the main server with a single-line command for a quick start, and a UI-integrated helper tool simplifies the process of installing and registering agents on your monitored databases.

Installing the Enterprise Manager Server

The Enterprise Manager Server is a Docker-based application installed on a dedicated host. The installation is handled by the installer script, which pulls the necessary container images and starts the application.

As a first step review the hardware, system, and network requirements:

Hardware and System Requirements

This guide outlines the system and hardware requirements for deploying the Enterprise Manager Server and the Enterprise Manager Agent.

Enterprise Manager Server 🖥️

The Enterprise Manager Server is the central component that hosts the UI and stores monitoring data.

Hardware Sizing Guide

Monitored Servers

CPU

Memory (RAM)

Storage (SSD)

Tip: Adjust storage size depending on your requirements for metrics retention.

System Requirements

CPU Architecture: x86-64
Operating System: 64-bit Linux with Docker support.
Software: Docker Engine and Docker Compose must be installed.

Enterprise Manager Agent🕵

The agent must be installed on each and instance you wish to monitor. Below are the supported operating systems.

Supported Platforms for MariaDB Server

MariaDB Server Version

Supported OS (x86_64, ARM64)

Supported Platforms for MariaDB MaxScale

MaxScale Version

Supported OS (x86_64, ARM64)

* Monitoring and Single Sign-On(SSO) are only supported for MaxScale versions 25.10 and Above

Agent Installation

To install mema-agent, you need to setup

The mema-agent is a small application that must be installed on every server you wish to monitor with MariaDB Enterprise Manager, including MariaDB Server nodes and MaxScale nodes.

This guide covers the recommended installation method using a package manager.

Prerequisite: Create the Local Monitor User

Before installing the agent on a MariaDB Server host, you must create a local user that the agent will use to connect to the database and collect metrics.

Replace <password> with a secure password. You will need these credentials later when linking the agent in the Enterprise Manager UI.

Installation via Package Manager (Recommended)

This method uses your OS's native package manager (dnf, apt, zypper) to install the agent from the MariaDB Enterprise repository.

Step 1: Configure the MariaDB Enterprise Repository

If you haven't already configured the MariaDB Enterprise repository on the server, follow these steps.

Get your Customer Download Token

Navigate to the and log in.

Step 2: Install the Agent Package

Once the repository is configured, use your system's package manager to install the agent.

The agent is now installed and running as a service.

Next Steps: Linking the Agent 🔗

After the agent is installed, it is running but not yet configured or linked to your MariaDB Enterprise Manager server.

The final step is to link the agent, which is done from the Enterprise Manager UI. Please refer to the for the specific steps to generate the linking command.

Add Multiple MaxScale Monitors

MariaDB Enterprise Manager allows you to monitor multiple logical databases or clusters that are managed by the same set of high-availability MaxScale instances. After adding your first MaxScale instance, you can easily add more monitors to track different services without re-entering the connection details.

Default Monitor Behavior

If you add a database from a MaxScale setup that has multiple monitors and do not explicitly select one, Enterprise Manager will automatically assign the first available monitor by default. To ensure you are tracking the correct service, it's best to specify the monitor manually.

SSO to MaxScale (Single Sign-On)

For topologies managed by MaxScale, you can seamlessly access the MaxScale GUI directly from Enterprise Manager using Single Sign-On.SSO to MaxScale requires MaxScale 25.10.0 or higher.1

Accessing the MaxScale GUI

Click the three-dot menu (⋮) next to a MaxScale node.
Select "Manage MaxScale".

Configuring SSO in `maxscale.cnf`

To enable SSO, add the following parameters to your MaxScale configuration file (maxscale.cnf) on the MaxScale host:

Parameter

Description

Network and Firewall Requirements

It's recommended to run MariaDB Enterprise Manager on an internal, secured network. Direct public exposure is not recommended.

Before installing MariaDB Enterprise Manager, ensure that your firewall and network rules allow traffic on all required ports. Proper connectivity is essential for the system to function correctly.

The following table details the necessary ports and their purposes.

Service/Component

Port

Protocol

Traffic Direction

Backup & Restore of Enterprise Manager

Note: This is about backing up the data, configuration and collected metrics of the Enterprise Manager (EM), not the databases.

Backing up Enterprise Manager Server

Stop the Enterprise Manager

Change Hostname or IP Address

To set the hostname or IP address for an existing MariaDB Enterprise Management instance, follow these instructions. Changing the hostname or IP address is useful if your server's IP changed or if you need to switch from an IP address to a public DNS name.

Connect to your server

SSH into the server where your Enterprise Manager is running:

Usage

Monitoring

Dashboards

MariaDB Galera Cluster

The dashboard mirrors most sections from the dashboard extending it with Galera Metrics section and the Galera Nodes table. Use this dashboard when you need Galera-specific cluster health alongside the familiar server views.

Galera Metrics

Insights into Galera Cluster health with critical metrics and node-specific status details.

Metric

Alerts and Notifications

MariaDB Enterprise Manager provides a powerful and flexible alerting system, built on the capabilities of the integrated Grafana Alerting engine. It allows you to proactively monitor your entire database fleet, define custom rules for potential issues, and receive notifications through various channels to ensure you can respond quickly.

All persistent Grafana settings are managed through the MariaDB Enterprise Manager configuration files. Changes made directly in the Grafana UI will be lost upon restart.

How It Works: The Alerting Flow

The alerting process in MariaDB Enterprise Manager follows a clear, four-step flow from detection to notification.

Alert Rule is Defined

An alert rule contains a query (what to measure, e.g., disk usage), a condition (the threshold, e.g., > 90%), and labels for routing (e.g., type = server disk).

Key Alerting Concepts

To configure alerting effectively, it's helpful to understand these core concepts from Grafana:

Term

Description

For a deep dive into advanced topics like custom message templating, alert grouping, and more complex routing, see the .

SMTP Server Configuration

This page explains how to configure email alerting for MariaDB Enterprise Manager using Grafana's integrated alerting engine. Configure SMTP credentials and server details in the main environment file so Enterprise Manager can send alert notifications via email.

This is an advanced draft.

Edit the environment file

Database Administration

The MariaDB Enterprise Manager Workspace includes a powerful set of integrated tools that allow DBAs and developers to perform common administrative tasks graphically, without needing to write raw SQL commands. These features are primarily accessed through the Schemas Sidebar and dedicated tabs in the main worksheet area.

Schema Inspector

The Schema Inspector provides detailed, read-only metadata views for any selected schema object. This allows you to quickly understand the structure, data types, constraints, and dependencies of your tables, views, and other objects without querying the information_schema. To use it, simply click on an object in the Object Browser.

Object Browser

The Object Browser is the hierarchical tree view located in the Schemas Sidebar on the left side of the Workspace. It is your primary tool for navigating and exploring your database instances. You can expand databases to see their tables, views, stored procedures, and triggers, and use the filter box at the top to quickly locate specific objects.

Object Editor

The Object Editor allows you to create, modify, and delete schema objects using graphical forms and dialogs. You can access these functions by right-clicking on an object (or object type) in the Object Browser. This will open a context menu with actions such as:

CREATE TABLE, CREATE VIEW
ALTER TABLE
DROP TABLE

User Management

This dedicated tab provides a grid-based interface for managing database users and their privileges directly, without writing GRANT or CREATE USER statements.

From this interface, you can:

View a list of all database users and their assigned global privileges.
Create new database users using a simple form.
Edit an existing user's password or modify their privileges.
Delete users who no longer require access.

Process List Viewer

The Processlist tab provides a real-time view of the database server's active sessions and the commands they are executing, equivalent to running SHOW FULL PROCESSLIST. This is an essential tool for diagnosing performance issues.

Using the Processlist Viewer, you can:

Monitor all active connections, their current status (e.g., Query, Sleep), and how long they have been running.
Identify long-running or problematic queries that may be impacting server performance.
Manage live sessions, which may include the ability to terminate (kill) a specific process.

MariaDB Enterprise Kubernetes Operator

MariaDB Enterprise Kubernetes Operator automates provisioning, scaling, backups, and high availability, making cloud-native database operations efficient and reliable.

Installation

Installation instructions for MariaDB Enterprise Kubernetes Operator in Kubernetes and OpenShift

Topologies

Different topologies supported by the operator.

Standalone

This operator allows you to configure standalone MariaDB Enterprise Server instances. To achieve this, you can either omit the replicas field or set it to 1:

apiVersion: enterprise.mariadb.com/v1alpha1
kind: MariaDB
metadata:
  name: mariadb
spec:
  rootPasswordSecretKeyRef:
    name: mariadb
    key: password

  replicas: 1

  port: 3306

  storage:
    size: 1Gi

  myCnf: |
    [mariadb]
    bind-address=*
    default_storage_engine=InnoDB
    binlog_format=row
    innodb_autoinc_lock_mode=2
    innodb_buffer_pool_size=800M
    max_allowed_packet=256M

  resources:
    requests:
      cpu: 500m
      memory: 1Gi
    limits:
      memory: 1Gi

  metrics:
    enabled: true

Whilst this can be useful for development and testing, it is not recommended for production use because of the following reasons:

Single point of failure
Upgrades require downtime
Only vertical scaling is possible

For achieving high availability, we recommend deploying a highly available topology as described in the .

Backup and Restore

Configure multiple backup strategies and perform restoration.

25.10 LTS version update guide

This guide illustrates, step by step, how to update to 25.10.2 from previous versions.

The Galera data-plane must be updated to the 25.10.2 version. You must set updateStrategy.autoUpdateDataPlane=true in your MariaDB resources before updating the operator. Then, once updated, the operator will also be updating the data-plane based on its version:

Plugins

Learn about the plugins supported by the MariaDB Enterprise Kubernetes Operator and how to configure them.

Supported Docker Images

The following is a list of images that have plugins installed and available to use.

Even though these images have plugins installed, that doesn't necessarily mean that they are enabled by default. You may need to install them. The recommended operator native way to do so is to use:

apiVersion: enterprise.mariadb.com/v1alpha1
kind: MariaDB
metadata:
  name: mariadb
spec:
  # ....
  myCnf: |
    [mariadb]
    plugin_load_add = auth_pam # Load auth plugin
  # ....

Each supported plugin will have a section on how to install it.

Component

Image

Supported Tags

CPU Architecture

Examples Catalog

The examples catalog contains a number of sample manifests that aim to show the operator functionality in a practical way. Follow these instructions for getting started:

Download the examples catalog:

curl -sLO https://operator.mariadb.com/examples/manifests.tar.gz
mkdir -p examples
tar -xzf manifests.tar.gz -C examples

Install the configuration shared by all the examples:

Start deploying examples:

Some examples rely on external dependencies for specific tasks, make sure to install them when it applies:

for metrics
for TLS certificates
for S3 object storage

It is recommended to complement the examples with the documentation to understand the full range of configuration options available.

If you are looking for production-grade examples, you can check the following manifests:

mariadb_replication_production.yaml and maxscale_replication_production.yaml for
mariadb_galera_production.yaml and maxscale_galera_production.yaml for

Migrations

Learn about migrations with MariaDB Enterprise Kubernetes Operator. This section covers strategies and procedures for smoothly migrating your MariaDB databases within Kubernetes environments.

Migrate external MariaDB into Kubernetes

In this guide, we will be migrating an external MariaDB into a new MariaDB instance running in Kubernetes and managed by MariaDB Enterprise Kubernetes Operator. We will be using for achieving this migration.

Ensure you understand the in the MariaDB Enterprise Kubernetes Operator.

1. Take a logical backup of your external MariaDB using one of the commands below:

If you are currently using or migrating to a Galera instance, use the following command instead:

2. Ensure that your backup file matches the following format: backup.2024-08-26T12:24:34Z.sql

MariaDB Enterprise MCP Server

Overview

"Model Context Protocol" (MCP) is a standard or interface designed to bridge the gap between AI development tools (like copilots in your code editor) and your project's specific environment.

In simple terms, it's a way for an AI to understand the context of what you're working on.

The MariaDB Enterprise MCP (Model Context Protocol) Server is a secure, enterprise-grade application designed to act as the primary interface between AI assistants and MariaDB data ecosystems. This product solves a key challenge: how to allow powerful AI agents to safely and efficiently leverage an organization's most valuable asset—its data.

It achieves this by providing a single, hardened endpoint that offers not only standard database operations but also advanced AI workflow orchestration and integration with industry-standard authentication systems.

Token Management

Token management is a critical part of the system's security, handled primarily by the RAG API.

Token Generation

The process involves two main steps:

Example

Usage Examples

Standard SQL Query

{ "tool": "execute_sql", "parameters": { "database_name": "test_db", "sql_query": "SELECT * FROM users WHERE id = %s", "parameters": [123] } }

Create Vector Store

{ "tool": "create_vector_store", "parameters": { "database_name": "test_db", "vector_store_name": "my_vectors", "model_name": "text-embedding-3-small", "distance_function": "cosine" } }

Insert Documents into Vector Store

Semantic Search

RAG Generation

Frequently Asked Questions

Where do you get MCP Server from and what are the installation requirements?

The MCP Server can be launched individually or as part of the RAG-in-a-box system. It is distributed as pre-compiled binaries that can run on various operating systems, including:

Windows

Installation

System Requirements

Operating System: Linux (Debian/Ubuntu/RHEL), macOS 10.15+, or Windows 10/11
CPU: 4+ cores recommended

Service Management

MariaDB AI RAG runs as a web service using Uvicorn/FastAPI. You can manage the service using standard system commands.

Starting the Service

# Start the service using the executable directly
./databridge

Viewing Logs

Logs are stored in the logs directory within the installation path:

mariadb-dump --user=${MARIADB_USER} --password=${MARIADB_PASSWORD} --host=${MARIADB_HOST} --single-transaction --events --routines --all-databases --skip-add-locks --ignore-table=mysql.global_priv > backup.2024-08-26T12:24:34Z.sql

How do you configure the MCP Server and connect it to MariaDB?

The MCP Server does not include its own database. It acts as a client and requires a connection to an external, pre-existing MariaDB server.

The system components are connected as follows:

MCP Server (Port 8002) ---------> MariaDB Server (Port 3306)
                         (connects via MySQL protocol)

Configuration is managed through environment files where you specify the connection details for your MariaDB instance.

{ "tool": "insert_docs_vector_store", "parameters": { "database_name": "test_db", "vector_store_name": "my_vectors", "documents": ["Sample text 1", "Sample text 2"], "metadata": [{"source": "doc1"}, {"source": "doc2"}] } }

Metrics Retention Configuration

By default, MariaDB Enterprise Manager retains detailed metrics for 30 days. You can configure this data retention period to balance your need for historical data with storage costs.

This guide explains how to change the retention period and how the underlying storage system works.

How to Change the Retention Period

Changing the retention time is done by editing the environment file for Enterprise Manager and then restarting the services.

Locate and edit the .env file

Navigate to your Enterprise Manager installation directory and open the .env file in a text editor.

Modify the retention time variable

Find the line containing PROMETHEUS_RETENTION_TIME and change its value. The change will only take effect after the Prometheus service is restarted.

Examples:

Restart services to apply the change

You must restart the services for the new retention period to be applied.

Data Retention Policy

Prometheus, the time-series database used by Enterprise Manager, does not delete expired data instantly.

Block-Based Storage: Prometheus stores metrics data in blocks, which are typically two-hour chunks of time. In the background, these small blocks are compacted into larger ones.
Delayed Cleanup: Data is not deleted on a sample-by-sample basis. Instead, Prometheus removes an entire block once all the data within it has passed the retention period. This cleanup process runs in the background and may not be immediate.

Delayed metrics removal for deleted databases

After you delete a database from MariaDB Enterprise Manager, you may continue to see its historical metrics in Grafana dashboards for a period of time.

This is expected behavior. Enterprise Manager does not immediately delete a database's metric history from Prometheus. Instead, the data is removed automatically by Prometheus's own cleanup process once it passes the configured retention period.

These old metrics will no longer receive new data and will eventually disappear from the dashboards on their own.

Valid Retention Time Units

When setting PROMETHEUS_RETENTION_TIME, you can use the following units:

y - years
w - weeks
d - days

Data Plane

In order to effectively manage the full lifecycle of both replication and Galera topologies, the operator relies on a set of components that run alonside the MariaDB instances and expose APIs for remote management. These components are collectively referred to as the "data-plane".

Components

The mariadb-enterprise-operator data-plane components are implemented as lightweight containers that run alongside the MariaDB instances within the same Pod. These components are available in the operator image. More preciselly, they are subcommands of the CLI shipped as binary inside the image.

Init container

The init container is reponsible for dynamically generating the Pod-specifc configuration files before the MariaDB container starts. It also plays a crucial role in the MariaDB container startup, enabling replica recovery for the replication topolology and guaranteeing ordered deployment of Pods for the Galera topology.

Agent sidecar

The agent sidecar provides an HTTP API that enables the operator to remotely manage MariaDB instances. Through this API, the operator is able to remotely operate the data directory and handle the instance lifecycle, including operations such as replica recovery for replication and cluster recovery for the Galera topology.

It supports methods to ensure that only the operator is able to call the agent API.

Agent auth methods

As previously mentioned, the agent exposes an API to remotely manage the replication and Galera clusters. The following authentication methods are supported to ensure that only the operator is able to call the agent:

`ServiceAccount` based authentication

The operator uses its ServiceAccount token as a mean of authentication for communicating with the agent, which subsequently verifies the token by creating a . This is the default authentication method and will be automatically applied by setting:

This Kubernetes-native authentication mechanism eliminates the need for the operator to manage credentials, as it relies entirely on Kubernetes for this purpose. However, the drawback is that the agent requires cluster-wide permissions to impersonate the ClusterRole and to create , which are cluster-scoped objects.

Basic authentication

As an alternative, the agent also supports basic authentication:

Unlike the , the operator needs to explicitly generate credentials to authenticate. The advantage of this approach is that it is entirely decoupled from Kubernetes and it does not require cluster-wide permissions on the Kubernetes API.

Updates

Please refer to the updates documentation for more information about .

Create monitor user

CREATE USER 'monitor'@'localhost' IDENTIFIED BY '<password>';
GRANT SELECT, PROCESS, REPLICATION CLIENT, RELOAD, REPLICA MONITOR, REPLICATION MASTER ADMIN ON *.* TO 'monitor'@'localhost';

apiVersion: enterprise.mariadb.com/v1alpha1
kind: MariaDB
metadata:
  name: mariadb-galera
spec:
  rootPasswordSecretKeyRef:
    name: mariadb
    key: root-password
  replicas: 3
  galera:
    enabled: true
  storage:
    size: 1Gi
  bootstrapFrom:
    s3:
      bucket: backups
      prefix: mariadb
      endpoint: minio.minio.svc.cluster.local:9000
      accessKeyIdSecretKeyRef:
        name: minio
        key: access-key-id
      secretAccessKeySecretKeyRef:
        name: minio
        key: secret-access-key
      tls:
        enabled: true
        caSecretKeyRef:
          name: minio-ca
          key: tls.crt
    targetRecoveryTime: 2024-08-26T12:24:34Z

oc get installplan
NAME            CSV                                     APPROVAL   APPROVED
install-sjgcs   mariadb-enterprise-operator.v25.10.2    Manual     false

oc patch installplan install-sjgcs --type merge -p '{"spec":{"approved":true}}'

installplan.operators.coreos.com/install-sjgcs patched

apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
  name: mariadb-enterprise-operator
  namespace: openshift-operators
spec:
  channel: stable-v25.10
  installPlanApproval: Automatic
  name: mariadb-enterprise-operator
  source: certified-operators
  sourceNamespace: openshift-marketplace

Back up all volumes

docker run --rm --volumes-from enterprise-manager-grafana -v $(pwd)/backups/:/backups/ alpine:latest tar -czf /backups/grafana-backup.tar.gz /var/lib/grafana/
docker run --rm --volumes-from enterprise-manager-prometheus -v $(pwd)/backups/:/backups/ alpine:latest tar -czf /backups/prometheus-backup.tar.gz /prometheus/
docker run --rm --volumes-from enterprise-manager-supermax -v $(pwd)/backups/:/backups/ alpine:latest tar -czf /backups/supermax-backup.tar.gz /var/lib/supermax/

# --- Grafana SMTP Email Settings ---
# Set to true to enable email alerting
GF_SMTP_ENABLED=true

# Your SMTP server hostname and port
GF_SMTP_HOST=smtp.example.com:587

# Credentials for your SMTP user
GF_SMTP_USER=my-email-user
GF_SMTP_PASSWORD=my-super-secret-password

# Set to true if your server uses a self-signed certificate
GF_SMTP_SKIP_VERIFY=false

# The "From" address that will appear on alert emails
GF_SMTP_FROM_ADDRESS=alerts@my-domain.com

# The display name for the sender
GF_SMTP_FROM_NAME=MariaDB Enterprise Manager

Run docker compose up -d to start the Enterprise Manager

h

MaxScale

Pods

username

Secret

Provision and Configure MariaDB and MaxScale Declaratively: Define MariaDB Enterprise Server and MaxScale clusters in YAML manifests and deploy them with ease in Kubernetes.
Multiple Highly Available Topologies supported:
- Asynchronous Replication
- Synchronous Multi-Master with Galera
- as a Database proxy to load balance requests and perform failover/switchover operations.
Cluster-Aware Rolling Updates: Perform rolling updates on MariaDB and MaxScale clusters, ensuring zero-downtime upgrades with no disruptions to your applications.
Flexible Storage Configuration and Volume Expansion: Easily configure storage for MariaDB instances, including the ability to expand volumes as needed.
Physical Backups based on and . By leveraging the feature, backups are taken without long read locks or service interruptions.
Logical Backups based on .
Backup Management: Take, restore, and schedule backups with multiple storage types supported: S3, PVCs, Kubernetes volumes and VolumeSnapshots..
Policy-Driven Backup Retention: Implement backup retention policies with bzip2 and gzip compression.
Target Recovery Time: Restore your database to the closest available backup based on a specified recovery time.
Bootstrap New Instances: Initialize new MariaDB instances from backups, S3, PVCs or VolumeSnapshots to quickly spin up new clusters.
TLS Certificate Management: Issue, configure, and rotate TLS certificates and Certificate Authorities (CAs) for secure connections.
Advanced TLS Support: customize certificate lifetime, private key algorithm and TLS version.
Native Integration with cert-manager: Leverage , the de-facto standard for managing certificates in Kubernetes, to enable issuance with private CAs, public CAs and HashiCorp Vault.
Prometheus Metrics: Expose metrics using the MariaDB and MaxScale Prometheus exporters.
Native Integration with prometheus-operator: Leverage to scrape metrics from MariaDB and MaxScale instances.
Declarative User and Database Management: Manage users, grants, and logical databases in a declarative manner using Kubernetes resources.
Secure, immutable and lightweight images based on Red Hat UBI, available for multiple architectires (amd64, arm64 and ppc64le).
by Red Hat.

Did the agent processes start up successfully?

The agent processes run as systemd services. Use normal systemd commands to inspect the state of the agent.

Show the agent status

Show status

sudo systemctl status mema-agent.slice

If the agent didn't start, errors will be shown in the status output. Once errors are fixed, start the agent again.

Start agent

sudo systemctl start mema-agent.target

For a more detailed analysis of errors, inspect the agent logs.

Show the agent logs

The agent uses the systemd journal for logging:

Agent logs

sudo journalctl -u mema-agent.slice --no-pager

Can the agent collect MariaDB metrics?

The credentials that the agent uses to connect to MariaDB require certain grants in order to collect all metrics. Check the Quickstart Guide for the set of grants and verify that the user provided with --mariadb-user has the necessary grants.

If the MariaDB metrics agent is working correctly, the logs should not have any errors. Check the logs with:

MariaDB exporter logs

sudo journalctl -u mema-agent-mariadb-exporter.service

To verify the MariaDB metrics agent is running, inspect the raw metrics output:

Raw metrics check

curl -s http://127.0.0.1:18902/metrics | wc -l

The output should contain about 3000 lines if everything is working.

kubectl scale deployment mariadb-enterprise-operator --replicas=0
kubectl scale deployment mariadb-enterprise-operator-webhook --replicas=0
kubectl delete validatingwebhookconfiguration mariadb-enterprise-operator-webhook
kubectl delete mutatingwebhookconfiguration mariadb-enterprise-operator-webhook

Under the scenes, the operator is configuring the StatefulSet's volumeClaimTemplate property, which you are also able to provide yourself:

{
  "mcpServers": {
    "rag-mcp": {
      "serverUrl": "http://localhost:8002/mcp",
      "headers": {
        "Authorization": "Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.xyz.abc"
      }
    }
  }
}

ERD Designer

Enterprise manager provides a visual interface for creating entity relationship diagrams (ERD) and for observing existing database schemas, so you can quickly understand table relationships, identify dependencies, and visually assess the impact of schema changes before implementation.

This procedure outlines the steps required to access and utilize the ERD Designer within the Workspace section of Enterprise Manager UI.

From the main Workspace screen, click the "Run Queries" card.\
In the "Connect to..." dialog, select your target server, enter your credentials, and click Connect.\
Upon successful connection, the main ERD worksheet will appear.\

Creating ERD diagram

Initiate generation

From the ERD Worksheet On ERD Designer worksheet, click Generate ERD

ERD Worksheet Features

The core of the designer is a visual canvas where you can build and manage your database structures.

Model Tables, Indexes, and Relationships

You can graphically manage all core MariaDB schema objects.

Create New Tables

Use the toolbar or right-click on the canvas to add new table entities to your diagram.

Edit Entities

Double-click any table to open the Entity Editor at the bottom of the screen.

Here, you can define and modify columns (including data types and NOT NULL constraints), indexes, and foreign keys through an intuitive interface.

Draw Foreign Keys

To create a new relationship, simply click the connection point on a column in one table and drag it to the column it references in another table.

Auto Layout

For large or complex schemas, the diagram can become cluttered. Use the Auto Arrange Entities feature, typically found in the top toolbar, to automatically rearrange the tables and relationships into a clean, organized, and easily navigable diagram.

Working with the ERD Worksheet

The ERD worksheet provides several tools and shortcuts to streamline your workflow.

Managing Foreign Keys

Right-click on a relationship link between two tables to open a context menu with quick actions, such as editing or removing the foreign key, toggling the relationship type (e.g., one-to-one vs. one-to-many), and changing NOT NULL constraints.

Exporting Your Model

Once your design is complete, you can export it for documentation or deployment. The export options, found in the toolbar or by right-clicking the canvas, include the following:

Export as SQL Script: Generates the CREATE TABLE and ALTER TABLE statements for your entire diagram.
Export as JPEG: Creates an image of your diagram for use in presentations or other documents.
Copy script to clipboard: A quick way to get the SQL for pasting elsewhere.

Applying Changes to a Database

Click the "Apply Script" button (▶) in the toolbar to execute the generated SQL against your connected database. This allows you to deploy your new or modified schema directly from the designer.

Architecture

The MariaDB MCP (Model Context Protocol) Server is a modular, multi-layered system designed to provide secure, scalable, and extensible AI-powered tools and services. Its architecture is centered around a primary gateway (MCP Server), an optional specialized microservice for Retrieval-Augmented Generation (RAG API), and a Shared MariaDB Database that serves as the single source of truth for all components.

This design prioritizes security through multi-layered token validation and promotes flexibility with an adaptive tool registration system, allowing services to be enabled or disabled dynamically.

Architectural Diagram

The following diagram illustrates the flow of a request from a client application through the various components of the MCP ecosystem.

Component Breakdown

Client Applications

These are the consumers of the MCP Server's services. They are responsible for acquiring a JWT Bearer Token and including it in the Authorization header of every request.

Examples: AI assistants, custom applications using the REST API, and dedicated MCP clients.

MCP Server (Port 8002)

The MCP Server acts as the primary gateway and orchestrator. All client requests must pass through it. It performs two critical functions:

Token Extraction & Validation

This is the first layer of security. The MCP Server validates the identity and legitimacy of every incoming request through a three-step process:

Extract Token: It retrieves the JWT from the Authorization header.
Verify Signature: It cryptographically verifies the token's signature to ensure it hasn't been tampered with.
Validate User: It queries the Users table in the shared database to confirm the user exists and is active.

Adaptive Tool Registration

A key feature of the MCP Server is its ability to dynamically adjust the tools it offers based on the availability of dependent services.

Core, Database, & Vector Tools: These are foundational toolsets and are always registered and available.
RAG Tools: These tools, which rely on the RAG API, are only registered if the MCP Server can successfully connect to the RAG API. This makes the RAG component an optional, plug-in extension.

RAG API (Port 8000)

This is a specialized microservice designed for complex, knowledge-based tasks using the Retrieval-Augmented Generation pattern. It operates as a distinct service that the MCP Server communicates with.

Authentication & Authorization

The RAG API implements a second, more granular layer of security. After receiving a forwarded request from the MCP Server, it re-verifies the JWT and performs deeper authorization checks:

Verify JWT Token: Ensures the token is still valid.
Check User Roles: Examines the user's roles and permissions to determine if they are authorized to perform the requested RAG operation.
Enforce Permissions: Applies access control rules, for example, restricting document access based on ownership or group membership.

RAG Pipeline

This is the core logic of the RAG API. It transforms a user's query into a knowledge-rich response.

Document Ingestion: The process of adding new documents to the knowledge base.
Vector Embedding: Documents are converted into numerical representations (vectors) and stored in the Vector Store within the MariaDB database.
Retrieval: When a query is received, the API searches the Vector Store to find the most semantically relevant document chunks.

Shared MariaDB Database

The database is the foundation of the entire architecture, providing a single, consistent source of data for all services.

Users: Stores user credentials, roles, and metadata required for authentication and authorization across both the MCP Server and RAG API.
Documents: Contains the raw content (e.g., text, metadata) that the RAG pipeline uses for retrieval.
Vector Store: A dedicated table or set of tables within MariaDB that stores the vector embeddings of the documents, enabling efficient similarity searches.

Request and Data Flow

Request Initiation: A client application sends a request to the MCP Server (:8002) with a JWT in the Authorization header.
MCP Server Authentication: The MCP Server validates the JWT against the shared database. If invalid, the request is rejected with a 401 Unauthorized error.
Tool Dispatching: The server identifies that the request requires a RAG tool. It's checks if the RAG API is available.

This architecture ensures a clear separation of concerns, enhances security with multiple checkpoints, and provides a highly extensible platform for building advanced AI tools.

Restore backup to all volumes

# Clear out any existing data first
docker run --rm --volumes-from enterprise-manager-grafana -v $(pwd)/backups/:/backups/ alpine:latest find /var/lib/grafana/ -delete -mindepth 1
docker run --rm --volumes-from enterprise-manager-prometheus -v $(pwd)/backups/:/backups/ alpine:latest find /prometheus/ -delete -mindepth 1
docker run --rm --volumes-from enterprise-manager-supermax -v $(pwd)/backups/:/backups/ alpine:latest find /var/lib/supermax/ -delete -mindepth 1

# Restore the data from the backups
docker run --rm --volumes-from enterprise-manager-grafana -v $(pwd)/backups/:/backups/ alpine:latest tar -C / -xzf /backups/grafana-backup.tar.gz
docker run --rm --volumes-from enterprise-manager-prometheus -v $(pwd)/backups/:/backups/ alpine:latest tar -C / -xzf /backups/prometheus-backup.tar.gz
docker run --rm --volumes-from enterprise-manager-supermax -v $(pwd)/backups/:/backups/ alpine:latest tar -C / -xzf /backups/supermax-backup.tar.gz

apiVersion: enterprise.mariadb.com/v1alpha1
kind: MariaDB
metadata:
  name: mariadb-galera
spec:
  rootPasswordSecretKeyRef:
    name: mariadb
    key: password
  imagePullSecrets:
  -  name: mariadb-enterprise
  maxScaleRef:
    name: maxscale-galera
  username: mariadb
  passwordSecretKeyRef:
    name: mariadb
    key: password
  database: mariadb
  storage:
    size: 1Gi
  replicas: 3
  galera:
    enabled: true

❯ kubectl get pods
NAME                                                           READY   STATUS    RESTARTS      AGE
mariadb-galera-0                                               2/2     Running   0             101s
mariadb-galera-1                                               2/2     Running   0             101s
mariadb-galera-2                                               2/2     Running   0             101s

apiVersion: enterprise.mariadb.com/v1alpha1
kind: MaxScale
metadata:
  name: maxscale-galera
spec:
  imagePullSecrets:
   -  name: mariadb-enterprise
  mariaDbRef:
    name: mariadb-galera
  replicas: 2

❯ kubectl get pods
mariadb-galera-0                                               2/2     Running   0             10m
mariadb-galera-1                                               2/2     Running   0             10m
mariadb-galera-2                                               2/2     Running   0             10m
maxscale-galera-0                                              1/1     Running   0             81s
maxscale-galera-1                                              1/1     Running   0             81s

❯ kubectl get maxscale
NAME              READY   STATUS    PRIMARY            AGE
maxscale-galera   True    Running   mariadb-galera-0   65s

❯ kubectl get mariadb
NAME             READY   STATUS    PRIMARY            UPDATES                    AGE
mariadb-galera   True    Running   mariadb-galera-0   ReplicasFirstPrimaryLast   10m

❯ kubectl run mariadb-connect --rm -it --image=docker.mariadb.com/enterprise-server:11.4 -- bash -c "mariadb -u mariadb -p'MariaDB11!' --ssl=false -h maxscale-galera"
If you don't see a command prompt, try pressing enter.
MariaDB [(none)]> SHOW DATABASES;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mariadb            |
+--------------------+
2 rows in set (0.001 sec)

# Save images and archive

cd enterprise-manager
docker compose images | awk 'p{print $2 ":" $3} {p=1}' | xargs docker image save -o images.tar
cd ..
tar -czvf enterprise-manager.tar.gz enterprise-manager

apiVersion: enterprise.mariadb.com/v1alpha1
kind: MariaDB
metadata:
  name: mariadb-galera
spec:
  inheritMetadata:
    labels:
      database.myorg.io: mariadb
    annotations:
      database.myorg.io: mariadb

apiVersion: enterprise.mariadb.com/v1alpha1
kind: Backup
metadata:
  name: backup
spec:
  inheritMetadata:
    labels:
      sidecar.istio.io/inject: "true"
    annotations:
      database.myorg.io: mariadb
  podMetadata:
    labels:
      sidecar.istio.io/inject: "false"

apiVersion: enterprise.mariadb.com/v1alpha1
kind: MariaDB
metadata:
  name: mariadb-galera
spec:
  service:
    type: LoadBalancer
    metadata:
      annotations:
        metallb.universe.tf/loadBalancerIPs: 172.18.0.150

  primaryService:
    type: LoadBalancer
    metadata:
      annotations:
        metallb.universe.tf/loadBalancerIPs: 172.18.0.160

  secondaryService:
    type: LoadBalancer
    metadata:
      annotations:
        metallb.universe.tf/loadBalancerIPs: 172.18.0.161

apiVersion: enterprise.mariadb.com/v1alpha1
kind: MariaDB
metadata:
  name: mariadb-galera
spec:
  storage:
    size: 1Gi
    volumeClaimTemplate:
      metadata:
        annotations:
          database.myorg.io: mariadb
        labels:
          database.myorg.io: mariadb
      accessModes:
      - ReadWriteOnce
      resources:
        requests:
          storage: 1Gi

apiVersion: enterprise.mariadb.com/v1alpha1
kind: MariaDB
metadata:
  name: mariadb-galera
spec:
  service:
    type: LoadBalancer
    metadata:
      annotations:
        metallb.universe.tf/loadBalancerIPs: 172.18.0.150

apiVersion: enterprise.mariadb.com/v1alpha1
kind: ExternalMariaDB
metadata:
  name: external-mariadb
spec:
  host: mariadb.example.com
  port: 3306
  username: root
  passwordSecretKeyRef:
    name: mariadb
    key: password
  connection:
    secretName: external-mariadb
    healthCheck:
      interval: 5s

apiVersion: enterprise.mariadb.com/v1alpha1
kind: ExternalMariaDB
metadata:
  name: external-mariadb
spec:
  host: mariadb.example.com
  port: 3306
  username: root
  passwordSecretKeyRef:
    name: mariadb
    key: password
  tls:
    enabled: true
    clientCertSecretRef:
      name: client-cert-secret
    serverCASecretRef:
      name: ca-cert-secret
  connection:
    secretName: external-mariadb
    healthCheck:
      interval: 5s
      retryInterval: 10s

apiVersion: enterprise.mariadb.com/v1alpha1
kind: User
metadata:
  name: user-external
spec:
  name: user
  mariaDbRef:
    name: external-mariadb
    kind: ExternalMariaDB
  passwordSecretKeyRef:
    name: mariadb
    key: password
  maxUserConnections: 20
  host: "%"
  cleanupPolicy: Delete
  requeueInterval: 10h
  retryInterval: 30s

apiVersion: enterprise.mariadb.com/v1alpha1
kind: MariaDB
metadata:
  name: mariadb
spec:
  ...
  image: docker.mariadb.com/enterprise-server:11.4.4-2
  imagePullPolicy: IfNotPresent
  imagePullSecrets:
    - name: mariadb-enterprise

apiVersion: enterprise.mariadb.com/v1alpha1
kind: MaxScale
metadata:
  name: maxscale
spec:
  ...
  image: docker.mariadb.com/maxscale-enterprise:25.01.1
  imagePullPolicy: IfNotPresent
  imagePullSecrets:
    - name: mariadb-enterprise

apiVersion: enterprise.mariadb.com/v1alpha1
kind: MariaDB
metadata:
  name: mariadb
spec:
  ...
  image: docker.mariadb.com/enterprise-server:11.4.4-2
  imagePullPolicy: IfNotPresent
  imagePullSecrets:
    - name: mariadb-enterprise

apiVersion: enterprise.mariadb.com/v1alpha1
kind: MariaDB
metadata:
  name: mariadb
spec:
  galera:
    agent:
-      image: docker.mariadb.com/mariadb-enterprise-operator:1.0.0
+      image: docker.mariadb.com/mariadb-enterprise-operator:25.8.0
    initContainer:
-      image: docker.mariadb.com/mariadb-enterprise-operator:1.0.0
+      image: docker.mariadb.com/mariadb-enterprise-operator:25.8.0

apiVersion: enterprise.mariadb.com/v1alpha1
kind: MariaDB
metadata:
  name: mariadb-galera
spec:
  ...
  storage:
    size: 1Gi
    storageClassName: gp3
    volumeClaimTemplate:
      accessModes:
      - ReadWriteOnce
      resources:
        requests:
          storage: 1Gi
      storageClassName: gp3

# Database Configuration (Required)
DB_HOST=localhost
DB_PORT=3306
DB_USER=your_mysql_username
DB_PASSWORD=your_mysql_password
DB_NAME=rag_db

# Authentication (Required)
SECRET_KEY=your_secret_key_here_generate_a_secure_random_string

# Embedding Configuration (Required)
EMBEDDING_PROVIDER=openai
EMBEDDING_MODEL=text-embedding-3-small

# API Keys (Set based on your embedding/LLM provider)
OPENAI_API_KEY=your_openai_api_key
GEMINI_API_KEY=your_gemini_api_key
VOYAGE_API_KEY=your_voyage_api_key
COHERE_API_KEY=your_cohere_api_key

Web Origins: https://<Your_Enterprise_Manager_Address>:8090

enterprise-manager-nginx

imagePullSecret

Secret

mariadb-enterprise

MariaDB

). For this reason, you must temporarily point your applications to MariaDB during the migration process. You can achieve this by configuring your application to use the

. At the end of the MariaDB migration process, the MaxScale instance will need to be recreated in order to use TLS, and then you will be able to point your application back to MaxScale. Ensure that all applications are pointing to MariaDB before moving on to the next step.

[maxscale]
# ... other settings ...
admin_host=0.0.0.0
admin_oidc_url=https://<Enterprise Manager Host Name>:8090
admin_oidc_client_id=admin
admin_oidc_client_secret=mariadb
admin_oidc_ssl_insecure=true

# prometheus.yml

scrape_configs:
  - job_name: 'mem-federation'
    scrape_interval: 60s
    honor_labels: true
    metrics_path: '/prometheus/federate'
    params:
      'match[]':
        - '{job=~".+"}' # This parameter tells the endpoint to return all series.
    static_configs:
      - targets: ['<Enterprise_Manager_IP>:8090']
    scheme: https
    basic_auth:
      username: admin # default username for Enterprise Manager
      password: mariadb # default password for admin user
    # You may need to add TLS and authentication configurations
    # depending on your network setup and security requirements.
    # tls_config:
    #   insecure_skip_verify: true

MariaDB Server host

sudo mema-agent setup --cluster-name=MyCluster \
  --endpoint=https://<external_ip> --otlp-port=<external_port> \
  --mariadb --host-name=<hostname> \
  --mariadb-user=<user> --mariadb-password=<password> \
  --otlp-insecure --otlp-interval=60s

MaxScale host

sudo mema-agent setup --cluster-name=MyCluster \
  --endpoint=https://<external_ip> --otlp-port=<external_port> \
  --maxscale --host-name=<hostname> \
  --maxscale-user=admin --maxscale-password=mariadb \
  --otlp-insecure --otlp-interval=60s

apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
  name: mariadb-enterprise-operator
  namespace: openshift-operators
spec:
  channel: stable
  installPlanApproval: Automatic
  name: mariadb-enterprise-operator
  source: certified-operators
  sourceNamespace: openshift-marketplace

apiVersion: operators.coreos.com/v1
kind: OperatorGroup
metadata:
  name: mariadb-enterprise-operator
  namespace: my-namespace
spec:
  targetNamespaces:
  - my-namespace
  - my-other-namespace
  - my-other-other-namespace
  upgradeStrategy: Default

apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
  name: mariadb-enterprise-operator
  namespace: my-namespace
spec:
  channel: stable
  installPlanApproval: Automatic
  name: mariadb-enterprise-operator
  source: certified-operators
  sourceNamespace: openshift-marketplace

apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
  name: mariadb-enterprise-operator
  namespace: openshift-operators
spec:
  channel: stable # Change this to the actual channel you want
  installPlanApproval: Automatic
  name: mariadb-enterprise-operator
  source: certified-operators
  sourceNamespace: openshift-marketplace

apiVersion: enterprise.mariadb.com/v1alpha1
kind: MariaDB
metadata:
  name: mariadb-galera
spec:
  tls:
+   enabled: true
+   required: false
+   galeraSSTEnabled: false
+   galeraServerSSLMode: PROVIDER
+   galeraClientSSLMode: DISABLED

# 1Password references
DB_USER=op://Employee/RAG-Database/username
DB_PASSWORD=op://Employee/RAG-Database/password
SECRET_KEY=op://Employee/RAG-Security/secret-key
JWT_SECRET_KEY=op://Employee/RAG-Security/jwt-secret
GEMINI_API_KEY=op://Employee/RAG-API-Keys/gemini

# Start Vault in dev mode
vault server -dev -dev-root-token-id="rag-root-token"

# Store secrets
vault kv put secret/rag-in-a-box/database \
    DB_USER=root \
    DB_PASSWORD=Password123! \
    DB_NAME=kb_chunks

vault kv put secret/rag-in-a-box/security \
    SECRET_KEY=your_secret_key \
    JWT_SECRET_KEY=your_jwt_secret

vault kv put secret/rag-in-a-box/api-keys \
    GEMINI_API_KEY=your_api_key

# HCP Vault Configuration
VAULT_ADDR=https://your-vault-cluster.hashicorp.cloud:8200
VAULT_NAMESPACE=admin
VAULT_SKIP_VERIFY=false
VAULT_SECRET_PATH=rag-in-a-box
VAULT_MOUNT_POINT=secret

# AppRole Authentication
VAULT_ROLE_ID=your-vault-role-id
VAULT_SECRET_ID=your-vault-secret-id

apiVersion: enterprise.mariadb.com/v1alpha1
kind: MariaDB
metadata:
  name: mariadb
spec:
  ...
- image: docker.mariadb.com/enterprise-server:10.6.18-14.2
+ image: docker.mariadb.com/enterprise-server:10.6.19-15.1
  resources:
    requests:
      cpu: 200m
      memory: 128Mi
    limits:
-     memory: 1Gi
+     memory: 2Gi

{
  "table_name": "customer_feedback",
  "schema_name": "databridge",
  "column_mapping": {
    "content": "feedback_text",
    "metadata": ["customer_id", "product_id", "rating", "date_submitted"],
    "id_column": "feedback_id"
  },
  "filter_condition": "rating >= 3 AND date_submitted > '2025-01-01'",
  "batch_size": 1000,
  "authorized_users": ["user1@example.com", "user2@example.com"]
}

curl -X POST "http://localhost:8000/documents/ingest-from-table" \
  -H "Authorization: Bearer YOUR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"table_name": "customer_feedback", "schema_name": "databridge", "column_mapping": {"content": "feedback_text", "metadata": ["customer_id", "product_id", "rating", "date_submitted"], "id_column": "feedback_id"}, "authorized_users": ["user1@example.com"]}'

{
  "sql_query": "SELECT id, title, content, author, published_date FROM articles WHERE status = 'published' AND category = 'technical'",
  "role": "ai_nexus",
  "document_name": "published_articles"
}

{
  "id": 42,
  "source": "sql://generated/1729425000/published_articles.csv",
  "filename": "published_articles.csv",
  "status": "completed",
  "content": "id,title,content,author,published_date\n1,Article Title,Article content...,John Doe,2025-01-15\n...",
  "error_message": null,
  "created_at": "2025-10-20T12:00:00.123456",
  "updated_at": "2025-10-20T12:00:01.234567"
}

curl -X POST "http://localhost:8000/documents/sql-ingest" \
  -H "Authorization: Bearer YOUR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "sql_query": "SELECT id, title, content, author FROM articles WHERE status = '\''published'\''",
    "role": "ai_nexus",
    "document_name": "published_articles"
  }'

{
  "job_id": "db_ingest_xyz123",
  "status": "completed",
  "processed_rows": 5230,
  "created_documents": 5230,
  "failed_rows": 0,
  "completion_time": "2025-08-25T12:34:56.789Z",
  "authorized_users": ["user1@example.com", "user2@example.com"]
}

RESOURCE="<mariadb-name>" \
OLD_API_GROUP="k8s.mariadb.com" \
NEW_API_GROUP="enterprise.mariadb.com" \
NEW_MARIADB_IMAGE="docker.mariadb.com/enterprise-server:11.4.4-2" \
NEW_MARIADB_OPERATOR_IMAGE="docker.mariadb.com/mariadb-enterprise-operator:<operator-version>" \
./migrate_enterprise.sh

for crd in $(kubectl get crds -o json | jq -r '.items[] | select(.spec.group=="k8s.mariadb.com") | .metadata.name'); do
  kubectl get "$crd" -A -o json | jq -r '.items[] | "\(.metadata.namespace)/\(.metadata.name)"' | while read cr; do
    ns=$(echo "$cr" | cut -d'/' -f1)
    name=$(echo "$cr" | cut -d'/' -f2)
    echo "Removing finalizers from $crd: $name in $ns..."
    kubectl patch "$crd" "$name" -n "$ns" --type merge -p '{"metadata":{"finalizers":[]}}'
  done
done
helm uninstall mariadb-operator-crds

for pod in $(kubectl get pods -l app.kubernetes.io/instance=<mariadb-name> -o jsonpath='{.items[*].metadata.name}'); do
  kubectl exec "$pod" -- sh -c 'mariadb-upgrade -u root -p${MARIADB_ROOT_PASSWORD} -f'
done

If you select the sql permission, a "Query editor row limit" dropdown will appear. You can adjust this value as needed.

MariaDB Server

This dashboard provides a unified view of a database topology. It combines topology information, system health, replication or cluster metrics, and query performance in one place. Administrators can use it to monitor availability, troubleshoot issues, and optimize performance.

Topology Overview

Summarizes the overall topology, showing which servers are active, their versions, and how they are organized.

Name — Displays the name of the MariaDB topology currently being monitored.
Project — Shows the associated project or environment label.
Primary/Replica — A table with:
- Instance: Server hostname.
- Type: Instance role.
- Seconds behind primary: Replication delay value.
Topology Info — Count of nodes grouped by type (e.g., server, MaxScale).
MariaDB Server Uptime by Instance — Uptime in seconds for each server instance.

InnoDB Metrics

Shows activity within the InnoDB storage engine.

Metric

Description

Processlist

Shows information about active sessions and thread states collected from information_schema.processlist.

Processlist Count — Table view showing:
- Instance: Database node.
- Client: Client host connected.
- Value: Number of processes/threads from that client.

High Availability

This section provides guidance on how to configure high availability in MariaDB and MaxScale instances. If you are looking for an HA setup for the operator, please refer to the Helm documentation.

Our recommended setup for production is:

Use a highly available topology for MariaDB:
- Asynchronous replication with a primary node and at least 2 replicas.
- Synchronous multi-master with at least 3 nodes. Always an odd number of nodes, as it is quorum-based.
Leverage as database proxy to load balance requests and perform failover/switchover operations. Configure 2 replicas to enable MaxScale upgrades without downtime.
Use to avoid noisy neighbours.
Define .

Highly Available Topologies

: The primary node allows both reads and writes, while secondary nodes only serve reads. The primary has a binary log and the replicas asynchronously replicate the binary log events.
: All nodes support reads and writes, but writes are only sent to one node to avoid contention. The fact that is synchronous and that all nodes are equally configured makes the primary failover/switchover operation seamless and usually instantaneous.

Kubernetes Services

In order to address nodes, MariaDB Enterprise Kubernetes Operator provides you with the following Kubernetes Services:

<mariadb-name>: This is the default Service, only intended for the .
<mariadb-name>-primary: To be used for write requests. It will point to the primary node.
<mariadb-name>-secondary: To be used for read requests. It will load balance requests to all nodes except the primary.

Whenever the primary changes, either by the user or by the operator, both the <mariadb-name>-primary and <mariadb-name>-secondary Services will be automatically updated by the operator to address the right nodes.

The primary may be manually changed by the user at any point by updating the spec.[replication|galera].primary.podIndex field. Alternatively, automatic primary failover can be enabled by setting spec.[replication|galera].primary.autoFailover, which will make the operator to switch primary whenever the primary Pod goes down.

MaxScale

While Kubernetes Services can be used for addressing primary and secondary instances, we recommend utilizing as database proxy for doing so, as it comes with additional advantages:

Enhanced failover/switchover operations for both replication and Galera
Single entrypoint for both reads and writes
Multiple router modules available to define how to route requests
Replay pending transaction when primary goes down

The full lifecyle of the MaxScale proxy is covered by this operator. Please refer to for further detail.

Pod Anti-Affinity

Bear in mind that, when enabling this, you need to have at least as many Nodes available as the replicas specified. Otherwise your Pods will be unscheduled and the cluster won't bootstrap.

To achieve real high availability, we need to run each MariaDB Pod in different Kubernetes Nodes. This practice, known as anti-affinity, helps reducing the blast radius of Nodes being unavailable.

By default, anti-affinity is disabled, which means that multiple Pods may be scheduled in the same Node, something not desired in HA scenarios.

You can selectively enable anti-affinity in all the different Pods managed by the MariaDB resource:

Anti-affinity may also be enabled in the resources that have a reference to MariaDB, resulting in their Pods being scheduled in Nodes where MariaDB is not running. For instance, the Backup and Restore processes can run in different Nodes:

In the case of MaxScale, the Pods will also be placed in Nodes isolated in terms of compute, ensuring isolation not only among themselves but also from the MariaDB Pods. For example, if you run a MariaDB and MaxScale with 3 replicas each, you will need 6 Nodes in total:

Default anti-affinity rules generated by the operator might not satisfy your needs, but you can always define your own rules. For example, if you want the MaxScale Pods to be in different Nodes, but you want them to share Nodes with MariaDB:

Dedicated Nodes

If you want to avoid noisy neighbours running in the same Kubernetes Nodes as your MariaDB, you may consider using dedicated Nodes. For achieving this, you will need:

Taint your Nodes and add the counterpart toleration in your Pods.

Tainting your Nodes is not covered by this operator, it is something you need to do by yourself beforehand. You may take a look at the to understand how to achieve this.

Select the Nodes where Pods will be scheduled in via a nodeSelector.

Although you can use the default Node labels, you may consider adding more significative labels to your Nodes, as you will have to set to them in your Pod nodeSelector. Refer to the .

Add podAntiAffinity to your Pods as described in the section.

The previous steps can be achieved by setting these fields in the MariaDB resource:

Pod Disruption Budgets

Take a look at the if you are unfamiliar to PodDisruptionBudgets

By defining a PodDisruptionBudget, you are telling Kubernetes how many Pods your database tolerates to be down. This quite important for planned maintenance operations such as Node upgrades.

MariaDB Enterprise Kubernetes Operator creates a default PodDisruptionBudget if you are running in HA, but you are able to define your own by setting:

Configuration

This documentation aims to provide guidance on various configuration aspects shared across many MariaDB Enterprise Kubernetes Operator CRs.

my.cnf

An inline can be provisioned in the MariaDB resource via the myCnf field:

In this field, you may provide any or supported by MariaDB.

Under the hood, the operator automatically creates a ConfigMap with the contents of the myCnf field, which will be mounted in the MariaDB instance. Alternatively, you can manage your own configuration using a pre-existing ConfigMap by linking it via myCnfConfigMapKeyRef. It is important to note that the key in this ConfigMap i.e. the config file name, must have a .cnf extension in order to be detected by MariaDB:

To ensure your configuration changes take effect, the operator triggers a MariaDB update whenever the myCnf field or the ConfigMap is updated. For the operator to detect changes in a ConfigMap, it must be labeled with enterprise.mariadb.com/watch. Refer to the section for further detail.

Compute resources

CPU and memory resouces can be configured via the resources field in both the MariaDB and MaxScale CRs:

In the case of MariaDB, it is recommended to set the innodb_buffer_pool_size system variable to a value that is 70-80% of the available memory. This can be done via the :

Timezones

By default, MariaDB does not load timezone data on startup for performance reasons and defaults the timezone to SYSTEM, obtaining the timezone information from the environment where it runs. See the for further information.

You can explicitly configure a timezone in your MariaDB instance by setting the timeZone field:

This setting is immutable and implies loading the timezone data on startup.

In regards to Backup and SqlJob resources, which get reconciled into CronJobs, you can also define a timeZone associated with their cron expression:

If timeZone is not provided, the local timezone will be used, as described in the .

Passwords

Some CRs require passwords provided as Secret references to function properly. For instance, the root password for a MariaDB resource:

By default, fields like rootPasswordSecretKeyRef are optional and defaulted by the operator, resulting in random password generation if not provided:

You may choose to explicitly provide a Secret reference via rootPasswordSecretKeyRef and opt-out from random password generation by either not providing the generate field or setting it to false:

This way, we are telling the operator that we are expecting a Secret to be available eventually, enabling the use of GitOps tools to seed the password:

: The Secret is reconciled from a SealedSecret, which is decrypted by the sealed-secrets controller.
: The Secret is reconciled fom an ExternalSecret, which is read by the external-secrets controller from an external secrets source (Vault, AWS Secrets Manager ...).

External resources

Many CRs have a references to external resources (i.e. ConfigMap, Secret) not managed by the operator.

These external resources should be labeled with enterprise.mariadb.com/watch so the operator can watch them and perform reconciliations based on their changes. For example, see the my.cnf ConfigMap:

Probes

Kubernetes probes serve as an inversion of control mechanism, enabling the application to communicate its health status to Kubernetes. This enables Kubernetes to take appropriate actions when the application is unhealthy, such as restarting or stop sending traffic to Pods.

Make sure you check the if you are unfamiliar with Kubernetes probes.

Fine tunning of probes for databases running in Kubernetes is critical, you may do so by tweaking the following fields:

There isn't an universally correct default value for these thresholds, so we recommend determining your own based on factors like the compute resources, network, storage, and other aspects of the environment where your MariaDB and MaxScale instances are running.

apiVersion: enterprise.mariadb.com/v1alpha1
kind: User
metadata:
  name: bob
spec:
  mariaDbRef:
    name: mariadb
  passwordSecretKeyRef:
    name: bob-password
    key: password
  maxUserConnections: 20
  host: "%"
  cleanupPolicy: Delete

apiVersion: enterprise.mariadb.com/v1alpha1
kind: Grant
metadata:
  name: grant-bob
spec:
  mariaDbRef:
    name: mariadb
  privileges:
    - "SELECT"
    - "INSERT"
    - "UPDATE"
  database: "*"
  table: "*"
  username: bob
  grantOption: true
  host: "%"

apiVersion: v1
kind: Secret
metadata:
  name: mariadb-auth
stringData:
  passwordHash: "*57685B4F0FF9D049082E296E2C39354B7A98774E"
---
apiVersion: enterprise.mariadb.com/v1alpha1
kind: User
metadata:
  name: user-password-hash
spec:
  mariaDbRef:
    name: mariadb
  passwordHashSecretKeyRef:
    name: mariadb-auth
    key: passwordHash
  host: "%"

apiVersion: v1
kind: Secret
metadata:
  name: mariadb-auth
stringData:
  passwordHash: "*57685B4F0FF9D049082E296E2C39354B7A98774E"
  nativePasswordPlugin: mysql_native_password
---
apiVersion: enterprise.mariadb.com/v1alpha1
kind: User
metadata:
  name: user-password-plugin
spec:
  mariaDbRef:
    name: mariadb
  passwordPlugin:
    pluginNameSecretKeyRef:
        name: mariadb-auth
        key: nativePasswordPlugin
    pluginArgSecretKeyRef:
        name: mariadb-auth
        key: passwordHash
  host: "%"

apiVersion: enterprise.mariadb.com/v1alpha1
kind: MariaDB
metadata:
  name: mariadb
spec:
  ...
  myCnf: |
    [mariadb]
    bind-address=*
    default_storage_engine=InnoDB
    binlog_format=row
    innodb_autoinc_lock_mode=2
    innodb_buffer_pool_size=1024M
    max_allowed_packet=256M

apiVersion: enterprise.mariadb.com/v1alpha1
kind: MariaDB
metadata:
  name: mariadb-galera
spec:
  bootstrapFrom:
    restoreJob:
      affinity:
        antiAffinityEnabled: true
  ...
  metrics:
    exporter:
      affinity:
        antiAffinityEnabled: true
  ...
  affinity:
    antiAffinityEnabled: true

apiVersion: enterprise.mariadb.com/v1alpha1
kind: MaxScale
metadata:
  name: maxscale-galera
spec:
  mariaDbRef:
    name: mariadb-galera
  ...
  metrics:
    exporter:
      affinity:
        antiAffinityEnabled: true
  ...
  affinity:
    antiAffinityEnabled: true

apiVersion: enterprise.mariadb.com/v1alpha1
kind: MaxScale
metadata:
  name: maxscale-galera
spec:
  mariaDbRef:
    name: mariadb-galera
  ...
  affinity:
    podAntiAffinity:
      requiredDuringSchedulingIgnoredDuringExecution:
      - labelSelector:
          matchExpressions:
          - key: app.kubernetes.io/instance
            operator: In
            values:
            - maxscale-galera
            # 'mariadb-galera' instance omitted (default anti-affinity rule)
        topologyKey: kubernetes.io/hostname

apiVersion: enterprise.mariadb.com/v1alpha1
kind: MariaDB
metadata:
  name: mariadb-galera
spec:
  ...
  tolerations:
    - key: "enterprise.mariadb.com/ha"
      operator: "Exists"
      effect: "NoSchedule"
  nodeSelector:
    "enterprise.mariadb.com/node": "ha" 
  affinity:
    antiAffinityEnabled: true

MariaDB [my_db]> SELECT * from information_schema.INNODB_TABLESPACES_ENCRYPTION;
+-----------------+-------------------+-----------------+---------------------+----------------+----------------------+
| NAME            | ENCRYPTION_SCHEME | MIN_KEY_VERSION | CURRENT_KEY_VERSION | CURRENT_KEY_ID | ROTATING_OR_FLUSHING |
+-----------------+-------------------+-----------------+---------------------+----------------+----------------------+
| innodb_system   |                 1 |               1 |                   2 |              1 |                    0 |
| innodb_undo001  |                 1 |               1 |                   2 |              1 |                    0 |
| innodb_undo002  |                 1 |               1 |                   2 |              1 |                    0 |
| innodb_undo003  |                 1 |               1 |                   2 |              1 |                    0 |
| mysql/innodb_ta |                 1 |               1 |                   2 |              1 |                    0 |
| mysql/innodb_in |                 1 |               1 |                   2 |              1 |                    0 |
| mysql/gtid_slav |                 1 |               1 |                   2 |              1 |                    0 |
| mysql/transacti |                 1 |               1 |                   2 |              1 |                    0 |
| my_db/people    |                 1 |               1 |                   2 |              1 |                    0 |
+-----------------+-------------------+-----------------+---------------------+----------------+----------------------+

apiVersion: enterprise.mariadb.com/v1alpha1
kind: Backup
metadata:
  name: backup-scheduled
spec:
  mariaDbRef:
    name: mariadb
  schedule:
    cron: "*/1 * * * *"
    suspend: false
  timeZone: "UTC"

apiVersion: v1
kind: ConfigMap
metadata:
  name: mariadb
  labels:
    enterprise.mariadb.com/watch: ""
data:
  mycnf: |
    [mariadb]
    bind-address=*
    default_storage_engine=InnoDB
    binlog_format=row
    innodb_autoinc_lock_mode=2
    innodb_buffer_pool_size=1024M
    max_allowed_packet=256M

apiVersion: enterprise.mariadb.com/v1alpha1
kind: MariaDB
metadata:
  name: mariadb-galera
spec:
  # Tune your liveness probe accordingly to avoid Pod restarts.
  livenessProbe:
    periodSeconds: 10
    timeoutSeconds: 5

  # Tune your readiness probe accordingly to prevent disruptions in network traffic.
  readinessProbe:
    periodSeconds: 10
    timeoutSeconds: 5

  # Tune your startup probe accordingly to ensure that the SST completes with a large amount of data.
  # failureThreshold × periodSeconds = 30 × 10 = 300s = 5m until the container gets restarted if unhealthy
  startupProbe:
    failureThreshold: 30
    periodSeconds: 10
    timeoutSeconds: 5

cat <<'EOF' | vault policy write -non-interactive mariadb -
# Allow access to MariaDB secrets
path "mariadb/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}

# Allow reading the mount configuration
path "sys/mounts/mariadb/tune" {
  capabilities = ["read"]
}
EOF

Key                  Value
---                  -----
token                EXAMPLE_TOKEN
token_accessor       utFtmh98YAAJyYdxEVN3SFQA
token_duration       768h
token_renewable      true
token_policies       ["default" "mariadb"]
identity_policies    []
policies             ["default" "mariadb"]

---
apiVersion: v1
kind: Secret
metadata:
  name: mariadb # Used to hold the mariadb and root user passwords
  labels:
    enterprise.mariadb.com/watch: ""
stringData:
  password: MariaDB11!
  root-password: MariaDB11!
---
apiVersion: enterprise.mariadb.com/v1alpha1
kind: MariaDB
metadata:
  name: mariadb
spec:
  image: docker.mariadb.com/enterprise-server:11.4.7-4.3
  rootPasswordSecretKeyRef:
    name: mariadb
    key: password

  username: mariadb
  passwordSecretKeyRef:
    name: mariadb-password
    key: password
    generate: true
  database: mariadb

  port: 3306

  storage:
    size: 1Gi
    # storageClassName: csi-hostpath-sc

  myCnf: |
    [mariadb]
    bind-address=*
    default_storage_engine=InnoDB
    binlog_format=row
    innodb_autoinc_lock_mode=2
    innodb_buffer_pool_size=800M
    max_allowed_packet=256M

    plugin_load_add = hashicorp_key_management
    hashicorp-key-management-vault-url=https://vault-0.vault-internal.default.svc.cluster.local:8200/v1/mariadb
    hashicorp-key-management-caching-enabled=ON
    hashicorp-key-management-vault-ca=/etc/vault/certs/ca.crt

    innodb_encrypt_tables = FORCE
    innodb_encrypt_log = ON
    innodb_encrypt_temporary_tables = ON
    encrypt_tmp_disk_tables = ON
    encrypt_tmp_files = ON
    encrypt_binlog = ON
    aria_encrypt_tables = ON

    innodb_encryption_threads = 4
    innodb_encryption_rotation_iops = 2000

  env:
    - name: VAULT_TOKEN # This is where our token is defined!
      valueFrom:
        secretKeyRef:
          name: mariadb-vault-token
          key: token

  resources:
    requests:
      cpu: 100m
      memory: 128Mi
    limits:
      memory: 1Gi

  metrics:
    enabled: true

  volumes:
    - name: vault-certificates
      secret:
        secretName: vault-tls
        defaultMode: 0600
  volumeMounts:
    - name: vault-certificates
      mountPath: /etc/vault/certs/

If you don't see a command prompt, try pressing enter.
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 95
Server version: 11.4.7-4-MariaDB-enterprise MariaDB Enterprise Server

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]>

MariaDB [my_db]> SELECT * from information_schema.INNODB_TABLESPACES_ENCRYPTION;
+-----------------+-------------------+-----------------+---------------------+----------------+----------------------+
| NAME            | ENCRYPTION_SCHEME | MIN_KEY_VERSION | CURRENT_KEY_VERSION | CURRENT_KEY_ID | ROTATING_OR_FLUSHING |
+-----------------+-------------------+-----------------+---------------------+----------------+----------------------+
| innodb_system   |                 1 |               1 |                   1 |              1 |                    0 |
| innodb_undo001  |                 1 |               1 |                   1 |              1 |                    0 |
| innodb_undo002  |                 1 |               1 |                   1 |              1 |                    0 |
| innodb_undo003  |                 1 |               1 |                   1 |              1 |                    0 |
| mysql/innodb_ta |                 1 |               1 |                   1 |              1 |                    0 |
| mysql/innodb_in |                 1 |               1 |                   1 |              1 |                    0 |
| mysql/gtid_slav |                 1 |               1 |                   1 |              1 |                    0 |
| mysql/transacti |                 1 |               1 |                   1 |              1 |                    0 |
| my_db/people    |                 1 |               1 |                   1 |              1 |                    0 |
+-----------------+-------------------+-----------------+---------------------+----------------+----------------------+

PAM

The MariaDB pam plugin facilitates user authentication by interfacing with the Pluggable Authentication Modules (PAM) framework, enabling diverse and centralized authentication schemes.

Currently the enterprise operator utilizes this plugin to provide support for:

LDAP based authentication

LDAP

This guide outlines the process of configuring MariaDB to authenticate users against an LDAP or Active Directory service. The integration is achieved by using MariaDB's Pluggable Authentication Module (PAM) plugin, which delegates authentication requests to the underlying Linux PAM framework.

How Does It Work?

To enable LDAP authentication for MariaDB through PAM, several components work in tandem:

PAM (Pluggable Authentication Modules): A framework used by Linux and other UNIX-like systems to consolidate authentication tasks. Applications like MariaDB can use PAM to authenticate users without needing to understand the underlying authentication mechanism. Operations such as system login, screen unlocking, and sudo access commonly use PAM.
nss-pam-ldapd: This is the software package that provides the necessary bridge between PAM and an LDAP server. It includes the core components required for authentication.
pam_ldap.so: A specific PAM module, provided by the nss-pam-ldapd package. This module is the "plug-in" that the PAM framework loads to handle authentication requests destined for an LDAP server.

The nslcd daemon is ran as a sidecar container and communication happens through the shared unix socket, following container best practices of keeping a single process per container.

What is needed for LDAP Auth?

nslcd is configured with 2 files. nslcd.conf which tells the daemon about the LDAP server and nsswitch.conf, determine the sources from which to obtain name-service information.

nslcd can be configured to run as a specific user based on the uid and gid props specified in the config file, however that user should have sufficient permissions to read/write to /var/run/nslcd, should own both nslcd.conf and nsswitch.conf and they should not be too open (0600).

Both of these configuration files will be attached later on in the example given.

nslcd.conf

The /etc/nslcd.conf is the configuration file for LDAP nameservice daemon.

In a production environment it is recommended to use LDAPS (LDAP secure), which uses traditional TLS encryption to secure data in transit. To do so, you need to add the following to your nslcd.conf file:

nsswitch.conf

The Name Service Switch (NSS) configuration file, located at /etc/nsswitch.conf. It is used by the GNU C Library and certain other applications to determine the sources from which to obtain name-service information in a range of categories, and in what order. Each category of information is identified by a database name.

Installing The PAM Plugin

The pam plugin is not enabled by default (even though it is installed). To enable it, you should add the following lines to your MariaDB Custom Resource:

See below for a complete example.

Combining It All Together

Fistly, we need to create our ConfigMaps and Secrets, that will store the nsswitch.conf, nslcd.conf and the mariadb pam module.

Make sure to adapt the nslcd-conf as per your ldap server configuration.

mariadb-nss-config.yaml:

kubectl apply -f mariadb-nss-config.yaml

Now that our configuration is done, we need to create the MariaDB custom resource along with needed configurations.

mariadb.yaml:

kubectl apply -f mariadb.yaml

And in the end we need to create our user in the database, which must have the same name as a user in ldap server. In the example below that's ldap-user. We also create mariadb-ldap secret, which holds the name of the plugin we are using as well as the module we need to load.

mariadb-user.yaml:

kubectl apply -f mariadb-user.yaml

After a few seconds, the user should have been created by the operator. To verify that all is working as expected, modify the <password> field below and run:

You should see something along the lines of:

LDAPS

If you followed the instructions for setting up a basic MariaDB instance with ldap, you need to fetch the public certificate that your LDAP server is set up with and add it to a called mariadb-ldap-tls.

If you have the certificate locally in a file called tls.crt you can run:

Known Issues

Slow Start On KIND

This may be a problem with the maximum number of file-handles a process can allocate. Some systems have this value set to really high, which causes an issue. To remedy this, you need to delete your kind cluster and run:

At this point, the problem should be fixed.

For more information, check .

Deployment Overview

What You Have

One Package: ai-nexus.deb

What's Inside the Package:

RAG API application
MCP Server application
Both applications bundled together

What You Need to Deploy

1. The Application Package (ai-nexus.deb)

This contains your RAG API and MCP Server applications.

2. A Database (MariaDB)

The applications need a database to store documents and vector embeddings.

3. Configuration (Secret Management Mode)

You need to choose HOW to provide secrets (API keys, passwords) to the applications.

Two Deployment Options

Option A: Deploy on Ubuntu (Native) ✅ SIMPLER

What happens: Install the .deb package directly on Ubuntu

Steps:

Install MariaDB on Ubuntu
Install ai-nexus.deb on Ubuntu
Configure secrets (choose a mode)
Start services

Guide: UBUNTU_DEPLOYMENT_GUIDE.md

Option B: Deploy with Docker (on Windows) 🐳

What happens: Package everything in Docker containers

Steps:

Build Docker image (wraps the .deb package)
Start containers with docker-compose
Configure secrets (choose a mode)

Guide: DOCKER_DEPLOYMENT_GUIDE.md

Secret Management Modes (Works with BOTH Options)

After you deploy the application (Ubuntu or Docker), you choose ONE mode:

Mode 1: Standalone (Simplest) ⭐

How it works: Secrets stored in a plain text config file

Config File Location:

Ubuntu: /opt/rag-in-a-box/config/config.env.template
Docker: config.env.secure.local

Example:

How to generate secure keys:

When to use: Development, testing, single developer

Mode 2: Local Vault (Production-Like) 🔐

How it works: Secrets stored in HashiCorp Vault (running locally)

Architecture:

Config File Location:

Ubuntu: /opt/rag-in-a-box/config/config.env.template
Docker: config.env.vault.local

Example:

When to use: Team development, production-like testing

Mode 3: 1Password (Enterprise) 🔑

How it works: Secrets stored in 1Password vault

Architecture:

Config File:

When to use: Enterprise with 1Password subscription

Mode 4: HCP Vault (Production Cloud) ☁️

How it works: Secrets stored in HashiCorp Cloud Platform

Architecture:

When to use: Production cloud deployments

Complete Deployment Flow

Scenario 1: Ubuntu Native + Standalone Mode

Scenario 2: Ubuntu Native + Vault Mode

Scenario 3: Docker + Standalone Mode

Scenario 4: Docker + Vault Mode

Key Points to Understand

1. The Package is the Same

The ai-nexus.deb package is identical regardless of:

Where you deploy it (Ubuntu or Docker)
Which secret mode you use (Standalone, Vault, 1Password, HCP)

2. Deployment Location is Independent of Secret Mode

You can use ANY secret mode with ANY deployment location:

Ubuntu + Standalone ✅
Ubuntu + Vault ✅
Ubuntu + 1Password ✅
Docker + Standalone ✅

3. The Application Decides at Startup

When RAG API and MCP Server start, they:

Read the config file
Check which mode is configured
Fetch secrets accordingly:
- Standalone: Read from config file directly

Which Guide to Use?

I want to deploy on Ubuntu (no Docker)

→ Use: UBUNTU_DEPLOYMENT_GUIDE.md

Then choose secret mode:

Standalone: Edit /opt/rag-in-a-box/config/config.env.template with actual secrets
Vault: Install Vault, store secrets, configure Vault connection in config
1Password: Install 1Password CLI, configure 1Password references in config

I want to deploy with Docker (on Windows)

→ Use: DOCKER_DEPLOYMENT_GUIDE.md

Then choose secret mode:

Standalone: Edit config.env.secure.local with actual secrets
Vault: Run Vault container, store secrets, use config.env.vault.local
1Password: Install 1Password CLI, use config.env.1password.employee

Quick Decision Tree

Example: Complete Ubuntu Deployment (Standalone)

Example: Complete Ubuntu Deployment (Vault)

Summary

One Package (ai-nexus.deb) contains RAG API + MCP Server

Two Deployment Options:

Ubuntu Native (install .deb directly)
Docker (wrap .deb in container)

Four Secret Modes (choose one):

Standalone (secrets in config file)
Local Vault (secrets in local Vault)
1Password (secrets in 1Password)
HCP Vault (secrets in cloud Vault)

The application is the same - only the deployment location and secret source change.

Which Documentation to Read?

Your Situation

Read This

Is this clearer now? The key insight is:

Same package everywhere
Choose where to deploy (Ubuntu or Docker)
Choose how to manage secrets (Standalone/Vault/1Password/HCP)

# /etc/nslcd.conf: Configuration file for nslcd(8)
# The user/group nslcd will run as. Note that these should not be LDAP users.
uid mysql # required to be `mysql`
gid mysql # required to be `mysql`

# The location of the LDAP server.
uri ldap://openldap-service.default.svc.cluster.local:389

# The search base that will be used for all queries.
base dc=openldap-service,dc=default,dc=svc,dc=cluster,dc=local

# The distinguished name with which to bind to the directory server for lookups.
# This is a service account used by the daemon.
binddn cn=admin,dc=openldap-service,dc=default,dc=svc,dc=cluster,dc=local
bindpw PASSWORD_REPLACE-ME

# Change the protocol to `ldaps`
+uri ldaps://openldap-service.default.svc.cluster.local:636
-uri ldap://openldap-service.default.svc.cluster.local:389

# ...

+tls_reqcert demand # Look at: https://linux.die.net/man/5/ldap.conf then search for TLS_REQCERT
+tls_cacertfile /etc/openldap/certs/tls.crt # You will need to mount this certificate (from a secret) later

---
apiVersion: v1
kind: Secret
type: Opaque
metadata:
  name: mariadb-nslcd-secret
stringData:
  nslcd.conf: |
    # /etc/nslcd.conf: Configuration file for nslcd(8)
    # The user/group nslcd will run as. Note that these should not be LDAP users.
    uid mysql # required to be `mysql`
    gid mysql # required to be `mysql`

    # The location of the LDAP server.
    uri ldap://openldap-service.default.svc.cluster.local:389

    # The search base that will be used for all queries.
    base dc=openldap-service,dc=default,dc=svc,dc=cluster,dc=local

    # The distinguished name with which to bind to the directory server for lookups.
    # This is a service account used by the daemon.
    binddn cn=admin,dc=openldap-service,dc=default,dc=svc,dc=cluster,dc=local
    bindpw PASSWORD_REPLACE-ME
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: mariadb-nsswitch-configmap
  labels:
    enterprise.mariadb.com/watch: ""
data:
  nsswitch.conf: |
    passwd:     files ldap
    group:      files ldap
    shadow:     files ldap
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: mariadb-pam-configmap
  labels:
    enterprise.mariadb.com/watch: ""
data:
  mariadb: |
    # This is needed to tell PAM to use pam_ldap.so
    auth required pam_ldap.so
    account required pam_ldap.so

---
apiVersion: v1
kind: Secret
metadata:
  name: mariadb # Used to hold the mariadb and root user passwords
  labels:
    enterprise.mariadb.com/watch: ""
stringData:
  password: MariaDB11!
  root-password: MariaDB11!
---
apiVersion: enterprise.mariadb.com/v1alpha1
kind: MariaDB
metadata:
  name: mariadb
spec:
  rootPasswordSecretKeyRef:
    name: mariadb
    key: root-password

  username: mariadb
  passwordSecretKeyRef:
    name: mariadb
    key: password
    generate: true
  database: mariadb

  port: 3306

  storage:
    size: 1Gi

  service:
    type: LoadBalancer
    metadata:
      annotations:
        metallb.universe.tf/loadBalancerIPs: 172.18.0.20

  myCnf: |
    [mariadb]
    bind-address=*
    default_storage_engine=InnoDB
    binlog_format=row
    innodb_autoinc_lock_mode=2
    innodb_buffer_pool_size=800M
    max_allowed_packet=256M

    plugin_load_add = auth_pam # Load auth plugin

  resources:
    requests:
      cpu: 1
      memory: 128Mi
    limits:
      memory: 1Gi

  metrics:
    enabled: true

  volumes: # Attach `nslcd.conf`, `nsswitch.conf` and `mariadb` (pam). Also add an emptyDir volume for `nslcd` socket
    - name: nslcd
      secret:
        secretName: mariadb-nslcd-secret
        defaultMode: 0600
    - name: nsswitch
      configMap:
        name: mariadb-nsswitch-configmap
        defaultMode: 0600
    - name: mariadb-pam
      configMap:
        name: mariadb-pam-configmap
        defaultMode: 0600
    - name: nslcd-run
      emptyDir: {}

  sidecarContainers:
    # The `nslcd` daemon is ran as a sidecar container
    - name: nslcd
      image: docker.mariadb.com/nslcd:0.9.10-13
      volumeMounts:
        - name: nslcd
          mountPath: /etc/nslcd.conf
          subPath: nslcd.conf
        - name: nsswitch
          mountPath: /etc/nsswitch.conf
          subPath: nsswitch.conf
      # nslcd-run is missing because volumeMounts from main container are shared with sidecar

  volumeMounts:
    - name: mariadb-pam
      mountPath: /etc/pam.d/mariadb
      subPath: mariadb
    - name: nslcd-run
      mountPath: /var/run/nslcd

---
apiVersion: v1
kind: Secret
metadata:
  name: mariadb-ldap
stringData:
  plugin: pam # name of the plugin, must be `pam`
  pamModule: mariadb # This is the name of the pam config file placed in `/etc/pam.d/`
---
apiVersion: enterprise.mariadb.com/v1alpha1
kind: User
metadata:
  name: ldap-user # This user must exist already in your ldap server.
spec:
  mariaDbRef:
    name: mariadb
  host: "%" # Don't specify the ldap host here. Keep this as is
  passwordPlugin:
    pluginNameSecretKeyRef:
      name: mariadb-ldap
      key: plugin
    pluginArgSecretKeyRef:
      name: mariadb-ldap
      key: pamModule

  cleanupPolicy: Delete
  requeueInterval: 10h
  retryInterval: 30s

If you don't see a command prompt, try pressing enter.
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 95
Server version: 11.4.7-4-MariaDB-enterprise MariaDB Enterprise Server

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]>

  volumes: # Attach `nslcd.conf`, `nsswitch.conf` and `mariadb` (pam). Also add an emptyDir volume for `nslcd` socket
    - name: nslcd
      secret:
        secretName: mariadb-nslcd-secret
        defaultMode: 0600
    - name: nsswitch
      configMap:
        name: mariadb-nsswitch-configmap
        defaultMode: 0600
    - name: mariadb-pam
      configMap:
        name: mariadb-pam-configmap
        defaultMode: 0600
    - name: nslcd-run
      emptyDir: {}
+    - name: ldap-tls
+      secret:
+        secretName: mariadb-ldap-tls
+        defaultMode: 0600

  sidecarContainers:
    # The `nslcd` daemon is ran as a sidecar container
    - name: nslcd
      image: docker.mariadb.com/nslcd:0.9.10-13
      volumeMounts:
        - name: nslcd
          mountPath: /etc/nslcd.conf
          subPath: nslcd.conf
        - name: nsswitch
          mountPath: /etc/nsswitch.conf
          subPath: nsswitch.conf
+        - name: ldap-tls
+          mountPath: /etc/openldap/certs/
      # nslcd-run is missing because volumeMounts from main container are shared with sidecar

  volumeMounts:
    - name: mariadb-pam
      mountPath: /etc/pam.d/mariadb
      subPath: mariadb
    - name: nslcd-run
      mountPath: /var/run/nslcd

Docker Deployment Guide

System Overview
Prerequisites

System Overview

What is MariaDB AI RAG?

MariaDB AI RAG (RAG-in-a-Box) is a containerized RAG system providing:

Document ingestion & processing (PDF, TXT, DOCX, MD, etc.)
Vector embeddings using Google Gemini
Semantic search & AI-powered queries
RESTful RAG API (Port 8000)

Architecture

Technology Stack

Container: Docker Desktop + Docker Compose
OS: Ubuntu 24.04 LTS
Database: MariaDB 11 with vector support
Embedding: Google Gemini text-embedding-004 (768-dim)

Prerequisites

Hardware Requirements

Component

Minimum

Recommended

Software Requirements

Windows 10/11 Pro/Enterprise (64-bit)
Docker Desktop 4.x+ with WSL 2 backend
PowerShell 5.1+ (built-in)

API Keys

Google Gemini API Key (Required)
- Get from: https://makersuite.google.com/app/apikey
- Free tier available

Port Requirements

8000 (RAG API)
8002 (MCP Server)
3306 (MariaDB)
8200 (Vault - if using Vault mode)

Pre-Deployment Checklist

1. Verify Docker Installation

2. Check Available Ports

3. Navigate to Project Directory

4. Configure API Key

Deployment - Standalone Mode

Standalone Mode = Simplest setup with secrets in config file

Step 1: Build Docker Image

Time: 2-5 minutes (first time)

Step 2: Start Services

Expected Output:

Step 3: Monitor Startup

Wait for:

Press Ctrl+C to exit logs (containers keep running)

Step 4: Verify Services

Expected:

Step 5: Test Accessibility

✅ Deployment Complete!

Access Points:

RAG API: http://localhost:8000/docs
MCP Server: http://localhost:8002/mcp

Deployment - Vault Mode

Vault Mode = Production-like secret management with HashiCorp Vault

Step 1: Build Docker Image

Step 2: Run Automated Vault Setup

Expected:

Step 3: Update Gemini API Key in Vault

Step 4: Start MariaDB AI RAG with Vault Config

Step 5: Monitor & Verify

✅ Deployment Complete!

Vault Management:

Post-Deployment

1. Generate Authentication Token

2. Authorize in Swagger UI

3. Test Document Ingestion

4. Test RAG Query

Usage Guide

Document Ingestion

Via Swagger UI

Open http://localhost:8000/docs
Authorize with Bearer token
Use POST /documents/ingest endpoint
Upload file(s)

Via PowerShell

RAG Query

Via Swagger UI

Open http://localhost:8000/docs
Use POST /orchestrate/generation endpoint
Enter your question
Get AI-generated answer

Via PowerShell

MCP Server Integration

For Windsurf/Claude Desktop

Add to MCP configuration:

Available MCP Tools

Database Tools: execute_sql, list_tables, get_table_schema
Vector Tools: create_vector_store, search_vector_store

Troubleshooting

Services Won't Start

Database Connection Errors

Port Already in Use

Authentication Fails

API Key Invalid

Health Check Timeout

Management Commands

View Status

View Logs

Stop Services

Start Services

Restart Services

Clean Everything (⚠️ Deletes Data)

Access Container Shell

View Resource Usage

Quick Reference

Standalone Mode

Vault Mode

Switching Modes

Access Points

RAG API: http://localhost:8000/docs
MCP Server: http://localhost:8002/mcp
Database: localhost:3306

Support

Check Logs

Verify Configuration

Test Connectivity

🎉 Deployment Complete! Your MariaDB AI RAG is ready to use.

# Generate a secure secret key (Python)
python3 -c "import secrets; print(secrets.token_urlsafe(64))"

# Or using PowerShell
[Convert]::ToBase64String((1..64 | ForEach-Object { Get-Random -Maximum 256 }))

Step 1: Install MariaDB on Ubuntu
    ↓
Step 2: Install ai-nexus.deb on Ubuntu
    ↓
Step# 3. Edit /opt/rag-in-a-box/config/config.env.template
        Put secrets directly in file (Standalone mode)
        GEMINI_API_KEY=your_actual_api_key
        DB_PASSWORD=your_secure_password
    ↓
Step 4: Start services in their own terminals by running:
        /opt/rag-in-a-box/bin/rag-api --config /path/to/config.env
        CONFIG_FILE=/path/to/config.env /opt/rag-in-a-box/bin/mcp-server
    ↓
Step 5: Application reads secrets from config file
    ↓
✅ Done! Application running with Standalone mode

Step 1: Install MariaDB on Ubuntu
    ↓
Step 2: Install HashiCorp Vault on Ubuntu
    ↓
Step# 3. Store secrets in Vault
        vault kv put secret/rag-in-a-box \
          GEMINI_API_KEY="your_api_key" \
          DB_PASSWORD="your_password"
    ↓
Step 4: Install ai-nexus.deb on Ubuntu
    ↓
Step 5: Edit /opt/rag-in-a-box/config/config.env.template
        Configure Vault connection (NOT the secrets themselves)
        VAULT_ADDR=http://127.0.0.1:8200
        VAULT_TOKEN=your_vault_root_token
    ↓
Step 6: Start services in their own terminals by running:
        /opt/rag-in-a-box/bin/rag-api --config /path/to/config.env
        CONFIG_FILE=/path/to/config.env /opt/rag-in-a-box/bin/mcp-server
    ↓
Step 7: Application connects to Vault and fetches secrets
    ↓
✅ Done! Application running with Vault mode

Step 1: Build Docker image (wraps ai-nexus.deb)
        docker build -t ai-nexus-image .
    ↓
Step# 2. Edit config.env.secure.local
        Put secrets directly in file (Standalone mode)
        GEMINI_API_KEY=your_actual_api_key
        DB_PASSWORD=your_secure_password
    ↓
Step 3: Start containers
        docker-compose up -d
        (Starts MariaDB container + ai-nexus container)
    ↓
Step 4: Application reads secrets from config file
    ↓
✅ Done! Application running with Standalone mode

Step 1: Build Docker image (wraps ai-nexus.deb)
        docker build -t ai-nexus-image .
    ↓
Step 2: Start Vault container
        docker-compose -f Localvault/docker-compose.vault.yml up -d
    ↓
Step 3. Store secrets in Vault
        docker exec vault vault kv put secret/rag-in-a-box \
          GEMINI_API_KEY="your_api_key" \
          DB_PASSWORD="your_password"
    ↓
Step 4: Edit config.env.vault.local
        Configure Vault connection
        VAULT_ADDR=http://rag-vault:8200
        VAULT_TOKEN=your_vault_token
    ↓
Step 5: Start containers with Vault config
        docker-compose --env-file config.env.vault.local up -d
    ↓
Step 6: Application connects to Vault and fetches secrets
    ↓
✅ Done! Application running with Vault mode

Do you have Ubuntu system?
├─ Yes → Deploy natively on Ubuntu
│         Guide: UBUNTU_DEPLOYMENT_GUIDE.md
│         
│         Choose secret mode:
│         ├─ Simple testing? → Standalone
│         ├─ Team development? → Local Vault
│         ├─ Have 1Password? → 1Password
│         └─ Production cloud? → HCP Vault
│
└─ No (Windows/Mac) → Deploy with Docker
          Guide: DOCKER_DEPLOYMENT_GUIDE.md
          
          Choose secret mode:
          ├─ Simple testing? → Standalone
          ├─ Team development? → Local Vault (Docker)
          ├─ Have 1Password? → 1Password
          └─ Production cloud? → HCP Vault

# 1. Install database
sudo apt install -y mariadb-server
sudo mysql_secure_installation

# 2. Create database
sudo mariadb -u root -p
CREATE DATABASE kb_chunks;
EXIT;

# 3. Install application
sudo apt install -y ./ai-nexus.deb

# 4. Configure (Standalone mode - secrets in file)
cp /opt/rag-in-a-box/config/config.env.template /path/to/config.env
nano /path/to/config.env

# Add these lines:
GEMINI_API_KEY=your_actual_gemini_api_key_here
DB_PASSWORD=your_secure_database_password
SECRET_KEY=your_generated_secret_key_must_be_same_for_all_three
JWT_SECRET_KEY=your_generated_secret_key_must_be_same_for_all_three
MCP_AUTH_SECRET_KEY=your_generated_secret_key_must_be_same_for_all_three

# 5. Start services in their own terminals:
/opt/rag-in-a-box/bin/rag-api --config /path/to/config.env
CONFIG_FILE=/path/to/config.env /opt/rag-in-a-box/bin/mcp-server

# 6. Verify
curl http://localhost:8000/health

# ✅ Done! Running in Standalone mode

# 1. Install database
sudo apt install -y mariadb-server
sudo mysql_secure_installation
sudo mariadb -u root -p -e "CREATE DATABASE kb_chunks;"

# 2. Install Vault
wget https://releases.hashicorp.com/vault/1.15.0/vault_1.15.0_linux_amd64.zip
unzip vault_1.15.0_linux_amd64.zip
sudo mv vault /usr/local/bin/

# 3. Start Vault
vault server -dev &
export VAULT_ADDR='http://127.0.0.1:8200'
export VAULT_TOKEN='root'

# 4. Store secrets in Vault
vault kv put secret/rag-in-a-box \
  GEMINI_API_KEY="your_actual_gemini_api_key" \
  DB_PASSWORD="your_secure_database_password" \
  SECRET_KEY="your_generated_secret_key"

# 5. Install application
sudo apt install -y ./ai-nexus.deb

# 6. Configure (Vault mode - connection info only)
cp /opt/rag-in-a-box/config/config.env.template /path/to/config.env
nano /path/to/config.env

# Add these lines:
VAULT_ADDR=http://127.0.0.1:8200
VAULT_TOKEN=your_vault_root_token
VAULT_SECRET_PATH=rag-in-a-box
VAULT_MOUNT_POINT=secret

# 7. Start services in their own terminals:
/opt/rag-in-a-box/bin/rag-api --config /path/to/config.env
CONFIG_FILE=/path/to/config.env /opt/rag-in-a-box/bin/mcp-server

# 8. Verify
curl http://localhost:8000/health

# ✅ Done! Running in Vault mode
# Application fetched secrets from Vault at startup

ingest_documents

generate_response

API Reference

MariaDB AI RAG exposes a comprehensive RESTful API for programmatic interaction with the system. All API endpoints require authentication except for the login endpoint.

Authentication Endpoints

Purpose: Authenticates a user and provides a JWT token for subsequent API calls.

Request body:

Response:

Usage Example: Authentication should be performed before any other API calls. The returned JWT token must be included in the Authorization header of subsequent requests:

Document Management Endpoints

Upload Documents

Purpose: Uploads and processes one or more documents for ingestion into the system. Documents are processed asynchronously in the background.

Request: multipart/form-data with one or more file attachments

Request Parameters:

files: One or more files to upload (required)

Response:

Status Values:

pending: Document is queued for processing
completed: Document has been successfully processed
failed: Document processing failed (check error_message)

Usage Example: Upload one or more documents for ingestion.

Note: The endpoint accepts both single and multiple files. Documents are processed asynchronously, so the initial status will be pending. Use the document ID to check processing status later.

List Documents

Purpose: Retrieves a paginated list of all documents uploaded by the authenticated user.

Parameters:

skip (optional): Number of records to skip for pagination (default: 0)
limit (optional): Maximum number of records to return (default: 100)

Response:

Usage Example: Use this endpoint to monitor all documents in the system, check their processing status, or select documents for further operations.

Retrieve Document

Purpose: Retrieves detailed information about a specific document.

Response:

Usage Example: Use this endpoint to check the status of a specific document or retrieve its metadata.

Delete Documents

Purpose: Deletes multiple documents and their associated chunks and vector embeddings.

Request body:

Response:

Usage Example: Use this endpoint to remove documents that are no longer needed, freeing up storage space and improving search performance.

Chunking Endpoints

Chunk Documents (Batch)

Purpose: Processes multiple documents into chunks and creates vector embeddings for semantic search. Documents are processed asynchronously in the background.

Request body:

Chunking Methods:

recursive: Recursive text splitting (default)
sentence: Sentence-based chunking
token: Token-based chunking

Response:

Usage Example: Use this endpoint after document ingestion to prepare documents for semantic search. The chunking process divides documents into semantically meaningful segments and creates vector embeddings.

Note: For semantic chunking, the threshold parameter controls how similar adjacent chunks should be before they are merged.

Chunk All Documents

Purpose: Processes all documents in the system into chunks. Useful for batch processing or reprocessing all documents with new chunking parameters.

Request body:

Response:

Usage Example: Use this endpoint to reprocess all documents with new chunking settings.

Filter/Retrieve Chunks

Purpose: Retrieves chunks for specific documents. Use this to check if chunking has completed or to retrieve chunk data.

Request body:

Response: Array of chunk objects

Usage Example: Check if documents have been chunked and retrieve their chunks.

Retrieval and Search Endpoints

Semantic Retrieval

Purpose: Performs semantic search to retrieve relevant document chunks based on a query using vector similarity.

Request body:

Request Parameters:

query (required): The search query
top_k (optional): Number of results to return (default: 20)
document_ids (optional): Filter results to specific document IDs (default: all documents)

Response: Array of retrieval results

Response Fields:

id: Unique chunk identifier
document_id: ID of the source document
content: The chunk text content

Usage Example: Use this endpoint to find semantically relevant information. The system converts your query into a vector embedding and finds the most similar chunks.

Full-Text Search

Purpose: Performs full-text search using MariaDB's FULLTEXT index to find relevant document chunks.

Request body:

Request Parameters:

query (required): The search query
top_k (optional): Number of results to return (default: 10)
document_ids (optional): Filter results to specific document IDs

Response: Array of search results

Response Fields:

id: Unique chunk identifier
document_id: ID of the source document
source: File path of the source document

Usage Example: Use this endpoint for keyword-based search when you need exact term matching.

Hybrid Search

Purpose: Combines semantic search (vector similarity) and full-text search using Reciprocal Rank Fusion (RRF) for optimal results.

Request body:

Request Parameters:

query (required): The search query
top_k (optional): Number of results to return (default: 20)
k (optional): RRF parameter for rank fusion (default: 60)

Response: Array of hybrid search results

Response Fields:

id: Unique chunk identifier
document_id: ID of the source document
source: File path of the source document

Usage Example: Use this endpoint for the best of both worlds - combining semantic understanding with keyword matching.

Generate Text

Purpose: Generates a response to a query using a language model and the provided context chunks.

Request body:

Request Parameters:

query (required): The user's question or prompt
chunks (required): Array of context chunks to use for generation
llm_provider (optional): LLM provider - openai, anthropic, gemini

Response:

Usage Example: Use this endpoint after retrieving relevant chunks to generate a coherent response based on the information in those chunks.

Asynchronous Generation

Purpose: Generates a response asynchronously, useful for long-running generation tasks.

Request body: Same as /generate

Response: Same as /generate

Usage Example: Use this endpoint for generation tasks that may take longer to complete.

Streaming Generation

Purpose: Generates a response with streaming output (Server-Sent Events), allowing for real-time display of results as tokens are generated.

Request body: Same as /generate

Response: Server-Sent Events (SSE) stream with the following event types:

Usage Example: Use this endpoint for a better user experience when generating longer responses, as it allows displaying partial results as they become available.

Windows Host
  └─ Docker Desktop
      ├─ ai-nexus Container (Ubuntu 24.04)
      │   ├─ RAG API (Port 8000) - FastAPI
      │   └─ MCP Server (Port 8002) - FastAPI
      └─ mysql-db Container (MariaDB 11)
          └─ Vector Database (Port 3306)

# Navigate to your MariaDB AI RAG deployment directory
cd "<path-to-your-mariadb-ai-rag-directory>"

# Verify required files exist
Get-ChildItem | Select-Object Name

# Required files:
# ✓ ai-nexus.deb
# ✓ Dockerfile
# ✓ docker-compose.yml
# ✓ start-services.sh
# ✓ config.env.secure.local

# View secrets
docker exec -e VAULT_TOKEN=rag-root-token rag-vault vault kv get secret/rag-in-a-box

# Update secret
docker exec -e VAULT_TOKEN=rag-root-token rag-vault vault kv patch secret/rag-in-a-box KEY="value"

# Restart to apply changes
docker restart ai-nexus

# Open Swagger UI
Start-Process "http://localhost:8000/docs"

# In browser:
# 1. Navigate to POST /token endpoint
# 2. Click "Try it out"
# 3. Enter credentials:
#    {
#      "username": "admin",
#      "password": "your_password"
#    }
# 4. Click "Execute"
# 5. Copy the "access_token" from response

$token = "YOUR_TOKEN_HERE"
$headers = @{
    "Authorization" = "Bearer $token"
}

$file = "C:\path\to\document.pdf"
$form = @{
    file = Get-Item -Path $file
}

Invoke-RestMethod -Uri "http://localhost:8000/documents/ingest" `
    -Method POST `
    -Headers $headers `
    -Form $form

$token = "YOUR_TOKEN_HERE"
$headers = @{
    "Authorization" = "Bearer $token"
    "Content-Type" = "application/json"
}

$body = @{
    query = "What is the main topic of the document?"
} | ConvertTo-Json

Invoke-RestMethod -Uri "http://localhost:8000/orchestrate/generation" `
    -Method POST `
    -Headers $headers `
    -Body $body

# Check MariaDB status
docker logs mysql-db --tail 20

# Wait for healthy status
docker-compose ps
# Look for "(healthy)" next to mysql-db

# Verify DB_HOST in config
# Should be: DB_HOST=mysql-db

# Verify secret keys are identical
docker exec ai-nexus env | Select-String "SECRET"

# All three must match:
# SECRET_KEY
# JWT_SECRET_KEY
# MCP_AUTH_SECRET_KEY

# If different, edit config and restart
docker-compose down
docker-compose up -d

# Test Gemini API key
$apiKey = "YOUR_API_KEY"
$uri = "https://generativelanguage.googleapis.com/v1beta/models?key=$apiKey"
Invoke-RestMethod -Uri $uri

# If error: Get new key from https://makersuite.google.com/app/apikey
# Update in config.env.secure.local or Vault
# Restart: docker restart ai-nexus

# Setup Vault (one-time)
.\Localvault\setup_vault_local.ps1

# Start
docker-compose --env-file config.env.vault.local up -d

# Stop
docker-compose down
docker-compose -f "Localvault/docker-compose.vault.yml" down

# RAG API
Invoke-RestMethod -Uri "http://localhost:8000/health"

# MCP Server
Invoke-RestMethod -Uri "http://localhost:8002/health"

# Database (from container)
docker exec ai-nexus curl -s http://mysql-db:3306

apiVersion: enterprise.mariadb.com/v1alpha1
kind: PhysicalBackup
metadata:
  name: physicalbackup
spec:
  mariaDbRef:
    name: mariadb
  storage:
    volumeSnapshot:
      volumeSnapshotClassName: csi-hostpath-snapclass

apiVersion: enterprise.mariadb.com/v1alpha1
kind: PhysicalBackup
metadata:
  name: physicalbackup
spec:
  mariaDbRef:
    name: mariadb
  storage:
    s3:
      bucket: physicalbackups
      endpoint: minio.minio.svc.cluster.local:9000
      accessKeyIdSecretKeyRef:
        name: minio
        key: access-key-id
      secretAccessKeySecretKeyRef:
        name: minio
        key: secret-access-key
      tls:
        enabled: true
        caSecretKeyRef:
          name: minio-ca
          key: ca.crt

apiVersion: enterprise.mariadb.com/v1alpha1
kind: PhysicalBackup
metadata:
  name: physicalbackup
spec:
  mariaDbRef:
    name: mariadb
  schedule:
    cron: "*/1 * * * *"
    suspend: false
    immediate: true

apiVersion: enterprise.mariadb.com/v1alpha1
kind: MariaDB
metadata:
  name: mariadb-galera
spec:
  bootstrapFrom:
    s3:
      bucket: physicalbackups
      prefix: mariadb
      endpoint: minio.minio.svc.cluster.local:9000
      accessKeyIdSecretKeyRef:
        name: minio
        key: access-key-id
      secretAccessKeySecretKeyRef:
        name: minio
        key: secret-access-key
      tls:
        enabled: true
        caSecretKeyRef:
          name: minio-ca
          key: ca.crt
    backupContentType: Physical

apiVersion: enterprise.mariadb.com/v1alpha1
kind: PhysicalBackup
metadata:
  name: physicalbackup
spec:
  mariaDbRef:
    name: mariadb
  storage:
    s3:
      bucket: physicalbackups
      endpoint: minio.minio.svc.cluster.local:9000
      accessKeyIdSecretKeyRef:
        name: minio
        key: access-key-id
      secretAccessKeySecretKeyRef:
        name: minio
        key: secret-access-key
      tls:
        enabled: true
        caSecretKeyRef:
          name: minio-ca
          key: ca.crt

apiVersion: enterprise.mariadb.com/v1alpha1
kind: PhysicalBackup
metadata:
  name: physicalbackup
spec:
  mariaDbRef:
    name: mariadb
  serviceAccountName: mariadb-backup
  storage:
    s3:
      bucket: physicalbackups
      prefix: mariadb
      endpoint: s3.us-east-1.amazonaws.com
      region:  us-east-1
      tls:
        enabled: true

apiVersion: enterprise.mariadb.com/v1alpha1
kind: PhysicalBackup
metadata:
  name: physicalbackup
spec:
  mariaDbRef:
    name: mariadb
  storage:
    s3:
      bucket: physicalbackups
      prefix: mariadb
      endpoint: minio.minio.svc.cluster.local:9000
      region:  us-east-1
      accessKeyIdSecretKeyRef:
        name: minio
        key: access-key-id
      secretAccessKeySecretKeyRef:
        name: minio
        key: secret-access-key
      tls:
        enabled: true
        caSecretKeyRef:
          name: minio-ca
          key: ca.crt
  stagingStorage:
    persistentVolumeClaim:
      resources:
        requests:
          storage: 1Gi
      accessModes:
        - ReadWriteOnce

apiVersion: enterprise.mariadb.com/v1alpha1
kind: MariaDB
metadata:
  name: mariadb-galera
spec:
  mariaDbRef:
    name: mariadb
  bootstrapFrom:
    s3:
      bucket: physicalbackups
      prefix: mariadb
      endpoint: minio.minio.svc.cluster.local:9000
      accessKeyIdSecretKeyRef:
        name: minio
        key: access-key-id
      secretAccessKeySecretKeyRef:
        name: minio
        key: secret-access-key
      tls:
        enabled: true
        caSecretKeyRef:
          name: minio-ca
          key: ca.crt
    backupContentType: Physical
    stagingStorage:
      persistentVolumeClaim:
        resources:
          requests:
            storage: 1Gi
        accessModes:
          - ReadWriteOnce

apiVersion: enterprise.mariadb.com/v1alpha1
kind: MariaDB
metadata:
  name: mariadb
spec:
  bootstrapFrom:
    restoreJob:
      resources:
        requests:
          cpu: 100m
          memory: 128Mi
        limits:
          memory: 1Gi

kubectl get physicalbackups physicalbackup -o json | jq -r '.status'

{
  "conditions": [
    {
      "lastTransitionTime": "2025-07-14T07:01:14Z",
      "message": "Success",
      "reason": "JobComplete",
      "status": "True",
      "type": "Complete"
    }
  ],
  "lastScheduleCheckTime": "2025-07-14T07:00:00Z",
  "lastScheduleTime": "2025-07-14T07:00:00Z",
  "nextScheduleTime": "2025-07-15T07:00:00Z"
}

kubectl get events --field-selector involvedObject.name=physicalbackup

LAST SEEN   TYPE     REASON                  OBJECT                                 MESSAGE
116s        Normal   WaitForFirstConsumer    persistentvolumeclaim/physicalbackup   waiting for first consumer to be created before binding
116s        Normal   JobScheduled            physicalbackup/physicalbackup          Job physicalbackup-20250714140837 scheduled
116s        Normal   ExternalProvisioning    persistentvolumeclaim/physicalbackup   Waiting for a volume to be created either by the external provisioner 'rancher.io/local-path' or manually by the system administrator. If volume creation is delayed, please verify that the provisioner is running and correctly registered.
116s        Normal   Provisioning            persistentvolumeclaim/physicalbackup   External provisioner is provisioning volume for claim "default/physicalbackup"
113s        Normal   ProvisioningSucceeded   persistentvolumeclaim/physicalbackup   Successfully provisioned volume pvc-7b7c71f9-ea7e-4950-b612-2d41d7ab35b7

mariadb [00] 2025-08-04 09:15:57 Was only able to copy log from 58087 to 59916, not 68968; try increasing
innodb_log_file_size
mariadb mariabackup: Stopping log copying thread.[00] 2025-08-04 09:15:57 Retrying read of log at LSN=59916

semantic: Semantic similarity-based chunking (requires threshold)

metadata: Additional metadata about the chunk

content: The chunk text content

provider (optional): Embedding provider for semantic search

content: The chunk text content

cohere

ollama

azure

bedrock

Ubuntu Deployment Guide

MariaDB AI RAG - Ubuntu Native Deployment Guide

Deploy MariaDB AI RAG .deb package directly on Ubuntu (without Docker)

Quick Start

Prerequisites

System Requirements

OS: Ubuntu 22.04 LTS or 24.04 LTS (x86_64)
CPU: 4+ cores (8+ recommended)
RAM: 8+ GB (16+ recommended)
Storage: 20+ GB free

Required

Google Gemini API Key: Get from https://makersuite.google.com/app/apikey

Verify System

Step 1: Install MariaDB

Step 2: Secure MariaDB

Follow prompts:

Enter current password for root: [Press Enter]
Switch to unix_socket authentication? n
Change the root password? Y
- New password: [Choose a secure password]

Step 3: Create Database

In MariaDB shell:

Step 4: Configure MariaDB

Add under [mysqld] section:

Save and restart:

Step 5: Install MariaDB AI RAG Package

Verify installation:

Step 6: Configure MariaDB AI RAG

Update these essential settings:

Save: Ctrl+X, Y, Enter

Step 7: Start Services in their own terminals

Step 8: Verify Deployment

Check listening ports:

Should show LISTEN on both ports

Test Health Endpoints

View Logs

Expected log messages:

Step 9: Test Functionality

Generate Authentication Token

Test Document Upload

Test RAG Query

Verify Database

In MariaDB:

Access Points

After successful deployment:

RAG API Swagger UI: http://<server-ip>:8000/docs
RAG API Health: http://<server-ip>:8000/health
MCP Server: http://<server-ip>:8002/mcp
MCP Health: http://<server-ip>:8002/health

Get server IP:

Troubleshooting

Services Won't Start

Check logs in the terminal windows

Common causes:

MariaDB not running

Configuration errors

Port already in use

Permission issues

Database Connection Fails

Authentication Fails

API Key Invalid

Port Already in Use

Out of Memory

Maintenance

Daily Operations

Backup Database

Update Configuration

Update MariaDB AI RAG

Optimize Database

Uninstall

Security Best Practices

Change Default Passwords

Update config:

Generate New Secret Keys

Configure Firewall

Restrict Database Access

Update config:

Quick Reference

Essential Commands

File Locations

Service Dependencies

Start order: MariaDB → RAG API → MCP Server Stop order: MCP Server → RAG API → MariaDB

Architecture Overview

Performance Tuning

MariaDB Optimization

System Resources

Deployment Complete! 🎉

Your MariaDB AI RAG is now running natively on Ubuntu.

Next Steps:

Access Swagger UI: http://<server-ip>:8000/docs
Generate authentication token
Upload test documents
Start querying with RAG

For support:

Check logs
Verify config: nano /path/to/config.env
Test health: curl http://localhost:8000/health

{
  "message": "2 documents have been queued for ingestion.",
  "documents": [
    {
      "id": 42,
      "source": "/uploaded_files/example1.pdf",
      "filename": "example1.pdf",
      "status": "pending",
      "content": null,
      "error_message": null,
      "created_at": "2025-10-20T12:00:00.123456",
      "updated_at": null
    },
    {
      "id": 43,
      "source": "/uploaded_files/example2.docx",
      "filename": "example2.docx",
      "status": "pending",
      "content": null,
      "error_message": null,
      "created_at": "2025-10-20T12:00:00.234567",
      "updated_at": null
    }
  ]
}

# Upload single document
curl -X POST "http://localhost:8000/documents/ingest" \
  -H "Authorization: Bearer YOUR_TOKEN" \
  -F "files=@/path/to/document.pdf"

# Upload multiple documents
curl -X POST "http://localhost:8000/documents/ingest" \
  -H "Authorization: Bearer YOUR_TOKEN" \
  -F "files=@/path/to/document1.pdf" \
  -F "files=@/path/to/document2.docx"

{
  "documents": [
    {
      "id": 42,
      "filename": "example.pdf",
      "content_type": "application/pdf",
      "size": 1048576,
      "status": "completed",
      "created_at": "2025-08-25T11:42:00.123456",
      "updated_at": "2025-08-25T11:43:30.123456",
      "chunk_count": 15
    },
    {...}
  ],
  "total_count": 42,
  "page": 1,
  "pages": 5
}

{
  "id": 42,
  "filename": "example.pdf",
  "content_type": "application/pdf",
  "size": 1048576,
  "status": "completed",
  "created_at": "2025-08-25T11:42:00.123456",
  "updated_at": "2025-08-25T11:43:30.123456",
  "chunk_count": 15,
  "metadata": {
    "page_count": 10,
    "author": "John Doe",
    "creation_date": "2025-08-20"
  }
}

curl -X POST "http://localhost:8000/chunk" \
  -H "Authorization: Bearer YOUR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "document_ids": [42, 43],
    "chunking_method": "semantic",
    "chunk_size": 512,
    "chunk_overlap": 128,
    "threshold": 0.8
  }'

curl -X POST "http://localhost:8000/chunk/all" \
  -H "Authorization: Bearer YOUR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "chunking_method": "recursive",
    "chunk_size": 512,
    "chunk_overlap": 128
  }'

[
  {
    "id": "uuid-string",
    "document_id": 42,
    "chunk_text": "This is the content of the first chunk...",
    "chunk_index": 0,
    "embedding": [0.123, 0.456, ...],
    "metadata": {}
  },
  {
    "id": "uuid-string-2",
    "document_id": 42,
    "chunk_text": "This is the content of the second chunk...",
    "chunk_index": 1,
    "embedding": [0.789, 0.012, ...],
    "metadata": {}
  }
]

[
  {
    "id": "uuid-chunk-id",
    "document_id": 42,
    "content": "MariaDB AI RAG is an enterprise-grade RAG solution...",
    "metadata": {},
    "distance": 0.15
  },
  {
    "id": "uuid-chunk-id-2",
    "document_id": 43,
    "content": "Key features include document processing and semantic search...",
    "metadata": {},
    "distance": 0.23
  }
]

curl -X POST "http://localhost:8000/retrieve" \
  -H "Authorization: Bearer YOUR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "query": "What is MariaDB AI RAG?",
    "top_k": 5,
    "document_ids": [42, 43]
  }'

[
  {
    "id": "uuid-chunk-id",
    "document_id": 42,
    "source": "/uploaded_files/product_overview.pdf",
    "content": "MariaDB features include vector search, full-text indexing...",
    "score": 15.5
  },
  {
    "id": "uuid-chunk-id-2",
    "document_id": 43,
    "source": "/uploaded_files/technical_docs.pdf",
    "content": "Additional MariaDB capabilities for enterprise applications...",
    "score": 12.3
  }
]

[
  {
    "id": "uuid-chunk-id",
    "document_id": 42,
    "source": "/uploaded_files/product_overview.pdf",
    "content": "MariaDB vector capabilities enable semantic search...",
    "metadata": {},
    "distance": 0.18,
    "score": 14.2
  },
  {
    "id": "uuid-chunk-id-2",
    "document_id": 43,
    "source": "/uploaded_files/technical_docs.pdf",
    "content": "Vector indexing in MariaDB provides fast similarity search...",
    "metadata": {},
    "distance": 0.25,
    "score": 11.8
  }
]

curl -X POST "http://localhost:8000/hybrid_search" \
  -H "Authorization: Bearer YOUR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "query": "MariaDB vector capabilities",
    "top_k": 10,
    "k": 60
  }'

{
  "query": "Explain MariaDB AI RAG features",
  "chunks": [
    "MariaDB AI RAG is an enterprise-grade RAG solution that integrates with MariaDB...",
    "Key features include document processing, semantic search, and AI-powered responses..."
  ],
  "llm_provider": "openai",
  "llm_model": "gpt-4",
  "temperature": 0.7,
  "top_p": 0.9,
  "max_tokens": 1000
}

curl -X POST "http://localhost:8000/generate" \
  -H "Authorization: Bearer YOUR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "query": "Explain MariaDB AI RAG features",
    "chunks": ["chunk1", "chunk2"],
    "llm_provider": "openai",
    "llm_model": "gpt-4",
    "temperature": 0.7
  }'

curl -X POST "http://localhost:8000/generate-async" \
  -H "Authorization: Bearer YOUR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "query": "Provide a detailed analysis",
    "chunks": ["chunk1", "chunk2"],
    "llm_provider": "openai",
    "llm_model": "gpt-4"
  }'

// Start event
{"type": "start", "provider": "openai", "model": "gpt-4"}

// Token events (streamed as generated)
{"type": "token", "content": "MariaDB", "chunk_index": 1}
{"type": "token", "content": " Data", "chunk_index": 2}
{"type": "token", "content": " Bridge", "chunk_index": 3}

// Completion event
{"type": "complete", "duration": 2.5, "chunks_streamed": 150}

// Error event (if error occurs)
{"type": "error", "message": "Error description"}

curl -X POST "http://localhost:8000/generate-stream" \
  -H "Authorization: Bearer YOUR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "query": "Explain MariaDB AI RAG features",
    "chunks": ["chunk1", "chunk2"],
    "llm_provider": "openai",
    "llm_model": "gpt-4"
  }'

Although logical backups are a great fit for data mobility and migrations, they are not as efficient as physical backups for large databases. For this reason, physical backups are the recommended method for backing up MariaDB databases, especially in production environments.

Synchronous Multi-Master With Galera

MariaDB Enterprise Kubernetes Operator provides cloud native support for provisioning and operating multi-master MariaDB clusters using Galera. This setup enables the ability to perform writes on a single node and reads in all nodes, enhancing availability and allowing scalability across multiple nodes.

In certain circumstances, it could be the case that all the nodes of your cluster go down at the same time, something that Galera is not able to recover by itself, and it requires manual action to bring the cluster up again, as documented in the Galera documentation. The MariaDB Enterprise Kubernetes Operator encapsulates this operational expertise in the MariaDB CR. You just need to declaratively specify spec.galera, as explained in more detail later in this guide.

To accomplish this, after the MariaDB cluster has been provisioned, the operator will regularly monitor the cluster's status to make sure it is healthy. If any issues are detected, the operator will initiate the recovery process to restore the cluster to a healthy state. During this process, the operator will set status conditions in the MariaDB and emit Events so you have a better understanding of the recovery progress and the underlying activities being performed. For example, you may want to know which Pods were out of sync to further investigate infrastructure-related issues (i.e. networking, storage...) on the nodes where these Pods were scheduled.

`MariaDB` configuration

The easiest way to get a MariaDB Galera cluster up and running is setting spec.galera.enabled = true:

This relies on sensible defaults set by the operator, which may not be suitable for your Kubernetes cluster. This can be solved by overriding the defaults, so you have fine-grained control over the Galera configuration.

Refer to the to better understand the purpose of each field.

Storage

By default, the operator provisions two PVCs for running Galera:

Storage PVC: Used to back the MariaDB data directory, mounted at /var/lib/mysql.
Config PVC: Where the Galera config files are located, mounted at /etc/mysql/conf.d.

However, you are also able to use just one PVC for keeping both the data and the config files:

Wsrep provider

You are able to pass extra options to the Galera wsrep provider by using the galera.providerOptions field:

It is important to note that, the ist.recv_addr cannot be set by the user, as it is automatically configured to the Pod IP by the operator, something that an user won't be able to know beforehand.

A list of the available options can be found in the .

IPv6 support

If you have a Kubernetes cluster running with IPv6, the operator will automatically detect the IPv6 addresses of your Pods and it will configure several options to ensure that the Galera protocol runs smoothly with IPv6.

Galera cluster recovery

MariaDB Enterprise Kubernetes Operator monitors the Galera cluster and acts accordinly to recover it if needed. This feature is enabled by default, but you may tune it as you need:

The minClusterSize field indicates the minimum cluster size (either absolut number of replicas or percentage) for the operator to consider the cluster healthy. If the cluster is unhealthy for more than the period defined in clusterHealthyTimeout (30s by default), a cluster recovery process is initiated by the operator. The process is explained in the and consists of the following steps:

Recover the sequence number from the grastate.dat on each node.
Trigger a to obtain the sequence numbers in case that the previous step didn't manage to.
Mark the node with highest sequence (bootstrap node) as safe to bootstrap.
Bootstrap a new cluster in the bootstrap node.

The operator monitors the Galera cluster health periodically and performs the cluster recovery described above if needed. You are able to tune the monitoring interval via the clusterMonitorInterval field.

Refer to the to better understand the purpose of each field.

Galera recovery `Job`

During the recovery process, a Job is triggered for each MariaDB Pod to obtain the sequence numbers. It's crucial for this Job to succeed; otherwise, the recovery process will fail. As a user, you are responsible for adjusting this Job to allocate sufficient resources and provide the necessary metadata to ensure its successful completion.

For example, if you're using a service mesh like Istio, it's important to add the sidecar.istio.io/inject=false label. Without this label, the Job will not complete, which would prevent the recovery process from finishing successfully.

Force cluster bootstrap

Use this option only in exceptional circumstances. Not selecting the Pod with the highest sequence number may result in data loss.

Ensure you unset forceClusterBootstrapInPod after completing the bootstrap to allow the operator to choose the appropriate Pod to bootstrap from in an event of cluster recovery.

You have the ability to manually select which Pod is used to bootstrap a new cluster during the recovery process by setting forceClusterBootstrapInPod:

This should only be used in exceptional circumstances:

You are absolutely certain that the chosen Pod has the highest sequence number.
The operator has not yet selected a Pod to bootstrap from.

You can verify this with the following command:

In this case, assuming that mariadb-galera-2 sequence is lower than 350454, it should be safe to bootstrap from mariadb-galera-0.

Finally, after your cluster has been bootstrapped, remember to unset forceClusterBootstrapInPod to allow the operator to select the appropriate node for bootstrapping in the event of a cluster recovery.

Bootstrap Galera cluster from existing PVCs

MariaDB Enterprise Kubernetes Operator will never delete your MariaDB PVCs. Whenever you delete a MariaDB resource, the PVCs will remain intact so you could reuse them to re-provision a new cluster.

That said, Galera is unable to form a cluster from pre-existing state, it requires a process to identify which Pod has the highest sequence number to bootstrap a new cluster. That's exactly what the operator does: whenever a new MariaDB Galera cluster is created and previously created PVCs exist, a cluster recovery process is automatically triggered.

Quickstart

Apply the following manifests to get started with Galera in Kubernetes:

Next, check the MariaDB status and the resources created by the operator:

Let's now proceed with simulating a Galera cluster failure by deleting all the Pods at the same time:

After some time, we will see the MariaDB entering a non Ready state:

Eventually, the operator will kick in and recover the Galera cluster:

Finally, the MariaDB resource will become Ready and your Galera cluster will be operational again:

Troubleshooting

The aim of this section is showing you how to diagnose your Galera cluster when something goes wrong. In this situations, observability is a key factor to understand the problem, so we recommend following these steps before jumping into debugging the problem.

Inspect MariaDB status conditions.

Make sure network connectivity is fine by checking that you have an Endpoint per Pod in your Galera cluster.

Check the events associated with the MariaDB object, as they provide significant insights for diagnosis, particularly within the context of cluster recovery.

Enable debug logs in mariadb-enterprise-operator.

Get the logs of all the MariaDB Pod containers, not only of the main mariadb container but also the agent and init ones.

Once you are done with these steps, you will have the context required to jump ahead to the section to see if any of them matches your case.

Common errors

Galera cluster recovery not progressing

If your MariaDB Galera cluster has been in GaleraNotReady state for a long time, the recovery process might not be progressing. You can diagnose this by checking:

Operator logs.
Galera recovery status:

MariaDB events:

If you have Pods named <mariadb-name>-<ordinal>-recovery-<suffix> running for a long time, check its logs to understand if something is wrong.

One of the reasons could be misconfigured Galera recovery Jobs, please make sure you read . If after checking all the points above, there are still no clear symptoms of what could be wrong, continue reading.

First af all, you could attempt to forcefully bootstrap a new cluster as it is described in . Please, refrain from doing so if the conditions described in the docs are not met.

Alternatively, if you can afford some downtime and your PVCs are in healthy state, you may follow this procedure:

Delete your existing MariaDB, this will leave your PVCs intact.
Create your MariaDB again, this will trigger a Galera recovery process as described in .

As a last resource, you can always delete the PVCs and bootstrap a new MariaDB from a backup as documented .

Permission denied writing Galera configuration

This error occurs when the user that runs the container does not have enough privileges to write in /etc/mysql/mariadb.conf.d:

To mitigate this, by default, the operator sets the following securityContext in the MariaDB's StatefulSet :

This enables the CSIDriver and the kubelet to recursively set the ownership ofr the /etc/mysql/mariadb.conf.d folder to the group 999, which is the one expected by MariaDB. It is important to note that not all the CSIDrivers implementations support this feature, see the for further information.

Unauthorized error disabling bootstrap

This situation occurs when the mariadb-enterprise-operator credentials passed to the agent as authentication are either invalid or the agent is unable to verify them. To confirm this, ensure that both the mariadb-enterprise-operator and the MariaDB ServiceAccounts are able to create TokenReview objects:

If that's not the case, check that the following ClusterRole and ClusterRoleBindings are available in your cluster:

mariadb-enterprise-operator:auth-delegator is the ClusterRoleBinding bound to the mariadb-enterprise-operator ServiceAccount which is created by the helm chart, so you can re-install the helm release in order to recreate it:

mariadb-galera:auth-delegator is the ClusterRoleBinding bound to the mariadb-galera ServiceAccount which is created on the flight by the operator as part of the reconciliation logic. You may check the mariadb-enterprise-operator logs to see if there are any issues reconciling it.

Bear in mind that ClusterRoleBindings are cluster-wide resources that are not garbage collected when the MariaDB owner object is deleted, which means that creating and deleting MariaDBs could leave leftovers in your cluster. These leftovers can lead to RBAC misconfigurations, as the ClusterRoleBinding might not be pointing to the right ServiceAccount. To overcome this, you can override the ClusterRoleBinding name setting the spec.galera.agent.kubernetesAuth.authDelegatorRoleName field.

Timeout waiting for Pod to be Synced

This error appears in the mariadb-enterprise-operator logs when a Pod is in non synced state for a duration exceeding the spec.galera.recovery.podRecoveryTimeout. Just after, the operator will restart the Pod.

Increase this timeout if you consider that your Pod may take longer to recover.

Galera cluster bootstrap timed out

This is error is returned by the mariadb-enterprise-operator after exceeding the spec.galera.recovery.clusterBootstrapTimeout when recovering the cluster. At this point, the operator will reset the recovered sequence numbers and start again from a clean state.

Increase this timeout if you consider that your Galera cluster may take longer to recover.

# 1. Install MariaDB
sudo apt update && sudo apt install -y mariadb-server mariadb-client
sudo systemctl start mariadb && sudo systemctl enable mariadb

# 2. Secure MariaDB (set root password during setup)
sudo mysql_secure_installation

# 3. Create database
sudo mariadb -u root -p <<EOF
CREATE DATABASE kb_chunks CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;
EXIT;
EOF

# 4. Install MariaDB AI RAG
sudo apt install -y ./ai-nexus.deb

# 5. Configure (update GEMINI_API_KEY)
cp /opt/rag-in-a-box/config/config.env.template /path/to/config.env
nano /path/to/config.env

# 6. Start services in their own terminals
/opt/rag-in-a-box/bin/rag-api --config /path/to/config.env
CONFIG_FILE=/path/to/config.env /opt/rag-in-a-box/bin/mcp-server

# 7. Verify
curl http://localhost:8000/health

# Update package lists
sudo apt update

# Install MariaDB
sudo apt install -y mariadb-server mariadb-client

# Start and enable MariaDB
sudo systemctl start mariadb
sudo systemctl enable mariadb

# Verify running
sudo systemctl status mariadb

# Check installed files
dpkg -L ai-nexus | head -20

# Expected locations:
# /opt/rag-in-a-box/bin/rag-api
# /opt/rag-in-a-box/bin/mcp-server
# /opt/rag-in-a-box/config/config.env.template

# Check binaries exist
ls -lh /opt/rag-in-a-box/bin/

# ===== DATABASE CONFIGURATION =====
DB_HOST=localhost
DB_PORT=3306
DB_USER=root
DB_PASSWORD=your_secure_database_password
DB_NAME=kb_chunks

# ===== API KEYS (REQUIRED - UPDATE THIS!) =====
GEMINI_API_KEY=your_actual_gemini_api_key_here

# ===== SECURITY KEYS (MUST BE IDENTICAL) =====
SECRET_KEY=your_generated_secret_key_must_be_same_for_all_three
JWT_SECRET_KEY=your_generated_secret_key_must_be_same_for_all_three
MCP_AUTH_SECRET_KEY=your_generated_secret_key_must_be_same_for_all_three

# ===== SERVER CONFIGURATION =====
APP_HOST=0.0.0.0
APP_PORT=8000
MCP_HOST=0.0.0.0
MCP_PORT=8002

# ===== EMBEDDING & LLM =====
EMBEDDING_PROVIDER=gemini
embedding_model=text-embedding-004
LLM_PROVIDER=gemini
LLM_MODEL=gemini-2.0-flash

# ===== TABLE NAMES =====
DOCUMENTS_TABLE=documents_DEMO_gemini
VDB_TABLE=vdb_tbl_DEMO_gemini

# ===== MCP CONFIGURATION =====
MCP_ENABLE_AUTH=true
MCP_ENABLE_VECTOR_TOOLS=true
MCP_ENABLE_DATABASE_TOOLS=true
MCP_ENABLE_RAG_TOOLS=true
MCP_READ_ONLY=false
MCP_LOG_LEVEL=INFO

# ===== PROCESSING =====
CHUNK_SIZE=512
CHUNK_OVERLAP=128
DOCUMENT_PROCESSING_BATCH_SIZE=5
EMBEDDING_BATCH_SIZE=32

# Test RAG API
curl http://localhost:8000/health
# Expected: {"status":"healthy","database":"connected"}

# Test MCP Server
curl http://localhost:8002/health
# Expected: {"status":"healthy"}

# Test API info
curl http://localhost:8000/

# Generate token
curl -X POST "http://localhost:8000/token" \
  -H "Content-Type: application/json" \
  -d '{"username":"admin","password":"your_password"}'

# Save token for next commands
export TOKEN="eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."

# Create test document
echo "This is a test document for MariaDB AI RAG RAG system. It contains sample text for testing." > test_document.txt

# Upload document
curl -X POST "http://localhost:8000/documents/ingest" \
  -H "Authorization: Bearer $TOKEN" \
  -F "file=@test_document.txt"

# Expected output:
# {"document_id":1,"filename":"test_document.txt","chunks_created":1,"status":"success"}

# Query the document
curl -X POST "http://localhost:8000/orchestrate/generation" \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"query":"What is this document about?"}'

# Expected: AI-generated response with sources

# Test MariaDB connection
mariadb -u root -p -e "SELECT 1;"

# Check MariaDB status
sudo systemctl status mariadb

# Restart MariaDB
sudo systemctl restart mariadb

# Check credentials in config
sudo grep DB_ /path/to/config.env

# View MariaDB logs
sudo tail -f /var/log/mysql/error.log

# Verify all three secret keys are identical
sudo grep SECRET_KEY /path/to/config.env

# Should show same value for:
# SECRET_KEY=...
# JWT_SECRET_KEY=...
# MCP_AUTH_SECRET_KEY=...

# If different, fix and restart
nano /path/to/config.env

# Test Gemini API key
API_KEY="YOUR_KEY"
curl -s "https://generativelanguage.googleapis.com/v1beta/models?key=$API_KEY"

# If invalid, update config
nano /path/to/config.env
# Update: GEMINI_API_KEY=...

# Restart services
/opt/rag-in-a-box/bin/rag-api --config /path/to/config.env
CONFIG_FILE=/path/to/config.env /opt/rag-in-a-box/bin/mcp-server

# Check memory
free -h
top

# Add swap if needed (4GB example)
sudo fallocate -l 4G /swapfile
sudo chmod 600 /swapfile
sudo mkswap /swapfile
sudo swapon /swapfile

# Make permanent
echo '/swapfile none swap sw 0 0' | sudo tee -a /etc/fstab

# Check service status
sudo systemctl status mariadb

# Test RAG API
curl http://localhost:8000/health
# Expected: {"status":"healthy","database":"connected"}

# Test MCP Server
curl http://localhost:8002/health
# Expected: {"status":"healthy"}

# Test API info
curl http://localhost:8000/

# Monitor disk space
df -h

# Backup
sudo mysqldump -u root -p kb_chunks > kb_chunks_backup_$(date +%Y%m%d).sql

# Compress backup
gzip kb_chunks_backup_$(date +%Y%m%d).sql

# Restore (if needed)
mariadb -u root -p kb_chunks < kb_chunks_backup_20241013.sql

# Edit config
nano /path/to/config.env

# Restart services to apply changes
/opt/rag-in-a-box/bin/rag-api --config /path/to/config.env
CONFIG_FILE=/path/to/config.env /opt/rag-in-a-box/bin/mcp-server

# Install new version
sudo apt install -y ./ai-nexus-new-version.deb

# Start services in their own terminals
/opt/rag-in-a-box/bin/rag-api --config /path/to/config.env
CONFIG_FILE=/path/to/config.env /opt/rag-in-a-box/bin/mcp-server

# Verify
curl http://localhost:8000/health

# Remove package
sudo apt remove --purge rag-in-a-box

# Remove configuration (optional)
sudo rm -rf /opt/rag-in-a-box/

# Remove database (optional - ⚠️ deletes all data)
mariadb -u root -p -e "DROP DATABASE kb_chunks;"

# Install UFW
sudo apt install -y ufw

# Allow SSH (IMPORTANT!)
sudo ufw allow 22/tcp

# Allow RAG API
sudo ufw allow 8000/tcp

# Allow MCP Server
sudo ufw allow 8002/tcp

# Enable firewall
sudo ufw enable

# Check status
sudo ufw status

# Start services
/opt/rag-in-a-box/bin/rag-api --config /path/to/config.env
CONFIG_FILE=/path/to/config.env /opt/rag-in-a-box/bin/mcp-server

# Test health
curl http://localhost:8000/health

# Edit config
nano /path/to/config.env

# Database access
mariadb -u root -p kb_chunks

/opt/rag-in-a-box/bin/rag-api                   # RAG API binary
/opt/rag-in-a-box/bin/mcp-server                # MCP Server binary
/opt/rag-in-a-box/config/config.env.template    # Configuration file
/var/log/mysql/error.log                        # MariaDB logs

Ubuntu System (Native)
├── MariaDB Service (systemd)
│   └── Database: kb_chunks (Port 3306)
├── RAG API Service (systemd)
│   └── FastAPI Server (Port 8000)
└── MCP Server Service (systemd)
    └── FastAPI Server (Port 8002)

apiVersion: enterprise.mariadb.com/v1alpha1
kind: Backup
metadata:
  name: backup
spec:
  mariaDbRef:
    name: mariadb
  storage:
    persistentVolumeClaim:
      resources:
        requests:
          storage: 100Mi
      accessModes:
        - ReadWriteOnce

apiVersion: enterprise.mariadb.com/v1alpha1
kind: Backup
metadata:
  name: backup
spec:
  mariaDbRef:
    name: mariadb
  storage:
    s3:
      bucket: backups
      prefix: mariadb
      endpoint: minio.minio.svc.cluster.local:9000
      region:  us-east-1
      accessKeyIdSecretKeyRef:
        name: minio
        key: access-key-id
      secretAccessKeySecretKeyRef:
        name: minio
        key: secret-access-key
      tls:
        enabled: true
        caSecretKeyRef:
          name: minio-ca
          key: tls.crt

apiVersion: enterprise.mariadb.com/v1alpha1
kind: Backup
metadata:
  name: backup
spec:
  mariaDbRef:
    name: mariadb
  serviceAccountName: mariadb-backup
  storage:
    s3:
      bucket: backups
      prefix: mariadb
      endpoint: s3.us-east-1.amazonaws.com
      region:  us-east-1
      tls:
        enabled: true

apiVersion: enterprise.mariadb.com/v1alpha1
kind: Restore
metadata:
  name: restore
spec:
  mariaDbRef:
    name: mariadb
  s3:
    bucket: backups
    prefix: mariadb
    endpoint: minio.minio.svc.cluster.local:9000
    region:  us-east-1
    accessKeyIdSecretKeyRef:
      name: minio
      key: access-key-id
    secretAccessKeySecretKeyRef:
      name: minio
      key: secret-access-key
    tls:
      enabled: true
      caSecretKeyRef:
        name: minio-ca
        key: tls.crt

apiVersion: enterprise.mariadb.com/v1alpha1
kind: MariaDB
metadata:
  name: mariadb-from-backup
spec:
  storage:
    size: 1Gi
  bootstrapFrom:
    backupRef:
      name: backup
    targetRecoveryTime: 2023-12-19T09:00:00Z

apiVersion: enterprise.mariadb.com/v1alpha1
kind: MariaDB
metadata:
  name: mariadb-from-backup
spec:
  storage:
    size: 1Gi
  bootstrapFrom:
    s3:
      bucket: backups
      prefix: mariadb
      endpoint: minio.minio.svc.cluster.local:9000
      accessKeyIdSecretKeyRef:
        name: minio
        key: access-key-id
      secretAccessKeySecretKeyRef:
        name: minio
        key: secret-access-key
      tls:
        enabled: true
        caSecretKeyRef:
          name: minio-ca
          key: tls.crt
    targetRecoveryTime: 2023-12-19T09:00:00Z

apiVersion: enterprise.mariadb.com/v1alpha1
kind: Backup
metadata:
  name: backup
spec:
  storage:
    s3:
      ...
  stagingStorage:
    persistentVolumeClaim:
      resources:
        requests:
          storage: 10Gi
      accessModes:
        - ReadWriteOnce

apiVersion: enterprise.mariadb.com/v1alpha1
kind: Restore
metadata:
  name: restore
spec:
  s3:
    ...
  stagingStorage:
    persistentVolumeClaim:
      resources:
        requests:
          storage: 10Gi
      accessModes:
        - ReadWriteOnce

apiVersion: enterprise.mariadb.com/v1alpha1
kind: MariaDB
metadata:
  name: mariadb
spec:
  bootstrapFrom:
    s3:
      ...
    stagingStorage:
      persistentVolumeClaim:
        resources:
          requests:
            storage: 10Gi
        accessModes:
          - ReadWriteOnce

apiVersion: enterprise.mariadb.com/v1alpha1
kind: MariaDB
metadata:
  name: mariadb
spec:
  storage:
    size: 1Gi
  bootstrapFrom:
    restoreJob:
      args:
        - --verbose
      resources:
        requests:
          cpu: 100m
          memory: 128Mi
        limits:
          memory: 1Gi

mariadb-dump --user=${MARIADB_USER} --password=${MARIADB_PASSWORD} --host=${MARIADB_HOST} --single-transaction --events --routines --all-databases --skip-add-locks --ignore-table=mysql.global_priv > backup.2024-08-26T12:24:34Z.sql

apiVersion: enterprise.mariadb.com/v1alpha1
kind: MariaDB
metadata:
  name: mariadb-galera
spec:
  rootPasswordSecretKeyRef:
    name: mariadb
    key: root-password
  replicas: 3
  galera:
    enabled: true
  storage:
    size: 1Gi
  bootstrapFrom:
    s3:
      bucket: backups
      prefix: mariadb
      endpoint: minio.minio.svc.cluster.local:9000
      accessKeyIdSecretKeyRef:
        name: minio
        key: access-key-id
      secretAccessKeySecretKeyRef:
        name: minio
        key: secret-access-key
      tls:
        enabled: true
        caSecretKeyRef:
          name: minio-ca
          key: tls.crt
    targetRecoveryTime: 2024-08-26T12:24:34Z

apiVersion: enterprise.mariadb.com/v1alpha1
kind: MariaDB
metadata:
  name: mariadb-galera
spec:
  replicas: 3
  galera:
    enabled: true
  storage:
    size: 1Gi
  bootstrapFrom:
    backupRef:
      name: backup-standalone

apiVersion: enterprise.mariadb.com/v1alpha1
kind: MariaDB
metadata:
  name: mariadb-galera
spec:
  ...
  galera:
    enabled: true
    recovery:
      enabled: true
      minClusterSize: 1
      clusterMonitorInterval: 10s
      clusterHealthyTimeout: 30s
      clusterBootstrapTimeout: 10m
      podRecoveryTimeout: 5m
      podSyncTimeout: 5m

apiVersion: enterprise.mariadb.com/v1alpha1
kind: MariaDB
metadata:
  name: mariadb-galera
spec:
  ...
  galera:
    enabled: true
    recovery:
      job:
        metadata:
          labels:
            sidecar.istio.io/inject: "false"
        resources:
          requests:
            cpu: 100m
            memory: 128Mi
          limits:
            memory: 256Mi

apiVersion: enterprise.mariadb.com/v1alpha1
kind: MariaDB
metadata:
  name: mariadb-galera
spec:
  ...
  galera:
    enabled: true
    recovery:
      enabled: true
      forceClusterBootstrapInPod: "mariadb-galera-0"

kubectl get mariadb mariadb-galera -o jsonpath="{.status.galeraRecovery}" | jq
{
  "recovered": {
    "mariadb-galera-0": {
      "seqno": 350454,
      "uuid": "67a44ea9-63a8-11ef-98a2-2b0c0aa0a627"
    },
    "mariadb-galera-1": {
      "seqno": 350450,
      "uuid": "67a44ea9-63a8-11ef-98a2-2b0c0aa0a627"
    }
  },
  "state": {
    "mariadb-galera-0": {
      "safeToBootstrap": false,
      "seqno": -1,
      "uuid": "67a44ea9-63a8-11ef-98a2-2b0c0aa0a627",
      "version": "2.1"
    },
    "mariadb-galera-1": {
      "safeToBootstrap": false,
      "seqno": -1,
      "uuid": "67a44ea9-63a8-11ef-98a2-2b0c0aa0a627",
      "version": "2.1"
    },
    "mariadb-galera-2": {
      "safeToBootstrap": false,
      "seqno": -1,
      "uuid": "67a44ea9-63a8-11ef-98a2-2b0c0aa0a627",
      "version": "2.1"
    }
  }
}

apiVersion: v1
kind: Secret
metadata:
  name: mariadb
stringData:
  root-password: MariaDB11!
---
apiVersion: enterprise.mariadb.com/v1alpha1
kind: MariaDB
metadata:
  name: mariadb-galera
spec:
  rootPasswordSecretKeyRef:
    name: mariadb
    key: root-password
  storage:
    size: 1Gi
  replicas: 3
  galera:
    enabled: true

kubectl get mariadbs
NAME             READY   STATUS    PRIMARY POD          AGE
mariadb-galera   True    Running   mariadb-galera-0     48m

kubectl get events --field-selector involvedObject.name=mariadb-galera --sort-by='.lastTimestamp'
LAST SEEN   TYPE     REASON                 OBJECT                               MESSAGE
...
45m         Normal   GaleraClusterHealthy   mariadb/mariadb-galera               Galera cluster is healthy

kubectl get mariadb mariadb-galera -o jsonpath="{.status.conditions[?(@.type=='GaleraReady')]}" | jq
{
  "lastTransitionTime": "2023-07-13T18:22:31Z",
  "message": "Galera ready",
  "reason": "GaleraReady",
  "status": "True",
  "type": "GaleraReady"
}

kubectl get mariadb mariadb-galera -o jsonpath="{.status.conditions[?(@.type=='GaleraConfigured')]}" | jq
{
  "lastTransitionTime": "2023-07-13T18:22:31Z",
  "message": "Galera configured",
  "reason": "GaleraConfigured",
  "status": "True",
  "type": "GaleraConfigured"
}

kubectl get statefulsets
NAME             READY   AGE
mariadb-galera   3/3     58m

kubectl get pods -o wide
NAME                                        READY   STATUS    RESTARTS   AGE   IP           NODE          NOMINATED NODE   READINESS GATES
mariadb-galera-0                            2/2     Running   0          58m   10.244.2.4   mdb-worker3   <none>           <none>
mariadb-galera-1                            2/2     Running   0          58m   10.244.1.9   mdb-worker2   <none>           <none>
mariadb-galera-2                            2/2     Running   0          58m   10.244.5.4   mdb-worker4   <none>           <none>

kubectl get mariadb mariadb-galera
NAME             READY   STATUS             PRIMARY POD             AGE
mariadb-galera   False   Galera not ready   mariadb-galera-0        67m

kubectl get events --field-selector involvedObject.name=mariadb-galera --sort-by='.lastTimestamp'
LAST SEEN   TYPE      REASON                    OBJECT                       MESSAGE
...
48s         Warning   GaleraClusterNotHealthy   mariadb/mariadb-galera       Galera cluster is not healthy

kubectl get mariadb mariadb-galera -o jsonpath="{.status.conditions[?(@.type=='GaleraReady')]}" | jq
{
  "lastTransitionTime": "2023-07-13T19:25:17Z",
  "message": "Galera not ready",
  "reason": "GaleraNotReady",
  "status": "False",
  "type": "GaleraReady"
}

kubectl get events --field-selector involvedObject.name=mariadb-galera --sort-by='.lastTimestamp'
LAST SEEN   TYPE      REASON                    OBJECT                       MESSAGE
...
16m         Warning   GaleraClusterNotHealthy   mariadb/mariadb-galera       Galera cluster is not healthy
16m         Normal    GaleraPodStateFetched     mariadb/mariadb-galera       Galera state fetched in Pod 'mariadb-galera-2'
16m         Normal    GaleraPodStateFetched     mariadb/mariadb-galera       Galera state fetched in Pod 'mariadb-galera-1'
16m         Normal    GaleraPodStateFetched     mariadb/mariadb-galera       Galera state fetched in Pod 'mariadb-galera-0'
16m         Normal    GaleraPodRecovered        mariadb/mariadb-galera       Recovered Galera sequence in Pod 'mariadb-galera-1'
16m         Normal    GaleraPodRecovered        mariadb/mariadb-galera       Recovered Galera sequence in Pod 'mariadb-galera-2'
17m         Normal    GaleraPodRecovered        mariadb/mariadb-galera       Recovered Galera sequence in Pod 'mariadb-galera-0'
17m         Normal    GaleraClusterBootstrap    mariadb/mariadb-galera       Bootstrapping Galera cluster in Pod 'mariadb-galera-2'
20m         Normal    GaleraClusterHealthy      mariadb/mariadb-galera       Galera cluster is healthy

kubectl get mariadb mariadb-galera -o jsonpath="{.status.galeraRecovery}" | jq
{
  "bootstrap": {
    "pod": "mariadb-galera-2",
    "time": "2023-07-13T19:25:28Z"
  },
  "recovered": {
    "mariadb-galera-0": {
      "seqno": 3,
      "uuid": "bf00b9c3-21a9-11ee-984f-9ba9ff0e9285"
    },
    "mariadb-galera-1": {
      "seqno": 3,
      "uuid": "bf00b9c3-21a9-11ee-984f-9ba9ff0e9285"
    },
    "mariadb-galera-2": {
      "seqno": 3,
      "uuid": "bf00b9c3-21a9-11ee-984f-9ba9ff0e9285"
    }
  },
  "state": {
    "mariadb-galera-0": {
      "safeToBootstrap": false,
      "seqno": -1,
      "uuid": "bf00b9c3-21a9-11ee-984f-9ba9ff0e9285",
      "version": "2.1"
    },
    "mariadb-galera-1": {
      "safeToBootstrap": false,
      "seqno": -1,
      "uuid": "bf00b9c3-21a9-11ee-984f-9ba9ff0e9285",
      "version": "2.1"
    },
    "mariadb-galera-2": {
      "safeToBootstrap": false,
      "seqno": -1,
      "uuid": "bf00b9c3-21a9-11ee-984f-9ba9ff0e9285",
      "version": "2.1"
    }
  }
}

kubectl get mariadb mariadb-galera -o jsonpath="{.status.conditions[?(@.type=='GaleraReady')]}" | jq
{
  "lastTransitionTime": "2023-07-13T19:27:51Z",
  "message": "Galera ready",
  "reason": "GaleraReady",
  "status": "True",
  "type": "GaleraReady"
}

kubectl get mariadb mariadb-galera
NAME             READY   STATUS    PRIMARY POD          AGE
mariadb-galera   True    Running   mariadb-galera-0     82m

kubectl get mariadb mariadb-galera -o jsonpath="{.status.conditions}" | jq
[
  {
    "lastTransitionTime": "2023-08-05T14:58:57Z",
    "message": "Galera not ready",
    "reason": "GaleraNotReady",
    "status": "False",
    "type": "Ready"
  },
  {
    "lastTransitionTime": "2023-08-05T14:58:57Z",
    "message": "Galera not ready",
    "reason": "GaleraNotReady",
    "status": "False",
    "type": "GaleraReady"
  },
  {
    "lastTransitionTime": "2023-08-03T19:21:16Z",
    "message": "Galera configured",
    "reason": "GaleraConfigured",
    "status": "True",
    "type": "GaleraConfigured"
  }
]

kubectl get endpoints mariadb-galera-internal -o yaml
apiVersion: v1
kind: Endpoints
metadata:
  name: mariadb-internal
subsets:
- addresses:
  - hostname: mariadb-1
    ip: 10.255.140.181
    nodeName: k8s-worker-1
    targetRef:
      kind: Pod
      name: mariadb-1
      namespace: mariadb
  - hostname: mariadb-2
    ip: 10.255.20.156
    nodeName: k8s-worker-2
    targetRef:
      kind: Pod
      name: mariadb-2
      namespace: mariadb
  - hostname: mariadb-0
    ip: 10.255.214.164
    nodeName: k8s-worker-0
    targetRef:
      kind: Pod
      name: mariadb-0
      namespace: mariadb
  ports:
  - name: sst
    port: 4568
    protocol: TCP
  - name: ist
    port: 4567
    protocol: TCP
  - name: mariadb
    port: 3306
    protocol: TCP
  - name: agent
    port: 5555
    protocol: TCP
  - name: cluster
    port: 4444
    protocol: TCP

kubectl get events --field-selector involvedObject.name=mariadb-galera --sort-by='.lastTimestamp'
LAST SEEN   TYPE      REASON                    OBJECT                       MESSAGE
...
16m         Warning   GaleraClusterNotHealthy   mariadb/mariadb-galera       Galera cluster is not healthy
16m         Normal    GaleraPodStateFetched     mariadb/mariadb-galera       Galera state fetched in Pod 'mariadb-galera-2'
16m         Normal    GaleraPodStateFetched     mariadb/mariadb-galera       Galera state fetched in Pod 'mariadb-galera-1'
16m         Normal    GaleraPodStateFetched     mariadb/mariadb-galera       Galera state fetched in Pod 'mariadb-galera-0'
16m         Normal    GaleraPodRecovered        mariadb/mariadb-galera       Recovered Galera sequence in Pod 'mariadb-galera-1'
16m         Normal    GaleraPodRecovered        mariadb/mariadb-galera       Recovered Galera sequence in Pod 'mariadb-galera-2'
17m         Normal    GaleraPodRecovered        mariadb/mariadb-galera       Recovered Galera sequence in Pod 'mariadb-galera-0'
17m         Normal    GaleraClusterBootstrap    mariadb/mariadb-galera       Bootstrapping Galera cluster in Pod 'mariadb-galera-2'
20m         Normal    GaleraClusterHealthy      mariadb/mariadb-galera       Galera cluster is healthy

helm upgrade --install mariadb-enterprise-operator mariadb-enterprise-operator/mariadb-enterprise-operator --set logLevel=debug
kubectl logs mariadb-enterprise-operator-546c78f4f5-gq44k
{"level":"info","ts":1691090524.4911606,"logger":"galera.health","msg":"Checking Galera cluster health","controller":"statefulset","controllerGroup":"apps","controllerKind":"StatefulSet","statefulSet":{"name":"mariadb-galera","namespace":"default"},"namespace":"default","name":"mariadb-galera","reconcileID":"098620db-4486-45cc-966a-9f3fec0d165e"}
{"level":"debug","ts":1691090524.4911761,"logger":"galera.health","msg":"StatefulSet ready replicas","controller":"statefulset","controllerGroup":"apps","controllerKind":"StatefulSet","statefulSet":{"name":"mariadb-galera","namespace":"default"},"namespace":"default","name":"mariadb-galera","reconcileID":"098620db-4486-45cc-966a-9f3fec0d165e","replicas":1}

kubectl logs mariadb-galera-0 -c init
{"level":"info","ts":1691090778.5239124,"msg":"Starting init"}
{"level":"info","ts":1691090778.5305626,"msg":"Configuring Galera"}
{"level":"info","ts":1691090778.5307593,"msg":"Already initialized. Init done"}

kubectl logs mariadb-galera-0 -c agent
{"level":"info","ts":1691090779.3193653,"logger":"server","msg":"server listening","addr":":5555"}
2023/08/03 19:26:28 "POST http://mariadb-galera-0.mariadb-galera-internal.default.svc.cluster.local:5555/api/recovery HTTP/1.1" from 10.244.4.2:39162 - 200 58B in 4.112086ms
2023/08/03 19:26:28 "DELETE http://mariadb-galera-0.mariadb-galera-internal.default.svc.cluster.local:5555/api/recovery HTTP/1.1" from 10.244.4.2:39162 - 200 0B in 883.544µs

kubectl logs mariadb-galera-0 -c mariadb
2023-08-03 19:27:10 0 [Note] WSREP: Member 2.0 (mariadb-galera-0) synced with group.
2023-08-03 19:27:10 0 [Note] WSREP: Processing event queue:...100.0% (1/1 events) complete.
2023-08-03 19:27:10 0 [Note] WSREP: Shifting JOINED -> SYNCED (TO: 6)
2023-08-03 19:27:10 2 [Note] WSREP: Server mariadb-galera-0 synced with group
2023-08-03 19:27:10 2 [Note] WSREP: Server status change joined -> synced
2023-08-03 19:27:10 2 [Note] WSREP: Synchronized with group, ready for connections

kubectl auth can-i --list --as=system:serviceaccount:default:mariadb-enterprise-operator | grep tokenreview
tokenreviews.authentication.k8s.io              []                                    []               [create]

kubectl auth can-i --list --as=system:serviceaccount:default:mariadb-galera | grep tokenreview
tokenreviews.authentication.k8s.io              []                                    []               [create]

kubectl get clusterrole system:auth-delegator
NAME                    CREATED AT
system:auth-delegator   2023-08-03T19:12:37Z

kubectl get clusterrolebinding | grep mariadb | grep auth-delegator
mariadb-galera:auth-delegator                     ClusterRole/system:auth-delegator                                                  108m
mariadb-enterprise-operator:auth-delegator                        ClusterRole/system:auth-delegator                                                  112m

├── rag-in-a-box_1.0_amd64.deb
├── Dockerfile
├── docker-compose.yml
├── start-services.sh
├── config.env.secure.local
├── config.env.vault.local
├── config.env.template
└── Localvault/
    ├── docker-compose.vault.yml
    └── setup_vault_local.ps1

# API Key (MUST UPDATE)
GEMINI_API_KEY=YOUR_ACTUAL_API_KEY_HERE

# Database (default values OK)
DB_HOST=mysql-db
DB_PORT=3306
DB_USER=root
DB_PASSWORD=your_secure_database_password
DB_NAME=kb_chunks

# Security Keys (MUST BE IDENTICAL)
SECRET_KEY=your_generated_secret_key_must_be_same_for_all_three
JWT_SECRET_KEY=your_generated_secret_key_must_be_same_for_all_three
MCP_AUTH_SECRET_KEY=your_generated_secret_key_must_be_same_for_all_three

# Server Configuration (default values OK)
APP_HOST=0.0.0.0
APP_PORT=8000
MCP_HOST=0.0.0.0
MCP_PORT=8002

Starting RAG server...
RAG server started with PID: 15
Waiting for RAG API to be ready...
✓ RAG API is ready! (took ~30 seconds)
Starting MCP server...
Adaptive MCP Server ready on 0.0.0.0:8002
INFO:     Uvicorn running on http://0.0.0.0:8000

# Test RAG API
Invoke-RestMethod -Uri "http://localhost:8000/health"

# Open Swagger UI
Start-Process "http://localhost:8000/docs"

# Test MCP Server
Invoke-RestMethod -Uri "http://localhost:8002/health"

# Check all services
docker compose ps

# Check RAG API health
curl http://localhost:8000/health

# Check MCP Server health
curl http://localhost:8002/health

# Check logs
docker logs ai-nexus --tail 50
docker logs mysql-db --tail 50

# Check all services
docker compose ps

# Check RAG API health
Invoke-RestMethod -Uri "http://localhost:8000/health"

# Check MCP Server health
Invoke-RestMethod -Uri "http://localhost:8002/health"

# Check logs
docker logs ai-nexus --tail 50
docker logs mysql-db --tail 50

# Navigate to project
cd "c:\Users\YourUsername\OneDrive\WIP\MariaDB AI RAG Binaries\Ubuntu"
cd "c:\Users\YourUsername\OneDrive\WIP\AI Nexus Binaries\Ubuntu"
cd "c:\DOWNLOAD-LOCATION"

# Build image
docker build -t ai-nexus-image .

# Start (Standalone)
docker-compose up -d

# Start (Vault)
docker-compose --env-file config.env.vault.local up -d

# Stop
docker-compose down

# View logs
docker logs ai-nexus -f

# Check status
docker-compose ps

# Restart
docker-compose restart

# Clean restart
docker-compose down -v && docker-compose up -d

apiVersion: enterprise.mariadb.com/v1alpha1
kind: MaxScale
metadata:
  name: maxscale-galera
spec:
...
  mariaDbRef:
    name: mariadb-galera

  services:
    - name: rw-router
      router: readwritesplit
      listener:
        port: 3306

  monitor:
    interval: 2s
    cooperativeMonitoring: majority_of_all
    params:
      disable_master_failback: "false"
      available_when_donor: "false"
      disable_master_role_setting: "false"

  kubernetesService:
    type: LoadBalancer
    metadata:
      annotations:
        metallb.universe.tf/loadBalancerIPs: 172.18.0.224

apiVersion: enterprise.mariadb.com/v1alpha1
kind: MaxScale
metadata:
  name: maxscale-repl
spec:
...
  mariaDbRef:
    name: mariadb-repl

  services:
    - name: rw-router
      router: readwritesplit
      params:
        transaction_replay: "true"
        transaction_replay_attempts: "10"
        transaction_replay_timeout: "5s"
        max_slave_connections: "255"
        max_replication_lag: "3s"
        master_accept_reads: "true"
      listener:
        port: 3306
        protocol: MariaDBProtocol
        params:
          connection_metadata: "tx_isolation=auto"
    - name: rconn-master-router
      router: readconnroute
      params:
        router_options: "master"
        max_replication_lag: "3s"
        master_accept_reads: "true"
      listener:
        port: 3307
    - name: rconn-slave-router
      router: readconnroute
      params:
        router_options: "slave"
        max_replication_lag: "3s"
      listener:
        port: 3308

  monitor:
    interval: 2s
    cooperativeMonitoring: majority_of_all
    params:
      auto_failover: "true"
      auto_rejoin: "true"
      switchover_on_low_disk_space: "true"

  kubernetesService:
    type: LoadBalancer
    metadata:
      annotations:
        metallb.universe.tf/loadBalancerIPs: 172.18.0.214

apiVersion: enterprise.mariadb.com/v1alpha1
kind: MariaDB
metadata:
  name: mariadb-galera
spec:
...
  maxScale:
    enabled: true

    kubernetesService:
      type: LoadBalancer
      metadata:
        annotations:
          metallb.universe.tf/loadBalancerIPs: 172.18.0.229

  galera:
    enabled: true

apiVersion: enterprise.mariadb.com/v1alpha1
kind: MaxScale
metadata:
  name: maxscale-galera
spec:
...
  servers:
    - name: mariadb-0
      address: mariadb-galera-0.mariadb-galera-internal.default.svc.cluster.local
    - name: mariadb-1
      address: mariadb-galera-1.mariadb-galera-internal.default.svc.cluster.local
    - name: mariadb-2
      address: mariadb-galera-2.mariadb-galera-internal.default.svc.cluster.local

apiVersion: enterprise.mariadb.com/v1alpha1
kind: MaxScale
metadata:
  name: maxscale-galera
spec:
...
  servers:
    - name: mariadb-0
      address: 172.18.0.140
      port: 3306
    - name: mariadb-1
      address: 172.18.0.141
    - name: mariadb-2
      address: 172.18.0.142

  monitor:
    name: mariadb-monitor
    module: galeramon
    interval: 2s
    cooperativeMonitoring: majority_of_all
    params:
      disable_master_failback: "false"
      available_when_donor: "false"
      disable_master_role_setting: "false"

  auth:
    adminUsername: mariadb-enterprise-operator
    adminPasswordSecretKeyRef:
      name: maxscale
      key: password
    clientUsername: maxscale-client
    clientPasswordSecretKeyRef:
      name: maxscale
      key: password
    serverUsername: maxscale-server
    serverPasswordSecretKeyRef:
      name: maxscale
      key: password
    monitorUsername: maxscale-monitor
    monitorPasswordSecretKeyRef:
      name: maxscale
      key: password
    syncUsername: maxscale-sync
    syncPasswordSecretKeyRef:
      name: maxscale
      key: password

kubectl patch maxscale maxscale-repl \
  --type='merge' \
  -p '{"spec":{"primaryServer":"mariadb-repl-1"}}'
  
kubectl get maxscale
NAME            READY   STATUS                                  PRIMARY          AGE
maxscale-repl   False   Switching primary to 'mariadb-repl-1'   mariadb-repl-0   2m15s

apiVersion: enterprise.mariadb.com/v1alpha1
kind: MaxScale
metadata:
  name: maxscale-galera
spec:
  servers:
    - name: mariadb-0
      address: mariadb-galera-0.mariadb-galera-internal.default.svc.cluster.local
      port: 3306
      protocol: MariaDBBackend
      maintenance: true

apiVersion: enterprise.mariadb.com/v1alpha1
kind: MaxScale
metadata:
  name: maxscale-galera
spec:
...
  config:
    params:
      log_info: "true"
    volumeClaimTemplate:
      resources:
        requests:
          storage: 100Mi
      accessModes:
        - ReadWriteOnce

apiVersion: enterprise.mariadb.com/v1alpha1
kind: MaxScale
metadata:
  name: maxscale-galera
spec:
...
  auth:
    generate: false
    adminUsername: mariadb-enterprise-operator
    adminPasswordSecretKeyRef:
      name: maxscale
      key: password
    deleteDefaultAdmin: true
    clientUsername: maxscale-client
    clientPasswordSecretKeyRef:
      name: maxscale
      key: password
    clientMaxConnections: 90
    serverUsername: maxscale-server
    serverPasswordSecretKeyRef:
      name: maxscale
      key: password
    serverMaxConnections: 90 
    monitorUsername: maxscale-monitor
    monitorPasswordSecretKeyRef:
      name: maxscale
      key: password
    monitorMaxConnections: 90 
    syncUsername: maxscale-sync
    syncPasswordSecretKeyRef:
      name: maxscale
      key: password
    syncMaxConnections: 90

apiVersion: enterprise.mariadb.com/v1alpha1
kind: MaxScale
metadata:
  name: maxscale-galera
spec:
...
  kubernetesService:
    type: LoadBalancer
    metadata:
      annotations:
        metallb.universe.tf/loadBalancerIPs: 172.18.0.224

apiVersion: v1
kind: Service
metadata:
  annotations:
    metallb.universe.tf/loadBalancerIPs: 172.18.0.229
  name: maxscale-galera
spec:
...
  ports:
  - name: admin
    port: 8989
    targetPort: 8989
  - name: rw-router-listener
    port: 3306
    targetPort: 3306
  selector:
    app.kubernetes.io/instance: maxscale-galera
    app.kubernetes.io/name: maxscale
  type: LoadBalancer

apiVersion: enterprise.mariadb.com/v1alpha1
kind: Connection
metadata:
  name: connection-maxscale
spec:
  maxScaleRef:
    name: maxscale-galera
  username: maxscale-galera-client
  passwordSecretKeyRef:
    name: maxscale-galera-client
    key: password
  secretName: conn-mxs
  port: 3306

apiVersion: enterprise.mariadb.com/v1alpha1
kind: MaxScale
metadata:
  name: maxscale-galera
spec:
...
  replicas: 2

  monitor:
    name: mariadb-monitor
    module: galeramon
    interval: 2s
    cooperativeMonitoring: majority_of_all
    params:
      disable_master_failback: "false"
      available_when_donor: "false"
      disable_master_role_setting: "false"   

  config:
    sync:
      database: mysql
      interval: 5s
      timeout: 10s

apiVersion: enterprise.mariadb.com/v1alpha1
kind: MaxScale
metadata:
  name: maxscale-galera
spec:
...
  monitor:
    name: mariadb-monitor
    module: galeramon
    interval: 2s
    cooperativeMonitoring: majority_of_all
    params:
      disable_master_failback: "false"
      available_when_donor: "false"
      disable_master_role_setting: "false"   
    suspend: true

apiVersion: enterprise.mariadb.com/v1alpha1
kind: MaxScale
metadata:
  name: maxscale-galera
spec:
...
  admin:
    port: 8989
    guiEnabled: true
  guiKubernetesService:
    type: LoadBalancer
    metadata:
      metadata:
        annotations:
          metallb.universe.tf/loadBalancerIPs: 172.18.0.231

status:
  conditions:
  - lastTransitionTime: "2024-02-08T17:29:01Z"
    message: Running
    reason: MaxScaleReady
    status: "True"
    type: Ready
  configSync:
    databaseVersion: 20
    maxScaleVersion: 20
  listeners:
  - name: rw-router-listener
    state: Running
  monitor:
    name: galeramon-monitor
    state: Running
  primaryServer: mariadb-galera-1
  replicas: 1
  servers:
  - name: mariadb-galera-0
    state: Slave, Synced, Running
  - name: mariadb-galera-1
    state: Master, Synced, Running
  - name: mariadb-galera-2
    state: Slave, Synced, Running
  services:
  - name: rw-router
    state: Started

kubectl get events --field-selector involvedObject.name=mariadb-repl-maxscale --sort-by='.lastTimestamp'

LAST SEEN   TYPE      REASON                         OBJECT                           MESSAGE
24s         Normal    MaxScalePrimaryServerChanged   maxscale/mariadb-repl-maxscale   MaxScale primary server changed from 'mariadb-repl-0' to 'mariadb-repl-1'

Asynchronous Replication

The operator supports provisioning and operating MariaDB clusters with replication as a highly availability topology. In the following sections we will be covering how to manage the full lifecycle of a replication cluster.

In a replication setup, one primary server handles all write operations while one or more replica servers replicate data from the primary, being able to handle read operations. More precisely, the primary has a binary log and the replicas asynchronously replicate the binary log events over the network.

Please refer to the MariaDB documentation for more details about replication.

Provisioning

In order to provision a replication cluster, you need to configure a number of replicas greater than 1 and set the replication.enabled=true in the MariaDB CR:

After applying the previous CR, the operator will provision a replication cluster with one primary and two replicas. The operator will take care of setting up replication, configuring the replication user and monitoring the replication status:

As you can see, the primary can be identified in the PRIMARY column of the kubectl get mariadb output. You may also inspect the current replication status by checking the MariaDB CR status:

The operator continiously monitors the replication status via , taking it into account for internal operations and updating the CR status accordingly.

Asynchronous vs semi-syncrhonous replication

By default, is configured, which requires an acknowledgement from at least one replica before committing the transaction back to the client. This trades off performance for better consistency and facilitates and operations.

If you are aiming for better performance, you can disable semi-synchronous replication, and go fully asynchronous, please refer to section for doing so.

Configuration

The replication settings can be customized under the replication section of the MariaDB CR. The following options are available:

gtidStrictMode: Enables GTID strict mode. It is recommended and enabled by default. See .
semiSyncEnabled: Determines whether semi-synchronous replication should be enabled. It is enabled by default. See .
semiSyncAckTimeout: ACK timeout for the replicas to acknowledge transactions to the primary. It requires semi-synchronous replication. See .

These options are used by the operator to create a replication configuration file that is applied to all nodes in the cluster. When updating any of these options, an will be triggered in order to apply the new configuration.

For replica-specific configuration options, please refer to the section. Additional system variables may be configured via the myCnf configuration field. Refer to the for more details.

Replica configuration

The following options are replica-specific and can be configured under the replication.replica section of the MariaDB CR:

replPasswordSecretKeyRef: Reference to the Secret key containing the password for the replication user, used by the replicas to connect to the primary. By default, a Secret with a random password will be created.
gtid: GTID position mode to be used (CurrentPos and SlavePos allowed). It defaults to CurrentPos. See .

Probes

Kubernetes probes are resolved by the agent (see documentation) in the replication topology, taking into account both the MariaDB and replication status. Additionally, as described in the , probe thresholds may be tuned accordingly for a better reliability based on your environment.

In the following sub-sections we will be covering specifics about the replication topology.

Liveness probe

As part of the liveness probe, the agent checks that the MariaDB server is running and that the replication threads (Slave_IO_Running and Slave_SQL_Running) are both running on replicas. If any of these checks fail, the liveness probe will fail.

If such a behaviour is undesirable, it is possible to opt in for regular standalone startup/liveness probes (default SELECT 1 query). See standaloneProbes in the section.

Readiness probe

The readiness probe checks that the MariaDB server is running and that the Seconds_Behind_Master value is within the acceptable lag range defined by the spec.replication.replica.maxLagSeconds configuration option. If the lag exceeds this value, the readiness probe will fail and the replica will be marked as not ready.

Lagged replicas

A replica is considered to be lagging behind the primary when the Seconds_Behind_Master value reported by SHOW SLAVE STATUS exceeds the spec.replication.replica.maxLagSeconds configuration option. This results in the failing for that replica, and it has the following implications:

When using , queries will not be forwarded to lagged replicas. This doesn't affect MaxScale routing.
When taking a , lagged replicas will not be considered as a target for taking the backup.
During a managed by the operator, lagged replicas will block switchover operations, as all the replicas must be in sync before promoting the new primary. This doesn't affect MaxScale switchover operation.
During a managed by the operator, lagged replicas will not be considered as candidates to be promoted as the new primary. MaxScale failover will not consider lagged replicas either.

Backing up and restoring

In order to back up and restore a replication cluster, all the concepts and procedures described in the documentation apply.

Additionally, for the replication topology, the operator tracks the GTID position at the time of taking the backup, and sets this position in the gtid_slave_pos system variable when restoring the backup, as described in the .

Depending on the PhysicalBackup strategy used, the operator will track the GTID position accordingly:

mariadb-backup

When using PhysicalBackup with the mariadb-backup strategy, the GTID will be restored to a mariadb-enterprise-operator.info file in the data directory, which the agent will expose to the operator via HTTP.

`VolumeSnapshot`

When using PhysicalBackup with the VolumeSnapshot strategy, the GTID position will be kept in a enterprise.mariadb.com/gtid annotation in the VolumeSnapshot object, which later on the operator will read when restoring the backup.

Refrain from removing the enterprise.mariadb.com/gtid annotation in the VolumeSnapshot object, as it is required for configuring the replica when restoring the backup.

Primary switchover

Our recommendation for production environments is to rely on for the , as it provides .

You can declaratively trigger a primary switchover by updating the spec.replication.primary.podIndex field in the MariaDB CR to the index of the replica you want to promote as the new primary. For example, to promote the replica at index 1:

You can also do this imperatively using kubectl:

This will result in the MariaDB object reporting the following status:

The steps involved in the switchover operation are:

Lock the current primary using FLUSH TABLES WITH READ LOCK to ensure no new transactions are being processed.
Set the read_only system variable on the current primary to prevent any write operations.
Wait until all the replicas are in sync with the current primary. The timeout for this step can be configured via the spec.replication.replica.syncTimeout option. If the timeout is reached, the switchover operation will be retried from the beginning.

If the switchover operation is stuck waiting for replicas to be in sync, you can check the MariaDB status to identify which replicas are causing the issue. Furthermore, if still in this step, you can cancel the switchover operation by setting back the spec.replication.primary.podIndex field back to the previous primary index.

Primary failover

Our recommendation for production environments is to rely on for the failover process, as it provides .

You can configure the operator to automatically perform a primary failover whenever the current primary becomes unavailable:

Optionally, you may also specify a autoFailoverDelay, which will add a delay before triggering the failover operation. By default, the failover is immediate, but introducing a delay may be useful to avoid failovers due to transient issues. But note that the delay should be lower than the readiness probe failure threshold (e.g. 20 seconds delay when readiness threshold is 30 seconds), otherwise all the replicas will be marked as not ready and the automatic failover will not be able to proceed.

Whenever the primary becomes unavailable, the following status will be reported in the MariaDB CR:

The criteria for choosing a new primary is:

The Pod should be in Ready state, therefore not considering unavailable or lagged replicas (see and sections).
Both the IO(Slave_IO_Running) and the SQL(Slave_SQL_Running) threads should be running.
The replica should not have relay log events.

Once the new primary is selected, the failover process will be performed, consisting of the following steps:

Wait for the new primary to apply all relay log events.
Promote the selected replica to be the new primary.
Connect replicas to the new primary.

Updates

When updating a replication cluster, all the considerations and procedures described in the documentation apply.

Furthermore, for the replication topology, the operator will trigger an additional once all the replicas have been updated, just before updating the primary. This ensures that the primary is always updated last, minimizing the impact on write operations.

The steps involved in updating a replication cluster are:

Update each replica one by one, waiting for each replica to be ready before proceeding to the next one (see section).
Once all replicas are up to date and synced, perform a to promote one of the replicas as the new primary. If MariaDB CR has a MaxScale configured using the spec.maxScaleRef field, the operator will trigger the instead.
Update the previous primary, now running as a replica.

Scaling out

Scaling out a replication cluster implies adding new replicas to the cluster i.e scaling horizontally. The process involves taking a physical backup from a ready replica to setup the new replica PVC, and upscaling the replication cluster afterwards.

The first step is to define the to be used for taking the backup. For doing so, we will be defining a PhysicalBackup CR, that will be used by the operator as template for creating the actual PhysicalBackup object during scaling out events. For instance, to use the mariadb-backup strategy, we can define the following PhysicalBackup:

It is important to note that, we set the spec.schedule.suspend=true to prevent scheduling this backup, as it will be only be used as a template.

Alternatively, you may also use a VolumeSnapshot strategy for taking the backup:

Once the PhysicalBackup template is created, you neeed to set a reference to it in the spec.replication.replica.bootstrapFrom, indicating that this will be the source for creating new replicas:

At this point, you can proceed to scale out the cluster by increasing the spec.replicas field in the MariaDB CR. For example, to scale out from 3 to 4 replicas:

You can also do this imperatively using kubectl:

This will trigger an scaling out operation, resulting in:

A PhysicalBackup based on the template being created.
Creating a new PVC for the new replica based on the PhysicalBackup.
Upscaling the StatefulSet, adding a Pod that mounts the newly created PVC.

It is important to note that, if there are no ready replicas available at the time of the scaling out operation, the PhysicalBackup will not become ready, and the scaling out operation will be stuck until a replica becomes ready. You have the ability to cancel the scaling out operation by setting back the spec.replicas field to the previous value.

Replica recovery

The operator has the ability to automatically recover replicas that become unavailable and report a specific error code in the replication status. For doing so, the operator continiously monitors the replication status of each replica, and whenever a replica reports an error code listed in the table below, the operator will trigger an automated recovery process for that replica:

Error Code

Thread

Description

Documentation

To perform the recovery, the operator will take a physical backup from a ready replica, restore it to the failed replica PVC, and reconfigure the replica to connect to the primary from the GTID position stored in the backup.

Similarly to the operation, you need to define a PhysicalBackup template and set a reference to it in the spec.replication.replica.bootstrapFrom field of the MariaDB CR. Additionally, you need to explicitly enable the replica recovery, as it is disabled by default:

The errorDurationThreshold option defines the duration after which, a replica reporting an unknown error code will be considered for recovery. This is useful to avoid recovering replicas due to transient issues. It defaults to 5m.

We will be simulating a 1236 error in a replica to demostrate how the recovery process works:

Do not perform the following steps in a production environment.

Purge the binary logs in the primary:

Delete the PVC and restart one of the replicas:

This will trigger a replica recovery operation, resulting in:

A PhysicalBackup based on the template being created.
Restoring the backup to the failed replica PVC.
Reconfigure the replica to connect to the primary from the GTID position stored in the backup.

It is important to note that, if there are no ready replicas available at the time of the recovery operation, the PhysicalBackup will not become ready, and the recovery operation will be stuck until a replica becomes ready. You have the ability to cancel the recovery operation by setting spec.replication.replica.recovery.enabled=false.

Troubleshooting

The operator tracks the current replication status under the MariaDB status subresource. This status is updated every time the operator reconciles the MariaDB resource, and it is the first place to look for when troubleshooting replication issues:

Additionally, also under the status subresource, the operator sets status conditions whenever a specific state of the MariaDB lifecycle is reached:

The operator also emits Kubernetes events during failover/switchover operations. You may check them to see how these operations progress:

Common errors

Primary has purged binary logs, unable to configure replica

The primary may purge binary log events at some point, after then, if a replica requests events before that point, it will fail with the following error:

This is a something the operator is able to recover from, please refer to the .

Scaling out/recovery operation stucked

These operations rely on a PhysicalBackup for setting up the new replicas. If this PhysicalBackup does not become ready, the operation will not progress. In order to debug this please refer to the .

One of the reasons could be that there are not replicas in ready state at the time of creating the PhysicalBackup, for instance, all the replicas are lagging behind the primary. Please verify that this is the case by checking the status of your MariaDB resource and your Pods.

MaxScale switchover stucked during update

When using MaxScale, after having updated all the replica Pods, it could happen that MaxScale refuses to perform the switchover, as it considers the Pod chosen by the operator to be unsafe:

For this case, you can manually update the primaryServer field in the MaxScale resource to a safe Pod, and restart the operator. If the new primary server is the right Pod, MaxScale will start the switchover and the update will continue after it completes.

Technical Architecture

System Architecture
Component Details

System Architecture

High-Level Architecture

Container Dependency Graph

Component Details

1. RAG API Component

Binary Location: /opt/rag-in-a-box/bin/rag-api

Responsibilities:

Document ingestion and processing
Text chunking and embedding generation
Vector storage and retrieval
Semantic search

Technology Stack:

Framework: FastAPI (Python)
ASGI Server: Uvicorn
Database Driver: PyMySQL / aiomysql
Embedding Client: Google Generative AI SDK

Endpoints:

Configuration Variables:

2. MCP Server Component

Binary Location: /opt/rag-in-a-box/bin/mcp-server

Responsibilities:

Model Context Protocol implementation
Database tool exposure
Vector store tool exposure
RAG tool exposure

Technology Stack:

Framework: FastAPI (Python)
ASGI Server: Uvicorn
Protocol: MCP (Model Context Protocol)
Database Client: PyMySQL

Available Tools:

Core Tools:

health_check - Server health verification
get_server_status - Detailed server status

Database Tools:

list_databases - List all databases
list_tables - List tables in database
get_table_schema - Get table structure

Vector Store Tools:

create_vector_store - Create vector store
delete_vector_store - Delete vector store
list_vector_stores - List all vector stores

RAG Tools:

ingest_documents - Ingest documents via RAG API
generate_response - Generate RAG responses

Configuration Variables:

3. MariaDB Component

Image: mariadb:11

Configuration:

Database Schema:

Data Flow

Document Ingestion Flow

RAG Query Flow

Security Architecture

Authentication Flow

Security Keys

Critical Requirement: All three keys must be identical for unified authentication:

Key Generation (for production):

Security Features

JWT Authentication
- Algorithm: HS256
- Expiration: 30 minutes (configurable)
- Unified token for RAG API and MCP Server

Configuration Management

Configuration Modes

1. Standalone Mode

File: config.env.secure.local Usage: Direct environment variables Security: Secrets stored in file Best for: Development, single developer

2. Vault Mode

File: config.env.vault.local Usage: HashiCorp Vault integration Security: Secrets stored in Vault Best for: Team development, production-like

Vault Configuration:

3. 1Password Mode

File: config.env.1password.employee Usage: 1Password CLI references Security: Secrets in 1Password vault Best for: Enterprise with 1Password

1Password References:

4. HCP Vault Mode

File: config.env.hcp.live Usage: HashiCorp Cloud Platform Security: Cloud-managed secrets Best for: Production cloud deployments

API Specifications

Database Schema

Tables

documents_DEMO_gemini

vdb_tbl_DEMO_gemini

Vector Storage Format

Embedding Dimensions: 768 (float32) Storage Size: 768 × 4 bytes = 3,072 bytes per vector Format: Binary BLOB Encoding: IEEE 754 single-precision floating-point

Performance Characteristics

Resource Requirements

Per Container:

Performance Metrics

Document Ingestion:

Processing speed: ~5 documents/batch
Chunking: ~100 chunks/second
Embedding generation: ~32 chunks/batch
Total time: ~30-60 seconds per document (depends on size)

Query Performance:

Embedding generation: ~100-200ms
Similarity search: ~50-100ms (depends on dataset size)
LLM generation: ~1-3 seconds
Total response time: ~2-4 seconds

Scalability

Current Limits:

Max file size: 200MB
Max concurrent requests: 100/minute
Database connections: 10 (pool size)

Scaling Options:

Horizontal: Deploy multiple ai-nexus containers
Vertical: Increase container resources
Database: Use read replicas for queries

End of Technical Architecture Document

execute_sql - Execute SQL queries

insert_docs_vector_store - Add documents

kubectl get pods
NAME                                    READY   STATUS    RESTARTS   AGE
mariadb-repl-0                          2/2     Running   0          2d19h
mariadb-repl-1                          2/2     Running   0          2d19h
mariadb-repl-2                          2/2     Running   0          2d19h
mariadb-repl-metrics-56865fff65-t72kc   1/1     Running   0          2d20h

kubectl get mariadb
NAME           READY   STATUS    PRIMARY          UPDATES                    AGE
mariadb-repl   True    Running   mariadb-repl-0   ReplicasFirstPrimaryLast   2d20h

kubectl get mariadb mariadb-repl -o jsonpath="{.status.replication}" | jq
{
  "replicas": {
    "mariadb-repl-1": {
      "gtidCurrentPos": "0-10-155",
      "gtidIOPos": "0-10-155",
      "lastErrorTransitionTime": "2025-10-22T10:51:10Z",
      "lastIOErrno": 0,
      "lastIOError": "",
      "lastSQLErrno": 0,
      "lastSQLError": "",
      "secondsBehindMaster": 0,
      "slaveIORunning": true,
      "slaveSQLRunning": true
    },
    "mariadb-repl-2": {
      "gtidCurrentPos": "0-10-155",
      "gtidIOPos": "0-10-155",
      "lastErrorTransitionTime": "2025-10-22T10:47:29Z",
      "lastIOErrno": 0,
      "lastIOError": "",
      "lastSQLErrno": 0,
      "lastSQLError": "",
      "secondsBehindMaster": 0,
      "slaveIORunning": true,
      "slaveSQLRunning": true
    }
  },
  "roles": {
    "mariadb-repl-0": "Primary",
    "mariadb-repl-1": "Replica",
    "mariadb-repl-2": "Replica"
  }
}

apiVersion: enterprise.mariadb.com/v1alpha1
kind: MariaDB
metadata:
  name: mariadb-repl
spec:
  replicas: 3
  replication:
    enabled: true
    gtidStrictMode: true
    semiSyncEnabled: true
    semiSyncAckTimeout: 10s
    semiSyncWaitPoint: AfterCommit
    syncBinlog: 1
    standaloneProbes: false

apiVersion: enterprise.mariadb.com/v1alpha1
kind: MariaDB
metadata:
  name: mariadb-repl
spec:
  replicas: 3
  replication:
    enabled: true
    replica:
      replPasswordSecretKeyRef:
        name: mariadb
        key: password
      gtid: CurrentPos
      connectionRetrySeconds: 10
      maxLagSeconds: 0
      syncTimeout: 10s

kubectl get mariadb
NAME           READY   STATUS                                  PRIMARY          UPDATES                    AGE
mariadb-repl   False   Switching primary to 'mariadb-repl-1'   mariadb-repl-0   ReplicasFirstPrimaryLast   3d2h

apiVersion: enterprise.mariadb.com/v1alpha1
kind: MariaDB
metadata:
  name: mariadb-repl
spec:
  replicas: 3
  replication:
    enabled: true
    primary:
      autoFailover: true
      autoFailoverDelay: 0s

kubectl get mariadb
NAME           READY   STATUS    PRIMARY          UPDATES                    AGE
mariadb-repl   True    Running   mariadb-repl-0   ReplicasFirstPrimaryLast   3d2h

kubectl delete pod mariadb-repl-0
pod "mariadb-repl-0" deleted

kubectl get mariadb
NAME           READY   STATUS                                  PRIMARY          UPDATES                    AGE
mariadb-repl   False   Switching primary to 'mariadb-repl-1'   mariadb-repl-0   ReplicasFirstPrimaryLast   3d2h 

kubectl get mariadb
NAME           READY   STATUS    PRIMARY          UPDATES                    AGE
mariadb-repl   True    Running   mariadb-repl-1   ReplicasFirstPrimaryLast   3d2h

apiVersion: enterprise.mariadb.com/v1alpha1
kind: PhysicalBackup
metadata:
  name: physicalbackup-tpl
spec:
  mariaDbRef:
    name: mariadb-repl
  schedule:
    suspend: true
  storage:
    s3:
      bucket: scaleout
      prefix: mariadb
      endpoint: minio.minio.svc.cluster.local:9000
      region:  us-east-1
      accessKeyIdSecretKeyRef:
        name: minio
        key: access-key-id
      secretAccessKeySecretKeyRef:
        name: minio
        key: secret-access-key
      tls:
        enabled: true
        caSecretKeyRef:
          name: minio-ca
          key: ca.crt
  timeout: 1h
  podAffinity: true

apiVersion: enterprise.mariadb.com/v1alpha1
kind: PhysicalBackup
metadata:
  name: physicalbackup-tpl
spec:
  mariaDbRef:
    name: mariadb-repl
  schedule:
    suspend: true
  storage:
    volumeSnapshot:
      volumeSnapshotClassName: csi-hostpath-snapclass

apiVersion: enterprise.mariadb.com/v1alpha1
kind: MariaDB
metadata:
  name: mariadb-repl
spec:
  replication:
    enabled: true
    replica:
      bootstrapFrom:
        physicalBackupTemplateRef:
          name: physicalbackup-tpl

apiVersion: enterprise.mariadb.com/v1alpha1
kind: MariaDB
metadata:
  name: mariadb-repl
spec:
  replicas: 4
  replication:
    enabled: true
    replica:
      bootstrapFrom:
        physicalBackupTemplateRef:
          name: physicalbackup-tpl

kubectl scale mariadb mariadb-repl --replicas=4
mariadb.enterprise.mariadb.com/mariadb-repl scaled

kubectl get mariadb
NAME           READY   STATUS        PRIMARY          UPDATES                    AGE
mariadb-repl   False   Scaling out   mariadb-repl-1   ReplicasFirstPrimaryLast   3d5h

kubectl get physicalbackups
NAME                                    COMPLETE   STATUS      MARIADB        LAST SCHEDULED   AGE
mariadb-repl-physicalbackup-scale-out   True       Success     mariadb-repl   14s              14s
physicalbackup-tpl                      False      Suspended   mariadb-repl                    3d8h

kubectl get pods
NAME                                    READY   STATUS    RESTARTS   AGE
mariadb-repl-0                          2/2     Running   0          137m
mariadb-repl-1                          2/2     Running   0          3d5h
mariadb-repl-2                          2/2     Running   0          3d5h
mariadb-repl-3                          2/2     Running   0          40s
mariadb-repl-metrics-56865fff65-t72kc   1/1     Running   0          3d5h

kubectl get mariadb
NAME           READY   STATUS    PRIMARY          UPDATES                    AGE
mariadb-repl   True    Running   mariadb-repl-1   ReplicasFirstPrimaryLast   3d5h

apiVersion: enterprise.mariadb.com/v1alpha1
kind: MariaDB
metadata:
  name: mariadb-repl
spec:
  replication:
    enabled: true
    replica:
      bootstrapFrom:
        physicalBackupTemplateRef:
          name: physicalbackup-tpl
      recovery:
        enabled: true
        errorDurationThreshold: 5m

PRIMARY=$(kubectl get mariadb mariadb-repl -o jsonpath="{.status.currentPrimary}")
echo "Purging binary logs in primary $PRIMARY"
kubectl exec -it $PRIMARY -c mariadb -- mariadb -u root -p'MariaDB11!' --ssl=false -e "FLUSH LOGS;"
kubectl exec -it $PRIMARY -c mariadb -- mariadb -u root -p'MariaDB11!' --ssl=false -e "PURGE BINARY LOGS BEFORE NOW();"
kubectl exec -it $PRIMARY -c mariadb -- mariadb -u root -p'MariaDB11!' --ssl=false -e "SHOW BINARY LOGS;"

REPLICA=$(kubectl get mariadb mariadb-repl -o jsonpath='{.status.replication.replicas}' | jq -r 'keys[]' | head -n1)
echo "Deleting PVC and restarting replica $REPLICA"
kubectl delete pvc storage-$REPLICA --wait=false 
kubectl delete pod $REPLICA --wait=false

kubectl get mariadb
NAME           READY   STATUS                PRIMARY          UPDATES                    AGE
mariadb-repl   False   Recovering replicas   mariadb-repl-1   ReplicasFirstPrimaryLast   3d6h

kubectl get physicalbackups
NAME                                           COMPLETE   STATUS      MARIADB        LAST SCHEDULED   AGE
mariadb-repl-physicalbackup-replica-recovery   True       Success     mariadb-repl   31s              31s
physicalbackup-tpl                             False      Suspended   mariadb-repl                    3d9h

kubectl get pods
NAME                                                              READY   STATUS            RESTARTS       AGE
mariadb-repl-0                                                    0/2     PodInitializing   0              22s
mariadb-repl-0-physicalbackup-init-qn79f                          0/1     Completed         0              8s
mariadb-repl-1                                                    2/2     Running           0              3d6h
mariadb-repl-2                                                    2/2     Running           0              3d6h
mariadb-repl-metrics-56865fff65-t72kc                             1/1     Running           0              3d6h
mariadb-repl-physicalbackup-replica-recovery-2025102020270r98zr   0/1     Completed         0              31s

kubectl get mariadb
NAME           READY   STATUS    PRIMARY          UPDATES                    AGE
mariadb-repl   True    Running   mariadb-repl-1   ReplicasFirstPrimaryLast   3d6h

kubectl get mariadb mariadb-repl -o jsonpath="{.status.replication}" | jq
{
  "replicas": {
    "mariadb-repl-1": {
      "gtidCurrentPos": "0-10-155",
      "gtidIOPos": "0-10-155",
      "lastErrorTransitionTime": "2025-10-22T10:51:10Z",
      "lastIOErrno": 0,
      "lastIOError": "",
      "lastSQLErrno": 0,
      "lastSQLError": "",
      "secondsBehindMaster": 0,
      "slaveIORunning": true,
      "slaveSQLRunning": true
    },
    "mariadb-repl-2": {
      "gtidCurrentPos": "0-10-155",
      "gtidIOPos": "0-10-155",
      "lastErrorTransitionTime": "2025-10-22T10:47:29Z",
      "lastIOErrno": 0,
      "lastIOError": "",
      "lastSQLErrno": 0,
      "lastSQLError": "",
      "secondsBehindMaster": 0,
      "slaveIORunning": true,
      "slaveSQLRunning": true
    }
  },
  "roles": {
    "mariadb-repl-0": "Primary",
    "mariadb-repl-1": "Replica",
    "mariadb-repl-2": "Replica"
  }
}

kubectl get mariadb mariadb-repl -o jsonpath="{.status.conditions}" | jq
[
  {
    "lastTransitionTime": "2025-10-20T20:28:09Z",
    "message": "Running",
    "reason": "StatefulSetReady",
    "status": "True",
    "type": "Ready"
  },
  {
    "lastTransitionTime": "2025-10-17T14:17:43Z",
    "message": "Updated",
    "reason": "Updated",
    "status": "True",
    "type": "Updated"
  },
  {
    "lastTransitionTime": "2025-10-17T14:17:58Z",
    "message": "Replication configured",
    "reason": "ReplicationConfigured",
    "status": "True",
    "type": "ReplicationConfigured"
  },
  {
    "lastTransitionTime": "2025-10-20T17:14:38Z",
    "message": "Switchover complete",
    "reason": "SwitchPrimary",
    "status": "True",
    "type": "PrimarySwitched"
  },
  {
    "lastTransitionTime": "2025-10-20T19:31:29Z",
    "message": "Scaled out",
    "reason": "ScaledOut",
    "status": "True",
    "type": "ScaledOut"
  },
  {
    "lastTransitionTime": "2025-10-20T20:27:41Z",
    "message": "Replica recovered",
    "reason": "ReplicaRecovered",
    "status": "True",
    "type": "ReplicaRecovered"
  }
]

kubectl get events --field-selector involvedObject.name=mariadb-repl --sort-by='.lastTimestamp'

LAST SEEN   TYPE     REASON             OBJECT                 MESSAGE
17s         Normal   PrimaryLock        mariadb/mariadb-repl   Locking primary with read lock
17s         Normal   PrimaryReadonly    mariadb/mariadb-repl   Enabling readonly mode in primary
17s         Normal   ReplicaSync        mariadb/mariadb-repl   Waiting for replicas to be synced with primary
17s         Normal   PrimaryNew         mariadb/mariadb-repl   Configuring new primary at index '0'
7s          Normal   ReplicaConn        mariadb/mariadb-repl   Connecting replicas to new primary at '0'
7s          Normal   PrimaryToReplica   mariadb/mariadb-repl   Unlocking primary '1' and configuring it to be a replica. New primary at '0'
7s          Normal   PrimaryLock        mariadb/mariadb-repl   Unlocking primary
7s          Normal   PrimarySwitched    mariadb/mariadb-repl   Primary switched from index '1' to index '0'

┌─────────────────────────────────────────────────────────────────────┐
│                         Windows Host System                         │
│                                                                     │
│  ┌─────────────────────────────────────────────────────────────┐    │
│  │              Docker Desktop (WSL 2 Backend)                 │    │
│  │                                                             │    │
│  │  ┌────────────────────────────────────────────────────────┐ │    │
│  │  │              Docker Network: ai-nexus-network          │ │    │
│  │  │                  (Bridge Driver)                       │ │    │
│  │  │                                                        │ │    │
│  │  │  ┌──────────────────────────────────────────────────┐  │ │    │
│  │  │  │      ai-nexus Container (Ubuntu 24.04)           │  │ │    │
│  │  │  │                                                  │  │ │    │
│  │  │  │  ┌────────────────────────────────────────────┐  │  │ │    │
│  │  │  │  │  Process 1: RAG API (PID: dynamic)         │  │  │ │    │
│  │  │  │  │  - Framework: FastAPI                      │  │  │ │    │
│  │  │  │  │  - Server: Uvicorn (ASGI)                  │  │  │ │    │
│  │  │  │  │  - Bind: 0.0.0.0:8000                      │  │  │ │    │
│  │  │  │  │  - Workers: 1                              │  │  │ │    │
│  │  │  │  │  - Binary: /opt/rag-in-a-box/bin/rag-api   │  │  │ │    │
│  │  │  │  └────────────────────────────────────────────┘  │  │ │    │
│  │  │  │                                                  │  │ │    │
│  │  │  │  ┌────────────────────────────────────────────┐  │  │ │    │
│  │  │  │  │  Process 2: MCP Server (PID: dynamic)      │  │  │ │    │
│  │  │  │  │  - Framework: FastAPI                      │  │  │ │    │
│  │  │  │  │  - Server: Uvicorn (ASGI)                  │  │  │ │    │
│  │  │  │  │  - Bind: 0.0.0.0:8002                      │  │  │ │    │
│  │  │  │  │  - Workers: 1                              │  │  │ │    │
│  │  │  │  │  - Binary: /opt/rag-in-a-box/bin/mcp-server│  │  │ │    │
│  │  │  │  └────────────────────────────────────────────┘  │  │ │    │
│  │  │  │                                                  │  │ │    │
│  │  │  │  Startup: start-services.sh                      │  │ │    │
│  │  │  │  Health Check: 180s timeout, 10s interval        │  │ │    │
│  │  │  └──────────────────┬────────────────────────────┘     │ │    │
│  │  │                     │                                  │ │    │
│  │  │                     │ MySQL Protocol (Port 3306)       │ │    │
│  │  │                     │                                  │ │    │
│  │  │  ┌──────────────────▼────────────────────────────┐     │ │    │
│  │  │  │      mysql-db Container (MariaDB 11)          │     │ │    │
│  │  │  │                                               │     │ │    │
│  │  │  │  ┌──────────────────────────────────────────┐ │     │ │    │
│  │  │  │  │  MariaDB Server                          │ │     │ │    │
│  │  │  │  │  - Version: 11.x                         │ │     │ │    │
│  │  │  │  │  - Storage Engine: InnoDB                │ │     │ │    │
│  │  │  │  │  - Character Set: utf8mb4                │ │     │ │    │
│  │  │  │  │  - Collation: utf8mb4_unicode_ci         │ │     │ │    │
│  │  │  │  │  - Page Size: 16KB                       │ │     │ │    │
│  │  │  │  │  - Row Format: Dynamic                   │ │     │ │    │
│  │  │  │  └──────────────────────────────────────────┘ │     │ │    │
│  │  │  │                                               │     │ │    │
│  │  │  │  ┌──────────────────────────────────────────┐ │     │ │    │
│  │  │  │  │  Persistent Volume: mysql_data           │ │     │ │    │
│  │  │  │  │  - Database: kb_chunks                   │ │     │ │    │
│  │  │  │  │  - Tables: documents_*, vdb_tbl_*        │ │     │ │    │
│  │  │  │  │  - Indexes: Vector indexes               │ │     │ │    │
│  │  │  │  └──────────────────────────────────────────┘ │     │ │    │
│  │  │  └────────────────────────────────────────────┘ │ │           │
│  │  └─────────────────────────────────────────────────┘ │           │
│  └───────────────────────────────────────────────────────┘          │
│                                                                     │
│  Port Mappings (Host → Container):                                  │
│  - 8000:8000  (RAG API)                                             │
│  - 8002:8002  (MCP Server)                                          │
│  - 3306:3306  (MariaDB)                                             │
└─────────────────────────────────────────────────────────────────────┘

External Services (Internet):
┌─────────────────────────────────────────────────┐
│  Google Generative AI API                       │
│  - Endpoint: generativelanguage.googleapis.com  │
│  - Embedding: text-embedding-004                │
│  - LLM: gemini-2.0-flash                        │
└─────────────────────────────────────────────────┘

Start Order:
1. mysql-db (MariaDB)
   ├─ Health Check: 30s start period, 10s interval
   └─ Condition: service_healthy

2. ai-nexus (Application)
   ├─ Depends on: mysql-db (healthy)
   ├─ Startup Script: start-services.sh
   │   ├─ Start RAG API (background)
   │   ├─ Wait for RAG API health (max 180s)
   │   └─ Start MCP Server (foreground)
   └─ Restart Policy: unless-stopped

Authentication:
POST   /token                 - Generate JWT token

Document Management:
POST   /documents/ingest      - Upload and process documents
GET    /documents             - List all documents
GET    /documents/{id}        - Get document details
DELETE /documents/{id}        - Delete document

RAG Operations:
POST   /generate              - Generate RAG response
POST   /search                - Semantic search
GET    /embeddings/{doc_id}   - Get document embeddings

Health & Status:
GET    /health                - Health check
GET    /                      - API info
GET    /docs                  - Swagger UI
GET    /openapi.json          - OpenAPI spec

APP_HOST=0.0.0.0
APP_PORT=8000
DB_HOST=mysql-db
DB_PORT=3306
DB_USER=root
DB_PASSWORD=your_secure_database_password
DB_NAME=kb_chunks
GEMINI_API_KEY=your_gemini_api_key
SECRET_KEY=your_generated_secret_key
JWT_SECRET_KEY=<secret>
EMBEDDING_PROVIDER=gemini
embedding_model=text-embedding-004
LLM_PROVIDER=gemini
LLM_MODEL=gemini-2.0-flash
DOCUMENTS_TABLE=documents_DEMO_gemini
VDB_TABLE=vdb_tbl_DEMO_gemini
CHUNK_SIZE=512
CHUNK_OVERLAP=128

MCP_HOST=0.0.0.0
MCP_PORT=8002
MCP_MARIADB_HOST=mysql-db
MCP_MARIADB_PORT=3306
MCP_AUTH_SECRET_KEY=<secret>
MCP_ENABLE_AUTH=true
MCP_ENABLE_VECTOR_TOOLS=true
MCP_ENABLE_DATABASE_TOOLS=true
MCP_ENABLE_RAG_TOOLS=true
MCP_READ_ONLY=false
MCP_STANDALONE_MODE=false
MCP_RAG_HEALTHCHECK_ENABLED=true
MCP_LOG_LEVEL=INFO

Environment:
  MYSQL_ROOT_PASSWORD: your_secure_database_password
  MYSQL_DATABASE: kb_chunks

Command:
  --character-set-server=utf8mb4
  --collation-server=utf8mb4_unicode_ci
  --innodb-page-size=16k
  --innodb-default-row-format=dynamic

Health Check:
  Test: healthcheck.sh --connect --innodb_initialized
  Interval: 10s
  Timeout: 5s
  Retries: 10
  Start Period: 30s

Volume:
  mysql_data:/var/lib/mysql (persistent)

-- Documents Table
CREATE TABLE documents_DEMO_gemini (
    id INT AUTO_INCREMENT PRIMARY KEY,
    filename VARCHAR(255) NOT NULL,
    content LONGTEXT,
    metadata JSON,
    created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
    updated_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP,
    INDEX idx_filename (filename),
    INDEX idx_created_at (created_at)
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_ci;

-- Vector Database Table
CREATE TABLE vdb_tbl_DEMO_gemini (
    id INT AUTO_INCREMENT PRIMARY KEY,
    document_id INT NOT NULL,
    chunk_index INT NOT NULL,
    chunk_text LONGTEXT NOT NULL,
    embedding BLOB,  -- 768-dimensional vector (3072 bytes)
    metadata JSON,
    created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
    FOREIGN KEY (document_id) REFERENCES documents_DEMO_gemini(id) ON DELETE CASCADE,
    INDEX idx_document_id (document_id),
    INDEX idx_chunk_index (chunk_index)
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_ci;

User Upload
    │
    ▼
┌───────────────────────────────────────┐
│  1. RAG API - File Reception          │
│  - Validate file type                 │
│  - Check file size (max 200MB)        │
│  - Generate unique ID                 │
└───────────────┬───────────────────────┘
                │
                ▼
┌───────────────────────────────────────┐
│  2. Document Processing               │
│  - Extract text from file             │
│  - Clean and normalize text           │
│  - Store in documents table           │
└───────────────┬───────────────────────┘
                │
                ▼
┌───────────────────────────────────────┐
│  3. Text Chunking                     │
│  - Method: Recursive character split  │
│  - Chunk size: 512 tokens             │
│  - Overlap: 128 tokens                │
│  - Generate chunk metadata            │
└───────────────┬───────────────────────┘
                │
                ▼
┌───────────────────────────────────────┐
│  4. Embedding Generation              │
│  - Batch size: 32 chunks              │
│  - Call Gemini API                    │
│  - Model: text-embedding-004          │
│  - Dimensions: 768                    │
└───────────────┬───────────────────────┘
                │
                ▼
┌───────────────────────────────────────┐
│  5. Vector Storage                    │
│  - Store in vdb_tbl_DEMO_gemini       │
│  - Link to document_id                │
│  - Store chunk text + embedding       │
│  - Create indexes                     │
└───────────────┬───────────────────────┘
                │
                ▼
┌───────────────────────────────────────┐
│  6. Response to User                  │
│  - Document ID                        │
│  - Number of chunks                   │
│  - Processing status                  │
└───────────────────────────────────────┘

User Query
    │
    ▼
┌───────────────────────────────────────┐
│  1. Query Reception                   │
│  - Validate JWT token                 │
│  - Parse query text                   │
└───────────────┬───────────────────────┘
                │
                ▼
┌───────────────────────────────────────┐
│  2. Query Embedding                   │
│  - Call Gemini API                    │
│  - Generate 768-dim vector            │
└───────────────┬───────────────────────┘
                │
                ▼
┌───────────────────────────────────────┐
│  3. Similarity Search                 │
│  - Calculate cosine similarity        │
│  - Filter by threshold (0.8)          │
│  - Retrieve top-k chunks (default: 5) │
│  - Order by similarity score          │
└───────────────┬───────────────────────┘
                │
                ▼
┌───────────────────────────────────────┐
│  4. Context Preparation               │
│  - Combine retrieved chunks           │
│  - Add source metadata                │
│  - Format for LLM prompt              │
└───────────────┬───────────────────────┘
                │
                ▼
┌───────────────────────────────────────┐
│  5. LLM Generation                    │
│  - Construct prompt:                  │
│    "Context: {chunks}"                │
│    "Question: {query}"                │
│  - Call Gemini LLM                    │
│  - Model: gemini-2.0-flash            │
└───────────────┬───────────────────────┘
                │
                ▼
┌───────────────────────────────────────┐
│  6. Response Formatting               │
│  - AI-generated answer                │
│  - Source documents                   │
│  - Confidence scores                  │
│  - Metadata                           │
└───────────────┬───────────────────────┘
                │
                ▼
    Return to User

┌─────────────────────────────────────────────────────────────┐
│  1. Token Generation                                        │
│                                                             │
│  POST /token                                                │
│  Body: {"username": "admin", "password": "password"}        │
│                                                             │
│  ┌────────────────────────────────────────────────────────┐ │
│  │  Server validates credentials                          │ │
│  │  Generates JWT with:                                   │ │
│  │  - Header: {"alg": "HS256", "typ": "JWT"}              │ │
│  │  - Payload: {"sub": "admin", "exp": <timestamp>}       │ │
│  │  - Signature: HMAC-SHA256(header.payload, SECRET_KEY)  │ │
│  └────────────────────────────────────────────────────────┘ │
│                                                             │
│  Response: {"access_token": "eyJ...", "token_type": "bearer"}│
└─────────────────────────────────────────────────────────────┘
                            │
                            ▼
┌─────────────────────────────────────────────────────────────┐
│  2. Authenticated Request                                   │
│                                                             │
│  GET /documents                                             │
│  Headers: {"Authorization": "Bearer eyJ..."}                │
│                                                             │
│  ┌────────────────────────────────────────────────────────┐ │
│  │  Server extracts token                                 │ │
│  │  Verifies signature with SECRET_KEY                    │ │
│  │  Checks expiration (30 minutes)                        │ │
│  │  Validates claims                                      │ │
│  └────────────────────────────────────────────────────────┘ │
│                                                             │
│  If valid: Process request                                  │
│  If invalid: Return 401 Unauthorized                        │
└─────────────────────────────────────────────────────────────┘

{
  "answer": "The main topic is...",
  "sources": [
    {
      "document_id": 123,
      "chunk_index": 5,
      "similarity": 0.92,
      "text": "..."
    }
  ],
  "metadata": {
    "processing_time": 1.23,
    "model": "gemini-2.0-flash"
  }
}

CREATE TABLE documents_DEMO_gemini (
    id INT AUTO_INCREMENT PRIMARY KEY,
    filename VARCHAR(255) NOT NULL,
    content LONGTEXT,
    metadata JSON,
    created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
    updated_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP,
    INDEX idx_filename (filename),
    INDEX idx_created_at (created_at)
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_ci;

CREATE TABLE vdb_tbl_DEMO_gemini (
    id INT AUTO_INCREMENT PRIMARY KEY,
    document_id INT NOT NULL,
    chunk_index INT NOT NULL,
    chunk_text LONGTEXT NOT NULL,
    embedding BLOB,
    metadata JSON,
    created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
    FOREIGN KEY (document_id) REFERENCES documents_DEMO_gemini(id) ON DELETE CASCADE,
    INDEX idx_document_id (document_id),
    INDEX idx_chunk_index (chunk_index)
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_ci;

Helm

Helm is the preferred way to install MariaDB Enterprise Kubernetes Operator in Kubernetes clusters. This documentation aims to provide guidance on how to manage the installation and upgrades of both the CRDs and the operator via Helm charts.

Prerequisites

Configure your customer credentials as described in the documentation to be able to pull images.

Charts

MariaDB Enterprise Kubernetes Operator is splitted into two different helm charts for better convenience:

mariadb-enterprise-operator-crds: Bundles the required by the operator.
mariadb-enterprise-operator: Contains all the template manifests required to install the operator. Refer to the section for detailed information about the supported values.

Control-plane

The operator extends the Kubernetes control plane and consists of the following components deployed via Helm:

operator: The mariadb-enterprise-operator itself that performs the CRD reconciliation.
webhook: The Kubernetes control-plane delegates CRD validations to this HTTP server. Kubernetes requires TLS to communicate with the webhook server.
cert-controller: Provisions TLS certificates for the webhook. You can see it as a minimal that is intended to work only with the webhook. It is optional and can be replaced by cert-manager.

Installing CRDs

Helm has certain . To address this, we are providing the CRDs in a separate chart, . This allows us to manage the installation and updates of the CRDs independently from the operator. For example, you can uninstall the operator without impacting your existing MariaDB CRDs.

CRDs can be installed in your cluster by running the following commands

Installing the operator

The first step is to prepare a values.yaml file to specify your previously configured :

Then, you can proceed to install the operator:

If you have the and already installed in your cluster, it is recommended to leverage them to scrape the operator metrics and provision the webhook certificate respectively:

Refer to the section for detailed information about the supported values.

Long-Term Support Versions

MariaDB Enterprise Kubernetes Operator provides stable Long-Term Support (LTS) versions.

Version

Supported Kubernetes Versions

Description

If you instead wish to install a specific LTS release, you can do:

Where: --version "25.10.*" installs the most recent available release within the 25.10 series.

Deployment modes

The following deployment modes are supported:

Cluster-wide

The operator watches CRDs in all namespaces and requires cluster-wide RBAC permissions to operate. This is the default deployment mode, enabled through the default configuration values:

Single namespace

By setting currentNamespaceOnly=true, the operator will only watch CRDs within the namespace it is deployed in, and the RBAC permissions will be restricted to that namespace as well:

Updates

Make sure you read and understand the before proceeding to update the operator.

To install a version instead, replace <new-version> with your desired LTS release. For example: --version "25.10.*" will automatically install the latest available patch within that LTS series.

The first step is upgrading the CRDs that the operator depends on:

Once updated, you may proceed to upgrade the operator:

Whenever a new version of the operator is released, an upgrade guide is linked in the if additional upgrade steps are required. Be sure to review the and follow the version-specific upgrade guides accordingly.

Operator high availability

The operator can run in high availability mode to prevent downtime during updates and ensure continuous reconciliation of your CRs, even if the node where the operator runs goes down. To achieve this, you need:

Multiple replicas
Configure Pod anti-affinity
Configure PodDisruptionBudgets

You can achieve this by providing the following values to the helm chart:

You may similarly configure the webhook and cert-controller components to run in high availability mode by providing the same values to their respective sections. Refer to the for detailed information.

Uninstalling

Uninstalling the mariadb-enterprise-operator-crds Helm chart will remove the CRDs and their associated resources, resulting in downtime.

First, uninstall the mariadb-enterprise-operator Helm chart. This action will not delete your CRDs, so your operands (i.e. MariaDB and MaxScale) will continue to run without the operator's reconciliation.

At this point, if you also want to delete CRDs and the operands running in your cluster, you may proceed to uninstall the mariadb-enterprise-operator-crds Helm chart:

Operator helm values

Key

Type

Default

Description

TLS

MariaDB Enterprise Kubernetes Operator supports issuing, configuring and rotating TLS certificates for both your MariaDB and MaxScale resources. It aims to be secure by default; for this reason, TLS certificates are issued and configured by the operator as a default behaviour.

`MariaDB` configuration

This section covers TLS configuration in new instances. If you are looking to migrate an existing instance to use TLS, please refer to instead.

TLS can be configured in MariaDB resources by setting tls.enabled=true:

As a result, the operator will generate a Certificate Authority (CA) and use it to issue the leaf certificates mounted by the instance. It is important to note that the TLS connections are not enforced in this case i.e. both TLS and non-TLS connections will be accepted. This is the default behaviour when no tls field is specified.

If you want to enforce TLS connections, you can set tls.required=true:

This approach ensures that any unencrypted connection will fail, effectively enforcing security best practices.

If you want to fully opt-out from TLS, you can set tls.enabled=false:

This will disable certificate issuance, resulting in all connections being unencrypted.

Refer to further sections for a more advanced TLS configuration.

`MaxScale` configuration

This section covers TLS configuration in new instances. If you are looking to migrate an existing instance to use TLS, please refer to instead.

TLS will be automatically enabled in MaxScale when the referred MariaDB (via mariaDbRef) has TLS enabled and enforced. Alternatively, you can explicitly enable TLS by setting tls.enabled=true:

As a result, the operator will generate a Certificate Authority (CA) and use it to issue the leaf certificates mounted by the instance. It is important to note that, unlike MariaDB, MaxScale does not support TLS and non-TLS connections simultaneously (see ). Therefore, TLS connections will be enforced in this case i.e. unencrypted connections will fail, ensuring security best practises.

If you want to fully opt-out from TLS, you can set tls.enabled=false. This should only be done when MariaDB TLS is not enforced or disabled:

This will disable certificate issuance, resulting in all connections being unencrypted.

Refer to further sections for a more advanced TLS configuration.

`MariaDB` certificate specification

The MariaDB TLS setup consists of the following certificates:

Certificate Authority (CA) keypair to issue the server certificate.
Server leaf certificate used to encrypt server connections.
Certificate Authority (CA) keypair to issue the client certificate.
Client leaf certificate used to encrypt and authenticate client connections.

As a default behaviour, the operator generates a single CA to be used for issuing both the server and client certificates, but the user can decide to use dedicated CAs for each case. Root CAs, and in some cases, are supported, see for further detail.

The server certificate contains the following Subject Alternative Names (SANs):

<mariadb-name>.<namespace>.svc.<cluster-name>
<mariadb-name>.<namespace>.svc
<mariadb-name>.<namespace>

Whereas the client certificate is only valid for the <mariadb-name>-client SAN.

`MaxScale` certificate specification

The MaxScale TLS setup consists of the following certificates:

Certificate Authority (CA) keypair to issue the admin certificate.
Admin leaf certificate used to encrypt the administrative REST API and GUI.
Certificate Authority (CA) keypair to issue the listener certificate.
Listener leaf certificate used to encrypt database connections to the listener.

As a default behaviour, the operator generates a single CA to be used for issuing both the admin and the listener certificates, but the user can decide to use dedicated CAs for each case. Client certificate and CA bundle configured in the referred MariaDB are used as server certificates by default, but the user is able to provide its own certificates. Root CAs, and in some cases, are supported, see for further detail.

Both the admin and listener certificates contain the following Subject Alternative Names (SANs):

<maxscale-name>.<namespace>.svc.<clusername>
<maxscale-name>.<namespace>.svc
<maxscale-name>.<namespace>

For details about the server certificate, see .

CA bundle

As you could appreciate in and , the TLS setup involves multiple CAs. In order to establish trust in a more convenient way, the operator groups the CAs together in a CA bundle that will need to be specified when . Every MariaDB and MaxScale resources have a dedicated bundle of its own available in a Secret named <instance-name>-ca-bundle.

These trust bundles contain non expired CAs needed to connect to the instances. New CAs are automatically added to the bundle after , whilst old CAs are removed after they expire. It is important to note that both the new and old CAs remain in the bundle for a while to ensure a smooth update when the new certificates are issued by the new CA.

Issue certificates with the operator

By setting tls.enabled=true, the operator will generate a root CA for each instance, which will be used to issue the certificates described in the and sections:

To establish trust with the instances, the CA's public key will be added to the . If you need a different trust chain, please refer to the section.

The advantage of this approach is that the operator fully manages the Secrets that contain the certificates without depending on any third party dependency. Also, since the operator fully controls the renewal process, it is able to pause a leaf certificate renewal if the CA is being updated at that moment, as described in the section.

Issue certificates with cert-manager

must be previously installed in the cluster in order to use this feature.

cert-manager is the de-facto standard for managing certificates in Kubernetes. It is a Kubernetes native certificate management controller that allows you to automatically provision, manage and renew certificates. It supports multiple (in-cluster, Hashicorp Vault...) which are configured as Issuer or ClusterIssuer resources.

As an example, we are going to setup an in-cluster root CA ClusterIssuer:

Then, you can reference the ClusterIssuer in the MariaDB and MaxScale resources:

The operator will create cert-manager's for each certificate, and will mount the resulting in the instances. These Secrets containing the certificates will be managed by cert-manager as well as its renewal process.

To establish trust with the instances, the in the Secret will be added to the . If you need a different trust chain, please refer to the section.

The advantage of this approach is that you can use any of the , such as the in-cluster CA or HashiCorp Vault, and potentially reuse the same Issuer/ClusterIssuer with multiple instances.

Provide your own certificates

Providing your own certificates is as simple as creating the Secrets with the appropriate structure and referencing them in the MariaDB and MaxScale resources. The certificates must be compliant with the and .

The CA certificate must be provided as a Secret with the following structure:

The ca.key field is only required if you want to the operator to automatically re-issue certificates with this CA, see for further detail. In other words, if only ca.crt is provided, the operator will trust this CA by adding it to the , but no certificates will be issued with it, the user will responsible for upating the certificate Secret manually with renewed certificates.

The enterprise.mariadb.com/watch label is required only if you want the operator to automatically trigger an update when the CA is renewed, see for more detail.

The leaf certificate must match the previous CA's public key, and it should provided as a with the following structure:

The enterprise.mariadb.com/watch label is required only if you want the operator to automatically trigger an update when the certificate is renewed, see for more detail.

Once the certificate Secrets are available in the cluster, you can create the MariaDB and MaxScale resources referencing them:

Bring your own CA

If you already have a CA setup outside of Kubernetes, you can use it with the operator by providing the CA certificate as a Secret with the following structure:

Just by providing a reference to this Secret, the operator will use it to issue leaf certificates instead of generating a new CA:

Intermediate CAs

Intermediate CAs are supported by the operator with . Leaf certificates issued by the intermediate CAs are slightly different, and include the intermediate CA public key as part of the certificate, in the following order: Leaf certificate -> Intermediate CA. This is a common practise to easily establish trust in complex PKI setups, where multiple CA are involved.

Many applications support this Leaf certificate -> Intermediate CA structure as a valid leaf certificate, and are able to establish trust with the intermediate CA. Normally, the intermediate CA will not be directly trusted, but used as a path to the root CA, which should be trusted by the application. If not trusted already, you can add the root CA to the by using a .

Custom trust

You are able to provide a set of CA public keys to be added to the by creating a Secret with the following structure:

And referencing it in the MariaDB and MaxScale resources, for instance:

This is specially useful when issuing certificates with an intermediate CA, see section for further detail.

Distributing trust

Distributing the to your application namespace is out of the scope of this operator, the bundles will remain in the same namespace as the MariaDB and MaxScale instances.

If your application is in a different namespace, you can copy the CA bundle to the application namespace. Projects like can help you to automate this process and continously reconcile bundle changes.

TLS version configuration

You may configure the supported TLS versions in MariaDB by setting:

If not specified, the MariaDB's default TLS versions will be used. See .

Regarding MaxScale, you can also configure the supported TLS versions, both for the Admin REST API and MariaDB servers:

If not specified, the MaxScale's default TLS versions will be used. See MaxScale docs:

Certificate lifetime configuration

By default, CA certificates are valid for 3 years, while leaf certificates have a validity of 3 months. This lifetime can be customized in both MariaDB and MaxScale resources through the certificate configuration fields. For example:

When issuing certificates with cert-manager, you can specify the certificate configuration field alongside the issuer reference:

Private key configuration

By default, private keys are generated with the ECDSA algorithm and a size of 256. You can customize the private key configuration in both MariaDB and MaxScale resources through the certificate configuration fields. For example:

When issuing certificates with cert-manager, you can specify the private key configuration field alongside the issuer reference:

The following set of algorithms and sizes are supported:

Algorithm

Key Sizes

CA renewal

Depending on the setup, CAs can be managed and renewed by either MariaDB Enterprise Kubernetes Operator or cert-manager.

When managed by the operator, CAs have a lifetime of 3 years by default, and are marked for renewal after 66% of its lifetime has passed i.e. ~2 years. After being renewed, the operator will trigger an update of the instances to include the new CA in the bundle.

When managed by cert-manager, the renewal process is fully controlled by cert-manager, but the operator will also update the CA bundle after the CA is renewed.

You may choose any of the available to control the instance update process.

Certificate renewal

Depending on the setup, certificates can be managed and renewed by the operator or cert-manager. In either case, certificates have a lifetime of 90 days by default, and marked for renewal after 66% of its lifetime has passed i.e. ~60 days.

When the , the operator is able to pause a leaf certificate renewal if the CA is being updated at that same moment. This approach ensures a smooth update by avoiding the simultaneous rollout of the new CA and its associated certificates. Rolling them out together could be problematic, as all Pods need to trust the new CA before its issued certificates can be utilized.

When the , the renewal process is fully managed by cert-manager, and the operator will not interfere with it. The operator will only update the instances whenever the CA or the certificates get renewed.

You may choose any of the available to control the instance update process.

Certificate status

To have a high level picture of the certificates status, you can check the status.tls field of the MariaDB and MaxScale resources:

TLS requirements for `Users`

You are able to declaratively manage access to your MariaDB instances by creating . In particular, when TLS is enabled, you can provide additional requirements for the user when connecting over TLS.

For instance, if you want to require a valid x509 certificate for the user to be able o connect:

In order to restrict which subject the user certificate should have and/or require a particular issuer, you may set:

When any of these TLS requirements are not met, the user will not be able to connect to the instance.

See and the for further detail.

Galera Enterprise SSL modes

MariaDB Enterprise Cluster (Galera) supports multiple SSL modes to secure the communication between the nodes. For configuring the SSL enforcement level on the server i.e. WSREP, you can set:

The following values are supported: SERVER_X509, SERVER and PROVIDER. Refer to the for further detail about these modes.

You may also configure the SSL enforcement level used during Snapshot State Transfers(SST) by setting:

The following values are supported: VERIFY_IDENTITY, VERIFY, REQUIRED and DISABLED. Refer to the for further detail about these modes.

If you are willing to increase the enforcement level in an existing instance, make sure you follow the migration guide provided in the section.

Secure application connections with TLS

In this guide, we will configure TLS for an application running in the app namespace to connect with MariaDB and MaxScale instances deployed in the default namespace. We assume that the following resources are already present in the default namespace with TLS enabled:

The first step is to create a User resource and grant the necessary permissions:

The app user will be able to connect to the MariaDB instance from the app namespace by providing a certificate with subject mariadb-galera-client and issued by the mariadb-galera-ca CA.

With the permissions in place, the next step is to prepare the certificates required for the application to connect:

CA Bundle: The trust bundle for MariaDB and MaxScale is available as a Secret named <instance-name>-ca-bundle in the default namespace. For more details, refer to the sections on and .
Client Certificate: MariaDB provides a default client certificate stored in a Secret named <mariadb-name>-client-cert

In this example, we assume that the following Secrets are available in the app namespace:

mariadb-bundle: CA bundle for the MariaDB and MaxScale instances.
mariadb-galera-client-cert: Client certificate required to connect to the MariaDB instance.

With these Secrets in place, we can proceed to define our application:

The application will connect to the MariaDB instance using the app user, and will execute a simple query to check the connection status. The --ssl-ca, --ssl-cert, --ssl-key and --ssl-verify-server-cert flags are used to provide the CA bundle, client certificate and key, and to verify the server certificate respectively.

If the connection is successful, the output should be:

You can also point the application to the MaxScale instance by updating the host to maxscale-galera.default.svc.cluster.local:

If successful, the expected output is:

Test TLS certificates with `Connections`

In order to validate your TLS setup, and to ensure that you TLS certificates are correctly issued and configured, you can use the Connection resource to test the connection to both your MariaDB and MaxScale instances:

If successful, the Connection resource will be in a Ready state, which means that your TLS setup is correctly configured:

This could be specially useful when and issuing certificates for your applications.

Limitations

Galera and intermediate CAs

Leaf certificates issued by are not supported by Galera, see . This implies that a root CA must be used to issue the MariaDB certificates.

This doesn't affect MaxScale, as it is able to establish trust with intermediate CAs, and therefore you can still issue your application facing certificates (MaxScale listeners) with an intermediate CA, giving you more flexibility in your PKI setup.

MaxScale

Unlike MariaDB, TLS and non-TLS connections on the same port are not supported simultaneously.
TLS encryption must be enabled for listeners when they are created. For servers, the TLS can be enabled after creation but it cannot be disabled or altered.

Refer to the for further details.

<mariadb-name>

<maxscale-name>

default

Secret

mariadb-galera-client

mariadb-galera-ca

helm repo add mariadb-enterprise-operator https://operator.mariadb.com
helm install mariadb-enterprise-operator mariadb-enterprise-operator/mariadb-enterprise-operator \
  -f values.yaml \
  --set metrics.enabled=true --set webhook.cert.certManager.enabled=true

helm install --version "25.10.*" mariadb-enterprise-operator-crds mariadb-enterprise-operator/mariadb-enterprise-operator-crds
helm install mariadb-enterprise-operator mariadb-enterprise-operator/mariadb-enterprise-operator \
  -f values.yaml \
  --version "25.10.*"

helm repo add mariadb-enterprise-operator https://operator.mariadb.com
helm install mariadb-enterprise-operator \
  -n databases --create-namespace \
  -f values.yaml \
  --set currentNamespaceOnly=true \
  mariadb-enterprise-operator/mariadb-enterprise-operator

ha:
  enabled: true
  replicas: 3

affinity:
  podAntiAffinity:
    requiredDuringSchedulingIgnoredDuringExecution:
    - labelSelector:
        matchExpressions:
        - key: app.kubernetes.io/name
          operator: In
          values:
          - mariadb-enterprise-operator
        - key: app.kubernetes.io/instance
          operator: In
          values:
          - mariadb-enterprise-operator
      topologyKey: kubernetes.io/hostname

pdb:
  enabled: true
  maxUnavailable: 1

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: selfsigned
spec:
  selfSigned: {}
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: root-ca
  namespace: default
spec:
  duration: 52596h # 6 years
  commonName: root-ca
  usages:
  - digital signature
  - key encipherment
  - cert sign
  issuerRef:
    name: selfsigned
    kind: ClusterIssuer
  isCA: true
  privateKey:
    encoding: PKCS1
    algorithm: ECDSA
    size: 256
  secretTemplate:
    labels:
      enterprise.mariadb.com/watch: ""
  secretName: root-ca
  revisionHistoryLimit: 10
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: root-ca
spec:
  ca:
    secretName: root-ca

apiVersion: enterprise.mariadb.com/v1alpha1
kind: MariaDB
metadata:
  name: mariadb-galera
spec:
  ...
  tls:
    enabled: true
    serverCertIssuerRef:
      name: root-ca
      kind: ClusterIssuer
    clientCertIssuerRef:
      name: root-ca
      kind: ClusterIssuer

apiVersion: enterprise.mariadb.com/v1alpha1
kind: MaxScale
metadata:
  name: maxscale-galera
spec:
  ...
  tls:
    enabled: true
    adminCertIssuerRef:
      name: root-ca
      kind: ClusterIssuer
    listenerCertIssuerRef:
      name: root-ca
      kind: ClusterIssuer

apiVersion: v1
kind: Secret
type: Opaque
metadata:
  name: mariadb-galera-server-ca
  labels:
    enterprise.mariadb.com/watch: ""
data:
  ca.crt:
  -----BEGIN CERTIFICATE-----
  <public-key>
  -----END CERTIFICATE-----
  ca.key:
  -----BEGIN EC PRIVATE KEY-----
  <private-key>
  -----END EC PRIVATE KEY-----

apiVersion: v1
kind: Secret
type: kubernetes.io/tls  
metadata:
  name: mariadb-galera-server-tls 
  labels:
    enterprise.mariadb.com/watch: ""
data:
  tls.crt:
  -----BEGIN CERTIFICATE-----
  <public-key>
  -----END CERTIFICATE-----
  tls.key:
  -----BEGIN EC PRIVATE KEY-----
  <private-key>
  -----END EC PRIVATE KEY-----

apiVersion: enterprise.mariadb.com/v1alpha1
kind: MariaDB
metadata:
  name: mariadb-galera
spec:
  ...
  tls:
    enabled: true
    serverCASecretRef:
      name: mariadb-server-ca
    serverCertSecretRef:
      name: mariadb-galera-server-tls
    clientCASecretRef:
      name: mariadb-client-ca
    clientCertSecretRef:
      name: mariadb-galera-client-tls

apiVersion: enterprise.mariadb.com/v1alpha1
kind: MaxScale
metadata:
  name: maxscale-galera
spec:
  ...
  tls:
    enabled: true
    adminCASecretRef:
      name: maxscale-admin-ca
    adminCertSecretRef:
      name: maxscale-galera-admin-tls
    listenerCASecretRef:
      name: maxscale-listener-ca
    listenerCertSecretRef:
      name: maxscale-galera-listener-tls
    serverCASecretRef:
      name: mariadb-galera-ca-bundle
    serverCertSecretRef:
      name: mariadb-galera-client-tls

apiVersion: v1
kind: Secret
type: Opaque
metadata:
  name: mariadb-ca
  labels:
    enterprise.mariadb.com/watch: ""
data:
  ca.crt:
  -----BEGIN CERTIFICATE-----
  <public-key>
  -----END CERTIFICATE-----
  ca.key:
  -----BEGIN EC PRIVATE KEY-----
  <private-key>
  -----END EC PRIVATE KEY-----

apiVersion: enterprise.mariadb.com/v1alpha1
kind: MariaDB
metadata:
  name: mariadb-galera
spec:
  ...
  tls:
    enabled: true
    serverCASecretRef:
      name: mariadb-server-ca
    clientCASecretRef:
      name: mariadb-client-ca

apiVersion: v1
kind: Secret
type: Opaque
metadata:
  name: custom-trust
  labels:
    enterprise.mariadb.com/watch: ""
data:
  ca.crt:
  -----BEGIN CERTIFICATE-----
  <my-org-root-ca>
  -----END CERTIFICATE-----
  -----BEGIN CERTIFICATE-----
  <root-ca>
  -----END CERTIFICATE-----

apiVersion: enterprise.mariadb.com/v1alpha1
kind: MaxScale
metadata:
  name: maxscale-galera
spec:
  ...
  tls:
    enabled: true
    adminCASecretRef:
      name: custom-trust
    adminCertIssuerRef:
      name: my-org-intermediate-ca
      kind: ClusterIssuer
    listenerCASecretRef:
      name: custom-trust
    listenerCertIssuerRef:
      name: intermediate-ca
      kind: ClusterIssuer

apiVersion: enterprise.mariadb.com/v1alpha1
kind: MaxScale
metadata:
  name: maxscale-galera
spec:
  ...
  tls:
    adminVersions:
      - TLSv13
      - TLSv12
      - TLSv11
      - TLSv10
    serverVersions:
      - TLSv13
      - TLSv12
      - TLSv11
      - TLSv10

apiVersion: enterprise.mariadb.com/v1alpha1
kind: MariaDB
metadata:
  name: mariadb-galera
spec:
  tls:
    enabled: true
    required: true
    serverCertConfig:
      caLifetime: 8766h # 1 year
      certLifetime: 720h # 1 month
    clientCertConfig:
      caLifetime: 8766h # 1 year
      certLifetime: 720h # 1 month

apiVersion: enterprise.mariadb.com/v1alpha1
kind: MaxScale
metadata:
  name: maxscale-galera
spec:
  tls:
    enabled: true
    adminCertConfig:
      caLifetime: 8766h # 1 year
      certLifetime: 1h # 1 month
    listenerCertConfig:
      caLifetime: 8766h # 1 year
      certLifetime: 720h # 1 month

apiVersion: enterprise.mariadb.com/v1alpha1
kind: MariaDB
metadata:
  name: mariadb-galera
spec:
  tls:
    enabled: true
    required: true
    serverCertIssuerRef:
      name: root-ca
      kind: ClusterIssuer
    serverCertConfig:
      caLifetime: 8766h # 1 year
      certLifetime: 720h # 1 month
    clientCertIssuerRef:
      name: root-ca
      kind: ClusterIssuer
    clientCertConfig:
      caLifetime: 8766h # 1 year
      certLifetime: 720h # 1 month

apiVersion: enterprise.mariadb.com/v1alpha1
kind: MaxScale
metadata:
  name: maxscale-galera
spec:
  tls:
    enabled: true
    adminCertIssuerRef:
      name: root-ca
      kind: ClusterIssuer
    adminCertConfig:
      caLifetime: 8766h # 1 year
      certLifetime: 1h # 1 month
    listenerCertIssuerRef:
      name: root-ca
      kind: ClusterIssuer
    listenerCertConfig:
      caLifetime: 8766h # 1 year
      certLifetime: 720h # 1 month

apiVersion: enterprise.mariadb.com/v1alpha1
kind: MariaDB
metadata:
  name: mariadb-galera
spec:
  tls:
    enabled: true
    required: true
    serverCertConfig:
      privateKeyAlgorithm: RSA
      privateKeySize: 2048
    clientCertConfig:
      privateKeyAlgorithm: RSA
      privateKeySize: 2048

apiVersion: enterprise.mariadb.com/v1alpha1
kind: MaxScale
metadata:
  name: maxscale-galera
spec:
  tls:
    enabled: true
    adminCertConfig:
      privateKeyAlgorithm: RSA
      privateKeySize: 2048
    listenerCertConfig:
      privateKeyAlgorithm: RSA
      privateKeySize: 2048

apiVersion: enterprise.mariadb.com/v1alpha1
kind: MariaDB
metadata:
  name: mariadb-galera
spec:
  tls:
    enabled: true
    required: true
    serverCertIssuerRef:
      name: root-ca
      kind: ClusterIssuer
    serverCertConfig:
      privateKeyAlgorithm: ECDSA
      privateKeySize: 256
    clientCertIssuerRef:
      name: root-ca
      kind: ClusterIssuer
    clientCertConfig:
      privateKeyAlgorithm: ECDSA
      privateKeySize: 256

apiVersion: enterprise.mariadb.com/v1alpha1
kind: MaxScale
metadata:
  name: maxscale-galera
spec:
  tls:
    enabled: true
    adminCertIssuerRef:
      name: root-ca
      kind: ClusterIssuer
    adminCertConfig:
      privateKeyAlgorithm: ECDSA
      privateKeySize: 256
    listenerCertIssuerRef:
      name: root-ca
      kind: ClusterIssuer
    listenerCertConfig:
      privateKeyAlgorithm: ECDSA
      privateKeySize: 256

kubectl get mariadb mariadb-galera -o jsonpath="{.status.tls}" | jq
{
  "caBundle": [
    {
      "issuer": "CN=mariadb-galera-ca",
      "notAfter": "2028-01-20T14:26:50Z",
      "notBefore": "2025-01-20T13:26:50Z",
      "subject": "CN=mariadb-galera-ca"
    }
  ],
  "clientCert": {
    "issuer": "CN=mariadb-galera-ca",
    "notAfter": "2025-04-20T14:26:50Z",
    "notBefore": "2025-01-20T13:26:50Z",
    "subject": "CN=mariadb-galera-client"
  },
  "serverCert": {
    "issuer": "CN=mariadb-galera-ca",
    "notAfter": "2025-04-20T14:26:50Z",
    "notBefore": "2025-01-20T13:26:50Z",
    "subject": "CN=mariadb-galera.default.svc.cluster.local"
  }
}

kubectl get maxscale maxscale-galera -o jsonpath="{.status.tls}" | jq
{
  "adminCert": {
    "issuer": "CN=maxscale-galera-ca",
    "notAfter": "2025-04-20T14:33:09Z",
    "notBefore": "2025-01-20T13:33:09Z",
    "subject": "CN=maxscale-galera.default.svc.cluster.local"
  },
  "caBundle": [
    {
      "issuer": "CN=maxscale-galera-ca",
      "notAfter": "2028-01-20T14:33:09Z",
      "notBefore": "2025-01-20T13:33:09Z",
      "subject": "CN=maxscale-galera-ca"
    },
    {
      "issuer": "CN=mariadb-galera-ca",
      "notAfter": "2028-01-20T14:28:46Z",
      "notBefore": "2025-01-20T13:28:46Z",
      "subject": "CN=mariadb-galera-ca"
    }
  ],
  "listenerCert": {
    "issuer": "CN=maxscale-galera-ca",
    "notAfter": "2025-04-20T14:33:09Z",
    "notBefore": "2025-01-20T13:33:09Z",
    "subject": "CN=maxscale-galera.default.svc.cluster.local"
  },
  "serverCert": {
    "issuer": "CN=mariadb-galera-ca",
    "notAfter": "2025-04-20T14:28:46Z",
    "notBefore": "2025-01-20T13:28:46Z",
    "subject": "CN=mariadb-galera-client"
  }
}

apiVersion: enterprise.mariadb.com/v1alpha1
kind: MariaDB
metadata:
  name: mariadb-galera
spec:
  rootPasswordSecretKeyRef:
    name: mariadb
    key: root-password
  storage:
    size: 1Gi
  replicas: 3
  galera:
    enabled: true
  tls:
    enabled: true
    required: true
---
apiVersion: enterprise.mariadb.com/v1alpha1
kind: MaxScale
metadata:
  name: maxscale-galera
spec:
  replicas: 2
  mariaDbRef:
    name: mariadb-galera
  tls:
    enabled: true

apiVersion: enterprise.mariadb.com/v1alpha1
kind: User
metadata:
  name: app
  namespace: app
spec:
  mariaDbRef:
    name: mariadb-galera
    namespace: default
  require:
    issuer: "/CN=mariadb-galera-ca"
    subject: "/CN=mariadb-galera-client"
  host: "%"
---
apiVersion: enterprise.mariadb.com/v1alpha1
kind: Grant
metadata:
  name: grant-app
  namespace: app
spec:
  mariaDbRef:
    name: mariadb-galera
    namespace: default
  privileges:
    - "ALL PRIVILEGES"
  database: "*"
  table: "*"
  username: app
  host: "%"

apiVersion: batch/v1
kind: CronJob
metadata:
  name: mariadb-client
  namespace: app
spec:
  schedule: "*/1 * * * *"
  jobTemplate:
    spec:
      template:
        spec:
          containers:
          - name: mariadb-client
            image: mariadb:11.4.4
            command:
              - bash
            args:
              - -c
              - >
                mariadb -u app -h mariadb-galera-primary.default.svc.cluster.local
                --ssl-ca=/etc/pki/ca.crt --ssl-cert=/etc/pki/tls.crt
                --ssl-key=/etc/pki/tls.key --ssl-verify-server-cert
                -e "SELECT 'MariaDB connection successful!' AS Status;" -t
            volumeMounts:
            - name: pki
              mountPath: /etc/pki
              readOnly: true
          volumes:
          - name: pki
            projected:
              sources:
              - secret:
                  name: mariadb-bundle
                  items:
                  - key: ca.crt
                    path: ca.crt
              - secret:
                  name: mariadb-galera-client-cert
                  items:
                  - key: tls.crt
                    path: tls.crt
                  - key: tls.key
                    path: tls.key
          restartPolicy: Never

apiVersion: batch/v1
kind: CronJob
metadata:
  name: maxscale-client
  namespace: app
spec:
  schedule: "*/1 * * * *"
  jobTemplate:
    spec:
      template:
        spec:
          containers:
          - name: maxscale-client
            image: mariadb:11.4.4
            command:
              - bash
            args:
              - -c
              - >
                mariadb -u app -h maxscale-galera.default.svc.cluster.local
                --ssl-ca=/etc/pki/ca.crt --ssl-cert=/etc/pki/tls.crt
                --ssl-key=/etc/pki/tls.key --ssl-verify-server-cert
                -e "SELECT 'MaxScale connection successful!' AS Status;" -t
            volumeMounts:
            - name: pki
              mountPath: /etc/pki
              readOnly: true
          volumes:
          - name: pki
            projected:
              sources:
              - secret:
                  name: mariadb-bundle
                  items:
                  - key: ca.crt
                    path: ca.crt
              - secret:
                  name: mariadb-galera-client-cert
                  items:
                  - key: tls.crt
                    path: tls.crt
                  - key: tls.key
                    path: tls.key
          restartPolicy: Never

apiVersion: enterprise.mariadb.com/v1alpha1
kind: Connection
metadata:
  name: connection
spec:
  mariaDbRef:
    name: mariadb-galera
  username: mariadb
  passwordSecretKeyRef:
    name: mariadb
    key: password
  tlsClientCertSecretRef:
    name: mariadb-galera-client-cert
  database: mariadb
  healthCheck:
    interval: 30s

apiVersion: enterprise.mariadb.com/v1alpha1
kind: Connection
metadata:
  name: connection-maxscale
spec:
  maxScaleRef:
    name: maxscale-galera
  username: mariadb
  passwordSecretKeyRef:
    name: mariadb
    key: password
  tlsClientCertSecretRef:
    name: mariadb-galera-client-cert
  database: mariadb
  healthCheck:
    interval: 30s

kubectl get connections
NAME                         READY   STATUS    SECRET                AGE
connection                   True    Healthy   connection            2m8s
connection-maxscale          True    Healthy   connection-maxscale   97s

Metrics

MariaDB Enterprise Kubernetes Operator is able to configure Prometheus operator resources to scrape metrics from MariaDB and MaxScale instances. These metrics can be used later on to build Grafana dashboards or trigger Alertmanager alerts.

Operator metrics

In order to expose the operator internal metrics, you can install the operator Helm chart passing the metrics.enabled = true value. Refer to the Helm documentation for further detail.

Exporters

The operator configures exporters to query MariaDB and MaxScale, exposing metrics in Prometheus format through an HTTP endpoint.

It is important to note that these exporters run as standalone Deployments rather than as sidecars for each data-plane replica. Since they can communicate with all replicas of MariaDB and MaxScale, there is no need to run a separate exporter for each replica.

As a result, the lifecycle of MariaDB and MaxScale remains independent from the exporters, allowing for upgrades without impacting the availability of either component.

`ServiceMonitor`

Once the exporter Deployment is ready, the operator creates a object that will be eventually reconciled by the , resulting in the Prometheus instance being configured to scrape the exporter endpoint.

As you scale MariaDB and MaxScale by adjusting the number of replicas, the operator will reconcile the ServiceMonitor to dynamically add or remove targets corresponding to the updated instances.

Configuration

The easiest way to setup metrics in your MariaDB and MaxScale instances is just by setting spec.metrics.enabled = true:

The rest of the fields are defaulted by the operator. If you need a more fine grained configuration, refer to the and the following examples:

Grafana dashboards

The following community dashboards available on are compatible with the , and therefore they can be used to monitor MariaDB instances:

MariaDB metrics

The following metrics are available for MariaDB instances:

Metric Name

Description

Type

MaxScale metrics

The following metrics are available for MaxScale instances:

Metric Name

Description

Type

apiVersion: enterprise.mariadb.com/v1alpha1
kind: MariaDB
metadata:
  name: mariadb
spec:
...
  metrics:
    enabled: true
    exporter:
      image: mariadb/mariadb-prometheus-exporter-ubi:v0.0.2
      resources:
        requests:
          cpu: 50m
          memory: 64Mi
        limits:
          cpu: 300m
          memory: 512Mi
      port: 9104
    serviceMonitor:
      prometheusRelease: kube-prometheus-stack
      jobLabel: mariadb-monitoring
      interval: 10s
      scrapeTimeout: 10s
    username: monitoring
    passwordSecretKeyRef:
      name: mariadb
      key: password

apiVersion: enterprise.mariadb.com/v1alpha1
kind: MaxScale
metadata:
  name: maxscale
spec:
...
  auth:
    metricsUsername: metrics
    metricsPasswordSecretKeyRef:
      key: password
      name: maxscale-galera-metrics
  metrics:
    enabled: true
    exporter:
      image: mariadb/maxscale-prometheus-exporter-ubi:v0.0.2
      resources:
        requests:
          cpu: 50m
          memory: 64Mi
        limits:
          cpu: 300m
          memory: 512Mi
      port: 9105
    serviceMonitor:
      prometheusRelease: kube-prometheus-stack
      jobLabel: mariadb-monitoring
      interval: 10s
      scrapeTimeout: 10s

API Reference

enterprise.mariadb.com/v1alpha1

enterprise.mariadb.com/v1alpha1

CleanupPolicy

Underlying type: string

CleanupPolicy defines the behavior for cleaning up a resource.

Appears in:

Field

Description

Underlying type: string

CooperativeMonitoring enables coordination between multiple MaxScale instances running monitors. See: https://mariadb.com/docs/server/architecture/components/maxscale/monitors/mariadbmon/use-cooperative-locking-ha-maxscale-mariadb-monitor/

Appears in:

Field

Description

CronJobTemplate

CronJobTemplate defines parameters for configuring CronJob objects.

Appears in:

Field

Description

Default

Validation

Appears in:

Field

Description

Default

Validation

Grant

Grant is the Schema for the grants API. It is used to define grants as if you were running a 'GRANT' statement.

Field

Description

Default

Validation

GrantSpec

GrantSpec defines the desired state of Grant

Appears in:

Field

Description

Default

Validation

MariaDB is the Schema for the mariadbs API. It is used to define MariaDB clusters.

Field

Description

Default

Validation

MariaDBMaxScaleSpec

MariaDBMaxScaleSpec defines a reduced version of MaxScale to be used with the current MariaDB.

Appears in:

Field

Description

Default

Validation

MariaDBRef

MariaDBRef is a reference to a MariaDB object.

Appears in:

Field

Description

Default

Validation

MariaDBSpec

MariaDBSpec defines the desired state of MariaDB

Appears in:

Field

Description

Default

Validation

MariadbMetrics

MariadbMetrics defines the metrics for a MariaDB.

Appears in:

Field

Description

Default

Validation

Appears in:

Field

Description

Default

Validation

Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#resourcerequirements-v1-core.

Appears in:

Appears in:

Field

Description

Default

Validation

SQLTemplate

SQLTemplate defines a template to customize SQL objects.

Appears in:

Field

Description

Default

Validation

Underlying type: string

ServiceRouter defines the type of service router.

Appears in:

Field

Description

ServiceTemplate

ServiceTemplate defines a template to customize Service objects.

Appears in:

Field

Description

Default

Validation

Appears in:

Field

Description

Default

Validation

TopologySpreadConstraint

Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#topologyspreadconstraint-v1-core.

Appears in:

Field

Description

Default

Validation

TypedLocalObjectReference

TypedLocalObjectReference is a reference to a specific object type.

Appears in:

Field

Description

Default

Validation

UpdateStrategy

UpdateStrategy defines how a MariaDB resource is updated.

Appears in:

Field

Description

Default

Validation

UpdateType

Underlying type: string

UpdateType defines the type of update for a MariaDB resource.

Appears in:

Field

Description

Underlying type: string

WaitPoint defines whether the transaction should wait for ACK before committing to the storage engine. More info: https://mariadb.com/kb/en/semisynchronous-replication/#rpl_semi_sync_master_wait_point.

Appears in:

Field

Description

WeightedPodAffinityTerm

Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#weightedpodaffinityterm-v1-core.

Appears in:

Field

Description

Default

Validation

Tools

Tools

MariaDB Enterprise Manager

MariaDB Enterprise Operator

MariaDB Enterprise MCP Server

MariaDB AI RAG

MariaDB Enterprise Manager

Quickstart Guide

Prerequisites

Architecture Overview

Enterprise Manager Server

Administration

Deployment

Installing the Enterprise Manager Server

Hardware and System Requirements

Enterprise Manager Server 🖥️

Hardware Sizing Guide

System Requirements

Enterprise Manager Agent🕵

Supported Platforms for MariaDB Server

Supported Platforms for MariaDB MaxScale

Agent Installation

Prerequisite: Create the Local Monitor User

Installation via Package Manager (Recommended)

Step 1: Configure the MariaDB Enterprise Repository

Get your Customer Download Token

Step 2: Install the Agent Package

Next Steps: Linking the Agent 🔗

Add Multiple MaxScale Monitors

SSO to MaxScale (Single Sign-On)

Accessing the MaxScale GUI

Configuring SSO in maxscale.cnf

Network and Firewall Requirements

Backup & Restore of Enterprise Manager

Backing up Enterprise Manager Server

Change Hostname or IP Address

Connect to your server

Usage

Monitoring

Dashboards

MariaDB Galera Cluster

Galera Metrics

Alerts and Notifications

How It Works: The Alerting Flow

Alert Rule is Defined

Key Alerting Concepts

SMTP Server Configuration

Edit the environment file

Database Administration

Schema Inspector

Object Browser

Object Editor

User Management

Process List Viewer

MariaDB Enterprise Kubernetes Operator

Installation

Topologies

Standalone

Backup and Restore

25.10 LTS version update guide

Plugins

Supported Docker Images

Examples Catalog

Migrations

Migrate external MariaDB into Kubernetes

MariaDB Enterprise MCP Server

Overview

Token Management

Token Generation

Example

Usage Examples

Standard SQL Query

Create Vector Store

Insert Documents into Vector Store

Semantic Search

RAG Generation

Frequently Asked Questions

Installation

System Requirements

Service Management

Configuring SSO in `maxscale.cnf`

Configuring SSO in `maxscale.cnf`