1 of 31

Tools

Discover essential tools for MariaDB. This section provides an overview of utilities for database management, development, migration, and monitoring to enhance your MariaDB experience.

MariaDB Enterprise Operator

MariaDB Enterprise Operator automates provisioning, scaling, backups, and high availability, making cloud-native database operations efficient and reliable.

Introduction

MariaDB Enterprise Operator provides a seamless way to run and operate containerized versions of MariaDB Enterprise Server and MaxScale on Kubernetes, allowing you to leverage Kubernetes orchestration and automation capabilities. This document outlines the features and advantages of using Kubernetes and the MariaDB Enterprise Operator to streamline the deployment and management of MariaDB and MaxScale instances.

What is Kubernetes?

Kubernetes is more than just a container orchestrator; it is a comprehensive platform that provides APIs for managing both applications and the underlying infrastructure. It automates key aspects of container management, including deployment, scaling, and monitoring, while also handling essential infrastructure needs such as networking and storage. By unifying the management of applications and infrastructure, Kubernetes simplifies operations and improves efficiency in cloud-native environments.

Why Kubernetes?

Kubernetes brings several key benefits to the table when managing applications in a containerized environment:

Standardization: Kubernetes relies on standard APIs for managing applications and infrastructure, making it easier to ensure uniformity across various environments. It acts as a common denominator across cloud providers and on-premises.
Automation: Kubernetes APIs encapsulate operational best practises, minimizing the need for manual intervention and improving the efficiency of operations.
Cost Effectiveness: Having an standarized way to manage infrastructure across cloud providers and automation to streamline operations, Kubernetes helps reducing the infrastructure and operational costs.

What is a Kubernetes Operator?

Kubernetes has been designed with flexibility in mind, allowing developers to extend its capabilities through custom resources and operators.

In particular, MariaDB Enterprise Operator, watches the desired state defined by users via MariaDB and MaxScale resources, and takes actions to ensure that the actual state of the system matches the desired state. This includes managing compute, storage and network resources, as well as the full lifecycle of the MariaDB and MaxScale instances. Whenever the desired state changes or the underlying infrastructure is modified, the Operator takes the necessary actions to reconcile the actual state with the desired state.

Operational expertise is baked into the MariaDB and MaxScale APIs and seamlessly managed by the Operator. This includes automated backups, restores, upgrades, monitoring, and other critical lifecycle tasks, ensuring reliability in Day 2 operations.

MariaDB Enterprise Operator Features

Provision and Configure MariaDB and MaxScale Declaratively: Define MariaDB Enterprise Server and MaxScale clusters in YAML manifests and deploy them with ease in Kubernetes.
High Availability with Galera: Ensure availability with MariaDB Enterprise Cluster, providing synchronous multi-master replication.
Query and Connection-Based Routing with MaxScale: MaxScale provides query routing and connection load balancing for improved application performance.
Cluster-Aware Rolling Updates: Perform rolling updates on MariaDB and MaxScale clusters, ensuring zero-downtime upgrades with no disruptions to your applications.
Flexible Storage Configuration and Volume Expansion: Easily configure storage for MariaDB instances, including the ability to expand volumes as needed.
Physical Backups based on and . By leveraging the feature, backups are taken without long read locks or service interruptions.
Logical Backups based on .
Backup Management: Take, restore, and schedule backups with multiple storage types supported: S3, PVCs, Kubernetes volumes and VolumeSnapshots..
Policy-Driven Backup Retention: Implement backup retention policies with bzip2 and gzip compression.
Target Recovery Time: Restore your database to the closest available backup based on a specified recovery time.
Bootstrap New Instances: Initialize new MariaDB instances from backups, S3, PVCs or VolumeSnapshots to quickly spin up new clusters.
TLS Certificate Management: Issue, configure, and rotate TLS certificates and Certificate Authorities (CAs) for secure connections.
Advanced TLS Support: customize certificate lifetime, private key algorithm and TLS version.
Native Integration with cert-manager: Leverage , the de-facto standard for managing certificates in Kubernetes, to enable issuance with private CAs, public CAs and HashiCorp Vault.
Prometheus Metrics: Expose metrics using the MariaDB and MaxScale Prometheus exporters.
Native Integration with prometheus-operator: Leverage to scrape metrics from MariaDB and MaxScale instances.
Declarative User and Database Management: Manage users, grants, and logical databases in a declarative manner using Kubernetes resources.
Secure, immutable and lightweight images based on Red Hat UBI, available for multiple architectires (amd64, arm64 and ppc64le).
by Red Hat.

Customer access to docker.mariadb.com

This documentation aims to provide guidance on how to configure access to docker.mariadb.com in your MariaDB Enterprise Operator resources.

Customer credentials

MariaDB Corporation requires customers to authenticate when logging in to the . A Customer Download Token must be provided as the password. Customer Download Tokens are available through the MariaDB Customer Portal. To retrieve the customer download token for your account:

Navigate to the Customer Download Token at the MariaDB Customer Portal.
Log in using your MariaDB ID.
Copy the Customer Download Token to use as the password when logging in to the MariaDB Enterprise Docker Registry.

Then, configure a Kubernetes kubernetes.io/dockerconfigjson Secret to authenticate:

kubectl create secret docker-registry mariadb-enterprise \
   --docker-server=docker.mariadb.com \
   --docker-username=<email> \
   --docker-password=<customer-download-token>

Openshift

If you are running in Openshift, it is recommended to use the global pull secret to configure customer credentials. The global pull secret is automatically used by all Pods in the cluster, without having to specify imagePullSecrets explicitly.

To configure the global pull secret, you can use the following commands:

Extract your Openshift global pull secret:

oc extract secret/pull-secret -n openshift-config --confirm

oc registry login \
  --registry="docker.mariadb.com" \
  --auth-basic="<email>:<customer-download-token>" \
  --to=.dockerconfigjson

Update the global pull secret:

oc set data secret/pull-secret -n openshift-config --from-file=.dockerconfigjson

Alternatively, you can also create a dedicated Secret for authenticating:

oc create secret docker-registry mariadb-enterprise \
   --docker-server=docker.mariadb.com \
   --docker-username=<email> \
   --docker-password=<customer-download-token>

`MariaDB`

In order to configure access to docker.mariadb.com in your MariaDB resources, you can use the imagePullSecrets field to specify your customer credentials:

apiVersion: enterprise.mariadb.com/v1alpha1
kind: MariaDB
metadata:
  name: mariadb
spec:
  ...
  image: docker.mariadb.com/enterprise-server:11.4.4-2
  imagePullPolicy: IfNotPresent
  imagePullSecrets:
    - name: mariadb-enterprise

As a result, the Pods created as part of the reconciliation process will have the imagePullSecrets.

`MaxScale`

Similarly to MariaDB, you are able to configure access to docker.mariadb.com in your MaxScale resources:

apiVersion: enterprise.mariadb.com/v1alpha1
kind: MaxScale
metadata:
  name: maxscale
spec:
  ...
  image: docker.mariadb.com/maxscale-enterprise:25.01.1
  imagePullPolicy: IfNotPresent
  imagePullSecrets:
    - name: mariadb-enterprise

`Backup`, `Restore` and `SqlJob`

The batch Job resources will inherit the imagePullSecrets from the referred MariaDB, as they also make use of its image. However, you are also able to provide dedicated imagePullSecrets for these resources:

apiVersion: enterprise.mariadb.com/v1alpha1
kind: MariaDB
metadata:
  name: mariadb
spec:
  ...
  image: docker.mariadb.com/enterprise-server:11.4.4-2
  imagePullPolicy: IfNotPresent
  imagePullSecrets:
    - name: mariadb-enterprise

apiVersion: enterprise.mariadb.com/v1alpha1
kind: Backup
metadata:
  name: backup
spec:
  ...
  mariaDbRef:
    name: mariadb
  imagePullSecrets:
    - name: backup-registry

When the resources from the previous examples are created, a Job with both mariadb-enterprise and backup-registry imagePullSecrets will be reconciled.

Docker Images

Certified images

All the Docker images used by this operator are based on Red Hat UBI and have been certified by Red Hat. The advantages of using UBI based images are:

Immutability: UBI images are built to be secure and stable, reducing the risk of unintended changes or vulnerabilities due to mutable base layers.
Small size: The UBI minimal and micro variants used by this operator are designed to be lightweight, containing only the essential packages. This can lead to smaller container image sizes, resulting in faster build times, reduced storage requirements, and quicker image pulls.
Security and compliance: Regular CVE scanning and vulnerability patching help maintain compliance with industry standards and security best practices.
Enterprise-grade support: UBI images are maintained and supported by Red Hat, ensuring timely security updates and long-term stability.

List of compatible images

MariaDB Enterprise Operator is compatible with the following Docker images:

Component

Image

Supported Tags

CPU Architecture

MariaDB Enterprise Operator (ppc64le support)

docker.mariadb.com/mariadb-enterprise-operator

25.8.0

amd64 arm64 ppc64le

MariaDB Enterprise Operator

docker.mariadb.com/mariadb-enterprise-operator

1.0.0

amd64 arm64

MariaDB Enterprise Server (ppc64le support)

docker.mariadb.com/enterprise-server

11.4.7-4.1 11.4 10.6.22-18.1 10.6

amd64 arm64 ppc64le

MariaDB Enterprise Server

docker.mariadb.com/enterprise-server

11.4.5-3 11.4.4-2 10.6.21-17 10.6.20-16.1 10.6.19-15.1 10.6.18-14.2 10.6.17-13.2

amd64 arm64

MaxScale Enterprise (ppc64le support)

docker.mariadb.com/maxscale

25.01.3-1 25.01

amd64 arm64 ppc64le

MaxScale Enterprise

docker.mariadb.com/maxscale-enterprise

25.01.2 25.01.1

amd64 arm64

MaxScale

mariadb/maxscale

24.02.5-ubi 24.02-ubi 23.08.9-ubi 23.08-ubi

amd64 arm64

MariaDB Prometheus Exporter (ppc64le support)

mariadb/mariadb-prometheus-exporter-ubi

1.1.0

amd64 arm64 ppc64le

MariaDB Prometheus Exporter

mariadb/mariadb-prometheus-exporter-ubi

1.0.0

amd64 arm64

MaxScale Prometheus Exporter (ppc64le support)

mariadb/maxscale-prometheus-exporter-ubi

1.1.0

amd64 arm64 ppc64le

MaxScale Prometheus Exporter

mariadb/maxscale-prometheus-exporter-ubi

1.0.0

amd64 arm64

Refer to the registry documentation to access docker.mariadb.com with your customer credentials.

Installation

Installation instructions for MariaDB Enterprise Operator in Kubernetes and OpenShift

Helm

Helm is the preferred way to install MariaDB Enterprise Operator in Kubernetes clusters. This documentation aims to provide guidance on how to manage the installation and upgrades of both the CRDs and the operator via Helm charts.

Prerequisites

Configure your to be able to pull images.

Charts

MariaDB Enterprise Operator is splitted into two different helm charts for better convenience:

mariadb-enterprise-operator-crds: Bundles the required by the operator.
mariadb-enterprise-operator: Contains all the template manifests required to install the operator. Refer to the section for detailed information about the supported values.

Control-plane

The operator extends the Kubernetes control plane and consists of the following components deployed via Helm:

operator: The mariadb-enterprise-operator itself that performs the CRD reconciliation.
webhook: The Kubernetes control-plane delegates CRD validations to this HTTP server. Kubernetes requires TLS to communicate with the webhook server.
cert-controller: Provisions TLS certificates for the webhook. You can see it as a minimal that is intended to work only with the webhook. It is optional and can be replaced by cert-manager.

Installing CRDs

Helm has certain . To address this, we are providing the CRDs in a separate chart, . This allows us to manage the installation and updates of the CRDs independently from the operator. For example, you can uninstall the operator without impacting your existing MariaDB CRDs.

CRDs can be installed in your cluster by running the following commands

Installing the operator

The first step is to prepare a values.yaml file to specify your previously configured :

Then, you can proceed to install the operator:

If you have the and already installed in your cluster, it is recommended to leverage them to scrape the operator metrics and provision the webhook certificate respectively:

Refer to the section for detailed information about the supported values.

Deployment modes

The following deployment modes are supported:

Cluster-wide

The operator watches CRDs in all namespaces and requires cluster-wide RBAC permissions to operate. This is the default deployment mode, enabled through the default configuration values:

Single namespace

By setting currentNamespaceOnly=true, the operator will only watch CRDs within the namespace it is deployed in, and the RBAC permissions will be restricted to that namespace as well:

Updates

Make sure you read and understand the before proceeding to update the operator.

The first step is upgrading the CRDs that the operator depends on:

Once updated, you may proceed to upgrade the operator:

Whenever a new version of the operator is released, an upgrade guide is linked in the if additional upgrade steps are required. Be sure to review the and follow the version-specific upgrade guides accordingly.

Operator high availability

The operator can run in high availability mode to prevent downtime during updates and ensure continuous reconciliation of your CRs, even if the node where the operator runs goes down. To achieve this, you need:

Multiple replicas
Configure Pod anti-affinity
Configure PodDisruptionBudgets

You can achieve this by providing the following values to the helm chart:

You may similarly configure the webhook and cert-controller components to run in high availability mode by providing the same values to their respective sections. Refer to the for detailed information.

Uninstalling

Uninstalling the mariadb-enterprise-operator-crds Helm chart will remove the CRDs and their associated resources, resulting in downtime.

First, uninstall the mariadb-enterprise-operator Helm chart. This action will not delete your CRDs, so your operands (i.e. MariaDB and MaxScale) will continue to run without the operator's reconciliation.

At this point, if you also want to delete CRDs and the operands running in your cluster, you may proceed to uninstall the mariadb-enterprise-operator-crds Helm chart:

Operator helm values

Key

Type

Default

Description

OpenShift

This documentation provides guidance on installing the MariaDB Enterprise Operator operator in OpenShift. This operator has been certified by Red Hat and it is available in the OpenShift console.

Operators are deployed into OpenShift with the Operator Lifecycle Manager (OLM), which facilitates the installation, updates, and overall management of their lifecycle.

Prerequisites

Configure your customer credentials as described in the documentation to be able to pull images.

The recommended way to configure credentials is to use the global pull secret provided by OpenShift, as described in this section. Alternatively, the operator bundle has a mariadb-enterprise imagePullSecret configured by default. This means that you can configure a Secret named mariadb-enterprise in same namespace where the operator will be installed in order to pull images from the MariaDB Enterprise registry.

`PackageManifest`

You can install the certified operator in OpenShift clusters that have the mariadb-enterprise-operator packagemanifest available. In order to check this, run the following command:

oc get packagemanifests -n openshift-marketplace mariadb-enterprise-operator

NAME                          CATALOG                 AGE
mariadb-enterprise-operator   Certified Operators     21h

`SecurityContextConstraints`

Both the operator and the operand Pods run with the restricted-v2 SecurityContextConstraint, the most restrictive SCC in OpenShift in terms of container permissions. This implies that OpenShift automatically assigns a SecurityContext for the Pods with minimum permissions, for example:

securityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
    - ALL
  runAsNonRoot: true
  runAsUser: 1000650000

OpenShift does not assign SecurityContexts in the default and kube-system namespaces. Please refrain from deploying operands on them, as it will result in permission errors when trying to write to the filesystem.

You can read more about SecurityContextConstraints in the OpenShift documentation.

Installation in all namespaces

To install the operator watching resources on all namespaces, you need to create a Subscription object for mariadb-enterprise-operator using the stable channel in the openshift-operators namespace:

apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
  name: mariadb-enterprise-operator
  namespace: openshift-operators
spec:
  channel: stable
  installPlanApproval: Automatic
  name: mariadb-enterprise-operator
  source: certified-operators
  sourceNamespace: openshift-marketplace
  startingCSV: mariadb-enterprise-operator.v1.0.0

This will use the global-operators OperatorGroup that is created by default in the openshift-operators namespace. This OperatorGroup will watch all namespaces in the cluster, and the operator will be able to manage resources across all namespaces.

You can read more about OperatorGroups in the OpenShift documentation.

Installation in specific namespaces

In order to define which namespaces the operator will be watching, you need to create an OperatorGroup in the namespace where the operator will be installed:

apiVersion: operators.coreos.com/v1
kind: OperatorGroup
metadata:
  name: mariadb-enterprise-operator
  namespace: my-namespace
spec:
  targetNamespaces:
  - my-namespace
  - my-other-namespace
  - my-other-other-namespace
  upgradeStrategy: Default

This OperatorGroup will watch the namespaces defined in the targetNamespaces field. The operator will be able to manage resources only in these namespaces.

Then, the operator can be installed by creating a Subscription object in the same namespace as the OperatorGroup:

apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
  name: mariadb-enterprise-operator
  namespace: my-namespace
spec:
  channel: stable
  installPlanApproval: Automatic
  name: mariadb-enterprise-operator
  source: certified-operators
  sourceNamespace: openshift-marketplace
  startingCSV: mariadb-enterprise-operator.v1.0.0

Release channels

Currently, the only release channel available to install the operator is stable, which contains supported releases of the operator. This is controlled by the channel field in the Subscription object.

Updates

Updates are fully managed by OLM and controlled by the installPlanApproval field in the Subscription object. The default value is Automatic, which means that OLM will automatically update the operator to the latest version available in the channel. If you want to control the updates, you can set this field to Manual, and OLM will only update the operator when you approve the update.

Uninstalling

The first step for uninstalling the operator is to delete the Subscription object. This will not remove the operator, but it will stop OLM from managing the operator:

oc delete subscription mariadb-enterprise-operator

After that, you can uninstall the ClusterServiceVersion (CSV) object that was created by OLM. This will remove the operator from the cluster:

oc delete clusterserviceversion mariadb-enterprise-operator.v1.0.0

OpenShift console

As an alternative to create Subscription objects via the command line, you can install operators by using the OpenShift console. Go to the Operators > OperatorHub section and search by mariadb enterprise:

Select MariaDB Enterprise Operator, click on install, and you will be able to create a Subscription object via the UI.

Once deployed, the operator comes with example resources that can be deployed from the console directly. For instance, to create a MariaDB:

As you can see in the previous screenshot, the form view that the OpenShift console offers is limited, we recommend using the YAML view:

Quickstart

This guide aims to provide a quick way to get started with the MariaDB Enterprise Operator for Kubernetes. It will walk you through the process of deploying a MariaDB Enterprise Cluster and MaxScale via the MariaDB and MaxScale CRs (Custom Resources) respectively.

Before you begin, ensure you meet the following prerequisites:

Configure your customer access for docker.mariadb.com
Install the MariaDB Enterprise Operator

The first step will be configuring a Secret with the credentials used by the MariaDB CR:

apiVersion: v1
kind: Secret
metadata:
  name: mariadb
stringData:
  password: MariaDB11!

kubectl apply -f secret.yaml

Next, we will deploy a MariaDB Enterprise Cluster (Galera) using the following CR:

apiVersion: enterprise.mariadb.com/v1alpha1
kind: MariaDB
metadata:
  name: mariadb-galera
spec:
  rootPasswordSecretKeyRef:
    name: mariadb
    key: password
  imagePullSecrets:
  -  name: mariadb-enterprise
  maxScaleRef:
    name: maxscale-galera
  username: mariadb
  passwordSecretKeyRef:
    name: mariadb
    key: password
  database: mariadb
  storage:
    size: 1Gi
  replicas: 3
  galera:
    enabled: true

kubectl apply -f mariadb-galera.yaml

Let's break it down:

rootPasswordSecretKeyRef: A reference to a Secret containing the root password.
imagePullSecrets: The name of the Secret containing the customer credentials to pull the MariaDB Enterprise Server image.
maxScaleRef: The name of the MaxScale CR that we will be creating right after.
username, passwordSecretKeyRef and database: The initial user and database to create.
storage: The size of the volume that will back the data directory.
replicas: The number of MariaDB Enterprise Server instances to deploy.
galera: Configuration for the Galera clustering.

After applying the CR, we can observe the MariaDB Pods being created:

❯ kubectl get pods
NAME                                                           READY   STATUS    RESTARTS      AGE
mariadb-galera-0                                               2/2     Running   0             101s
mariadb-galera-1                                               2/2     Running   0             101s
mariadb-galera-2                                               2/2     Running   0             101s

Now, let's deploy a MaxScale CR:

apiVersion: enterprise.mariadb.com/v1alpha1
kind: MaxScale
metadata:
  name: maxscale-galera
spec:
  imagePullSecrets:
   -  name: mariadb-enterprise
  mariaDbRef:
    name: mariadb-galera
  replicas: 2

kubectl apply -f maxscale-galera.yaml

Again, let's break it down:

imagePullSecrets: The name of the Secret containing the customer credentials to pull the MaxScale image.
mariaDbRef: A reference to the MariaDB CR that we want to connect to.
replicas: The number of MaxScale instances to deploy.

After applying the CR, we can observe the MaxScale Pods being created, and that both the MariaDB and MaxScale CRs will become ready eventually:

❯ kubectl get pods
mariadb-galera-0                                               2/2     Running   0             10m
mariadb-galera-1                                               2/2     Running   0             10m
mariadb-galera-2                                               2/2     Running   0             10m
maxscale-galera-0                                              1/1     Running   0             81s
maxscale-galera-1                                              1/1     Running   0             81s

❯ kubectl get maxscale
NAME              READY   STATUS    PRIMARY            AGE
maxscale-galera   True    Running   mariadb-galera-0   65s

❯ kubectl get mariadb
NAME             READY   STATUS    PRIMARY            UPDATES                    AGE
mariadb-galera   True    Running   mariadb-galera-0   ReplicasFirstPrimaryLast   10m

To conclude, let's connect to the MariaDB Enterprise Cluster through MaxScale using the initial user and database we initially defined in the MariaDB CR:

❯ kubectl run mariadb-connect --rm -it --image=docker.mariadb.com/enterprise-server:11.4.4-2 -- bash -c "mariadb -u mariadb -p'MariaDB11!' --ssl=false -h maxscale-galera"
If you don't see a command prompt, try pressing enter.
MariaDB [(none)]> SHOW DATABASES;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mariadb            |
+--------------------+
2 rows in set (0.001 sec)

You have successfully deployed a MariaDB Enterprise Cluster with MaxScale in Kubernetes using the MariaDB Enterprise Operator!

Refer to the documentation, the API reference and the examples catalog for further detail.

Standalone MariaDB

MariaDB Enterprise Operator allows you to configure standalone MariaDB Enterprise Server instances. To achieve this, you can either omit the replicas field or set it to 1:

Whilst this can be useful for development and testing, it is not recommended for production use because of the following reasons:

Single point of failure
Upgrades require downtime
Only vertical scaling is possible

For achieving high availability, we recommend deploying a Galera cluster. Refer to the and sections for more information.

Galera Cluster

MariaDB Enterprise Operator provides cloud native support for provisioning and operating multi-master MariaDB clusters using Galera. This setup enables the ability to perform writes on a single node and reads in all nodes, enhancing availability and allowing scalability across multiple nodes.

In certain circumstances, it could be the case that all the nodes of your cluster go down at the same time, something that Galera is not able to recover by itself, and it requires manual action to bring the cluster up again, as documented in the Galera documentation. The MariaDB Enterprise Operator encapsulates this operational expertise in the MariaDB CR. You just need to declaratively specify spec.galera, as explained in more detail later in this guide.

To accomplish this, after the MariaDB cluster has been provisioned, the operator will regularly monitor the cluster's status to make sure it is healthy. If any issues are detected, the operator will initiate the recovery process to restore the cluster to a healthy state. During this process, the operator will set status conditions in the MariaDB and emit Events so you have a better understanding of the recovery progress and the underlying activities being performed. For example, you may want to know which Pods were out of sync to further investigate infrastructure-related issues (i.e. networking, storage...) on the nodes where these Pods were scheduled.

Data-plane

To be able to effectively provision and recover MariaDB Galera clusters, the following data-plane components run alongside MariaDB and co-operate with MariaDB Enterprise Operator:

init: Init container that dynamically provisions the Galera configuration file before the MariaDB container starts. Guarantees ordered deployment of Pods even if spec.podManagementPolicy=Parallel is set on the MariaDB StatefulSet, something crucial for performing the Galera recovery, as the operator needs to restart Pods independently.
agent: Sidecar agent that exposes the Galera state (grastate.dat) via HTTP and allows the operator to remotely bootstrap and recover the Galera cluster. It comes with multiple auth methods to ensure that only the operator is able to call the agent.

All these components are available in the operator image. More preciselly, they are subcommands of the CLI shipped as binary inside the image.

`MariaDB` configuration

The easiest way to get a MariaDB Galera cluster up and running is setting spec.galera.enabled = true:

apiVersion: enterprise.mariadb.com/v1alpha1
kind: MariaDB
metadata:
  name: mariadb-galera
spec:
...
  replicas: 3

  galera:
    enabled: true

This relies on sensible defaults set by the operator, which may not be suitable for your Kubernetes cluster. This can be solved by overriding the defaults, so you have fine-grained control over the Galera configuration.

Refer to the API reference to better understand the purpose of each field.

Storage

By default, the operator provisions two PVCs for running Galera:

Storage PVC: Used to back the MariaDB data directory, mounted at /var/lib/mysql.
Config PVC: Where the Galera config files are located, mounted at /etc/mysql/conf.d.

However, you are also able to use just one PVC for keeping both the data and the config files:

apiVersion: enterprise.mariadb.com/v1alpha1
kind: MariaDB
metadata:
  name: mariadb-galera
spec:
  ...
  galera:
    enabled: true
    config:
      reuseStorageVolume: true

Wsrep provider

You are able to pass extra options to the Galera wsrep provider by using the galera.providerOptions field:

apiVersion: enterprise.mariadb.com/v1alpha1
kind: MariaDB
metadata:
  name: mariadb-galera
spec:
  ...
  galera:
    providerOptions:
      gcs.fc_limit: '64'

It is important to note that, the ist.recv_addr cannot be set by the user, as it is automatically configured to the Pod IP by the operator, something that an user won't be able to know beforehand.

A list of the available options can be found in the MariaDB documentation.

IPv6 support

If you have a Kubernetes cluster running with IPv6, the operator will automatically detect the IPv6 addresses of your Pods and it will configure several wsrep provider options to ensure that the Galera protocol runs smoothly with IPv6.

Agent auth methods

As previously mentioned in the data-plane section, the agent exposes an API to remotely manage the MariaDB Galera cluster. The following authentication methods are supported to ensure that only the operator is able to call the agent:

`ServiceAccount` based authentication

The operator uses its ServiceAccount token as a mean of authentication for communicating with the agent, which subsequently verifies the token by creating a TokenReview object. This is the default authentication method and will be automatically applied by setting:

apiVersion: enterprise.mariadb.com/v1alpha1
kind: MariaDB
metadata:
  name: mariadb-galera
spec:
  galera:
    agent:
      kubernetesAuth:
        enabled: true

This Kubernetes-native authentication mechanism eliminates the need for the operator to manage credentials, as it relies entirely on Kubernetes for this purpose. However, the drawback is that the agent requires cluster-wide permissions to impersonate the system:auth-delegator ClusterRole and to create TokenReviews, which are cluster-scoped objects.

Basic authentication

As an alternative, the agent also supports basic authentication:

apiVersion: enterprise.mariadb.com/v1alpha1
kind: MariaDB
metadata:
  name: mariadb-galera
spec:
  galera:
    agent:
      basicAuth:
        enabled: true

Unlike the ServiceAccount based authentication, the operator needs to explicitly generate credentials to authenticate. The advantage of this approach is that it is entirely decoupled from Kubernetes and it does not require cluster-wide permissions on the Kubernetes API.

Galera cluster recovery

MariaDB Enterprise Operator monitors the Galera cluster and acts accordinly to recover it if needed. This feature is enabled by default, but you may tune it as you need:

apiVersion: enterprise.mariadb.com/v1alpha1
kind: MariaDB
metadata:
  name: mariadb-galera
spec:
  ...
  galera:
    enabled: true
    recovery:
      enabled: true
      minClusterSize: 1
      clusterMonitorInterval: 10s
      clusterHealthyTimeout: 30s
      clusterBootstrapTimeout: 10m
      podRecoveryTimeout: 5m
      podSyncTimeout: 5m

The minClusterSize field indicates the minimum cluster size (either absolut number of replicas or percentage) for the operator to consider the cluster healthy. If the cluster is unhealthy for more than the period defined in clusterHealthyTimeout (30s by default), a cluster recovery process is initiated by the operator. The process is explained in the Galera documentation and consists of the following steps:

Recover the sequence number from the grastate.dat on each node.
Trigger a recovery Job to obtain the sequence numbers in case that the previous step didn't manage to.
Mark the node with highest sequence (bootstrap node) as safe to bootstrap.
Bootstrap a new cluster in the bootstrap node.
Restart and wait until the bootstrap node becomes ready.
Restart the rest of the nodes one by one so they can join the new cluster.

The operator monitors the Galera cluster health periodically and performs the cluster recovery described above if needed. You are able to tune the monitoring interval via the clusterMonitorInterval field.

Refer to the API reference to better understand the purpose of each field.

Galera recovery `Job`

During the recovery process, a Job is triggered for each MariaDB Pod to obtain the sequence numbers. It's crucial for this Job to succeed; otherwise, the recovery process will fail. As a user, you are responsible for adjusting this Job to allocate sufficient resources and provide the necessary metadata to ensure its successful completion.

apiVersion: enterprise.mariadb.com/v1alpha1
kind: MariaDB
metadata:
  name: mariadb-galera
spec:
  ...
  galera:
    enabled: true
    recovery:
      job:
        metadata:
          labels:
            sidecar.istio.io/inject: "false"
        resources:
          requests:
            cpu: 100m
            memory: 128Mi
          limits:
            memory: 256Mi

For example, if you're using a service mesh like Istio, it's important to add the sidecar.istio.io/inject=false label. Without this label, the Job will not complete, which would prevent the recovery process from finishing successfully.

Force cluster bootstrap

Use this option only in exceptional circumstances. Not selecting the Pod with the highest sequence number may result in data loss.

Ensure you unset forceClusterBootstrapInPod after completing the bootstrap to allow the operator to choose the appropriate Pod to bootstrap from in an event of cluster recovery.

You have the ability to manually select which Pod is used to bootstrap a new cluster during the recovery process by setting forceClusterBootstrapInPod:

apiVersion: enterprise.mariadb.com/v1alpha1
kind: MariaDB
metadata:
  name: mariadb-galera
spec:
  ...
  galera:
    enabled: true
    recovery:
      enabled: true
      forceClusterBootstrapInPod: "mariadb-galera-0"

This should only be used in exceptional circumstances:

You are absolutely certain that the chosen Pod has the highest sequence number.
The operator has not yet selected a Pod to bootstrap from.

You can verify this with the following command:

kubectl get mariadb mariadb-galera -o jsonpath="{.status.galeraRecovery}" | jq
{
  "recovered": {
    "mariadb-galera-0": {
      "seqno": 350454,
      "uuid": "67a44ea9-63a8-11ef-98a2-2b0c0aa0a627"
    },
    "mariadb-galera-1": {
      "seqno": 350450,
      "uuid": "67a44ea9-63a8-11ef-98a2-2b0c0aa0a627"
    }
  },
  "state": {
    "mariadb-galera-0": {
      "safeToBootstrap": false,
      "seqno": -1,
      "uuid": "67a44ea9-63a8-11ef-98a2-2b0c0aa0a627",
      "version": "2.1"
    },
    "mariadb-galera-1": {
      "safeToBootstrap": false,
      "seqno": -1,
      "uuid": "67a44ea9-63a8-11ef-98a2-2b0c0aa0a627",
      "version": "2.1"
    },
    "mariadb-galera-2": {
      "safeToBootstrap": false,
      "seqno": -1,
      "uuid": "67a44ea9-63a8-11ef-98a2-2b0c0aa0a627",
      "version": "2.1"
    }
  }
}

In this case, assuming that mariadb-galera-2 sequence is lower than 350454, it should be safe to bootstrap from mariadb-galera-0.

Finally, after your cluster has been bootstrapped, remember to unset forceClusterBootstrapInPod to allow the operator to select the appropriate node for bootstrapping in the event of a cluster recovery.

Bootstrap Galera cluster from existing PVCs

MariaDB Enterprise Operator will never delete your MariaDB PVCs. Whenever you delete a MariaDB resource, the PVCs will remain intact so you could reuse them to re-provision a new cluster.

That said, Galera is unable to form a cluster from pre-existing state, it requires a cluster recovery process to identify which Pod has the highest sequence number to bootstrap a new cluster. That's exactly what the operator does: whenever a new MariaDB Galera cluster is created and previously created PVCs exist, a cluster recovery process is automatically triggered.

Quickstart

Apply the following manifests to get started with Galera in Kubernetes:

apiVersion: v1
kind: Secret
metadata:
  name: mariadb
stringData:
  root-password: MariaDB11!
---
apiVersion: enterprise.mariadb.com/v1alpha1
kind: MariaDB
metadata:
  name: mariadb-galera
spec:
  rootPasswordSecretKeyRef:
    name: mariadb
    key: root-password
  storage:
    size: 1Gi
  replicas: 3
  galera:
    enabled: true

Next, check the MariaDB status and the resources created by the operator:

kubectl get mariadbs
NAME             READY   STATUS    PRIMARY POD          AGE
mariadb-galera   True    Running   mariadb-galera-0     48m

kubectl get events --field-selector involvedObject.name=mariadb-galera --sort-by='.lastTimestamp'
LAST SEEN   TYPE     REASON                 OBJECT                               MESSAGE
...
45m         Normal   GaleraClusterHealthy   mariadb/mariadb-galera               Galera cluster is healthy

kubectl get mariadb mariadb-galera -o jsonpath="{.status.conditions[?(@.type=='GaleraReady')]}" | jq
{
  "lastTransitionTime": "2023-07-13T18:22:31Z",
  "message": "Galera ready",
  "reason": "GaleraReady",
  "status": "True",
  "type": "GaleraReady"
}

kubectl get mariadb mariadb-galera -o jsonpath="{.status.conditions[?(@.type=='GaleraConfigured')]}" | jq
{
  "lastTransitionTime": "2023-07-13T18:22:31Z",
  "message": "Galera configured",
  "reason": "GaleraConfigured",
  "status": "True",
  "type": "GaleraConfigured"
}

kubectl get statefulsets
NAME             READY   AGE
mariadb-galera   3/3     58m

kubectl get pods -o wide
NAME                                        READY   STATUS    RESTARTS   AGE   IP           NODE          NOMINATED NODE   READINESS GATES
mariadb-galera-0                            2/2     Running   0          58m   10.244.2.4   mdb-worker3   <none>           <none>
mariadb-galera-1                            2/2     Running   0          58m   10.244.1.9   mdb-worker2   <none>           <none>
mariadb-galera-2                            2/2     Running   0          58m   10.244.5.4   mdb-worker4   <none>           <none>

Let's now proceed with simulating a Galera cluster failure by deleting all the Pods at the same time:

kubectl delete pods -l app.kubernetes.io/instance=mariadb-galera
pod "mariadb-galera-0" deleted
pod "mariadb-galera-1" deleted
pod "mariadb-galera-2" deleted

After some time, we will see the MariaDB entering a non Ready state:

kubectl get mariadb mariadb-galera
NAME             READY   STATUS             PRIMARY POD             AGE
mariadb-galera   False   Galera not ready   mariadb-galera-0        67m

kubectl get events --field-selector involvedObject.name=mariadb-galera --sort-by='.lastTimestamp'
LAST SEEN   TYPE      REASON                    OBJECT                       MESSAGE
...
48s         Warning   GaleraClusterNotHealthy   mariadb/mariadb-galera       Galera cluster is not healthy

kubectl get mariadb mariadb-galera -o jsonpath="{.status.conditions[?(@.type=='GaleraReady')]}" | jq
{
  "lastTransitionTime": "2023-07-13T19:25:17Z",
  "message": "Galera not ready",
  "reason": "GaleraNotReady",
  "status": "False",
  "type": "GaleraReady"
}

Eventually, the operator will kick in and recover the Galera cluster:

kubectl get events --field-selector involvedObject.name=mariadb-galera --sort-by='.lastTimestamp'
LAST SEEN   TYPE      REASON                    OBJECT                       MESSAGE
...
16m         Warning   GaleraClusterNotHealthy   mariadb/mariadb-galera       Galera cluster is not healthy
16m         Normal    GaleraPodStateFetched     mariadb/mariadb-galera       Galera state fetched in Pod 'mariadb-galera-2'
16m         Normal    GaleraPodStateFetched     mariadb/mariadb-galera       Galera state fetched in Pod 'mariadb-galera-1'
16m         Normal    GaleraPodStateFetched     mariadb/mariadb-galera       Galera state fetched in Pod 'mariadb-galera-0'
16m         Normal    GaleraPodRecovered        mariadb/mariadb-galera       Recovered Galera sequence in Pod 'mariadb-galera-1'
16m         Normal    GaleraPodRecovered        mariadb/mariadb-galera       Recovered Galera sequence in Pod 'mariadb-galera-2'
17m         Normal    GaleraPodRecovered        mariadb/mariadb-galera       Recovered Galera sequence in Pod 'mariadb-galera-0'
17m         Normal    GaleraClusterBootstrap    mariadb/mariadb-galera       Bootstrapping Galera cluster in Pod 'mariadb-galera-2'
20m         Normal    GaleraClusterHealthy      mariadb/mariadb-galera       Galera cluster is healthy

kubectl get mariadb mariadb-galera -o jsonpath="{.status.galeraRecovery}" | jq
{
  "bootstrap": {
    "pod": "mariadb-galera-2",
    "time": "2023-07-13T19:25:28Z"
  },
  "recovered": {
    "mariadb-galera-0": {
      "seqno": 3,
      "uuid": "bf00b9c3-21a9-11ee-984f-9ba9ff0e9285"
    },
    "mariadb-galera-1": {
      "seqno": 3,
      "uuid": "bf00b9c3-21a9-11ee-984f-9ba9ff0e9285"
    },
    "mariadb-galera-2": {
      "seqno": 3,
      "uuid": "bf00b9c3-21a9-11ee-984f-9ba9ff0e9285"
    }
  },
  "state": {
    "mariadb-galera-0": {
      "safeToBootstrap": false,
      "seqno": -1,
      "uuid": "bf00b9c3-21a9-11ee-984f-9ba9ff0e9285",
      "version": "2.1"
    },
    "mariadb-galera-1": {
      "safeToBootstrap": false,
      "seqno": -1,
      "uuid": "bf00b9c3-21a9-11ee-984f-9ba9ff0e9285",
      "version": "2.1"
    },
    "mariadb-galera-2": {
      "safeToBootstrap": false,
      "seqno": -1,
      "uuid": "bf00b9c3-21a9-11ee-984f-9ba9ff0e9285",
      "version": "2.1"
    }
  }
}

Finally, the MariaDB resource will become Ready and your Galera cluster will be operational again:

kubectl get mariadb mariadb-galera -o jsonpath="{.status.conditions[?(@.type=='GaleraReady')]}" | jq
{
  "lastTransitionTime": "2023-07-13T19:27:51Z",
  "message": "Galera ready",
  "reason": "GaleraReady",
  "status": "True",
  "type": "GaleraReady"
}

kubectl get mariadb mariadb-galera
NAME             READY   STATUS    PRIMARY POD          AGE
mariadb-galera   True    Running   mariadb-galera-0     82m

Troubleshooting

The aim of this section is showing you how to diagnose your Galera cluster when something goes wrong. In this situations, observability is a key factor to understand the problem, so we recommend following these steps before jumping into debugging the problem.

Inspect MariaDB status conditions.

kubectl get mariadb mariadb-galera -o jsonpath="{.status.conditions}" | jq
[
  {
    "lastTransitionTime": "2023-08-05T14:58:57Z",
    "message": "Galera not ready",
    "reason": "GaleraNotReady",
    "status": "False",
    "type": "Ready"
  },
  {
    "lastTransitionTime": "2023-08-05T14:58:57Z",
    "message": "Galera not ready",
    "reason": "GaleraNotReady",
    "status": "False",
    "type": "GaleraReady"
  },
  {
    "lastTransitionTime": "2023-08-03T19:21:16Z",
    "message": "Galera configured",
    "reason": "GaleraConfigured",
    "status": "True",
    "type": "GaleraConfigured"
  }
]

Make sure network connectivity is fine by checking that you have an Endpoint per Pod in your Galera cluster.

kubectl get endpoints mariadb-galera-internal -o yaml
apiVersion: v1
kind: Endpoints
metadata:
  name: mariadb-internal
subsets:
- addresses:
  - hostname: mariadb-1
    ip: 10.255.140.181
    nodeName: k8s-worker-1
    targetRef:
      kind: Pod
      name: mariadb-1
      namespace: mariadb
  - hostname: mariadb-2
    ip: 10.255.20.156
    nodeName: k8s-worker-2
    targetRef:
      kind: Pod
      name: mariadb-2
      namespace: mariadb
  - hostname: mariadb-0
    ip: 10.255.214.164
    nodeName: k8s-worker-0
    targetRef:
      kind: Pod
      name: mariadb-0
      namespace: mariadb
  ports:
  - name: sst
    port: 4568
    protocol: TCP
  - name: ist
    port: 4567
    protocol: TCP
  - name: mariadb
    port: 3306
    protocol: TCP
  - name: agent
    port: 5555
    protocol: TCP
  - name: cluster
    port: 4444
    protocol: TCP

Check the events associated with the MariaDB object, as they provide significant insights for diagnosis, particularly within the context of cluster recovery.

kubectl get events --field-selector involvedObject.name=mariadb-galera --sort-by='.lastTimestamp'
LAST SEEN   TYPE      REASON                    OBJECT                       MESSAGE
...
16m         Warning   GaleraClusterNotHealthy   mariadb/mariadb-galera       Galera cluster is not healthy
16m         Normal    GaleraPodStateFetched     mariadb/mariadb-galera       Galera state fetched in Pod 'mariadb-galera-2'
16m         Normal    GaleraPodStateFetched     mariadb/mariadb-galera       Galera state fetched in Pod 'mariadb-galera-1'
16m         Normal    GaleraPodStateFetched     mariadb/mariadb-galera       Galera state fetched in Pod 'mariadb-galera-0'
16m         Normal    GaleraPodRecovered        mariadb/mariadb-galera       Recovered Galera sequence in Pod 'mariadb-galera-1'
16m         Normal    GaleraPodRecovered        mariadb/mariadb-galera       Recovered Galera sequence in Pod 'mariadb-galera-2'
17m         Normal    GaleraPodRecovered        mariadb/mariadb-galera       Recovered Galera sequence in Pod 'mariadb-galera-0'
17m         Normal    GaleraClusterBootstrap    mariadb/mariadb-galera       Bootstrapping Galera cluster in Pod 'mariadb-galera-2'
20m         Normal    GaleraClusterHealthy      mariadb/mariadb-galera       Galera cluster is healthy

Enable debug logs in mariadb-enterprise-operator.

helm upgrade --install mariadb-enterprise-operator mariadb-enterprise-operator/mariadb-enterprise-operator --set logLevel=debug
kubectl logs mariadb-enterprise-operator-546c78f4f5-gq44k
{"level":"info","ts":1691090524.4911606,"logger":"galera.health","msg":"Checking Galera cluster health","controller":"statefulset","controllerGroup":"apps","controllerKind":"StatefulSet","statefulSet":{"name":"mariadb-galera","namespace":"default"},"namespace":"default","name":"mariadb-galera","reconcileID":"098620db-4486-45cc-966a-9f3fec0d165e"}
{"level":"debug","ts":1691090524.4911761,"logger":"galera.health","msg":"StatefulSet ready replicas","controller":"statefulset","controllerGroup":"apps","controllerKind":"StatefulSet","statefulSet":{"name":"mariadb-galera","namespace":"default"},"namespace":"default","name":"mariadb-galera","reconcileID":"098620db-4486-45cc-966a-9f3fec0d165e","replicas":1}

Get the logs of all the MariaDB Pod containers, not only of the main mariadb container but also the agent and init ones.

kubectl logs mariadb-galera-0 -c init
{"level":"info","ts":1691090778.5239124,"msg":"Starting init"}
{"level":"info","ts":1691090778.5305626,"msg":"Configuring Galera"}
{"level":"info","ts":1691090778.5307593,"msg":"Already initialized. Init done"}

kubectl logs mariadb-galera-0 -c agent
{"level":"info","ts":1691090779.3193653,"logger":"server","msg":"server listening","addr":":5555"}
2023/08/03 19:26:28 "POST http://mariadb-galera-0.mariadb-galera-internal.default.svc.cluster.local:5555/api/recovery HTTP/1.1" from 10.244.4.2:39162 - 200 58B in 4.112086ms
2023/08/03 19:26:28 "DELETE http://mariadb-galera-0.mariadb-galera-internal.default.svc.cluster.local:5555/api/recovery HTTP/1.1" from 10.244.4.2:39162 - 200 0B in 883.544µs

kubectl logs mariadb-galera-0 -c mariadb
2023-08-03 19:27:10 0 [Note] WSREP: Member 2.0 (mariadb-galera-0) synced with group.
2023-08-03 19:27:10 0 [Note] WSREP: Processing event queue:...100.0% (1/1 events) complete.
2023-08-03 19:27:10 0 [Note] WSREP: Shifting JOINED -> SYNCED (TO: 6)
2023-08-03 19:27:10 2 [Note] WSREP: Server mariadb-galera-0 synced with group
2023-08-03 19:27:10 2 [Note] WSREP: Server status change joined -> synced
2023-08-03 19:27:10 2 [Note] WSREP: Synchronized with group, ready for connections

Once you are done with these steps, you will have the context required to jump ahead to the Common errors section to see if any of them matches your case.

Common errors

Galera cluster recovery not progressing

If your MariaDB Galera cluster has been in GaleraNotReady state for a long time, the recovery process might not be progressing. You can diagnose this by checking:

Operator logs.
Galera recovery status:

kubectl get mariadb mariadb-galera -o jsonpath="{.status.galeraRecovery}" | jq

MariaDB events:

kubectl get events --field-selector involvedObject.name=mariadb-galera

If you have Pods named <mariadb-name>-<ordinal>-recovery-<suffix> running for a long time, check its logs to understand if something is wrong.

One of the reasons could be misconfigured Galera recovery Jobs, please make sure you read this section. If after checking all the points above, there are still no clear symptoms of what could be wrong, continue reading.

First af all, you could attempt to forcefully bootstrap a new cluster as it is described in this section. Please, refrain from doing so if the conditions described in the docs are not met.

Alternatively, if you can afford some downtime and your PVCs are in healthy state, you may follow this procedure:

Delete your existing MariaDB, this will leave your PVCs intact.
Create your MariaDB again, this will trigger a Galera recovery process as described in this section.

As a last resource, you can always delete the PVCs and bootstrap a new MariaDB from a backup as documented here.

Permission denied writing Galera configuration

This error occurs when the user that runs the container does not have enough privileges to write in /etc/mysql/mariadb.conf.d:

Error writing Galera config: open /etc/mysql/mariadb.conf.d/0-galera.cnf: permission denied

To mitigate this, by default, the operator sets the following securityContext in the MariaDB's StatefulSet :

apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: mariadb-galera
spec:
  securityContext:
    fsGroup: 999
    runAsGroup: 999
    runAsNonRoot: true
    runAsUser: 999

This enables the CSIDriver and the kubelet to recursively set the ownership ofr the /etc/mysql/mariadb.conf.d folder to the group 999, which is the one expected by MariaDB. It is important to note that not all the CSIDrivers implementations support this feature, see the CSIDriver documentation for further information.

Unauthorized error disabling bootstrap

Error reconciling Galera: error disabling bootstrap in Pod 0: unauthorized

This situation occurs when the mariadb-enterprise-operator credentials passed to the agent as authentication are either invalid or the agent is unable to verify them. To confirm this, ensure that both the mariadb-enterprise-operator and the MariaDB ServiceAccounts are able to create TokenReview objects:

kubectl auth can-i --list --as=system:serviceaccount:default:mariadb-enterprise-operator | grep tokenreview
tokenreviews.authentication.k8s.io              []                                    []               [create]

kubectl auth can-i --list --as=system:serviceaccount:default:mariadb-galera | grep tokenreview
tokenreviews.authentication.k8s.io              []                                    []               [create]

If that's not the case, check that the following ClusterRole and ClusterRoleBindings are available in your cluster:

kubectl get clusterrole system:auth-delegator
NAME                    CREATED AT
system:auth-delegator   2023-08-03T19:12:37Z

kubectl get clusterrolebinding | grep mariadb | grep auth-delegator
mariadb-galera:auth-delegator                     ClusterRole/system:auth-delegator                                                  108m
mariadb-enterprise-operator:auth-delegator                        ClusterRole/system:auth-delegator                                                  112m

mariadb-enterprise-operator:auth-delegator is the ClusterRoleBinding bound to the mariadb-enterprise-operator ServiceAccount which is created by the helm chart, so you can re-install the helm release in order to recreate it:

helm upgrade --install mariadb-enterprise-operator mariadb-enterprise-operator/mariadb-enterprise-operator

mariadb-galera:auth-delegator is the ClusterRoleBinding bound to the mariadb-galera ServiceAccount which is created on the flight by the operator as part of the reconciliation logic. You may check the mariadb-enterprise-operator logs to see if there are any issues reconciling it.

Bear in mind that ClusterRoleBindings are cluster-wide resources that are not garbage collected when the MariaDB owner object is deleted, which means that creating and deleting MariaDBs could leave leftovers in your cluster. These leftovers can lead to RBAC misconfigurations, as the ClusterRoleBinding might not be pointing to the right ServiceAccount. To overcome this, you can override the ClusterRoleBinding name setting the spec.galera.agent.kubernetesAuth.authDelegatorRoleName field.

Timeout waiting for Pod to be Synced

Timeout waiting for Pod 'mariadb-galera-2' to be Synced

This error appears in the mariadb-enterprise-operator logs when a Pod is in non synced state for a duration exceeding the spec.galera.recovery.podRecoveryTimeout. Just after, the operator will restart the Pod.

Increase this timeout if you consider that your Pod may take longer to recover.

Galera cluster bootstrap timed out

Galera cluster bootstrap timed out. Resetting recovery status

This is error is returned by the mariadb-enterprise-operator after exceeding the spec.galera.recovery.clusterBootstrapTimeout when recovering the cluster. At this point, the operator will reset the recovered sequence numbers and start again from a clean state.

Increase this timeout if you consider that your Galera cluster may take longer to recover.

High Availability

This section provide guidance on how to run MariaDB and MaxScale in high availability mode. If you are looking to run the operator in HA as well, please refer to the .

Our recommended HA setup for production is:

with at least 3 nodes. Always an odd number of nodes.
with at least 2 nodes to load balance requests to the cluster.
Use to avoid noisy neighbours.
Define .

Refer to the following sections for further detail.

Kubernetes Services

In order to address nodes, MariaDB Enterprise Operator provides you with the following Kubernetes Services:

<mariadb-name>: To be used for read requests. It will point to all nodes.
<mariadb-name>-primary: To be used for write requests. It will point to a single node, the primary.
<mariadb-name>-secondary: To be used for read requests. It will point to all nodes, except the primary.

Whenever the primary changes, either by the user or by the operator, both the <mariadb-name>-primary and <mariadb-name>-secondary Services will be automatically updated by the operator to address the right nodes.

The primary may be manually changed by the user at any point by updating the spec.galera.primary.podIndex field. Alternatively, automatic primary failover can be enabled by setting spec.galera.primary.automaticFailover, which will make the operator to switch primary whenever the primary Pod goes down.

MaxScale

While Kubernetes Services can be utilized to dynamically address primary and secondary instances, the most robust high availability configuration we recommend relies on MaxScale. Please refer to for further detail.

Pod Anti-Affinity

Bear in mind that, when enabling this, you need to have at least as many Nodes available as the replicas specified. Otherwise your Pods will be unscheduled and the cluster won't bootstrap.

To achieve real high availability, we need to run each MariaDB Pod in different Kubernetes Nodes. This practice, known as anti-affinity, helps reducing the blast radius of Nodes being unavailable.

By default, anti-affinity is disabled, which means that multiple Pods may be scheduled in the same Node, something not desired in HA scenarios.

You can selectively enable anti-affinity in all the different Pods managed by the MariaDB resource:

Anti-affinity may also be enabled in the resources that have a reference to MariaDB, resulting in their Pods being scheduled in Nodes where MariaDB is not running. For instance, the Backup and Restore processes can run in different Nodes:

In the case of MaxScale, the Pods will also be placed in Nodes isolated in terms of compute, ensuring isolation not only among themselves but also from the MariaDB Pods. For example, if you run a MariaDB and MaxScale with 3 replicas each, you will need 6 Nodes in total:

Default anti-affinity rules generated by the operator might not satisfy your needs, but you can always define your own rules. For example, if you want the MaxScale Pods to be in different Nodes, but you want them to share Nodes with MariaDB:

Dedicated Nodes

If you want to avoid noisy neighbours running in the same Kubernetes Nodes as your MariaDB, you may consider using dedicated Nodes. For achieving this, you will need:

Taint your Nodes and add the counterpart toleration in your Pods.

Tainting your Nodes is not covered by this operator, it is something you need to do by yourself beforehand. You may take a look at the to understand how to achieve this.

Select the Nodes where Pods will be scheduled in via a nodeSelector.

Although you can use the default Node labels, you may consider adding more significative labels to your Nodes, as you will have to set to them in your Pod nodeSelector. Refer to the .

Add podAntiAffinity to your Pods as described in the section.

The previous steps can be achieved by setting these fields in the MariaDB resource:

Pod Disruption Budgets

Take a look at the if you are unfamiliar to PodDisruptionBudgets

By defining a PodDisruptionBudget, you are telling Kubernetes how many Pods your database tolerates to be down. This quite important for planned maintenance operations such as Node upgrades.

MariaDB Enterprise Operator creates a default PodDisruptionBudget if you are running in HA, but you are able to define your own by setting:

MaxScale Database Proxy

MaxScale is a sophisticated database proxy, router, and load balancer designed specifically for and by MariaDB. It provides a range of features that ensure optimal high availability:

Query-based routing: Transparently route write queries to the primary nodes and read queries to the replica nodes.
Connection-based routing: Load balance connections between multiple servers.
Automatic primary failover based on MariaDB internals.
Replay pending transactions when a server goes down.
Support for Galera and Replication.

To better understand what MaxScale is capable of you may check the and the .

MaxScale resources

Prior to configuring MaxScale within Kubernetes, it's essential to have a basic understanding of the resources managed through its API.

Servers

A server defines the backend database servers that MaxScale forwards traffic to. For more detailed information, please consult the .

Monitors

A monitor is an agent that queries the state of the servers and makes it available to the services in order to route traffic based on it. For more detailed information, please consult the .

Depending on which highly available configuration your servers have, you will need to choose betweeen the following modules:

: Detects whether servers are part of the cluster, ensuring synchronization among them, and assigning primary and replica roles as needed.
: Probes the state of the cluster, assigns roles to the servers, and executes failover, switchover, and rejoin operations as necessary.

Services

A service defines how the traffic is routed to the servers based on a routing algorithm that takes into account the state of the servers and its role. For more detailed information, please consult the .

Depending on your requirements to route traffic, you may choose between the following routers:

: Route write queries to the primary server and read queries to the replica servers.
: Load balance connections between multiple servers.

Listeners

A listener specifies a port where MaxScale listens for incoming connections. It is associated with a service that handles the requests received on that port. For more detailed information, please consult the .

`MaxScale` CR

The minimal spec you need to provision a MaxScale instance is just a reference to a MariaDB resource:

This will provision a new StatefulSet for running MaxScale and configure the servers specified by the MariaDB resource. Refer to the section if you want to manually configure the MariaDB servers.

The rest of the configuration uses reasonable set automatically by the operator. If you need a more fine grained configuration, you can provide this values yourself:

As you can see, the we previously mentioned have a counterpart resource in the MaxScale CR.

You also need to set a reference in the MariaDB resource to make it MaxScale-aware. This is explained in the section.

Refer to the for further detail.

`MariaDB` CR

You can set a spec.maxScaleRef in your MariaDB resource to make it MaxScale-aware. By doing so, the primary server reported by MaxScale will be used in MariaDB and the high availability tasks such the primary failover will be delegated to MaxScale:

Refer to the for further detail.

`MaxScale` embedded in `MariaDB`

To streamline the setup outlined in the and sections, you can provision a MaxScale to be used with MariaDB in just one resource:

This will automatically set the references between MariaDB and MaxScale and the rest of the fields.

It is important to note that, this is intended for simple use cases that only require a single replica and where no further modifications are done on the spec.maxscale field. If you need a more fine grained configuration and perform further updates to the MaxScale resource, please use a dedicated MaxScale as described in the section.

Refer to the for further detail.

Defaults

MariaDB Enterprise Operator aims to provide highly configurable CRs, but at the same time maximize its usability by providing reasonable defaults. In the case of MaxScale, the following defaulting logic is applied:

spec.servers are inferred from spec.mariaDbRef.
spec.monitor.module is inferred from the spec.mariaDbRef.
spec.monitor.cooperativeMonitoring is set if is enabled.
If spec.services is not provided, a readwritesplit service is configured on port 3306 by default.

Server configuration

As an alternative to provide a reference to a MariaDB via spec.mariaDbRef, you can also specify the servers manually:

As you could see, you can refer to in-cluser MariaDB servers by providing the DNS names of the MariaDB Pods as server addresses. In addition, you can also refer to external MariaDB instances running outside of the Kubernetes cluster where the operator was deployed:

Pointing to external MariaDBs has a some limitations: Since the operator doesn't have a reference to a MariaDB resource (spec.mariaDbRef), it will be unable to perform the following actions:

Infer the monitor module (spec.monitor.module), so it will need to be provided by the user.
Autogenerate authentication credentials (spec.auth), so they will need to be provided by the user. See section.

Server maintenance

You can put servers in maintenance mode by setting maintenance = true:

Maintenance mode prevents MaxScale from routing traffic to the server and also excludes it from being elected as the new primary during failover events.

Configuration

Similar to MariaDB, MaxScale allows you to provide global configuration parameters in a maxscale.conf file. You don't need to provide this config file directly, but instead you can use the spec.config.params to instruct the operator to create the maxscale.conf:

Both this global configuration and the resources created by the operator using the are stored under a volume provisioned by the spec.config.volumeClaimTemplate.

Refer to the for more details about the supported parameters.

Authentication

MaxScale requires authentication with differents levels of permissions for the following components/actors:

consumed by MariaDB Enterprise Operator.
Clients connecting to MaxScale.
MaxScale connecting to MariaDB servers.
MaxScale monitor connecting to MariaDB servers.
MaxScale configuration syncer to connect to MariaDB servers. See section.

By default, the operator generates this credentials when spec.mariaDbRef is set and spec.auth.generate = true, but you are still able to provide your own:

As you could see, you are also able to limit the number of connections for each component/actor. Bear in mind that, when running in , you may need to increase this number, as more MaxScale instances implies more connections.

Kubernetes `Services`

To enable your applications to communicate with MaxScale, a Kubernetes Service is provisioned with all the ports specified in the MaxScale listeners. You have the flexibility to provide a template to customize this Service:

This results in the reconciliation of the following Service:

There is also another Kubernetes Service to access the GUI, please refer to the section for further detail.

Connection

You can leverage the Connection resource to automatically configure connection strings as Secret resources that your applications can mount:

Alternatively, you can also provide a connection template to your MaxScale resource:

Note that, the Connection uses the Service described in the section and you are able to specify which MaxScale service to connect to by providing the port (spec.port) of the corresponding MaxScale listener.

High availability

To synchronize the configuration state across multiple replicas, MaxScale stores the configuration externally in a MariaDB table and conducts periodic polling across all replicas. By default, the table mysql.maxscale_config is used, but this can be configured by the user as well as the synchronization interval.

Another crucial aspect to consider regarding HA is that only one monitor can be running at any given time to avoid conflicts. This can be achieved via cooperative locking, which can be configured by the user. Refer to for more information.

Multiple MaxScale replicas can be specified by providing the spec.replicas field. Note that, MaxScale exposes the , so you can scale/downscale it by running the following command:

Suspend resources

In order to enable this feature, you must set the --feature-maxscale-suspend feature flag:

Then you will be able to suspend any , for instance, you can suspend a monitor:

MaxScale GUI

MaxScale offers a great user interface that provides very useful information about the . You can enable it by providing the following configuration:

The GUI is exposed via a dedicated Kubernetes Service in the same port as the . Once you access, you will need to enter the credentials configured by the operator in a Secret. See the section for more details.

MaxScale API

MariaDB Enterprise Operator interacts with the to reconcile the specification provided by the user, considering both the MaxScale status retrieved from the API and the provided spec.

Troubleshooting

The operator tracks both the MaxScale status in regards to Kubernetes resources as well as the status of the resources. This information is available on the status field of the MaxScale resource, it may be very useful for debugging purposes:

Kubernetes events emitted by mariadb-enterprise-operator may also be very relevant for debugging. For instance, an event is emitted whenever the primary server changes:

The operator logs can also be a good source of information for troubleshooting. You can increase its verbosity and enable request logs by running:

Common errors

Permission denied writing `/var/lib/maxscale`

This error occurs when the user that runs the container does not have enough privileges to write in /var/lib/maxscale:

To mitigate this, by default, the operator sets the following securityContext in the MaxScale's StatefulSet:

This enables the CSIDriver and the kubelet to recursively set the ownership ofr the /var/lib/maxscale folder to the group 999, which is the one expected by MaxScale. It is important to note that not all the CSIDrivers implementations support this feature, see the for further information.

Backup and Restore

Configure multiple backup strategies and perform restoration.

Logical backups

What is a logical backup?

A logical backup is a backup that contains the logical structure of the database, such as tables, indexes, and data, rather than the physical storage format. It is created using mariadb-dump, which generates SQL statements that can be used to recreate the database schema and populate it with data.

Logical backups serve not just as a source of restoration, but also enable data mobility between MariaDB instances. These backups are called "logical" because they are independent from the MariaDB topology, as they only contain DDLs and INSERT statements to populate data.

Although logical backups are a great fit for data mobility and migrations, they are not as efficient as physical backups for large databases. For this reason, physical backups are the recommended method for backing up MariaDB databases, especially in production environments.

Storage types

Currently, the following storage types are supported:

S3 compatible storage: Store backups in a S3 compatible storage, such as AWS S3 or Minio.
PVCs: Use the available StorageClasses in your Kubernetes cluster to provision a PVC dedicated to store the backup files.
Kubernetes volumes: Use any of the volume types supported natively by Kubernetes.

Our recommendation is to store the backups externally in a S3 compatible storage.

`Backup` CR

You can take a one-time backup of your MariaDB instance by declaring the following resource:

apiVersion: enterprise.mariadb.com/v1alpha1
kind: Backup
metadata:
  name: backup
spec:
  mariaDbRef:
    name: mariadb
  storage:
    persistentVolumeClaim:
      resources:
        requests:
          storage: 100Mi
      accessModes:
        - ReadWriteOnce

This will use the default StorageClass to provision a PVC that would hold the backup files, but ideally you should use a S3 compatible storage:

apiVersion: enterprise.mariadb.com/v1alpha1
kind: Backup
metadata:
  name: backup
spec:
  mariaDbRef:
    name: mariadb
  storage:
    s3:
      bucket: backups
      prefix: mariadb
      endpoint: minio.minio.svc.cluster.local:9000
      region:  us-east-1
      accessKeyIdSecretKeyRef:
        name: minio
        key: access-key-id
      secretAccessKeySecretKeyRef:
        name: minio
        key: secret-access-key
      tls:
        enabled: true
        caSecretKeyRef:
          name: minio-ca
          key: tls.crt

By providing the authentication details and the TLS configuration via references to Secret keys, this example will store the backups in a local Minio instance.

Alternatively you can use dynamic credentials from an EKS Service Account using EKS Pod Identity or IRSA:

apiVersion: v1
kind: ServiceAccount
metadata:
  name: mariadb-backup
  annotations:
    eks.amazonaws.com/role-arn: arn:aws:iam::<<account_id>>:role/my-role-irsa

apiVersion: enterprise.mariadb.com/v1alpha1
kind: Backup
metadata:
  name: backup
spec:
  mariaDbRef:
    name: mariadb
  serviceAccountName: mariadb-backup
  storage:
    s3:
      bucket: backups
      prefix: mariadb
      endpoint: s3.us-east-1.amazonaws.com
      region:  us-east-1
      tls:
        enabled: true

By leaving out the accessKeyIdSecretKeyRef and secretAccessKeySecretKeyRef credentials and pointing to the correct serviceAccountName, the backup Job will use the dynamic credentials from EKS.

Scheduling

To minimize the Recovery Point Objective (RPO) and mitigate the risk of data loss, it is recommended to perform backups regularly. You can do so by providing a spec.schedule in your Backup resource:

apiVersion: enterprise.mariadb.com/v1alpha1
kind: Backup
metadata:
  name: backup
spec:
  mariaDbRef:
    name: mariadb
  schedule:
    cron: "*/1 * * * *"
    suspend: false

This resource gets reconciled into a CronJob that periodically takes the backups.

It is important to note that regularly scheduled Backups complement very well the target recovery time feature detailed below.

Retention policy

Given that the backups can consume a substantial amount of storage, it is crucial to define your retention policy by providing the spec.maxRetention field in your Backup resource:

apiVersion: enterprise.mariadb.com/v1alpha1
kind: Backup
metadata:
  name: backup
spec:
  mariaDbRef:
    name: mariadb
  maxRetention: 720h # 30 days

Compression

You are able to compress backups by providing the compression algorithm you want to use in the spec.compression field:

apiVersion: enterprise.mariadb.com/v1alpha1
kind: Backup
metadata:
  name: backup
spec:
  mariaDbRef:
    name: mariadb
  compression: gzip

Currently the following compression algorithms are supported:

bzip2: Good compression ratio, but slower compression/decompression speed compared to gzip.
gzip: Good compression/decompression speed, but worse compression ratio compared to bzip2.
none: No compression.

compression is defaulted to none by the operator.

`Restore` CR

You can easily restore a Backup in your MariaDB instance by creating the following resource:

apiVersion: enterprise.mariadb.com/v1alpha1
kind: Restore
metadata:
  name: restore
spec:
  mariaDbRef:
    name: mariadb
  backupRef:
    name: backup

This will trigger a Job that will mount the same storage as the Backup and apply the dump to your MariaDB database.

Nevertheless, the Restore resource doesn't necessarily need to specify a spec.backupRef, you can point to other storage source that contains backup files, for example a S3 bucket:

apiVersion: enterprise.mariadb.com/v1alpha1
kind: Restore
metadata:
  name: restore
spec:
  mariaDbRef:
    name: mariadb
  s3:
    bucket: backups
    prefix: mariadb
    endpoint: minio.minio.svc.cluster.local:9000
    region:  us-east-1
    accessKeyIdSecretKeyRef:
      name: minio
      key: access-key-id
    secretAccessKeySecretKeyRef:
      name: minio
      key: secret-access-key
    tls:
      enabled: true
      caSecretKeyRef:
        name: minio-ca
        key: tls.crt

Target recovery time

If you have multiple backups available, specially after configuring a scheduled Backup, the operator is able to infer which backup to restore based on the spec.targetRecoveryTime field.

apiVersion: enterprise.mariadb.com/v1alpha1
kind: Restore
metadata:
  name: restore
spec:
  mariaDbRef:
    name: mariadb
  backupRef:
    name: backup
  targetRecoveryTime: 2023-12-19T09:00:00Z

The operator will look for the closest backup available and utilize it to restore your MariaDB instance.

By default, spec.targetRecoveryTime will be set to the current time, which means that the latest available backup will be used.

Bootstrap new `MariaDB` instances

To minimize your Recovery Time Objective (RTO) and to switfly spin up new clusters from existing Backups, you can provide a Restore source directly in the MariaDB object via the spec.bootstrapFrom field:

apiVersion: enterprise.mariadb.com/v1alpha1
kind: MariaDB
metadata:
  name: mariadb-from-backup
spec:
  storage:
    size: 1Gi
  bootstrapFrom:
    backupRef:
      name: backup
    targetRecoveryTime: 2023-12-19T09:00:00Z

As in the Restore resource, you don't strictly need to specify a reference to a Backup, you can provide other storage types that contain backup files:

apiVersion: enterprise.mariadb.com/v1alpha1
kind: MariaDB
metadata:
  name: mariadb-from-backup
spec:
  storage:
    size: 1Gi
  bootstrapFrom:
    s3:
      bucket: backups
      prefix: mariadb
      endpoint: minio.minio.svc.cluster.local:9000
      accessKeyIdSecretKeyRef:
        name: minio
        key: access-key-id
      secretAccessKeySecretKeyRef:
        name: minio
        key: secret-access-key
      tls:
        enabled: true
        caSecretKeyRef:
          name: minio-ca
          key: tls.crt
    targetRecoveryTime: 2023-12-19T09:00:00Z

Under the hood, the operator creates a Restore object just after the MariaDB resource becomes ready. The advantage of using spec.bootstrapFrom over a standalone Restore is that the MariaDB is bootstrap-aware and this will allow the operator to hold primary switchover/failover operations until the restoration is finished.

Backup and restore specific databases

By default, all the logical databases are backed up when a Backup is created, but you may also select specific databases by providing the databases field:

apiVersion: enterprise.mariadb.com/v1alpha1
kind: Backup
metadata:
  name: backup
spec:
  mariaDbRef:
    name: mariadb
  databases:
    - db1
    - db2
    - db3

When it comes to restore, all the databases available in the backup will be restored, but you may also choose a single database to be restored via the database field available in the Restore resource:

apiVersion: enterprise.mariadb.com/v1alpha1
kind: Restore
metadata:
  name: restore
spec:
  mariaDbRef:
    name: mariadb
  backupRef:
    name: backup
  database: db1

There are a couple of points to consider here:

The referred database (db1 in the example) must previously exist for the Restore to succeed.
The mariadb CLI invoked by the operator under the hood only supports selecting a single database to restore via the --one-database option, restoration of multiple specific databases is not supported.

Extra options

Not all the flags supported by mariadb-dump and mariadb have their counterpart field in the Backup and Restore CRs respectively, but you may pass extra options by using the args field. For example, setting the --verbose flag can be helpful to track the progress of backup and restore operations:

apiVersion: enterprise.mariadb.com/v1alpha1
kind: Backup
metadata:
  name: backup
spec:
  mariaDbRef:
    name: mariadb
  args:
    - --verbose

apiVersion: enterprise.mariadb.com/v1alpha1
kind: Restore
metadata:
  name: restore
spec:
  mariaDbRef:
    name: mariadb
  backupRef:
    name: backup
  args:
    - --verbose

Refer to the mariadb-dump and mariadb CLI options in the reference section.

Staging area

S3 is the only storage type that supports a staging area.

When using S3 storage for backups, a staging area is used for keeping the external backups while they are being processed. By default, this staging area is an emptyDir volume, which means that the backups are temporarily stored in the node's local storage where the Backup/Restore Job is scheduled. In production environments, large backups may lead to issues if the node doesn't have sufficient space, potentially causing the backup/restore process to fail.

To overcome this limitation, you are able to define your own staging area by setting the stagingStorage field to both the Backup and Restore CRs:

apiVersion: enterprise.mariadb.com/v1alpha1
kind: Backup
metadata:
  name: backup
spec:
  storage:
    s3:
      ...
  stagingStorage:
    persistentVolumeClaim:
      resources:
        requests:
          storage: 10Gi
      accessModes:
        - ReadWriteOnce

apiVersion: enterprise.mariadb.com/v1alpha1
kind: Restore
metadata:
  name: restore
spec:
  s3:
    ...
  stagingStorage:
    persistentVolumeClaim:
      resources:
        requests:
          storage: 10Gi
      accessModes:
        - ReadWriteOnce

In the examples above, a PVC with the default StorageClass will be used as staging area. Refer to the API reference for more configuration options.

Similarly, you may also use a custom staging area when bootstrapping from backup:

apiVersion: enterprise.mariadb.com/v1alpha1
kind: MariaDB
metadata:
  name: mariadb
spec:
  bootstrapFrom:
    s3:
      ...
    stagingStorage:
      persistentVolumeClaim:
        resources:
          requests:
            storage: 10Gi
        accessModes:
          - ReadWriteOnce

Important considerations and limitations

Root credentials

When restoring a backup, the root credentials specified through the spec.rootPasswordSecretKeyRef field in the MariaDB resource must match the ones in the backup. These credentials are utilized by the liveness and readiness probes, and if they are invalid, the probes will fail, causing your MariaDB Pods to restart after the backup restoration.

Restore job

Restoring large backups can consume significant compute resources and may cause Restore Jobs to become stuck due to insufficient resources. To prevent this, you can define the compute resources allocated to the Job:

apiVersion: enterprise.mariadb.com/v1alpha1
kind: MariaDB
metadata:
  name: mariadb
spec:
  storage:
    size: 1Gi
  bootstrapFrom:
    restoreJob:
      args:
        - --verbose
      resources:
        requests:
          cpu: 100m
          memory: 128Mi
        limits:
          memory: 1Gi

Galera backup limitations

`mysql.global_priv`

Galera only replicates the tables with InnoDB engine, see the Galera docs.

Something that does not include mysql.global_priv, the table used to store users and grants, which uses the MyISAM engine. This basically means that a Galera instance with mysql.global_priv populated will not replicate this data to an empty Galera instance. However, DDL statements (CREATE USER, ALTER USER ...) will be replicated.

Taking this into account, if we think now about a restore scenario where:

The backup file includes a DROP TABLE statement for the mysql.global_priv table.
The backup has some INSERT statements for the mysql.global_priv table.
The Galera cluster has 3 nodes: galera-0, galera-1 and galera-2.
The backup is restored in galera-0.

This is what will happen under the scenes while restoring the backup:

The DROP TABLE statement is a DDL so it will be executed in galera-0, galera-1 and galera-2.
The INSERT statements are not DDLs, so they will only be applied to galera-0.
This results in the galera-1 and galera-2 not having the mysql.global_priv table.

After the backup is fully restored, the liveness and readiness probes will kick in, they will succeed in galera-0, but they will fail in galera-1 and galera-2, as they rely in the root credentials available in mysql.global_priv, resulting in the galera-1 and galera-2 getting restarted.

To address this issue, when backing up MariaDB instances with Galera enabled, the mysql.global_priv table will be excluded from backups by using the --ignore-table option with mariadb-dump. This prevents the replication of the DROP TABLE statement for the mysql.global_priv table. You can opt-out from this feature by setting spec.ignoreGlobalPriv=false in the Backup resource.

apiVersion: enterprise.mariadb.com/v1alpha1
kind: Backup
metadata:
  name: backup
spec:
  mariaDbRef:
    name: mariadb
  ignoreGlobalPriv: false

Also, to avoid situations where mysql.global_priv is unreplicated, all the entries in that table must be managed via DDLs. This is the recommended approach suggested in the Galera docs. There are a couple of ways that we can guarantee this:

Use the rootPasswordSecretKeyRef, username and passwordSecretKeyRef fields of the MariaDB CR to create the root and initial user respectively. This fields will be translated into DDLs by the image entrypoint.
Rely on the User and Grant CRs to create additional users and grants. Refer to the SQL resource documentation for further detail.

`LOCK TABLES`

Galera is not compatible with the LOCK TABLES statement:

LOCK TABLES Limitations

For this reason, the operator automatically adds the --skip-add-locks option to the Backup to overcome this limitation.

Migrations using logical backups

Migrating an external MariaDB to a `MariaDB` running in Kubernetes

You can leverage logical backups to bring your external MariaDB data into a new MariaDB instance running in Kubernetes. Follow this runbook for doing so:

Take a logical backup of your external MariaDB using one of the commands below:

mariadb-dump --user=${MARIADB_USER} --password=${MARIADB_PASSWORD} --host=${MARIADB_HOST} --single-transaction --events --routines --all-databases > backup.2024-08-26T12:24:34Z.sql

If you are using Galera or planning to migrate to a Galera instance, make sure you understand the Galera backup limitations and use the following command instead:

mariadb-dump --user=${MARIADB_USER} --password=${MARIADB_PASSWORD} --host=${MARIADB_HOST} --single-transaction --events --routines --all-databases --skip-add-locks --ignore-table=mysql.global_priv > backup.2024-08-26T12:24:34Z.sql

Ensure that your backup file is named in the following format: backup.2024-08-26T12:24:34Z.sql. If the file name does not follow this format, it will be ignored by the operator.
Upload the backup file to one of the supported storage types. We recommend using S3.
Create your MariaDB resource declaring that you want to bootstrap from the previous backup and providing a root password Secret that matches the backup:

apiVersion: enterprise.mariadb.com/v1alpha1
kind: MariaDB
metadata:
  name: mariadb-galera
spec:
  rootPasswordSecretKeyRef:
    name: mariadb
    key: root-password
  replicas: 3
  galera:
    enabled: true
  storage:
    size: 1Gi
  bootstrapFrom:
    s3:
      bucket: backups
      prefix: mariadb
      endpoint: minio.minio.svc.cluster.local:9000
      accessKeyIdSecretKeyRef:
        name: minio
        key: access-key-id
      secretAccessKeySecretKeyRef:
        name: minio
        key: secret-access-key
      tls:
        enabled: true
        caSecretKeyRef:
          name: minio-ca
          key: tls.crt
    targetRecoveryTime: 2024-08-26T12:24:34Z

If you are using Galera in your new instance, migrate your previous users and grants to use the User and Grant CRs. Refer to the SQL resource documentation for further detail.

Migrating to a `MariaDB` with different topology

Database mobility between MariaDB instances with different topologies is possible with logical backups. However, there are a couple of technical details that you need to be aware of in the following scenarios:

Migrating between standalone and replicated `MariaDBs`

This should be fully compatible, no issues have been detected.

Migrating from standalone/replicated to Galera `MariaDBs`

There are a couple of limitations regarding the backups in Galera, please make sure you read the Galera backup limitations section before proceeding.

To overcome this limitations, the Backup in the standalone/replicated instance needs to be taken with spec.ignoreGlobalPriv=true. In the following example, we are backing up a standalone MariaDB (single instance):

apiVersion: enterprise.mariadb.com/v1alpha1
kind: Backup
metadata:
  name: backup-standalone
spec:
  mariaDbRef:
    name: mariadb-standalone
  ignoreGlobalPriv: true

Once the previous Backup is completed, we will be able bootstrap a new Galera instance from it:

apiVersion: enterprise.mariadb.com/v1alpha1
kind: MariaDB
metadata:
  name: mariadb-galera
spec:
  replicas: 3
  galera:
    enabled: true
  storage:
    size: 1Gi
  bootstrapFrom:
    backupRef:
      name: backup-standalone

Reference

Troubleshooting

Galera `Pods` restarting after bootstrapping from a backup

Please make sure you understand the Galera backup limitations.

After doing so, ensure that your backup does not contain a DROP TABLE mysql.global_priv; statement, as it will make your liveness and readiness probes to fail after the backup restoration.

Physical backups

What is a physical backup?

A physical backup is a snapshot of the entire data directory (/var/lib/mysql), including all data files. This type of backup captures the exact state of the database at a specific point in time, allowing for quick restoration in case of data loss or corruption.

Physical backups are the recommended method for backing up MariaDB databases, especially in production environments, as they are faster and more efficient than logical backups.

Backup strategies

Multiple strategies are available for performing physical backups, including:

mariadb-backup: Taken using the enterprise version of mariadb-backup, specifically MariaDB Enterprise backup, which is available in the MariaDB enterprise images. The operator supports scheduling Jobs to perform backups using this utility.
Kubernetes VolumeSnapshot: Leverage Kubernetes VolumeSnapshots to create snapshots of the persistent volumes used by the MariaDB Pods. This method relies on a compatible CSI (Container Storage Interface) driver that supports volume snapshots. See the VolumeSnapshots section for more details.

In order to use VolumeSnapshots, you will need to provide a VolumeSnapshotClass that is compatible with your storage provider. The operator will use this class to create snapshots of the persistent volumes:

apiVersion: enterprise.mariadb.com/v1alpha1
kind: PhysicalBackup
metadata:
  name: physicalbackup
spec:
  mariaDbRef:
    name: mariadb
  storage:
    volumeSnapshot:
      volumeSnapshotClassName: csi-hostpath-snapclass

For the rest of compatible backup storage types, the mariadb-backup CLI will be used to perform the backup. For instance, to use S3 as backup storage:

apiVersion: enterprise.mariadb.com/v1alpha1
kind: PhysicalBackup
metadata:
  name: physicalbackup
spec:
  mariaDbRef:
    name: mariadb
  storage:
    s3:
      bucket: physicalbackups
      endpoint: minio.minio.svc.cluster.local:9000
      accessKeyIdSecretKeyRef:
        name: minio
        key: access-key-id
      secretAccessKeySecretKeyRef:
        name: minio
        key: secret-access-key
      tls:
        enabled: true
        caSecretKeyRef:
          name: minio-ca
          key: ca.crt

Storage types

Multiple storage types are supported for storing physical backups, including:

S3 compatible storage: Store backups in a S3 compatible storage, such as AWS S3 or Minio.
Persistent Volume Claims (PVC): Use any of the StorageClasses available in your Kubernetes cluster to create a PersistentVolumeClaim (PVC) for storing backups.
Kubernetes Volumes: Store backups in any of the in-tree storage providers supported by Kubernetes out of the box, such as NFS.
Kubernetes VolumeSnapshots: Use Kubernetes VolumeSnapshots to create snapshots of the persistent volumes used by the MariaDB Pods. This method relies on a compatible CSI (Container Storage Interface) driver that supports volume snapshots. See the VolumeSnapshots section for more details.

Scheduling

Physical backups can be scheduled using the spec.schedule field in the PhysicalBackup resource. The schedule is defined using a Cron format and allows you to specify how often backups should be taken:

apiVersion: enterprise.mariadb.com/v1alpha1
kind: PhysicalBackup
metadata:
  name: physicalbackup
spec:
  mariaDbRef:
    name: mariadb
  schedule:
    cron: "*/1 * * * *"
    suspend: false
    immediate: true

If you want to immediatly trigger a backup after creating the PhysicalBackup resource, you can set the immediate field to true. This will create a backup immediately, regardless of the schedule.

If you want to suspend the schedule, you can set the suspend field to true. This will prevent any new backups from being created until the PhysicalBackup is resumed.

Compression

When using physical backups based on mariadb-backup, you are able to choose the compression algorithm used to compress the backup files. The available options are:

bzip2: Good compression ratio, but slower compression/decompression speed compared to gzip.
gzip: Good compression/decompression speed, but worse compression ratio compared to bzip2.
none: No compression.

To specify the compression algorithm, you can use the compression field in the PhysicalBackup resource:

apiVersion: enterprise.mariadb.com/v1alpha1
kind: PhysicalBackup
metadata:
  name: physicalbackup
spec:
  mariaDbRef:
    name: mariadb
  compression: bzip2

compression is defaulted to none by the operator.

Retention policy

You can define a retention policy both for backups based on mariadb-backup and for VolumeSnapshots. The retention policy allows you to specify how long backups should be retained before they are automatically deleted. This can be defined via the maxRetention field in the PhysicalBackup resource:

apiVersion: enterprise.mariadb.com/v1alpha1
kind: PhysicalBackup
metadata:
  name: physicalbackup
spec:
  mariaDbRef:
    name: mariadb
  maxRetention: 720h # 30 days

When using physical backups based on mariadb-backup, the operator will automatically delete backups files in the specified storage older than the retention period.

When using VolumeSnapshots, the operator will automatically delete the VolumeSnapshot resources older than the retention period using the Kubernetes API.

Restoration

Physical backups can only be restored in brand new MariaDB instances without any existing data. This means that you cannot restore a physical backup into an existing MariaDB instance that already has data.

To perform a restoration, you can specify a PhysicalBackup as restoration source under the spec.bootstrapFrom field in the MariaDB resource:

apiVersion: enterprise.mariadb.com/v1alpha1
kind: MariaDB
metadata:
  name: mariadb-galera
spec:
  bootstrapFrom:
    backupRef:
      name: physicalbackup
      kind: PhysicalBackup

This will take into account the backup strategy and storage type used in the PhysicalBackup, and it will perform the restoration accordingly.

As an alternative, you can also provide a reference to an S3 bucket that was previously used to store the physical backup files:

apiVersion: enterprise.mariadb.com/v1alpha1
kind: MariaDB
metadata:
  name: mariadb-galera
spec:
  bootstrapFrom:
    s3:
      bucket: physicalbackups
      prefix: mariadb
      endpoint: minio.minio.svc.cluster.local:9000
      accessKeyIdSecretKeyRef:
        name: minio
        key: access-key-id
      secretAccessKeySecretKeyRef:
        name: minio
        key: secret-access-key
      tls:
        enabled: true
        caSecretKeyRef:
          name: minio-ca
          key: ca.crt
    backupContentType: Physical

It is important to note that the backupContentType field must be set to Physical when restoring from a physical backup. This ensures that the operator uses the correct restoration method.

To restore a VolumeSnapshot, you can provide a reference to a specific VolumeSnapshot resource in the spec.bootstrapFrom field:

apiVersion: enterprise.mariadb.com/v1alpha1
kind: MariaDB
metadata:
  name: mariadb-galera
spec:
  bootstrapFrom:
    volumeSnapshotRef:
      name: physicalbackup-20250611163352

Target recovery time

By default, the operator will match the closest backup available to the current time. You can specify a different target recovery time by using the targetRecoveryTime field in the PhysicalBackup resource. This lets you define the exact point in time you want to restore to:

apiVersion: enterprise.mariadb.com/v1alpha1
kind: MariaDB
metadata:
  name: mariadb-galera
spec:
  bootstrapFrom:
    targetRecoveryTime: 2025-06-17T08:07:00Z

Timeout

By default, both backups based on mariadb-backup and VolumeSnapshots will have a timeout of 1 hour. You can change this timeout by using the timeout field in the PhysicalBackup resource:

apiVersion: enterprise.mariadb.com/v1alpha1
kind: PhysicalBackup
metadata:
  name: physicalbackup
spec:
  mariaDbRef:
    name: mariadb
  timeout: 2h

When timed out, the operator will delete the Jobs or VolumeSnapshots resources associated wit the PhysicalBackup resource. The operator will create new Jobs or VolumeSnapshots to retry the backup operation if the PhysicalBackup resource is still scheduled.

Extra options

When taking backups based on mariadb-backup, you can specify extra options to be passed to the mariadb-backup command using the args field in the PhysicalBackup resource:

apiVersion: enterprise.mariadb.com/v1alpha1
kind: PhysicalBackup
metadata:
  name: physicalbackup
spec:
  mariaDbRef:
    name: mariadb
  args:
    - "--verbose"

Refer to the mariadb-backup documentation for a list of available options.

S3 credentials

Credentials for accessing an S3 compatible storage can be provided via the s3 key in the storage field of the PhysicalBackup resource. The credentials can be provided as a reference to a Kubernetes Secret:

apiVersion: enterprise.mariadb.com/v1alpha1
kind: PhysicalBackup
metadata:
  name: physicalbackup
spec:
  mariaDbRef:
    name: mariadb
  storage:
    s3:
      bucket: physicalbackups
      endpoint: minio.minio.svc.cluster.local:9000
      accessKeyIdSecretKeyRef:
        name: minio
        key: access-key-id
      secretAccessKeySecretKeyRef:
        name: minio
        key: secret-access-key
      tls:
        enabled: true
        caSecretKeyRef:
          name: minio-ca
          key: ca.crt

Alternatively, if you are running in EKS, you can use dynamic credentials from an EKS Service Account using EKS Pod Identity or IRSA:

apiVersion: v1
kind: ServiceAccount
metadata:
  name: mariadb-backup
  annotations:
    eks.amazonaws.com/role-arn: arn:aws:iam::<<account_id>>:role/my-role-irsa

apiVersion: enterprise.mariadb.com/v1alpha1
kind: PhysicalBackup
metadata:
  name: physicalbackup
spec:
  mariaDbRef:
    name: mariadb
  serviceAccountName: mariadb-backup
  storage:
    s3:
      bucket: physicalbackups
      prefix: mariadb
      endpoint: s3.us-east-1.amazonaws.com
      region:  us-east-1
      tls:
        enabled: true

By leaving out the accessKeyIdSecretKeyRef and secretAccessKeySecretKeyRef credentials and pointing to the correct serviceAccountName, the backup Job will use the dynamic credentials from EKS.

Staging area

S3 backups based on mariadb-backup are the only scenario that requires a staging area.

When using S3 storage for backups, a staging area is used for keeping the external backups while they are being processed. By default, this staging area is an emptyDir volume, which means that the backups are temporarily stored in the node's local storage where the PhysicalBackup Job is scheduled. In production environments, large backups may lead to issues if the node doesn't have sufficient space, potentially causing the backup/restore process to fail.

Additionally, when restoring these backups, the operator will pull the backup files from S3, uncompress them if needded, and restore them to each of the MariaDB Pods in the cluster individually. To save network bandwidth and compute resources, a staging area is used to keep the uncompressed backup files after they have been restored to the first MariaDB Pod. This allows the operator to restore the same backup to the rest of MariaDB Pods seamlessly, without needing to pull and uncompress the backup again.

To configure the staging area, you can use the stagingStorage field in the PhysicalBackup resource:

apiVersion: enterprise.mariadb.com/v1alpha1
kind: PhysicalBackup
metadata:
  name: physicalbackup
spec:
  mariaDbRef:
    name: mariadb
  storage:
    s3:
      bucket: physicalbackups
      prefix: mariadb
      endpoint: minio.minio.svc.cluster.local:9000
      region:  us-east-1
      accessKeyIdSecretKeyRef:
        name: minio
        key: access-key-id
      secretAccessKeySecretKeyRef:
        name: minio
        key: secret-access-key
      tls:
        enabled: true
        caSecretKeyRef:
          name: minio-ca
          key: ca.crt
  stagingStorage:
    persistentVolumeClaim:
      resources:
        requests:
          storage: 1Gi
      accessModes:
        - ReadWriteOnce

Similarly, you may also use a staging area when bootstrapping from backup, in the MariaDB resource:

apiVersion: enterprise.mariadb.com/v1alpha1
kind: MariaDB
metadata:
  name: mariadb-galera
spec:
  mariaDbRef:
    name: mariadb
  bootstrapFrom:
    s3:
      bucket: physicalbackups
      prefix: mariadb
      endpoint: minio.minio.svc.cluster.local:9000
      accessKeyIdSecretKeyRef:
        name: minio
        key: access-key-id
      secretAccessKeySecretKeyRef:
        name: minio
        key: secret-access-key
      tls:
        enabled: true
        caSecretKeyRef:
          name: minio-ca
          key: ca.crt
    backupContentType: Physical
    stagingStorage:
      persistentVolumeClaim:
        resources:
          requests:
            storage: 1Gi
        accessModes:
          - ReadWriteOnce

In the examples above, a PVC with the default StorageClass will be provisioned to be used as staging area.

`VolumeSnapshots`

Before using this feature, ensure that you meet the following prerequisites :

external-snapshotter and its CRs are installed in the cluster.
You have a compatible CSI driver that supports VolumeSnapshots installed in the cluster.
You have a VolumeSnapshotClass configured configured for your CSI driver.

The operator is capable of creating VolumeSnapshot resources of the PVCs used by the MariaDB Pods. This allows you to create point-in-time snapshots of your data in a Kubernetes-native way, leveraging the capabilities of your storage provider.

Most of the fields described in this documentation apply to VolumeSnapshots, including scheduling, retention policy, and compression. The main difference with the mariadb-backup based backups is that the operator will not create a Job to perform the backup, but instead it will create a VolumeSnapshot resource directly.

In order to create consistent, point-in-time snapshots of the MariaDB data, the operator will perform the following steps:

Execute a BACKUP STAGE START statement followed by BACKUP STAGE BLOCK_COMMIT in one of the secondary Pods.
Create a VolumeSnapshot resource of the data PVC mounted by the MariaDB secondary Pod.
Wait until the VolumeSnapshot resource becomes ready. When timing out, the operator will delete the VolumeSnapshot resource and retry the operation.
Issue a BACKUP STAGE END statement.

This backup process is described in the MariaDB documentation and is designed to be non-blocking.

Non-blocking physical backups

Both for mariadb-backup and VolumeSnapshot backup strategies, the enterprise operator performs non-blocking physical backups by leveraging the BACKUP STAGE feature.. This implies that the backups are taken without long read locks, enabling consistent, production-grade backups with minimal impact on running workloads, ideal for high-availability and performance-sensitive environments.

Important considerations and limitations

Root credentials

Restore `Job`

When using backups based on mariadb-backup, restoring and uncompressing large backups can consume significant compute resources and may cause restoration Jobs to become stuck due to insufficient resources. To prevent this, you can define the compute resources allocated to the Job:

apiVersion: enterprise.mariadb.com/v1alpha1
kind: MariaDB
metadata:
  name: mariadb
spec:
  bootstrapFrom:
    restoreJob:
      resources:
        requests:
          cpu: 100m
          memory: 128Mi
        limits:
          memory: 1Gi

`ReadWriteOncePod` access mode partially supported

When using backups based on mariadb-backup, the data PVC used by the MariaDB Pod cannot use the ReadWriteOncePod access mode, as it needs to be mounted at the same time by both the MariaDB Pod and the PhysicalBackup Job. In this case, please use either the ReadWriteOnce or ReadWriteMany access modes instead.

Alternatively, if you want to keep using the ReadWriteOncePod access mode, you must use backups based on VolumeSnapshots, which do not require creating a Job to perform the backup and therefore avoid the volume sharing limitation.

`PhysicalBackup` `Jobs` scheduling

PhysicalBackup Jobs must mount the data PVC used by one of the secondary MariaDB Pods. To avoid scheduling issues caused by the commonly used ReadWriteOnce access mode, the operator schedules backup Jobs on the same node as MariaDB by default.

If you prefer to disable this behavior and allow Jobs to run on any node, you can set podAffinity=false:

apiVersion: enterprise.mariadb.com/v1alpha1
kind: PhysicalBackup
metadata:
  name: physicalbackup
spec:
  mariaDbRef:
    name: mariadb
  podAffinity: false

This configuration may be suitable when using the ReadWriteMany access mode, which allows multiple Pods across different nodes to mount the volume simultaneously.

Troubleshooting

Custom columns are used to display the status of the PhysicalBackup resource:

kubectl get physicalbackups

NAME             COMPLETE   STATUS    MARIADB   LAST SCHEDULED   AGE
physicalbackup   True       Success   mariadb   17s              17s

To get a higher level of detail, you can also check the status field directly:

kubectl get physicalbackups physicalbackup -o json | jq -r '.status'

{
  "conditions": [
    {
      "lastTransitionTime": "2025-07-14T07:01:14Z",
      "message": "Success",
      "reason": "JobComplete",
      "status": "True",
      "type": "Complete"
    }
  ],
  "lastScheduleCheckTime": "2025-07-14T07:00:00Z",
  "lastScheduleTime": "2025-07-14T07:00:00Z",
  "nextScheduleTime": "2025-07-15T07:00:00Z"
}

You may also check the related events for the PhysicalBackup resource to see if there are any issues:

kubectl get events --field-selector involvedObject.name=physicalbackup

LAST SEEN   TYPE     REASON                  OBJECT                                 MESSAGE
116s        Normal   WaitForFirstConsumer    persistentvolumeclaim/physicalbackup   waiting for first consumer to be created before binding
116s        Normal   JobScheduled            physicalbackup/physicalbackup          Job physicalbackup-20250714140837 scheduled
116s        Normal   ExternalProvisioning    persistentvolumeclaim/physicalbackup   Waiting for a volume to be created either by the external provisioner 'rancher.io/local-path' or manually by the system administrator. If volume creation is delayed, please verify that the provisioner is running and correctly registered.
116s        Normal   Provisioning            persistentvolumeclaim/physicalbackup   External provisioner is provisioning volume for claim "default/physicalbackup"
113s        Normal   ProvisioningSucceeded   persistentvolumeclaim/physicalbackup   Successfully provisioned volume pvc-7b7c71f9-ea7e-4950-b612-2d41d7ab35b7

Common errors

`mariadb-backup` log copy incomplete: consider increasing `innodb_log_file_size`

In some situations, when using the mariadb-backup strategy, you may encounter the following error in the backup Job logs:

mariadb [00] 2025-08-04 09:15:57 Was only able to copy log from 58087 to 59916, not 68968; try increasing
innodb_log_file_size
mariadb mariabackup: Stopping log copying thread.[00] 2025-08-04 09:15:57 Retrying read of log at LSN=59916

This can be addressed by increasing the innodb_log_file_size in the MariaDB configuration. You can do this by adding the following to your MariaDB resource:

apiVersion: enterprise.mariadb.com/v1alpha1
kind: MariaDB
metadata:
  name: mariadb
spec:
...
  myCnf: |
    [mariadb]
    innodb_log_file_size=200M

Refer to MDEV-36159 for further details on this issue.

Storage

This operator gives you flexibility to define the storage that will back the /var/lib/mysql data directory mounted by MariaDB.

Configuration

The simplest way to configure storage for your MariaDB is:

apiVersion: enterprise.mariadb.com/v1alpha1
kind: MariaDB
metadata:
  name: mariadb-galera
spec:
  ...
  storage:
    size: 1Gi

This will make use of the default StorageClass available in your cluster, but you can also provide a different one:

apiVersion: enterprise.mariadb.com/v1alpha1
kind: MariaDB
metadata:
  name: mariadb-galera
spec:
  ...
  storage:
    size: 1Gi
    storageClassName: gp3

Under the scenes, the operator is configuring the StatefulSet's volumeClaimTemplate property, which you are also able to provide yourself:

apiVersion: enterprise.mariadb.com/v1alpha1
kind: MariaDB
metadata:
  name: mariadb-galera
spec:
  ...
  storage:
    size: 1Gi
    storageClassName: gp3
    volumeClaimTemplate:
      accessModes:
      - ReadWriteOnce
      resources:
        requests:
          storage: 1Gi
      storageClassName: gp3

Volume resize

The StorageClass used for volume resizing must define allowVolumeExpansion = true.

It is possible to resize your storage after having provisioned a MariaDB. We need to distinguish between:

PVCs already in use.
StatefulSet storage size, which will be used when provisioning new replicas.

It is important to note that, for the first case, your StorageClass must support volume expansion by declaring the allowVolumeExpansion = true. In such case, it will be safe to expand the storage by increasing the size and setting resizeInUseVolumes = true:

apiVersion: enterprise.mariadb.com/v1alpha1
kind: MariaDB
metadata:
  name: mariadb-galera
spec:
  ...
  storage:
    size: 2Gi
    resizeInUseVolumes: true
    waitForVolumeResize: true

Depending on your storage provider, this operation might take a while, and you can decide to wait for this operation before the MariaDB becomes ready by setting waitForVolumeResize = true. Operations such as Galera cluster recovery and will not be performed if the MariaDB resource is not ready.

Ephemeral storage

Provisioning standalone MariaDB instances with ephemeral storage can be done by setting ephemeral = true:

apiVersion: enterprise.mariadb.com/v1alpha1
kind: MariaDB
metadata:
  name: mariadb-galera
spec:
  ...
  storage:
    ephemeral: true

This may be useful for multiple use cases, like provisioning ephemeral MariaDBs for the integration tests of your CI.

TLS

MariaDB Enterprise Operator supports issuing, configuring and rotating TLS certificates for both your MariaDB and MaxScale resources. It aims to be secure by default; for this reason, TLS certificates are issued and configured by the operator as a default behaviour.

`MariaDB` configuration

This section covers TLS configuration in new instances. If you are looking to migrate an existing instance to use TLS, please refer to Enabling TLS in existing instances instead.

TLS can be configured in MariaDB resources by setting tls.enabled=true:

apiVersion: enterprise.mariadb.com/v1alpha1
kind: MariaDB
metadata:
  name: mariadb-galera
spec:
  ...
  tls:
    enabled: true

As a result, the operator will generate a Certificate Authority (CA) and use it to issue the leaf certificates mounted by the instance. It is important to note that the TLS connections are not enforced in this case i.e. both TLS and non-TLS connections will be accepted. This is the default behaviour when no tls field is specified.

If you want to enforce TLS connections, you can set tls.required=true:

apiVersion: enterprise.mariadb.com/v1alpha1
kind: MariaDB
metadata:
  name: mariadb-galera
spec:
  ...
  tls:
    enabled: true
    required: true

This approach ensures that any unencrypted connection will fail, effectively enforcing security best practices.

If you want to fully opt-out from TLS, you can set tls.enabled=false:

apiVersion: enterprise.mariadb.com/v1alpha1
kind: MariaDB
metadata:
  name: mariadb-galera
spec:
  ...
  tls:
    enabled: false

This will disable certificate issuance, resulting in all connections being unencrypted.

Refer to further sections for a more advanced TLS configuration.

`MaxScale` configuration

This section covers TLS configuration in new instances. If you are looking to migrate an existing instance to use TLS, please refer to Enabling TLS in existing instances instead.

TLS will be automatically enabled in MaxScale when the referred MariaDB (via mariaDbRef) has TLS enabled and enforced. Alternatively, you can explicitly enable TLS by setting tls.enabled=true:

apiVersion: enterprise.mariadb.com/v1alpha1
kind: MaxScale
metadata:
  name: maxscale-galera
spec:
  ...
  mariaDbRef:
    name: mariadb-galera
  tls:
    enabled: true

As a result, the operator will generate a Certificate Authority (CA) and use it to issue the leaf certificates mounted by the instance. It is important to note that, unlike MariaDB, MaxScale does not support TLS and non-TLS connections simultaneously (see limitations). Therefore, TLS connections will be enforced in this case i.e. unencrypted connections will fail, ensuring security best practises.

If you want to fully opt-out from TLS, you can set tls.enabled=false. This should only be done when MariaDB TLS is not enforced or disabled:

apiVersion: enterprise.mariadb.com/v1alpha1
kind: MaxScale
metadata:
  name: maxscale-galera
spec:
  ...
  mariaDbRef:
    name: mariadb-galera
  tls:
    enabled: false

This will disable certificate issuance, resulting in all connections being unencrypted.

Refer to further sections for a more advanced TLS configuration.

`MariaDB` certificate specification

The MariaDB TLS setup consists of the following certificates:

Certificate Authority (CA) keypair to issue the server certificate.
Server leaf certificate used to encrypt server connections.
Certificate Authority (CA) keypair to issue the client certificate.
Client leaf certificate used to encrypt and authenticate client connections.

As a default behaviour, the operator generates a single CA to be used for issuing both the server and client certificates, but the user can decide to use dedicated CAs for each case. Root CAs, and intermedicate CAs in some cases, are supported, see limitations for further detail.

The server certificate contains the following Subject Alternative Names (SANs):

<mariadb-name>.<namespace>.svc.<cluster-name>
<mariadb-name>.<namespace>.svc
<mariadb-name>.<namespace>
<mariadb-name>
*.<mariadb-name>-internal.<namespace>.svc.<cluster-name>
*.<mariadb-name>-internal.<namespace>.svc
*.<mariadb-name>-internal.<namespace>
*.<mariadb-name>-internal
<mariadb-name>-primary.<namespace>.svc.<cluster-name>
<mariadb-name>-primary.<namespace>.svc
<mariadb-name>-primary.<namespace>
<mariadb-name>-primary
<mariadb-name>-secondary.<namespace>.svc.<cluster-name>
<mariadb-name>-secondary.<namespace>.svc
<mariadb-name>-secondary.<namespace>
<mariadb-name>-secondary
localhost

Whereas the client certificate is only valid for the <mariadb-name>-client SAN.

`MaxScale` certificate specification

The MaxScale TLS setup consists of the following certificates:

Certificate Authority (CA) keypair to issue the admin certificate.
Admin leaf certificate used to encrypt the administrative REST API and GUI.
Certificate Authority (CA) keypair to issue the listener certificate.
Listener leaf certificate used to encrypt database connections to the listener.
Server CA bundle used to establish trust with the MariaDB server.
Server leaf certificate used to connect to the MariaDB server.

As a default behaviour, the operator generates a single CA to be used for issuing both the admin and the listener certificates, but the user can decide to use dedicated CAs for each case. Client certificate and CA bundle configured in the referred MariaDB are used as server certificates by default, but the user is able to provide its own certificates. Root CAs, and intermedicate CAs in some cases, are supported, see limitations for further detail.

Both the admin and listener certificates contain the following Subject Alternative Names (SANs):

<maxscale-name>.<namespace>.svc.<clusername>
<maxscale-name>.<namespace>.svc
<maxscale-name>.<namespace>
<maxscale-name>
<maxscale-name>-gui.<namespace>.svc.<clusername>
<maxscale-name>-gui.<namespace>.svc
<maxscale-name>-gui.<namespace>
<maxscale-name>-gui
*.<maxscale-name>-internal.<namespace>.svc.<clusername>
*.<maxscale-name>-internal.<namespace>.svc
*.<maxscale-name>-internal.<namespace>
*.<maxscale-name>-internal

For details about the server certificate, see MariaDB certificate specification.

CA bundle

As you could appreciate in MariaDB certificate specification and MaxScale certificate specification, the TLS setup involves multiple CAs. In order to establish trust in a more convenient way, the operator groups the CAs together in a CA bundle that will need to be specified when securely connecting from your applications. Every MariaDB and MaxScale resources have a dedicated bundle of its own available in a Secret named <instance-name>-ca-bundle.

These trust bundles contain non expired CAs needed to connect to the instances. New CAs are automatically added to the bundle after renewal, whilst old CAs are removed after they expire. It is important to note that both the new and old CAs remain in the bundle for a while to ensure a smooth update when the new certificates are issued by the new CA.

Issue certificates with the operator

By setting tls.enabled=true, the operator will generate a root CA for each instance, which will be used to issue the certificates described in the MariaDB cert spec and MaxScale cert spec sections:

apiVersion: enterprise.mariadb.com/v1alpha1
kind: MariaDB
metadata:
  name: mariadb
spec:
  ...
  tls:
    enabled: true

apiVersion: enterprise.mariadb.com/v1alpha1
kind: MaxScale
metadata:
  name: maxscale
spec:
  ...
  tls:
    enabled: true

To establish trust with the instances, the CA's public key will be added to the CA bundle. If you need a different trust chain, please refer to the custom trust section.

The advantage of this approach is that the operator fully manages the Secrets that contain the certificates without depending on any third party dependency. Also, since the operator fully controls the renewal process, it is able to pause a leaf certificate renewal if the CA is being updated at that moment, as described in the cert renewal section.

Issue certificates with cert-manager

cert-manager must be previously installed in the cluster in order to use this feature.

cert-manager is the de-facto standard for managing certificates in Kubernetes. It is a Kubernetes native certificate management controller that allows you to automatically provision, manage and renew certificates. It supports multiple certificate backends (in-cluster, Hashicorp Vault...) which are configured as Issuer or ClusterIssuer resources.

As an example, we are going to setup an in-cluster root CA ClusterIssuer:

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: selfsigned
spec:
  selfSigned: {}
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: root-ca
  namespace: default
spec:
  duration: 52596h # 6 years
  commonName: root-ca
  usages:
  - digital signature
  - key encipherment
  - cert sign
  issuerRef:
    name: selfsigned
    kind: ClusterIssuer
  isCA: true
  privateKey:
    encoding: PKCS1
    algorithm: ECDSA
    size: 256
  secretTemplate:
    labels:
      enterprise.mariadb.com/watch: ""
  secretName: root-ca
  revisionHistoryLimit: 10
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: root-ca
spec:
  ca:
    secretName: root-ca

Then, you can reference the ClusterIssuer in the MariaDB and MaxScale resources:

apiVersion: enterprise.mariadb.com/v1alpha1
kind: MariaDB
metadata:
  name: mariadb-galera
spec:
  ...
  tls:
    enabled: true
    serverCertIssuerRef:
      name: root-ca
      kind: ClusterIssuer
    clientCertIssuerRef:
      name: root-ca
      kind: ClusterIssuer

apiVersion: enterprise.mariadb.com/v1alpha1
kind: MaxScale
metadata:
  name: maxscale-galera
spec:
  ...
  tls:
    enabled: true
    adminCertIssuerRef:
      name: root-ca
      kind: ClusterIssuer
    listenerCertIssuerRef:
      name: root-ca
      kind: ClusterIssuer

The operator will create cert-manager's Certificate resources for each certificate, and will mount the resulting TLS Secrets in the instances. These Secrets containing the certificates will be managed by cert-manager as well as its renewal process.

To establish trust with the instances, the ca.crt field provided by cert-managed in the Secret will be added to the CA bundle. If you need a different trust chain, please refer to the custom trust section.

The advantage of this approach is that you can use any of the cert-manager's certificate backends, such as the in-cluster CA or HashiCorp Vault, and potentially reuse the same Issuer/ClusterIssuer with multiple instances.

Provide your own certificates

Providing your own certificates is as simple as creating the Secrets with the appropriate structure and referencing them in the MariaDB and MaxScale resources. The certificates must be compliant with the MariaDB cert spec and MaxScale cert spec.

The CA certificate must be provided as a Secret with the following structure:

apiVersion: v1
kind: Secret
type: Opaque
metadata:
  name: mariadb-galera-server-ca
  labels:
    enterprise.mariadb.com/watch: ""
data:
  ca.crt:
  -----BEGIN CERTIFICATE-----
  <public-key>
  -----END CERTIFICATE-----
  ca.key:
  -----BEGIN EC PRIVATE KEY-----
  <private-key>
  -----END EC PRIVATE KEY-----

The ca.key field is only required if you want to the operator to automatically re-issue certificates with this CA, see bring your own CA for further detail. In other words, if only ca.crt is provided, the operator will trust this CA by adding it to the CA bundle, but no certificates will be issued with it, the user will responsible for upating the certificate Secret manually with renewed certificates.

The enterprise.mariadb.com/watch label is required only if you want the operator to automatically trigger an update when the CA is renewed, see CA renewal for more detail.

The leaf certificate must match the previous CA's public key, and it should provided as a TLS Secret with the following structure:

apiVersion: v1
kind: Secret
type: kubernetes.io/tls  
metadata:
  name: mariadb-galera-server-tls 
  labels:
    enterprise.mariadb.com/watch: ""
data:
  tls.crt:
  -----BEGIN CERTIFICATE-----
  <public-key>
  -----END CERTIFICATE-----
  tls.key:
  -----BEGIN EC PRIVATE KEY-----
  <private-key>
  -----END EC PRIVATE KEY-----

The enterprise.mariadb.com/watch label is required only if you want the operator to automatically trigger an update when the certificate is renewed, see cert renewal for more detail.

Once the certificate Secrets are available in the cluster, you can create the MariaDB and MaxScale resources referencing them:

apiVersion: enterprise.mariadb.com/v1alpha1
kind: MariaDB
metadata:
  name: mariadb-galera
spec:
  ...
  tls:
    enabled: true
    serverCASecretRef:
      name: mariadb-server-ca
    serverCertSecretRef:
      name: mariadb-galera-server-tls
    clientCASecretRef:
      name: mariadb-client-ca
    clientCertSecretRef:
      name: mariadb-galera-client-tls

apiVersion: enterprise.mariadb.com/v1alpha1
kind: MaxScale
metadata:
  name: maxscale-galera
spec:
  ...
  tls:
    enabled: true
    adminCASecretRef:
      name: maxscale-admin-ca
    adminCertSecretRef:
      name: maxscale-galera-admin-tls
    listenerCASecretRef:
      name: maxscale-listener-ca
    listenerCertSecretRef:
      name: maxscale-galera-listener-tls
    serverCASecretRef:
      name: mariadb-galera-ca-bundle
    serverCertSecretRef:
      name: mariadb-galera-client-tls

Bring your own CA

If you already have a CA setup outside of Kubernetes, you can use it with the operator by providing the CA certificate as a Secret with the following structure:

apiVersion: v1
kind: Secret
type: Opaque
metadata:
  name: mariadb-ca
  labels:
    enterprise.mariadb.com/watch: ""
data:
  ca.crt:
  -----BEGIN CERTIFICATE-----
  <public-key>
  -----END CERTIFICATE-----
  ca.key:
  -----BEGIN EC PRIVATE KEY-----
  <private-key>
  -----END EC PRIVATE KEY-----

Just by providing a reference to this Secret, the operator will use it to issue leaf certificates instead of generating a new CA:

apiVersion: enterprise.mariadb.com/v1alpha1
kind: MariaDB
metadata:
  name: mariadb-galera
spec:
  ...
  tls:
    enabled: true
    serverCASecretRef:
      name: mariadb-server-ca
    clientCASecretRef:
      name: mariadb-client-ca

Intermediate CAs

Intermediate CAs are supported by the operator with some limitations. Leaf certificates issued by the intermediate CAs are slightly different, and include the intermediate CA public key as part of the certificate, in the following order: Leaf certificate -> Intermediate CA. This is a common practise to easily establish trust in complex PKI setups, where multiple CA are involved.

Many applications support this Leaf certificate -> Intermediate CA structure as a valid leaf certificate, and are able to establish trust with the intermediate CA. Normally, the intermediate CA will not be directly trusted, but used as a path to the root CA, which should be trusted by the application. If not trusted already, you can add the root CA to the CA bundle by using a custom trust.

Custom trust

You are able to provide a set of CA public keys to be added to the CA bundle by creating a Secret with the following structure:

apiVersion: v1
kind: Secret
type: Opaque
metadata:
  name: custom-trust
  labels:
    enterprise.mariadb.com/watch: ""
data:
  ca.crt:
  -----BEGIN CERTIFICATE-----
  <my-org-root-ca>
  -----END CERTIFICATE-----
  -----BEGIN CERTIFICATE-----
  <root-ca>
  -----END CERTIFICATE-----

And referencing it in the MariaDB and MaxScale resources, for instance:

apiVersion: enterprise.mariadb.com/v1alpha1
kind: MaxScale
metadata:
  name: maxscale-galera
spec:
  ...
  tls:
    enabled: true
    adminCASecretRef:
      name: custom-trust
    adminCertIssuerRef:
      name: my-org-intermediate-ca
      kind: ClusterIssuer
    listenerCASecretRef:
      name: custom-trust
    listenerCertIssuerRef:
      name: intermediate-ca
      kind: ClusterIssuer

This is specially useful when issuing certificates with an intermediate CA, see intermediate CAs section for further detail.

Distributing trust

Distributing the CA bundle to your application namespace is out of the scope of this operator, the bundles will remain in the same namespace as the MariaDB and MaxScale instances.

If your application is in a different namespace, you can copy the CA bundle to the application namespace. Projects like trust-manager can help you to automate this process and continously reconcile bundle changes.

TLS version configuration

You may configure the supported TLS versions in MariaDB by setting:

apiVersion: enterprise.mariadb.com/v1alpha1
kind: MariaDB
metadata:
  name: mariadb-galera
spec:
  tls:
    versions:
      - TLSv1.3
      - TLSv1.2
      - TLSv1.1
      - TLSv1.0

If not specified, the MariaDB's default TLS versions will be used. See .

Regarding MaxScale, you can also configure the supported TLS versions, both for the Admin REST API and MariaDB servers:

apiVersion: enterprise.mariadb.com/v1alpha1
kind: MaxScale
metadata:
  name: maxscale-galera
spec:
  ...
  tls:
    adminVersions:
      - TLSv13
      - TLSv12
      - TLSv11
      - TLSv10
    serverVersions:
      - TLSv13
      - TLSv12
      - TLSv11
      - TLSv10

If not specified, the MaxScale's default TLS versions will be used. See MaxScale docs:

Certificate lifetime configuration

By default, CA certificates are valid for 3 years, while leaf certificates have a validity of 3 months. This lifetime can be customized in both MariaDB and MaxScale resources through the certificate configuration fields. For example:

apiVersion: enterprise.mariadb.com/v1alpha1
kind: MariaDB
metadata:
  name: mariadb-galera
spec:
  tls:
    enabled: true
    required: true
    serverCertConfig:
      caLifetime: 8766h # 1 year
      certLifetime: 720h # 1 month
    clientCertConfig:
      caLifetime: 8766h # 1 year
      certLifetime: 720h # 1 month

apiVersion: enterprise.mariadb.com/v1alpha1
kind: MaxScale
metadata:
  name: maxscale-galera
spec:
  tls:
    enabled: true
    adminCertConfig:
      caLifetime: 8766h # 1 year
      certLifetime: 1h # 1 month
    listenerCertConfig:
      caLifetime: 8766h # 1 year
      certLifetime: 720h # 1 month

When issuing certificates with cert-manager, you can specify the certificate configuration field alongside the issuer reference:

apiVersion: enterprise.mariadb.com/v1alpha1
kind: MariaDB
metadata:
  name: mariadb-galera
spec:
  tls:
    enabled: true
    required: true
    serverCertIssuerRef:
      name: root-ca
      kind: ClusterIssuer
    serverCertConfig:
      caLifetime: 8766h # 1 year
      certLifetime: 720h # 1 month
    clientCertIssuerRef:
      name: root-ca
      kind: ClusterIssuer
    clientCertConfig:
      caLifetime: 8766h # 1 year
      certLifetime: 720h # 1 month

apiVersion: enterprise.mariadb.com/v1alpha1
kind: MaxScale
metadata:
  name: maxscale-galera
spec:
  tls:
    enabled: true
    adminCertIssuerRef:
      name: root-ca
      kind: ClusterIssuer
    adminCertConfig:
      caLifetime: 8766h # 1 year
      certLifetime: 1h # 1 month
    listenerCertIssuerRef:
      name: root-ca
      kind: ClusterIssuer
    listenerCertConfig:
      caLifetime: 8766h # 1 year
      certLifetime: 720h # 1 month

Private key configuration

By default, private keys are generated with the ECDSA algorithm and a size of 256. You can customize the private key configuration in both MariaDB and MaxScale resources through the certificate configuration fields. For example:

apiVersion: enterprise.mariadb.com/v1alpha1
kind: MariaDB
metadata:
  name: mariadb-galera
spec:
  tls:
    enabled: true
    required: true
    serverCertConfig:
      privateKeyAlgorithm: RSA
      privateKeySize: 2048
    clientCertConfig:
      privateKeyAlgorithm: RSA
      privateKeySize: 2048

apiVersion: enterprise.mariadb.com/v1alpha1
kind: MaxScale
metadata:
  name: maxscale-galera
spec:
  tls:
    enabled: true
    adminCertConfig:
      privateKeyAlgorithm: RSA
      privateKeySize: 2048
    listenerCertConfig:
      privateKeyAlgorithm: RSA
      privateKeySize: 2048

When issuing certificates with cert-manager, you can specify the private key configuration field alongside the issuer reference:

apiVersion: enterprise.mariadb.com/v1alpha1
kind: MariaDB
metadata:
  name: mariadb-galera
spec:
  tls:
    enabled: true
    required: true
    serverCertIssuerRef:
      name: root-ca
      kind: ClusterIssuer
    serverCertConfig:
      privateKeyAlgorithm: ECDSA
      privateKeySize: 256
    clientCertIssuerRef:
      name: root-ca
      kind: ClusterIssuer
    clientCertConfig:
      privateKeyAlgorithm: ECDSA
      privateKeySize: 256

apiVersion: enterprise.mariadb.com/v1alpha1
kind: MaxScale
metadata:
  name: maxscale-galera
spec:
  tls:
    enabled: true
    adminCertIssuerRef:
      name: root-ca
      kind: ClusterIssuer
    adminCertConfig:
      privateKeyAlgorithm: ECDSA
      privateKeySize: 256
    listenerCertIssuerRef:
      name: root-ca
      kind: ClusterIssuer
    listenerCertConfig:
      privateKeyAlgorithm: ECDSA
      privateKeySize: 256

The following set of algorithms and sizes are supported:

Algorithm

Key Sizes

RSA

2048, 3072, 4096

ECDSA

256, 384, 521

CA renewal

Depending on the setup, CAs can be managed and renewed by either MariaDB Enterprise Operator or cert-manager.

When managed by the operator, CAs have a lifetime of 3 years by default, and are marked for renewal after 66% of its lifetime has passed i.e. ~2 years. After being renewed, the operator will trigger an update of the instances to include the new CA in the bundle.

When managed by cert-manager, the renewal process is fully controlled by cert-manager, but the operator will also update the CA bundle after the CA is renewed.

You may choose any of the available update strategies to control the instance update process.

Certificate renewal

Depending on the setup, certificates can be managed and renewed by the operator or cert-manager. In either case, certificates have a lifetime of 90 days by default, and marked for renewal after 66% of its lifetime has passed i.e. ~60 days.

When the certificates are issued by the operator, the operator is able to pause a leaf certificate renewal if the CA is being updated at that same moment. This approach ensures a smooth update by avoiding the simultaneous rollout of the new CA and its associated certificates. Rolling them out together could be problematic, as all Pods need to trust the new CA before its issued certificates can be utilized.

When the certificates are issued by cert-manager, the renewal process is fully managed by cert-manager, and the operator will not interfere with it. The operator will only update the instances whenever the CA or the certificates get renewed.

You may choose any of the available update strategies to control the instance update process.

Certificate status

To have a high level picture of the certificates status, you can check the status.tls field of the MariaDB and MaxScale resources:

kubectl get mariadb mariadb-galera -o jsonpath="{.status.tls}" | jq
{
  "caBundle": [
    {
      "issuer": "CN=mariadb-galera-ca",
      "notAfter": "2028-01-20T14:26:50Z",
      "notBefore": "2025-01-20T13:26:50Z",
      "subject": "CN=mariadb-galera-ca"
    }
  ],
  "clientCert": {
    "issuer": "CN=mariadb-galera-ca",
    "notAfter": "2025-04-20T14:26:50Z",
    "notBefore": "2025-01-20T13:26:50Z",
    "subject": "CN=mariadb-galera-client"
  },
  "serverCert": {
    "issuer": "CN=mariadb-galera-ca",
    "notAfter": "2025-04-20T14:26:50Z",
    "notBefore": "2025-01-20T13:26:50Z",
    "subject": "CN=mariadb-galera.default.svc.cluster.local"
  }
}

kubectl get maxscale maxscale-galera -o jsonpath="{.status.tls}" | jq
{
  "adminCert": {
    "issuer": "CN=maxscale-galera-ca",
    "notAfter": "2025-04-20T14:33:09Z",
    "notBefore": "2025-01-20T13:33:09Z",
    "subject": "CN=maxscale-galera.default.svc.cluster.local"
  },
  "caBundle": [
    {
      "issuer": "CN=maxscale-galera-ca",
      "notAfter": "2028-01-20T14:33:09Z",
      "notBefore": "2025-01-20T13:33:09Z",
      "subject": "CN=maxscale-galera-ca"
    },
    {
      "issuer": "CN=mariadb-galera-ca",
      "notAfter": "2028-01-20T14:28:46Z",
      "notBefore": "2025-01-20T13:28:46Z",
      "subject": "CN=mariadb-galera-ca"
    }
  ],
  "listenerCert": {
    "issuer": "CN=maxscale-galera-ca",
    "notAfter": "2025-04-20T14:33:09Z",
    "notBefore": "2025-01-20T13:33:09Z",
    "subject": "CN=maxscale-galera.default.svc.cluster.local"
  },
  "serverCert": {
    "issuer": "CN=mariadb-galera-ca",
    "notAfter": "2025-04-20T14:28:46Z",
    "notBefore": "2025-01-20T13:28:46Z",
    "subject": "CN=mariadb-galera-client"
  }
}

TLS requirements for `Users`

You are able to declaratively manage access to your MariaDB instances by creating User SQL resources. In particular, when TLS is enabled, you can provide additional requirements for the user when connecting over TLS.

For instance, if you want to require a valid x509 certificate for the user to be able o connect:

apiVersion: enterprise.mariadb.com/v1alpha1
kind: User
metadata:
  name: user
spec:
  ...
  require:
    x509: true

In order to restrict which subject the user certificate should have and/or require a particular issuer, you may set:

apiVersion: enterprise.mariadb.com/v1alpha1
kind: User
metadata:
  name: user
spec:
  ...
  require:
    issuer: "/CN=mariadb-galera-ca"
    subject: "/CN=mariadb-galera-client"

When any of these TLS requirements are not met, the user will not be able to connect to the instance.

See and the API reference for further detail.

Galera Enterprise SSL modes

MariaDB Enterprise Cluster (Galera) supports multiple SSL modes to secure the communication between the nodes. For configuring the SSL enforcement level on the server i.e. WSREP, you can set:

apiVersion: enterprise.mariadb.com/v1alpha1
kind: MariaDB
metadata:
  name: mariadb-galera
spec:
  tls:
    enabled: true
    galeraServerSSLMode: SERVER_X509

The following values are supported: SERVER_X509, SERVER and PROVIDER. Refer to the MariaDB Enterprise Cluster documentation for further detail about these modes.

You may also configure the SSL enforcement level used during Snapshot State Transfers(SST) by setting:

apiVersion: enterprise.mariadb.com/v1alpha1
kind: MariaDB
metadata:
  name: mariadb-galera
spec:
  tls:
    enabled: true
    galeraSSTEnabled: true
    galeraClientSSLMode: VERIFY_IDENTITY

The following values are supported: VERIFY_IDENTITY, VERIFY, REQUIRED and DISABLED. Refer to the MariaDB Enterprise Cluster documentation for further detail about these modes.

If you are willing to increase the enforcement level in an existing instance, make sure you follow the migration guide provided in the Enabling TLS in existing instances section.

Secure application connections with TLS

In this guide, we will configure TLS for an application running in the app namespace to connect with MariaDB and MaxScale instances deployed in the default namespace. We assume that the following resources are already present in the default namespace:

apiVersion: enterprise.mariadb.com/v1alpha1
kind: MariaDB
metadata:
  name: mariadb-galera
spec:
  rootPasswordSecretKeyRef:
    name: mariadb
    key: root-password
  storage:
    size: 1Gi
  replicas: 3
  galera:
    enabled: true
  tls:
    enabled: true
    required: true
---
apiVersion: enterprise.mariadb.com/v1alpha1
kind: MaxScale
metadata:
  name: maxscale-galera
spec:
  replicas: 2
  mariaDbRef:
    name: mariadb-galera
  tls:
    enabled: true

The first step is to create a User resource and grant the necessary permissions:

apiVersion: enterprise.mariadb.com/v1alpha1
kind: User
metadata:
  name: app
  namespace: app
spec:
  mariaDbRef:
    name: mariadb-galera
    namespace: default
  require:
    issuer: "/CN=mariadb-galera-ca"
    subject: "/CN=mariadb-galera-client"
  host: "%"
---
apiVersion: enterprise.mariadb.com/v1alpha1
kind: Grant
metadata:
  name: grant-app
  namespace: app
spec:
  mariaDbRef:
    name: mariadb-galera
    namespace: default
  privileges:
    - "ALL PRIVILEGES"
  database: "*"
  table: "*"
  username: app
  host: "%"

The app user will be able to connect to the MariaDB instance from the app namespace by providing a certificate with subject mariadb-galera-client and issued by the mariadb-galera-ca CA.

With the permissions in place, the next step is to prepare the certificates required for the application to connect:

CA Bundle: The trust bundle for MariaDB and MaxScale is available as a Secret named <instance-name>-ca-bundle in the default namespace. For more details, refer to the sections on CA bundle and distributing trust.
Client Certificate: MariaDB provides a default client certificate stored in a Secret named <mariadb-name>-client-cert in the default namespace. You can either use this Secret or generate a new one with the subject mariadb-galera-client, issued by the mariadb-galera-ca CA. While issuing client certificates for applications falls outside the scope of this operator, you can test them using Connection resources.

In this example, we assume that the following Secrets are available in the app namespace:

mariadb-bundle: CA bundle for the MariaDB and MaxScale instances.
mariadb-galera-client-cert: Client certificate required to connect to the MariaDB instance.

With these Secrets in place, we can proceed to define our application:

apiVersion: batch/v1
kind: CronJob
metadata:
  name: mariadb-client
  namespace: app
spec:
  schedule: "*/1 * * * *"
  jobTemplate:
    spec:
      template:
        spec:
          containers:
          - name: mariadb-client
            image: mariadb:11.4.4
            command:
              - bash
            args:
              - -c
              - >
                mariadb -u app -h mariadb-galera-primary.default.svc.cluster.local
                --ssl-ca=/etc/pki/ca.crt --ssl-cert=/etc/pki/tls.crt
                --ssl-key=/etc/pki/tls.key --ssl-verify-server-cert
                -e "SELECT 'MariaDB connection successful!' AS Status;" -t
            volumeMounts:
            - name: pki
              mountPath: /etc/pki
              readOnly: true
          volumes:
          - name: pki
            projected:
              sources:
              - secret:
                  name: mariadb-bundle
                  items:
                  - key: ca.crt
                    path: ca.crt
              - secret:
                  name: mariadb-galera-client-cert
                  items:
                  - key: tls.crt
                    path: tls.crt
                  - key: tls.key
                    path: tls.key
          restartPolicy: Never

The application will connect to the MariaDB instance using the app user, and will execute a simple query to check the connection status. The --ssl-ca, --ssl-cert, --ssl-key and --ssl-verify-server-cert flags are used to provide the CA bundle, client certificate and key, and to verify the server certificate respectively.

If the connection is successful, the output should be:

+---------------------------------+
| Status                          |
+---------------------------------+
| MariaDB connection successful!  |
+---------------------------------+

You can also point the application to the MaxScale instance by updating the host to maxscale-galera.default.svc.cluster.local:

apiVersion: batch/v1
kind: CronJob
metadata:
  name: maxscale-client
  namespace: app
spec:
  schedule: "*/1 * * * *"
  jobTemplate:
    spec:
      template:
        spec:
          containers:
          - name: maxscale-client
            image: mariadb:11.4.4
            command:
              - bash
            args:
              - -c
              - >
                mariadb -u app -h maxscale-galera.default.svc.cluster.local
                --ssl-ca=/etc/pki/ca.crt --ssl-cert=/etc/pki/tls.crt
                --ssl-key=/etc/pki/tls.key --ssl-verify-server-cert
                -e "SELECT 'MaxScale connection successful!' AS Status;" -t
            volumeMounts:
            - name: pki
              mountPath: /etc/pki
              readOnly: true
          volumes:
          - name: pki
            projected:
              sources:
              - secret:
                  name: mariadb-bundle
                  items:
                  - key: ca.crt
                    path: ca.crt
              - secret:
                  name: mariadb-galera-client-cert
                  items:
                  - key: tls.crt
                    path: tls.crt
                  - key: tls.key
                    path: tls.key
          restartPolicy: Never

If successful, the expected output is:

+---------------------------------+
| Status                          |
+---------------------------------+
| MaxScale connection successful! |
+---------------------------------+

Test TLS certificates with `Connections`

In order to validate your TLS setup, and to ensure that you TLS certificates are correctly issued and configured, you can use the Connection resource to test the connection to both your MariaDB and MaxScale instances:

apiVersion: enterprise.mariadb.com/v1alpha1
kind: Connection
metadata:
  name: connection
spec:
  mariaDbRef:
    name: mariadb-galera
  username: mariadb
  passwordSecretKeyRef:
    name: mariadb
    key: password
  tlsClientCertSecretRef:
    name: mariadb-galera-client-cert
  database: mariadb
  healthCheck:
    interval: 30s

apiVersion: enterprise.mariadb.com/v1alpha1
kind: Connection
metadata:
  name: connection-maxscale
spec:
  maxScaleRef:
    name: maxscale-galera
  username: mariadb
  passwordSecretKeyRef:
    name: mariadb
    key: password
  tlsClientCertSecretRef:
    name: mariadb-galera-client-cert
  database: mariadb
  healthCheck:
    interval: 30s

If successful, the Connection resource will be in a Ready state, which means that your TLS setup is correctly configured:

kubectl get connections
NAME                         READY   STATUS    SECRET                AGE
connection                   True    Healthy   connection            2m8s
connection-maxscale          True    Healthy   connection-maxscale   97s

This could be specially useful when providing your own certificates and issuing certificates for your applications.

Limitations

Galera and intermediate CAs

Leaf certificates issued by intermediate CAs are not supported by Galera, see MDEV-35812. This implies that a root CA must be used to issue the MariaDB certificates.

This doesn't affect MaxScale, as it is able to establish trust with intermediate CAs, and therefore you can still issue your application facing certificates (MaxScale listeners) with an intermediate CA, giving you more flexibility in your PKI setup.

MaxScale

Unlike MariaDB, TLS and non-TLS connections on the same port are not supported simultaneously.
TLS encryption must be enabled for listeners when they are created. For servers, the TLS can be enabled after creation but it cannot be disabled or altered.

Refer to the MaxScale documentation for further details.

Configuration

This documentation aims to provide guidance on various configuration aspects shared across many MariaDB Enterprise Operator CRs.

my.cnf

An inline can be provisioned in the MariaDB resource via the myCnf field:

apiVersion: enterprise.mariadb.com/v1alpha1
kind: MariaDB
metadata:
  name: mariadb
spec:
  ...
  myCnf: |
    [mariadb]
    bind-address=*
    default_storage_engine=InnoDB
    binlog_format=row
    innodb_autoinc_lock_mode=2
    innodb_buffer_pool_size=1024M
    max_allowed_packet=256M

In this field, you may provide any or supported by MariaDB.

Under the hood, the operator automatically creates a ConfigMap with the contents of the myCnf field, which will be mounted in the MariaDB instance. Alternatively, you can manage your own configuration using a pre-existing ConfigMap by linking it via myCnfConfigMapKeyRef. It is important to note that the key in this ConfigMap i.e. the config file name, must have a .cnf extension in order to be detected by MariaDB:

apiVersion: enterprise.mariadb.com/v1alpha1
kind: MariaDB
metadata:
  name: mariadb
spec:
  ...
  myCnfConfigMapKeyRef:
    name: mariadb
    key: mycnf

To ensure your configuration changes take effect, the operator triggers a MariaDB update whenever the myCnf field or the ConfigMap is updated. For the operator to detect changes in a ConfigMap, it must be labeled with enterprise.mariadb.com/watch. Refer to the external resources section for further detail.

Compute resources

CPU and memory resouces can be configured via the resources field in both the MariaDB and MaxScale CRs:

apiVersion: enterprise.mariadb.com/v1alpha1
kind: MariaDB
metadata:
  name: mariadb
spec:
  ...
  resources:
    requests:
      cpu: 1
      memory: 4Gi
    limits:
      memory: 4Gi

In the case of MariaDB, it is recommended to set the innodb_buffer_pool_size system variable to a value that is 70-80% of the available memory. This can be done via the myCnf field:

apiVersion: enterprise.mariadb.com/v1alpha1
kind: MariaDB
metadata:
  name: mariadb
spec:
  ...
  myCnf: |
    [mariadb]
    innodb_buffer_pool_size=3200M

Timezones

By default, MariaDB does not load timezone data on startup for performance reasons and defaults the timezone to SYSTEM, obtaining the timezone information from the environment where it runs. See the for further information.

You can explicitly configure a timezone in your MariaDB instance by setting the timeZone field:

apiVersion: enterprise.mariadb.com/v1alpha1
kind: MariaDB
metadata:
  name: mariadb-galera
spec:
  timeZone: "UTC"

This setting is immutable and implies loading the timezone data on startup.

In regards to Backup and SqlJob resources, which get reconciled into CronJobs, you can also define a timeZone associated with their cron expression:

apiVersion: enterprise.mariadb.com/v1alpha1
kind: Backup
metadata:
  name: backup-scheduled
spec:
  mariaDbRef:
    name: mariadb
  schedule:
    cron: "*/1 * * * *"
    suspend: false
  timeZone: "UTC"

If timeZone is not provided, the local timezone will be used, as described in the Kubernetes docs.

Passwords

Some CRs require passwords provided as Secret references to function properly. For instance, the root password for a MariaDB resource:

apiVersion: enterprise.mariadb.com/v1alpha1
kind: MariaDB
metadata:
  name: mariadb-galera
spec:
  rootPasswordSecretKeyRef:
    name: mariadb
    key: root-password

By default, fields like rootPasswordSecretKeyRef are optional and defaulted by the operator, resulting in random password generation if not provided:

apiVersion: enterprise.mariadb.com/v1alpha1
kind: MariaDB
metadata:
  name: mariadb-galera
spec:
  rootPasswordSecretKeyRef:
    name: mariadb
    key: root-password
    generate: true

You may choose to explicitly provide a Secret reference via rootPasswordSecretKeyRef and opt-out from random password generation by either not providing the generate field or setting it to false:

apiVersion: enterprise.mariadb.com/v1alpha1
kind: MariaDB
metadata:
  name: mariadb-galera
spec:
  rootPasswordSecretKeyRef:
    name: mariadb
    key: root-password
    generate: false

This way, we are telling the operator that we are expecting a Secret to be available eventually, enabling the use of GitOps tools to seed the password:

sealed-secrets: The Secret is reconciled from a SealedSecret, which is decrypted by the sealed-secrets controller.
external-secrets: The Secret is reconciled fom an ExternalSecret, which is read by the external-secrets controller from an external secrets source (Vault, AWS Secrets Manager ...).

External resources

Many CRs have a references to external resources (i.e. ConfigMap, Secret) not managed by the operator.

apiVersion: enterprise.mariadb.com/v1alpha1
kind: MariaDB
metadata:
  name: mariadb
spec:
  ...
  myCnfConfigMapKeyRef:
    name: mariadb
    key: mycnf

These external resources should be labeled with enterprise.mariadb.com/watch so the operator can watch them and perform reconciliations based on their changes. For example, see the my.cnf ConfigMap:

apiVersion: v1
kind: ConfigMap
metadata:
  name: mariadb
  labels:
    enterprise.mariadb.com/watch: ""
data:
  mycnf: |
    [mariadb]
    bind-address=*
    default_storage_engine=InnoDB
    binlog_format=row
    innodb_autoinc_lock_mode=2
    innodb_buffer_pool_size=1024M
    max_allowed_packet=256M

Probes

Kubernetes probes serve as an inversion of control mechanism, enabling the application to communicate its health status to Kubernetes. This enables Kubernetes to take appropriate actions when the application is unhealthy, such as restarting or stop sending traffic to Pods.

Make sure you check the Kubernetes documentation if you are unfamiliar with Kubernetes probes.

Fine tunning of probes for databases running in Kubernetes is critical, you may do so by tweaking the following fields:

apiVersion: enterprise.mariadb.com/v1alpha1
kind: MariaDB
metadata:
  name: mariadb-galera
spec:
  # Tune your liveness probe accordingly to avoid Pod restarts.
  livenessProbe:
    periodSeconds: 10
    timeoutSeconds: 5

  # Tune your readiness probe accordingly to prevent disruptions in network traffic.
  readinessProbe:
    periodSeconds: 10
    timeoutSeconds: 5

  # Tune your startup probe accordingly to ensure that the SST completes with a large amount of data.
  # failureThreshold × periodSeconds = 30 × 10 = 300s = 5m until the container gets restarted if unhealthy
  startupProbe:
    failureThreshold: 30
    periodSeconds: 10
    timeoutSeconds: 5

There isn't an universally correct default value for these thresholds, so we recommend determining your own based on factors like the compute resources, network, storage, and other aspects of the environment where your MariaDB and MaxScale instances are running.

Updates

By leveraging the automation provided by MariaDB Enterprise Operator, you can declaratively manage large fleets of databases using CRs. This also covers day two operations, such as upgrades, which can be risky when rolling out updates to thousands of instances simultaneously.

To mitigate this, and to give you full control on the upgrade process, you are able to choose between multiple update strategies described in the following sections.

Update strategies

In order to provide you with flexibility for updating MariaDB reliably, this operator supports multiple update strategies:

ReplicasFirstPrimaryLast: Roll out replica Pods one by one, wait for each of them to become ready, and then proceed with the primary Pod.
RollingUpdate: Utilize the rolling update strategy from Kubernetes.
OnDelete: Updates are performed manually by deleting Pods.
Never: Pause updates.

Configuration

The update strategy can be configured in the updateStrategy field of the MariaDB resource:

apiVersion: enterprise.mariadb.com/v1alpha1
kind: MariaDB
metadata:
  name: mariadb
spec:
  updateStrategy:
    type: ReplicasFirstPrimaryLast

It defaults to ReplicasFirstPrimaryLast if not provided.

Trigger updates

Updates are not limited to updating the image field in the MariaDB resource, an update will be triggered whenever any field of the Pod template is changed. This translates into making changes to MariaDB fields that map directly or indirectly to the Pod template, for instance, the CPU and memory resources:

apiVersion: enterprise.mariadb.com/v1alpha1
kind: MariaDB
metadata:
  name: mariadb
spec:
  ...
- image: docker.mariadb.com/enterprise-server:10.6.18-14.2
+ image: docker.mariadb.com/enterprise-server:10.6.19-15.1
  resources:
    requests:
      cpu: 200m
      memory: 128Mi
    limits:
-     memory: 1Gi
+     memory: 2Gi

Once the update is triggered, the operator manages it differently based on the selected update strategy.

`ReplicasFirstPrimaryLast`

This role-aware update strategy consists in rolling out the replica Pods one by one first, waiting for each of them become ready (i.e. readiness probe passed), and then proceed with the primary Pod. This is the default update strategy, as it can potentially meet various reliability requirements and minimize the risks associated with updates:

Write operations won't be affected until all the replica Pods have been rolled out. If something goes wrong in the update, such as an update to an incompatible MariaDB version, this is detected early when the replicas are being rolled out and the update operation will be paused at that point.
Read operations impact is minimized by only rolling one replica Pod at a time.
Waiting for every Pod to be synced minimizes the impact in the clustering protocols and the network.

`RollingUpdate`

This strategy leverages the rolling update strategy from the StatefulSet resource, which, unlike ReplicasFirstPrimaryLast, does not take into account the role of the Pods(primary or replica). Instead, it rolls out the Pods one by one, from the highest to the lowest StatefulSet index.

You are able to pass extra parameters to this strategy via the rollingUpdate object:

apiVersion: enterprise.mariadb.com/v1alpha1
kind: MariaDB
metadata:
  name: mariadb
spec:
  ...
  updateStrategy:
    type: RollingUpdate
    rollingUpdate:
      maxUnavailable: 1

`OnDelete`

This strategy aims to provide a method to update MariaDB resources manually by allowing the user to restart the Pods individually. This way, the user has full control over the update process and can decide which Pods are rolled out at any given time.

Whenever an update is triggered, the MariaDB will be marked as pending to update:

kubectl get mariadbs
NAME             READY   STATUS           PRIMARY            UPDATES    AGE
mariadb-galera   True    Pending update   mariadb-galera-0   OnDelete   5m17s

From this point, you are able to delete the Pods to trigger the update, which will result the MariaDB marked as updating:

kubectl get mariadbs
NAME             READY   STATUS         PRIMARY            UPDATES    AGE
mariadb-galera   True    Updating       mariadb-galera-0   OnDelete   9m50s

Once all the Pods have been rolled out, the MariaDB resource will be back to a ready state:

NAME             READY   STATUS         PRIMARY            UPDATES    AGE
mariadb-galera   True    Running        mariadb-galera-0   OnDelete   12m

`Never`

The operator will not perform updates on the StatefulSet whenever this update strategy is configured. This could be useful in multiple scenarios:

Progressive fleet upgrades: If you're managing large fleets of databases, you likely prefer to roll out updates progressively rather than simultaneously across all instances.
Operator upgrades: When upgrading the operator, changes to the StatefulSet or the Pod template may occur from one version to another, which could trigger a rolling update of your MariaDB instances.

Data-plane updates

Galera relies on data-plane containers that run alongside MariaDB to implement provisioning and high availability operations on the cluster. These containers use the mariadb-enterprise-operator image, which can be automatically updated by the operator based on its image version:

apiVersion: enterprise.mariadb.com/v1alpha1
kind: MariaDB
metadata:
  name: mariadb-galera
spec:
  updateStrategy:
    autoUpdateDataPlane: true

By default, updateStrategy.autoUpdateDataPlane is false, which means that no automatic upgrades will be performed, but you can opt-in/opt-out from this feature at any point in time by updating this field. For instance, you may want to selectively enable updateStrategy.autoUpdateDataPlane in a subset of your MariaDB instances after the operator has been upgraded to a newer version, and then disable it once the upgrades are completed.

It is important to note that this feature is fully compatible with the Never strategy: no upgrades will happen when updateStrategy.autoUpdateDataPlane=true and updateStrategy.type=Never.

SQL Resources

MariaDB Operator Enterprise enables you to manage SQL resources declaratively through CRs. By SQL resources, we refer to users, grants, and databases that are typically created using SQL statements.

The key advantage of this approach is that, unlike executing SQL statements manually, which is a one-time operation, declaring a SQL resource via a CR ensures that the resource is periodically reconciled by the operator. This provides a guarantee that the resource will be recreated if it gets manually deleted. Additionally, it prevents state drifts, as the operator will regularly update the resource according to the CR specification.

`User` CR

By creating this resource, you are declaring an intent to create an user in the referred MariaDB instance, just like a statement would do:

apiVersion: enterprise.mariadb.com/v1alpha1
kind: User
metadata:
  name: bob
spec:
  mariaDbRef:
    name: mariadb
  passwordSecretKeyRef:
    name: bob-password
    key: password
  maxUserConnections: 20
  host: "%"
  cleanupPolicy: Delete

In the example above, a user named bob identified by the password available in the bob-password Secret will be created in the mariadb instance.

Refer to the API reference for more detailed information about every field.

Custom name

By default, the CR name is used to create the user in the database, but you can specify a different one providing the name field under spec:

apiVersion: enterprise.mariadb.com/v1alpha1
kind: User
metadata:
  name: user
spec:
  name: user-custom

`Grant` CR

By creating this resource, you are declaring an intent to grant permissions to a given user in the referred MariaDB instance, just like a statement would do.

apiVersion: enterprise.mariadb.com/v1alpha1
kind: Grant
metadata:
  name: grant-bob
spec:
  mariaDbRef:
    name: mariadb
  privileges:
    - "SELECT"
    - "INSERT"
    - "UPDATE"
  database: "*"
  table: "*"
  username: bob
  grantOption: true
  host: "%"

You may provide any set of .

Refer to the API reference for more detailed information about every field.

`Database` CR

By creating this resource, you are declaring an intent to create a logical database in the referred MariaDB instance, just like a statement would do:

apiVersion: enterprise.mariadb.com/v1alpha1
kind: Database
metadata:
  name: wordpress
spec:
  mariaDbRef:
    name: mariadb
  characterSet: utf8
  collate: utf8_general_ci

Refer to the API reference for more detailed information about every field.

Custom name

By default, the CR name is used to create the user in the database, but you can specify a different one providing the name field under spec:

apiVersion: enterprise.mariadb.com/v1alpha1
kind: Database
metadata:
  name: database
spec:
  name: database-custom

Initial `User`, `Grant` and `Database`

If you only need one user to interact with a single logical database, you can use of the MariaDB resource to configure it, instead of creating the User, Grant and Database resources separately:

apiVersion: enterprise.mariadb.com/v1alpha1
kind: MariaDB
metadata:
  name: mariadb
spec:
  username: bob
  passwordSecretKeyRef:
    name: bob-password
    key: password
  database: wordpress

Behind the scenes, the operator will be creating an User resource with ALL PRIVILEGES in the initial Database.

Authentication plugins

This feature requires the skip-strict-password-validation option to be set. See: .

Passwords can be supplied using the passwordSecretKeyRef field in the User CR. This is a reference to a Secret that contains a password in plain text.

Alternatively, you can use to avoid passing passwords in plain text and provide the password in a hashed format instead. This doesn't affect the end user experience, as they will still need to provide the password in plain text to authenticate.

Password hash

Provide the password hashed using the function:

apiVersion: v1
kind: Secret
metadata:
  name: mariadb-auth
stringData:
  passwordHash: "*57685B4F0FF9D049082E296E2C39354B7A98774E"
---
apiVersion: enterprise.mariadb.com/v1alpha1
kind: User
metadata:
  name: user-password-hash
spec:
  mariaDbRef:
    name: mariadb
  passwordHashSecretKeyRef:
    name: mariadb-auth
    key: passwordHash
  host: "%"

The password hash can be obtained by executing SELECT PASSWORD('<password>'); in an existing MariaDB installation.

Password plugin

Provide the password hashed using any of the available , for example mysql_native_password:

apiVersion: v1
kind: Secret
metadata:
  name: mariadb-auth
stringData:
  passwordHash: "*57685B4F0FF9D049082E296E2C39354B7A98774E"
  nativePasswordPlugin: mysql_native_password
---
apiVersion: enterprise.mariadb.com/v1alpha1
kind: User
metadata:
  name: user-password-plugin
spec:
  mariaDbRef:
    name: mariadb
  passwordPlugin:
    pluginNameSecretKeyRef:
        name: mariadb-auth
        key: nativePasswordPlugin
    pluginArgSecretKeyRef:
        name: mariadb-auth
        key: passwordHash
  host: "%"

The plugin name should be available in a Secret referenced by pluginNameSecretKeyRef and the argument passed to it in pluginArgSecretKeyRef. The argument is the hashed password in most cases, refer to the for further detail.

Configure reconciliation

As we previously mentioned, SQL resources are periodically reconciled by the operator into SQL statements. You are able to configure the reconciliation interval using the following fields:

apiVersion: enterprise.mariadb.com/v1alpha1
kind: User
metadata:
  name: user
spec:
  requeueInterval: 30s
  retryInterval: 5s

If the SQL statement executed by the operator is successful, it will schedule the next reconciliation cycle using the requeueInterval. If the statement encounters an error, the operator will use the retryInterval instead.

Cleanup policy

Whenever you delete a SQL resource, the operator will also delete the associated resource in the database. This is the default behaviour, that can also be achieved by setting cleanupPolicy=Delete:

apiVersion: enterprise.mariadb.com/v1alpha1
kind: User
metadata:
  name: user
spec:
  cleanupPolicy: Delete

You can opt-out from this cleanup process using cleanupPolicy=Skip. Note that this resources will remain in the database.

Metadata

This documentation shows how to configure metadata in the MariaDB Enterprise Operator CRs.

Children object metadata

MariaDB and MaxScale resources allow you to propagate metadata to all the children objects by specifying the inheritMetadata field:

apiVersion: enterprise.mariadb.com/v1alpha1
kind: MariaDB
metadata:
  name: mariadb-galera
spec:
  inheritMetadata:
    labels:
      database.myorg.io: mariadb
    annotations:
      database.myorg.io: mariadb

This means that all the reconciled objects will inherit these labels and annotations. For instance, see the Services and Pods:

apiVersion: v1
kind: Service
metadata:
  annotations:
    database.myorg.io: mariadb
  labels:
    database.myorg.io: mariadb
  name: mariadb-galera-primary

apiVersion: v1
kind: Pod
metadata:
  annotations:
    database.myorg.io: mariadb
  labels:
    database.myorg.io: mariadb
  name: mariadb-galera-0

`Pod` metadata

You have the ability to provide dedicated metadata for Pods by specifying the podMetadata field in any CR that reconciles a Pod, for instance: MariaDB, MaxScale, Backup, Restore and SqlJobs:

apiVersion: enterprise.mariadb.com/v1alpha1
kind: Backup
metadata:
  name: backup
spec:
  inheritMetadata:
    labels:
      sidecar.istio.io/inject: "true"
    annotations:
      database.myorg.io: mariadb
  podMetadata:
    labels:
      sidecar.istio.io/inject: "false"

It is important to note that the podMetadata field supersedes the inheritMetadata field, therefore the labels and annotations provided in the former will override the ones in the latter.

`Service` metadata

Provision dedicated metadata for Services in the MariaDB resources can be done via the service, primaryService and secondaryService fields:

apiVersion: enterprise.mariadb.com/v1alpha1
kind: MariaDB
metadata:
  name: mariadb-galera
spec:
  service:
    type: LoadBalancer
    metadata:
      annotations:
        metallb.universe.tf/loadBalancerIPs: 172.18.0.150

  primaryService:
    type: LoadBalancer
    metadata:
      annotations:
        metallb.universe.tf/loadBalancerIPs: 172.18.0.160

  secondaryService:
    type: LoadBalancer
    metadata:
      annotations:
        metallb.universe.tf/loadBalancerIPs: 172.18.0.161

In the case of MaxScale, you can also do this via the kubernetesService field.

Refer to the to know more about the Service fields and MaxScale.

`PVC` metadata

Both MariaDB and MaxScale allow you to define a volumeClaimTemplate to be used by the underlying StatefulSet. You may also define metadata for it:

apiVersion: enterprise.mariadb.com/v1alpha1
kind: MariaDB
metadata:
  name: mariadb-galera
spec:
  storage:
    size: 1Gi
    volumeClaimTemplate:
      metadata:
        annotations:
          database.myorg.io: mariadb
        labels:
          database.myorg.io: mariadb
      accessModes:
      - ReadWriteOnce
      resources:
        requests:
          storage: 1Gi

Use cases

Being able to provide metadata allows you to integrate with other CNCF landscape projects:

Metallb

If you run on bare metal and you use Metallb for managing the LoadBalancer objects, you can declare its IPs via annotations:

apiVersion: enterprise.mariadb.com/v1alpha1
kind: MariaDB
metadata:
  name: mariadb-galera
spec:
  service:
    type: LoadBalancer
    metadata:
      annotations:
        metallb.universe.tf/loadBalancerIPs: 172.18.0.150

Istio

Istio injects the data-plane container to all Pods, but you might want to opt-out of this feature in some cases:

apiVersion: enterprise.mariadb.com/v1alpha1
kind: Backup
metadata:
  name: backup
spec:
  podMetadata:
    labels:
      sidecar.istio.io/inject: "false"

For instance, you probably don't want to inject the Istio sidecar to Backup Pods, as it will prevent the Jobs from finishing and therefore your backup process will hang.

Suspend Reconciliation

Suspended state

When a resource is suspended, all operations performed by the operator are disabled, including but not limited to:

Provisioning
Upgrades
Volume resize
Galera cluster recovery

More specifically, the reconciliation loop of the operator is omitted, anything part of it will not happen while the resource is suspended. This could be useful in maintenance scenarios, where manual operations need to be performed, as it helps prevent conflicts with the operator.

Suspend a resource

Currently, only MariaDB and MaxScale resources support suspension. You can enable it by setting suspend=true:

apiVersion: enterprise.mariadb.com/v1alpha1
kind: MariaDB
metadata:
  name: mariadb-galera
spec:
  suspend: true

This results in the reconciliation loop being disabled and the status being marked as Suspended:

kubectl get mariadbs
NAME             READY   STATUS      PRIMARY           UPDATES                   AGE
mariadb-galera   True    Suspended   mariadb-galera-0  ReplicasFirstPrimaryLast  12m

To re-enable it, simply remove the suspend setting or set it to suspend=false.

Examples Catalog

The contains a number of sample manifests that aim to show the operator functionality in a practical way. Follow these instructions for getting started:

Download the :

Install the configuration shared by all the examples:

Start deploying examples:

Some examples rely on external dependencies for specific tasks, make sure to install them when it applies:

for metrics
for TLS certificates
for S3 object storage

It is recommended to complement the examples with the documentation to understand the full range of configuration options available.

If you are looking for production-grade examples, you can check the mariadb_galera_production.yaml and maxscale_galera_production.yaml examples.

Migrations

Learn about migrations with MariaDB Enterprise Operator. This section covers strategies and procedures for smoothly migrating your MariaDB databases within Kubernetes environments.

Enabling TLS in existing instances

In this guide, we will be migrating existing MariaDB Galera and MaxScale instances to TLS without downtime.

1. Ensure that MariaDB has TLS enabled and not enforced. Set the following options if needed:

apiVersion: enterprise.mariadb.com/v1alpha1
kind: MariaDB
metadata:
  name: mariadb-galera
spec:
  tls:
+   enabled: true
+   required: false
+   galeraSSTEnabled: false
+   galeraServerSSLMode: PROVIDER
+   galeraClientSSLMode: DISABLED

By setting these options, the operator will issue and configure certificates for MariaDB, but TLS will not be enforced in the connections i.e. both TLS and non-TLS connections will be accepted. TLS enforcement will be optionally configured at the end of the migration process.

This will trigger a rolling upgrade, make sure it finishes successfully before proceeding with the next step. Refer to the updates documentation for further information about update strategies.

2. If you are currently using MaxScale, it is important to note that, unlike MariaDB, it does not support TLS and non-TLS connections simultaneously (see limitations). For this reason, you must temporarily point your applications to MariaDB during the migration process. You can achieve this by configuring your application to use the . At the end of the MariaDB migration process, the MaxScale instance will need to be recreated in order to use TLS, and then you will be able to point your application back to MaxScale. Ensure that all applications are pointing to MariaDB before moving on to the next step.

3. MariaDB is now accepting TLS connections. The next step is migrating your applications to use TLS by pointing them to MariaDB securely. Ensure that all applications are connecting to MariaDB via TLS before proceeding to the next step.

4. If you are currently using MaxScale, and you are planning to connect via TLS through it, you should now delete your MaxScale instance. If needed, keep a copy of the MaxScale manifest, as we will need to recreate it with TLS enabled in further steps:

kubectl get mxs maxscale-galera -o yaml > maxscale-galera.yaml
kubectl delete mxs maxscale-galera

It is very important that you wait until your old MaxScale instance is fully terminated to make sure that the old configuration is cleaned up by the operator.

5. For enhanced security, it is recommended to enforce TLS in all MariaDB connections by setting the following options. This will trigger a rolling upgrade, make sure it finishes successfully before proceeding with the next step:

apiVersion: enterprise.mariadb.com/v1alpha1
kind: MariaDB
metadata:
  name: mariadb-galera
spec:
  tls:
+   required: true
+   galeraServerSSLMode: SERVER_X509

6. For improved security, you can optionally configure TLS for Galera SSTs by following the steps below:

Get the migration script and grant execute permissions:

curl -sLO https://operator.mariadb.com/scripts/migrate_galera_ssl.sh
chmod +x migrate_galera_ssl.sh

Run the migration script. Make sure you set <mariadb-name> with the name of the MariaDB resource:

./migrate_galera_ssl.sh <mariadb-name>

Set the following option to enable TLS for Galera SSTs:

apiVersion: enterprise.mariadb.com/v1alpha1
kind: MariaDB
metadata:
  name: mariadb-galera
spec:
  tls:
+   galeraSSTEnabled: true
+   galeraClientSSLMode: VERIFY_IDENTITY

This will trigger a rolling upgrade, make sure it finishes successfully before proceeding with the next step

7. As mentioned in step 4, recreate your MaxScale instance with tls.enabled=true if needed:

apiVersion: enterprise.mariadb.com/v1alpha1
kind: MaxScale
metadata:
  name: maxscale-galera
spec:
+ tls:
+   enabled: true

8. MaxScale is now accepting TLS connections. Next, you need to migrate your applications to use TLS by pointing them back to MaxScale securely. You have done this previously for MariaDB, you just need to update your application configuration to use the MaxScale Service and its CA bundle.

Migrate Community operator to Enterprise operator

In this guide, we will be migrating from the to the without downtime. This guide assumes:

version of the MariaDB Community Operator is installed in the cluster.
MariaDB community resources will be migrated to its counterpart MariaDB enterprise resource. In this case, we will be using 11.4.4 version, which is supported in both community and enterprise versions. Check the supported and migrate to a counterpart community version first if needed.
MaxScale resources cannot be migrated in a similar way, they need to be recreated. To avoid downtime, temporarily point your applications to MariaDB directly during the migration.

1. Install the Enterprise CRDs as described in the .

2. Get the and grant execute permissions:

3. Migrate MariaDB resources using the migration script. Make sure you set <mariadb-name> with the name of the MariaDB resource to be migrated and <operator-version> with the version of the Enterprise operator you will be installing:

4. Update the apiVersion of the rest of CRs to enterprise.mariadb.com/v1alpha1.

5. Uninstall the Community operator:

6. If your MariaDB Community had Galera enabled, delete the <mariadb-name> Role, as it will be specyfing the Community CRDs:

7. Install the Enterprise operator as described in the . This will trigger a rolling upgrade, make sure it finishes successfully before proceeding with the next step.

8. Delete the finalizers and uninstall the Community CRDs:

9. Run mariadb-upgrade in all Pods. Make sure you set <mariadb-name> with the name of the MariaDB resource:

10. Restart the Enterprise operator:

Migrate external MariaDB into Kubernetes

In this guide, we will be migrating an external MariaDB into a new MariaDB instance running in Kubernetes and managed by MariaDB Enterprise Operator. We will be using for achieving this migration.

Ensure you understand the in the MariaDB Enterprise Operator.

1. Take a logical backup of your external MariaDB using one of the commands below:

If you are currently using or migrating to a Galera instance, use the following command instead:

2. Ensure that your backup file matches the following format: backup.2024-08-26T12:24:34Z.sql. If the file name does not follow this format, it will be ignored by the operator.

3. Upload the backup file to one of the supported . We recommend using S3.

4. Create your MariaDB resource declaring that you want to and providing a that matches the backup:

5. If you are using Galera in your new instance, migrate your previous users and grants to use the User and Grant CRs. Refer to the for further detail.

Migrate to Enterprise Operator 25.08

This guide illustrates, step by step, how to migrate to 25.8.0 from previous versions.

Uninstall you current mariadb-enterprise-operator for preventing conflicts:

helm uninstall mariadb-enterprise-operator

Alternatively, you may only downscale and delete the webhook configurations:

kubectl scale deployment mariadb-enterprise-operator --replicas=0
kubectl scale deployment mariadb-enterprise-operator-webhook --replicas=0
kubectl delete validatingwebhookconfiguration mariadb-enterprise-operator-webhook
kubectl delete mutatingwebhookconfiguration mariadb-enterprise-operator-webhook

Upgrade mariadb-enterprise-operator-crds to 25.8.0:

helm repo update mariadb-enterprise-operator
helm upgrade --install mariadb-enterprise-operator-crds  mariadb-enterprise-operator/mariadb-enterprise-operator-crds --version 25.8.0

The Galera data-plane must be updated to the 25.8.0 version.

If you want the operator to automatically update the data-plane (i.e. init and agent containers), you can set updateStrategy.autoUpdateDataPlane=true in your MariaDB resources:

apiVersion: enterprise.mariadb.com/v1alpha1
kind: MariaDB
metadata:
  name: mariadb-galera
spec:
  updateStrategy:
+   autoUpdateDataPlane: true

Alternatively, you can also do this manually:

apiVersion: enterprise.mariadb.com/v1alpha1
kind: MariaDB
metadata:
  name: mariadb
spec:
  galera:
    agent:
-      image: docker.mariadb.com/mariadb-enterprise-operator:1.0.0
+      image: docker.mariadb.com/mariadb-enterprise-operator:25.8.0
    initContainer:
-      image: docker.mariadb.com/mariadb-enterprise-operator:1.0.0
+      image: docker.mariadb.com/mariadb-enterprise-operator:25.8.0

Upgrade mariadb-enterprise-operator to 25.8.0:

helm repo update mariadb-enterprise-operator
helm upgrade --install mariadb-enterprise-operator mariadb-enterprise-operator/mariadb-enterprise-operator --version 25.8.0

If you previously decided to downscale the operator, make sure you upscale it back:

kubectl scale deployment mariadb-enterprise-operator --replicas=1
kubectl scale deployment mariadb-enterprise-operator-webhook --replicas=1

If you previously set updateStratety.autoUpdateDataPlane=true, you may consider reverting the changes once the upgrades have finished:

apiVersion: enterprise.mariadb.com/v1alpha1
kind: MariaDB
metadata:
  name: mariadb-galera
spec:
  updateStrategy:
+   autoUpdateDataPlane: false
-   autoUpdateDataPlane: true

TLS

`MariaDB` configuration

This section covers TLS configuration in new instances. If you are looking to migrate an existing instance to use TLS, please refer to Enabling TLS in existing instances instead.

TLS can be configured in MariaDB resources by setting tls.enabled=true:

apiVersion: enterprise.mariadb.com/v1alpha1
kind: MariaDB
metadata:
  name: mariadb-galera
spec:
  ...
  tls:
    enabled: true

If you want to enforce TLS connections, you can set tls.required=true:

apiVersion: enterprise.mariadb.com/v1alpha1
kind: MariaDB
metadata:
  name: mariadb-galera
spec:
  ...
  tls:
    enabled: true
    required: true

This approach ensures that any unencrypted connection will fail, effectively enforcing security best practices.

If you want to fully opt-out from TLS, you can set tls.enabled=false:

apiVersion: enterprise.mariadb.com/v1alpha1
kind: MariaDB
metadata:
  name: mariadb-galera
spec:
  ...
  tls:
    enabled: false

This will disable certificate issuance, resulting in all connections being unencrypted.

Refer to further sections for a more advanced TLS configuration.

`MaxScale` configuration

This section covers TLS configuration in new instances. If you are looking to migrate an existing instance to use TLS, please refer to Enabling TLS in existing instances instead.

apiVersion: enterprise.mariadb.com/v1alpha1
kind: MaxScale
metadata:
  name: maxscale-galera
spec:
  ...
  mariaDbRef:
    name: mariadb-galera
  tls:
    enabled: true

If you want to fully opt-out from TLS, you can set tls.enabled=false. This should only be done when MariaDB TLS is not enforced or disabled:

apiVersion: enterprise.mariadb.com/v1alpha1
kind: MaxScale
metadata:
  name: maxscale-galera
spec:
  ...
  mariaDbRef:
    name: mariadb-galera
  tls:
    enabled: false

This will disable certificate issuance, resulting in all connections being unencrypted.

Refer to further sections for a more advanced TLS configuration.

`MariaDB` certificate specification

The MariaDB TLS setup consists of the following certificates:

Certificate Authority (CA) keypair to issue the server certificate.
Server leaf certificate used to encrypt server connections.
Certificate Authority (CA) keypair to issue the client certificate.
Client leaf certificate used to encrypt and authenticate client connections.

The server certificate contains the following Subject Alternative Names (SANs):

<mariadb-name>.<namespace>.svc.<cluster-name>
<mariadb-name>.<namespace>.svc
<mariadb-name>.<namespace>
<mariadb-name>
*.<mariadb-name>-internal.<namespace>.svc.<cluster-name>
*.<mariadb-name>-internal.<namespace>.svc
*.<mariadb-name>-internal.<namespace>
*.<mariadb-name>-internal
<mariadb-name>-primary.<namespace>.svc.<cluster-name>
<mariadb-name>-primary.<namespace>.svc
<mariadb-name>-primary.<namespace>
<mariadb-name>-primary
<mariadb-name>-secondary.<namespace>.svc.<cluster-name>
<mariadb-name>-secondary.<namespace>.svc
<mariadb-name>-secondary.<namespace>
<mariadb-name>-secondary
localhost

Whereas the client certificate is only valid for the <mariadb-name>-client SAN.

`MaxScale` certificate specification

The MaxScale TLS setup consists of the following certificates:

Certificate Authority (CA) keypair to issue the admin certificate.
Admin leaf certificate used to encrypt the administrative REST API and GUI.
Certificate Authority (CA) keypair to issue the listener certificate.
Listener leaf certificate used to encrypt database connections to the listener.
Server CA bundle used to establish trust with the MariaDB server.
Server leaf certificate used to connect to the MariaDB server.

Both the admin and listener certificates contain the following Subject Alternative Names (SANs):

<maxscale-name>.<namespace>.svc.<clusername>
<maxscale-name>.<namespace>.svc
<maxscale-name>.<namespace>
<maxscale-name>
<maxscale-name>-gui.<namespace>.svc.<clusername>
<maxscale-name>-gui.<namespace>.svc
<maxscale-name>-gui.<namespace>
<maxscale-name>-gui
*.<maxscale-name>-internal.<namespace>.svc.<clusername>
*.<maxscale-name>-internal.<namespace>.svc
*.<maxscale-name>-internal.<namespace>
*.<maxscale-name>-internal

For details about the server certificate, see MariaDB certificate specification.

CA bundle

Issue certificates with the operator

By setting tls.enabled=true, the operator will generate a root CA for each instance, which will be used to issue the certificates described in the MariaDB cert spec and MaxScale cert spec sections:

apiVersion: enterprise.mariadb.com/v1alpha1
kind: MariaDB
metadata:
  name: mariadb
spec:
  ...
  tls:
    enabled: true

apiVersion: enterprise.mariadb.com/v1alpha1
kind: MaxScale
metadata:
  name: maxscale
spec:
  ...
  tls:
    enabled: true

To establish trust with the instances, the CA's public key will be added to the CA bundle. If you need a different trust chain, please refer to the custom trust section.

Issue certificates with cert-manager

cert-manager must be previously installed in the cluster in order to use this feature.

As an example, we are going to setup an in-cluster root CA ClusterIssuer:

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: selfsigned
spec:
  selfSigned: {}
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: root-ca
  namespace: default
spec:
  duration: 52596h # 6 years
  commonName: root-ca
  usages:
  - digital signature
  - key encipherment
  - cert sign
  issuerRef:
    name: selfsigned
    kind: ClusterIssuer
  isCA: true
  privateKey:
    encoding: PKCS1
    algorithm: ECDSA
    size: 256
  secretTemplate:
    labels:
      enterprise.mariadb.com/watch: ""
  secretName: root-ca
  revisionHistoryLimit: 10
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: root-ca
spec:
  ca:
    secretName: root-ca

Then, you can reference the ClusterIssuer in the MariaDB and MaxScale resources:

apiVersion: enterprise.mariadb.com/v1alpha1
kind: MariaDB
metadata:
  name: mariadb-galera
spec:
  ...
  tls:
    enabled: true
    serverCertIssuerRef:
      name: root-ca
      kind: ClusterIssuer
    clientCertIssuerRef:
      name: root-ca
      kind: ClusterIssuer

apiVersion: enterprise.mariadb.com/v1alpha1
kind: MaxScale
metadata:
  name: maxscale-galera
spec:
  ...
  tls:
    enabled: true
    adminCertIssuerRef:
      name: root-ca
      kind: ClusterIssuer
    listenerCertIssuerRef:
      name: root-ca
      kind: ClusterIssuer

Provide your own certificates

The CA certificate must be provided as a Secret with the following structure:

apiVersion: v1
kind: Secret
type: Opaque
metadata:
  name: mariadb-galera-server-ca
  labels:
    enterprise.mariadb.com/watch: ""
data:
  ca.crt:
  -----BEGIN CERTIFICATE-----
  <public-key>
  -----END CERTIFICATE-----
  ca.key:
  -----BEGIN EC PRIVATE KEY-----
  <private-key>
  -----END EC PRIVATE KEY-----

The enterprise.mariadb.com/watch label is required only if you want the operator to automatically trigger an update when the CA is renewed, see CA renewal for more detail.

The leaf certificate must match the previous CA's public key, and it should provided as a TLS Secret with the following structure:

apiVersion: v1
kind: Secret
type: kubernetes.io/tls  
metadata:
  name: mariadb-galera-server-tls 
  labels:
    enterprise.mariadb.com/watch: ""
data:
  tls.crt:
  -----BEGIN CERTIFICATE-----
  <public-key>
  -----END CERTIFICATE-----
  tls.key:
  -----BEGIN EC PRIVATE KEY-----
  <private-key>
  -----END EC PRIVATE KEY-----

The enterprise.mariadb.com/watch label is required only if you want the operator to automatically trigger an update when the certificate is renewed, see cert renewal for more detail.

Once the certificate Secrets are available in the cluster, you can create the MariaDB and MaxScale resources referencing them:

apiVersion: enterprise.mariadb.com/v1alpha1
kind: MariaDB
metadata:
  name: mariadb-galera
spec:
  ...
  tls:
    enabled: true
    serverCASecretRef:
      name: mariadb-server-ca
    serverCertSecretRef:
      name: mariadb-galera-server-tls
    clientCASecretRef:
      name: mariadb-client-ca
    clientCertSecretRef:
      name: mariadb-galera-client-tls

apiVersion: enterprise.mariadb.com/v1alpha1
kind: MaxScale
metadata:
  name: maxscale-galera
spec:
  ...
  tls:
    enabled: true
    adminCASecretRef:
      name: maxscale-admin-ca
    adminCertSecretRef:
      name: maxscale-galera-admin-tls
    listenerCASecretRef:
      name: maxscale-listener-ca
    listenerCertSecretRef:
      name: maxscale-galera-listener-tls
    serverCASecretRef:
      name: mariadb-galera-ca-bundle
    serverCertSecretRef:
      name: mariadb-galera-client-tls

Bring your own CA

If you already have a CA setup outside of Kubernetes, you can use it with the operator by providing the CA certificate as a Secret with the following structure:

apiVersion: v1
kind: Secret
type: Opaque
metadata:
  name: mariadb-ca
  labels:
    enterprise.mariadb.com/watch: ""
data:
  ca.crt:
  -----BEGIN CERTIFICATE-----
  <public-key>
  -----END CERTIFICATE-----
  ca.key:
  -----BEGIN EC PRIVATE KEY-----
  <private-key>
  -----END EC PRIVATE KEY-----

Just by providing a reference to this Secret, the operator will use it to issue leaf certificates instead of generating a new CA:

apiVersion: enterprise.mariadb.com/v1alpha1
kind: MariaDB
metadata:
  name: mariadb-galera
spec:
  ...
  tls:
    enabled: true
    serverCASecretRef:
      name: mariadb-server-ca
    clientCASecretRef:
      name: mariadb-client-ca

Intermediate CAs

Custom trust

You are able to provide a set of CA public keys to be added to the CA bundle by creating a Secret with the following structure:

apiVersion: v1
kind: Secret
type: Opaque
metadata:
  name: custom-trust
  labels:
    enterprise.mariadb.com/watch: ""
data:
  ca.crt:
  -----BEGIN CERTIFICATE-----
  <my-org-root-ca>
  -----END CERTIFICATE-----
  -----BEGIN CERTIFICATE-----
  <root-ca>
  -----END CERTIFICATE-----

And referencing it in the MariaDB and MaxScale resources, for instance:

apiVersion: enterprise.mariadb.com/v1alpha1
kind: MaxScale
metadata:
  name: maxscale-galera
spec:
  ...
  tls:
    enabled: true
    adminCASecretRef:
      name: custom-trust
    adminCertIssuerRef:
      name: my-org-intermediate-ca
      kind: ClusterIssuer
    listenerCASecretRef:
      name: custom-trust
    listenerCertIssuerRef:
      name: intermediate-ca
      kind: ClusterIssuer

This is specially useful when issuing certificates with an intermediate CA, see intermediate CAs section for further detail.

Distributing trust

Distributing the CA bundle to your application namespace is out of the scope of this operator, the bundles will remain in the same namespace as the MariaDB and MaxScale instances.

TLS version configuration

You may configure the supported TLS versions in MariaDB by setting:

apiVersion: enterprise.mariadb.com/v1alpha1
kind: MariaDB
metadata:
  name: mariadb-galera
spec:
  tls:
    versions:
      - TLSv1.3
      - TLSv1.2
      - TLSv1.1
      - TLSv1.0

If not specified, the MariaDB's default TLS versions will be used. See .

Regarding MaxScale, you can also configure the supported TLS versions, both for the Admin REST API and MariaDB servers:

apiVersion: enterprise.mariadb.com/v1alpha1
kind: MaxScale
metadata:
  name: maxscale-galera
spec:
  ...
  tls:
    adminVersions:
      - TLSv13
      - TLSv12
      - TLSv11
      - TLSv10
    serverVersions:
      - TLSv13
      - TLSv12
      - TLSv11
      - TLSv10

If not specified, the MaxScale's default TLS versions will be used. See MaxScale docs:

Certificate lifetime configuration

apiVersion: enterprise.mariadb.com/v1alpha1
kind: MariaDB
metadata:
  name: mariadb-galera
spec:
  tls:
    enabled: true
    required: true
    serverCertConfig:
      caLifetime: 8766h # 1 year
      certLifetime: 720h # 1 month
    clientCertConfig:
      caLifetime: 8766h # 1 year
      certLifetime: 720h # 1 month

apiVersion: enterprise.mariadb.com/v1alpha1
kind: MaxScale
metadata:
  name: maxscale-galera
spec:
  tls:
    enabled: true
    adminCertConfig:
      caLifetime: 8766h # 1 year
      certLifetime: 1h # 1 month
    listenerCertConfig:
      caLifetime: 8766h # 1 year
      certLifetime: 720h # 1 month

When issuing certificates with cert-manager, you can specify the certificate configuration field alongside the issuer reference:

apiVersion: enterprise.mariadb.com/v1alpha1
kind: MariaDB
metadata:
  name: mariadb-galera
spec:
  tls:
    enabled: true
    required: true
    serverCertIssuerRef:
      name: root-ca
      kind: ClusterIssuer
    serverCertConfig:
      caLifetime: 8766h # 1 year
      certLifetime: 720h # 1 month
    clientCertIssuerRef:
      name: root-ca
      kind: ClusterIssuer
    clientCertConfig:
      caLifetime: 8766h # 1 year
      certLifetime: 720h # 1 month

apiVersion: enterprise.mariadb.com/v1alpha1
kind: MaxScale
metadata:
  name: maxscale-galera
spec:
  tls:
    enabled: true
    adminCertIssuerRef:
      name: root-ca
      kind: ClusterIssuer
    adminCertConfig:
      caLifetime: 8766h # 1 year
      certLifetime: 1h # 1 month
    listenerCertIssuerRef:
      name: root-ca
      kind: ClusterIssuer
    listenerCertConfig:
      caLifetime: 8766h # 1 year
      certLifetime: 720h # 1 month

Private key configuration

apiVersion: enterprise.mariadb.com/v1alpha1
kind: MariaDB
metadata:
  name: mariadb-galera
spec:
  tls:
    enabled: true
    required: true
    serverCertConfig:
      privateKeyAlgorithm: RSA
      privateKeySize: 2048
    clientCertConfig:
      privateKeyAlgorithm: RSA
      privateKeySize: 2048

apiVersion: enterprise.mariadb.com/v1alpha1
kind: MaxScale
metadata:
  name: maxscale-galera
spec:
  tls:
    enabled: true
    adminCertConfig:
      privateKeyAlgorithm: RSA
      privateKeySize: 2048
    listenerCertConfig:
      privateKeyAlgorithm: RSA
      privateKeySize: 2048

When issuing certificates with cert-manager, you can specify the private key configuration field alongside the issuer reference:

apiVersion: enterprise.mariadb.com/v1alpha1
kind: MariaDB
metadata:
  name: mariadb-galera
spec:
  tls:
    enabled: true
    required: true
    serverCertIssuerRef:
      name: root-ca
      kind: ClusterIssuer
    serverCertConfig:
      privateKeyAlgorithm: ECDSA
      privateKeySize: 256
    clientCertIssuerRef:
      name: root-ca
      kind: ClusterIssuer
    clientCertConfig:
      privateKeyAlgorithm: ECDSA
      privateKeySize: 256

apiVersion: enterprise.mariadb.com/v1alpha1
kind: MaxScale
metadata:
  name: maxscale-galera
spec:
  tls:
    enabled: true
    adminCertIssuerRef:
      name: root-ca
      kind: ClusterIssuer
    adminCertConfig:
      privateKeyAlgorithm: ECDSA
      privateKeySize: 256
    listenerCertIssuerRef:
      name: root-ca
      kind: ClusterIssuer
    listenerCertConfig:
      privateKeyAlgorithm: ECDSA
      privateKeySize: 256

The following set of algorithms and sizes are supported:

Algorithm

Key Sizes

RSA

2048, 3072, 4096

ECDSA

256, 384, 521

CA renewal

Depending on the setup, CAs can be managed and renewed by either MariaDB Enterprise Operator or cert-manager.

When managed by cert-manager, the renewal process is fully controlled by cert-manager, but the operator will also update the CA bundle after the CA is renewed.

You may choose any of the available update strategies to control the instance update process.

Certificate renewal

You may choose any of the available update strategies to control the instance update process.

Certificate status

To have a high level picture of the certificates status, you can check the status.tls field of the MariaDB and MaxScale resources:

kubectl get mariadb mariadb-galera -o jsonpath="{.status.tls}" | jq
{
  "caBundle": [
    {
      "issuer": "CN=mariadb-galera-ca",
      "notAfter": "2028-01-20T14:26:50Z",
      "notBefore": "2025-01-20T13:26:50Z",
      "subject": "CN=mariadb-galera-ca"
    }
  ],
  "clientCert": {
    "issuer": "CN=mariadb-galera-ca",
    "notAfter": "2025-04-20T14:26:50Z",
    "notBefore": "2025-01-20T13:26:50Z",
    "subject": "CN=mariadb-galera-client"
  },
  "serverCert": {
    "issuer": "CN=mariadb-galera-ca",
    "notAfter": "2025-04-20T14:26:50Z",
    "notBefore": "2025-01-20T13:26:50Z",
    "subject": "CN=mariadb-galera.default.svc.cluster.local"
  }
}

kubectl get maxscale maxscale-galera -o jsonpath="{.status.tls}" | jq
{
  "adminCert": {
    "issuer": "CN=maxscale-galera-ca",
    "notAfter": "2025-04-20T14:33:09Z",
    "notBefore": "2025-01-20T13:33:09Z",
    "subject": "CN=maxscale-galera.default.svc.cluster.local"
  },
  "caBundle": [
    {
      "issuer": "CN=maxscale-galera-ca",
      "notAfter": "2028-01-20T14:33:09Z",
      "notBefore": "2025-01-20T13:33:09Z",
      "subject": "CN=maxscale-galera-ca"
    },
    {
      "issuer": "CN=mariadb-galera-ca",
      "notAfter": "2028-01-20T14:28:46Z",
      "notBefore": "2025-01-20T13:28:46Z",
      "subject": "CN=mariadb-galera-ca"
    }
  ],
  "listenerCert": {
    "issuer": "CN=maxscale-galera-ca",
    "notAfter": "2025-04-20T14:33:09Z",
    "notBefore": "2025-01-20T13:33:09Z",
    "subject": "CN=maxscale-galera.default.svc.cluster.local"
  },
  "serverCert": {
    "issuer": "CN=mariadb-galera-ca",
    "notAfter": "2025-04-20T14:28:46Z",
    "notBefore": "2025-01-20T13:28:46Z",
    "subject": "CN=mariadb-galera-client"
  }
}

TLS requirements for `Users`

For instance, if you want to require a valid x509 certificate for the user to be able o connect:

apiVersion: enterprise.mariadb.com/v1alpha1
kind: User
metadata:
  name: user
spec:
  ...
  require:
    x509: true

In order to restrict which subject the user certificate should have and/or require a particular issuer, you may set:

apiVersion: enterprise.mariadb.com/v1alpha1
kind: User
metadata:
  name: user
spec:
  ...
  require:
    issuer: "/CN=mariadb-galera-ca"
    subject: "/CN=mariadb-galera-client"

When any of these TLS requirements are not met, the user will not be able to connect to the instance.

See and the API reference for further detail.

Galera Enterprise SSL modes

MariaDB Enterprise Cluster (Galera) supports multiple SSL modes to secure the communication between the nodes. For configuring the SSL enforcement level on the server i.e. WSREP, you can set:

apiVersion: enterprise.mariadb.com/v1alpha1
kind: MariaDB
metadata:
  name: mariadb-galera
spec:
  tls:
    enabled: true
    galeraServerSSLMode: SERVER_X509

The following values are supported: SERVER_X509, SERVER and PROVIDER. Refer to the MariaDB Enterprise Cluster documentation for further detail about these modes.

You may also configure the SSL enforcement level used during Snapshot State Transfers(SST) by setting:

apiVersion: enterprise.mariadb.com/v1alpha1
kind: MariaDB
metadata:
  name: mariadb-galera
spec:
  tls:
    enabled: true
    galeraSSTEnabled: true
    galeraClientSSLMode: VERIFY_IDENTITY

The following values are supported: VERIFY_IDENTITY, VERIFY, REQUIRED and DISABLED. Refer to the MariaDB Enterprise Cluster documentation for further detail about these modes.

If you are willing to increase the enforcement level in an existing instance, make sure you follow the migration guide provided in the Enabling TLS in existing instances section.

Secure application connections with TLS

apiVersion: enterprise.mariadb.com/v1alpha1
kind: MariaDB
metadata:
  name: mariadb-galera
spec:
  rootPasswordSecretKeyRef:
    name: mariadb
    key: root-password
  storage:
    size: 1Gi
  replicas: 3
  galera:
    enabled: true
  tls:
    enabled: true
    required: true
---
apiVersion: enterprise.mariadb.com/v1alpha1
kind: MaxScale
metadata:
  name: maxscale-galera
spec:
  replicas: 2
  mariaDbRef:
    name: mariadb-galera
  tls:
    enabled: true

The first step is to create a User resource and grant the necessary permissions:

apiVersion: enterprise.mariadb.com/v1alpha1
kind: User
metadata:
  name: app
  namespace: app
spec:
  mariaDbRef:
    name: mariadb-galera
    namespace: default
  require:
    issuer: "/CN=mariadb-galera-ca"
    subject: "/CN=mariadb-galera-client"
  host: "%"
---
apiVersion: enterprise.mariadb.com/v1alpha1
kind: Grant
metadata:
  name: grant-app
  namespace: app
spec:
  mariaDbRef:
    name: mariadb-galera
    namespace: default
  privileges:
    - "ALL PRIVILEGES"
  database: "*"
  table: "*"
  username: app
  host: "%"

The app user will be able to connect to the MariaDB instance from the app namespace by providing a certificate with subject mariadb-galera-client and issued by the mariadb-galera-ca CA.

With the permissions in place, the next step is to prepare the certificates required for the application to connect:

CA Bundle: The trust bundle for MariaDB and MaxScale is available as a Secret named <instance-name>-ca-bundle in the default namespace. For more details, refer to the sections on CA bundle and distributing trust.
Client Certificate: MariaDB provides a default client certificate stored in a Secret named <mariadb-name>-client-cert in the default namespace. You can either use this Secret or generate a new one with the subject mariadb-galera-client, issued by the mariadb-galera-ca CA. While issuing client certificates for applications falls outside the scope of this operator, you can test them using Connection resources.

In this example, we assume that the following Secrets are available in the app namespace:

mariadb-bundle: CA bundle for the MariaDB and MaxScale instances.
mariadb-galera-client-cert: Client certificate required to connect to the MariaDB instance.

With these Secrets in place, we can proceed to define our application:

apiVersion: batch/v1
kind: CronJob
metadata:
  name: mariadb-client
  namespace: app
spec:
  schedule: "*/1 * * * *"
  jobTemplate:
    spec:
      template:
        spec:
          containers:
          - name: mariadb-client
            image: mariadb:11.4.4
            command:
              - bash
            args:
              - -c
              - >
                mariadb -u app -h mariadb-galera-primary.default.svc.cluster.local
                --ssl-ca=/etc/pki/ca.crt --ssl-cert=/etc/pki/tls.crt
                --ssl-key=/etc/pki/tls.key --ssl-verify-server-cert
                -e "SELECT 'MariaDB connection successful!' AS Status;" -t
            volumeMounts:
            - name: pki
              mountPath: /etc/pki
              readOnly: true
          volumes:
          - name: pki
            projected:
              sources:
              - secret:
                  name: mariadb-bundle
                  items:
                  - key: ca.crt
                    path: ca.crt
              - secret:
                  name: mariadb-galera-client-cert
                  items:
                  - key: tls.crt
                    path: tls.crt
                  - key: tls.key
                    path: tls.key
          restartPolicy: Never

If the connection is successful, the output should be:

+---------------------------------+
| Status                          |
+---------------------------------+
| MariaDB connection successful!  |
+---------------------------------+

You can also point the application to the MaxScale instance by updating the host to maxscale-galera.default.svc.cluster.local:

apiVersion: batch/v1
kind: CronJob
metadata:
  name: maxscale-client
  namespace: app
spec:
  schedule: "*/1 * * * *"
  jobTemplate:
    spec:
      template:
        spec:
          containers:
          - name: maxscale-client
            image: mariadb:11.4.4
            command:
              - bash
            args:
              - -c
              - >
                mariadb -u app -h maxscale-galera.default.svc.cluster.local
                --ssl-ca=/etc/pki/ca.crt --ssl-cert=/etc/pki/tls.crt
                --ssl-key=/etc/pki/tls.key --ssl-verify-server-cert
                -e "SELECT 'MaxScale connection successful!' AS Status;" -t
            volumeMounts:
            - name: pki
              mountPath: /etc/pki
              readOnly: true
          volumes:
          - name: pki
            projected:
              sources:
              - secret:
                  name: mariadb-bundle
                  items:
                  - key: ca.crt
                    path: ca.crt
              - secret:
                  name: mariadb-galera-client-cert
                  items:
                  - key: tls.crt
                    path: tls.crt
                  - key: tls.key
                    path: tls.key
          restartPolicy: Never

If successful, the expected output is:

+---------------------------------+
| Status                          |
+---------------------------------+
| MaxScale connection successful! |
+---------------------------------+

Test TLS certificates with `Connections`

apiVersion: enterprise.mariadb.com/v1alpha1
kind: Connection
metadata:
  name: connection
spec:
  mariaDbRef:
    name: mariadb-galera
  username: mariadb
  passwordSecretKeyRef:
    name: mariadb
    key: password
  tlsClientCertSecretRef:
    name: mariadb-galera-client-cert
  database: mariadb
  healthCheck:
    interval: 30s

apiVersion: enterprise.mariadb.com/v1alpha1
kind: Connection
metadata:
  name: connection-maxscale
spec:
  maxScaleRef:
    name: maxscale-galera
  username: mariadb
  passwordSecretKeyRef:
    name: mariadb
    key: password
  tlsClientCertSecretRef:
    name: mariadb-galera-client-cert
  database: mariadb
  healthCheck:
    interval: 30s

If successful, the Connection resource will be in a Ready state, which means that your TLS setup is correctly configured:

kubectl get connections
NAME                         READY   STATUS    SECRET                AGE
connection                   True    Healthy   connection            2m8s
connection-maxscale          True    Healthy   connection-maxscale   97s

This could be specially useful when providing your own certificates and issuing certificates for your applications.

Limitations

Galera and intermediate CAs

Leaf certificates issued by intermediate CAs are not supported by Galera, see MDEV-35812. This implies that a root CA must be used to issue the MariaDB certificates.

MaxScale

Unlike MariaDB, TLS and non-TLS connections on the same port are not supported simultaneously.
TLS encryption must be enabled for listeners when they are created. For servers, the TLS can be enabled after creation but it cannot be disabled or altered.

Refer to the MaxScale documentation for further details.

Metrics

MariaDB Enterprise Operator is able to configure Prometheus operator resources to scrape metrics from MariaDB and MaxScale instances. These metrics can be used later on to build Grafana dashboards or trigger Alertmanager alerts.

Operator metrics

In order to expose the operator internal metrics, you can install the operator Helm chart passing the metrics.enabled = true value. Refer to the Helm documentation for further detail.

Exporters

The operator configures exporters to query MariaDB and MaxScale, exposing metrics in Prometheus format through an HTTP endpoint.

It is important to note that these exporters run as standalone Deployments rather than as sidecars for each data-plane replica. Since they can communicate with all replicas of MariaDB and MaxScale, there is no need to run a separate exporter for each replica.

As a result, the lifecycle of MariaDB and MaxScale remains independent from the exporters, allowing for upgrades without impacting the availability of either component.

`ServiceMonitor`

Once the exporter Deployment is ready, the operator creates a ServiceMonitor object that will be eventually reconciled by the Prometheus operator, resulting in the Prometheus instance being configured to scrape the exporter endpoint.

As you scale MariaDB and MaxScale by adjusting the number of replicas, the operator will reconcile the ServiceMonitor to dynamically add or remove targets corresponding to the updated instances.

Configuration

The easiest way to setup metrics in your MariaDB and MaxScale instances is just by setting spec.metrics.enabled = true:

apiVersion: enterprise.mariadb.com/v1alpha1
kind: MariaDB
metadata:
  name: mariadb
spec:
...
  metrics:
    enabled: true

apiVersion: enterprise.mariadb.com/v1alpha1
kind: MaxScale
metadata:
  name: maxscale
spec:
...
  metrics:
    enabled: true

The rest of the fields are defaulted by the operator. If you need a more fine grained configuration, refer to the API reference and the following examples:

apiVersion: enterprise.mariadb.com/v1alpha1
kind: MariaDB
metadata:
  name: mariadb
spec:
...
  metrics:
    enabled: true
    exporter:
      image: mariadb/mariadb-prometheus-exporter-ubi:v0.0.2
      resources:
        requests:
          cpu: 50m
          memory: 64Mi
        limits:
          cpu: 300m
          memory: 512Mi
      port: 9104
    serviceMonitor:
      prometheusRelease: kube-prometheus-stack
      jobLabel: mariadb-monitoring
      interval: 10s
      scrapeTimeout: 10s
    username: monitoring
    passwordSecretKeyRef:
      name: mariadb
      key: password

apiVersion: enterprise.mariadb.com/v1alpha1
kind: MaxScale
metadata:
  name: maxscale
spec:
...
  auth:
    metricsUsername: metrics
    metricsPasswordSecretKeyRef:
      key: password
      name: maxscale-galera-metrics
  metrics:
    enabled: true
    exporter:
      image: mariadb/maxscale-prometheus-exporter-ubi:v0.0.2
      resources:
        requests:
          cpu: 50m
          memory: 64Mi
        limits:
          cpu: 300m
          memory: 512Mi
      port: 9105
    serviceMonitor:
      prometheusRelease: kube-prometheus-stack
      jobLabel: mariadb-monitoring
      interval: 10s
      scrapeTimeout: 10s

Grafana dashboards

The following community dashboards available on grafana.com are compatible with the MariaDB metrics, and therefore they can be used to monitor MariaDB instances:

MySQL Overview

MySQL Exporter Quickstart and Dashboard

MySQL Replication

Galera/MariaDB - Overview

MariaDB metrics

The following metrics are available for MariaDB instances:

Metric Name

Description

Type

Metric Name

Description

Type

mysql_exporter_collector_duration_seconds

Collector time duration.

GAUGE

mysql_exporter_collector_success

mysqld_exporter: Whether a collector succeeded.

GAUGE

mysql_galera_evs_repl_latency_avg_seconds

PXC/Galera group communication latency. Avg value.

GAUGE

mysql_galera_evs_repl_latency_max_seconds

PXC/Galera group communication latency. Max value.

GAUGE

mysql_galera_evs_repl_latency_min_seconds

PXC/Galera group communication latency. Min value.

GAUGE

mysql_galera_evs_repl_latency_sample_size

PXC/Galera group communication latency. Sample Size.

GAUGE

mysql_galera_evs_repl_latency_stdev

PXC/Galera group communication latency. Standard Deviation.

GAUGE

mysql_galera_gcache_size_bytes

PXC/Galera gcache size.

GAUGE

mysql_galera_status_info

PXC/Galera status information.

GAUGE

mysql_galera_variables_info

PXC/Galera variables information.

GAUGE

mysql_global_status_aborted_clients

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_aborted_connects

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_aborted_connects_preauth

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_access_denied_errors

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_acl_column_grants

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_acl_database_grants

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_acl_function_grants

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_acl_package_body_grants

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_acl_package_spec_grants

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_acl_procedure_grants

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_acl_proxy_users

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_acl_role_grants

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_acl_roles

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_acl_table_grants

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_acl_users

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_aria_pagecache_blocks_not_flushed

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_aria_pagecache_blocks_unused

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_aria_pagecache_blocks_used

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_aria_pagecache_read_requests

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_aria_pagecache_reads

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_aria_pagecache_write_requests

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_aria_pagecache_writes

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_aria_transaction_log_syncs

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_binlog_bytes_written

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_binlog_cache_disk_use

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_binlog_cache_use

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_binlog_commits

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_binlog_disk_use

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_binlog_group_commit_trigger_count

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_binlog_group_commit_trigger_lock_wait

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_binlog_group_commit_trigger_timeout

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_binlog_group_commits

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_binlog_gtid_index_hit

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_binlog_gtid_index_miss

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_binlog_snapshot_position

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_binlog_stmt_cache_disk_use

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_binlog_stmt_cache_use

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_buffer_pool_dirty_pages

Innodb buffer pool dirty pages.

GAUGE

mysql_global_status_buffer_pool_page_changes_total

Innodb buffer pool page state changes.

COUNTER

mysql_global_status_buffer_pool_pages

Innodb buffer pool pages by state.

GAUGE

mysql_global_status_busy_time

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_bytes_received

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_bytes_sent

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_column_compressions

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_column_decompressions

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_commands_total

Total number of executed MySQL commands.

COUNTER

mysql_global_status_compression

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_connection_errors_total

Total number of MySQL connection errors.

COUNTER

mysql_global_status_connections

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_cpu_time

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_created_tmp_disk_tables

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_created_tmp_files

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_created_tmp_tables

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_delayed_errors

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_delayed_insert_threads

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_delayed_writes

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_delete_scan

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_empty_queries

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_executed_events

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_executed_triggers

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_feature_application_time_periods

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_feature_check_constraint

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_feature_custom_aggregate_functions

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_feature_delay_key_write

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_feature_dynamic_columns

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_feature_fulltext

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_feature_gis

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_feature_insert_returning

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_feature_into_outfile

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_feature_into_variable

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_feature_invisible_columns

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_feature_json

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_feature_locale

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_feature_subquery

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_feature_system_versioning

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_feature_timezone

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_feature_trigger

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_feature_window_functions

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_feature_xml

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_handlers_total

Total number of executed MySQL handlers.

COUNTER

mysql_global_status_innodb_adaptive_hash_hash_searches

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_innodb_adaptive_hash_non_hash_searches

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_innodb_available_undo_logs

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_innodb_background_log_sync

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_innodb_buffer_pool_bytes_data

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_innodb_buffer_pool_bytes_dirty

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_innodb_buffer_pool_load_incomplete

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_innodb_buffer_pool_read_ahead

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_innodb_buffer_pool_read_ahead_evicted

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_innodb_buffer_pool_read_ahead_rnd

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_innodb_buffer_pool_read_requests

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_innodb_buffer_pool_reads

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_innodb_buffer_pool_wait_free

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_innodb_buffer_pool_write_requests

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_innodb_bulk_operations

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_innodb_checkpoint_age

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_innodb_checkpoint_max_age

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_innodb_data_fsyncs

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_innodb_data_pending_fsyncs

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_innodb_data_pending_reads

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_innodb_data_pending_writes

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_innodb_data_read

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_innodb_data_reads

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_innodb_data_writes

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_innodb_data_written

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_innodb_dblwr_pages_written

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_innodb_dblwr_writes

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_innodb_deadlocks

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_innodb_encryption_n_merge_blocks_decrypted

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_innodb_encryption_n_merge_blocks_encrypted

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_innodb_encryption_n_rowlog_blocks_decrypted

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_innodb_encryption_n_rowlog_blocks_encrypted

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_innodb_encryption_n_temp_blocks_decrypted

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_innodb_encryption_n_temp_blocks_encrypted

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_innodb_encryption_num_key_requests

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_innodb_encryption_rotation_estimated_iops

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_innodb_encryption_rotation_pages_flushed

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_innodb_encryption_rotation_pages_modified

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_innodb_encryption_rotation_pages_read_from_cache

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_innodb_encryption_rotation_pages_read_from_disk

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_innodb_have_bzip2

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_innodb_have_lz4

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_innodb_have_lzma

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_innodb_have_lzo

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_innodb_have_punch_hole

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_innodb_have_snappy

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_innodb_history_list_length

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_innodb_instant_alter_column

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_innodb_log_waits

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_innodb_log_write_requests

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_innodb_log_writes

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_innodb_lsn_current

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_innodb_lsn_flushed

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_innodb_lsn_last_checkpoint

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_innodb_master_thread_active_loops

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_innodb_master_thread_idle_loops

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_innodb_max_trx_id

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_innodb_mem_adaptive_hash

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_innodb_mem_dictionary

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_innodb_num_open_files

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_innodb_num_page_compressed_trim_op

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_innodb_num_pages_decrypted

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_innodb_num_pages_encrypted

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_innodb_num_pages_page_compressed

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_innodb_num_pages_page_compression_error

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_innodb_num_pages_page_decompressed

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_innodb_onlineddl_pct_progress

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_innodb_onlineddl_rowlog_pct_used

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_innodb_onlineddl_rowlog_rows

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_innodb_os_log_written

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_innodb_page_compression_saved

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_innodb_page_size

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_innodb_pages_created

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_innodb_pages_read

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_innodb_pages_written

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_innodb_row_lock_current_waits

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_innodb_row_lock_time

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_innodb_row_lock_time_avg

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_innodb_row_lock_time_max

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_innodb_row_lock_waits

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_innodb_truncated_status_writes

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_innodb_undo_truncations

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_key_blocks_not_flushed

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_key_blocks_unused

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_key_blocks_used

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_key_blocks_warm

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_key_read_requests

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_key_reads

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_key_write_requests

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_key_writes

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_last_query_cost

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_master_gtid_wait_count

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_master_gtid_wait_time

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_master_gtid_wait_timeouts

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_max_statement_time_exceeded

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_max_tmp_space_used

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_max_used_connections

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_max_used_connections_time

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_memory_used

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_memory_used_initial

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_not_flushed_delayed_rows

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_open_files

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_open_streams

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_open_table_definitions

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_open_tables

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_opened_files

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_opened_plugin_libraries

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_opened_table_definitions

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_opened_tables

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_opened_views

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_optimizer_join_prefixes_check_calls

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_performance_schema_lost_total

Total number of MySQL instrumentations that could not be loaded or created due to memory constraints.

COUNTER

mysql_global_status_prepared_stmt_count

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_qcache_free_blocks

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_qcache_free_memory

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_qcache_hits

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_qcache_inserts

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_qcache_lowmem_prunes

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_qcache_not_cached

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_qcache_queries_in_cache

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_qcache_total_blocks

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_queries

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_questions

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_resultset_metadata_skipped

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_rows_read

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_rows_sent

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_rows_tmp_read

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_rpl_semi_sync_master_clients

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_rpl_semi_sync_master_get_ack

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_rpl_semi_sync_master_net_avg_wait_time

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_rpl_semi_sync_master_net_wait_time

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_rpl_semi_sync_master_net_waits

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_rpl_semi_sync_master_no_times

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_rpl_semi_sync_master_no_tx

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_rpl_semi_sync_master_request_ack

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_rpl_semi_sync_master_status

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_rpl_semi_sync_master_timefunc_failures

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_rpl_semi_sync_master_tx_avg_wait_time

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_rpl_semi_sync_master_tx_wait_time

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_rpl_semi_sync_master_tx_waits

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_rpl_semi_sync_master_wait_pos_backtraverse

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_rpl_semi_sync_master_wait_sessions

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_rpl_semi_sync_master_yes_tx

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_rpl_semi_sync_slave_send_ack

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_rpl_semi_sync_slave_status

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_rpl_transactions_multi_engine

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_select_full_join

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_select_full_range_join

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_select_range

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_select_range_check

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_select_scan

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_server_audit_active

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_server_audit_writes_failed

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_slave_connections

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_slave_heartbeat_period

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_slave_open_temp_tables

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_slave_received_heartbeats

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_slave_retried_transactions

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_slave_running

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_slave_skipped_errors

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_slaves_connected

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_slaves_running

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_slow_launch_threads

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_slow_queries

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_sort_merge_passes

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_sort_priority_queue_sorts

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_sort_range

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_sort_rows

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_sort_scan

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_ssl_accept_renegotiates

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_ssl_accepts

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_ssl_callback_cache_hits

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_ssl_client_connects

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_ssl_connect_renegotiates

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_ssl_ctx_verify_depth

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_ssl_ctx_verify_mode

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_ssl_default_timeout

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_ssl_finished_accepts

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_ssl_finished_connects

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_ssl_session_cache_hits

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_ssl_session_cache_misses

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_ssl_session_cache_overflows

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_ssl_session_cache_size

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_ssl_session_cache_timeouts

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_ssl_sessions_reused

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_ssl_used_session_cache_entries

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_ssl_verify_depth

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_ssl_verify_mode

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_subquery_cache_hit

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_subquery_cache_miss

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_syncs

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_table_locks_immediate

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_table_locks_waited

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_table_open_cache_active_instances

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_table_open_cache_hits

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_table_open_cache_misses

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_table_open_cache_overflows

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_tc_log_max_pages_used

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_tc_log_page_size

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_tc_log_page_waits

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_threadpool_idle_threads

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_threadpool_threads

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_threads_cached

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_threads_connected

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_threads_created

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_threads_running

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_tmp_space_used

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_transactions_gtid_foreign_engine

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_transactions_multi_engine

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_update_scan

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_uptime

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_uptime_since_flush_status

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_wsrep_applier_thread_count

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_wsrep_apply_oooe

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_wsrep_apply_oool

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_wsrep_apply_waits

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_wsrep_apply_window

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_wsrep_causal_reads

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_wsrep_cert_deps_distance

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_wsrep_cert_index_size

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_wsrep_cert_interval

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_wsrep_cluster_conf_id

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_wsrep_cluster_size

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_wsrep_cluster_status

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_wsrep_cluster_weight

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_wsrep_commit_oooe

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_wsrep_commit_oool

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_wsrep_commit_window

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_wsrep_connected

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_wsrep_desync_count

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_wsrep_flow_control_paused

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_wsrep_flow_control_paused_ns

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_wsrep_flow_control_recv

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_wsrep_flow_control_sent

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_wsrep_gmcast_segment

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_wsrep_last_committed

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_wsrep_local_bf_aborts

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_wsrep_local_cached_downto

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_wsrep_local_cert_failures

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_wsrep_local_commits

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_wsrep_local_index

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_wsrep_local_recv_queue

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_wsrep_local_recv_queue_avg

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_wsrep_local_recv_queue_max

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_wsrep_local_recv_queue_min

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_wsrep_local_replays

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_wsrep_local_send_queue

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_wsrep_local_send_queue_avg

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_wsrep_local_send_queue_max

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_wsrep_local_send_queue_min

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_wsrep_local_state

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_wsrep_open_connections

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_wsrep_open_transactions

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_wsrep_protocol_version

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_wsrep_ready

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_wsrep_received

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_wsrep_received_bytes

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_wsrep_repl_data_bytes

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_wsrep_repl_keys

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_wsrep_repl_keys_bytes

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_wsrep_repl_other_bytes

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_wsrep_replicated

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_wsrep_replicated_bytes

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_wsrep_rollbacker_thread_count

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_status_wsrep_thread_count

Generic metric from SHOW GLOBAL STATUS.

UNTYPED

mysql_global_variables_allow_suspicious_udfs