mariadb-operator v0.27.0

packages/system/mariadb-operator/charts/mariadb-operator/Chart.yaml

@@ -1,17 +1,19 @@
 apiVersion: v2
-appVersion: v0.0.22
+appVersion: v0.0.27
 description: Run and operate MariaDB in a cloud native way
 home: https://github.com/mariadb-operator/mariadb-operator
-icon: https://mariadb-operator.github.io/mariadb-operator/assets/mariadb.png
+icon: https://mariadb-operator.github.io/mariadb-operator/assets/mariadb_profile.svg
 keywords:
 - mariadb
+- mysql
 - operator
 - mariadb-operator
 - database
+- maxscale
 kubeVersion: '>= 1.16.0-0'
 maintainers:
 - email: mariadb-operator@proton.me
   name: mmontes11
 name: mariadb-operator
 type: application
-version: 0.22.0
+version: 0.27.0

packages/system/mariadb-operator/charts/mariadb-operator/README.md

@@ -3,10 +3,10 @@
 [//]: # (README.md generated by gotmpl. DO NOT EDIT.)
 
 <p align="center">
-<img src="https://mariadb-operator.github.io/mariadb-operator/assets/mariadb-operator.png" alt="mariadb" width="250"/>
+<img src="https://mariadb-operator.github.io/mariadb-operator/assets/mariadb-operator_centered_whitebg.svg" alt="mariadb" width="100%"/>
 </p>
 
-![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![Version: 0.22.0](https://img.shields.io/badge/Version-0.22.0-informational?style=flat-square) ![AppVersion: v0.0.22](https://img.shields.io/badge/AppVersion-v0.0.22-informational?style=flat-square)
+![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![Version: 0.27.0](https://img.shields.io/badge/Version-0.27.0-informational?style=flat-square) ![AppVersion: v0.0.27](https://img.shields.io/badge/AppVersion-v0.0.27-informational?style=flat-square)
 
 Run and operate MariaDB in a cloud native way
 
@@ -26,20 +26,50 @@ helm uninstall mariadb-operator
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
 | affinity | object | `{}` | Affinity to add to controller Pod |
+| certController.affinity | object | `{}` | Affinity to add to controller Pod |
+| certController.caValidity | string | `"35064h"` | CA certificate validity. It must be greater than certValidity. |
+| certController.certValidity | string | `"8766h"` | Certificate validity. |
+| certController.enabled | bool | `true` | Specifies whether the cert-controller should be created. |
+| certController.extrArgs | list | `[]` | Extra arguments to be passed to the cert-controller entrypoint |
+| certController.extraVolumeMounts | list | `[]` | Extra volumes to mount to cert-controller container |
+| certController.extraVolumes | list | `[]` | Extra volumes to pass to cert-controller Pod |
+| certController.ha.enabled | bool | `false` | Enable high availability |
+| certController.ha.replicas | int | `3` | Number of replicas |
+| certController.image.pullPolicy | string | `"IfNotPresent"` |  |
+| certController.image.repository | string | `"ghcr.io/mariadb-operator/mariadb-operator"` |  |
+| certController.image.tag | string | `""` | Image tag to use. By default the chart appVersion is used |
+| certController.imagePullSecrets | list | `[]` |  |
+| certController.lookaheadValidity | string | `"2160h"` | Duration used to verify whether a certificate is valid or not. |
+| certController.nodeSelector | object | `{}` | Node selectors to add to controller Pod |
+| certController.podAnnotations | object | `{}` | Annotations to add to cert-controller Pod |
+| certController.podSecurityContext | object | `{}` | Security context to add to cert-controller Pod |
+| certController.requeueDuration | string | `"5m"` | Requeue duration to ensure that certificate gets renewed. |
+| certController.resources | object | `{}` | Resources to add to cert-controller container |
+| certController.securityContext | object | `{}` | Security context to add to cert-controller container |
+| certController.serviceAccount.annotations | object | `{}` | Annotations to add to the service account |
+| certController.serviceAccount.automount | bool | `true` | Automounts the service account token in all containers of the Pod |
+| certController.serviceAccount.enabled | bool | `true` | Specifies whether a service account should be created |
+| certController.serviceAccount.extraLabels | object | `{}` | Extra Labels to add to the service account |
+| certController.serviceAccount.name | string | `""` | The name of the service account to use. If not set and enabled is true, a name is generated using the fullname template |
+| certController.serviceMonitor.additionalLabels | object | `{}` | Labels to be added to the cert-controller ServiceMonitor |
+| certController.serviceMonitor.enabled | bool | `true` | Enable cert-controller ServiceMonitor. Metrics must be enabled |
+| certController.serviceMonitor.interval | string | `"30s"` | Interval to scrape metrics |
+| certController.serviceMonitor.scrapeTimeout | string | `"25s"` | Timeout if metrics can't be retrieved in given time interval |
+| certController.tolerations | list | `[]` | Tolerations to add to controller Pod |
 | clusterName | string | `"cluster.local"` | Cluster DNS name |
 | extrArgs | list | `[]` | Extra arguments to be passed to the controller entrypoint |
+| extraEnv | list | `[]` | Extra environment variables to be passed to the controller |
 | extraVolumeMounts | list | `[]` | Extra volumes to mount to the container. |
 | extraVolumes | list | `[]` | Extra volumes to pass to pod. |
 | fullnameOverride | string | `""` |  |
 | ha.enabled | bool | `false` | Enable high availability |
-| ha.leaseId | string | `"mariadb.mmontes.io"` | Lease resource name to be used for leader election |
 | ha.replicas | int | `3` | Number of replicas |
 | image.pullPolicy | string | `"IfNotPresent"` |  |
 | image.repository | string | `"ghcr.io/mariadb-operator/mariadb-operator"` |  |
 | image.tag | string | `""` | Image tag to use. By default the chart appVersion is used |
 | imagePullSecrets | list | `[]` |  |
 | logLevel | string | `"INFO"` | Controller log level |
-| metrics.enabled | bool | `false` | Enable prometheus metrics. Prometheus must be installed in the cluster |
+| metrics.enabled | bool | `false` | Enable operator internal metrics. Prometheus must be installed in the cluster |
 | metrics.serviceMonitor.additionalLabels | object | `{}` | Labels to be added to the controller ServiceMonitor |
 | metrics.serviceMonitor.enabled | bool | `true` | Enable controller ServiceMonitor |
 | metrics.serviceMonitor.interval | string | `"30s"` | Interval to scrape metrics |
@@ -59,16 +89,19 @@ helm uninstall mariadb-operator
 | tolerations | list | `[]` | Tolerations to add to controller Pod |
 | webhook.affinity | object | `{}` | Affinity to add to controller Pod |
 | webhook.annotations | object | `{}` | Annotations for webhook configurations. |
-| webhook.certificate.certManager | bool | `false` | Use cert-manager to issue and rotate the certificate. If set to false, a default certificate will be used. |
+| webhook.cert.caPath | string | `"/tmp/k8s-webhook-server/certificate-authority"` | Path where the CA certificate will be mounted. |
-| webhook.certificate.default | object | `{"annotations":{},"caExpirationDays":365,"certExpirationDays":365,"hook":""}` | Default certificate generated when the chart is installed or upgraded. |
+| webhook.cert.certManager.duration | string | `""` | Duration to be used in the Certificate resource, |
-| webhook.certificate.default.annotations | object | `{}` | Annotations for certificate Secret. |
+| webhook.cert.certManager.enabled | bool | `false` | Whether to use cert-manager to issue and rotate the certificate. If set to false, mariadb-operator's cert-controller will be used instead. |
-| webhook.certificate.default.caExpirationDays | int | `365` | Certificate authority expiration in days. |
+| webhook.cert.certManager.issuerRef | object | `{}` | Issuer reference to be used in the Certificate resource. If not provided, a self-signed issuer will be used. |
-| webhook.certificate.default.certExpirationDays | int | `365` | Certificate expiration in days. |
+| webhook.cert.certManager.renewBefore | string | `""` | Renew before duration to be used in the Certificate resource. |
-| webhook.certificate.default.hook | string | `""` | Helm hook to be added to the default certificate. |
+| webhook.cert.path | string | `"/tmp/k8s-webhook-server/serving-certs"` | Path where the certificate will be mounted. |
-| webhook.certificate.path | string | `"/tmp/k8s-webhook-server/serving-certs"` | Path where the certificate will be mounted. |
+| webhook.cert.secretAnnotations | object | `{}` | Annotatioms to be added to webhook TLS secret. |
+| webhook.cert.secretLabels | object | `{}` | Labels to be added to webhook TLS secret. |
 | webhook.extrArgs | list | `[]` | Extra arguments to be passed to the webhook entrypoint |
 | webhook.extraVolumeMounts | list | `[]` | Extra volumes to mount to webhook container |
 | webhook.extraVolumes | list | `[]` | Extra volumes to pass to webhook Pod |
+| webhook.ha.enabled | bool | `false` | Enable high availability |
+| webhook.ha.replicas | int | `3` | Number of replicas |
 | webhook.hostNetwork | bool | `false` | Expose the webhook server in the host network |
 | webhook.image.pullPolicy | string | `"IfNotPresent"` |  |
 | webhook.image.repository | string | `"ghcr.io/mariadb-operator/mariadb-operator"` |  |
@@ -77,7 +110,7 @@ helm uninstall mariadb-operator
 | webhook.nodeSelector | object | `{}` | Node selectors to add to controller Pod |
 | webhook.podAnnotations | object | `{}` | Annotations to add to webhook Pod |
 | webhook.podSecurityContext | object | `{}` | Security context to add to webhook Pod |
-| webhook.port | int | `10250` | Port to be used by the webhook server |
+| webhook.port | int | `9443` | Port to be used by the webhook server |
 | webhook.resources | object | `{}` | Resources to add to webhook container |
 | webhook.securityContext | object | `{}` | Security context to add to webhook container |
 | webhook.serviceAccount.annotations | object | `{}` | Annotations to add to the service account |

packages/system/mariadb-operator/charts/mariadb-operator/README.md.gotmpl

@@ -4,7 +4,7 @@
 [//]: # (README.md generated by gotmpl. DO NOT EDIT.)
 
 <p align="center">
-<img src="https://mariadb-operator.github.io/mariadb-operator/assets/mariadb-operator.png" alt="mariadb" width="250"/>
+<img src="https://mariadb-operator.github.io/mariadb-operator/assets/mariadb-operator_centered_whitebg.svg" alt="mariadb" width="100%"/>
 </p>
 
 {{ template "chart.typeBadge" . }}{{ template "chart.versionBadge" . }}{{ template "chart.appVersionBadge" . }}

packages/system/mariadb-operator/charts/mariadb-operator/templates/_helpers.tpl

@@ -71,28 +71,23 @@ app.kubernetes.io/instance: {{ .Release.Name }}
 {{- end }}
 
 {{/*
-Webhook certificate
+Cert-controller common labels
 */}}
-{{- define "mariadb-operator-webhook.certificate" -}}
+{{- define "mariadb-operator-cert-controller.labels" -}}
-{{- if .Values.webhook.certificate.certManager }}
+helm.sh/chart: {{ include "mariadb-operator.chart" . }}
-{{- include "mariadb-operator.fullname" . }}-webhook-cert
+{{ include "mariadb-operator-cert-controller.selectorLabels" . }}
-{{- else }}
+{{ if .Chart.AppVersion }}
-{{- include "mariadb-operator.fullname" . }}-webhook-default-cert
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
-{{- end }}
+{{ end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
 {{- end }}
 
 {{/*
-Webhook certificate subject name
+Cert-controller selector labels
 */}}
-{{- define "mariadb-operator-webhook.subjectName" -}}
+{{- define "mariadb-operator-cert-controller.selectorLabels" -}}
-{{- include "mariadb-operator.fullname" . }}-webhook.{{ .Release.Namespace }}.svc
+app.kubernetes.io/name: {{ include "mariadb-operator.name" . }}-cert-controller
-{{- end }}
+app.kubernetes.io/instance: {{ .Release.Name }}
-
-{{/*
-Webhook certificate subject alternative name
-*/}}
-{{- define "mariadb-operator-webhook.altName" -}}
-{{- include "mariadb-operator.fullname" . }}-webhook.{{ .Release.Namespace }}.svc.{{ .Values.clusterName }}
 {{- end }}
 
 {{/*
@@ -116,3 +111,14 @@ Create the name of the webhook service account to use
 {{- default "default" .Values.webhook.serviceAccount.name }}
 {{- end }}
 {{- end }}
+
+{{/*
+Create the name of the cert-controller service account to use
+*/}}
+{{- define "mariadb-operator-cert-controller.serviceAccountName" -}}
+{{- if .Values.certController.serviceAccount.enabled }}
+{{- default (printf "%s-cert-controller" (include "mariadb-operator.fullname" .))  .Values.certController.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.certController.serviceAccount.name }}
+{{- end }}
+{{- end }}

packages/system/mariadb-operator/charts/mariadb-operator/templates/cert-controller-deployment.yaml

@@ -0,0 +1,103 @@
+{{- if and .Values.certController.enabled  (not .Values.webhook.cert.certManager.enabled) -}}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "mariadb-operator.fullname" . }}-cert-controller
+  labels:
+    {{ include "mariadb-operator-cert-controller.labels" . | nindent 4 }}
+spec:
+  {{ if .Values.certController.ha.enabled }}
+  replicas: {{ .Values.certController.ha.replicas}}
+  {{ end }}
+  selector:
+    matchLabels:
+      {{ include "mariadb-operator-cert-controller.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      {{ with .Values.certController.podAnnotations }}
+      annotations:
+        {{ toYaml . | nindent 8 }}
+      {{ end }}
+      labels:
+        {{ include "mariadb-operator-cert-controller.selectorLabels" . | nindent 8 }}
+    spec:
+      {{- with .Values.certController.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      serviceAccountName: {{ include "mariadb-operator-cert-controller.serviceAccountName" . }}-cert-controller
+      automountServiceAccountToken: {{ .Values.certController.serviceAccount.automount }}
+      {{ with .Values.certController.nodeSelector }}
+      nodeSelector:
+        {{ toYaml . | nindent 8 }}
+      {{ end }}
+      {{ with .Values.certController.tolerations }}
+      tolerations:
+        {{ toYaml . | nindent 8 }}
+      {{ end }}
+      {{ with .Values.certController.affinity }}
+      affinity:
+        {{ toYaml . | nindent 8 }}
+      {{ end }}
+      {{ with .Values.certController.podSecurityContext }}
+      securityContext:
+        {{ toYaml . | nindent 8 }}
+      {{ end }}
+      containers:
+        - image: "{{ .Values.certController.image.repository }}:{{ .Values.certController.image.tag | default .Chart.AppVersion }}"
+          imagePullPolicy: {{ .Values.certController.image.pullPolicy }}
+          name: cert-controller
+          args:
+            - cert-controller
+            - --ca-secret-name={{ include "mariadb-operator.fullname" . }}-webhook-ca
+            - --ca-secret-namespace={{ .Release.Namespace }}
+            - --ca-validity={{ .Values.certController.caValidity }}
+            - --cert-secret-name={{ include "mariadb-operator.fullname" . }}-webhook-cert
+            - --cert-secret-namespace={{ .Release.Namespace }}
+            - --cert-validity={{ .Values.certController.certValidity }}
+            - --lookahead-validity={{ .Values.certController.lookaheadValidity }}
+            - --service-name={{ include "mariadb-operator.fullname" . }}-webhook
+            - --service-namespace={{ .Release.Namespace }}
+            - --requeue-duration={{ .Values.certController.requeueDuration }}
+            - --metrics-addr=:8080
+            - --health-addr=:8081
+            - --log-level={{ .Values.logLevel }}
+            {{- if .Values.certController.ha.enabled }}
+            - --leader-elect
+            {{- end }}
+            {{- range .Values.certController.extrArgs }}
+            - {{ . }}
+            {{- end }}
+          ports:
+            - containerPort: 8080
+              protocol: TCP
+              name: metrics
+            - containerPort: 8081
+              protocol: TCP
+              name: health
+          env: 
+            - name: CLUSTER_NAME
+              value: {{ .Values.clusterName }}
+          {{- with .Values.certController.extraVolumeMounts }}
+          volumeMounts:
+          {{- toYaml . | nindent 12 }}
+          {{- end }}
+          readinessProbe:
+            httpGet:
+              path: /readyz
+              port: 8081
+            initialDelaySeconds: 20
+            periodSeconds: 5
+          {{ with .Values.certController.resources }}
+          resources:
+            {{ toYaml . | nindent 12 }}
+          {{ end }}
+          {{ with .Values.certController.securityContext}}
+          securityContext:
+            {{ toYaml . | nindent 12 }}
+          {{ end }}
+      {{- with .Values.certController.extraVolumes }}
+      volumes:
+      {{- toYaml . | nindent 8 }}
+      {{- end }}
+{{- end }}

packages/system/mariadb-operator/charts/mariadb-operator/templates/cert-controller-rbac.yaml

@@ -0,0 +1,88 @@
+{{- if and .Values.rbac.enabled .Values.certController.enabled (not .Values.webhook.cert.certManager.enabled) -}}
+{{ $fullName := include "mariadb-operator.fullname" . }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ $fullName }}-cert-controller
+rules:
+- apiGroups:
+  - coordination.k8s.io
+  resources:
+  - leases
+  verbs:
+  - get
+  - list
+  - watch
+  - create
+  - update
+  - patch
+  - delete
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ $fullName }}-cert-controller
+rules:
+- apiGroups:
+  - admissionregistration.k8s.io
+  resources:
+  - validatingwebhookconfigurations
+  - mutatingwebhookconfigurations
+  verbs:
+  - get
+  - list
+  - update
+  - patch
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - create
+  - list
+  - patch
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - endpoints
+  - endpoints/restricted
+  verbs:
+  - get
+  - list
+  - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ $fullName }}-cert-controller
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ $fullName }}-cert-controller
+subjects:
+- kind: ServiceAccount
+  name: {{ include "mariadb-operator-cert-controller.serviceAccountName" . }}-cert-controller
+  namespace: {{ .Release.Namespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ $fullName }}-cert-controller
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ $fullName }}-cert-controller
+subjects:
+- kind: ServiceAccount
+  name: {{ include "mariadb-operator-cert-controller.serviceAccountName" . }}-cert-controller
+  namespace: {{ .Release.Namespace }}
+{{- end }}

packages/system/mariadb-operator/charts/mariadb-operator/templates/cert-controller-serviceaccount.yaml

@@ -0,0 +1,15 @@
+{{- if and .Values.certController.enabled (not .Values.webhook.cert.certManager.enabled) -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "mariadb-operator-cert-controller.serviceAccountName" . }}-cert-controller
+  labels:
+    {{- include "mariadb-operator-cert-controller.labels" . | nindent 4 }}
+    {{- with .Values.certController.serviceAccount.extraLabels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+  {{- with .Values.certController.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+{{- end }}

packages/system/mariadb-operator/charts/mariadb-operator/templates/cert-controller-servicemonitor.yaml

@@ -0,0 +1,36 @@
+{{ if and .Values.certController.enabled (not .Values.webhook.cert.certManager.enabled) .Values.metrics.enabled  .Values.certController.serviceMonitor.enabled }}
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "mariadb-operator.fullname" . }}-cert-controller-metrics
+  labels:
+    {{ include "mariadb-operator-cert-controller.labels" . | nindent 4 }}
+spec:
+  ports:
+    - port: 8080
+      protocol: TCP
+      name: metrics
+  selector:
+    {{ include "mariadb-operator-cert-controller.selectorLabels" . | nindent 4 }}
+---
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: {{ include "mariadb-operator.fullname" . }}-cert-controller
+  labels:
+    {{ include "mariadb-operator-cert-controller.labels" . | nindent 4 }}
+    {{ with .Values.certController.serviceMonitor.additionalLabels }}
+    {{ toYaml . | nindent 4 }}
+    {{ end }}
+spec:
+  selector:
+    matchLabels:
+      {{ include "mariadb-operator-cert-controller.selectorLabels" . | nindent 6 }}
+  namespaceSelector:
+    matchNames:
+    - {{ .Release.Namespace | quote }}
+  endpoints:
+  - port: metrics
+    interval: {{ .Values.certController.serviceMonitor.interval }}
+    scrapeTimeout: {{ .Values.certController.serviceMonitor.scrapeTimeout }}
+{{ end }}

packages/system/mariadb-operator/charts/mariadb-operator/templates/configmap.yaml

@@ -0,0 +1,13 @@
+apiVersion: v1
+data:
+  MARIADB_GALERA_AGENT_IMAGE: ghcr.io/mariadb-operator/mariadb-operator:v0.0.27
+  MARIADB_GALERA_INIT_IMAGE: ghcr.io/mariadb-operator/mariadb-operator:v0.0.27
+  MARIADB_GALERA_LIB_PATH: /usr/lib/galera/libgalera_smm.so
+  MARIADB_OPERATOR_IMAGE: ghcr.io/mariadb-operator/mariadb-operator:v0.0.27
+  RELATED_IMAGE_EXPORTER: prom/mysqld-exporter:v0.15.1
+  RELATED_IMAGE_MARIADB: mariadb:11.2.2
+  RELATED_IMAGE_MAXSCALE: mariadb/maxscale:23.08
+kind: ConfigMap
+metadata:
+  creationTimestamp: null
+  name: mariadb-operator-env

packages/system/mariadb-operator/charts/mariadb-operator/templates/deployment.yaml

@@ -53,17 +53,17 @@ spec:
             {{- if .Values.ha.enabled }}
             - --leader-elect
             {{- end }}
-            {{- if .Values.metrics.enabled }}
+            {{- range .Values.extraArgs }}
-            - --service-monitor-reconciler
-            {{- end }}
-            {{- range .Values.extrArgs }}
             - {{ . }}
             {{- end }}
           ports:
             - containerPort: 8080
               protocol: TCP
               name: metrics
-          env: 
+          envFrom:
+            - configMapRef:
+                name: mariadb-operator-env
+          env:
             - name: CLUSTER_NAME
               value: {{ .Values.clusterName }}
             - name: MARIADB_OPERATOR_NAME
@@ -76,6 +76,9 @@ spec:
                   fieldPath: metadata.namespace
             - name: MARIADB_OPERATOR_SA_PATH
               value: /var/run/secrets/kubernetes.io/serviceaccount/token
+            {{- with .Values.extraEnv }}
+            {{- toYaml . | nindent 12 }}
+            {{- end }}
           {{- if .Values.extraVolumeMounts }}
           volumeMounts:
           {{- toYaml .Values.extraVolumeMounts | nindent 12 }}
@@ -88,21 +91,6 @@ spec:
           securityContext:
             {{ toYaml . | nindent 12 }}
           {{ end }}
-          readinessProbe:
-            tcpSocket:
-              port: 8080
-            initialDelaySeconds: 30
-            periodSeconds: 10
-          livenessProbe:
-            tcpSocket:
-              port: 8080
-            initialDelaySeconds: 30
-            periodSeconds: 10
-          startupProbe:
-            tcpSocket:
-              port: 8080
-            initialDelaySeconds: 20
-            periodSeconds: 10
       {{- if .Values.extraVolumes }}
       volumes:
       {{- toYaml .Values.extraVolumes | nindent 8 }}

packages/system/mariadb-operator/charts/mariadb-operator/templates/rbac.yaml

@@ -56,6 +56,15 @@ rules:
   - ""
   resources:
   - endpoints
+  verbs:
+  - create
+  - get
+  - list
+  - patch
+  - watch
+- apiGroups:
+  - ""
+  resources:
   - endpoints/restricted
   verbs:
   - create
@@ -90,6 +99,12 @@ rules:
   - get
   - list
   - watch
+- apiGroups:
+  - ""
+  resources:
+  - pvcs
+  verbs:
+  - list
 - apiGroups:
   - ""
   resources:
@@ -117,16 +132,38 @@ rules:
   - list
   - patch
   - watch
+- apiGroups:
+  - apps
+  resources:
+  - deployments
+  verbs:
+  - create
+  - list
+  - patch
+  - watch
 - apiGroups:
   - apps
   resources:
   - statefulsets
   verbs:
   - create
+  - delete
   - get
   - list
   - patch
   - watch
+- apiGroups:
+  - authentication.k8s.io
+  resources:
+  - tokenreviews
+  verbs:
+  - create
+- apiGroups:
+  - authorization.k8s.io
+  resources:
+  - subjectaccessreviews
+  verbs:
+  - create
 - apiGroups:
   - batch
   resources:
@@ -142,11 +179,12 @@ rules:
   - jobs
   verbs:
   - create
+  - delete
   - list
   - patch
   - watch
 - apiGroups:
-  - mariadb.mmontes.io
+  - k8s.mariadb.com
   resources:
   - backups
   verbs:
@@ -158,13 +196,13 @@ rules:
   - update
   - watch
 - apiGroups:
-  - mariadb.mmontes.io
+  - k8s.mariadb.com
   resources:
   - backups/finalizers
   verbs:
   - update
 - apiGroups:
-  - mariadb.mmontes.io
+  - k8s.mariadb.com
   resources:
   - backups/status
   verbs:
@@ -172,7 +210,7 @@ rules:
   - patch
   - update
 - apiGroups:
-  - mariadb.mmontes.io
+  - k8s.mariadb.com
   resources:
   - connections
   verbs:
@@ -184,23 +222,37 @@ rules:
   - update
   - watch
 - apiGroups:
-  - mariadb.mmontes.io
+  - k8s.mariadb.com
   resources:
   - connections
+  - grants
+  - maxscale
   - restores
+  - users
   verbs:
   - create
   - list
   - patch
   - watch
 - apiGroups:
-  - mariadb.mmontes.io
+  - k8s.mariadb.com
+  resources:
+  - connections
+  - grants
+  - users
+  verbs:
+  - create
+  - list
+  - patch
+  - watch
+- apiGroups:
+  - k8s.mariadb.com
   resources:
   - connections/finalizers
   verbs:
   - update
 - apiGroups:
-  - mariadb.mmontes.io
+  - k8s.mariadb.com
   resources:
   - connections/status
   verbs:
@@ -208,7 +260,7 @@ rules:
   - patch
   - update
 - apiGroups:
-  - mariadb.mmontes.io
+  - k8s.mariadb.com
   resources:
   - databases
   verbs:
@@ -220,13 +272,13 @@ rules:
   - update
   - watch
 - apiGroups:
-  - mariadb.mmontes.io
+  - k8s.mariadb.com
   resources:
   - databases/finalizers
   verbs:
   - update
 - apiGroups:
-  - mariadb.mmontes.io
+  - k8s.mariadb.com
   resources:
   - databases/status
   verbs:
@@ -234,7 +286,7 @@ rules:
   - patch
   - update
 - apiGroups:
-  - mariadb.mmontes.io
+  - k8s.mariadb.com
   resources:
   - grants
   verbs:
@@ -246,13 +298,13 @@ rules:
   - update
   - watch
 - apiGroups:
-  - mariadb.mmontes.io
+  - k8s.mariadb.com
   resources:
   - grants/finalizers
   verbs:
   - update
 - apiGroups:
-  - mariadb.mmontes.io
+  - k8s.mariadb.com
   resources:
   - grants/status
   verbs:
@@ -260,7 +312,7 @@ rules:
   - patch
   - update
 - apiGroups:
-  - mariadb.mmontes.io
+  - k8s.mariadb.com
   resources:
   - mariadbs
   verbs:
@@ -272,13 +324,13 @@ rules:
   - update
   - watch
 - apiGroups:
-  - mariadb.mmontes.io
+  - k8s.mariadb.com
   resources:
   - mariadbs/finalizers
   verbs:
   - update
 - apiGroups:
-  - mariadb.mmontes.io
+  - k8s.mariadb.com
   resources:
   - mariadbs/status
   verbs:
@@ -286,7 +338,33 @@ rules:
   - patch
   - update
 - apiGroups:
-  - mariadb.mmontes.io
+  - k8s.mariadb.com
+  resources:
+  - maxscales
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - k8s.mariadb.com
+  resources:
+  - maxscales/finalizers
+  verbs:
+  - update
+- apiGroups:
+  - k8s.mariadb.com
+  resources:
+  - maxscales/status
+  verbs:
+  - get
+  - patch
+  - update
+- apiGroups:
+  - k8s.mariadb.com
   resources:
   - restores
   verbs:
@@ -298,13 +376,13 @@ rules:
   - update
   - watch
 - apiGroups:
-  - mariadb.mmontes.io
+  - k8s.mariadb.com
   resources:
   - restores/finalizers
   verbs:
   - update
 - apiGroups:
-  - mariadb.mmontes.io
+  - k8s.mariadb.com
   resources:
   - restores/status
   verbs:
@@ -312,7 +390,7 @@ rules:
   - patch
   - update
 - apiGroups:
-  - mariadb.mmontes.io
+  - k8s.mariadb.com
   resources:
   - sqljobs
   verbs:
@@ -324,13 +402,13 @@ rules:
   - update
   - watch
 - apiGroups:
-  - mariadb.mmontes.io
+  - k8s.mariadb.com
   resources:
   - sqljobs/finalizers
   verbs:
   - update
 - apiGroups:
-  - mariadb.mmontes.io
+  - k8s.mariadb.com
   resources:
   - sqljobs/status
   verbs:
@@ -338,7 +416,7 @@ rules:
   - patch
   - update
 - apiGroups:
-  - mariadb.mmontes.io
+  - k8s.mariadb.com
   resources:
   - users
   verbs:
@@ -350,13 +428,13 @@ rules:
   - update
   - watch
 - apiGroups:
-  - mariadb.mmontes.io
+  - k8s.mariadb.com
   resources:
   - users/finalizers
   verbs:
   - update
 - apiGroups:
-  - mariadb.mmontes.io
+  - k8s.mariadb.com
   resources:
   - users/status
   verbs:
@@ -431,4 +509,4 @@ subjects:
 - kind: ServiceAccount
   name: {{ include "mariadb-operator.serviceAccountName" . }}
   namespace: {{ .Release.Namespace }}
-{{- end }}
+{{- end }}

packages/system/mariadb-operator/charts/mariadb-operator/templates/webhook-certificate.yaml

@@ -1,4 +1,5 @@
-{{ if .Values.webhook.certificate.certManager }}
+{{ if .Values.webhook.cert.certManager.enabled }}
+{{ if not .Values.webhook.cert.certManager.issuerRef }}
 apiVersion: cert-manager.io/v1
 kind: Issuer
 metadata:
@@ -7,6 +8,7 @@ metadata:
     {{ include "mariadb-operator-webhook.labels" . | nindent 4 }}
 spec:
   selfSigned: {}
+{{ end }}
 ---
 apiVersion: cert-manager.io/v1
 kind: Certificate
@@ -15,11 +17,33 @@ metadata:
   labels:
     {{ include "mariadb-operator-webhook.labels" . | nindent 4 }}
 spec:
+  commonName: {{ include "mariadb-operator.fullname" . }}-webhook.{{ .Release.Namespace }}.svc
   dnsNames:
-    - {{ include "mariadb-operator-webhook.subjectName" . }}
+    - {{ include "mariadb-operator.fullname" . }}-webhook.{{ .Release.Namespace }}.svc.{{ .Values.clusterName }}
-    - {{ include "mariadb-operator-webhook.altName" . }}
+    - {{ include "mariadb-operator.fullname" . }}-webhook.{{ .Release.Namespace }}.svc
+    - {{ include "mariadb-operator.fullname" . }}-webhook.{{ .Release.Namespace }}
+    - {{ include "mariadb-operator.fullname" . }}-webhook
   issuerRef:
+  {{- if .Values.webhook.cert.certManager.issuerRef -}}
+    {{ toYaml .Values.webhook.cert.certManager.issuerRef | nindent 4 }}
+  {{- else }}
     kind: Issuer
     name: {{ include "mariadb-operator.fullname" . }}-selfsigned-issuer
+  {{- end }}
+  {{- with .Values.webhook.cert.certManager.duration }}
+  duration: {{ . | quote }}
+  {{- end }}
+  {{- with .Values.webhook.cert.certManager.renewBefore }}
+  renewBefore: {{ . | quote }}
+  {{- end }}
   secretName: {{ include "mariadb-operator.fullname" . }}-webhook-cert
-{{ end }}
+  secretTemplate:
+    {{- with .Values.webhook.cert.secretLabels }}
+    labels:
+      {{- toYaml . | nindent 6 }}
+    {{- end }}
+    {{- with .Values.webhook.cert.secretAnnotations }}
+    annotations:
+      {{- toYaml . | nindent 4 }}
+    {{- end }}
+{{ end }}

packages/system/mariadb-operator/charts/mariadb-operator/templates/webhook-config.yaml

@@ -1,30 +1,4 @@
 {{ $fullName := include "mariadb-operator.fullname" . }}
-{{ $subjectName := include "mariadb-operator-webhook.subjectName" . }}
-{{ $altNames := list }}
-{{ $altNames := append $altNames $subjectName }}
-{{ $altNames := append $altNames (include "mariadb-operator-webhook.altName" . ) }}
-{{ $ca := genCA $fullName (.Values.webhook.certificate.default.caExpirationDays | int) }}
-{{ $cert := genSignedCert $subjectName nil $altNames (.Values.webhook.certificate.default.certExpirationDays | int) $ca }}
-{{ if not .Values.webhook.certificate.certManager }}
-apiVersion: v1
-kind: Secret
-type: kubernetes.io/tls
-metadata:
-  name: {{ $fullName }}-webhook-default-cert
-  labels:
-    {{ include "mariadb-operator-webhook.labels" . | nindent 4 }}
-  annotations:
-    {{ with .Values.webhook.certificate.default.hook }}
-    helm.sh/hook: {{ . }}
-    {{ end }}
-    {{ with .Values.webhook.certificate.default.annotations }}
-    {{ toYaml . | nindent 4 }}
-    {{ end }}
-data:
-  tls.crt: {{ $cert.Cert | b64enc }}
-  tls.key: {{ $cert.Key | b64enc }} 
-{{ end }}
----
 apiVersion: admissionregistration.k8s.io/v1
 kind: MutatingWebhookConfiguration
 metadata:
@@ -32,12 +6,11 @@ metadata:
   labels:
     {{ include "mariadb-operator-webhook.labels" . | nindent 4 }}
   annotations:
-    {{ if .Values.webhook.certificate.certManager }}
+    {{- if .Values.webhook.cert.certManager.enabled }}
     cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "mariadb-operator.fullname" . }}-webhook-cert
-    {{ end }}
+    {{- else }}
-    {{ with .Values.webhook.certificate.default.hook }}
+    k8s.mariadb.com/webhook: ""
-    helm.sh/hook: {{ . }}
+    {{- end }}
-    {{ end }}
     {{ with .Values.webhook.annotations }}
     {{ toYaml . | indent 4 }}
     {{ end }}
@@ -48,15 +21,12 @@ webhooks:
     service:
       name: {{ $fullName }}-webhook
       namespace: {{ .Release.Namespace }}
-      path: /mutate-mariadb-mmontes-io-v1alpha1-mariadb
+      path: /mutate-k8s-mariadb-com-v1alpha1-mariadb
-    {{ if not .Values.webhook.certificate.certManager }}
-    caBundle: {{ $ca.Cert | b64enc }}
-    {{ end }}
   failurePolicy: Fail
   name: mmariadb.kb.io
   rules:
   - apiGroups:
-    - mariadb.mmontes.io
+    - k8s.mariadb.com
     apiVersions:
     - v1alpha1
     operations:
@@ -73,12 +43,11 @@ metadata:
   labels:
     {{ include "mariadb-operator-webhook.labels" . | nindent 4 }}
   annotations:
-    {{ if .Values.webhook.certificate.certManager }}
+    {{- if .Values.webhook.cert.certManager.enabled }}
     cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "mariadb-operator.fullname" . }}-webhook-cert
-    {{ end }}
+    {{- else }}
-    {{ with .Values.webhook.certificate.default.hook }}
+    k8s.mariadb.com/webhook: ""
-    helm.sh/hook: {{ . }}
+    {{- end }}
-    {{ end }}
     {{ with .Values.webhook.annotations }}
     {{ toYaml . | indent 4 }}
     {{ end }}
@@ -89,15 +58,12 @@ webhooks:
       service:
         name: {{ $fullName }}-webhook
         namespace: {{ .Release.Namespace }}
-        path: /validate-mariadb-mmontes-io-v1alpha1-backup
+        path: /validate-k8s-mariadb-com-v1alpha1-backup
-      {{ if not .Values.webhook.certificate.certManager }}
-      caBundle: {{ $ca.Cert | b64enc }}
-      {{ end }}
     failurePolicy: Fail
     name: vbackup.kb.io
     rules:
       - apiGroups:
-          - mariadb.mmontes.io
+          - k8s.mariadb.com
         apiVersions:
           - v1alpha1
         operations:
@@ -112,15 +78,12 @@ webhooks:
       service:
         name: {{ $fullName }}-webhook
         namespace: {{ .Release.Namespace }}
-        path: /validate-mariadb-mmontes-io-v1alpha1-connection
+        path: /validate-k8s-mariadb-com-v1alpha1-connection
-      {{ if not .Values.webhook.certificate.certManager }}
-      caBundle: {{ $ca.Cert | b64enc }}
-      {{ end }}
     failurePolicy: Fail
     name: vconnection.kb.io
     rules:
       - apiGroups:
-          - mariadb.mmontes.io
+          - k8s.mariadb.com
         apiVersions:
           - v1alpha1
         operations:
@@ -135,15 +98,12 @@ webhooks:
       service:
         name: {{ $fullName }}-webhook
         namespace: {{ .Release.Namespace }}
-        path: /validate-mariadb-mmontes-io-v1alpha1-database
+        path: /validate-k8s-mariadb-com-v1alpha1-database
-      {{ if not .Values.webhook.certificate.certManager }}
-      caBundle: {{ $ca.Cert | b64enc }}
-      {{ end }}
     failurePolicy: Fail
     name: vdatabase.kb.io
     rules:
       - apiGroups:
-          - mariadb.mmontes.io
+          - k8s.mariadb.com
         apiVersions:
           - v1alpha1
         operations:
@@ -158,15 +118,12 @@ webhooks:
       service:
         name: {{ $fullName }}-webhook
         namespace: {{ .Release.Namespace }}
-        path: /validate-mariadb-mmontes-io-v1alpha1-grant
+        path: /validate-k8s-mariadb-com-v1alpha1-grant
-      {{ if not .Values.webhook.certificate.certManager }}
-      caBundle: {{ $ca.Cert | b64enc }}
-      {{ end }}
     failurePolicy: Fail
     name: vgrant.kb.io
     rules:
       - apiGroups:
-          - mariadb.mmontes.io
+          - k8s.mariadb.com
         apiVersions:
           - v1alpha1
         operations:
@@ -181,15 +138,12 @@ webhooks:
       service:
         name: {{ $fullName }}-webhook
         namespace: {{ .Release.Namespace }}
-        path: /validate-mariadb-mmontes-io-v1alpha1-mariadb
+        path: /validate-k8s-mariadb-com-v1alpha1-mariadb
-      {{ if not .Values.webhook.certificate.certManager }}
-      caBundle: {{ $ca.Cert | b64enc }}
-      {{ end }}
     failurePolicy: Fail
     name: vmariadb.kb.io
     rules:
       - apiGroups:
-          - mariadb.mmontes.io
+          - k8s.mariadb.com
         apiVersions:
           - v1alpha1
         operations:
@@ -198,21 +152,38 @@ webhooks:
         resources:
           - mariadbs
     sideEffects: None
+  - admissionReviewVersions:
+    - v1
+    clientConfig:
+      service:
+        name: {{ $fullName }}-webhook
+        namespace: {{ .Release.Namespace }}
+        path: /validate-k8s-mariadb-com-v1alpha1-maxscale
+    failurePolicy: Fail
+    name: vmaxscale.kb.io
+    rules:
+    - apiGroups:
+      - k8s.mariadb.com
+      apiVersions:
+      - v1alpha1
+      operations:
+      - CREATE
+      - UPDATE
+      resources:
+      - maxscales
+    sideEffects: None
   - admissionReviewVersions:
       - v1
     clientConfig:
       service:
         name: {{ $fullName }}-webhook
         namespace: {{ .Release.Namespace }}
-        path: /validate-mariadb-mmontes-io-v1alpha1-restore
+        path: /validate-k8s-mariadb-com-v1alpha1-restore
-      {{ if not .Values.webhook.certificate.certManager }}
-      caBundle: {{ $ca.Cert | b64enc }}
-      {{ end }}
     failurePolicy: Fail
     name: vrestore.kb.io
     rules:
       - apiGroups:
-          - mariadb.mmontes.io
+          - k8s.mariadb.com
         apiVersions:
           - v1alpha1
         operations:
@@ -227,15 +198,12 @@ webhooks:
       service:
         name: {{ $fullName }}-webhook
         namespace: {{ .Release.Namespace }}
-        path: /validate-mariadb-mmontes-io-v1alpha1-sqljob
+        path: /validate-k8s-mariadb-com-v1alpha1-sqljob
-      {{ if not .Values.webhook.certificate.certManager }}
-      caBundle: {{ $ca.Cert | b64enc }}
-      {{ end }}
     failurePolicy: Fail
     name: vsqljob.kb.io
     rules:
       - apiGroups:
-          - mariadb.mmontes.io
+          - k8s.mariadb.com
         apiVersions:
           - v1alpha1
         operations:
@@ -250,15 +218,12 @@ webhooks:
       service:
         name: {{ $fullName }}-webhook
         namespace: {{ .Release.Namespace }}
-        path: /validate-mariadb-mmontes-io-v1alpha1-user
+        path: /validate-k8s-mariadb-com-v1alpha1-user
-      {{ if not .Values.webhook.certificate.certManager }}
-      caBundle: {{ $ca.Cert | b64enc }}
-      {{ end }}
     failurePolicy: Fail
     name: vuser.kb.io
     rules:
       - apiGroups:
-          - mariadb.mmontes.io
+          - k8s.mariadb.com
         apiVersions:
           - v1alpha1
         operations:

packages/system/mariadb-operator/charts/mariadb-operator/templates/webhook-deployment.yaml

@@ -1,10 +1,14 @@
+{{ $fullName := include "mariadb-operator.fullname" . }}
 apiVersion: apps/v1
 kind: Deployment
 metadata:
-  name: {{ include "mariadb-operator.fullname" . }}-webhook
+  name: {{ $fullName }}-webhook
   labels:
     {{ include "mariadb-operator-webhook.labels" . | nindent 4 }}
 spec:
+  {{ if .Values.webhook.ha.enabled }}
+  replicas: {{ .Values.webhook.ha.replicas}}
+  {{ end }}
   selector:
     matchLabels:
       {{ include "mariadb-operator-webhook.selectorLabels" . | nindent 6 }}
@@ -46,12 +50,18 @@ spec:
           name: webhook
           args:
             - webhook
-            - --cert-dir={{ .Values.webhook.certificate.path }}
+            {{- if .Values.webhook.cert.certManager.enabled }}
+            - --ca-cert-path={{ .Values.webhook.cert.path }}/ca.crt
+            {{- else }}
+            - --ca-cert-path={{ .Values.webhook.cert.caPath }}/tls.crt
+            {{- end }}
+            - --cert-dir={{ .Values.webhook.cert.path }}
+            - --dns-name={{ $fullName }}-webhook.{{ .Release.Namespace }}.svc
             - --port={{ .Values.webhook.port }}
             - --metrics-addr=:8080
             - --health-addr=:8081
             - --log-level={{ .Values.logLevel }}
-            {{- range .Values.extrArgs }}
+            {{- range .Values.webhook.extrArgs }}
             - {{ . }}
             {{- end }}
           ports:
@@ -65,7 +75,12 @@ spec:
               protocol: TCP
               name: health
           volumeMounts:
-            - mountPath: {{ .Values.webhook.certificate.path }}
+            {{- if not .Values.webhook.cert.certManager.enabled }}
+            - mountPath: {{ .Values.webhook.cert.caPath }}
+              name: ca
+              readOnly: true
+            {{- end }}
+            - mountPath: {{ .Values.webhook.cert.path }}
               name: cert
               readOnly: true
           {{- if .Values.webhook.extraVolumeMounts }}
@@ -73,22 +88,10 @@ spec:
           {{- end }}
           readinessProbe:
             httpGet:
-              path: /healthz
+              path: /readyz
               port: 8081
-            initialDelaySeconds: 5
+            initialDelaySeconds: 20
-            periodSeconds: 10
+            periodSeconds: 5
-          livenessProbe:
-            httpGet:
-              path: /healthz
-              port: 8081
-            initialDelaySeconds: 5
-            periodSeconds: 10
-          startupProbe:
-            httpGet:
-              path: /healthz
-              port: 8081
-            initialDelaySeconds: 5
-            periodSeconds: 10
           {{ with .Values.webhook.resources }}
           resources:
             {{ toYaml . | nindent 12 }}
@@ -98,10 +101,16 @@ spec:
             {{ toYaml . | nindent 12 }}
           {{ end }}
       volumes:
+        {{- if not .Values.webhook.cert.certManager.enabled }}
+        - name: ca
+          secret:
+            defaultMode: 420
+            secretName: {{ $fullName }}-webhook-ca
+        {{- end }}
         - name: cert
           secret:
             defaultMode: 420
-            secretName: {{ include "mariadb-operator-webhook.certificate" . }}
+            secretName: {{ $fullName }}-webhook-cert
       {{- if .Values.webhook.extraVolumes }}
       {{- toYaml .Values.webhook.extraVolumes | nindent 8 }}
       {{- end }}

packages/system/mariadb-operator/charts/mariadb-operator/templates/webhook-secret.yaml

@@ -0,0 +1,25 @@
+{{- if not .Values.webhook.cert.certManager.enabled }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "mariadb-operator.fullname" . }}-webhook-ca
+  labels:
+    {{- include "mariadb-operator-webhook.labels" . | nindent 4 }}
+    mariadb-operator.io/component: webhook
+  {{- with .Values.webhook.cert.secretAnnotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "mariadb-operator.fullname" . }}-webhook-cert
+  labels:
+    {{- include "mariadb-operator-webhook.labels" . | nindent 4 }}
+    mariadb-operator.io/component: webhook
+  {{- with .Values.webhook.cert.secretAnnotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+{{- end }}

packages/system/mariadb-operator/charts/mariadb-operator/values.yaml

@@ -19,11 +19,9 @@ ha:
   enabled: false
   # -- Number of replicas
   replicas: 3
-  # -- Lease resource name to be used for leader election
-  leaseId: mariadb.mmontes.io
 
 metrics:
-  # -- Enable prometheus metrics. Prometheus must be installed in the cluster
+  # -- Enable operator internal metrics. Prometheus must be installed in the cluster
   enabled: false
   serviceMonitor:
     # -- Enable controller ServiceMonitor
@@ -56,6 +54,9 @@ rbac:
 # -- Extra arguments to be passed to the controller entrypoint
 extrArgs: []
 
+# -- Extra environment variables to be passed to the controller
+extraEnv: []
+
 # -- Extra volumes to pass to pod.
 extraVolumes: []
 
@@ -87,31 +88,37 @@ tolerations: []
 affinity: {}
 
 webhook:
-  # -- Annotations for webhook configurations.
-  annotations: {}
   image:
     repository: ghcr.io/mariadb-operator/mariadb-operator
     pullPolicy: IfNotPresent
     # -- Image tag to use. By default the chart appVersion is used
     tag: ""
   imagePullSecrets: []
-  certificate:
+  ha:
-    # -- Use cert-manager to issue and rotate the certificate. If set to false, a default certificate will be used.
+    # -- Enable high availability
-    certManager: false
+    enabled: false
-    # -- Default certificate generated when the chart is installed or upgraded.
+    # -- Number of replicas
-    default:
+    replicas: 3
-      # -- Certificate authority expiration in days.
+  cert:
-      caExpirationDays: 365
+    certManager:
-      # -- Certificate expiration in days.
+      # -- Whether to use cert-manager to issue and rotate the certificate. If set to false, mariadb-operator's cert-controller will be used instead.
-      certExpirationDays: 365
+      enabled: false
-      # -- Annotations for certificate Secret.
+      # -- Issuer reference to be used in the Certificate resource. If not provided, a self-signed issuer will be used.
-      annotations: {}
+      issuerRef: {}
-      # -- Helm hook to be added to the default certificate.
+       # -- Duration to be used in the Certificate resource,
-      hook: ""
+      duration: ""
+       # -- Renew before duration to be used in the Certificate resource.
+      renewBefore: ""
+    # -- Annotatioms to be added to webhook TLS secret.
+    secretAnnotations: {}
+    # -- Labels to be added to webhook TLS secret.
+    secretLabels: {}
+    # -- Path where the CA certificate will be mounted.
+    caPath: /tmp/k8s-webhook-server/certificate-authority
     # -- Path where the certificate will be mounted.
     path: /tmp/k8s-webhook-server/serving-certs
   # -- Port to be used by the webhook server
-  port: 10250
+  port: 9443
   # -- Expose the webhook server in the host network
   hostNetwork: false
   serviceMonitor:
@@ -136,6 +143,8 @@ webhook:
     # -- The name of the service account to use.
     # If not set and enabled is true, a name is generated using the fullname template
     name: ""
+  # -- Annotations for webhook configurations.
+  annotations: {}
   # -- Extra arguments to be passed to the webhook entrypoint
   extrArgs: []
   # -- Extra volumes to pass to webhook Pod
@@ -159,3 +168,71 @@ webhook:
   tolerations: []
   # -- Affinity to add to controller Pod
   affinity: {}
+
+certController:
+  # -- Specifies whether the cert-controller should be created.
+  enabled: true
+  image:
+    repository: ghcr.io/mariadb-operator/mariadb-operator
+    pullPolicy: IfNotPresent
+    # -- Image tag to use. By default the chart appVersion is used
+    tag: ""
+  imagePullSecrets: []
+  ha:
+    # -- Enable high availability
+    enabled: false
+    # -- Number of replicas
+    replicas: 3
+  # -- CA certificate validity. It must be greater than certValidity.
+  caValidity: 35064h
+  # -- Certificate validity.
+  certValidity: 8766h
+  # -- Duration used to verify whether a certificate is valid or not.
+  lookaheadValidity: 2160h
+  # -- Requeue duration to ensure that certificate gets renewed.
+  requeueDuration: 5m
+  serviceMonitor:
+    # -- Enable cert-controller ServiceMonitor. Metrics must be enabled
+    enabled: true
+    # -- Labels to be added to the cert-controller ServiceMonitor
+    additionalLabels: {}
+    # release: kube-prometheus-stack
+    # --  Interval to scrape metrics
+    interval: 30s
+    # -- Timeout if metrics can't be retrieved in given time interval
+    scrapeTimeout: 25s
+  serviceAccount:
+    # -- Specifies whether a service account should be created
+    enabled: true
+    # -- Automounts the service account token in all containers of the Pod
+    automount: true
+    # -- Annotations to add to the service account
+    annotations: {}
+    # -- Extra Labels to add to the service account
+    extraLabels: {}
+    # -- The name of the service account to use.
+    # If not set and enabled is true, a name is generated using the fullname template
+    name: ""
+  # -- Extra arguments to be passed to the cert-controller entrypoint
+  extrArgs: []
+  # -- Extra volumes to pass to cert-controller Pod
+  extraVolumes: []
+  # -- Extra volumes to mount to cert-controller container
+  extraVolumeMounts: []
+  # -- Annotations to add to cert-controller Pod
+  podAnnotations: {}
+  # -- Security context to add to cert-controller Pod
+  podSecurityContext: {}
+  # -- Security context to add to cert-controller container
+  securityContext: {}
+  # -- Resources to add to cert-controller container
+  resources: {}
+  # requests:
+  #   cpu: 10m
+  #   memory: 32Mi
+  # -- Node selectors to add to controller Pod
+  nodeSelector: {}
+  # -- Tolerations to add to controller Pod
+  tolerations: []
+  # -- Affinity to add to controller Pod
+  affinity: {}

scripts/installer.sh

@@ -1,9 +1,18 @@
 #!/bin/sh
+VERSION=2
 set -o pipefail
 set -e
 
 run_migrations() {
-  return 0
+  if ! kubectl get configmap -n cozy-system cozystack-version; then
+    kubectl create configmap -n cozy-system cozystack-version --from-literal=version="$VERSION" --dry-run=client -o yaml | kubectl create -f-
+  fi
+  current_version=$(kubectl get configmap -n cozy-system cozystack-version -o jsonpath='{.data.version}') || true
+  until [ "$current_version" = "$VERSION" ]; do
+    echo "run migration: $current_version --> $VERSION"
+    scripts/migrations/$current_version
+    current_version=$(kubectl get configmap -n cozy-system cozystack-version -o jsonpath='{.data.version}')
+  done
 }
 
 flux_is_ok() {
@@ -18,6 +27,9 @@ install_basic_charts() {
 
 cd "$(dirname "$0")/.."
 
+# Run migrations
+run_migrations
+
 # Install namespaces
 make -C packages/core/platform namespaces-apply
 
@@ -26,9 +38,6 @@ if ! flux_is_ok; then
   install_basic_charts
 fi
 
-# Run migrations
-run_migrations
-
 # Reconcile Helm repositories
 kubectl annotate helmrepositories.source.toolkit.fluxcd.io -A -l cozystack.io/repository reconcile.fluxcd.io/requestedAt=$(date +"%Y-%m-%dT%H:%M:%SZ") --overwrite
 

scripts/migrations/1

@@ -0,0 +1,8 @@
+#!/bin/sh
+
+if kubectl get -n cozy-mariadb-operator secret/mariadb-operator-webhook-cert; then
+  kubectl annotate -n cozy-mariadb-operator secret/mariadb-operator-webhook-cert meta.helm.sh/release-namespace=cozy-mariadb-operator meta.helm.sh/release-name=mariadb-operator
+  kubectl label -n cozy-mariadb-operator secret/mariadb-operator-webhook-cert app.kubernetes.io/managed-by=Helm
+fi
+
+kubectl create configmap -n cozy-system cozystack-version --from-literal=version=2 --dry-run=client -o yaml | kubectl apply -f-