mariadb-operator v0.27.0

Update CNPG to 1.22.2 (#46 )
Signed-off-by: Andrei Kvapil <kvapss@gmail.com>
2026-01-29 10:18:54 +00:00 · 2024-03-27 19:47:41 +01:00 · 2024-03-15 21:15:36 +01:00 · 2024-03-15 21:15:27 +01:00 · 2024-03-15 21:15:17 +01:00 · 2024-03-15 21:15:06 +01:00
38 changed files with 47878 additions and 8991 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,3 @@
 _out
+.git
+.idea
--- a/README.md
+++ b/README.md
@@ -10,7 +10,7 @@

 # Cozystack

-**Cozystack** is an open-source **PaaS platform** for cloud providers.
+**Cozystack** is a free PaaS platform and framework for building clouds.

 With Cozystack, you can transform your bunch of servers into an intelligent system with a simple REST API for spawning Kubernetes clusters, Database-as-a-Service, virtual machines, load balancers, HTTP caching services, and other services with ease.

@@ -44,6 +44,8 @@ If you encounter any difficulties, start with the [troubleshooting guide](https:
 Versioning adheres to the [Semantic Versioning](http://semver.org/) principles.  
 A full list of the available releases is available in the GitHub repository's [Release](https://github.com/aenix-io/cozystack/releases) section.

+- [Roadmap](https://github.com/orgs/aenix-io/projects/2)
+
 ## Contributions

 Contributions are highly appreciated and very welcomed!
--- a/packages/apps/http-cache/Makefile
+++ b/packages/apps/http-cache/Makefile
@@ -2,7 +2,7 @@ PUSH := 1
 LOAD := 0
 REGISTRY := ghcr.io/aenix-io/cozystack
 NGINX_CACHE_TAG = v0.1.0
-TAG := v0.1.0
+TAG := v0.2.0

 image: image-nginx

--- a/packages/apps/kubernetes/Makefile
+++ b/packages/apps/kubernetes/Makefile
@@ -1,7 +1,7 @@
 PUSH := 1
 LOAD := 0
 REGISTRY := ghcr.io/aenix-io/cozystack
-TAG := v0.1.0
+TAG := v0.2.0
 UBUNTU_CONTAINER_DISK_TAG = v1.29.1

 image: image-ubuntu-container-disk
--- a/packages/core/installer/Makefile
+++ b/packages/core/installer/Makefile
@@ -3,7 +3,7 @@ NAME=installer
 PUSH := 1
 LOAD := 0
 REGISTRY := ghcr.io/aenix-io/cozystack
-TAG := v0.1.0
+TAG := v0.2.0
 TALOS_VERSION=$(shell awk '/^version:/ {print $$2}' images/talos/profiles/installer.yaml)

 show:
--- a/packages/system/dashboard/Makefile
+++ b/packages/system/dashboard/Makefile
@@ -3,7 +3,7 @@ NAMESPACE=cozy-dashboard
 PUSH := 1
 LOAD := 0
 REPOSITORY := ghcr.io/aenix-io/cozystack
-TAG := v0.1.0
+TAG := v0.2.0

 show:
 	helm template --dry-run=server -n $(NAMESPACE) $(NAME) .
--- a/packages/system/mariadb-operator/charts/mariadb-operator/Chart.yaml
+++ b/packages/system/mariadb-operator/charts/mariadb-operator/Chart.yaml
@@ -1,17 +1,19 @@
 apiVersion: v2
-appVersion: v0.0.22
+appVersion: v0.0.27
 description: Run and operate MariaDB in a cloud native way
 home: https://github.com/mariadb-operator/mariadb-operator
-icon: https://mariadb-operator.github.io/mariadb-operator/assets/mariadb.png
+icon: https://mariadb-operator.github.io/mariadb-operator/assets/mariadb_profile.svg
 keywords:
 - mariadb
+- mysql
 - operator
 - mariadb-operator
 - database
+- maxscale
 kubeVersion: '>= 1.16.0-0'
 maintainers:
 - email: mariadb-operator@proton.me
  name: mmontes11
 name: mariadb-operator
 type: application
-version: 0.22.0
+version: 0.27.0
--- a/packages/system/mariadb-operator/charts/mariadb-operator/README.md
+++ b/packages/system/mariadb-operator/charts/mariadb-operator/README.md
@@ -3,10 +3,10 @@
 [//]: # (README.md generated by gotmpl. DO NOT EDIT.)

 <p align="center">
-<img src="https://mariadb-operator.github.io/mariadb-operator/assets/mariadb-operator.png" alt="mariadb" width="250"/>
+<img src="https://mariadb-operator.github.io/mariadb-operator/assets/mariadb-operator_centered_whitebg.svg" alt="mariadb" width="100%"/>
 </p>

-![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![Version: 0.22.0](https://img.shields.io/badge/Version-0.22.0-informational?style=flat-square) ![AppVersion: v0.0.22](https://img.shields.io/badge/AppVersion-v0.0.22-informational?style=flat-square)
+![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![Version: 0.27.0](https://img.shields.io/badge/Version-0.27.0-informational?style=flat-square) ![AppVersion: v0.0.27](https://img.shields.io/badge/AppVersion-v0.0.27-informational?style=flat-square)

 Run and operate MariaDB in a cloud native way

@@ -26,20 +26,50 @@ helm uninstall mariadb-operator
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
 | affinity | object | `{}` | Affinity to add to controller Pod |
+| certController.affinity | object | `{}` | Affinity to add to controller Pod |
+| certController.caValidity | string | `"35064h"` | CA certificate validity. It must be greater than certValidity. |
+| certController.certValidity | string | `"8766h"` | Certificate validity. |
+| certController.enabled | bool | `true` | Specifies whether the cert-controller should be created. |
+| certController.extrArgs | list | `[]` | Extra arguments to be passed to the cert-controller entrypoint |
+| certController.extraVolumeMounts | list | `[]` | Extra volumes to mount to cert-controller container |
+| certController.extraVolumes | list | `[]` | Extra volumes to pass to cert-controller Pod |
+| certController.ha.enabled | bool | `false` | Enable high availability |
+| certController.ha.replicas | int | `3` | Number of replicas |
+| certController.image.pullPolicy | string | `"IfNotPresent"` |  |
+| certController.image.repository | string | `"ghcr.io/mariadb-operator/mariadb-operator"` |  |
+| certController.image.tag | string | `""` | Image tag to use. By default the chart appVersion is used |
+| certController.imagePullSecrets | list | `[]` |  |
+| certController.lookaheadValidity | string | `"2160h"` | Duration used to verify whether a certificate is valid or not. |
+| certController.nodeSelector | object | `{}` | Node selectors to add to controller Pod |
+| certController.podAnnotations | object | `{}` | Annotations to add to cert-controller Pod |
+| certController.podSecurityContext | object | `{}` | Security context to add to cert-controller Pod |
+| certController.requeueDuration | string | `"5m"` | Requeue duration to ensure that certificate gets renewed. |
+| certController.resources | object | `{}` | Resources to add to cert-controller container |
+| certController.securityContext | object | `{}` | Security context to add to cert-controller container |
+| certController.serviceAccount.annotations | object | `{}` | Annotations to add to the service account |
+| certController.serviceAccount.automount | bool | `true` | Automounts the service account token in all containers of the Pod |
+| certController.serviceAccount.enabled | bool | `true` | Specifies whether a service account should be created |
+| certController.serviceAccount.extraLabels | object | `{}` | Extra Labels to add to the service account |
+| certController.serviceAccount.name | string | `""` | The name of the service account to use. If not set and enabled is true, a name is generated using the fullname template |
+| certController.serviceMonitor.additionalLabels | object | `{}` | Labels to be added to the cert-controller ServiceMonitor |
+| certController.serviceMonitor.enabled | bool | `true` | Enable cert-controller ServiceMonitor. Metrics must be enabled |
+| certController.serviceMonitor.interval | string | `"30s"` | Interval to scrape metrics |
+| certController.serviceMonitor.scrapeTimeout | string | `"25s"` | Timeout if metrics can't be retrieved in given time interval |
+| certController.tolerations | list | `[]` | Tolerations to add to controller Pod |
 | clusterName | string | `"cluster.local"` | Cluster DNS name |
 | extrArgs | list | `[]` | Extra arguments to be passed to the controller entrypoint |
+| extraEnv | list | `[]` | Extra environment variables to be passed to the controller |
 | extraVolumeMounts | list | `[]` | Extra volumes to mount to the container. |
 | extraVolumes | list | `[]` | Extra volumes to pass to pod. |
 | fullnameOverride | string | `""` |  |
 | ha.enabled | bool | `false` | Enable high availability |
-| ha.leaseId | string | `"mariadb.mmontes.io"` | Lease resource name to be used for leader election |
 | ha.replicas | int | `3` | Number of replicas |
 | image.pullPolicy | string | `"IfNotPresent"` |  |
 | image.repository | string | `"ghcr.io/mariadb-operator/mariadb-operator"` |  |
 | image.tag | string | `""` | Image tag to use. By default the chart appVersion is used |
 | imagePullSecrets | list | `[]` |  |
 | logLevel | string | `"INFO"` | Controller log level |
-| metrics.enabled | bool | `false` | Enable prometheus metrics. Prometheus must be installed in the cluster |
+| metrics.enabled | bool | `false` | Enable operator internal metrics. Prometheus must be installed in the cluster |
 | metrics.serviceMonitor.additionalLabels | object | `{}` | Labels to be added to the controller ServiceMonitor |
 | metrics.serviceMonitor.enabled | bool | `true` | Enable controller ServiceMonitor |
 | metrics.serviceMonitor.interval | string | `"30s"` | Interval to scrape metrics |
@@ -59,16 +89,19 @@ helm uninstall mariadb-operator
 | tolerations | list | `[]` | Tolerations to add to controller Pod |
 | webhook.affinity | object | `{}` | Affinity to add to controller Pod |
 | webhook.annotations | object | `{}` | Annotations for webhook configurations. |
-| webhook.certificate.certManager | bool | `false` | Use cert-manager to issue and rotate the certificate. If set to false, a default certificate will be used. |
-| webhook.certificate.default | object | `{"annotations":{},"caExpirationDays":365,"certExpirationDays":365,"hook":""}` | Default certificate generated when the chart is installed or upgraded. |
-| webhook.certificate.default.annotations | object | `{}` | Annotations for certificate Secret. |
-| webhook.certificate.default.caExpirationDays | int | `365` | Certificate authority expiration in days. |
-| webhook.certificate.default.certExpirationDays | int | `365` | Certificate expiration in days. |
-| webhook.certificate.default.hook | string | `""` | Helm hook to be added to the default certificate. |
-| webhook.certificate.path | string | `"/tmp/k8s-webhook-server/serving-certs"` | Path where the certificate will be mounted. |
+| webhook.cert.caPath | string | `"/tmp/k8s-webhook-server/certificate-authority"` | Path where the CA certificate will be mounted. |
+| webhook.cert.certManager.duration | string | `""` | Duration to be used in the Certificate resource, |
+| webhook.cert.certManager.enabled | bool | `false` | Whether to use cert-manager to issue and rotate the certificate. If set to false, mariadb-operator's cert-controller will be used instead. |
+| webhook.cert.certManager.issuerRef | object | `{}` | Issuer reference to be used in the Certificate resource. If not provided, a self-signed issuer will be used. |
+| webhook.cert.certManager.renewBefore | string | `""` | Renew before duration to be used in the Certificate resource. |
+| webhook.cert.path | string | `"/tmp/k8s-webhook-server/serving-certs"` | Path where the certificate will be mounted. |
+| webhook.cert.secretAnnotations | object | `{}` | Annotatioms to be added to webhook TLS secret. |
+| webhook.cert.secretLabels | object | `{}` | Labels to be added to webhook TLS secret. |
 | webhook.extrArgs | list | `[]` | Extra arguments to be passed to the webhook entrypoint |
 | webhook.extraVolumeMounts | list | `[]` | Extra volumes to mount to webhook container |
 | webhook.extraVolumes | list | `[]` | Extra volumes to pass to webhook Pod |
+| webhook.ha.enabled | bool | `false` | Enable high availability |
+| webhook.ha.replicas | int | `3` | Number of replicas |
 | webhook.hostNetwork | bool | `false` | Expose the webhook server in the host network |
 | webhook.image.pullPolicy | string | `"IfNotPresent"` |  |
 | webhook.image.repository | string | `"ghcr.io/mariadb-operator/mariadb-operator"` |  |
@@ -77,7 +110,7 @@ helm uninstall mariadb-operator
 | webhook.nodeSelector | object | `{}` | Node selectors to add to controller Pod |
 | webhook.podAnnotations | object | `{}` | Annotations to add to webhook Pod |
 | webhook.podSecurityContext | object | `{}` | Security context to add to webhook Pod |
-| webhook.port | int | `10250` | Port to be used by the webhook server |
+| webhook.port | int | `9443` | Port to be used by the webhook server |
 | webhook.resources | object | `{}` | Resources to add to webhook container |
 | webhook.securityContext | object | `{}` | Security context to add to webhook container |
 | webhook.serviceAccount.annotations | object | `{}` | Annotations to add to the service account |
--- a/packages/system/mariadb-operator/charts/mariadb-operator/README.md.gotmpl
+++ b/packages/system/mariadb-operator/charts/mariadb-operator/README.md.gotmpl
@@ -4,7 +4,7 @@
 [//]: # (README.md generated by gotmpl. DO NOT EDIT.)

 <p align="center">
-<img src="https://mariadb-operator.github.io/mariadb-operator/assets/mariadb-operator.png" alt="mariadb" width="250"/>
+<img src="https://mariadb-operator.github.io/mariadb-operator/assets/mariadb-operator_centered_whitebg.svg" alt="mariadb" width="100%"/>
 </p>

 {{ template "chart.typeBadge" . }}{{ template "chart.versionBadge" . }}{{ template "chart.appVersionBadge" . }}
--- a/packages/system/mariadb-operator/charts/mariadb-operator/crds/crds.yaml
+++ b/packages/system/mariadb-operator/charts/mariadb-operator/crds/crds.yaml
--- a/packages/system/mariadb-operator/charts/mariadb-operator/templates/_helpers.tpl
+++ b/packages/system/mariadb-operator/charts/mariadb-operator/templates/_helpers.tpl
@@ -71,28 +71,23 @@ app.kubernetes.io/instance: {{ .Release.Name }}
 {{- end }}

 {{/*
-Webhook certificate
+Cert-controller common labels
 */}}
-{{- define "mariadb-operator-webhook.certificate" -}}
-{{- if .Values.webhook.certificate.certManager }}
-{{- include "mariadb-operator.fullname" . }}-webhook-cert
-{{- else }}
-{{- include "mariadb-operator.fullname" . }}-webhook-default-cert
-{{- end }}
+{{- define "mariadb-operator-cert-controller.labels" -}}
+helm.sh/chart: {{ include "mariadb-operator.chart" . }}
+{{ include "mariadb-operator-cert-controller.selectorLabels" . }}
+{{ if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{ end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
 {{- end }}

 {{/*
-Webhook certificate subject name
+Cert-controller selector labels
 */}}
-{{- define "mariadb-operator-webhook.subjectName" -}}
-{{- include "mariadb-operator.fullname" . }}-webhook.{{ .Release.Namespace }}.svc
-{{- end }}
-
-{{/*
-Webhook certificate subject alternative name
-*/}}
-{{- define "mariadb-operator-webhook.altName" -}}
-{{- include "mariadb-operator.fullname" . }}-webhook.{{ .Release.Namespace }}.svc.{{ .Values.clusterName }}
+{{- define "mariadb-operator-cert-controller.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "mariadb-operator.name" . }}-cert-controller
+app.kubernetes.io/instance: {{ .Release.Name }}
 {{- end }}

 {{/*
@@ -116,3 +111,14 @@ Create the name of the webhook service account to use
 {{- default "default" .Values.webhook.serviceAccount.name }}
 {{- end }}
 {{- end }}
+
+{{/*
+Create the name of the cert-controller service account to use
+*/}}
+{{- define "mariadb-operator-cert-controller.serviceAccountName" -}}
+{{- if .Values.certController.serviceAccount.enabled }}
+{{- default (printf "%s-cert-controller" (include "mariadb-operator.fullname" .))  .Values.certController.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.certController.serviceAccount.name }}
+{{- end }}
+{{- end }}
--- a/packages/system/mariadb-operator/charts/mariadb-operator/templates/cert-controller-deployment.yaml
+++ b/packages/system/mariadb-operator/charts/mariadb-operator/templates/cert-controller-deployment.yaml
@@ -0,0 +1,103 @@
+{{- if and .Values.certController.enabled  (not .Values.webhook.cert.certManager.enabled) -}}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "mariadb-operator.fullname" . }}-cert-controller
+  labels:
+    {{ include "mariadb-operator-cert-controller.labels" . | nindent 4 }}
+spec:
+  {{ if .Values.certController.ha.enabled }}
+  replicas: {{ .Values.certController.ha.replicas}}
+  {{ end }}
+  selector:
+    matchLabels:
+      {{ include "mariadb-operator-cert-controller.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      {{ with .Values.certController.podAnnotations }}
+      annotations:
+        {{ toYaml . | nindent 8 }}
+      {{ end }}
+      labels:
+        {{ include "mariadb-operator-cert-controller.selectorLabels" . | nindent 8 }}
+    spec:
+      {{- with .Values.certController.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      serviceAccountName: {{ include "mariadb-operator-cert-controller.serviceAccountName" . }}-cert-controller
+      automountServiceAccountToken: {{ .Values.certController.serviceAccount.automount }}
+      {{ with .Values.certController.nodeSelector }}
+      nodeSelector:
+        {{ toYaml . | nindent 8 }}
+      {{ end }}
+      {{ with .Values.certController.tolerations }}
+      tolerations:
+        {{ toYaml . | nindent 8 }}
+      {{ end }}
+      {{ with .Values.certController.affinity }}
+      affinity:
+        {{ toYaml . | nindent 8 }}
+      {{ end }}
+      {{ with .Values.certController.podSecurityContext }}
+      securityContext:
+        {{ toYaml . | nindent 8 }}
+      {{ end }}
+      containers:
+        - image: "{{ .Values.certController.image.repository }}:{{ .Values.certController.image.tag | default .Chart.AppVersion }}"
+          imagePullPolicy: {{ .Values.certController.image.pullPolicy }}
+          name: cert-controller
+          args:
+            - cert-controller
+            - --ca-secret-name={{ include "mariadb-operator.fullname" . }}-webhook-ca
+            - --ca-secret-namespace={{ .Release.Namespace }}
+            - --ca-validity={{ .Values.certController.caValidity }}
+            - --cert-secret-name={{ include "mariadb-operator.fullname" . }}-webhook-cert
+            - --cert-secret-namespace={{ .Release.Namespace }}
+            - --cert-validity={{ .Values.certController.certValidity }}
+            - --lookahead-validity={{ .Values.certController.lookaheadValidity }}
+            - --service-name={{ include "mariadb-operator.fullname" . }}-webhook
+            - --service-namespace={{ .Release.Namespace }}
+            - --requeue-duration={{ .Values.certController.requeueDuration }}
+            - --metrics-addr=:8080
+            - --health-addr=:8081
+            - --log-level={{ .Values.logLevel }}
+            {{- if .Values.certController.ha.enabled }}
+            - --leader-elect
+            {{- end }}
+            {{- range .Values.certController.extrArgs }}
+            - {{ . }}
+            {{- end }}
+          ports:
+            - containerPort: 8080
+              protocol: TCP
+              name: metrics
+            - containerPort: 8081
+              protocol: TCP
+              name: health
+          env: 
+            - name: CLUSTER_NAME
+              value: {{ .Values.clusterName }}
+          {{- with .Values.certController.extraVolumeMounts }}
+          volumeMounts:
+          {{- toYaml . | nindent 12 }}
+          {{- end }}
+          readinessProbe:
+            httpGet:
+              path: /readyz
+              port: 8081
+            initialDelaySeconds: 20
+            periodSeconds: 5
+          {{ with .Values.certController.resources }}
+          resources:
+            {{ toYaml . | nindent 12 }}
+          {{ end }}
+          {{ with .Values.certController.securityContext}}
+          securityContext:
+            {{ toYaml . | nindent 12 }}
+          {{ end }}
+      {{- with .Values.certController.extraVolumes }}
+      volumes:
+      {{- toYaml . | nindent 8 }}
+      {{- end }}
+{{- end }}
--- a/packages/system/mariadb-operator/charts/mariadb-operator/templates/cert-controller-rbac.yaml
+++ b/packages/system/mariadb-operator/charts/mariadb-operator/templates/cert-controller-rbac.yaml
@@ -0,0 +1,88 @@
+{{- if and .Values.rbac.enabled .Values.certController.enabled (not .Values.webhook.cert.certManager.enabled) -}}
+{{ $fullName := include "mariadb-operator.fullname" . }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ $fullName }}-cert-controller
+rules:
+- apiGroups:
+  - coordination.k8s.io
+  resources:
+  - leases
+  verbs:
+  - get
+  - list
+  - watch
+  - create
+  - update
+  - patch
+  - delete
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ $fullName }}-cert-controller
+rules:
+- apiGroups:
+  - admissionregistration.k8s.io
+  resources:
+  - validatingwebhookconfigurations
+  - mutatingwebhookconfigurations
+  verbs:
+  - get
+  - list
+  - update
+  - patch
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - create
+  - list
+  - patch
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - endpoints
+  - endpoints/restricted
+  verbs:
+  - get
+  - list
+  - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ $fullName }}-cert-controller
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ $fullName }}-cert-controller
+subjects:
+- kind: ServiceAccount
+  name: {{ include "mariadb-operator-cert-controller.serviceAccountName" . }}-cert-controller
+  namespace: {{ .Release.Namespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ $fullName }}-cert-controller
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ $fullName }}-cert-controller
+subjects:
+- kind: ServiceAccount
+  name: {{ include "mariadb-operator-cert-controller.serviceAccountName" . }}-cert-controller
+  namespace: {{ .Release.Namespace }}
+{{- end }}
--- a/packages/system/mariadb-operator/charts/mariadb-operator/templates/cert-controller-serviceaccount.yaml
+++ b/packages/system/mariadb-operator/charts/mariadb-operator/templates/cert-controller-serviceaccount.yaml
@@ -0,0 +1,15 @@
+{{- if and .Values.certController.enabled (not .Values.webhook.cert.certManager.enabled) -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "mariadb-operator-cert-controller.serviceAccountName" . }}-cert-controller
+  labels:
+    {{- include "mariadb-operator-cert-controller.labels" . | nindent 4 }}
+    {{- with .Values.certController.serviceAccount.extraLabels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+  {{- with .Values.certController.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+{{- end }}
--- a/packages/system/mariadb-operator/charts/mariadb-operator/templates/cert-controller-servicemonitor.yaml
+++ b/packages/system/mariadb-operator/charts/mariadb-operator/templates/cert-controller-servicemonitor.yaml
@@ -0,0 +1,36 @@
+{{ if and .Values.certController.enabled (not .Values.webhook.cert.certManager.enabled) .Values.metrics.enabled  .Values.certController.serviceMonitor.enabled }}
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "mariadb-operator.fullname" . }}-cert-controller-metrics
+  labels:
+    {{ include "mariadb-operator-cert-controller.labels" . | nindent 4 }}
+spec:
+  ports:
+    - port: 8080
+      protocol: TCP
+      name: metrics
+  selector:
+    {{ include "mariadb-operator-cert-controller.selectorLabels" . | nindent 4 }}
+---
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: {{ include "mariadb-operator.fullname" . }}-cert-controller
+  labels:
+    {{ include "mariadb-operator-cert-controller.labels" . | nindent 4 }}
+    {{ with .Values.certController.serviceMonitor.additionalLabels }}
+    {{ toYaml . | nindent 4 }}
+    {{ end }}
+spec:
+  selector:
+    matchLabels:
+      {{ include "mariadb-operator-cert-controller.selectorLabels" . | nindent 6 }}
+  namespaceSelector:
+    matchNames:
+    - {{ .Release.Namespace | quote }}
+  endpoints:
+  - port: metrics
+    interval: {{ .Values.certController.serviceMonitor.interval }}
+    scrapeTimeout: {{ .Values.certController.serviceMonitor.scrapeTimeout }}
+{{ end }}
--- a/packages/system/mariadb-operator/charts/mariadb-operator/templates/configmap.yaml
+++ b/packages/system/mariadb-operator/charts/mariadb-operator/templates/configmap.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+data:
+  MARIADB_GALERA_AGENT_IMAGE: ghcr.io/mariadb-operator/mariadb-operator:v0.0.27
+  MARIADB_GALERA_INIT_IMAGE: ghcr.io/mariadb-operator/mariadb-operator:v0.0.27
+  MARIADB_GALERA_LIB_PATH: /usr/lib/galera/libgalera_smm.so
+  MARIADB_OPERATOR_IMAGE: ghcr.io/mariadb-operator/mariadb-operator:v0.0.27
+  RELATED_IMAGE_EXPORTER: prom/mysqld-exporter:v0.15.1
+  RELATED_IMAGE_MARIADB: mariadb:11.2.2
+  RELATED_IMAGE_MAXSCALE: mariadb/maxscale:23.08
+kind: ConfigMap
+metadata:
+  creationTimestamp: null
+  name: mariadb-operator-env
--- a/packages/system/mariadb-operator/charts/mariadb-operator/templates/deployment.yaml
+++ b/packages/system/mariadb-operator/charts/mariadb-operator/templates/deployment.yaml
@@ -53,17 +53,17 @@ spec:
            {{- if .Values.ha.enabled }}
            - --leader-elect
            {{- end }}
-            {{- if .Values.metrics.enabled }}
-            - --service-monitor-reconciler
-            {{- end }}
-            {{- range .Values.extrArgs }}
+            {{- range .Values.extraArgs }}
            - {{ . }}
            {{- end }}
          ports:
            - containerPort: 8080
              protocol: TCP
              name: metrics
-          env: 
+          envFrom:
+            - configMapRef:
+                name: mariadb-operator-env
+          env:
            - name: CLUSTER_NAME
              value: {{ .Values.clusterName }}
            - name: MARIADB_OPERATOR_NAME
@@ -76,6 +76,9 @@ spec:
                  fieldPath: metadata.namespace
            - name: MARIADB_OPERATOR_SA_PATH
              value: /var/run/secrets/kubernetes.io/serviceaccount/token
+            {{- with .Values.extraEnv }}
+            {{- toYaml . | nindent 12 }}
+            {{- end }}
          {{- if .Values.extraVolumeMounts }}
          volumeMounts:
          {{- toYaml .Values.extraVolumeMounts | nindent 12 }}
@@ -88,21 +91,6 @@ spec:
          securityContext:
            {{ toYaml . | nindent 12 }}
          {{ end }}
-          readinessProbe:
-            tcpSocket:
-              port: 8080
-            initialDelaySeconds: 30
-            periodSeconds: 10
-          livenessProbe:
-            tcpSocket:
-              port: 8080
-            initialDelaySeconds: 30
-            periodSeconds: 10
-          startupProbe:
-            tcpSocket:
-              port: 8080
-            initialDelaySeconds: 20
-            periodSeconds: 10
      {{- if .Values.extraVolumes }}
      volumes:
      {{- toYaml .Values.extraVolumes | nindent 8 }}
--- a/packages/system/mariadb-operator/charts/mariadb-operator/templates/metrics-servicemonitor.yaml
+++ b/packages/system/mariadb-operator/charts/mariadb-operator/templates/metrics-servicemonitor.yaml
--- a/packages/system/mariadb-operator/charts/mariadb-operator/templates/rbac.yaml
+++ b/packages/system/mariadb-operator/charts/mariadb-operator/templates/rbac.yaml
@@ -56,6 +56,15 @@ rules:
  - ""
  resources:
  - endpoints
+  verbs:
+  - create
+  - get
+  - list
+  - patch
+  - watch
+- apiGroups:
+  - ""
+  resources:
  - endpoints/restricted
  verbs:
  - create
@@ -90,6 +99,12 @@ rules:
  - get
  - list
  - watch
+- apiGroups:
+  - ""
+  resources:
+  - pvcs
+  verbs:
+  - list
 - apiGroups:
  - ""
  resources:
@@ -117,16 +132,38 @@ rules:
  - list
  - patch
  - watch
+- apiGroups:
+  - apps
+  resources:
+  - deployments
+  verbs:
+  - create
+  - list
+  - patch
+  - watch
 - apiGroups:
  - apps
  resources:
  - statefulsets
  verbs:
  - create
+  - delete
  - get
  - list
  - patch
  - watch
+- apiGroups:
+  - authentication.k8s.io
+  resources:
+  - tokenreviews
+  verbs:
+  - create
+- apiGroups:
+  - authorization.k8s.io
+  resources:
+  - subjectaccessreviews
+  verbs:
+  - create
 - apiGroups:
  - batch
  resources:
@@ -142,11 +179,12 @@ rules:
  - jobs
  verbs:
  - create
+  - delete
  - list
  - patch
  - watch
 - apiGroups:
-  - mariadb.mmontes.io
+  - k8s.mariadb.com
  resources:
  - backups
  verbs:
@@ -158,13 +196,13 @@ rules:
  - update
  - watch
 - apiGroups:
-  - mariadb.mmontes.io
+  - k8s.mariadb.com
  resources:
  - backups/finalizers
  verbs:
  - update
 - apiGroups:
-  - mariadb.mmontes.io
+  - k8s.mariadb.com
  resources:
  - backups/status
  verbs:
@@ -172,7 +210,7 @@ rules:
  - patch
  - update
 - apiGroups:
-  - mariadb.mmontes.io
+  - k8s.mariadb.com
  resources:
  - connections
  verbs:
@@ -184,23 +222,37 @@ rules:
  - update
  - watch
 - apiGroups:
-  - mariadb.mmontes.io
+  - k8s.mariadb.com
  resources:
  - connections
+  - grants
+  - maxscale
  - restores
+  - users
  verbs:
  - create
  - list
  - patch
  - watch
 - apiGroups:
-  - mariadb.mmontes.io
+  - k8s.mariadb.com
+  resources:
+  - connections
+  - grants
+  - users
+  verbs:
+  - create
+  - list
+  - patch
+  - watch
+- apiGroups:
+  - k8s.mariadb.com
  resources:
  - connections/finalizers
  verbs:
  - update
 - apiGroups:
-  - mariadb.mmontes.io
+  - k8s.mariadb.com
  resources:
  - connections/status
  verbs:
@@ -208,7 +260,7 @@ rules:
  - patch
  - update
 - apiGroups:
-  - mariadb.mmontes.io
+  - k8s.mariadb.com
  resources:
  - databases
  verbs:
@@ -220,13 +272,13 @@ rules:
  - update
  - watch
 - apiGroups:
-  - mariadb.mmontes.io
+  - k8s.mariadb.com
  resources:
  - databases/finalizers
  verbs:
  - update
 - apiGroups:
-  - mariadb.mmontes.io
+  - k8s.mariadb.com
  resources:
  - databases/status
  verbs:
@@ -234,7 +286,7 @@ rules:
  - patch
  - update
 - apiGroups:
-  - mariadb.mmontes.io
+  - k8s.mariadb.com
  resources:
  - grants
  verbs:
@@ -246,13 +298,13 @@ rules:
  - update
  - watch
 - apiGroups:
-  - mariadb.mmontes.io
+  - k8s.mariadb.com
  resources:
  - grants/finalizers
  verbs:
  - update
 - apiGroups:
-  - mariadb.mmontes.io
+  - k8s.mariadb.com
  resources:
  - grants/status
  verbs:
@@ -260,7 +312,7 @@ rules:
  - patch
  - update
 - apiGroups:
-  - mariadb.mmontes.io
+  - k8s.mariadb.com
  resources:
  - mariadbs
  verbs:
@@ -272,13 +324,13 @@ rules:
  - update
  - watch
 - apiGroups:
-  - mariadb.mmontes.io
+  - k8s.mariadb.com
  resources:
  - mariadbs/finalizers
  verbs:
  - update
 - apiGroups:
-  - mariadb.mmontes.io
+  - k8s.mariadb.com
  resources:
  - mariadbs/status
  verbs:
@@ -286,7 +338,33 @@ rules:
  - patch
  - update
 - apiGroups:
-  - mariadb.mmontes.io
+  - k8s.mariadb.com
+  resources:
+  - maxscales
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - k8s.mariadb.com
+  resources:
+  - maxscales/finalizers
+  verbs:
+  - update
+- apiGroups:
+  - k8s.mariadb.com
+  resources:
+  - maxscales/status
+  verbs:
+  - get
+  - patch
+  - update
+- apiGroups:
+  - k8s.mariadb.com
  resources:
  - restores
  verbs:
@@ -298,13 +376,13 @@ rules:
  - update
  - watch
 - apiGroups:
-  - mariadb.mmontes.io
+  - k8s.mariadb.com
  resources:
  - restores/finalizers
  verbs:
  - update
 - apiGroups:
-  - mariadb.mmontes.io
+  - k8s.mariadb.com
  resources:
  - restores/status
  verbs:
@@ -312,7 +390,7 @@ rules:
  - patch
  - update
 - apiGroups:
-  - mariadb.mmontes.io
+  - k8s.mariadb.com
  resources:
  - sqljobs
  verbs:
@@ -324,13 +402,13 @@ rules:
  - update
  - watch
 - apiGroups:
-  - mariadb.mmontes.io
+  - k8s.mariadb.com
  resources:
  - sqljobs/finalizers
  verbs:
  - update
 - apiGroups:
-  - mariadb.mmontes.io
+  - k8s.mariadb.com
  resources:
  - sqljobs/status
  verbs:
@@ -338,7 +416,7 @@ rules:
  - patch
  - update
 - apiGroups:
-  - mariadb.mmontes.io
+  - k8s.mariadb.com
  resources:
  - users
  verbs:
@@ -350,13 +428,13 @@ rules:
  - update
  - watch
 - apiGroups:
-  - mariadb.mmontes.io
+  - k8s.mariadb.com
  resources:
  - users/finalizers
  verbs:
  - update
 - apiGroups:
-  - mariadb.mmontes.io
+  - k8s.mariadb.com
  resources:
  - users/status
  verbs:
@@ -431,4 +509,4 @@ subjects:
 - kind: ServiceAccount
  name: {{ include "mariadb-operator.serviceAccountName" . }}
  namespace: {{ .Release.Namespace }}
-{{- end }}
+{{- end }}
--- a/packages/system/mariadb-operator/charts/mariadb-operator/templates/webhook-certificate.yaml
+++ b/packages/system/mariadb-operator/charts/mariadb-operator/templates/webhook-certificate.yaml
@@ -1,4 +1,5 @@
-{{ if .Values.webhook.certificate.certManager }}
+{{ if .Values.webhook.cert.certManager.enabled }}
+{{ if not .Values.webhook.cert.certManager.issuerRef }}
 apiVersion: cert-manager.io/v1
 kind: Issuer
 metadata:
@@ -7,6 +8,7 @@ metadata:
    {{ include "mariadb-operator-webhook.labels" . | nindent 4 }}
 spec:
  selfSigned: {}
+{{ end }}
 ---
 apiVersion: cert-manager.io/v1
 kind: Certificate
@@ -15,11 +17,33 @@ metadata:
  labels:
    {{ include "mariadb-operator-webhook.labels" . | nindent 4 }}
 spec:
+  commonName: {{ include "mariadb-operator.fullname" . }}-webhook.{{ .Release.Namespace }}.svc
  dnsNames:
-    - {{ include "mariadb-operator-webhook.subjectName" . }}
-    - {{ include "mariadb-operator-webhook.altName" . }}
+    - {{ include "mariadb-operator.fullname" . }}-webhook.{{ .Release.Namespace }}.svc.{{ .Values.clusterName }}
+    - {{ include "mariadb-operator.fullname" . }}-webhook.{{ .Release.Namespace }}.svc
+    - {{ include "mariadb-operator.fullname" . }}-webhook.{{ .Release.Namespace }}
+    - {{ include "mariadb-operator.fullname" . }}-webhook
  issuerRef:
+  {{- if .Values.webhook.cert.certManager.issuerRef -}}
+    {{ toYaml .Values.webhook.cert.certManager.issuerRef | nindent 4 }}
+  {{- else }}
    kind: Issuer
    name: {{ include "mariadb-operator.fullname" . }}-selfsigned-issuer
+  {{- end }}
+  {{- with .Values.webhook.cert.certManager.duration }}
+  duration: {{ . | quote }}
+  {{- end }}
+  {{- with .Values.webhook.cert.certManager.renewBefore }}
+  renewBefore: {{ . | quote }}
+  {{- end }}
  secretName: {{ include "mariadb-operator.fullname" . }}-webhook-cert
-{{ end }}
+  secretTemplate:
+    {{- with .Values.webhook.cert.secretLabels }}
+    labels:
+      {{- toYaml . | nindent 6 }}
+    {{- end }}
+    {{- with .Values.webhook.cert.secretAnnotations }}
+    annotations:
+      {{- toYaml . | nindent 4 }}
+    {{- end }}
+{{ end }}
--- a/packages/system/mariadb-operator/charts/mariadb-operator/templates/webhook-config.yaml
+++ b/packages/system/mariadb-operator/charts/mariadb-operator/templates/webhook-config.yaml
@@ -1,30 +1,4 @@
 {{ $fullName := include "mariadb-operator.fullname" . }}
-{{ $subjectName := include "mariadb-operator-webhook.subjectName" . }}
-{{ $altNames := list }}
-{{ $altNames := append $altNames $subjectName }}
-{{ $altNames := append $altNames (include "mariadb-operator-webhook.altName" . ) }}
-{{ $ca := genCA $fullName (.Values.webhook.certificate.default.caExpirationDays | int) }}
-{{ $cert := genSignedCert $subjectName nil $altNames (.Values.webhook.certificate.default.certExpirationDays | int) $ca }}
-{{ if not .Values.webhook.certificate.certManager }}
-apiVersion: v1
-kind: Secret
-type: kubernetes.io/tls
-metadata:
-  name: {{ $fullName }}-webhook-default-cert
-  labels:
-    {{ include "mariadb-operator-webhook.labels" . | nindent 4 }}
-  annotations:
-    {{ with .Values.webhook.certificate.default.hook }}
-    helm.sh/hook: {{ . }}
-    {{ end }}
-    {{ with .Values.webhook.certificate.default.annotations }}
-    {{ toYaml . | nindent 4 }}
-    {{ end }}
-data:
-  tls.crt: {{ $cert.Cert | b64enc }}
-  tls.key: {{ $cert.Key | b64enc }} 
-{{ end }}
---
 apiVersion: admissionregistration.k8s.io/v1
 kind: MutatingWebhookConfiguration
 metadata:
@@ -32,12 +6,11 @@ metadata:
  labels:
    {{ include "mariadb-operator-webhook.labels" . | nindent 4 }}
  annotations:
-    {{ if .Values.webhook.certificate.certManager }}
+    {{- if .Values.webhook.cert.certManager.enabled }}
    cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "mariadb-operator.fullname" . }}-webhook-cert
-    {{ end }}
-    {{ with .Values.webhook.certificate.default.hook }}
-    helm.sh/hook: {{ . }}
-    {{ end }}
+    {{- else }}
+    k8s.mariadb.com/webhook: ""
+    {{- end }}
    {{ with .Values.webhook.annotations }}
    {{ toYaml . | indent 4 }}
    {{ end }}
@@ -48,15 +21,12 @@ webhooks:
    service:
      name: {{ $fullName }}-webhook
      namespace: {{ .Release.Namespace }}
-      path: /mutate-mariadb-mmontes-io-v1alpha1-mariadb
-    {{ if not .Values.webhook.certificate.certManager }}
-    caBundle: {{ $ca.Cert | b64enc }}
-    {{ end }}
+      path: /mutate-k8s-mariadb-com-v1alpha1-mariadb
  failurePolicy: Fail
  name: mmariadb.kb.io
  rules:
  - apiGroups:
-    - mariadb.mmontes.io
+    - k8s.mariadb.com
    apiVersions:
    - v1alpha1
    operations:
@@ -73,12 +43,11 @@ metadata:
  labels:
    {{ include "mariadb-operator-webhook.labels" . | nindent 4 }}
  annotations:
-    {{ if .Values.webhook.certificate.certManager }}
+    {{- if .Values.webhook.cert.certManager.enabled }}
    cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "mariadb-operator.fullname" . }}-webhook-cert
-    {{ end }}
-    {{ with .Values.webhook.certificate.default.hook }}
-    helm.sh/hook: {{ . }}
-    {{ end }}
+    {{- else }}
+    k8s.mariadb.com/webhook: ""
+    {{- end }}
    {{ with .Values.webhook.annotations }}
    {{ toYaml . | indent 4 }}
    {{ end }}
@@ -89,15 +58,12 @@ webhooks:
      service:
        name: {{ $fullName }}-webhook
        namespace: {{ .Release.Namespace }}
-        path: /validate-mariadb-mmontes-io-v1alpha1-backup
-      {{ if not .Values.webhook.certificate.certManager }}
-      caBundle: {{ $ca.Cert | b64enc }}
-      {{ end }}
+        path: /validate-k8s-mariadb-com-v1alpha1-backup
    failurePolicy: Fail
    name: vbackup.kb.io
    rules:
      - apiGroups:
-          - mariadb.mmontes.io
+          - k8s.mariadb.com
        apiVersions:
          - v1alpha1
        operations:
@@ -112,15 +78,12 @@ webhooks:
      service:
        name: {{ $fullName }}-webhook
        namespace: {{ .Release.Namespace }}
-        path: /validate-mariadb-mmontes-io-v1alpha1-connection
-      {{ if not .Values.webhook.certificate.certManager }}
-      caBundle: {{ $ca.Cert | b64enc }}
-      {{ end }}
+        path: /validate-k8s-mariadb-com-v1alpha1-connection
    failurePolicy: Fail
    name: vconnection.kb.io
    rules:
      - apiGroups:
-          - mariadb.mmontes.io
+          - k8s.mariadb.com
        apiVersions:
          - v1alpha1
        operations:
@@ -135,15 +98,12 @@ webhooks:
      service:
        name: {{ $fullName }}-webhook
        namespace: {{ .Release.Namespace }}
-        path: /validate-mariadb-mmontes-io-v1alpha1-database
-      {{ if not .Values.webhook.certificate.certManager }}
-      caBundle: {{ $ca.Cert | b64enc }}
-      {{ end }}
+        path: /validate-k8s-mariadb-com-v1alpha1-database
    failurePolicy: Fail
    name: vdatabase.kb.io
    rules:
      - apiGroups:
-          - mariadb.mmontes.io
+          - k8s.mariadb.com
        apiVersions:
          - v1alpha1
        operations:
@@ -158,15 +118,12 @@ webhooks:
      service:
        name: {{ $fullName }}-webhook
        namespace: {{ .Release.Namespace }}
-        path: /validate-mariadb-mmontes-io-v1alpha1-grant
-      {{ if not .Values.webhook.certificate.certManager }}
-      caBundle: {{ $ca.Cert | b64enc }}
-      {{ end }}
+        path: /validate-k8s-mariadb-com-v1alpha1-grant
    failurePolicy: Fail
    name: vgrant.kb.io
    rules:
      - apiGroups:
-          - mariadb.mmontes.io
+          - k8s.mariadb.com
        apiVersions:
          - v1alpha1
        operations:
@@ -181,15 +138,12 @@ webhooks:
      service:
        name: {{ $fullName }}-webhook
        namespace: {{ .Release.Namespace }}
-        path: /validate-mariadb-mmontes-io-v1alpha1-mariadb
-      {{ if not .Values.webhook.certificate.certManager }}
-      caBundle: {{ $ca.Cert | b64enc }}
-      {{ end }}
+        path: /validate-k8s-mariadb-com-v1alpha1-mariadb
    failurePolicy: Fail
    name: vmariadb.kb.io
    rules:
      - apiGroups:
-          - mariadb.mmontes.io
+          - k8s.mariadb.com
        apiVersions:
          - v1alpha1
        operations:
@@ -198,21 +152,38 @@ webhooks:
        resources:
          - mariadbs
    sideEffects: None
+  - admissionReviewVersions:
+    - v1
+    clientConfig:
+      service:
+        name: {{ $fullName }}-webhook
+        namespace: {{ .Release.Namespace }}
+        path: /validate-k8s-mariadb-com-v1alpha1-maxscale
+    failurePolicy: Fail
+    name: vmaxscale.kb.io
+    rules:
+    - apiGroups:
+      - k8s.mariadb.com
+      apiVersions:
+      - v1alpha1
+      operations:
+      - CREATE
+      - UPDATE
+      resources:
+      - maxscales
+    sideEffects: None
  - admissionReviewVersions:
      - v1
    clientConfig:
      service:
        name: {{ $fullName }}-webhook
        namespace: {{ .Release.Namespace }}
-        path: /validate-mariadb-mmontes-io-v1alpha1-restore
-      {{ if not .Values.webhook.certificate.certManager }}
-      caBundle: {{ $ca.Cert | b64enc }}
-      {{ end }}
+        path: /validate-k8s-mariadb-com-v1alpha1-restore
    failurePolicy: Fail
    name: vrestore.kb.io
    rules:
      - apiGroups:
-          - mariadb.mmontes.io
+          - k8s.mariadb.com
        apiVersions:
          - v1alpha1
        operations:
@@ -227,15 +198,12 @@ webhooks:
      service:
        name: {{ $fullName }}-webhook
        namespace: {{ .Release.Namespace }}
-        path: /validate-mariadb-mmontes-io-v1alpha1-sqljob
-      {{ if not .Values.webhook.certificate.certManager }}
-      caBundle: {{ $ca.Cert | b64enc }}
-      {{ end }}
+        path: /validate-k8s-mariadb-com-v1alpha1-sqljob
    failurePolicy: Fail
    name: vsqljob.kb.io
    rules:
      - apiGroups:
-          - mariadb.mmontes.io
+          - k8s.mariadb.com
        apiVersions:
          - v1alpha1
        operations:
@@ -250,15 +218,12 @@ webhooks:
      service:
        name: {{ $fullName }}-webhook
        namespace: {{ .Release.Namespace }}
-        path: /validate-mariadb-mmontes-io-v1alpha1-user
-      {{ if not .Values.webhook.certificate.certManager }}
-      caBundle: {{ $ca.Cert | b64enc }}
-      {{ end }}
+        path: /validate-k8s-mariadb-com-v1alpha1-user
    failurePolicy: Fail
    name: vuser.kb.io
    rules:
      - apiGroups:
-          - mariadb.mmontes.io
+          - k8s.mariadb.com
        apiVersions:
          - v1alpha1
        operations:
--- a/packages/system/mariadb-operator/charts/mariadb-operator/templates/webhook-deployment.yaml
+++ b/packages/system/mariadb-operator/charts/mariadb-operator/templates/webhook-deployment.yaml
@@ -1,10 +1,14 @@
+{{ $fullName := include "mariadb-operator.fullname" . }}
 apiVersion: apps/v1
 kind: Deployment
 metadata:
-  name: {{ include "mariadb-operator.fullname" . }}-webhook
+  name: {{ $fullName }}-webhook
  labels:
    {{ include "mariadb-operator-webhook.labels" . | nindent 4 }}
 spec:
+  {{ if .Values.webhook.ha.enabled }}
+  replicas: {{ .Values.webhook.ha.replicas}}
+  {{ end }}
  selector:
    matchLabels:
      {{ include "mariadb-operator-webhook.selectorLabels" . | nindent 6 }}
@@ -46,12 +50,18 @@ spec:
          name: webhook
          args:
            - webhook
-            - --cert-dir={{ .Values.webhook.certificate.path }}
+            {{- if .Values.webhook.cert.certManager.enabled }}
+            - --ca-cert-path={{ .Values.webhook.cert.path }}/ca.crt
+            {{- else }}
+            - --ca-cert-path={{ .Values.webhook.cert.caPath }}/tls.crt
+            {{- end }}
+            - --cert-dir={{ .Values.webhook.cert.path }}
+            - --dns-name={{ $fullName }}-webhook.{{ .Release.Namespace }}.svc
            - --port={{ .Values.webhook.port }}
            - --metrics-addr=:8080
            - --health-addr=:8081
            - --log-level={{ .Values.logLevel }}
-            {{- range .Values.extrArgs }}
+            {{- range .Values.webhook.extrArgs }}
            - {{ . }}
            {{- end }}
          ports:
@@ -65,7 +75,12 @@ spec:
              protocol: TCP
              name: health
          volumeMounts:
-            - mountPath: {{ .Values.webhook.certificate.path }}
+            {{- if not .Values.webhook.cert.certManager.enabled }}
+            - mountPath: {{ .Values.webhook.cert.caPath }}
+              name: ca
+              readOnly: true
+            {{- end }}
+            - mountPath: {{ .Values.webhook.cert.path }}
              name: cert
              readOnly: true
          {{- if .Values.webhook.extraVolumeMounts }}
@@ -73,22 +88,10 @@ spec:
          {{- end }}
          readinessProbe:
            httpGet:
-              path: /healthz
+              path: /readyz
              port: 8081
-            initialDelaySeconds: 5
-            periodSeconds: 10
-          livenessProbe:
-            httpGet:
-              path: /healthz
-              port: 8081
-            initialDelaySeconds: 5
-            periodSeconds: 10
-          startupProbe:
-            httpGet:
-              path: /healthz
-              port: 8081
-            initialDelaySeconds: 5
-            periodSeconds: 10
+            initialDelaySeconds: 20
+            periodSeconds: 5
          {{ with .Values.webhook.resources }}
          resources:
            {{ toYaml . | nindent 12 }}
@@ -98,10 +101,16 @@ spec:
            {{ toYaml . | nindent 12 }}
          {{ end }}
      volumes:
+        {{- if not .Values.webhook.cert.certManager.enabled }}
+        - name: ca
+          secret:
+            defaultMode: 420
+            secretName: {{ $fullName }}-webhook-ca
+        {{- end }}
        - name: cert
          secret:
            defaultMode: 420
-            secretName: {{ include "mariadb-operator-webhook.certificate" . }}
+            secretName: {{ $fullName }}-webhook-cert
      {{- if .Values.webhook.extraVolumes }}
      {{- toYaml .Values.webhook.extraVolumes | nindent 8 }}
      {{- end }}
--- a/packages/system/mariadb-operator/charts/mariadb-operator/templates/webhook-secret.yaml
+++ b/packages/system/mariadb-operator/charts/mariadb-operator/templates/webhook-secret.yaml
@@ -0,0 +1,25 @@
+{{- if not .Values.webhook.cert.certManager.enabled }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "mariadb-operator.fullname" . }}-webhook-ca
+  labels:
+    {{- include "mariadb-operator-webhook.labels" . | nindent 4 }}
+    mariadb-operator.io/component: webhook
+  {{- with .Values.webhook.cert.secretAnnotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "mariadb-operator.fullname" . }}-webhook-cert
+  labels:
+    {{- include "mariadb-operator-webhook.labels" . | nindent 4 }}
+    mariadb-operator.io/component: webhook
+  {{- with .Values.webhook.cert.secretAnnotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+{{- end }}
--- a/packages/system/mariadb-operator/charts/mariadb-operator/values.yaml
+++ b/packages/system/mariadb-operator/charts/mariadb-operator/values.yaml
@@ -19,11 +19,9 @@ ha:
  enabled: false
  # -- Number of replicas
  replicas: 3
-  # -- Lease resource name to be used for leader election
-  leaseId: mariadb.mmontes.io

 metrics:
-  # -- Enable prometheus metrics. Prometheus must be installed in the cluster
+  # -- Enable operator internal metrics. Prometheus must be installed in the cluster
  enabled: false
  serviceMonitor:
    # -- Enable controller ServiceMonitor
@@ -56,6 +54,9 @@ rbac:
 # -- Extra arguments to be passed to the controller entrypoint
 extrArgs: []

+# -- Extra environment variables to be passed to the controller
+extraEnv: []
+
 # -- Extra volumes to pass to pod.
 extraVolumes: []

@@ -87,31 +88,37 @@ tolerations: []
 affinity: {}

 webhook:
-  # -- Annotations for webhook configurations.
-  annotations: {}
  image:
    repository: ghcr.io/mariadb-operator/mariadb-operator
    pullPolicy: IfNotPresent
    # -- Image tag to use. By default the chart appVersion is used
    tag: ""
  imagePullSecrets: []
-  certificate:
-    # -- Use cert-manager to issue and rotate the certificate. If set to false, a default certificate will be used.
-    certManager: false
-    # -- Default certificate generated when the chart is installed or upgraded.
-    default:
-      # -- Certificate authority expiration in days.
-      caExpirationDays: 365
-      # -- Certificate expiration in days.
-      certExpirationDays: 365
-      # -- Annotations for certificate Secret.
-      annotations: {}
-      # -- Helm hook to be added to the default certificate.
-      hook: ""
+  ha:
+    # -- Enable high availability
+    enabled: false
+    # -- Number of replicas
+    replicas: 3
+  cert:
+    certManager:
+      # -- Whether to use cert-manager to issue and rotate the certificate. If set to false, mariadb-operator's cert-controller will be used instead.
+      enabled: false
+      # -- Issuer reference to be used in the Certificate resource. If not provided, a self-signed issuer will be used.
+      issuerRef: {}
+       # -- Duration to be used in the Certificate resource,
+      duration: ""
+       # -- Renew before duration to be used in the Certificate resource.
+      renewBefore: ""
+    # -- Annotatioms to be added to webhook TLS secret.
+    secretAnnotations: {}
+    # -- Labels to be added to webhook TLS secret.
+    secretLabels: {}
+    # -- Path where the CA certificate will be mounted.
+    caPath: /tmp/k8s-webhook-server/certificate-authority
    # -- Path where the certificate will be mounted.
    path: /tmp/k8s-webhook-server/serving-certs
  # -- Port to be used by the webhook server
-  port: 10250
+  port: 9443
  # -- Expose the webhook server in the host network
  hostNetwork: false
  serviceMonitor:
@@ -136,6 +143,8 @@ webhook:
    # -- The name of the service account to use.
    # If not set and enabled is true, a name is generated using the fullname template
    name: ""
+  # -- Annotations for webhook configurations.
+  annotations: {}
  # -- Extra arguments to be passed to the webhook entrypoint
  extrArgs: []
  # -- Extra volumes to pass to webhook Pod
@@ -159,3 +168,71 @@ webhook:
  tolerations: []
  # -- Affinity to add to controller Pod
  affinity: {}
+
+certController:
+  # -- Specifies whether the cert-controller should be created.
+  enabled: true
+  image:
+    repository: ghcr.io/mariadb-operator/mariadb-operator
+    pullPolicy: IfNotPresent
+    # -- Image tag to use. By default the chart appVersion is used
+    tag: ""
+  imagePullSecrets: []
+  ha:
+    # -- Enable high availability
+    enabled: false
+    # -- Number of replicas
+    replicas: 3
+  # -- CA certificate validity. It must be greater than certValidity.
+  caValidity: 35064h
+  # -- Certificate validity.
+  certValidity: 8766h
+  # -- Duration used to verify whether a certificate is valid or not.
+  lookaheadValidity: 2160h
+  # -- Requeue duration to ensure that certificate gets renewed.
+  requeueDuration: 5m
+  serviceMonitor:
+    # -- Enable cert-controller ServiceMonitor. Metrics must be enabled
+    enabled: true
+    # -- Labels to be added to the cert-controller ServiceMonitor
+    additionalLabels: {}
+    # release: kube-prometheus-stack
+    # --  Interval to scrape metrics
+    interval: 30s
+    # -- Timeout if metrics can't be retrieved in given time interval
+    scrapeTimeout: 25s
+  serviceAccount:
+    # -- Specifies whether a service account should be created
+    enabled: true
+    # -- Automounts the service account token in all containers of the Pod
+    automount: true
+    # -- Annotations to add to the service account
+    annotations: {}
+    # -- Extra Labels to add to the service account
+    extraLabels: {}
+    # -- The name of the service account to use.
+    # If not set and enabled is true, a name is generated using the fullname template
+    name: ""
+  # -- Extra arguments to be passed to the cert-controller entrypoint
+  extrArgs: []
+  # -- Extra volumes to pass to cert-controller Pod
+  extraVolumes: []
+  # -- Extra volumes to mount to cert-controller container
+  extraVolumeMounts: []
+  # -- Annotations to add to cert-controller Pod
+  podAnnotations: {}
+  # -- Security context to add to cert-controller Pod
+  podSecurityContext: {}
+  # -- Security context to add to cert-controller container
+  securityContext: {}
+  # -- Resources to add to cert-controller container
+  resources: {}
+  # requests:
+  #   cpu: 10m
+  #   memory: 32Mi
+  # -- Node selectors to add to controller Pod
+  nodeSelector: {}
+  # -- Tolerations to add to controller Pod
+  tolerations: []
+  # -- Affinity to add to controller Pod
+  affinity: {}
--- a/packages/system/piraeus-operator/charts/piraeus/Chart.yaml
+++ b/packages/system/piraeus-operator/charts/piraeus/Chart.yaml
@@ -3,8 +3,8 @@ name: piraeus
 description: |
  The Piraeus Operator manages software defined storage clusters using LINSTOR in Kubernetes.
 type: application
-version: 2.3.0
-appVersion: "v2.3.0"
+version: 2.4.1
+appVersion: "v2.4.1"
 maintainers:
  - name: Piraeus Datastore
    url: https://piraeus.io
--- a/packages/system/piraeus-operator/charts/piraeus/templates/config.yaml
+++ b/packages/system/piraeus-operator/charts/piraeus/templates/config.yaml
@@ -17,19 +17,19 @@ data:
    #   quay.io/piraeusdatastore/piraeus-server:v1.24.2
    components:
      linstor-controller:
-        tag: v1.25.1
+        tag: v1.26.2
        image: piraeus-server
      linstor-satellite:
-        tag: v1.25.1
+        tag: v1.26.2
        image: piraeus-server
      linstor-csi:
-        tag: v1.3.0
+        tag: v1.4.0
        image: piraeus-csi
      drbd-reactor:
        tag: v1.4.0
        image: drbd-reactor
      ha-controller:
-        tag: v1.1.4
+        tag: v1.2.0
        image: piraeus-ha-controller
      drbd-shutdown-guard:
        tag: v1.0.0
@@ -38,7 +38,7 @@ data:
        tag: v0.10
        image: ktls-utils
      drbd-module-loader:
-        tag: v9.2.6
+        tag: v9.2.8
        # The special "match" attribute is used to select an image based on the node's reported OS.
        # The operator will first check the k8s node's ".status.nodeInfo.osImage" field, and compare it against the list
        # here. If one matches, that specific image name will be used instead of the fallback image.
@@ -54,12 +54,18 @@ data:
            image: drbd9-almalinux8
          - osImage: AlmaLinux 9
            image: drbd9-almalinux9
+          - osImage: Rocky Linux 8
+            image: drbd9-almalinux8
+          - osImage: Rocky Linux 9
+            image: drbd9-almalinux9
          - osImage: Ubuntu 18\.04
            image: drbd9-bionic
          - osImage: Ubuntu 20\.04
            image: drbd9-focal
          - osImage: Ubuntu 22\.04
            image: drbd9-jammy
+          - osImage: Debian GNU/Linux 12
+            image: drbd9-bookworm
          - osImage: Debian GNU/Linux 11
            image: drbd9-bullseye
          - osImage: Debian GNU/Linux 10
@@ -69,25 +75,25 @@ data:
    base: registry.k8s.io/sig-storage
    components:
      csi-attacher:
-        tag: v4.4.2
+        tag: v4.5.0
        image: csi-attacher
      csi-livenessprobe:
-        tag: v2.11.0
+        tag: v2.12.0
        image: livenessprobe
      csi-provisioner:
-        tag: v3.6.2
+        tag: v4.0.0
        image: csi-provisioner
      csi-snapshotter:
-        tag: v6.3.2
+        tag: v7.0.1
        image: csi-snapshotter
      csi-resizer:
-        tag: v1.9.2
+        tag: v1.10.0
        image: csi-resizer
      csi-external-health-monitor-controller:
-        tag: v0.10.0
+        tag: v0.11.0
        image: csi-external-health-monitor-controller
      csi-node-driver-registrar:
-        tag: v2.9.1
+        tag: v2.10.0
        image: csi-node-driver-registrar
  {{- range $idx, $value := .Values.imageConfigOverride }}
  {{ add $idx 1 }}_helm_override.yaml: |
--- a/packages/system/piraeus-operator/charts/piraeus/templates/crds.yaml
+++ b/packages/system/piraeus-operator/charts/piraeus/templates/crds.yaml
--- a/packages/system/piraeus-operator/charts/piraeus/templates/validating-webhook-configuration.yaml
+++ b/packages/system/piraeus-operator/charts/piraeus/templates/validating-webhook-configuration.yaml
@@ -152,3 +152,27 @@ webhooks:
    resources:
    - linstorsatelliteconfigurations
  sideEffects: None
+- admissionReviewVersions:
+    - v1
+  clientConfig:
+    service:
+      name: '{{ include "piraeus-operator.fullname" . }}-webhook-service'
+      namespace: '{{ .Release.Namespace }}'
+      path: /validate-storage-k8s-io-v1-storageclass
+    {{- if not .Values.tls.certManagerIssuerRef }}
+    caBundle: {{ $ca }}
+    {{- end }}
+  failurePolicy: {{ .Values.webhook.failurePolicy }}
+  timeoutSeconds: {{ .Values.webhook.timeoutSeconds }}
+  name: vstorageclass.kb.io
+  rules:
+    - apiGroups:
+        - storage.k8s.io
+      apiVersions:
+        - v1
+      operations:
+        - CREATE
+        - UPDATE
+      resources:
+        - storageclasses
+  sideEffects: None
--- a/packages/system/postgres-operator/charts/cloudnative-pg/Chart.yaml
+++ b/packages/system/postgres-operator/charts/cloudnative-pg/Chart.yaml
@@ -1,9 +1,11 @@
 apiVersion: v2
-appVersion: 1.21.1
-description: CloudNativePG Helm Chart
+appVersion: 1.22.2
+description: CloudNativePG Operator Helm Chart
 home: https://cloudnative-pg.io
 icon: https://raw.githubusercontent.com/cloudnative-pg/artwork/main/cloudnativepg-logo.svg
 keywords:
+- operator
+- controller
 - postgresql
 - postgres
 - database
@@ -14,4 +16,4 @@ name: cloudnative-pg
 sources:
 - https://github.com/cloudnative-pg/charts
 type: application
-version: 0.19.1
+version: 0.20.2
--- a/packages/system/postgres-operator/charts/cloudnative-pg/README.md
+++ b/packages/system/postgres-operator/charts/cloudnative-pg/README.md
--- a/packages/system/postgres-operator/charts/cloudnative-pg/monitoring/grafana-dashboard.json
+++ b/packages/system/postgres-operator/charts/cloudnative-pg/monitoring/grafana-dashboard.json
--- a/packages/system/postgres-operator/charts/cloudnative-pg/templates/crds/crds.yaml
+++ b/packages/system/postgres-operator/charts/cloudnative-pg/templates/crds/crds.yaml
--- a/packages/system/postgres-operator/charts/cloudnative-pg/templates/deployment.yaml
+++ b/packages/system/postgres-operator/charts/cloudnative-pg/templates/deployment.yaml
@@ -31,8 +31,9 @@ spec:
      {{- include "cloudnative-pg.selectorLabels" . | nindent 6 }}
  template:
    metadata:
-      {{- with .Values.podAnnotations }}
      annotations:
+        checksum/config: {{ include (print $.Template.BasePath "/config.yaml") . | sha256sum }}
+      {{- with .Values.podAnnotations }}
        {{- toYaml . | nindent 8 }}
      {{- end }}
      labels:
--- a/packages/system/postgres-operator/charts/cloudnative-pg/templates/grafana-dashboard.yaml
+++ b/packages/system/postgres-operator/charts/cloudnative-pg/templates/grafana-dashboard.yaml
@@ -0,0 +1,12 @@
+{{- if .Values.monitoring.grafanaDashboard.create -}}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ .Values.monitoring.grafanaDashboard.configMapName }}
+  namespace: {{ default .Release.Namespace .Values.monitoring.grafanaDashboard.namespace }}
+  labels:
+    {{ .Values.monitoring.grafanaDashboard.sidecarLabel }}: {{ .Values.monitoring.grafanaDashboard.sidecarLabelValue | quote }}
+data:
+    cnp.json: |-
+{{ .Files.Get "monitoring/grafana-dashboard.json" | indent 6 }}
+{{- end -}}
--- a/packages/system/postgres-operator/charts/cloudnative-pg/values.schema.json
+++ b/packages/system/postgres-operator/charts/cloudnative-pg/values.schema.json
@@ -95,6 +95,26 @@
        "monitoring": {
            "type": "object",
            "properties": {
+                "grafanaDashboard": {
+                    "type": "object",
+                    "properties": {
+                        "configMapName": {
+                            "type": "string"
+                        },
+                        "create": {
+                            "type": "boolean"
+                        },
+                        "namespace": {
+                            "type": "string"
+                        },
+                        "sidecarLabel": {
+                            "type": "string"
+                        },
+                        "sidecarLabelValue": {
+                            "type": "string"
+                        }
+                    }
+                },
                "podMonitorEnabled": {
                    "type": "boolean"
                }
--- a/packages/system/postgres-operator/charts/cloudnative-pg/values.yaml
+++ b/packages/system/postgres-operator/charts/cloudnative-pg/values.yaml
@@ -139,6 +139,16 @@ affinity: {}
 monitoring:
  # -- Specifies whether the monitoring should be enabled. Requires Prometheus Operator CRDs.
  podMonitorEnabled: false
+  grafanaDashboard:
+    create: false
+    # -- Allows overriding the namespace where the ConfigMap will be created, defaulting to the same one as the Release.
+    namespace: ""
+    # -- The name of the ConfigMap containing the dashboard.
+    configMapName: "cnpg-grafana-dashboard"
+    # -- Label that ConfigMaps should have to be loaded as dashboards.
+    sidecarLabel: "grafana_dashboard"
+    # -- Label value that ConfigMaps should have to be loaded as dashboards.
+    sidecarLabelValue: "1"

 # Default monitoring queries
 monitoringQueriesConfigMap:
--- a/scripts/installer.sh
+++ b/scripts/installer.sh
@@ -1,9 +1,18 @@
 #!/bin/sh
+VERSION=2
 set -o pipefail
 set -e

 run_migrations() {
-  return 0
+  if ! kubectl get configmap -n cozy-system cozystack-version; then
+    kubectl create configmap -n cozy-system cozystack-version --from-literal=version="$VERSION" --dry-run=client -o yaml | kubectl create -f-
+  fi
+  current_version=$(kubectl get configmap -n cozy-system cozystack-version -o jsonpath='{.data.version}') || true
+  until [ "$current_version" = "$VERSION" ]; do
+    echo "run migration: $current_version --> $VERSION"
+    scripts/migrations/$current_version
+    current_version=$(kubectl get configmap -n cozy-system cozystack-version -o jsonpath='{.data.version}')
+  done
 }

 flux_is_ok() {
@@ -18,6 +27,9 @@ install_basic_charts() {

 cd "$(dirname "$0")/.."

+# Run migrations
+run_migrations
+
 # Install namespaces
 make -C packages/core/platform namespaces-apply

@@ -26,9 +38,6 @@ if ! flux_is_ok; then
  install_basic_charts
 fi

-# Run migrations
-run_migrations
-
 # Reconcile Helm repositories
 kubectl annotate helmrepositories.source.toolkit.fluxcd.io -A -l cozystack.io/repository reconcile.fluxcd.io/requestedAt=$(date +"%Y-%m-%dT%H:%M:%SZ") --overwrite

--- a/scripts/migrations/1
+++ b/scripts/migrations/1
@@ -0,0 +1,8 @@
+#!/bin/sh
+
+if kubectl get -n cozy-mariadb-operator secret/mariadb-operator-webhook-cert; then
+  kubectl annotate -n cozy-mariadb-operator secret/mariadb-operator-webhook-cert meta.helm.sh/release-namespace=cozy-mariadb-operator meta.helm.sh/release-name=mariadb-operator
+  kubectl label -n cozy-mariadb-operator secret/mariadb-operator-webhook-cert app.kubernetes.io/managed-by=Helm
+fi
+
+kubectl create configmap -n cozy-system cozystack-version --from-literal=version=2 --dry-run=client -o yaml | kubectl apply -f-
Author	SHA1	Message	Date
Andrei Kvapil	0efd9ebc83	mariadb-operator v0.27.0	2024-03-27 19:47:41 +01:00
Andrei Kvapil	e17dcaa65e	Update CNPG to 1.22.2 (#46 ) Signed-off-by: Andrei Kvapil <kvapss@gmail.com>	2024-03-15 21:15:36 +01:00
Andrei Kvapil	85d4ed251d	Update piraeus-operator and LINSTOR v2.4.1 (#45 )	2024-03-15 21:15:27 +01:00
Andrei Kvapil	f1c01a0fe8	Add link to roadmap (#41 ) Signed-off-by: Andrei Kvapil <kvapss@gmail.com>	2024-03-15 21:15:17 +01:00
Andrei Kvapil	2cff181279	Preapre release v0.2.0 (#38 ) Signed-off-by: Andrei Kvapil <kvapss@gmail.com>	2024-03-15 21:15:06 +01:00
Andrei Kvapil	2e3555600d	Positioning Cozystack as framework for building clouds (#31 ) Signed-off-by: Andrei Kvapil <kvapss@gmail.com>	2024-03-05 11:05:40 +01:00
George Gaál	98f488fcac	Fix gitignore (#26 ) Signed-off-by: George Gaál <gb12335@gmail.com>	2024-02-21 12:33:52 +01:00