Helm

Helm is the preferred way to install MariaDB Enterprise Operator in Kubernetes clusters. This documentation aims to provide guidance on how to manage the installation and upgrades of both the CRDs and the operator via Helm charts.

Prerequisites

Configure your customer credentials as described in the documentation to be able to pull images.

Charts

MariaDB Enterprise Operator is splitted into two different helm charts for better convenience:

  • mariadb-enterprise-operator-crds: Bundles the CustomResourceDefinitions required by the operator.

  • mariadb-enterprise-operator: Contains all the template manifests required to install the operator. Refer to the operator helm values section for detailed information about the supported values.

Control-plane

The operator extends the Kubernetes control plane and consists of the following components deployed via Helm:

  • operator: The mariadb-enterprise-operator itself that performs the CRD reconciliation.

  • webhook: The Kubernetes control-plane delegates CRD validations to this HTTP server. Kubernetes requires TLS to communicate with the webhook server.

  • cert-controller: Provisions TLS certificates for the webhook. You can see it as a minimal cert-manager that is intended to work only with the webhook. It is optional and can be replaced by cert-manager.

Installing CRDs

Helm has certain limitations when it comes to manage CRDs. To address this, we are providing the CRDs in a separate chart, as recommended by the official Helm documentation. This allows us to manage the installation and updates of the CRDs independently from the operator. For example, you can uninstall the operator without impacting your existing MariaDB CRDs.

CRDs can be installed in your cluster by running the following commands

helm repo add mariadb-enterprise-operator https://operator.mariadb.com
helm install mariadb-enterprise-operator-crds mariadb-enterprise-operator/mariadb-enterprise-operator-crds

Installing the operator

The first step is to prepare a values.yaml file to specify your previously configured customer credentials:

imagePullSecrets:
  - name: mariadb-enterprise

webhook:
  imagePullSecrets:
      - name: mariadb-enterprise

certController:
  imagePullSecrets:
    - name: mariadb-enterprise

Then, you can proceed to install the operator:

helm repo add mariadb-enterprise-operator https://operator.mariadb.com
helm install mariadb-enterprise-operator mariadb-enterprise-operator/mariadb-enterprise-operator \
  -f values.yaml

If you have the prometheus operator and cert-manager already installed in your cluster, it is recommended to leverage them to scrape the operator metrics and provision the webhook certificate respectively:

helm repo add mariadb-enterprise-operator https://operator.mariadb.com
helm install mariadb-enterprise-operator mariadb-enterprise-operator/mariadb-enterprise-operator \
  -f values.yaml \
  --set metrics.enabled=true --set webhook.cert.certManager.enabled=true

Refer to the operator helm values section for detailed information about the supported values.

Deployment modes

The following deployment modes are supported:

Cluster-wide

The operator watches CRDs in all namespaces and requires cluster-wide RBAC permissions to operate. This is the default deployment mode, enabled through the default configuration values:

helm repo add mariadb-enterprise-operator https://operator.mariadb.com
helm install mariadb-enterprise-operator mariadb-enterprise-operator/mariadb-enterprise-operator

Single namespace

By setting currentNamespaceOnly=true, the operator will only watch CRDs within the namespace it is deployed in, and the RBAC permissions will be restricted to that namespace as well:

helm repo add mariadb-enterprise-operator https://operator.mariadb.com
helm install mariadb-enterprise-operator \
  -n databases --create-namespace \
  -f values.yaml \
  --set currentNamespaceOnly=true \
  mariadb-enterprise-operator/mariadb-enterprise-operator

Updates

Make sure you read and understand the updates documentation before proceeding to update the operator.

The first step is upgrading the CRDs that the operator depends on:

helm repo update mariadb-enterprise-operator
helm upgrade --install mariadb-enterprise-operator-crds \
  --version <new-version> \
  mariadb-enterprise-operator/mariadb-enterprise-operator-crds

Once updated, you may proceed to upgrade the operator:

helm repo update mariadb-enterprise-operator
helm upgrade --install mariadb-enterprise-operator \
  --version <new-version> \
  mariadb-enterprise-operator/mariadb-enterprise-operator

Whenever a new version of the operator is released, an upgrade guide is linked in the release notes if additional upgrade steps are required. Be sure to review the release notes and follow the version-specific upgrade guides accordingly.

Operator high availability

The operator can run in high availability mode to prevent downtime during updates and ensure continuous reconciliation of your CRs, even if the node where the operator runs goes down. To achieve this, you need:

  • Multiple replicas

  • Configure Pod anti-affinity

  • Configure PodDisruptionBudgets

You can achieve this by providing the following values to the helm chart:

ha:
  enabled: true
  replicas: 3

affinity:
  podAntiAffinity:
    requiredDuringSchedulingIgnoredDuringExecution:
    - labelSelector:
        matchExpressions:
        - key: app.kubernetes.io/name
          operator: In
          values:
          - mariadb-enterprise-operator
        - key: app.kubernetes.io/instance
          operator: In
          values:
          - mariadb-enterprise-operator
      topologyKey: kubernetes.io/hostname

pdb:
  enabled: true
  maxUnavailable: 1

You may similarly configure the webhook and cert-controller components to run in high availability mode by providing the same values to their respective sections. Refer to the operator helm values for detailed information.

Uninstalling

First, uninstall the mariadb-enterprise-operator Helm chart. This action will not delete your CRDs, so your operands (i.e. MariaDB and MaxScale) will continue to run without the operator's reconciliation.

helm uninstall mariadb-enterprise-operator

At this point, if you also want to delete CRDs and the operands running in your cluster, you may proceed to uninstall the mariadb-enterprise-operator-crds Helm chart:

helm uninstall mariadb-enterprise-operator-crds

Operator helm values

Key
Type
Default
Description

affinity

object

{}

Affinity to add to controller Pod

certController.affinity

object

{}

Affinity to add to cert-controller container

certController.caLifetime

string

"26280h"

CA certificate lifetime. It must be greater than certLifetime.

certController.certLifetime

string

"2160h"

Certificate lifetime.

certController.enabled

bool

true

Specifies whether the cert-controller should be created.

certController.extrArgs

list

[]

Extra arguments to be passed to the cert-controller entrypoint

certController.extraVolumeMounts

list

[]

Extra volumes to mount to cert-controller container

certController.extraVolumes

list

[]

Extra volumes to pass to cert-controller Pod

certController.ha.enabled

bool

false

Enable high availability

certController.ha.replicas

int

3

Number of replicas

certController.image.pullPolicy

string

"IfNotPresent"

certController.image.repository

string

"docker.mariadb.com/mariadb-enterprise-operator"

certController.image.tag

string

""

Image tag to use. By default the chart appVersion is used

certController.imagePullSecrets

list

[]

certController.nodeSelector

object

{}

Node selectors to add to cert-controller container

certController.pdb.enabled

bool

false

Enable PodDisruptionBudget for the cert-controller.

certController.pdb.maxUnavailable

int

1

Maximum number of unavailable Pods. You may also give a percentage, like 50%

certController.podAnnotations

object

{}

Annotations to add to cert-controller Pod

certController.podSecurityContext

object

{}

Security context to add to cert-controller Pod

certController.priorityClassName

string

""

priorityClassName to add to cert-controller container

certController.privateKeyAlgorithm

string

"ECDSA"

Private key algorithm to be used for the CA and leaf certificate private keys. One of: ECDSA or RSA.

certController.privateKeySize

int

256

Private key size to be used for the CA and leaf certificate private keys. Supported values: ECDSA(256, 384, 521), RSA(2048, 3072, 4096)

certController.renewBeforePercentage

int

33

How long before the certificate expiration should the renewal process be triggered. For example, if a certificate is valid for 60 minutes, and renewBeforePercentage=25, cert-controller will begin to attempt to renew the certificate 45 minutes after it was issued (i.e. when there are 15 minutes (25%) remaining until the certificate is no longer valid).

certController.requeueDuration

string

"5m"

Requeue duration to ensure that certificate gets renewed.

certController.resources

object

{}

Resources to add to cert-controller container

certController.securityContext

object

{}

Security context to add to cert-controller Pod

certController.serviceAccount.annotations

object

{}

Annotations to add to the service account

certController.serviceAccount.automount

bool

true

Automounts the service account token in all containers of the Pod

certController.serviceAccount.enabled

bool

true

Specifies whether a service account should be created

certController.serviceAccount.extraLabels

object

{}

Extra Labels to add to the service account

certController.serviceAccount.name

string

""

The name of the service account to use. If not set and enabled is true, a name is generated using the fullname template

certController.serviceMonitor.additionalLabels

object

{}

Labels to be added to the cert-controller ServiceMonitor

certController.serviceMonitor.enabled

bool

true

Enable cert-controller ServiceMonitor. Metrics must be enabled

certController.serviceMonitor.interval

string

"30s"

Interval to scrape metrics

certController.serviceMonitor.metricRelabelings

list

[]

certController.serviceMonitor.relabelings

list

[]

certController.serviceMonitor.scrapeTimeout

string

"25s"

Timeout if metrics can't be retrieved in given time interval

certController.tolerations

list

[]

Tolerations to add to cert-controller container

certController.topologySpreadConstraints

list

[]

topologySpreadConstraints to add to cert-controller container

clusterName

string

"cluster.local"

Cluster DNS name

config.exporterImage

string

"mariadb/mariadb-prometheus-exporter-ubi:1.0.0"

Default MariaDB exporter image

config.exporterMaxscaleImage

string

"mariadb/maxscale-prometheus-exporter-ubi:1.0.0"

Default MaxScale exporter image

config.galeraLibPath

string

"/usr/lib64/galera/libgalera_enterprise_smm.so"

Galera Enterprise library path to be used with Galera

config.mariadbDefaultVersion

string

"11.4"

Default MariaDB Enterprise version to be used when unable to infer it via image tag

config.mariadbImage

string

"docker.mariadb.com/enterprise-server:11.4.5-3"

Default MariaDB Enterprise image

config.maxscaleImage

string

"docker.mariadb.com/maxscale-enterprise:25.01.2"

Default MaxScale Enterprise image

crds

object

{"enabled":false}

- CRDs

crds.enabled

bool

false

Whether the helm chart should create and update the CRDs. It is false by default, which implies that the CRDs must be managed independently with the mariadb-enterprise-operator-crds helm chart. WARNING This should only be set to true during the initial deployment. If this chart manages the CRDs and is later uninstalled, all MariaDB instances will be DELETED.

currentNamespaceOnly

bool

false

Whether the operator should watch CRDs only in its own namespace or not.

extrArgs

list

[]

Extra arguments to be passed to the controller entrypoint

extraEnv

list

[]

Extra environment variables to be passed to the controller

extraEnvFrom

list

[]

Extra environment variables from preexiting ConfigMap / Secret objects used by the controller using envFrom

extraVolumeMounts

list

[]

Extra volumes to mount to the container.

extraVolumes

list

[]

Extra volumes to pass to pod.

fullnameOverride

string

""

ha.enabled

bool

false

Enable high availability of the controller. If you enable it we recommend to set affinity and pdb

ha.replicas

int

3

Number of replicas

image.pullPolicy

string

"IfNotPresent"

image.repository

string

"docker.mariadb.com/mariadb-enterprise-operator"

image.tag

string

""

Image tag to use. By default the chart appVersion is used

imagePullSecrets

list

[]

logLevel

string

"INFO"

Controller log level

metrics.enabled

bool

false

Enable operator internal metrics. Prometheus must be installed in the cluster

metrics.serviceMonitor.additionalLabels

object

{}

Labels to be added to the controller ServiceMonitor

metrics.serviceMonitor.enabled

bool

true

Enable controller ServiceMonitor

metrics.serviceMonitor.interval

string

"30s"

Interval to scrape metrics

metrics.serviceMonitor.metricRelabelings

list

[]

metrics.serviceMonitor.relabelings

list

[]

metrics.serviceMonitor.scrapeTimeout

string

"25s"

Timeout if metrics can't be retrieved in given time interval

nameOverride

string

""

nodeSelector

object

{}

Node selectors to add to controller Pod

pdb.enabled

bool

false

Enable PodDisruptionBudget for the controller.

pdb.maxUnavailable

int

1

Maximum number of unavailable Pods. You may also give a percentage, like 50%

podAnnotations

object

{}

Annotations to add to controller Pod

podSecurityContext

object

{}

Security context to add to controller Pod

pprof.enabled

bool

false

Enable the pprof HTTP server.

pprof.port

int

6060

The port where the pprof HTTP server listens.

priorityClassName

string

""

priorityClassName to add to controller Pod

rbac.aggregation.enabled

bool

true

Specifies whether the cluster roles aggrate to view and edit predefinied roles

rbac.enabled

bool

true

Specifies whether RBAC resources should be created

resources

object

{}

Resources to add to controller container

securityContext

object

{}

Security context to add to controller container

serviceAccount.annotations

object

{}

Annotations to add to the service account

serviceAccount.automount

bool

true

Automounts the service account token in all containers of the Pod

serviceAccount.enabled

bool

true

Specifies whether a service account should be created

serviceAccount.extraLabels

object

{}

Extra Labels to add to the service account

serviceAccount.name

string

""

The name of the service account to use. If not set and enabled is true, a name is generated using the fullname template

tolerations

list

[]

Tolerations to add to controller Pod

topologySpreadConstraints

list

[]

topologySpreadConstraints to add to controller Pod

webhook.affinity

object

{}

Affinity to add to webhook Pod

webhook.annotations

object

{}

Annotations for webhook configurations.

webhook.cert.ca.key

string

""

File under 'ca.path' that contains the full CA trust chain.

webhook.cert.ca.path

string

""

Path that contains the full CA trust chain.

webhook.cert.certManager.duration

string

""

Duration to be used in the Certificate resource,

webhook.cert.certManager.enabled

bool

false

Whether to use cert-manager to issue and rotate the certificate. If set to false, mariadb-enterprise-operator's cert-controller will be used instead.

webhook.cert.certManager.issuerRef

object

{}

Issuer reference to be used in the Certificate resource. If not provided, a self-signed issuer will be used.

webhook.cert.certManager.privateKeyAlgorithm

string

"ECDSA"

Private key algorithm to be used for the CA and leaf certificate private keys. One of: ECDSA or RSA.

webhook.cert.certManager.privateKeySize

int

256

Private key size to be used for the CA and leaf certificate private keys. Supported values: ECDSA(256, 384, 521), RSA(2048, 3072, 4096)

webhook.cert.certManager.renewBefore

string

""

Renew before duration to be used in the Certificate resource.

webhook.cert.certManager.revisionHistoryLimit

int

3

The maximum number of CertificateRequest revisions that are maintained in the Certificate’s history.

webhook.cert.path

string

"/tmp/k8s-webhook-server/serving-certs"

Path where the certificate will be mounted. 'tls.crt' and 'tls.key' certificates files should be under this path.

webhook.cert.secretAnnotations

object

{}

Annotatioms to be added to webhook TLS secret.

webhook.cert.secretLabels

object

{}

Labels to be added to webhook TLS secret.

webhook.enabled

bool

true

Specifies whether the webhook should be created.

webhook.extrArgs

list

[]

Extra arguments to be passed to the webhook entrypoint

webhook.extraVolumeMounts

list

[]

Extra volumes to mount to webhook container

webhook.extraVolumes

list

[]

Extra volumes to pass to webhook Pod

webhook.ha.enabled

bool

false

Enable high availability

webhook.ha.replicas

int

3

Number of replicas

webhook.hostNetwork

bool

false

Expose the webhook server in the host network

webhook.image.pullPolicy

string

"IfNotPresent"

webhook.image.repository

string

"docker.mariadb.com/mariadb-enterprise-operator"

webhook.image.tag

string

""

Image tag to use. By default the chart appVersion is used

webhook.imagePullSecrets

list

[]

webhook.nodeSelector

object

{}

Node selectors to add to webhook Pod

webhook.pdb.enabled

bool

false

Enable PodDisruptionBudget for the webhook.

webhook.pdb.maxUnavailable

int

1

Maximum number of unavailable Pods. You may also give a percentage, like 50%

webhook.podAnnotations

object

{}

Annotations to add to webhook Pod

webhook.podSecurityContext

object

{}

Security context to add to webhook Pod

webhook.port

int

9443

Port to be used by the webhook server

webhook.priorityClassName

string

""

priorityClassName to add to webhook Pod

webhook.resources

object

{}

Resources to add to webhook container

webhook.securityContext

object

{}

Security context to add to webhook container

webhook.serviceAccount.annotations

object

{}

Annotations to add to the service account

webhook.serviceAccount.automount

bool

true

Automounts the service account token in all containers of the Pod

webhook.serviceAccount.enabled

bool

true

Specifies whether a service account should be created

webhook.serviceAccount.extraLabels

object

{}

Extra Labels to add to the service account

webhook.serviceAccount.name

string

""

The name of the service account to use. If not set and enabled is true, a name is generated using the fullname template

webhook.serviceMonitor.additionalLabels

object

{}

Labels to be added to the webhook ServiceMonitor

webhook.serviceMonitor.enabled

bool

true

Enable webhook ServiceMonitor. Metrics must be enabled

webhook.serviceMonitor.interval

string

"30s"

Interval to scrape metrics

webhook.serviceMonitor.metricRelabelings

list

[]

webhook.serviceMonitor.relabelings

list

[]

webhook.serviceMonitor.scrapeTimeout

string

"25s"

Timeout if metrics can't be retrieved in given time interval

webhook.tolerations

list

[]

Tolerations to add to webhook Pod

webhook.topologySpreadConstraints

list

[]

topologySpreadConstraints to add to webhook Pod

This page is: Copyright © 2025 MariaDB. All rights reserved.

Last updated

Was this helpful?