diff --git a/k8s.mariadb.com/backup_v1alpha1.json b/k8s.mariadb.com/backup_v1alpha1.json index 6886112b..b5e029dc 100644 --- a/k8s.mariadb.com/backup_v1alpha1.json +++ b/k8s.mariadb.com/backup_v1alpha1.json @@ -1108,10 +1108,8 @@ } }, "required": [ - "accessKeyIdSecretKeyRef", "bucket", - "endpoint", - "secretAccessKeySecretKeyRef" + "endpoint" ], "type": "object", "additionalProperties": false diff --git a/k8s.mariadb.com/connection_v1alpha1.json b/k8s.mariadb.com/connection_v1alpha1.json index b9e6b886..ab792c10 100644 --- a/k8s.mariadb.com/connection_v1alpha1.json +++ b/k8s.mariadb.com/connection_v1alpha1.json @@ -77,7 +77,7 @@ "type": "object" }, "passwordSecretKeyRef": { - "description": "PasswordSecretKeyRef is a reference to the password to use for configuring the Connection.\nIf the referred Secret is labeled with \"k8s.mariadb.com/watch\", updates may be performed to the Secret in order to update the password.", + "description": "PasswordSecretKeyRef is a reference to the password to use for configuring the Connection.\nEither passwordSecretKeyRef or tlsClientCertSecretRef must be provided as client credentials.\nIf the referred Secret is labeled with \"k8s.mariadb.com/watch\", updates may be performed to the Secret in order to update the password.", "properties": { "key": { "type": "string" 
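Review bot: With `accessKeyIdSecretKeyRef` and `secretAccessKeySecretKeyRef` both dropped from `required` in the S3 object (backup_v1alpha1.json @@ -1108, and the identical change in mariadb_v1alpha1.json @@ -856), a manifest that sets only one of the two references now passes validation. The hunk does not show why the pair became optional; presumably credentials can come from somewhere other than a Secret, but that is an inference. If the operator expects the two fields to be set together or omitted together, each property description should say so, for example by appending `Must be provided together with secretAccessKeySecretKeyRef.` and the mirror sentence on the other field. The S3 object and both property definitions start outside the hunk, so their current descriptions are not visible here.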
@@ -163,13 +163,23 @@ "description": "ServiceName to be used in the Connection.", "type": "string" }, + "tlsClientCertSecretRef": { + "description": "TLSClientCertSecretRef is a reference to a Kubernetes TLS Secret used as authentication when checking the connection health.\nEither passwordSecretKeyRef or tlsClientCertSecretRef must be provided as client credentials.\nIf not provided, the client certificate provided by the referred MariaDB is used if TLS is enabled.\nIf the referred Secret is labeled with \"k8s.mariadb.com/watch\", updates may be performed to the Secret in order to update the client certificate.", + "properties": { + "name": { + "default": "", + "type": "string" + } + }, + "type": "object", + "additionalProperties": false + }, "username": { "description": "Username to use for configuring the Connection.", "type": "string" } }, "required": [ - "passwordSecretKeyRef", "username" ], "type": "object", diff --git a/k8s.mariadb.com/mariadb_v1alpha1.json b/k8s.mariadb.com/mariadb_v1alpha1.json index a2b6b079..eb8ef5f1 100644 --- a/k8s.mariadb.com/mariadb_v1alpha1.json +++ b/k8s.mariadb.com/mariadb_v1alpha1.json @@ -856,10 +856,8 @@ } }, "required": [ - "accessKeyIdSecretKeyRef", "bucket", - "endpoint", - "secretAccessKeySecretKeyRef" + "endpoint" ], "type": "object", "additionalProperties": false @@ -1684,6 +1682,30 @@ "format": "int32", "type": "integer" }, + "tcpSocket": { + "description": "Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.31/#tcpsocketaction-v1-core.", + "properties": { + "host": { + "type": "string" + }, + "port": { + "anyOf": [ + { + "type": "integer" + }, + { + "type": "string" + } + ], + "x-kubernetes-int-or-string": true + } + }, + "required": [ + "port" + ], + "type": "object", + "additionalProperties": false + }, "timeoutSeconds": { "format": "int32", "type": "integer" 
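Review bot: The new descriptions say that either passwordSecretKeyRef or tlsClientCertSecretRef must be provided, yet `required` in connection_v1alpha1.json @@ -163 is reduced to `username` and nothing in the object enforces the either/or, so a Connection with no client credentials validates. The tlsClientCertSecretRef description also says `If not provided, the client certificate provided by the referred MariaDB is used if TLS is enabled`, which contradicts "must be provided". If the either/or is the real contract, add `"anyOf": [{"required": ["passwordSecretKeyRef"]}, {"required": ["tlsClientCertSecretRef"]}]` beside `required`; if the fallback is the real contract, reword both descriptions to "may be provided". Note also that `name` defaults to `""`, so an empty `tlsClientCertSecretRef: {}` satisfies the schema. The enclosing spec object begins outside the hunk.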
@@ -1693,7 +1715,12 @@ "additionalProperties": false }, "port": { - "description": "Port where the agent will be listening for connections.", + "description": "Port where the agent will be listening for API connections.", + "format": "int32", + "type": "integer" + }, + "probePort": { + "description": "Port where the agent will be listening for probe connections.", "format": "int32", "type": "integer" }, @@ -1761,6 +1788,30 @@ "format": "int32", "type": "integer" }, + "tcpSocket": { + "description": "Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.31/#tcpsocketaction-v1-core.", + "properties": { + "host": { + "type": "string" + }, + "port": { + "anyOf": [ + { + "type": "integer" + }, + { + "type": "string" + } + ], + "x-kubernetes-int-or-string": true + } + }, + "required": [ + "port" + ], + "type": "object", + "additionalProperties": false + }, "timeoutSeconds": { "format": "int32", "type": "integer" 
@@ -1860,6 +1911,102 @@ "type": "object", "additionalProperties": false }, + "startupProbe": { + "description": "StartupProbe to be used in the Container.", + "properties": { + "exec": { + "description": "Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.31/#execaction-v1-core.", + "properties": { + "command": { + "items": { + "type": "string" + }, + "type": "array", + "x-kubernetes-list-type": "atomic" + } + }, + "type": "object", + "additionalProperties": false + }, + "failureThreshold": { + "format": "int32", + "type": "integer" + }, + "httpGet": { + "description": "Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.31/#httpgetaction-v1-core.", + "properties": { + "host": { + "type": "string" + }, + "path": { + "type": "string" + }, + "port": { + "anyOf": [ + { + "type": "integer" + }, + { + "type": "string" + } + ], + "x-kubernetes-int-or-string": true + }, + "scheme": { + "description": "URIScheme identifies the scheme used for connection to a host for Get actions", + "type": "string" + } + }, + "required": [ + "port" + ], + "type": "object", + "additionalProperties": false + }, + "initialDelaySeconds": { + "format": "int32", + "type": "integer" + }, + "periodSeconds": { + "format": "int32", + "type": "integer" + }, + "successThreshold": { + "format": "int32", + "type": "integer" + }, + "tcpSocket": { + "description": "Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.31/#tcpsocketaction-v1-core.", + "properties": { + "host": { + "type": "string" + }, + "port": { + "anyOf": [ + { + "type": "integer" + }, + { + "type": "string" + } + ], + "x-kubernetes-int-or-string": true + } + }, + "required": [ + "port" + ], + "type": "object", + "additionalProperties": false + }, + "timeoutSeconds": { + "format": "int32", + "type": "integer" + } + }, + "type": "object", + "additionalProperties": false + }, "volumeMounts": { "description": 
"VolumeMounts to be used in the Container.", "items": { @@ -2250,6 +2397,30 @@ "format": "int32", "type": "integer" }, + "tcpSocket": { + "description": "Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.31/#tcpsocketaction-v1-core.", + "properties": { + "host": { + "type": "string" + }, + "port": { + "anyOf": [ + { + "type": "integer" + }, + { + "type": "string" + } + ], + "x-kubernetes-int-or-string": true + } + }, + "required": [ + "port" + ], + "type": "object", + "additionalProperties": false + }, "timeoutSeconds": { "format": "int32", "type": "integer" @@ -2322,6 +2493,30 @@ "format": "int32", "type": "integer" }, + "tcpSocket": { + "description": "Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.31/#tcpsocketaction-v1-core.", + "properties": { + "host": { + "type": "string" + }, + "port": { + "anyOf": [ + { + "type": "integer" + }, + { + "type": "string" + } + ], + "x-kubernetes-int-or-string": true + } + }, + "required": [ + "port" + ], + "type": "object", + "additionalProperties": false + }, "timeoutSeconds": { "format": "int32", "type": "integer" 
@@ -2421,6 +2616,102 @@ "type": "object", "additionalProperties": false }, + "startupProbe": { + "description": "StartupProbe to be used in the Container.", + "properties": { + "exec": { + "description": "Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.31/#execaction-v1-core.", + "properties": { + "command": { + "items": { + "type": "string" + }, + "type": "array", + "x-kubernetes-list-type": "atomic" + } + }, + "type": "object", + "additionalProperties": false + }, + "failureThreshold": { + "format": "int32", + "type": "integer" + }, + "httpGet": { + "description": "Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.31/#httpgetaction-v1-core.", + "properties": { + "host": { + "type": "string" + }, + "path": { + "type": "string" + }, + "port": { + "anyOf": [ + { + "type": "integer" + }, + { + "type": "string" + } + ], + "x-kubernetes-int-or-string": true + }, + "scheme": { + "description": "URIScheme identifies the scheme used for connection to a host for Get actions", + "type": "string" + } + }, + "required": [ + "port" + ], + "type": "object", + "additionalProperties": false + }, + "initialDelaySeconds": { + "format": "int32", + "type": "integer" + }, + "periodSeconds": { + "format": "int32", + "type": "integer" + }, + "successThreshold": { + "format": "int32", + "type": "integer" + }, + "tcpSocket": { + "description": "Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.31/#tcpsocketaction-v1-core.", + "properties": { + "host": { + "type": "string" + }, + "port": { + "anyOf": [ + { + "type": "integer" + }, + { + "type": "string" + } + ], + "x-kubernetes-int-or-string": true + } + }, + "required": [ + "port" + ], + "type": "object", + "additionalProperties": false + }, + "timeoutSeconds": { + "format": "int32", + "type": "integer" + } + }, + "type": "object", + "additionalProperties": false + }, "volumeMounts": { "description": 
"VolumeMounts to be used in the Container.", "items": { @@ -2994,6 +3285,30 @@ "format": "int32", "type": "integer" }, + "tcpSocket": { + "description": "Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.31/#tcpsocketaction-v1-core.", + "properties": { + "host": { + "type": "string" + }, + "port": { + "anyOf": [ + { + "type": "integer" + }, + { + "type": "string" + } + ], + "x-kubernetes-int-or-string": true + } + }, + "required": [ + "port" + ], + "type": "object", + "additionalProperties": false + }, "timeoutSeconds": { "format": "int32", "type": "integer" 
@@ -4407,7 +4722,140 @@ "type": "object", "additionalProperties": false }, - "type": "array" + "type": "array" + }, + "tls": { + "description": "TLS defines the PKI to be used with MaxScale.", + "properties": { + "adminCASecretRef": { + "description": "AdminCASecretRef is a reference to a Secret containing the admin certificate authority keypair. It is used to establish trust and issue certificates for the MaxScale's administrative REST API and GUI.\nOne of:\n- Secret containing both the 'ca.crt' and 'ca.key' keys. This allows you to bring your own CA to Kubernetes to issue certificates.\n- Secret containing only the 'ca.crt' in order to establish trust. In this case, either adminCertSecretRef or adminCertIssuerRef fields must be provided.\nIf not provided, a self-signed CA will be provisioned to issue the server certificate.", + "properties": { + "name": { + "default": "", + "type": "string" + } + }, + "type": "object", + "additionalProperties": false + }, + "adminCertIssuerRef": { + "description": "AdminCertIssuerRef is a reference to a cert-manager issuer object used to issue the MaxScale's administrative REST API and GUI certificate. cert-manager must be installed previously in the cluster.\nIt is mutually exclusive with adminCertSecretRef.\nBy default, the Secret field 'ca.crt' provisioned by cert-manager will be added to the trust chain. 
A custom trust bundle may be specified via adminCASecretRef.", + "properties": { + "group": { + "description": "Group of the resource being referred to.", + "type": "string" + }, + "kind": { + "description": "Kind of the resource being referred to.", + "type": "string" + }, + "name": { + "description": "Name of the resource being referred to.", + "type": "string" + } + }, + "required": [ + "name" + ], + "type": "object", + "additionalProperties": false + }, + "adminCertSecretRef": { + "description": "AdminCertSecretRef is a reference to a TLS Secret used by the MaxScale's administrative REST API and GUI.", + "properties": { + "name": { + "default": "", + "type": "string" + } + }, + "type": "object", + "additionalProperties": false + }, + "enabled": { + "description": "Enabled indicates whether TLS is enabled, determining if certificates should be issued and mounted to the MaxScale instance.\nIt is enabled by default when the referred MariaDB instance (via mariaDbRef) has TLS enabled and enforced.", + "type": "boolean" + }, + "listenerCASecretRef": { + "description": "ListenerCASecretRef is a reference to a Secret containing the listener certificate authority keypair. It is used to establish trust and issue certificates for the MaxScale's listeners.\nOne of:\n- Secret containing both the 'ca.crt' and 'ca.key' keys. This allows you to bring your own CA to Kubernetes to issue certificates.\n- Secret containing only the 'ca.crt' in order to establish trust. In this case, either listenerCertSecretRef or listenerCertIssuerRef fields must be provided.\nIf not provided, a self-signed CA will be provisioned to issue the listener certificate.", + "properties": { + "name": { + "default": "", + "type": "string" + } + }, + "type": "object", + "additionalProperties": false + }, + "listenerCertIssuerRef": { + "description": "ListenerCertIssuerRef is a reference to a cert-manager issuer object used to issue the MaxScale's listeners certificate. 
cert-manager must be installed previously in the cluster.\nIt is mutually exclusive with listenerCertSecretRef.\nBy default, the Secret field 'ca.crt' provisioned by cert-manager will be added to the trust chain. A custom trust bundle may be specified via listenerCASecretRef.", + "properties": { + "group": { + "description": "Group of the resource being referred to.", + "type": "string" + }, + "kind": { + "description": "Kind of the resource being referred to.", + "type": "string" + }, + "name": { + "description": "Name of the resource being referred to.", + "type": "string" + } + }, + "required": [ + "name" + ], + "type": "object", + "additionalProperties": false + }, + "listenerCertSecretRef": { + "description": "ListenerCertSecretRef is a reference to a TLS Secret used by the MaxScale's listeners.", + "properties": { + "name": { + "default": "", + "type": "string" + } + }, + "type": "object", + "additionalProperties": false + }, + "replicationSSLEnabled": { + "description": "ReplicationSSLEnabled specifies whether the replication SSL is enabled. If enabled, the SSL options will be added to the server configuration.\nIt is enabled by default when the referred MariaDB instance (via mariaDbRef) has replication enabled.\nIf the MariaDB servers are manually provided by the user via the 'servers' field, this must be set by the user as well.", + "type": "boolean" + }, + "serverCASecretRef": { + "description": "ServerCASecretRef is a reference to a Secret containing the MariaDB server CA certificates. 
It is used to establish trust with MariaDB servers.\nThe Secret should contain a 'ca.crt' key in order to establish trust.\nIf not provided, and the reference to a MariaDB resource is set (mariaDbRef), it will be defaulted to the referred MariaDB CA bundle.", + "properties": { + "name": { + "default": "", + "type": "string" + } + }, + "type": "object", + "additionalProperties": false + }, + "serverCertSecretRef": { + "description": "ServerCertSecretRef is a reference to a TLS Secret used by MaxScale to connect to the MariaDB servers.\nIf not provided, and the reference to a MariaDB resource is set (mariaDbRef), it will be defaulted to the referred MariaDB client certificate (clientCertSecretRef).", + "properties": { + "name": { + "default": "", + "type": "string" + } + }, + "type": "object", + "additionalProperties": false + }, + "verifyPeerCertificate": { + "description": "VerifyPeerCertificate specifies whether the peer certificate's signature should be validated against the CA.\nIt is disabled by default.", + "type": "boolean" + }, + "verifyPeerHost": { + "description": "VerifyPeerHost specifies whether the peer certificate's SANs should match the peer host.\nIt is disabled by default.", + "type": "boolean" + } + }, + "type": "object", + "additionalProperties": false }, "updateStrategy": { "description": "UpdateStrategy defines the update strategy for the StatefulSet object.", @@ -5622,6 +6070,30 @@ "format": "int32", "type": "integer" }, + "tcpSocket": { + "description": "Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.31/#tcpsocketaction-v1-core.", + "properties": { + "host": { + "type": "string" + }, + "port": { + "anyOf": [ + { + "type": "integer" + }, + { + "type": "string" + } + ], + "x-kubernetes-int-or-string": true + } + }, + "required": [ + "port" + ], + "type": "object", + "additionalProperties": false + }, "timeoutSeconds": { "format": "int32", "type": "integer" 
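Review bot: In the MaxScale `tls` object added at mariadb_v1alpha1.json @@ -4407, `verifyPeerCertificate` and `verifyPeerHost` are both documented as disabled by default, so a configuration that only sets `enabled: true` gets encryption without validating the peer certificate against the CA or matching it to the host, as far as these descriptions show. The descriptions should state that consequence rather than only the default, for example by appending `When disabled, the connection is encrypted but the peer's identity is not verified.` to both. Neither boolean carries a `"default"` keyword, so the documented default lives only in prose; whether to record it in the schema depends on how the upstream CRD defaults these fields, which the hunk does not show. The `"type": "array"` removal and re-addition at the top of the hunk looks like a whitespace-only change.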
@@ -6290,6 +6762,102 @@ }, "type": "array" }, + "startupProbe": { + "description": "StartupProbe to be used in the Container.", + "properties": { + "exec": { + "description": "Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.31/#execaction-v1-core.", + "properties": { + "command": { + "items": { + "type": "string" + }, + "type": "array", + "x-kubernetes-list-type": "atomic" + } + }, + "type": "object", + "additionalProperties": false + }, + "failureThreshold": { + "format": "int32", + "type": "integer" + }, + "httpGet": { + "description": "Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.31/#httpgetaction-v1-core.", + "properties": { + "host": { + "type": "string" + }, + "path": { + "type": "string" + }, + "port": { + "anyOf": [ + { + "type": "integer" + }, + { + "type": "string" + } + ], + "x-kubernetes-int-or-string": true + }, + "scheme": { + "description": "URIScheme identifies the scheme used for connection to a host for Get actions", + "type": "string" + } + }, + "required": [ + "port" + ], + "type": "object", + "additionalProperties": false + }, + "initialDelaySeconds": { + "format": "int32", + "type": "integer" + }, + "periodSeconds": { + "format": "int32", + "type": "integer" + }, + "successThreshold": { + "format": "int32", + "type": "integer" + }, + "tcpSocket": { + "description": "Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.31/#tcpsocketaction-v1-core.", + "properties": { + "host": { + "type": "string" + }, + "port": { + "anyOf": [ + { + "type": "integer" + }, + { + "type": "string" + } + ], + "x-kubernetes-int-or-string": true + } + }, + "required": [ + "port" + ], + "type": "object", + "additionalProperties": false + }, + "timeoutSeconds": { + "format": "int32", + "type": "integer" + } + }, + "type": "object", + "additionalProperties": false + }, "storage": { "description": "Storage defines the storage options 
to be used for provisioning the PVCs mounted by MariaDB.", "properties": { 
@@ -6459,6 +7027,113 @@ "description": "TimeZone sets the default timezone. If not provided, it defaults to SYSTEM and the timezone data is not loaded.", "type": "string" }, + "tls": { + "description": "TLS defines the PKI to be used with MariaDB.", + "properties": { + "clientCASecretRef": { + "description": "ClientCASecretRef is a reference to a Secret containing the client certificate authority keypair. It is used to establish trust and issue client certificates.\nOne of:\n- Secret containing both the 'ca.crt' and 'ca.key' keys. This allows you to bring your own CA to Kubernetes to issue certificates.\n- Secret containing only the 'ca.crt' in order to establish trust. In this case, either clientCertSecretRef or clientCertIssuerRef fields must be provided.\nIf not provided, a self-signed CA will be provisioned to issue the client certificate.", + "properties": { + "name": { + "default": "", + "type": "string" + } + }, + "type": "object", + "additionalProperties": false + }, + "clientCertIssuerRef": { + "description": "ClientCertIssuerRef is a reference to a cert-manager issuer object used to issue the client certificate. cert-manager must be installed previously in the cluster.\nIt is mutually exclusive with clientCertSecretRef.\nBy default, the Secret field 'ca.crt' provisioned by cert-manager will be added to the trust chain. 
A custom trust bundle may be specified via clientCASecretRef.", + "properties": { + "group": { + "description": "Group of the resource being referred to.", + "type": "string" + }, + "kind": { + "description": "Kind of the resource being referred to.", + "type": "string" + }, + "name": { + "description": "Name of the resource being referred to.", + "type": "string" + } + }, + "required": [ + "name" + ], + "type": "object", + "additionalProperties": false + }, + "clientCertSecretRef": { + "description": "ClientCertSecretRef is a reference to a TLS Secret containing the client certificate.\nIt is mutually exclusive with clientCertIssuerRef.", + "properties": { + "name": { + "default": "", + "type": "string" + } + }, + "type": "object", + "additionalProperties": false + }, + "enabled": { + "description": "Enabled indicates whether TLS is enabled, determining if certificates should be issued and mounted to the MariaDB instance.\nIt is enabled by default.", + "type": "boolean" + }, + "galeraSSTEnabled": { + "description": "GaleraSSTEnabled determines whether Galera SST connections should use TLS.\nIt disabled by default.", + "type": "boolean" + }, + "required": { + "description": "Required specifies whether TLS must be enforced for all connections.\nUser TLS requirements take precedence over this.\nIt disabled by default.", + "type": "boolean" + }, + "serverCASecretRef": { + "description": "ServerCASecretRef is a reference to a Secret containing the server certificate authority keypair. It is used to establish trust and issue server certificates.\nOne of:\n- Secret containing both the 'ca.crt' and 'ca.key' keys. This allows you to bring your own CA to Kubernetes to issue certificates.\n- Secret containing only the 'ca.crt' in order to establish trust. 
In this case, either serverCertSecretRef or serverCertIssuerRef must be provided.\nIf not provided, a self-signed CA will be provisioned to issue the server certificate.", + "properties": { + "name": { + "default": "", + "type": "string" + } + }, + "type": "object", + "additionalProperties": false + }, + "serverCertIssuerRef": { + "description": "ServerCertIssuerRef is a reference to a cert-manager issuer object used to issue the server certificate. cert-manager must be installed previously in the cluster.\nIt is mutually exclusive with serverCertSecretRef.\nBy default, the Secret field 'ca.crt' provisioned by cert-manager will be added to the trust chain. A custom trust bundle may be specified via serverCASecretRef.", + "properties": { + "group": { + "description": "Group of the resource being referred to.", + "type": "string" + }, + "kind": { + "description": "Kind of the resource being referred to.", + "type": "string" + }, + "name": { + "description": "Name of the resource being referred to.", + "type": "string" + } + }, + "required": [ + "name" + ], + "type": "object", + "additionalProperties": false + }, + "serverCertSecretRef": { + "description": "ServerCertSecretRef is a reference to a TLS Secret containing the server certificate.\nIt is mutually exclusive with serverCertIssuerRef.", + "properties": { + "name": { + "default": "", + "type": "string" + } + }, + "type": "object", + "additionalProperties": false + } + }, + "type": "object", + "additionalProperties": false + }, "tolerations": { "description": "Tolerations to be used in the Pod.", "items": { 
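Review bot: In the MariaDB `tls` object added at mariadb_v1alpha1.json @@ -6459, the descriptions of `galeraSSTEnabled` and `required` read `It disabled by default.` and should read `It is disabled by default.` More importantly, `enabled` is documented as on by default while `required` is off by default, so certificates are issued and mounted but TLS is not enforced for all connections unless `required` is set. The `required` description should say that explicitly, for example `When false, connections without TLS are still accepted unless a per-user TLS requirement applies.`, hedged against what the operator actually does. The property name `required` also sits next to the JSON Schema keyword `required` used throughout the file; it is valid inside `properties`, but a word in the description distinguishing the two would help readers of the schema.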
@@ -6629,7 +7304,7 @@ "additionalProperties": false }, "username": { - "description": "Username is the initial username to be created by the operator once MariaDB is ready. It has all privileges on the initial database.\nThe initial User will have ALL PRIVILEGES in the initial Database.", + "description": "Username is the initial username to be created by the operator once MariaDB is ready.\nThe initial User will have ALL PRIVILEGES in the initial Database.", "type": "string" }, "volumeMounts": { @@ -6878,6 +7553,10 @@ "description": "CurrentPrimaryPodIndex is the primary Pod index.", "type": "integer" }, + "defaultVersion": { + "description": "DefaultVersion is the MariaDB version used by the operator when it cannot infer the version\nfrom spec.image. This can happen if the image uses a digest (e.g. sha256) instead\nof a version tag.", + "type": "string" + }, "galeraRecovery": { "description": "GaleraRecovery is the Galera recovery current state.", "properties": { 
@@ -6962,6 +7641,104 @@ }, "description": "ReplicationStatus is the replication current state for each Pod.", "type": "object" + }, + "tls": { + "description": "TLS aggregates the status of the certificates used by the MariaDB instance.", + "properties": { + "caBundle": { + "description": "CABundle is the status of the Certificate Authority bundle.", + "items": { + "description": "CertificateStatus represents the current status of a TLS certificate.", + "properties": { + "issuer": { + "description": "Issuer is the issuer of the current certificate.", + "type": "string" + }, + "notAfter": { + "description": "NotAfter indicates that the certificate is not valid after the given date.", + "format": "date-time", + "type": "string" + }, + "notBefore": { + "description": "NotBefore indicates that the certificate is not valid before the given date.", + "format": "date-time", + "type": "string" + }, + "subject": { + "description": "Subject is the subject of the current certificate.", + "type": "string" + } + }, + "required": [ + "issuer", + "subject" + ], + "type": "object", + "additionalProperties": false + }, + "type": "array" + }, + "clientCert": { + "description": "ClientCert is the status of the client certificate.", + "properties": { + "issuer": { + "description": "Issuer is the issuer of the current certificate.", + "type": "string" + }, + "notAfter": { + "description": "NotAfter indicates that the certificate is not valid after the given date.", + "format": "date-time", + "type": "string" + }, + "notBefore": { + "description": "NotBefore indicates that the certificate is not valid before the given date.", + "format": "date-time", + "type": "string" + }, + "subject": { + "description": "Subject is the subject of the current certificate.", + "type": "string" + } + }, + "required": [ + "issuer", + "subject" + ], + "type": "object", + "additionalProperties": false + }, + "serverCert": { + "description": "ServerCert is the status of the server certificate.", + 
"properties": { + "issuer": { + "description": "Issuer is the issuer of the current certificate.", + "type": "string" + }, + "notAfter": { + "description": "NotAfter indicates that the certificate is not valid after the given date.", + "format": "date-time", + "type": "string" + }, + "notBefore": { + "description": "NotBefore indicates that the certificate is not valid before the given date.", + "format": "date-time", + "type": "string" + }, + "subject": { + "description": "Subject is the subject of the current certificate.", + "type": "string" + } + }, + "required": [ + "issuer", + "subject" + ], + "type": "object", + "additionalProperties": false + } + }, + "type": "object", + "additionalProperties": false } }, "type": "object", diff --git a/k8s.mariadb.com/maxscale_v1alpha1.json b/k8s.mariadb.com/maxscale_v1alpha1.json index 9e50a8bf..d9d19fca 100644 --- a/k8s.mariadb.com/maxscale_v1alpha1.json +++ b/k8s.mariadb.com/maxscale_v1alpha1.json @@ -1170,6 +1170,30 @@ "format": "int32", "type": "integer" }, + "tcpSocket": { + "description": "Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.31/#tcpsocketaction-v1-core.", + "properties": { + "host": { + "type": "string" + }, + "port": { + "anyOf": [ + { + "type": "integer" + }, + { + "type": "string" + } + ], + "x-kubernetes-int-or-string": true + } + }, + "required": [ + "port" + ], + "type": "object", + "additionalProperties": false + }, "timeoutSeconds": { "format": "int32", "type": "integer" 
@@ -2098,6 +2122,30 @@ "format": "int32", "type": "integer" }, + "tcpSocket": { + "description": "Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.31/#tcpsocketaction-v1-core.", + "properties": { + "host": { + "type": "string" + }, + "port": { + "anyOf": [ + { + "type": "integer" + }, + { + "type": "string" + } + ], + "x-kubernetes-int-or-string": true + } + }, + "required": [ + "port" + ], + "type": "object", + "additionalProperties": false + }, "timeoutSeconds": { "format": "int32", "type": "integer" 
@@ -2329,11 +2377,240 @@ }, "type": "array" }, + "startupProbe": { + "description": "StartupProbe to be used in the Container.", + "properties": { + "exec": { + "description": "Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.31/#execaction-v1-core.", + "properties": { + "command": { + "items": { + "type": "string" + }, + "type": "array", + "x-kubernetes-list-type": "atomic" + } + }, + "type": "object", + "additionalProperties": false + }, + "failureThreshold": { + "format": "int32", + "type": "integer" + }, + "httpGet": { + "description": "Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.31/#httpgetaction-v1-core.", + "properties": { + "host": { + "type": "string" + }, + "path": { + "type": "string" + }, + "port": { + "anyOf": [ + { + "type": "integer" + }, + { + "type": "string" + } + ], + "x-kubernetes-int-or-string": true + }, + "scheme": { + "description": "URIScheme identifies the scheme used for connection to a host for Get actions", + "type": "string" + } + }, + "required": [ + "port" + ], + "type": "object", + "additionalProperties": false + }, + "initialDelaySeconds": { + "format": "int32", + "type": "integer" + }, + "periodSeconds": { + "format": "int32", + "type": "integer" + }, + "successThreshold": { + "format": "int32", + "type": "integer" + }, + "tcpSocket": { + "description": "Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.31/#tcpsocketaction-v1-core.", + "properties": { + "host": { + "type": "string" + }, + "port": { + "anyOf": [ + { + "type": "integer" + }, + { + "type": "string" + } + ], + "x-kubernetes-int-or-string": true + } + }, + "required": [ + "port" + ], + "type": "object", + "additionalProperties": false + }, + "timeoutSeconds": { + "format": "int32", + "type": "integer" + } + }, + "type": "object", + "additionalProperties": false + }, "suspend": { "default": false, "description": "Suspend indicates 
whether the current resource should be suspended or not.\nThis can be useful for maintenance, as disabling the reconciliation prevents the operator from interfering with user operations during maintenance activities.", "type": "boolean" }, + "tls": { + "description": "TLS defines the PKI to be used with MaxScale.", + "properties": { + "adminCASecretRef": { + "description": "AdminCASecretRef is a reference to a Secret containing the admin certificate authority keypair. It is used to establish trust and issue certificates for the MaxScale's administrative REST API and GUI.\nOne of:\n- Secret containing both the 'ca.crt' and 'ca.key' keys. This allows you to bring your own CA to Kubernetes to issue certificates.\n- Secret containing only the 'ca.crt' in order to establish trust. In this case, either adminCertSecretRef or adminCertIssuerRef fields must be provided.\nIf not provided, a self-signed CA will be provisioned to issue the server certificate.", + "properties": { + "name": { + "default": "", + "type": "string" + } + }, + "type": "object", + "additionalProperties": false + }, + "adminCertIssuerRef": { + "description": "AdminCertIssuerRef is a reference to a cert-manager issuer object used to issue the MaxScale's administrative REST API and GUI certificate. cert-manager must be installed previously in the cluster.\nIt is mutually exclusive with adminCertSecretRef.\nBy default, the Secret field 'ca.crt' provisioned by cert-manager will be added to the trust chain. 
A custom trust bundle may be specified via adminCASecretRef.", + "properties": { + "group": { + "description": "Group of the resource being referred to.", + "type": "string" + }, + "kind": { + "description": "Kind of the resource being referred to.", + "type": "string" + }, + "name": { + "description": "Name of the resource being referred to.", + "type": "string" + } + }, + "required": [ + "name" + ], + "type": "object", + "additionalProperties": false + }, + "adminCertSecretRef": { + "description": "AdminCertSecretRef is a reference to a TLS Secret used by the MaxScale's administrative REST API and GUI.", + "properties": { + "name": { + "default": "", + "type": "string" + } + }, + "type": "object", + "additionalProperties": false + }, + "enabled": { + "description": "Enabled indicates whether TLS is enabled, determining if certificates should be issued and mounted to the MaxScale instance.\nIt is enabled by default when the referred MariaDB instance (via mariaDbRef) has TLS enabled and enforced.", + "type": "boolean" + }, + "listenerCASecretRef": { + "description": "ListenerCASecretRef is a reference to a Secret containing the listener certificate authority keypair. It is used to establish trust and issue certificates for the MaxScale's listeners.\nOne of:\n- Secret containing both the 'ca.crt' and 'ca.key' keys. This allows you to bring your own CA to Kubernetes to issue certificates.\n- Secret containing only the 'ca.crt' in order to establish trust. In this case, either listenerCertSecretRef or listenerCertIssuerRef fields must be provided.\nIf not provided, a self-signed CA will be provisioned to issue the listener certificate.", + "properties": { + "name": { + "default": "", + "type": "string" + } + }, + "type": "object", + "additionalProperties": false + }, + "listenerCertIssuerRef": { + "description": "ListenerCertIssuerRef is a reference to a cert-manager issuer object used to issue the MaxScale's listeners certificate. 
cert-manager must be installed previously in the cluster.\nIt is mutually exclusive with listenerCertSecretRef.\nBy default, the Secret field 'ca.crt' provisioned by cert-manager will be added to the trust chain. A custom trust bundle may be specified via listenerCASecretRef.", + "properties": { + "group": { + "description": "Group of the resource being referred to.", + "type": "string" + }, + "kind": { + "description": "Kind of the resource being referred to.", + "type": "string" + }, + "name": { + "description": "Name of the resource being referred to.", + "type": "string" + } + }, + "required": [ + "name" + ], + "type": "object", + "additionalProperties": false + }, + "listenerCertSecretRef": { + "description": "ListenerCertSecretRef is a reference to a TLS Secret used by the MaxScale's listeners.", + "properties": { + "name": { + "default": "", + "type": "string" + } + }, + "type": "object", + "additionalProperties": false + }, + "replicationSSLEnabled": { + "description": "ReplicationSSLEnabled specifies whether the replication SSL is enabled. If enabled, the SSL options will be added to the server configuration.\nIt is enabled by default when the referred MariaDB instance (via mariaDbRef) has replication enabled.\nIf the MariaDB servers are manually provided by the user via the 'servers' field, this must be set by the user as well.", + "type": "boolean" + }, + "serverCASecretRef": { + "description": "ServerCASecretRef is a reference to a Secret containing the MariaDB server CA certificates. 
It is used to establish trust with MariaDB servers.\nThe Secret should contain a 'ca.crt' key in order to establish trust.\nIf not provided, and the reference to a MariaDB resource is set (mariaDbRef), it will be defaulted to the referred MariaDB CA bundle.", + "properties": { + "name": { + "default": "", + "type": "string" + } + }, + "type": "object", + "additionalProperties": false + }, + "serverCertSecretRef": { + "description": "ServerCertSecretRef is a reference to a TLS Secret used by MaxScale to connect to the MariaDB servers.\nIf not provided, and the reference to a MariaDB resource is set (mariaDbRef), it will be defaulted to the referred MariaDB client certificate (clientCertSecretRef).", + "properties": { + "name": { + "default": "", + "type": "string" + } + }, + "type": "object", + "additionalProperties": false + }, + "verifyPeerCertificate": { + "description": "VerifyPeerCertificate specifies whether the peer certificate's signature should be validated against the CA.\nIt is disabled by default.", + "type": "boolean" + }, + "verifyPeerHost": { + "description": "VerifyPeerHost specifies whether the peer certificate's SANs should match the peer host.\nIt is disabled by default.", + "type": "boolean" + } + }, + "type": "object", + "additionalProperties": false + }, "tolerations": { "description": "Tolerations to be used in the Pod.", "items": { 
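Review bot: The descriptions of `verifyPeerCertificate` and `verifyPeerHost` in the new `tls` object say only "It is disabled by default" and leave out what that means for a deployment. Going by the descriptions themselves, with both off the peer certificate's signature is not validated against the CA and its SANs are not matched against the host, so TLS would encrypt the connection without authenticating the peer. I would append one sentence to each description, for example `When disabled, the peer certificate is not validated, so TLS provides encryption without peer authentication.` and `When disabled, a certificate issued for a different host is accepted.` Unlike `suspend` in the same hunk, neither field carries a `"default"` keyword, so the stated default exists only in prose. If this schema is generated from the operator's CRD, the wording belongs in the upstream type comment, and the enclosing properties object starts and ends outside the hunk.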
@@ -2688,6 +2965,133 @@ "additionalProperties": false }, "type": "array" + }, + "tls": { + "description": "TLS aggregates the status of the certificates used by the MaxScale instance.", + "properties": { + "adminCert": { + "description": "AdminCert is the status of the admin certificate.", + "properties": { + "issuer": { + "description": "Issuer is the issuer of the current certificate.", + "type": "string" + }, + "notAfter": { + "description": "NotAfter indicates that the certificate is not valid after the given date.", + "format": "date-time", + "type": "string" + }, + "notBefore": { + "description": "NotBefore indicates that the certificate is not valid before the given date.", + "format": "date-time", + "type": "string" + }, + "subject": { + "description": "Subject is the subject of the current certificate.", + "type": "string" + } + }, + "required": [ + "issuer", + "subject" + ], + "type": "object", + "additionalProperties": false + }, + "caBundle": { + "description": "CABundle is the status of the Certificate Authority bundle.", + "items": { + "description": "CertificateStatus represents the current status of a TLS certificate.", + "properties": { + "issuer": { + "description": "Issuer is the issuer of the current certificate.", + "type": "string" + }, + "notAfter": { + "description": "NotAfter indicates that the certificate is not valid after the given date.", + "format": "date-time", + "type": "string" + }, + "notBefore": { + "description": "NotBefore indicates that the certificate is not valid before the given date.", + "format": "date-time", + "type": "string" + }, + "subject": { + "description": "Subject is the subject of the current certificate.", + "type": "string" + } + }, + "required": [ + "issuer", + "subject" + ], + "type": "object", + "additionalProperties": false + }, + "type": "array" + }, + "listenerCert": { + "description": "ListenerCert is the status of the listener certificate.", + "properties": { + "issuer": { + "description": "Issuer is 
the issuer of the current certificate.", + "type": "string" + }, + "notAfter": { + "description": "NotAfter indicates that the certificate is not valid after the given date.", + "format": "date-time", + "type": "string" + }, + "notBefore": { + "description": "NotBefore indicates that the certificate is not valid before the given date.", + "format": "date-time", + "type": "string" + }, + "subject": { + "description": "Subject is the subject of the current certificate.", + "type": "string" + } + }, + "required": [ + "issuer", + "subject" + ], + "type": "object", + "additionalProperties": false + }, + "serverCert": { + "description": "ServerCert is the status of the MariaDB server certificate.", + "properties": { + "issuer": { + "description": "Issuer is the issuer of the current certificate.", + "type": "string" + }, + "notAfter": { + "description": "NotAfter indicates that the certificate is not valid after the given date.", + "format": "date-time", + "type": "string" + }, + "notBefore": { + "description": "NotBefore indicates that the certificate is not valid before the given date.", + "format": "date-time", + "type": "string" + }, + "subject": { + "description": "Subject is the subject of the current certificate.", + "type": "string" + } + }, + "required": [ + "issuer", + "subject" + ], + "type": "object", + "additionalProperties": false + } + }, + "type": "object", + "additionalProperties": false } }, "type": "object", diff --git a/k8s.mariadb.com/restore_v1alpha1.json b/k8s.mariadb.com/restore_v1alpha1.json index 17691b39..3460c4c0 100644 --- a/k8s.mariadb.com/restore_v1alpha1.json +++ b/k8s.mariadb.com/restore_v1alpha1.json @@ -701,10 +701,8 @@ } }, "required": [ - "accessKeyIdSecretKeyRef", "bucket", - "endpoint", - "secretAccessKeySecretKeyRef" + "endpoint" ], "type": "object", "additionalProperties": false diff --git a/k8s.mariadb.com/sqljob_v1alpha1.json b/k8s.mariadb.com/sqljob_v1alpha1.json index 024790f7..45c66229 100644 
--- a/k8s.mariadb.com/sqljob_v1alpha1.json +++ b/k8s.mariadb.com/sqljob_v1alpha1.json @@ -727,6 +727,28 @@ "description": "TimeZone defines the timezone associated with the cron expression.", "type": "string" }, + "tlsCASecretRef": { + "description": "TLSCACertSecretRef is a reference toa CA Secret used to establish trust when executing the SqlJob.\nIf not provided, the CA bundle provided by the referred MariaDB is used.", + "properties": { + "name": { + "default": "", + "type": "string" + } + }, + "type": "object", + "additionalProperties": false + }, + "tlsClientCertSecretRef": { + "description": "TLSClientCertSecretRef is a reference to a Kubernetes TLS Secret used as authentication when executing the SqlJob.\nIf not provided, the client certificate provided by the referred MariaDB is used.", + "properties": { + "name": { + "default": "", + "type": "string" + } + }, + "type": "object", + "additionalProperties": false + }, "tolerations": { "description": "Tolerations to be used in the Pod.", "items": { diff --git a/k8s.mariadb.com/user_v1alpha1.json b/k8s.mariadb.com/user_v1alpha1.json index 5c401f9e..48e617a0 100644 --- a/k8s.mariadb.com/user_v1alpha1.json +++ b/k8s.mariadb.com/user_v1alpha1.json 
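Review bot: The description of the new `tlsCASecretRef` property in the sqljob hunk calls the field `TLSCACertSecretRef`, which does not match the key, and contains the typo `toa`. If the enclosing object is closed with `"additionalProperties": false` like the objects visible here, a manifest that takes the name from the description would fail validation, and the job would presumably fall back to the referred MariaDB CA bundle once the unknown key is removed rather than corrected. The first sentence should read `TLSCASecretRef is a reference to a CA Secret used to establish trust when executing the SqlJob.` If the file is generated, the fix belongs in the upstream type comment; the enclosing properties object starts and ends outside the hunk.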
@@ -140,6 +140,29 @@ "description": "RequeueInterval is used to perform requeue reconciliations.", "type": "string" }, + "require": { + "description": "Require specifies TLS requirements for the user to connect. See: https://mariadb.com/kb/en/securing-connections-for-client-and-server/#requiring-tls.", + "properties": { + "issuer": { + "description": "Issuer indicates that the TLS certificate provided by the user must be issued by a specific issuer.", + "type": "string" + }, + "ssl": { + "description": "SSL indicates that the user must connect via TLS.", + "type": "boolean" + }, + "subject": { + "description": "Subject indicates that the TLS certificate provided by the user must have a specific subject.", + "type": "string" + }, + "x509": { + "description": "X509 indicates that the user must provide a valid x509 certificate to connect.", + "type": "boolean" + } + }, + "type": "object", + "additionalProperties": false + }, "retryInterval": { "description": "RetryInterval is the interval used to perform retries.", "type": "string"