[mariadb] run sidecars as a native sidecars

* Add an option to run all sidecar containers as a native sidecar.

This option is enabled by default.

Example configuration values:
```yaml
global:
  mariadb:
    native_sidecar:
      enabled: true
```

Author: s10

common/mariadb/CHANGELOG.md

@@ -1,5 +1,18 @@
 # Changelog
 
+## v0.29.0 - 2025/10/28
+* Add an option to run all sidecar containers as a native sidecar.
+
+This option is enabled by default.
+
+Example configuration values:
+```yaml
+global:
+  mariadb:
+    native_sidecar:
+      enabled: true
+```
+
 ## v0.28.1 - 2025/10/27
 * mysqld-exporter now collects data from mysql.user table
 

common/mariadb/Chart.yaml

@@ -2,7 +2,7 @@
 apiVersion: v2
 description: A Helm chart for Kubernetes
 name: mariadb
-version: 0.28.1
+version: 0.29.0
 # scripts/docker-entyrpoint.sh should be updated when appVersion is updated
 appVersion: 10.11.14
 dependencies:

common/mariadb/templates/_helpers.tpl

@@ -137,9 +137,9 @@ helm.sh/chart: {{ $.Chart.Name }}-{{ $.Chart.Version | replace "+" "_" }}
 Default pod labels for linkerd
 */}}
 {{- define "mariadb.linkerdPodAnnotations" }}
-  {{- if and (and $.Values.global.linkerd_enabled $.Values.global.linkerd_requested) $.Values.linkerd.mariadb.enabled }}
+  {{- if and (and $.Values.global.linkerd_enabled $.Values.global.linkerd_requested) }}
 linkerd.io/inject: enabled
-    {{- if $.Values.global.linkerd_use_native_sidecar }}
+    {{- if or $.Values.global.linkerd_use_native_sidecar $.Values.global.mariadb.native_sidecar.enabled }}
 config.alpha.linkerd.io/proxy-enable-native-sidecar: "true"
     {{- end }}
   {{- end }}

common/mariadb/templates/backup-v2-deployment.yaml

@@ -28,8 +28,8 @@ spec:
         prometheus.io/scrape: "true"
         prometheus.io/targets: {{ required ".Values.alerts.prometheus missing" .Values.alerts.prometheus | quote }}
 {{- end }}
-{{- if and (and $.Values.global.linkerd_enabled $.Values.global.linkerd_requested) $.Values.linkerd.backup.enabled }}
-        linkerd.io/inject: enabled
+{{- if $.Values.linkerd.backup.enabled }}
+        {{- include "mariadb.linkerdPodAnnotations" . | indent 8 }}
 {{- end }}
     spec:
       affinity:

common/mariadb/templates/backup-verify-deploy.yaml

@@ -26,8 +26,8 @@ spec:
         prometheus.io/port: "8082"
         prometheus.io/targets: {{ required ".Values.alerts.prometheus missing" .Values.alerts.prometheus | quote }}
 {{- end }}
-{{- if and (and $.Values.global.linkerd_enabled $.Values.global.linkerd_requested) $.Values.linkerd.backup.enabled }}
-        linkerd.io/inject: enabled
+{{- if $.Values.linkerd.backup.enabled }}
+        {{- include "mariadb.linkerdPodAnnotations" . | indent 8 }}
 {{- end }}
     spec:
       serviceAccountName: {{ .Values.name }}-db-backup-v2

common/mariadb/templates/cronjob-mariadb-maintenance.yaml

@@ -22,10 +22,10 @@ spec:
             {{- include "mariadb.labels" (list $ "version" "mariadb" "cronjob" "maintenance") | indent 12 }}
           annotations:
             kubectl.kubernetes.io/default-container: maintenance
-            {{- if and (and $.Values.global.linkerd_enabled $.Values.global.linkerd_requested) $.Values.linkerd.mariadb.enabled }}
-            linkerd.io/inject: enabled
-            {{- end }}
             checksum/configmap: {{ include (print $.Template.BasePath "/configmap-mariadb-maintenance.yaml") $ | sha256sum }}
+{{- if $.Values.linkerd.cronjob.enabled }}
+            {{- include "mariadb.linkerdPodAnnotations" . | indent 12 }}
+{{- end }}
         spec:
           restartPolicy: {{ $.Values.job.maintenance.jobRestartPolicy | default "OnFailure" | quote }}
           securityContext:

common/mariadb/templates/deployment.yaml

@@ -30,8 +30,8 @@ spec:
         prometheus.io/scrape: "true"
         prometheus.io/targets: {{ required ".Values.alerts.prometheus missing" .Values.alerts.prometheus | quote }}
 {{- end }}
-{{- if and (and $.Values.global.linkerd_enabled $.Values.global.linkerd_requested) $.Values.linkerd.mariadb.enabled }}
-        linkerd.io/inject: enabled
+{{- if $.Values.linkerd.mariadb.enabled }}
+        {{- include "mariadb.linkerdPodAnnotations" . | indent 8 }}
 {{- end }}
     spec:
       affinity:
@@ -72,70 +72,14 @@ spec:
             readOnly: true
           - name: init-file-root-sql
             mountPath: /etc/mysql/init-file
+{{- if .Values.global.mariadb.native_sidecar.enabled }}
+{{- else }}
       containers:
-      - name: mariadb
-        image: {{ required ".Values.global.dockerHubMirrorAlternateRegion is missing" .Values.global.dockerHubMirrorAlternateRegion }}/{{ .Values.image }}
-        imagePullPolicy: {{ default "IfNotPresent" .Values.imagePullPolicy | quote }}
-        lifecycle:
-          postStart:
-            exec:
-              command: ["sh", "-c", "while ! mariadb-admin ping --silent; do sleep 1; done; mariadb-upgrade"]
-        env:
-        - name: MYSQL_ROOT_PASSWORD
-          valueFrom:
-            secretKeyRef:
-              name: mariadb-{{.Values.name}}
-              key: root-password
-        ports:
-          - name: mariadb
-            containerPort: 3306
-        {{- if .Values.livenessProbe.enabled }}
-        livenessProbe:
-          exec:
-            command: ["sh", "-c", "exec mariadb-admin status"]
-          initialDelaySeconds: {{ .Values.livenessProbe.initialDelaySeconds }}
-          periodSeconds: {{ .Values.livenessProbe.periodSeconds }}
-          timeoutSeconds: {{ .Values.livenessProbe.timeoutSeconds }}
-          successThreshold: {{ .Values.livenessProbe.successThreshold }}
-          failureThreshold: {{ .Values.livenessProbe.failureThreshold }}
-        {{- end }}
-        {{- if .Values.readinessProbe.enabled }}
-        readinessProbe:
-          exec:
-            command: ["sh", "-c", "exec mariadb-admin status"]
-          initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds }}
-          periodSeconds: {{ .Values.readinessProbe.periodSeconds }}
-          timeoutSeconds: {{ .Values.readinessProbe.timeoutSeconds }}
-          successThreshold: {{ .Values.readinessProbe.successThreshold }}
-          failureThreshold: {{ .Values.readinessProbe.failureThreshold }}
-        {{- end }}
-        resources:
-{{ toYaml (required "missing .resources" .Values.resources) | indent 10 }}
-        volumeMounts:
-          - name: mariadb-socket
-            mountPath: /run/mysqld
-{{- if .Values.persistence_claim.enabled }}
-          - name: mariadb-persistent-storage
-            mountPath: /var/lib/mysql
-            readOnly: false
 {{- end }}
-          - mountPath: /usr/local/bin/docker-entrypoint.sh
-            subPath: docker-entrypoint.sh
-            name: mariadb-entrypoint
-            readOnly: true
-          - mountPath: /etc/mysql/mariadb.conf.d/
-            name: mariadb-etc
-          - mountPath: /root/.my.cnf
-            subPath: ".my.cnf"
-            name: mariadb-client
-          - name: initdb
-            mountPath: /docker-entrypoint-initdb.d
-          - name: mysql-users-secret-file
-            mountPath: /etc/mysql/mysql-users-secret
-            readOnly: true
-          - name: init-file-root-sql
-            mountPath: /etc/mysql/init-file
       - name: user-credential-updater
+{{- if .Values.global.mariadb.native_sidecar.enabled }}
+        restartPolicy: Always
+{{- end }}
         image: "{{ required ".Values.global.registryAlternateRegion is missing" .Values.global.registryAlternateRegion }}/{{ .Values.credentialUpdater.image }}:{{ .Values.credentialUpdater.imageTag }}"
         imagePullPolicy: {{ default "IfNotPresent" .Values.imagePullPolicy | quote }}
         securityContext:
@@ -168,6 +112,9 @@ spec:
             name: initdb
 {{- if or .Values.backup_v2.enabled .Values.readiness.useSidecar }}
       - name: readiness
+{{- if .Values.global.mariadb.native_sidecar.enabled }}
+        restartPolicy: Always
+{{- end }}
         image: "{{ required ".Values.global.registryAlternateRegion is missing" .Values.global.registryAlternateRegion }}/{{ .Values.readiness.image }}:{{ .Values.readiness.image_version }}"
         command:
           - pod_readiness
@@ -187,6 +134,9 @@ spec:
 {{- end }}
 {{- if .Values.metrics.enabled }}
       - name: metrics
+{{- if .Values.global.mariadb.native_sidecar.enabled }}
+        restartPolicy: Always
+{{- end }}
         image: "{{ required ".Values.global.dockerHubMirrorAlternateRegion is missing" .Values.global.dockerHubMirrorAlternateRegion }}/{{ .Values.metrics.image }}:{{ .Values.metrics.image_version }}"
         imagePullPolicy: {{ default "IfNotPresent" .Values.imagePullPolicy | quote }}
         args:
@@ -225,6 +175,71 @@ spec:
             memory: {{ .Values.metrics.resources.requests.memory | quote }}
         {{- end }}
 {{- end }}
+{{- if .Values.global.mariadb.native_sidecar.enabled }}
+      containers:
+{{- end }}
+      - name: mariadb
+        image: {{ required ".Values.global.dockerHubMirrorAlternateRegion is missing" .Values.global.dockerHubMirrorAlternateRegion }}/{{ .Values.image }}
+        imagePullPolicy: {{ default "IfNotPresent" .Values.imagePullPolicy | quote }}
+        lifecycle:
+          postStart:
+            exec:
+              command: ["sh", "-c", "while ! mariadb-admin ping --silent; do sleep 1; done; mariadb-upgrade"]
+        env:
+        - name: MYSQL_ROOT_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: mariadb-{{.Values.name}}
+              key: root-password
+        ports:
+          - name: mariadb
+            containerPort: 3306
+        {{- if .Values.livenessProbe.enabled }}
+        livenessProbe:
+          exec:
+            command: ["sh", "-c", "exec mariadb-admin status"]
+          initialDelaySeconds: {{ .Values.livenessProbe.initialDelaySeconds }}
+          periodSeconds: {{ .Values.livenessProbe.periodSeconds }}
+          timeoutSeconds: {{ .Values.livenessProbe.timeoutSeconds }}
+          successThreshold: {{ .Values.livenessProbe.successThreshold }}
+          failureThreshold: {{ .Values.livenessProbe.failureThreshold }}
+        {{- end }}
+        {{- if .Values.readinessProbe.enabled }}
+        readinessProbe:
+          exec:
+            command: ["sh", "-c", "exec mariadb-admin status"]
+          initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds }}
+          periodSeconds: {{ .Values.readinessProbe.periodSeconds }}
+          timeoutSeconds: {{ .Values.readinessProbe.timeoutSeconds }}
+          successThreshold: {{ .Values.readinessProbe.successThreshold }}
+          failureThreshold: {{ .Values.readinessProbe.failureThreshold }}
+        {{- end }}
+        resources:
+{{ toYaml (required "missing .resources" .Values.resources) | indent 10 }}
+        volumeMounts:
+          - name: mariadb-socket
+            mountPath: /run/mysqld
+{{- if .Values.persistence_claim.enabled }}
+          - name: mariadb-persistent-storage
+            mountPath: /var/lib/mysql
+            readOnly: false
+{{- end }}
+          - mountPath: /usr/local/bin/docker-entrypoint.sh
+            subPath: docker-entrypoint.sh
+            name: mariadb-entrypoint
+            readOnly: true
+          - mountPath: /etc/mysql/mariadb.conf.d/
+            name: mariadb-etc
+          - mountPath: /root/.my.cnf
+            subPath: ".my.cnf"
+            name: mariadb-client
+          - name: initdb
+            mountPath: /docker-entrypoint-initdb.d
+          - name: mysql-users-secret-file
+            mountPath: /etc/mysql/mysql-users-secret
+            readOnly: true
+          - name: init-file-root-sql
+            mountPath: /etc/mysql/init-file
       priorityClassName: {{ .Values.priority_class | default "critical-infrastructure" | quote }}
       volumes:
         - name: mariadb-socket

common/mariadb/templates/rename-check-constraints-job.yaml

@@ -22,9 +22,8 @@ spec:
 {{- include "mariadb.labels" (list $ "version" "mariadb" "job" "rename-check-constraints") | indent 8 }}
       annotations:
         kubectl.kubernetes.io/default-container: rename-check-constraints
-{{- if and (and $.Values.global.linkerd_enabled $.Values.global.linkerd_requested) $.Values.linkerd.mariadb.enabled }}
-        linkerd.io/inject: enabled
-        config.alpha.linkerd.io/proxy-enable-native-sidecar: "true"
+{{- if $.Values.linkerd.mariadb.enabled }}
+        {{- include "mariadb.linkerdPodAnnotations" . | indent 8 }}
 {{- end }}
     spec:
       restartPolicy: {{ .Values.job.renameCheckConstraints.jobRestartPolicy | default "Never" | quote }}

common/mariadb/templates/sync-statefulset.yaml

@@ -22,7 +22,9 @@ spec:
         app.kubernetes.io/instance: {{ include "fullName" . }}-sync
       annotations:
         kubectl.kubernetes.io/default-container: "sync"
+{{- if $.Values.linkerd.sync.enabled }}
         {{- include "mariadb.linkerdPodAnnotations" . | indent 8 }}
+{{- end }}
     spec:
       affinity:
         nodeAffinity:

common/mariadb/values.yaml

@@ -1,7 +1,12 @@
+---
 # Default values for mariadb.
 # This is a YAML-formatted file.
 # Declare name/value pairs to be passed into your templates.
 # name: value
+global:
+  mariadb:
+    native_sidecar:
+      enabled: true
 
 name: null
 image: library/mariadb:10.11.14
@@ -289,12 +294,17 @@ vpa:
   set_main_container: false
 linkerd:
   mariadb:
-    #linkerd annotation for the MariaDB pod (true/false)
+    # linkerd annotation for the MariaDB pod (true/false)
     enabled: true
   backup:
-    #linkerd annotation for the backup pod (true/false)
+    # linkerd annotation for the backup pod (true/false)
+    enabled: true
+  cronjob:
+    # linkerd annotation for the cronjob pods (true/false)
+    enabled: true
+  sync:
+    # linkerd annotation for the go-maria-sync pod (true/false)
     enabled: true
-global: {}
 
 tcp_keepalive:
   # Timeout, in seconds, with no activity until the first TCP keep-alive packet is sent. If set to 0, a system dependent default is used https://mariadb.com/kb/en/server-system-variables/#tcp_keepalive_time