mariadb-operator 25.10.3 is here! 🦭

The focus of this release has been improving our backup and restore capabilities, along with various bug fixes and enhancements.

We are also announcing support for Kubernetes 1.35 and our roadmap for upcoming releases.

PhysicalBackup target policy

You are now able to define a target for PhysicalBackup resources, allowing you to control in which Pod the backups will be scheduled:

apiVersion: k8s.mariadb.com/v1alpha1
kind: PhysicalBackup
metadata:
  name: physicalbackup
spec:
  mariaDbRef:
    name: mariadb
  target: Replica

By default, the Replica policy is used, meaning that backups will only be scheduled on ready replicas. Alternatively, you can use the PreferReplica policy to schedule backups on replicas when available, or fall back to the primary if no replicas are available.

This is particularly useful in scenarios where you have a limited number of replicas, for instance, a primary-replica topology (single primary, single replica). By using the PreferReplica policy in this scenario, not only you ensure that backups are taken even if there are no available replicas, but also enables replica recovery operations, as they rely on PhysicalBackup resources successfully completing:

apiVersion: k8s.mariadb.com/v1alpha1
kind: MariaDB
metadata:
  name: mariadb-repl
spec:
  rootPasswordSecretKeyRef:
    name: mariadb
    key: root-password
  storage:
    size: 10Gi
  replicas: 2
  replication:
    enabled: true
    replica:
      bootstrapFrom:
        physicalBackupTemplateRef:
          name: physicalbackup-tpl
      recovery:
        enabled: true
---
apiVersion: k8s.mariadb.com/v1alpha1
kind: PhysicalBackup
metadata:
  name: physicalbackup-tpl
spec:
  mariaDbRef:
    name: mariadb-repl
    waitForIt: false
  schedule:
    suspend: true
  target: PreferReplica
  storage:
    s3:
      bucket: physicalbackups
      prefix: mariadb
      endpoint: minio.minio.svc.cluster.local:9000
      region:  us-east-1
      accessKeyIdSecretKeyRef:
        name: minio
        key: access-key-id
      secretAccessKeySecretKeyRef:
        name: minio
        key: secret-access-key
      tls:
        enabled: true
        caSecretKeyRef:
          name: minio-ca
          key: ca.crt

In the example above, a MariaDB primary-replica cluster is defined with the ability to recover and rebuild the replica from a PhysicalBackup taken on the primary, thanks to the PreferReplica target policy.

For additional details, please refer to the PhysicalBackup documentation and the replica recovery section.

Backup encryption

Logical and physical backups i.e. Backup and PhysicalBackup resources have gained support for encrypting backups on the server-side when using S3 storage. For doing so, you need to generate an encryption key and configure the backup resource to use it:

apiVersion: v1
kind: Secret
type: Opaque
metadata:
  name: ssec-key
stringData:
  # 32-byte key encoded in base64 (use: openssl rand -base64 32)
  customer-key: YWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXoxMjM0NTY=
---
apiVersion: k8s.mariadb.com/v1alpha1
kind: PhysicalBackup
metadata:
  name: physicalbackup
spec:
  mariaDbRef:
    name: mariadb
  storage:
    s3:
      bucket: physicalbackups
      endpoint: minio.minio.svc.cluster.local:9000
      accessKeyIdSecretKeyRef:
        name: minio
        key: access-key-id
      secretAccessKeySecretKeyRef:
        name: minio
        key: secret-access-key
      tls:
        enabled: true
        caSecretKeyRef:
          name: minio-ca
          key: ca.crt
      ssec:
        customerKeySecretKeyRef:
          name: ssec-key
          key: customer-key

In order to boostrap a new instance from an encrypted backup, you need to provide the same encryption key in the MariaDB bootstrapFrom section.

Kudos to @xavierleune for this initiative and the PR contributing this feature! 🎉

Deprecating embedded MaxScale

To improve maintainability, minimize complexity and reduce the size of the CRD bundle (getting close to the 1MB hard limit), we are deprecating the MaxScale embedded definition inside the MariaDB CR in favor of deploying MaxScale as a separate CR.

To make the transition easier, we are providing you with this migration script. Refer to the MaxScale documentation for additional details.

Roadmap

We are very excited to share the roadmap for the upcoming releases:

• Point In Time Recovery (PITR): You have been requesting this for a while, and it is completely aligned with our roadmap. We are actively working on this and we expect to release it on early 2026.
• Multi-cluster topology: We are working on a new highly available topology that will allow you to setup replication between 2 different MariaDB clusters, allowing you to perform promotion and demotion of the clusters declaratively.

Community

Contributions of any kind are always welcome: adding yourself to the list of adopters, reporting issues, submitting pull requests, or simply starring the project! 🌟

Enterprise

For enterprise users, see the MariaDB Enterprise Operator, a commercially supported Kubernetes operator from MariaDB with additional enterprise-grade features.

What's Changed

• Fix extraArgs values in mariadb-operator chart by @hedgieinsocks in https://github.com/mariadb-operator/mariadb-operator/pull/1522
• Add cacheSyncTimeout by @hedgieinsocks in https://github.com/mariadb-operator/mariadb-operator/pull/1521
• Backup & Restore: support for SSE-C by @xavierleune in https://github.com/mariadb-operator/mariadb-operator/pull/1520
• Refactor S3 by @mmontes11 in https://github.com/mariadb-operator/mariadb-operator/pull/1525
• Document namespaceOverride for mariadb-cluster by @hedgieinsocks in https://github.com/mariadb-operator/mariadb-operator/pull/1527
• Decoupled compression from backups by @mmontes11 in https://github.com/mariadb-operator/mariadb-operator/pull/1528
• Allow ExternalMariadb calls without providing client cert by @snaax in https://github.com/mariadb-operator/mariadb-operator/pull/1443
• Using Specific helm version for locally and github workflows by @Michaelpalacce in https://github.com/mariadb-operator/mariadb-operator/pull/1515
• Feature/remove maxscale from maraidb cr by @Michaelpalacce in https://github.com/mariadb-operator/mariadb-operator/pull/1540
• Multiple fixes for 25.10.3 by @mmontes11 in https://github.com/mariadb-operator/mariadb-operator/pull/1541
• Bump golang to 1.25.5 by @dependabot[bot] in https://github.com/mariadb-operator/mariadb-operator/pull/1534
• Bump kubernetes 1.35 by @mmontes11 in https://github.com/mariadb-operator/mariadb-operator/pull/1542
• Bump ghcr.io/devcontainers/features/docker-in-docker from 2.12.3 to 2.13.0 by @dependabot[bot] in https://github.com/mariadb-operator/mariadb-operator/pull/1537
• Bump crate-ci/typos from 1.36.2 to 1.40.0 by @dependabot[bot] in https://github.com/mariadb-operator/mariadb-operator/pull/1524
• Bump helm/chart-testing-action from 2.7.0 to 2.8.0 by @dependabot[bot] in https://github.com/mariadb-operator/mariadb-operator/pull/1512
• Bump github.com/gruntwork-io/terratest from 0.50.0 to 0.52.0 by @dependabot[bot] in https://github.com/mariadb-operator/mariadb-operator/pull/1500
• Bump golangci/golangci-lint-action from 8 to 9 by @dependabot[bot] in https://github.com/mariadb-operator/mariadb-operator/pull/1511
• Bump actions/checkout from 5 to 6 by @dependabot[bot] in https://github.com/mariadb-operator/mariadb-operator/pull/1518
• Release 25.10.3 by @mmontes11 in https://github.com/mariadb-operator/mariadb-operator/pull/1526

New Contributors

• @xavierleune made their first contribution in https://github.com/mariadb-operator/mariadb-operator/pull/1520
• @snaax made their first contribution in https://github.com/mariadb-operator/mariadb-operator/pull/1443

Full Changelog: https://github.com/mariadb-operator/mariadb-operator/compare/25.10.2...25.10.3