From aac927d57c636c2f9da1feb7c37d2339cd8516eb Mon Sep 17 00:00:00 2001
From: Sergiy Markin <smarkin@mirantis.com>
Date: Thu, 4 Dec 2025 22:11:57 +0000
Subject: [PATCH] Mariadb upgrade to 11.4.8

- replace deprecates mysql* binaries with mariadb*
- fix mysql-exporter TLS connection to mariadb
- using freshly built mariadb image based on ubuntu noble

Change-Id: I8594f9df6b3cecd45466d41c625fa2b7a45604d9
Signed-off-by: Sergiy Markin <smarkin@mirantis.com>
---
 mariadb/templates/bin/_backup_mariadb.sh.tpl       | 14 +++++++-------
 mariadb/templates/bin/_health.sh.tpl               | 10 +++++-----
 .../bin/_prometheus-create-mysql-user.sh.tpl       | 10 +++++-----
 mariadb/templates/bin/_restore_mariadb.sh.tpl      |  4 ++--
 mariadb/templates/bin/_start.py.tpl                |  8 ++++----
 .../bin/_start_mariadb_verify_server.sh.tpl        |  4 ++--
 mariadb/templates/bin/_test.sh.tpl                 |  2 +-
 .../secrets/_prometheus-exporter_user.cnf.tpl      |  5 +++++
 mariadb/templates/statefulset.yaml                 |  1 +
 mariadb/values.yaml                                |  8 ++++----
 releasenotes/notes/mariadb-b923ac9345734125.yaml   |  9 +++++++++
 11 files changed, 45 insertions(+), 30 deletions(-)
 mode change 100755 => 100644 mariadb/templates/bin/_restore_mariadb.sh.tpl
 create mode 100644 releasenotes/notes/mariadb-b923ac9345734125.yaml

diff --git a/mariadb/templates/bin/_backup_mariadb.sh.tpl b/mariadb/templates/bin/_backup_mariadb.sh.tpl
index 44db641420..7514b0c4e3 100644
--- a/mariadb/templates/bin/_backup_mariadb.sh.tpl
+++ b/mariadb/templates/bin/_backup_mariadb.sh.tpl
@@ -35,11 +35,11 @@ dump_databases_to_directory() {
   SCOPE=${3:-"all"}
 
 
-  MYSQL="mysql \
+  MYSQL="mariadb \
      --defaults-file=/etc/mysql/admin_user.cnf \
      --connect-timeout 10"
 
-  MYSQLDUMP="mysqldump \
+  MYSQLDUMP="mariadb-dump \
      --defaults-file=/etc/mysql/admin_user.cnf"
 
   if [[ "${SCOPE}" == "all" ]]; then
@@ -441,11 +441,11 @@ verify_databases_backup_archives() {
   export ARCHIVE_DIR=${MARIADB_BACKUP_BASE_DIR}/db/${MARIADB_POD_NAMESPACE}/${DB_NAME}/archive
   export BAD_ARCHIVE_DIR=${ARCHIVE_DIR}/quarantine
   export MYSQL_OPTS="--silent --skip-column-names"
-  export MYSQL_LIVE="mysql ${MYSQL_OPTS}"
+  export MYSQL_LIVE="mariadb ${MYSQL_OPTS}"
   export MYSQL_LOCAL_OPTS=""
-  export MYSQL_LOCAL_SHORT="mysql ${MYSQL_LOCAL_OPTS} --connect-timeout 2"
+  export MYSQL_LOCAL_SHORT="mariadb ${MYSQL_LOCAL_OPTS} --connect-timeout 2"
   export MYSQL_LOCAL_SHORT_SILENT="${MYSQL_LOCAL_SHORT} ${MYSQL_OPTS}"
-  export MYSQL_LOCAL="mysql ${MYSQL_LOCAL_OPTS} --connect-timeout 10"
+  export MYSQL_LOCAL="mariadb ${MYSQL_LOCAL_OPTS} --connect-timeout 10"
 
   max_wait={{ .Values.conf.mariadb_server.setup_wait.iteration }}
   duration={{ .Values.conf.mariadb_server.setup_wait.duration }}
@@ -513,8 +513,8 @@ verify_databases_backup_archives() {
   # Before insert the tuple mentioned above, we should make sure that the MariaDB version is 10.4.+
   mariadb_version=$($MYSQL_LOCAL_SHORT -e "status" | grep -E '^Server\s+version:')
   log "Current database ${mariadb_version}"
-  if [[ ! -z ${mariadb_version} && -z $(grep '10.2' <<< ${mariadb_version}}) ]]; then
-    if [[ -z $(grep 'mariadb.sys' <<< $($MYSQL_LOCAL_SHORT mysql  -e "select * from global_priv where user='mariadb.sys'")) ]]; then
+  if [[ ! -z ${mariadb_version} && -z $(grep '10.2' <<< ${mariadb_version}) ]]; then
+    if [[ -z $(grep 'mariadb.sys' <<< $($MYSQL_LOCAL_SHORT mariadb  -e "select * from global_priv where user='mariadb.sys'")) ]]; then
       $MYSQL_LOCAL_SHORT -e "insert into mysql.global_priv values ('localhost','mariadb.sys',\
     '{\"access\":0,\"plugin\":\"mysql_native_password\",\"authentication_string\":\"\",\"account_locked\":true,\"password_last_changed\":0}');"
       $MYSQL_LOCAL_SHORT -e 'flush privileges;'
diff --git a/mariadb/templates/bin/_health.sh.tpl b/mariadb/templates/bin/_health.sh.tpl
index fb4be06456..6f48c6a54e 100644
--- a/mariadb/templates/bin/_health.sh.tpl
+++ b/mariadb/templates/bin/_health.sh.tpl
@@ -18,7 +18,7 @@
 
 set -e
 
-MYSQL="mysql \
+MYSQL="mariadb \
   --defaults-file=/etc/mysql/admin_user.cnf \
   --host=localhost \
 {{- if .Values.manifests.certificates }}
@@ -92,12 +92,12 @@ check_readiness () {
 }
 
 check_liveness () {
-  if pidof mysql_upgrade > /dev/null 2>&1 ; then
-    echo "The process mysql_upgrade is active. Skip rest checks"
+  if pidof mariadb-upgrade > /dev/null 2>&1 ; then
+    echo "The process mariadb-upgrade is active. Skip rest checks"
     exit 0
   fi
-  if ! pidof mysqld > /dev/null 2>&1 ; then
-    echo "The mysqld pid not found"
+  if ! pidof mariadbd > /dev/null 2>&1 ; then
+    echo "The mariadbd pid not found"
     exit 1
   fi
   # NOTE(mkarpin): SST process may take significant time in case of large databases,
diff --git a/mariadb/templates/bin/_prometheus-create-mysql-user.sh.tpl b/mariadb/templates/bin/_prometheus-create-mysql-user.sh.tpl
index 388a91647b..c7f9463698 100644
--- a/mariadb/templates/bin/_prometheus-create-mysql-user.sh.tpl
+++ b/mariadb/templates/bin/_prometheus-create-mysql-user.sh.tpl
@@ -26,12 +26,12 @@ set -e
   # is an alias for BINLOG MONITOR and the capabilities have changed. BINLOG MONITOR grants
   # ability to SHOW MASTER STATUS, SHOW BINARY LOGS, SHOW BINLOG EVENTS, and SHOW BINLOG STATUS.
 
-  mariadb_version=$(mysql --defaults-file=/etc/mysql/admin_user.cnf -e "status" | grep -E '^Server\s+version:')
+  mariadb_version=$(mariadb --defaults-file=/etc/mysql/admin_user.cnf -e "status" | grep -E '^Server\s+version:')
   echo "Current database ${mariadb_version}"
 
   if [[ ! -z ${mariadb_version} && -z $(grep -E '10.2|10.3|10.4' <<< ${mariadb_version}) ]]; then
     # In case MariaDB version is 10.2.x-10.4.x - we use old privileges definitions
-    if ! mysql --defaults-file=/etc/mysql/admin_user.cnf -e \
+    if ! mariadb --defaults-file=/etc/mysql/admin_user.cnf -e \
       "CREATE OR REPLACE USER '${EXPORTER_USER}'@'127.0.0.1' IDENTIFIED BY '${EXPORTER_PASSWORD}'; \
       GRANT SLAVE MONITOR, PROCESS, BINLOG MONITOR, SLAVE MONITOR, SELECT ON *.* TO '${EXPORTER_USER}'@'127.0.0.1'; \
       FLUSH PRIVILEGES;" ; then
@@ -40,9 +40,9 @@ set -e
     fi
   else
     # here we use new MariaDB privileges definitions defines since version 10.5
-    if ! mysql --defaults-file=/etc/mysql/admin_user.cnf -e \
-      "CREATE OR REPLACE USER '${EXPORTER_USER}'@'%' IDENTIFIED BY '${EXPORTER_PASSWORD}'; \
-      GRANT SLAVE MONITOR, PROCESS, REPLICATION CLIENT, SELECT ON *.* TO '${EXPORTER_USER}'@'%' ${MARIADB_X509}; \
+    if ! mariadb --defaults-file=/etc/mysql/admin_user.cnf -e \
+      "CREATE OR REPLACE USER '${EXPORTER_USER}'@'127.0.0.1' IDENTIFIED BY '${EXPORTER_PASSWORD}'; \
+      GRANT SLAVE MONITOR, PROCESS, REPLICATION CLIENT, SELECT ON *.* TO '${EXPORTER_USER}'@'127.0.0.1'  ${MARIADB_X509}; \
       FLUSH PRIVILEGES;" ; then
       echo "ERROR: Could not create user: ${EXPORTER_USER}"
       exit 1
diff --git a/mariadb/templates/bin/_restore_mariadb.sh.tpl b/mariadb/templates/bin/_restore_mariadb.sh.tpl
old mode 100755
new mode 100644
index 334ba85bc6..c0c04dc772
--- a/mariadb/templates/bin/_restore_mariadb.sh.tpl
+++ b/mariadb/templates/bin/_restore_mariadb.sh.tpl
@@ -35,14 +35,14 @@ RESTORE_LOG='/tmp/restore_error.log'
 rm -f $RESTORE_LOG
 
 # This is for commands which require admin access
-MYSQL="mysql \
+MYSQL="mariadb \
        --defaults-file=/etc/mysql/admin_user.cnf \
        --host=$MARIADB_SERVER_SERVICE_HOST \
        --connect-timeout 10"
 
 # This is for commands which we want the temporary "restore" user
 # to execute
-RESTORE_CMD="mysql \
+RESTORE_CMD="mariadb \
              --user=${RESTORE_USER} \
              --password=${RESTORE_PW} \
              --host=$MARIADB_SERVER_SERVICE_HOST \
diff --git a/mariadb/templates/bin/_start.py.tpl b/mariadb/templates/bin/_start.py.tpl
index a91a2867f2..ae4dde29fc 100644
--- a/mariadb/templates/bin/_start.py.tpl
+++ b/mariadb/templates/bin/_start.py.tpl
@@ -128,7 +128,7 @@ state_configmap_update_period = 10
 default_sleep = 20
 
 # set one name for all commands, avoid "magic names"
-MYSQL_BINARY_NAME='mysqld'
+MYSQL_BINARY_NAME='mariadbd'
 
 
 def ensure_state_configmap(pod_namespace, configmap_name, configmap_body):
@@ -183,7 +183,7 @@ def wait_mysql_status(delay=30):
     res = 1
     while True:
         logger.info("Checking mysql status {0}".format(i))
-        cmd = ['mysql',
+        cmd = ['mariadb',
             "--defaults-file=/etc/mysql/admin_user.cnf",
             "--host=localhost"]
         if mysql_x509:
@@ -300,7 +300,7 @@ def mysqld_bootstrap():
         stop_mysqld()
         mysqld_write_cluster_conf(mode='bootstrap')
         run_cmd_with_logging([
-            'mysql_install_db', '--user=mysql',
+            'mariadb-install-db', '--user=mysql',
             "--datadir={0}".format(mysql_data_dir)
         ], logger)
         if not mysql_dbaudit_username:
@@ -897,7 +897,7 @@ def run_mysqld(cluster='existing'):
         run_cmd_with_logging_thread.start()
         wait_mysql_status()
         logger.info("Upgrading local mysql instance")
-        upgrade_cmd=['mysql_upgrade', '--skip-write-binlog',
+        upgrade_cmd=['mariadb-upgrade', '--skip-write-binlog',
                      "--user={0}".format(mysql_dbadmin_username),
                      "--password={0}".format(mysql_dbadmin_password)]
         if mysql_x509:
diff --git a/mariadb/templates/bin/_start_mariadb_verify_server.sh.tpl b/mariadb/templates/bin/_start_mariadb_verify_server.sh.tpl
index c633946c93..d9d059a089 100644
--- a/mariadb/templates/bin/_start_mariadb_verify_server.sh.tpl
+++ b/mariadb/templates/bin/_start_mariadb_verify_server.sh.tpl
@@ -25,5 +25,5 @@ log () {
 }
 
 log "Starting Mariadb server for backup verification..."
-mysql_install_db --user=nobody --ldata=/var/lib/mysql >/dev/null 2>&1
-MYSQL_ALLOW_EMPTY_PASSWORD=1 mysqld --user=nobody --verbose >/dev/null 2>&1
+mariadb-install-db --user=nobody --ldata=/var/lib/mysql >/dev/null 2>&1
+MYSQL_ALLOW_EMPTY_PASSWORD=1 mariadbd --user=nobody --verbose >/dev/null 2>&1
diff --git a/mariadb/templates/bin/_test.sh.tpl b/mariadb/templates/bin/_test.sh.tpl
index 536a4213e5..1f3282ebf7 100644
--- a/mariadb/templates/bin/_test.sh.tpl
+++ b/mariadb/templates/bin/_test.sh.tpl
@@ -17,7 +17,7 @@ set -ex
 
 rm -f /tmp/test-success
 
-mysqlslap \
+mariadb-slap \
   --defaults-file=/etc/mysql/test-params.cnf \
   {{ include "helm-toolkit.utils.joinListWithSpace" $.Values.conf.tests.params }} -vv \
   --post-system="touch /tmp/test-success"
diff --git a/mariadb/templates/secrets/_prometheus-exporter_user.cnf.tpl b/mariadb/templates/secrets/_prometheus-exporter_user.cnf.tpl
index d0aab834f5..bbc702e93d 100644
--- a/mariadb/templates/secrets/_prometheus-exporter_user.cnf.tpl
+++ b/mariadb/templates/secrets/_prometheus-exporter_user.cnf.tpl
@@ -17,3 +17,8 @@ user = {{ .Values.endpoints.oslo_db.auth.exporter.username }}
 password = {{ .Values.endpoints.oslo_db.auth.exporter.password }}
 host = localhost
 port = {{ tuple "oslo_db" "direct" "mysql" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- if .Values.manifests.certificates }}
+ssl-ca = /etc/mysql/certs/ca.crt
+ssl-key = /etc/mysql/certs/tls.key
+ssl-cert = /etc/mysql/certs/tls.crt
+{{- end }}
\ No newline at end of file
diff --git a/mariadb/templates/statefulset.yaml b/mariadb/templates/statefulset.yaml
index 21d26706cc..7ed25e0baf 100644
--- a/mariadb/templates/statefulset.yaml
+++ b/mariadb/templates/statefulset.yaml
@@ -315,6 +315,7 @@ spec:
               mountPath: /tmp/mysqld-exporter.sh
               subPath: mysqld-exporter.sh
               readOnly: true
+{{ dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.secrets.tls.oslo_db.server.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
 {{- end }}
       volumes:
         - name: pod-tmp
diff --git a/mariadb/values.yaml b/mariadb/values.yaml
index 5cd08af2e6..cccbc39ae6 100644
--- a/mariadb/values.yaml
+++ b/mariadb/values.yaml
@@ -20,16 +20,16 @@ release_group: null
 
 images:
   tags:
-    mariadb: docker.io/openstackhelm/mariadb:latest-ubuntu_jammy
-    prometheus_create_mysql_user: quay.io/airshipit/mariadb:10.6.20-focal
+    mariadb: quay.io/airshipit/mariadb:latest-ubuntu_noble
+    prometheus_create_mysql_user: quay.io/airshipit/mariadb:11.4.8-noble
     prometheus_mysql_exporter: docker.io/prom/mysqld-exporter:v0.12.1
     prometheus_mysql_exporter_helm_tests: quay.io/airshipit/heat:2025.1-ubuntu_noble
     dep_check: quay.io/airshipit/kubernetes-entrypoint:latest-ubuntu_jammy
     image_repo_sync: quay.io/airshipit/docker:27.5.0
     mariadb_backup: quay.io/airshipit/porthole-mysqlclient-utility:latest-ubuntu_jammy
     ks_user: quay.io/airshipit/heat:2025.1-ubuntu_noble
-    scripted_test: docker.io/openstackhelm/mariadb:ubuntu_focal-20210415
-    mariadb_controller: docker.io/openstackhelm/mariadb:latest-ubuntu_jammy
+    scripted_test: quay.io/airshipit/mariadb:latest-ubuntu_noble
+    mariadb_controller: quay.io/airshipit/mariadb:latest-ubuntu_noble
   pull_policy: "IfNotPresent"
   local_registry:
     active: false
diff --git a/releasenotes/notes/mariadb-b923ac9345734125.yaml b/releasenotes/notes/mariadb-b923ac9345734125.yaml
new file mode 100644
index 0000000000..0a786d7a33
--- /dev/null
+++ b/releasenotes/notes/mariadb-b923ac9345734125.yaml
@@ -0,0 +1,9 @@
+---
+mariadb:
+  - |
+    Updated to use MariaDB 11.4.8 built on Ubuntu 22.04 (Noble).
+fixes:
+  - |
+    Replaced deprecated mysql* binaries to their mariadb* equivalents in
+    scripts. Also fixed TLS connection for myqsl-exporter side conainers.
+...