release: advance to 25.4.3-preview+1

As part of the migration strategy for moving workloads from the public operator
to the CockroachDB operator, we are transitioning CockroachDB operator workloads to
v1beta1.

This commit updates the operator image to support multiple API versions for
CRDs. This ensures backward compatibility, allowing users to continue creating
and reading resources using either v1alpha1 or v1beta1 during this
transition period.

Eventually, support for v1alpha1 will be removed entirely in favor of
v1beta1.

This release also includes a fix to relax the Azure secret dependency during
initial deployment.

Author: NishanthNalluri

CHANGELOG.md

@@ -2,6 +2,17 @@
 
 All notable changes to this project will be documented in this file.
 
+## [cockroachdb-parent-25.4.3-preview+1] 2026-01-19
+### Changed
+- **API Version Migration (v1alpha1 to v1beta1)**: The CockroachDB custom resources are migrating from `v1alpha1` to `v1beta1`. CockroachDB chart now uses `v1beta1` templates.
+  - **IMPORTANT**: Operator MUST be upgraded before CockroachDB chart.
+  - **See [MIGRATION_v1alpha1_to_v1beta1.md](cockroachdb-parent/MIGRATION_v1alpha1_to_v1beta1.md) for upgrade instructions.**
+- Updated the Operator to support multiple CRD versions (v1alpha1, v1beta1) simultaneously.
+### Added
+- Pre-upgrade validation hook to ensure smooth upgrades owing to CR version updates and prevent upgrade order issues.
+### Fixed
+- Relaxed the K8s secret dependency during initial deployment on Azure.
+
 ## [cockroachdb-parent-25.4.2-preview+3] 2025-12-22
 ### Fixed
 - Updated the Operator image to fix pkill command failures within the cert-reloader container.

Makefile

@@ -3,7 +3,7 @@ NC := $(shell tput sgr0) # No Color
 ifeq ($(UNAME_S),Linux)
   COCKROACH_BIN ?= https://binaries.cockroachdb.com/cockroach-v23.2.0.linux-amd64.tgz
   HELM_BIN ?= https://get.helm.sh/helm-v3.14.0-linux-amd64.tar.gz
-  K3D_BIN ?=  https://github.com/k3d-io/k3d/releases/download/v5.7.4/k3d-linux-amd64
+  K3D_BIN ?=  https://github.com/k3d-io/k3d/releases/download/v5.8.3/k3d-linux-amd64
   KIND_BIN ?= https://kind.sigs.k8s.io/dl/v0.29.0/kind-linux-amd64
   KUBECTL_BIN ?= https://dl.k8s.io/release/v1.29.1/bin/linux/amd64/kubectl
   YQ_BIN ?= https://github.com/mikefarah/yq/releases/download/v4.31.2/yq_linux_amd64
@@ -14,7 +14,7 @@ endif
 ifeq ($(UNAME_S),Darwin)
   COCKROACH_BIN ?= https://binaries.cockroachdb.com/cockroach-v23.2.0.darwin-10.9-amd64.tgz
   HELM_BIN ?= https://get.helm.sh/helm-v3.14.0-darwin-amd64.tar.gz
-  K3D_BIN ?=  https://github.com/k3d-io/k3d/releases/download/v5.7.4/k3d-darwin-arm64
+  K3D_BIN ?=  https://github.com/k3d-io/k3d/releases/download/v5.8.3/k3d-darwin-arm64
   KIND_BIN ?= https://kind.sigs.k8s.io/dl/v0.29.0/kind-darwin-arm64
   KUBECTL_BIN ?= https://dl.k8s.io/release/v1.29.1/bin/darwin/amd64/kubectl
   YQ_BIN ?= https://github.com/mikefarah/yq/releases/download/v4.31.2/yq_darwin_amd64

build/templates/cockroachdb-parent/charts/operator/values.yaml

@@ -9,7 +9,7 @@ image:
   # pullPolicy specifies the image pull policy.
   pullPolicy: IfNotPresent
   # tag is the image tag.
-  tag: "897dc492b863c347f9207f800b368a1744cf177e493874b7503987007b5ed869"
+  tag: "1cf224626cbd631fddc87f36eb6e4624f268061f5437fe8e7cdcfae5b5ee7805"
 # certificate defines the certificate settings for the Operator.
 certificate:
   # validForDays specifies the number of days the certificate is valid for.

cockroachdb-parent/Chart.lock

@@ -1,9 +1,9 @@
 dependencies:
 - name: operator
   repository: file://charts/operator
-  version: 25.4.3-preview
+  version: 25.4.3-preview+1
 - name: cockroachdb
   repository: file://charts/cockroachdb
-  version: 25.4.3-preview
-digest: sha256:6f1b0de178c9ef3c4167d5ef6080944ace76520966300e9699290dce762edd01
-generated: "2026-01-14T22:20:16.665505457Z"
+  version: 25.4.3-preview+1
+digest: sha256:29f46720efb21eb0473395bc8ccc7c2fc858a684b094d283ba7dc7cb952814d5
+generated: "2026-01-17T01:14:03.12317+05:30"

cockroachdb-parent/Chart.yaml

@@ -3,14 +3,14 @@ apiVersion: v2
 name: cockroachdb-parent
 description: A parent Helm chart for CockroachDB and its operator using helm-spray
 type: application
-version: 25.4.3-preview
+version: 25.4.3-preview+1
 appVersion: 25.4.3
 dependencies:
   - name: operator
-    version: 25.4.3-preview
+    version: 25.4.3-preview+1
     condition: operator.enabled
     repository: "file://charts/operator"
   - name: cockroachdb
-    version: 25.4.3-preview
+    version: 25.4.3-preview+1
     condition: cockroachdb.enabled
     repository: "file://charts/cockroachdb"

cockroachdb-parent/MIGRATION_v1alpha1_to_v1beta1.md

@@ -0,0 +1,181 @@
+# CockroachDB Operator API Version Migration (v1alpha1 → v1beta1)
+
+## Overview
+
+CockroachDB Operator is transitioning from `v1alpha1` to `v1beta1` API version. This document provides essential upgrade instructions.
+
+**Current Version**: `25.4.3-preview+1` (Multi-version support)
+
+---
+
+## Before You Upgrade
+
+### 🚨 Critical Warning
+
+**NEVER DELETE THE CRD**
+- **DO NOT delete CRDs** if you encounter upgrade issues
+- Deleting CRDs will **permanently delete all your CockroachDB clusters and data**
+- If you have upgrade issues, check logs and contact support – do not delete CRDs
+
+---
+
+## User Scenarios
+
+### New Users (Fresh Installation)
+If you're installing for the first time:
+- ✅ Install normally - no special steps needed
+- ✅ Pre-upgrade validation will automatically detect new installation and skip unnecessary checks
+
+### Existing Users (Upgrading from v1alpha1)
+If you have existing CockroachDB clusters:
+- ✅ Follow the two-step upgrade process below
+- ✅ Pre-upgrade validation will automatically:
+  - Verify CRD supports v1beta1
+  - Rewrite resources to v1beta1 storage format
+  - Validate API access
+- ✅ Zero downtime - your cluster continues running during the upgrade
+
+---
+
+## Upgrade Instructions
+
+### ⚠️ Required Upgrade Order
+
+**The operator MUST be upgraded before the CockroachDB chart.**
+
+Why? The CockroachDB chart now uses `v1beta1` templates, which requires the operator to enable `v1beta1` support in the CRD first.
+
+### Step-by-Step Upgrade
+
+```bash
+# Step 1: Upgrade operator first
+helm upgrade <operator-release> ./cockroachdb-parent/charts/operator -n <namespace>
+
+# Step 2: Then upgrade CockroachDB chart
+helm upgrade <cockroachdb-release> ./cockroachdb-parent/charts/cockroachdb -n <namespace>
+```
+
+**Important**: Both steps are required. Even if you don't have CockroachDB chart value changes, you must upgrade it to update Helm's stored manifest to v1beta1.
+
+### Post-Upgrade
+
+Clear your kubectl cache:
+```bash
+rm -rf ~/.kube/cache
+```
+
+---
+
+## What Happens During Upgrade
+
+1. **Operator Upgrade**: Adds v1beta1 support to CRD (both v1alpha1 and v1beta1 are served, v1beta1 is storage version)
+2. **CockroachDB Chart Upgrade**: Updates templates to v1beta1, pre-upgrade hook validates and rewrites resources
+3. **Automatic Validation**: Pre-upgrade hook ensures everything is ready before proceeding
+
+---
+
+## Common Issues
+
+### "UPGRADE BLOCKED - CRD does not support v1beta1"
+
+**Cause**: Trying to upgrade CockroachDB chart before operator
+
+**Solution**: Upgrade operator first (Step 1 above), then retry CockroachDB chart upgrade
+
+---
+
+### "Cannot access CrdbCluster via v1beta1 API"
+
+**Cause**: Operator not running or CRD configuration issue
+
+**Solution**:
+1. Check operator status: `kubectl get pods -n <namespace> -l app.kubernetes.io/name=cockroach-operator`
+2. Check operator logs: `kubectl logs -n <namespace> -l app.kubernetes.io/name=cockroach-operator`
+3. Verify CRD: `kubectl get crd crdbclusters.crdb.cockroachlabs.com -o yaml`
+
+---
+
+## Verification
+
+After upgrade, verify everything is working:
+
+```bash
+# Check CRD configuration
+kubectl get crd crdbclusters.crdb.cockroachlabs.com \
+  -o jsonpath='{.spec.versions[?(@.storage==true)].name}'
+# Expected output: v1beta1
+
+# Check your clusters
+kubectl get crdbcluster -n <namespace>
+
+# Verify Helm manifest uses v1beta1
+helm get manifest <release> -n <namespace> | grep "apiVersion: crdb.cockroachlabs.com"
+# Expected: v1beta1
+```
+
+---
+
+## FAQ
+
+**Q: Will this cause downtime?**  
+A: No. The migration is zero-downtime. Resources remain accessible during upgrade.
+
+**Q: Do I need to do anything manually?**  
+A: No. Just follow the two-step upgrade order. Pre-upgrade hooks handle everything else automatically.
+
+**Q: What if I only upgrade the operator?**  
+A: You must also upgrade the CockroachDB chart (Step 2). This updates Helm's manifest to v1beta1, which is required for future upgrades.
+
+---
+
+## Support
+
+If you encounter issues:
+
+**🚨 IMPORTANT: Never delete CRDs to "fix" upgrade issues - this will destroy all your data!**
+
+**Check pre-upgrade job logs:**
+```bash
+kubectl logs job/<release>-pre-upgrade-validation -n <namespace>
+```
+
+**Check operator logs:**
+```bash
+kubectl logs -n <namespace> -l app.kubernetes.io/name=cockroach-operator --tail=50
+```
+
+**Check for events:**
+```bash
+kubectl get events -n <namespace> --sort-by='.lastTimestamp'
+```
+
+---
+
+## Quick Reference
+
+**Before upgrade:**
+- ⚠️ Never delete CRDs (will delete all data)
+- ⚠️ Upgrade operator first, then CockroachDB chart
+
+**Upgrade commands:**
+```bash
+# Step 1
+helm upgrade <operator-release> ./cockroachdb-parent/charts/operator -n <namespace>
+
+# Step 2
+helm upgrade <cockroachdb-release> ./cockroachdb-parent/charts/cockroachdb -n <namespace>
+```
+
+**After upgrade:**
+```bash
+# Clear kubectl cache
+rm -rf ~/.kube/cache
+
+# Verify
+kubectl get crdbcluster -n <namespace>
+```
+
+**If issues occur:**
+- Check job logs: `kubectl logs job/<release>-pre-upgrade-validation`
+- Check operator logs
+- DO NOT delete CRDs

cockroachdb-parent/charts/cockroachdb/Chart.yaml

@@ -2,7 +2,7 @@
 apiVersion: v1
 name: cockroachdb
 home: https://www.cockroachlabs.com
-version: 25.4.3-preview
+version: 25.4.3-preview+1
 appVersion: 25.4.3
 description: CockroachDB is a scalable, survivable, strongly-consistent SQL database.
 icon: https://raw.githubusercontent.com/cockroachdb/cockroach/master/docs/media/cockroach_db.png

cockroachdb-parent/charts/cockroachdb/templates/clusterrole-preupgrade.yaml

@@ -0,0 +1,43 @@
+# ClusterRole for pre-upgrade validation hook
+# Allows reading CRDs to validate API version support
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ template "cockroachdb.clusterfullname" . }}-preupgrade-validation
+  labels:
+    helm.sh/chart: {{ template "cockroachdb.chart" . }}
+    app.kubernetes.io/name: {{ template "cockroachdb.name" . }}
+    app.kubernetes.io/instance: {{ .Release.Name | quote }}
+    app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+  annotations:
+    "helm.sh/hook": pre-upgrade
+    "helm.sh/hook-weight": "-10"
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+rules:
+- apiGroups: ["apiextensions.k8s.io"]
+  resources: ["customresourcedefinitions"]
+  verbs: ["get", "list"]
+  resourceNames: ["crdbclusters.crdb.cockroachlabs.com", "crdbnodes.crdb.cockroachlabs.com"]
+---
+# ClusterRoleBinding for pre-upgrade validation
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ template "cockroachdb.clusterfullname" . }}-preupgrade-validation
+  labels:
+    helm.sh/chart: {{ template "cockroachdb.chart" . }}
+    app.kubernetes.io/name: {{ template "cockroachdb.name" . }}
+    app.kubernetes.io/instance: {{ .Release.Name | quote }}
+    app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+  annotations:
+    "helm.sh/hook": pre-upgrade
+    "helm.sh/hook-weight": "-10"
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ template "cockroachdb.clusterfullname" . }}-preupgrade-validation
+subjects:
+- kind: ServiceAccount
+  name: {{ include "cockroachdb.serviceAccount.name" . }}
+  namespace: {{ .Release.Namespace }}

cockroachdb-parent/charts/cockroachdb/templates/crdb.yaml

@@ -2,7 +2,7 @@
 {{- if .Release.IsUpgrade -}}
 {{ template "cockroachdb.isUpgradeAllowed" . }}
 {{- end -}}
-apiVersion: crdb.cockroachlabs.com/v1alpha1
+apiVersion: crdb.cockroachlabs.com/v1beta1
 kind: CrdbCluster
 metadata:
   name: {{ template "cockroachdb.fullname" . }}