Merge pull request #591 from cockroachdb/nishanth/updateOperatorImage

release: advance to 25.4.3-preview+1

Author: NishanthNalluri

CHANGELOG.md

@@ -2,6 +2,17 @@
 
 All notable changes to this project will be documented in this file.
 
+## [cockroachdb-parent-25.4.3-preview+1] 2026-01-19
+### Changed
+- **API Version Migration (v1alpha1 to v1beta1)**: The CockroachDB custom resources are migrating from `v1alpha1` to `v1beta1`. CockroachDB chart now uses `v1beta1` templates.
+  - **IMPORTANT**: Operator MUST be upgraded before CockroachDB chart.
+  - **See [MIGRATION_v1alpha1_to_v1beta1.md](cockroachdb-parent/MIGRATION_v1alpha1_to_v1beta1.md) for upgrade instructions.**
+- Updated the Operator to support multiple CRD versions (v1alpha1, v1beta1) simultaneously.
+### Added
+- Pre-upgrade validation hook to ensure smooth upgrades owing to CR version updates and prevent upgrade order issues.
+### Fixed
+- Relaxed the K8s secret dependency during initial deployment on Azure.
+
 ## [cockroachdb-parent-25.4.2-preview+3] 2025-12-22
 ### Fixed
 - Updated the Operator image to fix pkill command failures within the cert-reloader container.

Makefile

@@ -3,7 +3,7 @@ NC := $(shell tput sgr0) # No Color
 ifeq ($(UNAME_S),Linux)
   COCKROACH_BIN ?= https://binaries.cockroachdb.com/cockroach-v23.2.0.linux-amd64.tgz
   HELM_BIN ?= https://get.helm.sh/helm-v3.14.0-linux-amd64.tar.gz
-  K3D_BIN ?=  https://github.com/k3d-io/k3d/releases/download/v5.7.4/k3d-linux-amd64
+  K3D_BIN ?=  https://github.com/k3d-io/k3d/releases/download/v5.8.3/k3d-linux-amd64
   KIND_BIN ?= https://kind.sigs.k8s.io/dl/v0.29.0/kind-linux-amd64
   KUBECTL_BIN ?= https://dl.k8s.io/release/v1.29.1/bin/linux/amd64/kubectl
   YQ_BIN ?= https://github.com/mikefarah/yq/releases/download/v4.31.2/yq_linux_amd64
@@ -14,7 +14,7 @@ endif
 ifeq ($(UNAME_S),Darwin)
   COCKROACH_BIN ?= https://binaries.cockroachdb.com/cockroach-v23.2.0.darwin-10.9-amd64.tgz
   HELM_BIN ?= https://get.helm.sh/helm-v3.14.0-darwin-amd64.tar.gz
-  K3D_BIN ?=  https://github.com/k3d-io/k3d/releases/download/v5.7.4/k3d-darwin-arm64
+  K3D_BIN ?=  https://github.com/k3d-io/k3d/releases/download/v5.8.3/k3d-darwin-arm64
   KIND_BIN ?= https://kind.sigs.k8s.io/dl/v0.29.0/kind-darwin-arm64
   KUBECTL_BIN ?= https://dl.k8s.io/release/v1.29.1/bin/darwin/amd64/kubectl
   YQ_BIN ?= https://github.com/mikefarah/yq/releases/download/v4.31.2/yq_darwin_amd64

build/templates/cockroachdb-parent/charts/operator/values.yaml

@@ -9,7 +9,7 @@ image:
   # pullPolicy specifies the image pull policy.
   pullPolicy: IfNotPresent
   # tag is the image tag.
-  tag: "897dc492b863c347f9207f800b368a1744cf177e493874b7503987007b5ed869"
+  tag: "1cf224626cbd631fddc87f36eb6e4624f268061f5437fe8e7cdcfae5b5ee7805"
 # certificate defines the certificate settings for the Operator.
 certificate:
   # validForDays specifies the number of days the certificate is valid for.

cockroachdb-parent/Chart.lock

@@ -1,9 +1,9 @@
 dependencies:
 - name: operator
   repository: file://charts/operator
-  version: 25.4.3-preview
+  version: 25.4.3-preview+1
 - name: cockroachdb
   repository: file://charts/cockroachdb
-  version: 25.4.3-preview
-digest: sha256:6f1b0de178c9ef3c4167d5ef6080944ace76520966300e9699290dce762edd01
-generated: "2026-01-14T22:20:16.665505457Z"
+  version: 25.4.3-preview+1
+digest: sha256:29f46720efb21eb0473395bc8ccc7c2fc858a684b094d283ba7dc7cb952814d5
+generated: "2026-01-17T01:14:03.12317+05:30"

cockroachdb-parent/Chart.yaml

@@ -3,14 +3,14 @@ apiVersion: v2
 name: cockroachdb-parent
 description: A parent Helm chart for CockroachDB and its operator using helm-spray
 type: application
-version: 25.4.3-preview
+version: 25.4.3-preview+1
 appVersion: 25.4.3
 dependencies:
   - name: operator
-    version: 25.4.3-preview
+    version: 25.4.3-preview+1
     condition: operator.enabled
     repository: "file://charts/operator"
   - name: cockroachdb
-    version: 25.4.3-preview
+    version: 25.4.3-preview+1
     condition: cockroachdb.enabled
     repository: "file://charts/cockroachdb"

cockroachdb-parent/MIGRATION_v1alpha1_to_v1beta1.md

@@ -0,0 +1,181 @@
+# CockroachDB Operator API Version Migration (v1alpha1 → v1beta1)
+
+## Overview
+
+CockroachDB Operator is transitioning from `v1alpha1` to `v1beta1` API version. This document provides essential upgrade instructions.
+
+**Current Version**: `25.4.3-preview+1` (Multi-version support)
+
+---
+
+## Before You Upgrade
+
+### 🚨 Critical Warning
+
+**NEVER DELETE THE CRD**
+- **DO NOT delete CRDs** if you encounter upgrade issues
+- Deleting CRDs will **permanently delete all your CockroachDB clusters and data**
+- If you have upgrade issues, check logs and contact support – do not delete CRDs
+
+---
+
+## User Scenarios
+
+### New Users (Fresh Installation)
+If you're installing for the first time:
+- ✅ Install normally - no special steps needed
+- ✅ Pre-upgrade validation will automatically detect new installation and skip unnecessary checks
+
+### Existing Users (Upgrading from v1alpha1)
+If you have existing CockroachDB clusters:
+- ✅ Follow the two-step upgrade process below
+- ✅ Pre-upgrade validation will automatically:
+  - Verify CRD supports v1beta1
+  - Rewrite resources to v1beta1 storage format
+  - Validate API access
+- ✅ Zero downtime - your cluster continues running during the upgrade
+
+---
+
+## Upgrade Instructions
+
+### ⚠️ Required Upgrade Order
+
+**The operator MUST be upgraded before the CockroachDB chart.**
+
+Why? The CockroachDB chart now uses `v1beta1` templates, which requires the operator to enable `v1beta1` support in the CRD first.
+
+### Step-by-Step Upgrade
+
+```bash
+# Step 1: Upgrade operator first
+helm upgrade <operator-release> ./cockroachdb-parent/charts/operator -n <namespace>
+
+# Step 2: Then upgrade CockroachDB chart
+helm upgrade <cockroachdb-release> ./cockroachdb-parent/charts/cockroachdb -n <namespace>
+```
+
+**Important**: Both steps are required. Even if you don't have CockroachDB chart value changes, you must upgrade it to update Helm's stored manifest to v1beta1.
+
+### Post-Upgrade
+
+Clear your kubectl cache:
+```bash
+rm -rf ~/.kube/cache
+```
+
+---
+
+## What Happens During Upgrade
+
+1. **Operator Upgrade**: Adds v1beta1 support to CRD (both v1alpha1 and v1beta1 are served, v1beta1 is storage version)
+2. **CockroachDB Chart Upgrade**: Updates templates to v1beta1, pre-upgrade hook validates and rewrites resources
+3. **Automatic Validation**: Pre-upgrade hook ensures everything is ready before proceeding
+
+---
+
+## Common Issues
+
+### "UPGRADE BLOCKED - CRD does not support v1beta1"
+
+**Cause**: Trying to upgrade CockroachDB chart before operator
+
+**Solution**: Upgrade operator first (Step 1 above), then retry CockroachDB chart upgrade
+
+---
+
+### "Cannot access CrdbCluster via v1beta1 API"
+
+**Cause**: Operator not running or CRD configuration issue
+
+**Solution**:
+1. Check operator status: `kubectl get pods -n <namespace> -l app.kubernetes.io/name=cockroach-operator`
+2. Check operator logs: `kubectl logs -n <namespace> -l app.kubernetes.io/name=cockroach-operator`
+3. Verify CRD: `kubectl get crd crdbclusters.crdb.cockroachlabs.com -o yaml`
+
+---
+
+## Verification
+
+After upgrade, verify everything is working:
+
+```bash
+# Check CRD configuration
+kubectl get crd crdbclusters.crdb.cockroachlabs.com \
+  -o jsonpath='{.spec.versions[?(@.storage==true)].name}'
+# Expected output: v1beta1
+
+# Check your clusters
+kubectl get crdbcluster -n <namespace>
+
+# Verify Helm manifest uses v1beta1
+helm get manifest <release> -n <namespace> | grep "apiVersion: crdb.cockroachlabs.com"
+# Expected: v1beta1
+```
+
+---
+
+## FAQ
+
+**Q: Will this cause downtime?**  
+A: No. The migration is zero-downtime. Resources remain accessible during upgrade.
+
+**Q: Do I need to do anything manually?**  
+A: No. Just follow the two-step upgrade order. Pre-upgrade hooks handle everything else automatically.
+
+**Q: What if I only upgrade the operator?**  
+A: You must also upgrade the CockroachDB chart (Step 2). This updates Helm's manifest to v1beta1, which is required for future upgrades.
+
+---
+
+## Support
+
+If you encounter issues:
+
+**🚨 IMPORTANT: Never delete CRDs to "fix" upgrade issues - this will destroy all your data!**
+
+**Check pre-upgrade job logs:**
+```bash
+kubectl logs job/<release>-pre-upgrade-validation -n <namespace>
+```
+
+**Check operator logs:**
+```bash
+kubectl logs -n <namespace> -l app.kubernetes.io/name=cockroach-operator --tail=50
+```
+
+**Check for events:**
+```bash
+kubectl get events -n <namespace> --sort-by='.lastTimestamp'
+```
+
+---
+
+## Quick Reference
+
+**Before upgrade:**
+- ⚠️ Never delete CRDs (will delete all data)
+- ⚠️ Upgrade operator first, then CockroachDB chart
+
+**Upgrade commands:**
+```bash
+# Step 1
+helm upgrade <operator-release> ./cockroachdb-parent/charts/operator -n <namespace>
+
+# Step 2
+helm upgrade <cockroachdb-release> ./cockroachdb-parent/charts/cockroachdb -n <namespace>
+```
+
+**After upgrade:**
+```bash
+# Clear kubectl cache
+rm -rf ~/.kube/cache
+
+# Verify
+kubectl get crdbcluster -n <namespace>
+```
+
+**If issues occur:**
+- Check job logs: `kubectl logs job/<release>-pre-upgrade-validation`
+- Check operator logs
+- DO NOT delete CRDs

cockroachdb-parent/charts/cockroachdb/Chart.yaml

@@ -2,7 +2,7 @@
 apiVersion: v1
 name: cockroachdb
 home: https://www.cockroachlabs.com
-version: 25.4.3-preview
+version: 25.4.3-preview+1
 appVersion: 25.4.3
 description: CockroachDB is a scalable, survivable, strongly-consistent SQL database.
 icon: https://raw.githubusercontent.com/cockroachdb/cockroach/master/docs/media/cockroach_db.png

cockroachdb-parent/charts/cockroachdb/templates/clusterrole-preupgrade.yaml

@@ -0,0 +1,43 @@
+# ClusterRole for pre-upgrade validation hook
+# Allows reading CRDs to validate API version support
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ template "cockroachdb.clusterfullname" . }}-preupgrade-validation
+  labels:
+    helm.sh/chart: {{ template "cockroachdb.chart" . }}
+    app.kubernetes.io/name: {{ template "cockroachdb.name" . }}
+    app.kubernetes.io/instance: {{ .Release.Name | quote }}
+    app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+  annotations:
+    "helm.sh/hook": pre-upgrade
+    "helm.sh/hook-weight": "-10"
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+rules:
+- apiGroups: ["apiextensions.k8s.io"]
+  resources: ["customresourcedefinitions"]
+  verbs: ["get", "list"]
+  resourceNames: ["crdbclusters.crdb.cockroachlabs.com", "crdbnodes.crdb.cockroachlabs.com"]
+---
+# ClusterRoleBinding for pre-upgrade validation
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ template "cockroachdb.clusterfullname" . }}-preupgrade-validation
+  labels:
+    helm.sh/chart: {{ template "cockroachdb.chart" . }}
+    app.kubernetes.io/name: {{ template "cockroachdb.name" . }}
+    app.kubernetes.io/instance: {{ .Release.Name | quote }}
+    app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+  annotations:
+    "helm.sh/hook": pre-upgrade
+    "helm.sh/hook-weight": "-10"
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ template "cockroachdb.clusterfullname" . }}-preupgrade-validation
+subjects:
+- kind: ServiceAccount
+  name: {{ include "cockroachdb.serviceAccount.name" . }}
+  namespace: {{ .Release.Namespace }}

cockroachdb-parent/charts/cockroachdb/templates/crdb.yaml

@@ -2,7 +2,7 @@
 {{- if .Release.IsUpgrade -}}
 {{ template "cockroachdb.isUpgradeAllowed" . }}
 {{- end -}}
-apiVersion: crdb.cockroachlabs.com/v1alpha1
+apiVersion: crdb.cockroachlabs.com/v1beta1
 kind: CrdbCluster
 metadata:
   name: {{ template "cockroachdb.fullname" . }}