Skip to content


Deploy a complete database topology in your Kubernetes cluster using MariaDB, MaxScale and HAProxy.


  • A Kubernetes cluster;
  • Persistent Volume (PV) provisioner support for persistence.

Install the chart

Add the repo

If you haven't yet, please add this repo to Helm.

To deploy the topology with the default parameters to your Kubernetes cluster:

helm install my-database sconeapps/database

The topology

        | HAProxy |
             | (use any HAProxy load balancing)
   +--------+  +--------+
   |MaxScale|  |MaxScale|
   |        |  |        |
   +---+----+  +---+----+
       |           | (shard-based routing)
    v     v      v      v
 +----+ +----+ +----+ +----+
 | DB | | DB | | DB | | DB |
 | 0  | | 1  | | 2  | | 3  |
 +----+ +----+ +----+ +----+

Each MariaDB instance deployed act as a shard, supporting also dynamic volumes (PVs) to provide persistence. MaxScale routes the incoming requests to the appropriate shard based on which table the operation (either a read or a write) is performed. The HAProxy (optionally) balances the load accross the MaxScale replicas.

Have a look at the Parameters section for a complete list of parameters this chart supports.

SGX device

By default, MariaDB and MaxScale helm charts use the SGX Plugin. Hence, their respective resource limits are set as follows:

  limits: 1

In case you do not want to use the SGX plugin, you can remove the resource limit and explicitly mount the local SGX device by setting:

    - name: dev-isgx
        path: /dev/isgx

    - name: dev-isgx
        path: /dev/isgx

    - name: dev-isgx
        path: /dev/isgx

    - name: dev-isgx
        path: /dev/isgx

Please note that mounting the local SGX device into a container requires privileged mode, which will grant the container access to ALL host devices. To enable privileged mode, set securityContext for MariaDB and MaxScale:

    privileged: true

    privileged: true


This is an umbrella chart composed by subcharts. In fact, the parameters are defined in each subchart (e.g. mariadb, maxscale), but here are a few key parameters. Refer to each subchart in this repo for the complete list of the parameters. Any parameter defined in the umbrella chart will override the subchart value, even those that are not listed below.

Parameter Description Default
global.mariadb.replicaCount How many MariaDB instances to deploy. This value is used by MaxScale when generating the shard configuration, if auto-generation is enabled 1
mariadb-scone.shardNameTemplate If defined, this will be the prefix of the database created in every MariaDB instance to act as a shard. To the prefix will be added the instance number, generated by the Kubernetes StatefulSet (e.g. db0, db1...) db
mariadb-scone.image MariaDB SCONE image
mariadb-scone.imagePullPolicy MariaDB SCONE pull policy Always
mariadb-scone.service.port MariaDB SCONE server port 3306
mariadb-scone.service.type MariaDB SCONE service type. As we are deploying MariaDB as a StatefulSet, we use a headless service. ClusterIP
mariadb-scone.extraVolumes Extra volume definitions []
mariadb-scone.extraVolumeMounts Extra volume mounts for MariaDB pod []
mariadb-scone.resources CPU/Memory resource requests/limits for node. Request SGX device through the SGX device plugin. Read more {"limits": {"": 1}}
mariadb-scone.scone.attestation.enabled Enable SCONE remote attestation true
mariadb-scone.scone.attestation.las LAS address, to be exported as SCONE_LAS_ADDR. Defaults to the Docker network interface address
mariadb-scone.scone.attestation.cas CAS address, to be exported as SCONE_CAS_ADDR
mariadb-scone.scone.attestation.config_id MariaDB SCONE session. To be exported as SCONE_CONFIG_ID database_policy/db
mariadb-scone.scone.attestation.env SCONE environment variables to be exported into the container SCONE_HEAP=2G,SCONE_ALLOW_DLOPEN=2,SCONE_MODE=hw,SCONE_LOG=7,SCONE_SYSLIBS=1
maxscale.replicaCount How many MaxScale replicas to deploy 1
maxscale.image MaxScale SCONE image
maxscale.imagePullPolicy MaxScale SCONE pull policy IfNotPresent
maxscale.service.port MaxScale listener port 3306
maxscale.service.type MaxScale service type NodePort
maxscale.extraVolumes Extra volume definitions []
maxscale.extraVolumeMounts Extra volume mounts for MaxScale pod []
maxscale.resources CPU/Memory resource requests/limits for node. {}
maxscale.scone.attestation.enabled Enable SCONE remote attestation false
maxscale.scone.attestation.lasUseHostIP Use node host IP as LAS address true
maxscale.configuration Define the static configuration the MaxScale replicas will use. The content will be rendered as-is into /etc/maxscale.cnf. Refer to MaxScale chart to read more about configuration options nil
maxscale.generateConfig If enabled, let MaxScale generate its config. from provided templates true
maxscale.generateConfig.servers List of IP addresses to be added to MaxScale as servers. Leave it undefined or empty and MaxScale will use the DNS entries of the MariaDB instances deployed alongside it nil
maxscale.generateConfig.serverTemplate Template used to render server and monitor definitions. Now it defaults to sharded setup Sharded setup, where each instance (e.g. IP address) is considered to be a different shard
maxscale.generateConfig.serviceTemplate Template used to render service and listener definitions Considers one service and one listener exposing all shards at the same port
maxscale.generateConfig.cliTemplate Template used to render the CLI service for MaxScale admin tools Default one, from MaxScale docs
maxscale.haproxy.enabled Deploy HAProxy Ingress Controller alongside MaxScale and expose it through a service false
maxscale.haproxy.controller.service.type Type of service used to expose the HAProxy NodePort
maxscale.haproxy.controller.tcp Configure TCP services for the Ingress. Please note that MaxScale will be exposed by default (HAProxy's 8000 -> MaxScale's 3306) {}
maxscale.haproxy.defaultBackend.enabled Deploy a default backend service alongside the ingress controller true
maxscale.haproxy.defaultBackend.image.repository Image repository for the default backend service
maxscale.haproxy.defaultBackend.image.tag Default backend service tag 1.0
serviceAccount.create Create a serviceAccount to be used by the application false
useSGXDevPlugin Use SGX Device Plugin to access SGX resources. "enabled"