feat: MariaDB operator and shared cluster

apps/_index/values.apps.yml

@@ -56,6 +56,13 @@ applications:
   syncWave: -100
   deleteProtection: false
 
+- name: network-policies-mariadb-system
+  namespace: mariadb-system
+  path: apps/network-policies
+  type: helm
+  syncWave: -100
+  deleteProtection: false
+
 - name: network-policies-apps
   namespace: apps
   path: apps/network-policies
@@ -120,6 +127,13 @@ applications:
   namespace: postgresql-system
   deleteProtection: false
 
+- name: mariadb-operator-crd
+  type: raw
+  syncWave: -85
+  namespace: mariadb-system
+  deleteProtection: false
+  serverSideApply: true
+
 - name: postgresql-operator
   type: helm
   syncWave: -84
@@ -128,6 +142,14 @@ applications:
   valueFiles:
   - values.$env.yml
 
+- name: mariadb-operator
+  type: helm
+  syncWave: -84
+  namespace: mariadb-system
+  deleteProtection: false
+  valueFiles:
+  - values.$env.yml
+
 - name: cert-manager-crd
   type: raw
   syncWave: -84
@@ -160,6 +182,16 @@ applications:
   secretValueFiles:
   - secrets.$env.yml
 
+- name: mariadb-shared-cluster
+  type: helm
+  syncWave: -58
+  namespace: apps
+  deleteProtection: false
+  valueFiles:
+  - values.$env.yml
+  secretValueFiles:
+  - secrets.$env.yml
+
 - name: dns-primary
   type: helm
   path: apps/dns

apps/common/templates/_network-policies-mariadb.tpl

@@ -0,0 +1,35 @@
+{{- define "common.network-policy-mariadb-cluster" }}
+{{- $port := (.Port | default 3306 ) }}
+{{- with .Root }}
+{{- $clusterName := (.ClusterName | default .Release.Name) }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: {{ $clusterName }}
+  labels:
+    {{- include "common.resource-labels" . | indent 4 }}
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/name: mariadb
+      app.kubernetes.io/instance: {{ $clusterName }}
+  policyTypes:
+    - Ingress
+  ingress:
+    - from:
+        # Accept traffic from other cluster instances
+        - podSelector:
+            matchLabels:
+              app.kubernetes.io/name: mariadb
+              app.kubernetes.io/instance: {{ $clusterName }}
+    - from:
+        # Accept traffic from operator
+        - podSelector:
+            matchLabels: 
+              app.kubernetes.io/name: mariadb-operator
+              app.kubernetes.io/instance: mariadb-operator
+          namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: mariadb-system
+{{- end }}
+{{- end }}

apps/common/templates/_network-policies.tpl

@@ -52,6 +52,18 @@
       port: {{ .port }}
 {{- end }}
 
+{{- define "common.ingress-kubeapi-webhook" }}
+- from:
+  {{- range untilStep 0 255 1 }}
+    - ipBlock:
+        cidr: {{ $.Values.networkPolicy.kubeApiWebhookSubnetPrefix }}.{{ . }}.0/32
+  {{- end }}
+  ports:
+    - protocol: {{ .protocol | default "TCP" }}
+      port: {{ .port }}
+{{- end }}
+
+
 {{- define "common.egress-kubeapi" }}
 - to:
   {{- range $node := .Values.networkPolicy.kubeApiNodes }}

apps/common/values.lab.yml

@@ -1,4 +1,5 @@
 networkPolicy:
+  kubeApiWebhookSubnetPrefix: 172.16
   kubeApiService: 172.17.0.1
   kubeApiNodes:
     - 10.1.8.21

apps/common/values.prod.yml

@@ -1,4 +1,5 @@
 networkPolicy:
+  kubeApiWebhookSubnetPrefix: 172.16
   kubeApiService: 172.17.0.1
   kubeApiNodes:
     - 10.1.2.21

apps/mariadb-operator/Chart.yaml

@@ -0,0 +1,12 @@
+apiVersion: v2
+name: mariadb-operator
+version: 1.0.0
+
+dependencies:
+  - name: common
+    version: 1.0.0
+    repository: file://../common
+
+  - name: mariadb-operator
+    repository: https://mariadb-operator.github.io/mariadb-operator
+    version: 0.22.0

apps/mariadb-operator/templates/network-policy-operator.yml

@@ -0,0 +1,16 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: {{ $.Release.Name }}-operator
+  namespace: {{ $.Release.Namespace }}
+  labels:
+    {{- include "common.resource-labels" . | indent 4 }}
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/name: mariadb-operator
+      app.kubernetes.io/instance: {{ $.Release.Name }}
+  egress:
+    {{- include "common.egress-kubeapi" . | nindent 4 }}
+  policyTypes:
+  - Egress

apps/mariadb-operator/templates/network-policy-webhook.yml

@@ -0,0 +1,33 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: {{ $.Release.Name }}-webhook
+  namespace: {{ $.Release.Namespace }}
+  labels:
+    {{- include "common.resource-labels" . | indent 4 }}
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/name: mariadb-operator-webhook
+      app.kubernetes.io/instance: {{ $.Release.Name }}
+  ingress:
+    # Accept webhooks from Kube API
+    {{- include "common.ingress-kubeapi" (dict "port" 10250 "Values" $.Values)  | nindent 4 }}
+    {{- include "common.ingress-kubeapi-webhook" (dict "port" 10250 "Values" $.Values) | nindent 4 }}
+
+    # Accept calls from operator
+    - ports:
+        - protocol: TCP
+          port: 10250
+        - protocol: TCP
+          port: 443
+      from:
+        - podSelector:
+            matchLabels:
+              app.kubernetes.io/name: mariadb-operator
+              app.kubernetes.io/instance: {{ .Release.Name }}
+  egress:
+    {{- include "common.egress-kubeapi" . | nindent 4 }}
+  policyTypes:
+  - Ingress
+  - Egress

apps/mariadb-operator/values.lab.yml

@@ -0,0 +1,12 @@
+mariadb-operator:
+  tolerations:
+    - key: homecentr.one/critical-only
+      operator: Exists
+      effect: NoSchedule
+  webhook:
+    certificate:
+      certManager: true
+    tolerations:
+      - key: homecentr.one/critical-only
+        operator: Exists
+        effect: NoSchedule

apps/mariadb-operator/values.prod.yml

@@ -0,0 +1,12 @@
+mariadb-operator:
+  tolerations:
+    - key: homecentr.one/critical-only
+      operator: Exists
+      effect: NoSchedule
+  webhook:
+    certificate:
+      certManager: true
+    tolerations:
+      - key: homecentr.one/critical-only
+        operator: Exists
+        effect: NoSchedule

apps/mariadb-shared-cluster/Chart.yaml

@@ -0,0 +1,8 @@
+apiVersion: v2
+name: mariadb-shared-cluster
+version: 1.0.0
+
+dependencies:
+  - name: common
+    version: 1.0.0
+    repository: file://../common

apps/mariadb-shared-cluster/secrets.lab.yml

@@ -0,0 +1,34 @@
+rootUser:
+    password: ENC[AES256_GCM,data:kgQkZpbw1qc/6eOVbvG/D7LL5oJ+fJHhQOtW6oZlr9WGYHsTfiEK/x/oW7/9WI6Wmuh4501GSA==,iv:7adcPUUC8B8+Oo2XWFmJJ97hpJ60OmQfOJ+lZjLpQbA=,tag:uTTXJul/cbZQ7u+ubW6LCg==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1zw6c356patclh7q8cq5a99cghpzmnufgtwfaa0tmcg87a038d9ms4xpytn
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOV2J0Mks5YjBQWUFzSEJr
+            NE1ac2NzcDZZRFlsb1F6QkhHR2I2SCtHbmdJCmlVOFBQMDlDRXVpSUZaVUNwcmRV
+            V0VzNWd0dVhrTU9PRlFjemMzMUhjL2cKLS0tIGpla2tvMnVVWGZZNk5tb0x4L0hT
+            bjVqNG5zUXgrdlhmMDZVTEZZRFhFeTAKQ3so+dPaucHcOQwFxqxhMfCPwlCdMRUY
+            tEgGT8q3FjKyR6jYXuDin86DfVZ6ZFcJnCaLq5K/y7KJRTRzy+kE2A==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1thhmcq56csqrrd07eymtau54xl620yw6qkjykc8tvpyr975v03zqhq5uz4
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwVUhoUE1WL3g2ZUNxd0Qz
+            cWNYc081ekVBRVlVRGwyL3JzU2FPK1psQ2k0CmM0NWhheThCZGt5NXl4R1g0YnJN
+            T2N1aHRWM1dMWlk0Z0NPcmk3Z2hna00KLS0tIGZ4THhtWU9taEx5SXU3UjFKam5x
+            REZCSXV3NW9LcUZ1cHBld2dZakhCOU0KHy2yGjgHeOEmDaPUML4LsFqLyRulFc6D
+            CYvNfcatZExHDosTj7WQbj3GtiXqV9kGj6HpfEDN38LzJdBMQceEVA==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2023-11-13T12:37:47Z"
+    mac: ENC[AES256_GCM,data:A7mGWsKaA34LMLjK7RsNl9oZPYxbD2QW0BR5V8+cDmW2paqb0o6Lzf2KdUcSFIacBlvcyEe3FCQZUtaBjEpYbBjdl21wRJsbgKrKIPix9/+3k5kiRj7BecV4o9nsaRLmrw0pcJRPQV4K49xJep/3Psx1AwAXVCmktI2xuPGG9zw=,iv:iMaE+PLGubVELd/K1nNc03Xs+vDpjuy6OQ0qyYAA/Ug=,tag:ZmzwoZM/t2Y4DSnPCpyZzQ==,type:str]
+    pgp:
+        - created_at: "2023-11-13T12:28:45Z"
+          enc: "-----BEGIN PGP MESSAGE-----\r\n\r\nhQIMA7Pg+ndCcR5CAQ//d7ZDPRVcUloWJPFKupVu0SlimhQyqpHLG/kFfTV2GdsU\r\n07jKobK/3td7MCGNA4RsKk4txIuG7H5b/35F9zC7Sw9u/l9xQHdmMyA/5n6NANHn\r\n09nVxdW+FyQF5WWsc7YE8KVebQaAukHgUvtV2LVreJlbwJHr3eej54SJO56M9K9R\r\nI6DRZ1SELuxpyROEa9WyYXQ2awHPHJIaqRIBLVFAEsRH/4oZ6rbK6t9f4pXGfJD6\r\nZhVqMm/p+9sPaTxa0zFVl0QjIIKgK+jPv6O5kJeUFPBZ0Fr+Nqak1/OGNjS5jBPH\r\nbzD/+nqzZKve0E94exCL3EFIkwIsScwt+PJmKvguLiZqD7+vB4RBtaEut/SpvdIA\r\nFWYcYJO/MUkAtIuBLJBHcaplAI5tiYcqkfo0WA+xPUKuQEAPC4uMkScU7+CIVvVm\r\ngfsuk/wMnp/JyAOuF259iVXKtzZrUqpibTXqegyalyKD4Py+jCxFKQzpZ+aHLiur\r\nAQF8r/NjDhMqu+zv/+5jawqubkvo7UyGWGVjJBurPMmlizMs6Wc0COpjNBw9e7lo\r\nRoFuiVsv1JcsHepWcnVYtuc7szeFbtNWm0i2UBYaPHmrKFZjQTEoqNdz0Qp2mECp\r\njyid9M0s7v1I4bdtgFv2WxicPsjwTLVVbNoFE4abIZG4sR73Z7cyqzIVopyuKUXS\r\nXgFsx7zAMqKlJ3cO0l9AX7FSkOhnNYt+eZj31A13pTvDZnUsYpbRp1iI8R2xWCJX\r\nlIlYAVpZJejqf+YnkbsSdrMGGrBL4OFgo3K2C79zopI1qd13z9aZfIjqw5mBnc0=\r\n=nsh/\r\n-----END PGP MESSAGE-----\r\n"
+          fp: 2D1D9C803F35BBC24014C3906601E1EB2454827F
+    unencrypted_suffix: _unencrypted
+    version: 3.7.3

apps/mariadb-shared-cluster/secrets.prod.yml

@@ -0,0 +1,34 @@
+rootUser:
+    password: ENC[AES256_GCM,data:pDcLydZxrZe0ALXMCAnTLOIvnGwbRF991p5wCrl5zqXbSR8vdAChwBa3fs+J5vrdqr1WXY4xag==,iv:wPspVqUZvI0+cGwC7J8PII+4xcPg1a50Sb1lpfO4HJA=,tag:XuFqEylZR2XSDh+wnBFiUQ==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1zw6c356patclh7q8cq5a99cghpzmnufgtwfaa0tmcg87a038d9ms4xpytn
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsbE8rQzQwN1RKbHI4eDN2
+            K3ZxVTlZSWtqSmxEei8rQTQ3Rm9YQXVRWG1BCnQxQ1kvWVlkVnlIOFBPSWJPdDQ2
+            Uyt1Lyt0a2dOY3lxSTdCbkhMSzBhN2MKLS0tIFhTckxlR0ZjdXViSXZrdDBOZTlt
+            NmFQeEFmSit2OXphSm93RXNNVGdacFEK6Iv6Kdydcy4eEhQ6HXj3PIykXpgNzHTw
+            Bp/HuZufWmuzT4GhW9CfccSH5bfMbIjlJTsln7cfsy6Q0ysV4Yp1XA==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1jaxd6qpsycvekhveuvqs6v80hn235zye2s0uj0rlm4nety646ahsfp2u6e
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4dk1UTy9sZjRaN2kzUUdN
+            cm1pL0hCSGhMNFpjcDV3ZFIrdlRlWGdNcnlVClBQaVplcnpSYzZHTkNKQTFFMWFn
+            dEJEb0FFK0tpYUlPd1ZzbkJjL1hvR28KLS0tIE5DQVN5QnNXcTY2KzUxa0JQRWZp
+            NklFTUFyNklRRlVWa1BMU3JPOFZHMTAKc/LeYA7TtseQD9qNsQ5lQHyJMeIMLlR3
+            wk6qViY8xjr6AsMKOUrxhRlaykMAVp7NNCgHWXDradyUZtrFkmenng==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2023-11-13T20:41:42Z"
+    mac: ENC[AES256_GCM,data:E05g9vHeBNC9oSLdGlOdrAIHguDchxXBE3MLz9r+RuFYhB5D9X3+16LuBgmzWAHSKXjhZpW3owKrczcaN4iOMWQ3MnYzNhHCderfyO79fSbVb30GrdHsuTLCWsiOktSjH0Rp58ul64CszK5NAszqnKHudXhaGRaD835R4qlCxfM=,iv:QLf3gjzzdr5evoceFV30PQLuttb0gvq53CV84SnpDGQ=,tag:+vy6D+Wi6uptx4gbY+w7sA==,type:str]
+    pgp:
+        - created_at: "2023-11-13T20:41:27Z"
+          enc: "-----BEGIN PGP MESSAGE-----\r\n\r\nhQIMA7Pg+ndCcR5CARAAonzfQHOFdsD7U4XimCAwdbELoZbxSgMPD1zjgcpaAlnf\r\nfIgCjcLHuc/B8HjydsGbSqM7VMxfONXv+tRSRQmpK7R7NHIiQfOui6NQuH0twrA4\r\nFRlLgcg3pjwD4oitcu9x4bRThTUrHdkSbnQCnjIRSysZ2sMJuTFSfNzmxOc1ZIK7\r\nOtPY2OrUydGKRzlJJnJVhAZgspw1nu9gOYLxqsRWg1l7Kxg+GMPZSHXIvTYp2jYv\r\nHFzz/gESpb2EBWB/8WZPdAiU2c/DsMUfoG9EhRqtpDNZ9bQ0RNXSV+fPzy747FD8\r\nEiigjBVlkvBhJe4PVB6UWUxMSSzwVRGKEuSzuGFF5NFSF3b02gbgepEQl8HJTGWL\r\nJhs9gLoYUqDy4+fjMQ2BWH99KsgsbYJAYmwa6KbgxzNDs0Hv78OnDMBUakyV/A+D\r\n+oiKMaL80mQQvvoifFGRoJoy9PlTwrycE+GKbgixvus707h4Zzi+rlXBvn8Fv2O0\r\n0E++xNn9bSJp/Ltp4PHmuh9nbPpUwanYFwRlrM6kocUMQr0Zg/ZrJ9f3w+IRdadL\r\nlQ3kgYUdOu/WY3Z9A8uI+wk01wy3T1QuasQVcqgQIGwS5qDRWFkC7MUvxMN1w8WE\r\niwEE44A9pIrJ6zds0tVqMMefMNtF7fo/fKvILyUj17rwPhBWSwUbWNhmg/9GsTbS\r\nXgHGHhkFq8PidcnxFICUJJTdv1qCf1kUftRsGPt6HINTLp9+/hv9LobNmWDcB2+F\r\nyQhpNr2HqZ4R4JWENwD26GtbQpgEhuWsPhprmjWH9r+qVuGjP9Bgz2PDhfkXPs0=\r\n=gqIh\r\n-----END PGP MESSAGE-----\r\n"
+          fp: 2D1D9C803F35BBC24014C3906601E1EB2454827F
+    unencrypted_suffix: _unencrypted
+    version: 3.7.3

apps/mariadb-shared-cluster/templates/backup.yml

@@ -0,0 +1,19 @@
+apiVersion: mariadb.mmontes.io/v1alpha1
+kind: Backup
+metadata:
+  name: {{ .Release.Name }}
+spec:
+  mariaDbRef:
+    name: {{ .Release.Name }}
+  schedule:
+    cron: "0 23 * * *"
+    suspend: false
+  maxRetentionDays: 30
+  storage:
+    persistentVolumeClaim:
+      storageClassName: {{ .Values.persistence.backup.storageClassName }}
+      resources:
+        requests:
+          storage: {{ .Values.persistence.backup.requestSize }}
+      accessModes: {{ .Values.persistence.backup.accessModes | toYaml | nindent 6 }}
+  resources: {{ .Values.backupResources | toYaml | nindent 4 }}

apps/mariadb-shared-cluster/templates/mariadb.yml

@@ -0,0 +1,75 @@
+apiVersion: mariadb.mmontes.io/v1alpha1
+kind: MariaDB
+metadata:
+  name: {{ .Release.Name }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "common.resource-labels" . | indent 4 }}
+spec:
+  rootPasswordSecretKeyRef:
+    name: {{ .Release.Name }}
+    key: root-user-password
+
+  image: mariadb:11.0.3
+
+  port: 3306
+
+  replicas: 2
+
+  replication:
+    enabled: true
+    primary:
+      automaticFailover: true
+    replica:
+      connectionTimeout: 10s
+      connectionRetries: 10
+      syncTimeout: 10s
+
+  connection:
+    secretName: {{ .Release.Name }}-repl
+    secretTemplate:
+      key: dsn
+
+  primaryConnection:
+    secretName: {{ .Release.Name }}-repl-primary
+    secretTemplate:
+      key: dsn
+
+  secondaryConnection:
+    secretName: {{ .Release.Name }}-repl-secondary
+    secretTemplate:
+      key: dsn
+
+  affinity:
+    podAntiAffinity:
+      requiredDuringSchedulingIgnoredDuringExecution:
+        - topologyKey: "kubernetes.io/hostname"
+
+  tolerations:
+    - key: "mariadb.mmontes.io/ha"
+      operator: "Exists"
+      effect: "NoSchedule"
+
+  podDisruptionBudget:
+    maxUnavailable: 66%
+
+  updateStrategy:
+    type: RollingUpdate
+
+  myCnf: |
+    [mariadb]
+    bind-address=*
+    default_storage_engine=InnoDB
+    binlog_format=row
+    innodb_autoinc_lock_mode=2
+    max_allowed_packet=256M
+
+  resources: {{ .Values.resources | toYaml | nindent 4 }}
+
+  # Volume for database data
+  volumeClaimTemplate:
+    storageClassName: {{ .Values.persistence.data.storageClassName }}
+    resources:
+      requests:
+        storage: {{ .Values.persistence.data.requestSize }}
+    accessModes: {{ .Values.persistence.data.accessModes | toYaml | nindent 6 }}