feat(mariadb): initial config (#66)

.gitleaksignore

@@ -1,3 +1,4 @@
 kubernetes/apps/vpn-gateway/gateway/app/secret.sops.yaml:generic-api-key:9
 kubernetes/apps/media/radarr/app/secret.sops.yaml:generic-api-key:12
 kubernetes/apps/media/radarr/app/secret.sops.yaml:generic-api-key:8
+kubernetes/apps/databases/mariadb/app/secret.sops.yaml:generic-api-key:8

hacks/sops-subs-apply.sh

@@ -0,0 +1,19 @@
+#!/usr/bin/env bash
+# A script that applies a kustomization path with substituting
+# the cluster config and secret vars in the KUSTOMIZATION_PATH
+# ./hack/sopsubst.sh ./kubernetes/apps/monitoring/kube-prometheus-stack/app
+
+KUSTOMIZATION_PATH="${1}"
+
+# Paths to cluster secrets and config
+cluster_secret_file="./kubernetes/flux/vars/cluster-secrets.sops.yaml"
+cluster_config_file="./kubernetes/flux/vars/cluster-settings.yaml"
+
+# Export vars in the config and secret files to the current env
+while read -r line; do declare -x "${line}"; done < <(sops -d "${cluster_secret_file}" | yq eval '.stringData' - | sed 's/: /=/g')
+while read -r line; do declare -x "${line}"; done < <(yq eval '.data' "${cluster_config_file}" | sed 's/: /=/g')
+
+# Build the manifests in KUSTOMIZATION_PATH, substitute env with the variables and then apply to the cluster
+kustomize build --load-restrictor=LoadRestrictionsNone "${KUSTOMIZATION_PATH}" \
+    | envsubst \
+        | kubectl apply --server-side -f -

kubernetes/apps/databases/kustomization.yaml

@@ -4,3 +4,4 @@ kind: Kustomization
 resources:
   - ./namespace.yaml
   - ./postgres/ks.yaml
+  - ./mariadb/ks.yaml

kubernetes/apps/databases/mariadb/app/helmrelease.yaml

@@ -0,0 +1,50 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: mariadb
+  namespace: databases
+spec:
+  interval: 15m
+  chart:
+    spec:
+      chart: mariadb
+      version: 12.2.3
+      sourceRef:
+        kind: HelmRepository
+        name: bitnami
+        namespace: flux-system
+      interval: 15m
+  maxHistory: 3
+  install:
+    createNamespace: true
+    remediation:
+      retries: 3
+  upgrade:
+    cleanupOnFail: true
+    remediation:
+      retries: 3
+  uninstall:
+    keepHistory: false
+  values:
+    global:
+      storageClass: longhorn
+    architecture: standalone
+    auth:
+      existingSecret: mariadb-secret
+      database: main
+    persistence:
+      storageClass: longhorn
+      size: 2Gi
+    metrics:
+      enabled: true
+      serviceMonitor:
+        enabled: true
+      prometheusRule:
+        enabled: true
+    # networkPolicy:
+    #   enabled: true
+    #   metrics:
+    #     enabled: true
+    #     namespaceSelector:
+    #       kubernetes.io/metadata.name: monitoring

kubernetes/apps/databases/mariadb/app/kustomization.yaml

@@ -0,0 +1,6 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ./helmrelease.yaml
+  - ./secret.sops.yaml

kubernetes/apps/databases/mariadb/app/secret.sops.yaml

@@ -0,0 +1,30 @@
+apiVersion: v1
+kind: Secret
+metadata:
+    name: mariadb-secret
+    namespace: databases
+type: Opaque
+stringData:
+    mariadb-password: ENC[AES256_GCM,data:S3lQLlZm0xlYluFFlXxmqiS+Ncz0uANU,iv:DqMuUN5qXSLOkdFNgPuth2UONJwAD4Rl3vrrEmMa9o8=,tag:yLDozELYQkMWPM+ZHQtupQ==,type:str]
+    mariadb-replication-password: ENC[AES256_GCM,data:W+tkjfLIOJ38DxjHgMGvMI35rnkvcUaq,iv:Zs6kzluglT8Z/4QLViE2EbNg18hn2a/ntBq9kde5OCc=,tag:5dHPmHMxsY44RfJBG+FvgA==,type:str]
+    mariadb-root-password: ENC[AES256_GCM,data:JY04TrZDhvVWuriMRT5A7n+OVBZUOv1x,iv:n8469M3UUQtmbfIBrzRmUD2jQxbyOBXsEWsGnu0WeRQ=,tag:CgvlL2wJhlL0Y21P2+dPAw==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1w02zzfg0y4ast9mgnd9w0yuym0wqx6q967kmrmq355w4cnw0xytq2x369r
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBODJPUmFFQktpb3lJV2dE
+            YmVPQW1QZHBKQ1Z6K0x1N3FtS2loeGhaMm00CnVEVFY2VjlzblRMUHRmNTBwSWI0
+            UFk3UGxVdlNoRUJpVDllclZNUUY2QzgKLS0tIFVXTnJuVDNPOEdmQzU2Z2VVb1JT
+            d3U2TkpFd1VBZ29XLzRtWlNacTZ6cW8KiHyK+sk78TwuQlbijlbrb0VkuHd8S+iN
+            cgTdE1CPONr81k6jxxSXlOHR7+ItqB/W6NkExkG2O8hD9o2b/b485g==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2023-05-29T19:31:32Z"
+    mac: ENC[AES256_GCM,data:ZcR/k3mbMUhE0GQmIKBxuDRd9ifXS5g3UcYL50JTFkhR0jMLCRE02L7W1MTAnnLq3yv1xgGumVDW/twlF9Dg2nHdAw4+3g22f54k4gel8uIvLOWHcHWmNDPvZxAWcHabFhbS1t+32X+XDTFvDKc7kY0kJHqIxsjNl6AE8XZDHK4=,iv:NfBVaEIUBa9AYkX8EK+X6U/DvuD9k7R68zTMfFMMOdg=,tag:byZ9Ji3Gl0eowbKKigei1Q==,type:str]
+    pgp: []
+    encrypted_regex: ^(data|stringData)$
+    version: 3.7.3

kubernetes/apps/databases/mariadb/ks.yaml

@@ -0,0 +1,16 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: cluster-apps-mariadb
+  namespace: flux-system
+spec:
+  path: ./kubernetes/apps/databases/mariadb/app
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: home-kubernetes
+  wait: true
+  interval: 30m
+  retryInterval: 1m
+  timeout: 5m

kubernetes/apps/databases/postgres/app/kustomization.yaml

@@ -2,5 +2,5 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-  - ./helmreleases.yaml
+  - ./helmrelease.yaml
   - ./secret.sops.yaml