Sync MariaDB databases and users

Brutus5000 · Brutus5000 · commit 71e73e041676 · 2025-12-08T20:56:00.000+01:00
diff --git a/infra/clusterroles/Chart.yaml b/infra/clusterroles/Chart.yaml
@@ -0,0 +1,5 @@
+apiVersion: v2
+name: clusterroles
+version: 1.0.0
+
+description: "Special cluster roles"
diff --git a/infra/clusterroles/templates/clusterrole-read-cm-secrets.yaml b/infra/clusterroles/templates/clusterrole-read-cm-secrets.yaml
@@ -0,0 +1,10 @@
+# Roles to access configMaps and secrets in all namespaces.
+# This is a very dangerous role, only use it with care!
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: read-cm-secrets
+rules:
+  - apiGroups: [""]
+    resources: ["configmaps", "secrets"]
+    verbs: ["get", "list"]
diff --git a/infra/mariadb/templates/init-database-with-user.yaml b/infra/mariadb/templates/init-database-with-user.yaml
@@ -0,0 +1,78 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: init-apps
+  namespace: db-namespace
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: allow-init-apps-read-app-config
+  namespace: faf-apps
+subjects:
+  - kind: ServiceAccount
+    name: init-apps
+    namespace: faf-ops
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: read-cm-secrets
+
+---
+
+{{- $wave := 1 }}
+{{- range .Values.databasesAndUsers }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: mariadb-sync-db-user-{{ $wave }}
+  labels:
+    app: mariadb-sync-db-user
+    argocd.argoproj.io/instance: mariadb
+  annotations:
+    argocd.argoproj.io/hook: PostSync
+    argocd.argoproj.io/hook-delete-policy: HookSucceeded
+    argocd.argoproj.io/sync-wave: '{{ $wave }}'
+spec:
+  backoffLimit: 1
+  template:
+    spec:
+      serviceAccountName: init-apps
+      containers:
+        - name: mariadb-sync-db-user
+          image: {{ $.Values.image.repository }}:{{ $.Values.image.tag }}
+          imagePullPolicy: Always
+          env:
+            - name: SYNC_DATABASE
+              valueFrom:
+                configMapKeyRef:
+                  name: {{ .configMapRef }}
+                  key: {{ .databaseKey }}
+            - name: SYNC_USERNAME
+              valueFrom:
+                configMapKeyRef:
+                  name: {{ .configMapRef }}
+                  key: {{ .usernameKey }}
+            - name: SYNC_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .secretRef }}
+                  key: {{ .passwordKey }}
+          envFrom:
+            - secretRef:
+                name: mariadb
+
+          command: ["/bin/sh", "-c"]
+          args:
+            - |
+              mariadb --user=root --password="${MARIADB_ROOT_PASSWORD}" <<SQL_SCRIPT
+                CREATE DATABASE IF NOT EXISTS \`${SYNC_DATABASE}\`;
+                CREATE USER IF NOT EXISTS '${SYNC_USERNAME}'@'%' IDENTIFIED BY '${SYNC_PASSWORD}';
+                GRANT ALL PRIVILEGES ON \`${SYNC_DATABASE}\`.* TO '${SYNC_USERNAME}'@'%';
+              SQL_SCRIPT
+      restartPolicy: Never
+{{- $wave = add $wave 1 }}
+{{- end }}
diff --git a/infra/mariadb/templates/statefulset.yaml b/infra/mariadb/templates/statefulset.yaml
@@ -17,7 +17,7 @@ spec:
         app: mariadb
     spec:
       containers:
-        - image: mariadb:12.1
+        - image: {{ $.Values.image.repository }}:{{ $.Values.image.tag }}
           imagePullPolicy: Always
           name: mariadb
           ports:
diff --git a/infra/mariadb/values.yaml b/infra/mariadb/values.yaml
@@ -1,2 +1,13 @@
+image:
+  repository: "mariadb"
+  tag: "12.1"
+
 infisical-secret:
   name: mariadb
+
+databasesAndUsers:
+  - configMapRef: faf-api
+    secretRef: faf-api
+    databaseKey: DATABASE_NAME
+    usernameKey: DATABASE_USERNAME
+    passwordKey: DATABASE_USERNAME
