From de8e5e776c80e16840841578aea4f12bd69ccdb0 Mon Sep 17 00:00:00 2001
From: dtapiacl
Date: Fri, 23 May 2025 10:40:29 -0400
Subject: [PATCH] (openvpn) deploy mariadb operator
---
 fleet/lib/mariadb-operator/fleet.yaml | 18 +++
 .../ayekan/ipaddresspool-openvpndb.yaml | 18 +++
 .../base/external-secret-dockerhub.yaml | 34 +++++
 .../base/external-secret-openvpndb.yaml | 36 +++++
 .../openvpn-db-pre/base/kustomization.yaml | 4 +
 .../base/service-mariadb-headless.yaml | 13 ++
 fleet/lib/openvpn-db-pre/fleet.yaml | 6 +
 fleet/lib/openvpn-db/fleet.yaml | 21 +++
 .../overlays/ayekan/kustomization.yaml | 2 +
 .../overlays/ayekan/mariadb-cluster.yaml | 124 ++++++++++++++++++
 fleet/s/dev/c/ayekan/mariadb-operator | 1 +
 fleet/s/dev/c/ayekan/openvpn-db | 1 +
 fleet/s/dev/c/ayekan/openvpn-db-pre | 1 +
 13 files changed, 279 insertions(+)
 create mode 100644 fleet/lib/mariadb-operator/fleet.yaml
 create mode 100644 fleet/lib/metallb-conf/overlays/ayekan/ipaddresspool-openvpndb.yaml
 create mode 100644 fleet/lib/openvpn-db-pre/base/external-secret-dockerhub.yaml
 create mode 100644 fleet/lib/openvpn-db-pre/base/external-secret-openvpndb.yaml
 create mode 100644 fleet/lib/openvpn-db-pre/base/kustomization.yaml
 create mode 100644 fleet/lib/openvpn-db-pre/base/service-mariadb-headless.yaml
 create mode 100644 fleet/lib/openvpn-db-pre/fleet.yaml
 create mode 100644 fleet/lib/openvpn-db/fleet.yaml
 create mode 100644 fleet/lib/openvpn-db/overlays/ayekan/kustomization.yaml
 create mode 100644 fleet/lib/openvpn-db/overlays/ayekan/mariadb-cluster.yaml
 create mode 120000 fleet/s/dev/c/ayekan/mariadb-operator
 create mode 120000 fleet/s/dev/c/ayekan/openvpn-db
 create mode 120000 fleet/s/dev/c/ayekan/openvpn-db-pre
diff --git a/fleet/lib/mariadb-operator/fleet.yaml b/fleet/lib/mariadb-operator/fleet.yaml
new file mode 100644
index 000000000..d5eb0bebd
--- /dev/null
+++ b/fleet/lib/mariadb-operator/fleet.yaml
@@ -0,0 +1,18 @@
+---
+name: mariadb-operator
+defaultNamespace: &name mariadb-system
+labels:
+ bundle: *name
+helm:
+ chart: mariadb-operator
+ releaseName: mariadb-operator
+ repo: https://helm.mariadb.com/mariadb-operator
+ version: 0.38.1
+ waitForJobs: true
+ timeoutSeconds: 900
+ values:
+ crds:
+ enabled: true
+ ha:
+ enabled: true
+ replicas: 2
diff --git a/fleet/lib/metallb-conf/overlays/ayekan/ipaddresspool-openvpndb.yaml b/fleet/lib/metallb-conf/overlays/ayekan/ipaddresspool-openvpndb.yaml
new file mode 100644
index 000000000..c2de95f9e
--- /dev/null
+++ b/fleet/lib/metallb-conf/overlays/ayekan/ipaddresspool-openvpndb.yaml
@@ -0,0 +1,18 @@
+apiVersion: metallb.io/v1beta1
+kind: IPAddressPool
+metadata:
+ name: openvpndb
+ namespace: metallb-system
+spec:
+ addresses:
+ - 139.229.144.10/32
+ autoAssign: false
+---
+apiVersion: metallb.io/v1beta1
+kind: L2Advertisement
+metadata:
+ name: openvpndb
+ namespace: metallb-system
+spec:
+ ipAddressPools:
+ - openvpndb
diff --git a/fleet/lib/openvpn-db-pre/base/external-secret-dockerhub.yaml b/fleet/lib/openvpn-db-pre/base/external-secret-dockerhub.yaml
new file mode 100644
index 000000000..c7d1aecf8
--- /dev/null
+++ b/fleet/lib/openvpn-db-pre/base/external-secret-dockerhub.yaml
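Review bot: The pool reserves a single address, `139.229.144.10/32`, that looks publicly routable, and nothing in this file says what it is for or who is expected to reach it; a comment above `addresses:` such as `# Dedicated VIP for the openvpn-db MariaDB primary Service; handed out only on request (autoAssign: false)` would make the intent reviewable. The L2Advertisement sets neither `nodeSelectors` nor `interfaces`, so every node may announce the address on every interface; if the VIP is meant for one segment only, pin the advertisement accordingly. The consumer in this commit requests the pool through the legacy `metallb.universe.tf/address-pool` annotation while this file uses the `metallb.io/v1beta1` API; newer MetalLB releases document the `metallb.io/` annotation prefix, so confirm the installed version still honours the old one.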
@@ -0,0 +1,34 @@
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+ name: dockerhub-secret
+ namespace: openvpn-db
+spec:
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: onepassword
+ target:
+ name: dockerhub-secret
+ creationPolicy: Owner
+ template:
+ type: kubernetes.io/dockerconfigjson
+ data:
+ .dockerconfigjson: |
+ {
+ "auths": {
+ "docker.io": {
+ "username": "{{ .dockerhub_username }}",
+ "password": "{{ .dockerhub_token }}",
+ "auth": "{{ printf "%s:%s" .dockerhub_username .dockerhub_token | b64enc }}"
+ }
+ }
+ }
+ data:
+ - secretKey: dockerhub_username
+ remoteRef:
+ key: lsstitadmin-docker-hub
+ property: username
+ - secretKey: dockerhub_token
+ remoteRef:
+ key: lsstitadmin-docker-hub
+ property: docker hub api token
diff --git a/fleet/lib/openvpn-db-pre/base/external-secret-openvpndb.yaml b/fleet/lib/openvpn-db-pre/base/external-secret-openvpndb.yaml
new file mode 100644
index 000000000..5e5d6c483
--- /dev/null
+++ b/fleet/lib/openvpn-db-pre/base/external-secret-openvpndb.yaml
@@ -0,0 +1,36 @@
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+ name: mariadb-root
+ namespace: openvpn-db
+spec:
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: onepassword
+ target:
+ name: mariadb-root
+ creationPolicy: Owner
+ data:
+ - secretKey: mariadb-root-password
+ remoteRef:
+ key: ovpn-mariadb-root
+ property: mariadb-root-password
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+ name: mariadb-replication
+ namespace: openvpn-db
+spec:
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: onepassword
+ target:
+ name: mariadb-replication
+ creationPolicy: Owner
+ data:
+ - secretKey: mariadb-replication-password
+ remoteRef:
+ key: ovpn-mariadb-replication
+ property: mariadb-replication-password
diff --git a/fleet/lib/openvpn-db-pre/base/kustomization.yaml b/fleet/lib/openvpn-db-pre/base/kustomization.yaml
new file mode 100644
index 000000000..e7d89db9d
--- /dev/null
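Review bot: In the `.dockerconfigjson` template the username and token are interpolated raw into JSON string literals, so a credential containing `"` or `\` produces an unparsable `.dockerconfigjson` and the MariaDB pods' image pulls fail; emit the values JSON-encoded instead, e.g. `"password": {{ .dockerhub_token | toJson }},` (ESO's template engine exposes the sprig function set, which includes `toJson` — confirm it is available in the deployed version). The `auth` field is built from the same raw values but is base64-encoded, so it is not affected. The remote item is `lsstitadmin-docker-hub` with property `docker hub api token`, yet the only consumer is a pull of the public `docker.io/library/mariadb` image, which needs no more than read-only pull scope; a comment above `data:` stating what scope that token carries lets a reviewer check least privilege without opening the vault. This document also lacks the leading `---` its sibling `external-secret-openvpndb.yaml` uses; add it for consistency.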
+++ b/fleet/lib/openvpn-db-pre/base/kustomization.yaml
@@ -0,0 +1,4 @@
+resources:
+ - external-secret-dockerhub.yaml
+ - external-secret-openvpndb.yaml
+ - service-mariadb-headless.yaml
diff --git a/fleet/lib/openvpn-db-pre/base/service-mariadb-headless.yaml b/fleet/lib/openvpn-db-pre/base/service-mariadb-headless.yaml
new file mode 100644
index 000000000..aa9fb392f
--- /dev/null
+++ b/fleet/lib/openvpn-db-pre/base/service-mariadb-headless.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: mariadb-galera
+ namespace: openvpn-db
+spec:
+ clusterIP: None
+ selector:
+ app.kubernetes.io/name: mariadb
+ ports:
+ - protocol: TCP
+ port: 3306
+ targetPort: 3306
diff --git a/fleet/lib/openvpn-db-pre/fleet.yaml b/fleet/lib/openvpn-db-pre/fleet.yaml
new file mode 100644
index 000000000..d6d309e18
--- /dev/null
+++ b/fleet/lib/openvpn-db-pre/fleet.yaml
@@ -0,0 +1,6 @@
+defaultNamespace: openvpn-db
+labels:
+ bundle: openvpn-db-pre
+name: openvpn-db-pre
+kustomize:
+ dir: base
diff --git a/fleet/lib/openvpn-db/fleet.yaml b/fleet/lib/openvpn-db/fleet.yaml
new file mode 100644
index 000000000..d4101cb5f
--- /dev/null
+++ b/fleet/lib/openvpn-db/fleet.yaml
@@ -0,0 +1,21 @@
+name: openvpn-db
+defaultNamespace: &name openvpn-db
+namespaceLabels:
+ lsst.io/discover: "true"
+labels:
+ bundle: *name
+dependsOn:
+ - name: mariadb-operator
+ namespace: mariadb-system
+ - name: openvpn-db-pre
+ namespace: openvpn-db
+targetCustomizations:
+ - name: ayekan
+ clusterSelector:
+ matchExpressions:
+ - key: management.cattle.io/cluster-display-name
+ operator: In
+ values:
+ - ayekan
+ kustomize:
+ dir: overlays/ayekan
diff --git a/fleet/lib/openvpn-db/overlays/ayekan/kustomization.yaml b/fleet/lib/openvpn-db/overlays/ayekan/kustomization.yaml
new file mode 100644
index 000000000..1e1523a6d
--- /dev/null
+++ b/fleet/lib/openvpn-db/overlays/ayekan/kustomization.yaml
@@ -0,0 +1,2 @@
+resources:
+ - mariadb-cluster.yaml
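Review bot: The headless `mariadb-galera` Service selects on `app.kubernetes.io/name: mariadb` alone, so any pod carrying that label in `openvpn-db` — a second MariaDB object in the namespace, for instance — would join its endpoint set; if the operator also labels pods with `app.kubernetes.io/instance` (it appears to, verify against a running pod), add `app.kubernetes.io/instance: mariadb` to the selector to scope it to this cluster. The mariadb-operator creates a headless Service of its own for Galera membership, so this hand-written one may be a duplicate; a comment above `metadata:` naming who resolves `mariadb-galera` (a client, a probe, the operator) would justify keeping it in the `openvpn-db-pre` bundle. Bundle ordering is fine: `openvpn-db-pre` is listed in the `openvpn-db` bundle's `dependsOn`, so the Service exists before the MariaDB object is applied.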
diff --git a/fleet/lib/openvpn-db/overlays/ayekan/mariadb-cluster.yaml b/fleet/lib/openvpn-db/overlays/ayekan/mariadb-cluster.yaml
new file mode 100644
index 000000000..f7ae22c8f
--- /dev/null
+++ b/fleet/lib/openvpn-db/overlays/ayekan/mariadb-cluster.yaml
@@ -0,0 +1,124 @@
+apiVersion: k8s.mariadb.com/v1alpha1
+kind: MariaDB
+metadata:
+ name: mariadb
+ namespace: openvpn-db
+spec:
+ replicas: 3
+ galera:
+ enabled: true
+ primary:
+ podIndex: 0
+ automaticFailover: true
+ sst: mariabackup
+
+ rootPasswordSecretKeyRef:
+ name: mariadb-root
+ key: mariadb-root-password
+
+ username: mariadb
+ passwordSecretKeyRef:
+ name: mariadb-replication
+ key: mariadb-replication-password
+ database: mariadb
+
+ image: docker.io/library/mariadb:11.4.5
+ imagePullPolicy: IfNotPresent
+ imagePullSecrets:
+ - name: dockerhub-secret
+
+ storage:
+ size: 100Gi
+ storageClassName: rook-ceph-block
+
+ connection:
+ secretName: connection-mariadb
+ secretTemplate:
+ key: dsn
+ healthCheck:
+ interval: 10s
+ retryInterval: 3s
+ params:
+ parseTime: "true"
+
+ myCnf: |
+ [mariadb]
+ bind-address=*
+ skip-name-resolve
+ connect_timeout=30
+ wait_timeout=28800
+ interactive_timeout=28800
+ net_read_timeout=60
+ net_write_timeout=60
+ max_connections=500
+ max_allowed_packet=64M
+ thread_cache_size=100
+ table_open_cache=2048
+ open_files_limit=65535
+ default_storage_engine=InnoDB
+ binlog_format=row
+ innodb_autoinc_lock_mode=2
+ innodb_buffer_pool_size=1024M
+
+ livenessProbe:
+ exec:
+ command:
+ - bash
+ - -c
+ - mysqladmin ping -u root -p"$MARIADB_ROOT_PASSWORD" --silent
+ periodSeconds: 10
+ timeoutSeconds: 5
+
+ readinessProbe:
+ exec:
+ command:
+ - bash
+ - -c
+ - >
+ mariadb -u root -p"$MARIADB_ROOT_PASSWORD" -e "
+ SHOW STATUS LIKE 'wsrep_ready';
+ SHOW STATUS LIKE 'wsrep_local_state_comment';" |
+ grep -q 'ON' && grep -q 'Synced'
+ periodSeconds: 10
+ timeoutSeconds: 5
+
+ service:
+ type: ClusterIP
+ primaryService:
+ type: LoadBalancer
+ metadata:
+ annotations:
+ metallb.universe.tf/address-pool: openvpndb
+ secondaryService:
+ type: ClusterIP
+
+ affinity:
+ podAntiAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ - labelSelector:
+ matchLabels:
+ app.kubernetes.io/name: mariadb
+ topologyKey: 
kubernetes.io/hostname
+ topologySpreadConstraints:
+ - maxSkew: 1
+ topologyKey: kubernetes.io/hostname
+ whenUnsatisfiable: DoNotSchedule
+ labelSelector:
+ matchLabels:
+ app.kubernetes.io/name: mariadb
+
+ podDisruptionBudget:
+ minAvailable: 2
+
+ terminationGracePeriodSeconds: 180
+
+ podSecurityContext:
+ runAsUser: 999
+ runAsGroup: 999
+ fsGroup: 999
+ securityContext:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: false
+
+ metrics:
+ enabled: true
diff --git a/fleet/s/dev/c/ayekan/mariadb-operator b/fleet/s/dev/c/ayekan/mariadb-operator
new file mode 120000
index 000000000..5e874221a
--- /dev/null
+++ b/fleet/s/dev/c/ayekan/mariadb-operator
@@ -0,0 +1 @@
+../../../../lib/mariadb-operator
\ No newline at end of file
diff --git a/fleet/s/dev/c/ayekan/openvpn-db b/fleet/s/dev/c/ayekan/openvpn-db
new file mode 120000
index 000000000..41cd740b7
--- /dev/null
+++ b/fleet/s/dev/c/ayekan/openvpn-db
@@ -0,0 +1 @@
+../../../../lib/openvpn-db
\ No newline at end of file
diff --git a/fleet/s/dev/c/ayekan/openvpn-db-pre b/fleet/s/dev/c/ayekan/openvpn-db-pre
new file mode 120000
index 000000000..034f2981b
--- /dev/null
+++ b/fleet/s/dev/c/ayekan/openvpn-db-pre
@@ -0,0 +1 @@
+../../../../lib/openvpn-db-pre
\ No newline at end of file
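Review bot: The readiness probe never actually tests for `Synced`: in `... | grep -q 'ON' && grep -q 'Synced'` the `&&` binds looser than `|`, so the second grep runs after the pipeline with nothing piped into it and either reads the probe's stdin to EOF and fails or blocks until the 5s timeout — in both cases the pod never reports ready. Capture the status once and test it twice, e.g. `out=$(mariadb -u root -p"$MARIADB_ROOT_PASSWORD" -e "SHOW STATUS LIKE 'wsrep_ready'; SHOW STATUS LIKE 'wsrep_local_state_comment';") && echo "$out" | grep -q 'ON' && echo "$out" | grep -q 'Synced'`. Both probes also pass the root password in argv, where it is visible in the container's process list for the duration of each call; the MariaDB clients honour `MYSQL_PWD` from the environment, so `MYSQL_PWD="$MARIADB_ROOT_PASSWORD" mysqladmin ping -u root --silent` avoids that (the operator's default probes are the simpler alternative if custom ones are not required). `primaryService` is a LoadBalancer on the `openvpndb` MetalLB pool, which publishes port 3306 on an address that looks routable, and nothing in the commit limits who may connect (no NetworkPolicy, no TLS configuration in the MariaDB spec); state the intended clients in a comment above `primaryService:` and add a NetworkPolicy or source restriction that matches it. The `mariadb` application user takes its password from the `mariadb-replication` Secret, which reads as the Galera replication credential; rename the secret or put `# application user password, not the Galera replication credential` above `passwordSecretKeyRef:` so the two are not confused.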