feat(helm): mariadb-operator Database/User/Grant CRDs

When mariadb.enabled=true, references the in-cluster MariaDB this chart deploys. When false, references an external CR via mariadb.externalRef. Privileges scoped to the website's database only — no global ALL PRIVILEGES. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-26 22:55:06 -04:00
parent 3c2cb907d3
commit c46f02bca5
3 changed files with 56 additions and 0 deletions
--- a/helm/ezscale-website/templates/mariadb-database.yaml
+++ b/helm/ezscale-website/templates/mariadb-database.yaml
@@ -0,0 +1,16 @@
+apiVersion: k8s.mariadb.com/v1alpha1
+kind: Database
+metadata:
+  name: {{ include "ezscale-website.fullname" . }}-db
+  labels: {{- include "ezscale-website.labels" . | nindent 4 }}
+spec:
+  mariaDbRef:
+    {{- if .Values.mariadb.enabled }}
+    name: {{ include "ezscale-website.fullname" . }}-mariadb
+    {{- else }}
+    name: {{ .Values.mariadb.externalRef.name }}
+    namespace: {{ .Values.mariadb.externalRef.namespace }}
+    {{- end }}
+  characterSet: utf8mb4
+  collate: utf8mb4_unicode_ci
+  name: {{ .Values.mariadb.database }}
--- a/helm/ezscale-website/templates/mariadb-grant.yaml
+++ b/helm/ezscale-website/templates/mariadb-grant.yaml
@@ -0,0 +1,19 @@
+apiVersion: k8s.mariadb.com/v1alpha1
+kind: Grant
+metadata:
+  name: {{ include "ezscale-website.fullname" . }}-grant
+  labels: {{- include "ezscale-website.labels" . | nindent 4 }}
+spec:
+  mariaDbRef:
+    {{- if .Values.mariadb.enabled }}
+    name: {{ include "ezscale-website.fullname" . }}-mariadb
+    {{- else }}
+    name: {{ .Values.mariadb.externalRef.name }}
+    namespace: {{ .Values.mariadb.externalRef.namespace }}
+    {{- end }}
+  username: {{ .Values.mariadb.username }}
+  host: "%"
+  privileges:
+    - "ALL PRIVILEGES"
+  database: {{ .Values.mariadb.database }}
+  table: "*"
--- a/helm/ezscale-website/templates/mariadb-user.yaml
+++ b/helm/ezscale-website/templates/mariadb-user.yaml
@@ -0,0 +1,21 @@
+apiVersion: k8s.mariadb.com/v1alpha1
+kind: User
+metadata:
+  name: {{ include "ezscale-website.fullname" . }}-user
+  labels: {{- include "ezscale-website.labels" . | nindent 4 }}
+spec:
+  # spec.name overrides metadata.name as the SQL identifier — needed because
+  # k8s resource names can't contain underscores but our SQL username can.
+  name: {{ .Values.mariadb.username }}
+  mariaDbRef:
+    {{- if .Values.mariadb.enabled }}
+    name: {{ include "ezscale-website.fullname" . }}-mariadb
+    {{- else }}
+    name: {{ .Values.mariadb.externalRef.name }}
+    namespace: {{ .Values.mariadb.externalRef.namespace }}
+    {{- end }}
+  passwordSecretKeyRef:
+    name: {{ include "ezscale-website.secretName" . }}
+    key: DB_PASSWORD
+  host: "%"
+  maxUserConnections: 50