From f4ec0098406d78e2556e1bd81c2e7476b79cde5e99de252e37fb50b4b0b601bd Mon Sep 17 00:00:00 2001
From: Andrew <andrewmurray@ezscale.cloud>
Date: Sun, 26 Apr 2026 22:55:17 -0400
Subject: [PATCH] feat(helm): in-cluster MariaDB CR (toggleable for dev)

Renders only when mariadb.enabled=true. Generates a random root
password Secret with helm.sh/resource-policy=keep so uninstall
doesn't orphan the data volume.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 .../templates/mariadb-instance.yaml           | 31 +++++++++++++++++++
 1 file changed, 31 insertions(+)
 create mode 100644 helm/ezscale-website/templates/mariadb-instance.yaml

diff --git a/helm/ezscale-website/templates/mariadb-instance.yaml b/helm/ezscale-website/templates/mariadb-instance.yaml
new file mode 100644
index 0000000..39a5365
--- /dev/null
+++ b/helm/ezscale-website/templates/mariadb-instance.yaml
@@ -0,0 +1,31 @@
+{{- if .Values.mariadb.enabled }}
+{{- $rootSecretName := default (printf "%s-mariadb-root" (include "ezscale-website.fullname" .)) .Values.mariadb.rootPasswordSecret }}
+{{- if not .Values.mariadb.rootPasswordSecret }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ $rootSecretName }}
+  labels: {{- include "ezscale-website.labels" . | nindent 4 }}
+  annotations:
+    helm.sh/resource-policy: keep
+type: Opaque
+stringData:
+  password: {{ randAlphaNum 32 | quote }}
+---
+{{- end }}
+apiVersion: k8s.mariadb.com/v1alpha1
+kind: MariaDB
+metadata:
+  name: {{ include "ezscale-website.fullname" . }}-mariadb
+  labels: {{- include "ezscale-website.labels" . | nindent 4 }}
+spec:
+  image: {{ .Values.mariadb.image }}
+  rootPasswordSecretKeyRef:
+    name: {{ $rootSecretName }}
+    key: password
+    generate: false
+  replicas: {{ .Values.mariadb.replicas }}
+  storage:
+    size: {{ .Values.mariadb.storage.size }}
+    storageClassName: {{ .Values.mariadb.storage.storageClassName }}
+{{- end }}