Sync MariaDB databases and users

Brutus5000 · Brutus5000 · commit 1d0e07e5b74e · 2025-12-08T21:25:42.000+01:00
diff --git a/infra/clusterroles/Chart.yaml b/infra/clusterroles/Chart.yaml
@@ -0,0 +1,5 @@
+apiVersion: v2
+name: clusterroles
+version: 1.0.0
+
+description: "Special cluster roles"
diff --git a/infra/clusterroles/templates/clusterrole-read-cm-secrets.yaml b/infra/clusterroles/templates/clusterrole-read-cm-secrets.yaml
@@ -0,0 +1,10 @@
+# Roles to access configMaps and secrets in all namespaces.
+# This is a very dangerous role, only use it with care!
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: read-cm-secrets
+rules:
+  - apiGroups: [""]
+    resources: ["configmaps", "secrets"]
+    verbs: ["get", "list"]
diff --git a/infra/mariadb/templates/init-database-with-user.yaml b/infra/mariadb/templates/init-database-with-user.yaml
@@ -0,0 +1,110 @@
+# =======================================
+# Jesus, what the fuck is happening here?
+# =======================================
+#
+# 1. Create a service account
+# 2. Permit it to read configmaps and secrets in the faf-apps namespace
+# 3. Iterate over the databasesAndUsers list and create a job for each database
+#    a) initContainer: Load the configmap and secret into environment variables. This must happen via k8s api, as we can't directly reference cm/secrets cross-namespace.
+#    b) actual container: Load the env from file and create the database and user
+
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: init-apps
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: allow-init-apps-read-app-config
+  namespace: faf-apps
+subjects:
+  - kind: ServiceAccount
+    name: init-apps
+    namespace: faf-infra
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: read-cm-secrets
+
+---
+
+{{- $wave := 1 }}
+{{- range .Values.databasesAndUsers }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: mariadb-sync-db-user-{{ $wave }}
+  labels:
+    app: mariadb-sync-db-user
+    argocd.argoproj.io/instance: mariadb
+  annotations:
+    argocd.argoproj.io/hook: PostSync
+    #argocd.argoproj.io/hook-delete-policy: HookSucceeded
+    argocd.argoproj.io/sync-wave: '{{ $wave }}'
+spec:
+  backoffLimit: 1
+  template:
+    spec:
+      serviceAccountName: init-apps
+      volumes:
+        - name: config # We will store the apps config for database, username and password here
+          emptyDir: {}
+      initContainers:
+        - name: load-config
+          image: alpine/kubectl
+          command: ["/bin/sh", "-c"]
+          args:
+            - |
+              mkdir -p /config
+
+              echo -n "SYNC_DATABASE=" > /config/env
+              kubectl get cm {{ .configMapRef }} \
+                -n faf-apps \
+                -o jsonpath='{.data.{{ .databaseKey }}}' >> /config/env
+              echo >> /config/env
+
+              echo -n "SYNC_USERNAME=" >> /config/env
+              kubectl get cm {{ .configMapRef }} \
+                -n faf-apps \
+                -o jsonpath='{.data.{{ .usernameKey }}}' >> /config/env
+              echo >> /config/env
+
+              echo -n "SYNC_PASSWORD=" >> /config/env
+              kubectl get secret {{ .secretRef }} \
+                -n faf-apps \
+                -o jsonpath='{.data.{{ .passwordKey }}}' \
+                | base64 -d >> /config/env
+              echo >> /config/env
+          volumeMounts:
+            - name: config
+              mountPath: /config
+      containers:
+        - name: mariadb-sync-db-user
+          image: {{ $.Values.image.repository }}:{{ $.Values.image.tag }}
+          imagePullPolicy: Always
+          envFrom:
+            - secretRef:
+                name: mariadb
+          command: ["/bin/sh", "-c"]
+          args:
+            - |
+              cat /config/env
+              set -a
+              . /config/env
+              set +a
+
+              mariadb --host=mariadb --user=root --password="${MARIADB_ROOT_PASSWORD}" <<SQL_SCRIPT
+                CREATE DATABASE IF NOT EXISTS \`${SYNC_DATABASE}\`;
+                CREATE USER IF NOT EXISTS '${SYNC_USERNAME}'@'%' IDENTIFIED BY '${SYNC_PASSWORD}';
+                GRANT ALL PRIVILEGES ON \`${SYNC_DATABASE}\`.* TO '${SYNC_USERNAME}'@'%';
+              SQL_SCRIPT
+          volumeMounts:
+            - name: config
+              mountPath: /config
+      restartPolicy: Never
+{{- $wave = add $wave 1 }}
+{{- end }}
diff --git a/infra/mariadb/templates/statefulset.yaml b/infra/mariadb/templates/statefulset.yaml
@@ -17,7 +17,7 @@ spec:
         app: mariadb
     spec:
       containers:
-        - image: mariadb:12.1
+        - image: {{ $.Values.image.repository }}:{{ $.Values.image.tag }}
           imagePullPolicy: Always
           name: mariadb
           ports:
diff --git a/infra/mariadb/values.yaml b/infra/mariadb/values.yaml
@@ -1,2 +1,13 @@
+image:
+  repository: "mariadb"
+  tag: "12.1"
+
 infisical-secret:
   name: mariadb
+
+databasesAndUsers:
+  - configMapRef: faf-api
+    secretRef: faf-api
+    databaseKey: DATABASE_NAME
+    usernameKey: DATABASE_USERNAME
+    passwordKey: DATABASE_PASSWORD
