chore:: Initial commit for mysql.

kubernetes/apps/database-system/mysql-operator/app.ks.yaml

@@ -0,0 +1,55 @@
+---
+# yaml-language-server: $schema=https://k8s-validation-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: &app mysql-operator
+  namespace: &namespace database-system
+spec:
+  commonMetadata:
+    labels:
+      app.kubernetes.io/name: *app
+  # healthChecks:
+  #   - apiVersion: helm.toolkit.fluxcd.io/v2
+  #     kind: HelmRelease
+  #     name: *app
+  #     namespace: *namespace
+  interval: 30m
+  path: ./kubernetes/apps/database/mysql-operator/app
+  prune: true
+  retryInterval: 1m
+  sourceRef:
+    kind: GitRepository
+    name: flux-system
+    namespace: flux-system
+  targetNamespace: *namespace
+  timeout: 5m
+  wait: true
+
+---
+# yaml-language-server: $schema=https://k8s-validation-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: &app mysql-innodbcluster
+  namespace: &namespace database
+spec:
+  commonMetadata:
+    labels:
+      app.kubernetes.io/name: *app
+  dependsOn:
+    - name: mysql-operator
+      namespace: *namespace
+    - name: openebs
+      namespace: openebs-system
+  interval: 30m
+  path: ./kubernetes/apps/database-system/mysql-operator/cluster
+  prune: true
+  retryInterval: 1m
+  sourceRef:
+    kind: GitRepository
+    name: flux-system
+    namespace: flux-system
+  targetNamespace: *namespace
+  timeout: 5m
+  wait: true

kubernetes/apps/database-system/mysql-operator/app/helmrelease.yaml

@@ -0,0 +1,28 @@
+# yaml-language-server: $schema=https://k8s-validation-schemas.pages.dev/helm.toolkit.fluxcd.io/helmrelease_v2.json
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: mysql-operator
+spec:
+  interval: 15m
+  chartRef:
+    kind: OCIRepository
+    name: mysql-operator
+  maxHistory: 2
+  install:
+    crds: Create
+    remediation:
+      retries: -1
+  upgrade:
+    crds: CreateReplace
+    cleanupOnFail: true
+    remediation:
+      retries: 3
+  uninstall:
+    keepHistory: false
+  values:
+    image:
+      pullPolicy: IfNotPresent
+    envs:
+        imagesPullPolicy: IfNotPresent
+        k8sClusterDomain: cluster.local

kubernetes/apps/database-system/mysql-operator/app/kustomization.yaml

@@ -0,0 +1,8 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - https://raw.githubusercontent.com/mysql/mysql-operator/9.3.0-2.2.4/deploy/deploy-crds.yaml
+  - ./helmrelease.yaml
+  - ./ocirepository.yaml

kubernetes/apps/database-system/mysql-operator/app/ocirepository.yaml

@@ -0,0 +1,19 @@
+---
+# yaml-language-server: $schema=https://k8s-validation-schemas.pages.dev/source.toolkit.fluxcd.io/ocirepository_v1.json
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: OCIRepository
+metadata:
+  name: mysql-operator
+spec:
+  interval: 5m
+  layerSelector:
+    mediaType: application/vnd.cncf.helm.chart.content.v1.tar+gzip
+    operation: copy
+  ref:
+    tag: 2.2.5
+  url: oci://ghcr.io/astrateam-net/oci-charts/mysql-operator
+  verify:
+    provider: cosign
+    matchOIDCIdentity:
+      - issuer: "^https://token.actions.githubusercontent.com$"
+        subject: "^https://github.com/astrateam-net/oci-charts.*$"

kubernetes/apps/database-system/mysql-operator/cluster/helmrelease.yaml

@@ -0,0 +1,290 @@
+---
+# yaml-language-server: $schema=https://k8s-validation-schemas.pages.dev/helm.toolkit.fluxcd.io/helmrelease_v2.json
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: mysql-innodbcluster
+spec:
+  interval: 15m
+  chartRef:
+    kind: OCIRepository
+    name: mysql-innodbcluster
+  maxHistory: 2
+  install:
+    remediation:
+      retries: -1
+  upgrade:
+    cleanupOnFail: true
+    remediation:
+      retries: 3
+  uninstall:
+    keepHistory: false
+  values:
+    image:
+      pullPolicy: IfNotPresent
+      pullSecrets:
+        enabled: false
+        secretName:
+    datadirVolumeClaimTemplate:
+      storageClassName: openebs-hostpath
+      accessModes: ReadWriteOnce
+      resources:
+        requests:
+          storage: 10Gi
+    tls:
+      useSelfSigned: true
+    serverVersion: 8.0.31
+    serverInstances: 1
+    routerInstances: 1 # or use router.instances
+    baseServerId: 1000
+    podSpec:
+      resources:
+        requests:
+          cpu: 50m
+          memory: 1200M
+        limits:
+          cpu: 300m
+          memory: 2250M
+    router:
+      resources:
+        requests:
+          cpu: 48m
+          memory: 64M
+    backupProfiles:
+      - name: mysql-db-backup
+        dumpInstance:
+          storage:
+            persistentVolumeClaim:
+              claimName: mysql-db-backup-pvc
+    backupSchedules:
+      - name: mysql-backup-pvc-schedule
+        schedule: "0 1 * * *"
+        backupProfileName: mysql-db-backup
+        enabled: true
+
+    #instanceService:
+    #  annotations:
+    #    ann1: "is_avalue1"
+    #  labels:
+    #    l1: "is_lvalue1"
+
+    #service:
+    #  type: "ClusterIP"
+    #  annotations:
+    #    ann1: "es_avalue1"
+    #  labels:
+    #    l1: "es_lvalue1"
+
+    #datadirPermissions:
+    #  setRightsUsingInitContainer: false
+    #  fsGroupChangePolicy: "Always"
+
+    #logs:
+    #  error:
+    #    enabled: true
+    #    collect: false
+    #  general:
+    #    enabled: false
+    #    collect: false
+    #  slowQuery:
+    #    enabled: false
+    #    longQueryTime: 2.5
+    #  collector:
+    #    image: "192.168.20.198:5000/fluentd-es:v1.16"
+    #    fluentd:
+    #      forwarding:
+    #        enabled: false
+    #        forwarderSpec:
+    #          podSpec:
+    #            terminationGracePeriod: 42
+    #          podAnnotations:
+    #            forwarderAnnotation1: forwarderAnnotation1Value
+    #          podLabels:
+    #            forwarderLabel1: forwarderLabel1Value
+    #      generalLog:
+    #        tag: "genLogTag"
+    ##        options:
+    #      errorLog:
+    #        tag: "errLogTag"
+    ##        options:
+    ##      slowLog:
+    #        tag: "slowLogTag"
+    ##        options:
+    #     recordAugmentation:
+    #        enabled: false
+    #        labels:
+    #        - fieldName: "pod_name"
+    #          labelName: "statefulset.kubernetes.io/pod-name"
+    #        annotations:
+    #        - fieldName: "membership-info"
+    #          labelName: "mysql.oracle.com/membership-info"
+    #        staticFields:
+    #        - fieldName: "static_field_1"
+    #          fieldValue: "static_field_1_value"
+    #        resourceFields:
+    #        - fieldName: "pod_ip"
+    #          fieldPath: "status.podIP"
+    #        - fieldName: "host_ip"
+    #          fieldPath: "status.hostIP"
+    #      additionalFilterConfiguration: |
+    #        filterConfigValueLine1
+    #        filterConfigValueLine1
+    #      sink:
+    ##       rawConfig:
+
+
+    #keyring:
+    #  file:
+    #    fileName:
+    #    readOnly:
+    #    storage:
+    #  encryptedFile:
+    #    fileName:
+    #    readOnly:
+    #    storage:
+    #    password:
+    #  oci:
+    #    user: "ocid1.user.oc1..."
+    #    keySecret: "oci-credentials"
+    #    keyFingerprint: ""
+    #    tenancy: "ocid1.tenancy.oc1..."
+    #    compartment: "ocid1.compartment.oc1..."
+    #    virtualVault: "ocid1.vault.oc1.."
+    #    masterKey: "ocid1.key.oc1..."
+    #    caCertificate: ""
+    #    endpoints:
+    #      encryption: "<identifier>-crypto.kms.<region>.oraclecloud.com"
+    #      management: "<identifier>-management.kms.<region>.oraclecloud.com"
+    #      vaults: "vaults.<region>.oci.oraclecloud.com"
+    #      secrets: "secrets.vaults.<region>.oci.oraclecloud.com"
+
+
+    #podSpec:
+    #  containers:
+    #  - name: mysql
+    #    resources:
+    #      requests:
+    #        memory: "2048Mi"  # adapt to your needs
+    #        cpu: "1800m"      # adapt to your needs
+    #      limits:
+    #        memory: "8192Mi"  # adapt to your needs
+    #        cpu: "3600m"      # adapt to your needs
+    #
+    #podAnnotations:
+    #podLabels:
+
+    #serverConfig:
+    #  mycnf: |
+    #    [mysqld]
+    #    core_file
+    #    local_infile=off
+
+
+    #datadirVolumeClaimTemplate:
+    #  accessModes:
+    #  resources:
+    #    requests:
+    #      storage:
+
+    #initDB:
+    #  dump:
+    #    name:
+    #    path:
+    #    options:
+    #      includeSchemas:
+    #    ociObjectStorage:
+    #      prefix:
+    #      bucketName:
+    #      credentials:
+    #    s3:
+    #      prefix:
+    #      config:
+    #      bucketName:
+    #      profile:
+    #      endpoint
+    #    azure:
+    #      prefix:
+    #      config:
+    #      containerName:
+    #    persistentVolumeClaim:
+    #  clone:
+    #    donorUrl:
+    #    rootUser:
+    #    credentials:
+
+
+    #backupProfiles:
+    #- name: dump-instance-profile-pvc
+    #  dumpInstance:
+    #    dumpOptions:
+    #      excludeSchemas: ["excludeme"]
+    #    storage:
+    #      persistentVolumeClaim:
+    #        claimName: backup-volume-claim-1
+    #- name: dump-instance-profile-oci
+    #  dumpInstance:
+    #    dumpOptions:
+    #      excludeSchemas: ["excludeme"]
+    #    storage:
+    #      ociObjectStorage:
+    #        prefix : /
+    #        bucketName: idbcluster_backup
+    #        credentials: oci-credentials
+    #
+    #- name: snapshot-profile-oci
+    #  snapshot:
+    #    storage:
+    #      ociObjectStorage:
+    #        prefix : /
+    #        bucketName: idbcluster_backup
+    #        credentials: oci-credentials
+    #      s3:
+    #        prefix:
+    #        config:
+    #        bucketName:
+    #        profile:
+    #        endpoint
+    #      azure:
+    #        prefix:
+    #        config:
+    #        containerName:
+    #
+    #backupSchedules:
+    #- name: schedule-ref
+    #  schedule: "*/1 * * * *"
+    #  timeZone: "Europe/Amsterdam"
+    #  deleteBackupData: false
+    #  backupProfileName: dump-instance-profile-oci
+    #  enabled: true
+    #- name: schedule-inline
+    #  schedule: "*/1 * * * *"
+    #  timeZone: "Europe/Amsterdam"
+    #  deleteBackupData: false
+    #  enabled: true
+    #  backupProfile:
+    #    dumpInstance:
+    #      dumpOptions:
+    #        excludeSchemas: ["excludeme"]
+    #      storage:
+    #        ociObjectStorage:
+    #          prefix : /
+    #          bucketName: idbcluster_backup
+    #          credentials: oci-credentials
+
+
+    # If you would like to debug the Helm output with `helm template`, you need
+    # to turn disableLookups on as during `helm template` Helm won't contact the kube API
+    # and all lookups will thus fail
+    disableLookups: false
+
+    # Set explicit FQDN for MySQL instances
+    # serviceFqdnTemplate: "{service}.{namespace}.svc.{domain}"
+  valuesFrom:
+    - targetPath: credentials.root.user
+      kind: Secret
+      name: mysql-secret
+      valuesKey: rootUser
+    - targetPath: credentials.root.password
+      kind: Secret
+      name: mysql-secret
+      valuesKey: rootPassword

kubernetes/apps/database-system/mysql-operator/cluster/kustomization.yaml

@@ -0,0 +1,12 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ./helmrelease.yaml
+  - ./ocirepository.yaml
+  #- ./externalsecret.yaml
+  # - ./replicationsource.yaml
+  # - ./pvc.yaml
+  # - ./replicationdestination.yaml
+  - ./secrets.sops.yaml

kubernetes/apps/database-system/mysql-operator/cluster/ocirepository.yaml

@@ -0,0 +1,19 @@
+---
+# yaml-language-server: $schema=https://k8s-validation-schemas.pages.dev/source.toolkit.fluxcd.io/ocirepository_v1.json
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: OCIRepository
+metadata:
+  name: mysql-innodbcluster
+spec:
+  interval: 5m
+  layerSelector:
+    mediaType: application/vnd.cncf.helm.chart.content.v1.tar+gzip
+    operation: copy
+  ref:
+    tag: 2.2.5
+  url: oci://ghcr.io/astrateam-net/oci-charts/mysql-innodbcluster
+  verify:
+    provider: cosign
+    matchOIDCIdentity:
+      - issuer: "^https://token.actions.githubusercontent.com$"
+        subject: "^https://github.com/astrateam-net/oci-charts.*$"

kubernetes/apps/database-system/mysql-operator/cluster/pvc.yaml

@@ -0,0 +1,11 @@
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: mysql-db-backup-pvc
+spec:
+  accessModes: ["ReadWriteMany"]
+  resources:
+    requests:
+      storage: 10Gi
+  storageClassName: nfs-slow

kubernetes/apps/database-system/mysql-operator/cluster/replicationdestination.yaml

@@ -0,0 +1,28 @@
+---
+# yaml-language-server: $schema=https://k8s-validation-schemas.pages.dev/volsync.backube/replicationdestination_v1alpha1.json
+apiVersion: volsync.backube/v1alpha1
+kind: ReplicationDestination
+metadata:
+  name: "mysql-db-backup-dst"
+  labels:
+    kustomize.toolkit.fluxcd.io/ssa: IfNotPresent
+spec:
+  trigger:
+    manual: restore-once
+  restic:
+    repository: "mysql-db-backup-volsync-secret"
+    copyMethod: Snapshot
+    volumeSnapshotClassName: "csi-ceph-blockpool"
+    cacheStorageClassName: "ceph-block"
+    cacheAccessModes: ["ReadWriteOnce"]
+    cacheCapacity: 2Gi
+    storageClassName: "ceph-block"
+    accessModes: ["ReadWriteOnce"]
+    capacity: 10Gi
+    moverSecurityContext:
+      runAsUser: 1000
+      runAsGroup: 1000
+      fsGroup: 1000
+    enableFileDeletion: true
+    cleanupCachePVC: true
+    cleanupTempPVC: true

kubernetes/apps/database-system/mysql-operator/cluster/replicationsource.yaml

@@ -0,0 +1,26 @@
+---
+# yaml-language-server: $schema=https://k8s-validation-schemas.pages.dev/volsync.backube/replicationsource_v1alpha1.json
+apiVersion: volsync.backube/v1alpha1
+kind: ReplicationSource
+metadata:
+  name: &name "mysql-db-backup"
+spec:
+  sourcePVC: "mysql-db-backup"
+  trigger:
+    schedule: "0 2 * * *"
+  restic:
+    copyMethod: "Snapshot"
+    pruneIntervalDays: 14
+    repository: "mysql-db-backup-volsync-secret"
+    volumeSnapshotClassName: "csi-ceph-blockpool"
+    cacheCapacity: 10Gi
+    cacheStorageClassName: "ceph-block"
+    cacheAccessModes: ["ReadWriteOnce"]
+    storageClassName: "ceph-block"
+    accessModes: ["ReadWriteOnce"]
+    moverSecurityContext:
+      runAsUser: 1000
+      runAsGroup: 1000
+      fsGroup: 1000
+    retain:
+      daily: 7

kubernetes/apps/database-system/mysql-operator/cluster/secrets.sops.yaml

@@ -0,0 +1,22 @@
+apiVersion: v1
+kind: Secret
+metadata:
+    name: rook-ceph-dashboard-password
+stringData:
+    api-token: ENC[AES256_GCM,data:Q/EO1flnXjhh/GuaFMufV4T6a6X6+slo1g==,iv:YsQmkJ6VRkmAWya6Fmlt6YUW/yX3DTqZOS6Z2c8+WwA=,tag:hAUOIr8hDFRRHYeXyxvhpg==,type:str]
+sops:
+    age:
+        - recipient: age1yzrqhl9dk8ljswpmzsqme3enad5kxxhsptdvecy3lwlq0ms80gaqxrctst
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBncEg3QlNCdXJvMlFvUVgx
+            RU9jU2E1K3h5dlphWmN4R3VhdXBYaDhybFZFCjJuRjFoZ25RQU53RDhpeElTb1Ba
+            RXVYdWFFVFlZT0JmOXRRc3JlWk9zdmcKLS0tIDhFSkJJcytTR1JIZlBIT2ZNZGJ6
+            YWxtMWJrd3hUQlQ3dG04TlRWdy9VbzQKNcokkZu9wDTKM17sLcJ7OkafSI1nFhyO
+            /IM1vRlkJh12vPFE4351skFkgDdExf4gRoZH9MzXdDSh5b/2YBl8Ig==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2026-02-24T13:42:07Z"
+    mac: ENC[AES256_GCM,data:l5WfPr1HQ94V+TbgLFavTF569qO/9hcgqh7XP3NRZH/Z8/xfL496Cint2DwNkE6RB1JPAM4CpsOeCF3HItOgvonokIgZswyCeKwdU5nrWH9UO9pkAIsVjVLRNSbXJhsZiRJQmdQ2SescDSs/5S3wo+x8EO8PPj41TbZBvzUolcw=,iv:3QsirCiB81SVZ+yNAMr1IdWAbtHywPC8E444y+UEem8=,tag:u6uk/YdzQ2Svb3Tbbx3TGw==,type:str]
+    encrypted_regex: ^(data|stringData)$
+    mac_only_encrypted: true
+    version: 3.11.0