From f17de43d21b49f82ffce7d58e8b54cb6b84545bf Mon Sep 17 00:00:00 2001
From: Pratik Bandarkar
Date: Sun, 24 Mar 2024 21:48:54 +0000
Subject: [PATCH] Use HashiCorp Vault to fetch password required by MariaDB MaxScale
---
 docs/infrastructure-mariadb.md | 1 +
 .../base/vault/kustomization.yaml | 1 +
 .../base/vault/mariadb-maxscale.yaml | 24 +++++++++++++++++++
 3 files changed, 26 insertions(+)
 create mode 100644 kustomize/mariadb-cluster/base/vault/mariadb-maxscale.yaml
diff --git a/docs/infrastructure-mariadb.md b/docs/infrastructure-mariadb.md
index f69f8b0a..02072e61 100644
--- a/docs/infrastructure-mariadb.md
+++ b/docs/infrastructure-mariadb.md
@@ -47,6 +47,7 @@ kubectl exec --stdin=true --tty=true vault-0 -n vault -- \
 kubectl exec --stdin=true --tty=true vault-0 -n vault -- \
 vault kv put -mount=osh/mariadb mariadb-root-password root-password=$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)
 ```
+
 - MaxScale password:
 ``` shell
 kubectl exec --stdin=true --tty=true vault-0 -n vault -- \
diff --git a/kustomize/mariadb-cluster/base/vault/kustomization.yaml b/kustomize/mariadb-cluster/base/vault/kustomization.yaml
index 7b3b9e58..22438c37 100644
--- a/kustomize/mariadb-cluster/base/vault/kustomization.yaml
+++ b/kustomize/mariadb-cluster/base/vault/kustomization.yaml
@@ -3,3 +3,4 @@ resources:
 - vaultauth.yaml
 - vaultconnection.yaml
 - mariadb-root-password.yaml
+ - mariadb-maxscale.yaml
diff --git a/kustomize/mariadb-cluster/base/vault/mariadb-maxscale.yaml b/kustomize/mariadb-cluster/base/vault/mariadb-maxscale.yaml
new file mode 100644
index 00000000..a4ef5265
--- /dev/null
+++ b/kustomize/mariadb-cluster/base/vault/mariadb-maxscale.yaml
@@ -0,0 +1,24 @@
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+ name: maxscale
+ namespace: openstack
+spec:
+ type: kv-v2
+
+# mount path
+ mount: 'osh/mariadb'
+
+# path of the secret
+ path: maxscale
+
+# dest k8s secret
+ destination:
+ name: maxscale
+ create: true
+
+# static secret refresh interval
+ refreshAfter: 30s
+
+# Name of the CRD to authenticate to Vault
+ vaultAuthRef: vault-auth
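Review bot: Nothing in this `VaultStaticSecret` tells the consumer that the password changed: `refreshAfter: 30s` rewrites the `maxscale` Secret shortly after a rotation in Vault, but the spec has no `rolloutRestartTargets`, so whatever reads that Secret presumably keeps the old credential until it is restarted by hand. If the MaxScale workload does not reload the Secret on its own, add a `rolloutRestartTargets` entry naming it (kind and name, placeholder `<maxscale-workload>`), or document the manual restart next to the rotation steps in `docs/infrastructure-mariadb.md`. Also consider `hmacSecretData: true` under `spec` so the operator notices and reverts out-of-band edits to the destination Secret. The Vault policy behind `vault-auth` is not visible in this hunk; it is worth confirming that it grants read on the `osh/mariadb` paths only.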