diff --git a/infrastructure/databases/mariadb-operator/cluster/kustomization.yaml b/infrastructure/databases/mariadb-operator/cluster/kustomization.yaml
new file mode 100644
index 0000000..8f5f70c
--- /dev/null
+++ b/infrastructure/databases/mariadb-operator/cluster/kustomization.yaml
@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- mariadb.yaml
diff --git a/infrastructure/databases/mariadb-operator/cluster/mariadb.yaml b/infrastructure/databases/mariadb-operator/cluster/mariadb.yaml
new file mode 100644
index 0000000..36991bb
--- /dev/null
+++ b/infrastructure/databases/mariadb-operator/cluster/mariadb.yaml
@@ -0,0 +1,31 @@
+apiVersion: k8s.mariadb.com/v1alpha1
+kind: MariaDB
+metadata:
+  name: mariadb
+  namespace: mariadb-opeartor-system
+spec:
+  replicas: 3
+
+  rootPasswordSecretKeyRef:
+    name: mariadb-root
+    key: password
+
+  storage:
+    size: 20Gi
+
+  # Optional but recommended
+  service:
+    type: ClusterIP
+
+  # Helps with stable operation in GitOps
+  updateStrategy:
+    type: ReplicasFirstPrimaryLast
+
+  # Basic resource safety
+  resources:
+    requests:
+      cpu: 250m
+      memory: 512Mi
+    limits:
+      cpu: "1"
+      memory: 1Gi
diff --git a/infrastructure/databases/mariadb-operator/cluster/rootsecret.yaml b/infrastructure/databases/mariadb-operator/cluster/rootsecret.yaml
new file mode 100644
index 0000000..2da9cc3
--- /dev/null
+++ b/infrastructure/databases/mariadb-operator/cluster/rootsecret.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: mariadb-root
+  namespace: databases
+type: Opaque
+stringData:
+  password: supersecure-root-password#
diff --git a/infrastructure/databases/mariadb-operator/kustomization.yaml b/infrastructure/databases/mariadb-operator/kustomization.yaml
index abbcb8d..d4e7c92 100644
--- a/infrastructure/databases/mariadb-operator/kustomization.yaml
+++ b/infrastructure/databases/mariadb-operator/kustomization.yaml
@@ -4,13 +4,5 @@ resources:
 - helmrelease.yaml
 - namespace.yaml
 - crds
+- cluster
 
-#namespace: mariadb-operator-system
-
-#configMapGenerator:
-#  - name: mariadb-operator-values
-#    files:
-#      - values.yaml
-
-#generatorOptions:
-#  disableNameSuffixHash: true
diff --git a/infrastructure/databases/mariadb-operator/values.yaml b/infrastructure/databases/mariadb-operator/values.yaml
deleted file mode 100644
index e69de29..0000000
diff --git a/secrets/kustomization.yaml b/secrets/kustomization.yaml
index cb3622c..1272cdc 100644
--- a/secrets/kustomization.yaml
+++ b/secrets/kustomization.yaml
@@ -5,3 +5,4 @@ resources:
 - namespace.yaml
 - velerosecrets.yaml
 - fireflysecrets.yaml
+- mariadb-clustersecrets.yaml
diff --git a/secrets/mariadb-clustersecrets.yaml b/secrets/mariadb-clustersecrets.yaml
new file mode 100644
index 0000000..746518d
--- /dev/null
+++ b/secrets/mariadb-clustersecrets.yaml
@@ -0,0 +1,22 @@
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: mariadb-secrets
+  namespace: mariadb-operator-system
+spec:
+  refreshInterval: 1h
+  secretStoreRef:
+    name: bitwarden
+    kind: ClusterSecretStore
+  target:
+    name: mariadb-secrets
+    creationPolicy: Owner
+    template:
+      engineVersion: v2
+      mergePolicy: Merge
+      data:
+        root-password: '{{ index . "mariadb-cluster-root-password" }}'
+  data:
+    - secretKey: mariadb-cluster-root-password
+      remoteRef:
+        key: mariadb-cluster-root-password