feat(infra): Oceanbase Vector Sql Prevent SQL injection And Complementary helm deployment (#2048)

backend/infra/impl/oceanbase/oceanbase.go

@@ -64,15 +64,16 @@ func (c *OceanBaseClient) BatchInsertVectors(ctx context.Context, collectionName
 }
 
 func (c *OceanBaseClient) DeleteVector(ctx context.Context, collectionName string, vectorID string) error {
-	return c.official.GetDB().WithContext(ctx).Exec("DELETE FROM "+collectionName+" WHERE vector_id = ?", vectorID).Error
+	return c.official.GetDB().WithContext(ctx).Table(collectionName).Where("vector_id = ?", vectorID).Delete(nil).Error
 }
 
 func (c *OceanBaseClient) InitDatabase(ctx context.Context) error {
-	return c.official.GetDB().WithContext(ctx).Exec("SELECT 1").Error
+	var result int
+	return c.official.GetDB().WithContext(ctx).Raw("SELECT 1").Scan(&result).Error
 }
 
 func (c *OceanBaseClient) DropCollection(ctx context.Context, collectionName string) error {
-	return c.official.GetDB().WithContext(ctx).Exec("DROP TABLE IF EXISTS " + collectionName).Error
+	return c.official.GetDB().WithContext(ctx).Migrator().DropTable(collectionName)
 }
 
 type SearchStrategy interface {

backend/infra/impl/oceanbase/oceanbase_official.go

@@ -43,6 +43,15 @@ type VectorResult struct {
 	CreatedAt       time.Time `json:"created_at"`
 }
 
+type VectorRecord struct {
+	VectorID  string    `gorm:"column:vector_id;primaryKey"`
+	Content   string    `gorm:"column:content;type:text;not null"`
+	Metadata  string    `gorm:"column:metadata;type:json"`
+	Embedding string    `gorm:"column:embedding;type:vector;not null"`
+	CreatedAt time.Time `gorm:"column:created_at;type:timestamp;default:CURRENT_TIMESTAMP"`
+	UpdatedAt time.Time `gorm:"column:updated_at;type:timestamp;default:CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP"`
+}
+
 type CollectionInfo struct {
 	Name      string `json:"name"`
 	Dimension int    `json:"dimension"`
@@ -83,21 +92,23 @@ func (c *OceanBaseOfficialClient) setVectorParameters() error {
 }
 
 func (c *OceanBaseOfficialClient) CreateCollection(ctx context.Context, collectionName string, dimension int) error {
-	createTableSQL := fmt.Sprintf(`
-		CREATE TABLE IF NOT EXISTS %s (
-			vector_id VARCHAR(255) PRIMARY KEY,
-			content TEXT NOT NULL,
-			metadata JSON,
-			embedding VECTOR(%d) NOT NULL,
-			created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
-			updated_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP,
-			INDEX idx_created_at (created_at),
-			INDEX idx_content (content(100))
-		) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_ci
-	`, collectionName, dimension)
+	if !c.db.WithContext(ctx).Migrator().HasTable(collectionName) {
+		createTableSQL := fmt.Sprintf(`
+			CREATE TABLE IF NOT EXISTS %s (
+				vector_id VARCHAR(255) PRIMARY KEY,
+				content TEXT NOT NULL,
+				metadata JSON,
+				embedding VECTOR(%d) NOT NULL,
+				created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
+				updated_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP,
+				INDEX idx_created_at (created_at),
+				INDEX idx_content (content(100))
+			) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_ci
+		`, collectionName, dimension)
 
-	if err := c.db.WithContext(ctx).Exec(createTableSQL).Error; err != nil {
-		return fmt.Errorf("failed to create table: %v", err)
+		if err := c.db.WithContext(ctx).Exec(createTableSQL).Error; err != nil {
+			return fmt.Errorf("failed to create table: %v", err)
+		}
 	}
 
 	createIndexSQL := fmt.Sprintf(`
@@ -136,30 +147,19 @@ func (c *OceanBaseOfficialClient) InsertVectors(ctx context.Context, collectionN
 }
 
 func (c *OceanBaseOfficialClient) insertBatch(ctx context.Context, collectionName string, batch []VectorResult) error {
-	placeholders := make([]string, len(batch))
-	values := make([]interface{}, 0, len(batch)*5)
-
-	for j, vector := range batch {
-		placeholders[j] = "(?, ?, ?, ?, NOW())"
-		values = append(values,
-			vector.VectorID,
-			vector.Content,
-			vector.Metadata,
-			c.vectorToString(vector.Embedding),
-		)
+	records := make([]VectorRecord, len(batch))
+	for i, vector := range batch {
+		records[i] = VectorRecord{
+			VectorID:  vector.VectorID,
+			Content:   vector.Content,
+			Metadata:  vector.Metadata,
+			Embedding: c.vectorToString(vector.Embedding),
+			CreatedAt: time.Now(),
+			UpdatedAt: time.Now(),
+		}
 	}
 
-	sql := fmt.Sprintf(`
-		INSERT INTO %s (vector_id, content, metadata, embedding, created_at)
-		VALUES %s
-		ON DUPLICATE KEY UPDATE
-			content = VALUES(content),
-			metadata = VALUES(metadata),
-			embedding = VALUES(embedding),
-			updated_at = NOW()
-	`, collectionName, strings.Join(placeholders, ","))
-
-	return c.db.WithContext(ctx).Exec(sql, values...).Error
+	return c.db.WithContext(ctx).Table(collectionName).Save(&records).Error
 }
 
 func (c *OceanBaseOfficialClient) SearchVectors(
@@ -341,24 +341,28 @@ func (c *OceanBaseOfficialClient) DebugCollectionData(ctx context.Context, colle
 	log.Printf("[Debug] Collection '%s' exists with %d vectors", collectionName, count)
 
 	log.Printf("[Debug] Sample data from collection '%s':", collectionName)
-	rows, err := c.db.WithContext(ctx).Raw(`
-		SELECT vector_id, content, created_at
-		FROM ` + collectionName + `
-		ORDER BY created_at DESC
-		LIMIT 5
-	`).Rows()
+	var samples []struct {
+		VectorID  string    `gorm:"column:vector_id"`
+		Content   string    `gorm:"column:content"`
+		CreatedAt time.Time `gorm:"column:created_at"`
+	}
+
+	err := c.db.WithContext(ctx).Table(collectionName).
+		Select("vector_id, content, created_at").
+		Order("created_at DESC").
+		Limit(5).
+		Find(&samples).Error
+
 	if err != nil {
 		log.Printf("[Debug] Failed to get sample data: %v", err)
 	} else {
-		defer rows.Close()
-		for rows.Next() {
-			var vectorID, content string
-			var createdAt time.Time
-			if err := rows.Scan(&vectorID, &content, &createdAt); err != nil {
-				log.Printf("[Debug] Failed to scan sample row: %v", err)
-				continue
+		for _, sample := range samples {
+			contentPreview := sample.Content
+			if len(contentPreview) > 50 {
+				contentPreview = contentPreview[:50]
 			}
-			log.Printf("[Debug] Sample: ID=%s, Content=%s, Created=%s", vectorID, content[:min(50, len(content))], createdAt)
+			log.Printf("[Debug] Sample: ID=%s, Content=%s, Created=%s",
+				sample.VectorID, contentPreview, sample.CreatedAt)
 		}
 	}
 

docker/docker-compose-oceanbase.yml

@@ -252,6 +252,7 @@ services:
       OB_DATAFILE_SIZE: 1G
       OB_SYS_PASSWORD: ${OCEANBASE_PASSWORD:-coze123}
       OB_TENANT_PASSWORD: ${OCEANBASE_PASSWORD:-coze123}
+      OB_CLUSTER_NAME: ${OCEANBASE_CLUSTER_NAME:-cozeAi}
     ports:
       - '2881:2881'
     volumes:

docker/docker-compose-oceanbase_debug.yml

@@ -345,6 +345,7 @@ services:
       OB_DATAFILE_SIZE: 1G
       OB_SYS_PASSWORD: ${OCEANBASE_PASSWORD:-coze123}
       OB_TENANT_PASSWORD: ${OCEANBASE_PASSWORD:-coze123}
+      OB_CLUSTER_NAME: ${OCEANBASE_CLUSTER_NAME:-cozeAi}
     profiles: ['middleware']
     env_file: *env_file
     ports:

docs/oceanbase-integration-guide-en.md

@@ -225,6 +225,266 @@ docker logs coze-oceanbase | grep "slow query"
 mysql -h localhost -P 2881 -u root -p -e "SHOW PROCESSLIST;"
 ```
 
+## Helm Deployment Guide (Kubernetes)
+
+### 1. Environment Preparation
+
+Ensure the following tools are installed:
+
+- Kubernetes cluster (recommended: k3s or kind)
+- Helm 3.x
+- kubectl
+
+### 2. Install Dependencies
+
+#### Install cert-manager
+
+```bash
+# Add cert-manager Helm repository
+helm repo add jetstack https://charts.jetstack.io
+helm repo update
+
+# Install cert-manager
+kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.16.2/cert-manager.yaml
+
+# Wait for cert-manager to be ready
+kubectl wait --for=condition=ready pod -l app.kubernetes.io/name=cert-manager -n cert-manager --timeout=300s
+```
+
+#### Install ob-operator
+
+```bash
+# Add ob-operator Helm repository
+helm repo add ob-operator https://oceanbase.github.io/ob-operator/
+helm repo update
+
+# Install ob-operator
+helm install ob-operator ob-operator/ob-operator --set reporter=cozeAi --namespace=oceanbase-system --create-namespace
+
+# Wait for ob-operator to be ready
+kubectl wait --for=condition=ready pod -l control-plane=controller-manager -n oceanbase-system --timeout=300s
+```
+
+### 3. Deploy OceanBase
+
+#### Using Integrated Helm Chart
+
+```bash
+# Deploy complete Coze Studio application (including OceanBase)
+helm install coze-studio helm/charts/opencoze \
+  --set oceanbase.enabled=true \
+  --namespace coze-studio \
+  --create-namespace
+
+# Or deploy only OceanBase component
+helm install oceanbase-only helm/charts/opencoze \
+  --set oceanbase.enabled=true \
+  --set mysql.enabled=false \
+  --set redis.enabled=false \
+  --set minio.enabled=false \
+  --set elasticsearch.enabled=false \
+  --set milvus.enabled=false \
+  --set rocketmq.enabled=false \
+  --namespace oceanbase \
+  --create-namespace
+```
+
+#### Custom Configuration
+
+Create `oceanbase-values.yaml` file:
+
+```yaml
+oceanbase:
+  enabled: true
+  port: 2881
+  targetPort: 2881
+  clusterName: 'cozeAi'
+  clusterId: 1
+  image:
+    repository: oceanbase/oceanbase-ce
+    tag: 'latest'
+  obAgentVersion: '4.2.2-100000042024011120'
+  monitorEnabled: true
+  storageClass: ''
+  observerConfig:
+    resource:
+      cpu: 2
+      memory: 8Gi
+    storages:
+      dataStorage: 10G
+      redoLogStorage: 5G
+      logStorage: 5G
+  monitorResource:
+    cpu: 100m
+    memory: 256Mi
+  generateUserSecrets: true
+  userSecrets:
+    root: 'coze123'
+    monitor: 'coze123'
+    operator: 'coze123'
+    proxyro: 'coze123'
+  topology:
+    - zone: zone1
+      replica: 1
+  parameters:
+    - name: system_memory
+      value: '4G'
+    - name: '__min_full_resource_pool_memory'
+      value: '4294967296'
+  annotations: {}
+  backupVolumeEnabled: false
+```
+
+Deploy with custom configuration:
+
+```bash
+helm install oceanbase-custom helm/charts/opencoze \
+  -f oceanbase-values.yaml \
+  --namespace oceanbase \
+  --create-namespace
+```
+
+### 4. Verify Deployment
+
+```bash
+# Check OBCluster status
+kubectl get obcluster -n oceanbase
+
+# Check OceanBase pods
+kubectl get pods -n oceanbase
+
+# Check services
+kubectl get svc -n oceanbase
+
+# View detailed status
+kubectl describe obcluster -n oceanbase
+```
+
+### 5. Connection Testing
+
+#### Port Forwarding
+
+```bash
+# Forward OceanBase port
+kubectl port-forward svc/oceanbase-service -n oceanbase 2881:2881
+```
+
+#### Using obclient Connection
+
+```bash
+# Connect within cluster
+kubectl exec -it deployment/oceanbase-obcluster-zone1 -n oceanbase -- obclient -h127.0.0.1 -P2881 -uroot@test -pcoze123 -Dtest
+
+# Connect from external (requires port forwarding)
+obclient -h127.0.0.1 -P2881 -uroot@test -pcoze123 -Dtest
+```
+
+#### Using MySQL Client Connection
+
+```bash
+# Using MySQL client
+mysql -h127.0.0.1 -P2881 -uroot@test -pcoze123 -Dtest
+```
+
+### 6. Monitoring and Management
+
+#### View Logs
+
+```bash
+# View OceanBase logs
+kubectl logs -f deployment/oceanbase-obcluster-zone1 -n oceanbase
+
+# View ob-operator logs
+kubectl logs -f deployment/oceanbase-controller-manager -n oceanbase-system
+```
+
+#### Scaling
+
+```bash
+# Scale replica count
+kubectl patch obcluster oceanbase-obcluster -n oceanbase --type='merge' -p='{"spec":{"topology":[{"zone":"zone1","replica":2}]}}'
+
+# Adjust resource configuration
+kubectl patch obcluster oceanbase-obcluster -n oceanbase --type='merge' -p='{"spec":{"observer":{"resource":{"cpu":4,"memory":"16Gi"}}}}'
+```
+
+#### Backup and Recovery
+
+```bash
+# Create backup
+kubectl apply -f - <<EOF
+apiVersion: oceanbase.oceanbase.com/v1alpha1
+kind: OBTenantBackupPolicy
+metadata:
+  name: backup-policy
+  namespace: oceanbase
+spec:
+  obClusterName: oceanbase-obcluster
+  tenantName: test
+  backupType: FULL
+  schedule: "0 2 * * *"
+  destination:
+    path: "file:///backup"
+EOF
+```
+
+### 7. Troubleshooting
+
+#### Common Issues
+
+1. **OBCluster Creation Failed**
+
+   ```bash
+   # Check ob-operator status
+   kubectl get pods -n oceanbase-system
+
+   # View detailed errors
+   kubectl describe obcluster -n oceanbase
+   ```
+2. **Image Pull Failed**
+
+   ```bash
+   # Check node image pull capability
+   kubectl describe node
+
+   # Manually pull image
+   docker pull oceanbase/oceanbase-cloud-native:4.3.5.3-103000092025080818
+   ```
+3. **Storage Issues**
+
+   ```bash
+   # Check PVC status
+   kubectl get pvc -n oceanbase
+
+   # Check storage class
+   kubectl get storageclass
+   ```
+
+#### Log Analysis
+
+```bash
+# View all related logs
+kubectl logs -f deployment/oceanbase-controller-manager -n oceanbase-system
+kubectl logs -f deployment/oceanbase-obcluster-zone1 -n oceanbase
+kubectl logs -f deployment/cert-manager -n cert-manager
+```
+
+### 8. Uninstallation
+
+```bash
+# Uninstall OceanBase
+helm uninstall oceanbase-custom -n oceanbase
+
+# Delete namespace
+kubectl delete namespace oceanbase
+
+# Uninstall ob-operator
+helm uninstall ob-operator -n oceanbase-system
+
+# Uninstall cert-manager
+kubectl delete -f https://github.com/cert-manager/cert-manager/releases/download/v1.16.2/cert-manager.yaml
+```
+
 ## Integration Features
 
 ### 1. Design Principles

docs/oceanbase-integration-guide.md

@@ -107,8 +107,6 @@ case "oceanbase":
     }
 ```
 
-
-
 ## 配置说明
 
 ### 环境变量配置
@@ -227,6 +225,266 @@ docker logs coze-oceanbase | grep "slow query"
 mysql -h localhost -P 2881 -u root -p -e "SHOW PROCESSLIST;"
 ```
 
+## Helm 部署指南（Kubernetes）
+
+### 1. 环境准备
+
+确保已安装以下工具：
+
+- Kubernetes 集群（推荐使用 k3s 或 kind）
+- Helm 3.x
+- kubectl
+
+### 2. 安装依赖
+
+#### 安装 cert-manager
+
+```bash
+# 添加 cert-manager Helm 仓库
+helm repo add jetstack https://charts.jetstack.io
+helm repo update
+
+# 安装 cert-manager
+kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.16.2/cert-manager.yaml
+
+# 等待 cert-manager 就绪
+kubectl wait --for=condition=ready pod -l app.kubernetes.io/name=cert-manager -n cert-manager --timeout=300s
+```
+
+#### 安装 ob-operator
+
+```bash
+# 添加 ob-operator Helm 仓库
+helm repo add ob-operator https://oceanbase.github.io/ob-operator/
+helm repo update
+
+# 安装 ob-operator
+helm install ob-operator ob-operator/ob-operator --set reporter=cozeAi --namespace=oceanbase-system --create-namespace
+
+# 等待 ob-operator 就绪
+kubectl wait --for=condition=ready pod -l control-plane=controller-manager -n oceanbase-system --timeout=300s
+```
+
+### 3. 部署 OceanBase
+
+#### 使用集成 Helm Chart
+
+```bash
+# 部署完整的 Coze Studio 应用（包含 OceanBase）
+helm install coze-studio helm/charts/opencoze \
+  --set oceanbase.enabled=true \
+  --namespace coze-studio \
+  --create-namespace
+
+# 或者只部署 OceanBase 组件
+helm install oceanbase-only helm/charts/opencoze \
+  --set oceanbase.enabled=true \
+  --set mysql.enabled=false \
+  --set redis.enabled=false \
+  --set minio.enabled=false \
+  --set elasticsearch.enabled=false \
+  --set milvus.enabled=false \
+  --set rocketmq.enabled=false \
+  --namespace oceanbase \
+  --create-namespace
+```
+
+#### 自定义配置
+
+创建 `oceanbase-values.yaml` 文件：
+
+```yaml
+oceanbase:
+  enabled: true
+  port: 2881
+  targetPort: 2881
+  clusterName: 'cozeAi'
+  clusterId: 1
+  image:
+    repository: oceanbase/oceanbase-ce
+    tag: 'latest'
+  obAgentVersion: '4.2.2-100000042024011120'
+  monitorEnabled: true
+  storageClass: ''
+  observerConfig:
+    resource:
+      cpu: 2
+      memory: 8Gi
+    storages:
+      dataStorage: 10G
+      redoLogStorage: 5G
+      logStorage: 5G
+  monitorResource:
+    cpu: 100m
+    memory: 256Mi
+  generateUserSecrets: true
+  userSecrets:
+    root: 'coze123'
+    monitor: 'coze123'
+    operator: 'coze123'
+    proxyro: 'coze123'
+  topology:
+    - zone: zone1
+      replica: 1
+  parameters:
+    - name: system_memory
+      value: '4G'
+    - name: '__min_full_resource_pool_memory'
+      value: '4294967296'
+  annotations: {}
+  backupVolumeEnabled: false
+```
+
+使用自定义配置部署：
+
+```bash
+helm install oceanbase-custom helm/charts/opencoze \
+  -f oceanbase-values.yaml \
+  --namespace oceanbase \
+  --create-namespace
+```
+
+### 4. 验证部署
+
+```bash
+# 检查 OBCluster 状态
+kubectl get obcluster -n oceanbase
+
+# 检查 OceanBase pods
+kubectl get pods -n oceanbase
+
+# 检查服务
+kubectl get svc -n oceanbase
+
+# 查看详细状态
+kubectl describe obcluster -n oceanbase
+```
+
+### 5. 连接测试
+
+#### 端口转发
+
+```bash
+# 转发 OceanBase 端口
+kubectl port-forward svc/oceanbase-service -n oceanbase 2881:2881
+```
+
+#### 使用 obclient 连接
+
+```bash
+# 在集群内连接
+kubectl exec -it deployment/oceanbase-obcluster-zone1 -n oceanbase -- obclient -h127.0.0.1 -P2881 -uroot@test -pcoze123 -Dtest
+
+# 从外部连接（需要端口转发）
+obclient -h127.0.0.1 -P2881 -uroot@test -pcoze123 -Dtest
+```
+
+#### 使用 MySQL 客户端连接
+
+```bash
+# 使用 MySQL 客户端
+mysql -h127.0.0.1 -P2881 -uroot@test -pcoze123 -Dtest
+```
+
+### 6. 监控和管理
+
+#### 查看日志
+
+```bash
+# 查看 OceanBase 日志
+kubectl logs -f deployment/oceanbase-obcluster-zone1 -n oceanbase
+
+# 查看 ob-operator 日志
+kubectl logs -f deployment/oceanbase-controller-manager -n oceanbase-system
+```
+
+#### 扩缩容
+
+```bash
+# 扩展副本数
+kubectl patch obcluster oceanbase-obcluster -n oceanbase --type='merge' -p='{"spec":{"topology":[{"zone":"zone1","replica":2}]}}'
+
+# 调整资源配置
+kubectl patch obcluster oceanbase-obcluster -n oceanbase --type='merge' -p='{"spec":{"observer":{"resource":{"cpu":4,"memory":"16Gi"}}}}'
+```
+
+#### 备份和恢复
+
+```bash
+# 创建备份
+kubectl apply -f - <<EOF
+apiVersion: oceanbase.oceanbase.com/v1alpha1
+kind: OBTenantBackupPolicy
+metadata:
+  name: backup-policy
+  namespace: oceanbase
+spec:
+  obClusterName: oceanbase-obcluster
+  tenantName: test
+  backupType: FULL
+  schedule: "0 2 * * *"
+  destination:
+    path: "file:///backup"
+EOF
+```
+
+### 7. 故障排除
+
+#### 常见问题
+
+1. **OBCluster 创建失败**
+
+   ```bash
+   # 检查 ob-operator 状态
+   kubectl get pods -n oceanbase-system
+
+   # 查看详细错误
+   kubectl describe obcluster -n oceanbase
+   ```
+2. **镜像拉取失败**
+
+   ```bash
+   # 检查节点镜像拉取能力
+   kubectl describe node
+
+   # 手动拉取镜像
+   docker pull oceanbase/oceanbase-cloud-native:4.3.5.3-103000092025080818
+   ```
+3. **存储问题**
+
+   ```bash
+   # 检查 PVC 状态
+   kubectl get pvc -n oceanbase
+
+   # 检查存储类
+   kubectl get storageclass
+   ```
+
+#### 日志分析
+
+```bash
+# 查看所有相关日志
+kubectl logs -f deployment/oceanbase-controller-manager -n oceanbase-system
+kubectl logs -f deployment/oceanbase-obcluster-zone1 -n oceanbase
+kubectl logs -f deployment/cert-manager -n cert-manager
+```
+
+### 8. 卸载
+
+```bash
+# 卸载 OceanBase
+helm uninstall oceanbase-custom -n oceanbase
+
+# 删除 namespace
+kubectl delete namespace oceanbase
+
+# 卸载 ob-operator
+helm uninstall ob-operator -n oceanbase-system
+
+# 卸载 cert-manager
+kubectl delete -f https://github.com/cert-manager/cert-manager/releases/download/v1.16.2/cert-manager.yaml
+```
+
 ## 适配特点
 
 ### 1. 设计原则

helm/charts/opencoze/templates/oceanbase-secret.yaml

@@ -0,0 +1,54 @@
+{{- if .Values.oceanbase.enabled }}
+{{- $rootPassword := .Values.oceanbase.userSecrets.root | default "coze123" }}
+{{- $monitorPassword := .Values.oceanbase.userSecrets.monitor | default "coze123" }}
+{{- $operatorPassword := .Values.oceanbase.userSecrets.operator | default "coze123" }}
+{{- $proxyroPassword := .Values.oceanbase.userSecrets.proxyro | default "coze123" }}
+
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "opencoze.fullname" . }}-oceanbase-root-secret
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "opencoze.labels" . | nindent 4 }}
+    app.kubernetes.io/component: oceanbase
+type: Opaque
+data:
+  password: {{ $rootPassword | b64enc | quote }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "opencoze.fullname" . }}-oceanbase-monitor-secret
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "opencoze.labels" . | nindent 4 }}
+    app.kubernetes.io/component: oceanbase
+type: Opaque
+data:
+  password: {{ $monitorPassword | b64enc | quote }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "opencoze.fullname" . }}-oceanbase-operator-secret
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "opencoze.labels" . | nindent 4 }}
+    app.kubernetes.io/component: oceanbase
+type: Opaque
+data:
+  password: {{ $operatorPassword | b64enc | quote }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "opencoze.fullname" . }}-oceanbase-proxyro-secret
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "opencoze.labels" . | nindent 4 }}
+    app.kubernetes.io/component: oceanbase
+type: Opaque
+data:
+  password: {{ $proxyroPassword | b64enc | quote }}
+{{- end }}

helm/charts/opencoze/templates/oceanbase-service.yaml

@@ -0,0 +1,20 @@
+{{- if .Values.oceanbase.enabled }}
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "opencoze.fullname" . }}-oceanbase
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "opencoze.labels" . | nindent 4 }}
+    app.kubernetes.io/component: oceanbase
+spec:
+  type: ClusterIP
+  ports:
+    - port: {{ .Values.oceanbase.port }}
+      targetPort: {{ .Values.oceanbase.targetPort }}
+      name: oceanbase
+  selector:
+    app.kubernetes.io/component: oceanbase
+    app.kubernetes.io/name: {{ include "opencoze.name" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}

helm/charts/opencoze/templates/oceanbase-serviceaccount.yaml

@@ -0,0 +1,10 @@
+{{- if .Values.oceanbase.enabled }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "opencoze.fullname" . }}-oceanbase
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "opencoze.labels" . | nindent 4 }}
+    app.kubernetes.io/component: oceanbase
+{{- end }}

helm/charts/opencoze/templates/oceanbase-statefulset.yaml

@@ -0,0 +1,52 @@
+{{- if .Values.oceanbase.enabled }}
+apiVersion: oceanbase.oceanbase.com/v1alpha1
+kind: OBCluster
+metadata:
+  name: {{ include "opencoze.fullname" . }}-oceanbase
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "opencoze.labels" . | nindent 4 }}
+    app.kubernetes.io/component: oceanbase
+  annotations:
+    {{- toYaml .Values.oceanbase.annotations | nindent 4 }}
+spec:
+  clusterName: {{ .Values.oceanbase.clusterName | default .Release.Name | quote }}
+  clusterId: {{ .Values.oceanbase.clusterId | default 1 }}
+  serviceAccount: {{ include "opencoze.fullname" . }}-oceanbase
+  userSecrets:
+    root: {{ include "opencoze.fullname" . }}-oceanbase-root-secret
+    monitor: {{ include "opencoze.fullname" . }}-oceanbase-monitor-secret
+    operator: {{ include "opencoze.fullname" . }}-oceanbase-operator-secret
+    proxyro: {{ include "opencoze.fullname" . }}-oceanbase-proxyro-secret
+  topology:
+    {{- toYaml .Values.oceanbase.topology | nindent 4 }}
+  observer:
+    image: {{ .Values.oceanbase.image.repository }}:{{ .Values.oceanbase.image.tag }}
+    {{- with .Values.oceanbase.observerConfig }}
+    resource:
+      {{- toYaml .resource | nindent 6 }}
+    storage:
+     {{- range $key, $size := .storages }}
+      {{ $key }}:
+        storageClass: {{ $.Values.oceanbase.storageClass }}
+        size: {{ $size }}
+     {{- end }}
+    {{- end }}
+  {{- if .Values.oceanbase.monitorEnabled }}
+  monitor:
+    image: oceanbase/obagent:{{ .Values.oceanbase.obAgentVersion }}
+    resource:
+      {{- toYaml .Values.oceanbase.monitorResource | nindent 6 }}
+  {{- end }}
+  parameters:
+  {{- range $param := .Values.oceanbase.parameters }}
+    - name: {{ $param.name }}
+      value: {{ $param.value | quote }}
+  {{- end }}
+  {{- if .Values.oceanbase.backupVolumeEnabled }}
+  backupVolume:
+    volume:
+      name: backup
+      {{- toYaml .Values.oceanbase.backupVolume | nindent 6 }}
+  {{- end }}
+{{- end }}

helm/charts/opencoze/values.yaml

@@ -19,6 +19,46 @@ mysql:
   initScripts:
     - files/mysql/schema.sql
 
+oceanbase:
+  enabled: false
+  port: 2881
+  targetPort: 2881
+  clusterName: 'cozeai'
+  clusterId: 1
+  image:
+    repository: oceanbase/oceanbase-cloud-native
+    tag: '4.3.5.3-103000092025080818'
+  obAgentVersion: '4.2.2-100000042024011120'
+  monitorEnabled: true
+  storageClass: ''
+  observerConfig:
+    resource:
+      cpu: 2
+      memory: 8Gi
+    storages:
+      dataStorage: 30Gi
+      redoLogStorage: 30Gi
+      logStorage: 10Gi
+  monitorResource:
+    cpu: 100m
+    memory: 256Mi
+  generateUserSecrets: true
+  userSecrets:
+    root: 'coze123'
+    monitor: 'coze123'
+    operator: 'coze123'
+    proxyro: 'coze123'
+  topology:
+    - zone: zone1
+      replica: 1
+  parameters:
+    - name: system_memory
+      value: '2G'
+    - name: '__min_full_resource_pool_memory'
+      value: '2147483648'
+  annotations: {}
+  backupVolumeEnabled: false
+
 redis:
   enabled: true
   image:
@@ -266,4 +306,3 @@ ingress:
   #  - secretName: chart-example-tls
   #    hosts:
   #      - chart-example.local
-