diff --git a/infrastructure/environments/dplplat01/configuration/mariadb-operator/upgrade.sh b/infrastructure/environments/dplplat01/configuration/mariadb-operator/upgrade.sh
new file mode 100644
index 00000000..9efa8a4c
--- /dev/null
+++ b/infrastructure/environments/dplplat01/configuration/mariadb-operator/upgrade.sh
@@ -0,0 +1,14 @@
+#!/bin/env bash
+
+helm repo add mariadb-operator https://helm.mariadb.com/mariadb-operator
+
+helm upgrade mariadb-operator-crds mariadb-operator/mariadb-operator-crds \
+  --install \
+  --version 0.36.0
+
+helm upgrade mariadb-operator mariadb-operator/mariadb-operator \
+  --namespace mariadb-operator \
+  --create-namespace \
+  --install \
+  --version 0.36.0 \
+  -f values.yaml
diff --git a/infrastructure/environments/dplplat01/configuration/mariadb-operator/values.yaml b/infrastructure/environments/dplplat01/configuration/mariadb-operator/values.yaml
new file mode 100644
index 00000000..af113e7a
--- /dev/null
+++ b/infrastructure/environments/dplplat01/configuration/mariadb-operator/values.yaml
@@ -0,0 +1,304 @@
+nameOverride: ""
+fullnameOverride: ""
+
+# --- CRDs
+crds:
+  # -- Whether the helm chart should create and update the CRDs. It is false by default, which implies that the CRDs must be
+  # managed independently with the mariadb-operator-crds helm chart.
+  # **WARNING** This should only be set to true during the initial deployment. If this chart manages the CRDs
+  # and is later uninstalled, all MariaDB instances will be DELETED.
+  enabled: false
+
+image:
+  repository: docker-registry3.mariadb.com/mariadb-operator/mariadb-operator
+  pullPolicy: IfNotPresent
+  # -- Image tag to use. By default the chart appVersion is used
+  tag: ""
+  # Setting a digest will override any tag
+  # digest: sha256:084a927ee9f3918a5c85d283f73822ae205757df352218de0b935853a0765060
+imagePullSecrets: []
+
+# -- Controller log level
+logLevel: INFO
+
+# -- Cluster DNS name
+clusterName: cluster.local
+
+# -- Whether the operator should watch CRDs only in its own namespace or not.
+currentNamespaceOnly: false
+
+ha:
+  # -- Enable high availability of the controller.
+  # If you enable it we recommend to set `affinity` and `pdb`
+  enabled: false
+  # -- Number of replicas
+  replicas: 3
+
+metrics:
+  # -- Enable operator internal metrics. Prometheus must be installed in the cluster
+  enabled: true
+  serviceMonitor:
+    # -- Enable controller ServiceMonitor
+    enabled: true
+    # -- Labels to be added to the controller ServiceMonitor
+    additionalLabels: {}
+    # release: kube-prometheus-stack
+    # --  Interval to scrape metrics
+    interval: 30s
+    # -- Timeout if metrics can't be retrieved in given time interval
+    scrapeTimeout: 25s
+
+serviceAccount:
+  # -- Specifies whether a service account should be created
+  enabled: true
+  # -- Automounts the service account token in all containers of the Pod
+  automount: true
+  # -- Annotations to add to the service account
+  annotations: {}
+  # -- Extra Labels to add to the service account
+  extraLabels: {}
+  # -- The name of the service account to use.
+  # If not set and enabled is true, a name is generated using the fullname template
+  name: ""
+
+rbac:
+  # -- Specifies whether RBAC resources should be created
+  enabled: true
+
+  aggregation:
+
+    # -- Specifies whether the cluster roles aggrate to view and edit predefinied roles
+    enabled: true
+
+# -- Extra arguments to be passed to the controller entrypoint
+extrArgs: []
+
+# -- Extra environment variables to be passed to the controller
+extraEnv: []
+
+# -- Extra environment variables from preexiting ConfigMap / Secret objects used by the controller using envFrom
+extraEnvFrom: []
+
+# -- Extra volumes to pass to pod.
+extraVolumes: []
+
+# -- Extra volumes to mount to the container.
+extraVolumeMounts: []
+
+# -- Annotations to add to controller Pod
+podAnnotations: {}
+
+# -- Security context to add to controller Pod
+podSecurityContext: {}
+
+# -- Security context to add to controller container
+securityContext: {}
+
+# -- Resources to add to controller container
+resources: {}
+# requests:
+#   cpu: 10m
+#   memory: 32Mi
+
+# -- Node selectors to add to controller Pod
+nodeSelector: {}
+
+# -- Tolerations to add to controller Pod
+tolerations:
+  - key: noderole.dplplatform
+    operator: Equal
+    value: prod
+    effect: NoSchedule
+
+# -- Affinity to add to controller Pod
+affinity:
+  nodeAffinity:
+    requiredDuringSchedulingIgnoredDuringExecution:
+      nodeSelectorTerms:
+        - matchExpressions:
+            - key: noderole.dplplatform
+              operator: In
+              values:
+                - system
+  #  Sample on how to create an antiAffinity rule that place
+  #  the pods on different nodes, to be used together with `ha.enabled: true`
+  # podAntiAffinity:
+  #   requiredDuringSchedulingIgnoredDuringExecution:
+  #   - labelSelector:
+  #       matchExpressions:
+  #       - key: app.kubernetes.io/name
+  #         operator: In
+  #         values:
+  #         - mariadb-operator
+  #       - key: app.kubernetes.io/instance
+  #         operator: In
+  #         values:
+  #         - mariadb-operator
+  #     topologyKey: kubernetes.io/hostname
+
+pdb:
+  # -- Enable PodDisruptionBudget for the controller.
+  enabled: false
+  # -- Maximum number of unavailable Pods. You may also give a percentage, like `50%`
+  maxUnavailable: 1
+
+webhook:
+  # -- Specifies whether the webhook should be created.
+  enabled: true
+  image:
+    repository: docker-registry3.mariadb.com/mariadb-operator/mariadb-operator
+    pullPolicy: IfNotPresent
+    # -- Image tag to use. By default the chart appVersion is used
+    tag: ""
+    # Setting a digest will override any tag
+    # digest: sha256:084a927ee9f3918a5c85d283f73822ae205757df352218de0b935853a0765060
+  imagePullSecrets: []
+  ha:
+    # -- Enable high availability
+    enabled: false
+    # -- Number of replicas
+    replicas: 3
+  cert:
+    certManager:
+      # -- Whether to use cert-manager to issue and rotate the certificate. If set to false, mariadb-operator's cert-controller will be used instead.
+      enabled: true
+      # -- Issuer reference to be used in the Certificate resource. If not provided, a self-signed issuer will be used.
+      issuerRef: {}
+      # -- Duration to be used in the Certificate resource,
+      duration: ""
+      # -- Renew before duration to be used in the Certificate resource.
+      renewBefore: ""
+      # -- The maximum number of CertificateRequest revisions that are maintained in the Certificate’s history.
+      revisionHistoryLimit: 3
+    # -- Annotatioms to be added to webhook TLS secret.
+    secretAnnotations: {}
+    # -- Labels to be added to webhook TLS secret.
+    secretLabels: {}
+    ca:
+      # -- Path that contains the full CA trust chain.
+      path: ""
+      # -- File under 'ca.path' that contains the full CA trust chain.
+      key: ""
+    # -- Path where the certificate will be mounted. 'tls.crt' and 'tls.key' certificates files should be under this path.
+    path: /tmp/k8s-webhook-server/serving-certs
+  # -- Port to be used by the webhook server
+  port: 9443
+  # -- Expose the webhook server in the host network
+  hostNetwork: false
+  serviceMonitor:
+    # -- Enable webhook ServiceMonitor. Metrics must be enabled
+    enabled: true
+    # -- Labels to be added to the webhook ServiceMonitor
+    additionalLabels: {}
+    # release: kube-prometheus-stack
+    # --  Interval to scrape metrics
+    interval: 30s
+    # -- Timeout if metrics can't be retrieved in given time interval
+    scrapeTimeout: 25s
+  serviceAccount:
+    # -- Specifies whether a service account should be created
+    enabled: true
+    # -- Automounts the service account token in all containers of the Pod
+    automount: true
+    # -- Annotations to add to the service account
+    annotations: {}
+    # -- Extra Labels to add to the service account
+    extraLabels: {}
+    # -- The name of the service account to use.
+    # If not set and enabled is true, a name is generated using the fullname template
+    name: ""
+  # -- Annotations for webhook configurations.
+  annotations: {}
+  # -- Extra arguments to be passed to the webhook entrypoint
+  extrArgs: []
+  # -- Extra volumes to pass to webhook Pod
+  extraVolumes: []
+  # -- Extra volumes to mount to webhook container
+  extraVolumeMounts: []
+  # -- Annotations to add to webhook Pod
+  podAnnotations: {}
+  # -- Security context to add to webhook Pod
+  podSecurityContext: {}
+  # -- Security context to add to webhook container
+  securityContext: {}
+  # -- Resources to add to webhook container
+  resources: {}
+  # requests:
+  #   cpu: 10m
+  #   memory: 32Mi
+  # -- Node selectors to add to controller Pod
+  nodeSelector: {}
+  # -- Tolerations to add to controller Pod
+  tolerations: []
+  # -- Affinity to add to controller Pod
+  affinity: {}
+
+certController:
+  # -- Specifies whether the cert-controller should be created.
+  enabled: false
+  image:
+    repository: docker-registry3.mariadb.com/mariadb-operator/mariadb-operator
+    pullPolicy: IfNotPresent
+    # -- Image tag to use. By default the chart appVersion is used
+    tag: ""
+    # Setting a digest will override any tag
+    # digest: sha256:084a927ee9f3918a5c85d283f73822ae205757df352218de0b935853a0765060
+  imagePullSecrets: []
+  ha:
+    # -- Enable high availability
+    enabled: false
+    # -- Number of replicas
+    replicas: 3
+  # -- CA certificate validity. It must be greater than certValidity.
+  caValidity: 35064h
+  # -- Certificate validity.
+  certValidity: 8766h
+  # -- Duration used to verify whether a certificate is valid or not.
+  lookaheadValidity: 2160h
+  # -- Requeue duration to ensure that certificate gets renewed.
+  requeueDuration: 5m
+  serviceMonitor:
+    # -- Enable cert-controller ServiceMonitor. Metrics must be enabled
+    enabled: true
+    # -- Labels to be added to the cert-controller ServiceMonitor
+    additionalLabels: {}
+    # release: kube-prometheus-stack
+    # --  Interval to scrape metrics
+    interval: 30s
+    # -- Timeout if metrics can't be retrieved in given time interval
+    scrapeTimeout: 25s
+  serviceAccount:
+    # -- Specifies whether a service account should be created
+    enabled: true
+    # -- Automounts the service account token in all containers of the Pod
+    automount: true
+    # -- Annotations to add to the service account
+    annotations: {}
+    # -- Extra Labels to add to the service account
+    extraLabels: {}
+    # -- The name of the service account to use.
+    # If not set and enabled is true, a name is generated using the fullname template
+    name: ""
+  # -- Extra arguments to be passed to the cert-controller entrypoint
+  extrArgs: []
+  # -- Extra volumes to pass to cert-controller Pod
+  extraVolumes: []
+  # -- Extra volumes to mount to cert-controller container
+  extraVolumeMounts: []
+  # -- Annotations to add to cert-controller Pod
+  podAnnotations: {}
+  # -- Security context to add to cert-controller Pod
+  podSecurityContext: {}
+  # -- Security context to add to cert-controller container
+  securityContext: {}
+  # -- Resources to add to cert-controller container
+  resources: {}
+  # requests:
+  #   cpu: 10m
+  #   memory: 32Mi
+  # -- Node selectors to add to controller Pod
+  nodeSelector: {}
+  # -- Tolerations to add to controller Pod
+  tolerations: []
+  # -- Affinity to add to controller Pod
+  affinity: {}