From 69831800ab71a0c72170485722787b635b9cf761 Mon Sep 17 00:00:00 2001
From: "dslab-renovate[bot]" <184400531+dslab-renovate[bot]@users.noreply.github.com>
Date: Wed, 16 Oct 2024 08:29:01 +0000
Subject: [PATCH 1/2] chore(deps): update redis docker tag to v20.2.1
---
wordpress/Chart.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/wordpress/Chart.yaml b/wordpress/Chart.yaml
index 176c845..12a59c8 100644
--- a/wordpress/Chart.yaml
+++ b/wordpress/Chart.yaml
@@ -10,6 +10,6 @@ dependencies:
repository: oci://registry-1.docker.io/bitnamicharts
condition: mariadb.enabled
- name: redis
- version: "20.2.0"
+ version: "20.2.1"
repository: oci://registry-1.docker.io/bitnamicharts
condition: redis.enabled
From a3d9d1608dd6544c20d37b1248ea9ebb448d103c Mon Sep 17 00:00:00 2001
From: ffais
Date: Wed, 16 Oct 2024 14:09:41 +0200
Subject: [PATCH 2/2] fixes
Signed-off-by: ffais
---
dockerfiles/php-fpm-healtcheck-Dockerfile | 8 -
dockerfiles/php-fpm-healthcheck | 139 ---------------
dockerfiles/php-fpm-redis-Dockerfile | 15 --
wordpress/confs/mariadb-init-script.sh | 2 +-
wordpress/confs/wordpress/init-script.sh | 1 +
.../nginx-configurations-configmap.yaml | 13 +-
wordpress/templates/nginx-deployment.yaml | 8 +-
wordpress/templates/php-deployment.yaml | 14 +-
.../wordpress-backup-azure-cronjob.yaml | 2 +-
wordpress/values.yaml | 162 +++++++++++-------
10 files changed, 129 insertions(+), 235 deletions(-)
delete mode 100644 dockerfiles/php-fpm-healtcheck-Dockerfile
delete mode 100644 dockerfiles/php-fpm-healthcheck
delete mode 100644 dockerfiles/php-fpm-redis-Dockerfile
diff --git a/dockerfiles/php-fpm-healtcheck-Dockerfile b/dockerfiles/php-fpm-healtcheck-Dockerfile
deleted file mode 100644
index a7183b6..0000000
--- a/dockerfiles/php-fpm-healtcheck-Dockerfile
+++ /dev/null
@@ -1,8 +0,0 @@
-FROM wordpress:6.6.2-php8.2-fpm-alpine@sha256:0f5053b3dc9551da2e41c5e071cceffc48e19ee000b5d19d9a38210cb6dd30a2
-RUN apk add --no-cache fcgi
-
-# Enable php fpm status page
-RUN set -xe && echo "pm.status_path = /status" >> /usr/local/etc/php-fpm.d/zz-docker.conf
-
-# Source https://github.com/renatomefi/php-fpm-healthcheck
-COPY --chmod=0755 ./dockerfiles/php-fpm-healthcheck /usr/local/bin/
diff --git a/dockerfiles/php-fpm-healthcheck b/dockerfiles/php-fpm-healthcheck
deleted file mode 100644
index cd69742..0000000
--- a/dockerfiles/php-fpm-healthcheck
+++ /dev/null
@@ -1,139 +0,0 @@ -#!/bin/sh -# vim: set filetype=sh : - -# Author: https://github.com/renatomefi -# The original code lives in https://github.com/renatomefi/php-fpm-healthcheck -# -# A POSIX compliant shell script to healthcheck PHP fpm status, can be used only for pinging the status page -# or check for specific metrics -# -# i.e.: ./php-fpm-healthcheck --verbose --active-processes=6 -# The script will fail in case the 'active processes' is bigger than 6. -# -# You can combine multiple options as well, the first one to fail will fail the healthcheck -# i.e.: ./php-fpm-healthcheck --listen-queue-len=10 --active-processes=6 -# -# Ping mode (exit 0 if php-fpm returned data): ./php-fpm-healthcheck -# -# Ping mode with data (outputs php-fpm status text): ./php-fpm-healthcheck -v -# -# Exit status codes: -# 2,9,111 - Couldn't connect to PHP fpm, is it running? -# 8 - Couldn't reach PHP fpm status page, have you configured it with `pm.status_path = /status`? -# 1 - A healthcheck condition has failed -# 3 - Invalid option given -# 4 - One or more required softwares are missing -# -# Available options: -# -v|--verbose -# -# Metric options, fails in case the CURRENT VALUE is bigger than the GIVEN VALUE -# --accepted-conn=n -# --listen-queue=n -# --max-listen-queue=n -# --idle-processes=n -# --active-processes=n -# --total-processes=n -# --max-active-processes=n -# --max-children-reached=n -# --slow-requests=n -# - -set -eu - -OPTIND=1 # Reset getopt in case it has been used previously in the shell - -# Required software -FCGI_CMD_PATH=$(command -v cgi-fcgi) || { >&2 echo "Make sure fcgi is installed (i.e. apk add --no-cache fcgi). Aborting."; exit 4; } -command -v sed 1> /dev/null || { >&2 echo "Make sure sed is installed (i.e. apk add --no-cache busybox). Aborting."; exit 4; } -command -v tail 1> /dev/null || { >&2 echo "Make sure tail is installed (i.e. apk add --no-cache busybox). 
Aborting."; exit 4; } -command -v grep 1> /dev/null || { >&2 echo "Make sure grep is installed (i.e. apk add --no-cache grep). Aborting."; exit 4; } - -# Get status from fastcgi connection -# $1 - cgi-fcgi connect argument -get_fpm_status() { - if test "$VERBOSE" = 1; then printf "Trying to connect to php-fpm via: %s%s\\n" "$1" "$SCRIPT_NAME"; fi; - - # Since I cannot use pipefail I'll just split these in two commands - FPM_STATUS=$(env -i REQUEST_METHOD="$REQUEST_METHOD" SCRIPT_NAME="$SCRIPT_NAME" SCRIPT_FILENAME="$SCRIPT_FILENAME" "$FCGI_CMD_PATH" -bind -connect "$1" 2> /dev/null) - FPM_STATUS=$(echo "$FPM_STATUS" | tail -n +5) - - if test "$VERBOSE" = 1; then printf "php-fpm status output:\\n%s\\n" "$FPM_STATUS"; fi; - - if test "$FPM_STATUS" = "File not found."; then - >&2 printf "php-fpm status page non reachable\\n"; - exit 8; - fi; -} - -# $1 - fpm option -# $2 - expected value threshold -check_fpm_health_by() { - OPTION=$(echo "$1" | sed 's/--//g; s/-/ /g;') - VALUE_EXPECTED="$2"; - VALUE_ACTUAL=$(echo "$FPM_STATUS" | grep "^$OPTION:" | cut -d: -f2 | sed 's/ //g') - - if test "$VERBOSE" = 1; then printf "'%s' value '%s' and expected is less than '%s'\\n" "$OPTION" "$VALUE_ACTUAL" "$VALUE_EXPECTED"; fi; - - if test "$VALUE_ACTUAL" -gt "$VALUE_EXPECTED"; then - >&2 printf "'%s' value '%s' is greater than expected '%s'\\n" "$OPTION" "$VALUE_ACTUAL" "$VALUE_EXPECTED"; - exit 1; - fi; -} - -PARAM_AMOUNT=0 - -# $1 - fpm option -# $2 - expected value threshold -check_later() { - # The POSIX sh way to check if it's an integer, also the output is supressed since it's polution - if ! 
test "$2" -eq "$2" 2> /dev/null; then - >&2 printf "'%s' option value must be an integer, '%s' given\\n" "$1" "$2"; exit 3; - fi - - PARAM_AMOUNT=$(( PARAM_AMOUNT + 1 )) - - eval "PARAM_TO_CHECK$PARAM_AMOUNT=$1" - eval "VALUE_TO_CHECK$PARAM_AMOUNT=$2" -} - -# From the PARAM_TO_CHECK/VALUE_TO_CHECK magic variables, do all the checks -check_fpm_health() { - j=1 - while [ $j -le $PARAM_AMOUNT ]; do - eval "CURRENT_PARAM=\$PARAM_TO_CHECK$j" - eval "CURRENT_VALUE=\$VALUE_TO_CHECK$j" - check_fpm_health_by "$CURRENT_PARAM" "$CURRENT_VALUE" - j=$(( j + 1 )) - done -} - -if ! GETOPT=$(getopt -o v --long verbose,accepted-conn:,listen-queue:,max-listen-queue:,listen-queue-len:,idle-processes:,active-processes:,total-processes:,max-active-processes:,max-children-reached:,slow-requests: -n 'php-fpm-healthcheck' -- "$@"); then - >&2 echo "Invalid options, terminating." ; exit 3 -fi; - -eval set -- "$GETOPT" - -# FastCGI variables -FCGI_CONNECT_DEFAULT="localhost:9000" -FCGI_STATUS_PATH_DEFAULT="/status" - -export REQUEST_METHOD="GET" -export SCRIPT_NAME="${FCGI_STATUS_PATH:-$FCGI_STATUS_PATH_DEFAULT}" -export SCRIPT_FILENAME="${FCGI_STATUS_PATH:-$FCGI_STATUS_PATH_DEFAULT}" -FCGI_CONNECT="${FCGI_CONNECT:-$FCGI_CONNECT_DEFAULT}" - -VERBOSE=0 - -while test "$1"; do - case "$1" in - -v|--verbose ) VERBOSE=1; shift ;; - --) shift ; break ;; - * ) check_later "$1" "$2"; shift 2 ;; - esac -done - -FPM_STATUS=false - -get_fpm_status "$FCGI_CONNECT" -check_fpm_health diff --git a/dockerfiles/php-fpm-redis-Dockerfile b/dockerfiles/php-fpm-redis-Dockerfile deleted file mode 100644 index 753863f..0000000 --- a/dockerfiles/php-fpm-redis-Dockerfile +++ /dev/null 
@@ -1,15 +0,0 @@
-FROM wordpress:6.6.2-php8.2-fpm-alpine@sha256:0f5053b3dc9551da2e41c5e071cceffc48e19ee000b5d19d9a38210cb6dd30a2
-
-RUN apk add --no-cache fcgi
-
-# Enable php fpm status page
-RUN set -xe && echo "pm.status_path = /status" >> /usr/local/etc/php-fpm.d/zz-docker.conf
-
-# Source https://github.com/renatomefi/php-fpm-healthcheck
-COPY --chmod=0755 ./dockerfiles/php-fpm-healthcheck /usr/local/bin/
-
-RUN apk --no-cache add pcre-dev ${PHPIZE_DEPS} \
- && pecl install redis memcached \
- && docker-php-ext-enable redis memcached\
- && apk del pcre-dev ${PHPIZE_DEPS} \
- && rm -rf /tmp/pear
diff --git a/wordpress/confs/mariadb-init-script.sh b/wordpress/confs/mariadb-init-script.sh
index 419b9b2..26e085b 100644
--- a/wordpress/confs/mariadb-init-script.sh
+++ b/wordpress/confs/mariadb-init-script.sh
@@ -1,4 +1,4 @@
#!/bin/sh
mysql -P 3306 -uroot -p${MARIADB_ROOT_PASSWORD} -e "CREATE DATABASE ${WORDPRESS_DB_NAME}";
mysql -P 3306 -uroot -p${MARIADB_ROOT_PASSWORD} -e "CREATE USER '${WORDPRESS_DB_USER}'@'%' IDENTIFIED BY '${WORDPRESS_DB_PASSWORD}'";
-mysql -P 3306 -uroot -p${MARIADB_ROOT_PASSWORD} -e "GRANT SELECT,INSERT,UPDATE,DELETE,CREATE,DROP,ALTER ON ${WORDPRESS_DB_NAME}.* TO '${WORDPRESS_DB_USER}'@'%';";
+mysql -P 3306 -uroot -p${MARIADB_ROOT_PASSWORD} -e "GRANT SELECT,INSERT,UPDATE,DELETE,CREATE,DROP,ALTER,CREATE TEMPORARY TABLES,INDEX,LOCK TABLES ON ${WORDPRESS_DB_NAME}.* TO '${WORDPRESS_DB_USER}'@'%';";
diff --git a/wordpress/confs/wordpress/init-script.sh b/wordpress/confs/wordpress/init-script.sh
index 9bc979b..8a7480e 100644
--- a/wordpress/confs/wordpress/init-script.sh
+++ b/wordpress/confs/wordpress/init-script.sh
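Review bot: The rewritten GRANT line still hands the root password to the client on the command line through `-p${MARIADB_ROOT_PASSWORD}`, so it is readable in the container's process list and in any shell trace for as long as the init script runs; the two unchanged lines above it have the same shape. Setting the password once through the client's environment and dropping the flag avoids that, e.g. `export MYSQL_PWD="${MARIADB_ROOT_PASSWORD}"` at the top and `mysql -P 3306 -uroot -e "..."` on each line. The privilege list grows by CREATE TEMPORARY TABLES, INDEX and LOCK TABLES without saying which WordPress operation needs them; a one-line comment naming the reason (upgrades or a specific plugin, whichever it is) would keep the next reviewer from either widening it further or trimming it back. The database name is also interpolated unquoted into the SQL, so a name that is not a plain identifier breaks the statement; wrapping it as `` `${WORDPRESS_DB_NAME}`.* `` is the usual guard.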
@@ -29,4 +29,5 @@ echo "Check if wordpress is installed" if ! wp core is-installed 2>/dev/null; then echo "WP is not installed. Let's try installing it." wp core install --url="$wpUrl" --title="$wpTitle" --admin_user="$wpAdminUsername" --admin_email="$wpAdminEmail" --skip-email --admin_password="$wpAdminPassword" --path=/var/www/html/ + wp rewrite structure '/%postname%' fi diff --git a/wordpress/templates/nginx-configurations-configmap.yaml b/wordpress/templates/nginx-configurations-configmap.yaml index e6d61ef..9b819a2 100644 --- a/wordpress/templates/nginx-configurations-configmap.yaml +++ b/wordpress/templates/nginx-configurations-configmap.yaml @@ -5,7 +5,7 @@ metadata: data: wordpress.conf: | server { - listen 8080 default_server; + listen 8080 default_server http2; server_name localhost; @@ -16,6 +16,17 @@ data: client_max_body_size {{ .Values.nginx.confsOverride.maxBodySize }}; fastcgi_buffers 64 4K; + location ~ /\.ht { + deny all; + return 403; + } + + ## disable all access to the following directories + location ~ ^/(config|tmp|core|lang) { + deny all; + return 404; # replace with 404 to not show these directories exist + } + gzip on; gzip_vary on; gzip_comp_level 4; diff --git a/wordpress/templates/nginx-deployment.yaml b/wordpress/templates/nginx-deployment.yaml index ce49caf..6a55980 100644 --- a/wordpress/templates/nginx-deployment.yaml +++ b/wordpress/templates/nginx-deployment.yaml @@ -41,10 +41,14 @@ spec: - name: http containerPort: {{ .Values.nginx.service.port }} protocol: TCP + {{- with .Values.nginx.livenessProbe }} livenessProbe: - {{- toYaml .Values.nginx.livenessProbe | nindent 12 }} + {{- toYaml . | nindent 12 }} + {{- end }} + {{- with .Values.nginx.readinessProbe }} readinessProbe: - {{- toYaml .Values.nginx.readinessProbe | nindent 12 }} + {{- toYaml . | nindent 12 }} + {{- end }} resources: {{- toYaml .Values.nginx.resources | nindent 12 }} {{- if or .Values.persistence.enabled .Values.nginx.volumeMounts }} 
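Review bot: The added `wp rewrite structure '/%postname%'` omits the `--path=/var/www/html/` that the `wp core install` line directly above it passes, so it resolves the WordPress root from the current working directory instead of the install path; if the script is not started from /var/www/html the call fails, and nothing in the hunk shows whether such a failure would stop the script or be ignored. Use `wp rewrite structure '/%postname%' --path=/var/www/html/` for consistency with the install line. The rest of the script is outside the hunk.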
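Review bot: In the second hunk, `location ~ ^/(config|tmp|core|lang)` has no terminator after the group, so it also denies any path that merely starts with those letters, such as `/configuration` or `/language-page`; anchoring it as `location ~ ^/(config|tmp|core|lang)(/|$)` limits the block to the four directories the comment names. Regex locations are evaluated in file order, so both new blocks need to appear before the PHP handler location (outside the hunk) for a request like `/tmp/x.php` to be denied rather than passed to php-fpm; the hunk alone does not show that ordering. In the first hunk, `listen 8080 default_server http2;` without `ssl` turns on cleartext HTTP/2 (h2c) on the listener, and the `http2` listen parameter is deprecated since nginx 1.25.1 in favour of a separate `http2 on;` directive, so confirm the image's nginx version before relying on either form.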
diff --git a/wordpress/templates/php-deployment.yaml b/wordpress/templates/php-deployment.yaml
index 1c9f102..01ef7b0 100644
--- a/wordpress/templates/php-deployment.yaml
+++ b/wordpress/templates/php-deployment.yaml
@@ -44,6 +44,8 @@ spec:
value: {{ print "tcp://127.0.0.1:9000" .Values.php.poolConfigOverride.pmStatusPath | quote }}
- name: PHP_FPM_WEB_LISTEN_ADDRESS
value: "0.0.0.0:9253"
+ - name: PHP_FPM_FIX_PROCESS_COUNT
+ value: "true"
resources:
{{- toYaml .Values.php.exporter.resources | nindent 12 }}
ports:
@@ -74,12 +76,18 @@ spec:
- name: fastcgi
containerPort: {{ .Values.php.service.port }}
protocol: TCP
+ {{- with .Values.php.startupProbe }}
startupProbe:
- {{- toYaml .Values.php.startupProbe | nindent 12 }}
+ {{- toYaml . | nindent 12 }}
+ {{- end }}
+ {{- with .Values.php.livenessProbe }}
livenessProbe:
- {{- toYaml .Values.php.livenessProbe | nindent 12 }}
+ {{- toYaml . | nindent 12 }}
+ {{- end }}
+ {{- with .Values.php.readinessProbe }}
readinessProbe:
- {{- toYaml .Values.php.readinessProbe | nindent 12 }}
+ {{- toYaml . | nindent 12 }}
+ {{- end }}
resources:
{{- toYaml .Values.php.resources | nindent 12 }}
{{- if or .Values.persistence.enabled .Values.php.volumeMounts }}
diff --git a/wordpress/templates/wordpress-backup-azure-cronjob.yaml b/wordpress/templates/wordpress-backup-azure-cronjob.yaml
index 4dca1b3..223e806 100644
--- a/wordpress/templates/wordpress-backup-azure-cronjob.yaml
+++ b/wordpress/templates/wordpress-backup-azure-cronjob.yaml
@@ -70,7 +70,7 @@ spec:
value: /tmp/plan
envFrom:
- secretRef:
- name: {{ .Release.Name }}-azure-creds
+ name: {{ .Values.jobs.backup.azure.existingSecret }}
- configMapRef:
name: {{ .Release.Name }}-wordpress-vars
resources:
diff --git a/wordpress/values.yaml b/wordpress/values.yaml
index 25df0eb..f64b798 100644
--- a/wordpress/values.yaml
+++ b/wordpress/values.yaml
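Review bot: `PHP_FPM_FIX_PROCESS_COUNT` is added to the exporter container with no comment, so a reader cannot tell what it changes or why the chart needs it; a line such as `# maps to php-fpm_exporter --phpfpm.fix-process-count: recompute process counts instead of trusting the status page summary` above the entry would do. In the second hunk, the `with` guards make each probe disappear whenever its values entry is empty or misspelled in an override (`readinesProbe:` renders without error and without a probe), which is the intended behaviour for `{}` but is easy to hit by accident; a comment on the `startupProbe` guard saying that an empty values entry omits the probe entirely would make the contract explicit where the template is read.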
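Review bot: `name: {{ .Values.jobs.backup.azure.existingSecret }}` renders as an empty `secretRef` name when the value is left at its default, so enabling the Azure backup without setting the secret produces a CronJob the API server rejects at apply time rather than a clear message at render time. Helm's `required` function gives the latter: `name: {{ required "jobs.backup.azure.existingSecret must be set when jobs.backup.azure.enabled is true" .Values.jobs.backup.azure.existingSecret }}`. Since the whole Secret is injected through `envFrom`, the values comment should also state that only the expected keys belong in it, because every key becomes an environment variable of the backup container.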
@@ -2,7 +2,7 @@ nameOverride: "" fullnameOverride: "" persistence: - enabled: true + enabled: false storageClassName: "" #ReadWriteMany support size: "10Gi" existingPvc: "" @@ -31,7 +31,7 @@ wordpress: extraEnv: {} ingress: - enabled: true + enabled: false className: "nginx" annotations: # cert-manager.io/cluster-issuer: letsencrypt-prod @@ -80,13 +80,13 @@ nginx: service: type: ClusterIP port: 8080 - resources: - limits: - memory: "1024Mi" - cpu: "2" - requests: - memory: "512Mi" - cpu: "512m" + resources: {} + # limits: + # memory: "1024Mi" + # cpu: "2" + # requests: + # memory: "512Mi" + # cpu: "512m" livenessProbe: httpGet: path: /readme.html @@ -123,7 +123,7 @@ nginx: php: replicaCount: 1 iniConfigOverride: - memoryLimit: 128M + memoryLimit: 256M maxExecutionTime: 300 postMaxSize: 100M maxInputTime: 90 @@ -136,10 +136,10 @@ php: pmMaxSpareServers: "18" pmStatusPath: /status image: - repository: smartcommunitylab/wordpress + repository: wordpress pullPolicy: IfNotPresent # Overrides the image tag whose default is the chart appVersion. - tag: "redis-latest" + tag: "6.6.2-php8.2-fpm-alpine" imagePullSecrets: [] serviceAccount: create: true @@ -172,18 +172,18 @@ php: requests: memory: "512Mi" cpu: "512m" - livenessProbe: - exec: - command: - - php-fpm-healthcheck - - --listen-queue=10 # fails if there are more than 10 processes waiting in the fpm queue - periodSeconds: 123 - readinessProbe: - exec: - command: - - php-fpm-healthcheck # a simple ping since this means it's ready to handle traffic - initialDelaySeconds: 23 - periodSeconds: 60 + livenessProbe: {} + # exec: + # command: + # - php-fpm-healthcheck + # - --listen-queue=10 # fails if there are more than 10 processes waiting in the fpm queue + # periodSeconds: 123 + readinessProbe: {} + # exec: + # command: + # - php-fpm-healthcheck # a simple ping since this means it's ready to handle traffic + # initialDelaySeconds: 23 + # periodSeconds: 60 startupProbe: tcpSocket: port: 9000 
@@ -210,7 +210,7 @@ php: tolerations: [] affinity: {} exporter: - enabled: true + enabled: false image: repository: smartcommunitylab/php-fpm_exporter pullPolicy: IfNotPresent @@ -227,25 +227,55 @@ php: readOnlyRootFilesystem: true runAsNonRoot: true allowPrivilegeEscalation: false - resources: - limits: - memory: "64Mi" - cpu: "200m" - requests: - memory: "32Mi" - cpu: "100m" + resources: {} + # limits: + # memory: "64Mi" + # cpu: "200m" + # requests: + # memory: "32Mi" + # cpu: "100m" mariadb: enabled: true initdbScriptsConfigMap: "mariadb-init-script-configmap" primary: - resources: - requests: - cpu: 1 - memory: 512Mi - limits: - cpu: 3 - memory: 1024Mi + configuration: |- + [mysqld] + skip-name-resolve + explicit_defaults_for_timestamp + basedir=/opt/bitnami/mariadb + datadir=/bitnami/mariadb/data + plugin_dir=/opt/bitnami/mariadb/plugin + port={{ .Values.primary.containerPorts.mysql }} + socket=/opt/bitnami/mariadb/tmp/mysql.sock + tmpdir=/opt/bitnami/mariadb/tmp + max_allowed_packet=64M + bind-address=* + pid-file=/opt/bitnami/mariadb/tmp/mysqld.pid + log-error=/opt/bitnami/mariadb/logs/mysqld.log + character-set-server=UTF8 + collation-server=utf8_general_ci + slow_query_log=0 + long_query_time=10.0 + binlog_expire_logs_seconds=2592000 + + [client] + port=3306 + socket=/opt/bitnami/mariadb/tmp/mysql.sock + default-character-set=UTF8 + plugin_dir=/opt/bitnami/mariadb/plugin + + [manager] + port=3306 + socket=/opt/bitnami/mariadb/tmp/mysql.sock + pid-file=/opt/bitnami/mariadb/tmp/mysqld.pid + resources: {} + # requests: + # cpu: 1 + # memory: 512Mi + # limits: + # cpu: 3 + # memory: 1024Mi extraEnvVarsSecret: "db-vars" persistence: enabled: true 
@@ -282,13 +312,13 @@ debug: automount: false annotations: {} name: "debug" - resources: - limits: - memory: "512Mi" - cpu: "1" - requests: - memory: "64Mi" - cpu: "100m" + resources: {} + # limits: + # memory: "512Mi" + # cpu: "1" + # requests: + # memory: "64Mi" + # cpu: "100m" nodeSelector: {} tolerations: [] affinity: {} @@ -317,19 +347,21 @@ jobs: enabled: true backup: cron: "0 0 * * *" - tempStorageSize: 1024Mi + tempStorageSize: 256Mi azure: - enabled: true + enabled: false + # Secret containing AZURE_BLOB_URL and TOKEN variables + existingSecret: "" image: repository: peterdavehello/azcopy tag: 10 - resources: - limits: - memory: "1024Mi" - cpu: "1" - requests: - memory: "64Mi" - cpu: "100m" + resources: {} + # limits: + # memory: "1024Mi" + # cpu: "1" + # requests: + # memory: "64Mi" + # cpu: "100m" s3: enabled: false pvc: @@ -342,10 +374,10 @@ jobs: languages: true core: true plugins: - enabled: true - deleteUnused: true + enabled: false + deleteUnused: false w3tc: - enabled: true + enabled: false common: ttlSecondsAfterFinished: 86400 image: @@ -358,13 +390,13 @@ jobs: automount: false annotations: {} name: "debug" - resources: - limits: - memory: "256Mi" - cpu: "1" - requests: - memory: "64Mi" - cpu: "100m" + resources: {} + # limits: + # memory: "256Mi" + # cpu: "1" + # requests: + # memory: "64Mi" + # cpu: "100m" nodeSelector: {} tolerations: [] affinity: {}
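Review bot: With `livenessProbe: {}` and `readinessProbe: {}` the php container now ships with no readiness check, so the Service forwards fastcgi traffic to a pod as soon as the tcpSocket startupProbe passes, and a wedged php-fpm is never restarted; a minimal replacement that does not depend on the deleted healthcheck binary is `readinessProbe:` / `  tcpSocket:` / `    port: 9000`, with the same shape for the liveness probe. The image switch also drops the digest pin the deleted Dockerfiles carried (`wordpress:6.6.2-php8.2-fpm-alpine@sha256:0f5053b3…`), so `tag: "6.6.2-php8.2-fpm-alpine"` now resolves to whatever the registry currently serves for that tag; keep the digest in a comment beside the tag, or in a digest field if the deployment template supports one. Every `resources:` block becomes `{}`, which removes all CPU and memory limits by default; if that is deliberate for local use, a comment saying so would help, since clusters with LimitRanges or quotas may reject or throttle the pods. The new mariadb `configuration` block is a full copy of the server config including `bind-address=*`; a comment naming which lines differ from the Bitnami default would keep future upgrades from silently reverting them.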