From e6a2f66fd5422448bfa5dcef15aad369412810cf Mon Sep 17 00:00:00 2001
From: Maya Baya <maya@example.org>
Date: Thu, 23 Jun 2022 08:20:13 +0200
Subject: [PATCH] feat: Extra volumes support

---
 README.md | 18 ++++++++++
 container-files/entrypoint-riotkit.sh | 36 ++++++++++++++++++-
 .../templates/deployment.yaml | 6 ++++
 helm/wordpress-hardened/values.yaml | 4 +++
 4 files changed, 63 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 63dd215..c65a9c4 100644
--- a/README.md
+++ b/README.md
@@ -300,6 +300,24 @@ ACCESS_LOG: off
 ERROR_LOG: off
 ```
 
+Mounting extra volumes
+----------------------
+
+Every file placed in `/mnt/extra-files` will be copied during startup to `/var/www/riotkit/`, this mechanism ensures that
+no any file will be created with root-permissions inside of a `/var/www/riotkit` directory - mounting a volume directly could do so.
+
+```yaml
+pv:
+ extraVolumes:
+ - name: my-config
+ configMap:
+ name: my-configmap-name
+ extraVolumeMounts:
+ - name: my-config
+ mountPath: /mnt/extra-files/wp-content/some-file.php
+ subPath: some-file.php
+```
+
 From authors
 ------------
diff --git a/container-files/entrypoint-riotkit.sh b/container-files/entrypoint-riotkit.sh
index 0c36c74..0849cdd 100644
--- a/container-files/entrypoint-riotkit.sh
+++ b/container-files/entrypoint-riotkit.sh
@@ -2,11 +2,17 @@
 set -eo pipefail
 
+#
+# Setup Wordpress files, extracts from files provided by official WordPress base image
+#
 setupWP() {
 echo " >> Installing Wordpress"
 /usr/local/bin/docker-entrypoint.sh || exit 1
 }
 
+#
+# Preinstall WordPress, setup admin account, set URL, install plugins etc. - make it immediately ready
+#
 preinstallWP() {
 if [[ "${WP_PREINSTALL}" == "true" ]]; then
 wp core install --url=${WP_SITE_URL} --title=${WP_SITE_TITLE} --admin_user=${WP_SITE_ADMIN_LOGIN} --admin_password=${WP_SITE_ADMIN_PASSWORD} --admin_email=${WP_SITE_ADMIN_EMAIL} 
@@ -14,6 +20,9 @@ preinstallWP() {
 fi
 }
 
+#
+# Automatic updates
+#
 scheduleAutoupdate() {
 echo -n " >> Checking if autoupdate should be scheduled..."
 if [[ "${AUTO_UPDATE_CRON}" != "" ]]; then
@@ -24,6 +33,9 @@ scheduleAutoupdate() {
 fi
 }
 
+#
+# Basic AUTH on wp-login.php is a very primitive additional layer of security against bots
+#
 setupBasicAuth() {
 if [[ "${BASIC_AUTH_USER}" ]] && [[ "${BASIC_AUTH_PASSWORD}" ]]; then
 echo " >> Writing to basic auth file - /opt/htpasswd"
@@ -33,17 +45,34 @@ setupBasicAuth() {
 fi
 }
 
+#
+# Runtime configuration setup: NGINX, PHP configuration is templated during startup
+# to allow using environment variables as configuration
+#
 setupConfiguration() {
 echo " >> Rendering configuration files..."
 p2 --template /templates/etc/nginx/nginx.conf > /etc/nginx/nginx.conf
 p2 --template /templates/usr/local/etc/php/php.ini > /usr/local/etc/php/php.ini
 }
 
+#
+# Extra files: In /mnt/extra-files you can volume-mount extra files that would be copied into WWW-root directory
+# This allows to keep WWW-root directory not mounted by any volume to avoid conflicts with permissions
+# (mounted volumes are creating directories owned by ROOT)
+#
+copyExtraFiles() {
+ echo " >> Copying extra files if placed in /mnt/extra-files"
+ if [[ -d /mnt/extra-files ]]; then
+ cp -rf /mnt/extra-files/* /var/www/riotkit/
+ fi
+}
+
 scheduleAutoupdate
 setupBasicAuth
 setupConfiguration
 setupWP
 preinstallWP
+copyExtraFiles
 
 # Allows to pass own CMD
 # Also allows to execute tests on the container
@@ -52,4 +81,9 @@ if [[ "${1}" == "exec" ]] || [[ "${1}" == "sh" ]] || [[ "${1}" == "bash" ]] || [
 exec "$@"
 fi
 
-exec multirun "php-fpm" "nginx -c /etc/nginx/nginx.conf" "crond -f -d 6" "/usr/local/bin/install-plugins-first-time.sh"
+multirun_args=("php-fpm" "nginx -c /etc/nginx/nginx.conf" "/usr/local/bin/install-plugins-first-time.sh")
+if [[ "${AUTO_UPDATE_CRON}" != "" ]]; then
+ multirun_args+=("crond -f -d 6")
+fi
+
+exec multirun "${multirun_args[@]}"
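Review bot: `cp -rf /mnt/extra-files/* /var/www/riotkit/` in copyExtraFiles aborts the whole startup under `set -e` when the directory exists but is empty, because the unmatched glob is passed to cp literally and cp exits non-zero; it also skips dot-files. Copying the directory contents instead, `cp -rf /mnt/extra-files/. /var/www/riotkit/`, handles both cases with a single change. The header comment says the mechanism avoids root-owned files, but the copies are created by whichever user runs the entrypoint, so their ownership follows that user rather than the mounted source; worth stating explicitly, e.g. `# copies are owned by the user running this entrypoint, not by the volume's owner`. Existing files with the same name are overwritten silently by `-f`; if that is intended, the comment should say so.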
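Review bot: The `[[ "${AUTO_UPDATE_CRON}" != "" ]]` guard before `multirun_args+=("crond -f -d 6")` repeats the test scheduleAutoupdate makes earlier in the file, and neither place says the two must agree; a comment such as `# crond is only started when scheduleAutoupdate installed a crontab (same AUTO_UPDATE_CRON test)` would keep them in step. As a point of style, `[[ -n "${AUTO_UPDATE_CRON}" ]]` is the idiomatic form of that test in both places.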
diff --git a/helm/wordpress-hardened/templates/deployment.yaml b/helm/wordpress-hardened/templates/deployment.yaml
index 38d4313..cdd8f75 100644
--- a/helm/wordpress-hardened/templates/deployment.yaml
+++ b/helm/wordpress-hardened/templates/deployment.yaml
@@ -129,6 +129,9 @@ spec:
 - name: wp-content
 mountPath: /var/www/riotkit/wp-content
 {{- end }}
+ {{- with .Values.pv.extraVolumeMounts }}
+ {{- toYaml . | nindent 22 }}
+ {{- end }}
 ports:
 - name: http
 containerPort: 8080
@@ -178,3 +181,6 @@ spec:
 configMap:
 name: {{ include "wordpress-hardened.fullname" . }}-waf-custom-config
 {{- end }}
+ {{- with .Values.pv.extraVolumes }}
+ {{- toYaml . | nindent 14 }}
+ {{- end }}
diff --git a/helm/wordpress-hardened/values.yaml b/helm/wordpress-hardened/values.yaml
index 9cb460a..06de765 100644
--- a/helm/wordpress-hardened/values.yaml
+++ b/helm/wordpress-hardened/values.yaml
@@ -37,6 +37,10 @@ pv:
 size: 1Gi
 #storageClassName: "..."
 
+ # use those following to e.g. mount a custom ConfigMap, or a PVC with some data
+ extraVolumes: []
+ extraVolumeMounts: []
+
 ingresses: []
 # - name: wp-https
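Review bot: The `{{- with .Values.pv.extraVolumeMounts }}` block is inserted immediately after a `{{- end }}`, so if the `volumeMounts:` key itself is opened inside the conditional that `{{- end }}` closes, the extra mounts would render with no parent key whenever that condition is false; the enclosing block starts outside the hunk, so this needs confirming against the template. The same question applies to the `extraVolumes` block in the second hunk at the end of the file. The `nindent 22` and `nindent 14` values are tied to the indentation of the surrounding list items and nothing documents that coupling; a comment such as `{{- /* must match the indent of the volumeMounts items above */ }}` next to each would make it visible. Both blocks render whatever the chart user supplies, so a mount whose `mountPath` sits under `/var/www/riotkit` rather than `/mnt/extra-files` bypasses the copy step the README describes; the `values.yaml` comment for these keys is the place to say that mounts should target `/mnt/extra-files`.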