From e6a2f66fd5422448bfa5dcef15aad369412810cf Mon Sep 17 00:00:00 2001
From: Maya Baya <maya@example.org>
Date: Thu, 23 Jun 2022 08:20:13 +0200
Subject: [PATCH] feat: Extra volumes support

---
 README.md                                     | 18 ++++++++++
 container-files/entrypoint-riotkit.sh         | 36 ++++++++++++++++++-
 .../templates/deployment.yaml                 |  6 ++++
 helm/wordpress-hardened/values.yaml           |  4 +++
 4 files changed, 63 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 63dd215..c65a9c4 100644
--- a/README.md
+++ b/README.md
@@ -300,6 +300,24 @@ ACCESS_LOG: off
 ERROR_LOG: off
 ```
 
+Mounting extra volumes
+----------------------
+
+Every file placed in `/mnt/extra-files` will be copied during startup to `/var/www/riotkit/`, this mechanism ensures that
+no any file will be created with root-permissions inside of a `/var/www/riotkit` directory - mounting a volume directly could do so.
+
+```yaml
+pv:
+    extraVolumes:
+        - name: my-config
+          configMap:
+              name: my-configmap-name
+    extraVolumeMounts:
+        - name: my-config
+          mountPath: /mnt/extra-files/wp-content/some-file.php
+          subPath: some-file.php
+```
+
 From authors
 ------------
 
diff --git a/container-files/entrypoint-riotkit.sh b/container-files/entrypoint-riotkit.sh
index 0c36c74..0849cdd 100644
--- a/container-files/entrypoint-riotkit.sh
+++ b/container-files/entrypoint-riotkit.sh
@@ -2,11 +2,17 @@
 
 set -eo pipefail
 
+#
+# Setup Wordpress files, extracts from files provided by official WordPress base image
+#
 setupWP() {
     echo " >> Installing Wordpress"
     /usr/local/bin/docker-entrypoint.sh || exit 1
 }
 
+#
+# Preinstall WordPress, setup admin account, set URL, install plugins etc. - make it immediately ready
+#
 preinstallWP() {
     if [[ "${WP_PREINSTALL}" == "true" ]]; then
         wp core install --url=${WP_SITE_URL} --title=${WP_SITE_TITLE} --admin_user=${WP_SITE_ADMIN_LOGIN} --admin_password=${WP_SITE_ADMIN_PASSWORD} --admin_email=${WP_SITE_ADMIN_EMAIL}
@@ -14,6 +20,9 @@ preinstallWP() {
     fi
 }
 
+#
+# Automatic updates
+#
 scheduleAutoupdate() {
     echo -n " >> Checking if autoupdate should be scheduled..."
     if [[ "${AUTO_UPDATE_CRON}" != "" ]]; then
@@ -24,6 +33,9 @@ scheduleAutoupdate() {
     fi
 }
 
+#
+# Basic AUTH on wp-login.php is a very primitive additional layer of security against bots
+#
 setupBasicAuth() {
     if [[ "${BASIC_AUTH_USER}" ]] && [[ "${BASIC_AUTH_PASSWORD}" ]]; then
         echo " >> Writing to basic auth file - /opt/htpasswd"
@@ -33,17 +45,34 @@ setupBasicAuth() {
     fi
 }
 
+#
+# Runtime configuration setup: NGINX, PHP configuration is templated during startup
+#                              to allow using environment variables as configuration
+#
 setupConfiguration() {
     echo " >> Rendering configuration files..."
     p2 --template /templates/etc/nginx/nginx.conf > /etc/nginx/nginx.conf
     p2 --template /templates/usr/local/etc/php/php.ini > /usr/local/etc/php/php.ini
 }
 
+#
+# Extra files: In /mnt/extra-files you can volume-mount extra files that would be copied into WWW-root directory
+#              This allows to keep WWW-root directory not mounted by any volume to avoid conflicts with permissions
+#              (mounted volumes are creating directories owned by ROOT)
+#
+copyExtraFiles() {
+    echo " >> Copying extra files if placed in /mnt/extra-files"
+    if [[ -d /mnt/extra-files ]]; then
+        cp -rf /mnt/extra-files/* /var/www/riotkit/
+    fi
+}
+
 scheduleAutoupdate
 setupBasicAuth
 setupConfiguration
 setupWP
 preinstallWP
+copyExtraFiles
 
 # Allows to pass own CMD
 # Also allows to execute tests on the container
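Review bot: copyExtraFiles aborts the whole entrypoint under `set -e` when /mnt/extra-files exists but is empty: the `-d` test passes, the unquoted glob in `cp -rf /mnt/extra-files/* /var/www/riotkit/` stays literal, and cp exits non-zero on "cannot stat". Letting find enumerate the entries avoids that and also skips the dot-prefixed bookkeeping entries a ConfigMap mount creates, `find /mnt/extra-files -mindepth 1 -maxdepth 1 -not -name '.*' -exec cp -rf -- {} /var/www/riotkit/ \;`. Since `cp -r` keeps symlinks as symlinks, a ConfigMap mounted without `subPath` would presumably end up as dangling links into `..data/` after the copy; if that layout is meant to be supported, add `-L` and say so in the function header (confirm against how the chart mounts them). The copied files inherit the uid of whoever runs this script, so if it still runs as root here the README's goal of keeping root-owned files out of /var/www/riotkit is not met by the copy alone — a comment stating which user the files are expected to end up owned by would make the intent checkable.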
@@ -52,4 +81,9 @@ if [[ "${1}" == "exec" ]] || [[ "${1}" == "sh" ]] || [[ "${1}" == "bash" ]] || [
     exec "$@"
 fi
 
-exec multirun "php-fpm" "nginx -c /etc/nginx/nginx.conf" "crond -f -d 6" "/usr/local/bin/install-plugins-first-time.sh"
+multirun_args=("php-fpm" "nginx -c /etc/nginx/nginx.conf" "/usr/local/bin/install-plugins-first-time.sh")
+if [[ "${AUTO_UPDATE_CRON}" != "" ]]; then
+    multirun_args+=("crond -f -d 6")
+fi
+
+exec multirun "${multirun_args[@]}"
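Review bot: The `[[ "${AUTO_UPDATE_CRON}" != "" ]]` test guarding the new `crond -f -d 6` entry duplicates the condition inside scheduleAutoupdate, so the two can silently drift if one is edited; a comment tying them together would help, e.g. `# crond is only started when an autoupdate schedule exists (same test as in scheduleAutoupdate)`. The `if` shown on the hunk's first line begins outside this hunk. Each array element is a whole command string rather than separate argv words, which matches the previous single-line exec and so appears to be what multirun expects — worth one line saying so, since it looks like a quoting bug otherwise.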
diff --git a/helm/wordpress-hardened/templates/deployment.yaml b/helm/wordpress-hardened/templates/deployment.yaml
index 38d4313..cdd8f75 100644
--- a/helm/wordpress-hardened/templates/deployment.yaml
+++ b/helm/wordpress-hardened/templates/deployment.yaml
@@ -129,6 +129,9 @@ spec:
                       - name: wp-content
                         mountPath: /var/www/riotkit/wp-content
                       {{- end }}
+                      {{- with .Values.pv.extraVolumeMounts }}
+                      {{- toYaml . | nindent 22 }}
+                      {{- end }}
                   ports:
                       - name: http
                         containerPort: 8080
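Review bot: `.Values.pv.extraVolumeMounts` files generic mounts under the `pv` key, which the rest of values.yaml uses for the persistent-volume claim settings (size, storageClassName), and the README example mounts a ConfigMap through it, so the key name misleads. If keeping it under `pv` is a deliberate compatibility choice, a template comment such as `{{- /* extra mounts are generic (ConfigMap, Secret, PVC), not tied to the pv claim */ }}` above the `with` would make that explicit; otherwise a top-level `extraVolumeMounts` before this ships would be cleaner. The same applies to `.Values.pv.extraVolumes` in the second hunk of this file.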
@@ -178,3 +181,6 @@ spec:
                   configMap:
                       name: {{ include "wordpress-hardened.fullname" . }}-waf-custom-config
               {{- end }}
+              {{- with .Values.pv.extraVolumes }}
+              {{- toYaml . | nindent 14 }}
+              {{- end }}
diff --git a/helm/wordpress-hardened/values.yaml b/helm/wordpress-hardened/values.yaml
index 9cb460a..06de765 100644
--- a/helm/wordpress-hardened/values.yaml
+++ b/helm/wordpress-hardened/values.yaml
@@ -37,6 +37,10 @@ pv:
         size: 1Gi
         #storageClassName: "..."
 
+    # use those following to e.g. mount a custom ConfigMap, or a PVC with some data
+    extraVolumes: []
+    extraVolumeMounts: []
+
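Review bot: The new comment above `extraVolumes` does not mention the `/mnt/extra-files` convention the entrypoint relies on, so someone reading only values.yaml may mount straight into /var/www/riotkit and reintroduce the ownership problem the README describes. Suggest extending it to `# mount extra files under /mnt/extra-files; the entrypoint copies them into the WWW-root at startup (see README, "Mounting extra volumes"); readOnly: true is sufficient since they are only read`. The added trailing `+` blank line also leaves two consecutive empty lines before `ingresses:`.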
 
 ingresses: []
 #    - name: wp-https