Skip to content
Snippets Groups Projects
Verified Commit 29c31421 authored by Maarten de Waard's avatar Maarten de Waard :angel:
Browse files

write backups to remote storage

parent 2524a0a9
No related branches found
No related tags found
1 merge request!2rsync backups to remote storage
......@@ -4,5 +4,5 @@ description: WordPress with a replicated MariaDB backend
name: wordpress
# Please only change the chart version as part of the release procedure: see
# RELEASING.md
version: 0.1.1
version: 0.1.0
icon: https://make.wordpress.org/design/files/2016/09/WordPress-logotype-wmark.png
......@@ -4,9 +4,9 @@ When releasing a new version of the wordpress-helm chart, please remember to do
the following:
* change the chart version in `Chart.yaml`;
* change the default `image.tag` and `initImage.tag` in `values.yaml` to the new
version (e.g., "0.1.2");
* create a git tag for the new version (e.g., "0.1.2") and push it to Gitlab
version (e.g., "0.1.0");
* create a git tag for the new version (e.g., "0.1.0") and push it to Gitlab
(any branch will do); the CI will create and push docker images tagged by that
same version string.
(You can push all git tags using `git push --tags`, or this specific one using
`git push origin 0.1.2`.)
`git push origin 0.1.0`.)
......@@ -10,3 +10,7 @@ metadata:
type: Opaque
data:
secret-vars.yaml: {{ tpl .Values.ansibleSecrets . | b64enc }}
{{- if .Values.backup.sshPrivateKey }}
ssh-private-key: {{ .Values.backup.sshPrivateKey | b64enc }}
ssh-known-hosts: {{ .Values.backup.sshKnownHosts | b64enc }}
{{- end }}
......@@ -22,9 +22,6 @@ spec:
# gets re-run.
checksum/config: {{ include (print $.Template.BasePath "/ansible-vars.yaml") . | sha256sum }}
checksum/config: {{ include (print $.Template.BasePath "/secrets.yaml") . | sha256sum }}
{{- if .Values.podAnnotations }}
{{- toYaml .Values.podAnnotations | nindent 8 }}
{{- end }}
spec:
imagePullSecrets:
- name: {{ .Values.initImage.imagePullSecretName }}
......@@ -62,9 +59,6 @@ spec:
value: {{ .Values.database.db.name }}
- name: WORDPRESS_TABLE_PREFIX
value: {{ .Values.wordPressTablePrefix }}
# TODO: Remove this debug
- name: WORDPRESS_DEBUG
value: "true"
containers:
- name: {{ .Chart.Name }}
image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
......@@ -74,28 +68,11 @@ spec:
containerPort: 80
- name: https
containerPort: 443
{{- if .Values.livenessProbe.enabled }}
livenessProbe:
httpGet:
path: {{ .Values.wordpress.site.probe_path }}
port: http
initialDelaySeconds: {{ .Values.livenessProbe.initialDelaySeconds }}
periodSeconds: {{ .Values.livenessProbe.periodSeconds }}
timeoutSeconds: {{ .Values.livenessProbe.timeoutSeconds }}
successThreshold: {{ .Values.livenessProbe.successThreshold }}
failureThreshold: {{ .Values.livenessProbe.failureThreshold }}
{{- end }}
{{- if .Values.readinessProbe.enabled }}
readinessProbe:
httpGet:
path: {{ .Values.wordpress.site.probe_path }}
port: http
initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds }}
periodSeconds: {{ .Values.readinessProbe.periodSeconds }}
timeoutSeconds: {{ .Values.readinessProbe.timeoutSeconds }}
successThreshold: {{ .Values.readinessProbe.successThreshold }}
failureThreshold: {{ .Values.readinessProbe.failureThreshold }}
{{- end }}
# livenessProbe:
# httpGet:
# path: /wp-login.php
# port: http
# timeoutSeconds: 2
env:
- name: WORDPRESS_DB_HOST
value: {{ .Release.Name }}-database
......@@ -110,9 +87,6 @@ spec:
value: {{ .Values.database.db.name }}
- name: WORDPRESS_TABLE_PREFIX
value: {{ .Values.wordPressTablePrefix }}
# TODO: Remove this debug
- name: WORDPRESS_DEBUG
value: "true"
# readinessProbe:
# httpGet:
# path: /
......@@ -152,8 +126,9 @@ spec:
value: {{ .Values.database.db.name }}
- name: WORDPRESS_TABLE_PREFIX
value: {{ .Values.wordPressTablePrefix }}
- name: BACKUP_NAME
value: {{ .Release.Name }}
- name: BACKUP_INTERVAL_SECONDS
# A day's worth of seconds.
value: "86400"
volumeMounts:
- name: {{ include "wordpress.name" . }}-wp-storage
mountPath: /var/www/html
......@@ -166,8 +141,13 @@ spec:
subPath: main.yml
- name: ansible-secrets
mountPath: /var/local/ansible/secrets
- name: {{ include "wordpress.name" . }}-backups
mountPath: /mnt/backups
{{- if .Values.backup.sshPrivateKey }}
- name: ssh-private-key
mountPath: /var/local/ssh-private-key
- name: ssh-known-hosts
mountPath: /etc/ssh/ssh_known_hosts
subPath: ssh_known_hosts
{{- end }}
{{- end }}
{{- with .Values.nodeSelector }}
nodeSelector:
......@@ -196,18 +176,26 @@ spec:
- name: ansible-secrets
secret:
secretName: {{ include "wordpress.fullname" . }}-ansible-secrets
# TODO: this might not be necessary
items:
- key: secret-vars.yaml
path: secret-vars.yaml
{{- if .Values.backup.sshPrivateKey }}
- name: ssh-private-key
secret:
secretName: {{ include "wordpress.fullname" . }}-ansible-secrets
items:
- key: ssh-private-key
path: ssh-private-key
- name: ssh-known-hosts
secret:
secretName: {{ include "wordpress.fullname" . }}-ansible-secrets
items:
- key: ssh-known-hosts
path: ssh_known_hosts
{{- end }}
- name: ansible-vars
configMap:
name: {{ include "wordpress.fullname" . }}-ansible-vars
- name: htuploads
configMap:
name: {{ include "wordpress.fullname" . }}-htuploads
{{- if .Values.backup.enabled }}
- name: {{ include "wordpress.name" . }}-backups
persistentVolumeClaim:
claimName: {{ .Values.backup.pvcName }}
{{- end }}
......@@ -28,8 +28,7 @@ wordpress:
theme: twentynineteen
# NOTE: Make sure you use underscore and that the localisation is in full caps
locale: en_US
# NOTE: Optionally set a Wordpress version number to override the default version: in values.yaml
# version: LOCAL-WORDPRESS-VERSION-NUMBER-OR-DELETE-THIS-LINE
version: 5.2.3
# NOTE: This is the URL that points to your WordPress installation. If this
# URL is set incorrectly your site will most likely not work. You can not
# change it after you have run helm install once because WordPress saves the
......@@ -43,10 +42,6 @@ wordpress:
alt_enabled: false
# alt_config: PATH-SETTING-IN-OPTIONS-TABLE
# alt_path: SOME-LOGIN-PATH
# # Path used by the liveness and readiness probes to see if the site runs
# # correctly. Defaults to `/wp-login.php`. Be sure to make this the same as
# # alt_path if you use it!
# probe_path: /wp-login.php
wp_content:
# The directory to mount the files placed in wp-content. You shouldn't have to
# change this.
......@@ -125,12 +120,20 @@ database:
# This will add a cronjob that performs a daily backup of the wordpress
# database, copying an sql file created by `wp db export` to the given PVC.
# The persistent volume is not created by this chart, because we don't want it
# to be managed by helm, so you will need to create it via some other means.
# backup:
# enabled: true
# pvcName: wordpress-backups
# # The target location of the backup. This can be a local directory (not
# # advisable) or a remote directory reachable over SSH. backup command uses
# # this value as the second argument for `rsync`
# target: <username@server.example.org:backup-dir/>
# # If `backup.target` is an SSH address, use this private key:
# sshPrivateKey: |
# -----BEGIN OPENSSH PRIVATE KEY-----
# ...
# -----END OPENSSH PRIVATE KEY-----
# # Mounted to /etc/ssh/known_hosts
# sshKnownHosts: |
# hostname keytype key
# It's advisable to set resource limits to prevent your K8s cluster from
# crashing
# resources:
......
......@@ -87,17 +87,14 @@ wordpress:
theme_fallback: twentytwenty
# NOTE: Make sure you use underscore and that the localisation is in full caps
locale: en_US
version: 5.4.1
version: 5.2.3
url: "http://localhost"
title: "Wordpress Helm"
## If including a plugin to alias wp login then set an alt_path and set the alt_config
# NOTE: A value for alt_enabled must be set. Select either true or false
alt_enabled: false
alt_enabled: false
# alt_config: PATH-SETTING-IN-OPTIONS-TABLE
# alt_path: SOME-LOGIN-PATH
# Path used by the liveness and readiness probes to see if the site runs
# correctly. Defaults to `/wp-login.php`
probe_path: /wp-login.php
wp_content:
## The directory to mount the files placed in wp-content. You shouldn't have to
## change this.
......@@ -169,14 +166,15 @@ ansibleVars:
wpSalts: {}
image:
repository: open.greenhost.net:4567/open/wordpress-helm/wordpress
tag: 0.1.1
repository: docker.greenhost.net/open/wordpress-helm/wordpress
tag: 0.1.0
pullPolicy: Always
initImage:
repository: open.greenhost.net:4567/open/wordpress-helm/wordpress-cli-ansible
tag: 0.1.1
repository: docker.greenhost.net/open/wordpress-helm/wordpress-cli-ansible
tag: 0.1.0
pullPolicy: Always
imagePullSecretName: greenhost-registry-pull
ingress:
enabled: false
......@@ -191,9 +189,6 @@ nodeSelector: {}
tolerations: []
affinity: {}
podAnnotations: {}
database:
db:
user: wordpress
......@@ -266,6 +261,8 @@ backup:
# completely stored as a b64encoded secret in Kubernetes. If you're not a
# developer, never change this variable, only change the variables it points to.
ansibleSecrets: |
BACKUP_NAME: {{ .Release.Name }}
BACKUP_TARGET: {{ .Values.backup.target }}
DB_HOST: {{ .Release.Name }}-database
DB_NAME: {{ .Values.database.db.name }}
DB_PASS: {{ .Values.database.db.password }}
......@@ -336,22 +333,3 @@ ansibleSecrets: |
SECURE_AUTH_SALT: {{ .Values.wpSalts.SECURE_AUTH_SALT | default ( randAlphaNum 32) }}
WP_CACHE_KEY_SALT: {{ .Values.wpSalts.WP_CACHE_KEY_SALT | default ( randAlphaNum 32) }}
WP_CRON_CONTROL_SECRET: {{ .Values.wpSalts.WP_CRON_CONTROL_SECRET | default ( randAlphaNum 32 ) }}
## Liveness and readiness probe values
## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes
##
livenessProbe:
enabled: true
initialDelaySeconds: 60
periodSeconds: 15
timeoutSeconds: 5
failureThreshold: 3
successThreshold: 1
readinessProbe:
enabled: true
initialDelaySeconds: 10
periodSeconds: 15
timeoutSeconds: 5
failureThreshold: 3
successThreshold: 1
FROM wordpress:cli-2.4-php7.3
FROM wordpress:cli-2.1.0-php7.3
USER root
RUN apk add ansible git rsync
RUN apk add ansible git rsync openssh
ADD . /var/local/ansible
ENV ANSIBLE_CONFIG /var/local/ansible/ansible.cfg
# This is the homedir of user 33 in the alpine container and needs to exist and
# be writable for ssh to work.
RUN mkdir -p /etc/X11/fs && chown -R 33:33 /etc/X11/fs
# SSH Identity file location for backup playbook. It's in /etc/X11/fs which is
# the default home directory for the user with ID 33, which is the UID of the
# www-data user in the Debian container that runs the site...
RUN mkdir -p /etc/ssh/ && echo "IdentityFile /var/local/ssh-private-key/ssh-private-key" > /etc/ssh/ssh_config
# Chown the files to the Debian www-data user, because that's the only WP
# container that runs Apache too.
RUN chown -R 33:33 /var/local/ansible; \
......
......@@ -7,16 +7,19 @@
changed_when: false
- block:
- name: Create backups directory
file:
path: "{{ backup_dir }}"
- name: Create temporary backups directory
tempfile:
state: directory
suffix: backup
register: backup_dir
- name: Export WordPress database to file
shell:
wp {{ cli_args }} db export "{{ backup_dir }}/{{ backup_filename }}"
wp {{ cli_args }} db export "{{ backup_dir.path }}/{{ backup_filename }}"
# Never overwrite an existing file.
args:
creates: "{{ backup_dir }}/{{ backup_filename }}"
creates: "{{ backup_dir.path }}/{{ backup_filename }}"
- name: Copy export to backup location
shell:
rsync -a "{{ backup_dir.path }}/{{ backup_filename }}" "{{ BACKUP_TARGET }}"
vars:
backup_dir: "/mnt/backups/wp-db/{{ lookup('env', 'BACKUP_NAME') }}"
backup_filename: "wp-db-{{ lookup('env', 'BACKUP_NAME') }}-{{ date.stdout }}.sql"
backup_filename: "wp-db-{{ BACKUP_NAME }}-{{ date.stdout }}.sql"
#!/bin/bash
backupCommand="ansible-playbook backup.yml -e @secrets/secret-vars.yaml"
# A day's worth of seconds.
interval=86400
while true
do
date
echo "Waiting for $interval seconds before starting next backup."
sleep $interval
echo "Waiting for $BACKUP_INTERVAL_SECONDS seconds before starting next backup."
sleep $BACKUP_INTERVAL_SECONDS
$backupCommand
exitCode=$?
if [ $exitCode -ne 0 ]
......
0% Loading or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment