Merge branch 'master' into 65-backups-should-write-to-remote-storage

CHANGELOG.md

+## [0.1.3] - 2020-06-18
+
+* Only set imagePullSecrets if the corresponding helm value is set.
+* Run apache as non-root user, and listen on port 8080 inside the docker
+  container.
+
 ## [0.1.2] - 2020-06-09
 
 * Moved repository to open.greenhost.net/openappstack/wordpress-helm

Chart.yaml

@@ -5,5 +5,5 @@ description: WordPress with a replicated MariaDB backend
 name: wordpress
 # Please only change the chart version as part of the release procedure: see
 # RELEASING.md
-version: 0.1.2
+version: 0.1.3
 icon: https://make.wordpress.org/design/files/2016/09/WordPress-logotype-wmark.png

RELEASING.md

@@ -2,6 +2,7 @@
 
 When releasing a new version of the wordpress-helm chart, please remember to do
 the following:
+* update `CHANGELOG.md`;
 * change the chart version in `Chart.yaml`;
 * change the default `image.tag` and `initImage.tag` in `values.yaml` to the new
   version (e.g., "0.1.3");

install.sh.example

 #!/bin/bash
 
-# Use this installation script as an example for easy installation. Copy it to
-# `install.sh` and edit the values file names if you need to.
+# You can use this installation script to install production ready clusters.
+# Make sure to create `values-local.yaml` and edit the values to reflect your
+# website.
+
+# Edit the `releaseName` variable below  if you want to release several
+# production sites.
 
 set -v
 
-# Makes sure you use docker image tags for the branch you're working on now
-. variables.sh
+releaseName="wordpress-production"
 
 # Upgrade or install application using the current git branch as docker tag
-helm upgrade $releaseName . --install -f values-local.yaml --set initImage.tag=$dockerTag --set image.tag=$dockerTag
+helm upgrade $releaseName . --install -f values-local.yaml

templates/statefulset.yaml

@@ -27,8 +27,10 @@ spec:
         {{- toYaml .Values.podAnnotations | nindent 8 }}
         {{- end }}
     spec:
+      {{- if .Values.initImage.imagePullSecretName }}
       imagePullSecrets:
         - name: {{ .Values.initImage.imagePullSecretName }}
+      {{- end }}
       initContainers:
         - name: init-{{ .Chart.Name }}
           image: "{{ .Values.initImage.repository }}:{{ .Values.initImage.tag }}"
@@ -67,11 +69,14 @@ spec:
         - name: {{ .Chart.Name }}
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
+          securityContext:
+            runAsUser: 33
+            runAsGroup: 33
           ports:
             - name: http
-              containerPort: 80
+              containerPort: 8080
             - name: https
-              containerPort: 443
+              containerPort: 8443
           {{- if .Values.livenessProbe.enabled }}
           livenessProbe:
             httpGet:

test-install.sh.example

+#!/bin/bash
+
+# Use this installation script to test development branches. It will
+# automatically set the docker tags to tags generated by the CI system.
+# Copy this script to `test-install.sh` and edit the values file names if you
+# need to.
+# Make sure you configure the helm chart by copying `values-local.yaml.example`
+# to `values-local.yaml` and editing it.
+
+
+set -v
+
+# Makes sure you use docker image tags for the branch you're working on now
+. variables.sh
+
+# Upgrade or install application using the current git branch as docker tag
+helm upgrade $releaseName . --install -f values-local.yaml --set initImage.tag=$dockerTag --set image.tag=$dockerTag

values-local.yaml.example

@@ -66,7 +66,7 @@ wordpress:
 
   ## mu_plugins are installed as hidden and cannot be updated from the UI
   ## mu_dir  'mu-plugins' maps to wp-content/mu-plugins
-  ## mu_plugins supplies a detailed list of mu values and plugins with versions 
+  ## mu_plugins supplies a detailed list of mu values and plugins with versions
 
   mu_plugins_enabled: false
   mu_plugins_dir: mu-plugins
@@ -75,8 +75,8 @@ wordpress:
        name: Block Bad Queries
        version: 20200319
        phpfile: block-bad-queries.php
-  
-  ## Enable externally triggered cron for an MU cron plugin 
+
+  ## Enable externally triggered cron for an MU cron plugin
   # NOTE: A value for mu_cron_enabled must be set. Select either true or false
   # NOTE: This cron must be triggered by a call you have set up outside the server
   mu_cron:
@@ -162,7 +162,7 @@ redis:
 #   enabled: true
 #   # Example annotation to make cert-manager manage the TLS certificates for
 #   # this ingress (Don't supply crt and key to the tls config in this case).
-#   # annotations: 
+#   # annotations:
 #   #   kubernetes.io/tls-acme: "true"
 #   path: /
 #   hosts:
@@ -173,7 +173,7 @@ redis:
 #       secretName: wordpress-cert
 #       crt: |
 #         Optionally insert your certificate here, it will be saved as a
-#         Kubernetes secret. You can insert the whole certificate chain here. 
+#         Kubernetes secret. You can insert the whole certificate chain here.
 #         NOTE: Don't do this if you use cert-manager to get your certificates!
 #       key: |
 #         If you use a custom certificate, insert your TLS key here, it will be

values.yaml

@@ -88,7 +88,7 @@ wordpress:
     theme_fallback: twentytwenty
     # NOTE: Make sure you use underscore and that the localisation is in full caps
     locale: en_US
-    version: 5.4.1
+    version: 5.4.2
     url: "http://localhost"
     title: "Wordpress Helm"
     ## If including a plugin to alias wp login then set a path for alt and also set the config 
@@ -174,12 +174,12 @@ wpSalts: {}
 
 image:
   repository: open.greenhost.net:4567/openappstack/wordpress-helm/wordpress
-  tag: 0.1.2
+  tag: 0.1.3
   pullPolicy: Always
 
 initImage:
   repository: open.greenhost.net:4567/openappstack/wordpress-helm/wordpress-cli-ansible
-  tag: 0.1.2
+  tag: 0.1.3
   pullPolicy: Always
 
 ingress:

wp-docker/Dockerfile

@@ -15,3 +15,9 @@ RUN a2enmod rewrite expires
 RUN pecl install -o -f redis \
     && rm -rf /tmp/pear \
     && docker-php-ext-enable redis
+
+# Do not use a privileged port for Apache so it can run as non-root
+ENV PORT 8080
+ENV TLS_PORT 8443
+RUN sed -i "s/\<80\>/$PORT/g" /etc/apache2/sites-available/000-default.conf /etc/apache2/ports.conf
+RUN sed -i "s/\<443\>/$TLS_PORT/g" /etc/apache2/sites-available/default-ssl.conf /etc/apache2/ports.conf