Update to socket-based PHP, cert-manager instead of kube-lego.

daxio · Oct 26, 2019 · 53a1f1f · 53a1f1f
1 parent 1e6aa56
commit 53a1f1f
Show file tree

Hide file tree

Showing 18 changed files with 70 additions and 40 deletions.
diff --git a/README.md b/README.md
@@ -9,9 +9,9 @@ Actually, **k8s LEMP Stack** should be able to serve as your own personal web se
 
 ## How It Works
 * **WordPress**
-  * Each WordPress CMS is based on the [wordpress:php7.1-fpm](https://hub.docker.com/r/_/wordpress/ "Official WordPress Docker image") image with extra required PHP extensions such as `redis`. WordPress is contained in one `Deployment` controller along with an NGINX container with FastCGI caching and the NAXSI web application firewall.
+  * Each WordPress CMS is based on the [wordpress:php7.3-fpm](https://hub.docker.com/r/_/wordpress/ "Official WordPress Docker image") image with extra required PHP extensions such as `redis`. WordPress is contained in one `Deployment` controller along with an NGINX container with FastCGI caching and the NAXSI web application firewall.
   * Each WordPress `Deployment` gets it's own `PersistentVolume` as well as `Secret` objects for storing sensitive information such as passwords for their DBs.
-  * `ConfigMap`s are used to inject various `php.ini` settings for PHP 7.1.
+  * `ConfigMap`s are used to inject various `php.ini` settings for PHP 7.3.
 
 * **NGINX**
   * The NGINX container has multiple handy configurations for multi-site and caching, all easily deployed using `ConfigMap` objects.
@@ -30,23 +30,21 @@ Actually, **k8s LEMP Stack** should be able to serve as your own personal web se
 
 * **Ingress/Kube Lego**
   * Websites are reached externally via an `nginx` `Ingress` controller. See Kubernetes documentation regarding `Ingress` in the [official docs](https://kubernetes.io/docs/user-guide/ingress/ "Ingress Resources") and on [GitHub](https://github.com/kubernetes/ingress/blob/master/controllers/nginx/README.md "NGINX Ingress Controller").
-  * All TLS is terminated at `Ingress` via free Let's Encrypt certificates good for all domains on your cluster. Better yet, certificate issuance is handled automatically with the awesome [Kube Lego](https://github.com/jetstack/kube-lego "Kube Lego").
+  * All TLS is terminated at `Ingress` via free Let's Encrypt certificates good for all domains on your cluster. Better yet, certificate issuance is handled automatically with the awesome [cert-manager](https://github.com/jetstack/cert-manager "cert-manager").
 
 * See [**Installation and Usage**](USAGE.md) for instructions on getting up and running.
 
 ![Kubernetes LEMP Stack Architecture](k8s-lemp-stack.png "Kubernetes LEMP Stack Architecture")
 
 ## TODO
 - [x] Add diagram detailing the general structure of the cluster
-- [ ] Add working password authentication to Redis
 - [ ] High availability
   - [ ] [Ceph distributed storage](https://github.com/ceph/ceph-docker/tree/master/examples/kubernetes "Ceph on Kubernetes")
   - [ ] \(Optional\) HA MySQL via sharding, [clustering](https://thenewstack.io/deploy-highly-available-wordpress-instance-statefulset-kubernetes-1-5/ "Deploy a Highly Available WordPress Instance as a StatefulSet in Kubernetes 1.5"), etc.
   - [ ] Add shared and distributed storage to WordPress deployments so they can then be replicated
-- [ ] Enable Drupal CMSs
-- [ ] Enable Joomla CMSs
-- [ ] Enable generic "HTML" deployments
-- [ ] Explore segregating the website deployments in the name of privacy/hardening
+- [ ] PHP socket
+- [ ] New annotation `kubernetes.io/ingress.global-static-ip-name: "wpclust-ingress"`
+- [ ] Migrate to certmanager (with Helm installation)
 
 ## Installation and Usage
 Visit [USAGE.md](USAGE.md).

diff --git a/USAGE.md b/USAGE.md
@@ -1,5 +1,5 @@
 ## Prerequisites
-* You need a Kubernetes cluster on Google Compute Engine. This is as easy as following the [official Kubernetes guide](https://kubernetes.io/docs/getting-started-guides/gce/ "Running Kubernetes on Google Compute Engine").
+* You need a Kubernetes cluster on Google Compute Engine. This is as easy as following the [official Kubernetes guide](https://kubernetes.io/docs/setup/production-environment/turnkey/gce/ "Running Kubernetes on Google Compute Engine").
 * You should be comfortable with basic SQL statements, i.e. creating and managing DBs, users, grants.
 * You also need a domain and access to it's DNS settings. These instructions use the generic domain names www.wingdings.com and www.doodads.com.
 * Upon deploying WordPress you should install:

diff --git a/cert-manager/cluster-issuer.yaml b/cert-manager/cluster-issuer.yaml
@@ -0,0 +1,16 @@
+apiVersion: certmanager.k8s.io/v1alpha1
+kind: ClusterIssuer
+metadata:
+  # Adjust the name here accordingly
+  name: letsencrypt-prod
+spec:
+  acme:
+    # The ACME server URL
+    server: https://acme-v02.api.letsencrypt.org/directory
+    # Email address used for ACME registration
+    email: [email protected]
+    # Name of a secret used to store the ACME account private key from step 3
+    privateKeySecretRef:
+      name: letsencrypt-private-key
+    # Enable the HTTP-01 challenge provider
+    http01: {}
diff --git a/cert-manager/tiller-RBAC.yaml b/cert-manager/tiller-RBAC.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: tiller
+  namespace: kube-system
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: tiller
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cluster-admin
+subjects:
+  - kind: ServiceAccount
+    name: tiller
+    namespace: kube-system
diff --git a/mariadb-StatefulSet.yaml b/mariadb-StatefulSet.yaml
@@ -46,7 +46,7 @@ spec:
             secretKeyRef:
               key: mariadb-pass-root.txt
               name: mariadb-pass-root
-        image: mariadb:10.2.12
+        image: mariadb:10.3
         imagePullPolicy: IfNotPresent
         name: mariadb
         ports:

diff --git a/nginx/nginx-Deployment.yaml b/nginx/nginx-Deployment.yaml
@@ -16,7 +16,7 @@ spec:
     spec:
       serviceAccountName: nginx-ingress-serviceaccount
       containers:
-      - image: quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.9.0
+      - image: quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.24.1
         name: nginx
         imagePullPolicy: Always
         env:

diff --git a/nginx/nginx-Service.yaml b/nginx/nginx-Service.yaml
@@ -5,6 +5,7 @@ metadata:
   namespace: nginx-ingress
 spec:
   type: LoadBalancer
+  loadBalancerIP: 104.199.54.116
   ports:
   - port: 80
     name: http

diff --git a/redis-Deployment.yaml b/redis-Deployment.yaml
@@ -42,7 +42,7 @@ spec:
         tier: mysql-cache
     spec:
       containers:
-      - image: redis:4.0.6
+      - image: redis:5
         imagePullPolicy: IfNotPresent
         name: redis
         ports:

diff --git a/wp/nginx/conf.d/wp-cache.conf.OFF b/wp/nginx/conf.d/wp-cache.conf.OFF
@@ -26,11 +26,7 @@ server {
     set $skip_cache 1;
   }
 
-  if ($request_uri ~* "(^/basket/.*|^/checkout/.*)") {
-    set $naxsi_flag_enable 0;
-  }
-
-  if ($args ~* "(customize_changeset_uuid=.+|wc-ajax=get_refreshed_fragments.*)") {
+  if ($arg_customize_changeset_uuid != "") {
     set $naxsi_flag_enable 0;
   }
 

diff --git a/wp/nginx/conf.d/wp-subdir-cache.conf.OFF b/wp/nginx/conf.d/wp-subdir-cache.conf.OFF
@@ -30,11 +30,7 @@ server {
     set $skip_cache 1;
   }
 
-  if ($request_uri ~* "(^/basket/.*|^/checkout/.*)") {
-    set $naxsi_flag_enable 0;
-  }
-
-  if ($args ~* "(customize_changeset_uuid=.+|wc-ajax=get_refreshed_fragments.*)") {
+  if ($arg_customize_changeset_uuid != "") {
     set $naxsi_flag_enable 0;
   }
 

diff --git a/wp/nginx/conf.d/wp-subdir.conf.OFF b/wp/nginx/conf.d/wp-subdir.conf.OFF
@@ -12,12 +12,8 @@ server {
         rewrite ^(/[^/]+)?(/.*\.php) $2 last;
     }
 
-    if ($request_uri ~* "(^/basket/.*|^/checkout/.*)") {
-        set $naxsi_flag_enable 0;
-    }
-
-    if ($args ~* "(customize_changeset_uuid=.+|wc-ajax=get_refreshed_fragments.*)") {
-        set $naxsi_flag_enable 0;
+    if ($arg_customize_changeset_uuid != "") {
+      set $naxsi_flag_enable 0;
     }
 
     location / {

diff --git a/wp/nginx/conf.d/wp.conf b/wp/nginx/conf.d/wp.conf
@@ -10,12 +10,8 @@ server {
 
         set $naxsi_flag_enable "";
 
-        if ($request_uri ~* "(^/basket/.*|^/checkout/.*)") {
-              set $naxsi_flag_enable 0;
-        }
-
-        if ($args ~* "(customize_changeset_uuid=.+|wc-ajax=get_refreshed_fragments.*)") {
-              set $naxsi_flag_enable 0;
+        if ($arg_customize_changeset_uuid != "") {
+                set $naxsi_flag_enable 0;
         }
 
         location / {

diff --git a/wp/nginx/global/naxsi-wp-whitelist.rules b/wp/nginx/global/naxsi-wp-whitelist.rules
@@ -146,3 +146,6 @@ BasicRule wl:1000 "mz:$URL:/wp-content/plugins/woocommerce/assets/js/select2/sel
 BasicRule wl:1000 "mz:$URL:/wp-content/plugins/woocommerce/assets/js/stupidtable/stupidtable.min.js|URL";
 #WPML
 BasicRule wl:1000 "mz:$URL:/wp-content/plugins/sitepress-multilingual-cms/lib/select2/select2.min.js|URL";
+#TablePress Responsive Tables
+BasicRule wl:1000 "mz:$URL:/wp-content/plugins/tablepress-responsive-tables/css/tablepress-responsive-flip.min.css|URL";
+BasicRule wl:1000 "mz:$URL:/wp-content/plugins/tablepress-responsive-tables/css/responsive.dataTables.min.css|URL";
diff --git a/wp/nginx/nginx.conf b/wp/nginx/nginx.conf
@@ -43,8 +43,8 @@ http {
     fastcgi_buffer_size 256k;
 
     upstream php {
-        #server unix:/tmp/php-cgi.socket;
-        server 127.0.0.1:9000;
+        server unix:/sock/docker.sock;
+        #server 127.0.0.1:9000;
     }
 
     fastcgi_cache_path /var/run/nginx-cache levels=1:2 keys_zone=WORDPRESS:100m inactive=60m;

diff --git a/wp/notls-Ingress.yaml b/wp/notls-Ingress.yaml
@@ -6,6 +6,7 @@ metadata:
   annotations:
     # kubernetes.io/tls-acme: "true"
     kubernetes.io/ingress.class: "nginx"
+    kubernetes.io/ingress.global-static-ip-name: "wpclust-ingress"
 spec:
   # tls:
   # - hosts:

diff --git a/wp/php/conf.d/nginx.ini b/wp/php/conf.d/nginx.ini
@@ -1,5 +1,5 @@
 file_uploads = On
-memory_limit = 32M
+memory_limit = 256M
 upload_max_filesize = 32M
 post_max_size = 32M
 max_execution_time = 30
diff --git a/wp/tls-Ingress.yaml b/wp/tls-Ingress.yaml
@@ -6,6 +6,8 @@ metadata:
   annotations:
     kubernetes.io/tls-acme: "true"
     kubernetes.io/ingress.class: "nginx"
+    certmanager.k8s.io/cluster-issuer: "letsencrypt-prod"
+    certmanager.k8s.io/acme-challenge-type: http01
 spec:
   tls:
   - hosts:

diff --git a/wp/wp-wd-Deployment.yaml b/wp/wp-wd-Deployment.yaml
@@ -43,7 +43,7 @@ spec:
             secretKeyRef:
               key: mariadb-pass-wp-wd.txt
               name: mariadb-pass-wp-wd
-        image: daxio/wordpress-redis:v1.6-fpm
+        image: daxio/wordpress-redis-sock:v1.0.0
         imagePullPolicy: IfNotPresent
         name: wp
         resources: {}
@@ -56,7 +56,9 @@ spec:
           name: php
         - mountPath: /var/run/nginx-cache
           name: cache
-      - image: daxio/nginx-naxsi:v1.1.3
+        - mountPath: /sock
+          name: php-socket
+      - image: daxio/nginx-naxsi:v1.1.4
         imagePullPolicy: IfNotPresent
         name: wp-nginx
         ports:
@@ -79,10 +81,13 @@ spec:
           name: nginx-html
         - mountPath: /var/run/nginx-cache
           name: cache
+        - mountPath: /sock
+          name: php-socket
       dnsPolicy: ClusterFirst
       restartPolicy: Always
       schedulerName: default-scheduler
-      securityContext: {}
+      securityContext:
+        fsGroup: 33
       terminationGracePeriodSeconds: 30
       volumes:
       - name: wp-persistent-storage
@@ -111,4 +116,6 @@ spec:
       - emptyDir:
           medium: Memory
         name: cache
+      - emptyDir: {}
+        name: php-socket
 status: {}