870bc4dba1
* Replace minideb by bitnami-shell in READMEs * Avoid minideb mentions in Helm Charts * Update values.yaml * Update values.yaml
WordPress
WordPress is one of the most versatile open source content management systems on the market. A publishing platform for building blogs and websites.
TL;DR
$ helm repo add bitnami https://charts.bitnami.com/bitnami
$ helm install my-release bitnami/wordpress
Introduction
This chart bootstraps a WordPress deployment on a Kubernetes cluster using the Helm package manager.
It also packages the Bitnami MariaDB chart which is required for bootstrapping a MariaDB deployment for the database requirements of the WordPress application.
Bitnami charts can be used with Kubeapps for deployment and management of Helm Charts in clusters. This chart has been tested to work with NGINX Ingress, cert-manager, fluentd and Prometheus on top of the BKPR.
Prerequisites
- Kubernetes 1.12+
- Helm 3.1.0
- PV provisioner support in the underlying infrastructure
- ReadWriteMany volumes for deployment scaling
Installing the Chart
To install the chart with the release name my-release:
helm install my-release bitnami/wordpress
The command deploys WordPress on the Kubernetes cluster in the default configuration. The Parameters section lists the parameters that can be configured during installation.
Tip
: List all releases using
helm list
Uninstalling the Chart
To uninstall/delete the my-release deployment:
helm delete my-release
The command removes all the Kubernetes components associated with the chart and deletes the release.
Parameters
The following table lists the configurable parameters of the WordPress chart and their default values per section/component:
Global parameters
| Parameter | Description | Default |
|---|---|---|
global.imageRegistry |
Global Docker image registry | nil |
global.imagePullSecrets |
Global Docker registry secret names as an array | [] (does not add image pull secrets to deployed pods) |
global.storageClass |
Global storage class for dynamic provisioning | nil |
Common parameters
| Parameter | Description | Default |
|---|---|---|
nameOverride |
String to partially override common.names.fullname | nil |
fullnameOverride |
String to fully override common.names.fullname | nil |
clusterDomain |
Default Kubernetes cluster domain | cluster.local |
commonLabels |
Labels to add to all deployed objects | {} |
commonAnnotations |
Annotations to add to all deployed objects | {} |
kubeVersion |
Force target Kubernetes version (using Helm capabilities if not set) | nil |
extraDeploy |
Array of extra objects to deploy with the release | [] (evaluated as a template) |
WordPress parameters
| Parameter | Description | Default |
|---|---|---|
image.registry |
WordPress image registry | docker.io |
image.repository |
WordPress image name | bitnami/wordpress |
image.tag |
WordPress image tag | {TAG_NAME} |
image.pullPolicy |
WordPress image pull policy | IfNotPresent |
image.pullSecrets |
Specify docker-registry secret names as an array | [] (does not add image pull secrets to deployed pods) |
image.debug |
Specify if debug logs should be enabled | false |
hostAliases |
Add deployment host aliases | Check values.yaml |
wordpressSkipInstall |
Skip wizard installation when the external db already contains data from a previous WordPress installation see | false |
wordpressUsername |
User of the application | user |
existingSecret |
Name of the existing Wordpress Secret (it must contain a key named wordpress-password). When it's set, wordpressPassword is ignored |
nil |
serviceAccountName |
Name of a service account for the WordPress pods | default |
wordpressPassword |
Application password | random 10 character long alphanumeric string |
wordpressEmail |
Admin email | user@example.com |
wordpressFirstName |
First name | FirstName |
wordpressLastName |
Last name | LastName |
wordpressBlogName |
Blog name | User's Blog! |
wordpressTablePrefix |
Table prefix | wp_ |
wordpressScheme |
Scheme to generate application URLs [http, https] |
http |
wordpressExtraConfigContent |
Add extra content to the configuration file | "" |
allowEmptyPassword |
Allow DB blank passwords | true |
allowOverrideNone |
Set Apache AllowOverride directive to None | false |
htaccessPersistenceEnabled |
Make .htaccess persistence so that it can be customized. See |
false |
customHTAccessCM |
Configmap with custom wordpress-htaccess.conf directives | nil |
customPostInitScripts |
Custom post-init.d user scripts | nil |
smtpHost |
SMTP host | nil |
smtpPort |
SMTP port | nil |
smtpUser |
SMTP user | nil |
smtpPassword |
SMTP password | nil |
smtpUsername |
User name for SMTP emails | nil |
smtpProtocol |
SMTP protocol [tls, ssl, none] |
nil |
smtpExistingPassword |
Existing secret containing SMTP password in key smtp-password |
nil |
command |
Override default container command (useful when using custom images) | nil |
args |
Override default container args (useful when using custom images) | nil |
extraEnvVars |
Extra environment variables to be set on WordPress container | {} |
extraEnvVarsCM |
Name of existing ConfigMap containing extra env vars | nil |
extraEnvVarsSecret |
Name of existing Secret containing extra env vars | nil |
WordPress deployment parameters
| Parameter | Description | Default |
|---|---|---|
replicaCount |
Number of WordPress Pods to run | 1 |
containerPorts.http |
HTTP port to expose at container level | 8080 |
containerPorts.https |
HTTPS port to expose at container level | 8443 |
podSecurityContext |
WordPress pods' Security Context | Check values.yaml file |
containerSecurityContext |
WordPress containers' Security Context | Check values.yaml file |
resources.limits |
The resources limits for the WordPress container | {} |
resources.requests |
The requested resources for the WordPress container | {"memory": "512Mi", "cpu": "300m"} |
livenessProbe |
Liveness probe configuration for WordPress | Check values.yaml file |
readinessProbe |
Readiness probe configuration for WordPress | Check values.yaml file |
customLivenessProbe |
Override default liveness probe | nil |
customReadinessProbe |
Override default readiness probe | nil |
updateStrategy |
Set up update strategy | RollingUpdate |
schedulerName |
Name of the alternate scheduler | nil |
podAntiAffinityPreset |
Pod anti-affinity preset. Ignored if affinity is set. Allowed values: soft or hard |
soft |
nodeAffinityPreset.type |
Node affinity preset type. Ignored if affinity is set. Allowed values: soft or hard |
"" |
nodeAffinityPreset.key |
Node label key to match. Ignored if affinity is set. |
"" |
nodeAffinityPreset.values |
Node label values to match. Ignored if affinity is set. |
[] |
affinity |
Affinity for pod assignment | {} (evaluated as a template) |
nodeSelector |
Node labels for pod assignment | {} (evaluated as a template) |
tolerations |
Tolerations for pod assignment | [] (evaluated as a template) |
podLabels |
Extra labels for WordPress pods | {} |
podAnnotations |
Annotations for WordPress pods | {} |
extraVolumeMounts |
Additional volume mounts | [] |
extraVolumes |
Additional volumes | [] |
initContainers |
Add additional init containers to the WordPress pods | {} (evaluated as a template) |
sidecars |
Attach additional sidecar containers to the pod | {} (evaluated as a template) |
Exposure parameters
| Parameter | Description | Default |
|---|---|---|
service.type |
Kubernetes Service type | LoadBalancer |
service.port |
Service HTTP port | 80 |
service.httpsPort |
Service HTTPS port | 443 |
service.httpsTargetPort |
Service Target HTTPS port | https |
service.nodePorts.http |
Kubernetes http node port | "" |
service.nodePorts.https |
Kubernetes https node port | "" |
service.extraPorts |
Extra ports to expose in the service (normally used with the sidecar value) |
nil |
service.clusterIP |
WordPress service clusterIP IP | None |
service.loadBalancerSourceRanges |
Restricts access for LoadBalancer (only with service.type: LoadBalancer) |
[] |
service.loadBalancerIP |
loadBalancerIP if service type is LoadBalancer |
nil |
service.externalTrafficPolicy |
Enable client source IP preservation | Cluster |
service.annotations |
Service annotations | {} (evaluated as a template) |
ingress.enabled |
Enable ingress controller resource | false |
ingress.certManager |
Add annotations for cert-manager | false |
ingress.hostname |
Default host for the ingress resource | wordpress.local |
ingress.path |
Default path for the ingress resource | / |
ingress.tls |
Create TLS Secret | false |
ingress.annotations |
Ingress annotations | [] (evaluated as a template) |
ingress.extraHosts[0].name |
Additional hostnames to be covered | nil |
ingress.extraHosts[0].path |
Additional hostnames to be covered | nil |
ingress.extraPaths |
Additional arbitrary path/backend objects | nil |
ingress.extraTls[0].hosts[0] |
TLS configuration for additional hostnames to be covered | nil |
ingress.extraTls[0].secretName |
TLS configuration for additional hostnames to be covered | nil |
ingress.secrets[0].name |
TLS Secret Name | nil |
ingress.secrets[0].certificate |
TLS Secret Certificate | nil |
ingress.secrets[0].key |
TLS Secret Key | nil |
Persistence parameters
| Parameter | Description | Default |
|---|---|---|
persistence.enabled |
Enable persistence using PVC | true |
persistence.existingClaim |
Enable persistence using an existing PVC | nil |
persistence.storageClass |
PVC Storage Class | nil (uses alpha storage class annotation) |
persistence.accessMode |
PVC Access Mode | ReadWriteOnce |
persistence.size |
PVC Storage Request | 10Gi |
persistence.dataSource |
PVC data source | {} |
Database parameters
| Parameter | Description | Default |
|---|---|---|
mariadb.enabled |
Deploy MariaDB container(s) | true |
mariadb.architecture |
MariaDB architecture (standalone or replication) |
standalone |
mariadb.auth.rootPassword |
Password for the MariaDB root user |
random 10 character alphanumeric string |
mariadb.auth.database |
Database name to create | bitnami_wordpress |
mariadb.auth.username |
Database user to create | bn_wordpress |
mariadb.auth.password |
Password for the database | random 10 character long alphanumeric string |
mariadb.primary.persistence.enabled |
Enable database persistence using PVC | true |
mariadb.primary.persistence.accessModes |
Database Persistent Volume Access Modes | [ReadWriteOnce] |
mariadb.primary.persistence.size |
Database Persistent Volume Size | 8Gi |
externalDatabase.host |
Host of the external database | localhost |
externalDatabase.user |
Existing username in the external db | bn_wordpress |
externalDatabase.password |
Password for the above username | nil |
externalDatabase.database |
Name of the existing database | bitnami_wordpress |
externalDatabase.port |
Database port number | 3306 |
externalDatabase.existingSecret |
Name of the database existing Secret Object | nil |
Volume Permissions parameters
| Parameter | Description | Default |
|---|---|---|
volumePermissions.enabled |
Enable init container that changes the owner and group of the persistent volume(s) mountpoint to runAsUser:fsGroup |
false |
volumePermissions.image.registry |
Init container volume-permissions image registry | docker.io |
volumePermissions.image.repository |
Init container volume-permissions image name | bitnami/bitnami-shell |
volumePermissions.image.tag |
Init container volume-permissions image tag | "10" |
volumePermissions.image.pullPolicy |
Init container volume-permissions image pull policy | Always |
volumePermissions.image.pullSecrets |
Specify docker-registry secret names as an array | [] (does not add image pull secrets to deployed pods) |
volumePermissions.resources.limits |
Init container volume-permissions resource limits | {} |
volumePermissions.resources.requests |
Init container volume-permissions resource requests | {} |
volumePermissions.securityContext.* |
Other container security context to be included as-is in the container spec | {} |
volumePermissions.securityContext.runAsUser |
User ID for the init container (when facing issues in OpenShift or uid unknown, try value "auto") | 0 |
Metrics parameters
| Parameter | Description | Default |
|---|---|---|
metrics.enabled |
Start a side-car prometheus exporter | false |
metrics.image.registry |
Apache exporter image registry | docker.io |
metrics.image.repository |
Apache exporter image name | bitnami/apache-exporter |
metrics.image.tag |
Apache exporter image tag | {TAG_NAME} |
metrics.image.pullPolicy |
Image pull policy | IfNotPresent |
metrics.image.pullSecrets |
Specify docker-registry secret names as an array | [] (does not add image pull secrets to deployed pods) |
metrics.service.port |
Service Metrics port | 9117 |
metrics.service.annotations |
Annotations for enabling prometheus to access the metrics endpoints | {prometheus.io/scrape: "true", prometheus.io/port: "9117"} |
metrics.resources.limits |
The resources limits for the metrics exporter container | {} |
metrics.resources.requests |
The requested resources for the metrics exporter container | {} |
metrics.serviceMonitor.enabled |
Create ServiceMonitor Resource for scraping metrics using PrometheusOperator | false |
metrics.serviceMonitor.namespace |
Namespace where servicemonitor resource should be created | nil |
metrics.serviceMonitor.interval |
Specify the interval at which metrics should be scraped | 30s |
metrics.serviceMonitor.scrapeTimeout |
Specify the timeout after which the scrape is ended | nil |
metrics.serviceMonitor.relabellings |
Specify Metric Relabellings to add to the scrape endpoint | nil |
metrics.serviceMonitor.honorLabels |
honorLabels chooses the metric's labels on collisions with target labels. | false |
metrics.serviceMonitor.additionalLabels |
Used to pass Labels that are required by the Installed Prometheus Operator | {} |
Other parameters
| Parameter | Description | Default |
|---|---|---|
pdb.create |
Enable/disable a Pod Disruption Budget creation | false |
pdb.minAvailable |
Minimum number/percentage of pods that should remain scheduled | 1 |
pdb.maxUnavailable |
Maximum number/percentage of pods that may be made unavailable | nil |
autoscaling.enabled |
Enable autoscaling for WordPress | false |
autoscaling.minReplicas |
Minimum number of WordPress replicas | 1 |
autoscaling.maxReplicas |
Maximum number of WordPress replicas | 11 |
autoscaling.targetCPU |
Target CPU utilization percentage | nil |
autoscaling.targetMemory |
Target Memory utilization percentage | nil |
The above parameters map to the env variables defined in bitnami/wordpress. For more information please refer to the bitnami/wordpress image documentation.
Specify each parameter using the --set key=value[,key=value] argument to helm install. For example,
helm install my-release \
--set wordpressUsername=admin \
--set wordpressPassword=password \
--set mariadb.auth.rootPassword=secretpassword \
bitnami/wordpress
The above command sets the WordPress administrator account username and password to admin and password respectively. Additionally, it sets the MariaDB root user password to secretpassword.
NOTE: Once this chart is deployed, it is not possible to change the application's access credentials, such as usernames or passwords, using Helm. To change these application credentials after deployment, delete any persistent volumes (PVs) used by the chart and re-deploy it, or use the application's built-in administrative tools if available.
Alternatively, a YAML file that specifies the values for the above parameters can be provided while installing the chart. For example,
helm install my-release -f values.yaml bitnami/wordpress
Tip
: You can use the default values.yaml
Configuration and installation details
Rolling VS Immutable tags
It is strongly recommended to use immutable tags in a production environment. This ensures your deployment does not change automatically if the same tag is updated with a different image.
Bitnami will release a new chart updating its containers if a new version of the main container, significant changes, or critical vulnerabilities exist.
Known limitations
When performing admin operations that require activating the maintenance mode (such as updating a plugin or theme), it's activated in only one replica (see: bug report). This implies that WP could be attending requests on other replicas while performing admin operations, with unpredictable consequences.
To avoid that, you can manually activate/deactivate the maintenance mode on every replica using the WP CLI. For instance, if you installed WP with three replicas, you can run the commands below to activate the maintenance mode in all of them (assuming that the release name is wordpress):
kubectl exec $(kubectl get pods -l app.kubernetes.io/name=wordpress -o jsonpath='{.items[0].metadata.name}') -c wordpress -- wp maintenance-mode activate
kubectl exec $(kubectl get pods -l app.kubernetes.io/name=wordpress -o jsonpath='{.items[1].metadata.name}') -c wordpress -- wp maintenance-mode activate
kubectl exec $(kubectl get pods -l app.kubernetes.io/name=wordpress -o jsonpath='{.items[2].metadata.name}') -c wordpress -- wp maintenance-mode activate
Additional environment variables
In case you want to add extra environment variables (useful for advanced operations like custom init scripts), you can use the extraEnvVars property.
wordpress:
extraEnvVars:
- name: LOG_LEVEL
value: error
Alternatively, you can use a ConfigMap or a Secret with the environment variables. To do so, use the extraEnvVarsCM or the extraEnvVarsSecret values.
Sidecars
If additional containers are needed in the same pod as WordPress (such as additional metrics or logging exporters), they can be defined using the sidecars parameter. If these sidecars export extra ports, extra port definitions can be added using the service.extraPorts parameter. Learn more about configuring and using sidecar containers.
External database support
You may want to have WordPress connect to an external database rather than installing one inside your cluster. Typical reasons for this are to use a managed database service, or to share a common database server for all your applications. To achieve this, the chart allows you to specify credentials for an external database with the externalDatabase parameter. You should also disable the MariaDB installation with the mariadb.enabled option. Here is an example:
mariadb.enabled=false
externalDatabase.host=myexternalhost
externalDatabase.user=myuser
externalDatabase.password=mypassword
externalDatabase.database=mydatabase
externalDatabase.port=3306
Refer to the documentation on using an external database with WordPress and the tutorial on integrating WordPress with a managed cloud database for more information.
Pod affinity
This chart allows you to set your custom affinity using the affinity parameter. Find more information about Pod affinity in the kubernetes documentation.
As an alternative, use one of the preset configurations for pod affinity, pod anti-affinity, and node affinity available at the bitnami/common chart. To do so, set the podAffinityPreset, podAntiAffinityPreset, or nodeAffinityPreset parameters.
Ingress
This chart provides support for Ingress resources. If an Ingress controller, such as nginx-ingress or traefik, that Ingress controller can be used to serve WordPress.
To enable Ingress integration, set ingress.enabled to true. The ingress.hostname property can be used to set the host name. The ingress.tls parameter can be used to add the TLS configuration for this host. It is also possible to have more than one host, with a separate TLS configuration for each host. Learn more about configuring and using Ingress.
TLS secrets
The chart also facilitates the creation of TLS secrets for use with the Ingress controller, with different options for certificate management. Learn more about TLS secrets.
.htaccess files
For performance and security reasons, it is a good practice to configure Apache with the AllowOverride None directive. Instead of using .htaccess files, Apache will load the same directives at boot time. These directives are located in /opt/bitnami/wordpress/wordpress-htaccess.conf.
By default, the container image includes all the default .htaccess files in WordPress (together with the default plugins). To enable this feature, install the chart with the value allowOverrideNone=yes.
Learn more about working with .htaccess files.
Persistence
The Bitnami WordPress image stores the WordPress data and configurations at the /bitnami path of the container. Persistent Volume Claims are used to keep the data across deployments. Learn more about persistence in the chart documentation.
Troubleshooting
Find more information about how to deal with common errors related to Bitnami’s Helm charts in this troubleshooting guide.
Upgrading
To 10.0.0
On November 13, 2020, Helm v2 support was formally finished, this major version is the result of the required changes applied to the Helm Chart to be able to incorporate the different features added in Helm v3 and to be consistent with the Helm project itself regarding the Helm v2 EOL.
Learn more about this change and related upgrade considerations.
Additional upgrade notes
- MariaDB dependency version was bumped to a new major version that introduces several incompatabilitees. Therefore, backwards compatibility is not guaranteed unless an external database is used. Check MariaDB Upgrading Notes for more information.
- If you want to upgrade to this version from a previous one installed with Helm v3, there are two alternatives:
- Install a new WordPress chart, and migrate your WordPress site using backup/restore tools such as VaultPress or All-in-One WP Migration.
- Reuse the PVC used to hold the MariaDB data on your previous release. To do so, follow the instructions below (the following example assumes that the release name is
wordpress).
Warning: please create a backup of your database before running any of these actions. The steps below would be only valid if your application (e.g. any plugins or custom code) is compatible with MariaDB 10.5.
Obtain the credentials and the name of the PVC used to hold the MariaDB data on your current release:
$ export WORDPRESS_PASSWORD=$(kubectl get secret --namespace default wordpress -o jsonpath="{.data.wordpress-password}" | base64 --decode)
$ export MARIADB_ROOT_PASSWORD=$(kubectl get secret --namespace default wordpress-mariadb -o jsonpath="{.data.mariadb-root-password}" | base64 --decode)
$ export MARIADB_PASSWORD=$(kubectl get secret --namespace default wordpress-mariadb -o jsonpath="{.data.mariadb-password}" | base64 --decode)
$ export MARIADB_PVC=$(kubectl get pvc -l app.kubernetes.io/instance=wordpress,app.kubernetes.io/name=mariadb,app.kubernetes.io/component=primary -o jsonpath="{.items[0].metadata.name}")
Upgrade your release (maintaining the version) disabling MariaDB and scaling WordPress replicas to 0:
$ helm upgrade wordpress bitnami/wordpress --set wordpressPassword=$WORDPRESS_PASSWORD --set replicaCount=0 --set mariadb.enabled=false --version 9.6.4
Finally, upgrade you release to 10.0.0 reusing the existing PVC, and enabling back MariaDB:
$ helm upgrade wordpress bitnami/wordpress --set mariadb.primary.persistence.existingClaim=$MARIADB_PVC --set mariadb.auth.rootPassword=$MARIADB_ROOT_PASSWORD --set mariadb.auth.password=$MARIADB_PASSWORD --set wordpressPassword=$WORDPRESS_PASSWORD
You should see the lines below in MariaDB container logs:
$ kubectl logs $(kubectl get pods -l app.kubernetes.io/instance=wordpress,app.kubernetes.io/name=mariadb,app.kubernetes.io/component=primary -o jsonpath="{.items[0].metadata.name}")
...
mariadb 12:13:24.98 INFO ==> Using persisted data
mariadb 12:13:25.01 INFO ==> Running mysql_upgrade
...
To 9.0.0
The Bitnami WordPress image was migrated to a "non-root" user approach. Previously the container ran as the root user and the Apache daemon was started as the daemon user. From now on, both the container and the Apache daemon run as user 1001. You can revert this behavior by setting the parameters securityContext.runAsUser, and securityContext.fsGroup to 0.
Chart labels and Ingress configuration were also adapted to follow the Helm charts best practices.
Consequences:
- The HTTP/HTTPS ports exposed by the container are now
8080/8443instead of80/443. - No writing permissions will be granted on
wp-config.phpby default. - Backwards compatibility is not guaranteed.
To upgrade to 9.0.0, it's recommended to install a new WordPress chart, and migrate your WordPress site using backup/restore tools such as VaultPress or All-in-One WP Migration.
To 8.0.0
Helm performs a lookup for the object based on its group (apps), version (v1), and kind (Deployment). Also known as its GroupVersionKind, or GVK. Changing the GVK is considered a compatibility breaker from Kubernetes' point of view, so you cannot "upgrade" those objects to the new GVK in-place. Earlier versions of Helm 3 did not perform the lookup correctly which has since been fixed to match the spec.
In https://github.com/helm/charts/pulls/12642 the apiVersion of the deployment resources was updated to apps/v1 in tune with the api's deprecated, resulting in compatibility breakage.
This major version signifies this change.
To 3.0.0
Backwards compatibility is not guaranteed unless you modify the labels used on the chart's deployments.
Use the workaround below to upgrade from versions previous to 3.0.0. The following example assumes that the release name is wordpress:
kubectl patch deployment wordpress-wordpress --type=json -p='[{"op": "remove", "path": "/spec/selector/matchLabels/chart"}]'
kubectl delete statefulset wordpress-mariadb --cascade=false