Tags: wordpress, kubernetes, environment-variables, kubernetes-helm

Why is the WordPress Helm chart not able to connect to Azure MariaDB with SSL enabled?


I have a managed MariaDB with SSL enabled deployed in Azure, and I created a service of type "external" named "mysql" within my k8s cluster.

Then I created a secret like the following:

kubectl create secret generic ca-cert --from-file=ca-cert=./BaltimoreCyberTrustRoot.crt.pem -n app

PS: I got BaltimoreCyberTrustRoot.crt.pem from:

wget https://www.digicert.com/CACerts/BaltimoreCyberTrustRoot.crt.pem

Then I deployed WordPress:

helm template wp azure-marketplace/wordpress -n app --create-namespace -f values.yml

where values.yml looks like:

##############################PART1########################
#pvc wordpress
persistence:
  enabled: false

#pvc mariadb
mariadb:
  enabled: false 

externalDatabase:
  host: mysql
  port: 3306
  user: benighil@benighil 
  password: "SomePassword"
  database: bitnami_wordpress

##############################PART2########################
extraEnvVars:
  - name: "WORDPRESS_DATABASE_SSL_CA_FILE"
    value: /tmp/ca-cert

## Additional volume mounts
## Example: Mount CA file
extraVolumeMounts:
  - name: ca-cert
    mountPath: /tmp

## Additional volumes
## Example: Add secret volume
extraVolumes:
 - name: ca-cert
   secret:
     secretName: ca-cert

But the pod's logs give:

wordpress 22:08:07.00 ERROR ==> Could not connect to the database

NOTE1: When I exec into the pod and run env | grep WORDPRESS_DATABASE_SSL_CA_FILE, it gives WORDPRESS_DATABASE_SSL_CA_FILE=/tmp/ca-cert, and when I run cat /tmp/ca-cert it shows its content normally.

NOTE2: The credentials are CORRECT, because when I disable SSL on MariaDB and delete the whole PART2 from values.yml, it works fine!

Any help please?


Solution

  • So make sure that the DB exists on the Azure MariaDB server. The second thing is that the tmp path is further used by the daemon, so certs should not be mounted there, but somewhere where the daemon can read them.

    wordpress 04:19:09.91 INFO  ==> Persisting WordPress installation
    /opt/bitnami/scripts/libpersistence.sh: line 51: /tmp/perms.acl: Read-only file system
    

    So make the changes below and it should work:

    extraEnvVars:
      - name: "WORDPRESS_DATABASE_SSL_CA_FILE"
        value: /opt/bitnami/wordpress/tmp/ca-cert
      - name: WORDPRESS_ENABLE_DATABASE_SSL
        value: "yes"
    
    ## Additional volume mounts
    ## Example: Mount CA file
    extraVolumeMounts:
      - name: ca-cert
        mountPath: /opt/bitnami/wordpress/tmp
    
    

    Or you will have to set extra params for the same path:

      containerSecurityContext:
        enabled: true
        privileged: false
        allowPrivilegeEscalation: false
        ## Requires mounting an `extraVolume` of type `emptyDir` into /tmp
        ##
        readOnlyRootFilesystem: false
        capabilities:
          drop:
            - ALL
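
As an added example (not part of the original answer and not the chart's own code), the Python check below lints a parsed values.yml for the two problems this thread ran into: a read-only secret volume mounted over /tmp, and a CA file configured without WORDPRESS_ENABLE_DATABASE_SSL. The function name, the sample dicts and the list of writable directories are assumptions made for illustration.

```python
# Added example: lint chart values for the two problems discussed on this page.
# Volume types that Kubernetes mounts read-only.
READ_ONLY_VOLUME_TYPES = ("secret", "configMap", "downwardAPI", "projected")
# Directories the container writes to; /tmp is taken from the log line in the answer.
WRITABLE_DIRS = ("/tmp",)


def lint_values(values, writable_dirs=WRITABLE_DIRS):
    """Return a list of findings for a parsed values.yml (a dict)."""
    findings = []
    ro_volumes = {
        v["name"] for v in values.get("extraVolumes", [])
        if any(t in v for t in READ_ONLY_VOLUME_TYPES)
    }
    mounts = values.get("extraVolumeMounts", [])
    for m in mounts:
        path = m["mountPath"].rstrip("/") or "/"
        # A read-only volume mounted on a directory replaces it, so writes fail.
        if m["name"] in ro_volumes and path in writable_dirs:
            findings.append(f"read-only volume '{m['name']}' hides writable dir {path}")
    env = {e["name"]: e.get("value") for e in values.get("extraEnvVars", [])}
    ca_file = env.get("WORDPRESS_DATABASE_SSL_CA_FILE")
    if ca_file:
        # The answer's fix sets this variable next to the CA file path.
        if env.get("WORDPRESS_ENABLE_DATABASE_SSL") != "yes":
            findings.append("CA file set but WORDPRESS_ENABLE_DATABASE_SSL is not 'yes'")
        if not any(ca_file.startswith(m["mountPath"].rstrip("/") + "/") for m in mounts):
            findings.append(f"CA file {ca_file} is not under any extraVolumeMounts path")
    return findings


# Constructed sample input mirroring PART2 of the question's values.yml.
SECRET_VOLUME = [{"name": "ca-cert", "secret": {"secretName": "ca-cert"}}]
QUESTION_VALUES = {
    "extraEnvVars": [{"name": "WORDPRESS_DATABASE_SSL_CA_FILE", "value": "/tmp/ca-cert"}],
    "extraVolumeMounts": [{"name": "ca-cert", "mountPath": "/tmp"}],
    "extraVolumes": SECRET_VOLUME,
}
# Constructed sample input mirroring the answer's corrected values.
ANSWER_VALUES = {
    "extraEnvVars": [
        {"name": "WORDPRESS_DATABASE_SSL_CA_FILE", "value": "/opt/bitnami/wordpress/tmp/ca-cert"},
        {"name": "WORDPRESS_ENABLE_DATABASE_SSL", "value": "yes"},
    ],
    "extraVolumeMounts": [{"name": "ca-cert", "mountPath": "/opt/bitnami/wordpress/tmp"}],
    "extraVolumes": SECRET_VOLUME,
}

if __name__ == "__main__":
    for label, vals in (("question", QUESTION_VALUES), ("answer", ANSWER_VALUES)):
        print(label, lint_values(vals) or "no findings")
```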