使用k8s搭建一个https的wordpress无坑版

没有想到用k8s搭https版的wordpress能耗时这么久，还搭上了我的基友slash先生，既然这么费事，就记录下来吧。欢迎转载，转载请注明出处，谢谢。至于为什么我们的网站已经隐藏了server的版本，但是本文却大方地给出了实际版本，理由：任性，哈哈。

首先选用了kubeadm来启动一个单节点的k8s，runtime采用的是containerd，这样比较轻量，随着k8s进一步解耦docker，我也随波逐流，初始化的镜像仓库选择了docker.io/gotok8s，更新还是很及时的，本次采用了阿里云的镜像加速，下面是本次部署的大致架构图，图片来自slash，网站入口的nginx也是容器部署，采用hostnetwork。

wordpress镜像选用docker.io/library/wordpress:5.8.3-fpm，镜像默认不自带nginx，这里手动添加了nginx的镜像，wordpress用到数据库，这里选用了mysql，镜像为docker.io/library/mysql:5.7，服务用到的pvc均来自自建nfs做了stroageclass。网站的证书直接在腾讯云申请的，流程简单，免费好用（白嫖最香），缺点是有效期一年，一年后要重新申请。开始吧！

一、首先是mysql

采用无头的方式，单节点deployment部署，密码env挂载secret，secret有多种创建方式，如命令行

kubectl create secret mysql-pass --password='xxxxxx'

apiVersion: v1
kind: Service
metadata:name: mysqllabels:app: mysql
spec:ports:- port: 3306selector:app: mysqlclusterIP: None
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:name: mysql-pv-claimannotations:volume.beta.kubernetes.io/storage-class: "nfs-storage"labels:app: mysql
spec:accessModes:- ReadWriteOnceresources:requests:storage: 5Gi
---
apiVersion: apps/v1
kind: Deployment
metadata:name: mysqllabels:app: mysql
spec:selector:matchLabels:app: mysqlstrategy:type: Recreatetemplate:metadata:labels:app: mysqlspec:containers:- image: docker.io/library/mysql:5.7imagePullPolicy: IfNotPresentname: mysqlenv:- name: MYSQL_ROOT_PASSWORDvalueFrom:secretKeyRef:name: mysql-passkey: passwordports:- containerPort: 3306name: mysqlvolumeMounts:- name: mysql-storagemountPath: /var/lib/mysqlvolumes:- name: mysql-storagepersistentVolumeClaim:claimName: mysql-pv-claim

apply后进入mysql的pod创建数据库wordpress。

二、wordpress的相关yaml

wordpress的pod中加入了nginx的容器，做了configmap挂载替换默认default.conf，nginx的configmap如下

apiVersion: v1
kind: ConfigMap
metadata:name: wordpress-configs
data:default.conf: |server {listen 80 default_server;client_max_body_size 20m;root /var/www/html;index index.php index.html index.htm;location ~ \.php$ {fastcgi_pass   127.0.0.1:9000;fastcgi_index  index.php;fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;include        fastcgi_params;}}

wordpress中的环境变量以secret的方式挂载，secret的yaml文件如下，自行修改user和password

apiVersion: v1
kind: Secret
metadata:name: wordpress-secrets
stringData:WORDPRESS_DB_HOST: "wordpress-mysql"WORDPRESS_DB_USER: "xxxxx"WORDPRESS_DB_PASSWORD: "xxxxx"

下面是wordpress相关的svc、pvc、deployment

apiVersion: v1
kind: Service
metadata:name: wordpress labels:app: wordpress
spec:ports:- name: httpport: 80targetPort: http selector:app: wordpresstype: ClusterIP
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:name: wp-pv-claimannotations:volume.beta.kubernetes.io/storage-class: "nfs-storage"labels:app: wordpress
spec:accessModes:- ReadWriteOnceresources:requests:storage: 5Gi
---
apiVersion: apps/v1
kind: Deployment
metadata:name: wordpresslabels:app: wordpress
spec:selector:matchLabels:app: wordpressstrategy:type: Recreatetemplate:metadata:labels:app: wordpressspec:containers:- image: docker.io/library/wordpress:5.8.3-fpmname: wordpressenvFrom:- secretRef:name: wordpress-secretsvolumeMounts:- mountPath: /var/www/htmlname: storage- image: docker.io/nginx:1.21.0name: nginxports:- containerPort: 80name: httpvolumeMounts:- mountPath: /etc/nginx/conf.dname: configs- mountPath: /var/www/htmlname: storagevolumes:- name: storagepersistentVolumeClaim:claimName: wp-pv-claim- name: configsconfigMap:name: wordpress-configs

三、用于反向代理的nginx

配置文件也用configmap挂载，包括主配置文件nginx.conf和虚拟主机配置文件haifeihai.com.conf。
注意wordpress经过代理以后使用https时，静态资源还是http的方式请求，会导致无限跳转，所以可以在代理的nginx处加入 proxy_set_header X-Forwarded-Proto $scheme; 以解决这个问题，在wordpress的官方文档也提到了这个特性https://wordpress.org/support/article/administration-over-ssl/#using-a-reverse-proxy

apiVersion: v1
kind: ConfigMap
metadata:name: nginx-configs
data:nginx.conf: |user www-data;worker_processes auto;#error_log /var/log/nginx/error.log;pid /run/nginx.pid;# Load dynamic modules. See /usr/share/doc/nginx/README.dynamic.include /usr/share/nginx/modules/*.conf;events {worker_connections 10240;use epoll;}http {log_format  main  '$remote_addr - $remote_user &#91;$time_local] "$request" ''$status $body_bytes_sent "$http_referer" ''"$http_user_agent" "$http_x_forwarded_for"';access_log  /var/log/nginx/access.log  main;server_names_hash_bucket_size 512;   server_tokens       off;sendfile            on;tcp_nopush          on;keepalive_timeout   65;types_hash_max_size 4096;gzip  on;gzip_min_length 1k;gzip_buffers 16 8k;gzip_comp_level 4;gzip_proxied any;gzip_typestext/xml application/xml application/atom+xml application/rss+xml application/xhtml+xmltext/javascript application/javascript application/x-javascripttext/x-json application/json application/x-web-app-manifest+jsontext/css text/plain text/x-componentfont/opentype application/x-font-ttf application/vnd.ms-fontobjectimage/x-icon image/svg+xml;gzip_disable "MSIE &#91;1-6]\.(?!.*SV1)";include             /etc/nginx/mime.types;default_type        application/octet-stream;ssl_protocols TLSv1 TLSv1.1 TLSv1.2;ssl_session_cache shared:SSL:1m;ssl_session_timeout  10m;ssl_ciphers HIGH:!aNULL:!MD5;ssl_prefer_server_ciphers on;proxy_set_header Host $http_host;proxy_set_header X-Real-IP $remote_addr;proxy_set_header X-Forwarded-For $remote_addr;proxy_set_header X-Forwarded-Proto $scheme;include /etc/nginx/conf.d/*.conf;}haifeihai.com.conf: |server {listen 80;listen 443 ssl;server_name  www.haifeihai.com haifeihai.com;ssl_certificate   ssl/tls.crt;ssl_certificate_key  ssl/tls.key;resolver 10.2.0.10;location /favicon.ico {return 204;}location / {if ($host ~ "^hai") {return 301 https://www.$http_host$request_uri;}if ($ssl_protocol = "") {return 301 https://$http_host$request_uri;}set $upstream_name wordpress.default.svc.cluster.local;proxy_pass   http://$upstream_name;}}

本次使用了https，所以将申请的免费证书以secret的形式挂载，创建tls类型的secret，自行修改获得的证书路径和私钥路径，tls类型的secret创建时会自动将key修改为tls.key和tls.crt的。

kubectl create secret tls haifeihai-secret --cert=haifeihai.com_bundle.crt --key=haifeihai.com.key

反向代理ngixn的deployment，之前也提到了，为了方便解析，使用hostnetwork。

apiVersion: apps/v1
kind: Deployment
metadata:name: nginx
spec:selector:matchLabels:app: nginxstrategy:type: Recreatetemplate:metadata:labels:app: nginxspec:hostNetwork: truednsPolicy: ClusterFirstWithHostNetcontainers:- image: docker.io/nginx:1.21.0name: nginxvolumeMounts:- mountPath: /etc/nginx/nginx.confname: configssubPath: nginx.conf- mountPath: /etc/nginx/conf.d/default.confname: configssubPath: haifeihai.com.conf- mountPath: /etc/nginx/ssl/tls.crtname: certssubPath: tls.crt- mountPath: /etc/nginx/ssl/tls.keyname: certssubPath: tls.keyvolumes:- name: configsconfigMap:name: nginx-configs- name: certssecret:secretName: haifeihai-secrets

apply后便可以完成，到此便已完成了使用k8s部署https的wordpress。欢迎访问个人博客www.haifeihai.com