
I have a managed MariaDB with SSL enabled deployed in Azure, and I created a service of type "external" named "mysql" within my k8s cluster.

Then I created a secret like the following:

kubectl create secret generic ca-cert --from-file=ca-cert=./BaltimoreCyberTrustRoot.crt.pem -n app

PS: this is where I got BaltimoreCyberTrustRoot.crt.pem from:

wget https://www.digicert.com/CACerts/BaltimoreCyberTrustRoot.crt.pem

Then I deployed WordPress:

helm template wp azure-marketplace/wordpress -n app --create-namespace -f values.yml

where values.yml looks like:

##############################PART1########################
#pvc wordpress
persistence:
  enabled: false

#pvc mariadb
mariadb:
  enabled: false

externalDatabase:
  host: mysql
  port: 3306
  user: benighil@benighil
  password: "SomePassword"
  database: bitnami_wordpress

##############################PART2########################
extraEnvVars:
  - name: "WORDPRESS_DATABASE_SSL_CA_FILE"
    value: /tmp/ca-cert

## Additional volume mounts
## Example: Mount CA file
extraVolumeMounts:
  - name: ca-cert
    mountPath: /tmp

## Additional volumes
## Example: Add secret volume
extraVolumes:
 - name: ca-cert
   secret:
     secretName: ca-cert

But the pod logs give:

wordpress 22:08:07.00 ERROR ==> Could not connect to the database

NOTE1: When I exec into the pod and run env | grep WORDPRESS_DATABASE_SSL_CA_FILE, it gives WORDPRESS_DATABASE_SSL_CA_FILE=/tmp/ca-cert, and when I run cat /tmp/ca-cert it prints its content normally.

NOTE2: The credentials are CORRECT, because when I disable SSL on MariaDB and delete the whole PART2 from values.yml, it works fine!

Any help please?

Mohamed
  • I would avoid bitnami's stuff. Even when they work, their images are a mess ... Trusting a CA, there should be some initContainer running "update-ca-certificates", while /etc/ssl/certs & /usr/local/share/ca-certificates are mounted from emptyDirs and shared with both the initContainer & app container. – SYN Aug 06 '22 at 22:35
  • Hello @SYN, I have not understood, could you please elaborate? – Mohamed Aug 06 '22 at 22:43
  • When you do an openssl s_client -connect from your wordpress container to mysql, I would assume you get a TLS error? If wordpress is not configured to ignore tls verification (https://serverfault.com/a/987740/293779), then you need to trust your CA. One way to do this would be with an initContainer that would run "update-ca-certificates". I'm not sure how to do this in your context/with that helm chart: if you can't figure it out, you can ask on their github, or drop that chart and deploy wordpress yourself. – SYN Aug 06 '22 at 23:05
  • Actually, the only certificate I have is: https://www.digicert.com/CACerts/BaltimoreCyberTrustRoot.crt.pem (got it from: https://learn.microsoft.com/en-us/azure/mariadb/concepts-ssl-connection-security) – Mohamed Aug 06 '22 at 23:09
  • OK. And? Does openssl s_client -connect successfully verify the mysql server certificate? – SYN Aug 06 '22 at 23:43
  • Debug logs can help. Are you sure that the database exists in Azure MariaDB? `image: debug: true`: see the debug logs and it will help you to see the error – Adiii Aug 07 '22 at 01:18
  • Yes, it is MariaDB in Azure. How can I use the debug option? Could you please provide the whole command? – Mohamed Aug 07 '22 at 09:48
  • Add this in the values file and you should be able to see the debug logs – Adiii Aug 07 '22 at 10:11
  • https://github.com/bitnami/azure-marketplace-charts/blob/master/bitnami/wordpress/values.yaml#L91 – Adiii Aug 07 '22 at 10:11
  • Make sure this `bitnami_wordpress` exists in the mariadb – Adiii Aug 07 '22 at 10:12
  • Seems like there are some other issues as well with the image – Adiii Aug 07 '22 at 16:31

1 Answer


So make sure that the DB exists on the Azure MariaDB server, and the second thing is that the tmp path is further used by the daemon, so certs should not be mounted there but somewhere the daemon can read.

wordpress 04:19:09.91 INFO  ==> Persisting WordPress installation
/opt/bitnami/scripts/libpersistence.sh: line 51: /tmp/perms.acl: Read-only file system

So make the changes below and it should work:

extraEnvVars:
  - name: "WORDPRESS_DATABASE_SSL_CA_FILE"
    value: /opt/bitnami/wordpress/tmp/ca-cert
  - name: WORDPRESS_ENABLE_DATABASE_SSL
    value: "yes"

## Additional volume mounts
## Example: Mount CA file
extraVolumeMounts:
  - name: ca-cert
    mountPath: /opt/bitnami/wordpress/tmp

Or you will have to set extra params for the same path:

containerSecurityContext:
  enabled: true
  privileged: false
  allowPrivilegeEscalation: false
  ## Requires mounting an `extraVolume` of type `emptyDir` into /tmp
  ##
  readOnlyRootFilesystem: false
  capabilities:
    drop:
      - ALL
Adiii