Wordpress best practice for ci/cd deployment and persistent storage in Kubernetes

Hi, I have a question about getting wordpress set up in Kubernetes. I am setting all this up in GCP and I am using CloudSQL for the database. I have no problems with that but what I do have problems with is when trying to use persistent storage for the wordpress site. I want to know what the best practice is for updating a wordpress site using ci/cd and redeploying it. I looked at the documentation on the wordpress docker site at the “Static image / updates-via-redeploy” section and I was having issues where the persistent storage was being mounted with nothing there. It’s as if my site files that I copy into the container are then getting mounted over by the persistent storage which has nothing in it. I am unsure of how to get the files there and then I want those to update. So if I need to update a plugin I can replace the files and redeploy and the changes would take place.

Here are some yaml files for my wordpress deployment:

Deployment.yaml

apiVersion: apps/v1
kind: Deployment
metadata:
  name: csa-site
  labels:
    app: wordpress
spec:
  replicas: 1
  selector:
    matchLabels:
      app: wordpress
  template:
    metadata:
      labels:
        app: wordpress
    spec:
      containers:
        - image: registry.gitlab.com/jason2462510/csa:latest
          name: csa-site
          env:
          - name: WORDPRESS_DB_HOST
            value: 127.0.0.1:3306
          # These secrets are required to start the pod.
          - name: WORDPRESS_DB_USER
            valueFrom:
              secretKeyRef:
                name: cloudsql-db-credentials
                key: username
          - name: WORDPRESS_DB_NAME
            valueFrom:
              secretKeyRef:
                name: cloudsql-db-credentials
                key: dbname
          - name: WORDPRESS_DB_PASSWORD
            valueFrom:
              secretKeyRef:
                name: cloudsql-db-credentials
                key: password
          ports:
            - containerPort: 80
              name: wordpress
          volumeMounts:
            - name: wordpress-persistent-storage
              mountPath: /var/www/html
        # Change ${INSTANCE_CONNECTION_NAME} here to include your GCP
        # project, the region of your Cloud SQL instance and the name
        # of your Cloud SQL instance. The format is
        # $PROJECT:$REGION:$INSTANCE
        - name: cloudsql-proxy
          image: gcr.io/cloudsql-docker/gce-proxy:1.33.2
          command: ["/cloud_sql_proxy",
                    "-instances=XXXXXXREDACTEDXXXXX:3306",
                    # If running on a VPC, the Cloud SQL proxy can connect via Private IP. See:
                    # https://cloud.google.com/sql/docs/mysql/private-ip for more info.
                    # "-ip_address_types=PRIVATE",
                    "-credential_file=/secrets/cloudsql/key.json"]
          securityContext:
            runAsUser: 2  # non-root user
            allowPrivilegeEscalation: false
          volumeMounts:
            - name: cloudsql-instance-credentials
              mountPath: /secrets/cloudsql
              readOnly: true
      imagePullSecrets:
      - name: gitlab-auth
      volumes:
        - name: wordpress-persistent-storage
          persistentVolumeClaim:
            claimName: wordpress-volumeclaim
        - name: cloudsql-instance-credentials
          secret:
            secretName: cloudsql-instance-credentials

volumeClaim.yaml

# Copyright 2021 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#      http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# [START gke_wordpress_persistent_disks_wordpress_volumeclaim_persistentvolumeclaim_wordpress_volumeclaim]
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
  name: wordpress-volumeclaim
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 30Gi
# [END gke_wordpress_persistent_disks_wordpress_volumeclaim_persistentvolumeclaim_wordpress_volumeclaim]

Dockerfile

FROM wordpress:latest
WORKDIR /usr/src/wordpress

COPY wp-content/ ./wp-content/

Hi
First in you Dockerfile you should change your Apache configuration to use the /usr/src/wordpress directory instead of /var/www/html

FROM wordpress:latest
WORKDIR /usr/src/wordpress

RUN set -eux; \
	find /etc/apache2 -name '*.conf' -type f -exec sed -ri -e "s!/var/www/html!$PWD!g" -e "s!Directory /var/www/!Directory $PWD!g" '{}' +; \
	cp -s wp-config-docker.php wp-config.php

COPY wp-content/ ./wp-content/

Second to have static deployment for Wordpress you should only persist the uploads directory. So the mountpath should be /usr/src/wordpress/wp-content/uploads.

          volumeMounts:
            - name: wordpress-persistent-storage
              mountPath: /usr/src/wordpress/wp-content/uploads

Third to make sure that updates of themes and plugins are only done using the deployment of a new image, you should run the container in read only mode.

      containers:
        - image: registry.gitlab.com/jason2462510/csa:latest
          name: csa-site
          securityContext:
            readOnlyRootFilesystem: true
          volumeMounts:
            - name: wordpress-persistent-storage
              mountPath: /usr/src/wordpress/wp-content/uploads
            - name: tmp-volume
              mountPath: /tmp
            - name: run-volume
              mountPath: /run