07 Dec 2018

WordPress Docker Image with MySQL Client SSL

As part of an ongoing experiment with Kubernetes and lots of WordPress instances I wanted to set up a site that talked to an Amazon RDS MySQL database. The unknown part was how to do this over SSL using the WordPress docker image...

In my experience WordPress is often in an environment where the MySQL server is either running locally or on another machine that is accessible via some private network. In this case, however, neither of those scenarios matches. Our WordPress instance and database are just directly on the public internet in different places. If we want to talk between them we had best secure the connection, otherwise all our data will just be in plaintext for anyone to see.

Now according to this trusty StackOverflow answer we can set a flag in our wp-config.php (the main WordPress configuration file) to get the MySQL connection to happen over SSL.

define('MYSQL_CLIENT_FLAGS', MYSQLI_CLIENT_SSL);

This isn’t a WordPress specific setting, rather a MySQLi setting to say ‘Use SSL (encryption)’. Our AWS database is already configured correctly so nothing further to do that side.

Now the question is, how do you set this with the WordPress docker image? Whenever I’ve used this image before I have set the configuration with environment variables, e.g. WORDPRESS_DB_HOSTNAME, WORDPRESS_DB_USER etc. Is there one for MYSQL flags?

Not knowing how the WordPress image is put together I spun up an instance then had a poke around using docker exec -it 123-id-here /bin/bash as usual to get a shell.

cd /
# Let's just brute force search everything!
fgrep -rn WORDPRESS_ 2> /dev/null

usr/local/bin/docker-entrypoint.sh:77:  # environment variables with a "WORDPRESS_" prefix (ie, "WORDPRESS_AUTH_KEY")
usr/local/bin/docker-entrypoint.sh:89:          WORDPRESS_DB_HOST
usr/local/bin/docker-entrypoint.sh:90:          WORDPRESS_DB_USER
usr/local/bin/docker-entrypoint.sh:91:          WORDPRESS_DB_PASSWORD
usr/local/bin/docker-entrypoint.sh:92:          WORDPRESS_DB_NAME
usr/local/bin/docker-entrypoint.sh:93:          WORDPRESS_DB_CHARSET
[...]

Now we are getting somewhere. It’s probably obvious to those more familiar with the image that this is where the environment variables are used but I had to go looking for it — you don’t know what you don’t know.

A scan of the docker-entrypoint.sh shows that there isn’t really anything suitable for setting MySQL flags or any other settings beyond the usual set. However, it turns out those environment variables are just a convenient way to spin up a WordPress docker image and have it write out a wp-config.php file. If you don’t set any of the WORDPRESS_ environment variables then the file is not written. This sounds promising! If we avoid setting the variables and just write out our own file then we have a solution.

I brought up another instance without setting any WORDPRESS_* variables and sure enough if I look at /var/www/html there is no wp-config.php. For now I am just supplying my own file manually using kubectl cp [src] [dst] and that seems to work great.
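
A hand-written wp-config.php along the lines described above, as an added example rather than the author's actual file. It assumes the settings arrive in environment variables with a hypothetical SITE_ prefix (deliberately not WORDPRESS_, so the entrypoint behaviour described above is not triggered) and sets the SSL client flag.

```php
<?php
// Added example: custom wp-config.php for the WordPress docker image.
// The SITE_* variable names are hypothetical; any prefix other than
// WORDPRESS_ keeps docker-entrypoint.sh from writing its own config file.

// Fail closed: refuse to start with a missing or empty setting rather
// than fall back to a default that might connect somewhere unintended.
function env_required(string $name): string
{
    $value = getenv($name);
    if ($value === false || $value === '') {
        error_log("wp-config: required environment variable {$name} is not set");
        http_response_code(500);
        exit(1);
    }
    return $value;
}

define('DB_NAME',     env_required('SITE_DB_NAME'));
define('DB_USER',     env_required('SITE_DB_USER'));
define('DB_PASSWORD', env_required('SITE_DB_PASSWORD'));
define('DB_HOST',     env_required('SITE_DB_HOST')); // e.g. the RDS endpoint
define('DB_CHARSET',  'utf8mb4');
define('DB_COLLATE',  '');

// The setting this post is about: WordPress hands this value to
// mysqli_real_connect() as the client flags, requesting an SSL connection.
define('MYSQL_CLIENT_FLAGS', MYSQLI_CLIENT_SSL);

// Authentication keys and salts also come from the environment so that
// no secret is baked into the file or the image.
$secret_names = [
    'AUTH_KEY', 'SECURE_AUTH_KEY', 'LOGGED_IN_KEY', 'NONCE_KEY',
    'AUTH_SALT', 'SECURE_AUTH_SALT', 'LOGGED_IN_SALT', 'NONCE_SALT',
];
foreach ($secret_names as $secret_name) {
    define($secret_name, env_required('SITE_' . $secret_name));
}

$table_prefix = 'wp_';
define('WP_DEBUG', false);

if (!defined('ABSPATH')) {
    define('ABSPATH', __DIR__ . '/');
}
require_once ABSPATH . 'wp-settings.php';
```

To confirm a session opened with this flag is actually encrypted, run SHOW SESSION STATUS LIKE 'Ssl_cipher' on it; an empty value means the connection is not using SSL.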
