Drupal in Kubernetes K3s on Raspberry Pi
# This manifest assumes 'drupal' namespace is already present:
#
#   kubectl create namespace drupal
#
# Apply the manifest with:
#
#   kubectl apply -f drupal.yml
---
kind: ConfigMap
apiVersion: v1
metadata:
  name: drupal-config
  namespace: drupal
data:
  # Note: This is NOT secure. Don't use this in production!
  settings.php: |-
    <?php
    $databases['default']['default'] = [
      'database' => 'drupal',
      'username' => 'drupal',
      'password' => 'drupal',
      'prefix' => '',
      'host' => 'mariadb',
      'port' => '3306',
      'namespace' => 'Drupal\\Core\\Database\\Driver\\mysql',
      'driver' => 'mysql',
    ];
    $settings['hash_salt'] = 'OTk4MTYzYWI4N2E2MGIxNjlmYmQ2MTA4';
    $settings['trusted_host_patterns'] = ['^.+$'];
    $settings['config_sync_directory'] = 'sites/default/files/config_OTk4MTYzY';
---
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
  name: drupal-files-pvc
  namespace: drupal
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 1Gi
---
kind: Deployment
apiVersion: apps/v1
metadata:
  name: drupal
  namespace: drupal
spec:
  replicas: 1
  selector:
    matchLabels:
      app: drupal
  template:
    metadata:
      labels:
        app: drupal
    spec:
      containers:
        - name: drupal
          image: 'drupal:8.8-apache'
          ports:
            - containerPort: 80
          livenessProbe:
            tcpSocket:
              port: 80
            initialDelaySeconds: 60
          readinessProbe:
            tcpSocket:
              port: 80
            initialDelaySeconds: 30
          volumeMounts:
            - mountPath: /var/www/html/sites/default/
              name: drupal-settings
            - mountPath: /var/www/html/sites/default/files/
              name: drupal-files
          resources:
            limits:
              cpu: '1'
              memory: '512Mi'
            requests:
              cpu: '500m'
              memory: '256Mi'
      volumes:
        - name: drupal-settings
          configMap:
            name: drupal-config
        - name: drupal-files
          persistentVolumeClaim:
            claimName: drupal-files-pvc
---
kind: Service
apiVersion: v1
metadata:
  name: drupal
  namespace: drupal
spec:
  type: NodePort
  ports:
    - port: 80
      targetPort: 80
  selector:
    app: drupal
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: drupal
  namespace: drupal
spec:
  rules:
    - host: drupal.10.0.100.99.nip.io
      http:
        paths:
          - path: /
            backend:
              serviceName: drupal
              servicePort: 80

# This manifest assumes 'drupal' namespace is already present:
#
#   kubectl create namespace drupal
#
# Apply the manifest with:
#
#   kubectl apply -f mariadb.yml
---
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
  name: mariadb-pvc
  namespace: drupal
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 1Gi
---
kind: Deployment
apiVersion: apps/v1
metadata:
  name: mariadb
  namespace: drupal
spec:
  replicas: 1
  selector:
    matchLabels:
      app: mariadb
  template:
    metadata:
      labels:
        app: mariadb
    spec:
      containers:
        - name: mariadb
          image: tobi312/rpi-mariadb:10.3
          ports:
            - containerPort: 3306
          env:
            - name: MYSQL_DATABASE
              value: drupal
            - name: MYSQL_USER
              value: drupal
            - name: MYSQL_PASSWORD
              value: drupal
            - name: MYSQL_RANDOM_ROOT_PASSWORD
              value: 'yes'
          volumeMounts:
            - mountPath: /var/lib/mysql/
              name: database
          resources:
            limits:
              cpu: '2'
              memory: '512Mi'
            requests:
              cpu: '500m'
              memory: '256Mi'
      volumes:
        - name: database
          persistentVolumeClaim:
            claimName: mariadb-pvc
---
kind: Service
apiVersion: v1
metadata:
  name: mariadb
  namespace: drupal
spec:
  ports:
    - port: 3306
      targetPort: 3306
  selector:
    app: mariadb
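
The ConfigMap in drupal.yml carries its own "This is NOT secure" note: the database password and hash salt sit in plaintext in a ConfigMap and in the MariaDB `env` list, and `trusted_host_patterns` accepts any Host header. The following is an added example, not part of the original gist, showing one way to move those values into a Secret and pin the trusted host to the Ingress host used above. The Secret name `drupal-secrets`, its key names and the `DRUPAL_*` environment variable names are assumptions made for this illustration.

```yaml
# Added example. Documents 1-2 are complete objects; documents 3-4 are
# fragments to merge by hand into the Deployments (not standalone objects).
---
kind: Secret
apiVersion: v1
metadata:
  name: drupal-secrets        # assumed name
  namespace: drupal
stringData:
  # Placeholders: generate real values and keep them out of version control.
  db-password: REPLACE_ME_DB_PASSWORD
  hash-salt: REPLACE_ME_HASH_SALT
---
kind: ConfigMap
apiVersion: v1
metadata:
  name: drupal-config
  namespace: drupal
data:
  settings.php: |-
    <?php
    $databases['default']['default'] = [
      'database' => 'drupal',
      'username' => 'drupal',
      'password' => getenv('DRUPAL_DB_PASSWORD'),
      'prefix' => '',
      'host' => 'mariadb',
      'port' => '3306',
      'namespace' => 'Drupal\\Core\\Database\\Driver\\mysql',
      'driver' => 'mysql',
    ];
    $settings['hash_salt'] = getenv('DRUPAL_HASH_SALT');
    // Accept only the Ingress host instead of any Host header.
    $settings['trusted_host_patterns'] = ['^drupal\.10\.0\.100\.99\.nip\.io$'];
    $settings['config_sync_directory'] = 'sites/default/files/config_OTk4MTYzY';
---
# Fragment for the 'drupal' container in drupal.yml (sibling of 'ports:').
env:
  - name: DRUPAL_DB_PASSWORD
    valueFrom:
      secretKeyRef: {name: drupal-secrets, key: db-password}
  - name: DRUPAL_HASH_SALT
    valueFrom:
      secretKeyRef: {name: drupal-secrets, key: hash-salt}
---
# Fragment for mariadb.yml: replaces the literal MYSQL_PASSWORD entry.
env:
  - name: MYSQL_PASSWORD
    valueFrom:
      secretKeyRef: {name: drupal-secrets, key: db-password}
```

If `mariadb-pvc` already holds an initialised database, changing `MYSQL_PASSWORD` alone may not change the account's password; that depends on the image's entrypoint. Kubernetes Secrets are only base64-encoded in the API by default, so restricting who can read them with RBAC still matters.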

@mkmojo commented Jul 7, 2020

Hi @geerlingguy,

Thanks for sharing this and creating the YouTube video on how to deploy this to the cluster.
I have learned a lot from the Pi cluster series.

Noticed that you mentioned in both this and the Pi-hole deployment there are some security shortcuts taken in order to demo.
Do you think it is possible to make a video on how to deploy in a secure fashion?

Thanks a lot for the awesome work!

@geerlingguy (Owner, Author) commented Jul 8, 2020

@mkmojo - The actual Drupal deployment here is pretty secure, but would need some changes to make it more scalable (e.g. using HPA by setting up NFS for shared files volume). I mention the security issue mostly because I didn't spend hours hardening the entire K3s cluster configuration (e.g. per-Pi firewalls, any kind of intrusion monitoring, configuring things like Fail2Ban, etc.), and that's something that is not easy to cover in a short-form YouTube series (nor is it the intention of that series).

For some of those basics, I highly suggest Ansible 101 - Episode 9 - First 5 min server security with Ansible.

Also, I am planning out a Kubernetes 101 series on YouTube... sometime in the next few months :) — it will cover more topics like RBAC and resource constraints in more depth.

@cyrtstein commented Aug 25, 2020

@mkmojo - thanks for asking that question!!
@geerlingguy - thanks for the very helpful answer!!!
I am following this using 4 Pi 4Bs (with 4 GB each). But so far everything works as is, just like on the Turing Pi. Well, except that I could not for the life of me get kubectl installed on my master node. So I am just running kubectl from the Ubuntu 18 box that is also my Ansible master (and that works fine). I am definitely planning to follow up on using fail2ban and ufw on my cluster.
