WordPress GitOps summary

Summary page for the WordPress GitOps series of runbooks for deploying and operating WordPress on Kubernetes via FluxCD, with SOPS-encrypted Secrets, Cloudflare Origin CA TLS, Redis object cache, external cron job, and a repeatable backup and restore workflow.

WordPress GitOps series

  1. WordPress GitOps summary - you are here
  2. WordPress repo and prerequisites
  3. WordPress manifests
  4. WordPress flux integration
  5. WordPress operations, restore and backups
  • This playbook has been tested on:
    • Kubernetes version: v1.31.9
    • OS-Image: Ubuntu 24.04.2 LTS
    • Kernel version: 6.8.0-62-generic
    • Container runtime: containerd://2.0.5

1. What this runbook series covers

A single hosted WordPress site is migrated onto the cluster, including an optional domain change, and then operated day-to-day using GitOps.

1.1 Included components

This deployment pattern includes MariaDB, a stateful Redis cache, a WordPress Deployment with a persistent wp-content PVC, externalised cron via a Kubernetes CronJob, and a support toolbox for restores and maintenance.


2. Key conventions

2.1 GitOps boundaries

The app repo owns application manifests under k8s/prod/, while flux-config owns the namespace and Flux objects that point to the app repo.

2.2 Secrets handling

Secrets are committed as SOPS-encrypted YAML and decrypted by Flux using the sops-age Secret in flux-system. Files opt in by matching k8s/.*\.enc\.ya?ml.
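Because encryption is opt-in by file name, a Secret saved under a name that misses the pattern, or one that matches but was never run through SOPS, is committed in plaintext. The following pre-commit style check is an added example, not part of the runbook series; the function names, sample file names and values are constructed, and it assumes the pattern is applied as an unanchored search on the repo-relative path.

```python
import re
import tempfile
from pathlib import Path

# Opt-in pattern quoted in section 2.2. Assumption: it is searched (unanchored)
# against the repo-relative path, so ".*" also spans subdirectories.
OPT_IN = re.compile(r"k8s/.*\.enc\.ya?ml")
IS_SECRET = re.compile(r"^kind:\s*Secret\s*$", re.MULTILINE)
HAS_SOPS = re.compile(r"^sops:\s*$", re.MULTILINE)  # top-level SOPS metadata key


def audit_secrets(repo_root):
    """Return (path, problem) pairs for Secret manifests that would land in Git unencrypted."""
    root, findings = Path(repo_root), []
    for path in sorted(p for p in root.rglob("*.y*ml") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        text = path.read_text(encoding="utf-8", errors="replace")
        if not IS_SECRET.search(text):
            continue  # not a Secret manifest
        if not OPT_IN.search(rel):
            findings.append((rel, "outside opt-in pattern"))
        elif not HAS_SOPS.search(text):
            findings.append((rel, "opted in but plaintext"))
    return findings


def build_sample_repo(root):
    """Write a constructed repo layout; every file name and value here is made up."""
    secret = "apiVersion: v1\nkind: Secret\nmetadata:\n  name: {n}\n  namespace: wp-coach\n"
    files = {
        "k8s/prod/db.enc.yaml": secret.format(n="db")
        + "stringData:\n  password: ENC[AES256_GCM,data:constructed,type:str]\nsops:\n  version: 3.9.0\n",
        "k8s/prod/redis.enc.yaml": secret.format(n="redis") + "stringData:\n  password: example\n",
        "k8s/prod/wp-salts.yaml": secret.format(n="salts") + "stringData:\n  key: example\n",
        "k8s/prod/deployment.yaml": "apiVersion: apps/v1\nkind: Deployment\n",
    }
    for rel, body in files.items():
        target = Path(root, rel)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body, encoding="utf-8")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_repo(tmp)
        for rel, problem in audit_secrets(tmp):
            print(f"{rel}: {problem}")
```

Run against the app repo root in CI or as a pre-commit hook and fail the job when the returned list is non-empty.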

2.3 Default security posture

The namespace uses default-deny NetworkPolicy and only opens the minimum traffic paths needed for:

  • Ingress-NGINX to reach WordPress
  • WordPress and cron to reach MariaDB, Redis, and DNS
  • Optional controlled egress for WordPress update checks and plugin vendors

3. Verification checklist

  • flux get sources git -n flux-system shows the WordPress app source Ready
  • flux get kustomizations -n flux-system shows the WordPress app Kustomization Ready
  • kubectl -n wp-coach get pods,svc,ingress shows expected resources
  • kubectl -n wp-coach get certificate muppit-au-origin is Ready
  • curl -I https://muppit.au returns the expected status codes