chore: Bump README.md by release pipeline (automatic) / Riotkit

Riotkit via Github Actions · Riotkit via Github Actions · commit 77ddaf5d35a3 · 2023-03-25T11:26:04.000Z
diff --git a/helm/wordpress-hardened/Chart.yaml b/helm/wordpress-hardened/Chart.yaml
@@ -2,5 +2,5 @@ apiVersion: v2
 name: wordpress-hardened
 description: "Lightweight Wordpress installation with additional security fixes"
 type: application
-version: 0.1.0
-appVersion: "master"  # replaced by CI on build stage
+version: 0.0-latest-master
+appVersion: "" # replaced by CI on build stage
diff --git a/helm/wordpress-hardened/README.md b/helm/wordpress-hardened/README.md
@@ -1,124 +1,8 @@
 # wordpress-hardened
 
-![Version: 0.0-latest-master](https://img.shields.io/badge/Version-0.0--latest--master-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
+[![Artifact Hub](https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/wordpress-hardened)](https://artifacthub.io/packages/search?repo=wordpress-hardened)
 
 Hardened version of official WordPress container, with special support for Kubernetes.
 
-**Features:**
-- Scheduled updates via wp-cli
-- **NGINX instead of Apache**
-- Supports [NGINX-PROXY](https://github.com/nginx-proxy/nginx-proxy) (VIRTUAL_HOST environment variable)
-- Hardened settings for WordPress: limiting access to code execution from wp-content directory, basic auth on wp-login.php
-- Basic Auth enabled by default to protect wp-login against bots (default user: `riotkit`, password: `riotkit`), can be changed using environment variables
-- Non-root container
-- Free from Supervisord, using lightweight [multirun](https://github.com/nicolas-van/multirun) instead
-- Runtime NGINX and PHP configuration to adjust things like `memory_limit`, `error_reporting` or `post_max_size`
-- Pre-configuration of admin account, website name and list of installed plugins
-- Possible to upgrade Wordpress together with docker container
-- Built-in primitive rules to block common exploits targeting PHP
-
-**Kubernetes-only features:**
-- Helm installer
-- Integration with [Backup Repository](https://github.com/riotkit-org/backup-repository) (for Kubernetes-native backups)
-- Integration with [Volume Syncing Controller](https://github.com/riotkit-org/volume-syncing-controller) (for WordPress volume synchronization between Pod and cloud filesystem)
-- Web Application Firewall and OWASP CRS support (experimental)
-
-[Check full documentation](https://github.com/riotkit-org/wordpress-hardened)
-------------------------
-
-## Values
-
-| Key | Type | Default | Description |
-|-----|------|---------|-------------|
-| backups.collectionId | string | `""` | Server side collection id (a backup slot/directory) |
-| backups.email | string | `"example@example.org"` | Used for GPG encryption. Recommended: Set the same as in user account in Backup Repository |
-| backups.enabled | bool | `false` |  |
-| backups.schedule | string | `"16 1 * * *"` | Crontab-like syntax, will be used in a `kind: CronJob` object |
-| backups.secrets.gpgKeys | object | `{"createIfNotExists":true,"secretName":"backups-gpg"}` | GPG key pair - public & private key used for backup encryption. Will generate automatically if not present (make sure to back up created `kind: Secret`) |
-| backups.secrets.loginToken | object | `{"secretKey":"backup-login-token","secretName":""}` | Login token is a JWT token generated by logging in to Backup Repository (see: https://github.com/riotkit-org/backup-repository/blob/767707ada71781a59b583f3e35f22618cf7c1e44/docs/api/users/README.md#post-apistableauthlogin) |
-| backups.templateName | string | `"wordpress-mariadb-10.10"` | Use MariaDB template version matching your server's version for best compatibility |
-| backups.templateType | string | `"internal"` |  |
-| backups.url | string | `"https://my-backup-repository-instance.org"` | Backup Repository instance URL |
-| chownInitContainer | object | `{"enabled":true,"image":"busybox:1.36.0-musl"}` | Use PRIVILEGED init container to correct permissions of your volumes |
-| db.administrativeJobs | object | `{}` |  |
-| db.host | string | `"mariadb.db.svc.cluster.local"` |  |
-| db.name | string | `"riotkit"` |  |
-| db.password.secretKey | string | `"password"` |  |
-| db.password.secretName | string | `"db-credentials"` |  |
-| db.port | int | `3306` |  |
-| db.user | string | `"riotkit"` |  |
-| env | object | `{}` |  |
-| extraConfigMaps | list | `[]` |  |
-| health.allowedSubnets | string | `"10.0.0.0/8"` |  |
-| health.liveness.attributes.failureThreshold | int | `2` |  |
-| health.liveness.attributes.periodSeconds | int | `60` |  |
-| health.liveness.enabled | bool | `true` |  |
-| health.readiness.attributes.failureThreshold | int | `2` |  |
-| health.readiness.attributes.periodSeconds | int | `60` |  |
-| health.readiness.enabled | bool | `true` |  |
-| image.repository | string | `"ghcr.io/riotkit-org/wordpress-hardened"` |  |
-| image.tag | string | `""` |  |
-| ingresses[0].annotations."cert-manager.io/cluster-issuer" | string | `"letsencrypt-staging"` |  |
-| ingresses[0].className | string | `"nginx"` |  |
-| ingresses[0].hosts[0].paths[0].path | string | `"/"` |  |
-| ingresses[0].hosts[0].paths[0].pathType | string | `"ImplementationSpecific"` |  |
-| ingresses[0].tls[0].hosts | list | `[]` |  |
-| permissions | object | `{"gid":65161,"uid":65161}` | If .Values.podSecurityContext is not specified, then this section will set securityContext. Those values also applies to the chown init container |
-| podDisruptionBudget.enabled | bool | `false` |  |
-| podDisruptionBudget.spec.maxUnavailable | int | `0` |  |
-| podDisruptionBudget.spec.minAvailable | int | `1` |  |
-| podLabels | object | `{}` |  |
-| podSecurityContext | object | `{}` |  |
-| pv.extraVolumeMounts | list | `[]` |  |
-| pv.extraVolumes | list | `[]` |  |
-| pv.wp | object | `{"claimName":"wp","create":true,"enabled":true,"size":"256Mi"}` | Disable whole root directory volume to have WordPress version managed by the container. Enable it to use updater from the web - in this case the image version would only matter for PHP, NGINX versions, but the WordPress version would be bumped by WordPress by his own |
-| pv.wp_content.claimName | string | `"wp-content"` |  |
-| pv.wp_content.create | bool | `true` |  |
-| pv.wp_content.enabled | bool | `true` |  |
-| pv.wp_content.size | string | `"1Gi"` |  |
-| replicas | int | `1` |  |
-| resources.limits.cpu | int | `1` |  |
-| resources.limits.memory | string | `"128Mi"` |  |
-| resources.requests.cpu | int | `0` |  |
-| resources.requests.memory | string | `"16Mi"` |  |
-| revisionHistoryLimit | int | `1` |  |
-| rollingUpdate.enabled | bool | `true` |  |
-| rollingUpdate.spec.maxSurge | int | `1` |  |
-| rollingUpdate.spec.maxUnavailable | int | `0` |  |
-| secrets | object | `{"apiVersion":"bitnami.com/v1alpha1","content":"encryptedData:\n    ...\n","create":false,"enabled":false,"kind":"SealedSecret","name":"wordpress-secrets"}` | Allows to embed `kind: Secret`, `kind: SealedSecret`, `kind: ExternalSecret` or any other secret. Use it for example with Bitnami's Sealed Secret |
-| service.port | int | `8080` |  |
-| service.type | string | `"ClusterIP"` |  |
-| terminationGracePeriodSeconds | int | `20` |  |
-| volumeSyncing.automaticEncryption.enabled | bool | `true` |  |
-| volumeSyncing.automaticEncryption.secretName | string | `"sync-encryption"` |  |
-| volumeSyncing.enabled | bool | `false` |  |
-| volumeSyncing.env.REMOTE_ACL | string | `"private"` |  |
-| volumeSyncing.env.REMOTE_ENDPOINT | string | `"http://minio.storage.svc.cluster.local:9000"` |  |
-| volumeSyncing.env.REMOTE_PROVIDER | string | `"Minio"` |  |
-| volumeSyncing.env.REMOTE_TYPE | string | `"s3"` | Remote storage configuration |
-| volumeSyncing.secret.name | string | `""` |  |
-| volumeSyncing.syncOptions.allowedDirections.fromRemote | bool | `true` |  |
-| volumeSyncing.syncOptions.allowedDirections.toRemote | bool | `true` |  |
-| volumeSyncing.syncOptions.cleanUp.forceLocal | bool | `false` |  |
-| volumeSyncing.syncOptions.cleanUp.forceRemote | bool | `false` |  |
-| volumeSyncing.syncOptions.cleanUp.local | bool | `false` |  |
-| volumeSyncing.syncOptions.cleanUp.remote | bool | `true` |  |
-| volumeSyncing.syncOptions.restoreRemoteOnFirstRun | bool | `false` |  |
-| volumeSyncing.syncOptions.schedule | string | `"@every 8h"` |  |
-| waf.directives | string | `"#SecDefaultAction \"phase:4,allow,log\"\n#SecAction \"id:1,pass,log\"\n#SecAuditLog /dev/stdout\n#SecDebugLog /dev/stdout\n#SecDebugLogLevel 5\n"` |  |
-| waf.enabled | bool | `false` |  |
-| waf.env.ENABLE_CORAZA_WAF | bool | `false` |  |
-| waf.env.ENABLE_CRS | bool | `true` |  |
-| waf.env.ENABLE_RATE_LIMITER | bool | `true` |  |
-| waf.env.ENABLE_RULE_WORDPRESS | bool | `true` |  |
-| waf.env.RATE_LIMIT_EVENTS | string | `"30"` |  |
-| waf.env.RATE_LIMIT_WINDOW | string | `"5s"` |  |
-| waf.health.liveness.attributes.failureThreshold | int | `2` |  |
-| waf.health.liveness.attributes.periodSeconds | int | `60` |  |
-| waf.health.liveness.enabled | bool | `true` |  |
-| waf.image.repository | string | `"ghcr.io/riotkit-org/waf-proxy"` |  |
-| waf.image.tag | string | `"snapshot"` |  |
-| wordpress.autoUpdate | bool | `true` | Should the WordPress automatically update itself periodically? NOTICE! Use with .pv.wp.enabled = true |
-| wordpress.domain | string | `"example.org"` | Ingress domain name |
-| wordpress.https | string | `"on"` | HTTP/HTTPS |
-| wordpress.publicPort | string | `"443"` | Ingress port |
+```bash
+helm install my-wordpress-hardened oci://ghcr.io/riotkit-org/charts/wordpress-hardened --version 
