feat: use new penpot-frontend image based on nginx-unprivileged

2024-12-21 21:23:04 -05:00 · 2024-10-09 17:55:25 +02:00 · 2024-10-09 17:55:25 +02:00 · 36ca179358
commit 36ca179358
parent 125b7fc255
10 changed files with 127 additions and 24 deletions
--- a/charts/penpot/Chart.yaml
+++ b/charts/penpot/Chart.yaml
@ -1,6 +1,6 @@
 ---
 apiVersion: v2
-version: 0.1.0  # Chart version
+version: 0.4.0  # Chart version
 appVersion: "2.1.4"  # Penpot version
 type: application
 name: penpot
@ -39,8 +39,12 @@ annotations:
      url: https://penpot.app/dev-diaries.html
  artifacthub.io/containsSecurityUpdates: "false"
  artifacthub.io/changes: |
+    - kind: added
+      description: containsSecurityUpdates and podSecurityContext can be defined for penpot-frontend.
+    - kind: added
+      description: Allow to run in a Openshift Container Platform.
    - kind: changed
-      description: Bump to 0.1.0. Initial release.
+      description: Change penpot-frontend service port to 8080.
 dependencies:
  - name: postgresql
    version: 15.x.x  # appVersion >= 16.2.0
--- a/charts/penpot/README.md
+++ b/charts/penpot/README.md
@ -1,6 +1,6 @@
 # penpot

-![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) ![AppVersion: 2.1.4](https://img.shields.io/badge/AppVersion-2.1.4-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
+![Version: 0.4.0](https://img.shields.io/badge/Version-0.4.0-informational?style=flat-square) ![AppVersion: 2.1.4](https://img.shields.io/badge/AppVersion-2.1.4-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)

 Helm chart for Penpot, the Open Source design and prototyping platform.

@ -175,11 +175,11 @@ helm install my-release -f values.yaml penpot/penpot
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
 | frontend.affinity | object | `{}` | Affinity for Penpot pods assignment. Check [the official doc](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity) |
-| frontend.containerSecurityContext | object | `{}` | Configure Container Security Context. Check [the official doc](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) |
+| frontend.containerSecurityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["all"]},"readOnlyRootFilesystem":false,"runAsNonRoot":true,"runAsUser":1001}` | Configure Container Security Context. Check [the official doc](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) |
 | frontend.deploymentAnnotations | object | `{}` | An optional map of annotations to be applied to the controller Deployment |
 | frontend.image.pullPolicy | string | `"IfNotPresent"` | The image pull policy to use. |
-| frontend.image.repository | string | `"penpotapp/frontend"` | The Docker repository to pull the image from. |
-| frontend.image.tag | string | `"2.1.4"` | The image tag to use. |
+| frontend.image.repository | string | `"bameda00/test-p"` | The Docker repository to pull the image from. |
+| frontend.image.tag | string | `"latest"` | The image tag to use. |
 | frontend.nodeSelector | object | `{}` | Node labels for Penpot pods assignment. Check [the official doc](https://kubernetes.io/docs/user-guide/node-selection/) |
 | frontend.pdb | object | `{"enabled":false,"maxUnavailable":null,"minAvailable":null}` | Configure Pod Disruption Budget for the frontend pods. Check [the official doc](https://kubernetes.io/docs/tasks/run-application/configure-pdb/) |
 | frontend.pdb.enabled | bool | `false` | Enable Pod Disruption Budget for the frontend pods. |
@ -187,12 +187,12 @@ helm install my-release -f values.yaml penpot/penpot
 | frontend.pdb.minAvailable | int,string | `nil` | The number or percentage of pods from that set that must still be available after the eviction (e.g.: 3, "10%"). |
 | frontend.podAnnotations | object | `{}` | An optional map of annotations to be applied to the controller Pods |
 | frontend.podLabels | object | `{}` | An optional map of labels to be applied to the controller Pods |
-| frontend.podSecurityContext | object | `{}` | Configure Pods Security Context. Check [the official doc](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) |
+| frontend.podSecurityContext | object | `{"fsGroup":1001}` | Configure Pods Security Context. Check [the official doc](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) |
 | frontend.replicaCount | int | `1` | The number of replicas to deploy. |
 | frontend.resources | object | `{"limits":{},"requests":{}}` | Penpot frontend resource requests and limits. Check [the official doc](https://kubernetes.io/docs/user-guide/compute-resources/) |
 | frontend.resources.limits | object | `{}` | The resources limits for the Penpot frontend containers |
 | frontend.resources.requests | object | `{}` | The requested resources for the Penpot frontend containers |
-| frontend.service.port | int | `80` | The service port to use. |
+| frontend.service.port | int | `8080` | The service port to use. |
 | frontend.service.type | string | `"ClusterIP"` | The service type to create. |
 | frontend.tolerations | list | `[]` | Tolerations for Penpot pods assignment. Check [the official doc](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/) |

@ -251,14 +251,25 @@ helm install my-release -f values.yaml penpot/penpot
 | ingress.path | string | `"/"` | Root path for every hosts. |
 | ingress.tls | list | `[]` | Array style TLS secrets for the (frontend) ingress crontroller. E.g. tls:   - secretName: penpot.example.com-tls     hosts:       - penpot.example.com |

+### Reute (for OpenShift Container Platform)
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| route.annotations | object | `{}` | An optional map of annotations to be applied to the route. |
+| route.enabled | bool | `false` | Enable Openshift/OKD Route. Check [the official doc](https://docs.openshift.com/container-platform/4.16/networking/routes/route-configuration.html). When it is enabled, all fsGroup and runAsUser must be changed to null. |
+| route.host | string | `"penpot.example.com"` | The default external hostname to access to the penpot app. |
+| route.path | string | `nil` | Define a path to use Path-based routes. |
+| route.tls | object | `{}` | A Map with TLS configuration for the route. E.g. tls:   terminationType: edge   terminationPolicy: Redirect |
+| route.wildcardPolicy | string | `"None"` | Define the wildcard policy (None, Subdomain, ...) |
+
 ### PostgreSQL

 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
-| postgresql | object | `{"auth":{"database":"penpot","password":"penpot","username":"penpot"}}` | PostgreSQL configuration (Check for [more parameters here](https://artifacthub.io/packages/helm/bitnami/postgresql)) |
 | postgresql.auth.database | string | `"penpot"` | Name for a custom database to create. |
 | postgresql.auth.password | string | `"penpot"` | Password for the custom user to create. |
 | postgresql.auth.username | string | `"penpot"` | Name for a custom user to create. |
+| postgresql.global.compatibility.openshift.adaptSecurityContext | string | `"auto"` | Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) |

 > **NOTE**: You can use more parameters according to the [PostgreSQL oficial documentation](https://artifacthub.io/packages/helm/bitnami/postgresql#parameters).

@ -266,8 +277,8 @@ helm install my-release -f values.yaml penpot/penpot

 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
-| redis | object | `{"auth":{"enabled":false}}` | Redis configuration (Check for [more parameters here](https://artifacthub.io/packages/helm/bitnami/redis)) |
 | redis.auth.enabled | bool | `false` | Whether to enable password authentication. |
+| redis.global.compatibility.openshift.adaptSecurityContext | string | `"auto"` | Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) |

 > **NOTE**: You can use more parameters according to the [Redis oficial documentation](https://artifacthub.io/packages/helm/bitnami/redis#parameters).

--- a/charts/penpot/README.md.gotmpl
+++ b/charts/penpot/README.md.gotmpl
@ -64,6 +64,7 @@ helm install my-release -f values.yaml penpot/{{ template "chart.name" . }}
    (hasPrefix "exporter" .Key)
    (hasPrefix "persistence" .Key)
    (hasPrefix "ingress" .Key)
+    (hasPrefix "route" .Key)
    (hasPrefix "postgresql" .Key)
    (hasPrefix "redis" .Key)
  ) }}
@ -138,6 +139,17 @@ helm install my-release -f values.yaml penpot/{{ template "chart.name" . }}
 {{- end }}


+### Reute (for OpenShift Container Platform)
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+{{- range .Values }}
+  {{- if hasPrefix "route" .Key }}
+| {{ .Key }} | {{ .Type }} | {{ if .Default }}{{ .Default }}{{ else }}{{ .AutoDefault }}{{ end }} | {{ if .Description }}{{ .Description }}{{ else }}{{ .AutoDescription }}{{ end }} |
+  {{- end }}
+{{- end }}
+
+
 ### PostgreSQL

 | Key | Type | Default | Description |
--- a/charts/penpot/templates/backend-service.yml
+++ b/charts/penpot/templates/backend-service.yml
@ -6,11 +6,11 @@ metadata:
  labels:
    {{- include "penpot.labels" . | nindent 4 }}
 spec:
-  selector:
-    {{- include "penpot.backendSelectorLabels" . | nindent 4 }}
  type: {{ .Values.backend.service.type }}
  ports:
    - port: {{ .Values.backend.service.port }}
      targetPort: {{ .Values.backend.service.port }}
      protocol: TCP
      name: http
+  selector:
+    {{- include "penpot.backendSelectorLabels" . | nindent 4 }}
--- a/charts/penpot/templates/frontend-service.yml
+++ b/charts/penpot/templates/frontend-service.yml
@ -9,7 +9,7 @@ spec:
  type: {{ .Values.frontend.service.type }}
  ports:
    - port: {{ .Values.frontend.service.port }}
-      targetPort: http
+      targetPort: {{ .Values.frontend.service.port }}
      protocol: TCP
      name: http
  selector:
--- a/charts/penpot/templates/route.yml
+++ b/charts/penpot/templates/route.yml
@ -0,0 +1,30 @@
+{{- if .Values.route.enabled -}}
+apiVersion: route.openshift.io/v1
+kind: Route
+metadata:
+  name: {{ include "penpot.fullname" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "penpot.labels" . | nindent 4 }}
+  {{- with .Values.route.annotations }}
+  annotations:
+    {{- range $key, $value := . }}
+    {{ $key }}: {{ $value | quote }}
+    {{- end }}
+  {{- end }}
+spec:
+  host: {{ .Values.route.host }}
+  path: {{ .Values.route.path }}
+  to:
+    kind: Service
+    name: {{ include "penpot.fullname" . }}
+  port:
+    targetPort: http
+  {{- with .Values.route.tls }}
+  tls:
+    {{- range $key, $value := . }}
+    {{ $key }}: {{ $value | quote }}
+    {{- end }}
+  {{ end }}
+  wildcardPolicy: {{ .Values.route.wildcardPolicy | quote }}
+{{- end }}
--- a/charts/penpot/values.yaml
+++ b/charts/penpot/values.yaml
@ -384,10 +384,10 @@ frontend:
  image:
    # -- The Docker repository to pull the image from.
    # @section -- Frontend parameters
-    repository: penpotapp/frontend
+    repository: bameda00/test-p
    # -- The image tag to use.
    # @section -- Frontend parameters
-    tag: 2.1.4
+    tag: latest
    # -- The image pull policy to use.
    # @section -- Frontend parameters
    pullPolicy: IfNotPresent
@ -400,7 +400,7 @@ frontend:
    type: ClusterIP
    # -- The service port to use.
    # @section -- Frontend parameters
-    port: 80
+    port: 8080
  # -- An optional map of annotations to be applied to the controller Deployment
  # @section -- Frontend parameters
  deploymentAnnotations: {}
@ -412,10 +412,18 @@ frontend:
  podAnnotations: {}
  # -- Configure Pods Security Context. Check [the official doc](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod)
  # @section -- Frontend parameters
-  podSecurityContext: {}
+  podSecurityContext:
+    fsGroup: 1001
  # -- Configure Container Security Context. Check [the official doc](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod)
  # @section -- Frontend parameters
-  containerSecurityContext: {}
+  containerSecurityContext:
+    runAsUser: 1001
+    allowPrivilegeEscalation: false
+    capabilities:
+      drop:
+        - all
+    readOnlyRootFilesystem: false
+    runAsNonRoot: true
  # -- Affinity for Penpot pods assignment. Check [the official doc](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity)
  # @section -- Frontend parameters
  affinity: {}
@ -522,7 +530,6 @@ exporter:
    # @section -- Exporter parameters
    maxUnavailable:

-# @section -- Persistence parameters
 persistence:
  assets:
    # -- Enable assets persistence using Persistent Volume Claims.
@ -599,9 +606,39 @@ ingress:
  # @section -- Ingress parameters
  tls: []

-# -- PostgreSQL configuration (Check for [more parameters here](https://artifacthub.io/packages/helm/bitnami/postgresql))
-# @section -- PostgreSQL Dependencie parameters
+route:
+  # -- Enable Openshift/OKD Route. Check [the official doc](https://docs.openshift.com/container-platform/4.16/networking/routes/route-configuration.html). When it is enabled, all fsGroup and runAsUser must be changed to null.
+  # @section -- Route parameters
+  enabled: false
+  # -- An optional map of annotations to be applied to the route.
+  # @section -- Route parameters
+  annotations: {}
+  # -- The default external hostname to access to the penpot app.
+  # @section -- Route parameters
+  host: penpot.example.com
+  # -- Define a path to use Path-based routes.
+  # @section -- Route parameters
+  path: null
+  # -- A Map with TLS configuration for the route.
+  # E.g.
+  # tls:
+  #   terminationType: edge
+  #   terminationPolicy: Redirect
+  # @section -- Route parameters
+  tls: {}
+  # -- Define the wildcard policy (None, Subdomain, ...)
+  # @section -- Route parameters
+  wildcardPolicy: None
+
+# PostgreSQL configuration (Check for [more parameters here](https://artifacthub.io/packages/helm/bitnami/postgresql))
 postgresql:
+  global:
+    compatibility:
+      openshift:
+        # -- Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation)
+        # @section -- PostgreSQL Dependencie parameters
+        adaptSecurityContext: 'auto'
+
  auth:
    # -- Name for a custom user to create.
    # @section -- PostgreSQL Dependencie parameters
@ -613,9 +650,14 @@ postgresql:
    # @section -- PostgreSQL Dependencie parameters
    database: "penpot"

-# -- Redis configuration (Check for [more parameters here](https://artifacthub.io/packages/helm/bitnami/redis))
-# @section -- Redis Dependencie parameters
+# Redis configuration (Check for [more parameters here](https://artifacthub.io/packages/helm/bitnami/redis))
 redis:
+  global:
+    compatibility:
+      openshift:
+        # -- Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation)
+        # @section -- Redis Dependencie parameters
+        adaptSecurityContext: 'auto'
  auth:
    # -- Whether to enable password authentication.
    # @section -- Redis Dependencie parameters
--- a/devel/README.md
+++ b/devel/README.md
@ -41,5 +41,5 @@ pre-commit install --install-hooks -f
 > [!TIP]
 > if you disable ingress, you can exposing the app in the port 8888 with:
 > ```shell
-> kubectl port-forward service/penpot 8888:80
+> kubectl port-forward service/penpot 8888:8080
 > ```
--- a/devel/kind.config.yml
+++ b/devel/kind.config.yml
@ -10,6 +10,9 @@ nodes:
      kubeletExtraArgs:
        node-labels: "ingress-ready=true"
  extraPortMappings:
+  - containerPort: 8080
+    hostPort: 8080
+    protocol: TCP
  - containerPort: 80
    hostPort: 80
    protocol: TCP
--- a/devel/penpot.values.yaml
+++ b/devel/penpot.values.yaml
@ -1,3 +1,4 @@
+---
 ## Default values for Penpot (local setup for development purpose)
 global:
  postgresqlEnabled: true