diff --git a/charts/penpot/Chart.yaml b/charts/penpot/Chart.yaml index ea785ce..19f01b4 100644 --- a/charts/penpot/Chart.yaml +++ b/charts/penpot/Chart.yaml @@ -1,6 +1,6 @@ --- apiVersion: v2 -version: 0.1.0 # Chart version +version: 0.4.0 # Chart version appVersion: "2.1.4" # Penpot version type: application name: penpot @@ -39,8 +39,12 @@ annotations: url: https://penpot.app/dev-diaries.html artifacthub.io/containsSecurityUpdates: "false" artifacthub.io/changes: | + - kind: added + description: containsSecurityUpdates and podSecurityContext can be defined for penpot-frontend. + - kind: added + description: Allow to run in a Openshift Container Platform. - kind: changed - description: Bump to 0.1.0. Initial release. + description: Change penpot-frontend service port to 8080. dependencies: - name: postgresql version: 15.x.x # appVersion >= 16.2.0 diff --git a/charts/penpot/README.md b/charts/penpot/README.md index f3e4414..e725a81 100644 --- a/charts/penpot/README.md +++ b/charts/penpot/README.md @@ -1,6 +1,6 @@ # penpot -![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) ![AppVersion: 2.1.4](https://img.shields.io/badge/AppVersion-2.1.4-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) +![Version: 0.4.0](https://img.shields.io/badge/Version-0.4.0-informational?style=flat-square) ![AppVersion: 2.1.4](https://img.shields.io/badge/AppVersion-2.1.4-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) Helm chart for Penpot, the Open Source design and prototyping platform. 
@@ -175,11 +175,11 @@ helm install my-release -f values.yaml penpot/penpot | Key | Type | Default | Description | |-----|------|---------|-------------| | frontend.affinity | object | `{}` | Affinity for Penpot pods assignment. Check [the official doc](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity) | -| frontend.containerSecurityContext | object | `{}` | Configure Container Security Context. Check [the official doc](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) | +| frontend.containerSecurityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["all"]},"readOnlyRootFilesystem":false,"runAsNonRoot":true,"runAsUser":1001}` | Configure Container Security Context. Check [the official doc](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) | | frontend.deploymentAnnotations | object | `{}` | An optional map of annotations to be applied to the controller Deployment | | frontend.image.pullPolicy | string | `"IfNotPresent"` | The image pull policy to use. | -| frontend.image.repository | string | `"penpotapp/frontend"` | The Docker repository to pull the image from. | -| frontend.image.tag | string | `"2.1.4"` | The image tag to use. | +| frontend.image.repository | string | `"bameda00/test-p"` | The Docker repository to pull the image from. | +| frontend.image.tag | string | `"latest"` | The image tag to use. | | frontend.nodeSelector | object | `{}` | Node labels for Penpot pods assignment. Check [the official doc](https://kubernetes.io/docs/user-guide/node-selection/) | | frontend.pdb | object | `{"enabled":false,"maxUnavailable":null,"minAvailable":null}` | Configure Pod Disruption Budget for the frontend pods. 
Check [the official doc](https://kubernetes.io/docs/tasks/run-application/configure-pdb/) | | frontend.pdb.enabled | bool | `false` | Enable Pod Disruption Budget for the frontend pods. | @@ -187,12 +187,12 @@ helm install my-release -f values.yaml penpot/penpot | frontend.pdb.minAvailable | int,string | `nil` | The number or percentage of pods from that set that must still be available after the eviction (e.g.: 3, "10%"). | | frontend.podAnnotations | object | `{}` | An optional map of annotations to be applied to the controller Pods | | frontend.podLabels | object | `{}` | An optional map of labels to be applied to the controller Pods | -| frontend.podSecurityContext | object | `{}` | Configure Pods Security Context. Check [the official doc](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) | +| frontend.podSecurityContext | object | `{"fsGroup":1001}` | Configure Pods Security Context. Check [the official doc](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) | | frontend.replicaCount | int | `1` | The number of replicas to deploy. | | frontend.resources | object | `{"limits":{},"requests":{}}` | Penpot frontend resource requests and limits. Check [the official doc](https://kubernetes.io/docs/user-guide/compute-resources/) | | frontend.resources.limits | object | `{}` | The resources limits for the Penpot frontend containers | | frontend.resources.requests | object | `{}` | The requested resources for the Penpot frontend containers | -| frontend.service.port | int | `80` | The service port to use. | +| frontend.service.port | int | `8080` | The service port to use. | | frontend.service.type | string | `"ClusterIP"` | The service type to create. | | frontend.tolerations | list | `[]` | Tolerations for Penpot pods assignment. Check [the official doc](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/) | 
@@ -251,14 +251,25 @@ helm install my-release -f values.yaml penpot/penpot | ingress.path | string | `"/"` | Root path for every hosts. | | ingress.tls | list | `[]` | Array style TLS secrets for the (frontend) ingress crontroller. E.g. tls: - secretName: penpot.example.com-tls hosts: - penpot.example.com | +### Reute (for OpenShift Container Platform) + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| route.annotations | object | `{}` | An optional map of annotations to be applied to the route. | +| route.enabled | bool | `false` | Enable Openshift/OKD Route. Check [the official doc](https://docs.openshift.com/container-platform/4.16/networking/routes/route-configuration.html). When it is enabled, all fsGroup and runAsUser must be changed to null. | +| route.host | string | `"penpot.example.com"` | The default external hostname to access to the penpot app. | +| route.path | string | `nil` | Define a path to use Path-based routes. | +| route.tls | object | `{}` | A Map with TLS configuration for the route. E.g. tls: terminationType: edge terminationPolicy: Redirect | +| route.wildcardPolicy | string | `"None"` | Define the wildcard policy (None, Subdomain, ...) | + ### PostgreSQL | Key | Type | Default | Description | |-----|------|---------|-------------| -| postgresql | object | `{"auth":{"database":"penpot","password":"penpot","username":"penpot"}}` | PostgreSQL configuration (Check for [more parameters here](https://artifacthub.io/packages/helm/bitnami/postgresql)) | | postgresql.auth.database | string | `"penpot"` | Name for a custom database to create. | | postgresql.auth.password | string | `"penpot"` | Password for the custom user to create. | | postgresql.auth.username | string | `"penpot"` | Name for a custom user to create. 
| +| postgresql.global.compatibility.openshift.adaptSecurityContext | string | `"auto"` | Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) | > **NOTE**: You can use more parameters according to the [PostgreSQL oficial documentation](https://artifacthub.io/packages/helm/bitnami/postgresql#parameters). @@ -266,8 +277,8 @@ helm install my-release -f values.yaml penpot/penpot | Key | Type | Default | Description | |-----|------|---------|-------------| -| redis | object | `{"auth":{"enabled":false}}` | Redis configuration (Check for [more parameters here](https://artifacthub.io/packages/helm/bitnami/redis)) | | redis.auth.enabled | bool | `false` | Whether to enable password authentication. | +| redis.global.compatibility.openshift.adaptSecurityContext | string | `"auto"` | Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) | > **NOTE**: You can use more parameters according to the [Redis oficial documentation](https://artifacthub.io/packages/helm/bitnami/redis#parameters). diff --git a/charts/penpot/README.md.gotmpl b/charts/penpot/README.md.gotmpl index e6bdcfd..b6d78e0 100644 --- a/charts/penpot/README.md.gotmpl +++ b/charts/penpot/README.md.gotmpl 
@@ -64,6 +64,7 @@ helm install my-release -f values.yaml penpot/{{ template "chart.name" . }} (hasPrefix "exporter" .Key) (hasPrefix "persistence" .Key) (hasPrefix "ingress" .Key) + (hasPrefix "route" .Key) (hasPrefix "postgresql" .Key) (hasPrefix "redis" .Key) ) }} @@ -138,6 +139,17 @@ helm install my-release -f values.yaml penpot/{{ template "chart.name" . }} {{- end }} +### Reute (for OpenShift Container Platform) + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +{{- range .Values }} + {{- if hasPrefix "route" .Key }} +| {{ .Key }} | {{ .Type }} | {{ if .Default }}{{ .Default }}{{ else }}{{ .AutoDefault }}{{ end }} | {{ if .Description }}{{ .Description }}{{ else }}{{ .AutoDescription }}{{ end }} | + {{- end }} +{{- end }} + + ### PostgreSQL | Key | Type | Default | Description | diff --git a/charts/penpot/templates/backend-service.yml b/charts/penpot/templates/backend-service.yml index 28951e1..7155877 100644 --- a/charts/penpot/templates/backend-service.yml +++ b/charts/penpot/templates/backend-service.yml @@ -6,11 +6,11 @@ metadata: labels: {{- include "penpot.labels" . | nindent 4 }} spec: - selector: - {{- include "penpot.backendSelectorLabels" . | nindent 4 }} type: {{ .Values.backend.service.type }} ports: - port: {{ .Values.backend.service.port }} targetPort: {{ .Values.backend.service.port }} protocol: TCP name: http + selector: + {{- include "penpot.backendSelectorLabels" . | nindent 4 }} diff --git a/charts/penpot/templates/frontend-service.yml b/charts/penpot/templates/frontend-service.yml index 2ceb04f..1af21fa 100644 --- a/charts/penpot/templates/frontend-service.yml +++ b/charts/penpot/templates/frontend-service.yml @@ -9,7 +9,7 @@ spec: type: {{ .Values.frontend.service.type }} ports: - port: {{ .Values.frontend.service.port }} - targetPort: http + targetPort: {{ .Values.frontend.service.port }} protocol: TCP name: http selector: 
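Review bot: In frontend-service.yml, replacing the named `targetPort: http` with `{{ .Values.frontend.service.port }}` ties the container port to whatever a user sets as the Service port, so anyone who keeps the previous default `frontend.service.port: 80` now gets a Service forwarding to container port 80, where presumably nothing listens. The named port kept the two independent; if the frontend container now listens on 8080 (likely because it runs as non-root), that belongs in the Deployment's `containerPort` or a dedicated `frontend.containerPort` value, with `targetPort: http` left as it was. The enclosing Service `spec:` starts outside the hunk. The README.md.gotmpl hunk on this line also introduces the heading `### Reute (for OpenShift Container Platform)`, which reads as a typo for `Route` and is copied into the generated README.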
diff --git a/charts/penpot/templates/route.yml b/charts/penpot/templates/route.yml
new file mode 100644
index 0000000..bdb767b
--- /dev/null
+++ b/charts/penpot/templates/route.yml
@@ -0,0 +1,30 @@
+{{- if .Values.route.enabled -}}
+apiVersion: route.openshift.io/v1
+kind: Route
+metadata:
+ name: {{ include "penpot.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "penpot.labels" . | nindent 4 }}
+ {{- with .Values.route.annotations }}
+ annotations:
+ {{- range $key, $value := . }}
+ {{ $key }}: {{ $value | quote }}
+ {{- end }}
+ {{- end }}
+spec:
+ host: {{ .Values.route.host }}
+ path: {{ .Values.route.path }}
+ to:
+ kind: Service
+ name: {{ include "penpot.fullname" . }}
+ port:
+ targetPort: http
+ {{- with .Values.route.tls }}
+ tls:
+ {{- range $key, $value := . }}
+ {{ $key }}: {{ $value | quote }}
+ {{- end }}
+ {{ end }}
+ wildcardPolicy: {{ .Values.route.wildcardPolicy | quote }}
+{{- end }}
diff --git a/charts/penpot/values.yaml b/charts/penpot/values.yaml
index fe15494..febfdbb 100644
--- a/charts/penpot/values.yaml
+++ b/charts/penpot/values.yaml
@@ -384,10 +384,10 @@ frontend:
 image:
 # -- The Docker repository to pull the image from.
 # @section -- Frontend parameters
- repository: penpotapp/frontend
+ repository: bameda00/test-p
 # -- The image tag to use.
 # @section -- Frontend parameters
- tag: 2.1.4
+ tag: latest
 # -- The image pull policy to use.
 # @section -- Frontend parameters
 pullPolicy: IfNotPresent
@@ -400,7 +400,7 @@ frontend:
 type: ClusterIP
 # -- The service port to use.
 # @section -- Frontend parameters
- port: 80
+ port: 8080
 # -- An optional map of annotations to be applied to the controller Deployment
 # @section -- Frontend parameters
 deploymentAnnotations: {}
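Review bot: With `route.tls` defaulting to `{}`, the `{{- with .Values.route.tls }}` block in route.yml renders nothing, so enabling `route.enabled` publishes the frontend on `route.host` over plain HTTP with no redirect; I would either default `route.tls` to edge termination with an insecure-traffic redirect or say in the `route.enabled` comment that the route is unencrypted until `route.tls` is set. Two smaller template points: the closing `{{ end }}` after the tls range has no left-trim dash, so a whitespace-only line is emitted inside `spec`, and `host: {{ .Values.route.host }}` is the one scalar not passed through `quote`, unlike `wildcardPolicy` and the annotation and tls values. `{{- end }}` and `host: {{ .Values.route.host | quote }}` would make the template consistent with itself.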
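Review bot: The chart's default frontend image moves from `penpotapp/frontend:2.1.4` to `bameda00/test-p:latest`, which looks like a development leftover: a personal repository plus a mutable `latest` tag means every fresh install pulls an unpinned third-party build that can change under the chart, and neither the Chart.yaml changelog nor the README text describes the switch. If the official image cannot yet run as non-root on 8080, keep the official repository with an explicit tag and document what users must override; otherwise restore `repository: penpotapp/frontend` and `tag: 2.1.4` (the README defaults on this page are regenerated from these values). The enclosing `frontend:` map starts outside the hunk.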
@@ -412,10 +412,18 @@ frontend: podAnnotations: {} # -- Configure Pods Security Context. Check [the official doc](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) # @section -- Frontend parameters - podSecurityContext: {} + podSecurityContext: + fsGroup: 1001 # -- Configure Container Security Context. Check [the official doc](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) # @section -- Frontend parameters - containerSecurityContext: {} + containerSecurityContext: + runAsUser: 1001 + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: false + runAsNonRoot: true # -- Affinity for Penpot pods assignment. Check [the official doc](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity) # @section -- Frontend parameters affinity: {} @@ -522,7 +530,6 @@ exporter: # @section -- Exporter parameters maxUnavailable: -# @section -- Persistence parameters persistence: assets: # -- Enable assets persistence using Persistent Volume Claims. 
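Review bot: The new `containerSecurityContext` stops short of the `restricted` Pod Security Standard: there is no `seccompProfile: {type: RuntimeDefault}`, and `capabilities.drop` lists `all` in lowercase where Kubernetes documents `ALL`; I cannot confirm from here that admission controllers and the container runtime accept the lowercase spelling, so `- ALL` is the safer form. The pod-level `fsGroup: 1001` and container-level `runAsUser: 1001` added here are exactly what the new route documentation tells OpenShift users to null out by hand, while the postgresql and redis subcharts get `adaptSecurityContext: auto` for the same purpose; a comment on these two keys pointing at that manual step, or a similar switch for the frontend, would keep the chart consistent. The enclosing `frontend:` map starts outside the hunk.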
@@ -599,9 +606,39 @@ ingress: # @section -- Ingress parameters tls: [] -# -- PostgreSQL configuration (Check for [more parameters here](https://artifacthub.io/packages/helm/bitnami/postgresql)) -# @section -- PostgreSQL Dependencie parameters +route: + # -- Enable Openshift/OKD Route. Check [the official doc](https://docs.openshift.com/container-platform/4.16/networking/routes/route-configuration.html). When it is enabled, all fsGroup and runAsUser must be changed to null. + # @section -- Route parameters + enabled: false + # -- An optional map of annotations to be applied to the route. + # @section -- Route parameters + annotations: {} + # -- The default external hostname to access to the penpot app. + # @section -- Route parameters + host: penpot.example.com + # -- Define a path to use Path-based routes. + # @section -- Route parameters + path: null + # -- A Map with TLS configuration for the route. + # E.g. + # tls: + # terminationType: edge + # terminationPolicy: Redirect + # @section -- Route parameters + tls: {} + # -- Define the wildcard policy (None, Subdomain, ...) + # @section -- Route parameters + wildcardPolicy: None + +# PostgreSQL configuration (Check for [more parameters here](https://artifacthub.io/packages/helm/bitnami/postgresql)) postgresql: + global: + compatibility: + openshift: + # -- Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) + # @section -- PostgreSQL Dependencie parameters + adaptSecurityContext: 'auto' + auth: # -- Name for a custom user to create. # @section -- PostgreSQL Dependencie parameters 
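Review bot: The `route.tls` example `terminationType: edge` / `terminationPolicy: Redirect` does not match the OpenShift Route API, whose `spec.tls` uses `termination` and `insecureEdgeTerminationPolicy`; since route.yml copies the map keys verbatim, a user following this comment gets a route the API server either rejects or serves without TLS and without the redirect. Suggested comment lines: `#   termination: edge` and `#   insecureEdgeTerminationPolicy: Redirect`. The same example text is reproduced in the generated README row for `route.tls`.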
@@ -613,9 +650,14 @@ postgresql: # @section -- PostgreSQL Dependencie parameters database: "penpot" -# -- Redis configuration (Check for [more parameters here](https://artifacthub.io/packages/helm/bitnami/redis)) -# @section -- Redis Dependencie parameters +# Redis configuration (Check for [more parameters here](https://artifacthub.io/packages/helm/bitnami/redis)) redis: + global: + compatibility: + openshift: + # -- Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) + # @section -- Redis Dependencie parameters + adaptSecurityContext: 'auto' auth: # -- Whether to enable password authentication. # @section -- Redis Dependencie parameters diff --git a/devel/README.md b/devel/README.md index 2743427..757e991 100644 --- a/devel/README.md +++ b/devel/README.md @@ -41,5 +41,5 @@ pre-commit install --install-hooks -f > [!TIP] > if you disable ingress, you can exposing the app in the port 8888 with: > ```shell -> kubectl port-forward service/penpot 8888:80 +> kubectl port-forward service/penpot 8888:8080 > ``` diff --git a/devel/kind.config.yml b/devel/kind.config.yml index 54d1d07..a9ae659 100644 --- a/devel/kind.config.yml +++ b/devel/kind.config.yml @@ -10,6 +10,9 @@ nodes: kubeletExtraArgs: node-labels: "ingress-ready=true" extraPortMappings: + - containerPort: 8080 + hostPort: 8080 + protocol: TCP - containerPort: 80 hostPort: 80 protocol: TCP diff --git a/devel/penpot.values.yaml b/devel/penpot.values.yaml index 31253a6..52c3d92 100644 --- a/devel/penpot.values.yaml +++ b/devel/penpot.values.yaml @@ -1,3 +1,4 @@ +--- ## Default values for Penpot (local setup for development purpose) global: postgresqlEnabled: true