
feat: use new penpot-frontend image based on nginx-unprivileged

David Barragán Merino 2024-10-09 17:55:25 +02:00
parent 125b7fc255
commit 36ca179358
10 changed files with 127 additions and 24 deletions


@ -1,6 +1,6 @@
--- ---
apiVersion: v2 apiVersion: v2
version: 0.1.0 # Chart version version: 0.4.0 # Chart version
appVersion: "2.1.4" # Penpot version appVersion: "2.1.4" # Penpot version
type: application type: application
name: penpot name: penpot
@ -39,8 +39,12 @@ annotations:
url: https://penpot.app/dev-diaries.html url: https://penpot.app/dev-diaries.html
artifacthub.io/containsSecurityUpdates: "false" artifacthub.io/containsSecurityUpdates: "false"
artifacthub.io/changes: | artifacthub.io/changes: |
- kind: added
description: containsSecurityUpdates and podSecurityContext can be defined for penpot-frontend.
- kind: added
description: Allow to run in a Openshift Container Platform.
- kind: changed - kind: changed
description: Bump to 0.1.0. Initial release. description: Change penpot-frontend service port to 8080.
dependencies: dependencies:
- name: postgresql - name: postgresql
version: 15.x.x # appVersion >= 16.2.0 version: 15.x.x # appVersion >= 16.2.0


@ -1,6 +1,6 @@
# penpot # penpot
![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) ![AppVersion: 2.1.4](https://img.shields.io/badge/AppVersion-2.1.4-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![Version: 0.4.0](https://img.shields.io/badge/Version-0.4.0-informational?style=flat-square) ![AppVersion: 2.1.4](https://img.shields.io/badge/AppVersion-2.1.4-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
Helm chart for Penpot, the Open Source design and prototyping platform. Helm chart for Penpot, the Open Source design and prototyping platform.
@ -175,11 +175,11 @@ helm install my-release -f values.yaml penpot/penpot
| Key | Type | Default | Description | | Key | Type | Default | Description |
|-----|------|---------|-------------| |-----|------|---------|-------------|
| frontend.affinity | object | `{}` | Affinity for Penpot pods assignment. Check [the official doc](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity) | | frontend.affinity | object | `{}` | Affinity for Penpot pods assignment. Check [the official doc](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity) |
| frontend.containerSecurityContext | object | `{}` | Configure Container Security Context. Check [the official doc](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) | | frontend.containerSecurityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["all"]},"readOnlyRootFilesystem":false,"runAsNonRoot":true,"runAsUser":1001}` | Configure Container Security Context. Check [the official doc](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) |
| frontend.deploymentAnnotations | object | `{}` | An optional map of annotations to be applied to the controller Deployment | | frontend.deploymentAnnotations | object | `{}` | An optional map of annotations to be applied to the controller Deployment |
| frontend.image.pullPolicy | string | `"IfNotPresent"` | The image pull policy to use. | | frontend.image.pullPolicy | string | `"IfNotPresent"` | The image pull policy to use. |
| frontend.image.repository | string | `"penpotapp/frontend"` | The Docker repository to pull the image from. | | frontend.image.repository | string | `"bameda00/test-p"` | The Docker repository to pull the image from. |
| frontend.image.tag | string | `"2.1.4"` | The image tag to use. | | frontend.image.tag | string | `"latest"` | The image tag to use. |
| frontend.nodeSelector | object | `{}` | Node labels for Penpot pods assignment. Check [the official doc](https://kubernetes.io/docs/user-guide/node-selection/) | | frontend.nodeSelector | object | `{}` | Node labels for Penpot pods assignment. Check [the official doc](https://kubernetes.io/docs/user-guide/node-selection/) |
| frontend.pdb | object | `{"enabled":false,"maxUnavailable":null,"minAvailable":null}` | Configure Pod Disruption Budget for the frontend pods. Check [the official doc](https://kubernetes.io/docs/tasks/run-application/configure-pdb/) | | frontend.pdb | object | `{"enabled":false,"maxUnavailable":null,"minAvailable":null}` | Configure Pod Disruption Budget for the frontend pods. Check [the official doc](https://kubernetes.io/docs/tasks/run-application/configure-pdb/) |
| frontend.pdb.enabled | bool | `false` | Enable Pod Disruption Budget for the frontend pods. | | frontend.pdb.enabled | bool | `false` | Enable Pod Disruption Budget for the frontend pods. |
@ -187,12 +187,12 @@ helm install my-release -f values.yaml penpot/penpot
| frontend.pdb.minAvailable | int,string | `nil` | The number or percentage of pods from that set that must still be available after the eviction (e.g.: 3, "10%"). | | frontend.pdb.minAvailable | int,string | `nil` | The number or percentage of pods from that set that must still be available after the eviction (e.g.: 3, "10%"). |
| frontend.podAnnotations | object | `{}` | An optional map of annotations to be applied to the controller Pods | | frontend.podAnnotations | object | `{}` | An optional map of annotations to be applied to the controller Pods |
| frontend.podLabels | object | `{}` | An optional map of labels to be applied to the controller Pods | | frontend.podLabels | object | `{}` | An optional map of labels to be applied to the controller Pods |
| frontend.podSecurityContext | object | `{}` | Configure Pods Security Context. Check [the official doc](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) | | frontend.podSecurityContext | object | `{"fsGroup":1001}` | Configure Pods Security Context. Check [the official doc](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) |
| frontend.replicaCount | int | `1` | The number of replicas to deploy. | | frontend.replicaCount | int | `1` | The number of replicas to deploy. |
| frontend.resources | object | `{"limits":{},"requests":{}}` | Penpot frontend resource requests and limits. Check [the official doc](https://kubernetes.io/docs/user-guide/compute-resources/) | | frontend.resources | object | `{"limits":{},"requests":{}}` | Penpot frontend resource requests and limits. Check [the official doc](https://kubernetes.io/docs/user-guide/compute-resources/) |
| frontend.resources.limits | object | `{}` | The resources limits for the Penpot frontend containers | | frontend.resources.limits | object | `{}` | The resources limits for the Penpot frontend containers |
| frontend.resources.requests | object | `{}` | The requested resources for the Penpot frontend containers | | frontend.resources.requests | object | `{}` | The requested resources for the Penpot frontend containers |
| frontend.service.port | int | `80` | The service port to use. | | frontend.service.port | int | `8080` | The service port to use. |
| frontend.service.type | string | `"ClusterIP"` | The service type to create. | | frontend.service.type | string | `"ClusterIP"` | The service type to create. |
| frontend.tolerations | list | `[]` | Tolerations for Penpot pods assignment. Check [the official doc](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/) | | frontend.tolerations | list | `[]` | Tolerations for Penpot pods assignment. Check [the official doc](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/) |
@ -251,14 +251,25 @@ helm install my-release -f values.yaml penpot/penpot
| ingress.path | string | `"/"` | Root path for every hosts. | | ingress.path | string | `"/"` | Root path for every hosts. |
| ingress.tls | list | `[]` | Array style TLS secrets for the (frontend) ingress crontroller. E.g. tls: - secretName: penpot.example.com-tls hosts: - penpot.example.com | | ingress.tls | list | `[]` | Array style TLS secrets for the (frontend) ingress crontroller. E.g. tls: - secretName: penpot.example.com-tls hosts: - penpot.example.com |
### Reute (for OpenShift Container Platform)
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| route.annotations | object | `{}` | An optional map of annotations to be applied to the route. |
| route.enabled | bool | `false` | Enable Openshift/OKD Route. Check [the official doc](https://docs.openshift.com/container-platform/4.16/networking/routes/route-configuration.html). When it is enabled, all fsGroup and runAsUser must be changed to null. |
| route.host | string | `"penpot.example.com"` | The default external hostname to access to the penpot app. |
| route.path | string | `nil` | Define a path to use Path-based routes. |
| route.tls | object | `{}` | A Map with TLS configuration for the route. E.g. tls: terminationType: edge terminationPolicy: Redirect |
| route.wildcardPolicy | string | `"None"` | Define the wildcard policy (None, Subdomain, ...) |
### PostgreSQL ### PostgreSQL
| Key | Type | Default | Description | | Key | Type | Default | Description |
|-----|------|---------|-------------| |-----|------|---------|-------------|
| postgresql | object | `{"auth":{"database":"penpot","password":"penpot","username":"penpot"}}` | PostgreSQL configuration (Check for [more parameters here](https://artifacthub.io/packages/helm/bitnami/postgresql)) |
| postgresql.auth.database | string | `"penpot"` | Name for a custom database to create. | | postgresql.auth.database | string | `"penpot"` | Name for a custom database to create. |
| postgresql.auth.password | string | `"penpot"` | Password for the custom user to create. | | postgresql.auth.password | string | `"penpot"` | Password for the custom user to create. |
| postgresql.auth.username | string | `"penpot"` | Name for a custom user to create. | | postgresql.auth.username | string | `"penpot"` | Name for a custom user to create. |
| postgresql.global.compatibility.openshift.adaptSecurityContext | string | `"auto"` | Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) |
> **NOTE**: You can use more parameters according to the [PostgreSQL oficial documentation](https://artifacthub.io/packages/helm/bitnami/postgresql#parameters). > **NOTE**: You can use more parameters according to the [PostgreSQL oficial documentation](https://artifacthub.io/packages/helm/bitnami/postgresql#parameters).
@ -266,8 +277,8 @@ helm install my-release -f values.yaml penpot/penpot
| Key | Type | Default | Description | | Key | Type | Default | Description |
|-----|------|---------|-------------| |-----|------|---------|-------------|
| redis | object | `{"auth":{"enabled":false}}` | Redis configuration (Check for [more parameters here](https://artifacthub.io/packages/helm/bitnami/redis)) |
| redis.auth.enabled | bool | `false` | Whether to enable password authentication. | | redis.auth.enabled | bool | `false` | Whether to enable password authentication. |
| redis.global.compatibility.openshift.adaptSecurityContext | string | `"auto"` | Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) |
> **NOTE**: You can use more parameters according to the [Redis oficial documentation](https://artifacthub.io/packages/helm/bitnami/redis#parameters). > **NOTE**: You can use more parameters according to the [Redis oficial documentation](https://artifacthub.io/packages/helm/bitnami/redis#parameters).


@ -64,6 +64,7 @@ helm install my-release -f values.yaml penpot/{{ template "chart.name" . }}
(hasPrefix "exporter" .Key) (hasPrefix "exporter" .Key)
(hasPrefix "persistence" .Key) (hasPrefix "persistence" .Key)
(hasPrefix "ingress" .Key) (hasPrefix "ingress" .Key)
(hasPrefix "route" .Key)
(hasPrefix "postgresql" .Key) (hasPrefix "postgresql" .Key)
(hasPrefix "redis" .Key) (hasPrefix "redis" .Key)
) }} ) }}
@ -138,6 +139,17 @@ helm install my-release -f values.yaml penpot/{{ template "chart.name" . }}
{{- end }} {{- end }}
### Reute (for OpenShift Container Platform)
| Key | Type | Default | Description |
|-----|------|---------|-------------|
{{- range .Values }}
{{- if hasPrefix "route" .Key }}
| {{ .Key }} | {{ .Type }} | {{ if .Default }}{{ .Default }}{{ else }}{{ .AutoDefault }}{{ end }} | {{ if .Description }}{{ .Description }}{{ else }}{{ .AutoDescription }}{{ end }} |
{{- end }}
{{- end }}
### PostgreSQL ### PostgreSQL
| Key | Type | Default | Description | | Key | Type | Default | Description |


@ -6,11 +6,11 @@ metadata:
labels: labels:
{{- include "penpot.labels" . | nindent 4 }} {{- include "penpot.labels" . | nindent 4 }}
spec: spec:
selector:
{{- include "penpot.backendSelectorLabels" . | nindent 4 }}
type: {{ .Values.backend.service.type }} type: {{ .Values.backend.service.type }}
ports: ports:
- port: {{ .Values.backend.service.port }} - port: {{ .Values.backend.service.port }}
targetPort: {{ .Values.backend.service.port }} targetPort: {{ .Values.backend.service.port }}
protocol: TCP protocol: TCP
name: http name: http
selector:
{{- include "penpot.backendSelectorLabels" . | nindent 4 }}


@ -9,7 +9,7 @@ spec:
type: {{ .Values.frontend.service.type }} type: {{ .Values.frontend.service.type }}
ports: ports:
- port: {{ .Values.frontend.service.port }} - port: {{ .Values.frontend.service.port }}
targetPort: http targetPort: {{ .Values.frontend.service.port }}
protocol: TCP protocol: TCP
name: http name: http
selector: selector:
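Review bot: `targetPort` is now rendered from `.Values.frontend.service.port`, so the port the Service exposes and the port the container listens on can no longer differ. Anyone who overrides `frontend.service.port` (for example back to 80) points the Service at a port the nginx-unprivileged container presumably does not listen on, and with `runAsNonRoot: true` and all capabilities dropped it could not bind a port below 1024 anyway. Keeping `targetPort: http` and fixing the named container port at 8080 in the Deployment (not shown in this section) would leave the Service port freely configurable. The Route added in this commit also targets the port named `http`, so that name is still relied on.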


@ -0,0 +1,30 @@
{{- if .Values.route.enabled -}}
apiVersion: route.openshift.io/v1
kind: Route
metadata:
name: {{ include "penpot.fullname" . }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "penpot.labels" . | nindent 4 }}
{{- with .Values.route.annotations }}
annotations:
{{- range $key, $value := . }}
{{ $key }}: {{ $value | quote }}
{{- end }}
{{- end }}
spec:
host: {{ .Values.route.host }}
path: {{ .Values.route.path }}
to:
kind: Service
name: {{ include "penpot.fullname" . }}
port:
targetPort: http
{{- with .Values.route.tls }}
tls:
{{- range $key, $value := . }}
{{ $key }}: {{ $value | quote }}
{{- end }}
{{ end }}
wildcardPolicy: {{ .Values.route.wildcardPolicy | quote }}
{{- end }}
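Review bot: With the default `route.tls: {}` the `with .Values.route.tls` block renders nothing, so an enabled Route is served over plain HTTP and Penpot logins and session cookies would reach the router unencrypted. The `tls` loop copies keys verbatim, and the example in values.yaml uses `terminationType` / `terminationPolicy`, whereas the Route API fields are `termination` and `insecureEdgeTerminationPolicy`; a user following the example would most likely get a rejected or ineffective TLS block. I would document the real field names and consider defaulting to `termination: edge` with `insecureEdgeTerminationPolicy: Redirect`. `host` and `path` are also emitted unquoted, unlike `wildcardPolicy`; `host: {{ .Values.route.host | quote }}` would be consistent.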


@ -384,10 +384,10 @@ frontend:
image: image:
# -- The Docker repository to pull the image from. # -- The Docker repository to pull the image from.
# @section -- Frontend parameters # @section -- Frontend parameters
repository: penpotapp/frontend repository: bameda00/test-p
# -- The image tag to use. # -- The image tag to use.
# @section -- Frontend parameters # @section -- Frontend parameters
tag: 2.1.4 tag: latest
# -- The image pull policy to use. # -- The image pull policy to use.
# @section -- Frontend parameters # @section -- Frontend parameters
pullPolicy: IfNotPresent pullPolicy: IfNotPresent
@ -400,7 +400,7 @@ frontend:
type: ClusterIP type: ClusterIP
# -- The service port to use. # -- The service port to use.
# @section -- Frontend parameters # @section -- Frontend parameters
port: 80 port: 8080
# -- An optional map of annotations to be applied to the controller Deployment # -- An optional map of annotations to be applied to the controller Deployment
# @section -- Frontend parameters # @section -- Frontend parameters
deploymentAnnotations: {} deploymentAnnotations: {}
@ -412,10 +412,18 @@ frontend:
podAnnotations: {} podAnnotations: {}
# -- Configure Pods Security Context. Check [the official doc](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) # -- Configure Pods Security Context. Check [the official doc](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod)
# @section -- Frontend parameters # @section -- Frontend parameters
podSecurityContext: {} podSecurityContext:
fsGroup: 1001
# -- Configure Container Security Context. Check [the official doc](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) # -- Configure Container Security Context. Check [the official doc](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod)
# @section -- Frontend parameters # @section -- Frontend parameters
containerSecurityContext: {} containerSecurityContext:
runAsUser: 1001
allowPrivilegeEscalation: false
capabilities:
drop:
- all
readOnlyRootFilesystem: false
runAsNonRoot: true
# -- Affinity for Penpot pods assignment. Check [the official doc](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity) # -- Affinity for Penpot pods assignment. Check [the official doc](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity)
# @section -- Frontend parameters # @section -- Frontend parameters
affinity: {} affinity: {}
@ -522,7 +530,6 @@ exporter:
# @section -- Exporter parameters # @section -- Exporter parameters
maxUnavailable: maxUnavailable:
# @section -- Persistence parameters
persistence: persistence:
assets: assets:
# -- Enable assets persistence using Persistent Volume Claims. # -- Enable assets persistence using Persistent Volume Claims.
@ -599,9 +606,39 @@ ingress:
# @section -- Ingress parameters # @section -- Ingress parameters
tls: [] tls: []
# -- PostgreSQL configuration (Check for [more parameters here](https://artifacthub.io/packages/helm/bitnami/postgresql)) route:
# @section -- PostgreSQL Dependencie parameters # -- Enable Openshift/OKD Route. Check [the official doc](https://docs.openshift.com/container-platform/4.16/networking/routes/route-configuration.html). When it is enabled, all fsGroup and runAsUser must be changed to null.
# @section -- Route parameters
enabled: false
# -- An optional map of annotations to be applied to the route.
# @section -- Route parameters
annotations: {}
# -- The default external hostname to access to the penpot app.
# @section -- Route parameters
host: penpot.example.com
# -- Define a path to use Path-based routes.
# @section -- Route parameters
path: null
# -- A Map with TLS configuration for the route.
# E.g.
# tls:
# terminationType: edge
# terminationPolicy: Redirect
# @section -- Route parameters
tls: {}
# -- Define the wildcard policy (None, Subdomain, ...)
# @section -- Route parameters
wildcardPolicy: None
# PostgreSQL configuration (Check for [more parameters here](https://artifacthub.io/packages/helm/bitnami/postgresql))
postgresql: postgresql:
global:
compatibility:
openshift:
# -- Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation)
# @section -- PostgreSQL Dependencie parameters
adaptSecurityContext: 'auto'
auth: auth:
# -- Name for a custom user to create. # -- Name for a custom user to create.
# @section -- PostgreSQL Dependencie parameters # @section -- PostgreSQL Dependencie parameters
@ -613,9 +650,14 @@ postgresql:
# @section -- PostgreSQL Dependencie parameters # @section -- PostgreSQL Dependencie parameters
database: "penpot" database: "penpot"
# -- Redis configuration (Check for [more parameters here](https://artifacthub.io/packages/helm/bitnami/redis)) # Redis configuration (Check for [more parameters here](https://artifacthub.io/packages/helm/bitnami/redis))
# @section -- Redis Dependencie parameters
redis: redis:
global:
compatibility:
openshift:
# -- Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation)
# @section -- Redis Dependencie parameters
adaptSecurityContext: 'auto'
auth: auth:
# -- Whether to enable password authentication. # -- Whether to enable password authentication.
# @section -- Redis Dependencie parameters # @section -- Redis Dependencie parameters
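Review bot: The default frontend image is changed to `bameda00/test-p` with tag `latest`, which looks like a personal test repository rather than the project's `penpotapp/frontend`, and it is no longer pinned. Every install of chart 0.4.0 would pull whatever is currently published under that mutable tag, and with `pullPolicy: IfNotPresent` different nodes can end up running different builds of it. Before release this should point at the official unprivileged image with a fixed version tag (ideally a digest), e.g. `repository: penpotapp/frontend` and `tag: "<pinned-version>"`. The README defaults table in this commit carries the same two values and would need regenerating.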


@ -41,5 +41,5 @@ pre-commit install --install-hooks -f
> [!TIP] > [!TIP]
> if you disable ingress, you can exposing the app in the port 8888 with: > if you disable ingress, you can exposing the app in the port 8888 with:
> ```shell > ```shell
> kubectl port-forward service/penpot 8888:80 > kubectl port-forward service/penpot 8888:8080
> ``` > ```


@ -10,6 +10,9 @@ nodes:
kubeletExtraArgs: kubeletExtraArgs:
node-labels: "ingress-ready=true" node-labels: "ingress-ready=true"
extraPortMappings: extraPortMappings:
- containerPort: 8080
hostPort: 8080
protocol: TCP
- containerPort: 80 - containerPort: 80
hostPort: 80 hostPort: 80
protocol: TCP protocol: TCP
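Review bot: The new `8080` entry under `extraPortMappings` has no `listenAddress`, and kind binds extra port mappings on all host interfaces by default, so the development cluster becomes reachable from the local network on that port. For a local setup whose chart defaults include `penpot`/`penpot` PostgreSQL credentials, adding `listenAddress: "127.0.0.1"` to this entry (and to the existing 80 mapping) keeps it on loopback. It is also not visible from this commit what binds 8080 on the node, since the frontend Service is `ClusterIP`; a short comment explaining why the mapping is needed would help.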


@ -1,3 +1,4 @@
---
## Default values for Penpot (local setup for development purpose) ## Default values for Penpot (local setup for development purpose)
global: global:
postgresqlEnabled: true postgresqlEnabled: true