0
Fork 0
mirror of https://github.com/penpot/penpot-helm.git synced 2024-12-22 05:32:59 -05:00

feat: use new penpot-frontend image based on nginx-unprivileged

This commit is contained in:
David Barragán Merino 2024-10-09 17:55:25 +02:00
parent 125b7fc255
commit 36ca179358
10 changed files with 127 additions and 24 deletions

View file

@ -1,6 +1,6 @@
---
apiVersion: v2
version: 0.1.0 # Chart version
version: 0.4.0 # Chart version
appVersion: "2.1.4" # Penpot version
type: application
name: penpot
@ -39,8 +39,12 @@ annotations:
url: https://penpot.app/dev-diaries.html
artifacthub.io/containsSecurityUpdates: "false"
artifacthub.io/changes: |
- kind: added
description: containsSecurityUpdates and podSecurityContext can be defined for penpot-frontend.
- kind: added
description: Allow to run in a Openshift Container Platform.
- kind: changed
description: Bump to 0.1.0. Initial release.
description: Change penpot-frontend service port to 8080.
dependencies:
- name: postgresql
version: 15.x.x # appVersion >= 16.2.0

View file

@ -1,6 +1,6 @@
# penpot
![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) ![AppVersion: 2.1.4](https://img.shields.io/badge/AppVersion-2.1.4-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
![Version: 0.4.0](https://img.shields.io/badge/Version-0.4.0-informational?style=flat-square) ![AppVersion: 2.1.4](https://img.shields.io/badge/AppVersion-2.1.4-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
Helm chart for Penpot, the Open Source design and prototyping platform.
@ -175,11 +175,11 @@ helm install my-release -f values.yaml penpot/penpot
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| frontend.affinity | object | `{}` | Affinity for Penpot pods assignment. Check [the official doc](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity) |
| frontend.containerSecurityContext | object | `{}` | Configure Container Security Context. Check [the official doc](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) |
| frontend.containerSecurityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["all"]},"readOnlyRootFilesystem":false,"runAsNonRoot":true,"runAsUser":1001}` | Configure Container Security Context. Check [the official doc](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) |
| frontend.deploymentAnnotations | object | `{}` | An optional map of annotations to be applied to the controller Deployment |
| frontend.image.pullPolicy | string | `"IfNotPresent"` | The image pull policy to use. |
| frontend.image.repository | string | `"penpotapp/frontend"` | The Docker repository to pull the image from. |
| frontend.image.tag | string | `"2.1.4"` | The image tag to use. |
| frontend.image.repository | string | `"bameda00/test-p"` | The Docker repository to pull the image from. |
| frontend.image.tag | string | `"latest"` | The image tag to use. |
| frontend.nodeSelector | object | `{}` | Node labels for Penpot pods assignment. Check [the official doc](https://kubernetes.io/docs/user-guide/node-selection/) |
| frontend.pdb | object | `{"enabled":false,"maxUnavailable":null,"minAvailable":null}` | Configure Pod Disruption Budget for the frontend pods. Check [the official doc](https://kubernetes.io/docs/tasks/run-application/configure-pdb/) |
| frontend.pdb.enabled | bool | `false` | Enable Pod Disruption Budget for the frontend pods. |
@ -187,12 +187,12 @@ helm install my-release -f values.yaml penpot/penpot
| frontend.pdb.minAvailable | int,string | `nil` | The number or percentage of pods from that set that must still be available after the eviction (e.g.: 3, "10%"). |
| frontend.podAnnotations | object | `{}` | An optional map of annotations to be applied to the controller Pods |
| frontend.podLabels | object | `{}` | An optional map of labels to be applied to the controller Pods |
| frontend.podSecurityContext | object | `{}` | Configure Pods Security Context. Check [the official doc](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) |
| frontend.podSecurityContext | object | `{"fsGroup":1001}` | Configure Pods Security Context. Check [the official doc](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) |
| frontend.replicaCount | int | `1` | The number of replicas to deploy. |
| frontend.resources | object | `{"limits":{},"requests":{}}` | Penpot frontend resource requests and limits. Check [the official doc](https://kubernetes.io/docs/user-guide/compute-resources/) |
| frontend.resources.limits | object | `{}` | The resources limits for the Penpot frontend containers |
| frontend.resources.requests | object | `{}` | The requested resources for the Penpot frontend containers |
| frontend.service.port | int | `80` | The service port to use. |
| frontend.service.port | int | `8080` | The service port to use. |
| frontend.service.type | string | `"ClusterIP"` | The service type to create. |
| frontend.tolerations | list | `[]` | Tolerations for Penpot pods assignment. Check [the official doc](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/) |
@ -251,14 +251,25 @@ helm install my-release -f values.yaml penpot/penpot
| ingress.path | string | `"/"` | Root path for every hosts. |
| ingress.tls | list | `[]` | Array style TLS secrets for the (frontend) ingress crontroller. E.g. tls: - secretName: penpot.example.com-tls hosts: - penpot.example.com |
### Reute (for OpenShift Container Platform)
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| route.annotations | object | `{}` | An optional map of annotations to be applied to the route. |
| route.enabled | bool | `false` | Enable Openshift/OKD Route. Check [the official doc](https://docs.openshift.com/container-platform/4.16/networking/routes/route-configuration.html). When it is enabled, all fsGroup and runAsUser must be changed to null. |
| route.host | string | `"penpot.example.com"` | The default external hostname to access to the penpot app. |
| route.path | string | `nil` | Define a path to use Path-based routes. |
| route.tls | object | `{}` | A Map with TLS configuration for the route. E.g. tls: terminationType: edge terminationPolicy: Redirect |
| route.wildcardPolicy | string | `"None"` | Define the wildcard policy (None, Subdomain, ...) |
### PostgreSQL
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| postgresql | object | `{"auth":{"database":"penpot","password":"penpot","username":"penpot"}}` | PostgreSQL configuration (Check for [more parameters here](https://artifacthub.io/packages/helm/bitnami/postgresql)) |
| postgresql.auth.database | string | `"penpot"` | Name for a custom database to create. |
| postgresql.auth.password | string | `"penpot"` | Password for the custom user to create. |
| postgresql.auth.username | string | `"penpot"` | Name for a custom user to create. |
| postgresql.global.compatibility.openshift.adaptSecurityContext | string | `"auto"` | Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) |
> **NOTE**: You can use more parameters according to the [PostgreSQL oficial documentation](https://artifacthub.io/packages/helm/bitnami/postgresql#parameters).
@ -266,8 +277,8 @@ helm install my-release -f values.yaml penpot/penpot
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| redis | object | `{"auth":{"enabled":false}}` | Redis configuration (Check for [more parameters here](https://artifacthub.io/packages/helm/bitnami/redis)) |
| redis.auth.enabled | bool | `false` | Whether to enable password authentication. |
| redis.global.compatibility.openshift.adaptSecurityContext | string | `"auto"` | Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) |
> **NOTE**: You can use more parameters according to the [Redis oficial documentation](https://artifacthub.io/packages/helm/bitnami/redis#parameters).

View file

@ -64,6 +64,7 @@ helm install my-release -f values.yaml penpot/{{ template "chart.name" . }}
(hasPrefix "exporter" .Key)
(hasPrefix "persistence" .Key)
(hasPrefix "ingress" .Key)
(hasPrefix "route" .Key)
(hasPrefix "postgresql" .Key)
(hasPrefix "redis" .Key)
) }}
@ -138,6 +139,17 @@ helm install my-release -f values.yaml penpot/{{ template "chart.name" . }}
{{- end }}
### Reute (for OpenShift Container Platform)
| Key | Type | Default | Description |
|-----|------|---------|-------------|
{{- range .Values }}
{{- if hasPrefix "route" .Key }}
| {{ .Key }} | {{ .Type }} | {{ if .Default }}{{ .Default }}{{ else }}{{ .AutoDefault }}{{ end }} | {{ if .Description }}{{ .Description }}{{ else }}{{ .AutoDescription }}{{ end }} |
{{- end }}
{{- end }}
### PostgreSQL
| Key | Type | Default | Description |

View file

@ -6,11 +6,11 @@ metadata:
labels:
{{- include "penpot.labels" . | nindent 4 }}
spec:
selector:
{{- include "penpot.backendSelectorLabels" . | nindent 4 }}
type: {{ .Values.backend.service.type }}
ports:
- port: {{ .Values.backend.service.port }}
targetPort: {{ .Values.backend.service.port }}
protocol: TCP
name: http
selector:
{{- include "penpot.backendSelectorLabels" . | nindent 4 }}

View file

@ -9,7 +9,7 @@ spec:
type: {{ .Values.frontend.service.type }}
ports:
- port: {{ .Values.frontend.service.port }}
targetPort: http
targetPort: {{ .Values.frontend.service.port }}
protocol: TCP
name: http
selector:

View file

@ -0,0 +1,30 @@
{{- if .Values.route.enabled -}}
apiVersion: route.openshift.io/v1
kind: Route
metadata:
name: {{ include "penpot.fullname" . }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "penpot.labels" . | nindent 4 }}
{{- with .Values.route.annotations }}
annotations:
{{- range $key, $value := . }}
{{ $key }}: {{ $value | quote }}
{{- end }}
{{- end }}
spec:
host: {{ .Values.route.host }}
path: {{ .Values.route.path }}
to:
kind: Service
name: {{ include "penpot.fullname" . }}
port:
targetPort: http
{{- with .Values.route.tls }}
tls:
{{- range $key, $value := . }}
{{ $key }}: {{ $value | quote }}
{{- end }}
{{ end }}
wildcardPolicy: {{ .Values.route.wildcardPolicy | quote }}
{{- end }}

View file

@ -384,10 +384,10 @@ frontend:
image:
# -- The Docker repository to pull the image from.
# @section -- Frontend parameters
repository: penpotapp/frontend
repository: bameda00/test-p
# -- The image tag to use.
# @section -- Frontend parameters
tag: 2.1.4
tag: latest
# -- The image pull policy to use.
# @section -- Frontend parameters
pullPolicy: IfNotPresent
@ -400,7 +400,7 @@ frontend:
type: ClusterIP
# -- The service port to use.
# @section -- Frontend parameters
port: 80
port: 8080
# -- An optional map of annotations to be applied to the controller Deployment
# @section -- Frontend parameters
deploymentAnnotations: {}
@ -412,10 +412,18 @@ frontend:
podAnnotations: {}
# -- Configure Pods Security Context. Check [the official doc](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod)
# @section -- Frontend parameters
podSecurityContext: {}
podSecurityContext:
fsGroup: 1001
# -- Configure Container Security Context. Check [the official doc](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod)
# @section -- Frontend parameters
containerSecurityContext: {}
containerSecurityContext:
runAsUser: 1001
allowPrivilegeEscalation: false
capabilities:
drop:
- all
readOnlyRootFilesystem: false
runAsNonRoot: true
# -- Affinity for Penpot pods assignment. Check [the official doc](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity)
# @section -- Frontend parameters
affinity: {}
@ -522,7 +530,6 @@ exporter:
# @section -- Exporter parameters
maxUnavailable:
# @section -- Persistence parameters
persistence:
assets:
# -- Enable assets persistence using Persistent Volume Claims.
@ -599,9 +606,39 @@ ingress:
# @section -- Ingress parameters
tls: []
# -- PostgreSQL configuration (Check for [more parameters here](https://artifacthub.io/packages/helm/bitnami/postgresql))
# @section -- PostgreSQL Dependencie parameters
route:
# -- Enable Openshift/OKD Route. Check [the official doc](https://docs.openshift.com/container-platform/4.16/networking/routes/route-configuration.html). When it is enabled, all fsGroup and runAsUser must be changed to null.
# @section -- Route parameters
enabled: false
# -- An optional map of annotations to be applied to the route.
# @section -- Route parameters
annotations: {}
# -- The default external hostname to access to the penpot app.
# @section -- Route parameters
host: penpot.example.com
# -- Define a path to use Path-based routes.
# @section -- Route parameters
path: null
# -- A Map with TLS configuration for the route.
# E.g.
# tls:
# terminationType: edge
# terminationPolicy: Redirect
# @section -- Route parameters
tls: {}
# -- Define the wildcard policy (None, Subdomain, ...)
# @section -- Route parameters
wildcardPolicy: None
# PostgreSQL configuration (Check for [more parameters here](https://artifacthub.io/packages/helm/bitnami/postgresql))
postgresql:
global:
compatibility:
openshift:
# -- Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation)
# @section -- PostgreSQL Dependencie parameters
adaptSecurityContext: 'auto'
auth:
# -- Name for a custom user to create.
# @section -- PostgreSQL Dependencie parameters
@ -613,9 +650,14 @@ postgresql:
# @section -- PostgreSQL Dependencie parameters
database: "penpot"
# -- Redis configuration (Check for [more parameters here](https://artifacthub.io/packages/helm/bitnami/redis))
# @section -- Redis Dependencie parameters
# Redis configuration (Check for [more parameters here](https://artifacthub.io/packages/helm/bitnami/redis))
redis:
global:
compatibility:
openshift:
# -- Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation)
# @section -- Redis Dependencie parameters
adaptSecurityContext: 'auto'
auth:
# -- Whether to enable password authentication.
# @section -- Redis Dependencie parameters

View file

@ -41,5 +41,5 @@ pre-commit install --install-hooks -f
> [!TIP]
> if you disable ingress, you can exposing the app in the port 8888 with:
> ```shell
> kubectl port-forward service/penpot 8888:80
> kubectl port-forward service/penpot 8888:8080
> ```

View file

@ -10,6 +10,9 @@ nodes:
kubeletExtraArgs:
node-labels: "ingress-ready=true"
extraPortMappings:
- containerPort: 8080
hostPort: 8080
protocol: TCP
- containerPort: 80
hostPort: 80
protocol: TCP

View file

@ -1,3 +1,4 @@
---
## Default values for Penpot (local setup for development purpose)
global:
postgresqlEnabled: true