mirror of
https://github.com/penpot/penpot-helm.git
synced 2024-12-22 05:32:59 -05:00
feat: use new penpot-frontend image based on nginx-unprivileged
parent
125b7fc255
commit
36ca179358
10 changed files with 127 additions and 24 deletions
|
@ -1,6 +1,6 @@
|
|||
---
|
||||
apiVersion: v2
|
||||
version: 0.1.0 # Chart version
|
||||
version: 0.4.0 # Chart version
|
||||
appVersion: "2.1.4" # Penpot version
|
||||
type: application
|
||||
name: penpot
|
||||
|
@ -39,8 +39,12 @@ annotations:
|
|||
url: https://penpot.app/dev-diaries.html
|
||||
artifacthub.io/containsSecurityUpdates: "false"
|
||||
artifacthub.io/changes: |
|
||||
- kind: added
|
||||
description: containsSecurityUpdates and podSecurityContext can be defined for penpot-frontend.
|
||||
- kind: added
|
||||
description: Allow to run in a Openshift Container Platform.
|
||||
- kind: changed
|
||||
description: Bump to 0.1.0. Initial release.
|
||||
description: Change penpot-frontend service port to 8080.
|
||||
dependencies:
|
||||
- name: postgresql
|
||||
version: 15.x.x # appVersion >= 16.2.0
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
# penpot
|
||||
|
||||
![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) ![AppVersion: 2.1.4](https://img.shields.io/badge/AppVersion-2.1.4-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
|
||||
![Version: 0.4.0](https://img.shields.io/badge/Version-0.4.0-informational?style=flat-square) ![AppVersion: 2.1.4](https://img.shields.io/badge/AppVersion-2.1.4-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
|
||||
|
||||
Helm chart for Penpot, the Open Source design and prototyping platform.
|
||||
|
||||
|
@ -175,11 +175,11 @@ helm install my-release -f values.yaml penpot/penpot
|
|||
| Key | Type | Default | Description |
|
||||
|-----|------|---------|-------------|
|
||||
| frontend.affinity | object | `{}` | Affinity for Penpot pods assignment. Check [the official doc](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity) |
|
||||
| frontend.containerSecurityContext | object | `{}` | Configure Container Security Context. Check [the official doc](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) |
|
||||
| frontend.containerSecurityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["all"]},"readOnlyRootFilesystem":false,"runAsNonRoot":true,"runAsUser":1001}` | Configure Container Security Context. Check [the official doc](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) |
|
||||
| frontend.deploymentAnnotations | object | `{}` | An optional map of annotations to be applied to the controller Deployment |
|
||||
| frontend.image.pullPolicy | string | `"IfNotPresent"` | The image pull policy to use. |
|
||||
| frontend.image.repository | string | `"penpotapp/frontend"` | The Docker repository to pull the image from. |
|
||||
| frontend.image.tag | string | `"2.1.4"` | The image tag to use. |
|
||||
| frontend.image.repository | string | `"bameda00/test-p"` | The Docker repository to pull the image from. |
|
||||
| frontend.image.tag | string | `"latest"` | The image tag to use. |
|
||||
| frontend.nodeSelector | object | `{}` | Node labels for Penpot pods assignment. Check [the official doc](https://kubernetes.io/docs/user-guide/node-selection/) |
|
||||
| frontend.pdb | object | `{"enabled":false,"maxUnavailable":null,"minAvailable":null}` | Configure Pod Disruption Budget for the frontend pods. Check [the official doc](https://kubernetes.io/docs/tasks/run-application/configure-pdb/) |
|
||||
| frontend.pdb.enabled | bool | `false` | Enable Pod Disruption Budget for the frontend pods. |
|
||||
|
@ -187,12 +187,12 @@ helm install my-release -f values.yaml penpot/penpot
|
|||
| frontend.pdb.minAvailable | int,string | `nil` | The number or percentage of pods from that set that must still be available after the eviction (e.g.: 3, "10%"). |
|
||||
| frontend.podAnnotations | object | `{}` | An optional map of annotations to be applied to the controller Pods |
|
||||
| frontend.podLabels | object | `{}` | An optional map of labels to be applied to the controller Pods |
|
||||
| frontend.podSecurityContext | object | `{}` | Configure Pods Security Context. Check [the official doc](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) |
|
||||
| frontend.podSecurityContext | object | `{"fsGroup":1001}` | Configure Pods Security Context. Check [the official doc](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) |
|
||||
| frontend.replicaCount | int | `1` | The number of replicas to deploy. |
|
||||
| frontend.resources | object | `{"limits":{},"requests":{}}` | Penpot frontend resource requests and limits. Check [the official doc](https://kubernetes.io/docs/user-guide/compute-resources/) |
|
||||
| frontend.resources.limits | object | `{}` | The resources limits for the Penpot frontend containers |
|
||||
| frontend.resources.requests | object | `{}` | The requested resources for the Penpot frontend containers |
|
||||
| frontend.service.port | int | `80` | The service port to use. |
|
||||
| frontend.service.port | int | `8080` | The service port to use. |
|
||||
| frontend.service.type | string | `"ClusterIP"` | The service type to create. |
|
||||
| frontend.tolerations | list | `[]` | Tolerations for Penpot pods assignment. Check [the official doc](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/) |
|
||||
|
||||
|
@ -251,14 +251,25 @@ helm install my-release -f values.yaml penpot/penpot
|
|||
| ingress.path | string | `"/"` | Root path for every hosts. |
|
||||
| ingress.tls | list | `[]` | Array style TLS secrets for the (frontend) ingress crontroller. E.g. tls: - secretName: penpot.example.com-tls hosts: - penpot.example.com |
|
||||
|
||||
### Reute (for OpenShift Container Platform)
|
||||
|
||||
| Key | Type | Default | Description |
|
||||
|-----|------|---------|-------------|
|
||||
| route.annotations | object | `{}` | An optional map of annotations to be applied to the route. |
|
||||
| route.enabled | bool | `false` | Enable Openshift/OKD Route. Check [the official doc](https://docs.openshift.com/container-platform/4.16/networking/routes/route-configuration.html). When it is enabled, all fsGroup and runAsUser must be changed to null. |
|
||||
| route.host | string | `"penpot.example.com"` | The default external hostname to access to the penpot app. |
|
||||
| route.path | string | `nil` | Define a path to use Path-based routes. |
|
||||
| route.tls | object | `{}` | A Map with TLS configuration for the route. E.g. tls: terminationType: edge terminationPolicy: Redirect |
|
||||
| route.wildcardPolicy | string | `"None"` | Define the wildcard policy (None, Subdomain, ...) |
|
||||
|
||||
### PostgreSQL
|
||||
|
||||
| Key | Type | Default | Description |
|
||||
|-----|------|---------|-------------|
|
||||
| postgresql | object | `{"auth":{"database":"penpot","password":"penpot","username":"penpot"}}` | PostgreSQL configuration (Check for [more parameters here](https://artifacthub.io/packages/helm/bitnami/postgresql)) |
|
||||
| postgresql.auth.database | string | `"penpot"` | Name for a custom database to create. |
|
||||
| postgresql.auth.password | string | `"penpot"` | Password for the custom user to create. |
|
||||
| postgresql.auth.username | string | `"penpot"` | Name for a custom user to create. |
|
||||
| postgresql.global.compatibility.openshift.adaptSecurityContext | string | `"auto"` | Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) |
|
||||
|
||||
> **NOTE**: You can use more parameters according to the [PostgreSQL oficial documentation](https://artifacthub.io/packages/helm/bitnami/postgresql#parameters).
|
||||
|
||||
|
@ -266,8 +277,8 @@ helm install my-release -f values.yaml penpot/penpot
|
|||
|
||||
| Key | Type | Default | Description |
|
||||
|-----|------|---------|-------------|
|
||||
| redis | object | `{"auth":{"enabled":false}}` | Redis configuration (Check for [more parameters here](https://artifacthub.io/packages/helm/bitnami/redis)) |
|
||||
| redis.auth.enabled | bool | `false` | Whether to enable password authentication. |
|
||||
| redis.global.compatibility.openshift.adaptSecurityContext | string | `"auto"` | Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) |
|
||||
|
||||
> **NOTE**: You can use more parameters according to the [Redis oficial documentation](https://artifacthub.io/packages/helm/bitnami/redis#parameters).
|
||||
|
||||
|
|
|
@ -64,6 +64,7 @@ helm install my-release -f values.yaml penpot/{{ template "chart.name" . }}
|
|||
(hasPrefix "exporter" .Key)
|
||||
(hasPrefix "persistence" .Key)
|
||||
(hasPrefix "ingress" .Key)
|
||||
(hasPrefix "route" .Key)
|
||||
(hasPrefix "postgresql" .Key)
|
||||
(hasPrefix "redis" .Key)
|
||||
) }}
|
||||
|
@ -138,6 +139,17 @@ helm install my-release -f values.yaml penpot/{{ template "chart.name" . }}
|
|||
{{- end }}
|
||||
|
||||
|
||||
### Reute (for OpenShift Container Platform)
|
||||
|
||||
| Key | Type | Default | Description |
|
||||
|-----|------|---------|-------------|
|
||||
{{- range .Values }}
|
||||
{{- if hasPrefix "route" .Key }}
|
||||
| {{ .Key }} | {{ .Type }} | {{ if .Default }}{{ .Default }}{{ else }}{{ .AutoDefault }}{{ end }} | {{ if .Description }}{{ .Description }}{{ else }}{{ .AutoDescription }}{{ end }} |
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
|
||||
### PostgreSQL
|
||||
|
||||
| Key | Type | Default | Description |
|
||||
|
|
|
@ -6,11 +6,11 @@ metadata:
|
|||
labels:
|
||||
{{- include "penpot.labels" . | nindent 4 }}
|
||||
spec:
|
||||
selector:
|
||||
{{- include "penpot.backendSelectorLabels" . | nindent 4 }}
|
||||
type: {{ .Values.backend.service.type }}
|
||||
ports:
|
||||
- port: {{ .Values.backend.service.port }}
|
||||
targetPort: {{ .Values.backend.service.port }}
|
||||
protocol: TCP
|
||||
name: http
|
||||
selector:
|
||||
{{- include "penpot.backendSelectorLabels" . | nindent 4 }}
|
||||
|
|
|
@ -9,7 +9,7 @@ spec:
|
|||
type: {{ .Values.frontend.service.type }}
|
||||
ports:
|
||||
- port: {{ .Values.frontend.service.port }}
|
||||
targetPort: http
|
||||
targetPort: {{ .Values.frontend.service.port }}
|
||||
protocol: TCP
|
||||
name: http
|
||||
selector:
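Review bot: The `targetPort: {{ .Values.frontend.service.port }}` line ties the container port to the Service port, so any override of `frontend.service.port` (for example back to 80) points the Service at a port the unprivileged nginx image is presumably not listening on. Assuming the templated line is the new side of this change, keeping the named port (`targetPort: http`) would let operators change the Service port without breaking routing; the Route template added in this commit already refers to `targetPort: http`. If the coupling is intended, a comment such as `# must equal the port nginx listens on inside the frontend image` on this line would make the constraint visible. The Deployment template is not part of this section, so whether its containerPort follows the same value cannot be confirmed from here.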
|
||||
|
|
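--- a/charts/penpot/templates/route.yml
+++ b/charts/penpot/templates/route.yml
@@ -0,0 +1,30 @@
+{{- if .Values.route.enabled -}}
+apiVersion: route.openshift.io/v1
+kind: Route
+metadata:
+name: {{ include "penpot.fullname" . }}
+namespace: {{ .Release.Namespace }}
+labels:
+{{- include "penpot.labels" . | nindent 4 }}
+{{- with .Values.route.annotations }}
+annotations:
+{{- range $key, $value := . }}
+{{ $key }}: {{ $value | quote }}
+{{- end }}
+{{- end }}
+spec:
+host: {{ .Values.route.host }}
+path: {{ .Values.route.path }}
+to:
+kind: Service
+name: {{ include "penpot.fullname" . }}
+port:
+targetPort: http
+{{- with .Values.route.tls }}
+tls:
+{{- range $key, $value := . }}
+{{ $key }}: {{ $value | quote }}
+{{- end }}
+{{ end }}
+wildcardPolicy: {{ .Values.route.wildcardPolicy | quote }}
+{{- end }}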
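Review bot: With the default `route.tls: {}` the `with .Values.route.tls` block renders nothing, so an enabled Route is exposed over plain HTTP and traffic to Penpot crosses the router unencrypted unless the operator adds TLS settings. Consider stating that next to `route.enabled`, or defaulting to edge termination with a redirect for insecure traffic. The `range`/`quote` loop also emits only flat string pairs, and the example keys in the values comment (`terminationType`, `terminationPolicy`) do not look like the Route `spec.tls` field names (`termination`, `insecureEdgeTerminationPolicy`), so the example should be checked against the Route API. `host` is rendered unquoted, unlike `wildcardPolicy`; `host: {{ .Values.route.host | quote }}` would keep unusual values from being retyped by the YAML parser.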
|
|
@ -384,10 +384,10 @@ frontend:
|
|||
image:
|
||||
# -- The Docker repository to pull the image from.
|
||||
# @section -- Frontend parameters
|
||||
repository: penpotapp/frontend
|
||||
repository: bameda00/test-p
|
||||
# -- The image tag to use.
|
||||
# @section -- Frontend parameters
|
||||
tag: 2.1.4
|
||||
tag: latest
|
||||
# -- The image pull policy to use.
|
||||
# @section -- Frontend parameters
|
||||
pullPolicy: IfNotPresent
|
||||
|
@ -400,7 +400,7 @@ frontend:
|
|||
type: ClusterIP
|
||||
# -- The service port to use.
|
||||
# @section -- Frontend parameters
|
||||
port: 80
|
||||
port: 8080
|
||||
# -- An optional map of annotations to be applied to the controller Deployment
|
||||
# @section -- Frontend parameters
|
||||
deploymentAnnotations: {}
|
||||
|
@ -412,10 +412,18 @@ frontend:
|
|||
podAnnotations: {}
|
||||
# -- Configure Pods Security Context. Check [the official doc](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod)
|
||||
# @section -- Frontend parameters
|
||||
podSecurityContext: {}
|
||||
podSecurityContext:
|
||||
fsGroup: 1001
|
||||
# -- Configure Container Security Context. Check [the official doc](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod)
|
||||
# @section -- Frontend parameters
|
||||
containerSecurityContext: {}
|
||||
containerSecurityContext:
|
||||
runAsUser: 1001
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- all
|
||||
readOnlyRootFilesystem: false
|
||||
runAsNonRoot: true
|
||||
# -- Affinity for Penpot pods assignment. Check [the official doc](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity)
|
||||
# @section -- Frontend parameters
|
||||
affinity: {}
|
||||
|
@ -522,7 +530,6 @@ exporter:
|
|||
# @section -- Exporter parameters
|
||||
maxUnavailable:
|
||||
|
||||
# @section -- Persistence parameters
|
||||
persistence:
|
||||
assets:
|
||||
# -- Enable assets persistence using Persistent Volume Claims.
|
||||
|
@ -599,9 +606,39 @@ ingress:
|
|||
# @section -- Ingress parameters
|
||||
tls: []
|
||||
|
||||
# -- PostgreSQL configuration (Check for [more parameters here](https://artifacthub.io/packages/helm/bitnami/postgresql))
|
||||
# @section -- PostgreSQL Dependencie parameters
|
||||
route:
|
||||
# -- Enable Openshift/OKD Route. Check [the official doc](https://docs.openshift.com/container-platform/4.16/networking/routes/route-configuration.html). When it is enabled, all fsGroup and runAsUser must be changed to null.
|
||||
# @section -- Route parameters
|
||||
enabled: false
|
||||
# -- An optional map of annotations to be applied to the route.
|
||||
# @section -- Route parameters
|
||||
annotations: {}
|
||||
# -- The default external hostname to access to the penpot app.
|
||||
# @section -- Route parameters
|
||||
host: penpot.example.com
|
||||
# -- Define a path to use Path-based routes.
|
||||
# @section -- Route parameters
|
||||
path: null
|
||||
# -- A Map with TLS configuration for the route.
|
||||
# E.g.
|
||||
# tls:
|
||||
# terminationType: edge
|
||||
# terminationPolicy: Redirect
|
||||
# @section -- Route parameters
|
||||
tls: {}
|
||||
# -- Define the wildcard policy (None, Subdomain, ...)
|
||||
# @section -- Route parameters
|
||||
wildcardPolicy: None
|
||||
|
||||
# PostgreSQL configuration (Check for [more parameters here](https://artifacthub.io/packages/helm/bitnami/postgresql))
|
||||
postgresql:
|
||||
global:
|
||||
compatibility:
|
||||
openshift:
|
||||
# -- Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation)
|
||||
# @section -- PostgreSQL Dependencie parameters
|
||||
adaptSecurityContext: 'auto'
|
||||
|
||||
auth:
|
||||
# -- Name for a custom user to create.
|
||||
# @section -- PostgreSQL Dependencie parameters
|
||||
|
@ -613,9 +650,14 @@ postgresql:
|
|||
# @section -- PostgreSQL Dependencie parameters
|
||||
database: "penpot"
|
||||
|
||||
# -- Redis configuration (Check for [more parameters here](https://artifacthub.io/packages/helm/bitnami/redis))
|
||||
# @section -- Redis Dependencie parameters
|
||||
# Redis configuration (Check for [more parameters here](https://artifacthub.io/packages/helm/bitnami/redis))
|
||||
redis:
|
||||
global:
|
||||
compatibility:
|
||||
openshift:
|
||||
# -- Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation)
|
||||
# @section -- Redis Dependencie parameters
|
||||
adaptSecurityContext: 'auto'
|
||||
auth:
|
||||
# -- Whether to enable password authentication.
|
||||
# @section -- Redis Dependencie parameters
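Review bot: The frontend image default moves from the pinned `penpotapp/frontend` tag `2.1.4` to `bameda00/test-p` with `tag: latest`, which reads like a personal test repository on a mutable tag and would become what every install of the chart pulls. Assuming these are the new-side lines, the release default should return to the project's own repository with a fixed version tag (ideally a digest) before the chart is published. With `pullPolicy: IfNotPresent`, a `latest` tag also lets nodes keep running different cached builds, so the deployed image is neither reproducible nor auditable. This applies to the `image:` hunk at the top of the section; the security-context and route hunks below are not affected.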
|
||||
|
|
|
@ -41,5 +41,5 @@ pre-commit install --install-hooks -f
|
|||
> [!TIP]
|
||||
> if you disable ingress, you can exposing the app in the port 8888 with:
|
||||
> ```shell
|
||||
> kubectl port-forward service/penpot 8888:80
|
||||
> kubectl port-forward service/penpot 8888:8080
|
||||
> ```
|
||||
|
|
|
@ -10,6 +10,9 @@ nodes:
|
|||
kubeletExtraArgs:
|
||||
node-labels: "ingress-ready=true"
|
||||
extraPortMappings:
|
||||
- containerPort: 8080
|
||||
hostPort: 8080
|
||||
protocol: TCP
|
||||
- containerPort: 80
|
||||
hostPort: 80
|
||||
protocol: TCP
|
||||
|
|
|
@ -1,3 +1,4 @@
|
|||
---
|
||||
## Default values for Penpot (local setup for development purpose)
|
||||
global:
|
||||
postgresqlEnabled: true
|
||||
|
|