feat: homogenize and simplify container and pod security context and affinity

charts/penpot/README.md

@@ -26,13 +26,7 @@ $ helm install my-release penpot/penpot
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
 | backend.affinity | object | `{}` | Affinity for Penpot pods assignment. Check [the official doc](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity) |
-| backend.containerSecurityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["all"]},"enabled":true,"readOnlyRootFilesystem":false,"runAsNonRoot":true,"runAsUser":1001}` | Configure Container Security Context. Check [the official doc](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) |
+| backend.containerSecurityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["all"]},"readOnlyRootFilesystem":false,"runAsNonRoot":true,"runAsUser":1001}` | Configure Container Security Context. Check [the official doc](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) |
-| backend.containerSecurityContext.allowPrivilegeEscalation | bool | `false` | Set Penpot containers' security context allowPrivilegeEscalation |
-| backend.containerSecurityContext.capabilities | object | `{"drop":["all"]}` | Set Penpot containers' security context capabilities to be dropped |
-| backend.containerSecurityContext.enabled | bool | `true` | Enabled Penpot containers' security context |
-| backend.containerSecurityContext.readOnlyRootFilesystem | bool | `false` | Set Penpot containers' security context readOnlyRootFilesystem |
-| backend.containerSecurityContext.runAsNonRoot | bool | `true` | Set Penpot container's security context runAsNonRoot |
-| backend.containerSecurityContext.runAsUser | int | `1001` | Set Penpot containers' security context runAsUser |
 | backend.deploymentAnnotations | object | `{}` | An optional map of annotations to be applied to the controller Deployment |
 | backend.image.pullPolicy | string | `"IfNotPresent"` | The image pull policy to use. |
 | backend.image.repository | string | `"penpotapp/backend"` | The Docker repository to pull the image from. |
@@ -40,9 +34,7 @@ $ helm install my-release penpot/penpot
 | backend.nodeSelector | object | `{}` | Node labels for Penpot pods assignment. Check [the official doc](https://kubernetes.io/docs/user-guide/node-selection/) |
 | backend.podAnnotations | object | `{}` | An optional map of annotations to be applied to the controller Pods |
 | backend.podLabels | object | `{}` | An optional map of labels to be applied to the controller Pods |
-| backend.podSecurityContext | object | `{"enabled":true,"fsGroup":1001}` | Configure Pods Security Context. Check [the official doc](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) |
+| backend.podSecurityContext | object | `{"fsGroup":1001}` | Configure Pods Security Context. Check [the official doc](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) |
-| backend.podSecurityContext.enabled | bool | `true` | Enabled Penpot pods' security context |
-| backend.podSecurityContext.fsGroup | int | `1001` | Set Penpot pod's security context fsGroup |
 | backend.replicaCount | int | `1` | The number of replicas to deploy. |
 | backend.resources | object | `{"limits":{},"requests":{}}` | Penpot backend resource requests and limits. Check [the official doc](https://kubernetes.io/docs/user-guide/compute-resources/) |
 | backend.resources.limits | object | `{}` | The resources limits for the Penpot backend containers |
@@ -145,13 +137,7 @@ $ helm install my-release penpot/penpot
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
 | exporter.affinity | object | `{}` | Affinity for Penpot pods assignment. Check [the official doc](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity) |
-| exporter.containerSecurityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["all"]},"enabled":true,"readOnlyRootFilesystem":false,"runAsNonRoot":true,"runAsUser":1001}` | Configure Container Security Context. Check [the official doc](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) |
+| exporter.containerSecurityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["all"]},"readOnlyRootFilesystem":false,"runAsNonRoot":true,"runAsUser":1001}` | Configure Container Security Context. Check [the official doc](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) |
-| exporter.containerSecurityContext.allowPrivilegeEscalation | bool | `false` | Set Penpot containers' security context allowPrivilegeEscalation |
-| exporter.containerSecurityContext.capabilities | object | `{"drop":["all"]}` | Set Penpot containers' security context capabilities to be dropped |
-| exporter.containerSecurityContext.enabled | bool | `true` | Enabled Penpot containers' security context |
-| exporter.containerSecurityContext.readOnlyRootFilesystem | bool | `false` | Set Penpot containers' security context readOnlyRootFilesystem |
-| exporter.containerSecurityContext.runAsNonRoot | bool | `true` | Set Penpot container's security context runAsNonRoot |
-| exporter.containerSecurityContext.runAsUser | int | `1001` | Set Penpot containers' security context runAsUser |
 | exporter.deploymentAnnotations | object | `{}` | An optional map of annotations to be applied to the controller Deployment |
 | exporter.image.imagePullPolicy | string | `"IfNotPresent"` | The image pull policy to use. |
 | exporter.image.repository | string | `"penpotapp/exporter"` | The Docker repository to pull the image from. |
@@ -159,9 +145,7 @@ $ helm install my-release penpot/penpot
 | exporter.nodeSelector | object | `{}` | Node labels for Penpot pods assignment. Check [the official doc](https://kubernetes.io/docs/user-guide/node-selection/) |
 | exporter.podAnnotations | object | `{}` | An optional map of annotations to be applied to the controller Pods |
 | exporter.podLabels | object | `{}` | An optional map of labels to be applied to the controller Pods |
-| exporter.podSecurityContext | object | `{"enabled":true,"fsGroup":1001}` | Configure Pods Security Context. Check [the official doc](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) |
+| exporter.podSecurityContext | object | `{"fsGroup":1001}` | Configure Pods Security Context. Check [the official doc](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) |
-| exporter.podSecurityContext.enabled | bool | `true` | Enabled Penpot pods' security context |
-| exporter.podSecurityContext.fsGroup | int | `1001` | Set Penpot pod's security context fsGroup |
 | exporter.replicaCount | int | `1` | The number of replicas to deploy. Enable persistence.exporter if you use more than 1 replicaCount |
 | exporter.resources | object | `{"limits":{},"requests":{}}` | Penpot frontend resource requests and limits. Check [the official doc](https://kubernetes.io/docs/user-guide/compute-resources/) |
 | exporter.resources.limits | object | `{}` | The resources limits for the Penpot frontend containers |
@@ -175,6 +159,7 @@ $ helm install my-release penpot/penpot
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
 | frontend.affinity | object | `{}` | Affinity for Penpot pods assignment. Check [the official doc](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity) |
+| frontend.containerSecurityContext | object | `{}` | Configure Container Security Context. Check [the official doc](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) |
 | frontend.deploymentAnnotations | object | `{}` | An optional map of annotations to be applied to the controller Deployment |
 | frontend.image.pullPolicy | string | `"IfNotPresent"` | The image pull policy to use. |
 | frontend.image.repository | string | `"penpotapp/frontend"` | The Docker repository to pull the image from. |
@@ -182,6 +167,7 @@ $ helm install my-release penpot/penpot
 | frontend.nodeSelector | object | `{}` | Node labels for Penpot pods assignment. Check [the official doc](https://kubernetes.io/docs/user-guide/node-selection/) |
 | frontend.podAnnotations | object | `{}` | An optional map of annotations to be applied to the controller Pods |
 | frontend.podLabels | object | `{}` | An optional map of labels to be applied to the controller Pods |
+| frontend.podSecurityContext | object | `{}` | Configure Pods Security Context. Check [the official doc](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) |
 | frontend.replicaCount | int | `1` | The number of replicas to deploy. |
 | frontend.resources | object | `{"limits":{},"requests":{}}` | Penpot frontend resource requests and limits. Check [the official doc](https://kubernetes.io/docs/user-guide/compute-resources/) |
 | frontend.resources.limits | object | `{}` | The resources limits for the Penpot frontend containers |

charts/penpot/README.md.gotmpl

@@ -26,8 +26,12 @@ $ helm install my-release penpot/{{ template "chart.name" . }}
 
 ## Resources
 
-:speaking_head: [Community](https://community.penpot.app)<br />
+:speaking_head: [Community](https://community.penpot.app)
-:floppy_disk: [Documentation](https://help.penpot.app/)<br />
+
-:houses: [Architecture](https://help.penpot.app/technical-guide/developer/architecture/)<br />
+:floppy_disk: [Documentation](https://help.penpot.app/)
-:woman_teacher: [Tutorials](https://www.youtube.com/playlist?list=PLgcCPfOv5v54WpXhHmNO7T-YC7AE-SRsr)<br />
+
+:houses: [Architecture](https://help.penpot.app/technical-guide/developer/architecture/)
+
+:woman_teacher: [Tutorials](https://www.youtube.com/playlist?list=PLgcCPfOv5v54WpXhHmNO7T-YC7AE-SRsr)
+
 :memo: [Dev Diaries](https://penpot.app/dev-diaries.html)

charts/penpot/templates/assets-persistentvolumeclaim.yml

@@ -5,11 +5,11 @@ metadata:
   name: {{ include "penpot.fullname" . }}-data-assets
   namespace: {{ .Release.Namespace }}
   labels:
-{{- include "penpot.labels" . | nindent 4 }}
+    {{- include "penpot.labels" . | nindent 4 }}
-{{- if .Values.persistence.assets.annotations }}
+  {{- if .Values.persistence.assets.annotations }}
   annotations:
-{{ toYaml .Values.persistence.assets.annotations | indent 4 }}
+    {{ toYaml .Values.persistence.assets.annotations | indent 4 }}
-{{- end }}
+  {{- end }}
 spec:
   accessModes:
   {{- range .Values.persistence.assets.accessModes }}
@@ -18,7 +18,7 @@ spec:
   resources:
     requests:
       storage: {{ .Values.persistence.assets.size | quote }}
-{{- if .Values.persistence.assets.storageClass }}
+  {{- if .Values.persistence.assets.storageClass }}
   storageClassName: "{{ .Values.persistence.assets.storageClass }}"
-{{- end }}
+  {{- end }}
 {{- end -}}

charts/penpot/templates/backend-deployment.yml

@@ -27,33 +27,23 @@ spec:
         {{- toYaml . | nindent 8 }}
       {{- end }}
     spec:
-    {{- with .Values.global.imagePullSecrets }}
+      serviceAccountName: {{ include "penpot.serviceAccountName" . }}
+      {{- with .Values.global.imagePullSecrets }}
       imagePullSecrets:
         {{- toYaml . | nindent 8 }}
-    {{- end }}
+      {{- end }}
-      serviceAccountName: {{ include "penpot.serviceAccountName" . }}
+      {{- with .Values.backend.podSecurityContext }}
-    {{- if .Values.backend.podSecurityContext.enabled }}
       securityContext:
-        {{- omit .Values.backend.podSecurityContext "enabled" | toYaml | nindent 8 }}
+        {{- toYaml . | nindent 8 }}
-    {{- end }}
+      {{- end }}
-      affinity:
-        podAffinity:
-          requiredDuringSchedulingIgnoredDuringExecution:
-          - labelSelector:
-              matchExpressions:
-              - key: app.kubernetes.io/instance
-                operator: In
-                values:
-                - {{ .Release.Name }}
-            topologyKey: "kubernetes.io/hostname"
       containers:
         - name: {{ .Chart.Name }}-backend
           image: "{{ .Values.backend.image.repository }}:{{ .Values.backend.image.tag }}"
           imagePullPolicy: {{ .Values.backend.image.pullPolicy }}
-        {{- if .Values.backend.containerSecurityContext.enabled }}
+          {{- with .Values.backend.containerSecurityContext }}
           securityContext:
-            {{- omit .Values.backend.containerSecurityContext "enabled" | toYaml | nindent 12 }}
+            {{- toYaml . | nindent 12 }}
-        {{- end }}
+          {{- end }}
           env:
             # General settings
             - name: PENPOT_PUBLIC_URI
@@ -62,83 +52,83 @@ spec:
               value: "$PENPOT_FLAGS {{ .Values.config.flags }}"
             - name: PENPOT_SECRET_KEY
               value: {{ .Values.config.apiSecretKey | quote }}
-          {{- if .Values.config.registrationDomainWhitelist }}
+            {{- if .Values.config.registrationDomainWhitelist }}
             - name: PENPOT_REGISTRATION_DOMAIN_WHITELIST
               value: {{ .Values.config.registrationDomainWhitelist | quote }}
-          {{- end }}
+            {{- end }}
             - name: PENPOT_TELEMETRY_ENABLED
               value: {{ .Values.config.telemetryEnabled | quote }}
             # PosgreSQL connection settings
             - name: PENPOT_DATABASE_URI
-          {{- if .Values.config.postgresql.host }}
+              {{- if .Values.config.postgresql.host }}
               value: "postgresql://{{ .Values.config.postgresql.host }}:{{ .Values.config.postgresql.port }}/{{ .Values.config.postgresql.database }}"
-          {{- else }}
+              {{- else }}
               value: {{ print "postgresql://" (include "penpot.fullname" .) "-postgresql:" .Values.config.postgresql.port "/" .Values.config.postgresql.database }}
-          {{- end }}
+              {{- end }}
             - name: PENPOT_DATABASE_USERNAME
-          {{- if not .Values.config.postgresql.secretKeys.usernameKey }}
+              {{- if not .Values.config.postgresql.secretKeys.usernameKey }}
               value: {{ .Values.config.postgresql.username | quote }}
-          {{- else }}
+              {{- else }}
               valueFrom:
                 secretKeyRef:
                   name: {{ .Values.config.postgresql.existingSecret }}
                   key: {{ .Values.config.postgresql.secretKeys.usernameKey }}
-          {{- end }}
+              {{- end }}
             - name: PENPOT_DATABASE_PASSWORD
-          {{- if not .Values.config.postgresql.secretKeys.passwordKey }}
+              {{- if not .Values.config.postgresql.secretKeys.passwordKey }}
               value: {{ .Values.config.postgresql.password | quote }}
-          {{- else }}
+              {{- else }}
               valueFrom:
                 secretKeyRef:
                   name: {{ .Values.config.postgresql.existingSecret }}
                   key: {{ .Values.config.postgresql.secretKeys.passwordKey }}
-          {{- end }}
+              {{- end }}
             # Redis connection settings
             - name: PENPOT_REDIS_URI
-          {{- if .Values.config.redis.host }}
+              {{- if .Values.config.redis.host }}
               value: "redis://{{ .Values.config.redis.host }}:{{ .Values.config.redis.port }}/{{ .Values.config.redis.database }}"
-          {{- else }}
+              {{- else }}
               value: {{ print "redis://" (include "penpot.fullname" .) "-redis-master:" .Values.config.redis.port "/" .Values.config.redis.database }}
-          {{- end }}
+              {{- end }}
             # Assets storage settings
             - name: PENPOT_ASSETS_STORAGE_BACKEND
               value: {{ .Values.config.assets.storageBackend | quote }}
-          {{- if eq .Values.config.assets.storageBackend "assets-fs" }}
+            {{- if eq .Values.config.assets.storageBackend "assets-fs" }}
             - name: PENPOT_STORAGE_ASSETS_FS_DIRECTORY
               value: {{ .Values.config.assets.filesystem.directory | quote }}
-          {{- else if eq .Values.config.assets.storageBackend "assets-s3" }}
+            {{- else if eq .Values.config.assets.storageBackend "assets-s3" }}
             - name: PENPOT_STORAGE_ASSETS_S3_REGION
               value: {{ .Values.config.assets.s3.region | quote }}
             - name: PENPOT_STORAGE_ASSETS_S3_BUCKET
               value: {{ .Values.config.assets.s3.bucket | quote }}
             - name: AWS_ACCESS_KEY_ID
-            {{- if not .Values.config.assets.s3.secretKeys.accessKeyIDKey }}
+              {{- if not .Values.config.assets.s3.secretKeys.accessKeyIDKey }}
               value: {{ .Values.config.assets.s3.accessKeyID | quote }}
-            {{- else }}
+              {{- else }}
               valueFrom:
                 secretKeyRef:
                   name: {{ .Values.config.assets.s3.existingSecret }}
                   key: {{ .Values.config.assets.s3.secretKeys.accessKeyIDKey }}
-            {{- end }}
+              {{- end }}
             - name: AWS_SECRET_ACCESS_KEY
-            {{- if not .Values.config.assets.s3.secretKeys.secretAccessKey }}
+              {{- if not .Values.config.assets.s3.secretKeys.secretAccessKey }}
               value: {{ .Values.config.assets.s3.secretAccessKey | quote }}
-            {{- else }}
+              {{- else }}
               valueFrom:
                 secretKeyRef:
                   name: {{ .Values.config.assets.s3.existingSecret }}
                   key: {{ .Values.config.assets.s3.secretKeys.secretAccessKey }}
-            {{- end }}
+              {{- end }}
             - name: PENPOT_STORAGE_ASSETS_S3_ENDPOINT
-            {{- if not .Values.config.assets.s3.secretKeys.endpointURIKey }}
+              {{- if not .Values.config.assets.s3.secretKeys.endpointURIKey }}
               value: {{ .Values.config.assets.s3.endpointURI | quote }}
-            {{- else }}
+              {{- else }}
               valueFrom:
                 secretKeyRef:
                   name: {{ .Values.config.assets.s3.existingSecret }}
                   key: {{ .Values.config.assets.s3.secretKeys.endpointURIKey }}
+              {{- end }}
             {{- end }}
-          {{- end }}
             # SMTP settings
           {{- if .Values.config.smtp.enabled }}
             {{- if .Values.config.smtp.defaultFrom }}
@@ -383,23 +373,23 @@ spec:
               protocol: TCP
           resources:
             {{- toYaml .Values.backend.resources | nindent 12 }}
-    {{- with .Values.backend.nodeSelector }}
+      {{- with .Values.backend.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}
-    {{- end }}
+      {{- end }}
-    {{- with .Values.backend.affinity }}
+      {{- with .Values.backend.affinity }}
       affinity:
         {{- toYaml . | nindent 8 }}
-    {{- end }}
+      {{- end }}
-    {{- with .Values.backend.tolerations }}
+      {{- with .Values.backend.tolerations }}
       tolerations:
         {{- toYaml . | nindent 8 }}
-    {{- end }}
+      {{- end }}
       volumes:
       - name: app-data
-      {{- if .Values.persistence.assets.enabled }}
+        {{- if .Values.persistence.assets.enabled }}
         persistentVolumeClaim:
           claimName: {{ .Values.persistence.assets.existingClaim | default ( printf "%s-%s" ( include "penpot.fullname" . ) "data-assets" ) }}
-      {{- else }}
+        {{- else }}
         emptyDir: {}
-      {{- end }}
+        {{- end }}

charts/penpot/templates/exporter-deployment.yml

@@ -27,32 +27,32 @@ spec:
         {{- toYaml . | nindent 8 }}
       {{- end }}
     spec:
-    {{- with .Values.global.imagePullSecrets }}
+      serviceAccountName: {{ include "penpot.serviceAccountName" . }}
+      {{- with .Values.global.imagePullSecrets }}
       imagePullSecrets:
         {{- toYaml . | nindent 8 }}
-    {{- end }}
+      {{- end }}
-      serviceAccountName: {{ include "penpot.serviceAccountName" . }}
+      {{- with .Values.exporter.podSecurityContext }}
-    {{- if .Values.exporter.podSecurityContext.enabled }}
       securityContext:
-        {{- omit .Values.exporter.podSecurityContext "enabled" | toYaml | nindent 8 }}
+        {{- toYaml . | nindent 8 }}
-    {{- end }}
+      {{- end }}
       containers:
         - name: {{ .Chart.Name }}-exporter
           image: "{{ .Values.exporter.image.repository }}:{{ .Values.exporter.image.tag }}"
           imagePullPolicy: {{ .Values.exporter.image.imagePullPolicy }}
-        {{- if .Values.exporter.containerSecurityContext.enabled }}
+          {{- with .Values.exporter.containerSecurityContext }}
           securityContext:
-            {{- omit .Values.exporter.containerSecurityContext "enabled" | toYaml | nindent 12 }}
+            {{- toYaml . | nindent 12 }}
-        {{- end }}
+          {{- end }}
           env:
             - name: PENPOT_PUBLIC_URI
               value: {{ print "http://" (include "penpot.fullname" .) ":" .Values.frontend.service.port }}
             - name: PENPOT_REDIS_URI
-          {{- if .Values.config.redis.host }}
+              {{- if .Values.config.redis.host }}
               value: "redis://{{ .Values.config.redis.host }}:{{ .Values.config.redis.port }}/{{ .Values.config.redis.database }}"
-          {{- else }}
+              {{- else }}
               value: {{ print "redis://" (include "penpot.fullname" .) "-redis-master:" .Values.config.redis.port "/" .Values.config.redis.database }}
-          {{- end }}
+              {{- end }}
             - name: PENPOT_TEMPDIR
               value: "/tmp/penpot-exporter"
           volumeMounts:
@@ -65,23 +65,23 @@ spec:
               protocol: TCP
           resources:
             {{- toYaml .Values.exporter.resources | nindent 12 }}
-    {{- with .Values.exporter.nodeSelector }}
+      {{- with .Values.exporter.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}
-    {{- end }}
+      {{- end }}
-    {{- with .Values.exporter.affinity }}
+      {{- with .Values.exporter.affinity }}
       affinity:
         {{- toYaml . | nindent 8 }}
-    {{- end }}
+      {{- end }}
-    {{- with .Values.exporter.tolerations }}
+      {{- with .Values.exporter.tolerations }}
       tolerations:
         {{- toYaml . | nindent 8 }}
-    {{- end }}
+      {{- end }}
       volumes:
       - name: app-data
-      {{- if .Values.persistence.exporter.enabled }}
+        {{- if .Values.persistence.exporter.enabled }}
         persistentVolumeClaim:
           claimName: {{ .Values.persistence.exporter.existingClaim | default ( printf "%s-%s" ( include "penpot.fullname" . ) "data-exporter" ) }}
-      {{- else }}
+        {{- else }}
         emptyDir: {}
-      {{- end }}
+        {{- end }}

charts/penpot/templates/exporter-persistentvolumeclaim.yml

@@ -5,11 +5,11 @@ metadata:
   name: {{ include "penpot.fullname" . }}-data-exporter
   namespace: {{ .Release.Namespace }}
   labels:
-{{- include "penpot.labels" . | nindent 4 }}
+    {{- include "penpot.labels" . | nindent 4 }}
-{{- if .Values.persistence.exporter.annotations }}
+  {{- if .Values.persistence.exporter.annotations }}
   annotations:
-{{ toYaml .Values.persistence.exporter.annotations | indent 4 }}
+    {{ toYaml .Values.persistence.exporter.annotations | indent 4 }}
-{{- end }}
+  {{- end }}
 spec:
   accessModes:
   {{- range .Values.persistence.exporter.accessModes }}
@@ -18,7 +18,7 @@ spec:
   resources:
     requests:
       storage: {{ .Values.persistence.exporter.size | quote }}
-{{- if .Values.persistence.exporter.storageClass }}
+  {{- if .Values.persistence.exporter.storageClass }}
   storageClassName: "{{ .Values.persistence.exporter.storageClass }}"
-{{- end }}
+  {{- end }}
 {{- end -}}

charts/penpot/templates/frontend-deployment.yml

@@ -27,25 +27,23 @@ spec:
         {{- toYaml . | nindent 8 }}
       {{- end }}
     spec:
-    {{- with .Values.global.imagePullSecrets }}
+      serviceAccountName: {{ include "penpot.serviceAccountName" . }}
+      {{- with .Values.global.imagePullSecrets }}
       imagePullSecrets:
         {{- toYaml . | nindent 8 }}
-    {{- end }}
+      {{- end }}
-      serviceAccountName: {{ include "penpot.serviceAccountName" . }}
+      {{- with .Values.frontend.podSecurityContext }}
-      affinity:
+      securityContext:
-        podAffinity:
+        {{- toYaml . | nindent 8 }}
-          requiredDuringSchedulingIgnoredDuringExecution:
+      {{- end }}
-          - labelSelector:
-              matchExpressions:
-              - key: app.kubernetes.io/instance
-                operator: In
-                values:
-                - {{ .Release.Name }}
-            topologyKey: "kubernetes.io/hostname"
       containers:
         - name: {{ .Chart.Name }}-frontend
           image: "{{ .Values.frontend.image.repository }}:{{ .Values.frontend.image.tag }}"
           imagePullPolicy: {{ .Values.frontend.image.pullPolicy }}
+          {{- with .Values.frontend.containerSecurityContext }}
+          securityContext:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
           env:
             - name: PENPOT_FLAGS
               value: "$PENPOT_FLAGS {{ .Values.config.flags }}"
@@ -63,23 +61,23 @@ spec:
               protocol: TCP
           resources:
             {{- toYaml .Values.frontend.resources | nindent 12 }}
-    {{- with .Values.frontend.nodeSelector }}
+      {{- with .Values.frontend.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}
-    {{- end }}
+      {{- end }}
-    {{- with .Values.frontend.affinity }}
+      {{- with .Values.frontend.affinity }}
       affinity:
         {{- toYaml . | nindent 8 }}
-    {{- end }}
+      {{- end }}
-    {{- with .Values.frontend.tolerations }}
+      {{- with .Values.frontend.tolerations }}
       tolerations:
         {{- toYaml . | nindent 8 }}
-    {{- end }}
+      {{- end }}
       volumes:
       - name: app-data
-      {{- if .Values.persistence.assets.enabled }}
+        {{- if .Values.persistence.assets.enabled }}
         persistentVolumeClaim:
           claimName: {{ .Values.persistence.assets.existingClaim | default ( printf "%s-%s" ( include "penpot.fullname" . ) "data-assets" ) }}
-      {{- else }}
+        {{- else }}
         emptyDir: {}
-      {{- end }}
+        {{- end }}

charts/penpot/values.yaml

@@ -339,34 +339,16 @@ backend:
   # -- Configure Pods Security Context. Check [the official doc](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod)
   # @section -- Backend parameters
   podSecurityContext:
-    # -- Enabled Penpot pods' security context
-    # @section -- Backend parameters
-    enabled: true
-    # -- Set Penpot pod's security context fsGroup
-    # @section -- Backend parameters
     fsGroup: 1001
   # -- Configure Container Security Context. Check [the official doc](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod)
   # @section -- Backend parameters
   containerSecurityContext:
-    # -- Enabled Penpot containers' security context
-    # @section -- Backend parameters
-    enabled: true
-    # -- Set Penpot containers' security context runAsUser
-    # @section -- Backend parameters
     runAsUser: 1001
-    # -- Set Penpot containers' security context allowPrivilegeEscalation
-    # @section -- Backend parameters
     allowPrivilegeEscalation: false
-    # -- Set Penpot containers' security context capabilities to be dropped
-    # @section -- Backend parameters
     capabilities:
       drop:
         - all
-    # -- Set Penpot containers' security context readOnlyRootFilesystem
-    # @section -- Backend parameters
     readOnlyRootFilesystem: false
-    # -- Set Penpot container's security context runAsNonRoot
-    # @section -- Backend parameters
     runAsNonRoot: true
   # -- Affinity for Penpot pods assignment. Check [the official doc](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity)
   # @section -- Backend parameters
@@ -417,6 +399,12 @@ frontend:
   # -- An optional map of annotations to be applied to the controller Pods
   # @section -- Frontend parameters
   podAnnotations: {}
+  # -- Configure Pods Security Context. Check [the official doc](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod)
+  # @section -- Frontend parameters
+  podSecurityContext: {}
+  # -- Configure Container Security Context. Check [the official doc](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod)
+  # @section -- Frontend parameters
+  containerSecurityContext: {}
   # -- Affinity for Penpot pods assignment. Check [the official doc](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity)
   # @section -- Frontend parameters
   affinity: {}
@@ -469,34 +457,16 @@ exporter:
   # -- Configure Pods Security Context. Check [the official doc](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod)
   # @section -- Exporter parameters
   podSecurityContext:
-    # -- Enabled Penpot pods' security context
-    # @section -- Exporter parameters
-    enabled: true
-    # -- Set Penpot pod's security context fsGroup
-    # @section -- Exporter parameters
     fsGroup: 1001
   # -- Configure Container Security Context. Check [the official doc](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod)
   # @section -- Exporter parameters
   containerSecurityContext:
-    # -- Enabled Penpot containers' security context
-    # @section -- Exporter parameters
-    enabled: true
-    # -- Set Penpot containers' security context runAsUser
-    # @section -- Exporter parameters
     runAsUser: 1001
-    # -- Set Penpot containers' security context allowPrivilegeEscalation
-    # @section -- Exporter parameters
     allowPrivilegeEscalation: false
-    # -- Set Penpot containers' security context capabilities to be dropped
-    # @section -- Exporter parameters
     capabilities:
       drop:
         - all
-    # -- Set Penpot containers' security context readOnlyRootFilesystem
-    # @section -- Exporter parameters
     readOnlyRootFilesystem: false
-    # -- Set Penpot container's security context runAsNonRoot
-    # @section -- Exporter parameters
     runAsNonRoot: true
   # -- Affinity for Penpot pods assignment. Check [the official doc](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity)
   # @section -- Exporter parameters