feat: use new penpot-frontend image based on nginx-unprivileged

2024-12-22 13:43:01 -05:00 · 2024-10-09 17:55:25 +02:00 · 2024-10-09 17:55:25 +02:00 · 67c1191074
commit 67c1191074
parent 125b7fc255
7 changed files with 26 additions and 14 deletions
--- a/charts/penpot/README.md
+++ b/charts/penpot/README.md
@ -175,11 +175,11 @@ helm install my-release -f values.yaml penpot/penpot
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
 | frontend.affinity | object | `{}` | Affinity for Penpot pods assignment. Check [the official doc](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity) |
-| frontend.containerSecurityContext | object | `{}` | Configure Container Security Context. Check [the official doc](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) |
+| frontend.containerSecurityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["all"]},"readOnlyRootFilesystem":false,"runAsNonRoot":true,"runAsUser":1001}` | Configure Container Security Context. Check [the official doc](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) |
 | frontend.deploymentAnnotations | object | `{}` | An optional map of annotations to be applied to the controller Deployment |
 | frontend.image.pullPolicy | string | `"IfNotPresent"` | The image pull policy to use. |
-| frontend.image.repository | string | `"penpotapp/frontend"` | The Docker repository to pull the image from. |
-| frontend.image.tag | string | `"2.1.4"` | The image tag to use. |
+| frontend.image.repository | string | `"bameda00/test-p"` | The Docker repository to pull the image from. |
+| frontend.image.tag | string | `"latest"` | The image tag to use. |
 | frontend.nodeSelector | object | `{}` | Node labels for Penpot pods assignment. Check [the official doc](https://kubernetes.io/docs/user-guide/node-selection/) |
 | frontend.pdb | object | `{"enabled":false,"maxUnavailable":null,"minAvailable":null}` | Configure Pod Disruption Budget for the frontend pods. Check [the official doc](https://kubernetes.io/docs/tasks/run-application/configure-pdb/) |
 | frontend.pdb.enabled | bool | `false` | Enable Pod Disruption Budget for the frontend pods. |
@ -187,12 +187,12 @@ helm install my-release -f values.yaml penpot/penpot
 | frontend.pdb.minAvailable | int,string | `nil` | The number or percentage of pods from that set that must still be available after the eviction (e.g.: 3, "10%"). |
 | frontend.podAnnotations | object | `{}` | An optional map of annotations to be applied to the controller Pods |
 | frontend.podLabels | object | `{}` | An optional map of labels to be applied to the controller Pods |
-| frontend.podSecurityContext | object | `{}` | Configure Pods Security Context. Check [the official doc](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) |
+| frontend.podSecurityContext | object | `{"fsGroup":1001}` | Configure Pods Security Context. Check [the official doc](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) |
 | frontend.replicaCount | int | `1` | The number of replicas to deploy. |
 | frontend.resources | object | `{"limits":{},"requests":{}}` | Penpot frontend resource requests and limits. Check [the official doc](https://kubernetes.io/docs/user-guide/compute-resources/) |
 | frontend.resources.limits | object | `{}` | The resources limits for the Penpot frontend containers |
 | frontend.resources.requests | object | `{}` | The requested resources for the Penpot frontend containers |
-| frontend.service.port | int | `80` | The service port to use. |
+| frontend.service.port | int | `8080` | The service port to use. |
 | frontend.service.type | string | `"ClusterIP"` | The service type to create. |
 | frontend.tolerations | list | `[]` | Tolerations for Penpot pods assignment. Check [the official doc](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/) |

--- a/charts/penpot/templates/backend-service.yml
+++ b/charts/penpot/templates/backend-service.yml
@ -6,11 +6,11 @@ metadata:
  labels:
    {{- include "penpot.labels" . | nindent 4 }}
 spec:
-  selector:
-    {{- include "penpot.backendSelectorLabels" . | nindent 4 }}
  type: {{ .Values.backend.service.type }}
  ports:
    - port: {{ .Values.backend.service.port }}
      targetPort: {{ .Values.backend.service.port }}
      protocol: TCP
      name: http
+  selector:
+    {{- include "penpot.backendSelectorLabels" . | nindent 4 }}
--- a/charts/penpot/templates/frontend-service.yml
+++ b/charts/penpot/templates/frontend-service.yml
@ -9,7 +9,7 @@ spec:
  type: {{ .Values.frontend.service.type }}
  ports:
    - port: {{ .Values.frontend.service.port }}
-      targetPort: http
+      targetPort: {{ .Values.frontend.service.port }}
      protocol: TCP
      name: http
  selector:
--- a/charts/penpot/values.yaml
+++ b/charts/penpot/values.yaml
@ -384,10 +384,10 @@ frontend:
  image:
    # -- The Docker repository to pull the image from.
    # @section -- Frontend parameters
-    repository: penpotapp/frontend
+    repository: bameda00/test-p
    # -- The image tag to use.
    # @section -- Frontend parameters
-    tag: 2.1.4
+    tag: latest
    # -- The image pull policy to use.
    # @section -- Frontend parameters
    pullPolicy: IfNotPresent
@ -400,7 +400,7 @@ frontend:
    type: ClusterIP
    # -- The service port to use.
    # @section -- Frontend parameters
-    port: 80
+    port: 8080
  # -- An optional map of annotations to be applied to the controller Deployment
  # @section -- Frontend parameters
  deploymentAnnotations: {}
@ -412,10 +412,18 @@ frontend:
  podAnnotations: {}
  # -- Configure Pods Security Context. Check [the official doc](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod)
  # @section -- Frontend parameters
-  podSecurityContext: {}
+  podSecurityContext:
+    fsGroup: 1001
  # -- Configure Container Security Context. Check [the official doc](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod)
  # @section -- Frontend parameters
-  containerSecurityContext: {}
+  containerSecurityContext:
+    runAsUser: 1001
+    allowPrivilegeEscalation: false
+    capabilities:
+      drop:
+        - all
+    readOnlyRootFilesystem: false
+    runAsNonRoot: true
  # -- Affinity for Penpot pods assignment. Check [the official doc](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity)
  # @section -- Frontend parameters
  affinity: {}
--- a/devel/README.md
+++ b/devel/README.md
@ -41,5 +41,5 @@ pre-commit install --install-hooks -f
 > [!TIP]
 > if you disable ingress, you can exposing the app in the port 8888 with:
 > ```shell
-> kubectl port-forward service/penpot 8888:80
+> kubectl port-forward service/penpot 8888:8080
 > ```
--- a/devel/kind.config.yml
+++ b/devel/kind.config.yml
@ -10,6 +10,9 @@ nodes:
      kubeletExtraArgs:
        node-labels: "ingress-ready=true"
  extraPortMappings:
+  - containerPort: 8080
+    hostPort: 8080
+    protocol: TCP
  - containerPort: 80
    hostPort: 80
    protocol: TCP
--- a/devel/penpot.values.yaml
+++ b/devel/penpot.values.yaml
@ -1,3 +1,4 @@
+---
 ## Default values for Penpot (local setup for development purpose)
 global:
  postgresqlEnabled: true