apiVersion: apps/v1 kind: Deployment metadata: name: {{ include "penpot.fullname" . }}-backend namespace: {{ .Release.Namespace }} labels: {{- include "penpot.labels" . | nindent 4 }} {{- with .Values.backend.deploymentAnnotations }} annotations: {{- toYaml . | nindent 4 }} {{- end }} spec: selector: matchLabels: {{- include "penpot.backendSelectorLabels" . | nindent 6 }} replicas: {{ .Values.backend.replicaCount }} template: metadata: labels: app: penpot-backend {{- include "penpot.backendSelectorLabels" . | nindent 8 }} {{- with .Values.backend.podLabels }} {{- toYaml . | nindent 8 }} {{- end }} {{- with .Values.backend.podAnnotations }} annotations: {{- toYaml . | nindent 8 }} {{- end }} spec: {{- with .Values.global.imagePullSecrets }} imagePullSecrets: {{- toYaml . | nindent 8 }} {{- end }} serviceAccountName: {{ include "penpot.serviceAccountName" . }} {{- if .Values.backend.podSecurityContext.enabled }} securityContext: {{- omit .Values.backend.podSecurityContext "enabled" | toYaml | nindent 8 }} {{- end }} affinity: podAffinity: requiredDuringSchedulingIgnoredDuringExecution: - labelSelector: matchExpressions: - key: app.kubernetes.io/instance operator: In values: - {{ .Release.Name }} topologyKey: "kubernetes.io/hostname" containers: - name: {{ .Chart.Name }}-backend image: "{{ .Values.backend.image.repository }}:{{ .Values.backend.image.tag }}" imagePullPolicy: {{ .Values.backend.image.pullPolicy }} {{- if .Values.backend.containerSecurityContext.enabled }} securityContext: {{- omit .Values.backend.containerSecurityContext "enabled" | toYaml | nindent 12 }} {{- end }} env: # General settings - name: PENPOT_PUBLIC_URI value: {{ .Values.config.publicUri | quote }} - name: PENPOT_FLAGS value: "$PENPOT_FLAGS {{ .Values.config.flags }}" - name: PENPOT_SECRET_KEY value: {{ .Values.config.apiSecretKey | quote }} {{- if .Values.config.registrationDomainWhitelist }} - name: PENPOT_REGISTRATION_DOMAIN_WHITELIST value: {{ .Values.config.registrationDomainWhitelist | quote }} {{- end }} - name: PENPOT_TELEMETRY_ENABLED value: {{ .Values.config.telemetryEnabled | quote }} # PosgreSQL connection settings - name: PENPOT_DATABASE_URI {{- if .Values.config.postgresql.host }} value: "postgresql://{{ .Values.config.postgresql.host }}:{{ .Values.config.postgresql.port }}/{{ .Values.config.postgresql.database }}" {{- else }} value: {{ print "postgresql://" (include "penpot.fullname" .) "-postgresql:" .Values.config.postgresql.port "/" .Values.config.postgresql.database }} {{- end }} - name: PENPOT_DATABASE_USERNAME {{- if not .Values.config.postgresql.secretKeys.usernameKey }} value: {{ .Values.config.postgresql.username | quote }} {{- else }} valueFrom: secretKeyRef: name: {{ .Values.config.postgresql.existingSecret }} key: {{ .Values.config.postgresql.secretKeys.usernameKey }} {{- end }} - name: PENPOT_DATABASE_PASSWORD {{- if not .Values.config.postgresql.secretKeys.passwordKey }} value: {{ .Values.config.postgresql.password | quote }} {{- else }} valueFrom: secretKeyRef: name: {{ .Values.config.postgresql.existingSecret }} key: {{ .Values.config.postgresql.secretKeys.passwordKey }} {{- end }} # Redis connection settings - name: PENPOT_REDIS_URI {{- if .Values.config.redis.host }} value: "redis://{{ .Values.config.redis.host }}:{{ .Values.config.redis.port }}/{{ .Values.config.redis.database }}" {{- else }} value: {{ print "redis://" (include "penpot.fullname" .) "-redis-master:" .Values.config.redis.port "/" .Values.config.redis.database }} {{- end }} # Assets storage settings - name: PENPOT_ASSETS_STORAGE_BACKEND value: {{ .Values.config.assets.storageBackend | quote }} {{- if eq .Values.config.assets.storageBackend "assets-fs" }} - name: PENPOT_STORAGE_ASSETS_FS_DIRECTORY value: {{ .Values.config.assets.filesystem.directory | quote }} {{- else if eq .Values.config.assets.storageBackend "assets-s3" }} - name: PENPOT_STORAGE_ASSETS_S3_REGION value: {{ .Values.config.assets.s3.region | quote }} - name: PENPOT_STORAGE_ASSETS_S3_BUCKET value: {{ .Values.config.assets.s3.bucket | quote }} - name: AWS_ACCESS_KEY_ID {{- if not .Values.config.assets.s3.secretKeys.accessKeyIDKey }} value: {{ .Values.config.assets.s3.accessKeyID | quote }} {{- else }} valueFrom: secretKeyRef: name: {{ .Values.config.assets.s3.existingSecret }} key: {{ .Values.config.assets.s3.secretKeys.accessKeyIDKey }} {{- end }} - name: AWS_SECRET_ACCESS_KEY {{- if not .Values.config.assets.s3.secretKeys.secretAccessKey }} value: {{ .Values.config.assets.s3.secretAccessKey | quote }} {{- else }} valueFrom: secretKeyRef: name: {{ .Values.config.assets.s3.existingSecret }} key: {{ .Values.config.assets.s3.secretKeys.secretAccessKey }} {{- end }} - name: PENPOT_STORAGE_ASSETS_S3_ENDPOINT {{- if not .Values.config.assets.s3.secretKeys.endpointURIKey }} value: {{ .Values.config.assets.s3.endpointURI | quote }} {{- else }} valueFrom: secretKeyRef: name: {{ .Values.config.assets.s3.existingSecret }} key: {{ .Values.config.assets.s3.secretKeys.endpointURIKey }} {{- end }} {{- end }} # SMTP settings {{- if .Values.config.smtp.enabled }} {{- if .Values.config.smtp.defaultFrom }} - name: PENPOT_SMTP_DEFAULT_FROM value: {{ .Values.config.smtp.defaultFrom | quote }} {{- end }} {{- if .Values.config.smtp.defaultReplyTo }} - name: PENPOT_SMTP_DEFAULT_REPLY_TO value: {{ .Values.config.smtp.defaultReplyTo | quote }} {{- end }} {{- if .Values.config.smtp.host }} - name: PENPOT_SMTP_HOST value: {{ .Values.config.smtp.host | quote }} {{- end }} {{- if .Values.config.smtp.port }} - name: PENPOT_SMTP_PORT value: {{ .Values.config.smtp.port | quote }} {{- end }} {{- if not .Values.config.smtp.secretKeys.usernameKey }} - name: PENPOT_SMTP_USERNAME value: {{ .Values.config.smtp.username | quote }} {{- else }} - name: PENPOT_SMTP_USERNAME valueFrom: secretKeyRef: name: {{ .Values.config.smtp.existingSecret }} key: {{ .Values.config.smtp.secretKeys.usernameKey }} {{- end }} {{- if not .Values.config.smtp.secretKeys.passwordKey }} - name: PENPOT_SMTP_PASSWORD value: {{ .Values.config.smtp.password | quote }} {{- else }} - name: PENPOT_SMTP_PASSWORD valueFrom: secretKeyRef: name: {{ .Values.config.smtp.existingSecret }} key: {{ .Values.config.smtp.secretKeys.passwordKey }} {{- end }} {{- if .Values.config.smtp.tls }} - name: PENPOT_SMTP_TLS value: {{ .Values.config.smtp.tls | quote }} {{- end }} {{- if .Values.config.smtp.ssl }} - name: PENPOT_SMTP_SSL value: {{ .Values.config.smtp.ssl | quote }} {{- end }} {{- end }} # Google Auth provider settings {{- if .Values.config.providers.google.enabled }} {{- if not .Values.config.providers.secretKeys.googleClientIDKey }} - name: PENPOT_GOOGLE_CLIENT_ID value: {{ .Values.config.providers.google.clientID | quote }} {{- else }} - name: PENPOT_GOOGLE_CLIENT_ID valueFrom: secretKeyRef: name: {{ .Values.config.providers.existingSecret }} key: {{ .Values.config.providers.secretKeys.googleClientIDKey }} {{- end }} {{- if not .Values.config.providers.secretKeys.googleClientSecretKey}} - name: PENPOT_GOOGLE_CLIENT_SECRET value: {{ .Values.config.providers.google.clientSecret | quote }} {{- else }} - name: PENPOT_GOOGLE_CLIENT_SECRET valueFrom: secretKeyRef: name: {{ .Values.config.providers.existingSecret }} key: {{ .Values.config.providers.secretKeys.googleClientSecretKey }} {{- end }} {{- end }} # Github Auth provider settings {{- if .Values.config.providers.github.enabled }} {{- if not .Values.config.providers.secretKeys.githubClientIDKey }} - name: PENPOT_GITHUB_CLIENT_ID value: {{ .Values.config.providers.github.clientID | quote }} {{- else }} - name: PENPOT_GITHUB_CLIENT_ID valueFrom: secretKeyRef: name: {{ .Values.config.providers.existingSecret }} key: {{ .Values.config.providers.secretKeys.githubClientIDKey }} {{- end }} {{- if not .Values.config.providers.secretKeys.githubClientSecretKey }} - name: PENPOT_GITHUB_CLIENT_SECRET value: {{ .Values.config.providers.github.clientSecret | quote }} {{- else }} - name: PENPOT_GITHUB_CLIENT_SECRET valueFrom: secretKeyRef: name: {{ .Values.config.providers.existingSecret }} key: {{ .Values.config.providers.secretKeys.githubClientSecretKey }} {{- end }} {{- end }} # Gitlab Auth provider settings {{- if .Values.config.providers.gitlab.enabled }} {{- if .Values.config.providers.gitlab.baseURI }} - name: PENPOT_GITLAB_BASE_URI value: {{ .Values.config.providers.gitlab.baseURI | quote }} {{- end }} {{- if not .Values.config.providers.secretKeys.gitlabClientIDKey }} - name: PENPOT_GITLAB_CLIENT_ID value: {{ .Values.config.providers.gitlab.clientID | quote }} {{- else }} - name: PENPOT_GITLAB_CLIENT_ID valueFrom: secretKeyRef: name: {{ .Values.config.providers.existingSecret }} key: {{ .Values.config.providers.secretKeys.gitlabClientIDKey }} {{- end }} {{- if not .Values.config.providers.secretKeys.gitlabClientSecretKey }} - name: PENPOT_GITLAB_CLIENT_SECRET value: {{ .Values.config.providers.gitlab.clientSecret | quote }} {{- else }} - name: PENPOT_GITLAB_CLIENT_SECRET valueFrom: secretKeyRef: name: {{ .Values.config.providers.existingSecret }} key: {{ .Values.config.providers.secretKeys.gitlabClientSecretKey }} {{- end }} {{- end }} # OIDC provider settings {{- if .Values.config.providers.oidc.enabled }} {{- if .Values.config.providers.oidc.baseURI }} - name: PENPOT_OIDC_BASE_URI value: {{ .Values.config.providers.oidc.baseURI | quote }} {{- end }} {{- if not .Values.config.providers.secretKeys.oidcClientIDKey }} - name: PENPOT_OIDC_CLIENT_ID value: {{ .Values.config.providers.oidc.clientID | quote}} {{- else }} - name: PENPOT_OIDC_CLIENT_ID valueFrom: secretKeyRef: name: {{ .Values.config.providers.existingSecret }} key: {{ .Values.config.providers.secretKeys.oidcClientIDKey }} {{- end }} {{- if not .Values.config.providers.secretKeys.oidcClientSecretKey}} - name: PENPOT_OIDC_CLIENT_SECRET value: {{ .Values.config.providers.oidc.clientSecret | quote }} {{- else }} - name: PENPOT_OIDC_CLIENT_SECRET valueFrom: secretKeyRef: name: {{ .Values.config.providers.existingSecret }} key: {{ .Values.config.providers.secretKeys.oidcClientSecretKey }} {{- end }} {{- if .Values.config.providers.oidc.authURI }} - name: PENPOT_OIDC_AUTH_URI value: {{ .Values.config.providers.oidc.authURI | quote }} {{- end }} {{- if .Values.config.providers.oidc.tokenURI }} - name: PENPOT_OIDC_TOKEN_URI value: {{ .Values.config.providers.oidc.tokenURI | quote }} {{- end }} {{- if .Values.config.providers.oidc.userURI }} - name: PENPOT_OIDC_USER_URI value: {{ .Values.config.providers.oidc.userURI | quote }} {{- end }} {{- if .Values.config.providers.oidc.roles }} - name: PENPOT_OIDC_ROLES value: {{ .Values.config.providers.oidc.roles | quote }} {{- end }} {{- if .Values.config.providers.oidc.rolesAttribute }} - name: PENPOT_OIDC_ROLES_ATTR value: {{ .Values.config.providers.oidc.rolesAttribute | quote }} {{- end }} {{- if .Values.config.providers.oidc.scopes }} - name: PENPOT_OIDC_SCOPES value: {{ .Values.config.providers.oidc.scopes | quote }} {{- end }} {{- if .Values.config.providers.oidc.nameAttribute }} - name: PENPOT_OIDC_NAME_ATTR value: {{ .Values.config.providers.oidc.nameAttribute | quote }} {{- end }} {{- if .Values.config.providers.oidc.emailAttribute }} - name: PENPOT_OIDC_EMAIL_ATTR value: {{ .Values.config.providers.oidc.emailAttribute | quote }} {{- end }} {{- if .Values.config.providers.oidc.userInfoSource }} - name: PENPOT_OIDC_USER_INFO_SOURCE value: {{ .Values.config.providers.oidc.userInfoSource | quote }} {{- end }} {{- end }} # LDAP provider settings {{- if .Values.config.providers.ldap.enabled }} {{- if .Values.config.providers.ldap.host }} - name: PENPOT_LDAP_HOST value: {{ .Values.config.providers.ldap.host | quote }} {{- end }} {{- if .Values.config.providers.ldap.port }} - name: PENPOT_LDAP_PORT value: {{ .Values.config.providers.ldap.port | quote }} {{- end }} {{- if .Values.config.providers.ldap.ssl }} - name: PENPOT_LDAP_SSL value: {{ .Values.config.providers.ldap.ssl | quote }} {{- end }} {{- if .Values.config.providers.ldap.startTLS }} - name: PENPOT_LDAP_STARTTLS value: {{ .Values.config.providers.ldap.startTLS | quote }} {{- end }} {{- if .Values.config.providers.ldap.baseDN }} - name: PENPOT_LDAP_BASE_DN value: {{ .Values.config.providers.ldap.baseDN | quote }} {{- end }} {{- if .Values.config.providers.ldap.bindDN }} - name: PENPOT_LDAP_BIND_DN value: {{ .Values.config.providers.ldap.bindDN | quote }} {{- end }} {{- if .Values.config.providers.ldap.bindPassword }} - name: PENPOT_LDAP_BIND_PASSWORD value: {{ .Values.config.providers.ldap.bindPassword | quote }} {{- end }} {{- if .Values.config.providers.ldap.userQuery }} - name: PENPOT_LDAP_USER_QUERY value: {{ .Values.config.providers.ldap.userQuery | quote }} {{- end }} {{- if .Values.config.providers.ldap.attributesUsername }} - name: PENPOT_LDAP_ATTRS_USERNAME value: {{ .Values.config.providers.ldap.attributesUsername | quote }} {{- end }} {{- if .Values.config.providers.ldap.attributesEmail }} - name: PENPOT_LDAP_ATTRS_EMAIL value: {{ .Values.config.providers.ldap.attributesEmail | quote }} {{- end }} {{- if .Values.config.providers.ldap.attributesFullname }} - name: PENPOT_LDAP_ATTRS_FULLNAME value: {{ .Values.config.providers.ldap.attributesFullname | quote }} {{- end }} {{- if .Values.config.providers.ldap.attributesPhoto }} - name: PENPOT_LDAP_ATTRS_PHOTO value: {{ .Values.config.providers.ldap.attributesPhoto | quote }} {{- end }} {{- end }} volumeMounts: - mountPath: /opt/data/assets name: app-data readOnly: false ports: - name: http containerPort: {{ .Values.backend.service.port }} protocol: TCP resources: {{- toYaml .Values.backend.resources | nindent 12 }} {{- with .Values.backend.nodeSelector }} nodeSelector: {{- toYaml . | nindent 8 }} {{- end }} {{- with .Values.backend.affinity }} affinity: {{- toYaml . | nindent 8 }} {{- end }} {{- with .Values.backend.tolerations }} tolerations: {{- toYaml . | nindent 8 }} {{- end }} volumes: - name: app-data {{- if .Values.persistence.assets.enabled }} persistentVolumeClaim: claimName: {{ .Values.persistence.assets.existingClaim | default ( printf "%s-%s" ( include "penpot.fullname" . ) "data-assets" ) }} {{- else }} emptyDir: {} {{- end }}