# yaml-language-server: $schema=values.schema.json ## Default values for Penpot global: # -- Whether to deploy the Bitnami PostgreSQL chart as subchart. Check [the official chart](https://artifacthub.io/packages/helm/bitnami/postgresql) for configuration. # @section -- Global parameters postgresqlEnabled: false # -- Whether to deploy the Bitnami Redis chart as subchart. Check [the official chart](https://artifacthub.io/packages/helm/bitnami/redis) for configuration. # @section -- Global parameters redisEnabled: false # -- Global Docker registry secret names. # E.g. # imagePullSecrets: # - myRegistryKeySecretName # @section -- Global parameters imagePullSecrets: [] # -- To partially override common.names.fullname # @section -- Common parameters nameOverride: "" # -- To fully override common.names.fullname # @section -- Common parameters fullnameOverride: "" serviceAccount: # -- Specifies whether a ServiceAccount should be created. # @section -- Common parameters enabled: true # -- Annotations for service account. Evaluated as a template. # @section -- Common parameters annotations: {} # -- The name of the ServiceAccount to use. If not set and enabled is true, a name is generated using the fullname template. # @section -- Common parameters name: "penpot" config: # -- The public domain to serve Penpot on. # **IMPORTANT:** Set `disable-secure-session-cookies` in the flags if you plan on serving it on a non HTTPS domain. # @section -- Configuration parameters publicUri: "http://penpot.example.com" # -- The feature flags to enable. Check [the official docs](https://help.penpot.app/technical-guide/configuration/) for more info. # @section -- Configuration parameters flags: "enable-registration enable-login-with-password disable-email-verification enable-smtp enable-feature-plugins" # -- A random secret key needed for persistent user sessions. Generate with `python3 -c "import secrets; print(secrets.token_urlsafe(64))"` for example. # @section -- Configuration parameters apiSecretKey: "kmZ96pAxhTgk3HZvvBkPeVTspGBneKVLEpO_3ecORs_gwACENZ77z05zCe7skvPsQ3jI3QgkULQOWCuLjmjQsg" # -- Comma separated list of allowed domains to register. Empty to allow all domains. # @section -- Configuration parameters registrationDomainWhitelist: "" # -- Whether to enable sending of anonymous telemetry data. # @section -- Configuration parameters telemetryEnabled: true postgresql: # -- The PostgreSQL host to connect to. Empty to use dependencies. # @section -- Configuration parameters host: "" # Ex.: "postgresql.penpot.svc.cluster.local" # -- The PostgreSQL host port to use. # @section -- Configuration parameters port: 5432 # -- The database username to use. # @section -- Configuration parameters username: "penpot" # -- The database password to use. # @section -- Configuration parameters password: "penpot" # -- The PostgreSQL database to use. # @section -- Configuration parameters database: "penpot" # -- The name of an existing secret. # @section -- Configuration parameters existingSecret: "" secretKeys: # -- The username key to use from an existing secret. # @section -- Configuration parameters usernameKey: "" # -- The password key to use from an existing secret. # @section -- Configuration parameters passwordKey: "" redis: # -- The Redis host to connect to. Empty to use dependencies # @section -- Configuration parameters host: "" # Ex.: "redis-headless.penpot.svc.cluster.local" # -- The Redis host port to use. # @section -- Configuration parameters port: 6379 # -- The Redis database to connect to. # @section -- Configuration parameters database: "0" assets: # -- The storage backend for assets to use. Use `assets-fs` for filesystem, and `assets-s3` for S3. # @section -- Configuration parameters storageBackend: "assets-fs" filesystem: # -- The storage directory to use if you chose the filesystem storage backend. # @section -- Configuration parameters directory: "/opt/data/assets" s3: # -- The S3 access key ID to use if you chose the S3 storage backend. # @section -- Configuration parameters accessKeyID: "" # -- The S3 secret access key to use if you chose the S3 storage backend. # @section -- Configuration parameters secretAccessKey: "" # -- The S3 region to use if you chose the S3 storage backend. # @section -- Configuration parameters region: "" # -- The name of the S3 bucket to use if you chose the S3 storage backend. # @section -- Configuration parameters bucket: "" # -- The S3 endpoint URI to use if you chose the S3 storage backend. # @section -- Configuration parameters endpointURI: "" # -- The name of an existing secret. # @section -- Configuration parameters existingSecret: "" secretKeys: # -- The S3 access key ID to use from an existing secret. # @section -- Configuration parameters accessKeyIDKey: "" # -- The S3 secret access key to use from an existing secret. # @section -- Configuration parameters secretAccessKey: "" # -- The S3 endpoint URI to use from an existing secret. # @section -- Configuration parameters endpointURIKey: "" smtp: # -- Whether to enable SMTP configuration. You also need to add the 'enable-smtp' flag to the PENPOT_FLAGS variable. # @section -- Configuration parameters enabled: false # -- The SMTP default email to send from. # @section -- Configuration parameters defaultFrom: "" # -- The SMTP default email to reply to. # @section -- Configuration parameters defaultReplyTo: "" # -- The SMTP host to use. # @section -- Configuration parameters host: "" # -- The SMTP host port to use. # @section -- Configuration parameters port: "" # -- The SMTP username to use. # @section -- Configuration parameters username: "" # -- The SMTP password to use. # @section -- Configuration parameters password: "" # -- Whether to use TLS for the SMTP connection. # @section -- Configuration parameters tls: true # -- Whether to use SSL for the SMTP connection. # @section -- Configuration parameters ssl: false # -- The name of an existing secret. # @section -- Configuration parameters existingSecret: "" secretKeys: # -- The SMTP username to use from an existing secret. # @section -- Configuration parameters usernameKey: "" # -- The SMTP password to use from an existing secret. # @section -- Configuration parameters passwordKey: "" providers: google: # -- Whether to enable Google configuration. To enable Google auth, add `enable-login-with-google` to the flags. # @section -- Configuration parameters enabled: false # -- The Google client ID to use. To enable Google auth, add `enable-login-with-google` to the flags. # @section -- Configuration parameters clientID: "" # -- The Google client secret to use. To enable Google auth, add `enable-login-with-google` to the flags. # @section -- Configuration parameters clientSecret: "" github: # -- Whether to enable GitHub configuration. To enable GitHub auth, also add `enable-login-with-github` to the flags. # @section -- Configuration parameters enabled: false # -- The GitHub client ID to use. # @section -- Configuration parameters clientID: "" # -- The GitHub client secret to use. # @section -- Configuration parameters clientSecret: "" gitlab: # -- Whether to enable GitLab configuration. To enable GitLab auth, also add `enable-login-with-gitlab` to the flags. # @section -- Configuration parameters enabled: false # -- The GitLab base URI to use. # @section -- Configuration parameters baseURI: "https://gitlab.com" # -- The GitLab client ID to use. # @section -- Configuration parameters clientID: "" # -- The GitLab client secret to use. # @section -- Configuration parameters clientSecret: "" oidc: # -- Whether to enable OIDC configuration. To enable OpenID Connect auth, also add `enable-login-with-oidc` to the flags. # @section -- Configuration parameters enabled: false # -- The OpenID Connect base URI to use. # @section -- Configuration parameters baseURI: "" # -- The OpenID Connect client ID to use. # @section -- Configuration parameters clientID: "" # -- The OpenID Connect client secret to use. # @section -- Configuration parameters clientSecret: "" # -- Optional OpenID Connect auth URI to use. Auto discovered if not provided. # @section -- Configuration parameters authURI: "" # -- Optional OpenID Connect token URI to use. Auto discovered if not provided. # @section -- Configuration parameters tokenURI: "" # -- Optional OpenID Connect user URI to use. Auto discovered if not provided. # @section -- Configuration parameters userURI: "" # -- Optional OpenID Connect roles to use. If no role is provided, roles checking disabled. # @section -- Configuration parameters roles: "role1 role2" # -- Optional OpenID Connect roles attribute to use. If not provided, the roles checking will be disabled. # @section -- Configuration parameters rolesAttribute: "" # -- Optional OpenID Connect scopes to use. This settings allow overwrite the required scopes, use with caution because penpot requres at least `name` and `email` attrs found on the user info. Optional, defaults to `openid profile`. # @section -- Configuration parameters scopes: "scope1 scope2" # -- Optional OpenID Connect name attribute to use. If not provided, the `name` prop will be used. # @section -- Configuration parameters nameAttribute: "" # -- Optional OpenID Connect email attribute to use. If not provided, the `email` prop will be used. # @section -- Configuration parameters emailAttribute: "" ldap: # -- Whether to enable LDAP configuration. To enable LDAP, also add `enable-login-with-ldap` to the flags. # @section -- Configuration parameters enabled: false # -- The LDAP host to use. # @section -- Configuration parameters host: "ldap" # -- The LDAP port to use. # @section -- Configuration parameters port: 10389 # -- Whether to use SSL for the LDAP connection. # @section -- Configuration parameters ssl: false # -- Whether to utilize StartTLS for the LDAP connection. # @section -- Configuration parameters startTLS: false # -- The LDAP base DN to use. # @section -- Configuration parameters baseDN: "ou=people,dc=planetexpress,dc=com" # -- The LDAP bind DN to use. # @section -- Configuration parameters bindDN: "cn=admin,dc=planetexpress,dc=com" # -- The LDAP bind password to use. # @section -- Configuration parameters bindPassword: "GoodNewsEveryone" # -- The LDAP user query to use. # @section -- Configuration parameters userQuery: "(&(|(uid=:username)(mail=:username))(memberOf=cn=penpot,ou=groups,dc=my-domain,dc=com))" # -- The LDAP attributes username to use. # @section -- Configuration parameters attributesUsername: "uid" # -- The LDAP attributes email to use. # @section -- Configuration parameters attributesEmail: "mail" # -- The LDAP attributes fullname to use. # @section -- Configuration parameters attributesFullname: "cn" # -- The LDAP attributes photo format to use. # @section -- Configuration parameters attributesPhoto: "jpegPhoto" # -- The name of an existing secret to use. # @section -- Configuration parameters existingSecret: "" secretKeys: # -- The Google client ID key to use from an existing secret. # @section -- Configuration parameters googleClientIDKey: "" # -- The Google client secret key to use from an existing secret. # @section -- Configuration parameters googleClientSecretKey: "" # -- The GitHub client ID key to use from an existing secret. # @section -- Configuration parameters githubClientIDKey: "" # -- The GitHub client secret key to use from an existing secret. # @section -- Configuration parameters githubClientSecretKey: "" # -- The GitLab client ID key to use from an existing secret. # @section -- Configuration parameters gitlabClientIDKey: "" # -- The GitLab client secret key to use from an existing secret. # @section -- Configuration parameters gitlabClientSecretKey: "" # -- The OpenID Connect client ID key to use from an existing secret. # @section -- Configuration parameters oidcClientIDKey: "" # -- The OpenID Connect client secret key to use from an existing secret. # @section -- Configuration parameters oidcClientSecretKey: "" backend: image: # -- The Docker repository to pull the image from. # @section -- Backend parameters repository: penpotapp/backend # -- The image tag to use. # @section -- Backend parameters tag: 2.3.2 # -- The image pull policy to use. # @section -- Backend parameters pullPolicy: IfNotPresent # -- The number of replicas to deploy. # @section -- Backend parameters replicaCount: 1 service: # -- The http service type to create. # @section -- Backend parameters type: ClusterIP # -- The http service port to use. # @section -- Backend parameters port: 6060 # -- An optional map of annotations to be applied to the controller Deployment # @section -- Backend parameters deploymentAnnotations: {} # -- An optional map of labels to be applied to the controller Pods # @section -- Backend parameters podLabels: {} # -- An optional map of annotations to be applied to the controller Pods # @section -- Backend parameters podAnnotations: {} # -- Configure Pods Security Context. Check [the official doc](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) # @section -- Backend parameters podSecurityContext: fsGroup: 1001 # -- Configure Container Security Context. Check [the official doc](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) # @section -- Backend parameters containerSecurityContext: runAsUser: 1001 allowPrivilegeEscalation: false capabilities: drop: - all readOnlyRootFilesystem: false runAsNonRoot: true # -- Affinity for Penpot pods assignment. Check [the official doc](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity) # @section -- Backend parameters affinity: {} # -- Node labels for Penpot pods assignment. Check [the official doc](https://kubernetes.io/docs/user-guide/node-selection/) # @section -- Backend parameters nodeSelector: {} # -- Tolerations for Penpot pods assignment. Check [the official doc](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/) # @section -- Backend parameters tolerations: [] # -- Penpot backend resource requests and limits. Check [the official doc](https://kubernetes.io/docs/user-guide/compute-resources/) # @section -- Backend parameters resources: # -- The resources limits for the Penpot backend containers # @section -- Backend parameters limits: {} # -- The requested resources for the Penpot backend containers # @section -- Backend parameters requests: {} # -- Configure Pod Disruption Budget for the backend pods. Check [the official doc](https://kubernetes.io/docs/tasks/run-application/configure-pdb/) # @section -- Backend parameters pdb: # -- Enable Pod Disruption Budget for the backend pods. # @section -- Backend parameters enabled: false # -- (int,string) The number or percentage of pods from that set that must still be available after the eviction (e.g.: 3, "10%"). # @section -- Backend parameters minAvailable: # -- (int,string) The number or percentage of pods from that set that can be unavailable after the eviction (e.g.: 3, "10%"). # @section -- Backend parameters maxUnavailable: frontend: image: # -- The Docker repository to pull the image from. # @section -- Frontend parameters repository: penpotapp/frontend # -- The image tag to use. # @section -- Frontend parameters tag: 2.3.2 # -- The image pull policy to use. # @section -- Frontend parameters pullPolicy: IfNotPresent # -- The number of replicas to deploy. # @section -- Frontend parameters replicaCount: 1 service: # -- The service type to create. # @section -- Frontend parameters type: ClusterIP # -- The service port to use. # @section -- Frontend parameters port: 80 # -- An optional map of annotations to be applied to the controller Deployment # @section -- Frontend parameters deploymentAnnotations: {} # -- An optional map of labels to be applied to the controller Pods # @section -- Frontend parameters podLabels: {} # -- An optional map of annotations to be applied to the controller Pods # @section -- Frontend parameters podAnnotations: {} # -- Configure Pods Security Context. Check [the official doc](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) # @section -- Frontend parameters podSecurityContext: {} # -- Configure Container Security Context. Check [the official doc](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) # @section -- Frontend parameters containerSecurityContext: {} # -- Affinity for Penpot pods assignment. Check [the official doc](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity) # @section -- Frontend parameters affinity: {} # -- Node labels for Penpot pods assignment. Check [the official doc](https://kubernetes.io/docs/user-guide/node-selection/) # @section -- Frontend parameters nodeSelector: {} # -- Tolerations for Penpot pods assignment. Check [the official doc](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/) # @section -- Frontend parameters tolerations: [] # -- Penpot frontend resource requests and limits. Check [the official doc](https://kubernetes.io/docs/user-guide/compute-resources/) # @section -- Frontend parameters resources: # -- The resources limits for the Penpot frontend containers # @section -- Frontend parameters limits: {} # -- The requested resources for the Penpot frontend containers # @section -- Frontend parameters requests: {} # -- Configure Pod Disruption Budget for the frontend pods. Check [the official doc](https://kubernetes.io/docs/tasks/run-application/configure-pdb/) # @section -- Frontend parameters pdb: # -- Enable Pod Disruption Budget for the frontend pods. # @section -- Frontend parameters enabled: false # -- (int,string) The number or percentage of pods from that set that must still be available after the eviction (e.g.: 3, "10%"). # @section -- Frontend parameters minAvailable: # -- (int,string) The number or percentage of pods from that set that can be unavailable after the eviction (e.g.: 3, "10%"). # @section -- Frontend parameters maxUnavailable: exporter: image: # -- The Docker repository to pull the image from. # @section -- Exporter parameters repository: penpotapp/exporter # -- The image tag to use. # @section -- Exporter parameters tag: 2.3.2 # -- The image pull policy to use. # @section -- Exporter parameters imagePullPolicy: IfNotPresent # -- The number of replicas to deploy. Enable persistence.exporter if you use more than 1 replicaCount # @section -- Exporter parameters replicaCount: 1 service: # -- The service type to create. # @section -- Exporter parameters type: ClusterIP # -- The service port to use. # @section -- Exporter parameters port: 6061 # -- An optional map of annotations to be applied to the controller Deployment # @section -- Exporter parameters deploymentAnnotations: {} # -- An optional map of labels to be applied to the controller Pods # @section -- Exporter parameters podLabels: {} # -- An optional map of annotations to be applied to the controller Pods # @section -- Exporter parameters podAnnotations: {} # -- Configure Pods Security Context. Check [the official doc](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) # @section -- Exporter parameters podSecurityContext: fsGroup: 1001 # -- Configure Container Security Context. Check [the official doc](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) # @section -- Exporter parameters containerSecurityContext: runAsUser: 1001 allowPrivilegeEscalation: false capabilities: drop: - all readOnlyRootFilesystem: false runAsNonRoot: true # -- Affinity for Penpot pods assignment. Check [the official doc](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity) # @section -- Exporter parameters affinity: {} # -- Node labels for Penpot pods assignment. Check [the official doc](https://kubernetes.io/docs/user-guide/node-selection/) # @section -- Exporter parameters nodeSelector: {} # -- Tolerations for Penpot pods assignment. Check [the official doc](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/) # @section -- Exporter parameters tolerations: [] # -- Penpot frontend resource requests and limits. Check [the official doc](https://kubernetes.io/docs/user-guide/compute-resources/) # @section -- Exporter parameters resources: # -- The resources limits for the Penpot frontend containers # @section -- Exporter parameters limits: {} # -- The requested resources for the Penpot frontend containers # @section -- Exporter parameters requests: {} # -- Configure Pod Disruption Budget for the exporter pods. Check [the official doc](https://kubernetes.io/docs/tasks/run-application/configure-pdb/) # @section -- Exporter parameters pdb: # -- Enable Pod Disruption Budget for the exporter pods. # @section -- Exporter parameters enabled: false # -- (int,string) The number or percentage of pods from that set that must still be available after the eviction (e.g.: 3, "10%"). # @section -- Exporter parameters minAvailable: # -- (int,string) The number or percentage of pods from that set that can be unavailable after the eviction (e.g.: 3, "10%"). # @section -- Exporter parameters maxUnavailable: # @section -- Persistence parameters persistence: assets: # -- Enable assets persistence using Persistent Volume Claims. # @section -- Persistence parameters enabled: false # -- Assets persistent Volume storage class. # If defined, storageClassName: . # If undefined (the default) or set to null, no storageClassName spec is set, choosing the default provisioner. # @section -- Persistence parameters storageClass: "" # -- Assets persistent Volume size. # @section -- Persistence parameters size: 20Gi # -- The name of an existing PVC to use for assets persistence. # @section -- Persistence parameters existingClaim: "" # -- Assets persistent Volume access modes. # @section -- Persistence parameters accessModes: - ReadWriteOnce # -- Assetsp ersistent Volume Claim annotations. # @section -- Persistence parameters annotations: {} exporter: # -- Enable exporter persistence using Persistent Volume Claims. If exporter.replicaCount you have to enable it. # @section -- Persistence parameters enabled: false # -- Exporter persistent Volume storage class. Empty is choosing the default provisioner by the provider. # @section -- Persistence parameters storageClass: "" # -- Exporter persistent Volume size. # @section -- Persistence parameters size: 10Gi # -- The name of an existing PVC to use for persistence. # @section -- Persistence parameters existingClaim: "" # -- Exporter persistent Volume access modes. # @section -- Persistence parameters accessModes: - ReadWriteOnce # -- Exporter persistent Volume Claim annotations. # @section -- Persistence parameters annotations: {} ingress: # -- Enable (frontend) Ingress Controller. # @section -- Ingress parameters enabled: false # -- The Ingress className. # @section -- Ingress parameters className: "" # -- Mapped annotations for the ingress crontroller. # E.g. # annotations: # kubernetes.io/ingress.class: nginx # kubernetes.io/tls-acme: "true" # @section -- Ingress parameters annotations: {} # -- Root path for every hosts. # @section -- Ingress parameters path: "/" # -- Array style hosts for the (frontend) ingress crontroller. # @section -- Ingress parameters hosts: # -- The default external hostname to access to the penpot app. # @section -- Ingress parameters - "penpot.example.com" # -- Array style TLS secrets for the (frontend) ingress crontroller. # E.g. # tls: # - secretName: penpot.example.com-tls # hosts: # - penpot.example.com # @section -- Ingress parameters tls: [] # -- PostgreSQL configuration (Check for [more parameters here](https://artifacthub.io/packages/helm/bitnami/postgresql)) # @section -- PostgreSQL Dependencie parameters postgresql: auth: # -- Name for a custom user to create. # @section -- PostgreSQL Dependencie parameters username: "penpot" # -- Password for the custom user to create. # @section -- PostgreSQL Dependencie parameters password: "penpot" # -- Name for a custom database to create. # @section -- PostgreSQL Dependencie parameters database: "penpot" # -- Redis configuration (Check for [more parameters here](https://artifacthub.io/packages/helm/bitnami/redis)) # @section -- Redis Dependencie parameters redis: auth: # -- Whether to enable password authentication. # @section -- Redis Dependencie parameters enabled: false