mirror of
synced 2025-03-11 15:11:22 -05:00
25 KiB
25 KiB
Helm chart for Penpot, the Open Source design and prototyping platform.
Installing the Chart
To install the chart with the release name my-release
$ helm repo add penpot http://helm.penpot.app
$ helm install my-release penpot/penpot
Backend parameters
Key | Type | Default | Description |
backend.affinity | object | {} |
Affinity for Penpot pods assignment. Check the official doc |
backend.containerSecurityContext | object | {"allowPrivilegeEscalation":false,"capabilities":{"drop":["all"]},"enabled":true,"readOnlyRootFilesystem":false,"runAsNonRoot":true,"runAsUser":1001} |
Configure Container Security Context. Check the official doc |
backend.containerSecurityContext.allowPrivilegeEscalation | bool | false |
Set Penpot containers' security context allowPrivilegeEscalation |
backend.containerSecurityContext.capabilities | object | {"drop":["all"]} |
Set Penpot containers' security context capabilities to be dropped |
backend.containerSecurityContext.enabled | bool | true |
Enabled Penpot containers' security context |
backend.containerSecurityContext.readOnlyRootFilesystem | bool | false |
Set Penpot containers' security context readOnlyRootFilesystem |
backend.containerSecurityContext.runAsNonRoot | bool | true |
Set Penpot container's security context runAsNonRoot |
backend.containerSecurityContext.runAsUser | int | 1001 |
Set Penpot containers' security context runAsUser |
backend.deploymentAnnotations | object | {} |
An optional map of annotations to be applied to the controller Deployment |
backend.image.pullPolicy | string | "IfNotPresent" |
The image pull policy to use. |
backend.image.repository | string | "penpotapp/backend" |
The Docker repository to pull the image from. |
backend.image.tag | string | "2.0.3" |
The image tag to use. |
backend.nodeSelector | object | {} |
Node labels for Penpot pods assignment. Check the official doc |
backend.podAnnotations | object | {} |
An optional map of annotations to be applied to the controller Pods |
backend.podLabels | object | {} |
An optional map of labels to be applied to the controller Pods |
backend.podSecurityContext | object | {"enabled":true,"fsGroup":1001} |
Configure Pods Security Context. Check the official doc |
backend.podSecurityContext.enabled | bool | true |
Enabled Penpot pods' security context |
backend.podSecurityContext.fsGroup | int | 1001 |
Set Penpot pod's security context fsGroup |
backend.replicaCount | int | 1 |
The number of replicas to deploy. |
backend.resources | object | {"limits":{},"requests":{}} |
Penpot backend resource requests and limits. Check the official doc |
backend.resources.limits | object | {} |
The resources limits for the Penpot backend containers |
backend.resources.requests | object | {} |
The requested resources for the Penpot backend containers |
backend.service.port | int | 6060 |
The http service port to use. |
backend.service.type | string | "ClusterIP" |
The http service type to create. |
backend.tolerations | list | [] |
Tolerations for Penpot pods assignment. Check the official doc |
Configuration parameters
Key | Type | Default | Description |
config.apiSecretKey | string | "kmZ96pAxhTgk3HZvvBkPeVTspGBneKVLEpO_3ecORs_gwACENZ77z05zCe7skvPsQ3jI3QgkULQOWCuLjmjQsg" |
A random secret key needed for persistent user sessions. Generate with python3 -c "import secrets; print(secrets.token_urlsafe(64))" for example. |
config.assets.filesystem.directory | string | "/opt/data/assets" |
The storage directory to use if you chose the filesystem storage backend. |
config.assets.s3.accessKeyID | string | "" |
The S3 access key ID to use if you chose the S3 storage backend. |
config.assets.s3.bucket | string | "" |
The name of the S3 bucket to use if you chose the S3 storage backend. |
config.assets.s3.endpointURI | string | "" |
The S3 endpoint URI to use if you chose the S3 storage backend. |
config.assets.s3.existingSecret | string | "" |
The name of an existing secret. |
config.assets.s3.region | string | "" |
The S3 region to use if you chose the S3 storage backend. |
config.assets.s3.secretAccessKey | string | "" |
The S3 secret access key to use if you chose the S3 storage backend. |
config.assets.s3.secretKeys.accessKeyIDKey | string | "" |
The S3 access key ID to use from an existing secret. |
config.assets.s3.secretKeys.endpointURIKey | string | "" |
The S3 endpoint URI to use from an existing secret. |
config.assets.s3.secretKeys.secretAccessKey | string | "" |
The S3 secret access key to use from an existing secret. |
config.assets.storageBackend | string | "assets-fs" |
The storage backend for assets to use. Use assets-fs for filesystem, and assets-s3 for S3. |
config.flags | string | "enable-registration enable-login-with-password disable-email-verification enable-smtp" |
The feature flags to enable. Check the official docs for more info. |
config.postgresql.database | string | "penpot" |
The PostgreSQL database to use. |
config.postgresql.existingSecret | string | "" |
The name of an existing secret. |
config.postgresql.host | string | "" |
The PostgreSQL host to connect to. Empty to use dependencies. |
config.postgresql.password | string | "penpot" |
The database password to use. |
config.postgresql.port | int | 5432 |
The PostgreSQL host port to use. |
config.postgresql.secretKeys.passwordKey | string | "" |
The password key to use from an existing secret. |
config.postgresql.secretKeys.usernameKey | string | "" |
The username key to use from an existing secret. |
config.postgresql.username | string | "penpot" |
The database username to use. |
config.providers | object | `{"existingSecret":"","github":{"clientID":"","clientSecret":"","enabled":false},"gitlab":{"baseURI":"https://gitlab.com","clientID":"","clientSecret":"","enabled":false},"google":{"clientID":"","clientSecret":"","enabled":false},"ldap":{"attributesEmail":"mail","attributesFullname":"cn","attributesPhoto":"jpegPhoto","attributesUsername":"uid","baseDN":"ou=people,dc=planetexpress,dc=com","bindDN":"cn=admin,dc=planetexpress,dc=com","bindPassword":"GoodNewsEveryone","enabled":false,"host":"ldap","port":10389,"ssl":false,"startTLS":false,"userQuery":"(&( | (uid=:username)(mail=:username))(memberOf=cn=penpot,ou=groups,dc=my-domain,dc=com))"},"oidc":{"authURI":"","baseURI":"","clientID":"","clientSecret":"","emailAttribute":"","enabled":false,"nameAttribute":"","roles":"role1 role2","rolesAttribute":"","scopes":"scope1 scope2","tokenURI":"","userURI":""},"secretKeys":{"githubClientIDKey":"","githubClientSecretKey":"","gitlabClientIDKey":"","gitlabClientSecretKey":"","googleClientIDKey":"","googleClientSecretKey":"","oidcClientIDKey":"","oidcClientSecretKey":""}}` |
config.providers.existingSecret | string | "" |
The name of an existing secret to use. |
config.providers.github.clientID | string | "" |
The GitHub client ID to use. |
config.providers.github.clientSecret | string | "" |
The GitHub client secret to use. |
config.providers.github.enabled | bool | false |
Whether to enable GitHub configuration. To enable GitHub auth, also add enable-login-with-github to the flags. |
config.providers.gitlab.baseURI | string | "https://gitlab.com" |
The GitLab base URI to use. |
config.providers.gitlab.clientID | string | "" |
The GitLab client ID to use. |
config.providers.gitlab.clientSecret | string | "" |
The GitLab client secret to use. |
config.providers.gitlab.enabled | bool | false |
Whether to enable GitLab configuration. To enable GitLab auth, also add enable-login-with-gitlab to the flags. |
config.providers.google.clientID | string | "" |
The Google client ID to use. To enable Google auth, add enable-login-with-google to the flags. |
config.providers.google.clientSecret | string | "" |
The Google client secret to use. To enable Google auth, add enable-login-with-google to the flags. |
config.providers.google.enabled | bool | false |
Whether to enable Google configuration. To enable Google auth, add enable-login-with-google to the flags. |
config.providers.ldap.attributesEmail | string | "mail" |
The LDAP attributes email to use. |
config.providers.ldap.attributesFullname | string | "cn" |
The LDAP attributes fullname to use. |
config.providers.ldap.attributesPhoto | string | "jpegPhoto" |
The LDAP attributes photo format to use. |
config.providers.ldap.attributesUsername | string | "uid" |
The LDAP attributes username to use. |
config.providers.ldap.baseDN | string | "ou=people,dc=planetexpress,dc=com" |
The LDAP base DN to use. |
config.providers.ldap.bindDN | string | "cn=admin,dc=planetexpress,dc=com" |
The LDAP bind DN to use. |
config.providers.ldap.bindPassword | string | "GoodNewsEveryone" |
The LDAP bind password to use. |
config.providers.ldap.enabled | bool | false |
Whether to enable LDAP configuration. To enable LDAP, also add enable-login-with-ldap to the flags. |
config.providers.ldap.host | string | "ldap" |
The LDAP host to use. |
config.providers.ldap.port | int | 10389 |
The LDAP port to use. |
config.providers.ldap.ssl | bool | false |
Whether to use SSL for the LDAP connection. |
config.providers.ldap.startTLS | bool | false |
Whether to utilize StartTLS for the LDAP connection. |
config.providers.ldap.userQuery | string | `"(&( | (uid=:username)(mail=:username))(memberOf=cn=penpot,ou=groups,dc=my-domain,dc=com))"` |
config.providers.oidc.authURI | string | "" |
Optional OpenID Connect auth URI to use. Auto discovered if not provided. |
config.providers.oidc.baseURI | string | "" |
The OpenID Connect base URI to use. |
config.providers.oidc.clientID | string | "" |
The OpenID Connect client ID to use. |
config.providers.oidc.clientSecret | string | "" |
The OpenID Connect client secret to use. |
config.providers.oidc.emailAttribute | string | "" |
Optional OpenID Connect email attribute to use. If not provided, the email prop will be used. |
config.providers.oidc.enabled | bool | false |
Whether to enable OIDC configuration. To enable OpenID Connect auth, also add enable-login-with-oidc to the flags. |
config.providers.oidc.nameAttribute | string | "" |
Optional OpenID Connect name attribute to use. If not provided, the name prop will be used. |
config.providers.oidc.roles | string | "role1 role2" |
Optional OpenID Connect roles to use. If no role is provided, roles checking disabled. |
config.providers.oidc.rolesAttribute | string | "" |
Optional OpenID Connect roles attribute to use. If not provided, the roles checking will be disabled. |
config.providers.oidc.scopes | string | "scope1 scope2" |
Optional OpenID Connect scopes to use. This settings allow overwrite the required scopes, use with caution because penpot requres at least name and email attrs found on the user info. Optional, defaults to openid profile . |
config.providers.oidc.tokenURI | string | "" |
Optional OpenID Connect token URI to use. Auto discovered if not provided. |
config.providers.oidc.userURI | string | "" |
Optional OpenID Connect user URI to use. Auto discovered if not provided. |
config.providers.secretKeys.githubClientIDKey | string | "" |
The GitHub client ID key to use from an existing secret. |
config.providers.secretKeys.githubClientSecretKey | string | "" |
The GitHub client secret key to use from an existing secret. |
config.providers.secretKeys.gitlabClientIDKey | string | "" |
The GitLab client ID key to use from an existing secret. |
config.providers.secretKeys.gitlabClientSecretKey | string | "" |
The GitLab client secret key to use from an existing secret. |
config.providers.secretKeys.googleClientIDKey | string | "" |
The Google client ID key to use from an existing secret. |
config.providers.secretKeys.googleClientSecretKey | string | "" |
The Google client secret key to use from an existing secret. |
config.providers.secretKeys.oidcClientIDKey | string | "" |
The OpenID Connect client ID key to use from an existing secret. |
config.providers.secretKeys.oidcClientSecretKey | string | "" |
The OpenID Connect client secret key to use from an existing secret. |
config.publicUri | string | "http://penpot.example.com" |
The public domain to serve Penpot on. IMPORTANT: Set disable-secure-session-cookies in the flags if you plan on serving it on a non HTTPS domain. |
config.redis.database | string | "0" |
The Redis database to connect to. |
config.redis.host | string | "" |
The Redis host to connect to. Empty to use dependencies |
config.redis.port | int | 6379 |
The Redis host port to use. |
config.registrationDomainWhitelist | string | "" |
Comma separated list of allowed domains to register. Empty to allow all domains. |
config.smtp.defaultFrom | string | "" |
The SMTP default email to send from. |
config.smtp.defaultReplyTo | string | "" |
The SMTP default email to reply to. |
config.smtp.enabled | bool | false |
Whether to enable SMTP configuration. You also need to add the 'enable-smtp' flag to the PENPOT_FLAGS variable. |
config.smtp.existingSecret | string | "" |
The name of an existing secret. |
config.smtp.host | string | "" |
The SMTP host to use. |
config.smtp.password | string | "" |
The SMTP password to use. |
config.smtp.port | string | "" |
The SMTP host port to use. |
config.smtp.secretKeys.passwordKey | string | "" |
The SMTP password to use from an existing secret. |
config.smtp.secretKeys.usernameKey | string | "" |
The SMTP username to use from an existing secret. |
config.smtp.ssl | bool | false |
Whether to use SSL for the SMTP connection. |
config.smtp.tls | bool | true |
Whether to use TLS for the SMTP connection. |
config.smtp.username | string | "" |
The SMTP username to use. |
config.telemetryEnabled | bool | true |
Whether to enable sending of anonymous telemetry data. |
Exporter parameters
Key | Type | Default | Description |
exporter.affinity | object | {} |
Affinity for Penpot pods assignment. Check the official doc |
exporter.containerSecurityContext | object | {"allowPrivilegeEscalation":false,"capabilities":{"drop":["all"]},"enabled":true,"readOnlyRootFilesystem":false,"runAsNonRoot":true,"runAsUser":1001} |
Configure Container Security Context. Check the official doc |
exporter.containerSecurityContext.allowPrivilegeEscalation | bool | false |
Set Penpot containers' security context allowPrivilegeEscalation |
exporter.containerSecurityContext.capabilities | object | {"drop":["all"]} |
Set Penpot containers' security context capabilities to be dropped |
exporter.containerSecurityContext.enabled | bool | true |
Enabled Penpot containers' security context |
exporter.containerSecurityContext.readOnlyRootFilesystem | bool | false |
Set Penpot containers' security context readOnlyRootFilesystem |
exporter.containerSecurityContext.runAsNonRoot | bool | true |
Set Penpot container's security context runAsNonRoot |
exporter.containerSecurityContext.runAsUser | int | 1001 |
Set Penpot containers' security context runAsUser |
exporter.deploymentAnnotations | object | {} |
An optional map of annotations to be applied to the controller Deployment |
exporter.image.imagePullPolicy | string | "IfNotPresent" |
The image pull policy to use. |
exporter.image.repository | string | "penpotapp/exporter" |
The Docker repository to pull the image from. |
exporter.image.tag | string | "2.0.3" |
The image tag to use. |
exporter.nodeSelector | object | {} |
Node labels for Penpot pods assignment. Check the official doc |
exporter.podAnnotations | object | {} |
An optional map of annotations to be applied to the controller Pods |
exporter.podLabels | object | {} |
An optional map of labels to be applied to the controller Pods |
exporter.podSecurityContext | object | {"enabled":true,"fsGroup":1001} |
Configure Pods Security Context. Check the official doc |
exporter.podSecurityContext.enabled | bool | true |
Enabled Penpot pods' security context |
exporter.podSecurityContext.fsGroup | int | 1001 |
Set Penpot pod's security context fsGroup |
exporter.replicaCount | int | 1 |
The number of replicas to deploy. Enable persistence.exporter if you use more than 1 replicaCount |
exporter.resources | object | {"limits":{},"requests":{}} |
Penpot frontend resource requests and limits. Check the official doc |
exporter.resources.limits | object | {} |
The resources limits for the Penpot frontend containers |
exporter.resources.requests | object | {} |
The requested resources for the Penpot frontend containers |
exporter.service.port | int | 6061 |
The service port to use. |
exporter.service.type | string | "ClusterIP" |
The service type to create. |
exporter.tolerations | list | [] |
Tolerations for Penpot pods assignment. Check the official doc |
Frontend parameters
Key | Type | Default | Description |
frontend.affinity | object | {} |
Affinity for Penpot pods assignment. Check the official doc |
frontend.deploymentAnnotations | object | {} |
An optional map of annotations to be applied to the controller Deployment |
frontend.image.pullPolicy | string | "IfNotPresent" |
The image pull policy to use. |
frontend.image.repository | string | "penpotapp/frontend" |
The Docker repository to pull the image from. |
frontend.image.tag | string | "2.0.3" |
The image tag to use. |
frontend.nodeSelector | object | {} |
Node labels for Penpot pods assignment. Check the official doc |
frontend.podAnnotations | object | {} |
An optional map of annotations to be applied to the controller Pods |
frontend.podLabels | object | {} |
An optional map of labels to be applied to the controller Pods |
frontend.replicaCount | int | 1 |
The number of replicas to deploy. |
frontend.resources | object | {"limits":{},"requests":{}} |
Penpot frontend resource requests and limits. Check the official doc |
frontend.resources.limits | object | {} |
The resources limits for the Penpot frontend containers |
frontend.resources.requests | object | {} |
The requested resources for the Penpot frontend containers |
frontend.service.port | int | 80 |
The service port to use. |
frontend.service.type | string | "ClusterIP" |
The service type to create. |
frontend.tolerations | list | [] |
Tolerations for Penpot pods assignment. Check the official doc |
Common parameters
Key | Type | Default | Description |
fullnameOverride | string | "" |
To fully override common.names.fullname |
nameOverride | string | "" |
To partially override common.names.fullname |
serviceAccount.annotations | object | {} |
Annotations for service account. Evaluated as a template. |
serviceAccount.enabled | bool | true |
Specifies whether a ServiceAccount should be created. |
serviceAccount.name | string | "penpot" |
The name of the ServiceAccount to use. If not set and enabled is true, a name is generated using the fullname template. |
Global parameters
Key | Type | Default | Description |
global.imagePullSecrets | list | [] |
Global Docker registry secret names. E.g. imagePullSecrets: - myRegistryKeySecretName |
global.postgresqlEnabled | bool | false |
Whether to deploy the Bitnami PostgreSQL chart as subchart. Check the official chart for configuration. |
global.redisEnabled | bool | false |
Whether to deploy the Bitnami Redis chart as subchart. Check the official chart for configuration. |
Ingress parameters
Key | Type | Default | Description |
ingress.annotations | object | {} |
Mapped annotations for the ingress crontroller. E.g. annotations: kubernetes.io/ingress.class: nginx kubernetes.io/tls-acme: "true" |
ingress.className | string | "" |
The Ingress className. |
ingress.enabled | bool | false |
Enable (frontend) Ingress Controller. |
ingress.hosts | list | [{"host":"penpot.example.com"}] |
Array style hosts for the (frontend) ingress crontroller. |
ingress.hosts[0] | object | {"host":"penpot.example.com"} |
The default external hostname to access to the penpot app. |
ingress.path | string | "/" |
Root path for every hosts. |
ingress.tls | list | [] |
Array style TLS secrets for the (frontend) ingress crontroller. E.g. tls: - secretName: penpot.example.com-tls hosts: - penpot.example.com |
Persistence parameters
Key | Type | Default | Description |
persistence.assets.accessModes | list | ["ReadWriteOnce"] |
Assets persistent Volume access modes. |
persistence.assets.annotations | object | {} |
Assetsp ersistent Volume Claim annotations. |
persistence.assets.enabled | string | "fals" |
Enable assets persistence using Persistent Volume Claims. |
persistence.assets.existingClaim | string | "" |
The name of an existing PVC to use for assets persistence. |
persistence.assets.size | string | "20Gi" |
Assets persistent Volume size. |
persistence.assets.storageClass | string | "" |
Assets persistent Volume storage class. If defined, storageClassName: . If undefined (the default) or set to null, no storageClassName spec is set, choosing the default provisioner. |
persistence.exporter.accessModes | list | ["ReadWriteOnce"] |
Exporter persistent Volume access modes. |
persistence.exporter.annotations | object | {} |
Exporter persistent Volume Claim annotations. |
persistence.exporter.enabled | bool | false |
Enable exporter persistence using Persistent Volume Claims. If exporter.replicaCount you have to enable it. |
persistence.exporter.existingClaim | string | "" |
The name of an existing PVC to use for persistence. |
persistence.exporter.size | string | "10Gi" |
Exporter persistent Volume size. |
persistence.exporter.storageClass | string | "" |
Exporter persistent Volume storage class. Empty is choosing the default provisioner by the provider. |
PostgreSQL Dependencie parameters
Key | Type | Default | Description |
postgresql | object | {"auth":{"database":"penpot","password":"penpot","username":"penpot"}} |
PostgreSQL configuration (Check for more parameters here) |
postgresql.auth.database | string | "penpot" |
Name for a custom database to create. |
postgresql.auth.password | string | "penpot" |
Password for the custom user to create. |
postgresql.auth.username | string | "penpot" |
Name for a custom user to create. |
Redis Dependencie parameters
Key | Type | Default | Description |
redis | object | {"auth":{"enabled":false}} |
Redis configuration (Check for more parameters here) |
redis.auth.enabled | bool | false |
Whether to enable password authentication. |