diff --git a/.gimlet/k8s/preview-frontend/Chart.yaml b/.gimlet/k8s/penpot/Chart.yaml similarity index 72% rename from .gimlet/k8s/preview-frontend/Chart.yaml rename to .gimlet/k8s/penpot/Chart.yaml index 41d354629..e8e76bd46 100644 --- a/.gimlet/k8s/preview-frontend/Chart.yaml +++ b/.gimlet/k8s/penpot/Chart.yaml @@ -1,4 +1,4 @@ -name: penpot-frontend-preview +name: penpot maintainers: - name: Tokens Studio url: https://tokens.studio @@ -15,3 +15,8 @@ keywords: - design sources: - https://github.com/penpot/penpot +dependencies: + - condition: global.redisEnabled + name: redis + repository: https://charts.bitnami.com/bitnami + version: 17.x.x \ No newline at end of file diff --git a/.gimlet/k8s/preview-frontend/templates/_helpers.tpl b/.gimlet/k8s/penpot/templates/_helpers.tpl similarity index 100% rename from .gimlet/k8s/preview-frontend/templates/_helpers.tpl rename to .gimlet/k8s/penpot/templates/_helpers.tpl diff --git a/.gimlet/k8s/penpot/templates/backend/deployment.yaml b/.gimlet/k8s/penpot/templates/backend/deployment.yaml new file mode 100644 index 000000000..c1e9d6483 --- /dev/null +++ b/.gimlet/k8s/penpot/templates/backend/deployment.yaml 
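Review bot: The new `dependencies` entry pins the Bitnami redis chart only to `version: 17.x.x`, so `helm dependency update` resolves to whatever 17.x release the repository serves at build time and two builds of the same commit can pull different chart contents. Pin an exact version (`version: "17.<minor>.<patch>"` — placeholder, use the version currently resolved) and commit the generated Chart.lock so the resolved chart digest is reviewed alongside the chart. The file also ends without a trailing newline (`\ No newline at end of file`), which is worth fixing while the file is being renamed.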
@@ -0,0 +1,380 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "penpot.fullname" . }}-backend + namespace: {{ .Release.Namespace }} + labels: + {{- include "penpot.labels" . | nindent 4 }} + {{- with .Values.backend.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + replicas: {{ .Values.backend.replicaCount }} + selector: + matchLabels: + {{- include "penpot.backendSelectorLabels" . | nindent 6 }} + template: + metadata: + labels: + {{- include "penpot.backendSelectorLabels" . | nindent 8 }} + spec: + {{- with .Values.global.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + {{ if .Values.backend.podSecurityContext.enabled }} + securityContext: + {{- omit .Values.backend.podSecurityContext "enabled" | toYaml | nindent 8 }} + {{- end }} + serviceAccountName: {{ include "penpot.serviceAccountName" . }} + affinity: + podAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: app.kubernetes.io/instance + operator: In + values: + - {{ .Release.Name }} + topologyKey: "kubernetes.io/hostname" + containers: + - name: {{ .Chart.Name }}-backend + {{ if .Values.backend.containerSecurityContext.enabled }} + securityContext: + {{- omit .Values.backend.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- end }} + image: "{{ .Values.backend.image.repository }}:{{ .Values.backend.image.tag }}" + imagePullPolicy: {{ .Values.backend.image.imagePullPolicy }} + volumeMounts: + - mountPath: /opt/data + name: app-data + readOnly: false + env: + - name: PENPOT_PUBLIC_URI + value: {{ .Values.config.publicURI | quote }} + - name: PENPOT_FLAGS + value: "$PENPOT_FLAGS {{ .Values.config.flags }}" + - name: PENPOT_SECRET_KEY + value: {{ .Values.config.apiSecretKey | quote }} + - name: PENPOT_DATABASE_URI + value: "postgresql://{{ .Values.config.postgresql.host }}:{{ .Values.config.postgresql.port }}/{{ .Values.config.postgresql.database }}" + - name: 
PENPOT_DATABASE_USERNAME + {{- if not .Values.config.postgresql.secretKeys.usernameKey }} + value: {{ .Values.config.postgresql.username | quote }} + {{- else }} + valueFrom: + secretKeyRef: + name: {{ .Values.config.postgresql.existingSecret }} + key: {{ .Values.config.postgresql.secretKeys.usernameKey }} + {{- end }} + - name: PENPOT_DATABASE_PASSWORD + {{- if not .Values.config.postgresql.secretKeys.passwordKey }} + value: {{ .Values.config.postgresql.password | quote }} + {{- else }} + valueFrom: + secretKeyRef: + name: {{ .Values.config.postgresql.existingSecret }} + key: {{ .Values.config.postgresql.secretKeys.passwordKey }} + {{- end }} + - name: PENPOT_REDIS_URI + value: "redis://{{ .Values.config.redis.host }}:{{ .Values.config.redis.port }}/{{ .Values.config.redis.database }}" + - name: PENPOT_ASSETS_STORAGE_BACKEND + value: {{ .Values.config.assets.storageBackend | quote }} + {{- if eq .Values.config.assets.storageBackend "assets-fs" }} + - name: PENPOT_STORAGE_ASSETS_FS_DIRECTORY + value: {{ .Values.config.assets.filesystem.directory | quote }} + {{- else if eq .Values.config.assets.storageBackend "assets-s3" }} + - name: PENPOT_STORAGE_ASSETS_S3_REGION + value: {{ .Values.config.assets.s3.region | quote }} + - name: PENPOT_STORAGE_ASSETS_S3_BUCKET + value: {{ .Values.config.assets.s3.bucket | quote }} + - name: AWS_ACCESS_KEY_ID + {{- if not .Values.config.assets.s3.secretKeys.accessKeyIDKey }} + value: {{ .Values.config.assets.s3.accessKeyID | quote }} + {{- else }} + valueFrom: + secretKeyRef: + name: {{ .Values.config.assets.s3.existingSecret }} + key: {{ .Values.config.assets.s3.secretKeys.accessKeyIDKey }} + {{- end }} + - name: AWS_SECRET_ACCESS_KEY + {{- if not .Values.config.assets.s3.secretKeys.secretAccessKey }} + value: {{ .Values.config.assets.s3.secretAccessKey | quote }} + {{- else }} + valueFrom: + secretKeyRef: + name: {{ .Values.config.assets.s3.existingSecret }} + key: {{ .Values.config.assets.s3.secretKeys.secretAccessKey }} + {{- 
end }} + - name: PENPOT_STORAGE_ASSETS_S3_ENDPOINT + {{- if not .Values.config.assets.s3.secretKeys.endpointURIKey }} + value: {{ .Values.config.assets.s3.endpointURI | quote }} + {{- else }} + valueFrom: + secretKeyRef: + name: {{ .Values.config.assets.s3.existingSecret }} + key: {{ .Values.config.assets.s3.secretKeys.endpointURIKey }} + {{- end }} + {{- end }} + - name: PENPOT_TELEMETRY_ENABLED + value: {{ .Values.config.telemetryEnabled | quote }} + + {{- if .Values.config.smtp.enabled }} + - name: PENPOT_SMTP_ENABLED + value: 'true' + {{- if .Values.config.smtp.defaultFrom }} + - name: PENPOT_SMTP_DEFAULT_FROM + value: {{ .Values.config.smtp.defaultFrom | quote }} + {{- end }} + {{- if .Values.config.smtp.defaultReplyTo }} + - name: PENPOT_SMTP_DEFAULT_REPLY_TO + value: {{ .Values.config.smtp.defaultReplyTo | quote }} + {{- end }} + {{- if .Values.config.smtp.host }} + - name: PENPOT_SMTP_HOST + value: {{ .Values.config.smtp.host | quote }} + {{- end }} + {{- if .Values.config.smtp.port }} + - name: PENPOT_SMTP_PORT + value: {{ .Values.config.smtp.port | quote }} + {{- end }} + {{- if not .Values.config.smtp.secretKeys.usernameKey }} + - name: PENPOT_SMTP_USERNAME + value: {{ .Values.config.smtp.username | quote }} + {{- else }} + - name: PENPOT_SMTP_USERNAME + valueFrom: + secretKeyRef: + name: {{ .Values.config.smtp.existingSecret }} + key: {{ .Values.config.smtp.secretKeys.usernameKey }} + {{- end }} + {{- if not .Values.config.smtp.secretKeys.passwordKey }} + - name: PENPOT_SMTP_PASSWORD + value: {{ .Values.config.smtp.password | quote }} + {{- else }} + - name: PENPOT_SMTP_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Values.config.smtp.existingSecret }} + key: {{ .Values.config.smtp.secretKeys.passwordKey }} + {{- end }} + {{- if .Values.config.smtp.tls }} + - name: PENPOT_SMTP_TLS + value: {{ .Values.config.smtp.tls | quote }} + {{- end }} + {{- if .Values.config.smtp.ssl }} + - name: PENPOT_SMTP_SSL + value: {{ .Values.config.smtp.ssl | quote }} + 
{{- end }} + {{- end }} + + + {{- if .Values.config.registrationDomainWhitelist }} + - name: PENPOT_REGISTRATION_DOMAIN_WHITELIST + value: {{ .Values.config.registrationDomainWhitelist | quote }} + {{- end }} + + {{- if .Values.config.providers.google.enabled }} + {{- if not .Values.config.providers.secretKeys.googleClientIDKey }} + - name: PENPOT_GOOGLE_CLIENT_ID + value: {{ .Values.config.providers.google.clientID | quote }} + {{- else }} + - name: PENPOT_GOOGLE_CLIENT_ID + valueFrom: + secretKeyRef: + name: {{ .Values.config.providers.existingSecret }} + key: {{ .Values.config.providers.secretKeys.googleClientIDKey }} + {{- end }} + {{- if not .Values.config.providers.secretKeys.googleClientSecretKey}} + - name: PENPOT_GOOGLE_CLIENT_SECRET + value: {{ .Values.config.providers.google.clientSecret | quote }} + {{- else }} + - name: PENPOT_GOOGLE_CLIENT_SECRET + valueFrom: + secretKeyRef: + name: {{ .Values.config.providers.existingSecret }} + key: {{ .Values.config.providers.secretKeys.googleClientSecretKey }} + {{- end }} + {{- end }} + + {{- if .Values.config.providers.github.enabled }} + {{- if not .Values.config.providers.secretKeys.githubClientIDKey }} + - name: PENPOT_GITHUB_CLIENT_ID + value: {{ .Values.config.providers.github.clientID | quote }} + {{- else }} + - name: PENPOT_GITHUB_CLIENT_ID + valueFrom: + secretKeyRef: + name: {{ .Values.config.providers.existingSecret }} + key: {{ .Values.config.providers.secretKeys.githubClientIDKey }} + {{- end }} + {{- if not .Values.config.providers.secretKeys.githubClientSecretKey }} + - name: PENPOT_GITHUB_CLIENT_SECRET + value: {{ .Values.config.providers.github.clientSecret | quote }} + {{- else }} + - name: PENPOT_GITHUB_CLIENT_SECRET + valueFrom: + secretKeyRef: + name: {{ .Values.config.providers.existingSecret }} + key: {{ .Values.config.providers.secretKeys.githubClientSecretKey }} + {{- end }} + {{- end }} + + {{- if .Values.config.providers.gitlab.enabled }} + {{- if 
.Values.config.providers.gitlab.baseURI }} + - name: PENPOT_GITLAB_BASE_URI + value: {{ .Values.config.providers.gitlab.baseURI | quote }} + {{- end }} + {{- if not .Values.config.providers.secretKeys.gitlabClientIDKey }} + - name: PENPOT_GITLAB_CLIENT_ID + value: {{ .Values.config.providers.gitlab.clientID | quote }} + {{- else }} + - name: PENPOT_GITLAB_CLIENT_ID + valueFrom: + secretKeyRef: + name: {{ .Values.config.providers.existingSecret }} + key: {{ .Values.config.providers.secretKeys.gitlabClientIDKey }} + {{- end }} + {{- if not .Values.config.providers.secretKeys.gitlabClientSecretKey }} + - name: PENPOT_GITLAB_CLIENT_SECRET + value: {{ .Values.config.providers.gitlab.clientSecret | quote }} + {{- else }} + - name: PENPOT_GITLAB_CLIENT_SECRET + valueFrom: + secretKeyRef: + name: {{ .Values.config.providers.existingSecret }} + key: {{ .Values.config.providers.secretKeys.gitlabClientSecretKey }} + {{- end }} + {{- end }} + + {{- if .Values.config.providers.oidc.enabled }} + {{- if .Values.config.providers.oidc.baseURI }} + - name: PENPOT_OIDC_BASE_URI + value: {{ .Values.config.providers.oidc.baseURI | quote }} + {{- end }} + {{- if not .Values.config.providers.secretKeys.oidcClientIDKey }} + - name: PENPOT_OIDC_CLIENT_ID + value: {{ .Values.config.providers.oidc.clientID | quote}} + {{- else }} + - name: PENPOT_OIDC_CLIENT_ID + valueFrom: + secretKeyRef: + name: {{ .Values.config.providers.existingSecret }} + key: {{ .Values.config.providers.secretKeys.oidcClientIDKey }} + {{- end }} + {{- if not .Values.config.providers.secretKeys.oidcClientSecretKey}} + - name: PENPOT_OIDC_CLIENT_SECRET + value: {{ .Values.config.providers.oidc.clientSecret | quote }} + {{- else }} + - name: PENPOT_OIDC_CLIENT_SECRET + valueFrom: + secretKeyRef: + name: {{ .Values.config.providers.existingSecret }} + key: {{ .Values.config.providers.secretKeys.oidcClientSecretKey }} + {{- end }} + {{- if .Values.config.providers.oidc.authURI }} + - name: PENPOT_OIDC_AUTH_URI + value: {{ 
.Values.config.providers.oidc.authURI | quote }} + {{- end }} + {{- if .Values.config.providers.oidc.tokenURI }} + - name: PENPOT_OIDC_TOKEN_URI + value: {{ .Values.config.providers.oidc.tokenURI | quote }} + {{- end }} + {{- if .Values.config.providers.oidc.userURI }} + - name: PENPOT_OIDC_USER_URI + value: {{ .Values.config.providers.oidc.userURI | quote }} + {{- end }} + {{- if .Values.config.providers.oidc.roles }} + - name: PENPOT_OIDC_ROLES + value: {{ .Values.config.providers.oidc.roles | quote }} + {{- end }} + {{- if .Values.config.providers.oidc.rolesAttribute }} + - name: PENPOT_OIDC_ROLES_ATTR + value: {{ .Values.config.providers.oidc.rolesAttribute | quote }} + {{- end }} + {{- if .Values.config.providers.oidc.scopes }} + - name: PENPOT_OIDC_SCOPES + value: {{ .Values.config.providers.oidc.scopes | quote }} + {{- end }} + {{- if .Values.config.providers.oidc.nameAttribute }} + - name: PENPOT_OIDC_NAME_ATTR + value: {{ .Values.config.providers.oidc.nameAttribute | quote }} + {{- end }} + {{- if .Values.config.providers.oidc.emailAttribute }} + - name: PENPOT_OIDC_EMAIL_ATTR + value: {{ .Values.config.providers.oidc.emailAttribute | quote }} + {{- end }} + {{- end }} + + {{- if .Values.config.providers.ldap.enabled }} + {{- if .Values.config.providers.ldap.host }} + - name: PENPOT_LDAP_HOST + value: {{ .Values.config.providers.ldap.host | quote }} + {{- end }} + {{- if .Values.config.providers.ldap.port }} + - name: PENPOT_LDAP_PORT + value: {{ .Values.config.providers.ldap.port | quote }} + {{- end }} + {{- if .Values.config.providers.ldap.ssl }} + - name: PENPOT_LDAP_SSL + value: {{ .Values.config.providers.ldap.ssl | quote }} + {{- end }} + {{- if .Values.config.providers.ldap.startTLS }} + - name: PENPOT_LDAP_STARTTLS + value: {{ .Values.config.providers.ldap.startTLS | quote }} + {{- end }} + {{- if .Values.config.providers.ldap.baseDN }} + - name: PENPOT_LDAP_BASE_DN + value: {{ .Values.config.providers.ldap.baseDN | quote }} + {{- end }} + {{- if 
.Values.config.providers.ldap.bindDN }} + - name: PENPOT_LDAP_BIND_DN + value: {{ .Values.config.providers.ldap.bindDN | quote }} + {{- end }} + {{- if .Values.config.providers.ldap.bindPassword }} + - name: PENPOT_LDAP_BIND_PASSWORD + value: {{ .Values.config.providers.ldap.bindPassword | quote }} + {{- end }} + {{- if .Values.config.providers.ldap.attributesUsername }} + - name: PENPOT_LDAP_ATTRS_USERNAME + value: {{ .Values.config.providers.ldap.attributesUsername | quote }} + {{- end }} + {{- if .Values.config.providers.ldap.attributesEmail }} + - name: PENPOT_LDAP_ATTRS_EMAIL + value: {{ .Values.config.providers.ldap.attributesEmail | quote }} + {{- end }} + {{- if .Values.config.providers.ldap.attributesFullname }} + - name: PENPOT_LDAP_ATTRS_FULLNAME + value: {{ .Values.config.providers.ldap.attributesFullname | quote }} + {{- end }} + {{- if .Values.config.providers.ldap.attributesPhoto }} + - name: PENPOT_LDAP_ATTRS_PHOTO + value: {{ .Values.config.providers.ldap.attributesPhoto | quote }} + {{- end }} + {{- end }} + ports: + - name: http + containerPort: {{ .Values.backend.service.port }} + protocol: TCP + resources: + {{- toYaml .Values.backend.resources | nindent 12 }} + {{- with .Values.backend.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.backend.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.backend.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} + volumes: + - name: app-data + {{- if .Values.persistence.enabled }} + persistentVolumeClaim: + claimName: {{ .Values.persistence.existingClaim | default ( include "penpot.fullname" . ) }} + {{- else }} + emptyDir: {} + {{- end }} \ No newline at end of file diff --git a/.gimlet/k8s/penpot/templates/backend/service.yaml b/.gimlet/k8s/penpot/templates/backend/service.yaml new file mode 100644 index 000000000..b9668d15e --- /dev/null +++ b/.gimlet/k8s/penpot/templates/backend/service.yaml 
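Review bot: `PENPOT_SECRET_KEY` and `PENPOT_LDAP_BIND_PASSWORD` are only ever rendered as a literal `value:` from `.Values.config.apiSecretKey` and `.Values.config.providers.ldap.bindPassword`, so these secrets land in the Deployment spec and the Helm release record with no `secretKeyRef` path, unlike the database, S3, SMTP and OAuth credentials in the same env list which each offer an `existingSecret`/`secretKeys` alternative. Give them the same shape: `{{- if not .Values.config.secretKeys.apiSecretKeyKey }}` → literal value, `{{- else }}` → `valueFrom.secretKeyRef` on `.Values.config.existingSecret` (value names are a proposal, not existing keys). The pod spec also emits a hard-coded `affinity:` (a required podAffinity on `app.kubernetes.io/instance`) and, further down, a second `affinity:` under `{{- with .Values.backend.affinity }}`; when that value is set the rendered YAML carries a duplicate key, which the Kubernetes YAML decoder rejects and other loaders resolve as last-wins, so the user-supplied affinity should be merged into the single block. The same plain-`value:` handling of `PENPOT_SECRET_KEY` and `PENPOT_LDAP_BIND_PASSWORD` is repeated in exporter/deployment.yaml.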
@@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ include "penpot.fullname" . }}-backend + namespace: {{ .Release.Namespace }} + labels: + {{- include "penpot.labels" . | nindent 4 }} +spec: + type: {{ .Values.backend.service.type }} + ports: + - port: {{ .Values.backend.service.port }} + targetPort: http + protocol: TCP + name: http + selector: + {{- include "penpot.backendSelectorLabels" . | nindent 4 }} diff --git a/.gimlet/k8s/penpot/templates/db.yaml b/.gimlet/k8s/penpot/templates/db.yaml new file mode 100644 index 000000000..92d9ab90c --- /dev/null +++ b/.gimlet/k8s/penpot/templates/db.yaml @@ -0,0 +1,21 @@ +{{- if and .Values.postgresql.enabled -}} +apiVersion: postgresql.cnpg.io/v1 +kind: Cluster +metadata: + name: {{ include "penpot.fullname" . }}-db + namespace: {{ .Release.Namespace }} +spec: + instances: 1 + superuserSecret: + name: {{ .Values.postgresql.superUser | quote }} + bootstrap: + initdb: + database: {{ .Values.postgresql.database | quote }} + owner: {{ .Values.postgresql.owner | quote }} + secret: + name: {{ .Values.postgresql.secret | quote }} + monitoring: + enablePodMonitor: true + storage: + size: 5Gi +{{- end -}} \ No newline at end of file diff --git a/.gimlet/k8s/penpot/templates/exporter/deployment.yaml b/.gimlet/k8s/penpot/templates/exporter/deployment.yaml new file mode 100644 index 000000000..dccbdf00f --- /dev/null +++ b/.gimlet/k8s/penpot/templates/exporter/deployment.yaml 
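Review bot: In db.yaml, `{{- if and .Values.postgresql.enabled -}}` applies `and` to a single operand, which is a no-op and reads like the leftover of a second condition; `{{- if .Values.postgresql.enabled -}}` says the same thing. `instances: 1` and `storage.size: 5Gi` are the only settings in this Cluster left hard-coded while the secret, database and owner names come from `.Values.postgresql`; exposing them as values (e.g. `instances: {{ .Values.postgresql.instances }}`) avoids editing the template to scale or resize the database. `enablePodMonitor: true` and the `postgresql.cnpg.io/v1` kind presumably require the Prometheus Operator and CloudNativePG CRDs to be present in the cluster; neither requirement is declared in Chart.yaml, so a comment at the top of the template naming both would save the next operator a failed install.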
@@ -0,0 +1,353 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "penpot.fullname" . }}-exporter + namespace: {{ .Release.Namespace }} + labels: + {{- include "penpot.labels" . | nindent 4 }} +spec: + replicas: {{ .Values.exporter.replicaCount }} + selector: + matchLabels: + {{- include "penpot.exporterSelectorLabels" . | nindent 6 }} + template: + metadata: + labels: + {{- include "penpot.exporterSelectorLabels" . | nindent 8 }} + spec: + {{- with .Values.global.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + serviceAccountName: {{ include "penpot.serviceAccountName" . }} + {{ if .Values.exporter.podSecurityContext.enabled }} + securityContext: + {{- omit .Values.exporter.podSecurityContext "enabled" | toYaml | nindent 8 }} + {{- end }} + containers: + - name: {{ .Chart.Name }}-exporter + {{ if .Values.exporter.containerSecurityContext.enabled }} + securityContext: + {{- omit .Values.exporter.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- end }} + image: "{{ .Values.exporter.image.repository }}:{{ .Values.exporter.image.tag }}" + imagePullPolicy: {{ .Values.exporter.image.imagePullPolicy }} + env: + - name: PENPOT_PUBLIC_URI + value: {{ .Values.config.publicURI | quote }} + - name: PENPOT_FLAGS + value: "$PENPOT_FLAGS {{ .Values.config.flags }}" + - name: PENPOT_SECRET_KEY + value: {{ .Values.config.apiSecretKey | quote }} + - name: PENPOT_DATABASE_URI + value: "postgresql://{{ .Values.config.postgresql.host }}:{{ .Values.config.postgresql.port }}/{{ .Values.config.postgresql.database }}" + - name: PENPOT_DATABASE_USERNAME + {{- if not .Values.config.postgresql.secretKeys.usernameKey }} + value: {{ .Values.config.postgresql.username | quote }} + {{- else }} + valueFrom: + secretKeyRef: + name: {{ .Values.config.postgresql.existingSecret }} + key: {{ .Values.config.postgresql.secretKeys.usernameKey }} + {{- end }} + - name: PENPOT_DATABASE_PASSWORD + {{- if not 
.Values.config.postgresql.secretKeys.passwordKey }} + value: {{ .Values.config.postgresql.password | quote }} + {{- else }} + valueFrom: + secretKeyRef: + name: {{ .Values.config.postgresql.existingSecret }} + key: {{ .Values.config.postgresql.secretKeys.passwordKey }} + {{- end }} + - name: PENPOT_REDIS_URI + value: "redis://{{ .Values.config.redis.host }}:{{ .Values.config.redis.port }}/{{ .Values.config.redis.database }}" + - name: PENPOT_ASSETS_STORAGE_BACKEND + value: {{ .Values.config.assets.storageBackend | quote }} + {{- if eq .Values.config.assets.storageBackend "assets-fs" }} + - name: PENPOT_STORAGE_ASSETS_FS_DIRECTORY + value: {{ .Values.config.assets.filesystem.directory | quote }} + {{- else if eq .Values.config.assets.storageBackend "assets-s3" }} + - name: PENPOT_STORAGE_ASSETS_S3_REGION + value: {{ .Values.config.assets.s3.region | quote }} + - name: PENPOT_STORAGE_ASSETS_S3_BUCKET + value: {{ .Values.config.assets.s3.bucket | quote }} + - name: AWS_ACCESS_KEY_ID + {{- if not .Values.config.assets.s3.secretKeys.accessKeyIDKey }} + value: {{ .Values.config.assets.s3.accessKeyID | quote }} + {{- else }} + valueFrom: + secretKeyRef: + name: {{ .Values.config.assets.s3.existingSecret }} + key: {{ .Values.config.assets.s3.secretKeys.accessKeyIDKey }} + {{- end }} + - name: AWS_SECRET_ACCESS_KEY + {{- if not .Values.config.assets.s3.secretKeys.secretAccessKey }} + value: {{ .Values.config.assets.s3.secretAccessKey | quote }} + {{- else }} + valueFrom: + secretKeyRef: + name: {{ .Values.config.assets.s3.existingSecret }} + key: {{ .Values.config.assets.s3.secretKeys.secretAccessKey }} + {{- end }} + - name: PENPOT_STORAGE_ASSETS_S3_ENDPOINT + {{- if not .Values.config.assets.s3.secretKeys.endpointURIKey }} + value: {{ .Values.config.assets.s3.endpointURI | quote }} + {{- else }} + valueFrom: + secretKeyRef: + name: {{ .Values.config.assets.s3.existingSecret }} + key: {{ .Values.config.assets.s3.secretKeys.endpointURIKey }} + {{- end }} + {{- end }} + - 
name: PENPOT_TELEMETRY_ENABLED + value: {{ .Values.config.telemetryEnabled | quote }} + + {{- if .Values.config.smtp.enabled }} + {{- if .Values.config.smtp.defaultFrom }} + - name: PENPOT_SMTP_DEFAULT_FROM + value: {{ .Values.config.smtp.defaultFrom | quote }} + {{- end }} + {{- if .Values.config.smtp.defaultReplyTo }} + - name: PENPOT_SMTP_DEFAULT_REPLY_TO + value: {{ .Values.config.smtp.defaultReplyTo | quote }} + {{- end }} + {{- if .Values.config.smtp.host }} + - name: PENPOT_SMTP_HOST + value: {{ .Values.config.smtp.host | quote }} + {{- end }} + {{- if .Values.config.smtp.port }} + - name: PENPOT_SMTP_PORT + value: {{ .Values.config.smtp.port | quote }} + {{- end }} + {{- if not .Values.config.smtp.secretKeys.usernameKey }} + - name: PENPOT_SMTP_USERNAME + value: {{ .Values.config.smtp.username | quote }} + {{- else }} + - name: PENPOT_SMTP_USERNAME + valueFrom: + secretKeyRef: + name: {{ .Values.config.smtp.existingSecret }} + key: {{ .Values.config.smtp.secretKeys.usernameKey }} + {{- end }} + {{- if not .Values.config.smtp.secretKeys.passwordKey }} + - name: PENPOT_SMTP_PASSWORD + value: {{ .Values.config.smtp.password | quote }} + {{- else }} + - name: PENPOT_SMTP_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Values.config.smtp.existingSecret }} + key: {{ .Values.config.smtp.secretKeys.passwordKey }} + {{- end }} + {{- if .Values.config.smtp.tls }} + - name: PENPOT_SMTP_TLS + value: {{ .Values.config.smtp.tls | quote }} + {{- end }} + {{- if .Values.config.smtp.ssl }} + - name: PENPOT_SMTP_SSL + value: {{ .Values.config.smtp.ssl | quote }} + {{- end }} + {{- end }} + + + {{- if .Values.config.registrationDomainWhitelist }} + - name: PENPOT_REGISTRATION_DOMAIN_WHITELIST + value: {{ .Values.config.registrationDomainWhitelist | quote }} + {{- end }} + + {{- if .Values.config.providers.google.enabled }} + {{- if not .Values.config.providers.secretKeys.googleClientIDKey }} + - name: PENPOT_GOOGLE_CLIENT_ID + value: {{ 
.Values.config.providers.google.clientID | quote }} + {{- else }} + - name: PENPOT_GOOGLE_CLIENT_ID + valueFrom: + secretKeyRef: + name: {{ .Values.config.providers.existingSecret }} + key: {{ .Values.config.providers.secretKeys.googleClientIDKey }} + {{- end }} + {{- if not .Values.config.providers.secretKeys.googleClientSecretKey}} + - name: PENPOT_GOOGLE_CLIENT_SECRET + value: {{ .Values.config.providers.google.clientSecret | quote }} + {{- else }} + - name: PENPOT_GOOGLE_CLIENT_SECRET + valueFrom: + secretKeyRef: + name: {{ .Values.config.providers.existingSecret }} + key: {{ .Values.config.providers.secretKeys.googleClientSecretKey }} + {{- end }} + {{- end }} + + {{- if .Values.config.providers.github.enabled }} + {{- if not .Values.config.providers.secretKeys.githubClientIDKey }} + - name: PENPOT_GITHUB_CLIENT_ID + value: {{ .Values.config.providers.github.clientID | quote }} + {{- else }} + - name: PENPOT_GITHUB_CLIENT_ID + valueFrom: + secretKeyRef: + name: {{ .Values.config.providers.existingSecret }} + key: {{ .Values.config.providers.secretKeys.githubClientIDKey }} + {{- end }} + {{- if not .Values.config.providers.secretKeys.githubClientSecretKey }} + - name: PENPOT_GITHUB_CLIENT_SECRET + value: {{ .Values.config.providers.github.clientSecret | quote }} + {{- else }} + - name: PENPOT_GITHUB_CLIENT_SECRET + valueFrom: + secretKeyRef: + name: {{ .Values.config.providers.existingSecret }} + key: {{ .Values.config.providers.secretKeys.githubClientSecretKey }} + {{- end }} + {{- end }} + + {{- if .Values.config.providers.gitlab.enabled }} + {{- if .Values.config.providers.gitlab.baseURI }} + - name: PENPOT_GITLAB_BASE_URI + value: {{ .Values.config.providers.gitlab.baseURI | quote }} + {{- end }} + {{- if not .Values.config.providers.secretKeys.gitlabClientIDKey }} + - name: PENPOT_GITLAB_CLIENT_ID + value: {{ .Values.config.providers.gitlab.clientID | quote }} + {{- else }} + - name: PENPOT_GITLAB_CLIENT_ID + valueFrom: + secretKeyRef: + name: {{ 
.Values.config.providers.existingSecret }} + key: {{ .Values.config.providers.secretKeys.gitlabClientIDKey }} + {{- end }} + {{- if not .Values.config.providers.secretKeys.gitlabClientSecretKey }} + - name: PENPOT_GITLAB_CLIENT_SECRET + value: {{ .Values.config.providers.gitlab.clientSecret | quote }} + {{- else }} + - name: PENPOT_GITLAB_CLIENT_SECRET + valueFrom: + secretKeyRef: + name: {{ .Values.config.providers.existingSecret }} + key: {{ .Values.config.providers.secretKeys.gitlabClientSecretKey }} + {{- end }} + {{- end }} + + {{- if .Values.config.providers.oidc.enabled }} + {{- if .Values.config.providers.oidc.baseURI }} + - name: PENPOT_OIDC_BASE_URI + value: {{ .Values.config.providers.oidc.baseURI | quote }} + {{- end }} + {{- if not .Values.config.providers.secretKeys.oidcClientIDKey }} + - name: PENPOT_OIDC_CLIENT_ID + value: {{ .Values.config.providers.oidc.clientID | quote}} + {{- else }} + - name: PENPOT_OIDC_CLIENT_ID + valueFrom: + secretKeyRef: + name: {{ .Values.config.providers.existingSecret }} + key: {{ .Values.config.providers.secretKeys.oidcClientIDKey }} + {{- end }} + {{- if not .Values.config.providers.secretKeys.oidcClientSecretKey}} + - name: PENPOT_OIDC_CLIENT_SECRET + value: {{ .Values.config.providers.oidc.clientSecret | quote }} + {{- else }} + - name: PENPOT_OIDC_CLIENT_SECRET + valueFrom: + secretKeyRef: + name: {{ .Values.config.providers.existingSecret }} + key: {{ .Values.config.providers.secretKeys.oidcClientSecretKey }} + {{- end }} + {{- if .Values.config.providers.oidc.authURI }} + - name: PENPOT_OIDC_AUTH_URI + value: {{ .Values.config.providers.oidc.authURI | quote }} + {{- end }} + {{- if .Values.config.providers.oidc.tokenURI }} + - name: PENPOT_OIDC_TOKEN_URI + value: {{ .Values.config.providers.oidc.tokenURI | quote }} + {{- end }} + {{- if .Values.config.providers.oidc.userURI }} + - name: PENPOT_OIDC_USER_URI + value: {{ .Values.config.providers.oidc.userURI | quote }} + {{- end }} + {{- if 
.Values.config.providers.oidc.roles }} + - name: PENPOT_OIDC_ROLES + value: {{ .Values.config.providers.oidc.roles | quote }} + {{- end }} + {{- if .Values.config.providers.oidc.rolesAttribute }} + - name: PENPOT_OIDC_ROLES_ATTR + value: {{ .Values.config.providers.oidc.rolesAttribute | quote }} + {{- end }} + {{- if .Values.config.providers.oidc.scopes }} + - name: PENPOT_OIDC_SCOPES + value: {{ .Values.config.providers.oidc.scopes | quote }} + {{- end }} + {{- if .Values.config.providers.oidc.nameAttribute }} + - name: PENPOT_OIDC_NAME_ATTR + value: {{ .Values.config.providers.oidc.nameAttribute | quote }} + {{- end }} + {{- if .Values.config.providers.oidc.emailAttribute }} + - name: PENPOT_OIDC_EMAIL_ATTR + value: {{ .Values.config.providers.oidc.emailAttribute | quote }} + {{- end }} + {{- end }} + + {{- if .Values.config.providers.ldap.enabled }} + {{- if .Values.config.providers.ldap.host }} + - name: PENPOT_LDAP_HOST + value: {{ .Values.config.providers.ldap.host | quote }} + {{- end }} + {{- if .Values.config.providers.ldap.port }} + - name: PENPOT_LDAP_PORT + value: {{ .Values.config.providers.ldap.port | quote }} + {{- end }} + {{- if .Values.config.providers.ldap.ssl }} + - name: PENPOT_LDAP_SSL + value: {{ .Values.config.providers.ldap.ssl | quote }} + {{- end }} + {{- if .Values.config.providers.ldap.startTLS }} + - name: PENPOT_LDAP_STARTTLS + value: {{ .Values.config.providers.ldap.startTLS | quote }} + {{- end }} + {{- if .Values.config.providers.ldap.baseDN }} + - name: PENPOT_LDAP_BASE_DN + value: {{ .Values.config.providers.ldap.baseDN | quote }} + {{- end }} + {{- if .Values.config.providers.ldap.bindDN }} + - name: PENPOT_LDAP_BIND_DN + value: {{ .Values.config.providers.ldap.bindDN | quote }} + {{- end }} + {{- if .Values.config.providers.ldap.bindPassword }} + - name: PENPOT_LDAP_BIND_PASSWORD + value: {{ .Values.config.providers.ldap.bindPassword | quote }} + {{- end }} + {{- if .Values.config.providers.ldap.attributesUsername }} + - name: 
PENPOT_LDAP_ATTRS_USERNAME + value: {{ .Values.config.providers.ldap.attributesUsername | quote }} + {{- end }} + {{- if .Values.config.providers.ldap.attributesEmail }} + - name: PENPOT_LDAP_ATTRS_EMAIL + value: {{ .Values.config.providers.ldap.attributesEmail | quote }} + {{- end }} + {{- if .Values.config.providers.ldap.attributesFullname }} + - name: PENPOT_LDAP_ATTRS_FULLNAME + value: {{ .Values.config.providers.ldap.attributesFullname | quote }} + {{- end }} + {{- if .Values.config.providers.ldap.attributesPhoto }} + - name: PENPOT_LDAP_ATTRS_PHOTO + value: {{ .Values.config.providers.ldap.attributesPhoto | quote }} + {{- end }} + {{- end }} + ports: + - name: http + containerPort: {{ .Values.exporter.service.port }} + protocol: TCP + resources: + {{- toYaml .Values.exporter.resources | nindent 12 }} + {{- with .Values.exporter.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.exporter.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.exporter.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} diff --git a/.gimlet/k8s/penpot/templates/exporter/service.yaml b/.gimlet/k8s/penpot/templates/exporter/service.yaml new file mode 100644 index 000000000..75985e86d --- /dev/null +++ b/.gimlet/k8s/penpot/templates/exporter/service.yaml @@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ include "penpot.fullname" . }}-exporter + namespace: {{ .Release.Namespace }} + labels: + {{- include "penpot.labels" . | nindent 4 }} +spec: + type: {{ .Values.exporter.service.type }} + ports: + - port: {{ .Values.exporter.service.port }} + targetPort: http + protocol: TCP + name: http + selector: + {{- include "penpot.exporterSelectorLabels" . | nindent 4 }} diff --git a/.gimlet/k8s/penpot/templates/frontend/configmap.yaml b/.gimlet/k8s/penpot/templates/frontend/configmap.yaml new file mode 100644 index 000000000..b31698d6f --- /dev/null 
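Review bot: The exporter container is handed the full backend credential set — `PENPOT_DATABASE_PASSWORD`, `PENPOT_SMTP_PASSWORD`, `PENPOT_LDAP_BIND_PASSWORD`, the OAuth client secrets and the S3 keys — although the nginx config in this same commit only routes `/api/export` to it; if the exporter does not itself talk to those services (it appears to render through the backend), these env entries should be dropped so a compromise of the exporter pod does not also expose database and identity-provider credentials. The env list from `PENPOT_PUBLIC_URI` onward is otherwise a copy of backend/deployment.yaml; factoring the genuinely shared entries into a named template in _helpers.tpl would keep the two in step and make the exporter's narrower set explicit. A short comment such as `# exporter renders via the backend; it needs no /opt/data volume` would also explain why, unlike the backend, no `app-data` volume is mounted here.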
+++ b/.gimlet/k8s/penpot/templates/frontend/configmap.yaml 
@@ -0,0 +1,129 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: "{{ include "penpot.fullname" . }}-frontend-nginx"
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "penpot.labels" . | nindent 4 }}
+data:
+ nginx.conf: |
+ user www-data;
+ worker_processes auto;
+ pid /run/nginx.pid;
+ include /etc/nginx/modules-enabled/*.conf;
+
+ events {
+ worker_connections 2048;
+ # multi_accept on;
+ }
+
+ http {
+ sendfile on;
+ tcp_nopush on;
+ tcp_nodelay on;
+ keepalive_requests 30;
+ keepalive_timeout 65;
+ types_hash_max_size 2048;
+
+ server_tokens off;
+
+ reset_timedout_connection on;
+ client_body_timeout 30s;
+ client_header_timeout 30s;
+
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+
+ error_log /dev/stdout;
+ access_log /dev/stdout;
+
+ gzip on;
+ gzip_vary on;
+ gzip_proxied any;
+ gzip_static on;
+ gzip_comp_level 4;
+ gzip_buffers 16 8k;
+ gzip_http_version 1.1;
+
+ gzip_types text/plain text/css text/javascript application/javascript application/json application/transit+json;
+
+ resolver 127.0.0.11;
+
+ map $http_upgrade $connection_upgrade {
+ default upgrade;
+ '' close;
+ }
+
+ server {
+ listen 80 default_server;
+ server_name _;
+
+ client_max_body_size 100M;
+ charset utf-8;
+
+ proxy_http_version 1.1;
+ proxy_set_header Host $http_host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Scheme $scheme;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+ etag off;
+ root /var/www/app/;
+
+ location ~* \.(js|css).*$ {
+ add_header Cache-Control "max-age=86400" always; # 24 hours
+ }
+
+ location ~* \.(html).*$ {
+ add_header Cache-Control "no-cache, max-age=0" always;
+ }
+
+ location /api/export {
+ proxy_pass http://{{ include "penpot.fullname" . }}-exporter:6061;
+ }
+
+ location /api {
+ proxy_pass http://{{ include "penpot.fullname" . }}-backend:6060/api;
+ }
+
+ location /ws/notifications {
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection 'upgrade';
+ proxy_pass http://{{ include "penpot.fullname" . }}-backend:6060/ws/notifications;
+ }
+
+ location @handle_redirect {
+ set $redirect_uri "$upstream_http_location";
+ set $redirect_host "$upstream_http_x_host";
+ set $redirect_cache_control "$upstream_http_cache_control";
+
+ proxy_buffering off;
+
+ proxy_set_header Host "$redirect_host";
+ proxy_hide_header etag;
+ proxy_hide_header x-amz-id-2;
+ proxy_hide_header x-amz-request-id;
+ proxy_hide_header x-amz-meta-server-side-encryption;
+ proxy_hide_header x-amz-server-side-encryption;
+ proxy_pass $redirect_uri;
+
+ add_header x-internal-redirect "$redirect_uri";
+ add_header x-cache-control "$redirect_cache_control";
+ add_header cache-control "$redirect_cache_control";
+ }
+
+ location /assets {
+ proxy_pass http://{{ include "penpot.fullname" . }}-backend:6060/assets;
+ recursive_error_pages on;
+ proxy_intercept_errors on;
+ error_page 301 302 307 = @handle_redirect;
+ }
+
+ location /internal/assets {
+ internal;
+ alias /opt/data/assets;
+ add_header x-internal-redirect "$upstream_http_x_accel_redirect";
+ }
+ }
+ }
diff --git a/.gimlet/k8s/preview-frontend/templates/frontend.yaml b/.gimlet/k8s/penpot/templates/frontend/deployment.yaml
similarity index 99%
rename from .gimlet/k8s/preview-frontend/templates/frontend.yaml
rename to .gimlet/k8s/penpot/templates/frontend/deployment.yaml
index c9b928463..3d4cf38d8 100644
--- a/.gimlet/k8s/preview-frontend/templates/frontend.yaml
+++ b/.gimlet/k8s/penpot/templates/frontend/deployment.yaml
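Review bot: `resolver 127.0.0.11;` in the new nginx.conf is Docker's embedded-DNS address, which does not exist inside a Kubernetes pod; the literal `proxy_pass http://…-backend:6060/…` targets are resolved once at startup through the system resolver and keep working, but `proxy_pass $redirect_uri;` in `@handle_redirect` resolves at request time through this directive and will fail for every redirected asset fetch. Point it at the cluster DNS instead, e.g. `resolver <CLUSTER_DNS_IP> valid=30s;` (placeholder; the kube-dns/CoreDNS ClusterIP), or fill it in from /etc/resolv.conf at container start, and keep it a trusted cluster resolver only, since `$redirect_uri` is whatever `Location` the backend hands back. The backend and exporter ports are also hard-coded to 6060/6061 while exporter/service.yaml on the previous line takes its port from `.Values.exporter.service.port`; templating them, e.g. `proxy_pass http://{{ include "penpot.fullname" . }}-exporter:{{ .Values.exporter.service.port }};`, keeps the two from drifting. Finally, `user www-data;` together with `listen 80` implies a root master process, which is worth checking against the frontend deployment's securityContext, outside this hunk.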
@@ -2,9 +2,12 @@ apiVersion: apps/v1 kind: Deployment metadata: name: {{ include "penpot.fullname" . }}-frontend - namespace: {{ .Values.namespace }} + namespace: {{ .Release.Namespace }} labels: {{- include "penpot.labels" . | nindent 4 }} + {{- with .Values.frontend.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} spec: replicas: {{ .Values.frontend.replicaCount }} selector: diff --git a/.gimlet/k8s/preview-frontend/templates/ingress.yaml b/.gimlet/k8s/penpot/templates/frontend/ingress.yaml similarity index 94% rename from .gimlet/k8s/preview-frontend/templates/ingress.yaml rename to .gimlet/k8s/penpot/templates/frontend/ingress.yaml index 56155b571..eeeaa66cd 100644 --- a/.gimlet/k8s/preview-frontend/templates/ingress.yaml +++ b/.gimlet/k8s/penpot/templates/frontend/ingress.yaml @@ -12,7 +12,7 @@ apiVersion: extensions/v1beta1 kind: Ingress metadata: name: {{ $fullName }} - namespace: {{ .Values.namespace }} + namespace: {{ .Release.Namespace }} labels: {{- include "penpot.labels" . | nindent 4 }} {{- with .Values.frontend.ingress.annotations }} @@ -22,7 +22,7 @@ metadata: spec: {{- if .Values.frontend.ingress.tls }} tls: - {{- range .Values.ingress.tls }} + {{- range .Values.frontend.ingress.tls }} - hosts: {{- range .hosts }} - {{ . | quote }} diff --git a/.gimlet/k8s/preview-frontend/templates/service.yaml b/.gimlet/k8s/penpot/templates/frontend/service.yaml similarity index 90% rename from .gimlet/k8s/preview-frontend/templates/service.yaml rename to .gimlet/k8s/penpot/templates/frontend/service.yaml index 12ef09b33..2ceb04fd7 100644 --- a/.gimlet/k8s/preview-frontend/templates/service.yaml +++ b/.gimlet/k8s/penpot/templates/frontend/service.yaml @@ -2,7 +2,7 @@ apiVersion: v1 kind: Service metadata: name: {{ include "penpot.fullname" . }} - namespace: {{ .Values.namespace }} + namespace: {{ .Release.Namespace }} labels: {{- include "penpot.labels" . | nindent 4 }} spec: 
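Review bot: The hunk context for frontend/ingress.yaml shows the file still declares `apiVersion: extensions/v1beta1`, which the rename carries over; that Ingress API was removed in Kubernetes 1.22, so on any current cluster the chart fails to install even though the `.Values.frontend.ingress.tls` fix in this hunk is correct. Moving to `apiVersion: networking.k8s.io/v1` also requires the v1 rule shape (`pathType` and `backend.service.name`/`port`) in the rules block, which lies outside the hunk. If the target clusters are genuinely older than 1.22, a comment above the apiVersion line saying so would stop the next reader from "fixing" it.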
diff --git a/.gimlet/k8s/penpot/templates/pvac.yaml b/.gimlet/k8s/penpot/templates/pvac.yaml
new file mode 100644
index 000000000..d093f367f
--- /dev/null
+++ b/.gimlet/k8s/penpot/templates/pvac.yaml
@@ -0,0 +1,24 @@
+{{- if and .Values.persistence.enabled (not .Values.persistence.existingClaim) -}}
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: {{ include "penpot.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+{{- include "penpot.labels" . | nindent 4 }}
+{{- if .Values.persistence.annotations }}
+ annotations:
+{{ toYaml .Values.persistence.annotations | indent 4 }}
+{{- end }}
+spec:
+ accessModes:
+ {{- range .Values.persistence.accessModes }}
+ - {{ . | quote }}
+ {{- end }}
+ resources:
+ requests:
+ storage: {{ .Values.persistence.size | quote }}
+{{- if .Values.persistence.storageClass }}
+ storageClassName: "{{ .Values.persistence.storageClass }}"
+{{- end }}
+{{- end -}}
diff --git a/.gimlet/k8s/penpot/templates/serviceaccount.yaml b/.gimlet/k8s/penpot/templates/serviceaccount.yaml
new file mode 100644
index 000000000..8c317c454
--- /dev/null
+++ b/.gimlet/k8s/penpot/templates/serviceaccount.yaml
@@ -0,0 +1,13 @@
+{{- if .Values.serviceAccount.enabled -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ include "penpot.serviceAccountName" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "penpot.labels" . | nindent 4 }}
+ {{- with .Values.serviceAccount.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+{{- end -}}
diff --git a/.gimlet/k8s/preview-frontend/values.yaml b/.gimlet/k8s/penpot/values.yaml
similarity index 96%
rename from .gimlet/k8s/preview-frontend/values.yaml
rename to .gimlet/k8s/penpot/values.yaml
index 31876c330..bcbca6f1e 100644
--- a/.gimlet/k8s/preview-frontend/values.yaml
+++ b/.gimlet/k8s/penpot/values.yaml
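Review bot: The new serviceaccount.yaml omits `automountServiceAccountToken`, so every pod bound to `penpot.serviceAccountName` receives a Kubernetes API token that none of the penpot workloads in this diff use. Add `automountServiceAccountToken: false` at the top level of the ServiceAccount, or make it a value defaulting to false, e.g. `automountServiceAccountToken: {{ .Values.serviceAccount.automountToken | default false }}`, with a matching `## @param serviceAccount.automountToken` entry next to the other serviceAccount params in values.yaml. Setting it on the pod specs instead would work too, but the ServiceAccount is the single place that covers all three deployments.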
@@ -2,12 +2,10 @@ ## @section Global parameters -## @param global.postgresqlEnabled Whether to deploy the Bitnami PostgreSQL chart as subchart. Check [the official chart](https://artifacthub.io/packages/helm/bitnami/postgresql) for configuration. ## @param global.redisEnabled Whether to deploy the Bitnami Redis chart as subchart. Check [the official chart](https://artifacthub.io/packages/helm/bitnami/redis) for configuration. ## @param global.imagePullSecrets Global Docker registry secret names as an array. ## global: - postgresqlEnabled: false redisEnabled: false ## E.g. ## imagePullSecrets: @@ -37,6 +35,7 @@ serviceAccount: ## Penpot Backend ## backend: + labels: {} ## @param backend.image.repository The Docker repository to pull the image from. ## @param backend.image.tag The image tag to use. ## @param backend.image.imagePullPolicy The image pull policy to use. @@ -106,6 +105,9 @@ backend: ## Penpot Frontend ## frontend: + + labels: {} + ## @param frontend.image.repository The Docker repository to pull the image from. ## @param frontend.image.tag The image tag to use. ## @param frontend.image.imagePullPolicy The image pull policy to use. @@ -243,12 +245,12 @@ exporter: persistence: ## @param persistence.enabled Enable persistence using Persistent Volume Claims. ## - enabled: true + enabled: false ## @param persistence.storageClass Persistent Volume storage class. ## If defined, storageClassName: . ## If undefined (the default) or set to null, no storageClassName spec is set, choosing the default provisioner. ## - storageClass: standard-rwx + storageClass: "" ## @param persistence.size Persistent Volume size. ## size: 8Gi 
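Review bot: The `persistence.storageClass` comment in the @@ -243 hunk still reads "If undefined (the default) or set to null", but the default this commit introduces is the empty string `""`; pvac.yaml's `{{- if .Values.persistence.storageClass }}` treats `""`, null and unset alike, so behaviour matches the text, only the wording is stale. Change it to `## If empty (the default), unset or null, no storageClassName is set, choosing the default provisioner.`. The flip of `persistence.enabled` to `false` also deserves a clause on its `@param` line saying what backs `/opt/data` when persistence is off, because the volumes block is not part of this diff and a reader cannot tell from here whether uploaded assets survive a pod restart.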
@@ -275,6 +277,7 @@ config: publicURI: "http://localhost:8080" flags: "enable-registration enable-login disable-demo-users disable-demo-warning" apiSecretKey: "b46a12cb4bedc6b9df8cb3f18c708b65" + ## @param config.postgresql.host The PostgreSQL host to connect to. ## @param config.postgresql.port The PostgreSQL host port to use. ## @param config.postgresql.database The PostgreSQL database to use. @@ -294,6 +297,7 @@ config: secretKeys: usernameKey: "" passwordKey: "" + ## @param config.redis.host The Redis host to connect to. ## @param config.redis.port The Redis host port to use. ## @param config.redis.database The Redis database to connect to. 
@@ -464,26 +468,24 @@ config: oidcClientIDKey: "" oidcClientSecretKey: "" +## @section PostgreSQL configuration (Check for [more parameters here](https://artifacthub.io/packages/helm/bitnami/postgresql)) -frontend: - image: - pullPolicy: IfNotPresent - repository: ghcr.io/tokens-studio/tokens-studio-for-penpot - tag: latest - ingress: - enabled: true - annotations: - cert-manager.io/cluster-issuer: letsencrypt-prod - networking.gke.io/v1beta1.FrontendConfig: default-frontend-config +## @param postgresql.secret The secret to reference +## @param postgresql.owner The owner of the database +## @param postgresql.database Name for a custom database to create. +## @param postgresql.superUser The name of the secret for the superuser +## +postgresql: + enabled: false + secret: db-penpot-secrets + owner: penpot + database: penpot + superUser: db-penpot-superuser-secret -config: - publicURI: https://penpot.tokens.studio - redis: - host: penpot-redis-master.penpot.svc.cluster.local - postgresql: - host: penpot-db-rw - database: penpot - existingSecret: db-penpot-secrets - secretKeys: - usernameKey: username - passwordKey: password \ No newline at end of file +## @section Redis configuration (Check for [more parameters here](https://artifacthub.io/packages/helm/bitnami/redis)) + +## @param redis.auth.enabled Whether to enable password authentication. +## +redis: + auth: + enabled: false \ No newline at end of file diff --git a/.gimlet/k8s/preview-frontend/templates/namespace.yaml b/.gimlet/k8s/preview-frontend/templates/namespace.yaml deleted file mode 100644 index 562f206fc..000000000 --- a/.gimlet/k8s/preview-frontend/templates/namespace.yaml +++ /dev/null @@ -1,6 +0,0 @@ - apiVersion: v1 - kind: Namespace - metadata: - name: {{ .Values.namespace }} - labels: - toolkit.fluxcd.io/tenant: penpot-team \ No newline at end of file diff --git a/.gimlet/penpot-infra.yaml b/.gimlet/penpot-infra.yaml index a8889acc2..1d94582ad 100644 --- a/.gimlet/penpot-infra.yaml 
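Review bot: The new `## @section PostgreSQL configuration` heading links to the Bitnami postgresql chart, but this commit removes `global.postgresqlEnabled` in the first hunk of this file, and the parameters added here (`secret`, `owner`, `database`, `superUser`) match the CloudNativePG `Cluster` fields (`superuserSecret`, `bootstrap.initdb.owner`/`secret`) that penpot-prod.yaml used to carry, not Bitnami values. Reword the heading to state what `postgresql.enabled: true` actually provisions and which template consumes these values, and consider shipping `secret`/`superUser` empty rather than with the environment-specific names `db-penpot-secrets`/`db-penpot-superuser-secret` as chart defaults. Separately, `redis.auth.enabled: false` becomes the subchart default; with `global.redisEnabled: true` in penpot-prod.yaml further down, that deploys a Redis with no password that any workload able to reach the `penpot` namespace can use unless a NetworkPolicy exists, so defaulting to `true` (with an existing-secret override) or documenting the NetworkPolicy expectation on the `@param` line would be safer.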
+++ b/.gimlet/penpot-infra.yaml @@ -45,3 +45,37 @@ manifests: | - protocol: TCP port: 1025 targetPort: 1025 + --- + apiVersion: bitnami.com/v1alpha1 + kind: SealedSecret + metadata: + creationTimestamp: null + name: db-penpot-secrets + namespace: penpot + spec: + encryptedData: + password: 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 + username: AgBw5ALuBj1TpQc5dmyLW927WQO9AXgdyqYeXHwzXbLKIdyAkyihVIkTSD/MS/InTbsiFIYPvZptpAjpWc9p2IN8nvLbEjc8JXS7DA3NDr/SN7J70oDOKS/vT4Vlz4yX/6fmU8pGvjMh22ELBbruxWS+a6Nty/XcZPqJ8gMuj/vAnticq+i4Rmuy1aghEfsYzPVSigS5QfnnFsMBA5lZS7rgiv4voudi5aAh8luIsDx9eCk2WxcN+9f816MYXBxcZL853h4lIQziOfs8LK0jCZm62yOeckmuMt0EznGEwAS1Magrw9PnZdSDOHvTrugRT/sx8JzkpEorJQXTA/6hXT9tqTbZuLnHMcdVGAcU9+1QcJPtlhYH05irbDqMs5IgxqCW7ch3gtiIS1hTRGpaG+LoNGREcZZtiWxkgcVhJG8E+5ailyt0B/NO+RgjYjjK+tH/hcGd2hABvkmS1f9FUHIRdE0uiwvwM/hWU9qTJcSHdN3mJ96/7lQvfnDoDDP8zS09Co0E0zLmLFSAEvOIz7HMvE0Bw2UPzcy4N8J2y+u4m0327FUUN96Y3e2L+o1SrVw/CJO1/haN34j1SMUFh/4q63VvNLDfUD69QbpjMtjNrvhqNWyyET1QNWl4SFsfbMdC7/rXM9Lpg4GEZ6R5G/QcTb27Zo5UuOeFP060XiWJ1/bD8tiZKU1K1QTwJ0Uur3MDcrYRvGw= + template: + metadata: + creationTimestamp: null + name: db-penpot-secrets + namespace: penpot + type: Opaque + --- + apiVersion: bitnami.com/v1alpha1 + kind: SealedSecret + metadata: + creationTimestamp: null + name: db-penpot-superuser-secret + namespace: penpot + spec: + encryptedData: + password: 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 + username: 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 + template: + metadata: + creationTimestamp: null + name: db-penpot-superuser-secret + namespace: penpot + type: Opaque \ No newline at end of file diff --git a/.gimlet/penpot-pr.yaml b/.gimlet/penpot-pr.yaml index f8cdaaf58..2dc7f8d3e 100644 --- a/.gimlet/penpot-pr.yaml +++ b/.gimlet/penpot-pr.yaml 
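Review bot: The CloudNativePG `Cluster` `penpot-db`, which defined the `penpot-db-rw` service and referenced these two secrets as `superuserSecret` and `bootstrap.initdb.secret`, is removed from penpot-prod.yaml in this commit but is not re-added here next to the SealedSecrets it depends on. Unless a chart template not shown in this diff renders the Cluster from the new `postgresql.*` values, both penpot-pr.yaml and penpot-prod.yaml now point `config.postgresql.host` at a host nothing creates; if it is templated, a one-line comment above the first SealedSecret such as `# consumed by the chart's PostgreSQL Cluster template via postgresql.secret / postgresql.superUser` would spare the next reader the search. The `db-penpot-secrets` username ciphertext is carried over verbatim from the removed prod manifest, so this is a move rather than a rotation, which is fine as long as the sealing scope (name and namespace `penpot`) is unchanged.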
@@ -7,19 +7,66 @@ cleanup: event: branchDeleted app: penpot-pr-{{ .BRANCH | sanitizeDNSName }} chart: - name: https://github.com/tokens-studio/tokens-studio-for-penpot.git?branch={{ .BRANCH }}&path=/.gimlet/k8s/preview-frontend/ + name: https://github.com/tokens-studio/tokens-studio-for-penpot.git?branch={{ .BRANCH }}&path=/.gimlet/k8s/penpot/ values: - namespace: "{{ .BRANCH | sanitizeDNSName }}" + namespace: "penpot" + redis: + replica: + replicaCount: 0 + global: + # Try use the existing redis + redisEnabled: false + imagePullSecrets: + - name: ghcr-login-secret + persistence: + enabled: true + storageClass: standard-rwx + postgresql: + # use the existing db + enabled: false + owner: penpot + database: penpot + # Assumed specified in infra + secret: db-penpot-secrets + superUser: db-penpot-superuser-secret + config: + smtp: + enabled: true + host: mailslurper + tls: false + port: 1025 + publicURI: https://{{ .BRANCH | sanitizeDNSName }}.penpot.dev.tokens.studio + redis: + host: penpot-redis-master.penpot.svc.cluster.local + postgresql: + # note that this is unchanged + host: penpot-db-rw + database: penpot + existingSecret: db-penpot-secrets + secretKeys: + usernameKey: username + passwordKey: password + backend: + image: + pullPolicy: IfNotPresent + repository: ghcr.io/tokens-studio/tokens-studio-for-penpot + tag: 'backend-pr-{{ .SHA }}' frontend: - image: - pullPolicy: IfNotPresent - repository: ghcr.io/tokens-studio/tokens-studio-for-penpot - tag: 'frontend-pr-{{ .SHA }}' - ingress: - hosts: - - host: "{{ .BRANCH | sanitizeDNSName }}.penpot.staging.tokens.studio" - tls: - - secretName: tls-penpot - hosts: - - "{{ .BRANCH | sanitizeDNSName }}.penpot.staging.tokens.studio" - \ No newline at end of file + labels: + portService: tokens-studio-for-penpot + image: + pullPolicy: IfNotPresent + repository: ghcr.io/tokens-studio/tokens-studio-for-penpot + tag: 'frontend-pr-{{ .SHA }}' + ingress: + enabled: true + annotations: + cert-manager.io/cluster-issuer: 
letsencrypt-prod + hosts: + - host: "{{ .BRANCH | sanitizeDNSName }}.penpot.dev.tokens.studio" + tls: + - secretName: tls-penpot + hosts: + - {{ .BRANCH | sanitizeDNSName }}.penpot.dev.tokens.studio + + diff --git a/.gimlet/penpot-prod.yaml b/.gimlet/penpot-prod.yaml index 3828e3427..e8ca82974 100644 --- a/.gimlet/penpot-prod.yaml +++ b/.gimlet/penpot-prod.yaml 
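Review bot: With `namespace: "penpot"`, `config.postgresql.host: penpot-db-rw`, `existingSecret: db-penpot-secrets` and `config.redis.host: penpot-redis-master.penpot.svc.cluster.local`, every branch preview now runs code still under review against the same PostgreSQL database, credentials secret and Redis instance that penpot-prod.yaml (further down in this diff) uses, so a migration or bug in a PR branch can alter production data and Redis state is shared across all previews and prod. If a database per branch is too costly, the minimum isolation is a per-branch `database:` name and a distinct `config.redis.database` index per preview; otherwise restore the per-branch namespace the removed `namespace: "{{ .BRANCH | sanitizeDNSName }}"` line provided. The new TLS host entry `- {{ .BRANCH | sanitizeDNSName }}.penpot.dev.tokens.studio` is also unquoted while the `host:` line above it is quoted; if this file is ever parsed as YAML before the Gimlet template runs, a value starting with `{{` is read as a flow mapping, so write it as `- "{{ .BRANCH | sanitizeDNSName }}.penpot.dev.tokens.studio"`.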
@@ -3,178 +3,65 @@ env: prod deploy: branch: token-studio-develop event: push -manifests: | - apiVersion: source.toolkit.fluxcd.io/v1beta2 - kind: HelmRepository - metadata: - name: codechem - namespace: penpot - spec: - interval: 5m - url: https://charts.codechem.com - --- - apiVersion: bitnami.com/v1alpha1 - kind: SealedSecret - metadata: - creationTimestamp: null - name: db-penpot-secrets - namespace: penpot - spec: - encryptedData: - password: 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 - username: AgBw5ALuBj1TpQc5dmyLW927WQO9AXgdyqYeXHwzXbLKIdyAkyihVIkTSD/MS/InTbsiFIYPvZptpAjpWc9p2IN8nvLbEjc8JXS7DA3NDr/SN7J70oDOKS/vT4Vlz4yX/6fmU8pGvjMh22ELBbruxWS+a6Nty/XcZPqJ8gMuj/vAnticq+i4Rmuy1aghEfsYzPVSigS5QfnnFsMBA5lZS7rgiv4voudi5aAh8luIsDx9eCk2WxcN+9f816MYXBxcZL853h4lIQziOfs8LK0jCZm62yOeckmuMt0EznGEwAS1Magrw9PnZdSDOHvTrugRT/sx8JzkpEorJQXTA/6hXT9tqTbZuLnHMcdVGAcU9+1QcJPtlhYH05irbDqMs5IgxqCW7ch3gtiIS1hTRGpaG+LoNGREcZZtiWxkgcVhJG8E+5ailyt0B/NO+RgjYjjK+tH/hcGd2hABvkmS1f9FUHIRdE0uiwvwM/hWU9qTJcSHdN3mJ96/7lQvfnDoDDP8zS09Co0E0zLmLFSAEvOIz7HMvE0Bw2UPzcy4N8J2y+u4m0327FUUN96Y3e2L+o1SrVw/CJO1/haN34j1SMUFh/4q63VvNLDfUD69QbpjMtjNrvhqNWyyET1QNWl4SFsfbMdC7/rXM9Lpg4GEZ6R5G/QcTb27Zo5UuOeFP060XiWJ1/bD8tiZKU1K1QTwJ0Uur3MDcrYRvGw= - template: - metadata: - creationTimestamp: null - name: db-penpot-secrets - namespace: penpot - type: Opaque - --- - apiVersion: bitnami.com/v1alpha1 - kind: SealedSecret - metadata: - creationTimestamp: null - name: db-penpot-superuser-secret - namespace: penpot - spec: - encryptedData: - password: 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 - username: 
AgAIwqIbS5Ze9e4sefyg77opd801epCHPewxEb+VuuJrxIl4+gFroopQNf/lhRQRFX1unI0PaR/iV5szaIaDmIYz3JQ3OxCyF1zeDYr6YhYNQMtkLgRJRrBr0j7TQPAKwLmgtZok7hDIvTj5bQ2dydibQ1Zg8N1valb03X6Vs/ivvvO3KvQEDckdGgD7UauL8onapU6KAFU5Hu9aEkvMTk4CGNpuLxGhYdA1+HLpLdQYBQPaJyEblGoko4wyv+pF/3m1tRBSQ1L8HsUXfAEn5dAd+0qkS5IvwOM8zXnZcT0ohXmY2mXjvPyv2phOKElQYURPwq9PPI+Sc5Ff7QHcVLjwQ+DYtSMDlRSt5BektWC+peBJfxZQ/X6w2AmICtdkOT03rrMxn0sWKIgQkvmJ0jkERAYlvifcoRmbof0wbFh+ANa0NpGLvxwiG+DsQ6eAsTB0Nu3wPCCBFZOUuTxS+yb4BjE3KPNGgVI6XtArxPnO3z3xglfI/nKDTY1rC2e0ZE72BDnhsLAwQTTgb/R/X2mvS7a0YXJ0gOpAgwP92K9zy1GA9ov2uTVZ2wbb39E69OxMKcbetDWirQrSYMqLYzJ1+W2cBbNdCcYQ2xnSM9cdEd2sPcFJ3NDVQeQRhxSTI6UfKWphUeksqwdW+VN7aODlUzMSxBCwGnxuaS6OVzOdLzQnORdyhyD8zclh5e0AXJpvqs+Z4CuvZA== - template: - metadata: - creationTimestamp: null - name: db-penpot-superuser-secret - namespace: penpot - type: Opaque - --- - apiVersion: postgresql.cnpg.io/v1 - kind: Cluster - metadata: - name: penpot-db - namespace: penpot - spec: - instances: 1 - superuserSecret: - name: db-penpot-superuser-secret - bootstrap: - initdb: - database: penpot - owner: penpot - secret: - name: db-penpot-secrets - monitoring: - enablePodMonitor: true - storage: - size: 5Gi - --- - apiVersion: helm.toolkit.fluxcd.io/v2beta2 - kind: HelmRelease - metadata: - name: penpot - namespace: penpot - spec: - releaseName: penpot - chart: - spec: - version: "1.0.10" - chart: penpot - sourceRef: - kind: HelmRepository - name: codechem - interval: 50m - install: - remediation: - retries: 3 - values: - redis: - replica: - replicaCount: 0 - global: - postgresqlEnabled: false - redisEnabled: true - imagePullSecrets: - - name: ghcr-login-secret - persistence: - enabled: true - storageClass: standard-rwx - backend: - image: - pullPolicy: IfNotPresent - repository: ghcr.io/tokens-studio/tokens-studio-for-penpot - tag: 'backend-{{ .SHA }}' - frontend: - image: - pullPolicy: IfNotPresent - repository: ghcr.io/tokens-studio/tokens-studio-for-penpot - tag: 'frontend-{{ .SHA }}' - ingress: - 
enabled: true - annotations: - cert-manager.io/cluster-issuer: letsencrypt-prod +chart: + name: https://github.com/tokens-studio/tokens-studio-for-penpot.git?branch={{ .BRANCH }}&path=/.gimlet/k8s/penpot/ +values: + namespace: "penpot" + redis: + replica: + replicaCount: 0 + global: + redisEnabled: true + imagePullSecrets: + - name: ghcr-login-secret + persistence: + enabled: true + storageClass: standard-rwx + postgresql: + enabled: true + owner: penpot + database: penpot + # Assumed specified in infra + secret: db-penpot-secrets + superUser: db-penpot-superuser-secret + config: + smtp: + enabled: true + host: mailslurper + tls: false + port: 1025 + publicURI: https://penpot.tokens.studio + redis: + host: penpot-redis-master.penpot.svc.cluster.local + postgresql: + host: penpot-db-rw + database: penpot + existingSecret: db-penpot-secrets + secretKeys: + usernameKey: username + passwordKey: password + backend: + image: + pullPolicy: IfNotPresent + repository: ghcr.io/tokens-studio/tokens-studio-for-penpot + tag: 'backend-{{ .SHA }}' + frontend: + labels: + portService: tokens-studio-for-penpot + image: + pullPolicy: IfNotPresent + repository: ghcr.io/tokens-studio/tokens-studio-for-penpot + tag: 'frontend-{{ .SHA }}' + ingress: + enabled: true + annotations: + cert-manager.io/cluster-issuer: letsencrypt-prod + hosts: + - host: "penpot.tokens.studio" + tls: + - secretName: tls-penpot hosts: - - host: penpot.tokens.studio - tls: - - secretName: tls-penpot - hosts: - - penpot.tokens.studio - # https://github.com/codechem/helm/issues/15 - ingress: - tls: - - secretName: tls-penpot - hosts: - - penpot.tokens.studio - config: - publicURI: https://penpot.tokens.studio - smtp: - enabled: true - host: mailslurper - tls: false - port: 1025 - redis: - host: penpot-redis-master.penpot.svc.cluster.local - postgresql: - host: penpot-db-rw - database: penpot - existingSecret: db-penpot-secrets - secretKeys: - usernameKey: username - passwordKey: password -json6902Patches: -- 
target: - group: "apps" - version: "v1" - kind: "Deployment" - name: "penpot-frontend" - patch: | - --- - - op: add - path: /metadata/labels - value: - portService: tokens-studio-for-penpot -- target: - group: "apps" - version: "v1" - kind: "Deployment" - name: "penpot-exporter" - patch: | - --- - - op: add - path: /metadata/labels - value: - portService: tokens-studio-for-penpot -- target: - group: "apps" - version: "v1" - kind: "Deployment" - name: "penpot-backend" - patch: | - --- - - op: add - path: /metadata/labels - value: - portService: tokens-studio-for-penpot - - op: add - path: /spec/template/spec/containers/0/env - value: - name: PENPOT_SMTP_ENABLED - value: 'true' + - penpot.tokens.studio + + +
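Review bot: The removed `json6902Patches` added the `portService: tokens-studio-for-penpot` label to all three deployments and `PENPOT_SMTP_ENABLED: 'true'` to the backend env, but the new values only re-create the label for the frontend via `frontend.labels`; `backend.labels` stays `{}` in values.yaml and nothing sets it for the exporter, so whatever selects on `portService` will no longer see the backend and exporter. Add `labels: {portService: tokens-studio-for-penpot}` under `backend:` (and under `exporter:` if its template honours labels, which this diff does not show), and confirm that the chart maps `config.smtp.enabled` to `PENPOT_SMTP_ENABLED`, since that mapping is not visible here either. Neither this file nor penpot-pr.yaml overrides `config.apiSecretKey`, so both releases run with the literal committed as the chart default in values.yaml unless Gimlet injects it from elsewhere; the backend secret key should come from a per-environment secret reference, the way the postgresql block uses `existingSecret`/`secretKeys`, rather than a shared published default. The trailing `+` lines at the end of this hunk add blank lines at end of file and can be dropped.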