base/devtools/penpot.yaml

# Penpot — open-source design tool (frontend + backend + exporter).
# OIDC-only auth via Hydra; assets on SeaweedFS; DB on shared CNPG postgres.
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: penpot-config
  namespace: devtools
data:
  PENPOT_PUBLIC_URI: "https://designer.DOMAIN_SUFFIX"
  PENPOT_DATABASE_URI: "postgresql://postgres-rw.data.svc.cluster.local:5432/penpot_db"
  PENPOT_DATABASE_USERNAME: "penpot"
  PENPOT_REDIS_URI: "redis://valkey.data.svc.cluster.local:6379/3"
  PENPOT_ASSETS_STORAGE_BACKEND: "assets-s3"
  PENPOT_STORAGE_ASSETS_S3_ENDPOINT: "http://seaweedfs-filer.storage.svc.cluster.local:8333"
  PENPOT_STORAGE_ASSETS_S3_BUCKET: "penpot"
  PENPOT_STORAGE_ASSETS_S3_REGION: "us-east-1"
  AWS_REGION: "us-east-1"
  PENPOT_OIDC_BASE_URI: "https://auth.DOMAIN_SUFFIX/"
  PENPOT_TELEMETRY_ENABLED: "false"
  PENPOT_FLAGS: "enable-login-with-oidc disable-login-with-password disable-email-verification enable-oidc-registration enable-backend-api-doc enable-auto-file-snapshot enable-tiered-file-data-storage enable-webhooks enable-access-tokens enable-cors"
---
# ── Frontend (nginx SPA) ─────────────────────────────────────────────────────
apiVersion: apps/v1
kind: Deployment
metadata:
  name: penpot-frontend
  namespace: devtools
spec:
  replicas: 1
  selector:
    matchLabels:
      app: penpot-frontend
  template:
    metadata:
      labels:
        app: penpot-frontend
    spec:
      containers:
        - name: penpot-frontend
          image: penpotapp/frontend:latest
          ports:
            - name: http
              containerPort: 8080
          env:
            - name: PENPOT_FLAGS
              valueFrom:
                configMapKeyRef:
                  name: penpot-config
                  key: PENPOT_FLAGS
            - name: PENPOT_BACKEND_URI
              value: "http://penpot-backend:6060"
            - name: PENPOT_EXPORTER_URI
              value: "http://penpot-exporter:6061"
          resources:
            requests:
              cpu: 50m
              memory: 64Mi
            limits:
              memory: 256Mi
---
apiVersion: v1
kind: Service
metadata:
  name: penpot-frontend
  namespace: devtools
spec:
  selector:
    app: penpot-frontend
  ports:
    - name: http
      port: 8080
      targetPort: http
---
# ── Backend (JVM API + websockets) ───────────────────────────────────────────
apiVersion: apps/v1
kind: Deployment
metadata:
  name: penpot-backend
  namespace: devtools
spec:
  replicas: 1
  selector:
    matchLabels:
      app: penpot-backend
  template:
    metadata:
      labels:
        app: penpot-backend
    spec:
      containers:
        - name: penpot-backend
          image: penpotapp/backend:latest
          ports:
            - name: http
              containerPort: 6060
          envFrom:
            - configMapRef:
                name: penpot-config
          env:
            - name: PENPOT_SECRET_KEY
              valueFrom:
                secretKeyRef:
                  name: penpot-app-secrets
                  key: secret-key
            - name: PENPOT_DATABASE_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: penpot-db-credentials
                  key: password
            - name: PENPOT_OIDC_CLIENT_ID
              valueFrom:
                secretKeyRef:
                  name: oidc-penpot
                  key: CLIENT_ID
            - name: PENPOT_OIDC_CLIENT_SECRET
              valueFrom:
                secretKeyRef:
                  name: oidc-penpot
                  key: CLIENT_SECRET
            - name: PENPOT_STORAGE_ASSETS_S3_ACCESS_KEY_ID
              valueFrom:
                secretKeyRef:
                  name: penpot-s3-credentials
                  key: access-key
            - name: PENPOT_STORAGE_ASSETS_S3_SECRET_ACCESS_KEY
              valueFrom:
                secretKeyRef:
                  name: penpot-s3-credentials
                  key: secret-key
            - name: AWS_ACCESS_KEY_ID
              valueFrom:
                secretKeyRef:
                  name: penpot-s3-credentials
                  key: access-key
            - name: AWS_SECRET_ACCESS_KEY
              valueFrom:
                secretKeyRef:
                  name: penpot-s3-credentials
                  key: secret-key
          resources:
            requests:
              cpu: 100m
              memory: 512Mi
            limits:
              memory: 1Gi
---
apiVersion: v1
kind: Service
metadata:
  name: penpot-backend
  namespace: devtools
spec:
  selector:
    app: penpot-backend
  ports:
    - name: http
      port: 6060
      targetPort: http
---
# ── Exporter (headless Chromium for PDF/SVG) ─────────────────────────────────
apiVersion: apps/v1
kind: Deployment
metadata:
  name: penpot-exporter
  namespace: devtools
spec:
  replicas: 1
  selector:
    matchLabels:
      app: penpot-exporter
  template:
    metadata:
      labels:
        app: penpot-exporter
    spec:
      containers:
        - name: penpot-exporter
          image: penpotapp/exporter:latest
          ports:
            - name: http
              containerPort: 6061
          env:
            - name: PENPOT_SECRET_KEY
              valueFrom:
                secretKeyRef:
                  name: penpot-app-secrets
                  key: secret-key
            - name: PENPOT_PUBLIC_URI
              valueFrom:
                configMapKeyRef:
                  name: penpot-config
                  key: PENPOT_PUBLIC_URI
            - name: PENPOT_REDIS_URI
              valueFrom:
                configMapKeyRef:
                  name: penpot-config
                  key: PENPOT_REDIS_URI
          resources:
            requests:
              cpu: 50m
              memory: 256Mi
            limits:
              memory: 512Mi
---
apiVersion: v1
kind: Service
metadata:
  name: penpot-exporter
  namespace: devtools
spec:
  selector:
    app: penpot-exporter
  ports:
    - name: http
      port: 6061
      targetPort: http
feat(devtools): deploy Penpot + MCP server, wildcard TLS via DNS-01 Penpot (designer.sunbeam.pt): - Frontend/backend/exporter deployments with OIDC-only auth via Hydra - VSO-managed DB, S3, and app secrets from OpenBao - PostgreSQL user/db in CNPG postInitSQL - Hydra Maester enabledNamespaces extended to devtools Penpot MCP server (mcp-designer.sunbeam.pt): - Pre-built Node.js image pushed to Gitea registry - Auth-gated via Pingora auth_request → Hydra /userinfo - WebSocket path for browser plugin connection Wildcard TLS: - Switched cert-manager from HTTP-01 (per-SAN) to DNS-01 via Scaleway webhook - Certificate collapsed to *.sunbeam.pt + sunbeam.pt - Added scaleway-certmanager-webhook Helm chart - VSO secret for Scaleway DNS API credentials in cert-manager namespace - Added cert-manager to OpenBao VSO auth role 2026-04-04 12:53:27 +01:00			`# Penpot — open-source design tool (frontend + backend + exporter).`
			`# OIDC-only auth via Hydra; assets on SeaweedFS; DB on shared CNPG postgres.`
			`---`
			`apiVersion: v1`
			`kind: ConfigMap`
			`metadata:`
			`name: penpot-config`
			`namespace: devtools`
			`data:`
			`PENPOT_PUBLIC_URI: "https://designer.DOMAIN_SUFFIX"`
			`PENPOT_DATABASE_URI: "postgresql://postgres-rw.data.svc.cluster.local:5432/penpot_db"`
			`PENPOT_DATABASE_USERNAME: "penpot"`
			`PENPOT_REDIS_URI: "redis://valkey.data.svc.cluster.local:6379/3"`
			`PENPOT_ASSETS_STORAGE_BACKEND: "assets-s3"`
			`PENPOT_STORAGE_ASSETS_S3_ENDPOINT: "http://seaweedfs-filer.storage.svc.cluster.local:8333"`
			`PENPOT_STORAGE_ASSETS_S3_BUCKET: "penpot"`
fix(devtools): stabilize Penpot MCP, fix S3 creds, OIDC registration MCP server: - Replace vite build --watch + livePreview with static vite preview (watch mode was reloading the plugin iframe, killing WebSocket) - Bake WS_URI at Docker build time for production WebSocket URL - Add server-side application-level keepalive messages every 25s - Add client-side auto-reconnect with exponential backoff - Set Pingora route timeout to 86400s for WebSocket idle tolerance Penpot: - Add AWS_ACCESS_KEY_ID/SECRET env vars for S3 SDK compatibility - Set S3 region to satisfy AWS SDK credential chain - Enable OIDC registration (disable-registration blocks OIDC signup) - Fix frontend port (8080 not 80) - Add penpot bucket to seaweedfs-buckets init job 2026-04-04 15:37:45 +01:00			`PENPOT_STORAGE_ASSETS_S3_REGION: "us-east-1"`
			`AWS_REGION: "us-east-1"`
feat(devtools): deploy Penpot + MCP server, wildcard TLS via DNS-01 Penpot (designer.sunbeam.pt): - Frontend/backend/exporter deployments with OIDC-only auth via Hydra - VSO-managed DB, S3, and app secrets from OpenBao - PostgreSQL user/db in CNPG postInitSQL - Hydra Maester enabledNamespaces extended to devtools Penpot MCP server (mcp-designer.sunbeam.pt): - Pre-built Node.js image pushed to Gitea registry - Auth-gated via Pingora auth_request → Hydra /userinfo - WebSocket path for browser plugin connection Wildcard TLS: - Switched cert-manager from HTTP-01 (per-SAN) to DNS-01 via Scaleway webhook - Certificate collapsed to *.sunbeam.pt + sunbeam.pt - Added scaleway-certmanager-webhook Helm chart - VSO secret for Scaleway DNS API credentials in cert-manager namespace - Added cert-manager to OpenBao VSO auth role 2026-04-04 12:53:27 +01:00			`PENPOT_OIDC_BASE_URI: "https://auth.DOMAIN_SUFFIX/"`
			`PENPOT_TELEMETRY_ENABLED: "false"`
fix(devtools): stabilize Penpot MCP, fix S3 creds, OIDC registration MCP server: - Replace vite build --watch + livePreview with static vite preview (watch mode was reloading the plugin iframe, killing WebSocket) - Bake WS_URI at Docker build time for production WebSocket URL - Add server-side application-level keepalive messages every 25s - Add client-side auto-reconnect with exponential backoff - Set Pingora route timeout to 86400s for WebSocket idle tolerance Penpot: - Add AWS_ACCESS_KEY_ID/SECRET env vars for S3 SDK compatibility - Set S3 region to satisfy AWS SDK credential chain - Enable OIDC registration (disable-registration blocks OIDC signup) - Fix frontend port (8080 not 80) - Add penpot bucket to seaweedfs-buckets init job 2026-04-04 15:37:45 +01:00			`PENPOT_FLAGS: "enable-login-with-oidc disable-login-with-password disable-email-verification enable-oidc-registration enable-backend-api-doc enable-auto-file-snapshot enable-tiered-file-data-storage enable-webhooks enable-access-tokens enable-cors"`
feat(devtools): deploy Penpot + MCP server, wildcard TLS via DNS-01 Penpot (designer.sunbeam.pt): - Frontend/backend/exporter deployments with OIDC-only auth via Hydra - VSO-managed DB, S3, and app secrets from OpenBao - PostgreSQL user/db in CNPG postInitSQL - Hydra Maester enabledNamespaces extended to devtools Penpot MCP server (mcp-designer.sunbeam.pt): - Pre-built Node.js image pushed to Gitea registry - Auth-gated via Pingora auth_request → Hydra /userinfo - WebSocket path for browser plugin connection Wildcard TLS: - Switched cert-manager from HTTP-01 (per-SAN) to DNS-01 via Scaleway webhook - Certificate collapsed to *.sunbeam.pt + sunbeam.pt - Added scaleway-certmanager-webhook Helm chart - VSO secret for Scaleway DNS API credentials in cert-manager namespace - Added cert-manager to OpenBao VSO auth role 2026-04-04 12:53:27 +01:00			`---`
			`# ── Frontend (nginx SPA) ─────────────────────────────────────────────────────`
			`apiVersion: apps/v1`
			`kind: Deployment`
			`metadata:`
			`name: penpot-frontend`
			`namespace: devtools`
			`spec:`
			`replicas: 1`
			`selector:`
			`matchLabels:`
			`app: penpot-frontend`
			`template:`
			`metadata:`
			`labels:`
			`app: penpot-frontend`
			`spec:`
			`containers:`
			`- name: penpot-frontend`
			`image: penpotapp/frontend:latest`
			`ports:`
			`- name: http`
			`containerPort: 8080`
			`env:`
			`- name: PENPOT_FLAGS`
			`valueFrom:`
			`configMapKeyRef:`
			`name: penpot-config`
			`key: PENPOT_FLAGS`
			`- name: PENPOT_BACKEND_URI`
			`value: "http://penpot-backend:6060"`
			`- name: PENPOT_EXPORTER_URI`
			`value: "http://penpot-exporter:6061"`
			`resources:`
			`requests:`
			`cpu: 50m`
			`memory: 64Mi`
			`limits:`
			`memory: 256Mi`
			`---`
			`apiVersion: v1`
			`kind: Service`
			`metadata:`
			`name: penpot-frontend`
			`namespace: devtools`
			`spec:`
			`selector:`
			`app: penpot-frontend`
			`ports:`
			`- name: http`
			`port: 8080`
			`targetPort: http`
			`---`
			`# ── Backend (JVM API + websockets) ───────────────────────────────────────────`
			`apiVersion: apps/v1`
			`kind: Deployment`
			`metadata:`
			`name: penpot-backend`
			`namespace: devtools`
			`spec:`
			`replicas: 1`
			`selector:`
			`matchLabels:`
			`app: penpot-backend`
			`template:`
			`metadata:`
			`labels:`
			`app: penpot-backend`
			`spec:`
			`containers:`
			`- name: penpot-backend`
			`image: penpotapp/backend:latest`
			`ports:`
			`- name: http`
			`containerPort: 6060`
			`envFrom:`
			`- configMapRef:`
			`name: penpot-config`
			`env:`
			`- name: PENPOT_SECRET_KEY`
			`valueFrom:`
			`secretKeyRef:`
			`name: penpot-app-secrets`
			`key: secret-key`
			`- name: PENPOT_DATABASE_PASSWORD`
			`valueFrom:`
			`secretKeyRef:`
			`name: penpot-db-credentials`
			`key: password`
			`- name: PENPOT_OIDC_CLIENT_ID`
			`valueFrom:`
			`secretKeyRef:`
			`name: oidc-penpot`
			`key: CLIENT_ID`
			`- name: PENPOT_OIDC_CLIENT_SECRET`
			`valueFrom:`
			`secretKeyRef:`
			`name: oidc-penpot`
			`key: CLIENT_SECRET`
			`- name: PENPOT_STORAGE_ASSETS_S3_ACCESS_KEY_ID`
			`valueFrom:`
			`secretKeyRef:`
			`name: penpot-s3-credentials`
			`key: access-key`
			`- name: PENPOT_STORAGE_ASSETS_S3_SECRET_ACCESS_KEY`
			`valueFrom:`
			`secretKeyRef:`
			`name: penpot-s3-credentials`
			`key: secret-key`
fix(devtools): stabilize Penpot MCP, fix S3 creds, OIDC registration MCP server: - Replace vite build --watch + livePreview with static vite preview (watch mode was reloading the plugin iframe, killing WebSocket) - Bake WS_URI at Docker build time for production WebSocket URL - Add server-side application-level keepalive messages every 25s - Add client-side auto-reconnect with exponential backoff - Set Pingora route timeout to 86400s for WebSocket idle tolerance Penpot: - Add AWS_ACCESS_KEY_ID/SECRET env vars for S3 SDK compatibility - Set S3 region to satisfy AWS SDK credential chain - Enable OIDC registration (disable-registration blocks OIDC signup) - Fix frontend port (8080 not 80) - Add penpot bucket to seaweedfs-buckets init job 2026-04-04 15:37:45 +01:00			`- name: AWS_ACCESS_KEY_ID`
			`valueFrom:`
			`secretKeyRef:`
			`name: penpot-s3-credentials`
			`key: access-key`
			`- name: AWS_SECRET_ACCESS_KEY`
			`valueFrom:`
			`secretKeyRef:`
			`name: penpot-s3-credentials`
			`key: secret-key`
feat(devtools): deploy Penpot + MCP server, wildcard TLS via DNS-01 Penpot (designer.sunbeam.pt): - Frontend/backend/exporter deployments with OIDC-only auth via Hydra - VSO-managed DB, S3, and app secrets from OpenBao - PostgreSQL user/db in CNPG postInitSQL - Hydra Maester enabledNamespaces extended to devtools Penpot MCP server (mcp-designer.sunbeam.pt): - Pre-built Node.js image pushed to Gitea registry - Auth-gated via Pingora auth_request → Hydra /userinfo - WebSocket path for browser plugin connection Wildcard TLS: - Switched cert-manager from HTTP-01 (per-SAN) to DNS-01 via Scaleway webhook - Certificate collapsed to *.sunbeam.pt + sunbeam.pt - Added scaleway-certmanager-webhook Helm chart - VSO secret for Scaleway DNS API credentials in cert-manager namespace - Added cert-manager to OpenBao VSO auth role 2026-04-04 12:53:27 +01:00			`resources:`
			`requests:`
			`cpu: 100m`
			`memory: 512Mi`
			`limits:`
			`memory: 1Gi`
			`---`
			`apiVersion: v1`
			`kind: Service`
			`metadata:`
			`name: penpot-backend`
			`namespace: devtools`
			`spec:`
			`selector:`
			`app: penpot-backend`
			`ports:`
			`- name: http`
			`port: 6060`
			`targetPort: http`
			`---`
			`# ── Exporter (headless Chromium for PDF/SVG) ─────────────────────────────────`
			`apiVersion: apps/v1`
			`kind: Deployment`
			`metadata:`
			`name: penpot-exporter`
			`namespace: devtools`
			`spec:`
			`replicas: 1`
			`selector:`
			`matchLabels:`
			`app: penpot-exporter`
			`template:`
			`metadata:`
			`labels:`
			`app: penpot-exporter`
			`spec:`
			`containers:`
			`- name: penpot-exporter`
			`image: penpotapp/exporter:latest`
			`ports:`
			`- name: http`
			`containerPort: 6061`
			`env:`
			`- name: PENPOT_SECRET_KEY`
			`valueFrom:`
			`secretKeyRef:`
			`name: penpot-app-secrets`
			`key: secret-key`
			`- name: PENPOT_PUBLIC_URI`
			`valueFrom:`
			`configMapKeyRef:`
			`name: penpot-config`
			`key: PENPOT_PUBLIC_URI`
			`- name: PENPOT_REDIS_URI`
			`valueFrom:`
			`configMapKeyRef:`
			`name: penpot-config`
			`key: PENPOT_REDIS_URI`
			`resources:`
			`requests:`
			`cpu: 50m`
			`memory: 256Mi`
			`limits:`
			`memory: 512Mi`
			`---`
			`apiVersion: v1`
			`kind: Service`
			`metadata:`
			`name: penpot-exporter`
			`namespace: devtools`
			`spec:`
			`selector:`
			`app: penpot-exporter`
			`ports:`
			`- name: http`
			`port: 6061`
			`targetPort: http`