feat(devtools): deploy Penpot + MCP server, wildcard TLS via DNS-01

Penpot (designer.sunbeam.pt): - Frontend/backend/exporter deployments with OIDC-only auth via Hydra - VSO-managed DB, S3, and app secrets from OpenBao - PostgreSQL user/db in CNPG postInitSQL - Hydra Maester enabledNamespaces extended to devtools Penpot MCP server (mcp-designer.sunbeam.pt): - Pre-built Node.js image pushed to Gitea registry - Auth-gated via Pingora auth_request → Hydra /userinfo - WebSocket path for browser plugin connection Wildcard TLS: - Switched cert-manager from HTTP-01 (per-SAN) to DNS-01 via Scaleway webhook - Certificate collapsed to *.sunbeam.pt + sunbeam.pt - Added scaleway-certmanager-webhook Helm chart - VSO secret for Scaleway DNS API credentials in cert-manager namespace - Added cert-manager to OpenBao VSO auth role
2026-04-04 12:53:27 +01:00
parent 97628b0f6f
commit fcb80f1f37
13 changed files with 486 additions and 40 deletions
--- a/base/devtools/penpot-mcp.yaml
+++ b/base/devtools/penpot-mcp.yaml
@@ -0,0 +1,56 @@
+# Penpot MCP server — bridges AI clients to Penpot via the MCP plugin.
+# Port 4401: HTTP/SSE for MCP clients (Claude, etc.)
+# Port 4402: WebSocket for the Penpot browser plugin
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: penpot-mcp
+  namespace: devtools
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: penpot-mcp
+  template:
+    metadata:
+      labels:
+        app: penpot-mcp
+    spec:
+      containers:
+        - name: penpot-mcp
+          image: src.sunbeam.pt/studio/penpot-mcp:latest
+          ports:
+            - name: http
+              containerPort: 4401
+            - name: ws
+              containerPort: 4402
+          env:
+            - name: PENPOT_MCP_REMOTE_MODE
+              value: "true"
+            - name: PENPOT_MCP_SERVER_HOST
+              value: "0.0.0.0"
+            - name: PENPOT_MCP_SERVER_ADDRESS
+              value: "mcp-designer.DOMAIN_SUFFIX"
+          resources:
+            requests:
+              cpu: 50m
+              memory: 64Mi
+            limits:
+              memory: 256Mi
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: penpot-mcp
+  namespace: devtools
+spec:
+  selector:
+    app: penpot-mcp
+  ports:
+    - name: http
+      port: 4401
+      targetPort: http
+    - name: ws
+      port: 4402
+      targetPort: ws