feat(devtools): deploy Penpot + MCP server, wildcard TLS via DNS-01

Penpot (designer.sunbeam.pt): - Frontend/backend/exporter deployments with OIDC-only auth via Hydra - VSO-managed DB, S3, and app secrets from OpenBao - PostgreSQL user/db in CNPG postInitSQL - Hydra Maester enabledNamespaces extended to devtools Penpot MCP server (mcp-designer.sunbeam.pt): - Pre-built Node.js image pushed to Gitea registry - Auth-gated via Pingora auth_request → Hydra /userinfo - WebSocket path for browser plugin connection Wildcard TLS: - Switched cert-manager from HTTP-01 (per-SAN) to DNS-01 via Scaleway webhook - Certificate collapsed to *.sunbeam.pt + sunbeam.pt - Added scaleway-certmanager-webhook Helm chart - VSO secret for Scaleway DNS API credentials in cert-manager namespace - Added cert-manager to OpenBao VSO auth role
2026-04-04 12:53:27 +01:00
parent 97628b0f6f
commit fcb80f1f37
13 changed files with 486 additions and 40 deletions
--- a/base/devtools/penpot-oidc.yaml
+++ b/base/devtools/penpot-oidc.yaml
@@ -0,0 +1,20 @@
+# Penpot OIDC client — Hydra Maester creates Secret "oidc-penpot" in devtools
+# with CLIENT_ID and CLIENT_SECRET keys.
+apiVersion: hydra.ory.sh/v1alpha1
+kind: OAuth2Client
+metadata:
+  name: penpot
+  namespace: devtools
+spec:
+  clientName: Penpot
+  grantTypes:
+    - authorization_code
+    - refresh_token
+  responseTypes:
+    - code
+  scope: openid email profile
+  redirectUris:
+    - https://designer.DOMAIN_SUFFIX/api/auth/oidc/callback
+  tokenEndpointAuthMethod: client_secret_post
+  secretName: oidc-penpot
+  skipConsent: true