feat(devtools): deploy Penpot + MCP server, wildcard TLS via DNS-01

Penpot (designer.sunbeam.pt): - Frontend/backend/exporter deployments with OIDC-only auth via Hydra - VSO-managed DB, S3, and app secrets from OpenBao - PostgreSQL user/db in CNPG postInitSQL - Hydra Maester enabledNamespaces extended to devtools Penpot MCP server (mcp-designer.sunbeam.pt): - Pre-built Node.js image pushed to Gitea registry - Auth-gated via Pingora auth_request → Hydra /userinfo - WebSocket path for browser plugin connection Wildcard TLS: - Switched cert-manager from HTTP-01 (per-SAN) to DNS-01 via Scaleway webhook - Certificate collapsed to *.sunbeam.pt + sunbeam.pt - Added scaleway-certmanager-webhook Helm chart - VSO secret for Scaleway DNS API credentials in cert-manager namespace - Added cert-manager to OpenBao VSO auth role
2026-04-04 12:53:27 +01:00
parent 97628b0f6f
commit fcb80f1f37
13 changed files with 486 additions and 40 deletions
--- a/base/devtools/vault-secrets.yaml
+++ b/base/devtools/vault-secrets.yaml
@@ -62,6 +62,84 @@ spec:
        "secret-key":
          text: "{{ index .Secrets \"secret-key\" }}"
 ---
+# Penpot DB credentials from OpenBao database secrets engine (static role, 24h rotation).
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultDynamicSecret
+metadata:
+  name: penpot-db-credentials
+  namespace: devtools
+spec:
+  vaultAuthRef: vso-auth
+  mount: database
+  path: static-creds/penpot
+  allowStaticCreds: true
+  refreshAfter: 5m
+  rolloutRestartTargets:
+    - kind: Deployment
+      name: penpot-backend
+  destination:
+    name: penpot-db-credentials
+    create: true
+    overwrite: true
+    transformation:
+      excludeRaw: true
+      templates:
+        password:
+          text: "{{ index .Secrets \"password\" }}"
+---
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+  name: penpot-s3-credentials
+  namespace: devtools
+spec:
+  vaultAuthRef: vso-auth
+  mount: secret
+  type: kv-v2
+  path: seaweedfs
+  refreshAfter: 30s
+  rolloutRestartTargets:
+    - kind: Deployment
+      name: penpot-backend
+  destination:
+    name: penpot-s3-credentials
+    create: true
+    overwrite: true
+    transformation:
+      excludeRaw: true
+      templates:
+        "access-key":
+          text: "{{ index .Secrets \"access-key\" }}"
+        "secret-key":
+          text: "{{ index .Secrets \"secret-key\" }}"
+---
+# Penpot app secrets (secret-key for internal auth between backend/exporter).
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+  name: penpot-app-secrets
+  namespace: devtools
+spec:
+  vaultAuthRef: vso-auth
+  mount: secret
+  type: kv-v2
+  path: penpot
+  refreshAfter: 30s
+  rolloutRestartTargets:
+    - kind: Deployment
+      name: penpot-backend
+    - kind: Deployment
+      name: penpot-exporter
+  destination:
+    name: penpot-app-secrets
+    create: true
+    overwrite: true
+    transformation:
+      excludeRaw: true
+      templates:
+        "secret-key":
+          text: "{{ index .Secrets \"secret-key\" }}"
+---
 apiVersion: secrets.hashicorp.com/v1beta1
 kind: VaultStaticSecret
 metadata: