# Penpot — open-source design tool (frontend + backend + exporter).
# OIDC-only auth via Hydra; assets on SeaweedFS; DB on shared CNPG postgres.
---
# Non-secret settings shared by the three workloads. Credentials are not
# stored here; the Deployments read them from Secrets via secretKeyRef.
apiVersion: v1
kind: ConfigMap
metadata:
  name: penpot-config
  namespace: devtools
data:
  PENPOT_PUBLIC_URI: "https://designer.DOMAIN_SUFFIX"
  # NOTE(review): no TLS/sslmode parameter is visible in this URI — confirm
  # how the connection to the shared Postgres is protected.
  PENPOT_DATABASE_URI: "postgresql://postgres-rw.data.svc.cluster.local:5432/penpot_db"
  PENPOT_DATABASE_USERNAME: "penpot"
  # NOTE(review): the URI carries no credentials and uses redis://, not
  # rediss:// — confirm Valkey is restricted to this namespace by
  # NetworkPolicy or requires auth.
  PENPOT_REDIS_URI: "redis://valkey.data.svc.cluster.local:6379/3"
  PENPOT_ASSETS_STORAGE_BACKEND: "assets-s3"
  # NOTE(review): plain http:// — S3 requests signed with the access key
  # cross the cluster network unencrypted; acceptable only if pod-to-pod
  # traffic is otherwise protected (mesh mTLS, encrypted CNI) — confirm.
  PENPOT_STORAGE_ASSETS_S3_ENDPOINT: "http://seaweedfs-filer.storage.svc.cluster.local:8333"
  PENPOT_STORAGE_ASSETS_S3_BUCKET: "penpot"
  PENPOT_STORAGE_ASSETS_S3_REGION: "us-east-1"
  AWS_REGION: "us-east-1"
  PENPOT_OIDC_BASE_URI: "https://auth.DOMAIN_SUFFIX/"
  PENPOT_TELEMETRY_ENABLED: "false"
  # Space-separated feature flags, written as a folded scalar (parses to a
  # single line). Password login is disabled; sign-in and registration go
  # through OIDC.
  # NOTE(review): with disable-email-verification the e-mail asserted by the
  # IdP is presumably trusted as-is — confirm the IdP verifies addresses.
  # NOTE(review): enable-backend-api-doc, enable-cors, enable-access-tokens
  # and enable-webhooks each add exposed surface; keep only those in use.
  # Webhooks presumably let the backend call user-supplied URLs, so pair the
  # flag with an egress NetworkPolicy that blocks in-cluster destinations.
  PENPOT_FLAGS: >-
    enable-login-with-oidc
    disable-login-with-password
    disable-email-verification
    enable-oidc-registration
    enable-backend-api-doc
    enable-auto-file-snapshot
    enable-tiered-file-data-storage
    enable-webhooks
    enable-access-tokens
    enable-cors
---
# ── Frontend (nginx SPA) ─────────────────────────────────────────────────────
# NOTE(review): no securityContext is set at pod or container level and
# automountServiceAccountToken is not disabled, so the pod runs with runtime
# defaults and a mounted service-account token. Consider runAsNonRoot,
# allowPrivilegeEscalation: false, dropped capabilities and a RuntimeDefault
# seccomp profile once the image is confirmed to support them.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: penpot-frontend
  namespace: devtools
spec:
  replicas: 1
  selector:
    matchLabels:
      app: penpot-frontend
  template:
    metadata:
      labels:
        app: penpot-frontend
    spec:
      containers:
        - name: penpot-frontend
          # NOTE(review): ":latest" is a mutable tag and, with no
          # imagePullPolicy set, defaults to Always — a restart can pull
          # unreviewed code. Pin to a release tag or an image digest.
          image: penpotapp/frontend:latest
          ports:
            - name: http
              containerPort: 8080
          env:
            - name: PENPOT_FLAGS
              valueFrom:
                configMapKeyRef:
                  name: penpot-config
                  key: PENPOT_FLAGS
            # In-cluster upstreams are reached over plain HTTP.
            - name: PENPOT_BACKEND_URI
              value: "http://penpot-backend:6060"
            - name: PENPOT_EXPORTER_URI
              value: "http://penpot-exporter:6061"
          resources:
            requests:
              cpu: 50m
              memory: 64Mi
            limits:
              memory: 256Mi
---
apiVersion: v1
kind: Service
metadata:
  name: penpot-frontend
  namespace: devtools
spec:
  selector:
    app: penpot-frontend
  ports:
    - name: http
      port: 8080
      targetPort: http
---
# ── Backend (JVM API + websockets) ───────────────────────────────────────────
# Backend Deployment: loads every key of penpot-config through envFrom and
# takes all credentials from Secrets via secretKeyRef.
# NOTE(review): no securityContext is set at pod or container level and
# automountServiceAccountToken is not disabled; this pod holds the DB, OIDC
# and S3 credentials, so it is the one most worth hardening (runAsNonRoot,
# allowPrivilegeEscalation: false, dropped capabilities, RuntimeDefault
# seccomp) once the image is confirmed to support it.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: penpot-backend
  namespace: devtools
spec:
  replicas: 1
  selector:
    matchLabels:
      app: penpot-backend
  template:
    metadata:
      labels:
        app: penpot-backend
    spec:
      containers:
        - name: penpot-backend
          # NOTE(review): ":latest" is a mutable tag and, with no
          # imagePullPolicy set, defaults to Always — a restart can pull
          # unreviewed code. Pin to a release tag or an image digest.
          image: penpotapp/backend:latest
          ports:
            - name: http
              containerPort: 6060
          envFrom:
            - configMapRef:
                name: penpot-config
          env:
            # The same secret-key is also injected into the exporter.
            - name: PENPOT_SECRET_KEY
              valueFrom:
                secretKeyRef:
                  name: penpot-app-secrets
                  key: secret-key
            - name: PENPOT_DATABASE_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: penpot-db-credentials
                  key: password
            - name: PENPOT_OIDC_CLIENT_ID
              valueFrom:
                secretKeyRef:
                  name: oidc-penpot
                  key: CLIENT_ID
            - name: PENPOT_OIDC_CLIENT_SECRET
              valueFrom:
                secretKeyRef:
                  name: oidc-penpot
                  key: CLIENT_SECRET
            # The S3 key pair is exposed twice, under the PENPOT_STORAGE_*
            # names and the AWS_* names; both read penpot-s3-credentials.
            # NOTE(review): confirm this key is scoped to the "penpot"
            # bucket only.
            - name: PENPOT_STORAGE_ASSETS_S3_ACCESS_KEY_ID
              valueFrom:
                secretKeyRef:
                  name: penpot-s3-credentials
                  key: access-key
            - name: PENPOT_STORAGE_ASSETS_S3_SECRET_ACCESS_KEY
              valueFrom:
                secretKeyRef:
                  name: penpot-s3-credentials
                  key: secret-key
            - name: AWS_ACCESS_KEY_ID
              valueFrom:
                secretKeyRef:
                  name: penpot-s3-credentials
                  key: access-key
            - name: AWS_SECRET_ACCESS_KEY
              valueFrom:
                secretKeyRef:
                  name: penpot-s3-credentials
                  key: secret-key
          resources:
            requests:
              cpu: 100m
              memory: 512Mi
            limits:
              memory: 1Gi
---
apiVersion: v1
kind: Service
metadata:
  name: penpot-backend
  namespace: devtools
spec:
  selector:
    app: penpot-backend
  ports:
    - name: http
      port: 6060
      targetPort: http
---
# ── Exporter (headless Chromium for PDF/SVG) ─────────────────────────────────
# NOTE(review): this pod renders user-authored design content in a browser
# engine while holding PENPOT_SECRET_KEY and Redis access. No securityContext
# is set and automountServiceAccountToken is not disabled. Confirm how the
# image runs Chromium's sandbox before tightening (seccomp and no-new-privs
# settings can interact with it), and restrict egress with a NetworkPolicy.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: penpot-exporter
  namespace: devtools
spec:
  replicas: 1
  selector:
    matchLabels:
      app: penpot-exporter
  template:
    metadata:
      labels:
        app: penpot-exporter
    spec:
      containers:
        - name: penpot-exporter
          # NOTE(review): ":latest" is a mutable tag and, with no
          # imagePullPolicy set, defaults to Always — a restart can pull
          # unreviewed code. Pin to a release tag or an image digest.
          image: penpotapp/exporter:latest
          ports:
            - name: http
              containerPort: 6061
          env:
            - name: PENPOT_SECRET_KEY
              valueFrom:
                secretKeyRef:
                  name: penpot-app-secrets
                  key: secret-key
            # Only these two ConfigMap keys are passed; the exporter does
            # not use envFrom.
            - name: PENPOT_PUBLIC_URI
              valueFrom:
                configMapKeyRef:
                  name: penpot-config
                  key: PENPOT_PUBLIC_URI
            - name: PENPOT_REDIS_URI
              valueFrom:
                configMapKeyRef:
                  name: penpot-config
                  key: PENPOT_REDIS_URI
          resources:
            requests:
              cpu: 50m
              memory: 256Mi
            limits:
              memory: 512Mi
---
apiVersion: v1
kind: Service
metadata:
  name: penpot-exporter
  namespace: devtools
spec:
  selector:
    app: penpot-exporter
  ports:
    - name: http
      port: 6061
      targetPort: http