sbbb/base/devtools/penpot.yaml
Sienna Meridian Satterwhite 048319f70b fix(devtools): stabilize Penpot MCP, fix S3 creds, OIDC registration
MCP server:
- Replace vite build --watch + livePreview with static vite preview
  (watch mode was reloading the plugin iframe, killing WebSocket)
- Bake WS_URI at Docker build time for production WebSocket URL
- Add server-side application-level keepalive messages every 25s
- Add client-side auto-reconnect with exponential backoff
- Set Pingora route timeout to 86400s for WebSocket idle tolerance

Penpot:
- Add AWS_ACCESS_KEY_ID/SECRET env vars for S3 SDK compatibility
- Set S3 region to satisfy AWS SDK credential chain
- Enable OIDC registration (disable-registration blocks OIDC signup)
- Fix frontend port (8080 not 80)
- Add penpot bucket to seaweedfs-buckets init job
2026-04-04 15:37:45 +01:00


# Penpot — open-source design tool (frontend + backend + exporter).
# OIDC-only auth via Hydra; assets on SeaweedFS; DB on shared CNPG postgres.
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: penpot-config
  namespace: devtools
data:
  # Public entry point. DOMAIN_SUFFIX is a placeholder that the deploy tooling
  # substitutes; it is not resolved anywhere in this file.
  PENPOT_PUBLIC_URI: "https://designer.DOMAIN_SUFFIX"
  PENPOT_TELEMETRY_ENABLED: "false"

  # Backing stores, all addressed by in-cluster DNS. Neither URI carries TLS
  # parameters and the Valkey URI has no credential, so confidentiality of
  # these connections rests on network isolation between the devtools, data and
  # storage namespaces (no NetworkPolicy is defined in this file). The Valkey
  # database index (/3) only namespaces keys; it is not an access boundary on a
  # shared instance.
  PENPOT_DATABASE_URI: "postgresql://postgres-rw.data.svc.cluster.local:5432/penpot_db"
  PENPOT_DATABASE_USERNAME: "penpot"
  PENPOT_REDIS_URI: "redis://valkey.data.svc.cluster.local:6379/3"

  # Asset storage: S3 API served by SeaweedFS over plain HTTP. The region is a
  # placeholder the AWS SDK credential chain insists on; the access key and
  # secret are NOT here — the backend Deployment injects them from the
  # penpot-s3-credentials Secret.
  PENPOT_ASSETS_STORAGE_BACKEND: "assets-s3"
  PENPOT_STORAGE_ASSETS_S3_ENDPOINT: "http://seaweedfs-filer.storage.svc.cluster.local:8333"
  PENPOT_STORAGE_ASSETS_S3_BUCKET: "penpot"
  PENPOT_STORAGE_ASSETS_S3_REGION: "us-east-1"
  AWS_REGION: "us-east-1"

  # OIDC issuer (Hydra). Client id/secret come from the oidc-penpot Secret,
  # again injected by the backend Deployment rather than stored here.
  PENPOT_OIDC_BASE_URI: "https://auth.DOMAIN_SUFFIX/"

  # Space-separated feature flags, consumed by both the backend (via envFrom)
  # and the frontend (via configMapKeyRef). Security-relevant ones:
  #  - enable-login-with-oidc + disable-login-with-password: OIDC is the only
  #    login path, so account security is delegated entirely to Hydra.
  #  - enable-oidc-registration: any identity Hydra authenticates can
  #    self-provision a Penpot account. If that is wider than intended, gate
  #    sign-up at the IdP (or with Penpot's registration allow-list option, if
  #    this release provides one — verify the exact variable name).
  #  - disable-email-verification: defensible only because the IdP vouches
  #    for the address; it must not be combined with password login.
  #  - enable-access-tokens / enable-webhooks: long-lived API tokens and
  #    outbound HTTP deliveries (presumably made from the backend pod) widen
  #    the blast radius of a compromised account.
  #  - enable-backend-api-doc: exposes backend API documentation; typically a
  #    development convenience, review before a public deployment.
  #  - enable-cors: review the resulting allowed origins before exposing the
  #    API beyond PENPOT_PUBLIC_URI.
  PENPOT_FLAGS: "enable-login-with-oidc disable-login-with-password disable-email-verification enable-oidc-registration enable-backend-api-doc enable-auto-file-snapshot enable-tiered-file-data-storage enable-webhooks enable-access-tokens enable-cors"
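---
# ── Frontend (nginx SPA) ─────────────────────────────────────────────────────
apiVersion: apps/v1
kind: Deployment
metadata:
  name: penpot-frontend
  namespace: devtools
spec:
  replicas: 1
  selector:
    matchLabels:
      app: penpot-frontend
  template:
    metadata:
      labels:
        app: penpot-frontend
    spec:
      # The static-asset server never needs the Kubernetes API; without this
      # the pod would carry a service-account token it has no use for.
      automountServiceAccountToken: false
      containers:
        - name: penpot-frontend
          # TODO(supply-chain): pin to a release tag or @sha256 digest. A
          # mutable :latest tag is re-resolved on every pull, so what runs
          # cannot be audited or rolled back reliably.
          image: penpotapp/frontend:latest
          securityContext:
            # Sets no_new_privs; nginx does not rely on setuid helpers and a
            # root master process dropping to its worker user is unaffected.
            allowPrivilegeEscalation: false
          ports:
            - name: http
              containerPort: 8080  # the upstream image listens on 8080, not 80
          env:
            # Same flag string the backend receives, so both sides agree on
            # which login/registration paths exist.
            - name: PENPOT_FLAGS
              valueFrom:
                configMapKeyRef:
                  name: penpot-config
                  key: PENPOT_FLAGS
            # In-cluster upstreams the frontend forwards API/export traffic to;
            # plain HTTP over same-namespace short names.
            - name: PENPOT_BACKEND_URI
              value: "http://penpot-backend:6060"
            - name: PENPOT_EXPORTER_URI
              value: "http://penpot-exporter:6061"
          resources:
            requests:
              cpu: 50m
              memory: 64Mi
            limits:
              memory: 256Mi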
---
apiVersion: v1
kind: Service
metadata:
  name: penpot-frontend
  namespace: devtools
spec:
  # Defaults written out explicitly: an internal ClusterIP, presumably fronted
  # by the Pingora route mentioned in the commit message rather than exposed
  # directly.
  type: ClusterIP
  selector:
    app: penpot-frontend
  ports:
    - name: http
      protocol: TCP
      port: 8080
      targetPort: http
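---
# ── Backend (JVM API + websockets) ───────────────────────────────────────────
apiVersion: apps/v1
kind: Deployment
metadata:
  name: penpot-backend
  namespace: devtools
spec:
  replicas: 1
  selector:
    matchLabels:
      app: penpot-backend
  template:
    metadata:
      labels:
        app: penpot-backend
    spec:
      # The backend talks to Postgres, Valkey and S3 — never to the Kubernetes
      # API. It also parses untrusted HTTP/WebSocket input, so a compromise of
      # the JVM must not hand the attacker a mounted service-account token.
      automountServiceAccountToken: false
      containers:
        - name: penpot-backend
          # TODO(supply-chain): pin to a release tag or @sha256 digest. A
          # mutable :latest tag is re-resolved on every pull, so what runs
          # cannot be audited or rolled back reliably.
          image: penpotapp/backend:latest
          securityContext:
            # Sets no_new_privs; a JVM service has no need for setuid binaries.
            allowPrivilegeEscalation: false
          ports:
            - name: http
              containerPort: 6060
          # Imports every key of penpot-config (public URI, store endpoints,
          # OIDC issuer, PENPOT_FLAGS) into the environment.
          envFrom:
            - configMapRef:
                name: penpot-config
          # All credentials are referenced from Secrets that are created outside
          # this file; nothing sensitive is inlined in the manifest.
          env:
            # Application signing/encryption key. Shared with the exporter.
            - name: PENPOT_SECRET_KEY
              valueFrom:
                secretKeyRef:
                  name: penpot-app-secrets
                  key: secret-key
            - name: PENPOT_DATABASE_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: penpot-db-credentials
                  key: password
            # OIDC client registered with Hydra.
            - name: PENPOT_OIDC_CLIENT_ID
              valueFrom:
                secretKeyRef:
                  name: oidc-penpot
                  key: CLIENT_ID
            - name: PENPOT_OIDC_CLIENT_SECRET
              valueFrom:
                secretKeyRef:
                  name: oidc-penpot
                  key: CLIENT_SECRET
            # The S3 key pair is exported twice from the same Secret: under
            # Penpot's own variable names and under the AWS SDK's default
            # credential-chain names. Per the commit message the SDK only picks
            # up the AWS_* pair; keep both in sync if the Secret keys change.
            - name: PENPOT_STORAGE_ASSETS_S3_ACCESS_KEY_ID
              valueFrom:
                secretKeyRef:
                  name: penpot-s3-credentials
                  key: access-key
            - name: PENPOT_STORAGE_ASSETS_S3_SECRET_ACCESS_KEY
              valueFrom:
                secretKeyRef:
                  name: penpot-s3-credentials
                  key: secret-key
            - name: AWS_ACCESS_KEY_ID
              valueFrom:
                secretKeyRef:
                  name: penpot-s3-credentials
                  key: access-key
            - name: AWS_SECRET_ACCESS_KEY
              valueFrom:
                secretKeyRef:
                  name: penpot-s3-credentials
                  key: secret-key
          resources:
            requests:
              cpu: 100m
              memory: 512Mi
            limits:
              memory: 1Gi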
---
apiVersion: v1
kind: Service
metadata:
  name: penpot-backend
  namespace: devtools
spec:
  # Internal only (ClusterIP), but nothing in this file restricts which pods
  # may reach port 6060 — the frontend is the intended client. A NetworkPolicy
  # for the devtools namespace would have to live elsewhere.
  type: ClusterIP
  selector:
    app: penpot-backend
  ports:
    - name: http
      protocol: TCP
      port: 6060
      targetPort: http
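---
# ── Exporter (headless Chromium for PDF/SVG) ─────────────────────────────────
apiVersion: apps/v1
kind: Deployment
metadata:
  name: penpot-exporter
  namespace: devtools
spec:
  replicas: 1
  selector:
    matchLabels:
      app: penpot-exporter
  template:
    metadata:
      labels:
        app: penpot-exporter
    spec:
      # Headless Chromium renders attacker-influenced documents; it must not
      # have a Kubernetes service-account token within reach if it is escaped.
      automountServiceAccountToken: false
      containers:
        - name: penpot-exporter
          # TODO(supply-chain): pin to a release tag or @sha256 digest. A
          # mutable :latest tag is re-resolved on every pull, so what runs
          # cannot be audited or rolled back reliably.
          image: penpotapp/exporter:latest
          # NOTE(review): no securityContext is set here on purpose. Chromium's
          # setuid sandbox needs privilege escalation, so
          # allowPrivilegeEscalation: false can break rendering unless the
          # image runs Chromium with the user-namespace sandbox or
          # --no-sandbox — confirm how this image launches Chromium before
          # hardening.
          ports:
            - name: http
              containerPort: 6061
          env:
            # NOTE(review): the exporter is given the same application secret
            # key as the backend. If the exporter does not actually need it,
            # drop this entry so a Chromium escape cannot read it.
            - name: PENPOT_SECRET_KEY
              valueFrom:
                secretKeyRef:
                  name: penpot-app-secrets
                  key: secret-key
            - name: PENPOT_PUBLIC_URI
              valueFrom:
                configMapKeyRef:
                  name: penpot-config
                  key: PENPOT_PUBLIC_URI
            # Unauthenticated Valkey URI shared with the backend (see ConfigMap).
            - name: PENPOT_REDIS_URI
              valueFrom:
                configMapKeyRef:
                  name: penpot-config
                  key: PENPOT_REDIS_URI
          resources:
            requests:
              cpu: 50m
              memory: 256Mi
            limits:
              memory: 512Mi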
---
apiVersion: v1
kind: Service
metadata:
  name: penpot-exporter
  namespace: devtools
spec:
  # Internal only (ClusterIP). Any pod in the cluster can currently submit
  # render jobs on 6061 — this file defines no NetworkPolicy limiting callers
  # to the frontend/backend.
  type: ClusterIP
  selector:
    app: penpot-exporter
  ports:
    - name: http
      protocol: TCP
      port: 6061
      targetPort: http