Sienna Meridian Satterwhite
fcb80f1f37
Penpot (designer.sunbeam.pt): - Frontend/backend/exporter deployments with OIDC-only auth via Hydra - VSO-managed DB, S3, and app secrets from OpenBao - PostgreSQL user/db in CNPG postInitSQL - Hydra Maester enabledNamespaces extended to devtools Penpot MCP server (mcp-designer.sunbeam.pt): - Pre-built Node.js image pushed to Gitea registry - Auth-gated via Pingora auth_request → Hydra /userinfo - WebSocket path for browser plugin connection Wildcard TLS: - Switched cert-manager from HTTP-01 (per-SAN) to DNS-01 via Scaleway webhook - Certificate collapsed to *.sunbeam.pt + sunbeam.pt - Added scaleway-certmanager-webhook Helm chart - VSO secret for Scaleway DNS API credentials in cert-manager namespace - Added cert-manager to OpenBao VSO auth role
206 lines
5.7 KiB
YAML
206 lines
5.7 KiB
YAML
# Penpot — open-source design tool (frontend + backend + exporter).
|
|
# OIDC-only auth via Hydra; assets on SeaweedFS; DB on shared CNPG postgres.
|
|
---
|
|
apiVersion: v1
|
|
kind: ConfigMap
|
|
metadata:
|
|
name: penpot-config
|
|
namespace: devtools
|
|
data:
|
|
PENPOT_PUBLIC_URI: "https://designer.DOMAIN_SUFFIX"
|
|
PENPOT_DATABASE_URI: "postgresql://postgres-rw.data.svc.cluster.local:5432/penpot_db"
|
|
PENPOT_DATABASE_USERNAME: "penpot"
|
|
PENPOT_REDIS_URI: "redis://valkey.data.svc.cluster.local:6379/3"
|
|
PENPOT_ASSETS_STORAGE_BACKEND: "assets-s3"
|
|
PENPOT_STORAGE_ASSETS_S3_ENDPOINT: "http://seaweedfs-filer.storage.svc.cluster.local:8333"
|
|
PENPOT_STORAGE_ASSETS_S3_BUCKET: "penpot"
|
|
PENPOT_OIDC_BASE_URI: "https://auth.DOMAIN_SUFFIX/"
|
|
PENPOT_TELEMETRY_ENABLED: "false"
|
|
PENPOT_FLAGS: "enable-login-with-oidc disable-login-with-password disable-email-verification disable-registration enable-backend-api-doc enable-auto-file-snapshot enable-tiered-file-data-storage enable-webhooks enable-access-tokens enable-cors"
|
|
---
|
|
# ── Frontend (nginx SPA) ─────────────────────────────────────────────────────
|
|
apiVersion: apps/v1
|
|
kind: Deployment
|
|
metadata:
|
|
name: penpot-frontend
|
|
namespace: devtools
|
|
spec:
|
|
replicas: 1
|
|
selector:
|
|
matchLabels:
|
|
app: penpot-frontend
|
|
template:
|
|
metadata:
|
|
labels:
|
|
app: penpot-frontend
|
|
spec:
|
|
containers:
|
|
- name: penpot-frontend
|
|
image: penpotapp/frontend:latest
|
|
ports:
|
|
- name: http
|
|
containerPort: 8080
|
|
env:
|
|
- name: PENPOT_FLAGS
|
|
valueFrom:
|
|
configMapKeyRef:
|
|
name: penpot-config
|
|
key: PENPOT_FLAGS
|
|
- name: PENPOT_BACKEND_URI
|
|
value: "http://penpot-backend:6060"
|
|
- name: PENPOT_EXPORTER_URI
|
|
value: "http://penpot-exporter:6061"
|
|
resources:
|
|
requests:
|
|
cpu: 50m
|
|
memory: 64Mi
|
|
limits:
|
|
memory: 256Mi
|
|
---
|
|
apiVersion: v1
|
|
kind: Service
|
|
metadata:
|
|
name: penpot-frontend
|
|
namespace: devtools
|
|
spec:
|
|
selector:
|
|
app: penpot-frontend
|
|
ports:
|
|
- name: http
|
|
port: 8080
|
|
targetPort: http
|
|
---
|
|
# ── Backend (JVM API + websockets) ───────────────────────────────────────────
|
|
apiVersion: apps/v1
|
|
kind: Deployment
|
|
metadata:
|
|
name: penpot-backend
|
|
namespace: devtools
|
|
spec:
|
|
replicas: 1
|
|
selector:
|
|
matchLabels:
|
|
app: penpot-backend
|
|
template:
|
|
metadata:
|
|
labels:
|
|
app: penpot-backend
|
|
spec:
|
|
containers:
|
|
- name: penpot-backend
|
|
image: penpotapp/backend:latest
|
|
ports:
|
|
- name: http
|
|
containerPort: 6060
|
|
envFrom:
|
|
- configMapRef:
|
|
name: penpot-config
|
|
env:
|
|
- name: PENPOT_SECRET_KEY
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: penpot-app-secrets
|
|
key: secret-key
|
|
- name: PENPOT_DATABASE_PASSWORD
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: penpot-db-credentials
|
|
key: password
|
|
- name: PENPOT_OIDC_CLIENT_ID
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: oidc-penpot
|
|
key: CLIENT_ID
|
|
- name: PENPOT_OIDC_CLIENT_SECRET
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: oidc-penpot
|
|
key: CLIENT_SECRET
|
|
- name: PENPOT_STORAGE_ASSETS_S3_ACCESS_KEY_ID
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: penpot-s3-credentials
|
|
key: access-key
|
|
- name: PENPOT_STORAGE_ASSETS_S3_SECRET_ACCESS_KEY
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: penpot-s3-credentials
|
|
key: secret-key
|
|
resources:
|
|
requests:
|
|
cpu: 100m
|
|
memory: 512Mi
|
|
limits:
|
|
memory: 1Gi
|
|
---
|
|
apiVersion: v1
|
|
kind: Service
|
|
metadata:
|
|
name: penpot-backend
|
|
namespace: devtools
|
|
spec:
|
|
selector:
|
|
app: penpot-backend
|
|
ports:
|
|
- name: http
|
|
port: 6060
|
|
targetPort: http
|
|
---
|
|
# ── Exporter (headless Chromium for PDF/SVG) ─────────────────────────────────
|
|
apiVersion: apps/v1
|
|
kind: Deployment
|
|
metadata:
|
|
name: penpot-exporter
|
|
namespace: devtools
|
|
spec:
|
|
replicas: 1
|
|
selector:
|
|
matchLabels:
|
|
app: penpot-exporter
|
|
template:
|
|
metadata:
|
|
labels:
|
|
app: penpot-exporter
|
|
spec:
|
|
containers:
|
|
- name: penpot-exporter
|
|
image: penpotapp/exporter:latest
|
|
ports:
|
|
- name: http
|
|
containerPort: 6061
|
|
env:
|
|
- name: PENPOT_SECRET_KEY
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: penpot-app-secrets
|
|
key: secret-key
|
|
- name: PENPOT_PUBLIC_URI
|
|
valueFrom:
|
|
configMapKeyRef:
|
|
name: penpot-config
|
|
key: PENPOT_PUBLIC_URI
|
|
- name: PENPOT_REDIS_URI
|
|
valueFrom:
|
|
configMapKeyRef:
|
|
name: penpot-config
|
|
key: PENPOT_REDIS_URI
|
|
resources:
|
|
requests:
|
|
cpu: 50m
|
|
memory: 256Mi
|
|
limits:
|
|
memory: 512Mi
|
|
---
|
|
apiVersion: v1
|
|
kind: Service
|
|
metadata:
|
|
name: penpot-exporter
|
|
namespace: devtools
|
|
spec:
|
|
selector:
|
|
app: penpot-exporter
|
|
ports:
|
|
- name: http
|
|
port: 6061
|
|
targetPort: http
|