init

clusters/cl01tl/applications/penpot/Chart.yaml

@@ -0,0 +1,25 @@
+apiVersion: v2
+name: penpot
+version: 1.0.0
+sources:
+  - https://github.com/penpot/penpot
+  - https://github.com/minio/operator
+  - https://github.com/bitnami/charts/tree/main/bitnami/redis
+  - https://github.com/alexlebens/helm-charts/charts/penpot
+  - https://github.com/alexlebens/helm-charts/charts/postgres-cluster
+dependencies:
+  - name: penpot
+    version: 0.1.0
+    repository: http://alexlebens.github.io/helm-charts
+  - name: redis
+    version: 19.3.2
+    repository: https://charts.bitnami.com/bitnami
+  - name: tenant
+    version: 5.0.15
+    alias: minio
+    repository: https://operator.min.io/
+  - name: postgres-cluster
+    alias: postgres-16-cluster
+    version: 3.0.0
+    repository: http://alexlebens.github.io/helm-charts
+appVersion: 2.0.0

clusters/cl01tl/applications/penpot/templates/external-secret.yaml

@@ -0,0 +1,169 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: penpot-key-secret
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: penpot-key-secret
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: web
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  data:
+    - secretKey: key
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /penpot/key
+        metadataPolicy: None
+        property: key
+
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: penpot-oidc-secret
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: penpot-oidc-secret
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: auth
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  data:
+    - secretKey: client
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /authentik/oidc/penpot
+        metadataPolicy: None
+        property: client
+    - secretKey: secret
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /authentik/oidc/penpot
+        metadataPolicy: None
+        property: secret
+
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: penpot-bucket-user-secret
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: penpot-bucket-user-secret
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: storage
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  data:
+    - secretKey: AWS_ACCESS_KEY_ID
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /penpot/minio/auth
+        metadataPolicy: None
+        property: AWS_ACCESS_KEY_ID
+    - secretKey: AWS_SECRET_ACCESS_KEY
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /penpot/minio/auth
+        metadataPolicy: None
+        property: AWS_SECRET_ACCESS_KEY
+
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: penpot-minio-root-secret
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: penpot-bucket-auth-secret
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: storage
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  data:
+    - secretKey: config.env
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /penpot/minio/root
+        metadataPolicy: None
+        property: config.env
+
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: penpot-minio-config-secret
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: penpot-minio-config-secret
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: storage
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  data:
+    - secretKey: config.env
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /penpot/minio/config
+        metadataPolicy: None
+        property: config.env
+
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: penpot-postgresql-16-cluster-backup-secret
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: penpot-postgresql-16-cluster-backup-secret
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: database
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  data:
+    - secretKey: ACCESS_KEY_ID
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /aws/keys/cl01tl-penpot-postgresql
+        metadataPolicy: None
+        property: access_key
+    - secretKey: ACCESS_SECRET_KEY
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /aws/keys/cl01tl-penpot-postgresql
+        metadataPolicy: None
+        property: secret_key

clusters/cl01tl/applications/penpot/values.yaml

@@ -0,0 +1,135 @@
+penpot:
+  ingress:
+    enabled: true
+    annotations:
+      traefik.ingress.kubernetes.io/router.entrypoints: websecure
+      traefik.ingress.kubernetes.io/router.tls: "true"
+      cert-manager.io/cluster-issuer: letsencrypt-issuer
+    hosts:
+      - host: penpot.alexlebens.net
+    tls:
+      - secretName: penpot-secret-tls
+        hosts:
+          - penpot.alexlebens.net
+  persistence:
+    enabled: true
+    storageClass: ceph-block
+    size: 8Gi
+    accessModes:
+      - ReadWriteOnce
+  config:
+    publicURI: https://penpot.alexlebens.net
+    flags: enable-registration enable-insecure-register enable-login enable-login-with-oidc disable-demo-users disable-demo-warning
+    apiSecretKey:
+      existingSecretName: penpot-key-secret
+      existingSecretKey: key
+    postgresql:
+      host: penpot-postgresql-16-cluster-rw.penpot.svc.cluster.local
+      port: 5432
+      database: app
+      existingSecret: penpot-postgresql-16-cluster-app
+      secretKeys:
+        usernameKey: username
+        passwordKey: password
+    redis:
+      host: penpot-redis-headless.penpot.svc.cluster.local
+      port: 6379
+      database: 0
+    assets:
+      storageBackend: assets-s3
+      s3:
+        region: us-east-1
+        bucket: penpot
+        endpointURI: https://minio-penpot-api.alexlebens.net/penpot
+        existingSecret: penpot-bucket-user-secret
+        secretKeys:
+          accessKeyIDKey: AWS_ACCESS_KEY_ID
+          secretAccessKey: AWS_SECRET_ACCESS_KEY
+    telemetryEnabled: false
+    providers:
+      oidc:
+        enabled: true
+        baseURI: https://authentik.alexlebens.net/application/o/
+        authURI: https://authentik.alexlebens.net/application/o/authorize/
+        tokenURI: https://authentik.alexlebens.net/application/o/token/
+        userURI: https://authentik.alexlebens.net/application/o/userinfo/
+        roles: ""
+        rolesAttribute: ""
+        scopes: "openid profile email"
+        nameAttribute: preferred_username
+        emailAttribute: email
+      existingSecret: penpot-oidc-secret
+      secretKeys:
+        oidcClientIDKey: client
+        oidcClientSecretKey: secret
+redis:
+  architecture: standalone
+  auth:
+    enabled: false
+minio:
+  existingSecret:
+    name: penpot-minio-root-secret
+  tenant:
+    name: minio-penpot
+    configuration:
+      name: penpot-minio-config-secret
+    pools:
+      - servers: 3
+        name: pool
+        volumesPerServer: 2
+        size: 10Gi
+        storageClassName: ceph-block
+    mountPath: /export
+    subPath: /data
+    metrics:
+      enabled: true
+      port: 9000
+      protocol: http
+    certificate:
+      requestAutoCert: false
+  ingress:
+    api:
+      enabled: true
+      ingressClassName: traefik
+      annotations:
+        traefik.ingress.kubernetes.io/router.entrypoints: websecure
+        traefik.ingress.kubernetes.io/router.tls: "true"
+        cert-manager.io/cluster-issuer: letsencrypt-issuer
+      tls:
+        - secretName: minio-penpot-api-secret-tls
+          hosts:
+            - minio-penpot-api.alexlebens.net
+      host: minio-penpot-api.alexlebens.net
+      path: /
+      pathType: Prefix
+    console:
+      enabled: true
+      ingressClassName: traefik
+      annotations:
+        traefik.ingress.kubernetes.io/router.entrypoints: websecure
+        traefik.ingress.kubernetes.io/router.tls: "true"
+        cert-manager.io/cluster-issuer: letsencrypt-issuer
+      tls:
+        - secretName: minio-penpot-console-secret-tls
+          hosts:
+            - minio-penpot.alexlebens.net
+      host: minio-penpot.alexlebens.net
+      path: /
+      pathType: Prefix
+postgres-16-cluster:
+  mode: standalone
+  kubernetesClusterName: cl01tl
+  cluster:
+    walStorage:
+      storageClass: local-path
+    storage:
+      storageClass: local-path
+    monitoring:
+      enabled: true
+  backup:
+    enabled: true
+    endpointURL: https://s3.us-east-2.amazonaws.com
+    destinationPath: s3://cl01tl-postgresql-backups/penpot
+    endpointCredentials: penpot-postgresql-16-cluster-backup-secret
+    backupIndex: 1
+    retentionPolicy: 14d