penpot: defaultPodOptions: securityContext: fsGroup: 1001 affinity: podAffinity: requiredDuringSchedulingIgnoredDuringExecution: - labelSelector: matchExpressions: - key: app.kubernetes.io/instance operator: In values: - penpot topologyKey: "kubernetes.io/hostname" controllers: frontend: type: deployment replicas: 1 strategy: Recreate revisionHistoryLimit: 3 containers: main: image: repository: penpotapp/frontend tag: 2.1.1 pullPolicy: IfNotPresent env: - name: PENPOT_PUBLIC_URI value: https://penpot-cl01tl.boreal-beaufort.ts.net - name: PENPOT_FLAGS value: enable-registration enable-insecure-register enable-login enable-login-with-oidc disable-demo-users disable-demo-warning - name: PENPOT_SECRET_KEY valueFrom: secretKeyRef: name: penpot-key-secret key: key - name: PENPOT_DATABASE_URI value: postgresql://penpot-postgresql-16-cluster-rw:5432/app - name: PENPOT_DATABASE_USERNAME valueFrom: secretKeyRef: name: penpot-postgresql-16-cluster-app key: username - name: PENPOT_DATABASE_PASSWORD valueFrom: secretKeyRef: name: penpot-postgresql-16-cluster-app key: password - name: PENPOT_REDIS_URI value: redis://penpot-valkey-master.penpot.svc.cluster.local:6379/0 - name: PENPOT_ASSETS_STORAGE_BACKEND value: assets-s3 - name: PENPOT_STORAGE_ASSETS_S3_REGION value: us-east-1 - name: PENPOT_STORAGE_ASSETS_S3_BUCKET value: penpot - name: PENPOT_STORAGE_ASSETS_S3_ENDPOINT value: https://penpot-storage-cl01tl.boreal-beaufort.ts.net - name: PENPOT_TELEMETRY_ENABLED value: false - name: PENPOT_OIDC_BASE_URI value: https://auth-cl01tl.boreal-beaufort.ts.net/application/o/ - name: PENPOT_OIDC_CLIENT_ID valueFrom: secretKeyRef: name: penpot-oidc-secret key: client - name: PENPOT_OIDC_CLIENT_SECRET valueFrom: secretKeyRef: name: penpot-oidc-secret key: secret - name: PENPOT_OIDC_AUTH_URI value: https://auth-cl01tl.boreal-beaufort.ts.net/application/o/authorize/ - name: PENPOT_OIDC_TOKEN_URI value: https://auth-cl01tl.boreal-beaufort.ts.net/application/o/token/ - name: PENPOT_OIDC_USER_URI value: https://auth-cl01tl.boreal-beaufort.ts.net/application/o/userinfo/ - name: PENPOT_OIDC_SCOPES value: "openid profile email" - name: PENPOT_OIDC_NAME_ATTR value: preferred_username - name: PENPOT_OIDC_EMAIL_ATTR value: email envFrom: - secretRef: name: penpot-bucket-user-secret resources: requests: cpu: 100m memory: 128Mi backend: type: deployment replicas: 1 strategy: Recreate revisionHistoryLimit: 3 containers: main: image: repository: penpotapp/backend tag: 2.1.1 pullPolicy: IfNotPresent env: - name: PENPOT_PUBLIC_URI value: https://penpot-cl01tl.boreal-beaufort.ts.net - name: PENPOT_FLAGS value: enable-registration enable-insecure-register enable-login enable-login-with-oidc disable-demo-users disable-demo-warning - name: PENPOT_SECRET_KEY valueFrom: secretKeyRef: name: penpot-key-secret key: key - name: PENPOT_DATABASE_URI value: postgresql://penpot-postgresql-16-cluster-rw:5432/app - name: PENPOT_DATABASE_USERNAME valueFrom: secretKeyRef: name: penpot-postgresql-16-cluster-app key: username - name: PENPOT_DATABASE_PASSWORD valueFrom: secretKeyRef: name: penpot-postgresql-16-cluster-app key: password - name: PENPOT_REDIS_URI value: redis://penpot-valkey-master.penpot.svc.cluster.local:6379/0 - name: PENPOT_ASSETS_STORAGE_BACKEND value: assets-s3 - name: PENPOT_STORAGE_ASSETS_S3_REGION value: us-east-1 - name: PENPOT_STORAGE_ASSETS_S3_BUCKET value: penpot - name: PENPOT_STORAGE_ASSETS_S3_ENDPOINT value: https://penpot-storage-cl01tl.boreal-beaufort.ts.net - name: PENPOT_TELEMETRY_ENABLED value: false - name: PENPOT_OIDC_BASE_URI value: https://auth-cl01tl.boreal-beaufort.ts.net/application/o/ - name: PENPOT_OIDC_CLIENT_ID valueFrom: secretKeyRef: name: penpot-oidc-secret key: client - name: PENPOT_OIDC_CLIENT_SECRET valueFrom: secretKeyRef: name: penpot-oidc-secret key: secret - name: PENPOT_OIDC_AUTH_URI value: https://auth-cl01tl.boreal-beaufort.ts.net/application/o/authorize/ - name: PENPOT_OIDC_TOKEN_URI value: https://auth-cl01tl.boreal-beaufort.ts.net/application/o/token/ - name: PENPOT_OIDC_USER_URI value: https://auth-cl01tl.boreal-beaufort.ts.net/application/o/userinfo/ - name: PENPOT_OIDC_SCOPES value: "openid profile email" - name: PENPOT_OIDC_NAME_ATTR value: preferred_username - name: PENPOT_OIDC_EMAIL_ATTR value: email envFrom: - secretRef: name: penpot-bucket-user-secret securityContext: runAsUser: 1001 allowPrivilegeEscalation: false capabilities: drop: - ALL readOnlyRootFilesystem: false runAsNonRoot: true resources: requests: cpu: 100m memory: 1Gi exporter: type: deployment replicas: 1 strategy: Recreate revisionHistoryLimit: 3 containers: main: image: repository: penpotapp/exporter tag: 2.1.1 pullPolicy: IfNotPresent env: - name: PENPOT_PUBLIC_URI value: https://penpot-cl01tl.boreal-beaufort.ts.net - name: PENPOT_FLAGS value: enable-registration enable-insecure-register enable-login enable-login-with-oidc disable-demo-users disable-demo-warning - name: PENPOT_SECRET_KEY valueFrom: secretKeyRef: name: penpot-key-secret key: key - name: PENPOT_DATABASE_URI value: postgresql://penpot-postgresql-16-cluster-rw:5432/app - name: PENPOT_DATABASE_USERNAME valueFrom: secretKeyRef: name: penpot-postgresql-16-cluster-app key: username - name: PENPOT_DATABASE_PASSWORD valueFrom: secretKeyRef: name: penpot-postgresql-16-cluster-app key: password - name: PENPOT_REDIS_URI value: redis://penpot-valkey-master.penpot.svc.cluster.local:6379/0 - name: PENPOT_ASSETS_STORAGE_BACKEND value: assets-s3 - name: PENPOT_STORAGE_ASSETS_S3_REGION value: us-east-1 - name: PENPOT_STORAGE_ASSETS_S3_BUCKET value: penpot - name: PENPOT_STORAGE_ASSETS_S3_ENDPOINT value: https://penpot-storage-cl01tl.boreal-beaufort.ts.net - name: PENPOT_TELEMETRY_ENABLED value: false - name: PENPOT_OIDC_BASE_URI value: https://auth-cl01tl.boreal-beaufort.ts.net/application/o/ - name: PENPOT_OIDC_CLIENT_ID valueFrom: secretKeyRef: name: penpot-oidc-secret key: client - name: PENPOT_OIDC_CLIENT_SECRET valueFrom: secretKeyRef: name: penpot-oidc-secret key: secret - name: PENPOT_OIDC_AUTH_URI value: https://auth-cl01tl.boreal-beaufort.ts.net/application/o/authorize/ - name: PENPOT_OIDC_TOKEN_URI value: https://auth-cl01tl.boreal-beaufort.ts.net/application/o/token/ - name: PENPOT_OIDC_USER_URI value: https://auth-cl01tl.boreal-beaufort.ts.net/application/o/userinfo/ - name: PENPOT_OIDC_SCOPES value: "openid profile email" - name: PENPOT_OIDC_NAME_ATTR value: preferred_username - name: PENPOT_OIDC_EMAIL_ATTR value: email envFrom: - secretRef: name: penpot-bucket-user-secret securityContext: runAsUser: 1001 allowPrivilegeEscalation: false capabilities: drop: - ALL readOnlyRootFilesystem: false runAsNonRoot: true resources: requests: cpu: 100m memory: 256Mi serviceAccount: create: true service: frontend: controller: frontend ports: http: port: 80 targetPort: 80 protocol: HTTP backend: controller: backend ports: http: port: 6060 targetPort: 6060 protocol: HTTP exporter: controller: exporter ports: http: port: 6061 targetPort: 6061 protocol: HTTP ingress: tailscale: enabled: true className: tailscale hosts: - host: penpot-cl01tl paths: - path: / pathType: Prefix service: name: penpot-frontend port: 80 - path: /api pathType: Prefix service: name: penpot-backend port: 6060 - path: /api/export pathType: Prefix service: name: penpot-exporter port: 6061 - path: /assets pathType: Prefix service: name: penpot-backend port: 6060 - path: /ws/notifications pathType: Prefix service: name: penpot-backend port: 6060 tls: - hosts: - penpot-cl01tl persistence: data: storageClass: ceph-block accessMode: ReadWriteOnce size: 8Gi retain: true advancedMounts: frontend: main: - path: /opt/data readOnly: false backend: main: - path: /opt/data readOnly: false config: enabled: true type: configMap name: penpot-frontend-nginx advancedMounts: frontend: main: - path: /etc/nginx/nginx.conf readOnly: true mountPropagation: None subPath: nginx.conf valkey: architecture: standalone auth: enabled: false minio: existingSecret: name: penpot-minio-root-secret tenant: name: minio-penpot configuration: name: penpot-minio-config-secret pools: - servers: 3 name: pool volumesPerServer: 2 size: 10Gi storageClassName: ceph-block mountPath: /export subPath: /data metrics: enabled: true port: 9000 protocol: http certificate: requestAutoCert: false ingress: api: enabled: true ingressClassName: tailscale annotations: tailscale.com/experimental-forward-cluster-traffic-via-ingress: "true" tls: - secretName: penpot-storage-cl01tl hosts: - penpot-storage-cl01tl host: penpot-storage-cl01tl path: / pathType: Prefix console: enabled: true ingressClassName: tailscale tls: - secretName: minio-penpot-cl01tl hosts: - minio-penpot-cl01tl host: minio-penpot-cl01tl path: / pathType: Prefix postgres-16-cluster: mode: standalone cluster: walStorage: storageClass: local-path storage: storageClass: local-path monitoring: enabled: true prometheusRule: enabled: false backup: enabled: true endpointURL: https://s3.us-east-2.amazonaws.com destinationPath: s3://cl01tl-postgresql-backups/penpot endpointCredentials: penpot-postgresql-16-cluster-backup-secret backupIndex: 1 retentionPolicy: 14d