apps: penpot
diff --git a/core/installer/values-tmpl/penpot.jsonschema b/core/installer/values-tmpl/penpot.jsonschema
new file mode 100644
index 0000000..0824944
--- /dev/null
+++ b/core/installer/values-tmpl/penpot.jsonschema
@@ -0,0 +1,8 @@
+{
+  "type": "object",
+  "properties": {
+    "Network": { "type": "string", "default": "Public", "role": "network" },
+    "Subdomain": { "type": "string", "default": "penpot" }
+  },
+  "additionalProperties": false
+}
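Review bot: `Subdomain` is declared as an unconstrained string, yet penpot.yaml interpolates it into the ingress host, the TLS secret name and the OAuth2 redirect URI, so a value with dots, spaces or uppercase letters only fails at render or admission time, if at all. A `"pattern": "^[a-z0-9]([a-z0-9-]*[a-z0-9])?$"` on the property would reject it at validation time with a clear message. `role` is not a standard JSON Schema keyword; if the installer reads it, a `"description"` on the `Network` property saying so would help the next reader.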
diff --git a/core/installer/values-tmpl/penpot.md b/core/installer/values-tmpl/penpot.md
new file mode 100644
index 0000000..d750a90
--- /dev/null
+++ b/core/installer/values-tmpl/penpot.md
@@ -0,0 +1 @@
+Penpot application will be installed on {{ .Values.Network.Name }} network and be accessible to any user on https://{{ .Values.Subdomain }}.{{ .Values.Network.Domain }}
diff --git a/core/installer/values-tmpl/penpot.yaml b/core/installer/values-tmpl/penpot.yaml
index f40972d..ae67f39 100644
--- a/core/installer/values-tmpl/penpot.yaml
+++ b/core/installer/values-tmpl/penpot.yaml
@@ -1,3 +1,24 @@
+apiVersion: hydra.ory.sh/v1alpha1
+kind: OAuth2Client
+metadata:
+  name: penpot
+  namespace: {{ .Release.Namespace }}
+spec:
+  grantTypes:
+  - authorization_code
+  responseTypes:
+  - code
+  scope: "openid profile email"
+  secretName: oauth2-credentials # TODO(gio): config
+  redirectUris:
+  - https://{{ .Values.Subdomain }}.{{ .Values.Network.Domain }}/api/auth/oauth/oidc/callback # TODO
+  hydraAdmin:
+    endpoint: /admin/clients
+    forwardedProto: https
+    port: 80
+    url: http://hydra-admin.esrt-core-auth.svc.cluster.local
+  tokenEndpointAuthMethod: client_secret_post
+---
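Review bot: The admin address at `url: http://hydra-admin.esrt-core-auth.svc.cluster.local` hard-codes the core auth namespace, while the rest of this file templates namespaces with `{{ .Release.Namespace }}` and domains from `.Global`/`.Values`, so an installation with a different core namespace gets an OAuth2 client that is never registered. Because this endpoint creates OAuth2 clients, it is worth confirming that reaching it over plain HTTP on port 80 is covered by in-cluster TLS or a NetworkPolicy restricting who can talk to that service; the hunk does not show either. The secret name `oauth2-credentials` is also repeated verbatim as `existingSecret` in the providers hunk below, so the two must be kept in sync; the TODO already flags it, and a single templated value would remove the duplication. The redirect URI line carries a bare `# TODO` that should say what is still open, e.g. `# TODO(gio): confirm callback path against penpot's OIDC provider docs`.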
 apiVersion: helm.toolkit.fluxcd.io/v2beta1
 kind: HelmRelease
 metadata:
@@ -20,22 +41,24 @@
     frontend:
       ingress:
         enabled: true
-        className: pcloud-ingress-public
+        className: {{ .Values.Network.IngressClass }}
+        {{ if .Values.Network.CertificateIssuer }}
         annotations:
           acme.cert-manager.io/http01-edit-in-place: "true"
-          cert-manager.io/cluster-issuer: "{{ .Global.Id }}-public"
+          cert-manager.io/cluster-issuer: "{{ .Values.Network.CertificateIssuer }}"
+        {{ end }}
         hosts:
-        - "penpot.{{ .Global.Domain }}"
+        - "{{ .Values.Subdomain }}.{{ .Values.Network.Domain }}"
         tls:
         - hosts:
-          - "penpot.{{ .Global.Domain }}"
-          secretName: cert-penpot.{{ .Global.Domain }}
+          - "{{ .Values.Subdomain }}.{{ .Values.Network.Domain }}"
+          secretName: cert-{{ .Values.Subdomain }}.{{ .Values.Network.Domain }}
     persistence:
       enabled: true
     config:
-      publicURI: https://penpot.{{ .Global.Domain }}
+      publicURI: https://{{ .Values.Subdomain }}.{{ .Values.Network.Domain }}
       # flags: "enable-registration enable-login"
-      flags: "enable-registration enable-insecure-register disable-demo-users disable-demo-warning"
+      flags: "enable-login-with-oidc enable-registration enable-insecure-register disable-demo-users disable-demo-warning" # TODO(gio): remove enable-insecure-register?
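Review bot: The `tls:` stanza stays outside the new `{{ if .Values.Network.CertificateIssuer }}` guard, so when no issuer is set the ingress still references `cert-{{ .Values.Subdomain }}.{{ .Values.Network.Domain }}`, which nothing issues; either move `tls:` inside the guard or document where the secret comes from in that case. `className: {{ .Values.Network.IngressClass }}` is unquoted, so an empty expansion renders as null rather than an empty string; `className: "{{ .Values.Network.IngressClass }}"` is safer. The flags line keeps `enable-insecure-register` alongside `enable-registration` and the schema defaults `Network` to `Public`, which means self-registration without verification on an exposed host; now that `enable-login-with-oidc` is added, the TODO on this line is the right place to decide whether open registration is still wanted, and a comment stating the decision would help.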
       postgresql:
         host: penpot-postgresql.{{ .Release.Namespace }}.svc.cluster.local
         database: penpot
@@ -43,6 +66,24 @@
         password: penpot
       redis:
         host: penpot-redis-headless.{{ .Release.Namespace }}.svc.cluster.local
+      providers:
+        oidc:
+          enabled: true
+          baseURI: https://hydra.{{ .Global.Domain }}
+          clientID: ""
+          clientSecret: ""
+          authURI: ""
+          tokenURI: ""
+          userURI: ""
+          roles: ""
+          rolesAttribute: ""
+          scopes: ""
+          nameAttribute: "name"
+          emailAttribute: "email"
+        existingSecret: oauth2-credentials
+        secretKeys:
+          oidcClientIDKey: client_id
+          oidcClientSecretKey: client_secret
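Review bot: `scopes: ""` leaves the provider's scope request to penpot's default, while the OAuth2Client registered above allows only `"openid profile email"`; if the defaults differ, Hydra will reject the authorization request, so setting `scopes: "openid profile email"` explicitly keeps the two sides in step. `baseURI: https://hydra.{{ .Global.Domain }}` uses `.Global.Domain` where every other host in this file now uses `.Values.Network.Domain`; that looks intentional since Hydra is a shared service, and a one-line comment saying so would stop a future edit "fixing" it. The empty `clientID`/`clientSecret` strings are correctly overridden via `existingSecret`, which keeps credentials out of the values file; a comment such as `# credentials come from existingSecret below` would make that explicit.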
     redis:
       image:
         tag: 7.0.8-debian-11-r16