core/installer/values-tmpl/penpot.yaml

apiVersion: hydra.ory.sh/v1alpha1
kind: OAuth2Client
metadata:
  name: penpot
  namespace: {{ .Release.Namespace }}
spec:
  grantTypes:
  - authorization_code
  responseTypes:
  - code
  scope: "openid profile email"
  secretName: oauth2-credentials # TODO(gio): config
  redirectUris:
  - https://{{ .Values.Subdomain }}.{{ .Values.Network.Domain }}/api/auth/oauth/oidc/callback # TODO
  hydraAdmin:
    endpoint: /admin/clients
    forwardedProto: https
    port: 80
    url: http://hydra-admin.esrt-core-auth.svc.cluster.local
  tokenEndpointAuthMethod: client_secret_post
---
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
  name: penpot
  namespace: {{ .Release.Namespace }}
spec:
  chart:
    spec:
      chart: charts/penpot
      sourceRef:
        kind: GitRepository
        name: pcloud
        namespace: {{ .Global.Id }}
  interval: 1m0s
  values:
    global:
      postgresqlEnabled: true
      redisEnabled: true
    fullnameOverride: penpot
    frontend:
      ingress:
        enabled: true
        className: {{ .Values.Network.IngressClass }}
        {{ if .Values.Network.CertificateIssuer }}
        annotations:
          acme.cert-manager.io/http01-edit-in-place: "true"
          cert-manager.io/cluster-issuer: "{{ .Values.Network.CertificateIssuer }}"
        {{ end }}
        hosts:
        - "{{ .Values.Subdomain }}.{{ .Values.Network.Domain }}"
        tls:
        - hosts:
          - "{{ .Values.Subdomain }}.{{ .Values.Network.Domain }}"
          secretName: cert-{{ .Values.Subdomain }}.{{ .Values.Network.Domain }}
    persistence:
      enabled: true
    config:
      publicURI: https://{{ .Values.Subdomain }}.{{ .Values.Network.Domain }}
      # flags: "enable-registration enable-login"
      flags: "enable-login-with-oidc enable-registration enable-insecure-register disable-demo-users disable-demo-warning" # TODO(gio): remove enable-insecure-register?
      postgresql:
        host: penpot-postgresql.{{ .Release.Namespace }}.svc.cluster.local
        database: penpot
        username: penpot
        password: penpot
      redis:
        host: penpot-redis-headless.{{ .Release.Namespace }}.svc.cluster.local
      providers:
        oidc:
          enabled: true
          baseURI: https://hydra.{{ .Global.Domain }}
          clientID: ""
          clientSecret: ""
          authURI: ""
          tokenURI: ""
          userURI: ""
          roles: ""
          rolesAttribute: ""
          scopes: ""
          nameAttribute: "name"
          emailAttribute: "email"
        existingSecret: oauth2-credentials
        secretKeys:
          oidcClientIDKey: client_id
          oidcClientSecretKey: client_secret
    redis:
      image:
        tag: 7.0.8-debian-11-r16
    postgresql:
      image:
        tag: 15.3.0-debian-11-r16
      auth:
        username: penpot
        password: penpot
        database: penpot