diff --git a/README.org b/README.org index c4e50db..71c3911 100644 --- a/README.org +++ b/README.org 
@@ -48,13 +48,47 @@ Below you'll find an overview of the charts and an intro to get you started. - [[charts/][Dispatch]]: A incident management and coordination system developed by Netflix. -- [[charts/foundationdb][FoundationDB]] (=fdb-operator=): Distributed database with ACID transactions developed by Apple. +- [[charts/foundationdb][FoundationDB]] (=fdb-operator=): Distributed database with ACID transactions developed by Apple. + This buils and deploys, but I don't actively use it at the moment. - [[charts/hasura-engine][Hasura]]: Connects to databases and services to provide a realtime GraphQL API. - [[charts/netbox][Netbox]]: Modeling and docs for IP address management (IPAM) and datacenter infrastructure management (DCIM). +- [[charts/penpot][Penpot]]: Design and prototyping tool. For visual collaboration on visuals, prototypes, UX and more. + +*** Requirements + +You may need the following: + +* S3 compatible storage +* PostgreSQL + +All tests are run on the latest version of Kubernetes and Helm and no consideration is taken to vendor-specific +implementations. + +*** Principles + +So what makes this repo different from others? It is KISS and Safe of course. + +- All secrets and ingresses are defined in a secret external from the chart +- We expect that an ingress terminates external connection and TLS +- Always use object storage over block storage when possible +- Never rely on vendor-specific components +- We prefer open source +- We never leave room for plaintext secrets, a sane default +- We always leave for initContainers +- We use as few values as possible in values.yaml +- Always use external databases and transports +- We always configure for OIDC when possible +- A values file should be possible to read up on in minutes +- We only support the current major version of Kubernetes and the application +- Always enable service accounts +- Use semver for versioning + +If you see a chart that does not comply with these principles, please open an issue. 
+ *** 🧑‍💻 Usage **** Exploration diff --git a/charts/attic/Chart.yaml b/charts/attic/Chart.yaml index 336e45c..65f2aea 100644 --- a/charts/attic/Chart.yaml +++ b/charts/attic/Chart.yaml @@ -1,12 +1,11 @@ ---- apiVersion: v2 name: attic-repo description: A Nix binary caching server appVersion: b43d12 type: application -version: 0.5 +version: 0.5.0 maintainers: - - name: Tommy Skaug - email: tommy@skaug.me +- name: Tommy Skaug + email: tommy@skaug.me diff --git a/charts/conduit/Chart.yaml b/charts/conduit/Chart.yaml index 46a3a6b..fa1a54b 100644 --- a/charts/conduit/Chart.yaml +++ b/charts/conduit/Chart.yaml @@ -4,3 +4,6 @@ description: Conduit is a simple, fast and reliable chat server powered by Matri type: application version: 0.2.9 appVersion: "0.6.0" +maintainers: +- name: Tommy Skaug + email: tommy@skaug.me diff --git a/charts/dispatch/Chart.yaml b/charts/dispatch/Chart.yaml index 81b8caf..5910a39 100644 --- a/charts/dispatch/Chart.yaml +++ b/charts/dispatch/Chart.yaml @@ -1,4 +1,7 @@ apiVersion: v2 name: dispatch description: Netflix Dispatch incident management system -version: 0.3.2 \ No newline at end of file +version: 0.3.2 +maintainers: +- name: Tommy Skaug + email: tommy@skaug.me diff --git a/charts/fdb-operator/Chart.yaml b/charts/fdb-operator/Chart.yaml index 03f7e93..98df70d 100644 --- a/charts/fdb-operator/Chart.yaml +++ b/charts/fdb-operator/Chart.yaml 
@@ -4,20 +4,9 @@ description: A Helm chart for foundationDB operator home: https://www.foundationdb.org/ sources: - https://github.com/FoundationDB/fdb-kubernetes-operator/tree/master/helm/fdb-operator -# A chart can be either an 'application' or a 'library' chart. -# -# Application charts are a collection of templates that can be packaged into versioned archives -# to be deployed. -# -# Library charts provide useful utilities or functions for the chart developer. They're included as -# a dependency of application charts to inject those utilities and functions into the rendering -# pipeline. Library charts do not define any templates and therefore cannot be deployed. type: application -# This is the chart version. This version number should be incremented each time you make changes -# to the chart and its templates, including the app version. version: 0.2.2 -# This is the version number of the application being deployed. This version number should be -# incremented each time you make changes to the application. appVersion: v1.30.0 maintainers: -- name: "foundationdb-ci" +- name: Tommy Skaug + email: tommy@skaug.me diff --git a/charts/hasura-engine/Chart.yaml b/charts/hasura-engine/Chart.yaml index b97a628..26676b3 100644 --- a/charts/hasura-engine/Chart.yaml +++ b/charts/hasura-engine/Chart.yaml @@ -2,4 +2,7 @@ apiVersion: v2 name: hasura-engine description: GraphQL Engine to make data accessible over a GraphQL API type: application -version: 0.1.2 \ No newline at end of file +version: 0.1.2 +maintainers: +- name: Tommy Skaug + email: tommy@skaug.me diff --git a/charts/netbox/Chart.yaml b/charts/netbox/Chart.yaml index a4ac3af..d62566b 100644 --- a/charts/netbox/Chart.yaml +++ b/charts/netbox/Chart.yaml @@ -1,4 +1,3 @@ ---- apiVersion: v2 name: netbox description: | @@ -12,5 +11,5 @@ appVersion: 3.6.3 type: application version: 5.5.3 maintainers: - - name: Tommy Skaug - email: tommy@skaug.me +- name: Tommy Skaug + email: tommy@skaug.me 
diff --git a/charts/penpot/.helmignore b/charts/penpot/.helmignore new file mode 100644 index 0000000..0e8a0eb --- /dev/null +++ b/charts/penpot/.helmignore @@ -0,0 +1,23 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/charts/penpot/Chart.yaml b/charts/penpot/Chart.yaml new file mode 100644 index 0000000..b25cd31 --- /dev/null +++ b/charts/penpot/Chart.yaml @@ -0,0 +1,16 @@ +name: penpot +maintainers: +- name: Tommy Skaug + email: tommy@skaug.me +apiVersion: v2 +appVersion: 1.19.3 +version: 2.0.0 +description: Penpot is a design and prototyping platform for teams and individuals. +home: https://github.com/tommy-skaug/charts +icon: https://avatars.githubusercontent.com/u/30179644?s=200&v=4 +keywords: +- kubernetes +- penpot +- design +sources: +- https://github.com/penpot/penpot diff --git a/charts/penpot/templates/_helpers.tpl b/charts/penpot/templates/_helpers.tpl new file mode 100644 index 0000000..97aeedf --- /dev/null +++ b/charts/penpot/templates/_helpers.tpl 
@@ -0,0 +1,57 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "penpot.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "penpot.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "penpot.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Common labels. +*/}} +{{- define "penpot.labels" -}} +helm.sh/chart: {{ include "penpot.chart" . }} +app.kubernetes.io/name: {{ include "penpot.name" . }}-frontend +app.kubernetes.io/instance: {{ .Release.Name }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + + +{{/* +Create the name of the service account to use. +*/}} +{{- define "penpot.serviceAccountName" -}} +{{- if .Values.serviceAccount.enabled -}} + {{ default (include "penpot.fullname" .) .Values.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.serviceAccount.name }} +{{- end -}} +{{- end -}} diff --git a/charts/penpot/templates/deployment-backend.yaml b/charts/penpot/templates/deployment-backend.yaml new file mode 100644 index 0000000..f1f21a1 --- /dev/null 
+++ b/charts/penpot/templates/deployment-backend.yaml @@ -0,0 +1,62 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "penpot.fullname" . }}-backend + namespace: {{ .Release.Namespace }} + labels: + {{- include "penpot.labels" . | nindent 4 }} +spec: + replicas: {{ .Values.backend.replicaCount }} + selector: + matchLabels: + {{- include "penpot.backendSelectorLabels" . | nindent 6 }} + template: + metadata: + labels: + {{- include "penpot.backendSelectorLabels" . | nindent 8 }} + spec: + serviceAccountName: {{ include "penpot.serviceAccountName" . }} + securityContext: + podSecurityContext: + enabled: true + fsGroup: 1001 + + containers: + - name: {{ .Chart.Name }}-backend + image: + repository: "penpotapp/backend:{{ .Values.penpotVersion.tag }}" + imagePullPolicy: IfNotPresent + containerSecurityContext: + enabled: true + runAsUser: 1001 + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: false + runAsNonRoot: true + volumeMounts: + - mountPath: /opt/data + name: app-data + readOnly: false + env: + - name: PENPOT_PUBLIC_URI + value: {{ .Values.config.publicURI | quote }} + - name: PENPOT_FLAGS + value: "$PENPOT_FLAGS {{ .Values.config.flags }}" + - name: PENPOT_TELEMETRY_ENABLED + value: false + - name: PENPOT_REGISTRATION_DOMAIN_WHITELIST + value: {{ .Values.registrationDomainWhitelist | quote }} + envFrom: + - secretRef: + name: {{ .Values.envFromSecret }} + ports: + - name: http + containerPort: 6060 + protocol: TCP + resources: + {{- toYaml .Values.backend.resources | nindent 12 }} + volumes: + - name: app-data + emptyDir: {} diff --git a/charts/penpot/templates/deployment-exporter.yaml b/charts/penpot/templates/deployment-exporter.yaml new file mode 100644 index 0000000..05ba6db --- /dev/null +++ b/charts/penpot/templates/deployment-exporter.yaml 
@@ -0,0 +1,49 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "penpot.fullname" . }}-exporter + namespace: {{ .Release.Namespace }} + labels: + {{- include "penpot.labels" . | nindent 4 }} +spec: + replicas: {{ .Values.exporter.replicaCount }} + template: + spec: + serviceAccountName: {{ include "penpot.serviceAccountName" . }} + securityContext: + podSecurityContext: + enabled: true + fsGroup: 1001 + + readOnlyRootFilesystem: false + runAsNonRoot: true + containers: + - name: {{ .Chart.Name }}-exporter + image: + repository: "penpotapp/exporter:{{ .Values.penpotVersion.tag }}" + imagePullPolicy: IfNotPresent + containerSecurityContext: + enabled: true + runAsUser: 1001 + allowPrivilegeEscalation: false + capabilities: + drop: + - all + env: + - name: PENPOT_PUBLIC_URI + value: {{ .Values.config.publicURI | quote }} + - name: PENPOT_FLAGS + value: "$PENPOT_FLAGS {{ .Values.config.flags }}" + - name: PENPOT_TELEMETRY_ENABLED + value: false + - name: PENPOT_REGISTRATION_DOMAIN_WHITELIST + value: {{ .Values.registrationDomainWhitelist | quote }} + envFrom: + - secretRef: + name: {{ .Values.envFromSecret }} + ports: + - name: http + containerPort: 6061 + protocol: TCP + resources: + {{- toYaml .Values.frontend.resources | nindent 12 }} diff --git a/charts/penpot/templates/deployment-frontend.yaml b/charts/penpot/templates/deployment-frontend.yaml new file mode 100644 index 0000000..ef97abd --- /dev/null +++ b/charts/penpot/templates/deployment-frontend.yaml 
@@ -0,0 +1,48 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "penpot.fullname" . }}-frontend + namespace: {{ .Release.Namespace }} + labels: + {{- include "penpot.labels" . | nindent 4 }} +spec: + replicas: {{ .Values.frontend.replicaCount }} + template: + spec: + serviceAccountName: {{ include "penpot.serviceAccountName" . }} + securityContext: + podSecurityContext: + enabled: true + fsGroup: 1001 + containers: + - name: {{ .Chart.Name }}-frontend + image: "penpotapp/frontend:{{ .Values.penpotVersion.tag }}" + imagePullPolicy: IfNotPresent + containerSecurityContext: + enabled: true + runAsUser: 1001 + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: false + runAsNonRoot: true + env: + - name: PENPOT_PUBLIC_URI + value: {{ .Values.config.publicURI | quote }} + - name: PENPOT_FLAGS + value: "$PENPOT_FLAGS {{ .Values.config.flags }}" + - name: PENPOT_TELEMETRY_ENABLED + value: false + - name: PENPOT_REGISTRATION_DOMAIN_WHITELIST + value: {{ .Values.registrationDomainWhitelist | quote }} + envFrom: + - secretRef: + name: {{ .Values.envFromSecret }} + ports: + - name: http + containerPort: 80 + protocol: TCP + resources: + {{- toYaml .Values.frontend.resources | nindent 12 }} + diff --git a/charts/penpot/templates/serviceaccount.yaml b/charts/penpot/templates/serviceaccount.yaml new file mode 100644 index 0000000..f8a960e --- /dev/null +++ b/charts/penpot/templates/serviceaccount.yaml @@ -0,0 +1,5 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "penpot.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} diff --git a/charts/penpot/templates/services.yaml b/charts/penpot/templates/services.yaml new file mode 100644 index 0000000..0804fd9 --- /dev/null +++ b/charts/penpot/templates/services.yaml 
@@ -0,0 +1,38 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ include "penpot.fullname" . }}-frontend + namespace: {{ .Release.Namespace }} +spec: + type: ClusterIP + ports: + - port: 80 + targetPort: http + protocol: TCP + name: http +--- +apiVersion: v1 +kind: Service +metadata: + name: {{ include "penpot.fullname" . }}-exporter + namespace: {{ .Release.Namespace }} +spec: + type: ClusterIP + ports: + - port: 6061 + targetPort: http + protocol: TCP + name: http +--- +apiVersion: v1 +kind: Service +metadata: + name: {{ include "penpot.fullname" . }}-backend + namespace: {{ .Release.Namespace }} +spec: + type: ClusterIP + ports: + - port: 6060 + targetPort: http + protocol: TCP + name: http \ No newline at end of file diff --git a/charts/penpot/values.yaml b/charts/penpot/values.yaml new file mode 100644 index 0000000..d3845f8 --- /dev/null +++ b/charts/penpot/values.yaml @@ -0,0 +1,27 @@ +envFromSecret: penpot-secret +penpotVersion: 1.19.3 + +publicURI: "http://localhost:8080" +registrationDomainWhitelist: "localhost" +flags: "enable-registration enable-login disable-demo-users disable-demo-warning disable-secure-session-cookies" + +serviceAccount: + name: "penpot-sa" + +backend: + replicaCount: 1 + resources: + limits: {} + requests: {} + +frontend: + replicaCount: 1 + resources: + limits: {} + requests: {} + +exporter: + replicaCount: 1 + resources: + limits: {} + requests: {}
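Review bot: In the README.org hunk, "This buils and deploys" should read "builds", and the Requirements list uses `*` bullets at column 0, which org-mode parses as level-1 headings rather than list items; use `-` bullets as the rest of the file does. Two of the principles are hard to act on: "We always leave for initContainers" is missing a word (presumably "leave room for"), and "All secrets and ingresses are defined in a secret external from the chart" reads as if ingresses live in a Secret; stating that secrets come from an externally managed Secret and that ingresses are defined outside the chart would be clearer.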
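Review bot: In the fdb-operator Chart.yaml hunk the maintainer entry and comments change but `version: 0.2.2` is left as-is; the same applies to the conduit, dispatch, hasura-engine and netbox hunks, which add a maintainers block without bumping `version`. Helm repositories index charts by version, so a re-packaged chart with an unchanged version will either be skipped or collide with the already published one; bump the patch version in each, as the README's "Use semver for versioning" principle suggests (the attic hunk's `0.5` to `0.5.0` change is the right direction).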
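Review bot: In the _helpers.tpl hunk there is no definition of `penpot.backendSelectorLabels`, yet deployment-backend.yaml includes it, so `helm template` aborts with an undefined-template error; add it (and matching frontend/exporter selector helpers so every Deployment and Service can select its own pods). `penpot.labels` also hardcodes `app.kubernetes.io/name: {{ include "penpot.name" . }}-frontend`, so the backend and exporter Deployments are labelled as the frontend; either drop the suffix or pass the component name in. Finally, `penpot.serviceAccountName` branches on `.Values.serviceAccount.enabled`, which values.yaml never sets, so the `else` branch is always taken.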
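Review bot: In the deployment-backend.yaml hunk the container `image:` is written as a map with a `repository:` child, but `image` must be a string (the frontend template's `image: "penpotapp/frontend:{{ ... }}"` form is the correct one). The `securityContext: podSecurityContext: enabled: true` and `containerSecurityContext: enabled: true` blocks are values-file conventions, not API fields: the pod level should be `securityContext:` with `fsGroup: 1001` directly under it, and the container level should be `securityContext:` with `runAsUser`, `runAsNonRoot`, `allowPrivilegeEscalation`, `capabilities` and `readOnlyRootFilesystem` under it, with `drop: - ALL` in upper case as the API documents. `PENPOT_TELEMETRY_ENABLED` has `value: false`, which the API server rejects because env values must be strings; quote it. `"$PENPOT_FLAGS {{ .Values.config.flags }}"` will not be expanded by Kubernetes (only `$(VAR)` referring to a variable defined earlier in the list is), so the literal `$PENPOT_FLAGS` text reaches the container. The template also reads `.Values.penpotVersion.tag`, `.Values.config.publicURI` and `.Values.config.flags`, none of which exist in values.yaml, so rendering fails with a nil-pointer evaluation. Lastly, `/opt/data` is an `emptyDir`, so uploaded assets are lost on every pod restart, while the README lists S3-compatible storage as a requirement but nothing here configures it.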
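Review bot: In the deployment-exporter.yaml hunk the Deployment has no `spec.selector` and the pod template carries no `metadata.labels`, so the API server rejects it (`selector` is required in apps/v1). `readOnlyRootFilesystem: false` sits under the pod-level `securityContext`, where it is not a valid field (it is container-level only). `resources:` renders `.Values.frontend.resources` instead of `.Values.exporter.resources`, so exporter limits can never be set independently. The same `image:` map, `enabled: true` pseudo-fields and unquoted `value: false` problems as in the backend template apply here.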
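Review bot: In the deployment-frontend.yaml hunk the Deployment again lacks `spec.selector` and pod template labels, and `PENPOT_TELEMETRY_ENABLED` again uses an unquoted `value: false`. The container declares `containerPort: 80` while running as UID 1001 with `runAsNonRoot: true` and all capabilities dropped; binding a port below 1024 in that configuration needs the image to listen on an unprivileged port (or `CAP_NET_BIND_SERVICE`, which this template correctly drops), so verify which port the frontend image actually serves on before relying on this. In the serviceaccount.yaml part of the same hunk the ServiceAccount is created unconditionally, which is inconsistent with the `serviceAccount.enabled` toggle that `penpot.serviceAccountName` tests; either wrap the resource in the same condition or remove the toggle.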
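Review bot: In the services.yaml hunk none of the three Services has a `spec.selector`, so no Endpoints are ever populated and traffic to the ClusterIPs is dropped; add a selector per component that matches the labels the corresponding Deployment's pod template sets, and give the Services the common labels so they are visible as part of the release.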
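Review bot: In the values.yaml hunk the value layout does not match what the templates read: `penpotVersion: 1.19.3` is a scalar but templates use `.Values.penpotVersion.tag`; `publicURI` and `flags` are top-level but templates use `.Values.config.publicURI` and `.Values.config.flags`; and `serviceAccount.enabled` is absent. Either nest the values or fix the templates, and run `helm template` on the chart before merging. The default `flags` include `disable-secure-session-cookies`, which ships session cookies without the Secure attribute; given the README principle that an ingress terminates TLS and that defaults should be sane, the default should keep secure cookies and only document the flag for plain-HTTP local testing. Since all credentials arrive via `envFromSecret: penpot-secret`, the values file should also list the keys that Secret must carry, so that an operator can create it without reading the templates.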