diff --git a/README.org b/README.org index bfac7c4..4673e80 100644 --- a/README.org +++ b/README.org @@ -86,7 +86,8 @@ So what makes this repo different from others? It is KISS and Safe of course. - We only support the current major version of Kubernetes and the application - Always enable service accounts - Use semver for versioning - +- A chart should install on a small scale with default values +- All charts are validated for structure and syntax before compilation If you see a chart that does not comply with these principles, please open an issue. *** 🧑‍💻 Usage diff --git a/charts/penpot/templates/deployment-backend.yaml b/charts/penpot/templates/deployment-backend.yaml index f1f21a1..e10f81f 100644 --- a/charts/penpot/templates/deployment-backend.yaml +++ b/charts/penpot/templates/deployment-backend.yaml @@ -9,25 +9,21 @@ spec: replicas: {{ .Values.backend.replicaCount }} selector: matchLabels: - {{- include "penpot.backendSelectorLabels" . | nindent 6 }} + app: {{ include "penpot.fullname" . }}-backend template: metadata: labels: - {{- include "penpot.backendSelectorLabels" . | nindent 8 }} + app: {{ include "penpot.fullname" . }}-backend spec: serviceAccountName: {{ include "penpot.serviceAccountName" . }} securityContext: - podSecurityContext: - enabled: true - fsGroup: 1001 + fsGroup: 1001 containers: - name: {{ .Chart.Name }}-backend - image: - repository: "penpotapp/backend:{{ .Values.penpotVersion.tag }}" - imagePullPolicy: IfNotPresent - containerSecurityContext: - enabled: true + image: "penpotapp/backend:{{ .Values.penpotVersion }}" + imagePullPolicy: IfNotPresent + securityContext: runAsUser: 1001 allowPrivilegeEscalation: false capabilities: 
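Review bot: In deployment-backend.yaml, `image: "penpotapp/backend:{{ .Values.penpotVersion }}"` references a mutable tag, and with `imagePullPolicy: IfNotPresent` a node that has already cached the tag never re-resolves it. Nothing therefore ties the running container to a specific, verified image; the exporter and frontend templates use the same pattern. Consider letting values supply a digest reference (`penpotapp/backend@sha256:<digest>`, placeholder) for users who want reproducible pulls. Separately, `selector.matchLabels` moves from the `penpot.backendSelectorLabels` helper to a single `app` label. A Deployment's selector is immutable, so if the helper rendered different labels (it is not visible here), `helm upgrade` of an existing release will be rejected until the Deployment is recreated, which is worth stating in the release notes. The container's `securityContext` continues past the end of this hunk.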
@@ -41,11 +37,11 @@ spec: readOnly: false env: - name: PENPOT_PUBLIC_URI - value: {{ .Values.config.publicURI | quote }} + value: {{ .Values.publicURL | quote }} - name: PENPOT_FLAGS - value: "$PENPOT_FLAGS {{ .Values.config.flags }}" + value: "$PENPOT_FLAGS {{ .Values.flags }}" - name: PENPOT_TELEMETRY_ENABLED - value: false + value: "false" - name: PENPOT_REGISTRATION_DOMAIN_WHITELIST value: {{ .Values.registrationDomainWhitelist | quote }} envFrom: diff --git a/charts/penpot/templates/deployment-exporter.yaml b/charts/penpot/templates/deployment-exporter.yaml index 05ba6db..c1a3ba6 100644 --- a/charts/penpot/templates/deployment-exporter.yaml +++ b/charts/penpot/templates/deployment-exporter.yaml 
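Review bot: `value: "$PENPOT_FLAGS {{ .Values.flags }}"` will not prepend any existing flags, because Kubernetes expands only `$(VAR)` references in `env` values, so the literal text `$PENPOT_FLAGS` reaches the container as the first token. Passing the chart value alone is clearer: `value: {{ .Values.flags | quote }}`. The same line appears in the exporter and frontend env hunks. The default for `.Values.flags` in values.yaml includes `disable-secure-session-cookies` alongside an `http://localhost:8080` `publicURL`. That appears to be meant for a local install, so a comment in values.yaml should tell operators to drop that flag when `publicURL` is HTTPS. The env list continues outside this hunk.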
@@ -7,35 +7,37 @@ metadata: {{- include "penpot.labels" . | nindent 4 }} spec: replicas: {{ .Values.exporter.replicaCount }} + selector: + matchLabels: + app: {{ include "penpot.fullname" . }}-exporter template: + metadata: + labels: + app: {{ include "penpot.fullname" . }}-exporter spec: serviceAccountName: {{ include "penpot.serviceAccountName" . }} securityContext: - podSecurityContext: - enabled: true - fsGroup: 1001 + fsGroup: 1001 - readOnlyRootFilesystem: false - runAsNonRoot: true containers: - name: {{ .Chart.Name }}-exporter - image: - repository: "penpotapp/exporter:{{ .Values.penpotVersion.tag }}" - imagePullPolicy: IfNotPresent - containerSecurityContext: - enabled: true + image: "penpotapp/exporter:{{ .Values.penpotVersion }}" + imagePullPolicy: IfNotPresent + securityContext: runAsUser: 1001 allowPrivilegeEscalation: false capabilities: drop: - all + readOnlyRootFilesystem: false + runAsNonRoot: true env: - name: PENPOT_PUBLIC_URI - value: {{ .Values.config.publicURI | quote }} + value: {{ .Values.publicURL | quote }} - name: PENPOT_FLAGS - value: "$PENPOT_FLAGS {{ .Values.config.flags }}" + value: "$PENPOT_FLAGS {{ .Values.flags }}" - name: PENPOT_TELEMETRY_ENABLED - value: false + value: "false" - name: PENPOT_REGISTRATION_DOMAIN_WHITELIST value: {{ .Values.registrationDomainWhitelist | quote }} envFrom: diff --git a/charts/penpot/templates/deployment-frontend.yaml b/charts/penpot/templates/deployment-frontend.yaml index ef97abd..6954836 100644 --- a/charts/penpot/templates/deployment-frontend.yaml +++ b/charts/penpot/templates/deployment-frontend.yaml 
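Review bot: In the exporter container's `securityContext`, the capability drop list is written as `- all`, but the Pod Security admission "restricted" check matches the literal `ALL`. As written, this pod would be rejected or warned about in a namespace enforcing that profile, even though the runtime may treat the two spellings alike. Change the entry to `- ALL`. The `capabilities:` blocks in the backend and frontend hunks are cut off, so check them for the same spelling. Moving `readOnlyRootFilesystem` to the container level makes it effective, but it is still `false`. If the exporter only needs scratch space (not visible from here), mounting an `emptyDir` for those paths would allow `readOnlyRootFilesystem: true`.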
@@ -7,19 +7,22 @@ metadata: {{- include "penpot.labels" . | nindent 4 }} spec: replicas: {{ .Values.frontend.replicaCount }} + selector: + matchLabels: + app: {{ include "penpot.fullname" . }}-frontend template: + metadata: + labels: + app: {{ include "penpot.fullname" . }}-frontend spec: serviceAccountName: {{ include "penpot.serviceAccountName" . }} securityContext: - podSecurityContext: - enabled: true - fsGroup: 1001 + fsGroup: 1001 containers: - name: {{ .Chart.Name }}-frontend - image: "penpotapp/frontend:{{ .Values.penpotVersion.tag }}" + image: "penpotapp/frontend:{{ .Values.penpotVersion }}" imagePullPolicy: IfNotPresent - containerSecurityContext: - enabled: true + securityContext: runAsUser: 1001 allowPrivilegeEscalation: false capabilities: @@ -29,11 +32,11 @@ spec: runAsNonRoot: true env: - name: PENPOT_PUBLIC_URI - value: {{ .Values.config.publicURI | quote }} + value: {{ .Values.publicURL | quote }} - name: PENPOT_FLAGS - value: "$PENPOT_FLAGS {{ .Values.config.flags }}" + value: "$PENPOT_FLAGS {{ .Values.flags }}" - name: PENPOT_TELEMETRY_ENABLED - value: false + value: "false" - name: PENPOT_REGISTRATION_DOMAIN_WHITELIST value: {{ .Values.registrationDomainWhitelist | quote }} envFrom: diff --git a/charts/penpot/values.yaml b/charts/penpot/values.yaml index d3845f8..d16b79e 100644 --- a/charts/penpot/values.yaml +++ b/charts/penpot/values.yaml @@ -1,7 +1,7 @@ envFromSecret: penpot-secret penpotVersion: 1.19.3 -publicURI: "http://localhost:8080" +publicURL: "http://localhost:8080" registrationDomainWhitelist: "localhost" flags: "enable-registration enable-login disable-demo-users disable-demo-warning disable-secure-session-cookies"
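Review bot: In the first deployment-frontend.yaml hunk, the pod spec sets `serviceAccountName` but the visible part never opts out of token mounting, so the frontend pod receives a Kubernetes API token by default. Unless the ServiceAccount template or a part of the spec outside this hunk already disables it, add `automountServiceAccountToken: false` directly under `serviceAccountName`. The same applies to the backend and exporter pod specs, assuming none of the three workloads calls the API server. The pod-level `securityContext` now holds only `fsGroup: 1001`; adding `seccompProfile:` with `type: RuntimeDefault` there would cover the remaining field that the restricted profile expects.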