apps/design: add penpot preliminarily

Waiting on https://github.com/truecharts/charts/pull/17061

apps/design-kustomization.yaml

@@ -0,0 +1,13 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
+kind: Kustomization
+metadata:
+  name: add-design
+  namespace: flux-system
+spec:
+  interval: 10m
+  prune: true
+  path: ./apps/design
+  sourceRef:
+    kind: GitRepository
+    name: stackspout

apps/design/kustomization.yaml

@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - penpot-kustomization.yaml
+  - penpot-secrets-kustomization.yaml

apps/design/penpot-kustomization.yaml

@@ -0,0 +1,35 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
+kind: Kustomization
+metadata:
+  name: penpot
+  namespace: flux-system
+spec:
+  interval: 5m
+  retryInterval: 2m
+  timeout: 10m
+  wait: true
+  prune: true
+  path: ./apps/design/penpot
+  sourceRef:
+    kind: GitRepository
+    name: stackspout
+  dependsOn:
+    - name: flux
+    - name: local-path-provisioner
+    - name: penpot-secrets
+    - name: nginx
+    - name: single-sign-on
+  postBuild:
+    substituteFrom:
+      - kind: Secret
+        name: stackspin-cluster-variables
+      - kind: ConfigMap
+        name: stackspin-penpot-kustomization-variables
+      - kind: Secret
+        name: stackspin-penpot-variables
+      # OIDC
+      - kind: Secret
+        name: stackspin-penpot-oauth-variables
+      - kind: ConfigMap
+        name: stackspin-single-sign-on-kustomization-variables

apps/design/penpot-secrets-kustomization.yaml

@@ -0,0 +1,22 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
+kind: Kustomization
+metadata:
+  name: penpot-secrets
+  namespace: flux-system
+spec:
+  interval: 5m
+  timeout: 4m
+  wait: true
+  prune: true
+  path: ./apps/design/penpot-secrets
+  sourceRef:
+    kind: GitRepository
+    name: stackspout
+  dependsOn:
+    - name: flux
+    - name: secrets-controller
+  postBuild:
+    substituteFrom:
+      - kind: Secret
+        name: stackspin-cluster-variables

apps/design/penpot-secrets/penpot-kustomization-variables.yaml

@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: stackspin-penpot-kustomization-variables
+  namespace: flux-system
+data:
+  penpot_domain: design.${domain}

apps/design/penpot-secrets/penpot-oauth-secret.yaml

@@ -0,0 +1,12 @@
+---
+apiVersion: secretgenerator.mittwald.de/v1alpha1
+kind: StringSecret
+metadata:
+  name: stackspin-penpot-oauth-variables
+  namespace: flux-system
+spec:
+  data:
+    client_id: penpot
+  fields:
+  - fieldName: client_secret
+    length: "32"

apps/design/penpot-secrets/penpot-variables.yaml

@@ -0,0 +1,9 @@
+---
+apiVersion: secretgenerator.mittwald.de/v1alpha1
+kind: StringSecret
+metadata:
+  name: stackspin-penpot-variables
+  namespace: flux-system
+spec:
+  fields:
+  - fieldName: password

apps/design/penpot/penpot-oauth-client.yaml

@@ -0,0 +1,21 @@
+apiVersion: hydra.ory.sh/v1alpha1
+kind: OAuth2Client
+metadata:
+  name: penpot-oauth-client
+  # Has to live in the same namespace as the stackspin-penpot-oauth-variables secret
+  namespace: flux-system
+spec:
+  # TODO copied from wekan: https://github.com/wekan/wekan/wiki/Keycloak
+  grantTypes:
+    - authorization_code
+    - refresh_token
+    - client_credentials
+    - implicit
+  responseTypes:
+    - id_token
+    - code
+  scope: "openid profile email stackspin_roles"
+  secretName: stackspin-penpot-oauth-variables
+  #redirectUris:
+  #  - https://${penpot_domain}/oauth/openid/
+  #tokenEndpointAuthMethod: client_secret_post

apps/design/penpot/penpot-pvc.yaml

@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: penpot-data
+  namespace: stackspout
+  labels:
+    stackspin.net/backupSet: "penpot"
+spec:
+  accessModes:
+    - ReadWriteOnce
+  volumeMode: Filesystem
+  resources:
+    requests:
+      storage: 2Gi
+  storageClassName: local-path

apps/design/penpot/penpot-release.yaml

@@ -0,0 +1,27 @@
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: penpot
+  namespace: stackspout
+spec:
+  releaseName: penpot
+  chart:
+    spec:
+      chart: penpot
+      version: 4.0.12
+      sourceRef:
+        kind: HelmRepository
+        name: truecharts
+        namespace: flux-system
+  interval: 5m
+  valuesFrom:
+    - kind: ConfigMap
+      name: stackspin-penpot-values
+      optional: false
+    # Allow overriding values by ConfigMap or Secret
+    - kind: ConfigMap
+      name: stackspin-penpot-override
+      optional: true
+    - kind: Secret
+      name: stackspin-penpot-override
+      optional: true

apps/design/penpot/penpot-values-configmap.yaml

@@ -0,0 +1,73 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: stackspin-penpot-values
+  namespace: stackspout
+data:
+  values.yaml: |
+    # TODO verify structure matches chart
+    commonLabels:
+      stackspin.net/backupSet: "penpot"
+    podLabels:
+      stackspin.net/backupSet: "penpot"
+    # TODO Configure PVC for data & database including backup labels
+    podAnnotations:
+      backup.velero.io/backup-volumes: "data"
+    persistence:
+      enabled: true
+      existingClaim: "penpot-data"
+
+    ingress:
+      main:
+        enabled: true
+        annotations:
+          kubernetes.io/tls-acme: "true"
+        hosts:
+          - host: "${penpot_domain}"
+            paths:
+               - path: /
+                 pathType: Prefix
+        tls:
+          - secretName: penpot-tls
+            hosts:
+              - "${penpot_domain}"
+        integrations:
+          certManager:
+            enabled: true
+    penpot:
+      public_uri: "https://${penpot_domain}"
+      #registration_domain_whitelist: []
+      #flags:
+      #  backend_api_doc: false
+      #  cors: false
+      #  demo_users: false
+      #  demo_warning: false
+      #  insecure_register: false
+      #  log_emails: false
+      #  log_invitation_token: false
+      #  login: true
+      #  mail_verification: true
+      #  registration: true
+      #  secure_session_cookies: true
+      #  user_feedback: false
+      identity_providers:
+        oidc:
+          enabled: true
+          client_id: "${client_id}"
+          client_secret: "${client_secret}"
+          base_uri: "https://${hydra_domain}"
+          #autoDiscoverUrl: 'https://${hydra_domain}/.well-known/openid-configuration'
+      smtp:
+        enabled: "${outgoing_mail_enabled}"
+        host: "${outgoing_mail_smtp_host}"
+        port: "${outgoing_mail_smtp_port}"
+        username: "${outgoing_mail_smtp_user}"
+        pass: "${outgoing_mail_smtp_password}"
+        default_from: "${outgoing_mail_from_address}"
+        default_reply_to: "${outgoing_mail_from_address}"
+
+    persistence:
+      assets:
+        enabled: true
+        mountPath: /opt/data/assets
+        targetSelectAll: true

apps/kustomization.yaml

@@ -8,6 +8,6 @@ resources:
   - flow-kustomization.yaml
   - meet-kustomization.yaml
   - status-kustomization.yaml
-  #- design-kustomization.yaml #to be configured
+  - design-kustomization.yaml
   #- sprint-kustomization.yaml #charts outdated
   #- video-kustomization.yaml #missing storage