Skip to content

feat(helm): add Temporal workflow engine support (required since Postiz v2.12.0)#21

Open
pirona wants to merge 4 commits into
gitroomhq:mainfrom
pirona:feat/temporal-support
Open

feat(helm): add Temporal workflow engine support (required since Postiz v2.12.0)#21
pirona wants to merge 4 commits into
gitroomhq:mainfrom
pirona:feat/temporal-support

Conversation

@pirona

@pirona pirona commented Jun 17, 2026

Copy link
Copy Markdown

Add Temporal workflow engine support (required since Postiz v2.12.0)

Postiz has depended on Temporal since v2.12.0, but the Helm chart had no way to deploy or configure it. This PR adds opt-in Temporal support alongside the existing PostgreSQL/Redis sub-charts.


Context: I'm a Linux/Kubernetes systems engineer (CKA certified), running Postiz on a self-hosted K3s cluster. I needed Temporal support to get v2.x working. I want to be transparent: I used Claude Code (Anthropic's AI coding assistant) to help implement and validate this chart contribution. The design decisions, testing, and homelab use case are mine — I reached out to AI humbly to handle the Helm templating I wouldn't have had time to do properly on my own.


What this adds

New templates:

  • temporal-deployment.yamltemporalio/auto-setup with postgres12 backend
  • temporal-service.yaml — ClusterIP on port 7233 (gRPC)
  • temporal-dynamicconfig.yaml — ConfigMap with development-sql.yaml preset
  • temporal-secret.yaml — PostgreSQL credentials for the Temporal user
  • temporal-init-job.yaml — post-install/post-upgrade Job that creates a dedicated temporal PostgreSQL role via the postgres superuser (skipped when reusing the main Postiz user)

Updated:

  • values.yaml — new temporal: section (opt-in, enabled: false by default) + expanded env and secrets maps covering all variables in the current Postiz documentation (~40 non-sensitive vars, ~60 sensitive vars)
  • postiz-config.yaml — injects TEMPORAL_ADDRESS, TEMPORAL_NAMESPACE, TEMPORAL_TLS when Temporal is enabled or an external address is set
  • NOTES.txt — post-install guidance: search-attribute reminder, multi-replica warning, backup note

Behaviour

Scenario Config Result
Bundled Temporal (new installs) temporal.enabled: true Deploys temporalio/auto-setup + init job
External / Temporal Cloud temporal.enabled: false + temporal.address: <host:port> Only injects env vars, no deployment
Disabled entirely temporal.enabled: false, no address Temporal env vars omitted

Non-breaking

temporal.enabled defaults to false — existing deployments are unaffected by a plain helm upgrade.

Tested on

  • K3s v1.31, Helm 3.16, Postiz v2.21.8, temporalio/auto-setup:1.28.1
  • PostgreSQL via Bitnami sub-chart (shared instance, dedicated temporal user)

🤖 Generated with Claude Code

Summary by CodeRabbit

  • New Features

    • Added Temporal workflow orchestration support with automatic initialization and deployment configuration.
  • Documentation

    • Added comprehensive deployment and upgrade guidance including setup instructions, networking options, and prerequisite checks.
  • Chores

    • Updated Helm chart version to 1.1.0 and application version to v2.21.8.
    • Expanded default configuration values for ingress, PostgreSQL, and environment variables.

billisdead and others added 3 commits June 17, 2026 08:12
- Chart.yaml: bump to version 1.1.0, appVersion v2.21.8
- values.yaml: add temporal section (enabled/address/namespace/tls/apiKey/postgresql),
  expand env (~40 non-sensitive vars) and secrets (~60 sensitive vars) to match
  current Postiz documentation — covers all social providers, email SMTP,
  OAuth OIDC, AI/generation, analytics, MCP, payments, short-link services
- postiz-config.yaml: inject TEMPORAL_ADDRESS (auto-computed or override),
  TEMPORAL_NAMESPACE and TEMPORAL_TLS when temporal.enabled or address is set
- temporal-deployment.yaml: temporalio/auto-setup:1.28.1, postgres12 backend,
  ES disabled, dynamicconfig volume mount, liveness/readiness probes
- temporal-service.yaml: ClusterIP on port 7233 (gRPC)
- temporal-dynamicconfig.yaml: ConfigMap with development-sql.yaml content
- temporal-init-job.yaml: post-install/upgrade Job that creates the temporal
  PostgreSQL user via the postgres superuser before Temporal starts
- temporal-secret.yaml: Secret for temporal PostgreSQL credentials
- NOTES.txt: post-install guidance, search-attribute creation reminder,
  multi-replica/local-storage warning, backup reminder

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
When temporal.postgresql.user == postgresql.auth.username, the user
already exists with CREATEDB — temporalio/auto-setup handles database
creation itself. The init job only runs for a distinct dedicated user.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Opt-in rather than opt-out: existing deployments that do not need
the bundled Temporal instance are unaffected by a plain helm upgrade.
Users who want the self-hosted setup explicitly set temporal.enabled=true.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@coderabbitai

coderabbitai Bot commented Jun 17, 2026

Copy link
Copy Markdown

Review Change Stack

Warning

Review limit reached

@pirona, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 40 minutes and 15 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more credits in the billing tab to continue.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based credits.

🚦 How do rate limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan refill rate.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, the refill rate gradually slows as usage increases. The highest same-day bursts are limited more strictly.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: b272f00a-ef87-4cf3-a8b0-f36eb27c4eb3

📥 Commits

Reviewing files that changed from the base of the PR and between 49aa205 and 8d7b128.

📒 Files selected for processing (5)
  • charts/postiz/templates/NOTES.txt
  • charts/postiz/templates/postiz-config.yaml
  • charts/postiz/templates/temporal-init-job.yaml
  • charts/postiz/templates/temporal-secret.yaml
  • charts/postiz/values.yaml
📝 Walkthrough

Walkthrough

Bumps the Postiz Helm chart from 1.0.5/1.3.0 to 1.1.0/v2.21.8. Adds a complete embedded Temporal deployment as optional Kubernetes resources (Deployment, Service, Secret, dynamic-config ConfigMap, and PostgreSQL init Job). Expands values.yaml with Temporal configuration, Bitnami-style PostgreSQL settings, and a large set of env/secrets placeholders. Updates NOTES.txt with post-deploy operator guidance.

Changes

Postiz Helm Chart — Temporal Integration and Expansion

Layer / File(s) Summary
Chart version bump and values foundation
charts/postiz/Chart.yaml, charts/postiz/values.yaml
Bumps chart to 1.1.0 / v2.21.8, restructures the ingress block with explicit host/path/TLS example, and updates postgresql values to Bitnami-subchart style with an auth.postgresPassword field used by the Temporal init job.
Temporal values section, env/secrets expansion, and ConfigMap wiring
charts/postiz/values.yaml, charts/postiz/templates/postiz-config.yaml
Adds a temporal values block (enabled, address, namespace, TLS, apiKey, image, Postgres credentials); greatly expands env and secrets placeholders for OAuth, storage, analytics, payments, and MCP; injects TEMPORAL_ADDRESS/TEMPORAL_NAMESPACE/TEMPORAL_TLS into the Postiz ConfigMap conditionally.
Temporal Kubernetes resources: Secret, ConfigMap, Service, Deployment
charts/postiz/templates/temporal-secret.yaml, charts/postiz/templates/temporal-dynamicconfig.yaml, charts/postiz/templates/temporal-service.yaml, charts/postiz/templates/temporal-deployment.yaml
Four new conditionally-rendered templates: an Opaque Secret with POSTGRES_PWD and optional TEMPORAL_API_KEY; a dynamic-config ConfigMap with limit.maxIDLength: 255; a ClusterIP Service on gRPC port 7233; and a Deployment running the Temporal auto-setup image with PostgreSQL env, volume-mounted dynamic config, and TCP probes.
Temporal PostgreSQL init job
charts/postiz/templates/temporal-init-job.yaml
A batch/v1 Job with post-install/post-upgrade Helm hooks that waits for PostgreSQL readiness via an initContainer, then executes SQL to create the Temporal Postgres role with CREATEDB if it does not already exist, gated by a user-mismatch condition.
Post-deploy NOTES and operator guidance
charts/postiz/templates/NOTES.txt
Populates NOTES.txt with templated post-deploy output: access URL (ingress/NodePort/port-forward), conditional Temporal guidance (status commands, search-attribute creation, external address, or disabled warning), replica/local-storage warning, and a pg_dump backup reminder.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Poem

🐇 Hop, hop, the chart hops high,
Temporal flows where workflows fly!
A Secret, a Job, a Service in place,
NOTES.txt guides with temporal grace.
Version bumped — now v2.21.8 gleams,
Scheduling posts is easier than it seems! 🥕

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly and specifically describes the main change: adding Temporal workflow engine support to the Helm chart, with context about the version requirement.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 7

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@charts/postiz/templates/NOTES.txt`:
- Around line 4-5: The NOTES.txt file hard-codes the https:// scheme and only
displays the host from the ingress configuration, but the actual ingress
configuration may support HTTP-only setups and custom paths. Update the ingress
URL output in the NOTES.txt template to dynamically use the correct scheme (http
or https based on TLS settings) and include the path prefix from the first
ingress host entry. Review the ingress template structure and .Values.ingress
configuration to determine how TLS is enabled and how paths are defined, then
construct the full URL accordingly instead of hard-coding https://.
- Around line 6-10: The kubectl port-forward example in the else block hardcodes
port 80 as the service port, but the actual service port is configurable via
.Values.service.port. Replace the hardcoded "80" in the port-forward command
with the templated value from .Values.service.port so that the forwarding works
correctly when the service port is customized to any value other than 80.
- Around line 17-25: The kubectl commands in the NOTES.txt template (kubectl get
pods, kubectl logs job, and kubectl exec deploy) do not specify a namespace
flag, causing them to default to the current namespace and fail for non-default
installations. Add the `-n {{ .Release.Namespace }}` flag to each of these
kubectl commands to scope them to the actual release namespace where Postiz is
deployed, ensuring the commands execute against the correct namespace regardless
of the user's current context.

In `@charts/postiz/templates/postiz-config.yaml`:
- Around line 15-17: The external Temporal configuration block (the else if
.Values.temporal.address conditional) currently only exports TEMPORAL_ADDRESS
but ignores namespace and TLS settings from values. Add conditional exports for
TEMPORAL_NAMESPACE and TEMPORAL_TLS within the same else if block, checking if
.Values.temporal.namespace and .Values.temporal.tls exist respectively, so that
external and Cloud Temporal setups have access to all required configuration
parameters.

In `@charts/postiz/templates/temporal-init-job.yaml`:
- Line 35: The PGHOST environment variable is hardcoded to {{ .Release.Name
}}-postgresql at line 35 and line 60, but this may differ from the actual
database host configured in the Temporal runtime through
.Values.temporal.postgresql.seeds. Update both PGHOST assignments to use the
same source as the Temporal runtime configuration (reference
.Values.temporal.postgresql.seeds) so that the init job connects to the same
database endpoint as the Temporal deployment, preventing inconsistency when
users override the postgresql.seeds value.
- Around line 43-51: The unquoted heredoc delimiter at the psql command (<<-SQL)
causes the shell to expand $TEMPORAL_USER and $TEMPORAL_PWD variables before
passing the SQL to psql, which breaks if credentials contain special characters
like quotes. Change the heredoc to use a quoted delimiter (<<-'SQL') to prevent
shell expansion, then use psql's --set option to pass the variables securely
into the SQL context, allowing them to be referenced as SQL variables within the
DO block instead of relying on shell variable substitution.

In `@charts/postiz/values.yaml`:
- Around line 67-70: Remove the hardcoded default passwords from the values.yaml
file by replacing the postgresPassword value (currently set to
postgres-admin-password around line 70) and any similar hardcoded temporal
password values (around line 104) with empty strings or null values to eliminate
predictable default credentials. Additionally, update the temporal-secret.yaml
template to add required field validation checks that ensure these password
values are explicitly provided when temporal.enabled is set to true, allowing
the deployment to fail fast with a clear error message rather than using
insecure defaults.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 46e88ff1-1e14-492c-a201-e7eb7a7f00ee

📥 Commits

Reviewing files that changed from the base of the PR and between 5d6a9de and 49aa205.

📒 Files selected for processing (9)
  • charts/postiz/Chart.yaml
  • charts/postiz/templates/NOTES.txt
  • charts/postiz/templates/postiz-config.yaml
  • charts/postiz/templates/temporal-deployment.yaml
  • charts/postiz/templates/temporal-dynamicconfig.yaml
  • charts/postiz/templates/temporal-init-job.yaml
  • charts/postiz/templates/temporal-secret.yaml
  • charts/postiz/templates/temporal-service.yaml
  • charts/postiz/values.yaml

Comment thread charts/postiz/templates/NOTES.txt Outdated
Comment thread charts/postiz/templates/NOTES.txt
Comment thread charts/postiz/templates/NOTES.txt Outdated
Comment thread charts/postiz/templates/postiz-config.yaml Outdated
Comment thread charts/postiz/templates/temporal-init-job.yaml Outdated
Comment thread charts/postiz/templates/temporal-init-job.yaml
Comment thread charts/postiz/values.yaml Outdated
NOTES.txt:
- Detect ingress scheme dynamically (http/https based on .Values.ingress.tls)
- Include first path in ingress URL output
- Use .Values.service.port in port-forward example instead of hardcoded 80
- Add -n {{ .Release.Namespace }} to all kubectl commands

postiz-config.yaml:
- Merge temporal enabled/external branches: external address now also emits
  TEMPORAL_NAMESPACE and TEMPORAL_TLS, not just TEMPORAL_ADDRESS

temporal-init-job.yaml:
- Use .Values.temporal.postgresql.seeds as PGHOST source (with fallback to
  bitnami sub-chart service name) so init job and runtime use the same host
- Switch to quoted heredoc (<<-'SQL') + psql --set to pass credentials as
  psql variables, preventing shell expansion from breaking on special chars

temporal-secret.yaml:
- Add required validation: temporal.postgresql.password must be set explicitly
  when temporal.enabled=true

values.yaml:
- Remove hardcoded default passwords (postgresPassword, temporal.postgresql.password)
  replaced with empty strings to avoid predictable default credentials

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant