Skip to content

feat(chart): extraEnvFrom, optional uploads PVC, optional bundled Temporal#22

Open
aoterolorenzo wants to merge 3 commits into
gitroomhq:mainfrom
aoterolorenzo:feat/external-secret-and-temporal
Open

feat(chart): extraEnvFrom, optional uploads PVC, optional bundled Temporal#22
aoterolorenzo wants to merge 3 commits into
gitroomhq:mainfrom
aoterolorenzo:feat/external-secret-and-temporal

Conversation

@aoterolorenzo

@aoterolorenzo aoterolorenzo commented Jul 2, 2026

Copy link
Copy Markdown

What & why

Adapts the chart for production self-hosting on Kubernetes, where you typically:

  1. run an external PostgreSQL and Redis (not the bundled Bitnami subcharts),
  2. keep secrets in an existing Secret (SealedSecret / ExternalSecret) rather than plaintext in values.yaml, and
  3. need Temporal, which Postiz has required since v2.12 for scheduled posts / background workflows — the current chart doesn't deploy it, so scheduling doesn't work out of the box.

All changes are opt-in and default-off; rendering existing values is unchanged.

Changes

  • extraEnvFrom — extra envFrom sources appended to the container, so sensitive env can come from a Secret you manage yourself.
  • Chart-managed secrets Secret is now conditional ({{- if .Values.secrets }}). Set secrets: null to omit it entirely and supply everything via extraEnvFrom. A populated secrets: still renders exactly as before.
  • persistence.* — optional PersistentVolumeClaim for STORAGE_PROVIDER=local uploads (mount via extraVolumes/extraVolumeMounts, e.g. /uploads + /config by subPath).
  • temporal.* — optional bundled Temporal via temporalio/auto-setup, using SQL visibility (ENABLE_ES=false, no Elasticsearch) against an external PostgreSQL, with TLS knobs and password-from-Secret. Point TEMPORAL_ADDRESS at <release>-temporal:7233.
  • Bump appVersion 1.3.0 → 2.21.9, chart 1.0.5 → 1.1.0.

Backward compatibility

Defaults keep bundled PostgreSQL/Redis enabled, temporal.enabled: false, persistence.enabled: false, extraEnvFrom: [], and the populated secrets: map — so existing installs render identically.

Testing

helm template / helm lint pass for: defaults, temporal.enabled=true with external Postgres + extraEnvFrom + PVC, and secrets: null (no plaintext Secret rendered). Deployed against Crunchy PostgreSQL (direct connection) + Dragonfly with Temporal SQL visibility.

Draft: opening as a proposal — happy to split (extraEnvFrom vs Temporal) into separate PRs if you'd prefer, and to adjust naming/conventions.

Summary by CodeRabbit

  • New Features

    • Added optional persistent storage for uploads.
    • Added support for extra environment sources.
    • Added an optional bundled Temporal setup for workflows.
    • Updated the chart to a new app and chart version.
  • Bug Fixes

    • Secret and environment settings now render only when configured, reducing accidental empty resources.

…poral

Make the chart usable for production self-hosting on Kubernetes with an
external PostgreSQL/Redis and secrets sourced from an existing Secret.

- extraEnvFrom: inject sensitive env from an existing Secret (e.g. a
  SealedSecret/ExternalSecret) instead of plaintext `secrets` in values.
- Render the chart-managed `secrets` Secret only when non-empty, so you can
  drop it entirely (`secrets: null`) and rely on extraEnvFrom.
- persistence.*: optional PVC for STORAGE_PROVIDER=local uploads.
- temporal.*: optional bundled Temporal (temporalio/auto-setup) with SQL
  visibility (ENABLE_ES=false) against an external PostgreSQL. Postiz >= 2.12
  requires a Temporal service for scheduled posts.
- Bump appVersion 1.3.0 -> 2.21.9, chart 1.0.5 -> 1.1.0.

All additions are opt-in and default-off; existing values render unchanged.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@coderabbitai

coderabbitai Bot commented Jul 2, 2026

Copy link
Copy Markdown

Review Change Stack

📝 Walkthrough

Walkthrough

This PR updates the Postiz Helm chart version and appVersion, makes the Secret template and Deployment secretRef conditional on .Values.secrets, adds extraEnvFrom support, introduces a PersistentVolumeClaim template for optional persistence, and adds bundled Temporal Deployment/Service templates with corresponding values.yaml configuration blocks.

Changes

Helm Chart Updates

Layer / File(s) Summary
Chart version bump
charts/postiz/Chart.yaml
Chart version bumped to 1.1.0 and appVersion bumped to "2.21.9".
Conditional secrets and extraEnvFrom wiring
charts/postiz/templates/postiz-secret.yaml, charts/postiz/templates/postiz-deployment.yaml, charts/postiz/values.yaml
Secret manifest and Deployment secretRef now render only when .Values.secrets is set; Deployment adds extraEnvFrom rendering; values.yaml adds extraEnvFrom key and updates the sensitive env vars comment.
Persistent storage support
charts/postiz/templates/postiz-pvc.yaml, charts/postiz/values.yaml
New PVC template conditionally rendered via persistence.enabled, with matching persistence values block for storage class, access mode, size, and annotations.
Temporal Deployment and Service
charts/postiz/templates/temporal-deployment.yaml, charts/postiz/templates/temporal-service.yaml, charts/postiz/values.yaml
New Temporal Deployment (image, DB/TLS env vars, probes, resources, scheduling) and Service (ClusterIP, port 7233), both gated by temporal.enabled, with a matching temporal values configuration block.

Estimated code review effort: 3 (Moderate) | ~25 minutes

Sequence Diagram(s)

sequenceDiagram
  participant ValuesYAML as values.yaml
  participant TemporalDeployment as temporal-deployment.yaml
  participant TemporalService as temporal-service.yaml
  participant K8sAPI as Kubernetes API

  ValuesYAML->>TemporalDeployment: temporal.enabled, image, db, tls, resources
  TemporalDeployment->>TemporalDeployment: render env vars, probes, resources
  TemporalDeployment->>K8sAPI: apply Deployment manifest
  ValuesYAML->>TemporalService: temporal.enabled
  TemporalService->>K8sAPI: apply Service manifest (port 7233)
Loading
🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly summarizes the main chart changes: extraEnvFrom, optional uploads PVC, and optional bundled Temporal.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Warning

Tools execution failed with the following error:

Failed to run tools: 13 INTERNAL: Received RST_STREAM with code 2 (Internal server error)


Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

aoterolorenzo and others added 2 commits July 7, 2026 21:04
auto-setup's schema tool reads POSTGRES_TLS_*, but the Temporal server config
template reads SQL_TLS_ENABLED / SQL_HOST_VERIFICATION. Without them the server
connects to Postgres without TLS and a TLS-only server rejects it (schema setup
succeeds, server then fails the schema-version check). Derive both from
temporal.db.tls.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
SQL visibility exposes only 3 Text search-attribute slots; auto-setup's demo
Custom*Field attributes consume two. Add temporal.skipAddCustomSearchAttributes
(default true) so apps can register their own custom attributes.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@aoterolorenzo aoterolorenzo marked this pull request as ready for review July 8, 2026 16:10

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick comments (3)
charts/postiz/templates/temporal-deployment.yaml (2)

23-97: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick win

Add pod and container securityContext for production readiness.

The PR targets production self-hosting, but the Temporal deployment defines no securityContext at the pod or container level. Without it, the container may run as root with default capabilities. Even if the temporalio/auto-setup image requires elevated permissions for schema setup, a pod-level runAsNonRoot: true with a fsGroup and a container-level readOnlyRootFilesystem: true (if feasible) or at minimum allowPrivilegeEscalation: false would improve the security posture.

🛡️ Suggested securityContext additions
     spec:
+      securityContext:
+        runAsNonRoot: true
+        fsGroup: 1000
       {{- with .Values.imagePullSecrets }}
       imagePullSecrets:
         {{- toYaml . | nindent 8 }}
       {{- end }}
       containers:
         - name: temporal
           image: "{{ .Values.temporal.image.repository }}:{{ .Values.temporal.image.tag }}"
           imagePullPolicy: {{ .Values.temporal.image.pullPolicy }}
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
           ports:

If the auto-setup image requires root for schema migration, consider making the security context configurable via .Values.temporal.podSecurityContext and .Values.temporal.securityContext so operators can tighten it in their environment.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@charts/postiz/templates/temporal-deployment.yaml` around lines 23 - 97, The
Temporal deployment template is missing pod and container security hardening, so
add securityContext handling in the temporal deployment manifest using the
existing temporal container spec. Update the deployment to support configurable
.Values.temporal.podSecurityContext and .Values.temporal.securityContext, and
apply at least runAsNonRoot/fsGroup at the pod level plus
allowPrivilegeEscalation false and, if possible for the auto-setup image,
readOnlyRootFilesystem at the container level. Keep the changes localized around
the temporal container definition so operators can tighten defaults without
breaking schema setup.

49-50: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

Quote secretKeyRef name and key values.

Unquoted name and key values can break YAML rendering if the values contain special characters (e.g., colons, leading spaces). Helm best practice is to quote all string values in rendered manifests.

♻️ Proposed fix
             - name: POSTGRES_PWD
               valueFrom:
                 secretKeyRef:
-                  name: {{ .Values.temporal.db.passwordSecret.name }}
-                  key: {{ .Values.temporal.db.passwordSecret.key }}
+                  name: {{ .Values.temporal.db.passwordSecret.name | quote }}
+                  key: {{ .Values.temporal.db.passwordSecret.key | quote }}
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@charts/postiz/templates/temporal-deployment.yaml` around lines 49 - 50, The
Temporal deployment template is rendering secretKeyRef fields with unquoted
string values, which can cause YAML issues when the values contain special
characters. Update the secret reference in the temporal-deployment.yaml template
so the name and key values under secretKeyRef are quoted, keeping the fix
localized to the templating logic that reads
.Values.temporal.db.passwordSecret.name and
.Values.temporal.db.passwordSecret.key.
charts/postiz/values.yaml (1)

112-147: 🔒 Security & Privacy | 🔵 Trivial

Prefer temporalio/server over the deprecated auto-setup image. temporalio/auto-setup is deprecated, so this default should move to the supported server image for new deployments.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@charts/postiz/values.yaml` around lines 112 - 147, The bundled Temporal
configuration still defaults to the deprecated temporalio/auto-setup image, so
update the temporal section to use the supported temporalio/server image for new
deployments. Adjust the temporal.image.repository value and any related image
assumptions in the temporal block so the default points to the server image
while preserving the existing optional bundled setup behavior.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@charts/postiz/templates/temporal-deployment.yaml`:
- Around line 23-97: The Temporal deployment template is missing pod and
container security hardening, so add securityContext handling in the temporal
deployment manifest using the existing temporal container spec. Update the
deployment to support configurable .Values.temporal.podSecurityContext and
.Values.temporal.securityContext, and apply at least runAsNonRoot/fsGroup at the
pod level plus allowPrivilegeEscalation false and, if possible for the
auto-setup image, readOnlyRootFilesystem at the container level. Keep the
changes localized around the temporal container definition so operators can
tighten defaults without breaking schema setup.
- Around line 49-50: The Temporal deployment template is rendering secretKeyRef
fields with unquoted string values, which can cause YAML issues when the values
contain special characters. Update the secret reference in the
temporal-deployment.yaml template so the name and key values under secretKeyRef
are quoted, keeping the fix localized to the templating logic that reads
.Values.temporal.db.passwordSecret.name and
.Values.temporal.db.passwordSecret.key.

In `@charts/postiz/values.yaml`:
- Around line 112-147: The bundled Temporal configuration still defaults to the
deprecated temporalio/auto-setup image, so update the temporal section to use
the supported temporalio/server image for new deployments. Adjust the
temporal.image.repository value and any related image assumptions in the
temporal block so the default points to the server image while preserving the
existing optional bundled setup behavior.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 292c8884-ac46-45f6-a9c5-d47ece16634b

📥 Commits

Reviewing files that changed from the base of the PR and between 5d6a9de and 99e20eb.

📒 Files selected for processing (7)
  • charts/postiz/Chart.yaml
  • charts/postiz/templates/postiz-deployment.yaml
  • charts/postiz/templates/postiz-pvc.yaml
  • charts/postiz/templates/postiz-secret.yaml
  • charts/postiz/templates/temporal-deployment.yaml
  • charts/postiz/templates/temporal-service.yaml
  • charts/postiz/values.yaml

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant