feat(chart): extraEnvFrom, optional uploads PVC, optional bundled Temporal#22
feat(chart): extraEnvFrom, optional uploads PVC, optional bundled Temporal#22aoterolorenzo wants to merge 3 commits into
Conversation
…poral Make the chart usable for production self-hosting on Kubernetes with an external PostgreSQL/Redis and secrets sourced from an existing Secret. - extraEnvFrom: inject sensitive env from an existing Secret (e.g. a SealedSecret/ExternalSecret) instead of plaintext `secrets` in values. - Render the chart-managed `secrets` Secret only when non-empty, so you can drop it entirely (`secrets: null`) and rely on extraEnvFrom. - persistence.*: optional PVC for STORAGE_PROVIDER=local uploads. - temporal.*: optional bundled Temporal (temporalio/auto-setup) with SQL visibility (ENABLE_ES=false) against an external PostgreSQL. Postiz >= 2.12 requires a Temporal service for scheduled posts. - Bump appVersion 1.3.0 -> 2.21.9, chart 1.0.5 -> 1.1.0. All additions are opt-in and default-off; existing values render unchanged. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
📝 WalkthroughWalkthroughThis PR updates the Postiz Helm chart version and appVersion, makes the Secret template and Deployment secretRef conditional on ChangesHelm Chart Updates
Estimated code review effort: 3 (Moderate) | ~25 minutes Sequence Diagram(s)sequenceDiagram
participant ValuesYAML as values.yaml
participant TemporalDeployment as temporal-deployment.yaml
participant TemporalService as temporal-service.yaml
participant K8sAPI as Kubernetes API
ValuesYAML->>TemporalDeployment: temporal.enabled, image, db, tls, resources
TemporalDeployment->>TemporalDeployment: render env vars, probes, resources
TemporalDeployment->>K8sAPI: apply Deployment manifest
ValuesYAML->>TemporalService: temporal.enabled
TemporalService->>K8sAPI: apply Service manifest (port 7233)
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Warning Tools execution failed with the following error: Failed to run tools: 13 INTERNAL: Received RST_STREAM with code 2 (Internal server error) Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
auto-setup's schema tool reads POSTGRES_TLS_*, but the Temporal server config template reads SQL_TLS_ENABLED / SQL_HOST_VERIFICATION. Without them the server connects to Postgres without TLS and a TLS-only server rejects it (schema setup succeeds, server then fails the schema-version check). Derive both from temporal.db.tls. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
SQL visibility exposes only 3 Text search-attribute slots; auto-setup's demo Custom*Field attributes consume two. Add temporal.skipAddCustomSearchAttributes (default true) so apps can register their own custom attributes. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
There was a problem hiding this comment.
🧹 Nitpick comments (3)
charts/postiz/templates/temporal-deployment.yaml (2)
23-97: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick winAdd pod and container
securityContextfor production readiness.The PR targets production self-hosting, but the Temporal deployment defines no
securityContextat the pod or container level. Without it, the container may run as root with default capabilities. Even if thetemporalio/auto-setupimage requires elevated permissions for schema setup, a pod-levelrunAsNonRoot: truewith afsGroupand a container-levelreadOnlyRootFilesystem: true(if feasible) or at minimumallowPrivilegeEscalation: falsewould improve the security posture.🛡️ Suggested securityContext additions
spec: + securityContext: + runAsNonRoot: true + fsGroup: 1000 {{- with .Values.imagePullSecrets }} imagePullSecrets: {{- toYaml . | nindent 8 }} {{- end }} containers: - name: temporal image: "{{ .Values.temporal.image.repository }}:{{ .Values.temporal.image.tag }}" imagePullPolicy: {{ .Values.temporal.image.pullPolicy }} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL ports:If the
auto-setupimage requires root for schema migration, consider making the security context configurable via.Values.temporal.podSecurityContextand.Values.temporal.securityContextso operators can tighten it in their environment.🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@charts/postiz/templates/temporal-deployment.yaml` around lines 23 - 97, The Temporal deployment template is missing pod and container security hardening, so add securityContext handling in the temporal deployment manifest using the existing temporal container spec. Update the deployment to support configurable .Values.temporal.podSecurityContext and .Values.temporal.securityContext, and apply at least runAsNonRoot/fsGroup at the pod level plus allowPrivilegeEscalation false and, if possible for the auto-setup image, readOnlyRootFilesystem at the container level. Keep the changes localized around the temporal container definition so operators can tighten defaults without breaking schema setup.
49-50: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick winQuote
secretKeyRefname and key values.Unquoted
nameandkeyvalues can break YAML rendering if the values contain special characters (e.g., colons, leading spaces). Helm best practice is to quote all string values in rendered manifests.♻️ Proposed fix
- name: POSTGRES_PWD valueFrom: secretKeyRef: - name: {{ .Values.temporal.db.passwordSecret.name }} - key: {{ .Values.temporal.db.passwordSecret.key }} + name: {{ .Values.temporal.db.passwordSecret.name | quote }} + key: {{ .Values.temporal.db.passwordSecret.key | quote }}🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@charts/postiz/templates/temporal-deployment.yaml` around lines 49 - 50, The Temporal deployment template is rendering secretKeyRef fields with unquoted string values, which can cause YAML issues when the values contain special characters. Update the secret reference in the temporal-deployment.yaml template so the name and key values under secretKeyRef are quoted, keeping the fix localized to the templating logic that reads .Values.temporal.db.passwordSecret.name and .Values.temporal.db.passwordSecret.key.charts/postiz/values.yaml (1)
112-147: 🔒 Security & Privacy | 🔵 TrivialPrefer
temporalio/serverover the deprecatedauto-setupimage.temporalio/auto-setupis deprecated, so this default should move to the supported server image for new deployments.🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@charts/postiz/values.yaml` around lines 112 - 147, The bundled Temporal configuration still defaults to the deprecated temporalio/auto-setup image, so update the temporal section to use the supported temporalio/server image for new deployments. Adjust the temporal.image.repository value and any related image assumptions in the temporal block so the default points to the server image while preserving the existing optional bundled setup behavior.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Nitpick comments:
In `@charts/postiz/templates/temporal-deployment.yaml`:
- Around line 23-97: The Temporal deployment template is missing pod and
container security hardening, so add securityContext handling in the temporal
deployment manifest using the existing temporal container spec. Update the
deployment to support configurable .Values.temporal.podSecurityContext and
.Values.temporal.securityContext, and apply at least runAsNonRoot/fsGroup at the
pod level plus allowPrivilegeEscalation false and, if possible for the
auto-setup image, readOnlyRootFilesystem at the container level. Keep the
changes localized around the temporal container definition so operators can
tighten defaults without breaking schema setup.
- Around line 49-50: The Temporal deployment template is rendering secretKeyRef
fields with unquoted string values, which can cause YAML issues when the values
contain special characters. Update the secret reference in the
temporal-deployment.yaml template so the name and key values under secretKeyRef
are quoted, keeping the fix localized to the templating logic that reads
.Values.temporal.db.passwordSecret.name and
.Values.temporal.db.passwordSecret.key.
In `@charts/postiz/values.yaml`:
- Around line 112-147: The bundled Temporal configuration still defaults to the
deprecated temporalio/auto-setup image, so update the temporal section to use
the supported temporalio/server image for new deployments. Adjust the
temporal.image.repository value and any related image assumptions in the
temporal block so the default points to the server image while preserving the
existing optional bundled setup behavior.
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro
Run ID: 292c8884-ac46-45f6-a9c5-d47ece16634b
📒 Files selected for processing (7)
charts/postiz/Chart.yamlcharts/postiz/templates/postiz-deployment.yamlcharts/postiz/templates/postiz-pvc.yamlcharts/postiz/templates/postiz-secret.yamlcharts/postiz/templates/temporal-deployment.yamlcharts/postiz/templates/temporal-service.yamlcharts/postiz/values.yaml
What & why
Adapts the chart for production self-hosting on Kubernetes, where you typically:
values.yaml, andAll changes are opt-in and default-off; rendering existing values is unchanged.
Changes
extraEnvFrom— extraenvFromsources appended to the container, so sensitive env can come from a Secret you manage yourself.secretsSecret is now conditional ({{- if .Values.secrets }}). Setsecrets: nullto omit it entirely and supply everything viaextraEnvFrom. A populatedsecrets:still renders exactly as before.persistence.*— optionalPersistentVolumeClaimforSTORAGE_PROVIDER=localuploads (mount viaextraVolumes/extraVolumeMounts, e.g./uploads+/configbysubPath).temporal.*— optional bundled Temporal viatemporalio/auto-setup, using SQL visibility (ENABLE_ES=false, no Elasticsearch) against an external PostgreSQL, with TLS knobs and password-from-Secret. PointTEMPORAL_ADDRESSat<release>-temporal:7233.appVersion1.3.0 → 2.21.9, chart 1.0.5 → 1.1.0.Backward compatibility
Defaults keep bundled PostgreSQL/Redis enabled,
temporal.enabled: false,persistence.enabled: false,extraEnvFrom: [], and the populatedsecrets:map — so existing installs render identically.Testing
helm template/helm lintpass for: defaults,temporal.enabled=truewith external Postgres +extraEnvFrom+ PVC, andsecrets: null(no plaintext Secret rendered). Deployed against Crunchy PostgreSQL (direct connection) + Dragonfly with Temporal SQL visibility.Summary by CodeRabbit
New Features
Bug Fixes