From 92ceb76f23113a813091f7e8bdfb748f02650386 Mon Sep 17 00:00:00 2001
From: billisdead
Date: Wed, 17 Jun 2026 08:37:05 +0200
Subject: [PATCH] fix(helm): address CodeRabbit review findings
NOTES.txt:
- Detect ingress scheme dynamically (http/https based on .Values.ingress.tls)
- Include first path in ingress URL output
- Use .Values.service.port in port-forward example instead of hardcoded 80
- Add -n {{ .Release.Namespace }} to all kubectl commands
postiz-config.yaml:
- Merge temporal enabled/external branches: external address now also emits TEMPORAL_NAMESPACE and TEMPORAL_TLS, not just TEMPORAL_ADDRESS
temporal-init-job.yaml:
- Use .Values.temporal.postgresql.seeds as PGHOST source (with fallback to bitnami sub-chart service name) so init job and runtime use the same host
- Switch to quoted heredoc (<<-'SQL') + psql --set to pass credentials as psql variables, preventing shell expansion from breaking on special chars
temporal-secret.yaml:
- Add required validation: temporal.postgresql.password must be set explicitly when temporal.enabled=true
values.yaml:
- Remove hardcoded default passwords (postgresPassword, temporal.postgresql.password) replaced with empty strings to avoid predictable default credentials
Co-Authored-By: Claude Sonnet 4.6
---
 charts/postiz/templates/NOTES.txt | 12 +++++-----
 charts/postiz/templates/postiz-config.yaml | 4 +---
 .../postiz/templates/temporal-init-job.yaml | 22 ++++++++++---------
 charts/postiz/templates/temporal-secret.yaml | 2 +-
 charts/postiz/values.yaml | 4 ++--
 5 files changed, 22 insertions(+), 22 deletions(-)
diff --git a/charts/postiz/templates/NOTES.txt b/charts/postiz/templates/NOTES.txt
index b86cad7..2be0324 100644
--- a/charts/postiz/templates/NOTES.txt
+++ b/charts/postiz/templates/NOTES.txt
@@ -2,11 +2,11 @@ Postiz has been deployed!
 Access URL:
 {{- if .Values.ingress.enabled }}
- https://{{ (first .Values.ingress.hosts).host }}
+ {{ if .Values.ingress.tls }}https{{ else }}http{{ end }}://{{ (first .Values.ingress.hosts).host }}{{ (first (first .Values.ingress.hosts).paths).path }}
 {{- else if eq .Values.service.type "NodePort" }}
 http://:{{ .Values.service.nodePort }}
 {{- else }}
- kubectl port-forward svc/{{ include "postiz.fullname" . }} 5000:80
+ kubectl port-forward svc/{{ include "postiz.fullname" . }} 5000:{{ .Values.service.port }}
 http://localhost:5000
 {{- end }}
@@ -14,11 +14,11 @@ Access URL:
 Temporal:
 Internal address : {{ include "postiz.fullname" . }}-temporal:7233
- Status : kubectl get pods -l app.kubernetes.io/component=temporal
- Init job logs : kubectl logs job/{{ include "postiz.fullname" . }}-temporal-init
+ Status : kubectl -n {{ .Release.Namespace }} get pods -l app.kubernetes.io/component=temporal
+ Init job logs : kubectl -n {{ .Release.Namespace }} logs job/{{ include "postiz.fullname" . }}-temporal-init
 After first deploy, create Temporal search attributes:
- kubectl exec deploy/{{ include "postiz.fullname" . }}-temporal -- \
+ kubectl -n {{ .Release.Namespace }} exec deploy/{{ include "postiz.fullname" . }}-temporal -- \
 temporal operator search-attribute create \
 --namespace {{ .Values.temporal.namespace | default "default" }} \
 --name organizationId --type Keyword \
@@ -41,6 +41,6 @@ WARNING: replicaCount={{ .Values.replicaCount }} with STORAGE_PROVIDER=local is
 Upgrade reminder:
 Always back up the PostgreSQL database before upgrading Postiz:
- kubectl exec -n -- \
+ kubectl exec -n {{ .Release.Namespace }} -- \
 pg_dump -U {{ .Values.postgresql.auth.username }} {{ .Values.postgresql.auth.database }} \
 > postiz-backup-$(date +%Y%m%d).sql
diff --git a/charts/postiz/templates/postiz-config.yaml b/charts/postiz/templates/postiz-config.yaml
index 3a7599a..df46e34 100644
--- a/charts/postiz/templates/postiz-config.yaml
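Review bot: The new ingress URL line `{{ (first (first .Values.ingress.hosts).paths).path }}` aborts rendering when the first host has no `paths` (key missing or empty list), because `.path` is then evaluated on nil, and an error in NOTES.txt fails the whole `helm install`/`upgrade`, not just the notes output. Guard the segment so it is skipped in both cases: `{{ with (first .Values.ingress.hosts).paths }}{{ (first .).path }}{{ end }}`. In the third hunk, `kubectl exec -n {{ .Release.Namespace }} -- \` has nothing between the namespace and `--`; if a pod-name placeholder was lost when this page was rendered, ignore this, otherwise the backup example cannot run as written.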
+++ b/charts/postiz/templates/postiz-config.yaml
@@ -8,10 +8,8 @@ data:
 {{- range $key, $value := .Values.env }}
 {{ $key }}: {{ $value | quote }}
 {{- end }}
- {{- if .Values.temporal.enabled }}
+ {{- if or .Values.temporal.enabled .Values.temporal.address }}
 TEMPORAL_ADDRESS: {{ default (printf "%s-temporal:7233" (include "postiz.fullname" .)) .Values.temporal.address | quote }}
 TEMPORAL_NAMESPACE: {{ .Values.temporal.namespace | default "default" | quote }}
 TEMPORAL_TLS: {{ .Values.temporal.tls | toString | quote }}
- {{- else if .Values.temporal.address }}
- TEMPORAL_ADDRESS: {{ .Values.temporal.address | quote }}
 {{- end }}
diff --git a/charts/postiz/templates/temporal-init-job.yaml b/charts/postiz/templates/temporal-init-job.yaml
index b693a19..b93777b 100644
--- a/charts/postiz/templates/temporal-init-job.yaml
+++ b/charts/postiz/templates/temporal-init-job.yaml
@@ -32,7 +32,7 @@ spec:
 done
 env:
 - name: PGHOST
- value: {{ printf "%s-postgresql" .Release.Name | quote }}
+ value: {{ default (printf "%s-postgresql" .Release.Name) .Values.temporal.postgresql.seeds | splitList "," | first | quote }}
 containers:
 - name: create-temporal-user
 image: postgres:16-alpine
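Review bot: The widened condition `{{- if or .Values.temporal.enabled .Values.temporal.address }}` now routes the external-address case through the unchanged context line `TEMPORAL_TLS: {{ .Values.temporal.tls | toString | quote }}`; if `temporal.tls` is not declared in values.yaml (not visible in this patch), `toString` renders the missing value as the string `"<nil>"`, so the consumer receives something that is neither `"true"` nor `"false"`. Making the default explicit removes the dependency on values.yaml: `TEMPORAL_TLS: {{ .Values.temporal.tls | default false | toString | quote }}`. The `data:` mapping starts before this hunk.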
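Review bot: The PGHOST expression `default (printf "%s-postgresql" .Release.Name) .Values.temporal.postgresql.seeds | splitList "," | first | quote` is now written twice, here for the init container and again for the `create-temporal-user` container in the `@@ -41,23 +41,25 @@` hunk, so the two can drift the next time one is edited; it also keeps whitespace around the comma (`seeds: " db-a, db-b"` yields `" db-a"`). Compute it once at the top of the template and reference it from both env entries: `{{- $pgHost := default (printf "%s-postgresql" .Release.Name) .Values.temporal.postgresql.seeds | splitList "," | first | trim }}` and `value: {{ $pgHost | quote }}`. The init container's definition starts before this hunk.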
@@ -41,23 +41,25 @@ spec:
 - -c
 - |
 export PGPASSWORD="$POSTGRES_PASSWORD"
- psql -h "$PGHOST" -U postgres <<-SQL
- DO \$\$ BEGIN
- IF NOT EXISTS (SELECT FROM pg_roles WHERE rolname = '$TEMPORAL_USER') THEN
+ psql -h "$PGHOST" -U postgres \
+ --set=temporal_user="$TEMPORAL_USER" \
+ --set=temporal_pwd="$TEMPORAL_PWD" <<-'SQL'
+ DO $$ BEGIN
+ IF NOT EXISTS (SELECT FROM pg_roles WHERE rolname = :'temporal_user') THEN
 EXECUTE format(
 'CREATE ROLE %I WITH LOGIN PASSWORD %L CREATEDB',
- '$TEMPORAL_USER',
- '$TEMPORAL_PWD'
+ :'temporal_user',
+ :'temporal_pwd'
 );
- RAISE NOTICE 'Role $TEMPORAL_USER created.';
+ RAISE NOTICE 'Role created.';
 ELSE
- RAISE NOTICE 'Role $TEMPORAL_USER already exists, skipping.';
+ RAISE NOTICE 'Role already exists, skipping.';
 END IF;
- END \$\$;
+ END $$;
 SQL
 env:
 - name: PGHOST
- value: {{ printf "%s-postgresql" .Release.Name | quote }}
+ value: {{ default (printf "%s-postgresql" .Release.Name) .Values.temporal.postgresql.seeds | splitList "," | first | quote }}
 - name: POSTGRES_PASSWORD
 valueFrom:
 secretKeyRef:
diff --git a/charts/postiz/templates/temporal-secret.yaml b/charts/postiz/templates/temporal-secret.yaml
index 1e76e3a..8d65538 100644
--- a/charts/postiz/templates/temporal-secret.yaml
+++ b/charts/postiz/templates/temporal-secret.yaml
@@ -7,7 +7,7 @@ metadata:
 {{- include "postiz.labels" . | nindent 4 }}
 type: Opaque
 data:
- POSTGRES_PWD: {{ .Values.temporal.postgresql.password | b64enc | quote }}
+ POSTGRES_PWD: {{ required "temporal.postgresql.password is required when temporal.enabled=true" .Values.temporal.postgresql.password | b64enc | quote }}
 {{- if .Values.temporal.apiKey }}
 TEMPORAL_API_KEY: {{ .Values.temporal.apiKey | b64enc | quote }}
 {{- end }}
diff --git a/charts/postiz/values.yaml b/charts/postiz/values.yaml
index ddcec6f..104047c 100644
--- a/charts/postiz/values.yaml
+++ b/charts/postiz/values.yaml
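Review bot: The psql variables passed with `--set` are never substituted inside the `DO $$ … $$` block, because psql performs no `:'name'` interpolation within quoted or dollar-quoted literals, so the server receives the literal text `:'temporal_user'` and the block fails with a syntax error — the role is not created. The failure is also silent: psql exits 0 on a SQL error unless `ON_ERROR_STOP` is set, so the Job reports success. Passing `--set=temporal_pwd="$TEMPORAL_PWD"` additionally puts the password on the psql command line, where it is readable from the container's process list. A fix that keeps the quoted heredoc: read both credentials into psql variables with backtick `\set` (the command is run by a shell psql spawns, which sees the container environment), build the `CREATE ROLE` statement with `format()` in a plain `SELECT` guarded by `WHERE NOT EXISTS`, and execute it with `\gexec`, with `-v ON_ERROR_STOP=1` so a SQL error fails the Job. The container spec (its remaining `env` entries) runs past the end of the hunk.
```yaml
- |
  export PGPASSWORD="$POSTGRES_PASSWORD"
  psql -h "$PGHOST" -U postgres -v ON_ERROR_STOP=1 <<-'SQL'
  \set temporal_user `printf '%s' "$TEMPORAL_USER"`
  \set temporal_pwd `printf '%s' "$TEMPORAL_PWD"`
  SELECT format('CREATE ROLE %I WITH LOGIN PASSWORD %L CREATEDB', :'temporal_user', :'temporal_pwd')
    WHERE NOT EXISTS (SELECT FROM pg_roles WHERE rolname = :'temporal_user')
  \gexec
  SQL
# … unchanged: env (PGHOST, POSTGRES_PASSWORD, …) …
```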
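Review bot: The `required` on `POSTGRES_PWD` fires whenever this template is rendered, so its message `… is required when temporal.enabled=true` is only accurate if the document is gated on `.Values.temporal.enabled`; the top of the file is outside the hunk, so I cannot confirm that. If it is not gated, every install with Temporal disabled — including the external-address case that the postiz-config change now supports, which may still need `TEMPORAL_API_KEY` from this same Secret — fails on a password that is never used. Emitting only that key conditionally keeps the Secret available for the external case: `{{- if .Values.temporal.enabled }}` / `POSTGRES_PWD: {{ required "temporal.postgresql.password is required when temporal.enabled=true" .Values.temporal.postgresql.password | b64enc | quote }}` / `{{- end }}`.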
@@ -67,7 +67,7 @@ postgresql:
 # postgresPassword is used by the temporal init job to create the temporal user.
 # Set this explicitly; if left empty, Bitnami generates a random password
 # that the init job cannot retrieve.
- postgresPassword: postgres-admin-password
+ postgresPassword: ""
 service:
 ports:
 postgresql: 5432
@@ -101,7 +101,7 @@ temporal:
 # Credentials for the temporal user created in the shared PostgreSQL instance.
 # The init job creates this user via the postgres superuser before Temporal starts.
 user: temporal
- password: "temporal-password"
+ password: ""
 # seeds: PostgreSQL hostname. Defaults to the Bitnami postgresql sub-chart service.
 seeds: ""
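Review bot: `postgresPassword: ""` is now the default that the comment directly above it warns against: an empty value makes Bitnami generate a password the init job cannot retrieve, so a default install produces an init Job that fails authentication at runtime instead of failing at `helm install`. Unless the Job actually reads the Bitnami-generated Secret (its `secretKeyRef` is cut off in the temporal-init-job hunk, so I cannot tell), add a `required` check where the value is consumed, as this commit already does for `temporal.postgresql.password`, and say so here: `# Required when temporal.enabled=true; the chart refuses to render if it is empty.`. The `password: ""` change in the second hunk has the same gap: nothing in its comment says the value is now mandatory and validated by temporal-secret.yaml.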