feat(helm): add Temporal support and expand env coverage for v2.21.8

- Chart.yaml: bump to version 1.1.0, appVersion v2.21.8 - values.yaml: add temporal section (enabled/address/namespace/tls/apiKey/postgresql), expand env (~40 non-sensitive vars) and secrets (~60 sensitive vars) to match current Postiz documentation — covers all social providers, email SMTP, OAuth OIDC, AI/generation, analytics, MCP, payments, short-link services - postiz-config.yaml: inject TEMPORAL_ADDRESS (auto-computed or override), TEMPORAL_NAMESPACE and TEMPORAL_TLS when temporal.enabled or address is set - temporal-deployment.yaml: temporalio/auto-setup:1.28.1, postgres12 backend, ES disabled, dynamicconfig volume mount, liveness/readiness probes - temporal-service.yaml: ClusterIP on port 7233 (gRPC) - temporal-dynamicconfig.yaml: ConfigMap with development-sql.yaml content - temporal-init-job.yaml: post-install/upgrade Job that creates the temporal PostgreSQL user via the postgres superuser before Temporal starts - temporal-secret.yaml: Secret for temporal PostgreSQL credentials - NOTES.txt: post-install guidance, search-attribute creation reminder, multi-replica/local-storage warning, backup reminder Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-06-16 17:53:18 +02:00
parent 5d6a9de2d5
commit fc931e4707
9 changed files with 452 additions and 22 deletions
@@ -2,8 +2,8 @@ apiVersion: v2
 name: postiz-app
 description: A Social Media Scheduling App
 type: application
-version: 1.0.5
+version: 1.1.0
-appVersion: "1.3.0"
+appVersion: "v2.21.8"
 maintainers:
  - name: jonathan-irvin
    email: offendingcommit@gmail.com
@@ -0,0 +1,46 @@
 Postiz has been deployed!
 Access URL:
 {{- if .Values.ingress.enabled }}
  https://{{ (first .Values.ingress.hosts).host }}
 {{- else if eq .Values.service.type "NodePort" }}
  http://<node-ip>:{{ .Values.service.nodePort }}
 {{- else }}
  kubectl port-forward svc/{{ include "postiz.fullname" . }} 5000:80
  http://localhost:5000
 {{- end }}
 {{- if .Values.temporal.enabled }}
 Temporal:
  Internal address : {{ include "postiz.fullname" . }}-temporal:7233
  Status           : kubectl get pods -l app.kubernetes.io/component=temporal
  Init job logs    : kubectl logs job/{{ include "postiz.fullname" . }}-temporal-init
  After first deploy, create Temporal search attributes:
    kubectl exec deploy/{{ include "postiz.fullname" . }}-temporal -- \
      temporal operator search-attribute create \
        --namespace {{ .Values.temporal.namespace | default "default" }} \
        --name organizationId --type Keyword \
        --name postId --type Keyword
 {{- else if .Values.temporal.address }}
 Temporal (external): {{ .Values.temporal.address }}
 {{- else }}
 WARNING: Temporal is disabled and no address is configured.
  Postiz v2.12.0+ requires Temporal for post scheduling.
  Set temporal.enabled=true or provide temporal.address.
 {{- end }}
 {{- if and (gt (.Values.replicaCount | int) 1) (eq (.Values.env.STORAGE_PROVIDER | default "local") "local") }}
 WARNING: replicaCount={{ .Values.replicaCount }} with STORAGE_PROVIDER=local is unsupported.
  Local uploads are not shared across replicas. Use Cloudflare R2 or an RWX PVC.
 {{- end }}
 Upgrade reminder:
  Always back up the PostgreSQL database before upgrading Postiz:
    kubectl exec -n <namespace> <postgresql-pod> -- \
      pg_dump -U {{ .Values.postgresql.auth.username }} {{ .Values.postgresql.auth.database }} \
      > postiz-backup-$(date +%Y%m%d).sql
@@ -8,3 +8,10 @@ data:
  {{- range $key, $value := .Values.env }}
  {{ $key }}: {{ $value | quote }}
  {{- end }}
  {{- if .Values.temporal.enabled }}
  TEMPORAL_ADDRESS: {{ default (printf "%s-temporal:7233" (include "postiz.fullname" .)) .Values.temporal.address | quote }}
  TEMPORAL_NAMESPACE: {{ .Values.temporal.namespace | default "default" | quote }}
  TEMPORAL_TLS: {{ .Values.temporal.tls | toString | quote }}
  {{- else if .Values.temporal.address }}
  TEMPORAL_ADDRESS: {{ .Values.temporal.address | quote }}
  {{- end }}
@@ -0,0 +1,68 @@
 {{- if .Values.temporal.enabled }}
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: {{ include "postiz.fullname" . }}-temporal
  labels:
    {{- include "postiz.labels" . | nindent 4 }}
    app.kubernetes.io/component: temporal
 spec:
  replicas: 1
  selector:
    matchLabels:
      {{- include "postiz.selectorLabels" . | nindent 6 }}
      app.kubernetes.io/component: temporal
  template:
    metadata:
      labels:
        {{- include "postiz.selectorLabels" . | nindent 8 }}
        app.kubernetes.io/component: temporal
    spec:
      containers:
        - name: temporal
          image: "{{ .Values.temporal.image.repository }}:{{ .Values.temporal.image.tag }}"
          imagePullPolicy: {{ .Values.temporal.image.pullPolicy }}
          ports:
            - name: grpc
              containerPort: 7233
              protocol: TCP
          env:
            - name: DB
              value: "postgres12"
            - name: DB_PORT
              value: "5432"
            - name: POSTGRES_USER
              value: {{ .Values.temporal.postgresql.user | quote }}
            - name: POSTGRES_PWD
              valueFrom:
                secretKeyRef:
                  name: {{ include "postiz.fullname" . }}-temporal-secret
                  key: POSTGRES_PWD
            - name: POSTGRES_SEEDS
              value: {{ default (printf "%s-postgresql" .Release.Name) .Values.temporal.postgresql.seeds | quote }}
            - name: DYNAMIC_CONFIG_FILE_PATH
              value: "config/dynamicconfig/development-sql.yaml"
            - name: ENABLE_ES
              value: "false"
            - name: TEMPORAL_NAMESPACE
              value: {{ .Values.temporal.namespace | default "default" | quote }}
          volumeMounts:
            - name: dynamicconfig
              mountPath: /etc/temporal/config/dynamicconfig
          livenessProbe:
            tcpSocket:
              port: grpc
            initialDelaySeconds: 30
            periodSeconds: 15
            failureThreshold: 5
          readinessProbe:
            tcpSocket:
              port: grpc
            initialDelaySeconds: 15
            periodSeconds: 10
            failureThreshold: 5
      volumes:
        - name: dynamicconfig
          configMap:
            name: {{ include "postiz.fullname" . }}-temporal-dynamicconfig
 {{- end }}
@@ -0,0 +1,16 @@
 {{- if .Values.temporal.enabled }}
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: {{ include "postiz.fullname" . }}-temporal-dynamicconfig
  labels:
    {{- include "postiz.labels" . | nindent 4 }}
 data:
  development-sql.yaml: |
    limit.maxIDLength:
      - value: 255
        constraints: {}
    system.forceSearchAttributesCacheRefreshOnRead:
      - value: true
        constraints: {}
 {{- end }}
@@ -0,0 +1,73 @@
 {{- if .Values.temporal.enabled }}
 {{- if .Values.postgresql.enabled }}
 apiVersion: batch/v1
 kind: Job
 metadata:
  name: {{ include "postiz.fullname" . }}-temporal-init
  labels:
    {{- include "postiz.labels" . | nindent 4 }}
  annotations:
    "helm.sh/hook": post-install,post-upgrade
    "helm.sh/hook-weight": "-5"
    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
 spec:
  backoffLimit: 6
  template:
    metadata:
      labels:
        app.kubernetes.io/component: temporal-init
        {{- include "postiz.selectorLabels" . | nindent 8 }}
    spec:
      restartPolicy: OnFailure
      initContainers:
        - name: wait-for-postgres
          image: postgres:16-alpine
          command:
            - sh
            - -c
            - |
              until pg_isready -h $PGHOST -p 5432 -U postgres; do
                echo "Waiting for PostgreSQL..."; sleep 3
              done
          env:
            - name: PGHOST
              value: {{ printf "%s-postgresql" .Release.Name | quote }}
      containers:
        - name: create-temporal-user
          image: postgres:16-alpine
          command:
            - sh
            - -c
            - |
              export PGPASSWORD="$POSTGRES_PASSWORD"
              psql -h "$PGHOST" -U postgres <<-SQL
                DO \$\$ BEGIN
                  IF NOT EXISTS (SELECT FROM pg_roles WHERE rolname = '$TEMPORAL_USER') THEN
                    EXECUTE format(
                      'CREATE ROLE %I WITH LOGIN PASSWORD %L CREATEDB',
                      '$TEMPORAL_USER',
                      '$TEMPORAL_PWD'
                    );
                    RAISE NOTICE 'Role $TEMPORAL_USER created.';
                  ELSE
                    RAISE NOTICE 'Role $TEMPORAL_USER already exists, skipping.';
                  END IF;
                END \$\$;
              SQL
          env:
            - name: PGHOST
              value: {{ printf "%s-postgresql" .Release.Name | quote }}
            - name: POSTGRES_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: {{ printf "%s-postgresql" .Release.Name | quote }}
                  key: postgres-password
            - name: TEMPORAL_USER
              value: {{ .Values.temporal.postgresql.user | quote }}
            - name: TEMPORAL_PWD
              valueFrom:
                secretKeyRef:
                  name: {{ include "postiz.fullname" . }}-temporal-secret
                  key: POSTGRES_PWD
 {{- end }}
 {{- end }}
@@ -0,0 +1,14 @@
 {{- if .Values.temporal.enabled }}
 apiVersion: v1
 kind: Secret
 metadata:
  name: {{ include "postiz.fullname" . }}-temporal-secret
  labels:
    {{- include "postiz.labels" . | nindent 4 }}
 type: Opaque
 data:
  POSTGRES_PWD: {{ .Values.temporal.postgresql.password | b64enc | quote }}
  {{- if .Values.temporal.apiKey }}
  TEMPORAL_API_KEY: {{ .Values.temporal.apiKey | b64enc | quote }}
  {{- end }}
 {{- end }}
@@ -0,0 +1,19 @@
 {{- if .Values.temporal.enabled }}
 apiVersion: v1
 kind: Service
 metadata:
  name: {{ include "postiz.fullname" . }}-temporal
  labels:
    {{- include "postiz.labels" . | nindent 4 }}
    app.kubernetes.io/component: temporal
 spec:
  type: ClusterIP
  ports:
    - port: 7233
      targetPort: grpc
      protocol: TCP
      name: grpc
  selector:
    {{- include "postiz.selectorLabels" . | nindent 4 }}
    app.kubernetes.io/component: temporal
 {{- end }}
@@ -26,11 +26,9 @@ service:
  additionalPorts: []
 ingress:
-  enabled: false  # Disabled by default
+  enabled: false
  className: ""
  annotations: {}
    # kubernetes.io/ingress.class: nginx
    # kubernetes.io/tls-acme: "true"
  hosts:
    - host: chart-example.local
      paths:
@@ -38,9 +36,6 @@ ingress:
          pathType: Prefix
          port: 80
  tls: []
  #  - secretName: chart-example-tls
  #    hosts:
  #      - chart-example.local
  extraRules: []
 resources: {}
@@ -62,18 +57,22 @@ tolerations: []
 affinity: {}
-# PostgreSQL configuration
+# PostgreSQL configuration (Bitnami sub-chart)
 postgresql:
  enabled: true
  auth:
    username: postiz
    password: postiz-password
    database: postiz
    # postgresPassword is used by the temporal init job to create the temporal user.
    # Set this explicitly; if left empty, Bitnami generates a random password
    # that the init job cannot retrieve.
    postgresPassword: postgres-admin-password
  service:
    ports:
      postgresql: 5432
-# Redis configuration
+# Redis configuration (Bitnami sub-chart)
 redis:
  enabled: true
  auth:
@@ -83,21 +82,134 @@ redis:
      ports:
        redis: 6379
-# Environment variables
+# Temporal workflow orchestration (required since Postiz v2.12.0)
 # temporal.enabled=true  → deploys Temporal alongside Postiz using the postgresql sub-chart
 # temporal.enabled=false → Temporal must be deployed separately; set temporal.address
 temporal:
  enabled: true
  # address: override auto-computed service address (<release>-temporal:7233)
  address: ""
  namespace: "default"
  tls: false
  # apiKey: only required for Temporal Cloud; leave empty for self-hosted
  apiKey: ""
  image:
    repository: temporalio/auto-setup
    tag: "1.28.1"
    pullPolicy: IfNotPresent
  postgresql:
    # Credentials for the temporal user created in the shared PostgreSQL instance.
    # The init job creates this user via the postgres superuser before Temporal starts.
    user: temporal
    password: "temporal-password"
    # seeds: PostgreSQL hostname. Defaults to the Bitnami postgresql sub-chart service.
    seeds: ""
 # Non-sensitive environment variables (injected via ConfigMap)
 env:
  # === Required ===
  FRONTEND_URL: "http://localhost:4200"
  NEXT_PUBLIC_BACKEND_URL: "http://localhost:3000"
-  BACKEND_INTERNAL_URL: "http://backend:3000"
+  BACKEND_INTERNAL_URL: "http://localhost:3000"
  # === Application behaviour ===
  IS_GENERAL: "true"
  NX_ADD_PLUGINS: "false"
  MAIN_URL: ""
  DISABLE_REGISTRATION: "false"
  RUN_CRON: ""
  API_LIMIT: "90"
  RESTRICT_UPLOAD_DOMAINS: ""
  DISALLOW_PLUS: ""
  DISABLE_IMAGE_COMPRESSION: "false"
  MOBILE_APP_SCHEME: ""
  NOT_SECURED: "false"
  # === Storage ===
  STORAGE_PROVIDER: "local"
  UPLOAD_DIRECTORY: ""
  NEXT_PUBLIC_UPLOAD_STATIC_DIRECTORY: ""
-  NX_ADD_PLUGINS: "false"
+  CLOUDFLARE_REGION: "auto"
  IS_GENERAL: "true"
-# Sensitive environment variables (to be stored in Secrets)
+  # === Email ===
  EMAIL_PROVIDER: "resend"
  EMAIL_HOST: ""
  EMAIL_PORT: ""
  EMAIL_SECURE: "false"
  EMAIL_FROM_ADDRESS: ""
  EMAIL_FROM_NAME: ""
  # === OAuth / OIDC sign-in ===
  POSTIZ_GENERIC_OAUTH: "false"
  POSTIZ_OAUTH_URL: ""
  POSTIZ_OAUTH_AUTH_URL: ""
  POSTIZ_OAUTH_TOKEN_URL: ""
  POSTIZ_OAUTH_USERINFO_URL: ""
  POSTIZ_OAUTH_SCOPE: "openid profile email"
  NEXT_PUBLIC_POSTIZ_OAUTH_DISPLAY_NAME: ""
  NEXT_PUBLIC_POSTIZ_OAUTH_LOGO_URL: ""
  # === Social providers — non-sensitive settings ===
  X_URL: ""
  DISABLE_X_ANALYTICS: ""
  STRIP_LINKS_FROM_X_POSTS: ""
  MASTODON_URL: "https://mastodon.social"
  NEYNAR_LOGIN_URL: ""
  MEWE_HOST: ""
  # === MCP / Agent ===
  MCP_URL: ""
  BACKEND_URL: ""
  # === Payments ===
  FEE_AMOUNT: "0.05"
  # === Analytics & tracking (frontend) ===
  NEXT_PUBLIC_SENTRY_DSN: ""
  NEXT_PUBLIC_GTM_ID: ""
  NEXT_PUBLIC_FACEBOOK_PIXEL: ""
  NEXT_PUBLIC_POSTHOG_HOST: ""
  NEXT_PUBLIC_POSTHOG_KEY: ""
  SENTRY_ORG: ""
  SENTRY_PROJECT: ""
  SENTRY_SPOTLIGHT: "false"
  # === Misc frontend ===
  NEXT_PUBLIC_DISCORD_SUPPORT: ""
  NEXT_PUBLIC_POLOTNO: ""
  NEXT_PUBLIC_VERSION: ""
  NEXT_PUBLIC_APP_VERSION: ""
  NEXT_PUBLIC_OVERRIDE_BACKEND_URL: ""
  # === Runtime ===
  PORT: "3000"
  TZ: "UTC"
  NODE_ENV: "production"
 # Sensitive environment variables (injected via Secret)
 secrets:
  # === Required ===
  DATABASE_URL: ""
  REDIS_URL: ""
  JWT_SECRET: ""
  # === Storage — Cloudflare R2 ===
  CLOUDFLARE_ACCOUNT_ID: ""
  CLOUDFLARE_ACCESS_KEY: ""
  CLOUDFLARE_SECRET_ACCESS_KEY: ""
  CLOUDFLARE_BUCKETNAME: ""
  CLOUDFLARE_BUCKET_URL: ""
  # === Email ===
  RESEND_API_KEY: ""
  EMAIL_USER: ""
  EMAIL_PASS: ""
  # === OAuth / OIDC sign-in ===
  POSTIZ_OAUTH_CLIENT_ID: ""
  POSTIZ_OAUTH_CLIENT_SECRET: ""
  # === Social providers ===
  X_API_KEY: ""
  X_API_SECRET: ""
  LINKEDIN_CLIENT_ID: ""
@@ -106,9 +218,84 @@ secrets:
  REDDIT_CLIENT_SECRET: ""
  GITHUB_CLIENT_ID: ""
  GITHUB_CLIENT_SECRET: ""
-  RESEND_API_KEY: ""
+  FACEBOOK_APP_ID: ""
-  CLOUDFLARE_ACCOUNT_ID: ""
+  FACEBOOK_APP_SECRET: ""
-  CLOUDFLARE_ACCESS_KEY: ""
+  INSTAGRAM_APP_ID: ""
-  CLOUDFLARE_SECRET_ACCESS_KEY: ""
+  INSTAGRAM_APP_SECRET: ""
-  CLOUDFLARE_BUCKETNAME: ""
+  THREADS_APP_ID: ""
-  CLOUDFLARE_BUCKET_URL: ""
+  THREADS_APP_SECRET: ""
  YOUTUBE_CLIENT_ID: ""
  YOUTUBE_CLIENT_SECRET: ""
  GOOGLE_GMB_CLIENT_ID: ""
  GOOGLE_GMB_CLIENT_SECRET: ""
  TIKTOK_CLIENT_ID: ""
  TIKTOK_CLIENT_SECRET: ""
  PINTEREST_CLIENT_ID: ""
  PINTEREST_CLIENT_SECRET: ""
  DRIBBBLE_CLIENT_ID: ""
  DRIBBBLE_CLIENT_SECRET: ""
  DISCORD_CLIENT_ID: ""
  DISCORD_CLIENT_SECRET: ""
  DISCORD_BOT_TOKEN_ID: ""
  SLACK_ID: ""
  SLACK_SECRET: ""
  SLACK_SIGNING_SECRET: ""
  TELEGRAM_TOKEN: ""
  TELEGRAM_BOT_NAME: ""
  MASTODON_CLIENT_ID: ""
  MASTODON_CLIENT_SECRET: ""
  NEYNAR_CLIENT_ID: ""
  NEYNAR_SECRET_KEY: ""
  MEWE_APP_ID: ""
  MEWE_API_KEY: ""
  TWITCH_CLIENT_ID: ""
  TWITCH_CLIENT_SECRET: ""
  KICK_CLIENT_ID: ""
  KICK_SECRET: ""
  VK_ID: ""
  WHOP_CLIENT_ID: ""
  BEEHIIVE_API_KEY: ""
  BEEHIIVE_PUBLICATION_ID: ""
  LISTMONK_DOMAIN: ""
  LISTMONK_USER: ""
  LISTMONK_API_KEY: ""
  LISTMONK_LIST_ID: ""
  LISTMONK_WELCOME_TEMPLATE_ID: ""
  EXTENSION_ID: ""
  # === AI / Generation ===
  OPENAI_API_KEY: ""
  OPENAI_APP_CHALLANGE: ""
  ELEVENSLABS_API_KEY: ""
  FAL_KEY: ""
  TAVILY_API_KEY: ""
  KIEAI_API_KEY: ""
  TRANSLOADIT_AUTH: ""
  TRANSLOADIT_SECRET: ""
  TRANSLOADIT_TEMPLATE: ""
  # === Payments ===
  STRIPE_PUBLISHABLE_KEY: ""
  STRIPE_SECRET_KEY: ""
  STRIPE_SIGNING_KEY: ""
  STRIPE_SIGNING_KEY_CONNECT: ""
  STRIPE_DISCOUNT_ID: ""
  NOWPAYMENTS_API_KEY: ""
  NOWPAYMENTS_AMOUNT: ""
  # === Analytics secrets ===
  FACEBOOK_PIXEL_ACCESS_TOKEN: ""
  NEXT_PUBLIC_TRACKING_TRIAL: ""
  DATAFAST_API_KEY: ""
  DATAFAST_WEBSITE_ID: ""
  SENTRY_AUTH_TOKEN: ""
  # === MCP / Agent ===
  AGENT_API_KEY: ""
  AGENT_MEDIA_SSO_KEY: ""
  # === Short-link providers ===
  DUB_TOKEN: ""
  SHORT_IO_SECRET_KEY: ""
  KUTT_API_KEY: ""
  LINK_DRIP_API_KEY: ""