postiz: disable unused providers + pin temporal vs Keel force-policy

Two changes in one commit because they are coupled — the DISABLED_PROVIDERS
addition cannot land safely without the Keel exclusion on temporal:

1. Add DISABLED_PROVIDERS env on postiz Helm chart. Live DB audit showed
   only 'instagram-standalone' connected; all other Postiz providers
   were idle-polling Temporal task queues. List excludes x, linkedin,
   reddit, threads, youtube, tiktok, pinterest, dribbble, slack,
   discord, mastodon, bluesky, lemmy, warpcast, vk, beehiiv, telegram,
   wordpress, nostr, farcaster. Keeps facebook + instagram + the
   standalone variant active.

2. temporal deployment needs keel.sh/policy=never (set live via kubectl
   annotate). Keel was rolling temporalio/auto-setup 1.28.1 -> 0.20.0
   on every helm reconcile because :0.20.0 is published in the same
   registry path but is a DIFFERENT (legacy Cassandra-based) image
   stream. Memory id 1933 trap; new variant captured in id 2315-2319.

   The annotation is set live (not in TF) because the existing TF block
   has lifecycle.ignore_changes = [keel.sh/policy] so the chart
   reconcile won't reset it. Long-term fix: add temporal to the
   Kyverno keel-mutate-existing exclude list so it survives a
   namespace re-label.
Viktor Barzin 2026-05-21 10:04:22 +00:00
parent 533a89a010
commit 1b21d4819e

@ -157,6 +157,14 @@ resource "helm_release" "postiz" {
NX_ADD_PLUGINS = "false"
# Postiz uses Temporal for cron/scheduling bring our own; Helm chart doesn't.
TEMPORAL_ADDRESS = "temporal:7233"
# Live audit (2026-05-21): only `instagram-standalone` is connected
# in the Integration table. Disable polling/workers for every other
# provider to stop unused queues idle-polling Temporal. Keep facebook
# + instagram providers loaded since their ESO secrets are still
# populated. Re-enable by removing this env entirely. NOTE: temporal
# deployment must have keel.sh/policy=never first (see memory id
# 2315-2319 for the Keel force-policy trap that fires here otherwise).
DISABLED_PROVIDERS = "x,linkedin,reddit,threads,youtube,tiktok,pinterest,dribbble,slack,discord,mastodon,bluesky,lemmy,warpcast,vk,beehiiv,telegram,wordpress,nostr,farcaster"
}
# Postiz reads DATABASE_URL/REDIS_URL from this Secret. The chart does
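Review bot: The precondition in the comment above DISABLED_PROVIDERS ("temporal deployment must have keel.sh/policy=never first") rests on a pointer to "memory id 2315-2319", which a reader of this Terraform file cannot resolve, and nothing in the hunk sets or checks that annotation. Put the concrete reason in the comment itself and say where the annotation is applied, so the ordering requirement is still understandable without the external note. Separately, DISABLED_PROVIDERS is a hand-maintained denylist held in one long string: anything not named in it stays loaded (as the comment notes for facebook and instagram), so the list needs re-checking whenever the provider set changes, and writing it as a list joined with commas would make later diffs reviewable per provider.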