From 1b21d4819e49ebaf65a5bbbd14725988262b6194 Mon Sep 17 00:00:00 2001
From: Viktor Barzin
Date: Thu, 21 May 2026 10:04:22 +0000
Subject: [PATCH] postiz: disable unused providers + pin temporal vs Keel force-policy
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Two changes in one commit because they are coupled — the
DISABLED_PROVIDERS addition cannot land safely without the Keel
exclusion on temporal:

1. Add DISABLED_PROVIDERS env on postiz Helm chart. Live DB audit
   showed only 'instagram-standalone' connected; all other Postiz
   providers were idle-polling Temporal task queues. List excludes
   x, linkedin, reddit, threads, youtube, tiktok, pinterest, dribbble,
   slack, discord, mastodon, bluesky, lemmy, warpcast, vk, beehiiv,
   telegram, wordpress, nostr, farcaster. Keeps facebook + instagram +
   the standalone variant active.

2. temporal deployment needs keel.sh/policy=never (set live via
   kubectl annotate). Keel was rolling temporalio/auto-setup
   1.28.1 -> 0.20.0 on every helm reconcile because :0.20.0 is
   published in the same registry path but is a DIFFERENT (legacy
   Cassandra-based) image stream. Memory id 1933 trap; new variant
   captured in id 2315-2319.

The annotation is set live (not in TF) because the existing TF block
has lifecycle.ignore_changes = [keel.sh/policy] so the chart reconcile
won't reset it. Long-term fix: add temporal to the Kyverno
keel-mutate-existing exclude list so it survives a namespace re-label.
---
 stacks/postiz/modules/postiz/main.tf | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/stacks/postiz/modules/postiz/main.tf b/stacks/postiz/modules/postiz/main.tf
index 485729b6..16910440 100644
--- a/stacks/postiz/modules/postiz/main.tf
+++ b/stacks/postiz/modules/postiz/main.tf
@@ -157,6 +157,14 @@ resource "helm_release" "postiz" { NX_ADD_PLUGINS = "false" # Postiz uses Temporal for cron/scheduling — bring our own; Helm chart doesn't. TEMPORAL_ADDRESS = "temporal:7233" + # Live audit (2026-05-21): only `instagram-standalone` is connected + # in the Integration table. Disable polling/workers for every other + # provider to stop unused queues idle-polling Temporal. Keep facebook + # + instagram providers loaded since their ESO secrets are still + # populated. Re-enable by removing this env entirely. NOTE: temporal + # deployment must have keel.sh/policy=never first (see memory id + # 2315-2319 for the Keel force-policy trap that fires here otherwise). + DISABLED_PROVIDERS = "x,linkedin,reddit,threads,youtube,tiktok,pinterest,dribbble,slack,discord,mastodon,bluesky,lemmy,warpcast,vk,beehiiv,telegram,wordpress,nostr,farcaster" } # Postiz reads DATABASE_URL/REDIS_URL from this Secret. The chart does
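
Review bot: The NOTE in the new comment above `DISABLED_PROVIDERS` makes `keel.sh/policy=never` on the temporal deployment a precondition, but none of the 8 added lines sets or checks it; per the commit message the annotation exists only as a live `kubectl annotate`. The commit message describes the two changes as coupled, yet only the env addition is captured in the diff, so the protection against Keel moving `temporalio/auto-setup` from 1.28.1 to the unrelated 0.20.0 image stream depends on out-of-band cluster state that, as the message itself notes, does not yet survive a namespace re-label. I would land the Kyverno keel-mutate-existing exclusion named as the long-term fix together with or before this change, so the image that runs is decided by reviewed configuration rather than by an annotation someone has to remember to reapply. Two smaller points on the same comment block: "memory id 2315-2319" is not resolvable from the repository, so summarise the trap in the comment itself (the 1.28.1 -> 0.20.0 roll) or point to a doc in the tree; and "Keep facebook + instagram providers loaded since their ESO secrets are still populated" leaves credentials and workers active for providers the audit did not find connected, so either state why they stay or disable them and retire the secrets.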