postiz + instagram-poster: deploy fixes after first apply

- postiz: pin chart name to 'postiz-app' (was 'postiz', wrong path)
  and override bundled bitnami subchart images to bitnamilegacy/* —
  Bitnami removed bitnami/postgresql + bitnami/redis from DockerHub
  in Aug 2025 (Broadcom acquisition).
- postiz: enable initial registration (DISABLE_REGISTRATION=false)
  so first admin user can be created in UI; tighten after.
- instagram-poster: add securityContext (fsGroup/runAsUser=10001)
  so kubelet chowns the PVC mount for the non-root 'poster' user;
  was crashing on alembic with 'unable to open database file'.
- instagram-poster: bump image_tag to 24935ab4 (uvicorn now binds
  to port 8000 to match Service contract; was 8080 -> probe 404).
Viktor Barzin 2026-05-09 00:47:14 +00:00
parent d5a01b6ad2
commit 71e3439650
No known key found for this signature in database
GPG key ID: 4056458DBDBF8863
3 changed files with 23 additions and 2 deletions


@ -152,6 +152,15 @@ resource "kubernetes_deployment" "instagram_poster" {
name = "registry-credentials"
}
# PVC mounts as root by default; pod runs as uid/gid 10001 (poster).
# fs_group makes kubelet chown the volume to gid 10001 on mount.
security_context {
fs_group = 10001
run_as_user = 10001
run_as_group = 10001
run_as_non_root = true
}
container {
name = "instagram-poster"
image = local.image
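Review bot: The new pod-level `security_context` fixes the UID/GID and the volume ownership, but nothing in this hunk restricts privilege escalation, capabilities or syscalls for the container. The `container` block starts at the end of the hunk and continues outside it, so check whether it already carries its own `security_context`; if it does not, add one with `allow_privilege_escalation = false` and `capabilities { drop = ["ALL"] }`. Adding `seccomp_profile { type = "RuntimeDefault" }` to the pod-level block would complete the baseline. If the volume grows, `fs_group_change_policy = "OnRootMismatch"` avoids a recursive chown on every mount.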


@ -19,5 +19,5 @@ dependency "external-secrets" {
inputs = {
# Bump per deploy. Use 8-char git SHA :latest causes stale pull-through cache.
image_tag = "23f8b4ed"
image_tag = "24935ab4"
}


@ -102,7 +102,7 @@ resource "helm_release" "postiz" {
timeout = 600
repository = "oci://ghcr.io/gitroomhq/postiz-helmchart/charts"
chart = "postiz"
chart = "postiz-app"
version = var.chart_version
values = [yamlencode({
@ -184,8 +184,15 @@ resource "helm_release" "postiz" {
# PG/Redis Services are ClusterIP and only routable from the postiz
# namespace, so the credentials never leave the pod network. Promotion to
# CNPG with Vault-rotated creds is the next step.
# Bitnami removed bitnami/postgresql + bitnami/redis from DockerHub
# (Broadcom acquisition, Aug 2025). Older tags moved to bitnamilegacy/*.
postgresql = {
enabled = true
image = {
registry = "docker.io"
repository = "bitnamilegacy/postgresql"
tag = "16.4.0-debian-12-r7"
}
auth = {
username = "postiz"
database = "postiz"
@ -194,6 +201,11 @@ resource "helm_release" "postiz" {
redis = {
enabled = true
image = {
registry = "docker.io"
repository = "bitnamilegacy/redis"
tag = "7.4.0-debian-12-r2"
}
}
})]
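Review bot: The `image` overrides in the `postgresql` and `redis` blocks point at `bitnamilegacy/*`, an archive of old tags that receives no further security updates, and they pin by tag only. The added comment explains why the repository changed but not that these images are frozen; I would extend it with `# bitnamilegacy/* gets no security patches: temporary until the CNPG migration`. If the bundled subcharts accept it, also pin each image with `digest = "sha256:<verified digest>"` so that a re-pushed tag cannot change what runs. The `values` map continues outside the hunks shown, so other image or auth settings were not reviewed.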