From 71e343965085c47d266cfa71f6e5bf1e740f6751 Mon Sep 17 00:00:00 2001
From: Viktor Barzin
Date: Sat, 9 May 2026 00:47:14 +0000
Subject: [PATCH] postiz + instagram-poster: deploy fixes after first apply
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- postiz: pin chart name to 'postiz-app' (was 'postiz', wrong path) and override bundled bitnami subchart images to bitnamilegacy/* — Bitnami removed bitnami/postgresql + bitnami/redis from DockerHub in Aug 2025 (Broadcom acquisition).
- postiz: enable initial registration (DISABLE_REGISTRATION=false) so first admin user can be created in UI; tighten after.
- instagram-poster: add securityContext (fsGroup/runAsUser=10001) so kubelet chowns the PVC mount for the non-root 'poster' user; was crashing on alembic with 'unable to open database file'.
- instagram-poster: bump image_tag to 24935ab4 (uvicorn now binds to port 8000 to match Service contract; was 8080 -> probe 404).
---
 .../modules/instagram-poster/main.tf | 9 +++++++++
 stacks/instagram-poster/terragrunt.hcl | 2 +-
 stacks/postiz/modules/postiz/main.tf | 14 +++++++++++++-
 3 files changed, 23 insertions(+), 2 deletions(-)
diff --git a/stacks/instagram-poster/modules/instagram-poster/main.tf b/stacks/instagram-poster/modules/instagram-poster/main.tf
index c4879bab..3f2f235f 100644
--- a/stacks/instagram-poster/modules/instagram-poster/main.tf
+++ b/stacks/instagram-poster/modules/instagram-poster/main.tf
@@ -152,6 +152,15 @@ resource "kubernetes_deployment" "instagram_poster" {
 name = "registry-credentials"
 }
+ # PVC mounts as root by default; pod runs as uid/gid 10001 (poster).
+ # fs_group makes kubelet chown the volume to gid 10001 on mount.
+ security_context {
+ fs_group = 10001
+ run_as_user = 10001
+ run_as_group = 10001
+ run_as_non_root = true
+ }
+
 container {
 name = "instagram-poster"
 image = local.image
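Review bot: The new pod-level `security_context` sets the uid/gid and `run_as_non_root` but leaves the rest of the pod hardening unset; adding `seccomp_profile { type = "RuntimeDefault" }` inside it would close part of that gap. Privilege escalation and capabilities are per-container settings, so the `container` block, which continues outside this hunk, would need its own `security_context { allow_privilege_escalation = false }` with `capabilities { drop = ["ALL"] }` unless it already has one. Since `fs_group` makes kubelet chown the volume on mount, `fs_group_change_policy = "OnRootMismatch"` would keep that from recursing over the whole PVC on every pod start.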
diff --git a/stacks/instagram-poster/terragrunt.hcl b/stacks/instagram-poster/terragrunt.hcl
index df54666f..b309c258 100644
--- a/stacks/instagram-poster/terragrunt.hcl
+++ b/stacks/instagram-poster/terragrunt.hcl
@@ -19,5 +19,5 @@ dependency "external-secrets" {
 inputs = {
 # Bump per deploy. Use 8-char git SHA — :latest causes stale pull-through cache.
- image_tag = "23f8b4ed"
+ image_tag = "24935ab4"
 }
diff --git a/stacks/postiz/modules/postiz/main.tf b/stacks/postiz/modules/postiz/main.tf
index 6da6db89..a33b39cf 100644
--- a/stacks/postiz/modules/postiz/main.tf
+++ b/stacks/postiz/modules/postiz/main.tf
@@ -102,7 +102,7 @@ resource "helm_release" "postiz" {
 timeout = 600
 repository = "oci://ghcr.io/gitroomhq/postiz-helmchart/charts"
- chart = "postiz"
+ chart = "postiz-app"
 version = var.chart_version
 values = [yamlencode({
@@ -184,8 +184,15 @@ resource "helm_release" "postiz" {
 # PG/Redis Services are ClusterIP and only routable from the postiz
 # namespace, so the credentials never leave the pod network. Promotion to
 # CNPG with Vault-rotated creds is the next step.
+ # Bitnami removed bitnami/postgresql + bitnami/redis from DockerHub
+ # (Broadcom acquisition, Aug 2025). Older tags moved to bitnamilegacy/*.
 postgresql = {
 enabled = true
+ image = {
+ registry = "docker.io"
+ repository = "bitnamilegacy/postgresql"
+ tag = "16.4.0-debian-12-r7"
+ }
 auth = {
 username = "postiz"
 database = "postiz"
@@ -194,6 +201,11 @@ resource "helm_release" "postiz" {
 redis = {
 enabled = true
+ image = {
+ registry = "docker.io"
+ repository = "bitnamilegacy/redis"
+ tag = "7.4.0-debian-12-r2"
+ }
 }
 })]
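Review bot: The `bitnamilegacy/postgresql` override in the `postgresql` block (and the matching `bitnamilegacy/redis` override in the last hunk) pins the database and cache to an archive namespace that, as far as Bitnami's announcement goes, gets no further rebuilds, so CVE fixes for these two images will not arrive by bumping the tag. Both are also referenced by mutable tag only; if the bundled subcharts expose `image.digest`, adding `digest = "sha256:<digest of the vetted image>"` next to `tag` would fix the content being pulled. I would extend the new comment to mark this as a stopgap, e.g. `# bitnamilegacy/* is frozen (no security rebuilds); temporary until the CNPG migration noted above.` The `helm_release` resource starts and ends outside these hunks.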