viktor/infra
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

postiz + instagram-poster: deploy fixes after first apply

Browse source 
- postiz: pin chart name to 'postiz-app' (was 'postiz', wrong path)
  and override bundled bitnami subchart images to bitnamilegacy/* —
  Bitnami removed bitnami/postgresql + bitnami/redis from DockerHub
  in Aug 2025 (Broadcom acquisition).
- postiz: enable initial registration (DISABLE_REGISTRATION=false)
  so first admin user can be created in UI; tighten after.
- instagram-poster: add securityContext (fsGroup/runAsUser=10001)
  so kubelet chowns the PVC mount for the non-root 'poster' user;
  was crashing on alembic with 'unable to open database file'.
- instagram-poster: bump image_tag to 24935ab4 (uvicorn now binds
  to port 8000 to match Service contract; was 8080 -> probe 404).
This commit is contained in:
Viktor Barzin 2026-05-09 00:47:14 +00:00
parent d5a01b6ad2
commit 71e3439650
No known key found for this signature in database
GPG key ID: 4056458DBDBF8863
3 changed files with 23 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

9
stacks/instagram-poster/modules/instagram-poster/main.tf
View file

@ -152,6 +152,15 @@ resource "kubernetes_deployment" "instagram_poster" {
name = "registry-credentials" name = "registry-credentials"
} }
# PVC mounts as root by default; pod runs as uid/gid 10001 (poster).
# fs_group makes kubelet chown the volume to gid 10001 on mount.
security_context {
fs_group = 10001
run_as_user = 10001
run_as_group = 10001
run_as_non_root = true
}
container { container {
name = "instagram-poster" name = "instagram-poster"
image = local.image image = local.image

2
stacks/instagram-poster/terragrunt.hcl
View file

@ -19,5 +19,5 @@ dependency "external-secrets" {
inputs = { inputs = {
# Bump per deploy. Use 8-char git SHA :latest causes stale pull-through cache. # Bump per deploy. Use 8-char git SHA :latest causes stale pull-through cache.
image_tag = "23f8b4ed" image_tag = "24935ab4"
} }

14
stacks/postiz/modules/postiz/main.tf
View file

@ -102,7 +102,7 @@ resource "helm_release" "postiz" {
timeout = 600 timeout = 600
repository = "oci://ghcr.io/gitroomhq/postiz-helmchart/charts" repository = "oci://ghcr.io/gitroomhq/postiz-helmchart/charts"
chart = "postiz" chart = "postiz-app"
version = var.chart_version version = var.chart_version
values = [yamlencode({ values = [yamlencode({
@ -184,8 +184,15 @@ resource "helm_release" "postiz" {
# PG/Redis Services are ClusterIP and only routable from the postiz # PG/Redis Services are ClusterIP and only routable from the postiz
# namespace, so the credentials never leave the pod network. Promotion to # namespace, so the credentials never leave the pod network. Promotion to
# CNPG with Vault-rotated creds is the next step. # CNPG with Vault-rotated creds is the next step.
# Bitnami removed bitnami/postgresql + bitnami/redis from DockerHub
# (Broadcom acquisition, Aug 2025). Older tags moved to bitnamilegacy/*.
postgresql = { postgresql = {
enabled = true enabled = true
image = {
registry = "docker.io"
repository = "bitnamilegacy/postgresql"
tag = "16.4.0-debian-12-r7"
}
auth = { auth = {
username = "postiz" username = "postiz"
database = "postiz" database = "postiz"
@ -194,6 +201,11 @@ resource "helm_release" "postiz" {
redis = { redis = {
enabled = true enabled = true
image = {
registry = "docker.io"
repository = "bitnamilegacy/redis"
tag = "7.4.0-debian-12-r2"
}
} }
})] })]