All checks were successful
ci/woodpecker/push/default Pipeline was successful
postiz's live deployment (Helm + Temporal + Elasticsearch + Authentik OIDC + static-DB password) came from the never-merged branch `wizard/postiz-cnpg-oidc`, so master's HCL was stale and a `terragrunt apply` would have DESTROYED the stack. This lands that postiz config to master so HCL == state == live (CI green; destroy-landmine gone).

Kept PARKED (postiz + temporal replicas = 0): IG-via-postiz is Meta-blocked (it hardcodes retired Instagram scopes → OAuth "Invalid Scopes"), which is why it was parked; IG runs via the instagram-poster service. To revive later: flip postiz `replicaCount` + temporal `replicas` back to 1 and re-check image pins.

Notes captured in this reconcile:
- ES image pinned to 7.17.28 (the branch's 7.17.24 was a DOWNGRADE vs the live data → ES refused to start "cannot downgrade node 7.17.28→7.17.24"; caught + rolled back during this work).
- The 4 Authentik resources (app/provider/group/binding) were re-imported into state (adopted, not recreated — no duplicate AK objects); the obsolete `external_secret_jwt` ExternalSecret was removed (Retain → its synced secret was kept).
- Vault-side cleanup (removing the unused pg-postiz rotated role) is deliberately NOT included here — deferred, postiz uses a static secret/postiz database_url.

State was already reconciled by a local `scripts/tg apply`; this commit is the HCL catch-up (CI re-apply is a no-op).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
46 lines
1.1 KiB
HCL
```hcl
variable "tls_secret_name" {
  type        = string
  sensitive   = true
  description = "Name of the wildcard TLS Secret to copy into the postiz namespace."
}

variable "tier" {
  type        = string
  description = "Workload tier label applied to the namespace (e.g. 4-aux)."
}

variable "namespace" {
  type        = string
  default     = "postiz"
  description = "Kubernetes namespace for Postiz."
}

variable "host" {
  type        = string
  default     = "postiz"
  description = "Ingress hostname label (joined with root_domain by ingress_factory)."
}

variable "image_tag" {
  type        = string
  default     = "v2.21.7"
  description = "Postiz container image tag."
}

variable "chart_version" {
  type        = string
  default     = "1.0.5"
  description = "Postiz Helm chart version (OCI ghcr.io/gitroomhq/postiz-helmchart)."
}

variable "storage_size" {
  type        = string
  default     = "20Gi"
  description = "Persistent volume size for /uploads."
}

variable "oauth_client_secret" {
  type        = string
  sensitive   = true
  description = "Authentik OIDC client secret for Postiz generic OAuth (from authentik_provider_oauth2.postiz)."
}
```
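A guard for the failure mode the commit message describes (stale HCL where an apply would destroy live resources), as an added example that is not part of this repository. It assumes the plan has been rendered with `terraform show -json`; the resource addresses in the sample and the function names are constructed for illustration.

```python
"""Added example: block an apply when the plan would delete live objects."""
import json
import sys

# Constructed sample in the shape of `terraform show -json <planfile>` output.
# The addresses are hypothetical and not taken from the postiz stack.
SAMPLE_PLAN = json.dumps({
    "format_version": "1.2",
    "resource_changes": [
        {"address": "helm_release.example_app", "change": {"actions": ["delete"]}},
        {"address": "kubernetes_namespace.example", "change": {"actions": ["no-op"]}},
        {"address": "kubernetes_secret.tls", "change": {"actions": ["delete", "create"]}},
        {"address": "authentik_application.example", "change": {"actions": ["update"]}},
    ],
})


def destructive_changes(plan_json, allow=()):
    """Return (address, kind) for each change whose actions include "delete".

    kind is "destroy" for a plain delete and "replace" when the resource is
    deleted and re-created (either order). Addresses in `allow` are skipped.
    """
    plan = json.loads(plan_json)
    found = []
    for rc in plan.get("resource_changes", []):
        actions = rc.get("change", {}).get("actions", [])
        if "delete" not in actions or rc.get("address") in allow:
            continue
        kind = "replace" if "create" in actions else "destroy"
        found.append((rc.get("address"), kind))
    return found


def gate(plan_json, allow=()):
    """CI exit status: 0 when nothing would be deleted, 1 otherwise."""
    hits = destructive_changes(plan_json, allow)
    for address, kind in hits:
        print(f"BLOCKED {kind}: {address}")
    return 1 if hits else 0


if __name__ == "__main__":
    # With a path argument, check that plan JSON; otherwise use the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PLAN
    sys.exit(gate(text))
```

Intentional deletions are passed through `allow` by exact resource address, so every destroy that reaches apply has been named explicitly.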