Merge pull request #1 from piewared/feature/MAKE_TEMPORAL_OPTIONAL

Feature/make temporal optional

Author: piewared

.copier-answers.yml.jinja

@@ -12,4 +12,5 @@ project_slug: {{ project_slug }}
 python_version: '{{ python_version }}'
 use_postgres: {{ use_postgres }}
 use_redis: {{ use_redis }}
+use_temporal: {{ use_temporal }}
 version: {{ version }}

copier.yml

@@ -125,6 +125,11 @@ use_redis:
   help: "Include Redis for caching and sessions?"
   default: yes
 
+use_temporal:
+  type: bool
+  help: "Include Temporal for workflow orchestration?"
+  default: yes
+
 use_postgres:
   type: bool
   help: "Use PostgreSQL instead of SQLite?"

infra/docker/prod/postgres/admin-scripts/sync-passwords.sh

@@ -56,13 +56,18 @@ read_secret_value() {
 # Ensure required env vars exist (populated via docker-compose)
 require_env APP_DB_USER
 require_env APP_DB_RO_USER
-require_env TEMPORAL_DB_USER
+# TEMPORAL_DB_USER is optional - only required if Temporal is enabled
 
 APP_USER_PASSWORD=$(read_secret_value POSTGRES_APP_USER_PW postgres_app_user_pw)
 APP_RO_PASSWORD=$(read_secret_value POSTGRES_APP_RO_PW postgres_app_ro_pw)
-TEMPORAL_PASSWORD=$(read_secret_value POSTGRES_TEMPORAL_PW postgres_temporal_pw)
 SUPERUSER_PASSWORD=$(read_secret_value POSTGRES_PASSWORD postgres_password)
 
+# Temporal password is optional
+TEMPORAL_PASSWORD=""
+if [ -n "${TEMPORAL_DB_USER:-}" ]; then
+    TEMPORAL_PASSWORD=$(read_secret_value POSTGRES_TEMPORAL_PW postgres_temporal_pw)
+fi
+
 log "Synchronizing Postgres role passwords with secrets..."
 
 PSQL_CMD=(psql -h 127.0.0.1 -U postgres -v ON_ERROR_STOP=1)
@@ -87,14 +92,13 @@ else
     fi
 fi
 
+# Sync App and superuser passwords (always required)
 "${PSQL_CMD[@]}" \
   -d postgres \
   -v APP_USER="${APP_DB_USER}" \
   -v APP_RO_USER="${APP_DB_RO_USER}" \
-  -v TEMPORAL_USER="${TEMPORAL_DB_USER}" \
   -v APP_USER_PASSWORD="${APP_USER_PASSWORD}" \
   -v APP_RO_USER_PASSWORD="${APP_RO_PASSWORD}" \
-  -v TEMPORAL_USER_PASSWORD="${TEMPORAL_PASSWORD}" \
   -v SUPERUSER_PASSWORD="${SUPERUSER_PASSWORD}" <<'SQL'
 \set ON_ERROR_STOP on
 
@@ -109,10 +113,23 @@ WHERE EXISTS (SELECT 1 FROM pg_roles WHERE rolname = :'APP_USER')
 SELECT format('ALTER ROLE %I WITH PASSWORD %L', :'APP_RO_USER', :'APP_RO_USER_PASSWORD')
 WHERE EXISTS (SELECT 1 FROM pg_roles WHERE rolname = :'APP_RO_USER')
 \gexec
+SQL
+
+# Sync Temporal password only if Temporal is enabled
+if [ -n "${TEMPORAL_DB_USER:-}" ] && [ -n "${TEMPORAL_PASSWORD:-}" ]; then
+    log "Syncing Temporal user password..."
+    "${PSQL_CMD[@]}" \
+      -d postgres \
+      -v TEMPORAL_USER="${TEMPORAL_DB_USER}" \
+      -v TEMPORAL_USER_PASSWORD="${TEMPORAL_PASSWORD}" <<'SQL'
+\set ON_ERROR_STOP on
 
 SELECT format('ALTER ROLE %I WITH PASSWORD %L', :'TEMPORAL_USER', :'TEMPORAL_USER_PASSWORD')
 WHERE EXISTS (SELECT 1 FROM pg_roles WHERE rolname = :'TEMPORAL_USER')
 \gexec
 SQL
+else
+    log "Temporal disabled, skipping Temporal password sync"
+fi
 
 log "Password synchronization complete."

infra/docker/prod/postgres/init-scripts/01-init-app.sh

@@ -1,26 +1,28 @@
 #!/bin/sh
 set -eu
 
-# Required env (provided by your entrypoint/compose)
+# =============================================================================
+# PostgreSQL Initialization Script
+# =============================================================================
+# This script initializes:
+#   1. Application database (always) - roles, schema, and permissions
+#   2. Temporal databases (optional) - only if TEMPORAL_DB_USER is set
+# =============================================================================
+
+# Required env for App DB (provided by your entrypoint/compose)
 : "${APP_DB:?missing APP_DB}"
-: "${APP_DB_OWNER:?missing APP_DB_OWNER}"   # NOLOGIN owner (app)
+: "${APP_DB_OWNER:?missing APP_DB_OWNER}"             # NOLOGIN owner (app)
 : "${APP_DB_USER:?missing APP_DB_USER}"               # app_user (LOGIN)
-: "${APP_DB_RO_USER:?missing APP_DB_RO_USER}"         # app_ro  (LOGIN)
-: "${TEMPORAL_DB_USER:?missing TEMPORAL_DB_USER}"               # e.g., temporal_user
-: "${POSTGRES_APP_USER_PW:?missing POSTGRES_APP_USER_PW}"       # password for app user
-: "${POSTGRES_APP_RO_PW:?missing POSTGRES_APP_RO_PW}"           # password for read-only user
-: "${POSTGRES_TEMPORAL_PW:?missing POSTGRES_TEMPORAL_PW}"
-
-# Optional override for Temporal owner (NOLOGIN). Default: "<temporal_user>_owner"
-TEMPORAL_DB_OWNER="${TEMPORAL_DB_OWNER:-${TEMPORAL_DB_USER}_owner}"
-
-# Database names (override if you like)
-TEMPORAL_DB="${TEMPORAL_DB:-temporal}"
-TEMPORAL_VIS_DB="${TEMPORAL_VIS_DB:-temporal_visibility}"
+: "${APP_DB_RO_USER:?missing APP_DB_RO_USER}"         # app_ro (LOGIN)
+: "${POSTGRES_APP_USER_PW:?missing POSTGRES_APP_USER_PW}"   # password for app user
+: "${POSTGRES_APP_RO_PW:?missing POSTGRES_APP_RO_PW}"       # password for read-only user
 
 APP_SCHEMA="${APP_SCHEMA:-app}"
 
-echo "==> Initializing roles/db for ${APP_DB} and Temporal"
+# =============================================================================
+# App Database Initialization
+# =============================================================================
+echo "==> Initializing roles/db for ${APP_DB}"
 
 psql -v ON_ERROR_STOP=1 \
   -v APP_DB="${APP_DB}" \
@@ -29,11 +31,6 @@ psql -v ON_ERROR_STOP=1 \
   -v APP_RO_USER="${APP_DB_RO_USER}" \
   -v APP_USER_PASSWORD="${POSTGRES_APP_USER_PW}" \
   -v APP_RO_USER_PASSWORD="${POSTGRES_APP_RO_PW}" \
-  -v TEMPORAL_OWNER_USER="${TEMPORAL_DB_OWNER}" \
-  -v TEMPORAL_USER="${TEMPORAL_DB_USER}" \
-  -v TEMPORAL_USER_PASSWORD="${POSTGRES_TEMPORAL_PW}" \
-  -v TEMPORAL_DB="${TEMPORAL_DB}" \
-  -v TEMPORAL_VIS_DB="${TEMPORAL_VIS_DB}" \
   -v APP_SCHEMA="${APP_SCHEMA}" <<'PSQL'
 \set ON_ERROR_STOP on
 
@@ -112,7 +109,32 @@ SELECT format(
 )\gexec
 
 \echo === App DB/roles initialized (3-role pattern) ===
+PSQL
+
+echo "==> App database initialization completed"
+
+# =============================================================================
+# Temporal Database Initialization (Optional)
+# =============================================================================
+# Only run if TEMPORAL_DB_USER is set (indicates Temporal is enabled)
 
+if [ -n "${TEMPORAL_DB_USER:-}" ] && [ -n "${POSTGRES_TEMPORAL_PW:-}" ]; then
+  echo "==> Temporal enabled, initializing Temporal roles/databases"
+
+  # Optional override for Temporal owner (NOLOGIN). Default: "<temporal_user>_owner"
+  TEMPORAL_DB_OWNER="${TEMPORAL_DB_OWNER:-${TEMPORAL_DB_USER}_owner}"
+
+  # Database names (override if you like)
+  TEMPORAL_DB="${TEMPORAL_DB:-temporal}"
+  TEMPORAL_VIS_DB="${TEMPORAL_VIS_DB:-temporal_visibility}"
+
+  psql -v ON_ERROR_STOP=1 \
+    -v TEMPORAL_OWNER_USER="${TEMPORAL_DB_OWNER}" \
+    -v TEMPORAL_USER="${TEMPORAL_DB_USER}" \
+    -v TEMPORAL_USER_PASSWORD="${POSTGRES_TEMPORAL_PW}" \
+    -v TEMPORAL_DB="${TEMPORAL_DB}" \
+    -v TEMPORAL_VIS_DB="${TEMPORAL_VIS_DB}" <<'PSQL'
+\set ON_ERROR_STOP on
 
 \echo === Creating Temporal roles and databases ===
 
@@ -204,4 +226,9 @@ SELECT format(
 
 PSQL
 
+  echo "==> Temporal database initialization completed"
+else
+  echo "==> Temporal disabled (TEMPORAL_DB_USER not set), skipping Temporal database setup"
+fi
+
 echo "==> Init completed"

infra/docker/prod/postgres/verify-init.sh

@@ -6,11 +6,14 @@ APP_DB="${APP_DB:-${APP_DB:-appdb}}"
 APP_USER="${APP_DB_USER:-${APP_DB_USER:-appuser}}"
 APP_RO="${APP_DB_RO_USER:-${APP_DB_RO_USER:-appreadonly}}"
 APP_OWNER="${APP_DB_OWNER:-${APP_DB_OWNER:-owner}}"
-TEMPORAL_DB="${TEMPORAL_DB:-${TEMPORAL_DB:-temporal}}"
-TEMPORAL_DB_USER="${TEMPORAL_DB_USER:-${TEMPORAL_DB_USER:-temporaluser}}"
-TEMPORAL_DB_OWNER="${TEMPORAL_DB_OWNER:-${TEMPORAL_DB_USER}_owner}"
 APP_SCHEMA="${APP_SCHEMA:-app}"
 
+# Temporal variables - only set if TEMPORAL_DB_USER is provided (no defaults)
+# When Temporal is disabled, these should be empty/unset
+TEMPORAL_DB="${TEMPORAL_DB:-}"
+TEMPORAL_DB_USER="${TEMPORAL_DB_USER:-}"
+TEMPORAL_DB_OWNER="${TEMPORAL_DB_OWNER:-${TEMPORAL_DB_USER:+${TEMPORAL_DB_USER}_owner}}"
+
 # Comma-separated list of subnets that SHOULD be allowed via hostssl
 # e.g. "172.30.50.0/24,10.10.0.0/16"
 ALLOWED_SUBNETS="${ALLOWED_SUBNETS:-172.30.50.0/24}"
@@ -31,7 +34,11 @@ warn(){ printf "⚠️  %s\n" "$*"; }
 
 echo "== Verifying Postgres (host: postgres) =="
 echo "   DB=$APP_DB  OWNER=$APP_OWNER  USER=$APP_USER  RO=$APP_RO  SCHEMA=$APP_SCHEMA"
-echo "   Temporal DB=$TEMPORAL_DB  USER=$TEMPORAL_DB_USER  OWNER=$TEMPORAL_DB_OWNER"
+if [ -n "${TEMPORAL_DB_USER:-}" ]; then
+  echo "   Temporal DB=$TEMPORAL_DB  USER=$TEMPORAL_DB_USER  OWNER=$TEMPORAL_DB_OWNER"
+else
+  echo "   Temporal: disabled"
+fi
 echo
 
 # --- Core: roles / db / schema / grants ---------------------------------------
@@ -53,20 +60,23 @@ echo
   || bad "Role ${APP_OWNER} should be NOLOGIN"
 ok "App DB role login attributes look correct (${APP_USER}/${APP_RO} LOGIN, ${APP_OWNER} NOLOGIN)"
 
-# Temporal DB roles exist?
+# Temporal DB roles exist? (only check if Temporal is enabled)
+if [ -n "${TEMPORAL_DB_USER:-}" ]; then
+  [ "$($PSQL -c "SELECT COUNT(*) FROM pg_roles WHERE rolname='${TEMPORAL_DB_USER}';")" = "1" ] \
+    || bad "Role ${TEMPORAL_DB_USER} does not exist"
+  [ "$($PSQL -c "SELECT COUNT(*) FROM pg_roles WHERE rolname='${TEMPORAL_DB_OWNER}';")" = "1" ] \
+    || bad "Role ${TEMPORAL_DB_OWNER} does not exist"
 
-[ "$($PSQL -c "SELECT COUNT(*) FROM pg_roles WHERE rolname='${TEMPORAL_DB_USER}';")" = "1" ] \
-  || bad "Role ${TEMPORAL_DB_USER} does not exist"
-[ "$($PSQL -c "SELECT COUNT(*) FROM pg_roles WHERE rolname='${TEMPORAL_DB_OWNER}';")" = "1" ] \
-  || bad "Role ${TEMPORAL_DB_OWNER} does not exist"
+  # LOGIN/NOLOGIN checks
+  [ "$($PSQL -c "SELECT rolcanlogin FROM pg_roles WHERE rolname='${TEMPORAL_DB_USER}';")" = "t" ] \
+    || bad "Role ${TEMPORAL_DB_USER} missing LOGIN"
+  [ "$($PSQL -c "SELECT rolcanlogin FROM pg_roles WHERE rolname='${TEMPORAL_DB_OWNER}';")" = "f" ] \
+    || bad "Role ${TEMPORAL_DB_OWNER} should be NOLOGIN"
 
-# LOGIN/NOLOGIN checks
-[ "$($PSQL -c "SELECT rolcanlogin FROM pg_roles WHERE rolname='${TEMPORAL_DB_USER}';")" = "t" ] \
-  || bad "Role ${TEMPORAL_DB_USER} missing LOGIN"
-[ "$($PSQL -c "SELECT rolcanlogin FROM pg_roles WHERE rolname='${TEMPORAL_DB_OWNER}';")" = "f" ] \
-  || bad "Role ${TEMPORAL_DB_OWNER} should be NOLOGIN"
-
-ok "Temporal DB role login attributes look correct (${TEMPORAL_DB_USER} LOGIN, ${TEMPORAL_DB_OWNER} NOLOGIN)"
+  ok "Temporal DB role login attributes look correct (${TEMPORAL_DB_USER} LOGIN, ${TEMPORAL_DB_OWNER} NOLOGIN)"
+else
+  ok "Temporal disabled, skipping Temporal role checks"
+fi
 
 # Database ownership
 OWNER="$($PSQL -c "SELECT pg_get_userbyid(datdba) FROM pg_database WHERE datname='${APP_DB}';")"

infra/helm/api-forge/templates/deployments/postgres.yaml

@@ -31,7 +31,7 @@ spec:
           type: RuntimeDefault
       containers:
         - name: postgres
-          image: {{ .Values.postgres.image | default "app_data_postgres_image:latest" }}
+          image: {{ .Values.postgres.image.repository }}:{{ .Values.postgres.image.tag | default "latest" }}
           imagePullPolicy: {{ .Values.global.imagePullPolicy | default "IfNotPresent" }}
           command: ["/opt/entry/start-scripts/universal-entrypoint.sh"]
           args: ["/bin/sh", "-lc", "/opt/entry/start-scripts/pg-start.sh"]

infra/helm/api-forge/templates/deployments/redis.yaml

@@ -30,7 +30,7 @@ spec:
           type: RuntimeDefault
       containers:
         - name: redis
-          image: {{ .Values.redis.image | default "app_data_redis_image:latest" }}
+          image: {{ .Values.redis.image.repository }}:{{ .Values.redis.image.tag | default "latest" }}
           imagePullPolicy: {{ .Values.global.imagePullPolicy | default "IfNotPresent" }}
           env:
             - name: TZ

infra/helm/api-forge/templates/deployments/temporal.yaml

@@ -31,7 +31,7 @@ spec:
           type: RuntimeDefault
       containers:
         - name: temporal
-          image: {{ .Values.temporal.image | default "my-temporal-server:latest" }}
+          image: {{ .Values.temporal.image.repository }}:{{ .Values.temporal.image.tag | default "latest" }}
           imagePullPolicy: {{ .Values.global.imagePullPolicy | default "IfNotPresent" }}
           command: ["/universal-entrypoint.sh"]
           args: ["/opt/entry/scripts/entrypoint.sh"]

infra/helm/api-forge/templates/jobs/postgres-verifier.yaml

@@ -8,6 +8,11 @@ metadata:
     app.kubernetes.io/name: postgres-verifier
     app.kubernetes.io/component: database-verification
     app.kubernetes.io/part-of: api-forge
+  annotations:
+    # Run on install and upgrade, delete previous job before creating new one
+    "helm.sh/hook": post-install,post-upgrade
+    "helm.sh/hook-weight": "10"
+    "helm.sh/hook-delete-policy": before-hook-creation
 spec:
   # Keep successful job for 30 minutes for debugging
   ttlSecondsAfterFinished: 1800

infra/helm/api-forge/templates/jobs/temporal-namespace-init.yaml

@@ -8,6 +8,12 @@ metadata:
     app.kubernetes.io/name: temporal-namespace-init
     app.kubernetes.io/component: workflow-engine-init
     app.kubernetes.io/part-of: api-forge
+  annotations:
+    # Run on install and upgrade, delete previous job before creating new one
+    # Weight 15 ensures this runs after schema-setup (weight 5) and verifier (weight 10)
+    "helm.sh/hook": post-install,post-upgrade
+    "helm.sh/hook-weight": "15"
+    "helm.sh/hook-delete-policy": before-hook-creation
 spec:
   # Keep successful job for 30 minutes for debugging
   ttlSecondsAfterFinished: 1800