
chore(deps): update docker.io/library/postgres docker tag to v18#233

Closed
red-hat-konflux-kflux-prd-rh02[bot] wants to merge 1 commit into
mainfrom
konflux/mintmaker/main/docker.io-library-postgres-18.x

Conversation

@red-hat-konflux-kflux-prd-rh02

Contributor

This PR contains the following updates:

Package                       Update   Change
docker.io/library/postgres    major    14.2 -> 18.4

Warning

Some dependencies could not be looked up. Check the warning logs for more information.


Configuration

📅 Schedule: Branch creation - "on monday" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

To execute skipped test pipelines write comment /ok-to-test.


Documentation

Find out how to configure dependency updates in MintMaker documentation or see all available configuration options in Renovate documentation.

Signed-off-by: red-hat-konflux-kflux-prd-rh02 <190377777+red-hat-konflux-kflux-prd-rh02[bot]@users.noreply.github.com>
@openshift-ci openshift-ci Bot requested review from ciaranRoche and tirthct June 22, 2026 04:15
@openshift-ci

openshift-ci Bot commented Jun 22, 2026


[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign ciaranroche for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci

openshift-ci Bot commented Jun 22, 2026


Hi @red-hat-konflux-kflux-prd-rh02[bot]. Thanks for your PR.

I'm waiting for an openshift-hyperfleet member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@coderabbitai

coderabbitai Bot commented Jun 22, 2026

📝 Walkthrough

Summary by CodeRabbit

  • Chores
    • Updated the default PostgreSQL container image from version 14.2 to 18.4, bringing performance improvements, security updates, and new database features.

Walkthrough

The default PostgreSQL container image in charts/values.yaml is updated from docker.io/library/postgres:14.2 to docker.io/library/postgres:18.4. This is a single-line change to the database.postgresql image tag; no other values or configuration are modified.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes


Supply chain surface — verify before merge.

docker.io/library/postgres:18.4 is a mutable tag on Docker Hub (official library image). Confirm the following before this lands:

  • CVE exposure delta: postgres:14.2 carries known CVEs (e.g., CVE-2022-1552, CVE-2022-2625). Verify 18.4 resolves those and does not introduce new critical/high CVEs — run grype docker.io/library/postgres:18.4 or equivalent.
  • Tag pinning (CWE-829 — Inclusion of Functionality from Untrusted Control Sphere): Mutable tags allow silent image substitution on re-pull. Pin to a digest (postgres:18.4@sha256:<digest>) in production deployments to prevent supply chain drift.
  • Major version jump (14 → 18): PostgreSQL 15, 16, 17, and 18 each introduced breaking changes in authentication, extensions, and pg_hba.conf defaults (e.g., scram-sha-256 as default auth, removal of deprecated functions). Existing data volumes or init scripts targeting PG14 behavior may fail silently or break on first boot.
  • No digest or image signing attestation is referenced in this diff. For a K8s platform context, enforce image admission via policy (e.g., Kyverno/OPA) that rejects unverified digests — CWE-494 (Download of Code Without Integrity Check).
🚥 Pre-merge checks | ✅ 10 | ❌ 1

❌ Failed checks (1 warning)

Check name: No Privileged Containers
Status: ⚠️ Warning
Explanation: PostgreSQL container in postgresql.yaml lacks securityContext definition, allowing it to run with default elevated privileges (CWE-665). Official postgres image runs as root by default.
Resolution: Add securityContext to PostgreSQL container spec with runAsUser, allowPrivilegeEscalation: false, readOnlyRootFilesystem: true, and drop ALL capabilities.
✅ Passed checks (10 passed)
Check name Status Explanation
Title check ✅ Passed The title accurately describes the main change: updating PostgreSQL docker image to v18, which directly corresponds to the version bump from 14.2 to 18.4.
Description check ✅ Passed The description is related to the changeset, providing dependency update details with version information for the PostgreSQL image upgrade.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Sec-02: Secrets In Log Output ✅ Passed No log statements leak secrets. Headers masked via MaskingMiddleware, connection strings redacted with redactPassword(), no unmasked credentials/tokens/passwords in log calls.
No Hardcoded Secrets ✅ Passed The hardcoded value hyperfleet-dev-password in charts/values.yaml (line 324) is a development-only placeholder explicitly marked with (development only) comment. Documentation directs product...
No Weak Cryptography ✅ Passed PR changes only a container image version in charts/values.yaml; no cryptographic code, banned primitives, or timing-sensitive comparisons were added or modified.
No Injection Vectors ✅ Passed PR contains only a static Helm values.yaml update: postgres image 14.2→18.4. No injection vectors found: no SQL concatenation (CWE-89), exec calls with user input (CWE-78), unsafe template.HTML (CW...
No Pii Or Sensitive Data In Logs ✅ Passed PR only changes PostgreSQL image version in charts/values.yaml; no logging statements added that could expose PII or sensitive data.


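A container spec that meets the resolution the "No Privileged Containers" check asks for, given here as an added example for this page and not taken from the hyperfleet-api chart's own templates. The securityContext fields are the ones the check names; the uid 999 (the postgres user in the Debian-based official image), the secret name, the volume names and the PGDATA subdirectory are assumptions to verify against whichever image is actually pinned.

```yaml
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: postgresql
spec:
  serviceName: postgresql
  replicas: 1
  selector:
    matchLabels:
      app: postgresql
  template:
    metadata:
      labels:
        app: postgresql
    spec:
      # Pod level: start as the image's unprivileged postgres user instead of
      # root, and give that user group ownership of the data volume.
      securityContext:
        runAsNonRoot: true
        runAsUser: 999     # assumption: uid of "postgres" in the Debian-based official image
        runAsGroup: 999
        fsGroup: 999
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: postgresql
          # Same major as the existing data volumes; append @sha256:<digest>
          # once the digest for this tag has been resolved.
          image: docker.io/library/postgres:14.23
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop: ["ALL"]
          env:
            # Keep the cluster below the mount root so a lost+found directory
            # created by the storage class does not make initdb refuse to run.
            - name: PGDATA
              value: /var/lib/postgresql/data/pgdata
            - name: POSTGRES_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: postgresql-credentials   # assumption: secret name
                  key: password
          ports:
            - containerPort: 5432
              name: postgresql
          volumeMounts:
            - name: data
              mountPath: /var/lib/postgresql/data
            # A read-only root filesystem still needs writable paths for the
            # server's unix socket and lock file, and for temporary files.
            - name: run
              mountPath: /var/run/postgresql
            - name: tmp
              mountPath: /tmp
      volumes:
        - name: run
          emptyDir: {}
        - name: tmp
          emptyDir: {}
  volumeClaimTemplates:
    - metadata:
        name: data
      spec:
        accessModes: ["ReadWriteOnce"]
        resources:
          requests:
            storage: 10Gi
```

Two caveats the check does not state. The official image's entrypoint only chowns the data directory and drops to the postgres user when it is started as root; started directly as uid 999 it skips that step and relies on fsGroup having made the volume writable, which is why the emptyDir mounts for /var/run/postgresql and /tmp are needed once the root filesystem is read-only. On OpenShift the restricted SCC assigns the uid from the project's range and rejects a fixed runAsUser outside it; the upstream image expects its uid to resolve to a passwd entry, so there either an image built for arbitrary uids or an SCC that allows 999 is needed.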

@coderabbitai coderabbitai Bot left a comment



Actionable comments posted: 2


ℹ️ Review info
⚙️ Run configuration

Configuration used: Central YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 36f839fb-41ca-430e-994e-875a5a825c43

📥 Commits

Reviewing files that changed from the base of the PR and between 24ec42b and 9c3244f.

📒 Files selected for processing (1)
  • charts/values.yaml
🔗 Linked repositories identified

CodeRabbit considers these linked repositories for cross-repo context during reviews:

  • openshift-hyperfleet/architecture (manual)
  • openshift-hyperfleet/hyperfleet-api (manual)
  • openshift-hyperfleet/hyperfleet-sentinel (manual)
  • openshift-hyperfleet/hyperfleet-adapter (manual)
  • openshift-hyperfleet/hyperfleet-broker (manual)

Comment thread charts/values.yaml
enabled: true
# -- PostgreSQL container image
image: docker.io/library/postgres:14.2
image: docker.io/library/postgres:18.4
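Review bot: the data directory on any existing volume was initialised by postgres 14.2, and the 18.4 server this line switches to cannot open it; PostgreSQL data directories are not forward-compatible across major versions, so a StatefulSet restarted on this image fails at startup instead of upgrading. A values change alone cannot carry the pg_upgrade or dump/restore step a 14 to 18 move needs, so this should either stay on the 14.x line (for example `image: docker.io/library/postgres:14.23`) or ship together with a documented migration. Either way the reference should also be pinned, `docker.io/library/postgres:14.23@sha256:<digest>`, so a re-pull cannot substitute a different image behind the same mutable tag.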


⚠️ Potential issue | 🔴 Critical | 🏗️ Heavy lift

PostgreSQL 14→18 upgrade requires data migration; existing deployments will fail.

This jumps four major versions. PostgreSQL data directories are NOT forward-compatible across major versions. Existing StatefulSets that restart with this image will crash with binary incompatibility errors (CWE-665: Improper Initialization). Production impact: data inaccessible, service down.

Required before merge:

  • Add migration instructions to NOTES.txt or values.yaml comments
  • Consider gating this behind a new flag (e.g., postgresql.version) with validation
  • Document pg_upgrade or dump/restore steps for existing installations
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@charts/values.yaml` at line 318, The PostgreSQL image version jump from 14 to
18.4 in the values.yaml file will break existing deployments due to data
directory incompatibility across major versions. Add a new configuration
parameter (such as postgresql.version or postgresql.majorVersion) to the
values.yaml file to gate this change, include a deprecation warning or migration
flag in the default values, and add comprehensive migration instructions in the
NOTES.txt file that document the required pg_upgrade or dump/restore steps for
users with existing PostgreSQL installations. Ensure the values.yaml comments
clearly warn about the breaking change and provide links to upgrade
documentation.

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify chart version was bumped and docs are consistent

echo "=== Chart.yaml version ==="
cat charts/Chart.yaml | grep -E '^version:'

echo -e "\n=== README.md postgres image references ==="
rg -n 'postgres:14\.2|postgres:18\.4' charts/README.md

echo -e "\n=== NOTES.txt upgrade warnings ==="
if [ -f charts/templates/NOTES.txt ]; then
  rg -n -i 'upgrade|migration|postgres.*14|postgres.*18' charts/templates/NOTES.txt || echo "No upgrade warnings found"
else
  echo "NOTES.txt does not exist"
fi

echo -e "\n=== values.yaml comment warnings ==="
rg -n -B2 -A2 'postgres:18\.4' charts/values.yaml

Repository: openshift-hyperfleet/hyperfleet-api

Length of output: 1558


🏁 Script executed:

#!/bin/bash

echo "=== Git diff for Chart.yaml version ==="
git diff HEAD~1 charts/Chart.yaml | grep -E '^\+version:|^-version:' || echo "No version change detected in diff"

echo -e "\n=== Full NOTES.txt content ==="
if [ -f charts/templates/NOTES.txt ]; then
  cat -n charts/templates/NOTES.txt
else
  echo "NOTES.txt not found"
fi

echo -e "\n=== Full values.yaml postgresql section ==="
sed -n '310,330p' charts/values.yaml

Repository: openshift-hyperfleet/hyperfleet-api

Length of output: 2980


Chart.yaml version not bumped despite breaking PostgreSQL upgrade path; README.md stale; missing migration guidance in NOTES.txt.

PostgreSQL 14 → 18 is a breaking change requiring data migration. This PR introduces that incompatibility without:

  1. Incrementing Chart.yaml version (currently 1.1.0, no change detected)
  2. Updating README.md (lines 142, 146, 148 still reference postgres:14.2)
  3. Adding migration warnings to NOTES.txt (no upgrade/migration guidance present)

Users upgrading will face silent database failures without a documented migration path.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@charts/values.yaml` at line 318, Bump the Chart.yaml version to indicate a
breaking change from the PostgreSQL upgrade (PostgreSQL 14 to 18 is a major
version change). Update all references to postgres:14.2 in README.md (lines 142,
146, 148) to reflect the new postgres:18.4 image. Add migration guidance to
NOTES.txt that clearly warns users about the breaking PostgreSQL upgrade and
provides steps for safe data migration during the upgrade process.

@ciaranRoche

Contributor

Closing — this bumps PostgreSQL from 14.2 to 18.4, which is a 4 major version jump. PostgreSQL data directories are not forward-compatible across major versions — existing StatefulSets would crash on restart with binary incompatibility errors.

The safe patch-level update (14.2 → 14.23, same major version) is included in #237 (HYPERFLEET-1264) instead.
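A pre-merge check that would have caught both points raised in this thread, the unpinned mutable tag from the supply-chain notes and the four-major-version jump behind the closing comment, written as an added example for this page and not part of hyperfleet-api, MintMaker or CodeRabbit. It parses the `image:` keys of two versions of a values file, reports every reference that carries no digest, and reports a change of major version for a stateful workload, following PostgreSQL's own numbering in which 14.2 to 14.23 is a minor release on the same on-disk format and 18.4 is not. The values snippets, the sha256 value and all function names are this example's own constructions.

```python
"""Added example (not from hyperfleet-api, MintMaker or CodeRabbit): a pre-merge
lint for container image bumps in a Helm values file."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# `image:` keys whose value is a single reference string (quoted or not).
IMAGE_KEY = re.compile(r'^\s*image:\s*["\']?(?P<ref>[^"\'\s#]+)')
DIGEST = re.compile(r"^sha256:(?P<hex>[0-9a-f]{64})$")


@dataclass(frozen=True)
class ImageRef:
    name: str              # registry/repository, e.g. docker.io/library/postgres
    tag: Optional[str]     # mutable label, e.g. 14.2
    digest: Optional[str]  # immutable content hash (hex) or None when unpinned


def parse_ref(ref: str) -> ImageRef:
    """Split registry/repo[:tag][@sha256:hex]. The tag separator is the first
    colon after the last slash, so a registry with a port (host:5000/repo)
    is not mistaken for a tag."""
    name_tag, _, digest_part = ref.partition("@")
    digest = None
    if digest_part:
        m = DIGEST.match(digest_part)
        if m is None:
            raise ValueError(f"malformed digest in {ref!r}")
        digest = m.group("hex")
    colon = name_tag.find(":", name_tag.rfind("/") + 1)
    if colon == -1:
        return ImageRef(name_tag, None, digest)
    return ImageRef(name_tag[:colon], name_tag[colon + 1:], digest)


def major_version(tag: Optional[str]) -> Optional[int]:
    """Leading numeric component of a tag. PostgreSQL >= 10 numbers releases
    MAJOR.MINOR: 14.2 and 14.23 share an on-disk format, 18.4 does not."""
    m = re.match(r"^v?(\d+)", tag or "")
    return int(m.group(1)) if m else None


def find_images(values_text: str) -> Dict[str, ImageRef]:
    """Parsed reference for every image line, keyed by repository name."""
    refs: Dict[str, ImageRef] = {}
    for line in values_text.splitlines():
        m = IMAGE_KEY.match(line)
        if m:
            ref = parse_ref(m.group("ref"))
            refs[ref.name] = ref
    return refs


def lint_bump(old: ImageRef, new: ImageRef, stateful: bool) -> List[str]:
    """Findings for one image going from `old` to `new`."""
    findings = []
    if new.digest is None:
        findings.append(f"{new.name}:{new.tag}: not pinned to a digest; a re-pull "
                        "can substitute a different image behind the same tag")
    old_major, new_major = major_version(old.tag), major_version(new.tag)
    if stateful and None not in (old_major, new_major) and old_major != new_major:
        findings.append(f"{new.name}: major version {old_major} -> {new_major}; "
                        "existing data volumes need pg_upgrade or dump/restore "
                        "before the new server can open them")
    return findings


def lint_values_change(old_text: str, new_text: str,
                       stateful: bool = True) -> Dict[str, List[str]]:
    """Lint every image in the proposed file against the current one. An image
    not present before is only checked for digest pinning."""
    old_refs, new_refs = find_images(old_text), find_images(new_text)
    report: Dict[str, List[str]] = {}
    for name, new in new_refs.items():
        findings = lint_bump(old_refs.get(name, new), new, stateful)
        if findings:
            report[name] = findings
    return report


# Constructed values snippets mirroring the one-line diff in this PR.
OLD_VALUES = """\
database:
  postgresql:
    enabled: true
    # -- PostgreSQL container image
    image: docker.io/library/postgres:14.2
"""
PROPOSED = OLD_VALUES.replace("postgres:14.2", "postgres:18.4")
# Same major, pinned to a digest; the hex value is a placeholder, not a real digest.
PINNED = OLD_VALUES.replace("postgres:14.2", "postgres:14.23@sha256:" + "ab" * 32)

if __name__ == "__main__":
    for label, proposed in (("PR #233", PROPOSED), ("pinned 14.23", PINNED)):
        print(label, lint_values_change(OLD_VALUES, proposed) or "clean")
```

Run in CI with the base and head copies of charts/values.yaml as the two inputs; the digest to pin is the one `skopeo inspect docker://docker.io/library/postgres:14.23` reports for the tag at the time of the change, after which the lint is silent until the next bump.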
