From 47d1f1ec39cf318477e3cad0fa5aaaba599d66ae Mon Sep 17 00:00:00 2001
From: Sten
Date: Thu, 28 May 2026 16:13:08 +0200
Subject: [PATCH] fix(infra): drop bad postgres securityContext + un-own shared namespace

Address Codex review on PR #17:

[P1] Postgres official image's entrypoint requires root to chown a fresh PVC, then drops to the postgres user via gosu. Forcing runAsNonRoot+runAsUser=999 blocks the chown and initdb fails on a fresh volume. Drop the securityContext; matches the existing vaultwarden-postgresql pattern.

[P2] The forte-drop namespace was declared as a managed resource in the postgres Application. Since minio lives in the same namespace from a separate Application, an Argo prune of the pg app would delete the namespace and cascade-delete minio. Remove the Namespace resource; rely on syncOptions: CreateNamespace=true on both apps (already set).
---
 .../forte-drop-postgresql/resources/postgresql.yaml | 11 ++++-------
 1 file changed, 4 insertions(+), 7 deletions(-)

diff --git a/infra/overlays/upc-dev/forte-drop-postgresql/resources/postgresql.yaml b/infra/overlays/upc-dev/forte-drop-postgresql/resources/postgresql.yaml
index dac60e0..659ba9b 100644
--- a/infra/overlays/upc-dev/forte-drop-postgresql/resources/postgresql.yaml
+++ b/infra/overlays/upc-dev/forte-drop-postgresql/resources/postgresql.yaml
@@ -43,13 +43,10 @@ spec:
 containers:
 - name: postgresql
 image: postgres:16-alpine
- securityContext:
- runAsNonRoot: true
- runAsUser: 999
- runAsGroup: 999
- allowPrivilegeEscalation: false
- capabilities:
- drop: [ALL]
+ # NOTE: no securityContext. The official postgres image's entrypoint must
+ # start as root to chown a fresh /var/lib/postgresql/data, then drops to
+ # the postgres user (uid 70 in alpine) via gosu. Forcing runAsNonRoot here
+ # breaks initdb on a fresh PVC. Matches the vaultwarden-postgresql pattern.
 ports:
 - name: tcp-postgresql
 containerPort: 5432
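Review bot: The new side removes the whole securityContext, so the container also loses `allowPrivilegeEscalation: false` and `capabilities: {drop: [ALL]}`, which have nothing to do with the root-chown problem the added comment describes; an entrypoint that starts as root can keep those and add back only what it needs, e.g. `securityContext: {allowPrivilegeEscalation: false, capabilities: {drop: [ALL], add: [CHOWN, SETUID, SETGID, DAC_OVERRIDE, FOWNER]}}` (confirm the exact set against the entrypoint). The dropped `runAsUser: 999` is also the Debian image's postgres uid, while the comment itself notes alpine uses uid 70, so the fresh-PVC failure may partly stem from that mismatch rather than from the root requirement alone; a pod-level `fsGroup: 70` with `runAsUser: 70` and PGDATA pointed at a subdirectory of the mount is the usual way to keep this image non-root and seems worth testing before abandoning it. The containers list this hunk edits starts and ends outside the hunk. Separately, the diffstat lists only this one file with 4 insertions and 7 deletions, so the Namespace resource removal described under [P2] in the commit message does not appear in this patch.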