fix(infra): drop bad postgres securityContext + un-own shared namespace
All checks were successful
AI Code Review / ai-review (pull_request) Successful in 6s
Address Codex review on PR #17: [P1] Postgres official image's entrypoint requires root to chown a fresh PVC, then drops to the postgres user via gosu. Forcing runAsNonRoot+runAsUser=999 blocks the chown and initdb fails on a fresh volume. Drop the securityContext; matches the existing vaultwarden-postgresql pattern. [P2] The forte-drop namespace was declared as a managed resource in the postgres Application. Since minio lives in the same namespace from a separate Application, an Argo prune of the pg app would delete the namespace and cascade-delete minio. Remove the Namespace resource; rely on syncOptions: CreateNamespace=true on both apps (already set).
@@ -43,13 +43,10 @@ spec:
|
|||||||
containers:
|
containers:
|
||||||
- name: postgresql
|
- name: postgresql
|
||||||
image: postgres:16-alpine
|
image: postgres:16-alpine
|
||||||
securityContext:
|
# NOTE: no securityContext. The official postgres image's entrypoint must
|
||||||
runAsNonRoot: true
|
# start as root to chown a fresh /var/lib/postgresql/data, then drops to
|
||||||
runAsUser: 999
|
# the postgres user (uid 70 in alpine) via gosu. Forcing runAsNonRoot here
|
||||||
runAsGroup: 999
|
# breaks initdb on a fresh PVC. Matches the vaultwarden-postgresql pattern.
|
||||||
allowPrivilegeEscalation: false
|
|
||||||
capabilities:
|
|
||||||
drop: [ALL]
|
|
||||||
ports:
|
ports:
|
||||||
- name: tcp-postgresql
|
- name: tcp-postgresql
|
||||||
containerPort: 5432
|
containerPort: 5432
|
||||||
|
|||||||
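Review bot: the deletion at the top of this hunk removes more than the runAs* settings that block the chown; `allowPrivilegeEscalation: false` and `capabilities: drop: [ALL]` go too, so the container now runs with the runtime's default capability set for the lifetime of the postgres process, not just during the initial chown. Two ways to keep most of that hardening while still letting initdb succeed on a fresh PVC: keep a `securityContext` with only `capabilities: drop: [ALL]` plus an `add:` of the capabilities the entrypoint actually needs for the chown and the gosu switch (CHOWN, FOWNER, DAC_OVERRIDE, SETUID, SETGID), or set a pod-level `fsGroup` so the kubelet fixes volume ownership and the container can run as the image's own postgres uid with `runAsNonRoot: true` again. The hunk also shows the old `runAsUser: 999` never matched the alpine image's uid 70 called out in the new NOTE, which is worth stating in that comment so nobody reinstates 999 later.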