From 69848e42f02ecedfe6af1201e0b482fc837205df Mon Sep 17 00:00:00 2001
From: Sten
Date: Thu, 28 May 2026 16:05:48 +0200
Subject: [PATCH] fix(infra): pin minio/mc tags + add postgres securityContext + harden bootstrap script

Address ai-review feedback on PR #17:
- Pin quay.io/minio/minio and mc to specific RELEASE tags (Renovate will bump). 'latest' is unpredictable in GitOps.
- Bootstrap script: set -e -> set -euo pipefail.
- Postgres container: runAsNonRoot, uid/gid 999, drop ALL caps, no privilege escalation. Matches PSS restricted profile.
---
 .../overlays/upc-dev/forte-drop-minio/resources/minio.yaml | 6 +++---
 .../forte-drop-postgresql/resources/postgresql.yaml | 7 +++++++
 2 files changed, 10 insertions(+), 3 deletions(-)

diff --git a/infra/overlays/upc-dev/forte-drop-minio/resources/minio.yaml b/infra/overlays/upc-dev/forte-drop-minio/resources/minio.yaml
index 51bde97..69d1e3a 100644
--- a/infra/overlays/upc-dev/forte-drop-minio/resources/minio.yaml
+++ b/infra/overlays/upc-dev/forte-drop-minio/resources/minio.yaml
@@ -45,7 +45,7 @@ spec:
 spec:
 containers:
 - name: minio
- image: quay.io/minio/minio:latest
+ image: quay.io/minio/minio:RELEASE.2024-12-18T13-15-44Z
 args:
 - server
 - /data
@@ -121,7 +121,7 @@ spec:
 restartPolicy: OnFailure
 containers:
 - name: mc
- image: quay.io/minio/mc:latest
+ image: quay.io/minio/mc:RELEASE.2024-11-21T17-21-54Z
 env:
 - name: MINIO_ROOT_USER
 valueFrom:
@@ -137,7 +137,7 @@ spec:
 - sh
 - -c
 - |
- set -e
+ set -euo pipefail
 until mc alias set local http://forte-drop-minio:9000 "$MINIO_ROOT_USER" "$MINIO_ROOT_PASSWORD" 2>/dev/null; do
 echo "waiting for minio..."
 sleep 2
diff --git a/infra/overlays/upc-dev/forte-drop-postgresql/resources/postgresql.yaml b/infra/overlays/upc-dev/forte-drop-postgresql/resources/postgresql.yaml
index c1b26d1..dac60e0 100644
--- a/infra/overlays/upc-dev/forte-drop-postgresql/resources/postgresql.yaml
+++ b/infra/overlays/upc-dev/forte-drop-postgresql/resources/postgresql.yaml
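Review bot: The new `image:` line in the first hunk pins a tag, but a tag is still a mutable pointer — `RELEASE.2024-12-18T13-15-44Z` can be re-pushed under the same name, so a GitOps sync may pull bytes that differ from what was reviewed. For an immutable reference add the digest alongside the tag, `image: quay.io/minio/minio:RELEASE.2024-12-18T13-15-44Z@sha256:<digest-from-registry>` (placeholder; take the value from the registry), and let Renovate's digest pinning keep both parts current. The same applies to the mc image in the second hunk (`quay.io/minio/mc:RELEASE.2024-11-21T17-21-54Z`). The minio container spec continues outside this hunk; if it has no container-level `securityContext`, the same settings this commit gives the postgres container would presumably apply here too.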
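Review bot: In the third hunk `set -euo pipefail` is executed under `sh -c` (the `- sh` / `- -c` items above it), and `-o pipefail` is not a POSIX sh option: on a dash- or older-BusyBox-based `/bin/sh` the `set` builtin rejects it and, being a special builtin, aborts the whole bootstrap before the `until` loop runs. Confirm what `/bin/sh` resolves to in the pinned mc image, or invoke `bash -c` if the image ships bash; otherwise keep `set -eu` and guard pipelines explicitly. `-u` also turns any later reference to an unset variable into a hard exit — the rest of the block scalar is outside this hunk, so check that every `$VAR` it expands is guaranteed set (the second hunk shows `MINIO_ROOT_USER` coming from `env`; `MINIO_ROOT_PASSWORD` presumably the same, but that is not visible here).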
@@ -43,6 +43,13 @@ spec:
 containers:
 - name: postgresql
 image: postgres:16-alpine
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: 999
+ runAsGroup: 999
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop: [ALL]
 ports:
 - name: tcp-postgresql
 containerPort: 5432
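Review bot: `runAsUser: 999` / `runAsGroup: 999` do not match the image on the context line above them: the official `postgres:*-alpine` variants create the postgres user as uid/gid 70 (999 is the uid used by the Debian-based `postgres:16` image), so this is worth verifying against the pinned tag. Running as an id the image does not know means the entrypoint cannot resolve the user and `initdb` / data-directory ownership on the volume are likely to fail, so either use `70` here or switch to the Debian tag that the 999 ids assume. The commit message says this matches the PSS restricted profile, but restricted also requires `seccompProfile: {type: RuntimeDefault}` on the container or pod `securityContext`; it is not in this hunk, so add it here unless it is already set at pod level outside the hunk. If the data directory lives on a PVC, a pod-level `fsGroup` matching the chosen group id is typically needed as well for the volume to be writable — that part of the spec is outside this hunk.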