Follow-up to 47d1f1e — the previous commit only updated postgres'
securityContext; this drops the explicit Namespace resource as the
Codex review flagged. Both apps still get the namespace created via
syncOptions: CreateNamespace=true.
Address Codex review on PR #17:
[P1] Postgres official image's entrypoint requires root to chown a
fresh PVC, then drops to the postgres user via gosu. Forcing
runAsNonRoot+runAsUser=999 blocks the chown and initdb fails on a
fresh volume. Drop the securityContext; matches the existing
vaultwarden-postgresql pattern.
[P2] The forte-drop namespace was declared as a managed resource
in the postgres Application. Since minio lives in the same
namespace from a separate Application, an Argo prune of the pg
app would delete the namespace and cascade-delete minio. Remove
the Namespace resource; rely on syncOptions: CreateNamespace=true
on both apps (already set).
Address ai-review feedback on PR #17:
- Pin quay.io/minio/minio and mc to specific RELEASE tags (Renovate
will bump). 'latest' is unpredictable in GitOps.
- Bootstrap script: set -e -> set -euo pipefail.
- Postgres container: runAsNonRoot, uid/gid 999, drop ALL caps,
no privilege escalation. Matches PSS restricted profile.
