feat(infra): forte-drop in-cluster postgres + nightly backup (prod) #17
@@ -45,7 +45,7 @@ spec:
|
||||
spec:
|
||||
containers:
|
||||
- name: minio
|
||||
image: quay.io/minio/minio:latest
|
||||
image: quay.io/minio/minio:RELEASE.2024-12-18T13-15-44Z
|
||||
|
jorgen.stensrud marked this conversation as resolved
Outdated
|
||||
args:
|
||||
- server
|
||||
- /data
|
||||
@@ -121,7 +121,7 @@ spec:
|
||||
restartPolicy: OnFailure
|
||||
containers:
|
||||
- name: mc
|
||||
image: quay.io/minio/mc:latest
|
||||
image: quay.io/minio/mc:RELEASE.2024-11-21T17-21-54Z
|
||||
|
jorgen.stensrud marked this conversation as resolved
Outdated
gitea_admin
commented
Using ':latest' tag is discouraged as it can lead to unpredictable deployments; pin to a specific version. #ai-review-inline Using ':latest' tag is discouraged as it can lead to unpredictable deployments; pin to a specific version.
```suggestion
image: quay.io/minio/mc:RELEASE.2024-03-15T01-07-19Z
```
#ai-review-inline
|
||||
env:
|
||||
- name: MINIO_ROOT_USER
|
||||
valueFrom:
|
||||
@@ -137,7 +137,7 @@ spec:
|
||||
- sh
|
||||
- -c
|
||||
- |
|
||||
set -e
|
||||
set -euo pipefail
|
||||
|
jorgen.stensrud marked this conversation as resolved
Outdated
gitea_admin
commented
Shell script should include 'set -uo pipefail' for better error handling and safer execution. #ai-review-inline Shell script should include 'set -uo pipefail' for better error handling and safer execution.
```suggestion
set -euo pipefail
```
#ai-review-inline
|
||||
until mc alias set local http://forte-drop-minio:9000 "$MINIO_ROOT_USER" "$MINIO_ROOT_PASSWORD" 2>/dev/null; do
|
||||
echo "waiting for minio..."
|
||||
sleep 2
|
||||
|
||||
@@ -43,6 +43,13 @@ spec:
|
||||
containers:
|
||||
|
jorgen.stensrud marked this conversation as resolved
gitea_admin
commented
Container is missing securityContext which should be set for security best practices. #ai-review-inline Container is missing securityContext which should be set for security best practices.
```suggestion
containers:
- name: postgresql
securityContext:
runAsNonRoot: true
runAsUser: 999
allowPrivilegeEscalation: false
readOnlyRootFilesystem: false
```
#ai-review-inline
|
||||
- name: postgresql
|
||||
image: postgres:16-alpine
|
||||
|
jorgen.stensrud marked this conversation as resolved
gitea_admin
commented
Container image should use a pinned digest or exact tag instead of 'postgres:16-alpine' for better security and reproducibility. #ai-review-inline Container image should use a pinned digest or exact tag instead of 'postgres:16-alpine' for better security and reproducibility.
```suggestion
image: postgres:16.1-alpine
```
#ai-review-inline
|
||||
securityContext:
|
||||
runAsNonRoot: true
|
||||
runAsUser: 999
|
||||
runAsGroup: 999
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop: [ALL]
|
||||
ports:
|
||||
- name: tcp-postgresql
|
||||
containerPort: 5432
|
||||
|
||||
Reference in New Issue
Block a user
Using ':latest' tag is discouraged as it can lead to unpredictable deployments; pin to a specific version.
#ai-review-inline