Update docker.io/library/postgres Docker tag to v14.22 #221

Open
red-hat-konflux-kflux-prd-rh02[bot] wants to merge 1 commit into main from konflux/mintmaker/main/docker.io-library-postgres-14.x

@red-hat-konflux-kflux-prd-rh02

This PR contains the following updates:

| Package | Update | Change | Pending |
| --- | --- | --- | --- |
| docker.io/library/postgres | minor | 14.2 → 14.22 | 14.23 |

Warning

Some dependencies could not be looked up. Check the warning logs for more information.


Configuration

📅 Schedule: Branch creation - "on monday" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

To execute skipped test pipelines write comment /ok-to-test.


Documentation

Find out how to configure dependency updates in MintMaker documentation or see all available configuration options in Renovate documentation.

Signed-off-by: red-hat-konflux-kflux-prd-rh02 <190377777+red-hat-konflux-kflux-prd-rh02[bot]@users.noreply.github.com>
@openshift-ci

openshift-ci Bot commented Jun 15, 2026

Hi @red-hat-konflux-kflux-prd-rh02[bot]. Thanks for your PR.

I'm waiting for an openshift-hyperfleet member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@coderabbitai

coderabbitai Bot commented Jun 15, 2026

📝 Walkthrough

Summary by CodeRabbit

  • Chores
    • Updated PostgreSQL container image to version 14.22 in the Helm chart configuration.

Walkthrough

The default PostgreSQL container image tag under database.postgresql.image in charts/values.yaml is updated from docker.io/library/postgres:14.2 to docker.io/library/postgres:14.22. No logic, API contracts, or exported entities are affected.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes


Supply chain surface (CWE-1395, CWE-693): Confirm docker.io/library/postgres:14.22 digest is pinned or verified in the deployment pipeline. Floating tags on docker.io are a known image substitution vector — verify the SHA256 digest matches the upstream official release before merging. Check CVE tracker for any outstanding CVEs between 14.2 and 14.22 via docker scout cves docker.io/library/postgres:14.22.

🚥 Pre-merge checks | ✅ 11
✅ Passed checks (11 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Title check | ✅ Passed | Title directly matches the changeset: updates PostgreSQL Docker image tag from 14.2 to 14.22 in values.yaml. |
| Description check | ✅ Passed | Description relates to the changeset, documenting the postgres package update from 14.2 to 14.22 via Renovate/MintMaker. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Sec-02: Secrets In Log Output | ✅ Passed | No log statements found containing unredacted tokens, passwords, credentials, or secrets. Code uses redactPassword() for safe connection string logging. |
| No Hardcoded Secrets | ✅ Passed | The PR only updates a public Docker image tag (postgres:14.2 → 14.22) with no hardcoded secrets, base64 strings, embedded credentials, or secret-like variables introduced. |
| No Weak Cryptography | ✅ Passed | PR contains only a PostgreSQL Docker image version bump (14.2→14.22) with no weak cryptographic primitives, insecure implementations, or non-constant-time secret comparisons detected in code. |
| No Injection Vectors | ✅ Passed | PR only modifies Docker image tag in values.yaml (14.2→14.22); no code changes. Comprehensive scan found zero SQL injection (CWE-89), command injection (CWE-78), XSS (CWE-79), or unsafe deserializa... |
| No Privileged Containers | ✅ Passed | PR only updates PostgreSQL image tag from 14.2→14.22, no privileged container configurations introduced or modified. Existing PostgreSQL deployment lacks securityContext (pre-existing issue, not in... |
| No Pii Or Sensitive Data In Logs | ✅ Passed | PR modifies only a Docker image tag (postgres:14.2→14.22) in YAML config. Contains no logging statements, code, or potential PII exposure. |

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

Comment @coderabbitai help to get the list of available commands and usage tips.
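
The digest-pinning check raised in the supply-chain note above can be enforced as a pre-merge gate on the values file. The script below is an added example, not part of this PR or the repository's tooling; the `unpinned_images` function, the `sidecar` and `broken` keys, and the all-zero digest are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the repository: list image references in a
# Helm values file that are not pinned to an immutable sha256 digest.

# Print "<line>:<ref>" for each `image:` value lacking a full @sha256 digest.
unpinned_images() {
  grep -nE '^[[:space:]]*image:[[:space:]]*[^[:space:]#]' "$1" |
    sed -E 's/^([0-9]+):[[:space:]]*image:[[:space:]]*/\1:/; s/[[:space:]]+#.*$//' |
    tr -d "\"'" |
    grep -vE '@sha256:[0-9a-f]{64}$' || true   # no findings is not an error
}

# Placeholder digest (64 zeros); not the digest of any real image.
PLACEHOLDER_DIGEST=$(printf '%064d' 0)

# Constructed sample: the tag-only value from this PR, a digest-pinned form,
# and a truncated digest that must not be accepted as pinned.
write_sample() {
  cat > "$1" <<EOF
database:
  postgresql:
    enabled: true
    # -- PostgreSQL container image
    image: docker.io/library/postgres:14.22
sidecar:
  image: "docker.io/library/postgres:14.22@sha256:${PLACEHOLDER_DIGEST}"  # pinned
broken:
  image: docker.io/library/postgres@sha256:abc123
EOF
}

sample=$(mktemp)
write_sample "$sample"
unpinned_images "$sample"   # reports lines 5 and 9; line 7 is pinned
rm -f "$sample"
```

In a pipeline, a non-empty result from `unpinned_images charts/values.yaml` would fail the job; the digest itself still has to be obtained from and checked against the upstream release.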

@openshift-ci openshift-ci Bot requested review from ldornele and rafabene June 15, 2026 18:03
@openshift-ci

openshift-ci Bot commented Jun 15, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign aredenba-rh for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@charts/values.yaml`:
- Line 308: The charts/README.md file is out of sync with the updated
values.yaml file. The postgres image version has been changed to 14.22 in
values.yaml, but README.md still references the old version 14.2 in three places
(database table, database.postgresql table, and database.postgresql.image row).
Run the make helm-docs command to regenerate the charts/README.md file from
values.yaml and the helm template, then commit the updated README.md file. This
will ensure the documentation stays in sync and the make test-helm target's
verify-helm-docs check will pass.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Central YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 3bdc51bc-c073-4448-be77-e32eec2279db

📥 Commits

Reviewing files that changed from the base of the PR and between b4bff38 and 7032326.

📒 Files selected for processing (1)
  • charts/values.yaml
🔗 Linked repositories identified

CodeRabbit considers these linked repositories for cross-repo context during reviews:

  • openshift-hyperfleet/architecture (manual)
  • openshift-hyperfleet/hyperfleet-api (manual)
  • openshift-hyperfleet/hyperfleet-sentinel (manual)
  • openshift-hyperfleet/hyperfleet-adapter (manual)
  • openshift-hyperfleet/hyperfleet-broker (manual)

Comment thread charts/values.yaml
enabled: true
# -- PostgreSQL container image
image: docker.io/library/postgres:14.2
image: docker.io/library/postgres:14.22
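
Review bot: The new `image:` value is still a tag-only reference (`docker.io/library/postgres:14.22`), so the chart default resolves to whatever the registry serves for that tag at pull time rather than to fixed content. Consider appending the verified image digest, in the form `docker.io/library/postgres:14.22@sha256:<digest>` (placeholder, to be taken from the upstream image once checked), so the default is immutable and any later change to it shows up in a diff.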

🛠️ Refactor suggestion | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Search for stale references to postgres:14.2 in docs and templates
rg 'postgres:14\.2' charts/

Repository: openshift-hyperfleet/hyperfleet-api

Length of output: 1308


🏁 Script executed:

#!/bin/bash
# Check if README is auto-generated and look for related tooling
cd charts
ls -la | grep -i readme
cat README.md | head -20

Repository: openshift-hyperfleet/hyperfleet-api

Length of output: 915


🏁 Script executed:

#!/bin/bash
# Search for helm-docs or similar documentation generation in Makefile
grep -r "helm-docs\|README" Makefile* .github/ 2>/dev/null || echo "No helm-docs found in standard locations"

Repository: openshift-hyperfleet/hyperfleet-api

Length of output: 647


🏁 Script executed:

#!/bin/bash
# Check the actual content of README.md around the database.postgresql.image section
sed -n '140,160p' charts/README.md

Repository: openshift-hyperfleet/hyperfleet-api

Length of output: 3393


Run make helm-docs to regenerate charts/README.md.

The chart README is auto-generated from values.yaml and README.md.gotmpl using helm-docs. The current README.md still documents postgres:14.2 in three places (database table, database.postgresql table, and database.postgresql.image row), but values.yaml now specifies 14.22. Run make helm-docs to regenerate the documentation, then commit the result. The make test-helm target includes a verify-helm-docs check that will fail until README.md is in sync with values.yaml.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@charts/values.yaml` at line 308, The charts/README.md file is out of sync
with the updated values.yaml file. The postgres image version has been changed
to 14.22 in values.yaml, but README.md still references the old version 14.2 in
three places (database table, database.postgresql table, and
database.postgresql.image row). Run the make helm-docs command to regenerate the
charts/README.md file from values.yaml and the helm template, then commit the
updated README.md file. This will ensure the documentation stays in sync and the
make test-helm target's verify-helm-docs check will pass.
