eqtylab · captjt · Apr 15, 2026 · Apr 15, 2026 · Apr 15, 2026 · Apr 15, 2026
diff --git a/.gitignore b/.gitignore
@@ -23,6 +23,7 @@
 Session.vim
 .netrwhist
 .history
+.zed/
 
 # Helm
 /**/*.tgz

diff --git a/containers/postgresql-17.9-bitnami-custom/Dockerfile b/containers/postgresql-17.9-bitnami-custom/Dockerfile
@@ -0,0 +1,113 @@
+# syntax=docker/dockerfile:1.7
+
+ARG BITNAMI_BASE_IMAGE=docker.io/bitnamilegacy/postgresql:17.6.0-debian-12-r4
+ARG POSTGRESQL_VERSION=17.9
+ARG POSTGRESQL_SHA256=3b9a62538a8da151e807a3ddb1198e8605f2032544d78f403ae883d27ecf1ee4
+ARG POSTGRESQL_SOURCE_URL=https://ftp.postgresql.org/pub/source/v17.9/postgresql-17.9.tar.bz2
+
+FROM ${BITNAMI_BASE_IMAGE} AS builder
+
+ARG POSTGRESQL_VERSION
+ARG POSTGRESQL_SHA256
+ARG POSTGRESQL_SOURCE_URL
+
+USER root
+
+# Compile PostgreSQL 17.9 with the same feature set exposed by Bitnami's
+# public 17.6 Debian image so we can retain Bitnami's runtime scripts/layout.
+RUN apt-get update \
+ && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
+      bison \
+      build-essential \
+      ca-certificates \
+      curl \
+      flex \
+      libedit-dev \
+      libicu-dev \
+      libldap2-dev \
+      libsasl2-dev \
+      libssl-dev \
+      libxml2-dev \
+      libxslt1-dev \
+      liblz4-dev \
+      perl \
+      pkg-config \
+      uuid-dev \
+      zlib1g-dev \
+ && rm -rf /var/lib/apt/lists/*
+
+RUN mkdir -p /tmp/postgresql-src \
+ && mkdir -p /tmp/bitnami-extras/lib /tmp/bitnami-extras/licenses /tmp/bitnami-extras/share/extension \
+ && cp -a /opt/bitnami/postgresql/lib/pgaudit.so /tmp/bitnami-extras/lib/ \
+ && cp -a /opt/bitnami/postgresql/licenses/pgaudit-17.1.0.txt /tmp/bitnami-extras/licenses/ \
+ && cp -a /opt/bitnami/postgresql/share/extension/pgaudit.control /tmp/bitnami-extras/share/extension/ \
+ && cp -a /opt/bitnami/postgresql/share/extension/pgaudit--17.0--17.1.sql /tmp/bitnami-extras/share/extension/ \
+ && cp -a /opt/bitnami/postgresql/share/extension/pgaudit--17.1.sql /tmp/bitnami-extras/share/extension/ \
+ && curl -fsSL "${POSTGRESQL_SOURCE_URL}" -o /tmp/postgresql.tar.bz2 \
+ && echo "${POSTGRESQL_SHA256}  /tmp/postgresql.tar.bz2" | sha256sum -c - \
+ && tar -xjf /tmp/postgresql.tar.bz2 -C /tmp/postgresql-src --strip-components=1 \
+ && rm -rf /opt/bitnami/postgresql \
+ && cd /tmp/postgresql-src \
+ && ./configure \
+      --prefix=/opt/bitnami/postgresql \
+      --with-libedit-preferred \
+      --with-openssl \
+      --with-libxml \
+      --with-libxslt \
+      --with-readline \
+      --with-icu \
+      --with-uuid=e2fs \
+      --with-ldap \
+      --with-lz4 \
+      CFLAGS=-O2 \
+      CXXFLAGS=-O2 \
+      CC=gcc \
+      LDFLAGS="-Wl,-rpath=/opt/bitnami/common/lib -L/opt/bitnami/common/lib -Wl,-rpath=/opt/bitnami/postgresql/lib -L/opt/bitnami/postgresql/lib" \
+      CPPFLAGS="-I/opt/bitnami/common/include -I/opt/bitnami/postgresql/include" \
+ && make -j"$(nproc)" world-bin \
+ && make install-world-bin \
+ && mkdir -p /opt/bitnami/postgresql/lib /opt/bitnami/postgresql/licenses /opt/bitnami/postgresql/share/extension \
+ && cp -a /tmp/bitnami-extras/lib/pgaudit.so /opt/bitnami/postgresql/lib/ \
+ && cp -a /tmp/bitnami-extras/licenses/pgaudit-17.1.0.txt /opt/bitnami/postgresql/licenses/ \
+ && cp -a /tmp/bitnami-extras/share/extension/pgaudit.control /opt/bitnami/postgresql/share/extension/ \
+ && cp -a /tmp/bitnami-extras/share/extension/pgaudit--17.0--17.1.sql /opt/bitnami/postgresql/share/extension/ \
+ && cp -a /tmp/bitnami-extras/share/extension/pgaudit--17.1.sql /opt/bitnami/postgresql/share/extension/ \
+ && strip /opt/bitnami/postgresql/bin/* /opt/bitnami/postgresql/lib/*.so* || true \
+ && rm -rf /tmp/postgresql-src /tmp/postgresql.tar.bz2 /tmp/bitnami-extras
+
+FROM ${BITNAMI_BASE_IMAGE}
+
+ARG BITNAMI_BASE_IMAGE
+ARG POSTGRESQL_VERSION
+ARG POSTGRESQL_SOURCE_URL
+
+USER root
+
+# Bring the Debian 12 packages forward and drop optional tools that were in the
+# original client scan while keeping Bitnami's entrypoint contract intact.
+RUN apt-get update \
+ && DEBIAN_FRONTEND=noninteractive apt-get dist-upgrade -y \
+ && DEBIAN_FRONTEND=noninteractive apt-get purge -y --auto-remove \
+      gnupg2 \
+      libsqlite3-0 \
+      sqlite3 \
+ && apt-get clean \
+ && rm -rf /var/lib/apt/lists/* /var/cache/apt/archives/*
+
+RUN rm -rf /opt/bitnami/postgresql
+COPY --from=builder /opt/bitnami/postgresql /opt/bitnami/postgresql
+
+RUN /opt/bitnami/scripts/postgresql/postunpack.sh \
+ && chmod -R g+rwX /opt/bitnami/postgresql \
+ && find / -perm /6000 -type f -exec chmod a-s {} \; || true
+
+LABEL org.opencontainers.image.title="bitnami-postgresql-custom" \
+      org.opencontainers.image.description="Custom PostgreSQL 17.9 image using Bitnami runtime layout and entrypoint" \
+      org.opencontainers.image.source="https://github.com/eqtylab/deployment/tree/main/containers/postgresql-17.9-bitnami-custom" \
+      org.opencontainers.image.base.name="${BITNAMI_BASE_IMAGE}" \
+      org.opencontainers.image.version="${POSTGRESQL_VERSION}"
+
+ENV APP_VERSION="${POSTGRESQL_VERSION}" \
+    PATH="/opt/bitnami/postgresql/bin:/opt/bitnami/common/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+
+USER 1001
diff --git a/containers/postgresql-17.9-bitnami-custom/README.md b/containers/postgresql-17.9-bitnami-custom/README.md
@@ -0,0 +1,106 @@
+# PostgreSQL 17.9 Bitnami-Derived Custom Image
+
+This image keeps Bitnami's PostgreSQL runtime layout, scripts, and entrypoint
+from the public `bitnamilegacy/postgresql:17.6.0-debian-12-r4` image, but
+replaces the PostgreSQL server binaries with an upstream PostgreSQL 17.9 build.
+It also preserves Bitnami's bundled `pgaudit` extension so the stock Bitnami
+startup path still works.
+
+## Why this exists
+
+Bitnami's public registries currently expose `17.6.0-debian-12-r4` as the
+newest public PostgreSQL 17 image we could verify, but Trivy still reports
+PostgreSQL CVEs that are fixed in 17.8+.
+
+Bitnami does not appear to publish a public PostgreSQL 17.9 component tarball,
+so this build takes the practical fallback path:
+
+- keep Bitnami's entrypoint and container conventions
+- preserve Bitnami-added `pgaudit` files expected by the default config
+- compile PostgreSQL 17.9 from the official PostgreSQL source release
+- install it into `/opt/bitnami/postgresql`
+- retain the same Helm/runtime behavior expected by the Bitnami image
+
+## Base image
+
+- runtime base: `docker.io/bitnamilegacy/postgresql:17.6.0-debian-12-r4`
+- PostgreSQL source: `https://ftp.postgresql.org/pub/source/v17.9/postgresql-17.9.tar.bz2`
+
+## Build
+
+```bash
+docker buildx build \
+  --platform linux/amd64 \
+  --tag ghcr.io/eqtylab/bitnami-postgresql:17.9-custom-p2 \
+  --load \
+  containers/postgresql-17.9-bitnami-custom
+```
+
+Or use the helper script:
+
+```bash
+PUSH=1 ./containers/postgresql-17.9-bitnami-custom/build.sh \
+  ghcr.io/eqtylab/bitnami-postgresql:17.9-custom-p2
+```
+
+## Verify
+
+After the build:
+
+```bash
+docker run --rm --platform linux/amd64 \
+  --entrypoint /bin/bash \
+  ghcr.io/eqtylab/bitnami-postgresql:17.9-custom-p2 \
+  -lc '/opt/bitnami/postgresql/bin/postgres --version'
+```
+
+Expected output:
+
+```text
+postgres (PostgreSQL) 17.9
+```
+
+To smoke test the default startup path:
+
+```bash
+docker run -d --platform linux/amd64 \
+  --name pg179-smoke \
+  -e ALLOW_EMPTY_PASSWORD=yes \
+  ghcr.io/eqtylab/bitnami-postgresql:17.9-custom-p2
+
+docker logs pg179-smoke
+docker inspect --format '{{.State.Status}} {{.State.ExitCode}}' pg179-smoke
+```
+
+When healthy, the logs should include:
+
+```text
+LOG:  pgaudit extension initialized
+LOG:  starting PostgreSQL 17.9
+LOG:  database system is ready to accept connections
+```
+
+## Trivy
+
+On the locally validated image, Trivy no longer reported PostgreSQL-specific
+HIGH/CRITICAL findings. The remaining HIGH/CRITICAL results were Debian 12
+package residuals:
+
+- glibc `CVE-2026-0861`
+- openldap `CVE-2023-2953`
+- ncurses `CVE-2025-69720`
+- systemd `CVE-2026-29111`
+- zlib `CVE-2023-45853`
+
+`libsqlite3-0` was removed from the final image, which eliminated the SQLite
+CRITICAL reported by Trivy. The remaining CRITICAL is `zlib`, which Debian
+tracks as a Bookworm false positive because the vulnerable MiniZip code is not
+built in the shipped binary package.
+
+## Notes
+
+- This is a custom derivative, not an official Bitnami-supported image.
+- It is intended as a controlled bridge while moving off the archived Bitnami
+  Legacy line or onto a managed PostgreSQL service.
+- The Debian package findings from scanners may still include Bookworm
+  residuals that do not yet have vendor backports.
diff --git a/containers/postgresql-17.9-bitnami-custom/build.sh b/containers/postgresql-17.9-bitnami-custom/build.sh
@@ -0,0 +1,33 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+IMAGE_REF="${1:-}"
+PLATFORM="${PLATFORM:-linux/amd64}"
+PUSH="${PUSH:-0}"
+BASE_IMAGE="${BASE_IMAGE:-docker.io/bitnamilegacy/postgresql:17.6.0-debian-12-r4}"
+POSTGRESQL_VERSION="${POSTGRESQL_VERSION:-17.9}"
+POSTGRESQL_SOURCE_URL="${POSTGRESQL_SOURCE_URL:-https://ftp.postgresql.org/pub/source/v17.9/postgresql-17.9.tar.bz2}"
+POSTGRESQL_SHA256="${POSTGRESQL_SHA256:-3b9a62538a8da151e807a3ddb1198e8605f2032544d78f403ae883d27ecf1ee4}"
+SCRIPT_DIR="$(cd -- "$(dirname -- "${BASH_SOURCE[0]}")" && pwd)"
+
+if [[ -z "${IMAGE_REF}" ]]; then
+  echo "usage: $0 <registry/repository:tag>" >&2
+  exit 1
+fi
+
+OUTPUT_FLAG="--load"
+if [[ "${PUSH}" == "1" ]]; then
+  OUTPUT_FLAG="--push"
+fi
+
+docker buildx build \
+  --pull \
+  --platform "${PLATFORM}" \
+  --build-arg BITNAMI_BASE_IMAGE="${BASE_IMAGE}" \
+  --build-arg POSTGRESQL_VERSION="${POSTGRESQL_VERSION}" \
+  --build-arg POSTGRESQL_SOURCE_URL="${POSTGRESQL_SOURCE_URL}" \
+  --build-arg POSTGRESQL_SHA256="${POSTGRESQL_SHA256}" \
+  --tag "${IMAGE_REF}" \
+  "${OUTPUT_FLAG}" \
+  "${SCRIPT_DIR}"
diff --git a/containers/postgresql-legacy-patch/Dockerfile b/containers/postgresql-legacy-patch/Dockerfile
@@ -0,0 +1,26 @@
+# syntax=docker/dockerfile:1.7
+
+ARG BASE_IMAGE=docker.io/bitnamilegacy/postgresql:17.6.0-debian-12-r4
+FROM ${BASE_IMAGE}
+
+USER root
+
+# Refresh Debian 12 packages in the frozen legacy image while preserving the
+# Bitnami PostgreSQL entrypoint and filesystem layout expected by the chart.
+RUN apt-get update \
+ && DEBIAN_FRONTEND=noninteractive apt-get dist-upgrade -y \
+ && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
+      ca-certificates \
+ && DEBIAN_FRONTEND=noninteractive apt-get purge -y --auto-remove \
+      gnupg2 \
+      sqlite3 \
+ && apt-get clean \
+ && rm -rf /var/lib/apt/lists/* /var/cache/apt/archives/*
+
+ARG PATCH_IMAGE_SOURCE=https://github.com/eqtylab/deployment/tree/main/containers/postgresql-legacy-patch
+LABEL org.opencontainers.image.title="postgresql-legacy-patch" \
+      org.opencontainers.image.description="Temporary patched fork of Bitnami Legacy PostgreSQL 17 for Governance Platform client deployments" \
+      org.opencontainers.image.source="${PATCH_IMAGE_SOURCE}" \
+      org.opencontainers.image.base.name="${BASE_IMAGE}"
+
+USER 1001
diff --git a/containers/postgresql-legacy-patch/README.md b/containers/postgresql-legacy-patch/README.md
@@ -0,0 +1,85 @@
+# PostgreSQL Legacy Patch Image
+
+This directory builds a temporary patched fork of the PostgreSQL image that is
+running in the client environment today.
+
+## Base image
+
+The client scan reported:
+
+- image name: `docker.io/bitnamilegacy/postgresql:17-debian-12`
+- image label version: `17.5.0`
+
+To avoid drift from the floating `17-debian-12` tag, the Dockerfile defaults to
+the matching versioned legacy image:
+
+- `docker.io/bitnamilegacy/postgresql:17.5.0-debian-12-r17`
+
+That keeps the Bitnami PostgreSQL 17 layout and entrypoint intact while pulling
+in newer Debian 12 security fixes during the rebuild.
+
+## What this image changes
+
+- Starts from the same Bitnami legacy PostgreSQL 17 image line.
+- Runs `apt-get dist-upgrade` to pull current Debian 12 security updates.
+- Removes `gnupg2` and `sqlite3`, which were flagged in the scan and are not
+  required for normal PostgreSQL runtime.
+
+## Build
+
+Build and push an amd64 image to your registry:
+
+```bash
+docker buildx build \
+  --platform linux/amd64 \
+  --build-arg BASE_IMAGE=docker.io/bitnamilegacy/postgresql:17.5.0-debian-12-r17 \
+  --tag <registry>/<repo>/postgresql:17.5.0-debian-12-r17-p1 \
+  --push \
+  containers/postgresql-legacy-patch
+```
+
+Or use the helper script:
+
+```bash
+PUSH=1 ./containers/postgresql-legacy-patch/build.sh \
+  <registry>/<repo>/postgresql:17.5.0-debian-12-r17-p1
+```
+
+If you want to override the base image explicitly:
+
+```bash
+PUSH=1 ./containers/postgresql-legacy-patch/build.sh \
+  <registry>/<repo>/postgresql:17.5.0-debian-12-r17-p1 \
+  docker.io/bitnamilegacy/postgresql:17.5.0-debian-12-r17
+```
+
+## Capture the digest
+
+After pushing, record the digest and use it in Helm:
+
+```bash
+docker buildx imagetools inspect <registry>/<repo>/postgresql:17.5.0-debian-12-r17-p1
+```
+
+## Helm override
+
+Use the rebuilt image in your client values:
+
+```yaml
+postgresql:
+  image:
+    registry: <registry>
+    repository: <repo>/postgresql
+    tag: 17.5.0-debian-12-r17-p1
+```
+
+If you add digest support later, prefer pinning the digest as well.
+
+## Verification
+
+Before rolling to the client namespace:
+
+1. Run the rebuilt image in a non-production namespace.
+2. Mount a restored copy of the PostgreSQL volume or restore from backup.
+3. Confirm PostgreSQL starts cleanly and accepts connections.
+4. Rescan the pushed image with the same scanner the client is using.