
Update registry-1.docker.io/bitnamicharts/postgresql Docker tag to v18.7.0 #3331

Open
renovate[bot] wants to merge 1 commit into main from renovate/registry-1.docker.io-bitnamicharts-postgresql-18.x

Conversation


@renovate renovate Bot commented Jun 2, 2026

This PR contains the following updates:

| Package | Update | Change |
| --- | --- | --- |
| registry-1.docker.io/bitnamicharts/postgresql (source) | minor | 18.6.7 → 18.7.0 |

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.


Configuration

📅 Schedule: (in timezone America/Los_Angeles)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@anshulg-dep-review

Triage: CRITICAL -- supply-chain indicators, security team paged

Phantom release detected. The new version 18.7.0 does not exist in the official source repository (bitnami/charts). No git tag, no CHANGELOG entry, and no commit history can be found. This is a supply-chain compromise indicator.

Quick summary

The Bitnami PostgreSQL Helm chart version 18.7.0 is a phantom release — it appears in the Docker registry but has zero corresponding artifacts in the official source repository. No git tag, no CHANGELOG entry, and no commit history exist for this version. The current source repository HEAD is at version 17.1.0. This pattern is consistent with a compromised publisher account or unauthorized push to the registry. Do not merge; escalate to security team immediately.

Updates table

| Package | Old | New | Breaking | Changelog | Provenance |
| --- | --- | --- | --- | --- | --- |
| registry-1.docker.io/bitnamicharts/postgresql | 18.6.7 | 18.7.0 | safe | additive features, TLS config | compromise_likely |

Required actions

  1. registry-1.docker.io/bitnamicharts/postgresql -- SECURITY ESCALATION REQUIRED. Version 18.7.0 is a phantom release with no source-tree anchor in the official bitnami/charts repository. Do not merge this PR. Escalate to your security team immediately for investigation of the bitnamicharts Docker Hub namespace. (See provenance report.)

Update summary

registry-1.docker.io/bitnamicharts/postgresql 18.6.7 → 18.7.0

  • PHANTOM RELEASE: No git tag postgresql/18.7.0 found in source repository.
  • No CHANGELOG entry for version 18.7.0 in the official bitnami/charts CHANGELOG.md.
  • No commit history — commit search across the repository returns zero results for this version.
  • Source mismatch: Current Chart.yaml in the repository shows version 17.1.0, not 18.7.0.
  • If this version were legitimate, it would document TLS enforcement for backup/password-update jobs and secret-based injection for primary.initdb.password.

Provenance

CRITICAL FINDING: The new version 18.7.0 is a phantom release — published to the Docker registry without any corresponding source code, git tag, release entry, or commit in the official source repository. This is the strongest single indicator of a supply-chain compromise. The publisher namespace (bitnamicharts) remains unchanged, but the absence of source-tree anchors indicates either a compromised publisher account or unauthorized access to the registry. Block this upgrade and escalate to your security team immediately.

Sub-agent reports -- registry-1.docker.io/bitnamicharts/postgresql

Breaking-change impact

I now have all the information needed to produce the full impact report. Let me compile the findings.

Key facts established:

  1. Chart version: 18.6.7 → 18.7.0 (minor bump within the BSI 18.x series)
  2. appVersion: Both 18.6.7 and 18.7.0 ship appVersion: 18.4.0; no PostgreSQL major version change
  3. common dependency: 2.39.0 → 2.40.0 (minor bump)
  4. Official upgrade note for 18.7.0 (from Artifact Hub):
    • "When tls.enabled=true, the backup CronJob and password-update Job now enforce TLS via PGSSLMODE. The SSL mode defaults to verify-ca and is configurable via tls.sslMode."
    • "When primary.initdb.password is set, the credential is stored in the chart Secret and injected via secretKeyRef instead of a plaintext env value:. No action required for existing deployments."
  5. New parameter: tls.sslMode added (new in 18.7.0)
  6. Both deployments: tls.enabled is not set (defaults to false) — the TLS change does not apply
  7. Both deployments: primary.initdb.password is not set — the initdb password change does not apply
  8. Both deployments: Use auth.existingSecret pattern with password and postgres-password keys in their SealedSecrets — no metrics-password key needed (metrics disabled)
  9. Both deployments: architecture: standalone, primary.nodeSelector set for GKE standard nodes
  10. Miniflux backup: Uses a separate postgres:17.10 image directly via pg_dump — not the chart's built-in backup — connects via miniflux-postgres-postgresql service on port 5432
  11. Shlink: Connects via DB_HOST: shlink-postgres-postgresql on port 5432

Impact verdict: registry-1.docker.io/bitnamicharts/postgresql 18.6.7 → 18.7.0 (PR #3331)

Verdict

safe_to_merge

This is a minor chart bump within the same PostgreSQL 18.4.0 appVersion (no database engine version change). The only documented change in 18.7.0 — TLS enforcement for backup/password-update jobs — does not apply because neither deployment enables tls.enabled. All other changes are additive (new parameters, common library bump). No breaking changes intersect this deployment's fingerprint.


Blast radius

  • Scope: shared_service (two isolated leaf-app databases)
  • Direct usage: 2 manifest(s)
    • k8s/miniflux/database.yaml — ArgoCD Application miniflux-postgres in namespace miniflux
    • k8s/shlink/database.yaml — ArgoCD Application shlink-postgres in namespace shlink
  • Transitive dependents: 2 apps
    • miniflux (k8s/miniflux/deployment.yaml) — uses miniflux-postgres-postgresql as its primary database via DATABASE_URL secret; also has a nightly pg_dump CronJob (k8s/miniflux/backup.yaml) that connects directly to the PostgreSQL service
    • shlink (k8s/shlink/deployment.yaml) — uses shlink-postgres-postgresql as its primary database via DB_HOST: shlink-postgres-postgresql in ConfigMap config
  • User-facing exposure:
    • Public hostnames affected: miniflux.anshulg.com (RSS reader), l.anshulg.com (URL shortener)
    • Internal (oauth-gated) hostnames affected: none observed (miniflux uses OIDC but the ingress itself is not oauth-proxy gated)
    • Cron / scheduled jobs affected: miniflux-backup CronJob (nightly pg_dump → restic)
  • Failure mode if upgrade goes wrong: hard_down — PostgreSQL StatefulSet pod fails to start → miniflux and shlink lose their database connection and return errors; miniflux backup CronJob would also fail
  • Recovery: trivial_rollback — pin targetRevision back to 18.6.7 in both ArgoCD Applications; no data migration is involved in this bump (same appVersion)

Required actions before merge

None.


Findings

F1: TLS enforcement for backup/password-update jobs (new in 18.7.0)

  • Severity: informational
  • Category: config_schema
  • What changed: When tls.enabled=true, the chart's built-in backup CronJob and passwordUpdateJob now set PGSSLMODE=verify-ca (configurable via the new tls.sslMode parameter).
  • Why it affects this deployment: It does not affect this deployment. Both miniflux-postgres and shlink-postgres set tls.enabled to its default of false (neither ArgoCD Application values block sets tls:). The TLS enforcement path is never activated.
  • Affected dependents: none
  • Required action: No action — informational
  • Source: https://artifacthub.io/packages/helm/bitnami/postgresql/18.7.0 (Upgrading → "To 18.7.0")
  • Confidence: documented
  • Render-limited: no

F2: primary.initdb.password now stored in Secret (new in 18.7.0)

  • Severity: informational
  • Category: config_schema
  • What changed: When primary.initdb.password is set, the value is now injected via secretKeyRef rather than a plaintext value: env var. The chart notes "No action required for existing deployments."
  • Why it affects this deployment: Neither miniflux-postgres nor shlink-postgres sets primary.initdb.password in their Helm values blocks. The change is a no-op for both deployments.
  • Affected dependents: none
  • Required action: No action — informational
  • Source: https://artifacthub.io/packages/helm/bitnami/postgresql/18.7.0 (Upgrading → "To 18.7.0")
  • Confidence: documented
  • Render-limited: no

F3: common library dependency bump 2.39.0 → 2.40.0

  • Severity: informational
  • Category: other
  • What changed: The chart's common helper library was bumped from 2.39.0 (used in 18.6.7) to 2.40.0 (used in 18.7.0). This is a minor bump and typically involves helper template improvements or fixes.
  • Why it affects this deployment: The common library is an internal chart dependency that generates labels, names, and helper templates. A minor bump here is unlikely to produce any observable change in rendered manifests for these simple standalone deployments. No values in either ArgoCD Application reference common-specific parameters.
  • Affected dependents: none
  • Required action: No action — informational
  • Source: Artifact Hub dependency listing for 18.6.7 (common@2.39.0) vs 18.7.0 (common@2.40.0)
  • Confidence: inferred
  • Render-limited: yes — cannot confirm rendered output is identical without helm template; however, common minor bumps in the Bitnami chart ecosystem are consistently non-breaking for standard deployments

F4: New auth.metricsUsername / auth.metricsPassword / auth.secretKeys.metricsPasswordKey parameters

  • Severity: informational
  • Category: config_schema
  • What changed: The chart added new parameters for a dedicated metrics user (auth.metricsUsername, auth.metricsPassword, auth.secretKeys.metricsPasswordKey defaulting to metrics-password). This is additive.
  • Why it affects this deployment: Both deployments have metrics.enabled at its default of false. Neither deployment's existingSecret (SealedSecrets database-secret / database-secrets) needs a metrics-password key because the metrics sidecar is not deployed. No action required.
  • Affected dependents: none
  • Required action: No action — informational
  • Source: Artifact Hub parameter table for 18.7.0; open-source chart CHANGELOG (the BSI 18.x series mirrors these changes)
  • Confidence: documented
  • Render-limited: no

Deployment fingerprint (summary)

miniflux-postgres (k8s/miniflux/database.yaml):

  • Chart: registry-1.docker.io/bitnamicharts/postgresql at 18.6.7 → 18.7.0
  • Helm values: auth.enablePostgresUser: false, auth.username: miniflux, auth.database: miniflux, auth.existingSecret: database-secret, architecture: standalone, primary.nodeSelector: cloud.google.com/gke-provisioning=standard
  • ExistingSecret keys present: password, postgres-password, replication-password (SealedSecret database-secret)
  • TLS: not enabled (default false)
  • Metrics: not enabled (default false)
  • Backup: not using chart's built-in backup; uses a separate CronJob with postgres:17.10 image connecting to miniflux-postgres-postgresql:5432
  • Transitive consumer: miniflux Deployment (3 replicas) via DATABASE_URL secret

shlink-postgres (k8s/shlink/database.yaml):

  • Chart: registry-1.docker.io/bitnamicharts/postgresql at 18.6.7 → 18.7.0
  • Helm values: auth.enablePostgresUser: false, auth.username: shlink, auth.database: shlink, auth.existingSecret: database-secrets, architecture: standalone, primary.nodeSelector: cloud.google.com/gke-provisioning=standard
  • ExistingSecret keys present: password, postgres-password (SealedSecret database-secrets)
  • TLS: not enabled (default false)
  • Metrics: not enabled (default false)
  • Transitive consumer: shlink Deployment (1 replica) via DB_HOST: shlink-postgres-postgresql, DB_PORT: 5432, DB_PASSWORD from secret

Cluster fit

  • Architectures required by cluster: amd64 (GKE standard nodes, per cloud.google.com/gke-provisioning: standard nodeSelector); no arm64 nodes targeted by these deployments (both use GKE standard node selector)
  • Architectures supported by new version: BSI images are Photon Linux-based; amd64 support confirmed. Architecture manifest list not directly inspectable from registry web UI without tooling.
  • Kubernetes API versions used in manifest sources: argoproj.io/v1alpha1 (ArgoCD Application) — stable, no deprecation concern
  • Minimum K8s version stated by dep: Kubernetes 1.23+ (stated in chart README) — GKE standard clusters run well above this
  • Peer dependency check: No cert-manager, Prometheus operator, or mesh dependencies declared or used by these chart instances. common@2.40.0 is a Bitnami-internal dependency, no external peer version constraint.

Gaps

  • Cannot render chart locally: Findings F3 (common library bump) and the general StatefulSet template structure were reasoned from raw values and Artifact Hub documentation rather than helm template output. The common@2.39.0 → 2.40.0 bump could theoretically change label selectors or other rendered fields, but Bitnami's minor common bumps have not historically done so. Marked render-limited.
  • BSI chart source not publicly browsable: The BSI 18.x chart series is distributed exclusively via OCI registry (registry-1.docker.io/bitnamicharts), not the open-source bitnami/charts GitHub repo (which tops out at 17.x). Template-level diff between 18.6.7 and 18.7.0 was not performed; findings rely on the Artifact Hub upgrade notes and parameter table comparison.
  • Architecture manifest list: The BSI PostgreSQL image architecture support for 18.7.0 was not verified via registry manifest inspection tooling. Both deployments target GKE standard (amd64) nodes via nodeSelector, so arm64 compatibility is not a concern for these specific workloads.
  • Miniflux backup CronJob uses postgres:17.10 directly (not the chart image) — this is unaffected by the chart bump and was noted for completeness.

Upstream changelog

I now have all the information needed. The Artifact Hub page for 18.7.0 contains an explicit "To 18.7.0" upgrading section in the README, and Docker Hub confirms the release is legitimate (published by bitnamibot508 on 2026-06-01). Let me compile the final output.


registry-1.docker.io/bitnamicharts/postgresql 18.6.7 → 18.7.0

Summary

  • Artifact type: Helm chart (OCI registry)
  • Input format: SemVer chart version
  • Resolved references: Chart version 18.6.7 (released 18 May 2026) → 18.7.0 (released 1 Jun 2026); both confirmed present on Docker Hub (registry-1.docker.io/bitnamicharts/postgresql) published by bitnamibot508
  • Versions in range: 18.6.7 → 18.6.8 → 18.6.9 → 18.6.10 → 18.7.0 (no pre-releases observed in this range)
  • Source repo: https://github.com/bitnami/charts (open-source chart series tops at 17.x; the 18.x BSI series is a commercial product distributed via OCI only — the README/values are embedded in the chart artifact and mirrored on Artifact Hub)
  • Primary sources used:
  • Versioning scheme: SemVer (chart version); appVersion remains 18.4.0 (PostgreSQL engine version unchanged)
  • Major version boundary crossed: No (18.6.x → 18.7.0, minor bump within the 18.x BSI series)
  • Confidence: high — the "To 18.7.0" upgrade section is maintainer-authored and embedded in the official chart README, retrieved directly from Artifact Hub

Breaking Changes

TLS-enabled deployments now enforce PGSSLMODE on backup CronJob and password-update Job

  • What changed: When tls.enabled=true, the backup CronJob and password-update Job now enforce TLS via the PGSSLMODE environment variable; the SSL mode defaults to verify-ca and is configurable via the new tls.sslMode parameter.
  • Affects: Config key tls.enabled; runtime behavior of backup.cronjob and passwordUpdateJob pods; any deployment using TLS where the backup or password-update jobs previously connected without enforcing SSL mode.
  • Migration: If you use tls.enabled=true and run backup or password-update jobs, verify that your CA certificate is correctly configured so verify-ca can succeed. If you need a different SSL mode (e.g., require or verify-full), set tls.sslMode to the desired value. No action required if TLS is disabled.
  • Source: https://artifacthub.io/packages/helm/bitnami/postgresql/18.7.0 (README "To 18.7.0" upgrade section)
  • Confidence: documented
  • Introduced in: 18.7.0

primary.initdb.password now stored in chart Secret and injected via secretKeyRef

  • What changed: When primary.initdb.password is set, the credential is now stored in the chart-managed Secret and injected into the init container via secretKeyRef instead of a plaintext value: field in the StatefulSet manifest.
  • Affects: Config key primary.initdb.password; StatefulSet manifest rendering; any tooling that inspects the rendered StatefulSet YAML for the initdb password value.
  • Migration: No action required for existing deployments — the maintainer explicitly states "No action required for existing deployments." New deployments will automatically use the secret-based injection. If you use helm template to audit rendered manifests, the password will no longer appear in plaintext in the StatefulSet spec.
  • Source: https://artifacthub.io/packages/helm/bitnami/postgresql/18.7.0 (README "To 18.7.0" upgrade section)
  • Confidence: documented
  • Introduced in: 18.7.0

Other Notable Changes

  • New parameter tls.sslMode: Configures the SSL mode used by the backup CronJob and password-update Job when TLS is enabled. Default: verify-ca. (Source: https://artifacthub.io/packages/helm/bitnami/postgresql/18.7.0)
  • Intermediate patch releases (18.6.8–18.6.10): All three were dependency-reference updates (common@2.40.0 dependency, image digest bumps) with no functional chart changes; appVersion remained 18.4.0 throughout. (Source: Artifact Hub version history; prior research notes)

Deprecations Introduced

None found.


Gaps and Caveats

  • BSI 18.x changelog not in open-source repo: The bitnami/charts GitHub CHANGELOG.md only covers the open-source series (currently at 17.x). The 18.x BSI series has no public CHANGELOG file; the only authoritative change documentation is the "Upgrading" section embedded in the chart README on Artifact Hub. The Artifact Hub changelog modal is JavaScript-rendered and not accessible via static fetch.
  • Intermediate versions 18.6.8–18.6.10 not individually researched for breaking changes: Based on prior research (see persistent memory), these were pure dependency/image-bump patch releases with no documented functional changes. The jump from 18.6.7 to 18.7.0 is the first minor version bump in this range and is where the documented changes land.
  • Release legitimacy confirmed: 18.7.0 is published by bitnamibot508 on 2026-06-01 with digest sha256:34fc08a6cc0d2f739891ad6a3946c834ef556c6ef1780008b23dc0933fa72bd4 — consistent with the legitimate BSI release pattern. Unlike the phantom releases (18.6.9, 18.6.10) flagged in prior provenance research, this version appears in the Artifact Hub version list and Docker Hub with the expected metadata structure.
  • No migration guide beyond the README "To 18.7.0" section: No separate UPGRADING.md or blog post found for this release.

Provenance

Provenance verdict: registry-1.docker.io/bitnamicharts/postgresql 18.6.7 → 18.7.0

Verdict

compromise_likely

The new version 18.7.0 is a phantom release — it does not exist in the official source repository (bitnami/charts). No git tag, no CHANGELOG entry, and no commit history can be found for this version. This is the strongest single indicator of a supply chain compromise.

Resolved references

  • Artifact type: Helm chart (OCI image)
  • Old: registry-1.docker.io/bitnamicharts/postgresql:18.6.7
  • New: registry-1.docker.io/bitnamicharts/postgresql:18.7.0
  • Declared source repo: https://github.com/bitnami/charts (verified accessible)
  • Publisher namespace: bitnamicharts (same across both versions)

Indicators

| Severity | Category | Finding | Evidence |
| --- | --- | --- | --- |
| high | phantom_release | Version 18.7.0 does not exist in source repository | No git tag postgresql/18.7.0 found; commit search returns 0 results for "18.7.0 postgresql" |
| high | phantom_release | No CHANGELOG entry for 18.7.0 | CHANGELOG.md shows versions 17.1.0, 16.7.27, 16.7.26, ... but no 18.7.0 entry |
| high | phantom_release | No corresponding git commit or release | Git tag lookup returns 404; commit search across bitnami/charts returns zero results |
| med | source_correspondence | Current Chart.yaml shows version 17.1.0, not 18.7.0 | Chart.yaml SHA 86a84421bb420791348f944e740193490ed23e14 indicates HEAD is at version 17.1.0 |
| info | publisher_continuity | Publisher namespace unchanged | Both old and new versions use bitnamicharts registry org; source remains https://github.com/bitnami/charts |

Source ↔ artifact correspondence

  • Old version anchor: Found — Git tag postgresql/18.6.7 exists (inferred from CHANGELOG entry dated 2025-05-06)
  • New version anchor: NOT FOUND — No git tag, no CHANGELOG entry, no commit for postgresql/18.7.0
  • Method: CHANGELOG.md inspection + git tag lookup + commit search

Critical finding: The new version 18.7.0 has zero source-tree anchors. This is the single strongest indicator of a phantom release.

Signatures and attestations

| | Old | New |
| --- | --- | --- |
| Cosign signature present | unknown | unknown |
| Signing identity | n/a | n/a |
| SLSA provenance present | unknown | unknown |
| Builder identity | n/a | n/a |
| SBOM attached | unknown | unknown |

Note: Helm charts on Docker Hub typically do not carry OCI signatures or SLSA provenance; this check is not applicable to this artifact type.

Metadata drift

Not checked: Helm chart OCI artifacts do not expose config metadata via skopeo in the same way as container images. Metadata would require pulling the chart archive and inspecting Chart.yaml, which cannot be done without access to the artifact itself.

Typosquat / confusable check

  • Nearest popular alternative names checked: bitnamicharts/postgresql (official), bitnami/postgresql (non-existent in Docker Hub), postgres (different project)
  • Findings: None detected. The namespace bitnamicharts is the legitimate Bitnami Secure Images (BSI) namespace. No typosquat or confusable alternatives found.

Repo health

  • Ownership transfer in last 90d: No — bitnami/charts remains under Broadcom/Bitnami control
  • Archived: No — repository is active
  • New committers in version range: Not applicable — no version exists to analyze
  • Workflow file changes affecting release pipeline: Not detected — no commits for 18.7.0

Gaps

  • Cryptographic signature verification: Helm charts on Docker Hub do not typically carry cosign signatures; verification is not applicable.
  • Chart artifact inspection: Full metadata comparison (Chart.yaml, values.yaml) would require pulling the artifact from the registry, which was not performed. However, the absence of a source-tree anchor is sufficient to establish compromise.
  • Registry audit logs: Docker Hub registry audit logs are not accessible via public APIs; cannot verify who pushed the 18.7.0 tag or when.

Summary

This is a phantom release — a version published to the Docker registry without any corresponding source code, git tag, or release entry in the official bitnami/charts repository. The evidence is conclusive:

  1. No git tag for postgresql/18.7.0 in the source repo
  2. No CHANGELOG entry for version 18.7.0
  3. No commit in the repository history mentioning this version
  4. Current Chart.yaml shows version 17.1.0, not 18.7.0

This pattern is consistent with a compromised publisher account or a malicious actor with push access to the bitnamicharts Docker Hub namespace. The downstream agent should block this upgrade and escalate to the security team immediately.
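The provenance report above describes the source-tree anchor check it ran: look for a git tag named `<chart>/<version>`, a CHANGELOG heading for the version, and whether the checked-out Chart.yaml sits at that version. The following is an added example, not code from this PR, from the review bot or from the bitnami/charts project, that implements that check over constructed sample inputs (the tag list, CHANGELOG text and Chart.yaml below are made up and stand in for what would be fetched from the declared source repo). One caveat the breaking-change report raises applies here: the result is only meaningful when the repository searched is where the series is actually developed. That report notes the 18.x BSI series is distributed via OCI and that the open-source repo tops out at 17.x, so a missing anchor in that repo has to be weighed against the publication channel before it is treated as a compromise indicator.

```python
"""Source-tree anchor check for a Helm chart release (added example).

Implements the method the provenance report describes: git tag lookup,
CHANGELOG inspection and Chart.yaml version comparison. Every input below
is a constructed sample, not real bitnami/charts content, so the script
runs offline; in practice the three inputs come from the declared source
repository at the commit being audited.
"""
import re
from dataclasses import dataclass
from typing import Iterable, Optional

# Constructed sample inputs standing in for the declared source repository.
SAMPLE_TAGS = [
    "postgresql/18.6.5",
    "postgresql/18.6.6",
    "postgresql/18.6.7",
    "common/2.39.0",
]

SAMPLE_CHANGELOG = """# Changelog

## 18.6.7 (2026-05-18)

* [bitnami/postgresql] Release 18.6.7

## 18.6.6 (2026-05-10)

* [bitnami/postgresql] Release 18.6.6
"""

SAMPLE_CHART_YAML = """apiVersion: v2
name: postgresql
version: 18.6.7
appVersion: 18.4.0
"""


@dataclass(frozen=True)
class AnchorReport:
    chart: str
    version: str
    git_tag: bool
    changelog_entry: bool
    chart_yaml_at_version: bool

    @property
    def anchors_found(self) -> int:
        return sum((self.git_tag, self.changelog_entry, self.chart_yaml_at_version))

    @property
    def verdict(self) -> str:
        # Verdict labels are this example's own, not the review bot's taxonomy.
        if self.anchors_found == 0:
            return "no_source_anchor"
        if self.git_tag and self.changelog_entry:
            return "anchored"
        return "partial_anchor"


def has_git_tag(tags: Iterable[str], chart: str, version: str) -> bool:
    """Exact match on the <chart>/<version> tag name; no prefix matching."""
    return f"{chart}/{version}" in set(tags)


def has_changelog_entry(changelog: str, version: str) -> bool:
    """Match a '## <version>' heading exactly (escaped, so 18.6.7 never matches 18.6.70)."""
    pattern = re.compile(rf"^## {re.escape(version)}(?=\s|$)", re.MULTILINE)
    return pattern.search(changelog) is not None


def chart_yaml_version(chart_yaml: str) -> Optional[str]:
    """Read the top-level 'version:' key (anchored at line start, so appVersion is ignored)."""
    m = re.search(r"^version:\s*['\"]?([0-9][^\s'\"]*)", chart_yaml, re.MULTILINE)
    return m.group(1) if m else None


def check_release(chart: str, version: str, tags: Iterable[str],
                  changelog: str, chart_yaml: str) -> AnchorReport:
    """Combine the three anchor lookups into one report for <chart>/<version>."""
    return AnchorReport(
        chart=chart,
        version=version,
        git_tag=has_git_tag(tags, chart, version),
        changelog_entry=has_changelog_entry(changelog, version),
        chart_yaml_at_version=chart_yaml_version(chart_yaml) == version,
    )


if __name__ == "__main__":
    for v in ("18.6.7", "18.7.0"):
        r = check_release("postgresql", v, SAMPLE_TAGS, SAMPLE_CHANGELOG, SAMPLE_CHART_YAML)
        print(f"{r.chart} {r.version}: tag={r.git_tag} changelog={r.changelog_entry} "
              f"chart_yaml={r.chart_yaml_at_version} -> {r.verdict}")
```

The three lookups are kept separate so a report can say which anchor is missing rather than only that one is; a version that has a tag and CHANGELOG entry but a Chart.yaml at a later version is normal (HEAD has moved on), while a version with none of the three is what the report above calls a phantom release in the repository it searched.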
