
fix: remove pgvector postStart lifecycle hook that leaked password in logs#1308

Merged
jgarciao merged 3 commits into opendatahub-io:main from Ygnas:remove-pgvector-lifecycle-hook
Mar 26, 2026

Conversation

@Ygnas (Contributor) commented Mar 26, 2026

The pgvector image now auto-enables the vector extension, making the postStart hook unnecessary. This also eliminates the plaintext PGPASSWORD leak in test logs.

INFO     2026-03-26 11:42:05,970 llama_stack.providers.remote.vector_io.pgvector.pgvector:64 vector_io::pgvector: Vector extension not found, creating...
INFO     2026-03-26 11:42:06,015 llama_stack.providers.remote.vector_io.pgvector.pgvector:66 vector_io::pgvector: Vector extension created successfully

Pull Request

Summary

Related Issues

  • Fixes:
  • JIRA:

Please review and indicate how it has been tested

  • Locally
  • Jenkins

Additional Requirements

  • If this PR introduces a new test image, did you create a PR to mirror it in disconnected environment?
  • If this PR introduces new marker(s)/adds a new component, was relevant ticket created to update relevant Jenkins job?

Summary by CodeRabbit

  • Chores
    • Removed automatic extension initialization from the pgvector container startup. The container now launches with its standard image, ports, environment variables, and mounts but no longer runs post-start setup commands to create extensions automatically.

@github-actions
The following are automatically added/executed:

  • PR size label.
  • Run pre-commit
  • Run tox
  • Add PR author as the PR assignee
  • Build image based on the PR

Available user actions:

  • To mark a PR as WIP, add /wip in a comment. To remove it, comment /wip cancel on the PR.
  • To block merging of a PR, add /hold in a comment. To unblock merging, comment /hold cancel.
  • To mark a PR as approved, add /lgtm in a comment. To remove it, add /lgtm cancel.
    The lgtm label is removed on each new commit push.
  • To mark a PR as verified, comment /verified on the PR; to un-verify it, comment /verified cancel.
    The verified label is removed on each new commit push.
  • To cherry-pick a merged PR, comment /cherry-pick <target_branch_name> on the PR. If <target_branch_name> is valid
    and the current PR is merged, a cherry-picked PR will be created and linked to the current PR.
  • To build and push an image to quay, add /build-push-pr-image in a comment. This creates an image tagged
    pr-<pr_number> in the quay repository; that tag is deleted when the PR is merged or closed.
Supported labels

{'/cherry-pick', '/verified', '/lgtm', '/hold', '/wip', '/build-push-pr-image'}

@jgarciao jgarciao requested a review from a team as a code owner March 26, 2026 11:46
@coderabbitai bot (Contributor) commented Mar 26, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited), Organization UI (inherited)

Review profile: CHILL

Plan: Pro

Run ID: c89cf8f4-10d7-4dfe-8193-510f560b0749

📥 Commits

Reviewing files that changed from the base of the PR and between 6510dd2 and 8047833.

📒 Files selected for processing (1)
  • tests/fixtures/vector_io.py
💤 Files with no reviewable changes (1)
  • tests/fixtures/vector_io.py

📝 Walkthrough

Removed the lifecycle.postStart.exec.command hook from the pgvector container in get_pgvector_deployment_template(); the deployment template no longer runs psql at container post-start to create the vector extension.

Changes

  • Test Fixtures (tests/fixtures/vector_io.py): Deleted the 15-line lifecycle.postStart.exec.command from the pgvector container spec that executed psql to create the vector extension using PGVECTOR_USER/PGVECTOR_PASSWORD during container startup.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Actionable Issues

  • Functional verification required: Ensure the vector extension is created by another reliable mechanism (image, init container, migration, or provisioning script). Failure to create the extension will cause runtime errors.
  • Credential handling: Confirm PGVECTOR_USER and PGVECTOR_PASSWORD are removed from configs if no longer used, to avoid unnecessary credential exposure (see CWE-200: Information Exposure).
🚥 Pre-merge checks: ✅ 1 passed | ❌ 1 inconclusive

❌ Failed checks (1 inconclusive)

  • Description check: ❓ Inconclusive. The description provides context for the change but leaves required template sections incomplete: the Summary section is missing a detailed explanation, and the Related Issues/testing checkboxes remain unchecked with placeholder text. Resolution: fill in the Summary section with the rationale already provided in the introduction, mark the testing checkboxes (Locally/Jenkins), and specify any related issues or JIRA tickets.

✅ Passed checks (1 passed)

  • Title check: ✅ Passed. The title accurately describes the main change: removing a pgvector postStart lifecycle hook that caused a security issue (plaintext password leak in logs).

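The thread above describes the removed hook only in outline: a postStart exec command that ran psql with PGVECTOR_USER/PGVECTOR_PASSWORD, and a password that showed up in plaintext in test logs. The following is an added example, not code from this PR, from llama-stack, or from the opendatahub-io test fixtures. It assumes (hypothetically) that the offending hook had the password value rendered straight into its command string, so that anything logging the container spec printed it; the container specs, image tag, env values and helper names (`find_inlined_credentials`, `literal_secret_envs`) are all constructed for illustration. It flags literal secret values inside command/args/lifecycle strings and secret-looking env entries given as literals instead of a secretKeyRef, and shows that a hook which expands `$PGVECTOR_PASSWORD` inside the container is not flagged, since the literal never enters the spec.

```python
"""Scan a Kubernetes container spec for credentials inlined into command
strings or given as literal env values.

Added example for this PR thread; not code from the PR, from llama-stack or
from the opendatahub-io fixtures. Assumption: the removed postStart hook had
the PGVECTOR_PASSWORD value rendered straight into its psql command line, so
any log of the container spec or hook command printed the password in clear.
"""
import re
from typing import Any, Iterator

# Heuristic for env var names that hold secrets (assumption, not a project rule).
SECRET_NAME_RE = re.compile(r"PASSWORD|PASSWD|SECRET|TOKEN|API_KEY", re.IGNORECASE)
# PGPASSWORD=<literal>; an assignment from a shell variable ($VAR or "$VAR") is skipped.
INLINE_PGPASSWORD_RE = re.compile(r"\bPGPASSWORD=(?![\"']?\$)\S+")

# Constructed "before" spec: the password is rendered into the postStart command.
LEAKY_PGVECTOR_CONTAINER: dict[str, Any] = {
    "name": "pgvector",
    "image": "pgvector/pgvector:pg16",  # image tag assumed for illustration
    "env": [
        {"name": "PGVECTOR_USER", "value": "pgvector"},
        {"name": "PGVECTOR_PASSWORD", "value": "s3cr3t-example"},  # constructed value
    ],
    "lifecycle": {"postStart": {"exec": {"command": [
        "sh", "-c",
        "PGPASSWORD=s3cr3t-example psql -U pgvector -d postgres "
        "-c 'CREATE EXTENSION IF NOT EXISTS vector'",
    ]}}},
}

# Constructed "after" spec: no hook at all, password sourced from a Secret.
FIXED_PGVECTOR_CONTAINER: dict[str, Any] = {
    "name": "pgvector",
    "image": "pgvector/pgvector:pg16",
    "env": [
        {"name": "PGVECTOR_USER", "value": "pgvector"},
        {"name": "PGVECTOR_PASSWORD",
         "valueFrom": {"secretKeyRef": {"name": "pgvector-creds", "key": "password"}}},
    ],
}

# Constructed variant that keeps a hook but expands the variable inside the
# container; the literal never appears in the spec, so nothing is flagged.
ENV_EXPANSION_CONTAINER: dict[str, Any] = {
    **FIXED_PGVECTOR_CONTAINER,
    "lifecycle": {"postStart": {"exec": {"command": [
        "sh", "-c",
        'PGPASSWORD="$PGVECTOR_PASSWORD" psql -U "$PGVECTOR_USER" -d postgres '
        "-c 'CREATE EXTENSION IF NOT EXISTS vector'",
    ]}}},
}


def literal_secret_envs(container: dict[str, Any]) -> dict[str, str]:
    """Return {name: value} for secret-looking env entries that carry a literal
    `value` rather than a `valueFrom` reference."""
    return {
        e["name"]: e["value"]
        for e in container.get("env", [])
        if SECRET_NAME_RE.search(e["name"]) and "value" in e
    }


def _strings(node: Any, path: str = "") -> Iterator[tuple[str, str]]:
    """Yield (path, string) for every string nested anywhere under `node`."""
    if isinstance(node, str):
        yield path, node
    elif isinstance(node, dict):
        for key, value in node.items():
            yield from _strings(value, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from _strings(value, f"{path}[{index}]")


def find_inlined_credentials(container: dict[str, Any]) -> list[dict[str, str]]:
    """Flag command/args/lifecycle strings that embed a literal secret value
    or an inline PGPASSWORD=<literal> assignment."""
    secrets = literal_secret_envs(container)
    scanned = {k: container[k] for k in ("command", "args", "lifecycle") if k in container}
    findings: list[dict[str, str]] = []
    for path, text in _strings(scanned):
        for name, value in secrets.items():
            if value and value in text:
                findings.append({"path": path, "env": name,
                                 "reason": "literal secret value in command"})
        if INLINE_PGPASSWORD_RE.search(text):
            findings.append({"path": path, "env": "PGPASSWORD",
                             "reason": "inline PGPASSWORD assignment"})
    return findings


if __name__ == "__main__":
    for label, spec in [("leaky", LEAKY_PGVECTOR_CONTAINER),
                        ("fixed", FIXED_PGVECTOR_CONTAINER),
                        ("env-expansion", ENV_EXPANSION_CONTAINER)]:
        print(label, literal_secret_envs(spec), find_inlined_credentials(spec))
```

The leaky spec yields two findings on the same command string (the literal secret value and the inline PGPASSWORD assignment), plus a literal PGVECTOR_PASSWORD env entry; the fixed spec yields nothing. The env-expansion variant is included only to make the point that it is the literal in the spec, not the hook as such, that leaks; the change merged here dropped the hook entirely because the image already enables the extension.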

@Bobbins228 (Contributor) left a comment

/lgtm nice catch thanks Ignas

jgarciao previously approved these changes Mar 26, 2026
… logs

The pgvector image now auto-enables the vector extension, making the
postStart hook unnecessary. This also eliminates the plaintext
PGPASSWORD leak in test logs.

Signed-off-by: Ignas Baranauskas <ibaranau@redhat.com>
@ChristianZaccaria (Contributor) left a comment

/LGTM if the tests don't actually exercise vector similarity search. In that case, removing the lifecycle hook fixes the password leak with no functional impact. Worth double-checking that PGVector isn't used for vector search in our tests.

@ChristianZaccaria (Contributor) left a comment

/lgtm /approve

@jgarciao jgarciao merged commit ba6b7f3 into opendatahub-io:main Mar 26, 2026
13 of 16 checks passed
@github-actions

Status of building tag latest: success.
Status of pushing tag latest to image registry: success.

6 participants