From e71141b3849bce05d887aa42b883b75dcc402697 Mon Sep 17 00:00:00 2001
From: ValClarkson
Date: Fri, 22 May 2026 10:56:45 -0400
Subject: [PATCH 1/6] chore(image-collector): bump otel/opentelemetry-collector-contrib 0.147.0 -> 0.152.0

Pulls in the latest stable contrib release (May 12, 2026), refreshing the vendored Go dependency snapshot that the collector binary ships with. This is the canonical fix for the 10 transitive-dep CVEs that trivy currently reports against otelcol-contrib in our built images.

Risk: low. The operator's generated collector configs only reference stable, mainstream components (filelog, sqlquery, resource, transform, batch, groupbyattrs/compact, resourcedetection, debug). None have had breaking config schema changes between 0.147 and 0.152. The OTel metrics/logging kuttl suite (otel-logging-and-metrics) exercises the end-to-end pipeline and runs on every PR.

Co-authored-by: Cursor
---
 components/image-collector/Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/components/image-collector/Dockerfile b/components/image-collector/Dockerfile
index 1daf01c14..6d0eaaf27 100644
--- a/components/image-collector/Dockerfile
+++ b/components/image-collector/Dockerfile
@@ -4,7 +4,7 @@
 # Rather than build the binary, retrieve the already-built binary from
 # the OpenTelemetry image
-FROM otel/opentelemetry-collector-contrib:0.147.0 AS collector
+FROM otel/opentelemetry-collector-contrib:0.152.0 AS collector
 # Aggregate the collector licenses from binary
 # and from root of the PGO repo
From cf7345dae180ae885576dde1265936ba4f32416c Mon Sep 17 00:00:00 2001
From: ValClarkson
Date: Fri, 22 May 2026 10:57:27 -0400
Subject: [PATCH 2/6] chore(image-pgadmin): bump pgadmin4 9.13 -> 9.15

Refreshes the pgAdmin 4 version installed in the standalone pgAdmin container to the current upstream stable on PyPI (9.15, released 2026). Picks up two upstream minors (9.14 and 9.15) of bug fixes and Kerberos / auth improvements; no breaking changes to pgAdmin's configuration API or the system_config.py / config_local.py contract that the image relies on.

Co-authored-by: Cursor
---
 components/image-pgadmin/Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/components/image-pgadmin/Dockerfile b/components/image-pgadmin/Dockerfile
index 7662c809b..f5b830450 100644
--- a/components/image-pgadmin/Dockerfile
+++ b/components/image-pgadmin/Dockerfile
@@ -3,7 +3,7 @@
 # SPDX-License-Identifier: Apache-2.0
 ARG BASE_VERSION=ubi9
-ARG PGADMIN4_VERSION=9.13
+ARG PGADMIN4_VERSION=9.15
 ARG PYTHON_VERSION=3.11
 ARG PG_MAJOR=18
From 7c411877ae46034eb9d20561bb990ad12d774b24 Mon Sep 17 00:00:00 2001
From: ValClarkson
Date: Fri, 22 May 2026 11:01:58 -0400
Subject: [PATCH 3/6] chore(image-pgadmin): refresh base packages with microdnf update during build

Runs `microdnf update -y --nodocs` after registering the EPEL and PGDG repos but before installing the additional packages. This forces the build to pull current patch levels for everything already in the ubi9/ubi-minimal base image, closing the window between when Red Hat republishes the base image and when CVE-patched packages land in the RHEL/EPEL repos.

Co-authored-by: Cursor
---
 components/image-pgadmin/Dockerfile | 1 +
 1 file changed, 1 insertion(+)

diff --git a/components/image-pgadmin/Dockerfile b/components/image-pgadmin/Dockerfile
index f5b830450..c079ad08e 100644
--- a/components/image-pgadmin/Dockerfile
+++ b/components/image-pgadmin/Dockerfile
@@ -97,6 +97,7 @@ ARG BASE_VERSION
 RUN rpm -ivh "https://dl.fedoraproject.org/pub/epel/epel-release-latest-${BASE_VERSION##ubi}.noarch.rpm" \
 && rpm -ivh "https://download.postgresql.org/pub/repos/yum/reporpms/EL-${BASE_VERSION##ubi}-$(arch)/pgdg-redhat-repo-latest.noarch.rpm" \
+&& microdnf update -y --nodocs \
 && microdnf install -y --nodocs --setopt install_weak_deps=0 \
 --enablerepo='epel' \
 'krb5-libs' \
From 7354bc2b35a173e9e485ee2b3bd34d3d5c4c4c13 Mon Sep 17 00:00:00 2001
From: ValClarkson
Date: Fri, 22 May 2026 11:14:44 -0400
Subject: [PATCH 4/6] chore(image-postgres): bump patroni 4.0.6 -> 4.1.3

Pulls in upstream bug fixes and Kubernetes client updates from the Patroni 4.1.x line.
Release notes:
https://github.com/patroni/patroni/releases/tag/v4.1.0
https://github.com/patroni/patroni/releases/tag/v4.1.1
https://github.com/patroni/patroni/releases/tag/v4.1.2
https://github.com/patroni/patroni/releases/tag/v4.1.3

Co-authored-by: Cursor
---
 components/image-postgres/Dockerfile.postgres | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/components/image-postgres/Dockerfile.postgres b/components/image-postgres/Dockerfile.postgres
index fb8f59ec9..8d4e25b11 100644
--- a/components/image-postgres/Dockerfile.postgres
+++ b/components/image-postgres/Dockerfile.postgres
@@ -4,7 +4,7 @@
 FROM registry.access.redhat.com/ubi9/ubi-minimal
-ARG PATRONI_VERSION=4.0.6
+ARG PATRONI_VERSION=4.1.3
 ARG PGBACKREST_VERSION=2.58.0
 ARG POSTGRES_VERSION=18
From bfe31b26f058d5ee1f6cc289be2bcd824ac219a9 Mon Sep 17 00:00:00 2001
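Review bot: The added `&& microdnf update -y --nodocs \` only executes when this RUN layer misses the build cache, and nothing in the instruction text changes between builds, so a cached rebuild still ships whatever package set the layer had when it was last built; the commit's claim that this "forces the build to pull current patch levels" holds only for `--no-cache` builds. Either rebuild these images with `--no-cache` in CI, or add a cache-busting argument the pipeline sets per build, e.g. `ARG REFRESH_STAMP=unset` and `RUN echo "refresh=${REFRESH_STAMP}" \` as the first command of this chain, so the update step actually re-runs. Because the update now happens after both EPEL and PGDG are registered, any package already on the base image that those repos also carry can be swapped for the third-party build; if only Red Hat errata are intended, pass `--disablerepo` for those repos on the update call and leave `--enablerepo='epel'` on the install step as it is. This RUN chain continues past the end of the hunk.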
From: ValClarkson
Date: Fri, 22 May 2026 11:15:47 -0400
Subject: [PATCH 5/6] chore(images): refresh base packages with microdnf update during build

Run 'microdnf update -y --nodocs' before installing additional packages in every component Dockerfile that derives from a UBI base, mirroring what we already do in image-pgadmin. This guarantees the resulting image picks up RHEL Z-stream errata that landed after ubi-minimal was last republished, instead of inheriting whatever vulnerable versions happened to be baked into the parent layer.
Files updated:
* components/image-collector/Dockerfile
* components/image-pgbackrest/Dockerfile
* components/image-pgbouncer/Dockerfile
* components/image-postgres/Dockerfile.postgres
* components/image-postgres/Dockerfile.postgres-upgrade
* components/image-postgres/Dockerfile.postgis
This matches the equivalent change already present in the internal Crunchy build of these images.

Co-authored-by: Cursor
---
 components/image-collector/Dockerfile | 3 ++-
 components/image-pgbackrest/Dockerfile | 1 +
 components/image-pgbouncer/Dockerfile | 1 +
 components/image-postgres/Dockerfile.postgis | 4 ++++
 components/image-postgres/Dockerfile.postgres | 5 +++++
 components/image-postgres/Dockerfile.postgres-upgrade | 4 ++++
 6 files changed, 17 insertions(+), 1 deletion(-)

diff --git a/components/image-collector/Dockerfile b/components/image-collector/Dockerfile
index 6d0eaaf27..6f4853f2f 100644
--- a/components/image-collector/Dockerfile
+++ b/components/image-collector/Dockerfile
@@ -34,6 +34,7 @@ FROM registry.access.redhat.com/ubi9/ubi-minimal
 COPY --from=build --chmod=0777 /otelcol-contrib /otelcol-contrib
 COPY --from=build /licenses /licenses
-RUN microdnf install -y 'logrotate' 'procps-ng'
+RUN microdnf update -y --nodocs \
+ && microdnf install -y 'logrotate' 'procps-ng'
 USER 2
diff --git a/components/image-pgbackrest/Dockerfile b/components/image-pgbackrest/Dockerfile
index f3a45f3de..302095f8a 100644
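Review bot: The new RUN in the final stage presumably leaves the repository metadata and package cache that `microdnf update` downloads inside the image layer, and unlike every other image in this series the install call here still lacks `--nodocs` and `--setopt install_weak_deps=0`; since `USER 2` follows immediately, nothing later trims any of it. Suggest `RUN microdnf update -y --nodocs \` / ` && microdnf install -y --nodocs --setopt install_weak_deps=0 'logrotate' 'procps-ng' \` / ` && microdnf clean all`. Separately, the context line above copies the collector binary with `--chmod=0777`, so the process that runs as `USER 2` executes a world-writable file; `--chmod=0755` is enough for it to run and removes a trivial tampering path for anything else that ends up in the container.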
--- a/components/image-pgbackrest/Dockerfile
+++ b/components/image-pgbackrest/Dockerfile
@@ -38,6 +38,7 @@ RUN rpm -ivh \
 # Delete the repo file as it is large and unneeded.
 ARG PGBACKREST_VERSION
 RUN rpm -ivh "https://download.postgresql.org/pub/repos/yum/reporpms/EL-9-$(arch)/pgdg-redhat-repo-latest.noarch.rpm" \
+ && microdnf update -y --nodocs \
 && microdnf install -y --nodocs --setopt install_weak_deps=0 'shadow-utils' \
 && groupadd --gid 26 postgres \
 && useradd --gid 26 --uid 26 --no-log-init postgres \
diff --git a/components/image-pgbouncer/Dockerfile b/components/image-pgbouncer/Dockerfile
index 56b9ea220..cc8609e4d 100644
--- a/components/image-pgbouncer/Dockerfile
+++ b/components/image-pgbouncer/Dockerfile
@@ -8,6 +8,7 @@ ARG PGBOUNCER_VERSION=1.24.1
 # The c-ares package is in the rhel-9-for-$(arch)-baseos-rpms repo, so we must enable it
 RUN rpm -ivh "https://download.postgresql.org/pub/repos/yum/reporpms/EL-9-$(arch)/pgdg-redhat-repo-latest.noarch.rpm" \
+ && microdnf update -y --nodocs \
 && microdnf install -y --nodocs --setopt install_weak_deps=0 \
 --enablerepo="rhel-9-for-$(arch)-baseos-rpms" \
 "pgbouncer-${PGBOUNCER_VERSION}" \
diff --git a/components/image-postgres/Dockerfile.postgis b/components/image-postgres/Dockerfile.postgis
index 7ecceb188..d9bd7321f 100644
--- a/components/image-postgres/Dockerfile.postgis
+++ b/components/image-postgres/Dockerfile.postgis
@@ -26,6 +26,10 @@ rpm -ivh "https://download.postgresql.org/pub/repos/yum/reporpms/EL-9-$(arch)/pg
 # Disable module to avoid conflicts
 microdnf --assumeyes module disable postgresql || true
+# Refresh base packages so any CVE patches that landed in the upstream
+# repos after the parent crunchy-postgres image was built are picked up.
+microdnf update -y --nodocs
+
 microdnf install -y --nodocs --setopt install_weak_deps=0 \
 --enablerepo="codeready-builder-for-rhel-9-$(arch)-rpms" \
 perl \
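Review bot: `&& microdnf update -y --nodocs \` is chained after the PGDG repo file is installed, so the refresh resolves every package already on the base image against the PGDG repos as well as the UBI ones, and anything PGDG carries a newer build of replaces the Red Hat package. If the goal is only to apply Red Hat errata, run the update before the repo registration: `RUN microdnf update -y --nodocs \` followed by `&& rpm -ivh "https://download.postgresql.org/pub/repos/yum/reporpms/EL-9-$(arch)/pgdg-redhat-repo-latest.noarch.rpm" \`, which also leaves the pgbackrest install resolving exactly as before. Either way the package set is now build-time dependent, so record it (an `rpm -qa` manifest or an SBOM step) and pin the `FROM` by digest so that this deliberate refresh is the only unpinned input. The RUN chain continues beyond the hunk.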
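Review bot: With the PGDG repo registered a few lines above (see the hunk header), `microdnf update -y --nodocs` will also raise any `postgresql*` server packages inherited from the parent image to whatever minor PGDG currently serves, so the PostGIS image can end up on a different PostgreSQL minor than the crunchy-postgres image it was built from unless those packages are version-locked somewhere not visible in this hunk. If the parent's versions are meant to be authoritative, exclude or pin them for this step, or at least assert afterwards that `rpm -q postgresql*-server` still reports the parent's version so drift fails the build instead of shipping. The new comment would be more useful if it stated this trade-off, e.g. `# Note: this can also advance PGDG-provided packages beyond the parent image's versions.` The same consideration applies to the identical block added to Dockerfile.postgres-upgrade.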
diff --git a/components/image-postgres/Dockerfile.postgres b/components/image-postgres/Dockerfile.postgres
index 8d4e25b11..31d33431d 100644
--- a/components/image-postgres/Dockerfile.postgres
+++ b/components/image-postgres/Dockerfile.postgres
@@ -32,6 +32,11 @@ rpm -ivh "https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm
 # Disable the built-in PostgreSQL module to avoid conflicts with PGDG packages
 microdnf --assumeyes module disable postgresql || true
+# Refresh all base-image packages against the current RHEL/EPEL/PGDG repos so
+# the build picks up CVE patches that landed after ubi-minimal was last
+# republished.
+microdnf update -y --nodocs
+
 # Ensure complete timezone database is present (some minimal UBI layers
 # can have tzdata partially pruned); reinstall guarantees fresh /usr/share/zoneinfo
 microdnf reinstall -y --nodocs 'tzdata'
diff --git a/components/image-postgres/Dockerfile.postgres-upgrade b/components/image-postgres/Dockerfile.postgres-upgrade
index ed4542a73..1b0ee55ac 100644
--- a/components/image-postgres/Dockerfile.postgres-upgrade
+++ b/components/image-postgres/Dockerfile.postgres-upgrade
@@ -18,6 +18,10 @@ rpm -ivh "https://download.postgresql.org/pub/repos/yum/reporpms/EL-9-$(arch)/pg
 # Disable module to avoid conflicts
 microdnf --assumeyes module disable postgresql || true
+# Refresh base packages so any CVE patches that landed in the upstream
+# repos after the parent crunchy-postgres image was built are picked up.
+microdnf update -y --nodocs
+
 # Build package list for all target versions
 PKGS="$(for POSTGRES_VERSION in ${POSTGRES_UPGRADE_VERSIONS}; do
 POSTGRES_MAJOR_VERSION="${POSTGRES_VERSION%.*}"
From 79fe98472931f03be2ca1ef96701d7a4c864bb9c Mon Sep 17 00:00:00 2001
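Review bot: The added `microdnf update -y --nodocs` is a bare shell line inside a RUN whose start lies outside the hunk, and the `|| true` on the preceding `module disable` line suggests the script is meant to run with errexit; if it does not, a failed or partially applied update is ignored and the image still builds with exactly the stale packages the new comment says it is fixing. Please confirm the enclosing RUN (heredoc or `set -e` prefix) aborts on a non-zero exit, or make it explicit on this line: `microdnf update -y --nodocs || exit 1`. The comment's "current RHEL/EPEL/PGDG repos" is accurate as a description of what is enabled at this point, which also means a base package can be replaced by an EPEL or PGDG build during this step; either state that in the comment or scope the update with `--disablerepo` so only Red Hat errata are applied.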
From: ValClarkson
Date: Fri, 22 May 2026 11:16:02 -0400
Subject: [PATCH 6/6] chore(image-pgbouncer): bump pgbouncer 1.24.1 -> 1.25.2

Pulls in two minor releases worth of upstream bug fixes and security hardening from the pgbouncer 1.25.x line. The matching PGDG package 'pgbouncer-1.25.2-42PGDG.rhel9.7' was published to https://download.postgresql.org/pub/repos/yum/common/redhat/rhel-9-x86_64/ on 09-May-2026, one day after upstream tagged v1.25.2.
Release notes:
https://www.pgbouncer.org/2025-11-09.html (1.25.0)
https://www.pgbouncer.org/2025-12-03.html (1.25.1)
https://www.pgbouncer.org/2026-05-08.html (1.25.2)

Co-authored-by: Cursor
---
 components/image-pgbouncer/Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/components/image-pgbouncer/Dockerfile b/components/image-pgbouncer/Dockerfile
index cc8609e4d..e7fad45c2 100644
--- a/components/image-pgbouncer/Dockerfile
+++ b/components/image-pgbouncer/Dockerfile
@@ -4,7 +4,7 @@
 FROM registry.access.redhat.com/ubi9/ubi-minimal
-ARG PGBOUNCER_VERSION=1.24.1
+ARG PGBOUNCER_VERSION=1.25.2
 # The c-ares package is in the rhel-9-for-$(arch)-baseos-rpms repo, so we must enable it
 RUN rpm -ivh "https://download.postgresql.org/pub/repos/yum/reporpms/EL-9-$(arch)/pgdg-redhat-repo-latest.noarch.rpm" \