feat: update internal PostgreSQL to v16

[zdrapela]

Description

Upgrade the integrated PostgreSQL from version 15 to 16.

Which issue(s) does this PR fix or relate to

• Fixes https://issues.redhat.com/browse/RHIDP-10941

PR acceptance criteria

• Tests
• Documentation

How to test changes / Special notes to the reviewer

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign rm3l for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[rhdh-qodo-merge]

PR Reviewer Guide 🔍

Here are some key observations to aid the review process:

🎫 Ticket compliance analysis 🔶 RHIDP-10941 - Partially compliant Compliant requirements: Update the RHDH Operator configuration to deploy PostgreSQL 16 for the integrated database. Ensure new Operator deployments create a PostgreSQL 16 database by default. Non-compliant requirements: Document the configuration changes in the PR. Requires further human verification: Ensure existing deployments continue to work (backward compatibility).

⏱️ Estimated effort to review: 3 🔵🔵🔵⚪⚪

🔒 Security concerns Supply-chain risk: several new references use quay.io/fedora/postgresql-16:latest (a floating tag). Using :latest increases the risk of unintentionally pulling changed/unvetted content over time. Prefer an immutable digest (or at minimum a specific version tag) and ensure the final shipped manifests/CSV point to the supported Red Hat image source.

⚡ Recommended focus areas for review Image Source The ticket goal is to use the Red Hat supported PostgreSQL 16 image, but the operator RELATED_IMAGE_postgresql and relatedImages are set to quay.io/fedora/postgresql-16:latest. Validate that release artifacts substitute this to registry.redhat.io/rhel9/postgresql-16 (or an approved internal mirror) and that the CSV ends up referencing the supported image for disconnected/restricted environments. env: - name: OPERATOR_NAME value: rhdh-operator - name: POD_NAME valueFrom: fieldRef: fieldPath: metadata.name - name: RELATED_IMAGE_postgresql value: quay.io/fedora/postgresql-16:latest - name: RELATED_IMAGE_backstage value: quay.io/rhdh-community/rhdh:next - name: RELATED_IMAGE_catalog_index value: quay.io/rhdh/plugin-catalog-index:1.9 image: quay.io/rhdh/rhdh-rhel9-operator:1.9 livenessProbe: httpGet: path: /healthz port: health initialDelaySeconds: 15 periodSeconds: 20 name: manager ports: - containerPort: 8081 name: health - containerPort: 8443 name: metrics readinessProbe: httpGet: path: /readyz port: health initialDelaySeconds: 5 periodSeconds: 10 resources: limits: cpu: 500m ephemeral-storage: 20Mi memory: 1Gi requests: cpu: 10m memory: 128Mi securityContext: allowPrivilegeEscalation: false capabilities: drop: - ALL readOnlyRootFilesystem: true volumeMounts: - mountPath: /default-config name: default-config - mountPath: /plugin-deps name: plugin-deps securityContext: runAsNonRoot: true serviceAccountName: rhdh-controller-manager terminationGracePeriodSeconds: 10 volumes: - configMap: name: rhdh-default-config name: default-config - configMap: name: rhdh-plugin-deps optional: true name: plugin-deps permissions: - rules: - apiGroups: - "" resources: - configmaps verbs: - get - list - watch - create - update - patch - delete - apiGroups: - coordination.k8s.io resources: - leases verbs: - get - list - watch - create - update - patch - delete - apiGroups: - "" resources: - events verbs: - create - patch serviceAccountName: rhdh-controller-manager strategy: deployment installModes: - supported: false type: OwnNamespace - supported: false type: SingleNamespace - supported: false type: MultiNamespace - supported: true type: AllNamespaces keywords: - Backstage - RHDH links: - name: Product Page url: https://developers.redhat.com/products/developer-hub/overview/ - name: Documentation url: https://access.redhat.com/documentation/en-us/red_hat_developer_hub - name: Life Cycle url: https://access.redhat.com/node/7025299 - name: Support Policies url: https://access.redhat.com/policy/developerhub-support-policy - name: Sources url: https://github.com/redhat-developer/rhdh-operator maintainers: - email: rhdh-notifications@redhat.com name: Red Hat Developer Hub Team maturity: alpha minKubeVersion: 1.25.0 provider: name: Red Hat Inc. url: https://www.redhat.com/ relatedImages: - image: quay.io/fedora/postgresql-16:latest name: postgresql Tag Stability Multiple manifests pin PostgreSQL via the floating :latest tag, which can break reproducibility and upgrades and may violate operator bundle best practices (relatedImages typically should be immutable/digest-pinned). Consider using a versioned tag and/or digest pinning for RELATED_IMAGE_postgresql and all rendered statefulsets/jobs that reference the image. env: - name: OPERATOR_NAME value: rhdh-operator - name: POD_NAME valueFrom: fieldRef: fieldPath: metadata.name - name: RELATED_IMAGE_postgresql value: quay.io/fedora/postgresql-16:latest - name: RELATED_IMAGE_backstage value: quay.io/rhdh-community/rhdh:next - name: RELATED_IMAGE_catalog_index value: quay.io/rhdh/plugin-catalog-index:1.9 image: quay.io/rhdh/rhdh-rhel9-operator:1.9 livenessProbe: httpGet: path: /healthz port: health initialDelaySeconds: 15 periodSeconds: 20 name: manager ports: - containerPort: 8081 name: health - containerPort: 8443 name: metrics readinessProbe: httpGet: path: /readyz port: health initialDelaySeconds: 5 periodSeconds: 10 resources: limits: cpu: 500m ephemeral-storage: 20Mi memory: 1Gi requests: cpu: 10m memory: 128Mi securityContext: allowPrivilegeEscalation: false capabilities: drop: - ALL readOnlyRootFilesystem: true volumeMounts: - mountPath: /default-config name: default-config - mountPath: /plugin-deps name: plugin-deps securityContext: runAsNonRoot: true serviceAccountName: rhdh-controller-manager terminationGracePeriodSeconds: 10 volumes: - configMap: name: rhdh-default-config name: default-config - configMap: name: rhdh-plugin-deps optional: true name: plugin-deps permissions: - rules: - apiGroups: - "" resources: - configmaps verbs: - get - list - watch - create - update - patch - delete - apiGroups: - coordination.k8s.io resources: - leases verbs: - get - list - watch - create - update - patch - delete - apiGroups: - "" resources: - events verbs: - create - patch serviceAccountName: rhdh-controller-manager strategy: deployment installModes: - supported: false type: OwnNamespace - supported: false type: SingleNamespace - supported: false type: MultiNamespace - supported: true type: AllNamespaces keywords: - Backstage - RHDH links: - name: Product Page url: https://developers.redhat.com/products/developer-hub/overview/ - name: Documentation url: https://access.redhat.com/documentation/en-us/red_hat_developer_hub - name: Life Cycle url: https://access.redhat.com/node/7025299 - name: Support Policies url: https://access.redhat.com/policy/developerhub-support-policy - name: Sources url: https://github.com/redhat-developer/rhdh-operator maintainers: - email: rhdh-notifications@redhat.com name: Red Hat Developer Hub Team maturity: alpha minKubeVersion: 1.25.0 provider: name: Red Hat Inc. url: https://www.redhat.com/ relatedImages: - image: quay.io/fedora/postgresql-16:latest name: postgresql

📄 References redhat-developer/rhdh-operator/pkg/model/testdata/janus-db-statefulset.yaml [18-47] redhat-developer/rhdh-operator/config/profile/rhdh/default-config/db-statefulset.yaml [60-90] redhat-developer/rhdh-operator/config/profile/backstage.io/default-config/db-statefulset.yaml [60-90] redhat-developer/rhdh-chart/charts/backstage/values.yaml [283-310] redhat-developer/rhdh-operator/config/profile/rhdh/default-config/db-statefulset.yaml [1-11] redhat-developer/rhdh-operator/config/profile/backstage.io/default-config/db-statefulset.yaml [12-27] redhat-developer/rhdh-operator/pkg/model/testdata/default-config/db-statefulset.yaml [1-18] redhat-developer/rhdh-operator/pkg/model/testdata/rhdh-db-statefulset.yaml [1-17]

[rhdh-qodo-merge]

PR Type

Enhancement

---

Description

• Upgrade PostgreSQL image references from v15 to v16 across all configuration files

• Update container image tags in manifests, config profiles, and test data

• Update registry mirror configuration for restricted environment deployments

---

File Walkthrough

	Relevant files
Configuration changes	11 files prepare-restricted-environment.sh Update PostgreSQL registry mirror to v16                                  +2/-2      backstage-default-config_v1_configmap.yaml Update PostgreSQL image reference to v16                                  +1/-1      backstage-operator.clusterserviceversion.yaml Update PostgreSQL image references in operator manifest    +2/-2      rhdh-default-config_v1_configmap.yaml Update PostgreSQL image reference to v16                                  +1/-1      rhdh-plugin-deps_v1_configmap.yaml Update PostgreSQL image for SonataFlow database job            +1/-1      db-statefulset.yaml Update PostgreSQL image reference to v16                                  +1/-1      db-statefulset.yaml Update PostgreSQL image reference to v16                                  +1/-1      deployment-patch.yaml Update PostgreSQL image in operator deployment patch          +1/-1      sonataflow.yaml Update PostgreSQL image for SonataFlow database job            +1/-1      install.yaml Update PostgreSQL image references in distribution manifest +1/-1      install.yaml Update PostgreSQL image references in distribution manifest +3/-3
Tests	3 files db-statefulset.yaml Update PostgreSQL image in test data fixture                          +1/-1      ips-db-statefulset.yaml Update PostgreSQL image in test data fixture                          +1/-1      rhdh-db-statefulset.yaml Update PostgreSQL image in test data fixture                          +1/-1

---

[rhdh-qodo-merge]

PR Code Suggestions ✨

Explore these optional code suggestions:

Category	Suggestion	Impact
High-level	Use the official Red Hat image The PR incorrectly uses a Fedora community PostgreSQL image. It should be updated to use the official Red Hat supported image (registry.redhat.io/rhel9/postgresql-16) as required by the ticket. Examples: bundle/rhdh/manifests/backstage-operator.clusterserviceversion.yaml [338] value: quay.io/fedora/postgresql-16:latest bundle/rhdh/manifests/rhdh-default-config_v1_configmap.yaml [90] image: quay.io/fedora/postgresql-16:latest # will be replaced with the actual image Solution Walkthrough: Before: # In various YAML configuration files: ... spec: containers: - name: postgresql # The PR uses a Fedora community image image: quay.io/fedora/postgresql-16:latest ... # In the ClusterServiceVersion: relatedImages: - image: quay.io/fedora/postgresql-16:latest name: postgresql ... After: # In various YAML configuration files: ... spec: containers: - name: postgresql # Should use the official Red Hat supported image image: registry.redhat.io/rhel9/postgresql-16 ... # In the ClusterServiceVersion: relatedImages: - image: registry.redhat.io/rhel9/postgresql-16 name: postgresql ... Suggestion importance[1-10]: 10 __ Why: This suggestion addresses a critical flaw where the PR uses an unsupported community image instead of the required Red Hat supported image, directly contradicting the core requirement of the associated ticket.	High
Security	Harden psql container security Add a securityContext to the psql container in bundle/rhdh/manifests/rhdh-plugin-deps_v1_configmap.yaml to enforce runAsNonRoot: true and allowPrivilegeEscalation: false for security hardening. bundle/rhdh/manifests/rhdh-plugin-deps_v1_configmap.yaml [95-100] - name: psql image: quay.io/fedora/postgresql-16:latest + securityContext: + runAsNonRoot: true + allowPrivilegeEscalation: false resources: limits: cpu: "100m" memory: "128Mi" Apply / Chat Suggestion importance[1-10]: 8 __ Why: This suggestion provides a significant security improvement by proposing to run the psql container as a non-root user and preventing privilege escalation, which is a critical security best practice.	Medium
General	Pin image version instead of latest Replace the :latest tag with a specific version tag (e.g., :16) for the postgresql-16 image to ensure predictable deployments. This should be applied across all relevant YAML files. bundle/backstage.io/manifests/backstage-default-config_v1_configmap.yaml [87] -image: quay.io/fedora/postgresql-16:latest # will be replaced with the actual image +image: quay.io/fedora/postgresql-16:16 # will be replaced with the actual image Apply / Chat Suggestion importance[1-10]: 6 __ Why: The suggestion correctly points out that using the :latest tag is a bad practice for deployment stability. Pinning to a specific version like :16 improves reproducibility, which is a valuable improvement.	Low
	Parameterize Postgres version In .rhdh/scripts/prepare-restricted-environment.sh, define a variable for the PostgreSQL version (e.g., PG_VERSION=16) and use it to construct image source URLs, simplifying future upgrades. .rhdh/scripts/prepare-restricted-environment.sh [1138-1139] -- ${registry_url_internal}/rhel9/postgresql-16 -source: registry.redhat.io/rhel9/postgresql-16 +- ${registry_url_internal}/rhel9/postgresql-${PG_VERSION} +source: registry.redhat.io/rhel9/postgresql-${PG_VERSION} Apply / Chat Suggestion importance[1-10]: 5 __ Why: This is a good suggestion for improving the maintainability of the shell script by using a variable for the PostgreSQL version, making future updates easier and less error-prone.	Low
Organization best practice	Quote interpolated shell variables Quote the expanded registry URL so unexpected characters/spaces in registry_url_internal cannot break the generated YAML. .rhdh/scripts/prepare-restricted-environment.sh [1137-1139] - mirrors: - - ${registry_url_internal}/rhel9/postgresql-16 + - "${registry_url_internal}/rhel9/postgresql-16" source: registry.redhat.io/rhel9/postgresql-16 Apply / Chat Suggestion importance[1-10]: 6 __ Why: Relevant best practice - Harden shell scripts by quoting variables to avoid word-splitting/globbing and brittle output.	Low
More

[github-actions]

PR images are available:

1. https://quay.io/rhdh-community/operator:0.9.0-pr-2139-5da5a44
2. https://quay.io/rhdh-community/operator-bundle:0.9.0-pr-2139-5da5a44
3. https://quay.io/rhdh-community/operator-catalog:0.9.0-pr-2139-5da5a44