
Use of Bitnami postgresql as a subchart/dependency is fragile and may represent a security issue going forwards #16

@anthonysomerset

Description


This is a follow-on issue to #14 that was mitigated in #15.

Bitnami deprecated their free docker images and kind of by proxy the helm charts

The helm charts work, but they target the bitnami "secure" images, which are no longer free to access as tagged/pinned versions, or you are forced on to the "latest" tag, which, while it might be fine in a testing/CI scenario, is a complete no-no in a production environment, especially when the environment in question is itself about managing change of your infrastructure more broadly.

The quick fix mentioned above basically changed the postgresql image to target the bitnamilegacy images, which are a snapshot in time of the original bitnami images and no longer receive any form of updates - this represents a longer-term security issue overall.

This issue is to initially prompt a discussion about how best we should mitigate this. The way I see this is that there are a number of possible options (personal opinion will come in a second reply):

  1. Do nothing - continue to use Bitnami Helm Chart with an image pinned at bitnamilegacy
  2. Update the subchart dependency to the latest version of bitnami's postgresql and/or use the "latest" tag for postgresql
  3. Remove all support for managing postgresql within this chart - expecting the user to pre-configure postgresql however they desire
  4. Migrate to an alternative more stable helm subchart for postgresql

Throwing the gates open for discussion and views or alternative ideas so we can come up with some consensus on a way forwards
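As an added example (not from the issue, the chart, or its maintainers), the following audit walks a Helm values structure in the Bitnami chart image convention (`image.registry`/`repository`/`tag`/`digest`) and reports the two problems described above: the frozen `bitnamilegacy` snapshot and a floating `latest` tag, plus a missing digest pin. The values dicts, the repository names and the digest are constructed placeholders.

```python
"""Audit Helm values for fragile image references (added example, not project code).

Walks nested values dicts, finds every ``image`` block in the Bitnami chart
convention and returns findings a reviewer can act on before a release.
"""

LEGACY_MARKER = "bitnamilegacy"  # frozen snapshot namespace, no longer updated


def audit_images(values, path=""):
    """Return (path, severity, message) tuples for every image spec found."""
    findings = []
    if not isinstance(values, dict):
        return findings
    for key, value in values.items():
        here = f"{path}.{key}" if path else key
        if key == "image" and isinstance(value, dict):
            repo = str(value.get("repository", ""))
            tag = str(value.get("tag", ""))
            digest = str(value.get("digest", ""))
            ref = f"{value.get('registry', 'docker.io')}/{repo}:{tag or '<chart default>'}"
            if LEGACY_MARKER in repo:
                findings.append((here, "high", f"{ref}: frozen snapshot image, receives no updates"))
            if tag == "latest":
                findings.append((here, "high", f"{ref}: floating 'latest' tag, not reproducible"))
            if not digest:
                findings.append((here, "medium", f"{ref}: no digest pin, tag can be re-pushed"))
        else:
            # Recurse into subchart values (e.g. values["postgresql"]["image"]).
            findings.extend(audit_images(value, here))
    return findings


# Constructed values: the state after the quick fix in #15 (legacy snapshot, tag only).
VALUES_AFTER_QUICK_FIX = {
    "postgresql": {
        "enabled": True,
        "image": {"registry": "docker.io", "repository": "bitnamilegacy/postgresql", "tag": "16.4.0"},
    }
}

# Constructed values: a maintained image pinned by digest (placeholder digest, not real).
VALUES_PINNED = {
    "postgresql": {
        "enabled": True,
        "image": {"registry": "docker.io", "repository": "example/postgresql",
                  "tag": "16.4.0", "digest": "sha256:" + "0" * 64},
    }
}

if __name__ == "__main__":
    for finding in audit_images(VALUES_AFTER_QUICK_FIX):
        print(*finding, sep=" | ")
```

Run it against the values file of any chart that follows the Bitnami image convention; an empty result means every image is digest-pinned and outside the legacy namespace.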
