Skip to content

v1.4.3

Latest

Choose a tag to compare

@github-actions github-actions released this 01 Jul 15:48
v1.4.3
490fe1d

Class: security

Removes every credential value from the Helm chart, in response to a repeated
AWS Marketplace static/default-password review finding. The bundled upstream
pgagroal version is unchanged at 2.1.0 and the runtime image is functionally
identical to 1.4.0-1.4.2.

Security

  • Chart is credentials-by-reference only - no credential value anywhere.
    The chart no longer contains credentials.username / credentials.password
    values or a Secret template. It references an operator-supplied Kubernetes
    Secret via credentials.existingSecret (default pgagroal-pg-credentials)
    and renders only a secretKeyRef; the default helm template and all
    rendered manifests contain no credential value of any kind. The render
    fails closed if credentials.existingSecret is empty.

Removed

  • credentials.create, credentials.username, credentials.password, and
    the chart-created Secret template (templates/secret.yaml). Credentials are
    provided only via credentials.existingSecret - create the Secret with keys
    PG_USERNAME and PG_PASSWORD before installing. (Since 1.4.2 the default
    was already an external Secret, so no default deployment changes.)

This release bundles upstream pgagroal 2.1.0 (unchanged). Elevarq
packaging version is 1.4.3.


Supply chain

  • Image (Docker Hub): docker.io/elevarq/pgagroal:1.4.3
  • Image (GHCR): ghcr.io/elevarq/pgagroal:1.4.3
  • Digest: sha256:4c1c9b1f385763fe61701012d000f14bb4979abdd53ed9faa78f089e453b14ae
  • Architectures: linux/amd64, linux/arm64
  • Signed with cosign (keyless, GitHub OIDC)
  • SBOM and SLSA provenance attached as OCI attestations

Verify signature and attestations:

IMAGE=docker.io/elevarq/pgagroal:1.4.3   # or ghcr.io/elevarq/pgagroal:1.4.3

cosign verify "$IMAGE" \
  --certificate-identity-regexp='https://github.com/Elevarq/' \
  --certificate-oidc-issuer='https://token.actions.githubusercontent.com'

cosign verify-attestation --type spdxjson      "$IMAGE"   # SBOM
cosign verify-attestation --type slsaprovenance "$IMAGE"   # provenance

Full verification guide:
https://github.com/Elevarq/pgAgroal/blob/main/docs/security/supply-chain-and-release-security.md