chore(deps): update quay.io/maestro/eclipse-mosquitto docker tag to v2.0.20 #465

Open
red-hat-konflux[bot] wants to merge 1 commit into main from konflux/mintmaker/main/quay.io-maestro-eclipse-mosquitto-2.x

@red-hat-konflux red-hat-konflux Bot commented Jan 17, 2026

This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| quay.io/maestro/eclipse-mosquitto | patch | 2.0.18 -> 2.0.20 |

Warning

Some dependencies could not be looked up. Check the warning logs for more information.


Configuration

📅 Schedule: Branch creation - "every weekend" in timezone America/New_York, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

To execute skipped test pipelines write comment /ok-to-test.


Documentation

Find out how to configure dependency updates in MintMaker documentation or see all available configuration options in Renovate documentation.

@red-hat-konflux red-hat-konflux Bot added the ok-to-test Indicates a non-member PR verified by an org member that is safe to test. label Jan 17, 2026

coderabbitai Bot commented Jan 17, 2026

Walkthrough

Updated the Mosquitto MQTT broker container image tag in the Helm chart values from version 2.0.18 to 2.0.20. No configuration structure or logic was altered.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Mosquitto broker image update: `charts/maestro-server/values.yaml` | Bumped container image tag for mosquitto.image from quay.io/maestro/eclipse-mosquitto:2.0.18 to quay.io/maestro/eclipse-mosquitto:2.0.20. |

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title accurately describes the main change: updating the Mosquitto Docker image tag from 2.0.18 to 2.0.20 in the Helm chart values file. |
| Description check | ✅ Passed | The description clearly relates to the changeset, providing a detailed table showing the dependency update from 2.0.18 to 2.0.20, along with relevant configuration and documentation information. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |

@red-hat-konflux red-hat-konflux Bot force-pushed the konflux/mintmaker/main/quay.io-maestro-eclipse-mosquitto-2.x branch from b33a5c5 to 7438ae1 Compare January 23, 2026 12:49
…2.0.20

Signed-off-by: red-hat-konflux <126015336+red-hat-konflux[bot]@users.noreply.github.com>
@red-hat-konflux red-hat-konflux Bot force-pushed the konflux/mintmaker/main/quay.io-maestro-eclipse-mosquitto-2.x branch from 7438ae1 to 7fcb8af Compare April 4, 2026 05:31
@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@charts/maestro-server/values.yaml`:
- Line 185: Update README.md's parameter table to change the MQTT image version
from 2.0.18 to 2.0.20 to match the change in charts/maestro-server/values.yaml
(the image entry using quay.io/maestro/eclipse-mosquitto). Also consider
replacing the tag-only image reference with a digest-pinned reference
(quay.io/maestro/eclipse-mosquitto@sha256:...) in values.yaml to improve
supply-chain security; if you add a digest, ensure the README example and any
documentation reflect the same pinned digest and note that digests are preferred
for reproducibility.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 98778d77-2fb7-45ef-8cd1-42e9caae9763

📥 Commits

Reviewing files that changed from the base of the PR and between 001af75 and 7fcb8af.

📒 Files selected for processing (1)
  • charts/maestro-server/values.yaml

mosquitto:
enabled: false
image: quay.io/maestro/eclipse-mosquitto:2.0.18
image: quay.io/maestro/eclipse-mosquitto:2.0.20
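
Review bot: The new `image:` value is still pinned by tag only (`quay.io/maestro/eclipse-mosquitto:2.0.20`), so the content that gets deployed is whatever the registry serves for that tag at pull time rather than the artifact that was reviewed here. Consider appending the digest once it has been confirmed against the registry, in the form `quay.io/maestro/eclipse-mosquitto:2.0.20@sha256:...`, and keeping any documented default for this value in step with the bump. The `enabled: false` line directly above means the change only takes effect for installs that turn the broker on.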

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🌐 Web query:

Find official release/security notes for Eclipse Mosquitto 2.0.20 (vs 2.0.18), and confirm the immutable digest for quay.io/maestro/eclipse-mosquitto:2.0.20 on Quay.

💡 Result:

Eclipse Mosquitto 2.0.20 official release notes: Released on 2024-10-16 as a bugfix release (no security fixes mentioned).

Key changes vs 2.0.18 (bugfix release on 2023-09-18):

Broker:
- Fix QoS 1 / QoS 2 publish incorrectly returning "no subscribers". Closes #3128.
- Open files with appropriate access on Windows. Closes #3119.
- Don't allow invalid response topic values.
- Fix some strict protocol compliance issues. Closes #3052.

Client library:
- Fix cmake build on OS X. Closes #3125.

Clients:
- Fix mosquitto_rr not honouring -R. Closes #2893.

Windows:
- Installer will start/stop the mosquitto service when installing/uninstalling.

Build:
- Fix build on NetBSD.

No CVEs or security vulnerabilities listed specifically for 2.0.20; prior security issues addressed in earlier releases like 2.0.19.

Immutable digest for quay.io/maestro/eclipse-mosquitto:2.0.20: No public sources found confirming the existence or digest of this specific image on Quay.io. Searches returned official Docker Hub eclipse-mosquitto:2.0.20 details (manifest digest sha256:a6a334b129fce60f4876a0276744f5790f97333821534d39b330706f5fe214da for one platform), but no matches for 'maestro' namespace. The image may be private, non-existent, or from an unindexed third-party repo.

Citations:


🏁 Script executed:

# Search for references to maestro/eclipse-mosquitto or quay.io in the repo
rg "maestro/eclipse-mosquitto|quay\.io.*maestro" --type yaml --type md --type txt

# Also check if there are any image building/digest documentation
rg "digest|sha256" charts/maestro-server/ --type yaml -A 2 -B 2

# Check for any CI/CD or image build configuration
fd -t f "\.github|Dockerfile|\.gitlab|\.circleci|Makefile|makefile" | head -20

Repository: openshift-online/maestro

Length of output: 606


🏁 Script executed:

# Check Dockerfiles for eclipse-mosquitto references
rg "eclipse-mosquitto" Dockerfile* --type text

# Check if any build config or documentation mentions image digests
fd -type f "\.md$|\.txt$|\.yaml$" | xargs rg -l "digest|image.*pinning|immutable" 2>/dev/null | head -10

# Check the main Dockerfile to understand image strategy
head -50 Dockerfile

Repository: openshift-online/maestro

Length of output: 942


🏁 Script executed:

# Check renovate.json for image update policy
cat renovate.json

# Check the README in charts/maestro-server for image documentation
cat charts/maestro-server/README.md | grep -A 5 -B 5 "mqtt.image"

Repository: openshift-online/maestro

Length of output: 1632


Update README.md to reflect the new MQTT image version, and consider digest pinning for supply chain security.

Line 185 correctly bumps the MQTT image tag to 2.0.20, a safe bugfix release (2024-10-16, no security fixes or CVEs). However, the README.md still lists the old version 2.0.18 in the parameter table and needs to be updated to 2.0.20.

Additionally, while tag-only references are convenient, digest pinning (@sha256:...) improves reproducibility and security. The maestro namespace images are organization-managed, so consider pinning to their immutable digests where available.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@charts/maestro-server/values.yaml` at line 185, Update README.md's parameter
table to change the MQTT image version from 2.0.18 to 2.0.20 to match the change
in charts/maestro-server/values.yaml (the image entry using
quay.io/maestro/eclipse-mosquitto). Also consider replacing the tag-only image
reference with a digest-pinned reference
(quay.io/maestro/eclipse-mosquitto@sha256:...) in values.yaml to improve
supply-chain security; if you add a digest, ensure the README example and any
documentation reflect the same pinned digest and note that digests are preferred
for reproducibility.
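
The tag-versus-digest distinction raised in the review comment above can be checked mechanically. The following is an added example, not code from this PR or from the maestro project: it scans values-style text for `image:` entries and classifies each reference as digest-pinned, tag-only or floating. The sample input is constructed (its first entry mirrors the changed line), `registry.example` is a placeholder host, and the all-zero digest is a placeholder rather than a real image digest.

```python
import re

# Constructed sample; the sha256 value is a placeholder, not a real digest.
SAMPLE_VALUES = """\
mosquitto:
  enabled: false
  image: quay.io/maestro/eclipse-mosquitto:2.0.20
pinned:
  image: registry.example:5000/team/broker:1.2.3@sha256:{d}
floating:
  image: registry.example:5000/team/broker
""".format(d="0" * 64)

DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")
IMAGE_LINE_RE = re.compile(r"^\s*image:\s*[\"']?([^\s\"'#]+)")


def parse_image_ref(ref):
    """Split an image reference into (name, tag, digest)."""
    name, _, digest = ref.partition("@")
    # A ':' separates a tag only when it follows the last '/';
    # earlier it belongs to a registry host:port.
    tag = None
    if ":" in name.rsplit("/", 1)[-1]:
        name, tag = name.rsplit(":", 1)
    return name, tag, digest or None


def classify(ref):
    """Return 'pinned', 'bad-digest', 'tag-only' or 'floating'."""
    _, tag, digest = parse_image_ref(ref)
    if digest:
        return "pinned" if DIGEST_RE.match(digest) else "bad-digest"
    if tag is None or tag == "latest":
        return "floating"
    return "tag-only"


def audit_values(text):
    """List (line number, reference, status) for every image: entry."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = IMAGE_LINE_RE.match(line)
        if m:
            findings.append((lineno, m.group(1), classify(m.group(1))))
    return findings


if __name__ == "__main__":
    for lineno, ref, status in audit_values(SAMPLE_VALUES):
        print(f"line {lineno}: {status:10} {ref}")
```

A check like this fits in CI as a gate that fails when any entry is not `pinned`; it validates the form of the reference only and does not confirm that the digest exists in the registry.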
