Skip to content

Commit 9f7f4c2

Browse files
committed
docs: import CloudNativePG v1.30.0
1 parent f197e6f commit 9f7f4c2

16 files changed

Lines changed: 859 additions & 68 deletions

website/docusaurus.config.ts

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -6,7 +6,7 @@ import type * as Preset from '@docusaurus/preset-classic';
66

77
const versionsConfig = require('./versions_config.json') as Record<string, import('@docusaurus/plugin-content-docs').VersionOptions>;
88

9-
const lastVersion = '1.29';
9+
const lastVersion = '1.30';
1010

1111
const config: Config = {
1212
title: 'CloudNativePG',

website/versioned_docs/version-1.30/appendixes/object_stores.md

Lines changed: 20 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -168,6 +168,26 @@ spec:
168168
[...]
169169
```
170170

171+
:::note
172+
Recent changes to the [boto3 implementation](https://github.com/boto/boto3/issues/4392)
173+
of [Amazon S3 Data Integrity Protections](https://docs.aws.amazon.com/sdkref/latest/guide/feature-dataintegrity.html)
174+
may lead to the `x-amz-content-sha256` error. If you encounter this issue, you
175+
can apply the following workaround by setting specific environment variables at
176+
the cluster level through `spec.env`:
177+
178+
```yaml
179+
apiVersion: postgresql.cnpg.io/v1
180+
kind: Cluster
181+
[...]
182+
spec:
183+
env:
184+
- name: AWS_REQUEST_CHECKSUM_CALCULATION
185+
value: when_required
186+
- name: AWS_RESPONSE_CHECKSUM_VALIDATION
187+
value: when_required
188+
```
189+
:::
190+
171191
### Using Object Storage with a private CA
172192

173193
Suppose you configure an Object Storage provider which uses a certificate

website/versioned_docs/version-1.30/image_catalog.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -234,7 +234,7 @@ You can install all the available catalogs by using the `kustomization` file
234234
present in the `image-catalogs` directory:
235235

236236
```shell
237-
kubectl apply -k https://github.com/cloudnative-pg/artifacts//image-catalogs?ref=main
237+
kubectl apply -k 'https://github.com/cloudnative-pg/artifacts//image-catalogs?ref=main'
238238
```
239239

240240
You can then view all the catalogs deployed with:

website/versioned_docs/version-1.30/installation_upgrade.md

Lines changed: 18 additions & 12 deletions
Original file line numberDiff line numberDiff line change
@@ -14,12 +14,12 @@ title: Installation and upgrades
1414
The operator can be installed like any other resource in Kubernetes,
1515
through a YAML manifest applied via `kubectl`.
1616

17-
You can install the [latest operator manifest](https://raw.githubusercontent.com/cloudnative-pg/cloudnative-pg/main/releases/cnpg-1.30.0-rc1.yaml)
17+
You can install the [latest operator manifest](https://raw.githubusercontent.com/cloudnative-pg/cloudnative-pg/release-1.30/releases/cnpg-1.30.0.yaml)
1818
for this minor release as follows:
1919

2020
```sh
2121
kubectl apply --server-side -f \
22-
https://raw.githubusercontent.com/cloudnative-pg/cloudnative-pg/main/releases/cnpg-1.30.0-rc1.yaml
22+
https://raw.githubusercontent.com/cloudnative-pg/cloudnative-pg/release-1.30/releases/cnpg-1.30.0.yaml
2323
```
2424

2525
You can verify that with:
@@ -277,18 +277,20 @@ only the operator itself.
277277

278278
These releases introduce changes worth reviewing before you upgrade. Two are
279279
security changes that apply to **1.30.0, 1.29.2, and 1.28.4**: operator-side
280-
password encoding and `search_path` hardening. The other three are new in
280+
password encoding (`CVE-2026-55765`) and `search_path` hardening
281+
(`CVE-2026-55769`). The other three are new in
281282
**1.30.0** only: the `DatabaseRole` resource for declarative role management,
282283
safe primary election via a per-cluster Lease, and operator-to-instance
283-
authentication on the instance manager's status port.
284+
authentication on the instance manager's status port (`GHSA-7qwx-x8ff-3px9`).
284285
In addition, if you are upgrading from a release **older than 1.29.1 or 1.28.3**,
285286
the metrics-exporter privilege separation from `CVE-2026-44477` also applies.
286287
Each is covered in its own subsection below.
287288

288-
#### Operator-side password encoding
289+
#### Operator-side password encoding (`CVE-2026-55765`)
289290

290-
Starting from versions 1.30.0, 1.29.2, and 1.28.4, for security reasons,
291-
CloudNativePG SCRAM-SHA-256 encodes role passwords **operator-side**
291+
Starting from versions 1.30.0, 1.29.2, and 1.28.4, for security reasons
292+
(`CVE-2026-55765` / `GHSA-w3gf-xc94-wvmj`), CloudNativePG SCRAM-SHA-256 encodes
293+
role passwords **operator-side**
292294
(client-side from PostgreSQL's point of view) before issuing
293295
`CREATE`/`ALTER ROLE` statements. As a result, the literal that reaches
294296
the PostgreSQL parser (and that extensions such as `pg_stat_statements`
@@ -328,10 +330,11 @@ according to its own `password_encryption` GUC.
328330
See ["Opting out of operator-side encoding"](declarative_role_management.md#opting-out-of-operator-side-encoding)
329331
for details.
330332

331-
#### `search_path` hardening
333+
#### `search_path` hardening (`CVE-2026-55769`)
332334

333-
Also starting from versions 1.30.0, 1.29.2, and 1.28.4, for security reasons,
334-
CloudNativePG pins the `search_path` to a fixed `pg_catalog, public,
335+
Also starting from versions 1.30.0, 1.29.2, and 1.28.4, for security reasons
336+
(`CVE-2026-55769` / `GHSA-x8c2-3p4r-v9r6`), CloudNativePG pins the `search_path`
337+
to a fixed `pg_catalog, public,
335338
pg_temp` on every connection it opens to PostgreSQL, so that a
336339
tenant-controlled `ALTER DATABASE`/`ALTER ROLE` setting can no longer
337340
influence how operator-issued queries resolve unqualified object names.
@@ -389,13 +392,16 @@ and `watch` verbs on `leases` in the `coordination.k8s.io` API group before
389392
upgrading, otherwise primaries will be unable to promote.
390393
:::
391394

392-
#### Operator-to-instance authentication
395+
#### Operator-to-instance authentication (`GHSA-7qwx-x8ff-3px9`)
393396

394397
Starting from version 1.30.0, the operator authenticates its calls to the
395398
sensitive endpoints of the instance manager's status port (backup,
396399
`pg_controldata`, partial WAL archive, and instance-manager upgrade) by pinning
397400
an in-memory client certificate. This is enabled automatically and requires no
398-
configuration. Status, health, and probe endpoints remain unauthenticated. See
401+
configuration. Status, health, and probe endpoints remain unauthenticated.
402+
This hardening is not backported; on releases earlier than 1.30.0, continue to
403+
restrict the status port (TCP 8000) with a `NetworkPolicy`, which remains its
404+
security boundary there. See
399405
[Operator-to-instance authentication](security.md#operator-to-instance-authentication)
400406
for details.
401407

website/versioned_docs/version-1.30/kubectl-plugin.md

Lines changed: 15 additions & 15 deletions
Original file line numberDiff line numberDiff line change
@@ -38,11 +38,11 @@ them in your systems.
3838

3939
#### Debian packages
4040

41-
For example, let's install the 1.30.0-rc1 release of the plugin, for an Intel based
41+
For example, let's install the 1.30.0 release of the plugin, for an Intel based
4242
64 bit server. First, we download the right `.deb` file.
4343

4444
```sh
45-
wget https://github.com/cloudnative-pg/cloudnative-pg/releases/download/v1.30.0-rc1/kubectl-cnpg_1.30.0-rc1_linux_x86_64.deb \
45+
wget https://github.com/cloudnative-pg/cloudnative-pg/releases/download/v1.30.0/kubectl-cnpg_1.30.0_linux_x86_64.deb \
4646
--output-document kube-plugin.deb
4747
```
4848

@@ -53,17 +53,17 @@ $ sudo dpkg -i kube-plugin.deb
5353
Selecting previously unselected package cnpg.
5454
(Reading database ... 6688 files and directories currently installed.)
5555
Preparing to unpack kube-plugin.deb ...
56-
Unpacking cnpg (1.30.0-rc1) ...
57-
Setting up cnpg (1.30.0-rc1) ...
56+
Unpacking cnpg (1.30.0) ...
57+
Setting up cnpg (1.30.0) ...
5858
```
5959

6060
#### RPM packages
6161

62-
As in the example for `.rpm` packages, let's install the 1.30.0-rc1 release for an
62+
As in the example for `.rpm` packages, let's install the 1.30.0 release for an
6363
Intel 64 bit machine. Note the `--output` flag to provide a file name.
6464

6565
```sh
66-
curl -L https://github.com/cloudnative-pg/cloudnative-pg/releases/download/v1.30.0-rc1/kubectl-cnpg_1.30.0-rc1_linux_x86_64.rpm \
66+
curl -L https://github.com/cloudnative-pg/cloudnative-pg/releases/download/v1.30.0/kubectl-cnpg_1.30.0_linux_x86_64.rpm \
6767
--output kube-plugin.rpm
6868
```
6969

@@ -77,7 +77,7 @@ Dependencies resolved.
7777
Package Architecture Version Repository Size
7878
====================================================================================================
7979
Installing:
80-
cnpg x86_64 1.30.0-rc1-1 @commandline 20 M
80+
cnpg x86_64 1.30.0-1 @commandline 20 M
8181

8282
Transaction Summary
8383
====================================================================================================
@@ -306,9 +306,9 @@ sandbox-3 0/604DE38 0/604DE38 0/604DE38 0/604DE38 00:00:00 00:00:00 00
306306
Instances status
307307
Name Current LSN Replication role Status QoS Manager Version Node
308308
---- ----------- ---------------- ------ --- --------------- ----
309-
sandbox-1 0/604DE38 Primary OK BestEffort 1.30.0-rc1 k8s-eu-worker
310-
sandbox-2 0/604DE38 Standby (async) OK BestEffort 1.30.0-rc1 k8s-eu-worker2
311-
sandbox-3 0/604DE38 Standby (async) OK BestEffort 1.30.0-rc1 k8s-eu-worker
309+
sandbox-1 0/604DE38 Primary OK BestEffort 1.30.0 k8s-eu-worker
310+
sandbox-2 0/604DE38 Standby (async) OK BestEffort 1.30.0 k8s-eu-worker2
311+
sandbox-3 0/604DE38 Standby (async) OK BestEffort 1.30.0 k8s-eu-worker
312312
```
313313

314314
If you require more detailed status information, use the `--verbose` option (or
@@ -362,9 +362,9 @@ sandbox-primary primary 1 1 1
362362
Instances status
363363
Name Current LSN Replication role Status QoS Manager Version Node
364364
---- ----------- ---------------- ------ --- --------------- ----
365-
sandbox-1 0/6053720 Primary OK BestEffort 1.30.0-rc1 k8s-eu-worker
366-
sandbox-2 0/6053720 Standby (async) OK BestEffort 1.30.0-rc1 k8s-eu-worker2
367-
sandbox-3 0/6053720 Standby (async) OK BestEffort 1.30.0-rc1 k8s-eu-worker
365+
sandbox-1 0/6053720 Primary OK BestEffort 1.30.0 k8s-eu-worker
366+
sandbox-2 0/6053720 Standby (async) OK BestEffort 1.30.0 k8s-eu-worker2
367+
sandbox-3 0/6053720 Standby (async) OK BestEffort 1.30.0 k8s-eu-worker
368368
```
369369

370370
With an additional `-v` (e.g. `kubectl cnpg status sandbox -v -v`), you can
@@ -640,12 +640,12 @@ Archive: report_operator_<TIMESTAMP>.zip
640640

641641
```output
642642
====== Beginning of Previous Log =====
643-
2023-03-28T12:56:41.251711811Z {"level":"info","ts":"2023-03-28T12:56:41Z","logger":"setup","msg":"Starting CloudNativePG Operator","version":"1.30.0-rc1","build":{"Version":"1.30.0-rc1+dev107","Commit":"cc9bab17","Date":"2023-03-28"}}
643+
2023-03-28T12:56:41.251711811Z {"level":"info","ts":"2023-03-28T12:56:41Z","logger":"setup","msg":"Starting CloudNativePG Operator","version":"1.30.0","build":{"Version":"1.30.0+dev107","Commit":"cc9bab17","Date":"2023-03-28"}}
644644
2023-03-28T12:56:41.251851909Z {"level":"info","ts":"2023-03-28T12:56:41Z","logger":"setup","msg":"Starting pprof HTTP server","addr":"0.0.0.0:6060"}
645645
<snipped …>
646646
647647
====== End of Previous Log =====
648-
2023-03-28T12:57:09.854306024Z {"level":"info","ts":"2023-03-28T12:57:09Z","logger":"setup","msg":"Starting CloudNativePG Operator","version":"1.30.0-rc1","build":{"Version":"1.30.0-rc1+dev107","Commit":"cc9bab17","Date":"2023-03-28"}}
648+
2023-03-28T12:57:09.854306024Z {"level":"info","ts":"2023-03-28T12:57:09Z","logger":"setup","msg":"Starting CloudNativePG Operator","version":"1.30.0","build":{"Version":"1.30.0+dev107","Commit":"cc9bab17","Date":"2023-03-28"}}
649649
2023-03-28T12:57:09.854363943Z {"level":"info","ts":"2023-03-28T12:57:09Z","logger":"setup","msg":"Starting pprof HTTP server","addr":"0.0.0.0:6060"}
650650
```
651651

website/versioned_docs/version-1.30/monitoring.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1004,7 +1004,7 @@ metadata:
10041004
spec:
10051005
containers:
10061006
- name: curl
1007-
image: curlimages/curl:8.17.0
1007+
image: curlimages/curl:8.21.0
10081008
command: ['sleep', '3600']
10091009
EOF
10101010
```

website/versioned_docs/version-1.30/operator_conf.md

Lines changed: 10 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -68,6 +68,15 @@ Name | Description
6868
`STANDBY_TCP_USER_TIMEOUT` | Defines the [`TCP_USER_TIMEOUT` socket option](https://www.postgresql.org/docs/current/runtime-config-connection.html#GUC-TCP-USER-TIMEOUT) in milliseconds for replication connections from standby instances to the primary. Default is 5000 (5 seconds). Set to `0` to use the system's default.
6969
`WATCH_NAMESPACE` | Specifies the namespace(s) where the operator should watch for resources. Multiple namespaces can be specified separated by commas. If not set, the operator watches all namespaces (cluster-wide mode).
7070

71+
:::warning
72+
CloudNativePG does NOT currently support running multiple operators on
73+
the same cluster. While this can be achieved through the use of namespaced
74+
deployments using `ENABLE_WEBHOOK_NAMESPACE_SUFFIX` and `WATCH_NAMESPACE`,
75+
multiple operators still use the same set of shared CRDs. We cannot
76+
guarantee a backwards compatible upgrade across multiple concurrently
77+
running operators.
78+
:::
79+
7180
Values in `INHERITED_ANNOTATIONS` and `INHERITED_LABELS` support path-like wildcards. For example, the value `example.com/*` will match
7281
both the value `example.com/one` and `example.com/two`.
7382

@@ -221,4 +230,4 @@ You can also access pprof using the browser at [http://localhost:6060/debug/ppro
221230
This is **not** the intended way to expose the feature in production.
222231
Treat pprof as a sensitive debugging interface and never expose it publicly.
223232
If you must access it remotely, secure it with proper network policies and access controls.
224-
:::
233+
:::

website/versioned_docs/version-1.30/preview_version.md

Lines changed: 8 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -20,12 +20,16 @@ intended for public testing prior to the final release.
2020

2121
## Current Preview Version
2222

23-
The current preview version is **1.30.0-rc1**.
23+
There are currently no preview versions available.
24+
25+
<!--
26+
The current preview version is **1.31.0-rc1**.
2427
2528
For more information on the current preview version and how to test, please view the links below:
2629
27-
- [Announcement](https://cloudnative-pg.io/releases/cloudnative-pg-1-30.0-rc1-released/)
28-
- [Documentation](https://cloudnative-pg.io/docs/preview/)
30+
- [Announcement](https://cloudnative-pg.io/releases/cloudnative-pg-1-31.0-rc1-released/)
31+
- [Documentation](https://cloudnative-pg.io/docs/1.31/)
32+
-->
2933

3034
## Purpose of Release Candidates
3135

@@ -73,7 +77,7 @@ non-production environment:
7377
- **Report Issues:** **Immediately report any issues or unexpected behavior**
7478
by opening a GitHub issue and clearly marking it with a **`Release
7579
Candidate`** tag or label, along with the RC version number
76-
(e.g., `1.29.0-rc1`).
80+
(e.g., `1.31.0-rc1`).
7781

7882
## Usage Advisory
7983

website/versioned_docs/version-1.30/release_notes.md

Lines changed: 4 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -9,16 +9,17 @@ title: Release notes
99

1010
History of user-visible changes for CloudNativePG, classified for each minor release.
1111

12-
- [CloudNativePG 1.30 - Release Candidate](release_notes/v1.30.md) (preview)
12+
<!-- - [CloudNativePG 1.31 - Release Candidate](release_notes/v1.31.md) (preview) -->
13+
- [CloudNativePG 1.30](release_notes/v1.30.md)
1314
- [CloudNativePG 1.29](release_notes/v1.29.md)
14-
- [CloudNativePG 1.28](release_notes/v1.28.md)
1515

1616
For information on the community support policy for CloudNativePG, please
1717
refer to ["Supported releases"](supported_releases.md).
1818

1919
Older releases:
2020

21-
- [CloudNativePG 1.27](release_notes/v1.27.md)
21+
- [CloudNativePG 1.28](release_notes/old/v1.28.md)
22+
- [CloudNativePG 1.27](release_notes/old/v1.27.md)
2223
- [CloudNativePG 1.26](release_notes/old/v1.26.md)
2324
- [CloudNativePG 1.25](release_notes/old/v1.25.md)
2425
- [CloudNativePG 1.24](release_notes/old/v1.24.md)

website/versioned_docs/version-1.30/release_notes/v1.27.md renamed to website/versioned_docs/version-1.30/release_notes/old/v1.27.md

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -506,8 +506,8 @@ on the release branch in GitHub.
506506

507507
### Important changes
508508

509-
- The default behavior of the [liveness probe](../instance_manager.md#liveness-probe) has been updated.
510-
An [isolated primary is now forcibly shut down](../instance_manager.md#primary-isolation)
509+
- The default behavior of the [liveness probe](../../instance_manager.md#liveness-probe) has been updated.
510+
An [isolated primary is now forcibly shut down](../../instance_manager.md#primary-isolation)
511511
within the configured `livenessProbeTimeout` (default: 30 seconds).
512512

513513
### Features

0 commit comments

Comments
 (0)