feat(helm): update chart cloudnative-pg ( 0.28.3 → 0.29.0 )#4013
Open
renovate[bot] wants to merge 1 commit into
Open
feat(helm): update chart cloudnative-pg ( 0.28.3 → 0.29.0 )#4013renovate[bot] wants to merge 1 commit into
renovate[bot] wants to merge 1 commit into
Conversation
| datasource | package | from | to | | ---------- | -------------- | ------ | ------ | | helm | cloudnative-pg | 0.28.3 | 0.29.0 | Signed-off-by: Winston R. Milling <wrmilling@users.noreply.github.com>
There was a problem hiding this comment.
cloudnative-pg chart: 0.28.3 → 0.29.0 (operator: 1.29.1 → 1.30.0)
Verdict: Safe to merge — no breaking changes affect this repo. Brings important security fixes.
Security fixes (all apply to this repo):
- CVE-2026-55769 (
search_pathprivilege escalation): A database owner could plant overloaded operators inpublicschema to escalate privileges on operator superuser connections. Fixed by pinningsearch_pathon all pooled connections. Relevant since all 4 clusters useenableSuperuserAccess: true. - GHSA-7qwx-x8ff-3px9 (unauthenticated operator-to-instance calls): Instance manager control endpoints previously relied on network isolation only. The operator now uses ECDSA client certificates for authentication. This fix is not backported — only available in 1.30+.
- CVE-2026-55765 (cleartext passwords in logs): The operator now SCRAM-SHA-256 encodes passwords before issuing role commands, preventing cleartext exposure in
pg_stat_statementsorpgaudit.
Deprecations:
- In-tree Barman Cloud support deprecation has been extended to 1.31.0 (previously scheduled for 1.30.0). All 4 clusters (
mastodon-psql-v17,synapse-psql-v17,synapse-st-psql-v17,shared-psql-v17) use in-treebarmanObjectStore— this continues to work in 1.30.0 but migration to the Barman Cloud Plugin should be planned before 1.31.0. status.latestGeneratedNodeis deprecated (instance serial numbers now reuse lowest free slot). No repo impact — this is an internal status field.
New features worth noting:
- Primary Lease for safe promotion: A Kubernetes
Leaseobject serializes primary promotion, improving upgrade safety. Relevant since all clusters useprimaryUpdateStrategy: unsupervised. - DatabaseRole CRD: Manage PostgreSQL roles as standalone Kubernetes objects instead of inline in the Cluster spec. Could simplify role management for Mastodon/Synapse databases in the future.
clusterreference immutability:Database,Pooler,Publication,Subscription, andScheduledBackupresources can no longer change their cluster reference. All 4ScheduledBackupresources in this repo already point to the correct clusters — no impact.
Relevant bug fixes:
- Fixed backups stuck in
startedphase when instance manager restarts during operator upgrade - Fixed concurrent
Backuprace conditions leaking replication slots and PostgreSQL sessions - Fixed superuser being locked out after disabling and re-enabling
enableSuperuserAccess - Fixed
ScheduledBackupcontroller loop when backup status patches fail - Fixed bootstrap recovery race where
.historyfiles were rejected by split-brain guard - Fixed switchover deadlock when WAL-archiver plugin enabled
CRD changes: Chart has crds: create: true, so new CRDs (e.g. DatabaseRole) will be created and existing ones updated automatically. RBAC templates add permissions for databaseroles resources and endpointslices (for plugin reload detection).
Not applicable to this repo:
- PgBouncer image catalog management — no
Poolerresources used - TLS client certificates for declarative roles — no
DatabaseRoleresources used pg_upgradein-place major upgrades to PG 19+ — clusters run PG 17- VPA/HPA label selector — no autoscaling configured
Known issues: No bugs or regressions reported against v1.30.0 in the upstream issue tracker as of today (released 2026-06-29).
Sources consulted:
- Chart release notes (v0.29.0)
- Operator release notes (v1.30.0)
- Chart diff (v0.28.3...v0.29.0)
- Upstream issue tracker (searched for bugs/regressions against v1.30.0)
Claude Review Usage
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
0.28.3→0.29.0Release Notes
cloudnative-pg/charts (cloudnative-pg)
v0.29.0Compare Source
CloudNativePG Operator Helm Chart
What's Changed
New Contributors
Full Changelog: cloudnative-pg/charts@cluster-v0.7.0...cloudnative-pg-v0.29.0
Configuration
📅 Schedule: (in timezone America/Chicago)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.