Skip to content

feat(helm): update chart cloudnative-pg ( 0.28.3 → 0.29.0 )#4013

Open
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/cloudnative-pg-0.x
Open

feat(helm): update chart cloudnative-pg ( 0.28.3 → 0.29.0 )#4013
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/cloudnative-pg-0.x

Conversation

@renovate

@renovate renovate Bot commented Jun 29, 2026

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Update Change
cloudnative-pg (source) minor 0.28.30.29.0

Release Notes

cloudnative-pg/charts (cloudnative-pg)

v0.29.0

Compare Source

CloudNativePG Operator Helm Chart

What's Changed

New Contributors

Full Changelog: cloudnative-pg/charts@cluster-v0.7.0...cloudnative-pg-v0.29.0


Configuration

📅 Schedule: (in timezone America/Chicago)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

| datasource | package        | from   | to     |
| ---------- | -------------- | ------ | ------ |
| helm       | cloudnative-pg | 0.28.3 | 0.29.0 |


Signed-off-by: Winston R. Milling <wrmilling@users.noreply.github.com>

@claude claude Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

cloudnative-pg chart: 0.28.3 → 0.29.0 (operator: 1.29.1 → 1.30.0)

Verdict: Safe to merge — no breaking changes affect this repo. Brings important security fixes.

Security fixes (all apply to this repo):

  • CVE-2026-55769 (search_path privilege escalation): A database owner could plant overloaded operators in public schema to escalate privileges on operator superuser connections. Fixed by pinning search_path on all pooled connections. Relevant since all 4 clusters use enableSuperuserAccess: true.
  • GHSA-7qwx-x8ff-3px9 (unauthenticated operator-to-instance calls): Instance manager control endpoints previously relied on network isolation only. The operator now uses ECDSA client certificates for authentication. This fix is not backported — only available in 1.30+.
  • CVE-2026-55765 (cleartext passwords in logs): The operator now SCRAM-SHA-256 encodes passwords before issuing role commands, preventing cleartext exposure in pg_stat_statements or pgaudit.

Deprecations:

  • In-tree Barman Cloud support deprecation has been extended to 1.31.0 (previously scheduled for 1.30.0). All 4 clusters (mastodon-psql-v17, synapse-psql-v17, synapse-st-psql-v17, shared-psql-v17) use in-tree barmanObjectStore — this continues to work in 1.30.0 but migration to the Barman Cloud Plugin should be planned before 1.31.0.
  • status.latestGeneratedNode is deprecated (instance serial numbers now reuse lowest free slot). No repo impact — this is an internal status field.

New features worth noting:

  • Primary Lease for safe promotion: A Kubernetes Lease object serializes primary promotion, improving upgrade safety. Relevant since all clusters use primaryUpdateStrategy: unsupervised.
  • DatabaseRole CRD: Manage PostgreSQL roles as standalone Kubernetes objects instead of inline in the Cluster spec. Could simplify role management for Mastodon/Synapse databases in the future.
  • cluster reference immutability: Database, Pooler, Publication, Subscription, and ScheduledBackup resources can no longer change their cluster reference. All 4 ScheduledBackup resources in this repo already point to the correct clusters — no impact.

Relevant bug fixes:

  • Fixed backups stuck in started phase when instance manager restarts during operator upgrade
  • Fixed concurrent Backup race conditions leaking replication slots and PostgreSQL sessions
  • Fixed superuser being locked out after disabling and re-enabling enableSuperuserAccess
  • Fixed ScheduledBackup controller loop when backup status patches fail
  • Fixed bootstrap recovery race where .history files were rejected by split-brain guard
  • Fixed switchover deadlock when WAL-archiver plugin enabled

CRD changes: Chart has crds: create: true, so new CRDs (e.g. DatabaseRole) will be created and existing ones updated automatically. RBAC templates add permissions for databaseroles resources and endpointslices (for plugin reload detection).

Not applicable to this repo:

  • PgBouncer image catalog management — no Pooler resources used
  • TLS client certificates for declarative roles — no DatabaseRole resources used
  • pg_upgrade in-place major upgrades to PG 19+ — clusters run PG 17
  • VPA/HPA label selector — no autoscaling configured

Known issues: No bugs or regressions reported against v1.30.0 in the upstream issue tracker as of today (released 2026-06-29).

Sources consulted:

@github-actions

Copy link
Copy Markdown

Claude Review Usage

When (UTC) Version Model Turns Cost
2026-06-29 19:12 0.28.3 -> 0.29.0 claude-sonnet-4-6 26 $0.5226

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants