Skip to content
This documentation is sourced from a third-party project and is not maintained by pgEdge.

Release notes for CloudNativePG 1.29

History of user-visible changes in the 1.29 minor release of CloudNativePG.

For a complete list of changes, please refer to the commits on the release branch in GitHub.

Version 1.29.2

Release date: Jun 29, 2026

Important changes

  • Updated the deprecation notice for native (in-tree) Barman Cloud support to reflect that it will now be removed in CloudNativePG 1.31.0, rather than 1.30.0. Users are still encouraged to migrate to the Barman Cloud Plugin. (#11083)

  • The cluster reference is now immutable on the Database, Pooler, Publication, Subscription, and ScheduledBackup resources. Pointing one of these objects at a different cluster has no well-defined semantics and previously left the controllers in an inconsistent state; the update is now rejected at the API server via a CEL validation rule. (#10743)

Enhancements

  • Enabled pg_upgrade in-place major upgrades to PostgreSQL 19 or later for clusters that use Image Volume extensions, building on the extension-path support added to pg_upgrade in PostgreSQL 19. During the upgrade Job, the source- and target-version extension images are mounted side by side, so the old server keeps its libraries and a failed upgrade reverts cleanly. (#10366)

  • Added a label selector to the Cluster scale subresource (status.selector), making a Cluster a valid targetRef for the Vertical Pod Autoscaler (VPA) and Horizontal Pod Autoscaler (HPA), which can now map a Cluster to its instance pods. Contributed by @sebv004. (#8996)

  • The operator now emits a Warning PrimaryStatusCheckFailed event on the Cluster when the primary pod is Ready from the kubelet perspective but the operator's /pg/status check fails and failover is deferred, giving users visibility into the deferral via kubectl describe cluster. (#10509)

  • The operator now reloads a CNPG-i plugin automatically when its pods are rolled: it watches the EndpointSlices backing plugin Services and re-enqueues every cluster using the plugin once the new pods become Ready, so an upgraded plugin is picked up without waiting for the next resync. (#10836)

Security and Supply Chain

  • CVE-2026-55769 / GHSA-x8c2-3p4r-v9r6: search_path pinning on operator-issued connections: a database owner could plant overloaded built-in operators in the public schema and alter the search_path so that operator introspection probes, running as the cluster superuser, resolved those overloads before pg_catalog, a CWE-426 privilege-escalation chain (same class as CVE-2018-1058) that could lead to in-pod RCE via COPY ... FROM PROGRAM. The operator now pins search_path = pg_catalog, public, pg_temp on every pooled connection so it ships in the startup message and takes precedence over tenant-controlled defaults. (#10774, GHSA-x8c2-3p4r-v9r6)

  • CVE-2026-55765 / GHSA-w3gf-xc94-wvmj: operator-side SCRAM-SHA-256 password encoding: the operator now SCRAM-SHA-256 encodes cleartext role passwords before issuing CREATE/ALTER ROLE ... PASSWORD, so the literal PostgreSQL parses (and that extensions such as pg_stat_statements or pgaudit may capture) is the SCRAM verifier rather than the cleartext secret. Pre-hashed (MD5 or SCRAM) values are forwarded unchanged, and the per-Secret annotation cnpg.io/passwordPassthrough: "enabled" opts out. (#10724, GHSA-w3gf-xc94-wvmj)

Changes

  • Added support for Kubernetes 1.36. (#10900)

  • Updated the default PostgreSQL version to 18.4. (#10719)

  • Updated the Kubernetes versions used to test the operator on public cloud providers. (#10720, #10563, #11033)

Fixes

  • Fixed spec.postgresql.parameters accepting keys that are not valid PostgreSQL parameter names, which could inject arbitrary directives into postgresql.conf; key names are now validated by the webhook. (#11029)

  • Fixed declarative Database, Publication, and Subscription objects reporting a stale primary-side status forever after their cluster was demoted to a replica; the controller now re-checks the replica condition and watches the Cluster so a demotion is detected promptly. (#10871)

  • Fixed non-sequential pod names (for example -1, -3) caused by the instance serial counter being advanced before the corresponding Job and PVCs were created; the bump is now persisted only after those resources exist. (#10491)

  • Fixed a switchover deadlock when a WAL-archiver plugin was enabled on an existing cluster: with primaryUpdateMethod: switchover the primary could not be rolled out because a clean demotion needs the archiver sidecar that is still missing. The operator now recreates the primary Pod in place so the sidecar is injected and archiving resumes. The check also covers plugins that inject the archiver as a native sidecar (an init container with restartPolicy: Always), such as the Barman Cloud plugin. (#11032, #11059)

  • Fixed a cluster staying in Setting up primary indefinitely when the instance-creation Job exhausted its backoff limit; the operator now detects the terminal Job failure and marks the cluster unrecoverable, naming the failed Job and pointing to its logs. (#11035)

  • Fixed deletion of a Database, Publication, or Subscription getting stuck in Terminating on a replica cluster, where the replica gate ran before the finalizer reconciler and the finalizer was never released. On a replica the PostgreSQL object is left to the primary cluster. (#10853)

  • Fixed a conflicting duplicate Database or Subscription with a delete reclaim policy dropping the PostgreSQL object owned by the surviving CR; the drop is now gated on a recorded reconciliation. (#10870)

  • Fixed the postgres superuser being left locked out after superuser access was disabled and then re-enabled, because the cached secret version was not invalidated and the password was never re-applied. Diagnosed by @mhartmann-jaconi. (#10834)

  • Fixed backups getting stuck in the started phase when the instance manager running them was restarted (for example by the in-place upgrade following an operator upgrade) before the backup reached running; the reconciliation is now rescheduled so the lost session is detected. (#10859)

  • Fixed exec/attach streaming to negotiate WebSocket with a SPDY fallback, restoring compatibility both with Kubernetes versions that have removed SPDY and with platforms such as OpenShift that reject WebSocket exec upgrades. Contributed by @bartscheers. (#10876, #10933)

  • Fixed resource leaks when concurrent Backup objects raced: backups now run in strict creation-time order, so an already-executing backup is never preempted by a newer one and its replication slot and PostgreSQL session are no longer orphaned on the primary. Contributed by @GabriFedi97. (#10747)

  • Fixed role reconciliation clearing the password on a PostgreSQL role when the referenced Secret could not be fetched; the role is now left untouched until the Secret becomes available, and per-action errors are aggregated for better visibility. (#10053)

  • Fixed a bootstrap failure where a metrics-exporter setup error (commonly a duplicate-key race with the controller) rolled back streaming_replica creation and wedged replica joins. The metrics-exporter step now runs in a separate transaction. Contributed by @BlaiseAntony. (#10749)

  • Fixed a ScheduledBackup controller loop that occurred when a Backup was created but its status patch never landed; the controller now adopts an existing Backup for the next iteration instead of looping on AlreadyExists. (#10612)

  • Fixed a nil-pointer panic when reconciling a Pooler whose Cluster has been deleted. (#10667)

  • Fixed bootstrap log handling so that all named log pipes (postgres, postgres.csv, and postgres.json) get consumers during WithActiveInstance, preventing regular files from being created in place of the named pipes. (#10043)

  • Fixed generation of invalid IPv6 URLs by wrapping the address in square brackets. Contributed by @Infinoid. (#10682)

  • Fixed an external cluster plugin still being treated as active when its configuration set enabled: false. (#10932)

  • Fixed a race during bootstrap recovery from an object store where the restore job could read a stale Cluster (primary not yet recorded and timeline still unset) and have its .history files rejected by the split-brain guard. When this happened, recovery stopped at the base backup's timeline and silently dropped transactions committed on later timelines. History files are now allowed while the cluster timeline is unset. Contributed by @dennispidun. (#10818)

  • Fixed a cache race during cluster creation when the server and client CA resolve to the same Secret (the default): a stale informer cache triggered a redundant Create that failed with AlreadyExists and could leave the cluster stuck in Unable to create required cluster objects. The operator now reuses the already-fetched CA Secret when the names match. (#10989)

  • Fixed the pg_basebackup bootstrap path overwriting or failing on a pre-existing PGDATA (for example after a replica Pod restart) by enforcing the same pre-flight directory check already applied by the other bootstrap methods; this also protects statically provisioned PVCs from being silently overwritten. (#11006)

  • Fixed the Cluster phase flapping between Healthy and a plugin-failure phase when a post-reconcile plugin hook returned an error; the Healthy phase is now registered as the last step of a successful reconciliation, so a loop that ends in a plugin error never reports Healthy. Contributed by @GabriFedi97. (#10421)

  • Fixed stale certificate data and partial reads after an external server's Secret was rotated (for example a CA bundle shrinking from two certificates to one): the file is now written atomically, so libpq always reads either the old or the new value, never a mix. Contributed by @Anand-240. (#10975)

  • Fixed plugin connectivity to use the plugin Service FQDN instead of its short name, avoiding failures when a cluster-level proxy is automatically injected into pods. Contributed by @kdautrey. (#10921)

  • Fixed excessive operator log noise from the per-request Cluster create/update validation webhook messages, now logged at debug instead of info. (#10984)

  • Fixed a first-primary bootstrap deadlock where a status-patch conflict after the data PVC was created but before the initialization Job was started left the orphan Pending PVC counted as an instance, blocking the bootstrap gate; the PVC-state reconciler now recreates the bootstrap Job reusing the assigned serial. (#11039)

  • Fixed external cluster names and secret selector references being joined into filesystem paths without validation, letting a .. component or path separator escape the external secrets directory when the instance manager dumps connection material; these values are now rejected at the validating webhook and re-checked at the write site. Reported by @r0binak. (#11045)

  • Fixed a backup getting stuck in pending forever: the concurrent-backup gate ran on every reconcile and could overwrite an already-completed phase written asynchronously by the instance manager. The gate now runs only while the backup phase is still unset or pending. (#11056)

  • Fixed a declarative VolumeSnapshot backup being permanently marked as failed when a stale cache made the operator re-create a snapshot it had already provisioned, failing with AlreadyExists. The operator now tolerates the collision when the existing snapshot carries this backup's label and adopts it; a collision with a foreign snapshot still surfaces as an error. (#11071)

  • Fixed a volume snapshot backup being discarded on a transient instance-manager connection error (for example a dial timeout from a brief pod-network disruption) during the finalize step, even when its snapshots were already provisioned; such network errors are now retried instead of treated as terminal. (#11069)

  • Fixed a replica switchover losing its status.demotionToken when a reconcile was requeued between storing the token and cleaning up the transition metadata (for example a cleanup patch failing against a flaky webhook); the empty no-change token is no longer patched back over the stored value. (#11075)

  • cnpg plugin:

    • Fixed kubectl cnpg psql on Windows, where execution relied on a Unix-only system call and failed with "not supported by windows"; Windows now launches kubectl exec as a child process. Contributed by @Utkarsh-sharma47. (#10972)

    • Fixed an unbounded memory leak in kubectl cnpg logs -f on busy clusters, where a per-log-group timer was never released; timers are now reused across iterations. Contributed by @Anand-240. (#10976)

Version 1.29.1

Release date: May 8, 2026

Security and Supply Chain

  • CVE-2026-44477 / GHSA-423p-g724-fr39: metrics exporter privilege escalation: the metrics exporter no longer authenticates as the postgres superuser. It now uses a dedicated cnpg_metrics_exporter role with pg_monitor privileges only, closing a chain that let a low-privilege database user gain PostgreSQL superuser. (GHSA-423p-g724-fr39)

    Upgrade impact: custom monitoring queries that read user-owned tables, or use target_databases: '*' against databases where PUBLIC CONNECT has been revoked, need explicit GRANT statements to cnpg_metrics_exporter. See "Custom query privileges and safety" and "Manually creating the metrics exporter role" in the monitoring documentation.

    For replica clusters, upgrade the source primary cluster before any replica clusters that consume from it. The cnpg_metrics_exporter role is created on the source primary and replicates downstream; a replica cluster upgraded first will scrape against a missing role until the source primary upgrades. The manual-recovery section linked above also covers replica clusters.

  • Schema-qualified catalog references in default monitoring queries: hardened the shipped monitoring configuration and documentation samples by qualifying every pg_catalog object explicitly. Unqualified references resolve through search_path, which a database user can manipulate to shadow built-in objects. (#10576)

  • Discoverable SBOM and provenance attestations: SBOM and SLSA provenance attached to operator container images now follow the OCI 1.1 Referrers spec, so standard registry tooling and supply-chain scanners can discover them automatically. (#10601)

  • CVE remediation in github.com/jackc/pgx/v5: bumped to v5.9.2 to pick up upstream fixes for CVE-2026-33816 (memory-safety in pgproto3) and GHSA-j88v-2chj-qfwx (SQL injection via simple-protocol dollar-quoted string handling). (#10437, #10499)

  • CVE remediation in the Go runtime: built with Go 1.26.3 to pick up upstream fixes in crypto/x509, crypto/tls, net/http, and net (CVE-2026-32280, CVE-2026-32281, CVE-2026-33810, CVE-2026-33814, CVE-2026-33811, CVE-2026-39825). (#10463, #10647)

  • Build pipeline hardening: the Go 1.26.3 bump also addresses CVE-2026-42501 (cmd/go module-checksum validation), reducing supply-chain exposure during release builds. The affected code paths are not reachable from the running operator. (#10647)

Changes

  • Switched TLS peer verification from VerifyPeerCertificate to VerifyConnection, which runs on every completed handshake (the former is skipped on resumed TLS 1.3 sessions). Session resumption is not enabled in CloudNativePG today, so this has no observable effect, but it future-proofs verification if session caching is introduced later. (#10478)

Fixes

  • Fixed a failover window where the former primary kept its primary label. If it returned during failover (for example, after a transient network partition), the -rw service kept routing to it, replicas could reconnect, and committed writes were lost to pg_rewind. The old primary is now labeled unhealthy to isolate it from service traffic during failover. (#10409)

  • Fixed failover not being triggered when the node hosting the primary becomes unreachable. The operator now reads the pod's Ready condition (flipped to False by the node controller when the kubelet stops reporting) instead of ContainersReady, which stays stale as True in that scenario. Combined with the spurious-failover guard (#10445), failover triggers only when Kubernetes itself marks the pod not Ready. (#10448)

  • Fixed spurious failovers caused by transient failures on the primary's HTTP status endpoint. (#10445)

  • Fixed escaping of backslashes and control characters in PostgreSQL configuration values. Previously, such characters in parameters like log_line_prefix could corrupt the configuration file or be silently stripped at runtime. (#10515)

  • Fixed restore_command construction to shell-quote each argument. Values such as a destinationPath containing whitespace (for example, s3://my bucket/wal) were word-split by the POSIX shell and passed to the WAL restore tool as separate arguments. (#10518)

  • Tightened recoveryTarget validation in the admission webhook: targetXID must now be a non-negative 32-bit integer, and targetName must be shorter than 64 bytes and free of ASCII control characters. Malformed values are rejected at admission instead of failing later during PostgreSQL recovery. (#10565)

  • Fixed snapshot restores failing when leftover pgsql_tmp* directories were present in the data directory. (#10447)

  • Fixed a deadlock occurring when PVC storage size and resource requests are changed simultaneously. (#10427)

Version 1.29.0

Release date: Mar 31, 2026

Important changes

  • Updated the deprecation notice for native (in-tree) Barman Cloud support to reflect that it will now be removed in CloudNativePG 1.30.0, rather than 1.29.0. Users are still encouraged to migrate to the Barman Cloud Plugin. (#10167)

Features

  • PostgreSQL extensions in image catalogs: extended the ImageCatalog functionality to support PostgreSQL extensions. This allows users to define and manage extension-specific images within a catalog, simplifying the deployment of customized PostgreSQL builds. (#9781)

  • Dynamic network access control via pod selectors: introduced the declarative definition of podSelectorRefs to manage pg_hba.conf rules dynamically. By using label selectors to identify client pods, the operator automatically resolves their ephemeral IP addresses and updates the PostgreSQL host-based authentication rules accordingly. This ensures that only authorized workloads in the same namespace can connect to the database, eliminating the need for manual IP management or static CIDR ranges. (#10148)

  • Shared ServiceAccount support: added an optional serviceAccountName field to both Cluster and Pooler specifications. This allows multiple resources to share a pre-existing ServiceAccount, facilitating one-time IAM configurations (such as AWS IRSA, GCP Workload Identity, or Azure Workload Identity) across all clusters and poolers. Contributed by @bozkayasalihx. (#9287)

Enhancements

  • Improved the Pooler CRD with support for granular configuration of TLS cipher suites and minimum/maximum TLS versions. This enables administrators to meet strict security compliance requirements for pooler-to-client and pooler-to-server connections. Contributed by @alex1989hu. (#9571)

  • Improved the reliability of major upgrades by setting BackoffLimit=0 on the upgrade job, preventing unnecessary retries of a failed pg_upgrade. The operator now automatically deletes the failed job when a user reverts the container image, allowing the cluster to restart gracefully on the original version. (#10104, #10298)

  • Improved the operator's observability by emitting native Kubernetes events during key phases of the reconciliation loop, providing visibility into the operator's decision-making process and the lifecycle of managed resources directly through kubectl get events. (#10040)

  • Extended support for the cnpg.io/reconciliationDisabled annotation on Backup resources. This allows administrators to temporarily freeze the operator's reconciliation logic for specific backup objects. Contributed by @GabriFedi97. (#10020)

  • Added a bin_path field to the postgresql.extensions stanza, as well as in ImageCatalog and ClusterImageCatalog resources. This allows extensions to specify directory paths for external binaries, which are automatically appended to the PATH environment variable of the Postgres process. (#10250)

  • Added an env field to the postgresql.extensions stanza, as well as in ImageCatalog and ClusterImageCatalog resources. This allows cluster administrators to define custom environment variables for the Postgres process. This field supports the ${image_root} placeholder to dynamically resolve to the extension's absolute mount path. (#10375)

  • Implemented a finalizer for plugins to ensure that resources managed by a plugin are gracefully cleaned up when the corresponding service is deleted. (#9560)

  • Improved role management by verifying the instance is the primary before each reconciliation cycle, avoiding unnecessary reconciliation attempts and spurious error messages on read-only replicas. (#9971)

  • The operator now honors the primaryUpdateMethod when adding new PVCs to a cluster, ensuring that the rollout strategy (e.g., switchover vs. restart) is respected during storage expansion or additions. (#9720)

  • Refined the alpha.cnpg.io/unrecoverable annotation logic to allow it to function even on pods that have not yet reached the Ready state, facilitating the recovery of stuck instances. (#9968)

  • Introduced a "Terminal Error" phase for backups that encounter unrecoverable issues (such as invalid credentials or non-existent cloud buckets). This ensures the operator stops retrying doomed operations, preventing resource exhaustion and providing immediate, clear feedback in the status. (#9353)

  • Improved monitoring of long-running backups by introducing reconciliationStartedAt and reconciliationTerminatedAt fields to the Backup status. This change separates the operator's internal lifecycle from the actual backup tool's execution timing (startedAt/stoppedAt), allowing users to track when the operator begins processing a request. (#9351)

  • Added a Pending phase to the Backup status to explicitly indicate when a backup is queued and waiting for an available worker or instance availability. (#9364)

Security and Supply Chain

  • Security best practices integration: integrated the OpenSSF baseline scanner and added a SECURITY-INSIGHTS.yaml file to the repository to align with industry-standard security reporting. (#10054, #10062)

  • SLSA provenance and SBOMs: added SLSA (Supply-chain Levels for Software Artifacts) provenance to release binaries and container images. Additionally, enabled Software Bill of Materials (SBOM) generation within the GoReleaser pipeline for improved dependency transparency. (#10048, #10074)

  • Password leak prevention: fixed a potential security risk where PostgreSQL could leak role passwords in the logs during specific reconciliation phases. (#9950)

Changes

  • Updated the default PostgreSQL version to 18.3 (image 18.3-system-trixie). (#10090)

Fixes

  • Fixed a deadlock during operator upgrades affecting clusters using synchronous replication, where pods running the old and new operator versions computed different PostgreSQL configuration hashes, causing the uniformity check to block indefinitely and preventing both rolling updates and in-place upgrades from proceeding. (#10342)

  • Fixed an issue where fencing annotations could not be processed when the WAL disk was full, because the disk space check blocked the instance manager from starting. The check is now performed later in the lifecycle loop, after fencing is evaluated. (#10302)

  • Fixed an issue where replicas would get stuck in a Pending state if the VolumeSnapshot used for the initial bootstrap had been deleted. The operator now validates snapshot existence before use; if a snapshot is missing, it attempts to use the next available candidate or falls back to pg_basebackup. (#10192)

  • Prevented the "supervised primary" rollout strategy from consuming all available rollout slots, which previously caused delays in scheduled updates. Contributed by @ermakov-oleg. (#9977)

  • Fixed an issue where certain hot-standby parameter changes were not being correctly applied to replica clusters. (#9952)

  • Fixed a bug in the CNPG-I reconciler hook that could lead to skipping subsequent plugins when a "continue" result was returned. Contributed by @sharifmshaker. (#9978)

  • Fixed a deadlock scenario that occurred when attempting to resize a filesystem on a PVC that was not currently attached to a Pod. Contributed by @jmealo. (#9981)

  • Fixed webhook validation of bootstrap recovery sources to accept external clusters configured with ConnectionParameters (for pg_basebackup-based recovery). Previously, these were incorrectly rejected unless a Barman object store or CNPG-i plugin was also configured. (#10268)

  • Volume names for extensions and tablespaces are now prefixed to avoid naming collisions with standard cluster volumes. (#9973)

  • When hibernating a non-healthy cluster, the operator now reports a WaitingForHealthy condition, making the deferred hibernation state visible through cnpg status. (#10193)

  • Fixed fencing to work correctly even when the target pod does not exist. Fencing operates on a cluster-level annotation and should not depend on pod existence; instance name validation is now performed only in the cnpg fencing on command. (#10035)

  • Fixed the cluster and pooler service reconcilers to correctly handle changes to all spec fields when using the patch update strategy. The reconciler now uses RFC 7386 JSON Merge Patching, preventing cloud-provider-set fields (such as loadBalancerClass) from being inadvertently removed. (#10190, #10311)

  • Fixed a race condition in the deprecated in-tree Barman Cloud backup implementation affecting parallel WAL restore, where prefetched files could be read while still being downloaded, causing PostgreSQL recovery to fail with "invalid checkpoint record" errors. (#10285)

  • Fixed the timeline history file validation to also apply to plugin-based WAL restore. Previously, the protection introduced in #9650 only covered in-tree restores, allowing plugins to bypass the check and download future timeline history files, causing timeline mismatch errors on replicas. (#9849)

  • cnpg plugin:

    • The cnpg plugin now correctly propagates ImagePullSecrets to the pgbench Job pod template. (#10174)

Supported versions