Skip to content

Update mono-repo packages#25

Open
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/mono-repo-packages
Open

Update mono-repo packages#25
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/mono-repo-packages

Conversation

@renovate

@renovate renovate Bot commented May 18, 2026

Copy link
Copy Markdown
Contributor

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package Update Change
argoproj/argo-cd patch v3.4.2v3.4.5
cert-manager/cert-manager minor v1.20.2v1.21.0
cloudnative-pg/cloudnative-pg minor v1.29.1v1.30.0
isindir/sops-secrets-operator patch 0.21.00.21.1
k3s-io/helm-controller patch v0.17.2v0.17.3
k8s.contrib.crd patch 4.2.14.2.2
lucsoft.k8s.NetworkPolicies minor 0.3.00.5.12
lucsoft.k8s.Resource minor 0.3.00.5.12
lucsoft.k8s.Workload patch 0.5.00.5.12
pkl.experimental.deepToTyped patch 1.2.01.2.1

Release Notes

argoproj/argo-cd (argoproj/argo-cd)

v3.4.5

Compare Source

Quick Start

Non-HA:
kubectl create namespace argocd
kubectl apply -n argocd --server-side --force-conflicts -f https://raw.githubusercontent.com/argoproj/argo-cd/v3.4.5/manifests/install.yaml
HA:
kubectl create namespace argocd
kubectl apply -n argocd --server-side --force-conflicts -f https://raw.githubusercontent.com/argoproj/argo-cd/v3.4.5/manifests/ha/install.yaml

Release Signatures and Provenance

All Argo CD container images are signed by cosign. A Provenance is generated for container images and CLI binaries which meet the SLSA Level 3 specifications. See the documentation on how to verify.

Release Notes Blog Post

For a detailed breakdown of the key changes and improvements in this release, check out the official blog post

Upgrading

If upgrading from a different minor version, be sure to read the upgrading documentation.

Changelog

Bug fixes
Dependency updates

Full Changelog: argoproj/argo-cd@v3.4.4...v3.4.5

v3.4.4

Compare Source

Quick Start

Non-HA:
kubectl create namespace argocd
kubectl apply -n argocd --server-side --force-conflicts -f https://raw.githubusercontent.com/argoproj/argo-cd/v3.4.4/manifests/install.yaml
HA:
kubectl create namespace argocd
kubectl apply -n argocd --server-side --force-conflicts -f https://raw.githubusercontent.com/argoproj/argo-cd/v3.4.4/manifests/ha/install.yaml

Release Signatures and Provenance

All Argo CD container images are signed by cosign. A Provenance is generated for container images and CLI binaries which meet the SLSA Level 3 specifications. See the documentation on how to verify.

Release Notes Blog Post

For a detailed breakdown of the key changes and improvements in this release, check out the official blog post

Upgrading

If upgrading from a different minor version, be sure to read the upgrading documentation.

Changelog

Bug fixes
Other work

Full Changelog: argoproj/argo-cd@v3.4.3...v3.4.4

v3.4.3

Compare Source

Quick Start

Non-HA:
kubectl create namespace argocd
kubectl apply -n argocd --server-side --force-conflicts -f https://raw.githubusercontent.com/argoproj/argo-cd/v3.4.3/manifests/install.yaml
HA:
kubectl create namespace argocd
kubectl apply -n argocd --server-side --force-conflicts -f https://raw.githubusercontent.com/argoproj/argo-cd/v3.4.3/manifests/ha/install.yaml

Release Signatures and Provenance

All Argo CD container images are signed by cosign. A Provenance is generated for container images and CLI binaries which meet the SLSA Level 3 specifications. See the documentation on how to verify.

Release Notes Blog Post

For a detailed breakdown of the key changes and improvements in this release, check out the official blog post

Upgrading

If upgrading from a different minor version, be sure to read the upgrading documentation.

Changelog

Bug fixes
  • f435b0f fix(cli): return immediately from 'app wait' when app is already in desired state (#​12211) (#​27503) (#​27713) (jheyduk)
  • b39fe4f fix(lint): unnecessary nesting (cherry-pick #​27815 for 3.4) (#​27817) (argo-cd-cherry-pick-bot[bot], Michael Crenshaw)
  • 668f2c5 fix(ui): don't prefetch errors (#​27877) (cherry-pick #​27925 for 3.4) (#​28024) (argo-cd-cherry-pick-bot[bot], Blake Pettersson)
  • b796979 fix(ui): return full source for non-hydrator apps in Parameters tab (cherry-pick #​26946 for 3.4) (#​27964) (Gabriel Barreto, himeshp)
  • 5d3f8a0 fix: honor repo depth setting in gitSourceHasChanges and fetch functions (cherry-pick #​27838 for 3.4) (#​28043) (argo-cd-cherry-pick-bot[bot], alexandresavicki, Cursor)
  • 35ed877 fix: nil-check (cherry-pick #​28039 for 3.4) (#​28040) (argo-cd-cherry-pick-bot[bot], Blake Pettersson, Soumya Ghosh Dastidar)
  • b0f1553 fix: prevent InvalidSpecError race in application controller startup (cherry-pick #​27672 for 3.4) (#​27845) (argo-cd-cherry-pick-bot[bot], Michele Baldessari)
  • 4fa0950 fix: truncate labels for deletion hook resources (cherry-pick #​27542 for 3.4) (#​27714) (argo-cd-cherry-pick-bot[bot], Jaewoo Choi)
Dependency updates
Other work
  • ce55c85 fix(gitops-engine): fix nil pointer dereference error in removeWebookMutation() (cherry-pick #​27749 for 3.4) (#​28031) (argo-cd-cherry-pick-bot[bot], Pierre Guinoiseau)

Full Changelog: argoproj/argo-cd@v3.4.2...v3.4.3

cert-manager/cert-manager (cert-manager/cert-manager)

v1.21.0

Compare Source

v1.20.3

Compare Source

cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.

This patch release fixes a security issue (GHSA-8rvj-mm4h-c258, HIGH) where the default cert-manager-edit aggregate ClusterRole granted namespace users permission to create ACME Challenge and Order resources directly. A user who could create a Challenge referencing a ClusterIssuer could supply attacker-controlled solver configuration while cert-manager loaded credentials from the ClusterIssuer's namespace, bypassing Issuer solver selectors (dnsZones, dnsNames, matchLabels). With the acme-dns provider specifically, this could disclose DNS credentials to an attacker-controlled endpoint.

This release also removes the issuer owner reference from Challenges which was blocking Challenge garbage collection, and updates Go to fix reported CVEs.

All users should upgrade.

[!WARNING]
Potentially breaking change: The cert-manager-edit aggregate ClusterRole no longer grants create for challenges.acme.cert-manager.io or create, patch, update for orders.acme.cert-manager.io. These resources are internal to cert-manager's ACME workflow and are not intended to be created or modified directly by users. If you have tooling or workflows that create Challenge or Order resources directly (outside of the normal Certificate → CertificateRequest → Order → Challenge flow), you will need to grant those permissions explicitly.

Changes by Kind

Bug or Regression
Other (Cleanup or Flake)
cloudnative-pg/cloudnative-pg (cloudnative-pg/cloudnative-pg)

v1.30.0

Compare Source

Release date: Jun 29, 2026

Important changes
  • Updated the deprecation notice for native (in-tree) Barman Cloud support to reflect that it will now be removed in CloudNativePG 1.31.0, rather than 1.30.0. Users are still encouraged to migrate to the Barman Cloud Plugin. (#​11083)

  • The cluster reference is now immutable on the Database, Pooler, Publication, Subscription, and ScheduledBackup resources. Pointing one of these objects at a different cluster has no well-defined semantics and previously left the controllers in an inconsistent state; the update is now rejected at the API server via a CEL validation rule. (#​10743)

Features
  • Primary Lease for safe primary election: introduced a Kubernetes Lease object (named after the cluster) that acts as a mutex serializing primary promotion: the instance manager must hold the lease before acting as primary and releases it on clean shutdown so replicas can promote without waiting for the full TTL. Timings are configurable via the new .spec.primaryLease stanza. The lease is a promotion gate, not a fence. Primary isolation remains responsible for fencing. (#​10627)

  • DatabaseRole CRD for declarative role management: introduced a DatabaseRole custom resource that manages a PostgreSQL role as a standalone Kubernetes object, instead of declaring it inline in the Cluster's .spec.managed.roles stanza. Each role gets its own lifecycle, status, and RBAC, which suits GitOps workflows and lets role definitions live next to the applications that own them. The spec reuses the same RoleConfiguration structure as the inline method, so migrating a role is a matter of moving the stanza into its own manifest. A databaseRoleReclaimPolicy field (retain, the default, or delete) controls what happens to the role when the resource is deleted, mirroring persistent volumes. (#​6155)

  • TLS client certificates for declarative roles: a DatabaseRole can now include a clientCertificate block to have the operator automatically generate and renew a TLS client certificate, signed by the cluster's client CA and stored in a <databaserole-name>-client-cert Secret. This enables password-free PostgreSQL cert authentication; the Secret is cleaned up when the feature is disabled or the DatabaseRole is deleted. (#​10896)

  • PgBouncer image management via image catalogs: the Pooler resource can now reference an entry in an ImageCatalog or ClusterImageCatalog through the new spec.pgbouncer.imageCatalogRef field, centralizing PgBouncer image management. When a catalog entry is updated, all referencing Poolers are automatically reconciled and roll out the new image without any change to their spec. The resolved image is reported in status.image, and a new status.phase (active, paused, inactive, or failed), also surfaced as a Phase column in kubectl get pooler, summarizes the lifecycle. (#​10568)

Enhancements
  • Enabled pg_upgrade in-place major upgrades to PostgreSQL 19 or later for clusters that use Image Volume extensions, building on the extension-path support added to pg_upgrade in PostgreSQL 19. During the upgrade Job, the source- and target-version extension images are mounted side by side, so the old server keeps its libraries and a failed upgrade reverts cleanly. (#​10366)

  • Added TLS support for the Pooler metrics endpoint via .spec.monitoring.tls.enabled. When enabled, the metrics server is served over HTTPS, reusing the certificate and key from .spec.pgbouncer.clientTLSSecret and reloading it on every handshake to support rotation without a restart; the generated PodMonitor scrapes over https accordingly. (#​10466)

  • Added a label selector to the Cluster scale subresource (status.selector), making a Cluster a valid targetRef for the Vertical Pod Autoscaler (VPA) and Horizontal Pod Autoscaler (HPA), which can now map a Cluster to its instance pods. Contributed by @​sebv004. (#​8996)

  • The operator now emits a Warning PrimaryStatusCheckFailed event on the Cluster when the primary pod is Ready from the kubelet perspective but the operator's /pg/status check fails and failover is deferred, giving users visibility into the deferral via kubectl describe cluster. (#​10509)

  • Added the ENABLE_WEBHOOK_NAMESPACE_SUFFIX flag, which suffixes the operator's webhook configuration names with -<OPERATOR_NAMESPACE> so that multiple operator instances can coexist on the same cluster. The operator only looks up these configurations; users must create and maintain them. Contributed by @​maxlengdell. (#​10420)

  • The operator now reloads a CNPG-i plugin automatically when its pods are rolled: it watches the EndpointSlices backing plugin Services and re-enqueues every cluster using the plugin once the new pods become Ready, so an upgraded plugin is picked up without waiting for the next resync. (#​10836)

  • Instance serial numbers are now assigned by reusing the lowest free slot among existing instance names, instead of always incrementing a global counter. Pod and PVC names stay stable across instance recreation (for example, an instance recreated after a node drain comes back with the same name), and serials freed by deleted instances are reclaimed. A new Initialized cluster condition reports whether the cluster has completed its first bootstrap, and status.latestGeneratedNode is deprecated: it is no longer written, but is preserved on the CRD for backward compatibility. (#​10548)

  • Defaulting and validation now run during reconciliation as a fallback when admission webhooks are unavailable, or configured to ignore failures, so the operator no longer reconciles invalid or incomplete specs. Missing defaults are applied directly, and validation failures are surfaced in the resource status instead of failing silently later. (#​10874)

Security
  • CVE-2026-55769 / GHSA-x8c2-3p4r-v9r6: search_path pinning on operator-issued connections: a database owner could plant overloaded built-in operators in the public schema and alter the search_path so that operator introspection probes, running as the cluster superuser, resolved those overloads before pg_catalog, a CWE-426 privilege-escalation chain (same class as CVE-2018-1058) that could lead to in-pod RCE via COPY ... FROM PROGRAM. The operator now pins search_path = pg_catalog, public, pg_temp on every pooled connection so it ships in the startup message and takes precedence over tenant-controlled defaults. (#​10774, GHSA-x8c2-3p4r-v9r6)

  • GHSA-7qwx-x8ff-3px9: authenticated operator-to-instance-manager calls: the instance manager's remote webserver relied on network isolation rather than authentication for its operator-only control endpoints, so any party able to reach the pod's status port could invoke them, disrupting backup orchestration and WAL archival and reading operational metadata. (The upgrade endpoint is SHA-256-pinned, so this did not permit arbitrary code execution.) The operator now generates an in-memory ECDSA P-256 client certificate at startup and reconciles its SHA-256 fingerprint into the cluster status; the instance manager rejects requests to sensitive endpoints that do not present a matching certificate. This hardening is not backported; earlier releases should continue to restrict the status port with a NetworkPolicy. (#​10579, GHSA-7qwx-x8ff-3px9)

  • CVE-2026-55765 / GHSA-w3gf-xc94-wvmj: operator-side SCRAM-SHA-256 password encoding: the operator now SCRAM-SHA-256 encodes cleartext role passwords before issuing CREATE/ALTER ROLE ... PASSWORD, so the literal PostgreSQL parses (and that extensions such as pg_stat_statements or pgaudit may capture) is the SCRAM verifier rather than the cleartext secret. Pre-hashed (MD5 or SCRAM) values are forwarded unchanged, and the per-Secret annotation cnpg.io/passwordPassthrough: "enabled" opts out. (#​10724, GHSA-w3gf-xc94-wvmj)

Changes
  • Added support for Kubernetes 1.36. (#​10900)

  • Updated the default PostgreSQL version to 18.4. (#​10719)

  • Updated the Kubernetes versions used to test the operator on public cloud providers. (#​10720, #​10563, #​11033)

Fixes
  • Fixed declarative Database, Publication, and Subscription objects reporting a stale primary-side status forever after their cluster was demoted to a replica; the controller now re-checks the replica condition and watches the Cluster so a demotion is detected promptly. (#​10871)

  • Fixed non-sequential pod names (for example -1, -3) caused by the instance serial counter being advanced before the corresponding Job and PVCs were created; the bump is now persisted only after those resources exist. (#​10491)

  • Fixed deletion of a Database, Publication, or Subscription getting stuck in Terminating on a replica cluster, where the replica gate ran before the finalizer reconciler and the finalizer was never released. On a replica the PostgreSQL object is left to the primary cluster. (#​10853)

  • Fixed a conflicting duplicate Database or Subscription with a delete reclaim policy dropping the PostgreSQL object owned by the surviving CR; the drop is now gated on a recorded reconciliation. (#​10870)

  • Fixed the postgres superuser being left locked out after superuser access was disabled and then re-enabled, because the cached secret version was not invalidated and the password was never re-applied. Diagnosed by @​mhartmann-jaconi. (#​10834)

  • Fixed backups getting stuck in the started phase when the instance manager running them was restarted (for example by the in-place upgrade following an operator upgrade) before the backup reached running; the reconciliation is now rescheduled so the lost session is detected. (#​10859)

  • Fixed exec/attach streaming to negotiate WebSocket with a SPDY fallback, restoring compatibility both with Kubernetes versions that have removed SPDY and with platforms such as OpenShift that reject WebSocket exec upgrades. Contributed by @​bartscheers. (#​10876, #​10933)

  • Fixed resource leaks when concurrent Backup objects raced: backups now run in strict creation-time order, so an already-executing backup is never preempted by a newer one and its replication slot and PostgreSQL session are no longer orphaned on the primary. Contributed by @​GabriFedi97. (#​10747)

  • Fixed role reconciliation clearing the password on a PostgreSQL role when the referenced Secret could not be fetched; the role is now left untouched until the Secret becomes available, and per-action errors are aggregated for better visibility. (#​10053)

  • Fixed a bootstrap failure where a metrics-exporter setup error (commonly a duplicate-key race with the controller) rolled back streaming_replica creation and wedged replica joins. The metrics-exporter step now runs in a separate transaction. Contributed by @​BlaiseAntony. (#​10749)

  • Fixed a ScheduledBackup controller loop that occurred when a Backup was created but its status patch never landed; the controller now adopts an existing Backup for the next iteration instead of looping on AlreadyExists. (#​10612)

  • Fixed a nil-pointer panic when reconciling a Pooler whose Cluster has been deleted. (#​10667)

  • Fixed bootstrap log handling so that all named log pipes (postgres, postgres.csv, and postgres.json) get consumers during WithActiveInstance, preventing regular files from being created in place of the named pipes. (#​10043)

  • Fixed generation of invalid IPv6 URLs by wrapping the address in square brackets. Contributed by @​Infinoid. (#​10682)

  • Fixed an external cluster plugin still being treated as active when its configuration set enabled: false. (#​10932)

  • Fixed a race during bootstrap recovery from an object store where the restore job could read a stale Cluster (primary not yet recorded and timeline still unset) and have its .history files rejected by the split-brain guard. When this happened, recovery stopped at the base backup's timeline and silently dropped transactions committed on later timelines. History files are now allowed while the cluster timeline is unset. Contributed by @​dennispidun. (#​10818)

  • Fixed a race where deleting an instance's PVCs could leave the instance permanently stuck: if the data PVC was removed while a WAL PVC was still terminating, the operator recreated the instance bound to the terminating volume, leaving the Pod unschedulable and blocking all further reconciliation. The operator now waits for terminating PVCs to be fully removed before recreating or reattaching an instance, and surfaces the wait through a log line and the cluster phase. (#​11017)

  • Fixed a cache race during cluster creation when the server and client CA resolve to the same Secret (the default): a stale informer cache triggered a redundant Create that failed with AlreadyExists and could leave the cluster stuck in Unable to create required cluster objects. The operator now reuses the already-fetched CA Secret when the names match. (#​10989)

  • Fixed the pg_basebackup bootstrap path overwriting or failing on a pre-existing PGDATA (for example after a replica Pod restart) by enforcing the same pre-flight directory check already applied by the other bootstrap methods; this also protects statically provisioned PVCs from being silently overwritten. (#​11006)

  • Fixed the Cluster phase flapping between Healthy and a plugin-failure phase when a post-reconcile plugin hook returned an error; the Healthy phase is now registered as the last step of a successful reconciliation, so a loop that ends in a plugin error never reports Healthy. Contributed by @​GabriFedi97. (#​10421)

  • Fixed stale certificate data and partial reads after an external server's Secret was rotated (for example a CA bundle shrinking from two certificates to one): the file is now written atomically, so libpq always reads either the old or the new value, never a mix. Contributed by @​Anand-240. (#​10975)

  • Fixed plugin connectivity to use the plugin Service FQDN instead of its short name, avoiding failures when a cluster-level proxy is automatically injected into pods. Contributed by @​kdautrey. (#​10921)

  • Fixed excessive operator log noise from the per-request Cluster create/update validation webhook messages, now logged at debug instead of info. (#​10984)

  • Fixed spec.postgresql.parameters accepting keys that are not valid PostgreSQL parameter names, which could inject arbitrary directives into postgresql.conf; key names are now validated by the webhook. (#​11029)

  • Fixed a switchover deadlock when a WAL-archiver plugin was enabled on an existing cluster: with primaryUpdateMethod: switchover the primary could not be rolled out because a clean demotion needs the archiver sidecar that is still missing. The operator now recreates the primary Pod in place so the sidecar is injected and archiving resumes. The check also covers plugins that inject the archiver as a native sidecar (an init container with restartPolicy: Always), such as the Barman Cloud plugin. (#​11032, #​11059)

  • Fixed a cluster staying in Setting up primary indefinitely when the instance-creation Job exhausted its backoff limit; the operator now detects the terminal Job failure and marks the cluster unrecoverable, naming the failed Job and pointing to its logs. (#​11035)

  • Fixed a first-primary bootstrap deadlock where a status-patch conflict after the data PVC was created but before the initialization Job was started left the orphan Pending PVC counted as an instance, blocking the bootstrap gate; the PVC-state reconciler now recreates the bootstrap Job reusing the assigned serial. (#​11039)

  • Fixed external cluster names and secret selector references being joined into filesystem paths without validation, letting a .. component or path separator escape the external secrets directory when the instance manager dumps connection material; these values are now rejected at the validating webhook and re-checked at the write site. Reported by @​r0binak. (#​11045)

  • Fixed a backup getting stuck in pending forever: the concurrent-backup gate ran on every reconcile and could overwrite an already-completed phase written asynchronously by the instance manager. The gate now runs only while the backup phase is still unset or pending. (#​11056)

  • Fixed a declarative VolumeSnapshot backup being permanently marked as failed when a stale cache made the operator re-create a snapshot it had already provisioned, failing with AlreadyExists. The operator now tolerates the collision when the existing snapshot carries this backup's label and adopts it; a collision with a foreign snapshot still surfaces as an error. (#​11071)

  • Fixed a volume snapshot backup being discarded on a transient instance-manager connection error (for example a dial timeout from a brief pod-network disruption) during the finalize step, even when its snapshots were already provisioned; such network errors are now retried instead of treated as terminal. (#​11069)

  • Fixed a replica switchover losing its status.demotionToken when a reconcile was requeued between storing the token and cleaning up the transition metadata (for example a cleanup patch failing against a flaky webhook); the empty no-change token is no longer patched back over the stored value. (#​11075)

  • cnpg plugin:

    • Fixed kubectl cnpg psql on Windows, where execution relied on a Unix-only system call and failed with "not supported by windows"; Windows now launches kubectl exec as a child process. Contributed by @​Utkarsh-sharma47. (#​10972)

    • Fixed an unbounded memory leak in kubectl cnpg logs -f on busy clusters, where a per-log-group timer was never released; timers are now reused across iterations. Contributed by @​Anand-240. (#​10976)

Supported versions
  • Kubernetes 1.36, 1.35, and 1.34
  • PostgreSQL 18, 17, 16, 15, and 14
    • PostgreSQL 18.4 is the default image
    • PostgreSQL 14 support ends on November 12, 2026

v1.29.2

Compare Source

Release date: Jun 29, 2026

Important changes
  • Updated the deprecation notice for native (in-tree) Barman Cloud support to reflect that it will now be removed in CloudNativePG 1.31.0, rather than 1.30.0. Users are still encouraged to migrate to the Barman Cloud Plugin. (#​11083)

  • The cluster reference is now immutable on the Database, Pooler, Publication, Subscription, and ScheduledBackup resources. Pointing one of these objects at a different cluster has no well-defined semantics and previously left the controllers in an inconsistent state; the update is now rejected at the API server via a CEL validation rule. (#​10743)

Enhancements
  • Enabled pg_upgrade in-place major upgrades to PostgreSQL 19 or later for clusters that use Image Volume extensions, building on the extension-path support added to pg_upgrade in PostgreSQL 19. During the upgrade Job, the source- and target-version extension images are mounted side by side, so the old server keeps its libraries and a failed upgrade reverts cleanly. (#​10366)

  • Added a label selector to the Cluster scale subresource (status.selector), making a Cluster a valid targetRef for the Vertical Pod Autoscaler (VPA) and Horizontal Pod Autoscaler (HPA), which can now map a Cluster to its instance pods. Contributed by @​sebv004. (#​8996)

  • The operator now emits a Warning PrimaryStatusCheckFailed event on the Cluster when the primary pod is Ready from the kubelet perspective but the operator's /pg/status check fails and failover is deferred, giving users visibility into the deferral via kubectl describe cluster. (#​10509)

  • The operator now reloads a CNPG-i plugin automatically when its pods are rolled: it watches the EndpointSlices backing plugin Services and re-enqueues every cluster using the plugin once the new pods become Ready, so an upgraded plugin is picked up without waiting for the next resync. (#​10836)

Security and Supply Chain
  • CVE-2026-55769 / GHSA-x8c2-3p4r-v9r6: search_path pinning on operator-issued connections: a database owner could plant overloaded built-in operators in the public schema and alter the search_path so that operator introspection probes, running as the cluster superuser, resolved those overloads before pg_catalog, a CWE-426 privilege-escalation chain (same class as CVE-2018-1058) that could lead to in-pod RCE via COPY ... FROM PROGRAM. The operator now pins search_path = pg_catalog, public, pg_temp on every pooled connection so it ships in the startup message and takes precedence over tenant-controlled defaults. (#​10774, GHSA-x8c2-3p4r-v9r6)

  • CVE-2026-55765 / GHSA-w3gf-xc94-wvmj: operator-side SCRAM-SHA-256 password encoding: the operator now SCRAM-SHA-256 encodes cleartext role passwords before issuing CREATE/ALTER ROLE ... PASSWORD, so the literal PostgreSQL parses (and that extensions such as pg_stat_statements or pgaudit may capture) is the SCRAM verifier rather than the cleartext secret. Pre-hashed (MD5 or SCRAM) values are forwarded unchanged, and the per-Secret annotation cnpg.io/passwordPassthrough: "enabled" opts out. (#​10724, GHSA-w3gf-xc94-wvmj)

Changes
  • Added support for Kubernetes 1.36. (#​10900)

  • Updated the default PostgreSQL version to 18.4. (#​10719)

  • Updated the Kubernetes versions used to test the operator on public cloud providers. (#​10720, #​10563, #​11033)

Fixes
  • Fixed spec.postgresql.parameters accepting keys that are not valid PostgreSQL parameter names, which could inject arbitrary directives into postgresql.conf; key names are now validated by the webhook. (#​11029)

  • Fixed declarative Database, Publication, and Subscription objects reporting a stale primary-side status forever after their cluster was demoted to a replica; the controller now re-checks the replica condition and watches the Cluster so a demotion is detected promptly. (#​10871)

  • Fixed non-sequential pod names (for example -1, -3) caused by the instance serial counter being advanced before the corresponding Job and PVCs were created; the bump is now persisted only after those resources exist. (#​10491)

  • Fixed a switchover deadlock when a WAL-archiver plugin was enabled on an existing cluster: with primaryUpdateMethod: switchover the primary could not be rolled out because a clean demotion needs the archiver sidecar that is still missing. The operator now recreates the primary Pod in place so the sidecar is injected and archiving resumes. The check also covers plugins that inject the archiver as a native sidecar (an init container with restartPolicy: Always), such as the Barman Cloud plugin. (#​11032, #​11059)

  • Fixed a cluster staying in Setting up primary indefinitely when the instance-creation Job exhausted its backoff limit; the operator now detects the terminal Job failure and marks the cluster unrecoverable, naming the failed Job and pointing to its logs. (#​11035)

  • Fixed deletion of a Database, Publication, or Subscription getting stuck in Terminating on a replica cluster, where the replica gate ran before the finalizer reconciler and the finalizer was never released. On a replica the PostgreSQL object is left to the primary cluster. (#​10853)

  • Fixed a conflicting duplicate Database or Subscription with a delete reclaim policy dropping the PostgreSQL object owned by the surviving CR; the drop is now gated on a recorded reconciliation. (#​10870)

  • Fixed the postgres superuser being left locked out after superuser access was disabled and then re-enabled, because the cached secret version was not invalidated and the password was never re-applied. Diagnosed by @​mhartmann-jaconi. (#​10834)

  • Fixed backups getting stuck in the started phase when the instance manager running them was restarted (for example by the in-place upgrade following an operator upgrade) before the backup reached running; the reconciliation is now rescheduled so the lost session is detected. (#​10859)

  • Fixed exec/attach streaming to negotiate WebSocket with a SPDY fallback, restoring compatibility both with Kubernetes versions that have removed SPDY and with platforms such as OpenShift that reject WebSocket exec upgrades. Contributed by [@​bartscheers](https://redirect.github.com/b

Note

PR body was truncated to here.


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate

renovate Bot commented May 18, 2026

Copy link
Copy Markdown
Contributor Author

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: undefined
Post-upgrade command 'pkl project resolve packages/*/' has not been added to the allowed list in allowedCommands

@renovate renovate Bot force-pushed the renovate/mono-repo-packages branch from bf85faf to c546b59 Compare May 20, 2026 21:49
@renovate renovate Bot changed the title Update mono-repo packages Update mono-repo packages to v0.4.0 May 20, 2026
@renovate renovate Bot force-pushed the renovate/mono-repo-packages branch from c546b59 to f471e15 Compare May 28, 2026 19:45
@renovate renovate Bot changed the title Update mono-repo packages to v0.4.0 Update mono-repo packages May 28, 2026
@renovate renovate Bot force-pushed the renovate/mono-repo-packages branch 3 times, most recently from 10db1e1 to 3767090 Compare June 6, 2026 12:46
@lucsoft lucsoft force-pushed the main branch 3 times, most recently from e49c35f to 60f4406 Compare June 6, 2026 14:52
@renovate renovate Bot force-pushed the renovate/mono-repo-packages branch 2 times, most recently from e427d5c to e8f79d7 Compare June 10, 2026 09:15
@renovate renovate Bot force-pushed the renovate/mono-repo-packages branch 5 times, most recently from 397e1da to 3bb1096 Compare June 25, 2026 01:55
@renovate renovate Bot force-pushed the renovate/mono-repo-packages branch 3 times, most recently from 1ac9867 to bbe8642 Compare June 29, 2026 19:53
@renovate renovate Bot force-pushed the renovate/mono-repo-packages branch 2 times, most recently from d2f20aa to 9ad1c90 Compare July 9, 2026 01:50
@renovate renovate Bot force-pushed the renovate/mono-repo-packages branch from 9ad1c90 to bf5d73f Compare July 9, 2026 17:34
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants