Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1wgdgY-006J25-1N for pgsql-announce@arkaria.postgresql.org; Mon, 06 Jul 2026 07:24:10 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.96) (envelope-from ) id 1wgdgX-00FkzU-0q for pgsql-announce@arkaria.postgresql.org; Mon, 06 Jul 2026 07:24:09 +0000 Received: from magus.postgresql.org ([2a02:c0:301:0:ffff::29]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1wgdgW-00Fkyc-1V for pgsql-announce@lists.postgresql.org; Mon, 06 Jul 2026 07:24:08 +0000 Received: from mahout.postgresql.org ([2001:4800:3e1:1::227]) by magus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.98.2) (envelope-from ) id 1wgdgU-000000020r4-0B0N for pgsql-announce@lists.postgresql.org; Mon, 06 Jul 2026 07:24:08 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=postgresql.org; s=20171124; h=Message-ID:Date:Reply-To:From:To:Subject: MIME-Version:Content-Type:Sender:Cc:Content-Transfer-Encoding:Content-ID: Content-Description:In-Reply-To:References; bh=X8XWlkjCf2R+nLUGA8ioQeCHYldYJFWq706wXdoDfBY=; b=P+uZlhdLvCDRTeWR2hmjsZtOj7 gcdqYmN9gOpmH6tpYprg19wFhXOh+eCPeN/rV6YUrUOpUhWqOn0iuAr8A4U6a7/LuUbwT57FZls1V Fn+Y04jaWZ3Ke5zvtWeX/m+hv4yP1e7uEM3Mh8mULAxmBHHTnuntMZ2CxVGpXeiosmADL0jSbQ1/b EgMRuqkR7/n0aZK2iZrMYf3ay8q6Rer5Vesb12YiN+MQZShKaCRlmOzB6S2loqmSo1tQIMeFSjAp9 IN2mU2TJb8WkB0r2PDHQ0LMQGV1H/8KbyOE6NGJlVi8kX5CPzaiCPu/zAxEWBUgi/jW9M3k77aClu Df6SOByw==; Received: from wrigleys.postgresql.org ([2a02:16a8:dc51::60]) by mahout.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1wgdgS-00BRxI-1p for pgsql-announce@lists.postgresql.org; Mon, 06 Jul 2026 07:24:04 +0000 Received: from localhost ([127.0.0.1] helo=wrigleys.postgresql.org) by wrigleys.postgresql.org with esmtp (Exim 4.96) (envelope-from ) id 1wgdgR-00DzAc-1O for pgsql-announce@lists.postgresql.org; Mon, 06 Jul 2026 07:24:03 +0000 Content-Type: multipart/alternative; boundary="===============1548912185722829967==" MIME-Version: 1.0 Subject: CloudNativePG 1.30.0 Released! To: PostgreSQL Announce From: The CloudNativePG Contributors via PostgreSQL Announce Reply-To: gabriele.bartolini@gmail.com Date: Mon, 06 Jul 2026 07:23:45 +0000 Message-ID: <178332262529.108997.2090215691477642985@wrigleys.postgresql.org> X-Auto-Response-Suppress: All Auto-Submitted: auto-generated X-pglister-tags: related X-pglister-tagsig: dcc69af5c1870fd0f9dd4162b0cc713b46a927eea8ede2687f0f7311e77d6d30 List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk --===============1548912185722829967== Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable The CloudNativePG Community is excited to announce the immediate availabili= ty of **CloudNativePG 1.30.0**! This minor release introduces the new `DatabaseRole` CRD for declarative, G= itOps-friendly PostgreSQL role management and a Lease-based primary electio= n primitive for safer failover, alongside notable security and operational = improvements, further cementing CloudNativePG as the leading operator for r= unning PostgreSQL workloads on Kubernetes. We are also pleased to announce the release of maintenance versions **1.29.= 2** and **1.28.4**, the latter of which is the final planned release in the= 1.28.x series. We encourage users on 1.28 to plan their upgrade to 1.29 or= 1.30. With the release of CloudNativePG 1.30.0, the CloudNativePG 1.28.x series r= eaches its End-of-Life (EOL) date of June 30, 2026, and the EOL date for th= e CloudNativePG 1.29.x series is confirmed as September 29, 2026. ## Highlights in 1.30.0 ### DatabaseRole CRD for declarative role management The headline addition in 1.30 is the new `DatabaseRole` custom resource, wh= ich manages a PostgreSQL role as a standalone Kubernetes object rather than= inline in the Cluster=E2=80=99s `.spec.managed.roles` stanza. Each role no= w has its own lifecycle, status and RBAC, which suits GitOps workflows and = lets role definitions live next to the applications that own them. Migratin= g an existing role is a matter of moving its stanza into a dedicated manife= st. A `DatabaseRole` can also include a `clientCertificate` block, having the o= perator automatically generate and renew a TLS client certificate signed by= the cluster=E2=80=99s client CA and stored in a `-clien= t-cert` Secret. This enables password-free PostgreSQL `cert` authentication= , with the Secret cleaned up automatically when the feature is disabled or = the resource is deleted. ### Primary Lease for safe primary election CloudNativePG 1.30 introduces a Kubernetes `Lease` object, named after the = cluster, that acts as a mutex serializing primary promotion. The instance m= anager must hold the lease before acting as primary and releases it on clea= n shutdown, so replicas can promote without waiting for the full TTL. Timin= gs are configurable through the new `.spec.primaryLease` stanza. To be precise about the architecture: the lease is a promotion gate, not a = fence. Primary isolation remains responsible for fencing =E2=80=94 the Leas= e closes the window for an uncoordinated promotion during transitions. ## Enhanced Security and Resilience This release includes significant improvements focused on stability, securi= ty, and supply-chain integrity: * `search_path` pinning ([CVE-2026-55769](https://github.com/cloudnative-pg= /cloudnative-pg/security/advisories/GHSA-x8c2-3p4r-v9r6)): Fixed a privileg= e-escalation vulnerability (CWE-426) where a database owner could plant ove= rloaded operators in the public schema. The operator now pins `search_path = =3D pg_catalog, public, pg_temp` on its pooled connections. * SCRAM-SHA-256 password encoding ([CVE-2026-55765](https://github.com/clou= dnative-pg/cloudnative-pg/security/advisories/GHSA-w3gf-xc94-wvmj)): The op= erator now SCRAM-SHA-256 encodes cleartext passwords before issuing `CREATE= /ALTER ROLE` commands, so the SCRAM verifier =E2=80=94 rather than the clea= rtext secret =E2=80=94 is what could ever appear in logs or extension captu= res. * Authenticated instance communication ([GHSA-7qwx-x8ff-3px9](https://githu= b.com/cloudnative-pg/cloudnative-pg/security/advisories/GHSA-7qwx-x8ff-3px9= )): Operator-to-instance-manager communication is now authenticated via ECD= SA certificates. This hardening is new in 1.30.0 and is not backported; on = earlier releases continue to restrict the instance status port with a `Netw= orkPolicy`. ## Other Notable Enhancements * In-place major upgrades with Image Volume extensions =E2=80=94 `pg_upgrad= e` in-place upgrades are now supported for clusters using Image Volume exte= nsions, mounting the source- and target-version extension images side by si= de so a failed upgrade reverts cleanly. * PgBouncer image management via Image Catalogs =E2=80=94 the `Pooler` can = now reference an `ImageCatalog` or `ClusterImageCatalog` entry through `spe= c.pgbouncer.imageCatalogRef`, with referencing Poolers automatically reconc= iled and rolled out when a catalog entry changes. * TLS for the Pooler metrics endpoint via `.spec.monitoring.tls.enabled`, w= ith hot certificate reloading on every handshake. * Cluster as a VPA/HPA target through a new `status.selector` on the scale = subresource, mapping a Cluster to its instance pods. * Primary status visibility =E2=80=94 the operator now emits a `PrimaryStat= usCheckFailed` warning event when a primary pod looks Ready to the kubelet = but fails the operator=E2=80=99s `/pg/status` check, surfacing failover def= errals via `kubectl describe cluster`. This release also adds support for Kubernetes 1.36 and updates the default = PostgreSQL version to 18.4. **Heads-up on an API change:** the `cluster` reference is now immutable on = the `Database`, `Pooler`, `Publication`, `Subscription` and `ScheduledBacku= p` resources. Re-pointing one of these at a different cluster is now reject= ed by a CEL validation rule at the API server, as it had no well-defined se= mantics. Dive into the full list of changes and fixes in the [release notes for Clou= dNativePG 1.30](https://cloudnative-pg.io/docs/1.30/release_notes/v1.30/). ## Maintenance Releases: 1.29.2 & 1.28.4 In parallel with the 1.30 release, we have also shipped maintenance updates= for the previous stable series. Both backport the security fixes above =E2= =80=94 including `search_path` pinning and SCRAM-SHA-256 password encoding = =E2=80=94 along with VPA/HPA support, primary status visibility, automatic = CNPG-I plugin reloading, Kubernetes 1.36 support, the updated PostgreSQL 18= .4 default, and dozens of bug fixes: * CloudNativePG 1.29.2: [see the release notes for 1.29](https://cloudnativ= e-pg.io/docs/1.29/release_notes/v1.29/#version-1292). * CloudNativePG 1.28.4: the final planned maintenance release for the 1.28.= x series =E2=80=94 [see the release notes for 1.28](https://cloudnative-pg.= io/docs/1.28/release_notes/v1.28/#version-1284). We strongly recommend plan= ning an upgrade to a currently supported version. We encourage all users to upgrade to the latest stable versions to benefit = from the latest features, security enhancements, and bug fixes. Follow the [upgrade instructions](https://cloudnative-pg.io/docs/1.30/insta= llation_upgrade/#upgrades) for a smooth transition. ## Get Involved with the Community [Join us](https://github.com/cloudnative-pg/cloudnative-pg?tab=3Dreadme-ov-= file#communications) to help shape the future of cloud-native Postgres! If you=E2=80=99re using CloudNativePG in production, consider [adding your = organization as an adopter](https://github.com/cloudnative-pg/cloudnative-p= g/blob/main/ADOPTERS.md) to support the project=E2=80=99s growth and evolut= ion. Thank you for your continued support! Upgrade today and discover how CloudN= ativePG can elevate your PostgreSQL experience to new heights. --===============1548912185722829967== Content-Type: text/html; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable CloudNativePG 1.30.0 Released!
 

CloudNativePG 1.30.0 Released!

The CloudNativePG Community is excited to a= nnounce the immediate availability of CloudNativePG 1.30.0= !

This minor release introduces the new DatabaseRole CRD for declarative, GitOps-friendly PostgreSQL role m= anagement and a Lease-based primary election primitive for safer failover, = alongside notable security and operational improvements, further cementing = CloudNativePG as the leading operator for running PostgreSQL workloads on K= ubernetes.

We are also pleased to announce the release= of maintenance versions 1.29.2 and 1.28.4, the latter of which is the final planned release in the 1.28.x series. W= e encourage users on 1.28 to plan their upgrade to 1.29 or 1.30.

With the release of CloudNativePG 1.30.0, t= he CloudNativePG 1.28.x series reaches its End-of-Life (EOL) date of June 3= 0, 2026, and the EOL date for the CloudNativePG 1.29.x series is confirmed = as September 29, 2026.

Highlights in 1.30.0

DatabaseRole CRD for declarativ= e role management

The headline addition in 1.30 is the new DatabaseRole custom resource, which manages a PostgreSQL role as= a standalone Kubernetes object rather than inline in the Cluster=E2=80=99s= .spec.managed.roles stanza. Each role now has its own lifecyc= le, status and RBAC, which suits GitOps workflows and lets role definitions= live next to the applications that own them. Migrating an existing role is= a matter of moving its stanza into a dedicated manifest.

A DatabaseRole can also includ= e a clientCertificate block, having the operator automatically= generate and renew a TLS client certificate signed by the cluster=E2=80=99= s client CA and stored in a <databaserole-name>-client-cert Secret. This enables password-free PostgreSQL cert authent= ication, with the Secret cleaned up automatically when the feature is disab= led or the resource is deleted.

Primary Lease for safe primary = election

CloudNativePG 1.30 introduces a Kubernetes = Lease object, named after the cluster, that acts as a mutex se= rializing primary promotion. The instance manager must hold the lease befor= e acting as primary and releases it on clean shutdown, so replicas can prom= ote without waiting for the full TTL. Timings are configurable through the = new .spec.primaryLease stanza.

To be precise about the architecture: the l= ease is a promotion gate, not a fence. Primary isolation remains responsibl= e for fencing =E2=80=94 the Lease closes the window for an uncoordinated pr= omotion during transitions.

Enhanced Security and Resilienc= e

This release includes significant improveme= nts focused on stability, security, and supply-chain integrity:

  • search_pa= th pinning (CVE-2026-55769): Fixed a privilege-escalation vu= lnerability (CWE-426) where a database owner could plant overloaded operato= rs in the public schema. The operator now pins search_path =3D pg_cat= alog, public, pg_temp on its pooled connections.
  • SCRAM-SHA-256 p= assword encoding (CVE-2026-55765): The operator now SCRAM-SHA-256 e= ncodes cleartext passwords before issuing CREATE/ALTER ROLE co= mmands, so the SCRAM verifier =E2=80=94 rather than the cleartext secret = =E2=80=94 is what could ever appear in logs or extension captures.
  • Authenticated i= nstance communication (GHSA-7qwx-x8ff-3px9): Operator-to-instance-m= anager communication is now authenticated via ECDSA certificates. This hard= ening is new in 1.30.0 and is not backported; on earlier releases continue = to restrict the instance status port with a NetworkPolicy.

Other Notable Enhancements

  • In-place major = upgrades with Image Volume extensions =E2=80=94 pg_upgrade in-= place upgrades are now supported for clusters using Image Volume extensions= , mounting the source- and target-version extension images side by side so = a failed upgrade reverts cleanly.
  • PgBouncer image= management via Image Catalogs =E2=80=94 the Pooler can now re= ference an ImageCatalog or ClusterImageCatalog en= try through spec.pgbouncer.imageCatalogRef, with referencing P= oolers automatically reconciled and rolled out when a catalog entry changes= .
  • TLS for the Poo= ler metrics endpoint via .spec.monitoring.tls.enabled, with ho= t certificate reloading on every handshake.
  • Cluster as a VP= A/HPA target through a new status.selector on the scale subres= ource, mapping a Cluster to its instance pods.
  • Primary status = visibility =E2=80=94 the operator now emits a PrimaryStatusCheckFaile= d warning event when a primary pod looks Ready to the kubelet but fa= ils the operator=E2=80=99s /pg/status check, surfacing failove= r deferrals via kubectl describe cluster.

This release also adds support for Kubernet= es 1.36 and updates the default PostgreSQL version to 18.4.

Heads-up on an API change:= the cluster reference is now immutable on the Database<= /code>, Pooler, Publication, Subscription and ScheduledBackup resources. Re-pointing one of these = at a different cluster is now rejected by a CEL validation rule at the API = server, as it had no well-defined semantics.

Dive into the full list of changes and fixe= s in the release notes for C= loudNativePG 1.30.

Maintenance Releases: 1.29.2 &a= mp; 1.28.4

In parallel with the 1.30 release, we have = also shipped maintenance updates for the previous stable series. Both backp= ort the security fixes above =E2=80=94 including search_path p= inning and SCRAM-SHA-256 password encoding =E2=80=94 along with VPA/HPA sup= port, primary status visibility, automatic CNPG-I plugin reloading, Kuberne= tes 1.36 support, the updated PostgreSQL 18.4 default, and dozens of bug fi= xes:

We encourage all users to upgrade to the la= test stable versions to benefit from the latest features, security enhancem= ents, and bug fixes.

Follow the upgrade instructions for a smooth transition.<= /p>

Get Involved with the Community=

Join us to help shape the future of clo= ud-native Postgres!

If you=E2=80=99re using CloudNativePG in pr= oduction, consider adding your organization as an adopter to support the project=E2= =80=99s growth and evolution.

Thank you for your continued support! Upgra= de today and discover how CloudNativePG can elevate your PostgreSQL experie= nce to new heights.

This email was sent to you from The CloudNativePG Contributors. It was deli= vered on their behalf by the PostgreSQL project. Any questions about the content of the message shou= ld be sent to The CloudNativePG Contributors.

You were sent this email as a subscriber of the pgsql-announce mai= linglist, for the content tag Related Open Source. To unsubscribe from further emails, or change which emails you want to receive, please click th= e personal unsubscribe link that you can find in the headers of this email, or visit https://lists.postgresql.org/unsubscribe/.
 
--===============1548912185722829967==--