Release notes from cloudnative-pg

v1.29.0-rc1

2026-03-13T09:03:57Z

Release date: Mar 13, 2026

Important changes

Updated the deprecation notice for native (in-tree) Barman Cloud support to reflect that it will now be removed in CloudNativePG 1.30.0, rather than 1.29.0. Users are still encouraged to migrate to the Barman Cloud Plugin. (#10167)

Features

PostgreSQL extensions in image catalogs: extended the ImageCatalog functionality to support PostgreSQL extensions. This allows users to define and manage extension-specific images within a catalog, simplifying the deployment of customized PostgreSQL builds. (#9781)
Dynamic network access control via pod selectors: introduced the declarative definition of podSelectorRefs to manage pg_hba.conf rules dynamically. By using label selectors to identify client pods, the operator automatically resolves their ephemeral IP addresses and updates the PostgreSQL host-based authentication rules accordingly. This ensures that only authorized workloads in the same namespace can connect to the database, eliminating the need for manual IP management or static CIDR ranges. (#10148)
Shared ServiceAccount support: added an optional serviceAccountName field to both Cluster and Pooler specifications. This allows multiple resources to share a pre-existing ServiceAccount, facilitating one-time IAM configurations (such as AWS IRSA, GCP Workload Identity, or Azure Workload Identity) across all clusters and poolers. Contributed by @bozkayasalihx. (#9287)

Enhancements

Improved the Pooler CRD with support for granular configuration of TLS cipher suites and minimum/maximum TLS versions. This enables administrators to meet strict security compliance requirements for pooler-to-client and pooler-to-server connections. Contributed by @alex1989hu. (#9571)
Improved the reliability of major upgrades by setting BackoffLimit=0 on the upgrade job, preventing unnecessary retries of a failed pg_upgrade. The operator now automatically deletes the failed job when a user reverts the container image, allowing the cluster to restart gracefully on the original version. (#10104)
Improved the operator's observability by emitting native Kubernetes events during key phases of the reconciliation loop. This provides much better visibility into the operator's decision-making process and the lifecycle of managed resources directly through kubectl get events. (#10040)
Extended support for the cnpg.io/reconciliationDisabled annotation on Backup resources. This allows administrators to temporarily freeze the operator's reconciliation logic for specific backup objects. Contributed by @GabriFedi97. (#10020)
Added a bin_path field to the postgresql.extensions stanza, as well as in ImageCatalog and ClusterImageCatalog resources. This allows extensions to specify directory paths for external binaries, which are automatically appended to the PATH environment variable of the Postgres process. (#10250)
Implemented a finalizer for plugins to ensure that resources managed by a plugin are gracefully cleaned up when the corresponding service is deleted. (#9560)
Enhanced the security and reliability of role management by verifying the primary status of an instance before each reconciliation cycle. (#9971)
The operator now honors the primaryUpdateMethod when adding new PVCs to a cluster, ensuring that the rollout strategy (e.g., switchover vs. restart) is respected during storage expansion or additions. (#9720)
Refined the alpha.cnpg.io/unrecoverable annotation logic to allow it to function even on pods that have not yet reached the Ready state, facilitating the recovery of stuck instances. (#9968)
Introduced a "Terminal Error" phase for backups that encounter unrecoverable issues (such as invalid credentials or non-existent cloud buckets). This ensures the operator stops retrying doomed operations, preventing resource exhaustion and providing immediate, clear feedback in the status. (#9353)
Improved monitoring of long-running backups by introducing reconciliationStartedAt and reconciliationTerminatedAt fields to the Backup status. This change separates the operator's internal lifecycle from the actual backup tool's execution timing (startedAt/stoppedAt), allowing users to track when the operator begins processing a request. (#9351)
Added a Pending phase to the Backup status to explicitly indicate when a backup is queued and waiting for an available worker or instance availability. (#9364)

Security and Supply Chain

Security best practices integration: integrated the OpenSSF baseline scanner and added a SECURITY-INSIGHTS.yaml file to the repository to align with industry-standard security reporting. (#10054, #10062)
SLSA provenance and SBOMs: added SLSA (Supply-chain Levels for Software Artifacts) provenance to release binaries and container images. Additionally, enabled Software Bill of Materials (SBOM) generation within the GoReleaser pipeline for improved dependency transparency. (#10048, #10074)
Password leak prevention: fixed a potential security risk where PostgreSQL could leak role passwords in the logs during specific reconciliation phases. (#9950)

Changes

Updated the default PostgreSQL version to 18.3 (image 18.3-system-trixie). (#10090)

Fixes

Fixed an issue where replicas would get stuck in a Pending state if the VolumeSnapshot used for the initial bootstrap had been deleted. The operator now validates snapshot existence before use; if a snapshot is missing, it attempts to use the next available candidate or falls back to pg_basebackup. (#10192)
Prevented the "supervised primary" rollout strategy from consuming all available rollout slots, which previously caused delays in scheduled updates. Contributed by @ermakov-oleg. (#9977)
Fixed an issue where certain hot-standby parameter changes were not being correctly applied to replica clusters. (#9952)
Fixed a bug in the CNPG-I reconciler hook that could lead to skipping subsequent plugins when a "continue" result was returned. Contributed by @sharifmshaker. (#9978)
Fixed a deadlock scenario that occurred when attempting to resize a filesystem on a PVC that was not currently attached to a Pod. Contributed by @jmealo. (#9981)
Refined the bootstrap recovery logic by adding a missing check for ConnectionParameters and updating error messages to include all valid configuration types. (#10268)
Volume names for extensions and tablespaces are now prefixed to avoid naming collisions with standard cluster volumes. (#9973)
Improved feedback when hibernating a non-healthy cluster. While the operator correctly defers hibernation until a cluster recovers, this state is now explicitly reported via a WaitingForHealthy condition, making it visible through cnpg status. (#10193)
Removed unnecessary pod existence checks from the FencingMetadataExecutor to streamline the fencing process, particularly in environments where pods may be quickly deleted. (#10035)
Fixed the cluster and pooler service reconcilers to detect changes to all spec fields (such as loadBalancerSourceRanges) when using the patch update strategy, which previously only compared selectors, labels, and annotations. (#10190)
Fixed a race condition in the deprecated in-tree Barman Cloud backup implementation affecting parallel WAL restore, where prefetched files could be read while still being downloaded, causing PostgreSQL recovery to fail with "invalid checkpoint record" errors. (#10285)
cnpg plugin:
- The cnpg plugin now correctly propagates ImagePullSecrets to the pgbench Job pod template. (#10174)

Supported versions

Kubernetes 1.35, 1.34, and 1.33
PostgreSQL 18, 17, 16, 15, and 14
- PostgreSQL 18.3 is the default image
- PostgreSQL 14 support ends on November 12, 2026

v1.28.1

2026-02-06T13:07:38Z

Release date: Feb 5, 2026

Enhancements

Added support for Azure's DefaultAzureCredential authentication mechanism for backup and recovery operations. This can be enabled by setting azureCredentials.useDefaultAzureCredentials: true in the backup configuration, simplifying authentication in Azure environments without requiring explicit storage account keys or SAS tokens. (#9468)

Fixes

Fixed validation of PostgreSQL extension names containing underscores (e.g., pg_partman, pg_ivm). Extension names with underscores are automatically sanitized to use hyphens for Kubernetes volume names while preserving the original name in mount paths. Webhook validation prevents naming conflicts after sanitization. Contributed by @shusaan. (#9386)
Fixed a critical issue where the TimelineID in the cluster status was not reset to 1 after a major version upgrade. Because pg_upgrade initializes a new timeline, keeping the old ID (e.g., timeline 2) caused replicas to attempt to restore incompatible history files from object storage, leading to fatal "requested timeline is not a child of this server's history" errors. (#9830)
Fixed an issue where stale TLS status fields in the Pooler were not cleared after being removed from the specification. This was particularly critical when upgrading to v1.28.0, where the ServerTLS field was repurposed, causing PgBouncer to use incorrect certificates and resulting in "unsupported certificate" errors that blocked all application connectivity. The operator now explicitly clears ServerCA, ClientCA, ClientTLS, and ServerTLS status fields when they are no longer configured. (#9397)
Fixed a bug where replicas could enter a crash-loop by attempting to download timeline history files from future timelines. This occurred when stale files remained in the WAL archive from a previous cluster life, and replicas would incorrectly try to fetch them during recovery. (#9650)
Fixed a race condition in replica_cluster setups during designated primary transitions, preventing transient "no primary" states in the replica cluster. (#9601)
The backup controller now uses the unique instance session ID to detect instance manager restarts. This prevents the operator from incorrectly assuming a backup is still progressing if the underlying container has crashed and restarted, which previously led to orphaned backup objects. (#9370)
Fixed a validation gap in Azure object store configurations where the storageAccount was not required when using explicit credentials (such as a storage key or SAS token). The operator now enforces that a storage account name is provided in these cases and that connectionString is mutually exclusive with other authentication parameters. (#9604)
Optimized the deletion path so the operator begins cleaning up resources immediately when a cluster is marked for deletion. This significantly reduces the time a cluster remains in Terminating status while waiting for internal reconciliation loops. (#9555)
Fixed an issue where replication slots were not properly dropped from replicas when the feature was disabled or the cluster was reconfigured. This ensures that unused slots do not cause WAL build-up on the primary. (#9381)
Fixed an issue where imagePullSecrets were not added to the ServiceAccount created for the Pooler. Previously, these secrets were applied to the Deployment but not the SA, which caused image pull failures in restricted environments using certain security policies. (#9427)
Added a check to verify ownership before the operator deletes a PodMonitor. This prevents the operator from accidentally deleting manually managed monitoring resources that happen to share a name with expected CNPG resources. Contributed by @juliamertz. (#9340)
Fixed a bug where pg_stat_archiver metrics would continue to report stale data on standby instances after a switchover. The exporter now skips these metrics on standbys, as PostgreSQL only provides valid archiver stats on the primary. (#9411)
Clarified the interpretation of timestamp formats for recovery targetTime. Timestamps provided without an explicit timezone are now consistently interpreted as UTC. Contributed by @pchovelon. (#8937)
Fixed backup status updates to prevent "resource has been modified" errors during concurrent updates. (#9551)
Fixed event reporting to use the correct pod name when a backup pod is not found. (#9552)
Improved performance of scheduled backup operations for clusters with a very high number of historical backups. (#9489)
Fixed error handling when removing finalizers on Database objects. (#9431)
cnpg plugin:
- Updated the status command to display "Disabled" when the skipWalArchiving annotation is present on a cluster. This replaces confusing "starting up" or "unknown" states when WAL archiving is intentionally bypassed. (#9709)
- Fixed the logs --follow command to continue polling for new pods instead of exiting prematurely when all current log streams complete. (#9599)

v1.27.3

2026-02-06T13:08:15Z

Release date: Feb 5, 2026

Enhancements

Added support for Azure's DefaultAzureCredential authentication mechanism for backup and recovery operations. This can be enabled by setting azureCredentials.useDefaultAzureCredentials: true in the backup configuration, simplifying authentication in Azure environments without requiring explicit storage account keys or SAS tokens. (#9468)

Fixes

Fixed validation of PostgreSQL extension names containing underscores (e.g., pg_partman, pg_ivm). Extension names with underscores are automatically sanitized to use hyphens for Kubernetes volume names while preserving the original name in mount paths. Webhook validation prevents naming conflicts after sanitization. Contributed by @shusaan. (#9386)
Fixed a critical issue where the TimelineID in the cluster status was not reset to 1 after a major version upgrade. Because pg_upgrade initializes a new timeline, keeping the old ID (e.g., timeline 2) caused replicas to attempt to restore incompatible history files from object storage, leading to fatal "requested timeline is not a child of this server's history" errors. (#9830)
Fixed a bug where replicas could enter a crash-loop by attempting to download timeline history files from future timelines. This occurred when stale files remained in the WAL archive from a previous cluster life, and replicas would incorrectly try to fetch them during recovery. (#9650)
Fixed a race condition in replica_cluster setups during designated primary transitions, preventing transient "no primary" states in the replica cluster. (#9601)
The backup controller now uses the unique instance session ID to detect instance manager restarts. This prevents the operator from incorrectly assuming a backup is still progressing if the underlying container has crashed and restarted, which previously led to orphaned backup objects. (#9370)
Fixed a validation gap in Azure object store configurations where the storageAccount was not required when using explicit credentials (such as a storage key or SAS token). The operator now enforces that a storage account name is provided in these cases and that connectionString is mutually exclusive with other authentication parameters. (#9604)
Optimized the deletion path so the operator begins cleaning up resources immediately when a cluster is marked for deletion. This significantly reduces the time a cluster remains in Terminating status while waiting for internal reconciliation loops. (#9555)
Fixed an issue where replication slots were not properly dropped from replicas when the feature was disabled or the cluster was reconfigured. This ensures that unused slots do not cause WAL build-up on the primary. (#9381)
Fixed an issue where imagePullSecrets were not added to the ServiceAccount created for the Pooler. Previously, these secrets were applied to the Deployment but not the SA, which caused image pull failures in restricted environments using certain security policies. (#9427)
Added a check to verify ownership before the operator deletes a PodMonitor. This prevents the operator from accidentally deleting manually managed monitoring resources that happen to share a name with expected CNPG resources. Contributed by @juliamertz. (#9340)
Fixed a bug where pg_stat_archiver metrics would continue to report stale data on standby instances after a switchover. The exporter now skips these metrics on standbys, as PostgreSQL only provides valid archiver stats on the primary. (#9411)
Clarified the interpretation of timestamp formats for recovery targetTime. Timestamps provided without an explicit timezone are now consistently interpreted as UTC. Contributed by @pchovelon. (#8937)
Fixed backup status updates to prevent "resource has been modified" errors during concurrent updates. (#9551)
Fixed event reporting to use the correct pod name when a backup pod is not found. (#9552)
Improved performance of scheduled backup operations for clusters with a very high number of historical backups. (#9489)
Fixed error handling when removing finalizers on Database objects. (#9431)
cnpg plugin:
- Updated the status command to display "Disabled" when the skipWalArchiving annotation is present on a cluster. This replaces confusing "starting up" or "unknown" states when WAL archiving is intentionally bypassed. (#9709)
- Fixed the logs --follow command to continue polling for new pods instead of exiting prematurely when all current log streams complete. (#9599)

v1.28.0

2025-12-09T17:21:42Z

Release date: Dec 9, 2025

Features

Quorum-Based Failover Promoted to Stable: Promoted the quorum-based failover feature, introduced experimentally in 1.27.0, to a stable API. This data-driven failover mechanism is now configured via the spec.postgresql.synchronous.failoverQuorum field, graduating from the previous alpha.cnpg.io/failoverQuorum annotation. (#8589)
Declarative Foreign Data Management: Introduced comprehensive declarative management for Foreign Data Wrappers (FDW) by extending the Database CRD. This feature adds the .spec.fdws and .spec.servers fields, allowing you to manage FDW extensions and their corresponding foreign servers directly from the Database resource. This work was implemented by Ying Zhu (@EdwinaZhu) as part of the LFX Mentorship Program 2025 Term 2. (#7942, #8401)

Changes

Updated the default PostgreSQL version to 18.1-system-trixie. (#9178)
Updated the default PgBouncer version to 1.25.1 for new Pooler deployments. (#9367)

Enhancements

Enabled simultaneous image and configuration changes when using primaryUpdateMethod: restart, allowing you to update the container image (including PostgreSQL version or extensions) and PostgreSQL configuration settings in the same operation. Note that when using primaryUpdateMethod: switchover, image and configuration changes must still be performed separately to avoid configuration mismatches during the switchover process. (#8241)
Improved network failure detection for replica instances by setting the default tcp_user_timeout to 5 seconds. This change helps replicas detect and recover from silent network drops more quickly. Previously, replicas could wait up to 127 seconds before detecting such failures; with the new timeout, they reconnect to the primary within 5 seconds. To preserve the previous behavior, set STANDBY_TCP_USER_TIMEOUT to 0 in the operator configuration. (#9317)
Adopted standard Kubernetes recommended labels (e.g., app.kubernetes.io/name) for all resources generated by CloudNativePG (Clusters, Backups, Poolers, etc.). Contributed by @JefeDavis. (#8087)
Introduced securityContext at the pod level and containerSecurityContext for individual containers (including postgres, init, and sidecars). This provides granular control over security settings, replacing the previous cluster-wide postgres and operator user settings. Contributed by @x0ddf. (#6614)
Introduced the alpha.cnpg.io/unrecoverable=true annotation for replica pods. When applied, this annotation instructs the operator to permanently delete the instance by removing its Pod and PVCs, after which it will recreate the replica from the primary. (#8178)
Introduced a new caching layer for user-defined monitoring queries to reduce load on the PostgreSQL database. (#8003)
Enhanced PgBouncer integration by automatically setting auth_dbname to the pgbouncer database, simplifying auth setup. (#8671)
Allowed providing stage-specific pg_restore options (preRestore, postRestore, dataRestore) during database import. Contributed by @hanshal101. (#7690)
Added the PostgreSQL majorVersion to the Backup object's status for easier identification and management. (#8464)
Enhanced cluster restore to wait for all init containers to complete before starting the restore process. This ensures that backup tools running in init containers finish preparing the data before the restore begins. The implementation correctly handles Kubernetes init container sidecars by ignoring those with RestartPolicy=Always. (#9026)
Added the PGBOUNCER_IMAGE_NAME operator configuration parameter to allow overriding the default PgBouncer image. This is useful for air-gapped environments or when using internal registries. (#9232)
cnpg plugin:
- Added a --timeout flag to the kubectl cnpg status command for configuring the timeout for filesystem operations such as calculating cluster size. The default remains 10 seconds but can be adjusted for large clusters where operations may take longer. (#9201)
- Improved cnpg report to generate more shell-friendly file names. (#8984)

Security

Allowed providing fine-grained custom TLS configurations for PgBouncer. The Pooler CRD was extended with clientTLSSecret, clientCASecret, serverTLSSecret, and serverCASecret fields under .spec.pgbouncer. These fields enable users to supply their own certificates for both client-to-pooler and pooler-to-server connections, taking precedence over the operator-generated certificates. (#8692)
Added optional TLS support for the operator's metrics server (port 8080). This feature is opt-in and enabled by setting the METRICS_CERT_DIR environment variable, which instructs the operator to look for tls.crt and tls.key files in the specified directory. When unset, the server continues to use HTTP for backward compatibility. (#8997)
Enabled cnpg report operator to work with minimal permissions by making only the operator deployment required. All other resources (pods, secrets, config maps, events, webhooks, and OLM data) are now optional and collected on a best-efforts basis. The command gracefully handles permission errors for those resources by logging clear warnings and continuing report generation with available data, rather than failing completely. This enables least-privileged access, where users may have limited, namespace-scoped permissions. (#8982)

Fixes

Improved resilience of all probe types (liveness, readiness, and startup) to transient Kubernetes API server connectivity issues. Probes now use a caching mechanism that falls back to cached cluster definitions during brief network interruptions, preventing unnecessary pod restarts and probe failures. (#9148)
Fixed the CheckEmptyWalArchive safeguard to run correctly when restoring from a volume snapshot using CNPG-I backup/WAL plugins (e.g., plugin-barman-cloud). Previously, this check was skipped for plugin-based implementations. (#9306)
Improved error reporting when ImageCatalog retrieval fails. The operator now emits a Warning event and logs errors for all failure types, not just NotFound errors, improving visibility into configuration issues. (#9266)
Fixed TLS certificate verification issues when connecting to CNPG-I plugins by adding the cnpg.io/pluginServerName annotation. This allows customizing the DNS name used for certificate verification in environments where the plugin's certificate uses a different DNS name than the Service name. (#9222)
Fixed an issue where the instance manager controller could fail to restart after an error, reporting a "controller already exists" message. The controller now uses SkipNameValidation for subsequent initialization attempts. Contributed by @mateusoliveira43. (#9123)
Fixed incorrect WAL restore path handling in plugins when the destination path is absolute, preventing path duplication issues. Contributed by @Endevir. (#9093)
Fixed the CREATE PUBLICATION SQL generation for multi-table publications to be backward-compatible with PostgreSQL 13+. The previously generated syntax was only valid for PostgreSQL 15+ and caused syntax errors on older versions. (#8888)
Fixed backup failures in complex pod definitions by reliably selecting the postgres container by name instead of by index. Contributed by @Joda89. (#8964)
cnpg plugin:
- Fixed bugs in cnpg report log collection, especially when fetching previous logs. The collector now correctly fetches previous and current logs in separate requests and gracefully handles missing previous logs (e.g., on containers with no restart history), ensuring current logs are always collected. (#8992)

Supported versions

Kubernetes 1.34, 1.33, and 1.32
PostgreSQL 18, 17, 16, 15, and 14
- PostgreSQL 18.1 is the default image

v1.27.2

2025-12-09T16:11:52Z

Release date: Dec 9, 2025

!!! Warning Version 1.27 will be supported until 9 March 2026.

Changes

Updated the default PostgreSQL version to 18.1-system-trixie. (#9178)
Updated the default PgBouncer version to 1.25.1 for new Pooler deployments. (#9367)

Enhancements

Added the PostgreSQL majorVersion to the Backup object's status for easier identification and management. (#8464)
Added the PGBOUNCER_IMAGE_NAME operator configuration parameter to allow overriding the default PgBouncer image. This is useful for air-gapped environments or when using internal registries. (#9232)
cnpg plugin:
- Added a --timeout flag to the kubectl cnpg status command for configuring the timeout for filesystem operations such as calculating cluster size. The default remains 10 seconds but can be adjusted for large clusters where operations may take longer. (#9201)
- Improved cnpg report to generate more shell-friendly file names. (#8984)

Fixes

Improved resilience of all probe types (liveness, readiness, and startup) to transient Kubernetes API server connectivity issues. Probes now use a caching mechanism that falls back to cached cluster definitions during brief network interruptions, preventing unnecessary pod restarts and probe failures. (#9148)
Fixed the CheckEmptyWalArchive safeguard to run correctly when restoring from a volume snapshot using CNPG-I backup/WAL plugins (e.g., plugin-barman-cloud). Previously, this check was skipped for plugin-based implementations. (#9306)
Improved error reporting when ImageCatalog retrieval fails. The operator now emits a Warning event and logs errors for all failure types, not just NotFound errors, improving visibility into configuration issues. (#9266)
Fixed TLS certificate verification issues when connecting to CNPG-I plugins by adding the cnpg.io/pluginServerName annotation. This allows customizing the DNS name used for certificate verification in environments where the plugin's certificate uses a different DNS name than the Service name. (#9222)
Fixed an issue where the instance manager controller could fail to restart after an error, reporting a "controller already exists" message. The controller now uses SkipNameValidation for subsequent initialization attempts. Contributed by @mateusoliveira43. (#9123)
Fixed incorrect WAL restore path handling in plugins when the destination path is absolute, preventing path duplication issues. Contributed by @Endevir. (#9093)
Fixed the CREATE PUBLICATION SQL generation for multi-table publications to be backward-compatible with PostgreSQL 13+. The previously generated syntax was only valid for PostgreSQL 15+ and caused syntax errors on older versions. (#8888)
Fixed backup failures in complex pod definitions by reliably selecting the postgres container by name instead of by index. Contributed by @Joda89. (#8964)
cnpg plugin:
- Fixed bugs in cnpg report log collection, especially when fetching previous logs. The collector now correctly fetches previous and current logs in separate requests and gracefully handles missing previous logs (e.g., on containers with no restart history), ensuring current logs are always collected. (#8992)

v1.26.3

2025-12-09T15:39:36Z

Release date: Dec 9, 2025

!!! Warning This is the final release in the 1.26.x series. Users are strongly encouraged to upgrade to a newer minor version, as 1.26 is no longer supported.

Changes

Updated the default PostgreSQL version to 18.1-system-trixie. (#9178)
Updated the default PgBouncer version to 1.25.1 for new Pooler deployments. (#9367)

Enhancements

Added the PostgreSQL majorVersion to the Backup object's status for easier identification and management. (#8464)
Added the PGBOUNCER_IMAGE_NAME operator configuration parameter to allow overriding the default PgBouncer image. This is useful for air-gapped environments or when using internal registries. (#9232)
cnpg plugin:
- Improved cnpg report to generate more shell-friendly file names. (#8984)

Fixes

Fixed the CheckEmptyWalArchive safeguard to run correctly when restoring from a volume snapshot using CNPG-I backup/WAL plugins (e.g., plugin-barman-cloud). Previously, this check was skipped for plugin-based implementations. (#9306)
Fixed TLS certificate verification issues when connecting to CNPG-I plugins by adding the cnpg.io/pluginServerName annotation. This allows customizing the DNS name used for certificate verification in environments where the plugin's certificate uses a different DNS name than the Service name. (#9222)
Fixed an issue where the instance manager controller could fail to restart after an error, reporting a "controller already exists" message. The controller now uses SkipNameValidation for subsequent initialization attempts. Contributed by @mateusoliveira43. (#9123)
Fixed incorrect WAL restore path handling in plugins when the destination path is absolute, preventing path duplication issues. Contributed by @Endevir. (#9093)
Fixed the CREATE PUBLICATION SQL generation for multi-table publications to be backward-compatible with PostgreSQL 13+. The previously generated syntax was only valid for PostgreSQL 15+ and caused syntax errors on older versions. (#8888)
Fixed backup failures in complex pod definitions by reliably selecting the postgres container by name instead of by index. Contributed by @Joda89. (#8964)
cnpg plugin:
- Fixed bugs in cnpg report log collection, especially when fetching previous logs. The collector now correctly fetches previous and current logs in separate requests and gracefully handles missing previous logs (e.g., on containers with no restart history), ensuring current logs are always collected. (#8992)

v1.28.0-rc2

2025-11-28T17:04:44Z

Release date: Nov 28, 2025

Enhancements:

Improved network failure detection for replica instances by setting the default tcp_user_timeout to 5 seconds. This change helps replicas detect and recover from silent network drops more quickly. Previously, replicas could wait up to 127 seconds before detecting such failures; with the new timeout, they reconnect to the primary within 5 seconds. To preserve the previous behavior, set STANDBY_TCP_USER_TIMEOUT to 0 in the operator configuration. (#9317)
Enhanced cluster restore to wait for all init containers to complete before starting the restore process. This ensures that backup tools running in init containers finish preparing the data before the restore begins. The implementation correctly handles Kubernetes init container sidecars by ignoring those with RestartPolicy=Always. (#9026)

Added the PGBOUNCER_IMAGE_NAME operator configuration parameter to allow overriding the default PgBouncer image. This is useful for air-gapped environments or when using internal registries. (#9232)
cnpg plugin:
- Added a --timeout flag to the kubectl cnpg status command for configuring the timeout for filesystem operations such as calculating cluster size. The default remains 10 seconds but can be adjusted for large clusters where operations may take longer. (#9201)

Fixes:

Improved resilience of all probe types (liveness, readiness, and startup) to transient Kubernetes API server connectivity issues. Probes now use a caching mechanism that falls back to cached cluster definitions during brief network interruptions, preventing unnecessary pod restarts and probe failures. (#9148)

Fixed the CheckEmptyWalArchive safeguard to run correctly when restoring from a volume snapshot using CNPG-I backup/WAL plugins (e.g., plugin-barman-cloud). Previously, this check was skipped for plugin-based implementations. (#9306)

Improved error reporting when ImageCatalog retrieval fails. The operator now emits a Warning event and logs errors for all failure types, not just NotFound errors, improving visibility into configuration issues. (#9266)

Fixed TLS certificate verification issues when connecting to CNPG-I plugins by adding the cnpg.io/pluginServerName annotation. This allows customizing the DNS name used for certificate verification in environments where the plugin's certificate uses a different DNS name than the Service name. (#9222)

Fixed an issue where the instance manager controller could fail to restart after an error, reporting a "controller already exists" message. The controller now uses SkipNameValidation for subsequent initialization attempts. Contributed by @mateusoliveira43. (#9123)

Fixed incorrect WAL restore path handling in plugins when the destination path is absolute, preventing path duplication issues. Contributed by @Endevir. (#9093)

v1.28.0-rc1

2025-11-07T16:25:23Z

Release date: Nov 7, 2025

Features

Quorum-Based Failover Promoted to Stable: Promoted the quorum-based failover feature, introduced experimentally in 1.27.0, to a stable API. This data-driven failover mechanism is now configured via the spec.postgresql.synchronous.failoverQuorum field, graduating from the previous alpha.cnpg.io/failoverQuorum annotation. (#8589)
Declarative Foreign Data Management: Introduced comprehensive declarative management for Foreign Data Wrappers (FDW) by extending the Database CRD. This feature adds the .spec.fdws and .spec.servers fields, allowing you to manage FDW extensions and their corresponding foreign servers directly from the Database resource. This work was implemented by Ying Zhu (@EdwinaZhu) as part of the LFX Mentorship Program 2025 Term 2. (#7942, #8401)

Enhancements:

Enabled simultaneous image and configuration changes, allowing you to update the container image (including PostgreSQL version or extensions) and PostgreSQL configuration settings in the same operation. The operator first applies the image change, followed by the configuration changes in a subsequent rollout, ensuring safe and consistent cluster updates. (#8115)
Introduced securityContext at the pod level and containerSecurityContext for individual containers (including postgres, init, and sidecars). This provides granular control over security settings, replacing the previous cluster-wide postgres and operator user settings. Contributed by @x0ddf. (#6614)
Adopted standard Kubernetes recommended labels (e.g., app.kubernetes.io/name) for all resources generated by CloudNativePG (Clusters, Backups, Poolers, etc.). Contributed by @JefeDavis. (#8087)
Introduced a new caching layer for user-defined monitoring queries to reduce load on the PostgreSQL database. (#8003)
Introduced the alpha.cnpg.io/unrecoverable=true annotation for replica pods. When applied, this annotation instructs the operator to permanently delete the instance by removing its Pod and PVCs, after which it will recreate the replica from the primary. (#8178)
Enhanced PgBouncer integration by automatically setting auth_dbname to the pgbouncer database, simplifying auth setup. (#8671)
Allowed providing stage-specific pg_restore options (preRestore, postRestore, dataRestore) during database import. Contributed by @hanshal101. (#7690)
Added the PostgreSQL majorVersion to the Backup object's status for easier identification and management. (#8464)

Security:

Allowed providing fine-grained custom TLS configurations for PgBouncer. The Pooler CRD was extended with clientTLSSecret, clientCASecret, serverTLSSecret, and serverCASecret fields under .spec.pgbouncer. These fields enable users to supply their own certificates for both client-to-pooler and pooler-to-server connections, taking precedence over the operator-generated certificates. (#8692)
Added optional TLS support for the operator's metrics server (port 8080). This feature is opt-in and enabled by setting the METRICS_CERT_DIR environment variable, which instructs the operator to look for tls.crt and tls.key files in the specified directory. When unset, the server continues to use HTTP for backward compatibility. (#8997)
Enabled cnpg report operator to work with minimal permissions by making only the operator deployment required. All other resources (pods, secrets, config maps, events, webhooks, and OLM data) are now optional and collected on a best-efforts basis. The command gracefully handles permission errors for those resources by logging clear warnings and continuing report generation with available data, rather than failing completely. This enables least-privileged access, where users may have limited, namespace-scoped permissions. (#8982)

Fixes:

Fixed the CREATE PUBLICATION SQL generation for multi-table publications to be backward-compatible with PostgreSQL 13+. The previously generated syntax was only valid for PostgreSQL 15+ and caused syntax errors on older versions. (#8888)
Fixed backup failures in complex pod definitions by reliably selecting the postgres container by name instead of by index. (#8964)
cnpg plugin:
- Fixed bugs in cnpg report log collection, especially when fetching previous logs. The collector now correctly fetches previous and current logs in separate requests and gracefully handles missing previous logs (e.g., on containers with no restart history), ensuring current logs are always collected. (#8992)

Supported versions

Kubernetes 1.34, 1.33, and 1.32
PostgreSQL 18, 17, 16, 15, and 14
- PostgreSQL 18.0 is the default image

v1.27.1

2025-10-23T13:40:02Z

Release date: Oct 23, 2025

Changes

Delayed the decommissioning of native in-core support for Barman Cloud to at least version 1.29. (#8670)
Adopted the new format of postgres-containers and postgis-containers images and image catalog artifacts, and updated the default PostgreSQL version to 18.0-system-trixie (PostgreSQL 18 is now supported). (#8578, #8760, #8558)
Deprecated the monitoring.enablePodMonitor field in the Cluster and Pooler resources. This field will be removed in a future release. Users who rely on PodMonitor resources should create them manually instead. (#8753)

Enhancements

Added support for overriding the PgBouncer auth_type, server_tls_sslmode, and client_tls_sslmode settings, which were previously hardcoded. Default values remain consistent with the former behavior but can now be customized when required. (#8674)
Added a CHECKPOINT step before PostgreSQL smart and fast shutdowns to reduce shutdown duration and replica promotion time, especially on systems with a high checkpoint_timeout. (#8867)
Added a warning in the instance manager for deprecated or unsupported OS versions, based on the official postgres-containers project. (#8601)
Improved certificate parsing error reporting. Failures now log specific errors instead of a generic message, aiding troubleshooting. This is particularly relevant after the CVE-2025-58187 fix in Go 1.25.2 and 1.24.8, which may trigger parsing failures for invalid DNS SANs. (#8801)
Added a check to ensure the destination WAL archive path is empty when bootstrapping a cluster using the pg_basebackup method, consistent with other bootstrap methods. (#8895)
Added validation to prevent backups from running on hibernated clusters. Backups attempted on such clusters now fail with reason ClusterIsHibernated, following the standard prerequisite check pattern. (#8870)
Added support for pprof profiling. Instances can now enable the pprof tool by adding the alpha.cnpg.io/enableInstancePprof annotation to the Cluster resource for advanced debugging. (#7876)
cnpg plugin:
- Updated the Flexible I/O Tester (FIO) image to wallnerryan/fiotools-aio:v2, as provided by Ryan Wallner. (#8847)
- Enhanced the cnpg status backup command to provide more detailed status information when using a barman-cloud-based backup plugin. (#8780, #8690)

Fixes

Fixed backup restoration failures when using custom WAL segment sizes with parallel WAL recovery. The operator no longer manages the end-of-WAL file marker during restoration, preventing errors when backups span multiple WAL segments. (#8873)
Fixed a bug in major upgrades where a volume snapshot from a previous minor version could be incorrectly used to optimize replica creation. (#8475)
Fixed initdb to wait for the application user secret before bootstrapping a new cluster, preventing potential race conditions. (#8663)

Fixed quorum-based failover to work correctly in clusters with only two instances using synchronous replication. (#8680)

Fixed configuration hash calculation to ignore internal configuration fields, preventing unnecessary reconciliations. (#8868)
Fixed the connection retry logic in the cnpgi plugin. The reconciliation loop now detects connection pool changes correctly and uses exponential backoff to reduce "closed pool" errors. (#8554)
Fixed volume snapshot usage during replica scaling to work with backup plugins. Previously, this optimization was only available with the in-tree backup implementation, but now clusters using backup plugins can also leverage volume snapshots when creating new replicas. (#8506)
Fixed the Pooler templating to correctly inherit settings for the bootstrap controller init container. (#8394)
Fixed webhook errors to use the correct API group (postgresql.cnpg.io) in Pooler and backup webhooks, ensuring consistent API error reporting. (#8485)
Fixed a potential nil pointer dereference in the hibernation reconciler when handling errors. Contributed by @PascalBourdier. (#8756)
Fixed an issue in the environment cache where callers could inadvertently modify shared data. The LoadEnv function now returns a copy of cached environment slices to prevent mutations from affecting the cache. (#8880)

v1.26.2

2025-10-23T13:18:48Z

Release date: Oct 23, 2025

Changes

Delayed the decommissioning of native in-core support for Barman Cloud to at least version 1.29. (#8670)
Adopted the new format of postgres-containers and postgis-containers images and image catalog artifacts, and updated the default PostgreSQL version to 18.0-system-trixie (PostgreSQL 18 is now supported). (#8578, #8760, #8558)
Deprecated the monitoring.enablePodMonitor field in the Cluster and Pooler resources. This field will be removed in a future release. Users who rely on PodMonitor resources should create them manually instead. (#8753)

Enhancements

Added support for overriding the PgBouncer auth_type, server_tls_sslmode, and client_tls_sslmode settings, which were previously hardcoded. Default values remain consistent with the former behavior but can now be customized when required. (#8674)
Added a CHECKPOINT step before PostgreSQL smart and fast shutdowns to reduce shutdown duration and replica promotion time, especially on systems with a high checkpoint_timeout. (#8867)
Added a warning in the instance manager for deprecated or unsupported OS versions, based on the official postgres-containers project. (#8601)
Improved certificate parsing error reporting. Failures now log specific errors instead of a generic message, aiding troubleshooting. This is particularly relevant after the CVE-2025-58187 fix in Go 1.25.2 and 1.24.8, which may trigger parsing failures for invalid DNS SANs. (#8801)
Added a check to ensure the destination WAL archive path is empty when bootstrapping a cluster using the pg_basebackup method, consistent with other bootstrap methods. (#8895)
Added validation to prevent backups from running on hibernated clusters. Backups attempted on such clusters now fail with reason ClusterIsHibernated, following the standard prerequisite check pattern. (#8870)
Added support for pprof profiling. Instances can now enable the pprof tool by adding the alpha.cnpg.io/enableInstancePprof annotation to the Cluster resource for advanced debugging. (#7876)
cnpg plugin:
- Updated the Flexible I/O Tester (FIO) image to wallnerryan/fiotools-aio:v2, as provided by Ryan Wallner. (#8847)
- Enhanced the cnpg status backup command to provide more detailed status information when using a barman-cloud-based backup plugin. (#8780, #8690)

Fixes

Fixed backup restoration failures when using custom WAL segment sizes with parallel WAL recovery. The operator no longer manages the end-of-WAL file marker during restoration, preventing errors when backups span multiple WAL segments. (#8873)
Fixed a bug in major upgrades where a volume snapshot from a previous minor version could be incorrectly used to optimize replica creation. (#8475)
Fixed initdb to wait for the application user secret before bootstrapping a new cluster, preventing potential race conditions. (#8663)
Fixed the connection retry logic in the cnpgi plugin. The reconciliation loop now detects connection pool changes correctly and uses exponential backoff to reduce "closed pool" errors. (#8554)
Fixed volume snapshot usage during replica scaling to work with backup plugins. Previously, this optimization was only available with the in-tree backup implementation, but now clusters using backup plugins can also leverage volume snapshots when creating new replicas. (#8506)
Fixed the Pooler templating to correctly inherit settings for the bootstrap controller init container. (#8394)
Fixed webhook errors to use the correct API group (postgresql.cnpg.io) in Pooler and backup webhooks, ensuring consistent API error reporting. (#8485)
Fixed a potential nil pointer dereference in the hibernation reconciler when handling errors. Contributed by @PascalBourdier. (#8756)
Fixed an issue in the environment cache where callers could inadvertently modify shared data. The LoadEnv function now returns a copy of cached environment slices to prevent mutations from affecting the cache. (#8880)