Release notes for CloudNativePG 1.20
====================================

History of user-visible changes in the 1.20 minor release of CloudNativePG.
For a complete list of changes, please refer to the commits on the release
branch in GitHub.

Version 1.20.6
--------------

**Release date:** Feb 2, 2024

.. Warning::
   This is expected to be the last release in the 1.20.X series.
   Users are encouraged to update to a newer minor version soon.

Enhancements:

- Tailor ephemeral volume storage in a Postgres cluster using a claim template
  through the ``ephemeralVolumeSource`` option (#3678)
- Introduce the ``pgadmin4`` command in the ``cnpg`` plugin for ``kubectl``,
  providing a straightforward way to demonstrate connecting to a given database
  cluster and navigating its content in a local environment such as kind, for
  evaluation purposes only (#3701)
- Allow customization of PostgreSQL's ident map file via the
  ``.spec.postgresql.pg_ident`` stanza, through a list of user name maps (#3534)

Fixes:

- Prevent an unrecoverable issue with ``pg_rewind`` failing due to
  ``postgresql.auto.conf`` being read-only on clusters where the
  ``ALTER SYSTEM`` SQL command is disabled, which is the default (#3728)
- Reduce the risk of disk space shortage when using the import facility of the
  ``initdb`` bootstrap method, by disabling the durability settings in the
  PostgreSQL instance for the duration of the import process (#3743)
- Avoid pod restarts due to erroneous resource quantity comparisons, e.g.
  "1 != 1000m" (#3706)
- Properly escape reserved characters in ``pgpass`` connection fields (#3713)
- Prevent systematic rollout of pods caused by treating zero and nil as
  different values in ``.spec.projectedVolumeTemplate.sources`` (#3647)

Version 1.20.5
--------------

**Release date:** Dec 21, 2023

Security:

- By default, TLSv1.3 is now enforced on all PostgreSQL 12 or higher
  installations. Additionally, users can configure the ``ssl_ciphers``,
  ``ssl_min_protocol_version``, and ``ssl_max_protocol_version`` GUCs (#3408).
- Integration of Docker image scanning with Dockle and Snyk to enhance security
  measures (#3300).

Enhancements:

- Improved reconciliation of external clusters (#3533).
- Introduction of the ability to enable/disable the ``ALTER SYSTEM`` command
  (#3535).
- Support for Prometheus' dynamic relabeling through the
  ``podMonitorMetricRelabelings`` and ``podMonitorRelabelings`` options in the
  ``.spec.monitoring`` stanza of the ``Cluster`` and ``Pooler`` resources
  (#3075).
- Elimination of the use of the ``PGPASSFILE`` environment variable when
  establishing a network connection to PostgreSQL (#3522).
- Improved ``cnpg report`` plugin command by collecting a cluster's PVCs
  (#3357).
- Enhancement of the ``cnpg status`` plugin command, providing information
  about managed roles, including alerts (#3310).
- Connection pooler:

  - Scaling down instances of a ``Pooler`` resource to 0 is now possible
    (#3517).
  - Addition of the ``cnpg.io/podRole`` label with a value of 'pooler' to every
    pooler deployment, differentiating them from instance pods (#3396).

Fixes:

- Reconciliation of metadata, annotations, and labels of
  ``PodDisruptionBudget`` resources (#3312 and #3434).
- Reconciliation of the metadata of the managed credential secrets (#3316).
- Resolution of a bug in the backup snapshot code where an error reading the
  body would be handled as an overall error, leaving the backup process
  indefinitely stuck (#3321).
- Implicit setting of online backup with the ``cnpg backup`` plugin command
  when either the ``immediate-checkpoint`` or ``wait-for-archive`` option is
  requested (#3449).
- Disabling of ``wal_sender_timeout`` when joining through ``pg_basebackup``
  (#3586).
- Reloading of secrets used by external clusters (#3565).
- Connection pooler:

  - Ensuring the controller watches all secrets owned by a ``Pooler`` resource
    (#3428).
  - Reconciliation of ``RoleBinding`` for ``Pooler`` resources (#3391).
  - Reconciliation of ``imagePullSecret`` for ``Pooler`` resources (#3389).
  - Reconciliation of the service of a ``Pooler`` and addition of the required
    labels (#3349).
  - Extension of ``Pooler`` labels to the deployment as well, not just the pods
    (#3350).

Changes:

- Default operand image set to PostgreSQL 16.1 (#3270).

Version 1.20.4
--------------

**Release date:** Nov 3, 2023

Enhancements:

- Enhance the ``status`` command of the ``cnpg`` plugin for ``kubectl`` with
  progress information on active streaming base backups (#3101)
- Allow the configuration of ``max_prepared_statements`` with the PgBouncer
  ``Pooler`` resource (#3174)

Fixes:

- Suspend WAL archiving during a switchover and resume it when the switchover
  is completed (#3227)
- Ensure that the instance manager always uses ``synchronous_commit = local``
  when managing the PostgreSQL cluster (#3143)
- Custom certificates for the streaming replication user through
  ``.spec.certificates.replicationTLSSecret`` are now working (#3209)
- Set the ``cnpg.io/cluster`` label on the ``Pooler`` pods (#3153)

Changes:

- Stop using the ``postgresql.auto.conf`` file inside PGDATA to control
  Postgres replication settings, and replace it with a file named
  ``override.conf`` (#2812)

Technical enhancements:

- Use the extended query protocol for PostgreSQL in the instance manager
  (#3152)

Version 1.20.3
--------------

**Release date:** Oct 11, 2023

Important Changes:

- Change the default value of ``stopDelay`` to 1800 seconds instead of 30
  seconds (#2848)
- Introduce a new parameter, called ``smartShutdownTimeout``, to control the
  window of time reserved for the smart shutdown of Postgres to complete; the
  general formula to compute the overall timeout to stop Postgres is
  ``max(stopDelay - smartShutdownTimeout, 30)`` (#2848)
- Change the default value of ``startDelay`` to 3600 seconds instead of 30
  seconds (#2847)
- Replace the livenessProbe initial delay with a proper Kubernetes startup
  probe to deal with the start of a Postgres server (#2847)
- Change the default value of ``switchoverDelay`` to 3600 seconds instead of
  40000000 seconds (#2846)
- Stop supporting the ``postgresql`` label, replaced by ``cnpg.io/cluster`` in
  1.18 (#2744)

Security:

- Add a default ``seccompProfile`` to the operator deployment (#2926)

Enhancements:

- Introduce the ``cnpg.io/coredumpFilter`` annotation to control the content
  of a core dump generated in the unlikely event of a PostgreSQL crash; by
  default it is set to exclude shared memory segments from the dump (#2733)
- Allow configuring ephemeral-storage limits for the shared memory and
  temporary data ephemeral volumes (#2830)
- Validate resource limits and requests through the webhook (#2663)
- Ensure that PostgreSQL's ``shared_buffers`` are coherent with the pods'
  allocated memory resources (#2840)
- Add ``uri`` and ``jdbc-uri`` fields in the credential secrets to help
  developers connect their applications to the database (#2186)
- Add a new phase, ``Waiting for the instances to become active``, for finer
  control of a cluster's state while waiting for the replicas to be ready
  (#2612)
- Improve detection of Pod rollout conditions through the ``podSpec``
  annotation (#2243)
- Add primary timestamp and uptime to the kubectl plugin's ``status`` command
  (#2953)

Fixes:

- Ensure that the primary instance is always recreated first by prioritizing
  ready PVCs with a primary role (#2544)
- Honor the ``cnpg.io/skipEmptyWalArchiveCheck`` annotation during recovery to
  bypass the check for an empty WAL archive (#2731)
- Prevent a cluster from being stuck when the PostgreSQL server is down but the
  pod is up on the primary (#2966)
- Avoid treating the designated primary in a replica cluster as a regular HA
  replica when replication slots are enabled (#2960)
- Reconcile services every time the selectors change or when
  labels/annotations need to be changed (#2918)
- Default both the owner and the database to ``app`` during recovery bootstrap
  (#2957)
- Avoid write-read concurrency on the cached cluster (#2884)
- Remove empty items, make them unique and sort them in the ``ResourceName``
  sections of the generated roles (#2875)
- Ensure that the ``ContinuousArchiving`` condition is properly set to
  'failed' in case of errors (#2625)
- Make the ``Backup`` resource reconciliation cycle more resilient to
  interruptions by stopping only if the backup is completed or failed (#2591)
- Reconcile PodMonitor ``labels`` and ``annotations`` (#2583)
- Fix backup failure due to missing RBAC ``resourceNames`` on the ``Role``
  object (#2956)
- Observability:

  - Add TCP port label to the default ``pg_stat_replication`` metric (#2961)
  - Fix the ``pg_wal_stat`` default metric for Prometheus (#2569)
  - Improve the ``pg_replication`` default metric for Prometheus (#2744 and
    #2750)
  - Use ``alertInstanceLabelFilter`` instead of ``alertName`` in the provided
    Grafana dashboard
  - Enforce ``standard_conforming_strings`` in metric collection (#2888)

Changes:

- Set the default operand image to PostgreSQL 16.0
- Fencing now uses PostgreSQL's fast shutdown instead of smart shutdown to halt
  an instance (#3051)
- Rename webhooks from the kb.io to the cnpg.io group (#2851)
- Replace the ``cnpg snapshot`` command with ``cnpg backup -m volumeSnapshot``
  for the ``kubectl`` plugin
- Let the ``cnpg hibernate`` plugin command use the
  ``ClusterManifestAnnotationName`` and ``PgControldataAnnotationName``
  annotations on PVCs (#2657)
- Add the ``cnpg.io/instanceRole`` label while deprecating the existing
  ``role`` label (#2915)

Technical enhancements:

- Replace ``k8s-api-docgen`` with ``gen-crd-api-reference-docs`` to
  automatically build the API reference documentation (#2606)

Version 1.20.2
--------------

**Release date:** July 27, 2023

Enhancements:

- New ``logs`` command in the kubectl plugin, to retrieve or follow the logs of
  all pods in a cluster (#2375)
- Add support for specifying ``priorityClassName`` in pods, helping Kubernetes
  make scheduling decisions (#2043)
- Add a metric and status field to monitor node usage by a CloudNativePG
  cluster (#2257)
- Various enhancements to the documentation:

  - Add troubleshooting instructions relating to hugepages (#1390)
  - Extend the FAQs page (#2344)

Technical enhancements:

- Add a check at the start of the restore process to ensure it can proceed;
  give improved error diagnostics if it cannot (#2419)
- Improve handling of non-expiring passwords in managed roles (#2334)

Fixes:

- Ensure the logic of setting the recovery target matches that of Postgres
  (#2460)
- Prevent taking over service accounts not owned by the cluster, by setting
  ``ownerMetadata`` only during service account creation (#2462)
- Ensure correct permissions of the PGDATA directory for initdb and restore
  (#2384)
- Prevent a possible crash of the instance manager during the configuration
  reload (#2393)
- Prevent the ``LastFailedArchiveTime`` alert from triggering if a new backup
  has been successful after the failed ones (#1751)
- Prevent services from targeting non-instance pods (#2336)

Security:

- Updated all project dependencies to the latest versions

Version 1.20.1
--------------

**Release date:** June 12, 2023

Enhancements:

- Add the ``snapshot`` command to the ``cnpg`` plugin to create a consistent
  cold backup of the cluster from a standby using the Kubernetes
  ``VolumeSnapshot`` standard resource (#1960)
- First implementation of recovery from a set of CSI VolumeSnapshot resources
  via the ``.spec.bootstrap.recovery.volumeSnapshot`` stanza (#1960)
- Add ``pg_failover_slots`` to managed extensions (#2057)
- Improved Grafana dashboard with updated instructions in the documentation and
  the quickstart guide (#1916)
- Introduce the ``schemaOnly`` option in the ``import`` stanza, to avoid
  exporting and importing data when you bootstrap a new Postgres Cluster from
  one or more existing databases (#2234)
- Add support for TopologySpreadConstraints to manage scheduling of instance
  pods (#2202)
- Add ``PodMonitor`` support to the ``Pooler`` for PgBouncer (#2034)
- Add an option to override the default Kubernetes scheduler (#2013)
- Allow configuration of the deployment strategy of a ``Pooler`` resource
  (#1983)
- Update the default PostgreSQL version to 15.3 (#2022)
- Use PgBouncer 1.19 by default (#2018)

Technical enhancements:

- Updated k8s kind tested versions (#2054)
- Declarative roles should ignore passwords if not set, easing management of
  previously existing roles (#2029)
- Use separate transactions to reconcile role credentials. Before this patch,
  the operator would revert the synchronization of all roles if one failed
  (#2004)
- Ensure fencing is removed during cluster restore (#1987)
- Improve logging when deleting Pods (#2136)

Fixes:

- Fix an unbound variable with the k3s engine which could prevent setup on k3s
  (#2157)
- Report the correct PG version in the metrics (#2126)
- Use the correct ``walStorage`` key in the documentation (#2140)
- Halt reconciliation when the operator cannot connect with the instances, and
  provide a clear diagnostic on such occasions. This will help clarify cases
  where network issues obstruct normal operation of CloudNativePG (#2145,
  #2233, and #2242)

Version 1.20.0
--------------

**Release date:** April 27, 2023

.. Note::
   CloudNativePG 1.20 introduces some changes to the default behavior of a few
   features for newly created ``Cluster`` resources, compared to previous
   versions of the operator. The goal of these changes is to improve the
   resilience of a Postgres cluster out of the box through convention over
   configuration. For clusters with one or more replicas:

   - Backup from standby is now enabled by default, unless ``target`` is
     explicitly set to ``primary``
   - Restart of the primary is now the default method to complete the
     unsupervised rolling update procedure (``primaryUpdateMethod`` defaults to
     ``restart``, unless explicitly set to ``switchover``)

   For further information, please refer to the "Installation and upgrades"
   section.

Features:

- **Declarative role management:** introduce the ``managed.roles`` stanza in
  the ``Cluster`` spec to provide full lifecycle management of database roles,
  by providing an abstraction over the related DDL commands in PostgreSQL, such
  as ``CREATE ROLE`` and ``ALTER ROLE`` (#1524, #1793 and #1815)
- **Declarative hibernation of a PostgreSQL cluster:** introduce a new
  annotation called ``cnpg.io/hibernation`` to declaratively hibernate a
  PostgreSQL cluster by deleting all pods and keeping only the PVCs; the
  feature also implements the inverse procedure (#1657)

Enhancements:

- Improve the ``--logs`` option of the ``report`` command of the ``cnpg``
  plugin for ``kubectl`` to also include the previous logs where available
  (#1811)
- The ``-any`` service is now disabled by default (#1755)

Security:

- Enable customization of ``SeccompProfile`` through override via a local file
  (#1827)

Fixes:

- Apply the PostgreSQL configuration provided by the user during the ``initdb``
  bootstrap phase, before the server is started for the first time (#1858)
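The following ``Cluster`` manifest is an added example, not part of these release notes or of the CloudNativePG project's own documentation. It shows how the security-relevant settings listed above fit together on a 1.20.6 operator: the TLS GUCs (``ssl_min_protocol_version``, ``ssl_max_protocol_version``, ``ssl_ciphers``) made configurable in 1.20.5, the ``ALTER SYSTEM`` switch introduced in 1.20.5, and a user name map declared through the ``.spec.postgresql.pg_ident`` stanza introduced in 1.20.6. The field names ``spec.postgresql.parameters`` and ``spec.postgresql.enableAlterSystem`` are assumed from the operator's ``Cluster`` API; the cluster name, image tag, map name and regular expression are constructed sample values.

```yaml
# Added example (not from the release notes): a hardened Cluster spec
# exercising the 1.20.5 / 1.20.6 settings described above.
apiVersion: postgresql.cnpg.io/v1
kind: Cluster
metadata:
  name: hardened-pg          # constructed sample name
spec:
  instances: 3
  imageName: ghcr.io/cloudnative-pg/postgresql:16.1   # 16.1 is the 1.20.5 default operand

  postgresql:
    # Assumed field: keeps ALTER SYSTEM disabled, which the 1.20.6 notes
    # describe as the default. Leaving it disabled avoids the read-only
    # postgresql.auto.conf pg_rewind issue fixed by #3728 and prevents a
    # database superuser from changing server settings outside the manifest.
    enableAlterSystem: false

    # Assumed field: server GUCs. 1.20.5 enforces TLSv1.3 by default on
    # PostgreSQL 12+; pinning both bounds and the cipher list makes the
    # intent explicit and reviewable instead of relying on the default.
    parameters:
      ssl_min_protocol_version: "TLSv1.3"
      ssl_max_protocol_version: "TLSv1.3"
      # With TLSv1.3 only, ssl_ciphers governs nothing for 1.3 suites
      # (PostgreSQL applies it to TLSv1.2 and below), so a conservative
      # value is kept here as defence in depth in case the minimum is lowered.
      ssl_ciphers: "HIGH:!aNULL:!MD5"

    # .spec.postgresql.pg_ident (on the page, #3534): list of user name maps in
    # pg_ident.conf syntax "MAPNAME SYSTEM-USERNAME PG-USERNAME".
    # Constructed sample: maps certificate CN "alice@example.test" to "alice".
    pg_ident:
      - "certmap /^(.*)@example\\.test$ \\1"

  storage:
    size: 10Gi
```

After the cluster is up, the effective values can be checked from a session on the primary with ``SHOW ssl_min_protocol_version;`` and ``SHOW ssl_max_protocol_version;``; a client that still negotiates TLSv1.2 should then fail to connect, which is the expected outcome, not a misconfiguration. Note that the ``pg_ident`` map only takes effect when a ``pg_hba`` rule references it with ``map=certmap``, so the map and the HBA rule have to be reviewed together.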