Release date: Mar 31, 2026

:::warning
This is the final release in the 1.27.x series. Users are strongly encouraged to upgrade to a newer minor version, as 1.27 is no longer supported.
:::
### Important changes

- Updated the deprecation notice for native (in-tree) Barman Cloud support to reflect that it will now be removed in CloudNativePG 1.30.0, rather than 1.29.0. Users are still encouraged to migrate to the Barman Cloud Plugin. (#10167)
### Enhancements

- Improved the `Pooler` CRD with support for granular configuration of TLS cipher suites and minimum/maximum TLS versions. This enables administrators to meet strict security compliance requirements for pooler-to-client and pooler-to-server connections. Contributed by @alex1989hu. (#9571)
- Improved the reliability of major upgrades by setting `BackoffLimit=0` on the upgrade job, preventing unnecessary retries of a failed `pg_upgrade`. The operator now automatically deletes the failed job when a user reverts the container image, allowing the cluster to restart gracefully on the original version. (#10104, #10298)
- Improved role management by verifying the instance is the primary before each reconciliation cycle, avoiding unnecessary reconciliation attempts and spurious error messages on read-only replicas. (#9971)
- Extended the CRD schemas for `Cluster`, `ImageCatalog`, and `ClusterImageCatalog` to accept the `extensions`, `bin_path`, and `env` fields introduced in 1.29. The operator ignores these fields on older versions, but accepting them in the schema allows users to share a single manifest across clusters running different CNPG versions. (#10131, #10387)
- The operator now honors the `primaryUpdateMethod` when adding new PVCs to a cluster, ensuring that the rollout strategy (e.g., switchover vs. restart) is respected during storage expansion or additions. (#9720)
### Security and Supply Chain

- Security best practices integration: integrated the OpenSSF baseline scanner and added a `SECURITY-INSIGHTS.yaml` file to the repository to align with industry-standard security reporting. (#10054, #10062)
- SLSA provenance and SBOMs: added SLSA (Supply-chain Levels for Software Artifacts) provenance to release binaries and container images. Additionally, enabled Software Bill of Materials (SBOM) generation within the GoReleaser pipeline for improved dependency transparency. (#10048, #10074)
- Password leak prevention: fixed a potential security risk where PostgreSQL could leak role passwords in the logs during specific reconciliation phases. (#9950)
### Changes

- Updated the default PostgreSQL version to 18.3 (image `18.3-system-trixie`). (#10090)
### Fixes

- Fixed an issue where fencing annotations could not be processed when the WAL disk was full, because the disk space check blocked the instance manager from starting. The check is now performed later in the lifecycle loop, after fencing is evaluated. (#10302)
- Fixed an issue where replicas would get stuck in a `Pending` state if the `VolumeSnapshot` used for the initial bootstrap had been deleted. The operator now validates snapshot existence before use; if a snapshot is missing, it attempts to use the next available candidate or falls back to `pg_basebackup`. (#10192)
- Prevented the "supervised primary" rollout strategy from consuming all available rollout slots, which previously caused delays in scheduled updates. Contributed by @ermakov-oleg. (#9977)
- Fixed an issue where certain hot-standby parameter changes were not being correctly applied to replica clusters. (#9952)
- Fixed a bug in the CNPG-I reconciler hook that could lead to skipping subsequent plugins when a "continue" result was returned. Contributed by @sharifmshaker. (#9978)
- Fixed a deadlock scenario that occurred when attempting to resize a filesystem on a PVC that was not currently attached to a Pod. Contributed by @jmealo. (#9981)
- Fixed webhook validation of bootstrap recovery sources to accept external clusters configured with `ConnectionParameters` (for `pg_basebackup`-based recovery). Previously, these were incorrectly rejected unless a Barman object store or CNPG-I plugin was also configured. (#10268)
- Volume names for extensions and tablespaces are now prefixed to avoid naming collisions with standard cluster volumes. (#9973)
- When hibernating a non-healthy cluster, the operator now reports a `WaitingForHealthy` condition, making the deferred hibernation state visible through `cnpg status`. (#10193)
- Fixed fencing to work correctly even when the target pod does not exist. Fencing operates on a cluster-level annotation and should not depend on pod existence; instance name validation is now performed only in the `cnpg fencing on` command. (#10035)
- Fixed the cluster and pooler service reconcilers to correctly handle changes to all spec fields when using the patch update strategy. The reconciler now uses RFC 7386 JSON Merge Patching, preventing cloud-provider-set fields (such as `loadBalancerClass`) from being inadvertently removed. (#10190, #10311)
- Fixed a race condition in the deprecated in-tree Barman Cloud backup implementation affecting parallel WAL restore, where prefetched files could be read while still being downloaded, causing PostgreSQL recovery to fail with "invalid checkpoint record" errors. (#10285)
- Fixed the timeline history file validation to also apply to plugin-based WAL restore. Previously, the protection introduced in #9650 only covered in-tree restores, allowing plugins to bypass the check and download future timeline history files, causing timeline mismatch errors on replicas. (#9849)
- `cnpg` plugin:
  - The cnpg plugin now correctly propagates ImagePullSecrets to the `pgbench` Job pod template. (#10174)
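To make the service-reconciler fix (#10190, #10311) concrete, the following is an added illustration, not code from CloudNativePG itself: a minimal RFC 7386 JSON Merge Patch implementation applied to a constructed `Service` object, contrasting a whole-spec overwrite (which silently drops the provider-populated `loadBalancerClass`) with a merge patch that only touches the keys the operator manages. All object contents, label names and the `service.k8s.aws/nlb` class value are constructed sample data.

```python
"""RFC 7386 JSON Merge Patch versus whole-spec replacement (added example)."""
import copy
from typing import Any


def merge_patch(target: Any, patch: Any) -> Any:
    """Apply a JSON Merge Patch (RFC 7386, section 2) to target and return the result.

    Objects are merged key by key, a null value removes the key, and anything
    that is not an object (including lists) replaces the target wholesale.
    """
    if not isinstance(patch, dict):
        return copy.deepcopy(patch)
    result = copy.deepcopy(target) if isinstance(target, dict) else {}
    for key, value in patch.items():
        if value is None:
            result.pop(key, None)  # null in the patch means "remove this key"
        else:
            result[key] = merge_patch(result.get(key), value)
    return result


# Constructed sample: the Service as stored in the API server. The cloud
# provider has populated loadBalancerClass; the operator's desired spec does
# not know about that field at all.
LIVE_SERVICE = {
    "metadata": {"name": "cluster-example-rw"},
    "spec": {
        "type": "LoadBalancer",
        "loadBalancerClass": "service.k8s.aws/nlb",  # constructed, provider-set
        "selector": {"cnpg.io/cluster": "cluster-example"},
        "ports": [{"name": "postgres", "port": 5432, "targetPort": 5432}],
    },
}

DESIRED_SPEC = {
    "type": "LoadBalancer",
    "selector": {"cnpg.io/cluster": "cluster-example"},
    "ports": [{"name": "postgres", "port": 5433, "targetPort": 5432}],
}


def reconcile_with_replace(live: dict, desired_spec: dict) -> dict:
    """Naive strategy: overwrite the whole spec, losing provider-set fields."""
    out = copy.deepcopy(live)
    out["spec"] = copy.deepcopy(desired_spec)
    return out


def reconcile_with_merge_patch(live: dict, desired_spec: dict) -> dict:
    """Merge-patch strategy: only keys present in the desired spec are changed."""
    return merge_patch(live, {"spec": desired_spec})
```

Note that a merge patch cannot remove a key it does not mention; to drop a field deliberately, the patch must set it to `null`, which `merge_patch` handles.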