From 17e42ccbdd9c586ff4a950fde173ee400cbf4385 Mon Sep 17 00:00:00 2001 From: gitea-bot Date: Wed, 10 Dec 2025 19:31:16 +0000 Subject: [PATCH] chore: Update manifests after change --- .../ClusterRole-cloudnative-pg-edit.yaml | 4 +- .../ClusterRole-cloudnative-pg-view.yaml | 4 +- .../ClusterRole-cloudnative-pg.yaml | 4 +- .../ClusterRoleBinding-cloudnative-pg.yaml | 4 +- ...figMap-cnpg-controller-manager-config.yaml | 4 +- .../ConfigMap-cnpg-default-monitoring.yaml | 4 +- ...efinition-clusters.postgresql.cnpg.io.yaml | 495 +++++++++++++++++- ...finition-databases.postgresql.cnpg.io.yaml | 232 +++++++- ...Definition-poolers.postgresql.cnpg.io.yaml | 57 ++ .../Deployment-cloudnative-pg.yaml | 14 +- ...n-cnpg-mutating-webhook-configuration.yaml | 4 +- .../PodMonitor-cloudnative-pg.yaml | 4 +- .../Service-cnpg-webhook-service.yaml | 4 +- .../ServiceAccount-cloudnative-pg.yaml | 4 +- ...cnpg-validating-webhook-configuration.yaml | 4 +- 15 files changed, 794 insertions(+), 48 deletions(-) diff --git a/clusters/cl01tl/manifests/cloudnative-pg/ClusterRole-cloudnative-pg-edit.yaml b/clusters/cl01tl/manifests/cloudnative-pg/ClusterRole-cloudnative-pg-edit.yaml index d0a7d5d00..04fca0d2b 100644 --- a/clusters/cl01tl/manifests/cloudnative-pg/ClusterRole-cloudnative-pg-edit.yaml +++ b/clusters/cl01tl/manifests/cloudnative-pg/ClusterRole-cloudnative-pg-edit.yaml @@ -3,10 +3,10 @@ kind: ClusterRole metadata: name: cloudnative-pg-edit labels: - helm.sh/chart: cloudnative-pg-0.26.1 + helm.sh/chart: cloudnative-pg-0.27.0 app.kubernetes.io/name: cloudnative-pg app.kubernetes.io/instance: cloudnative-pg - app.kubernetes.io/version: "1.27.1" + app.kubernetes.io/version: "1.28.0" app.kubernetes.io/managed-by: Helm rules: - apiGroups: diff --git a/clusters/cl01tl/manifests/cloudnative-pg/ClusterRole-cloudnative-pg-view.yaml b/clusters/cl01tl/manifests/cloudnative-pg/ClusterRole-cloudnative-pg-view.yaml index c72ba9ef5..f0a7774e3 100644 
--- a/clusters/cl01tl/manifests/cloudnative-pg/ClusterRole-cloudnative-pg-view.yaml +++ b/clusters/cl01tl/manifests/cloudnative-pg/ClusterRole-cloudnative-pg-view.yaml @@ -3,10 +3,10 @@ kind: ClusterRole metadata: name: cloudnative-pg-view labels: - helm.sh/chart: cloudnative-pg-0.26.1 + helm.sh/chart: cloudnative-pg-0.27.0 app.kubernetes.io/name: cloudnative-pg app.kubernetes.io/instance: cloudnative-pg - app.kubernetes.io/version: "1.27.1" + app.kubernetes.io/version: "1.28.0" app.kubernetes.io/managed-by: Helm rules: - apiGroups: diff --git a/clusters/cl01tl/manifests/cloudnative-pg/ClusterRole-cloudnative-pg.yaml b/clusters/cl01tl/manifests/cloudnative-pg/ClusterRole-cloudnative-pg.yaml index 266517fc7..fc86aaa91 100644 --- a/clusters/cl01tl/manifests/cloudnative-pg/ClusterRole-cloudnative-pg.yaml +++ b/clusters/cl01tl/manifests/cloudnative-pg/ClusterRole-cloudnative-pg.yaml @@ -3,10 +3,10 @@ kind: ClusterRole metadata: name: cloudnative-pg labels: - helm.sh/chart: cloudnative-pg-0.26.1 + helm.sh/chart: cloudnative-pg-0.27.0 app.kubernetes.io/name: cloudnative-pg app.kubernetes.io/instance: cloudnative-pg - app.kubernetes.io/version: "1.27.1" + app.kubernetes.io/version: "1.28.0" app.kubernetes.io/managed-by: Helm rules: - apiGroups: diff --git a/clusters/cl01tl/manifests/cloudnative-pg/ClusterRoleBinding-cloudnative-pg.yaml b/clusters/cl01tl/manifests/cloudnative-pg/ClusterRoleBinding-cloudnative-pg.yaml index 0649744e5..31cd3a8ca 100644 --- a/clusters/cl01tl/manifests/cloudnative-pg/ClusterRoleBinding-cloudnative-pg.yaml +++ b/clusters/cl01tl/manifests/cloudnative-pg/ClusterRoleBinding-cloudnative-pg.yaml 
@@ -3,10 +3,10 @@ kind: ClusterRoleBinding metadata: name: cloudnative-pg labels: - helm.sh/chart: cloudnative-pg-0.26.1 + helm.sh/chart: cloudnative-pg-0.27.0 app.kubernetes.io/name: cloudnative-pg app.kubernetes.io/instance: cloudnative-pg - app.kubernetes.io/version: "1.27.1" + app.kubernetes.io/version: "1.28.0" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io diff --git a/clusters/cl01tl/manifests/cloudnative-pg/ConfigMap-cnpg-controller-manager-config.yaml b/clusters/cl01tl/manifests/cloudnative-pg/ConfigMap-cnpg-controller-manager-config.yaml index 74356ef1f..12812c582 100644 --- a/clusters/cl01tl/manifests/cloudnative-pg/ConfigMap-cnpg-controller-manager-config.yaml +++ b/clusters/cl01tl/manifests/cloudnative-pg/ConfigMap-cnpg-controller-manager-config.yaml @@ -4,9 +4,9 @@ metadata: name: cnpg-controller-manager-config namespace: cloudnative-pg labels: - helm.sh/chart: cloudnative-pg-0.26.1 + helm.sh/chart: cloudnative-pg-0.27.0 app.kubernetes.io/name: cloudnative-pg app.kubernetes.io/instance: cloudnative-pg - app.kubernetes.io/version: "1.27.1" + app.kubernetes.io/version: "1.28.0" app.kubernetes.io/managed-by: Helm data: {} diff --git a/clusters/cl01tl/manifests/cloudnative-pg/ConfigMap-cnpg-default-monitoring.yaml b/clusters/cl01tl/manifests/cloudnative-pg/ConfigMap-cnpg-default-monitoring.yaml index b2764b982..863cd9249 100644 --- a/clusters/cl01tl/manifests/cloudnative-pg/ConfigMap-cnpg-default-monitoring.yaml +++ b/clusters/cl01tl/manifests/cloudnative-pg/ConfigMap-cnpg-default-monitoring.yaml @@ -4,10 +4,10 @@ metadata: name: cnpg-default-monitoring namespace: cloudnative-pg labels: - helm.sh/chart: cloudnative-pg-0.26.1 + helm.sh/chart: cloudnative-pg-0.27.0 app.kubernetes.io/name: cloudnative-pg app.kubernetes.io/instance: cloudnative-pg - app.kubernetes.io/version: "1.27.1" + app.kubernetes.io/version: "1.28.0" app.kubernetes.io/managed-by: Helm cnpg.io/reload: "" data: 
diff --git a/clusters/cl01tl/manifests/cloudnative-pg/CustomResourceDefinition-clusters.postgresql.cnpg.io.yaml b/clusters/cl01tl/manifests/cloudnative-pg/CustomResourceDefinition-clusters.postgresql.cnpg.io.yaml index 8fad70a18..1d9d63909 100644 --- a/clusters/cl01tl/manifests/cloudnative-pg/CustomResourceDefinition-clusters.postgresql.cnpg.io.yaml +++ b/clusters/cl01tl/manifests/cloudnative-pg/CustomResourceDefinition-clusters.postgresql.cnpg.io.yaml 
@@ -1486,19 +1486,59 @@ spec: type: array pgDumpExtraOptions: description: |- - List of custom options to pass to the `pg_dump` command. IMPORTANT: - Use these options with caution and at your own risk, as the operator - does not validate their content. Be aware that certain options may - conflict with the operator's intended functionality or design. + List of custom options to pass to the `pg_dump` command. + + IMPORTANT: Use with caution. The operator does not validate these options, + and certain flags may interfere with its intended functionality or design. + You are responsible for ensuring that the provided options are compatible + with your environment and desired behavior. + items: + type: string + type: array + pgRestoreDataOptions: + description: |- + Custom options to pass to the `pg_restore` command during the `data` + section. This setting overrides the generic `pgRestoreExtraOptions` value. + + IMPORTANT: Use with caution. The operator does not validate these options, + and certain flags may interfere with its intended functionality or design. + You are responsible for ensuring that the provided options are compatible + with your environment and desired behavior. items: type: string type: array pgRestoreExtraOptions: description: |- - List of custom options to pass to the `pg_restore` command. IMPORTANT: - Use these options with caution and at your own risk, as the operator - does not validate their content. Be aware that certain options may - conflict with the operator's intended functionality or design. + List of custom options to pass to the `pg_restore` command. + + IMPORTANT: Use with caution. The operator does not validate these options, + and certain flags may interfere with its intended functionality or design. + You are responsible for ensuring that the provided options are compatible + with your environment and desired behavior. 
+ items: + type: string + type: array + pgRestorePostdataOptions: + description: |- + Custom options to pass to the `pg_restore` command during the `post-data` + section. This setting overrides the generic `pgRestoreExtraOptions` value. + + IMPORTANT: Use with caution. The operator does not validate these options, + and certain flags may interfere with its intended functionality or design. + You are responsible for ensuring that the provided options are compatible + with your environment and desired behavior. + items: + type: string + type: array + pgRestorePredataOptions: + description: |- + Custom options to pass to the `pg_restore` command during the `pre-data` + section. This setting overrides the generic `pgRestoreExtraOptions` value. + + IMPORTANT: Use with caution. The operator does not validate these options, + and certain flags may interfere with its intended functionality or design. + You are responsible for ensuring that the provided options are compatible + with your environment and desired behavior. items: type: string type: array @@ -1557,6 +1597,7 @@ spec: options: description: |- The list of options that must be passed to initdb when creating the cluster. + Deprecated: This could lead to inconsistent configurations, please use the explicit provided parameters instead. If defined, explicit values will be ignored. 
@@ -3677,6 +3718,14 @@ spec: Deprecated: This feature will be removed in an upcoming release. If you need this functionality, you can create a PodMonitor manually. type: boolean + metricsQueriesTTL: + description: |- + The interval during which metrics computed from queries are considered current. + Once it is exceeded, a new scrape will trigger a rerun + of the queries. + If not set, defaults to 30 seconds, in line with Prometheus scraping defaults. + Setting this to zero disables the caching mechanism and can cause heavy load on the PostgreSQL server. + type: string podMonitorMetricRelabelings: description: |- The list of metric relabelings for the `PodMonitor`. Applied to samples before ingestion. 
@@ -3914,6 +3963,237 @@ spec: - name type: object type: array + podSecurityContext: + description: |- + Override the PodSecurityContext applied to every Pod of the cluster. + When set, this overrides the operator's default PodSecurityContext for the cluster. + If omitted, the operator defaults are used. + This field doesn't have any effect if SecurityContextConstraints are present. + properties: + appArmorProfile: + description: |- + appArmorProfile is the AppArmor options to use by the containers in this pod. + Note that this field cannot be set when spec.os.name is windows. + properties: + localhostProfile: + description: |- + localhostProfile indicates a profile loaded on the node that should be used. + The profile must be preconfigured on the node to work. + Must match the loaded name of the profile. + Must be set if and only if type is "Localhost". + type: string + type: + description: |- + type indicates which kind of AppArmor profile will be applied. + Valid options are: + Localhost - a profile pre-loaded on the node. + RuntimeDefault - the container runtime's default profile. + Unconfined - no AppArmor enforcement. + type: string + required: + - type + type: object + fsGroup: + description: |- + A special supplemental group that applies to all containers in a pod. + Some volume types allow the Kubelet to change the ownership of that volume + to be owned by the pod: + + 1. The owning GID will be the FSGroup + 2. The setgid bit is set (new files created in the volume will be owned by FSGroup) + 3. The permission bits are OR'd with rw-rw---- + + If unset, the Kubelet will not modify the ownership and permissions of any volume. + Note that this field cannot be set when spec.os.name is windows. + format: int64 + type: integer + fsGroupChangePolicy: + description: |- + fsGroupChangePolicy defines behavior of changing ownership and permission of the volume + before being exposed inside Pod. 
This field will only apply to + volume types which support fsGroup based ownership(and permissions). + It will have no effect on ephemeral volume types such as: secret, configmaps + and emptydir. + Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used. + Note that this field cannot be set when spec.os.name is windows. + type: string + runAsGroup: + description: |- + The GID to run the entrypoint of the container process. + Uses runtime default if unset. + May also be set in SecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence + for that container. + Note that this field cannot be set when spec.os.name is windows. + format: int64 + type: integer + runAsNonRoot: + description: |- + Indicates that the container must run as a non-root user. + If true, the Kubelet will validate the image at runtime to ensure that it + does not run as UID 0 (root) and fail to start the container if it does. + If unset or false, no such validation will be performed. + May also be set in SecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. + type: boolean + runAsUser: + description: |- + The UID to run the entrypoint of the container process. + Defaults to user specified in image metadata if unspecified. + May also be set in SecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence + for that container. + Note that this field cannot be set when spec.os.name is windows. + format: int64 + type: integer + seLinuxChangePolicy: + description: |- + seLinuxChangePolicy defines how the container's SELinux label is applied to all volumes used by the Pod. + It has no effect on nodes that do not support SELinux or to volumes does not support SELinux. + Valid values are "MountOption" and "Recursive". 
+ + "Recursive" means relabeling of all files on all Pod volumes by the container runtime. + This may be slow for large volumes, but allows mixing privileged and unprivileged Pods sharing the same volume on the same node. + + "MountOption" mounts all eligible Pod volumes with `-o context` mount option. + This requires all Pods that share the same volume to use the same SELinux label. + It is not possible to share the same volume among privileged and unprivileged Pods. + Eligible volumes are in-tree FibreChannel and iSCSI volumes, and all CSI volumes + whose CSI driver announces SELinux support by setting spec.seLinuxMount: true in their + CSIDriver instance. Other volumes are always re-labelled recursively. + "MountOption" value is allowed only when SELinuxMount feature gate is enabled. + + If not specified and SELinuxMount feature gate is enabled, "MountOption" is used. + If not specified and SELinuxMount feature gate is disabled, "MountOption" is used for ReadWriteOncePod volumes + and "Recursive" for all other volumes. + + This field affects only Pods that have SELinux label set, either in PodSecurityContext or in SecurityContext of all containers. + + All Pods that use the same volume should use the same seLinuxChangePolicy, otherwise some pods can get stuck in ContainerCreating state. + Note that this field cannot be set when spec.os.name is windows. + type: string + seLinuxOptions: + description: |- + The SELinux context to be applied to all containers. + If unspecified, the container runtime will allocate a random SELinux context for each + container. May also be set in SecurityContext. If set in + both SecurityContext and PodSecurityContext, the value specified in SecurityContext + takes precedence for that container. + Note that this field cannot be set when spec.os.name is windows. + properties: + level: + description: Level is SELinux level label that applies to the container. 
+ type: string + role: + description: Role is a SELinux role label that applies to the container. + type: string + type: + description: Type is a SELinux type label that applies to the container. + type: string + user: + description: User is a SELinux user label that applies to the container. + type: string + type: object + seccompProfile: + description: |- + The seccomp options to use by the containers in this pod. + Note that this field cannot be set when spec.os.name is windows. + properties: + localhostProfile: + description: |- + localhostProfile indicates a profile defined in a file on the node should be used. + The profile must be preconfigured on the node to work. + Must be a descending path, relative to the kubelet's configured seccomp profile location. + Must be set if type is "Localhost". Must NOT be set for any other type. + type: string + type: + description: |- + type indicates which kind of seccomp profile will be applied. + Valid options are: + + Localhost - a profile defined in a file on the node should be used. + RuntimeDefault - the container runtime default profile should be used. + Unconfined - no profile should be applied. + type: string + required: + - type + type: object + supplementalGroups: + description: |- + A list of groups applied to the first process run in each container, in + addition to the container's primary GID and fsGroup (if specified). If + the SupplementalGroupsPolicy feature is enabled, the + supplementalGroupsPolicy field determines whether these are in addition + to or instead of any group memberships defined in the container image. + If unspecified, no additional groups are added, though group memberships + defined in the container image may still be used, depending on the + supplementalGroupsPolicy field. + Note that this field cannot be set when spec.os.name is windows. 
+ items: + format: int64 + type: integer + type: array + x-kubernetes-list-type: atomic + supplementalGroupsPolicy: + description: |- + Defines how supplemental groups of the first container processes are calculated. + Valid values are "Merge" and "Strict". If not specified, "Merge" is used. + (Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled + and the container runtime must implement support for this feature. + Note that this field cannot be set when spec.os.name is windows. + type: string + sysctls: + description: |- + Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported + sysctls (by the container runtime) might fail to launch. + Note that this field cannot be set when spec.os.name is windows. + items: + description: Sysctl defines a kernel parameter to be set + properties: + name: + description: Name of a property to set + type: string + value: + description: Value of a property to set + type: string + required: + - name + - value + type: object + type: array + x-kubernetes-list-type: atomic + windowsOptions: + description: |- + The Windows specific settings applied to all containers. + If unspecified, the options within a container's SecurityContext will be used. + If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name is linux. + properties: + gmsaCredentialSpec: + description: |- + GMSACredentialSpec is where the GMSA admission webhook + (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the + GMSA credential spec named by the GMSACredentialSpecName field. + type: string + gmsaCredentialSpecName: + description: GMSACredentialSpecName is the name of the GMSA credential spec to use. + type: string + hostProcess: + description: |- + HostProcess determines if a container should be run as a 'Host Process' container. 
+ All of a Pod's containers must have the same effective HostProcess value + (it is not allowed to have a mix of HostProcess containers and non-HostProcess containers). + In addition, if HostProcess is true then HostNetwork must also be set to true. + type: boolean + runAsUserName: + description: |- + The UserName in Windows to run the entrypoint of the container process. + Defaults to the user specified in image metadata if unspecified. + May also be set in PodSecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. + type: string + type: object + type: object postgresGID: default: 26 description: The GID of the `postgres` user inside the image, defaults to `26` @@ -4125,6 +4405,12 @@ spec: - required - preferred type: string + failoverQuorum: + description: |- + FailoverQuorum enables a quorum-based check before failover, improving + data durability and safety during failover events in CloudNativePG-managed + PostgreSQL clusters. + type: boolean maxStandbyNamesFromCluster: description: |- Specifies the maximum number of local cluster pods that can be @@ -4177,7 +4463,10 @@ spec: description: |- Method to follow to upgrade the primary server during a rolling update procedure, after all replicas have been successfully updated: - it can be with a switchover (`switchover`) or in-place (`restart` - default) + it can be with a switchover (`switchover`) or in-place (`restart` - default). + Note: when using `switchover`, the operator will reject updates that change both + the image name and PostgreSQL configuration parameters simultaneously to avoid + configuration mismatches during the switchover process. enum: - switchover - restart 
@@ -5018,6 +5307,194 @@ spec: required: - type type: object + securityContext: + description: |- + Override the SecurityContext applied to every Container in the Pod of the cluster. + When set, this overrides the operator's default Container SecurityContext. + If omitted, the operator defaults are used. + properties: + allowPrivilegeEscalation: + description: |- + AllowPrivilegeEscalation controls whether a process can gain more + privileges than its parent process. This bool directly controls if + the no_new_privs flag will be set on the container process. + AllowPrivilegeEscalation is true always when the container is: + 1) run as Privileged + 2) has CAP_SYS_ADMIN + Note that this field cannot be set when spec.os.name is windows. + type: boolean + appArmorProfile: + description: |- + appArmorProfile is the AppArmor options to use by this container. If set, this profile + overrides the pod's appArmorProfile. + Note that this field cannot be set when spec.os.name is windows. + properties: + localhostProfile: + description: |- + localhostProfile indicates a profile loaded on the node that should be used. + The profile must be preconfigured on the node to work. + Must match the loaded name of the profile. + Must be set if and only if type is "Localhost". + type: string + type: + description: |- + type indicates which kind of AppArmor profile will be applied. + Valid options are: + Localhost - a profile pre-loaded on the node. + RuntimeDefault - the container runtime's default profile. + Unconfined - no AppArmor enforcement. + type: string + required: + - type + type: object + capabilities: + description: |- + The capabilities to add/drop when running containers. + Defaults to the default set of capabilities granted by the container runtime. + Note that this field cannot be set when spec.os.name is windows. 
+ properties: + add: + description: Added capabilities + items: + description: Capability represent POSIX capabilities type + type: string + type: array + x-kubernetes-list-type: atomic + drop: + description: Removed capabilities + items: + description: Capability represent POSIX capabilities type + type: string + type: array + x-kubernetes-list-type: atomic + type: object + privileged: + description: |- + Run container in privileged mode. + Processes in privileged containers are essentially equivalent to root on the host. + Defaults to false. + Note that this field cannot be set when spec.os.name is windows. + type: boolean + procMount: + description: |- + procMount denotes the type of proc mount to use for the containers. + The default value is Default which uses the container runtime defaults for + readonly paths and masked paths. + This requires the ProcMountType feature flag to be enabled. + Note that this field cannot be set when spec.os.name is windows. + type: string + readOnlyRootFilesystem: + description: |- + Whether this container has a read-only root filesystem. + Default is false. + Note that this field cannot be set when spec.os.name is windows. + type: boolean + runAsGroup: + description: |- + The GID to run the entrypoint of the container process. + Uses runtime default if unset. + May also be set in PodSecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name is windows. + format: int64 + type: integer + runAsNonRoot: + description: |- + Indicates that the container must run as a non-root user. + If true, the Kubelet will validate the image at runtime to ensure that it + does not run as UID 0 (root) and fail to start the container if it does. + If unset or false, no such validation will be performed. + May also be set in PodSecurityContext. 
If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. + type: boolean + runAsUser: + description: |- + The UID to run the entrypoint of the container process. + Defaults to user specified in image metadata if unspecified. + May also be set in PodSecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name is windows. + format: int64 + type: integer + seLinuxOptions: + description: |- + The SELinux context to be applied to the container. + If unspecified, the container runtime will allocate a random SELinux context for each + container. May also be set in PodSecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name is windows. + properties: + level: + description: Level is SELinux level label that applies to the container. + type: string + role: + description: Role is a SELinux role label that applies to the container. + type: string + type: + description: Type is a SELinux type label that applies to the container. + type: string + user: + description: User is a SELinux user label that applies to the container. + type: string + type: object + seccompProfile: + description: |- + The seccomp options to use by this container. If seccomp options are + provided at both the pod & container level, the container options + override the pod options. + Note that this field cannot be set when spec.os.name is windows. + properties: + localhostProfile: + description: |- + localhostProfile indicates a profile defined in a file on the node should be used. + The profile must be preconfigured on the node to work. + Must be a descending path, relative to the kubelet's configured seccomp profile location. + Must be set if type is "Localhost". Must NOT be set for any other type. 
+ type: string + type: + description: |- + type indicates which kind of seccomp profile will be applied. + Valid options are: + + Localhost - a profile defined in a file on the node should be used. + RuntimeDefault - the container runtime default profile should be used. + Unconfined - no profile should be applied. + type: string + required: + - type + type: object + windowsOptions: + description: |- + The Windows specific settings applied to all containers. + If unspecified, the options from the PodSecurityContext will be used. + If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name is linux. + properties: + gmsaCredentialSpec: + description: |- + GMSACredentialSpec is where the GMSA admission webhook + (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the + GMSA credential spec named by the GMSACredentialSpecName field. + type: string + gmsaCredentialSpecName: + description: GMSACredentialSpecName is the name of the GMSA credential spec to use. + type: string + hostProcess: + description: |- + HostProcess determines if a container should be run as a 'Host Process' container. + All of a Pod's containers must have the same effective HostProcess value + (it is not allowed to have a mix of HostProcess containers and non-HostProcess containers). + In addition, if HostProcess is true then HostNetwork must also be set to true. + type: boolean + runAsUserName: + description: |- + The UserName in Windows to run the entrypoint of the container process. + Defaults to the user specified in image metadata if unspecified. + May also be set in PodSecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. + type: string + type: object + type: object serviceAccountTemplate: description: Configure the generation of the service account properties: 
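Review bot: The new `securityContext` object here (and the `podSecurityContext` object added in the hunk at `@@ -3914,6 +3963,237 @@`) lets any principal who can create or edit a `Cluster` set `privileged: true`, `capabilities.add`, `allowPrivilegeEscalation: true` or `runAsUser: 0` on the PostgreSQL pods, and the hunk adds no `x-kubernetes-validations` on those fields, so the operator defaults these descriptions say are "overridden" are only as strong as the admission policy in front of them. Since this is rendered upstream chart output, the schema is not the place to fix that; what this repo can do before the upgrade lands is confirm that every namespace where `Cluster` resources are authored carries a Pod Security Admission label such as `pod-security.kubernetes.io/enforce: restricted` (or an equivalent validating policy), and that `Cluster` create/update is limited to trusted roles. The `pgDumpExtraOptions`/`pgRestore*Options` lists in the hunk at `@@ -1486,19 +1486,59 @@` belong to the same category: their descriptions state the operator does not validate them, so the same principals get free-form arguments to `pg_dump`/`pg_restore` in the import job, and the mitigation is the same RBAC scoping rather than anything in the schema.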
diff --git a/clusters/cl01tl/manifests/cloudnative-pg/CustomResourceDefinition-databases.postgresql.cnpg.io.yaml b/clusters/cl01tl/manifests/cloudnative-pg/CustomResourceDefinition-databases.postgresql.cnpg.io.yaml index 7206ea217..731492429 100644 --- a/clusters/cl01tl/manifests/cloudnative-pg/CustomResourceDefinition-databases.postgresql.cnpg.io.yaml +++ b/clusters/cl01tl/manifests/cloudnative-pg/CustomResourceDefinition-databases.postgresql.cnpg.io.yaml @@ -131,16 +131,16 @@ spec: ensure: default: present description: |- - Specifies whether an extension/schema should be present or absent in - the database. If set to `present`, the extension/schema will be - created if it does not exist. If set to `absent`, the - extension/schema will be removed if it exists. + Specifies whether an object (e.g schema) should be present or absent + in the database. If set to `present`, the object will be created if + it does not exist. If set to `absent`, the extension/schema will be + removed if it exists. enum: - present - absent type: string name: - description: Name of the extension/schema + description: Name of the object (extension, schema, FDW, server) type: string schema: description: |- 
@@ -160,6 +160,95 @@ spec: - name type: object type: array + fdws: + description: The list of foreign data wrappers to be managed in the database + items: + description: FDWSpec configures an Foreign Data Wrapper in a database + properties: + ensure: + default: present + description: |- + Specifies whether an object (e.g schema) should be present or absent + in the database. If set to `present`, the object will be created if + it does not exist. If set to `absent`, the extension/schema will be + removed if it exists. + enum: + - present + - absent + type: string + handler: + description: |- + Name of the handler function (e.g., "postgres_fdw_handler"). + This will be empty if no handler is specified. In that case, + the default handler is registered when the FDW extension is created. + type: string + name: + description: Name of the object (extension, schema, FDW, server) + type: string + options: + description: Options specifies the configuration options for the FDW. + items: + description: OptionSpec holds the name, value and the ensure field for an option + properties: + ensure: + default: present + description: |- + Specifies whether an option should be present or absent in + the database. If set to `present`, the option will be + created if it does not exist. If set to `absent`, the + option will be removed if it exists. + enum: + - present + - absent + type: string + name: + description: Name of the option + type: string + value: + description: Value of the option + type: string + required: + - name + - value + type: object + type: array + owner: + description: |- + Owner specifies the database role that will own the Foreign Data Wrapper. + The role must have superuser privileges in the target database. + type: string + usage: + description: List of roles for which `USAGE` privileges on the FDW are granted or revoked. 
+ items: + description: UsageSpec configures a usage for a foreign data wrapper + properties: + name: + description: Name of the usage + type: string + x-kubernetes-validations: + - message: name is required + rule: self != '' + type: + default: grant + description: The type of usage + enum: + - grant + - revoke + type: string + required: + - name + type: object + type: array + validator: + description: |- + Name of the validator function (e.g., "postgres_fdw_validator"). + This will be empty if no validator is specified. In that case, + the default validator is registered when the FDW extension is created. + type: string + required: + - name + type: object + type: array icuLocale: description: |- Maps to the `ICU_LOCALE` parameter of `CREATE DATABASE`. This @@ -246,16 +335,16 @@ spec: ensure: default: present description: |- - Specifies whether an extension/schema should be present or absent in - the database. If set to `present`, the extension/schema will be - created if it does not exist. If set to `absent`, the - extension/schema will be removed if it exists. + Specifies whether an object (e.g schema) should be present or absent + in the database. If set to `present`, the object will be created if + it does not exist. If set to `absent`, the extension/schema will be + removed if it exists. enum: - present - absent type: string name: - description: Name of the extension/schema + description: Name of the object (extension, schema, FDW, server) type: string owner: description: |- 
@@ -267,6 +356,87 @@ spec: - name type: object type: array + servers: + description: The list of foreign servers to be managed in the database + items: + description: ServerSpec configures a server of a foreign data wrapper + properties: + ensure: + default: present + description: |- + Specifies whether an object (e.g schema) should be present or absent + in the database. If set to `present`, the object will be created if + it does not exist. If set to `absent`, the extension/schema will be + removed if it exists. + enum: + - present + - absent + type: string + fdw: + description: The name of the Foreign Data Wrapper (FDW) + type: string + x-kubernetes-validations: + - message: fdw is required + rule: self != '' + name: + description: Name of the object (extension, schema, FDW, server) + type: string + options: + description: |- + Options specifies the configuration options for the server + (key is the option name, value is the option value). + items: + description: OptionSpec holds the name, value and the ensure field for an option + properties: + ensure: + default: present + description: |- + Specifies whether an option should be present or absent in + the database. If set to `present`, the option will be + created if it does not exist. If set to `absent`, the + option will be removed if it exists. + enum: + - present + - absent + type: string + name: + description: Name of the option + type: string + value: + description: Value of the option + type: string + required: + - name + - value + type: object + type: array + usage: + description: List of roles for which `USAGE` privileges on the server are granted or revoked. 
+ items: + description: UsageSpec configures a usage for a foreign data wrapper + properties: + name: + description: Name of the usage + type: string + x-kubernetes-validations: + - message: name is required + rule: self != '' + type: + default: grant + description: The type of usage + enum: + - grant + - revoke + type: string + required: + - name + type: object + type: array + required: + - fdw + - name + type: object + type: array tablespace: description: |- Maps to the `TABLESPACE` parameter of `CREATE DATABASE`. @@ -326,6 +496,27 @@ spec: - name type: object type: array + fdws: + description: FDWs is the status of the managed FDWs + items: + description: DatabaseObjectStatus is the status of the managed database objects + properties: + applied: + description: |- + True of the object has been installed successfully in + the database + type: boolean + message: + description: Message is the object reconciliation message + type: string + name: + description: The name of the object + type: string + required: + - applied + - name + type: object + type: array message: description: Message is the reconciliation output message type: string @@ -356,6 +547,27 @@ spec: - name type: object type: array + servers: + description: Servers is the status of the managed servers + items: + description: DatabaseObjectStatus is the status of the managed database objects + properties: + applied: + description: |- + True of the object has been installed successfully in + the database + type: boolean + message: + description: Message is the object reconciliation message + type: string + name: + description: The name of the object + type: string + required: + - applied + - name + type: object + type: array type: object required: - metadata diff --git a/clusters/cl01tl/manifests/cloudnative-pg/CustomResourceDefinition-poolers.postgresql.cnpg.io.yaml b/clusters/cl01tl/manifests/cloudnative-pg/CustomResourceDefinition-poolers.postgresql.cnpg.io.yaml index 8d894da40..e6a612298 100644 
--- a/clusters/cl01tl/manifests/cloudnative-pg/CustomResourceDefinition-poolers.postgresql.cnpg.io.yaml +++ b/clusters/cl01tl/manifests/cloudnative-pg/CustomResourceDefinition-poolers.postgresql.cnpg.io.yaml @@ -311,6 +311,30 @@ spec: query. In case it is specified, also an AuthQuery (e.g. "SELECT usename, passwd FROM pg_catalog.pg_shadow WHERE usename=$1") has to be specified and no automatic CNPG Cluster integration will be triggered. + + Deprecated. + properties: + name: + description: Name of the referent. + type: string + required: + - name + type: object + clientCASecret: + description: |- + ClientCASecret provides PgBouncer’s client_tls_ca_file, the root + CA for validating client certificates + properties: + name: + description: Name of the referent. + type: string + required: + - name + type: object + clientTLSSecret: + description: |- + ClientTLSSecret provides PgBouncer’s client_tls_key_file (private key) + and client_tls_cert_file (certificate) used to accept client connections properties: name: description: Name of the referent. @@ -347,6 +371,29 @@ spec: - session - transaction type: string + serverCASecret: + description: |- + ServerCASecret provides PgBouncer’s server_tls_ca_file, the root + CA for validating PostgreSQL certificates + properties: + name: + description: Name of the referent. + type: string + required: + - name + type: object + serverTLSSecret: + description: |- + ServerTLSSecret, when pointing to a TLS secret, provides pgbouncer's + `server_tls_key_file` and `server_tls_cert_file`, used when + authenticating against PostgreSQL. + properties: + name: + description: Name of the referent. + type: string + required: + - name + type: object type: object serviceTemplate: description: Template for the Service to be created 
@@ -8799,6 +8846,16 @@ spec: description: The ResourceVersion of the secret type: string type: object + clientTLS: + description: The client TLS secret version + properties: + name: + description: The name of the secret + type: string + version: + description: The ResourceVersion of the secret + type: string + type: object pgBouncerSecrets: description: The version of the secrets used by PgBouncer properties: diff --git a/clusters/cl01tl/manifests/cloudnative-pg/Deployment-cloudnative-pg.yaml b/clusters/cl01tl/manifests/cloudnative-pg/Deployment-cloudnative-pg.yaml index 679e598fb..fd723e6e1 100644 --- a/clusters/cl01tl/manifests/cloudnative-pg/Deployment-cloudnative-pg.yaml +++ b/clusters/cl01tl/manifests/cloudnative-pg/Deployment-cloudnative-pg.yaml @@ -4,10 +4,10 @@ metadata: name: cloudnative-pg namespace: cloudnative-pg labels: - helm.sh/chart: cloudnative-pg-0.26.1 + helm.sh/chart: cloudnative-pg-0.27.0 app.kubernetes.io/name: cloudnative-pg app.kubernetes.io/instance: cloudnative-pg - app.kubernetes.io/version: "1.27.1" + app.kubernetes.io/version: "1.28.0" app.kubernetes.io/managed-by: Helm spec: replicas: 2 @@ -18,9 +18,9 @@ spec: template: metadata: annotations: - checksum/rbac: ecc7ac52a42c48513234accf4bd785afb5889e77f0672f57c00b875960e3497a - checksum/config: c9268d2e1b50fbad8b125b152e51e44e51e393aef15b37b31b8ef35e60c039ec - checksum/monitoring-config: 5b7dc0c42a24b297d6f659777324c4105b8ce5e022ee55e973a2f3697f4e7702 + checksum/rbac: 625d3dbff4558ad674205e1cd8555211cddb507d587760354c9c1871e366b859 + checksum/config: ffb213960dde6a3a8cc898d67058389735af67e191de063efd4d39b4e1130db4 + checksum/monitoring-config: 1e0e508ea8c794ca396cd418f9fc622311e161e94283828fa8b61896a86f60c9 labels: app.kubernetes.io/name: cloudnative-pg app.kubernetes.io/instance: cloudnative-pg 
@@ -36,14 +36,14 @@ spec: - /manager env: - name: OPERATOR_IMAGE_NAME - value: "ghcr.io/cloudnative-pg/cloudnative-pg:1.27.1" + value: "ghcr.io/cloudnative-pg/cloudnative-pg:1.28.0" - name: OPERATOR_NAMESPACE valueFrom: fieldRef: fieldPath: metadata.namespace - name: MONITORING_QUERIES_CONFIGMAP value: "cnpg-default-monitoring" - image: "ghcr.io/cloudnative-pg/cloudnative-pg:1.27.1" + image: "ghcr.io/cloudnative-pg/cloudnative-pg:1.28.0" imagePullPolicy: IfNotPresent livenessProbe: httpGet: diff --git a/clusters/cl01tl/manifests/cloudnative-pg/MutatingWebhookConfiguration-cnpg-mutating-webhook-configuration.yaml b/clusters/cl01tl/manifests/cloudnative-pg/MutatingWebhookConfiguration-cnpg-mutating-webhook-configuration.yaml index b28cd2bc5..35f8c9ce2 100644 --- a/clusters/cl01tl/manifests/cloudnative-pg/MutatingWebhookConfiguration-cnpg-mutating-webhook-configuration.yaml +++ b/clusters/cl01tl/manifests/cloudnative-pg/MutatingWebhookConfiguration-cnpg-mutating-webhook-configuration.yaml @@ -3,10 +3,10 @@ kind: MutatingWebhookConfiguration metadata: name: cnpg-mutating-webhook-configuration labels: - helm.sh/chart: cloudnative-pg-0.26.1 + helm.sh/chart: cloudnative-pg-0.27.0 app.kubernetes.io/name: cloudnative-pg app.kubernetes.io/instance: cloudnative-pg - app.kubernetes.io/version: "1.27.1" + app.kubernetes.io/version: "1.28.0" app.kubernetes.io/managed-by: Helm webhooks: - admissionReviewVersions: diff --git a/clusters/cl01tl/manifests/cloudnative-pg/PodMonitor-cloudnative-pg.yaml b/clusters/cl01tl/manifests/cloudnative-pg/PodMonitor-cloudnative-pg.yaml index 33ef5d3bc..71f4431f4 100644 --- a/clusters/cl01tl/manifests/cloudnative-pg/PodMonitor-cloudnative-pg.yaml +++ b/clusters/cl01tl/manifests/cloudnative-pg/PodMonitor-cloudnative-pg.yaml 
@@ -4,10 +4,10 @@ metadata: name: cloudnative-pg namespace: cloudnative-pg labels: - helm.sh/chart: cloudnative-pg-0.26.1 + helm.sh/chart: cloudnative-pg-0.27.0 app.kubernetes.io/name: cloudnative-pg app.kubernetes.io/instance: cloudnative-pg - app.kubernetes.io/version: "1.27.1" + app.kubernetes.io/version: "1.28.0" app.kubernetes.io/managed-by: Helm spec: selector: diff --git a/clusters/cl01tl/manifests/cloudnative-pg/Service-cnpg-webhook-service.yaml b/clusters/cl01tl/manifests/cloudnative-pg/Service-cnpg-webhook-service.yaml index b2cf1ebaa..48e5432ac 100644 --- a/clusters/cl01tl/manifests/cloudnative-pg/Service-cnpg-webhook-service.yaml +++ b/clusters/cl01tl/manifests/cloudnative-pg/Service-cnpg-webhook-service.yaml @@ -4,10 +4,10 @@ metadata: name: cnpg-webhook-service namespace: cloudnative-pg labels: - helm.sh/chart: cloudnative-pg-0.26.1 + helm.sh/chart: cloudnative-pg-0.27.0 app.kubernetes.io/name: cloudnative-pg app.kubernetes.io/instance: cloudnative-pg - app.kubernetes.io/version: "1.27.1" + app.kubernetes.io/version: "1.28.0" app.kubernetes.io/managed-by: Helm spec: type: ClusterIP diff --git a/clusters/cl01tl/manifests/cloudnative-pg/ServiceAccount-cloudnative-pg.yaml b/clusters/cl01tl/manifests/cloudnative-pg/ServiceAccount-cloudnative-pg.yaml index 4a34d54f4..1577c7d93 100644 --- a/clusters/cl01tl/manifests/cloudnative-pg/ServiceAccount-cloudnative-pg.yaml +++ b/clusters/cl01tl/manifests/cloudnative-pg/ServiceAccount-cloudnative-pg.yaml @@ -4,8 +4,8 @@ metadata: name: cloudnative-pg namespace: cloudnative-pg labels: - helm.sh/chart: cloudnative-pg-0.26.1 + helm.sh/chart: cloudnative-pg-0.27.0 app.kubernetes.io/name: cloudnative-pg app.kubernetes.io/instance: cloudnative-pg - app.kubernetes.io/version: "1.27.1" + app.kubernetes.io/version: "1.28.0" app.kubernetes.io/managed-by: Helm 
diff --git a/clusters/cl01tl/manifests/cloudnative-pg/ValidatingWebhookConfiguration-cnpg-validating-webhook-configuration.yaml b/clusters/cl01tl/manifests/cloudnative-pg/ValidatingWebhookConfiguration-cnpg-validating-webhook-configuration.yaml index b511767c2..2645fd317 100644 --- a/clusters/cl01tl/manifests/cloudnative-pg/ValidatingWebhookConfiguration-cnpg-validating-webhook-configuration.yaml +++ b/clusters/cl01tl/manifests/cloudnative-pg/ValidatingWebhookConfiguration-cnpg-validating-webhook-configuration.yaml @@ -3,10 +3,10 @@ kind: ValidatingWebhookConfiguration metadata: name: cnpg-validating-webhook-configuration labels: - helm.sh/chart: cloudnative-pg-0.26.1 + helm.sh/chart: cloudnative-pg-0.27.0 app.kubernetes.io/name: cloudnative-pg app.kubernetes.io/instance: cloudnative-pg - app.kubernetes.io/version: "1.27.1" + app.kubernetes.io/version: "1.28.0" app.kubernetes.io/managed-by: Helm webhooks: - admissionReviewVersions: