This PR contains the following updates:
| Package | Update | Change |
|---|---|---|
| [av1155/houndarr](https://github.com/av1155/houndarr) | patch | `v1.6.4` → `v1.6.5` |
---
### Release Notes
<details>
<summary>av1155/houndarr (av1155/houndarr)</summary>
### [`v1.6.5`](https://github.com/av1155/houndarr/releases/tag/v1.6.5)
[Compare Source](https://github.com/av1155/houndarr/compare/v1.6.4...v1.6.5)
##### Fixed
- Accessing Houndarr via links from dashboard apps (Homepage, Homarr, Organizr) no longer redirects to `/login`; session cookies now default to `SameSite=Lax` instead of `Strict` ([#​318](https://github.com/av1155/houndarr/issues/318)).
##### Added
- `HOUNDARR_COOKIE_SAMESITE` environment variable to configure the `SameSite` cookie policy; accepts `lax` (default) or `strict` ([#​318](https://github.com/av1155/houndarr/issues/318)).
</details>
---
### Configuration
📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
🚦 **Automerge**: Enabled.
♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about this update again.
---
- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box
---
This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xMDIuOCIsInVwZGF0ZWRJblZlciI6IjQzLjEwMi44IiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJhdXRvbWVyZ2UiLCJnaXRodWItcmVsZWFzZXMiXX0=-->
Reviewed-on: https://gitea.alexlebens.dev/alexlebens/infrastructure/pulls/5383
Co-authored-by: Renovate Bot <renovate-bot@alexlebens.net>
Co-committed-by: Renovate Bot <renovate-bot@alexlebens.net>
This PR contains the following updates:
| Package | Update | Change |
|---|---|---|
| g33kphr33k/musicgrabber | patch | `2.5.3` → `2.5.4` |
---
### Configuration
📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
🚦 **Automerge**: Enabled.
♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about these updates again.
---
- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box
---
This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xMDIuMCIsInVwZGF0ZWRJblZlciI6IjQzLjEwMi4wIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJhdXRvbWVyZ2UiLCJkb2NrZXIiLCJkb2NrZXIiXX0=-->
Reviewed-on: #5328
Co-authored-by: Renovate Bot <renovate-bot@alexlebens.net>
Co-committed-by: Renovate Bot <renovate-bot@alexlebens.net>
This PR contains the following updates:
| Package | Update | Change |
|---|---|---|
| [cloudnative-pg](https://cloudnative-pg.io) ([source](https://github.com/cloudnative-pg/charts)) | minor | `0.27.1` → `0.28.0` |
| [cloudnative-pg/cloudnative-pg](https://github.com/cloudnative-pg/cloudnative-pg) | minor | `1.28.1` → `1.29.0` |
---
### Release Notes
<details>
<summary>cloudnative-pg/charts (cloudnative-pg)</summary>
### [`v0.28.0`](https://github.com/cloudnative-pg/charts/releases/tag/cloudnative-pg-v0.28.0)
[Compare Source](https://github.com/cloudnative-pg/charts/compare/cloudnative-pg-v0.27.1...cloudnative-pg-v0.28.0)
CloudNativePG Operator Helm Chart
#### What's Changed
- fix(security): harden GitHub Actions workflows against expression injection by [@​mnencia](https://github.com/mnencia) in [#​823](https://github.com/cloudnative-pg/charts/pull/823)
- feat(monitoring): add support for custom PodMonitor by [@​Dashing-Nelson](https://github.com/Dashing-Nelson) in [#​724](https://github.com/cloudnative-pg/charts/pull/724)
- Release cloudnative-pg-v0.28.0 by [@​cnpg-bot](https://github.com/cnpg-bot) in [#​845](https://github.com/cloudnative-pg/charts/pull/845)
#### New Contributors
- [@​Dashing-Nelson](https://github.com/Dashing-Nelson) made their first contribution in [#​724](https://github.com/cloudnative-pg/charts/pull/724)
**Full Changelog**: <https://github.com/cloudnative-pg/charts/compare/cluster-v0.6.0...cloudnative-pg-v0.28.0>
</details>
<details>
<summary>cloudnative-pg/cloudnative-pg (cloudnative-pg/cloudnative-pg)</summary>
### [`v1.29.0`](https://github.com/cloudnative-pg/cloudnative-pg/releases/tag/v1.29.0)
[Compare Source](https://github.com/cloudnative-pg/cloudnative-pg/compare/v1.28.2...v1.29.0-rc1)
**Release date:** Mar 31, 2026
##### Important changes
- Updated the deprecation notice for native (in-tree) Barman Cloud support to reflect that it will now be removed in CloudNativePG 1.30.0, rather than 1.29.0. Users are still encouraged to migrate to the Barman Cloud Plugin. ([#​10167](https://github.com/cloudnative-pg/cloudnative-pg/pull/10167)) <!-- 1.28 1.27 -->
##### Features
- **PostgreSQL extensions in image catalogs**: extended the `ImageCatalog` functionality to support PostgreSQL extensions. This allows users to define and manage extension-specific images within a catalog, simplifying the deployment of customized PostgreSQL builds. ([#​9781](https://github.com/cloudnative-pg/cloudnative-pg/pull/9781))
- **Dynamic network access control via pod selectors**: introduced the declarative definition of `podSelectorRefs` to manage `pg_hba.conf` rules dynamically. By using label selectors to identify client pods, the operator automatically resolves their ephemeral IP addresses and updates the PostgreSQL host-based authentication rules accordingly. This ensures that only authorized workloads in the same namespace can connect to the database, eliminating the need for manual IP management or static CIDR ranges. ([#​10148](https://github.com/cloudnative-pg/cloudnative-pg/pull/10148))
- **Shared `ServiceAccount` support**: added an optional `serviceAccountName` field to both `Cluster` and `Pooler` specifications. This allows multiple resources to share a pre-existing ServiceAccount, facilitating one-time IAM configurations (such as AWS IRSA, GCP Workload Identity, or Azure Workload Identity) across all clusters and poolers. Contributed by [@​bozkayasalihx](https://github.com/bozkayasalihx). ([#​9287](https://github.com/cloudnative-pg/cloudnative-pg/pull/9287))
##### Enhancements
- Improved the `Pooler` CRD with support for granular configuration of TLS cipher suites and minimum/maximum TLS versions. This enables administrators to meet strict security compliance requirements for pooler-to-client and pooler-to-server connections. Contributed by [@​alex1989hu](https://github.com/alex1989hu). ([#​9571](https://github.com/cloudnative-pg/cloudnative-pg/pull/9571)) <!-- 1.28 1.27 1.25 -->
- Improved the reliability of major upgrades by setting `BackoffLimit=0` on the upgrade job, preventing unnecessary retries of a failed `pg_upgrade`. The operator now automatically deletes the failed job when a user reverts the container image, allowing the cluster to restart gracefully on the original version. ([#​10104](https://github.com/cloudnative-pg/cloudnative-pg/pull/10104), [#​10298](https://github.com/cloudnative-pg/cloudnative-pg/pull/10298)) <!-- 1.28 1.27 -->
- Improved the operator's observability by emitting native Kubernetes events during key phases of the reconciliation loop, providing visibility into the operator's decision-making process and the lifecycle of managed resources directly through `kubectl get events`. ([#​10040](https://github.com/cloudnative-pg/cloudnative-pg/pull/10040))
- Extended support for the `cnpg.io/reconciliationDisabled` annotation on Backup resources. This allows administrators to temporarily freeze the operator's reconciliation logic for specific backup objects. Contributed by [@​GabriFedi97](https://github.com/GabriFedi97). ([#​10020](https://github.com/cloudnative-pg/cloudnative-pg/pull/10020))
- Added a `bin_path` field to the `postgresql.extensions` stanza, as well as in `ImageCatalog` and `ClusterImageCatalog` resources. This allows extensions to specify directory paths for external binaries, which are automatically appended to the `PATH` environment variable of the Postgres process. ([#​10250](https://github.com/cloudnative-pg/cloudnative-pg/pull/10250))
- Added an `env` field to the `postgresql.extensions` stanza, as well as in `ImageCatalog` and `ClusterImageCatalog` resources. This allows cluster administrators to define custom environment variables for the Postgres process. This field supports the `${image_root}` placeholder to dynamically resolve to the extension's absolute mount path. ([#​10375](https://github.com/cloudnative-pg/cloudnative-pg/pull/10375))
- Implemented a finalizer for plugins to ensure that resources managed by a plugin are gracefully cleaned up when the corresponding service is deleted. ([#​9560](https://github.com/cloudnative-pg/cloudnative-pg/pull/9560))
- Improved role management by verifying the instance is the primary before each reconciliation cycle, avoiding unnecessary reconciliation attempts and spurious error messages on read-only replicas. ([#​9971](https://github.com/cloudnative-pg/cloudnative-pg/pull/9971)) <!-- 1.28 1.27 1.25 -->
- The operator now honors the `primaryUpdateMethod` when adding new PVCs to a cluster, ensuring that the rollout strategy (e.g., switchover vs. restart) is respected during storage expansion or additions. ([#​9720](https://github.com/cloudnative-pg/cloudnative-pg/pull/9720)) <!-- 1.28 1.27 -->
- Refined the `alpha.cnpg.io/unrecoverable` annotation logic to allow it to function even on pods that have not yet reached the `Ready` state, facilitating the recovery of stuck instances. ([#​9968](https://github.com/cloudnative-pg/cloudnative-pg/pull/9968)) <!-- 1.28 -->
- Introduced a "Terminal Error" phase for backups that encounter unrecoverable issues (such as invalid credentials or non-existent cloud buckets). This ensures the operator stops retrying doomed operations, preventing resource exhaustion and providing immediate, clear feedback in the status. ([#​9353](https://github.com/cloudnative-pg/cloudnative-pg/pull/9353))
- Improved monitoring of long-running backups by introducing `reconciliationStartedAt` and `reconciliationTerminatedAt` fields to the `Backup` status. This change separates the operator's internal lifecycle from the actual backup tool's execution timing (`startedAt`/`stoppedAt`), allowing users to track when the operator begins processing a request. ([#​9351](https://github.com/cloudnative-pg/cloudnative-pg/pull/9351))
- Added a `Pending` phase to the `Backup` status to explicitly indicate when a backup is queued and waiting for an available worker or instance availability. ([#​9364](https://github.com/cloudnative-pg/cloudnative-pg/pull/9364))
##### Security and Supply Chain
- **Security best practices integration**: integrated the OpenSSF baseline scanner and added a `SECURITY-INSIGHTS.yaml` file to the repository to align with industry-standard security reporting. ([#​10054](https://github.com/cloudnative-pg/cloudnative-pg/pull/10054), <!-- 1.28 1.27 1.25 --> [#​10062](https://github.com/cloudnative-pg/cloudnative-pg/pull/10062)) <!-- 1.28 1.27 1.25 -->
- **SLSA provenance and SBOMs**: added SLSA (Supply-chain Levels for Software Artifacts) provenance to release binaries and container images. Additionally, enabled Software Bill of Materials (SBOM) generation within the GoReleaser pipeline for improved dependency transparency. ([#​10048](https://github.com/cloudnative-pg/cloudnative-pg/pull/10048), <!-- 1.28 1.27 1.25 --> [#​10074](https://github.com/cloudnative-pg/cloudnative-pg/pull/10074)) <!-- 1.28 1.27 1.25 -->
- **Password leak prevention**: fixed a potential security risk where PostgreSQL could leak role passwords in the logs during specific reconciliation phases. ([#​9950](https://github.com/cloudnative-pg/cloudnative-pg/pull/9950)) <!-- 1.28 1.27 1.25 -->
##### Changes
- Updated the default PostgreSQL version to 18.3 (image `18.3-system-trixie`). ([#​10090](https://github.com/cloudnative-pg/cloudnative-pg/pull/10090)) <!-- 1.28 1.27 1.25 -->
##### Fixes
- Fixed a deadlock during operator upgrades affecting clusters using synchronous replication, where pods running the old and new operator versions computed different PostgreSQL configuration hashes, causing the uniformity check to block indefinitely and preventing both rolling updates and in-place upgrades from proceeding. ([#​10342](https://github.com/cloudnative-pg/cloudnative-pg/pull/10342)) <!-- 1.28 -->
- Fixed an issue where fencing annotations could not be processed when the WAL disk was full, because the disk space check blocked the instance manager from starting. The check is now performed later in the lifecycle loop, after fencing is evaluated. ([#​10302](https://github.com/cloudnative-pg/cloudnative-pg/pull/10302)) <!-- 1.28 1.27 -->
- Fixed an issue where replicas would get stuck in a `Pending` state if the `VolumeSnapshot` used for the initial bootstrap had been deleted. The operator now validates snapshot existence before use; if a snapshot is missing, it attempts to use the next available candidate or falls back to `pg_basebackup`. ([#​10192](https://github.com/cloudnative-pg/cloudnative-pg/pull/10192)) <!-- 1.28 1.27 1.25 -->
- Prevented the "supervised primary" rollout strategy from consuming all available rollout slots, which previously caused delays in scheduled updates. Contributed by [@​ermakov-oleg](https://github.com/ermakov-oleg). ([#​9977](https://github.com/cloudnative-pg/cloudnative-pg/pull/9977)) <!-- 1.28 1.27 1.25 -->
- Fixed an issue where certain hot-standby parameter changes were not being correctly applied to replica clusters. ([#​9952](https://github.com/cloudnative-pg/cloudnative-pg/pull/9952)) <!-- 1.28 1.27 1.25 -->
- Fixed a bug in the CNPG-I reconciler hook that could lead to skipping subsequent plugins when a "continue" result was returned. Contributed by [@​sharifmshaker](https://github.com/sharifmshaker). ([#​9978](https://github.com/cloudnative-pg/cloudnative-pg/pull/9978)) <!-- 1.28 1.27 -->
- Fixed a deadlock scenario that occurred when attempting to resize a filesystem on a PVC that was not currently attached to a Pod. Contributed by [@​jmealo](https://github.com/jmealo). ([#​9981](https://github.com/cloudnative-pg/cloudnative-pg/pull/9981)) <!-- 1.28 1.27 -->
- Fixed webhook validation of bootstrap recovery sources to accept external clusters configured with `ConnectionParameters` (for `pg_basebackup`-based recovery). Previously, these were incorrectly rejected unless a Barman object store or CNPG-i plugin was also configured. ([#​10268](https://github.com/cloudnative-pg/cloudnative-pg/pull/10268)) <!-- 1.28 1.27 1.25 -->
- Volume names for extensions and tablespaces are now prefixed to avoid naming collisions with standard cluster volumes. ([#​9973](https://github.com/cloudnative-pg/cloudnative-pg/pull/9973)) <!-- 1.28 1.27 -->
- When hibernating a non-healthy cluster, the operator now reports a `WaitingForHealthy` condition, making the deferred hibernation state visible through `cnpg status`. ([#​10193](https://github.com/cloudnative-pg/cloudnative-pg/pull/10193)) <!-- 1.28 1.27 1.25 -->
- Fixed fencing to work correctly even when the target pod does not exist. Fencing operates on a cluster-level annotation and should not depend on pod existence; instance name validation is now performed only in the `cnpg fencing on` command. ([#​10035](https://github.com/cloudnative-pg/cloudnative-pg/pull/10035)) <!-- 1.28 1.27 1.25 -->
- Fixed the cluster and pooler service reconcilers to correctly handle changes to all spec fields when using the patch update strategy. The reconciler now uses RFC 7386 JSON Merge Patching, preventing cloud-provider-set fields (such as `loadBalancerClass`) from being inadvertently removed. ([#​10190](https://github.com/cloudnative-pg/cloudnative-pg/pull/10190), [#​10311](https://github.com/cloudnative-pg/cloudnative-pg/pull/10311)) <!-- 1.28 1.27 1.25 -->
- Fixed a race condition in the deprecated in-tree Barman Cloud backup implementation affecting parallel WAL restore, where prefetched files could be read while still being downloaded, causing PostgreSQL recovery to fail with "invalid checkpoint record" errors. ([#​10285](https://github.com/cloudnative-pg/cloudnative-pg/pull/10285)) <!-- 1.28 1.27 1.25 -->
- Fixed the timeline history file validation to also apply to plugin-based WAL restore. Previously, the protection introduced in [#​9650](https://github.com/cloudnative-pg/cloudnative-pg/pull/9650) only covered in-tree restores, allowing plugins to bypass the check and download future timeline history files, causing timeline mismatch errors on replicas. ([#​9849](https://github.com/cloudnative-pg/cloudnative-pg/pull/9849)) <!-- 1.28 1.27 1.25 -->
- `cnpg` plugin:
- The cnpg plugin now correctly propagates ImagePullSecrets to the `pgbench` Job pod template. ([#​10174](https://github.com/cloudnative-pg/cloudnative-pg/pull/10174)) <!-- 1.28 1.27 1.25 -->
##### Supported versions
- Kubernetes 1.35, 1.34, and 1.33
- PostgreSQL 18, 17, 16, 15, and 14
- PostgreSQL 18.3 is the default image
- [PostgreSQL 14 support ends on November 12, 2026](https://www.postgresql.org/support/versioning/)
### [`v1.28.2`](https://github.com/cloudnative-pg/cloudnative-pg/releases/tag/v1.28.2)
[Compare Source](https://github.com/cloudnative-pg/cloudnative-pg/compare/v1.28.1...v1.28.2)
**Release date:** Mar 31, 2026
##### Important changes
- Updated the deprecation notice for native (in-tree) Barman Cloud support to reflect that it will now be removed in CloudNativePG 1.30.0, rather than 1.29.0. Users are still encouraged to migrate to the Barman Cloud Plugin. ([#​10167](https://github.com/cloudnative-pg/cloudnative-pg/pull/10167)) <!-- 1.28 1.27 -->
##### Enhancements
- Improved the `Pooler` CRD with support for granular configuration of TLS cipher suites and minimum/maximum TLS versions. This enables administrators to meet strict security compliance requirements for pooler-to-client and pooler-to-server connections. Contributed by [@​alex1989hu](https://github.com/alex1989hu). ([#​9571](https://github.com/cloudnative-pg/cloudnative-pg/pull/9571)) <!-- 1.28 1.27 1.25 -->
- Improved the reliability of major upgrades by setting `BackoffLimit=0` on the upgrade job, preventing unnecessary retries of a failed `pg_upgrade`. The operator now automatically deletes the failed job when a user reverts the container image, allowing the cluster to restart gracefully on the original version. ([#​10104](https://github.com/cloudnative-pg/cloudnative-pg/pull/10104), [#​10298](https://github.com/cloudnative-pg/cloudnative-pg/pull/10298)) <!-- 1.28 1.27 -->
- Improved role management by verifying the instance is the primary before each reconciliation cycle, avoiding unnecessary reconciliation attempts and spurious error messages on read-only replicas. ([#​9971](https://github.com/cloudnative-pg/cloudnative-pg/pull/9971)) <!-- 1.28 1.27 1.25 -->
- Extended the CRD schemas for `Cluster`, `ImageCatalog`, and `ClusterImageCatalog` to accept the `extensions`, `bin_path`, and `env` fields introduced in 1.29. The operator ignores these fields on older versions, but accepting them in the schema allows users to share a single manifest across clusters running different CNPG versions. ([#​10131](https://github.com/cloudnative-pg/cloudnative-pg/pull/10131), [#​10387](https://github.com/cloudnative-pg/cloudnative-pg/pull/10387)) <!-- 1.28 1.27 -->
- The operator now honors the `primaryUpdateMethod` when adding new PVCs to a cluster, ensuring that the rollout strategy (e.g., switchover vs. restart) is respected during storage expansion or additions. ([#​9720](https://github.com/cloudnative-pg/cloudnative-pg/pull/9720)) <!-- 1.28 1.27 -->
- Refined the `alpha.cnpg.io/unrecoverable` annotation logic to allow it to function even on pods that have not yet reached the `Ready` state, facilitating the recovery of stuck instances. ([#​9968](https://github.com/cloudnative-pg/cloudnative-pg/pull/9968)) <!-- 1.28 -->
##### Security and Supply Chain
- **Security best practices integration**: integrated the OpenSSF baseline scanner and added a `SECURITY-INSIGHTS.yaml` file to the repository to align with industry-standard security reporting. ([#​10054](https://github.com/cloudnative-pg/cloudnative-pg/pull/10054), <!-- 1.28 1.27 1.25 --> [#​10062](https://github.com/cloudnative-pg/cloudnative-pg/pull/10062)) <!-- 1.28 1.27 1.25 -->
- **SLSA provenance and SBOMs**: added SLSA (Supply-chain Levels for Software Artifacts) provenance to release binaries and container images. Additionally, enabled Software Bill of Materials (SBOM) generation within the GoReleaser pipeline for improved dependency transparency. ([#​10048](https://github.com/cloudnative-pg/cloudnative-pg/pull/10048), <!-- 1.28 1.27 1.25 --> [#​10074](https://github.com/cloudnative-pg/cloudnative-pg/pull/10074)) <!-- 1.28 1.27 1.25 -->
- **Password leak prevention**: fixed a potential security risk where PostgreSQL could leak role passwords in the logs during specific reconciliation phases. ([#​9950](https://github.com/cloudnative-pg/cloudnative-pg/pull/9950)) <!-- 1.28 1.27 1.25 -->
##### Changes
- Updated the default PostgreSQL version to 18.3 (image `18.3-system-trixie`). ([#​10090](https://github.com/cloudnative-pg/cloudnative-pg/pull/10090)) <!-- 1.28 1.27 1.25 -->
##### Fixes
- Fixed a deadlock during operator upgrades affecting clusters using synchronous replication, where pods running the old and new operator versions computed different PostgreSQL configuration hashes, causing the uniformity check to block indefinitely and preventing both rolling updates and in-place upgrades from proceeding. ([#​10342](https://github.com/cloudnative-pg/cloudnative-pg/pull/10342)) <!-- 1.28 -->
- Fixed an issue where fencing annotations could not be processed when the WAL disk was full, because the disk space check blocked the instance manager from starting. The check is now performed later in the lifecycle loop, after fencing is evaluated. ([#​10302](https://github.com/cloudnative-pg/cloudnative-pg/pull/10302)) <!-- 1.28 1.27 -->
- Fixed an issue where replicas would get stuck in a `Pending` state if the `VolumeSnapshot` used for the initial bootstrap had been deleted. The operator now validates snapshot existence before use; if a snapshot is missing, it attempts to use the next available candidate or falls back to `pg_basebackup`. ([#​10192](https://github.com/cloudnative-pg/cloudnative-pg/pull/10192)) <!-- 1.28 1.27 1.25 -->
- Prevented the "supervised primary" rollout strategy from consuming all available rollout slots, which previously caused delays in scheduled updates. Contributed by [@​ermakov-oleg](https://github.com/ermakov-oleg). ([#​9977](https://github.com/cloudnative-pg/cloudnative-pg/pull/9977)) <!-- 1.28 1.27 1.25 -->
- Fixed an issue where certain hot-standby parameter changes were not being correctly applied to replica clusters. ([#​9952](https://github.com/cloudnative-pg/cloudnative-pg/pull/9952)) <!-- 1.28 1.27 1.25 -->
- Fixed a bug in the CNPG-I reconciler hook that could lead to skipping subsequent plugins when a "continue" result was returned. Contributed by [@​sharifmshaker](https://github.com/sharifmshaker). ([#​9978](https://github.com/cloudnative-pg/cloudnative-pg/pull/9978)) <!-- 1.28 1.27 -->
- Fixed a deadlock scenario that occurred when attempting to resize a filesystem on a PVC that was not currently attached to a Pod. Contributed by [@​jmealo](https://github.com/jmealo). ([#​9981](https://github.com/cloudnative-pg/cloudnative-pg/pull/9981)) <!-- 1.28 1.27 -->
- Fixed webhook validation of bootstrap recovery sources to accept external clusters configured with `ConnectionParameters` (for `pg_basebackup`-based recovery). Previously, these were incorrectly rejected unless a Barman object store or CNPG-i plugin was also configured. ([#​10268](https://github.com/cloudnative-pg/cloudnative-pg/pull/10268)) <!-- 1.28 1.27 1.25 -->
- Volume names for extensions and tablespaces are now prefixed to avoid naming collisions with standard cluster volumes. ([#​9973](https://github.com/cloudnative-pg/cloudnative-pg/pull/9973)) <!-- 1.28 1.27 -->
- When hibernating a non-healthy cluster, the operator now reports a `WaitingForHealthy` condition, making the deferred hibernation state visible through `cnpg status`. ([#​10193](https://github.com/cloudnative-pg/cloudnative-pg/pull/10193)) <!-- 1.28 1.27 1.25 -->
- Fixed fencing to work correctly even when the target pod does not exist. Fencing operates on a cluster-level annotation and should not depend on pod existence; instance name validation is now performed only in the `cnpg fencing on` command. ([#​10035](https://github.com/cloudnative-pg/cloudnative-pg/pull/10035)) <!-- 1.28 1.27 1.25 -->
- Fixed the cluster and pooler service reconcilers to correctly handle changes to all spec fields when using the patch update strategy. The reconciler now uses RFC 7386 JSON Merge Patching, preventing cloud-provider-set fields (such as `loadBalancerClass`) from being inadvertently removed. ([#​10190](https://github.com/cloudnative-pg/cloudnative-pg/pull/10190), [#​10311](https://github.com/cloudnative-pg/cloudnative-pg/pull/10311)) <!-- 1.28 1.27 1.25 -->
- Fixed a race condition in the deprecated in-tree Barman Cloud backup implementation affecting parallel WAL restore, where prefetched files could be read while still being downloaded, causing PostgreSQL recovery to fail with "invalid checkpoint record" errors. ([#​10285](https://github.com/cloudnative-pg/cloudnative-pg/pull/10285)) <!-- 1.28 1.27 1.25 -->
- Fixed the timeline history file validation to also apply to plugin-based WAL restore. Previously, the protection introduced in [#​9650](https://github.com/cloudnative-pg/cloudnative-pg/pull/9650) only covered in-tree restores, allowing plugins to bypass the check and download future timeline history files, causing timeline mismatch errors on replicas. ([#​9849](https://github.com/cloudnative-pg/cloudnative-pg/pull/9849)) <!-- 1.28 1.27 1.25 -->
- `cnpg` plugin:
- The cnpg plugin now correctly propagates ImagePullSecrets to the `pgbench` Job pod template. ([#​10174](https://github.com/cloudnative-pg/cloudnative-pg/pull/10174)) <!-- 1.28 1.27 1.25 -->
</details>
---
### Configuration
📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.
♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://github.com/renovatebot/renovate/discussions) if that's undesired.
---
- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box
---
This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xMDIuNCIsInVwZGF0ZWRJblZlciI6IjQzLjEwMi42IiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJoZWxtIl19-->
Reviewed-on: #5367
Co-authored-by: Renovate Bot <renovate-bot@alexlebens.net>
Co-committed-by: Renovate Bot <renovate-bot@alexlebens.net>
This PR contains the following updates:
| Package | Update | Change |
|---|---|---|
| xenrox/ntfy-alertmanager | major | `0.5.0` → `1.0.0` |
---
### Configuration
📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.
♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about this update again.
---
- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box
---
This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xMDEuMiIsInVwZGF0ZWRJblZlciI6IjQzLjEwMS4yIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJkb2NrZXIiXX0=-->
Reviewed-on: #5312
Co-authored-by: Renovate Bot <renovate-bot@alexlebens.net>
Co-committed-by: Renovate Bot <renovate-bot@alexlebens.net>
This PR contains the following updates:
| Package | Update | Change |
|---|---|---|
| [ghcr.io/haveagitgat/tdarr](https://github.com/HaveAGitGat/tdarr_express_be) | minor | `2.66.01` → `2.67.01` |
| [ghcr.io/haveagitgat/tdarr_node](https://github.com/HaveAGitGat/tdarr_express_be) | minor | `2.66.01` → `2.67.01` |
---
### Configuration
📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.
♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about these updates again.
---
- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box
---
This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My45OS4wIiwidXBkYXRlZEluVmVyIjoiNDMuOTkuMCIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOlsiZG9ja2VyIl19-->
Reviewed-on: #5271
Co-authored-by: Renovate Bot <renovate-bot@alexlebens.net>
Co-committed-by: Renovate Bot <renovate-bot@alexlebens.net>
This PR contains the following updates:
| Package | Update | Change |
|---|---|---|
| [binwiederhier/ntfy](https://github.com/binwiederhier/ntfy) | minor | `2.20.1` → `2.21.0` |
| [binwiederhier/ntfy](https://ntfy.sh/) ([source](https://github.com/binwiederhier/ntfy)) | minor | `v2.20.1` → `v2.21.0` |
---
### Release Notes
<details>
<summary>binwiederhier/ntfy (binwiederhier/ntfy)</summary>
### [`v2.21.0`](https://github.com/binwiederhier/ntfy/releases/tag/v2.21.0)
[Compare Source](https://github.com/binwiederhier/ntfy/compare/v2.20.1...v2.21.0)
This release adds the ability to verify email addresses using the `smtp-sender-verify` flag. This is a change that is required because ntfy.sh was used to send unsolicited emails and the AWS SES account was suspended. Going forward, ntfy.sh won't be able to send emails unless the email address was verified ahead of time.
**Features:**
- Add verified email recipients feature with `smtp-sender-verify` config flag, allowing server admins to require email
address verification before sending email notifications ([#​1681](https://github.com/binwiederhier/ntfy/pull/1681))
</details>
---
### Configuration
📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.
♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about these updates again.
---
- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box
---
This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xMDEuMSIsInVwZGF0ZWRJblZlciI6IjQzLjEwMS4xIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJkb2NrZXIiXX0=-->
Reviewed-on: #5300
Co-authored-by: Renovate Bot <renovate-bot@alexlebens.net>
Co-committed-by: Renovate Bot <renovate-bot@alexlebens.net>
This PR contains the following updates:
| Package | Update | Change |
|---|---|---|
| [favonia/cloudflare-ddns](https://github.com/favonia/cloudflare-ddns) | minor | `1.15.1` → `1.16.0` |
---
### Release Notes
<details>
<summary>favonia/cloudflare-ddns (favonia/cloudflare-ddns)</summary>
### [`v1.16.0`](https://github.com/favonia/cloudflare-ddns/blob/HEAD/CHANGELOG.markdown#1160-2026-03-30)
[Compare Source](https://github.com/favonia/cloudflare-ddns/compare/v1.15.1...v1.16.0)
Despite the gap of over a year since the last release, we are not aware of any security vulnerability affecting the default configuration. As always, please review the changelog and watch for warnings or errors when upgrading.
#### Highlights
1. **WAF lists now support /128 IPv6 entries.** Cloudflare’s API now accepts individual IPv6 addresses in WAF lists. New `IP4_DEFAULT_PREFIX_LEN` (default `/32`) and `IP6_DEFAULT_PREFIX_LEN` (default `/64`) control how bare addresses are stored in WAF lists. Users can now set `IP6_DEFAULT_PREFIX_LEN` to `128` for per-address granularity. DNS records currently ignore prefix lengths, but will use these in the future.
2. **Multi-instance support via comment-based selection.** New `MANAGED_RECORDS_COMMENT_REGEX` and `MANAGED_WAF_LIST_ITEMS_COMMENT_REGEX` let multiple updater instances safely share the same domain or WAF list, each managing only records or items with matching comments. New `WAF_LIST_ITEM_COMMENT` provides a fallback comment for WAF list items, similar to how `RECORD_COMMENT` serves as a fallback for DNS records.
3. **Multi-IP detection and reconciliation.** Providers now return multiple IP addresses, each with a CIDR prefix length, and the reconciliation algorithm has been redesigned to handle them correctly. The experimental `local.iface` provider now collects all matching global unicast addresses from the specified interface, instead of just the first one. Multi-address support in `url:` and `file:` providers is also experimental.
4. **New `file:` provider.** Reads IP addresses from a local file, re-reading each detection cycle. This enables integration with external scripts or monitoring systems without restarting the updater. (Multi-address support is experimental.)
5. **New variants of `url:` (`url.via4:` and `url.via6:`) for transport overrides.** By default, `url:<url>` connects using the same IP family as the address being detected. Override the IP family used to connect with `url.via4:<url>` or `url.via6:<url>` (e.g., get an IPv6 address over an IPv4 connection). (Multi-address support in URL-based providers is experimental.)
6. **Rewritten user-facing messages.** Many log messages have been reworded into clearer, more natural English.
#### Your Feedback Wanted
The IP prefix length work in this release lays the groundwork for several upcoming features. We’d love your input on the proposed configuration syntax:
- **Per-domain IPv6 host IDs** ([#​764](https://github.com/favonia/cloudflare-ddns/issues/764)):
- `IP6_DOMAINS=sub.example.com{hostid6=::2}`
- `IP6_DOMAINS=sub.example.com{hostid6=preserve}` (keep the detected host IDs)
- `IP6_DOMAINS=sub.example.com{hostid6=mac(77:cc:a7:f9:45:94)}` (compute an [EUI-64](https://en.wikipedia.org/wiki/IPv6_address#Modified_EUI-64) host ID from a MAC address)
- `DOMAINS=sub1.example.com{hostid6=::aad1},sub2.example.com{hostid6=preserve}`
- **Detection IP filtering** ([#​1138](https://github.com/favonia/cloudflare-ddns/issues/1138)):
- `IP6_DETECTION_FILTER=keep-all`
- `IP6_DETECTION_FILTER=!addr-in(fc00::/7)`
- `IP6_DETECTION_FILTER=subnet-in(2001:db8:abcd::/48)`
- `IP4_DETECTION_FILTER=!addr-in(10.0.0.0/8) && !addr-in(192.168.0.0/16)`
- `IP6_DETECTION_FILTER=contains(2002:dead:beef::/100) || contains(2005:dead:beef::/100)`
| input | `addr-in(1.1.0.0/16)` | `subnet-in(1.1.0.0/16)` | `contains(1.1.0.0/16)` |
| ------------ | ---------------------------------- | ----------------------- | ---------------------- |
| `1.1.1.1/8` | ✔️ | ❌️ | ✔️ |
| `1.1.1.1/16` | ✔️ | ✔️ | ✔️ |
| `1.1.1.1/24` | ✔️ | ✔️ | ❌️ |
| `1.2.2.2/8` | ❌️ (`1.2.2.2` not in `1.1.0.0/16`) | ❌️ | ✔️ |
Also planned: a linter for boolean expressions targeting advanced usage of `PROXIED` and the upcoming `IP4/6_DETECTION_FILTER`, and further robustness improvements to the default `cloudflare.trace` provider.
#### Reminder from the Past
As a reminder, since 1.13.0, **the updater no longer drops privileges internally, and `PUID` and `PGID` are ignored.** Please use Docker’s built-in mechanism to drop privileges. The old Docker Compose template may grant unneeded privileges to the new updater, which is not recommended. Please review the new, simpler, and more secure template in [README](./README.markdown). In a nutshell, **remove the `cap_add` attribute and replace the environment variables `PUID` and `PGID` with the [`user: "UID:GID"` attribute](https://docs.docker.com/reference/compose-file/services/#user)**. Similar options may exist for systems not using Docker Compose.
#### Other Notes
**Shoutrrr support is no longer experimental.** The shoutrrr notification integration, introduced in 1.12.0, is now considered stable.
#### Detailed Changes
##### Features
- The detection model has been redesigned so that providers return multiple IP addresses, each with a CIDR prefix length. New `IP4_DEFAULT_PREFIX_LEN` and `IP6_DEFAULT_PREFIX_LEN` settings control how bare addresses are stored in WAF lists. ([#​1144](https://github.com/favonia/cloudflare-ddns/issues/1144)) ([#​1156](https://github.com/favonia/cloudflare-ddns/issues/1156))
- The reconciliation algorithm has been redesigned to handle complex metadata mismatches when multiple IP addresses result in multiple records. ([#​1015](https://github.com/favonia/cloudflare-ddns/issues/1015)) ([#​1020](https://github.com/favonia/cloudflare-ddns/issues/1020)) ([#​1022](https://github.com/favonia/cloudflare-ddns/issues/1022)) ([#​1115](https://github.com/favonia/cloudflare-ddns/issues/1115))
- New `file:` provider reads IP addresses from a local file. ([#​1148](https://github.com/favonia/cloudflare-ddns/issues/1148))
- New `static:<ip1>,<ip2>,...` and `static.empty` providers have been added. `static.empty` actively clears managed content for a given IP family. ([#​1102](https://github.com/favonia/cloudflare-ddns/issues/1102)) ([#​1135](https://github.com/favonia/cloudflare-ddns/issues/1135))
- The `url:`, `file:`, and `static:` providers now accept addresses in CIDR notation (e.g., `198.51.100.1/24`). ([#​1159](https://github.com/favonia/cloudflare-ddns/issues/1159)) ([#​1169](https://github.com/favonia/cloudflare-ddns/issues/1169))
- The experimental `local.iface` provider now collects all matching global unicast addresses. ([#​1095](https://github.com/favonia/cloudflare-ddns/issues/1095))
- New `MANAGED_RECORDS_COMMENT_REGEX` selects only DNS records whose comments match a regex. ([#​1103](https://github.com/favonia/cloudflare-ddns/issues/1103))
- New `MANAGED_WAF_LIST_ITEMS_COMMENT_REGEX` and `WAF_LIST_ITEM_COMMENT` provide the same comment-based selection for WAF list items. ([#​1106](https://github.com/favonia/cloudflare-ddns/issues/1106))
- New `url.via4:<url>` and `url.via6:<url>` providers override the IP family used to connect to a custom URL. ([#​1131](https://github.com/favonia/cloudflare-ddns/issues/1131))
- The updater now warns about likely misconfigured `SHOUTRRR` values. ([#​1111](https://github.com/favonia/cloudflare-ddns/issues/1111))
##### Bug Fixes
- The configuration parser now warns about extra commas in lists (e.g., `a,,b`) except for trailing commas, which were silently ignored. ([#​1177](https://github.com/favonia/cloudflare-ddns/issues/1177))
- The updater now exits gracefully when `EMOJI` or `QUIET` is invalid. ([#​1174](https://github.com/favonia/cloudflare-ddns/issues/1174))
- The updater invalidates relevant zone search cache entries when a zone cannot be found for faster recovery. ([#​1125](https://github.com/favonia/cloudflare-ddns/issues/1125))
- API token verification is now stricter, catching malformed tokens before any update attempts. ([#​1126](https://github.com/favonia/cloudflare-ddns/issues/1126))
- Providers (especially `cloudflare.trace` and `cloudflare.doh`) now validate detected IP addresses more strictly. ([#​1097](https://github.com/favonia/cloudflare-ddns/issues/1097)) ([#​1099](https://github.com/favonia/cloudflare-ddns/issues/1099)) ([#​1101](https://github.com/favonia/cloudflare-ddns/issues/1101)) ([#​1151](https://github.com/favonia/cloudflare-ddns/issues/1151))
- WAF list entries in the configuration are now deduplicated. ([#​1091](https://github.com/favonia/cloudflare-ddns/issues/1091))
- The updater now warns when a configured domain does not look like a fully qualified domain name. ([#​1019](https://github.com/favonia/cloudflare-ddns/issues/1019))
- The updater now warns when DNS records and WAF list items for the same domain have mixed ownership (some managed, some not). ([#​1173](https://github.com/favonia/cloudflare-ddns/issues/1173))
</details>
---
### Configuration
📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.
♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about this update again.
---
- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box
---
This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xMDEuMiIsInVwZGF0ZWRJblZlciI6IjQzLjEwMS4yIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJkb2NrZXIiXX0=-->
Reviewed-on: https://gitea.alexlebens.dev/alexlebens/infrastructure/pulls/5301
Co-authored-by: Renovate Bot <renovate-bot@alexlebens.net>
Co-committed-by: Renovate Bot <renovate-bot@alexlebens.net>
This PR contains the following updates:
| Package | Update | Change |
|---|---|---|
| [frederikemmer/MediaLyze](https://github.com/frederikemmer/MediaLyze) | minor | `0.3.0` → `0.4.0` |
| [ghcr.io/frederikemmer/medialyze](https://github.com/frederikemmer/MediaLyze) | minor | `0.3.0` → `0.4.0` |
---
### Release Notes
<details>
<summary>frederikemmer/MediaLyze (frederikemmer/MediaLyze)</summary>
### [`v0.4.0`](https://github.com/frederikemmer/MediaLyze/blob/HEAD/CHANGELOG.md#v040)
[Compare Source](https://github.com/frederikemmer/MediaLyze/compare/v0.3.0...v0.4.0)
> 2026-03-30
First "rough" implementation for detecting duplicate files. May break desktop install use v0.3.0 if it's not working properly.
##### ✨ New
- add per-library duplicate detection with `off` (default), `filename`, `filehash`, `both` modes ([#​16](https://github.com/frederikemmer/MediaLyze/issues/16))
- view and search through duplicates on library page
- scan performance tuning in `App settings` with separate controls for per-scan analysis workers and parallel library scans
##### 🐛 Bug fixes
- rework scan execution so discovery streams files directly into analysis and duplicate workers, live progress reflects worker completion, and configured worker counts now affect real throughput
- stop auto-resuming or auto-queuing stale startup jobs, clear pending watchdog debounce requests on cancel, and improve failed scan diagnostics with copyable detailed error payloads
- tighten the duplicate and library-settings UI by capping visible duplicate variants with internal scrolling, aligning scan controls consistently, and making the `dev` desktop artifact build manual-only
</details>
---
### Configuration
📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.
♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about these updates again.
---
- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box
---
This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xMDAuMiIsInVwZGF0ZWRJblZlciI6IjQzLjEwMC4yIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJkb2NrZXIiXX0=-->
Reviewed-on: https://gitea.alexlebens.dev/alexlebens/infrastructure/pulls/5294
Co-authored-by: Renovate Bot <renovate-bot@alexlebens.net>
Co-committed-by: Renovate Bot <renovate-bot@alexlebens.net>
2026-03-30 19:11:36 +00:00
89 changed files with 655 additions and 233 deletions
Blocking a user prevents them from interacting with repositories, such as opening or commenting on pull requests or issues. Learn more about blocking a user.
