chore(deps): update dependency cloudnative-pg/cloudnative-pg to v1.29.1 #6695

Merged
renovate-bot merged 1 commit from renovate/unified-cloudnative-pg into main 2026-05-08 20:30:04 +00:00
Collaborator

This PR contains the following updates:

Package                        Update  Change
cloudnative-pg/cloudnative-pg  patch   1.29.0 → 1.29.1

Release Notes

cloudnative-pg/cloudnative-pg (cloudnative-pg/cloudnative-pg)

v1.29.1

Compare Source

Release date: May 8, 2026

Security and Supply Chain
  • CVE-2026-44477 / GHSA-423p-g724-fr39: metrics exporter privilege escalation: the metrics exporter no longer authenticates as the postgres superuser. It now uses a dedicated cnpg_metrics_exporter role with pg_monitor privileges only, closing a chain that let a low-privilege database user gain PostgreSQL superuser. (GHSA-423p-g724-fr39)

    Upgrade impact: custom monitoring queries that read user-owned tables, or use target_databases: '*' against databases where PUBLIC CONNECT has been revoked, need explicit GRANT statements to cnpg_metrics_exporter. See "Custom query privileges and safety" and "Manually creating the metrics exporter role" in the monitoring documentation.

    For replica clusters, upgrade the source primary cluster before any replica clusters that consume from it. The cnpg_metrics_exporter role is created on the source primary and replicates downstream; a replica cluster upgraded first will scrape against a missing role until the source primary upgrades. The manual-recovery section linked above also covers replica clusters.

  • Schema-qualified catalog references in default monitoring queries: hardened the shipped monitoring configuration and documentation samples by qualifying every pg_catalog object explicitly. Unqualified references resolve through search_path, which a database user can manipulate to shadow built-in objects. (#10576)

  • Discoverable SBOM and provenance attestations: SBOM and SLSA provenance attached to operator container images now follow the OCI 1.1 Referrers spec, so standard registry tooling and supply-chain scanners can discover them automatically. (#10601)

  • CVE remediation in github.com/jackc/pgx/v5: bumped to v5.9.2 to pick up upstream fixes for CVE-2026-33816 (memory-safety in pgproto3) and GHSA-j88v-2chj-qfwx (SQL injection via simple-protocol dollar-quoted string handling). (#10437, #10499)

  • CVE remediation in the Go runtime: built with Go 1.26.3 to pick up upstream fixes in crypto/x509, crypto/tls, net/http, and net (CVE-2026-32280, CVE-2026-32281, CVE-2026-33810, CVE-2026-33814, CVE-2026-33811, CVE-2026-39825). (#10463, #10647)

  • Build pipeline hardening: the Go 1.26.3 bump also addresses CVE-2026-42501 (cmd/go module-checksum validation), reducing supply-chain exposure during release builds. The affected code paths are not reachable from the running operator. (#10647)

Changes
  • Switched TLS peer verification from VerifyPeerCertificate to VerifyConnection, which runs on every completed handshake (the former is skipped on resumed TLS 1.3 sessions). Session resumption is not enabled in CloudNativePG today, so this has no observable effect, but it future-proofs verification if session caching is introduced later. (#10478)

Fixes
  • Fixed a failover window where the former primary kept its primary label. If it returned during failover (for example, after a transient network partition), the -rw service kept routing to it, replicas could reconnect, and committed writes were lost to pg_rewind. The old primary is now labeled unhealthy to isolate it from service traffic during failover. (#10409)

  • Fixed failover not being triggered when the node hosting the primary becomes unreachable. The operator now reads the pod's Ready condition (flipped to False by the node controller when the kubelet stops reporting) instead of ContainersReady, which stays stale as True in that scenario. Combined with the spurious-failover guard (#10445), failover triggers only when Kubernetes itself marks the pod not Ready. (#10448)

  • Fixed spurious failovers caused by transient failures on the primary's HTTP status endpoint. (#10445)

  • Fixed escaping of backslashes and control characters in PostgreSQL configuration values. Previously, such characters in parameters like log_line_prefix could corrupt the configuration file or be silently stripped at runtime. (#10515)

  • Fixed restore_command construction to shell-quote each argument. Values such as a destinationPath containing whitespace (for example, s3://my bucket/wal) were word-split by the POSIX shell and passed to the WAL restore tool as separate arguments. (#10518)

  • Tightened recoveryTarget validation in the admission webhook: targetXID must now be a non-negative 32-bit integer, and targetName must be shorter than 64 bytes and free of ASCII control characters. Malformed values are rejected at admission instead of failing later during PostgreSQL recovery. (#10565)

  • Fixed snapshot restores failing when leftover pgsql_tmp* directories were present in the data directory. (#10447)

  • Fixed a deadlock occurring when PVC storage size and resource requests are changed simultaneously. (#10427)


Configuration

📅 Schedule: (in timezone America/Chicago)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate.
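As an added illustration of the VerifyConnection change listed under "Changes" above (example code, not CloudNativePG's own implementation): a Go callback that checks the peer certificate's Common Name, and the server-side tls.Config it is installed in. crypto/tls runs VerifyConnection after the standard chain verification on every completed handshake, including TLS 1.3 resumptions, where VerifyPeerCertificate is not invoked; an identity check placed here therefore also holds for resumed sessions. The CN streaming_replica is an assumed placeholder, and selfSignedCert exists only so the callback can be exercised without a real PKI.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// peerVerifier returns a VerifyConnection callback that requires the peer
// to have presented a certificate whose Common Name equals expectedCN.
// crypto/tls calls VerifyConnection on every completed handshake, resumed
// TLS 1.3 sessions included, so this check is not skipped on resumption
// the way a VerifyPeerCertificate callback would be.
func peerVerifier(expectedCN string) func(tls.ConnectionState) error {
	return func(cs tls.ConnectionState) error {
		if len(cs.PeerCertificates) == 0 {
			return errors.New("tls: peer presented no certificate")
		}
		if cn := cs.PeerCertificates[0].Subject.CommonName; cn != expectedCN {
			return fmt.Errorf("tls: peer CN %q, want %q", cn, expectedCN)
		}
		return nil
	}
}

// serverConfig builds the accepting side's config: client certificates are
// required and chain-validated against clientCAs by the standard verifier
// first, then VerifyConnection applies the identity check above.
func serverConfig(cert tls.Certificate, clientCAs *x509.CertPool, expectedCN string) *tls.Config {
	return &tls.Config{
		Certificates:     []tls.Certificate{cert},
		ClientAuth:       tls.RequireAndVerifyClientCert,
		ClientCAs:        clientCAs,
		MinVersion:       tls.VersionTLS13,
		VerifyConnection: peerVerifier(expectedCN),
	}
}

// selfSignedCert issues a throwaway client certificate for cn. It is a
// constructed test fixture, not something a deployment would do.
func selfSignedCert(cn string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// checkPeer runs the verifier against a connection state carrying the given
// certificate, the shape crypto/tls hands the callback after a handshake.
func checkPeer(expectedCN string, peer *x509.Certificate) error {
	cs := tls.ConnectionState{
		Version:           tls.VersionTLS13,
		HandshakeComplete: true,
		PeerCertificates:  []*x509.Certificate{peer},
	}
	return peerVerifier(expectedCN)(cs)
}

func main() {
	cert, err := selfSignedCert("streaming_replica")
	if err != nil {
		panic(err)
	}
	fmt.Println("expected CN:", checkPeer("streaming_replica", cert))
	fmt.Println("wrong CN:   ", checkPeer("postgres", cert))
}
```

The callback only reads ConnectionState, which on a resumed connection is repopulated from the cached session, so the identity check sees the same PeerCertificates it saw on the full handshake.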

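The two escaping fixes listed under "Fixes" above (restore_command word-splitting, #10518, and backslash/control-character handling in configuration values, #10515) come down to two quoting layers applied in order: first each argument is quoted for the POSIX shell that PostgreSQL hands restore_command to, then the whole value is quoted for the postgresql.conf parser. The Go below is an added example, not the operator's code; the tool name wal-restore-tool and the argument list are stand-ins, and %f and %p are left bare because PostgreSQL substitutes them textually before the shell runs.

```go
package main

import (
	"fmt"
	"strings"
)

// shellQuote wraps s in single quotes so a POSIX shell parses it as exactly
// one word regardless of whitespace or metacharacters. An embedded single
// quote is written as '\'' (close quote, escaped quote, reopen quote).
func shellQuote(s string) string {
	return "'" + strings.ReplaceAll(s, "'", `'\''`) + "'"
}

// buildRestoreCommand assembles the shell command PostgreSQL runs to fetch a
// WAL segment. Every supplied argument is quoted individually; %f and %p are
// PostgreSQL placeholders substituted before the shell sees the string.
func buildRestoreCommand(tool string, args ...string) string {
	parts := make([]string, 0, len(args)+3)
	parts = append(parts, shellQuote(tool))
	for _, a := range args {
		parts = append(parts, shellQuote(a))
	}
	parts = append(parts, "%f", "%p")
	return strings.Join(parts, " ")
}

// gucQuote renders v as a postgresql.conf string literal. The GUC parser
// processes backslash escapes inside single quotes and treats '' as one
// quote, so a backslash becomes \\, a quote becomes '', and ASCII control
// bytes (which the lexer rejects raw, a newline would end the value) become
// three-digit octal escapes.
func gucQuote(v string) string {
	var b strings.Builder
	b.WriteByte('\'')
	for i := 0; i < len(v); i++ {
		c := v[i]
		switch {
		case c == '\\':
			b.WriteString(`\\`)
		case c == '\'':
			b.WriteString("''")
		case c < 0x20 || c == 0x7f:
			fmt.Fprintf(&b, `\%03o`, c)
		default:
			b.WriteByte(c)
		}
	}
	b.WriteByte('\'')
	return b.String()
}

// configLine emits one "name = 'value'" line for postgresql.conf.
func configLine(name, value string) string {
	return name + " = " + gucQuote(value)
}

func main() {
	// Constructed inputs: a bucket path with a space and a prefix that
	// contains a literal backslash followed by t (not a tab).
	cmd := buildRestoreCommand("wal-restore-tool", "s3://my bucket/wal", "pg-main")
	fmt.Println(configLine("restore_command", cmd))
	fmt.Println(configLine("log_line_prefix", `%m [%p] \t%q%u@%d `))
}
```

For the s3://my bucket/wal case the shell receives 's3://my bucket/wal' as a single word, and the GUC parser turns the doubled quotes around it back into single ones. A literal backslash in log_line_prefix survives as \\ instead of being read as the start of an escape, and a raw tab byte is written as \011 rather than inserted into the file verbatim.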
renovate-bot added the automerge and github-releases labels 2026-05-08 20:29:46 +00:00
renovate-bot added 1 commit 2026-05-08 20:29:49 +00:00
chore(deps): update dependency cloudnative-pg/cloudnative-pg to v1.29.1
Some checks are pending
renovate/stability-days Updates have not met minimum release age requirement
lint-test-helm / lint-helm (pull_request) Successful in 32s
render-manifests / render-manifests (pull_request) Successful in 56s
lint-test-helm / validate-kubeconform (pull_request) Successful in 29s
3b8cf6e546
renovate-bot scheduled this pull request to auto merge when all checks succeed 2026-05-08 20:29:58 +00:00
renovate-bot merged commit d646678926 into main 2026-05-08 20:30:04 +00:00
renovate-bot deleted branch renovate/unified-cloudnative-pg 2026-05-08 20:30:09 +00:00