From c6febeeaffe9a75ec61b59ebf46a2495007aa362 Mon Sep 17 00:00:00 2001 From: Marco Nenciarini Date: Mon, 29 Jun 2026 19:07:46 +0200 Subject: [PATCH] Release cloudnative-pg-v0.29.0 Signed-off-by: Marco Nenciarini --- charts/cloudnative-pg/Chart.yaml | 4 +- charts/cloudnative-pg/README.md | 2 +- charts/cloudnative-pg/templates/_helpers.tpl | 13 + .../cloudnative-pg/templates/crds/crds.yaml | 770 +++++++++++++++++- charts/cloudnative-pg/templates/rbac.yaml | 2 + 5 files changed, 755 insertions(+), 36 deletions(-) diff --git a/charts/cloudnative-pg/Chart.yaml b/charts/cloudnative-pg/Chart.yaml index 7c967eec2f..5666df498e 100644 --- a/charts/cloudnative-pg/Chart.yaml +++ b/charts/cloudnative-pg/Chart.yaml @@ -22,12 +22,12 @@ description: CloudNativePG Operator Helm Chart kubeVersion: ">=1.29.0-0" icon: https://raw.githubusercontent.com/cloudnative-pg/artwork/main/cloudnativepg-logo.svg type: application -version: "0.28.3" +version: "0.29.0" # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to # follow Semantic Versioning, they should reflect the version the application is using. # It is recommended to use it with quotes. -appVersion: "1.29.1" +appVersion: "1.30.0" sources: - https://github.com/cloudnative-pg/charts keywords: diff --git a/charts/cloudnative-pg/README.md b/charts/cloudnative-pg/README.md index 9f6dde8959..232ff0b653 100644 --- a/charts/cloudnative-pg/README.md +++ b/charts/cloudnative-pg/README.md 
@@ -1,6 +1,6 @@ # cloudnative-pg -![Version: 0.28.3](https://img.shields.io/badge/Version-0.28.3-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.29.1](https://img.shields.io/badge/AppVersion-1.29.1-informational?style=flat-square) +![Version: 0.29.0](https://img.shields.io/badge/Version-0.29.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.30.0](https://img.shields.io/badge/AppVersion-1.30.0-informational?style=flat-square) CloudNativePG Operator Helm Chart diff --git a/charts/cloudnative-pg/templates/_helpers.tpl b/charts/cloudnative-pg/templates/_helpers.tpl index 045b06d9da..6c6e031ea9 100644 --- a/charts/cloudnative-pg/templates/_helpers.tpl +++ b/charts/cloudnative-pg/templates/_helpers.tpl @@ -167,7 +167,17 @@ namespace scope or clusterwide verbs: - create - get + - list - update + - watch +- apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - get + - list + - watch - apiGroups: - monitoring.coreos.com resources: @@ -196,6 +206,7 @@ namespace scope or clusterwide resources: - backups - clusters + - databaseroles - databases - poolers - publications @@ -243,6 +254,7 @@ namespace scope or clusterwide - postgresql.cnpg.io resources: - clusters/finalizers + - databaseroles/finalizers - poolers/finalizers verbs: - update @@ -250,6 +262,7 @@ namespace scope or clusterwide - postgresql.cnpg.io resources: - clusters/status + - databaseroles/status - poolers/status - failoverquorums/status verbs: diff --git a/charts/cloudnative-pg/templates/crds/crds.yaml b/charts/cloudnative-pg/templates/crds/crds.yaml index 9273574870..62c8634b56 100644 --- a/charts/cloudnative-pg/templates/crds/crds.yaml +++ b/charts/cloudnative-pg/templates/crds/crds.yaml 
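Review bot: The rule that gains `list` and `watch` in the first `_helpers.tpl` hunk has its `resources:` list above the hunk, so the scope of the new read grant cannot be confirmed from the patch; it is presumably the `coordination.k8s.io` leases rule backing the new `primaryLease` feature, and the commit message or a template comment such as `# list/watch on leases are needed for primary lease election` should say so. The new `discovery.k8s.io/endpointslices` rule and the `databaseroles` additions (including `/finalizers` and `/status` in the later hunks) look minimal for their purpose. The enclosing rules list starts and ends outside the hunks.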
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.20.1 + controller-gen.kubebuilder.io/version: v0.21.0 helm.sh/resource-policy: keep name: backups.postgresql.cnpg.io spec: @@ -476,7 +476,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.20.1 + controller-gen.kubebuilder.io/version: v0.21.0 helm.sh/resource-policy: keep name: clusterimagecatalogs.postgresql.cnpg.io spec: @@ -520,6 +520,35 @@ spec: Specification of the desired behavior of the ClusterImageCatalog. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status properties: + componentImages: + description: |- + ComponentImages is a list of named images for components other than PostgreSQL + (e.g. pgbouncer). Keys must be unique within a catalog. + items: + description: CatalogComponentImage is a named image entry for a + non-PostgreSQL component. + properties: + image: + description: Image is the container image reference. + type: string + key: + description: Key is the unique identifier for this image within + the catalog. + maxLength: 63 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - image + - key + type: object + maxItems: 32 + type: array + x-kubernetes-list-map-keys: + - key + x-kubernetes-list-type: map + x-kubernetes-validations: + - message: Component image keys must be unique + rule: self.all(e, self.filter(f, f.key==e.key).size() == 1) images: description: List of CatalogImages available in the catalog items: 
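Review bot: The `x-kubernetes-validations` rule `self.all(e, self.filter(f, f.key==e.key).size() == 1)` on `componentImages` is redundant: the list is declared `x-kubernetes-list-type: map` with `x-kubernetes-list-map-keys: [key]`, and the API server already rejects duplicate map keys on that basis, so the CEL rule never fires and only adds an O(n²) evaluation (bounded by `maxItems: 32`). Either drop the rule or keep it with a comment explaining which API-server behaviour it guards against. The same rule appears in the `imagecatalogs` hunk (`@@ -8884,6 +9451,35 @@`). Separately, `image` has no `maxLength` or `pattern` while `key` does; a bound on the reference length would be consistent with the rest of the schema.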
@@ -620,7 +649,11 @@ spec: type: string type: array name: - description: The name of the extension, required + description: |- + The name of the extension, required. The limit of 59 characters + leaves room for the prefix the operator adds when deriving the + extension's Kubernetes Volume name (capped at 63 characters). + maxLength: 59 minLength: 1 pattern: ^[a-z0-9]([-a-z0-9_]*[a-z0-9])?$ type: string @@ -664,7 +697,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.20.1 + controller-gen.kubebuilder.io/version: v0.21.0 helm.sh/resource-policy: keep name: clusters.postgresql.cnpg.io spec: @@ -1814,10 +1847,11 @@ spec: description: |- Compress a backup file (a tar file per tablespace) while streaming it to the object store. Available options are empty string (no - compression, default), `gzip`, `bzip2`, and `snappy`. + compression, default), `gzip`, `bzip2`, `lz4`, and `snappy`. enum: - bzip2 - gzip + - lz4 - snappy type: string encryption: @@ -3406,10 +3440,11 @@ spec: description: |- Compress a backup file (a tar file per tablespace) while streaming it to the object store. Available options are empty string (no - compression, default), `gzip`, `bzip2`, and `snappy`. + compression, default), `gzip`, `bzip2`, `lz4`, and `snappy`. enum: - bzip2 - gzip + - lz4 - snappy type: string encryption: @@ -3960,6 +3995,8 @@ spec: description: |- List of one or more existing roles to which this role will be immediately added as a new member. Default empty. + Changes to the list are applied to an existing role through + `GRANT` and `REVOKE` statements, not only at role creation. items: type: string type: array @@ -3967,7 +4004,7 @@ spec: default: true description: |- Whether a role "inherits" the privileges of roles it is a member of. - Defaults is `true`. + Default is `true`. type: boolean login: description: |- 
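Review bot: Adding `maxLength: 59` to the existing extension `name` field tightens validation on stored objects: any object whose extension name is longer than 59 characters will fail validation on its next update, and the chart's `kubeVersion: ">=1.29.0-0"` admits API servers where, to my knowledge, CRD validation ratcheting is not enabled by default. The release notes should flag this as a potentially breaking schema change, or the bound should be enforced only for new names. The same tightening appears in the `clusters` spec (`@@ -5193`), the `clusters` status (`@@ -7878`) and the `imagecatalogs` (`@@ -8984`) hunks; the status occurrence is the riskiest because the operator, not the user, writes that field.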
@@ -3981,8 +4018,10 @@ spec: type: string passwordSecret: description: |- - Secret containing the password of the role (if present) - If null, the password will be ignored unless DisablePassword is set + Secret containing the password of the role (if present). + If null, the password will be ignored unless DisablePassword is set. + When set, the secret must follow the `kubernetes.io/basic-auth` format + and contain both a `username` and a `password` field. properties: name: description: Name of the referent. @@ -5193,7 +5232,11 @@ spec: type: string type: array name: - description: The name of the extension, required + description: |- + The name of the extension, required. The limit of 59 characters + leaves room for the prefix the operator adds when deriving the + extension's Kubernetes Volume name (capped at 63 characters). + maxLength: 59 minLength: 1 pattern: ^[a-z0-9]([-a-z0-9_]*[a-z0-9])?$ type: string 
@@ -5403,6 +5446,53 @@ spec: || self.standbyNamesPre.size()==0) && (!has(self.standbyNamesPost) || self.standbyNamesPost.size()==0)) type: object + primaryLease: + description: |- + Configuration of the Kubernetes `Lease` used to coordinate safe primary + election within the cluster. When omitted, the operator applies built-in + defaults; tune these values only if you understand the consequences for + failover timing. + properties: + leaseDurationSeconds: + default: 15 + description: |- + How long, in seconds, the primary lease is considered valid before it + expires and another instance may acquire it. It must be greater than + `renewDeadlineSeconds`. + Defaults to 15. + format: int32 + minimum: 1 + type: integer + releasedLeaseDurationSeconds: + default: 1 + description: |- + The TTL, in seconds, written when the primary explicitly releases the + lease on a clean shutdown, allowing a replica to promote without waiting + for the full lease duration to expire. + Defaults to 1. + format: int32 + minimum: 1 + type: integer + renewDeadlineSeconds: + default: 10 + description: |- + How long, in seconds, the current primary keeps retrying to renew the + lease before giving up and stopping. It must be smaller than + `leaseDurationSeconds`. + Defaults to 10. + format: int32 + minimum: 1 + type: integer + retryPeriodSeconds: + default: 2 + description: |- + How frequently, in seconds, a non-holder instance retries acquiring or + renewing the lease. + Defaults to 2. + format: int32 + minimum: 1 + type: integer + type: object primaryUpdateMethod: default: restart description: |- 
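Review bot: The `primaryLease` descriptions state that `leaseDurationSeconds` must be greater than `renewDeadlineSeconds`, but nothing in the schema enforces it, so a configuration that violates the ordering is accepted at admission and only surfaces later in election behaviour. Since all four fields carry defaults they are always present after defaulting, so a plain rule on the `primaryLease` object works: `x-kubernetes-validations:` / `- message: leaseDurationSeconds must be greater than renewDeadlineSeconds` / `  rule: self.leaseDurationSeconds > self.renewDeadlineSeconds`. A second rule requiring `retryPeriodSeconds` to be smaller than `renewDeadlineSeconds` would be consistent with the usual leader-election constraints, if the controller relies on that too.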
@@ -7733,8 +7823,10 @@ spec: Deprecated: the field is not set for backup plugins. type: object latestGeneratedNode: - description: ID of the latest generated node (used to avoid node name - clashing) + description: |- + ID of the latest generated node (used to avoid node name clashing) + + Deprecated: this field is not set anymore type: integer managedRolesStatus: description: ManagedRolesStatus reports the state of the managed roles @@ -7753,8 +7845,10 @@ spec: type: string type: array description: |- - CannotReconcile lists roles that cannot be reconciled in PostgreSQL, - with an explanation of the cause + CannotReconcile lists roles that cannot be reconciled, with an + explanation of the cause. Failures may originate in PostgreSQL + (e.g. dropping a role that owns objects) or in Kubernetes (e.g. + the referenced password Secret cannot be fetched). type: object passwordStatus: additionalProperties: @@ -7778,6 +7872,12 @@ spec: description: OnlineUpdateEnabled shows if the online upgrade is enabled inside the cluster type: boolean + operatorCertificateFingerprint: + description: |- + OperatorCertificateFingerprint is the SHA256 fingerprint of the operator's + in-memory client certificate public key. The instance manager pins this + fingerprint to authenticate requests from the operator. + type: string pgDataImageInfo: description: PGDataImageInfo contains the details of the latest image that has run on the current data directory. @@ -7878,7 +7978,11 @@ spec: type: string type: array name: - description: The name of the extension, required + description: |- + The name of the extension, required. The limit of 59 characters + leaves room for the prefix the operator adds when deriving the + extension's Kubernetes Volume name (capped at 63 characters). + maxLength: 59 minLength: 1 pattern: ^[a-z0-9]([-a-z0-9_]*[a-z0-9])?$ type: string 
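Review bot: `operatorCertificateFingerprint` in the third hunk on this line is described as the value the instance manager pins to authenticate the operator, which makes the `clusters/status` subresource a trust anchor: any principal with update on it can replace the fingerprint, so the description should state that the field is written by the operator only and that write access to `clusters/status` is operator-equivalent privilege. Suggest appending `Managed by the operator; users must not set it, and RBAC write access to the status subresource should be limited accordingly.` It would also help to state the encoding (hex, base64, colon-separated) and add a matching `pattern`/`maxLength`, since the schema currently accepts any string. How the instance manager combines this pin with CA verification is outside the hunk, so the trust-anchor reading is inferred from the description.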
@@ -8067,6 +8171,13 @@ spec: description: The resource version of the "postgres" user secret type: string type: object + selector: + description: |- + Selector is the serialized form of the label selector that identifies + the pods managed by this cluster. Populated by the operator and exposed + through the scale sub-resource so an autoscaler (such as HPA or VPA) + can discover the managed instance pods. + type: string switchReplicaClusterStatus: description: SwitchReplicaClusterStatus is the status of the switch to replica cluster 
@@ -8103,6 +8214,130 @@ spec: - state type: object type: array + targetPgDataImageInfo: + description: |- + TargetPGDataImageInfo contains the details of the target image for an + in-progress major upgrade. It is set before the upgrade Job is created, + and cleared on successful completion or when the upgrade is rolled back. + properties: + extensions: + description: Extensions contains the container image extensions + available for the current Image + items: + description: |- + ExtensionConfiguration is the configuration used to add + PostgreSQL extensions to the Cluster. + properties: + bin_path: + description: |- + A list of directories within the image to be appended to the + PostgreSQL process's `PATH` environment variable. + items: + type: string + type: array + dynamic_library_path: + description: |- + The list of directories inside the image which should be added to dynamic_library_path. + If not defined, defaults to "/lib". + items: + type: string + type: array + env: + description: |- + Env is a list of custom environment variables to be set in the + PostgreSQL process for this extension. It is the responsibility of the + cluster administrator to ensure the variables are correct for the + specific extension. Note that changes to these variables require + a manual cluster restart to take effect. + items: + description: |- + ExtensionEnvVar defines an environment variable for a specific extension + image volume. + properties: + name: + description: |- + Name of the environment variable to be injected into the + PostgreSQL process. + minLength: 1 + pattern: ^[a-zA-Z_][a-zA-Z0-9_]*$ + type: string + value: + description: |- + Value of the environment variable. CloudNativePG performs a direct + replacement of this value, with support for placeholder expansion. + The ${`image_root`} placeholder resolves to the absolute mount path + of the extension's volume (e.g., `/extensions/my-extension`). 
This + is particularly useful for allowing applications or libraries to + locate specific directories within the mounted image. + Unrecognized placeholders are rejected. To include a literal ${...} + in the value, escape it as $${...}. + minLength: 1 + type: string + required: + - name + - value + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + extension_control_path: + description: |- + The list of directories inside the image which should be added to extension_control_path. + If not defined, defaults to "/share". + items: + type: string + type: array + image: + description: The image containing the extension. + properties: + pullPolicy: + description: |- + Policy for pulling OCI objects. Possible values are: + Always: the kubelet always attempts to pull the reference. Container creation will fail If the pull fails. + Never: the kubelet never pulls the reference and only uses a local image or artifact. Container creation will fail if the reference isn't present. + IfNotPresent: the kubelet pulls if the reference isn't already present on disk. Container creation will fail if the reference isn't present and the pull fails. + Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. + type: string + reference: + description: |- + Required: Image or artifact reference to be used. + Behaves in the same way as pod.spec.containers[*].image. + Pull secrets will be assembled in the same way as for the container image by looking up node credentials, SA image pull secrets, and pod spec image pull secrets. + More info: https://kubernetes.io/docs/concepts/containers/images + This field is optional to allow higher level config management to default or override + container images in workload controllers like Deployments and StatefulSets. + type: string + type: object + ld_library_path: + description: The list of directories inside the image which + should be added to ld_library_path. 
+ items: + type: string + type: array + name: + description: |- + The name of the extension, required. The limit of 59 characters + leaves room for the prefix the operator adds when deriving the + extension's Kubernetes Volume name (capped at 63 characters). + maxLength: 59 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9_]*[a-z0-9])?$ + type: string + required: + - name + type: object + type: array + image: + description: Image is the image name + type: string + majorVersion: + description: MajorVersion is the major version of the image + type: integer + required: + - image + - majorVersion + type: object targetPrimary: description: |- Target primary instance, this is different from the previous one @@ -8160,6 +8395,7 @@ spec: storage: true subresources: scale: + labelSelectorPath: .status.selector specReplicasPath: .spec.instances statusReplicasPath: .status.instances status: {} 
@@ -8168,7 +8404,335 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.20.1 + controller-gen.kubebuilder.io/version: v0.21.0 + helm.sh/resource-policy: keep + name: databaseroles.postgresql.cnpg.io +spec: + group: postgresql.cnpg.io + names: + kind: DatabaseRole + listKind: DatabaseRoleList + plural: databaseroles + singular: databaserole + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - jsonPath: .spec.cluster.name + name: Cluster + type: string + - jsonPath: .spec.name + name: PG Name + type: string + - jsonPath: .status.applied + name: Applied + type: boolean + - description: Latest reconciliation message + jsonPath: .status.message + name: Message + type: string + name: v1 + schema: + openAPIV3Schema: + description: DatabaseRole is the Schema for the databaseroles API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: |- + Specification of the desired DatabaseRole. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status + properties: + bypassrls: + description: |- + Whether a role bypasses every row-level security (RLS) policy. + Default is `false`. 
+ type: boolean + clientCertificate: + description: |- + ClientCertificate configures the operator to generate and renew a TLS client + certificate for this role, signed by the cluster's client CA. The certificate + is stored in a Secret named `-client-cert`. + Requires login to be true. + properties: + enabled: + default: true + description: |- + Enabled turns on client certificate issuance for this role. When true, + the role must have login enabled. Defaults to true when the block is present. + type: boolean + type: object + cluster: + description: The corresponding cluster + properties: + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: cluster reference is immutable after creation + rule: self == oldSelf + comment: + description: Description of the role + type: string + connectionLimit: + default: -1 + description: |- + If the role can log in, this specifies how many concurrent + connections the role can make. `-1` (the default) means no limit. + format: int64 + type: integer + createdb: + description: |- + When set to `true`, the role being defined will be allowed to create + new databases. Specifying `false` (default) will deny a role the + ability to create databases. + type: boolean + createrole: + description: |- + Whether the role will be permitted to create, alter, drop, comment + on, change the security label for, and grant or revoke membership in + other roles. Default is `false`. 
+ type: boolean + databaseRoleReclaimPolicy: + default: retain + description: The policy for end-of-life maintenance of this role + enum: + - delete + - retain + type: string + disablePassword: + description: DisablePassword indicates that a role's password should + be set to NULL in Postgres + type: boolean + ensure: + default: present + description: Ensure the role is `present` or `absent` - defaults to + "present" + enum: + - present + - absent + type: string + inRoles: + description: |- + List of one or more existing roles to which this role will be + immediately added as a new member. Default empty. + Changes to the list are applied to an existing role through + `GRANT` and `REVOKE` statements, not only at role creation. + items: + type: string + type: array + inherit: + default: true + description: |- + Whether a role "inherits" the privileges of roles it is a member of. + Default is `true`. + type: boolean + login: + description: |- + Whether the role is allowed to log in. A role having the `login` + attribute can be thought of as a user. Roles without this attribute + are useful for managing database privileges, but are not users in + the usual sense of the word. Default is `false`. + type: boolean + name: + description: Name of the role + type: string + passwordSecret: + description: |- + Secret containing the password of the role (if present). + If null, the password will be ignored unless DisablePassword is set. + When set, the secret must follow the `kubernetes.io/basic-auth` format + and contain both a `username` and a `password` field. + properties: + name: + description: Name of the referent. + type: string + required: + - name + type: object + replication: + description: |- + Whether a role is a replication role. A role must have this + attribute (or be a superuser) in order to be able to connect to the + server in replication mode (physical or logical replication) and in + order to be able to create or drop replication slots. 
A role having + the `replication` attribute is a very highly privileged role, and + should only be used on roles actually used for replication. Default + is `false`. + type: boolean + superuser: + description: |- + Whether the role is a `superuser` who can override all access + restrictions within the database - superuser status is dangerous and + should be used only when really needed. You must yourself be a + superuser to create a new superuser. Defaults is `false`. + type: boolean + validUntil: + description: |- + Date and time after which the role's password is no longer valid. + When omitted, the password will never expire (default). + format: date-time + type: string + required: + - cluster + - name + type: object + x-kubernetes-validations: + - message: name is immutable + rule: self.name == oldSelf.name + - message: 'ensure: absent is not supported for DatabaseRole; delete the + resource with databaseRoleReclaimPolicy: delete instead' + rule: '!has(self.ensure) || self.ensure != ''absent''' + - message: the role name postgres is reserved + rule: self.name != 'postgres' + - message: the role name streaming_replica is reserved + rule: self.name != 'streaming_replica' + - message: role names starting with pg_ are reserved by PostgreSQL + rule: '!self.name.startsWith(''pg_'')' + - message: role names starting with cnpg_ are reserved by the operator + rule: '!self.name.startsWith(''cnpg_'')' + - message: role name must not be empty + rule: self.name.size() != 0 + - message: passwordSecret and disablePassword are mutually exclusive + rule: '!has(self.passwordSecret) || !has(self.disablePassword) || !self.disablePassword' + - message: clientCertificate requires the role to have login enabled + rule: '!has(self.clientCertificate) || !self.clientCertificate.enabled + || self.login' + status: + description: |- + Most recently observed status of the DatabaseRole. This data may not be up + to date. Populated by the system. Read-only. 
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status + properties: + applied: + description: Applied is true if the role was reconciled correctly + type: boolean + clientCertificate: + description: |- + ClientCertificate holds the observed state of the generated TLS client + certificate, when client certificate issuance is enabled. + properties: + expiration: + description: Expiration is the expiration time of the generated + client certificate, in RFC3339 format. + type: string + message: + description: |- + Message contains a human-readable explanation of the current certificate status, + such as why issuance was skipped or why an existing Secret was left untouched. + type: string + type: object + conditions: + description: Conditions for the DatabaseRole object + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. 
+ Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + message: + description: Message is the reconciliation error message + type: string + observedGeneration: + description: |- + A sequence number representing the latest + desired state that was synchronized + format: int64 + type: integer + secretResourceVersion: + description: |- + SecretResourceVersion is the resource version of the password secret + last applied to the role; a change to it triggers reconciliation. + type: string + type: object + required: + - metadata + - spec + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.21.0 helm.sh/resource-policy: keep name: databases.postgresql.cnpg.io spec: @@ -8253,6 +8817,9 @@ spec: type: string type: object x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: cluster reference is immutable after creation + rule: self == oldSelf collationVersion: description: |- Maps to the `COLLATION_VERSION` parameter of `CREATE DATABASE`. This 
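Review bot: The `clientCertificate` description in the `databaseroles` hunk says the certificate is stored in a Secret named `-client-cert`, which reads like a lost placeholder (probably an angle-bracketed name stripped from the doc comment); it should spell out the derivation, e.g. `<role-resource-name>-client-cert` — confirm against the controller whether the resource name or `spec.name` is used. The CRD also never requires a non-empty cluster reference: `cluster.name` defaults to `""` and is only made immutable, while `name` gets a `size() != 0` rule; add `- message: cluster name must not be empty` / `  rule: self.cluster.name.size() != 0` alongside the existing spec-level rules. Minor wording: `superuser` ends with `Defaults is \`false\`` where the sibling fields (and the parallel fix in the `clusters` hunk) use `Default is`.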
@@ -8763,7 +9330,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.20.1 + controller-gen.kubebuilder.io/version: v0.21.0 helm.sh/resource-policy: keep name: failoverquorums.postgresql.cnpg.io spec: @@ -8841,7 +9408,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.20.1 + controller-gen.kubebuilder.io/version: v0.21.0 helm.sh/resource-policy: keep name: imagecatalogs.postgresql.cnpg.io spec: @@ -8884,6 +9451,35 @@ spec: Specification of the desired behavior of the ImageCatalog. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status properties: + componentImages: + description: |- + ComponentImages is a list of named images for components other than PostgreSQL + (e.g. pgbouncer). Keys must be unique within a catalog. + items: + description: CatalogComponentImage is a named image entry for a + non-PostgreSQL component. + properties: + image: + description: Image is the container image reference. + type: string + key: + description: Key is the unique identifier for this image within + the catalog. + maxLength: 63 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - image + - key + type: object + maxItems: 32 + type: array + x-kubernetes-list-map-keys: + - key + x-kubernetes-list-type: map + x-kubernetes-validations: + - message: Component image keys must be unique + rule: self.all(e, self.filter(f, f.key==e.key).size() == 1) images: description: List of CatalogImages available in the catalog items: 
@@ -8984,7 +9580,11 @@ spec: type: string type: array name: - description: The name of the extension, required + description: |- + The name of the extension, required. The limit of 59 characters + leaves room for the prefix the operator adds when deriving the + extension's Kubernetes Volume name (capped at 63 characters). + maxLength: 59 minLength: 1 pattern: ^[a-z0-9]([-a-z0-9_]*[a-z0-9])?$ type: string @@ -9028,7 +9628,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.20.1 + controller-gen.kubebuilder.io/version: v0.21.0 helm.sh/resource-policy: keep name: poolers.postgresql.cnpg.io spec: @@ -9050,6 +9650,9 @@ spec: - jsonPath: .spec.type name: Type type: string + - jsonPath: .status.phase + name: Phase + type: string name: v1 schema: openAPIV3Schema: @@ -9088,6 +9691,9 @@ spec: required: - name type: object + x-kubernetes-validations: + - message: cluster reference is immutable after creation + rule: self == oldSelf deploymentStrategy: description: The deployment strategy to use for pgbouncer to replace existing pods with new ones 
@@ -9142,19 +9748,23 @@ spec: format: int32 type: integer monitoring: - description: |- - The configuration of the monitoring infrastructure of this pooler. - - Deprecated: This feature will be removed in an upcoming release. If - you need this functionality, you can create a PodMonitor manually. + description: The configuration of the monitoring infrastructure of + this pooler. properties: enablePodMonitor: default: false - description: Enable or disable the `PodMonitor` + description: |- + Enable or disable the `PodMonitor` + + Deprecated: This feature will be removed in an upcoming release. If + you need this functionality, you can create a PodMonitor manually. type: boolean podMonitorMetricRelabelings: - description: The list of metric relabelings for the `PodMonitor`. - Applied to samples before ingestion. + description: |- + The list of metric relabelings for the `PodMonitor`. Applied to samples before ingestion. + + Deprecated: This feature will be removed in an upcoming release. If + you need this functionality, you can create a PodMonitor manually. items: description: |- RelabelConfig allows dynamic rewriting of the label set for targets, alerts, @@ -9241,8 +9851,11 @@ spec: type: object type: array podMonitorRelabelings: - description: The list of relabelings for the `PodMonitor`. Applied - to samples before scraping. + description: |- + The list of relabelings for the `PodMonitor`. Applied to samples before scraping. + + Deprecated: This feature will be removed in an upcoming release. If + you need this functionality, you can create a PodMonitor manually. items: description: |- RelabelConfig allows dynamic rewriting of the label set for targets, alerts, 
@@ -9328,6 +9941,18 @@ spec: type: string type: object type: array + tls: + description: |- + Configure TLS communication for the metrics endpoint. + Changing tls.enabled option will force a rollout of all instances. + properties: + enabled: + default: false + description: |- + Enable TLS for the monitoring endpoint. + Changing this option will force a rollout of all instances. + type: boolean + type: object type: object pgbouncer: description: The PgBouncer configuration @@ -9376,6 +10001,46 @@ spec: required: - name type: object + image: + description: |- + Image is the pgbouncer container image to use. When set, it takes + precedence over ImageCatalogRef and the operator default, but is + overridden by an explicit image set in the pod template. + type: string + imageCatalogRef: + description: |- + ImageCatalogRef points to an entry in an ImageCatalog or ClusterImageCatalog. + Mutually exclusive with Image. + properties: + apiGroup: + description: |- + APIGroup is the group for the resource being referenced. + If APIGroup is not specified, the specified Kind must be in the core API group. + For any other third-party types, APIGroup is required. + type: string + key: + description: Key identifies the entry within the catalog's + componentImages list. + maxLength: 63 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + kind: + description: Kind is the type of resource being referenced + type: string + name: + description: Name is the name of resource being referenced + type: string + required: + - key + - kind + - name + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: Only ImageCatalog and ClusterImageCatalog are supported + rule: self.kind == 'ImageCatalog' || self.kind == 'ClusterImageCatalog' + - message: apiGroup must be postgresql.cnpg.io + rule: self.apiGroup == 'postgresql.cnpg.io' parameters: additionalProperties: type: string 
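Review bot: `tls.enabled` defaults to `false`, so the pooler metrics endpoint stays plaintext unless opted in, and the new description says nothing about which certificate the endpoint presents or what a scraper must change; a PodMonitor pointed at an HTTPS target needs `scheme: https` and a CA to trust, otherwise scrapes silently break right after the forced rollout the description warns about. I would extend the `tls` description with a sentence naming the serving certificate in use and the scrape-side change, e.g. `When enabled, scrape configurations must use scheme https and trust the CA that signed the pooler's server certificate.` Adjust the wording to whatever secret the operator actually serves, which this hunk does not show.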
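Review bot: The rule `self.apiGroup == 'postgresql.cnpg.io'` dereferences `apiGroup` unconditionally, yet `apiGroup` is not in `required` and its description says a missing value means the core API group; in Kubernetes CEL, reading an absent optional field is an evaluation error, so an `imageCatalogRef` without `apiGroup` is rejected with a CEL error rather than the intended `apiGroup must be postgresql.cnpg.io` message. Either add `apiGroup` to `required` and drop the core-API-group sentence from its description, or guard the rule: `rule: has(self.apiGroup) && self.apiGroup == 'postgresql.cnpg.io'`. Separately, the new `image` field has no `minLength`, so `image: ""` counts as present both for the "takes precedence" behaviour its description promises and for any `has(self.image)` check; adding `minLength: 1` makes "when set" unambiguous.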
@@ -9429,6 +10094,9 @@ spec: - name type: object type: object + x-kubernetes-validations: + - message: image and imageCatalogRef are mutually exclusive + rule: '!(has(self.image) && has(self.imageCatalogRef))' serviceAccountName: description: |- Name of an existing ServiceAccount in the same namespace to use for the pooler. @@ -18330,10 +18998,34 @@ spec: date. Populated by the system. Read-only. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status properties: + error: + description: Error is the latest admission validation error + type: string + image: + description: |- + Image is the resolved pgbouncer container image that the operator is + using for this Pooler, including any override coming from spec.template. + While Phase is Active or Paused this field reflects what the Deployment + actually runs; while Phase is Inactive or Failed it may carry the last + successfully resolved value (or be empty if the Pooler has never reconciled + successfully). + type: string instances: description: The number of pods trying to be scheduled format: int32 type: integer + phase: + description: Phase summarizes the overall lifecycle state of the Pooler. + enum: + - active + - paused + - inactive + - failed + type: string + phaseReason: + description: PhaseReason is a human-readable explanation of the current + Phase. + type: string secrets: description: The resource version of the config object properties: @@ -18409,7 +19101,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.20.1 + controller-gen.kubebuilder.io/version: v0.21.0 helm.sh/resource-policy: keep name: publications.postgresql.cnpg.io spec: 
@@ -18478,6 +19170,9 @@ spec: type: string type: object x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: cluster reference is immutable after creation + rule: self == oldSelf dbname: description: |- The name of the database where the publication will be installed in @@ -18605,7 +19300,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.20.1 + controller-gen.kubebuilder.io/version: v0.21.0 helm.sh/resource-policy: keep name: scheduledbackups.postgresql.cnpg.io spec: @@ -18675,6 +19370,9 @@ spec: required: - name type: object + x-kubernetes-validations: + - message: cluster reference is immutable after creation + rule: self == oldSelf immediate: description: If the first backup has to be immediately start after creation or not @@ -18770,6 +19468,9 @@ spec: to date. Populated by the system. Read-only. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status properties: + error: + description: Error is the latest admission validation error + type: string lastCheckTime: description: The latest time the schedule format: date-time @@ -18797,7 +19498,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.20.1 + controller-gen.kubebuilder.io/version: v0.21.0 helm.sh/resource-policy: keep name: subscriptions.postgresql.cnpg.io spec: @@ -18866,6 +19567,9 @@ spec: type: string type: object x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: cluster reference is immutable after creation + rule: self == oldSelf dbname: description: |- The name of the database where the publication will be installed in diff --git a/charts/cloudnative-pg/templates/rbac.yaml b/charts/cloudnative-pg/templates/rbac.yaml index 0dc17080d1..759b0bc02b 100644 --- a/charts/cloudnative-pg/templates/rbac.yaml 
+++ b/charts/cloudnative-pg/templates/rbac.yaml @@ -132,6 +132,7 @@ rules: - backups - clusters - clusters/status + - databaseroles - databases - failoverquorums - poolers @@ -162,6 +163,7 @@ rules: - backups - clusters - clusters/status + - databaseroles - databases - failoverquorums - poolers
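Review bot: Both rule lists gain the top-level `databaseroles` resource but neither gains `databaseroles/status` or `databaseroles/finalizers`, even though the same list already carries `clusters/status` next to `clusters`; if this ClusterRole is the one the operator uses to reconcile DatabaseRole objects, status and finalizer writes will be denied at runtime and only surface as RBAC errors in the operator log. If that is the case, add `databaseroles/status` and `databaseroles/finalizers` to these lists; if this role is instead a read-only or aggregated user-facing role where subresources are intentionally omitted, a short comment above the list saying so would prevent the next reader from asking the same question. The enclosing `rules:` entry starts above the hunk, so the verbs granted to these resources are not visible here.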