diff --git a/_/ClusterRole/cloudnative-pg-edit.yaml b/_/ClusterRole/cloudnative-pg-edit.yaml index f7df888..fd8458f 100644 --- a/_/ClusterRole/cloudnative-pg-edit.yaml +++ b/_/ClusterRole/cloudnative-pg-edit.yaml @@ -5,8 +5,8 @@ metadata: app.kubernetes.io/instance: cloudnative-pg app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: cloudnative-pg - app.kubernetes.io/version: 1.25.0 - helm.sh/chart: cloudnative-pg-0.23.1 + app.kubernetes.io/version: 1.29.0 + helm.sh/chart: cloudnative-pg-0.28.0 name: cloudnative-pg-edit rules: - apiGroups: @@ -14,10 +14,14 @@ rules: resources: - backups - clusters + - clusters/status - databases + - failoverquorums - poolers - publications - scheduledbackups + - imagecatalogs + - clusterimagecatalogs - subscriptions verbs: - create diff --git a/_/ClusterRole/cloudnative-pg-view.yaml b/_/ClusterRole/cloudnative-pg-view.yaml index 9b8c8b9..37d5f1c 100644 --- a/_/ClusterRole/cloudnative-pg-view.yaml +++ b/_/ClusterRole/cloudnative-pg-view.yaml @@ -5,8 +5,8 @@ metadata: app.kubernetes.io/instance: cloudnative-pg app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: cloudnative-pg - app.kubernetes.io/version: 1.25.0 - helm.sh/chart: cloudnative-pg-0.23.1 + app.kubernetes.io/version: 1.29.0 + helm.sh/chart: cloudnative-pg-0.28.0 name: cloudnative-pg-view rules: - apiGroups: @@ -14,10 +14,14 @@ rules: resources: - backups - clusters + - clusters/status - databases + - failoverquorums - poolers - publications - scheduledbackups + - imagecatalogs + - clusterimagecatalogs - subscriptions verbs: - get diff --git a/_/ClusterRole/cloudnative-pg.yaml b/_/ClusterRole/cloudnative-pg.yaml index f85b3ff..187326c 100644 --- a/_/ClusterRole/cloudnative-pg.yaml +++ b/_/ClusterRole/cloudnative-pg.yaml 
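Review bot: `clusters/status` is added to the `edit` aggregate under the same verb list as the spec-level resources (the list continues past the hunk but opens with `create`), so a namespace editor can now write a Cluster's status, the subresource that the operator's own role patches in `cloudnative-pg.yaml` (`@@ -197,6 +207,7` lists `clusters/status` with `get`/`patch`); a user write there is read back by the reconciler as real state. If editors only need to observe it, leave `clusters/status` in the view role (the next hunk) and drop it here, or give it its own rule limited to `get`/`list`/`watch`. `clusterimagecatalogs` is cluster-scoped and decides which images clusters run, so listing it in the edit aggregate only takes effect through a ClusterRoleBinding, where it then lets every cluster-wide editor repoint image references for all namespaces — worth confirming that is intended rather than a copy of the view list. Minor: the two catalog entries are inserted after `scheduledbackups`, breaking the alphabetical order the rest of the list keeps.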
@@ -5,8 +5,8 @@ metadata: app.kubernetes.io/instance: cloudnative-pg app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: cloudnative-pg - app.kubernetes.io/version: 1.25.0 - helm.sh/chart: cloudnative-pg-0.23.1 + app.kubernetes.io/version: 1.29.0 + helm.sh/chart: cloudnative-pg-0.28.0 name: cloudnative-pg rules: - apiGroups: @@ -165,6 +165,16 @@ rules: - patch - update - watch + - apiGroups: + - postgresql.cnpg.io + resources: + - failoverquorums + verbs: + - create + - delete + - get + - list + - watch - apiGroups: - postgresql.cnpg.io resources: @@ -197,6 +207,7 @@ rules: resources: - clusters/status - poolers/status + - failoverquorums/status verbs: - get - patch diff --git a/_/ClusterRoleBinding/cloudnative-pg.yaml b/_/ClusterRoleBinding/cloudnative-pg.yaml index f9ac4a8..cc07797 100644 --- a/_/ClusterRoleBinding/cloudnative-pg.yaml +++ b/_/ClusterRoleBinding/cloudnative-pg.yaml @@ -5,8 +5,8 @@ metadata: app.kubernetes.io/instance: cloudnative-pg app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: cloudnative-pg - app.kubernetes.io/version: 1.25.0 - helm.sh/chart: cloudnative-pg-0.23.1 + app.kubernetes.io/version: 1.29.0 + helm.sh/chart: cloudnative-pg-0.28.0 name: cloudnative-pg roleRef: apiGroup: rbac.authorization.k8s.io diff --git a/_/CustomResourceDefinition/backups.postgresql.cnpg.io.yaml b/_/CustomResourceDefinition/backups.postgresql.cnpg.io.yaml index 2e5fa85..743ce57 100644 --- a/_/CustomResourceDefinition/backups.postgresql.cnpg.io.yaml +++ b/_/CustomResourceDefinition/backups.postgresql.cnpg.io.yaml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.16.5 + controller-gen.kubebuilder.io/version: v0.20.1 helm.sh/resource-policy: keep name: backups.postgresql.cnpg.io spec: 
@@ -33,7 +33,7 @@ spec: name: v1 schema: openAPIV3Schema: - description: Backup is the Schema for the backups API + description: A Backup resource is a request for a PostgreSQL backup by the user. properties: apiVersion: description: >- @@ -200,6 +200,9 @@ spec: required: - cluster type: object + x-kubernetes-validations: + - message: BackupSpec is immutable once set + rule: oldSelf == self status: description: >- Most recently observed status of the backup. This data may not @@ -274,6 +277,14 @@ spec: - key - name type: object + useDefaultAzureCredentials: + description: >- + Use the default Azure authentication flow, which + includes DefaultAzureCredential. + + This allows authentication using environment variables + and managed identities. + type: boolean type: object backupId: description: The ID of the Barman backup @@ -381,7 +392,25 @@ spec: podName: description: The pod name type: string + sessionID: + description: >- + The instance manager session ID. This is a unique + identifier generated at instance manager + + startup and changes on every restart (including + container reboots). Used to detect if + + the instance manager was restarted during long-running + operations like backups, which + + would terminate any running backup process. + type: string type: object + majorVersion: + description: |- + The PostgreSQL major version that was running when the + backup was taken. + type: integer method: description: The backup method being used type: string @@ -398,6 +427,16 @@ spec: type: string description: A map containing the plugin metadata type: object + reconciliationStartedAt: + description: When the backup process was started by the operator + format: date-time + type: string + reconciliationTerminatedAt: + description: >- + When the reconciliation was terminated by the operator + (either successfully or not) + format: date-time + type: string s3Credentials: description: The credentials to use to upload data to S3 properties: 
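Review bot: The new `useDefaultAzureCredentials` flag sits beside the explicit secret-reference fields of the same `azureCredentials` object, but neither its description nor a CEL rule says which wins when both are set, and switching to ambient identity (environment variables and managed identities, per the description) silently changes which principal the backup runs as. State the precedence in the description, for example `When true, the explicit credential references in this object are ignored.`, or say that setting both is rejected if that is what the admission logic does. The same field is added to `clusters.postgresql.cnpg.io.yaml` at `@@ -1835,6 +1810,14` and `@@ -4071,6 +4190,14`, where the same wording applies.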
@@ -498,11 +537,11 @@ spec: type: array type: object startedAt: - description: When the backup was started + description: When the backup execution was started by the backup tool format: date-time type: string stoppedAt: - description: When the backup was terminated + description: When the backup execution was terminated by the backup tool format: date-time type: string tablespaceMapFile: diff --git a/_/CustomResourceDefinition/clusterimagecatalogs.postgresql.cnpg.io.yaml b/_/CustomResourceDefinition/clusterimagecatalogs.postgresql.cnpg.io.yaml index 2a4a90e..056d662 100644 --- a/_/CustomResourceDefinition/clusterimagecatalogs.postgresql.cnpg.io.yaml +++ b/_/CustomResourceDefinition/clusterimagecatalogs.postgresql.cnpg.io.yaml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.16.5 + controller-gen.kubebuilder.io/version: v0.20.1 helm.sh/resource-policy: keep name: clusterimagecatalogs.postgresql.cnpg.io spec: 
@@ -66,6 +66,175 @@ spec: items: description: CatalogImage defines the image and major version properties: + extensions: + description: The configuration of the extensions to be added + items: + description: >- + ExtensionConfiguration is the configuration used to + add + + PostgreSQL extensions to the Cluster. + properties: + bin_path: + description: >- + A list of directories within the image to be + appended to the + + PostgreSQL process's `PATH` environment + variable. + items: + type: string + type: array + dynamic_library_path: + description: >- + The list of directories inside the image which + should be added to dynamic_library_path. + + If not defined, defaults to "/lib". + items: + type: string + type: array + env: + description: >- + Env is a list of custom environment variables to + be set in the + + PostgreSQL process for this extension. It is the + responsibility of the + + cluster administrator to ensure the variables + are correct for the + + specific extension. Note that changes to these + variables require + + a manual cluster restart to take effect. + items: + description: >- + ExtensionEnvVar defines an environment + variable for a specific extension + + image volume. + properties: + name: + description: >- + Name of the environment variable to be + injected into the + + PostgreSQL process. + minLength: 1 + pattern: ^[a-zA-Z_][a-zA-Z0-9_]*$ + type: string + value: + description: >- + Value of the environment variable. + CloudNativePG performs a direct + + replacement of this value, with support + for placeholder expansion. + + The ${`image_root`} placeholder resolves + to the absolute mount path + + of the extension's volume (e.g., + `/extensions/my-extension`). This + + is particularly useful for allowing + applications or libraries to + + locate specific directories within the + mounted image. + + Unrecognized placeholders are rejected. To + include a literal ${...} + + in the value, escape it as $${...}. 
+ minLength: 1 + type: string + required: + - name + - value + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + extension_control_path: + description: >- + The list of directories inside the image which + should be added to extension_control_path. + + If not defined, defaults to "/share". + items: + type: string + type: array + image: + description: The image containing the extension. + properties: + pullPolicy: + description: >- + Policy for pulling OCI objects. Possible + values are: + + Always: the kubelet always attempts to pull + the reference. Container creation will fail + If the pull fails. + + Never: the kubelet never pulls the reference + and only uses a local image or artifact. + Container creation will fail if the + reference isn't present. + + IfNotPresent: the kubelet pulls if the + reference isn't already present on disk. + Container creation will fail if the + reference isn't present and the pull fails. + + Defaults to Always if :latest tag is + specified, or IfNotPresent otherwise. + type: string + reference: + description: >- + Required: Image or artifact reference to be + used. + + Behaves in the same way as + pod.spec.containers[*].image. + + Pull secrets will be assembled in the same + way as for the container image by looking up + node credentials, SA image pull secrets, and + pod spec image pull secrets. + + More info: + https://kubernetes.io/docs/concepts/containers/images + + This field is optional to allow higher level + config management to default or override + + container images in workload controllers + like Deployments and StatefulSets. + type: string + type: object + ld_library_path: + description: >- + The list of directories inside the image which + should be added to ld_library_path. 
+ items: + type: string + type: array + name: + description: The name of the extension, required + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9_]*[a-z0-9])?$ + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map image: description: The image reference type: string diff --git a/_/CustomResourceDefinition/clusters.postgresql.cnpg.io.yaml b/_/CustomResourceDefinition/clusters.postgresql.cnpg.io.yaml index 6d0817a..b9998c8 100644 --- a/_/CustomResourceDefinition/clusters.postgresql.cnpg.io.yaml +++ b/_/CustomResourceDefinition/clusters.postgresql.cnpg.io.yaml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.16.5 + controller-gen.kubebuilder.io/version: v0.20.1 helm.sh/resource-policy: keep name: clusters.postgresql.cnpg.io spec: @@ -37,7 +37,11 @@ spec: name: v1 schema: openAPIV3Schema: - description: Cluster is the Schema for the PostgreSQL API + description: >- + Cluster defines the API schema for a highly available PostgreSQL + database cluster + + managed by CloudNativePG. properties: apiVersion: description: >- @@ -223,10 +227,6 @@ spec: Also, matchLabelKeys cannot be set when labelSelector isn't set. - - This is a beta field and requires enabling - MatchLabelKeysInPodAffinity feature gate - (enabled by default). items: type: string type: array @@ -258,10 +258,6 @@ spec: Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - - This is a beta field and requires enabling - MatchLabelKeysInPodAffinity feature gate - (enabled by default). items: type: string type: array @@ -542,10 +538,6 @@ spec: Also, matchLabelKeys cannot be set when labelSelector isn't set. - - This is a beta field and requires enabling - MatchLabelKeysInPodAffinity feature gate - (enabled by default). items: type: string type: array 
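Review bot: `image.reference` is described as `Required:` but neither `reference` nor `image` itself appears in a `required` list (the extension entry only requires `name`), so an extension whose image is empty or missing passes schema validation and is caught later, if at all. Because the directories listed in `bin_path`, `ld_library_path`, `dynamic_library_path` and `extension_control_path` are loaded into the PostgreSQL process from that image, make the reference mandatory at the schema level: add `- image` to the extension's `required` list and `required:` / `- reference` under `image`, if the embedded image type allows it. `ld_library_path` is also the only one of the four path lists whose description lacks the `If not defined, defaults to ...` sentence its siblings carry; add it, or state that there is no default. Consider adding a sentence to `reference` recommending digest-pinned references, since a mutable tag here changes what code the database process loads on the next pull.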
@@ -576,10 +568,6 @@ spec: Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - - This is a beta field and requires enabling - MatchLabelKeysInPodAffinity feature gate - (enabled by default). items: type: string type: array @@ -733,9 +721,9 @@ spec: expressions, etc.), compute a sum by iterating through the elements of - this field and adding + this field and subtracting - "weight" to the sum if the node has pods which + "weight" from the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred. @@ -851,10 +839,6 @@ spec: Also, matchLabelKeys cannot be set when labelSelector isn't set. - - This is a beta field and requires enabling - MatchLabelKeysInPodAffinity feature gate - (enabled by default). items: type: string type: array @@ -886,10 +870,6 @@ spec: Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - - This is a beta field and requires enabling - MatchLabelKeysInPodAffinity feature gate - (enabled by default). items: type: string type: array @@ -1170,10 +1150,6 @@ spec: Also, matchLabelKeys cannot be set when labelSelector isn't set. - - This is a beta field and requires enabling - MatchLabelKeysInPodAffinity feature gate - (enabled by default). items: type: string type: array @@ -1204,10 +1180,6 @@ spec: Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - - This is a beta field and requires enabling - MatchLabelKeysInPodAffinity feature gate - (enabled by default). items: type: string type: array 
@@ -1718,13 +1690,16 @@ spec: Operator represents a key's relationship to the value. - Valid operators are Exists and Equal. Defaults to - Equal. + Valid operators are Exists, Equal, Lt, and Gt. + Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category. + + Lt and Gt perform numeric comparisons (requires + feature gate TaintTolerationComparisonOperators). type: string tolerationSeconds: description: >- @@ -1835,6 +1810,14 @@ spec: - key - name type: object + useDefaultAzureCredentials: + description: >- + Use the default Azure authentication flow, which + includes DefaultAzureCredential. + + This allows authentication using environment + variables and managed identities. + type: boolean type: object data: description: >- @@ -1894,11 +1877,11 @@ spec: to the object store. Available options are empty string (no - compression, default), `gzip`, `bzip2` or + compression, default), `gzip`, `bzip2`, and `snappy`. enum: - - gzip - bzip2 + - gzip - snappy type: string encryption: @@ -2145,11 +2128,16 @@ spec: object store. Available options are empty string (no compression, - default), `gzip`, `bzip2` or `snappy`. + default), `gzip`, `bzip2`, + + `lz4`, `snappy`, `xz`, and `zstd`. enum: - - gzip - bzip2 + - gzip + - lz4 - snappy + - xz + - zstd type: string encryption: description: >- 
@@ -2445,32 +2433,104 @@ spec: pgDumpExtraOptions: description: >- List of custom options to pass to the `pg_dump` - command. IMPORTANT: + command. + + + IMPORTANT: Use with caution. The operator does + not validate these options, + + and certain flags may interfere with its + intended functionality or design. + + You are responsible for ensuring that the + provided options are compatible + + with your environment and desired behavior. + items: + type: string + type: array + pgRestoreDataOptions: + description: >- + Custom options to pass to the `pg_restore` + command during the `data` + + section. This setting overrides the generic + `pgRestoreExtraOptions` value. + + + IMPORTANT: Use with caution. The operator does + not validate these options, - Use these options with caution and at your own - risk, as the operator + and certain flags may interfere with its + intended functionality or design. - does not validate their content. Be aware that - certain options may + You are responsible for ensuring that the + provided options are compatible - conflict with the operator's intended - functionality or design. + with your environment and desired behavior. items: type: string type: array pgRestoreExtraOptions: description: >- List of custom options to pass to the - `pg_restore` command. IMPORTANT: + `pg_restore` command. - Use these options with caution and at your own - risk, as the operator - does not validate their content. Be aware that - certain options may + IMPORTANT: Use with caution. The operator does + not validate these options, - conflict with the operator's intended - functionality or design. + and certain flags may interfere with its + intended functionality or design. + + You are responsible for ensuring that the + provided options are compatible + + with your environment and desired behavior. 
+ items: + type: string + type: array + pgRestorePostdataOptions: + description: >- + Custom options to pass to the `pg_restore` + command during the `post-data` + + section. This setting overrides the generic + `pgRestoreExtraOptions` value. + + + IMPORTANT: Use with caution. The operator does + not validate these options, + + and certain flags may interfere with its + intended functionality or design. + + You are responsible for ensuring that the + provided options are compatible + + with your environment and desired behavior. + items: + type: string + type: array + pgRestorePredataOptions: + description: >- + Custom options to pass to the `pg_restore` + command during the `pre-data` + + section. This setting overrides the generic + `pgRestoreExtraOptions` value. + + + IMPORTANT: Use with caution. The operator does + not validate these options, + + and certain flags may interfere with its + intended functionality or design. + + You are responsible for ensuring that the + provided options are compatible + + with your environment and desired behavior. items: type: string type: array @@ -2551,6 +2611,7 @@ spec: The list of options that must be passed to initdb when creating the cluster. + Deprecated: This could lead to inconsistent configurations, @@ -2997,8 +3058,11 @@ spec: type: string targetTime: description: >- - The target time as a timestamp in the RFC3339 - standard + The target time as a timestamp in RFC3339 format + or PostgreSQL timestamp format. + + Timestamps without an explicit timezone are + interpreted as UTC. type: string targetXID: description: The target transaction ID @@ -3302,8 +3366,10 @@ spec: properties: name: description: >- - Name of the environment variable. Must be a - C_IDENTIFIER. + Name of the environment variable. + + May consist of any printable ASCII characters except + '='. type: string value: description: >- 
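Review bot: The three section-specific fields (`pgRestoreDataOptions`, `pgRestorePredataOptions`, `pgRestorePostdataOptions`) say they "override" the generic `pgRestoreExtraOptions` value, which leaves open whether the generic list is replaced entirely or the section list is appended to it; since these flags reach `pg_restore` unvalidated, a user expecting a merge and a controller that replaces (or the reverse) yields a restore run with different flags than intended. State it explicitly, e.g. `When set, this list replaces pgRestoreExtraOptions for the section; the two lists are not merged.`, or the merge semantics if that is what is implemented. The IMPORTANT paragraph is repeated verbatim in all four descriptions, and a single shared wording would be easier to keep consistent when it changes.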
@@ -3391,6 +3457,63 @@ spec: - fieldPath type: object x-kubernetes-map-type: atomic + fileKeyRef: + description: |- + FileKeyRef selects a key of the env file. + Requires the EnvFiles feature gate to be enabled. + properties: + key: + description: >- + The key within the env file. An invalid key + will prevent the pod from starting. + + The keys defined within a source may consist + of any printable ASCII characters except '='. + + During Alpha stage of the EnvFiles feature + gate, the key size is limited to 128 + characters. + type: string + optional: + default: false + description: >- + Specify whether the file or its key must be + defined. If the file or key + + does not exist, then the env var is not + published. + + If optional is set to true and the specified + key does not exist, + + the environment variable will not be set in + the Pod's containers. + + + If optional is set to false and the specified + key does not exist, + + an error will be returned during Pod creation. + type: boolean + path: + description: >- + The path within the volume from which to + select the file. + + Must be relative and may not contain the '..' + path or start with '..'. + type: string + volumeName: + description: >- + The name of the volume mount containing the + env file. + type: string + required: + - key + - path + - volumeName + type: object + x-kubernetes-map-type: atomic resourceFieldRef: description: >- Selects a resource of the container: only @@ -3468,7 +3591,9 @@ spec: sources to the pods to be used by Env items: - description: EnvFromSource represents the source of a set of ConfigMaps + description: >- + EnvFromSource represents the source of a set of ConfigMaps + or Secrets properties: configMapRef: description: The ConfigMap to select from 
@@ -3496,8 +3621,11 @@ spec: x-kubernetes-map-type: atomic prefix: description: >- - An optional identifier to prepend to each key in the - ConfigMap. Must be a C_IDENTIFIER. + Optional text to prepend to the name of each + environment variable. + + May consist of any printable ASCII characters except + '='. type: string secretRef: description: The Secret to select from @@ -3774,8 +3902,7 @@ spec: resources represents the minimum resources the volume should have. - If RecoverVolumeExpansionFailure feature is - enabled users are allowed to specify resource + Users are allowed to specify resource requirements that are lower than previous value but must @@ -3913,18 +4040,14 @@ spec: has a different purpose than storageClassName, it can be changed after the claim is created. An - empty string value means that no - VolumeAttributesClass - - will be applied to the claim but it's not - allowed to reset this field to empty string once - it is set. + empty string or nil value indicates that no - If unspecified and the PersistentVolumeClaim is - unbound, the default VolumeAttributesClass + VolumeAttributesClass will be applied to the + claim. If the claim enters an Infeasible error + state, - will be set by the persistentvolume controller - if it exists. + this field can be reset to its previous value + (including nil) to cancel the modification. If the resource referred to by volumeAttributesClass does not exist, this @@ -3938,10 +4061,6 @@ spec: More info: https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/ - - (Beta) Using this field requires the - VolumeAttributesClass feature gate to be enabled - (off by default). type: string volumeMode: description: >- 
@@ -4071,6 +4190,14 @@ spec: - key - name type: object + useDefaultAzureCredentials: + description: >- + Use the default Azure authentication flow, + which includes DefaultAzureCredential. + + This allows authentication using environment + variables and managed identities. + type: boolean type: object data: description: >- @@ -4130,11 +4257,11 @@ spec: to the object store. Available options are empty string (no - compression, default), `gzip`, `bzip2` or + compression, default), `gzip`, `bzip2`, and `snappy`. enum: - - gzip - bzip2 + - gzip - snappy type: string encryption: @@ -4383,11 +4510,16 @@ spec: object store. Available options are empty string (no compression, - default), `gzip`, `bzip2` or `snappy`. + default), `gzip`, `bzip2`, + + `lz4`, `snappy`, `xz`, and `zstd`. enum: - - gzip - bzip2 + - gzip + - lz4 - snappy + - xz + - zstd type: string encryption: description: >- @@ -4536,6 +4668,18 @@ spec: default: true description: Enabled is true if this plugin will be used type: boolean + isWALArchiver: + default: false + description: >- + Marks the plugin as the WAL archiver. At most one + plugin can be + + designated as a WAL archiver. This cannot be + enabled if the + + `.spec.backup.barmanObjectStore` configuration is + present. + type: boolean name: description: Name is the plugin name type: string @@ -4696,9 +4840,6 @@ spec: The major version of PostgreSQL we want to use from the ImageCatalog type: integer - x-kubernetes-validations: - - message: Major is immutable - rule: self == oldSelf name: description: Name is the name of resource being referenced type: string 
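Review bot: `isWALArchiver` states two constraints — at most one plugin may carry it, and it cannot be combined with `.spec.backup.barmanObjectStore` — but neither is expressed in the schema, so they presumably rely on the operator's admission webhook and hold only while that webhook is reachable. At least the first can be enforced by the API server with a rule on the enclosing plugins array (outside this hunk): `x-kubernetes-validations:` / `- message: at most one plugin can be designated as the WAL archiver` / `rule: self.filter(p, has(p.isWALArchiver) && p.isWALArchiver).size() <= 1`. The same field is added again at `@@ -6203,6 +6383,18`, where the same rule applies.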
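Review bot: Dropping the `Major is immutable` CEL rule on `imageCatalogRef.major` means the API server now accepts any change to the field, including a decrease, so protection against an accidental downgrade rests entirely on whatever the controller or webhook does with it. If the intent is to allow only in-place upgrades, keep a one-directional rule in its place: `x-kubernetes-validations:` / `- message: Major version cannot be decreased` / `rule: self >= oldSelf`. If decreases are deliberately permitted, the field description should say so, since the old guard is removed without a replacement in the hunk.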
@@ -5734,25 +5875,21 @@ spec: trafficDistribution: description: >- TrafficDistribution offers a way to - express preferences for how traffic is - - distributed to Service endpoints. - Implementations can use this field as a + express preferences for how traffic - hint, but are not required to guarantee - strict adherence. If the field is + is distributed to Service endpoints. + Implementations can use this field - not set, the implementation will apply - its default routing strategy. If set + as a hint, but are not required to + guarantee strict adherence. If the - to "PreferClose", implementations should - prioritize endpoints that are + field is not set, the implementation + will apply its default routing - topologically close (e.g., same zone). + strategy. If set to "PreferClose", + implementations should prioritize - This is a beta field and requires - enabling ServiceTrafficDistribution - feature. + endpoints that are in the same zone. type: string type: description: >- 
@@ -5921,12 +6058,42 @@ spec: type: boolean enablePodMonitor: default: false - description: Enable or disable the `PodMonitor` + description: >- + Enable or disable the `PodMonitor` + + + Deprecated: This feature will be removed in an upcoming + release. If + + you need this functionality, you can create a PodMonitor + manually. type: boolean + metricsQueriesTTL: + description: >- + The interval during which metrics computed from queries + are considered current. + + Once it is exceeded, a new scrape will trigger a rerun + + of the queries. + + If not set, defaults to 30 seconds, in line with + Prometheus scraping defaults. + + Setting this to zero disables the caching mechanism and + can cause heavy load on the PostgreSQL server. + type: string podMonitorMetricRelabelings: description: >- The list of metric relabelings for the `PodMonitor`. Applied to samples before ingestion. + + + Deprecated: This feature will be removed in an upcoming + release. If + + you need this functionality, you can create a PodMonitor + manually. items: description: >- RelabelConfig allows dynamic rewriting of the label @@ -5941,7 +6108,7 @@ spec: action: default: replace description: >- - Action to perform based on the regex matching. + action to perform based on the regex matching. `Uppercase` and `Lowercase` actions require @@ -5978,7 +6145,7 @@ spec: type: string modulus: description: >- - Modulus to take of the hash of the source label + modulus to take of the hash of the source label values. @@ -5987,12 +6154,12 @@ spec: type: integer regex: description: >- - Regular expression against which the extracted - value is matched. + regex defines the regular expression against which + the extracted value is matched. type: string replacement: description: >- - Replacement value against which a Replace action + replacement value against which a Replace action is performed if the regular expression matches. 
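Review bot: `metricsQueriesTTL` is a free-form `type: string` with no `pattern` or `format`, and its description never says how the interval is written (a duration such as `30s`, or a bare number of seconds) or what "zero" looks like in that form, so a value the controller cannot parse is only detected at runtime. State the accepted format in the description and, if it is a duration string, add a `pattern` that requires the unit suffix so typos are rejected at admission. The deprecation notices added here and at `@@ -6043,6 +6213,13` say the PodMonitor features will be removed "in an upcoming release" but not which one; naming a release, or "no earlier than", helps users plan the migration.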
@@ -6002,13 +6169,13 @@ spec: type: string separator: description: >- - Separator is the string between concatenated + separator defines the string between concatenated SourceLabels. type: string sourceLabels: description: >- - The source labels select values from existing - labels. Their content is + sourceLabels defines the source labels select + values from existing labels. Their content is concatenated using the configured Separator and matched against the @@ -6016,17 +6183,20 @@ spec: configured regular expression. items: description: >- - LabelName is a valid Prometheus label name which - may only contain ASCII + LabelName is a valid Prometheus label name. - letters, numbers, as well as underscores. - pattern: ^[a-zA-Z_][a-zA-Z0-9_]*$ + For Prometheus 3.x, a label name is valid if it + contains UTF-8 characters. + + For Prometheus 2.x, a label name is only valid + if it contains ASCII characters, letters, + numbers, as well as underscores. type: string type: array targetLabel: description: >- - Label to which the resulting string is written in - a replacement. + targetLabel defines the label to which the + resulting string is written in a replacement. It is mandatory for `Replace`, `HashMod`, @@ -6043,6 +6213,13 @@ spec: description: >- The list of relabelings for the `PodMonitor`. Applied to samples before scraping. + + + Deprecated: This feature will be removed in an upcoming + release. If + + you need this functionality, you can create a PodMonitor + manually. items: description: >- RelabelConfig allows dynamic rewriting of the label @@ -6057,7 +6234,7 @@ spec: action: default: replace description: >- - Action to perform based on the regex matching. + action to perform based on the regex matching. `Uppercase` and `Lowercase` actions require @@ -6094,7 +6271,7 @@ spec: type: string modulus: description: >- - Modulus to take of the hash of the source label + modulus to take of the hash of the source label values. 
@@ -6103,12 +6280,12 @@ spec: type: integer regex: description: >- - Regular expression against which the extracted - value is matched. + regex defines the regular expression against which + the extracted value is matched. type: string replacement: description: >- - Replacement value against which a Replace action + replacement value against which a Replace action is performed if the regular expression matches. @@ -6118,13 +6295,13 @@ spec: type: string separator: description: >- - Separator is the string between concatenated + separator defines the string between concatenated SourceLabels. type: string sourceLabels: description: >- - The source labels select values from existing - labels. Their content is + sourceLabels defines the source labels select + values from existing labels. Their content is concatenated using the configured Separator and matched against the @@ -6132,17 +6309,20 @@ spec: configured regular expression. items: description: >- - LabelName is a valid Prometheus label name which - may only contain ASCII + LabelName is a valid Prometheus label name. - letters, numbers, as well as underscores. - pattern: ^[a-zA-Z_][a-zA-Z0-9_]*$ + For Prometheus 3.x, a label name is valid if it + contains UTF-8 characters. + + For Prometheus 2.x, a label name is only valid + if it contains ASCII characters, letters, + numbers, as well as underscores. type: string type: array targetLabel: description: >- - Label to which the resulting string is written in - a replacement. + targetLabel defines the label to which the + resulting string is written in a replacement. It is mandatory for `Replace`, `HashMod`, 
@@ -6203,6 +6383,18 @@ spec: default: true description: Enabled is true if this plugin will be used type: boolean + isWALArchiver: + default: false + description: >- + Marks the plugin as the WAL archiver. At most one + plugin can be + + designated as a WAL archiver. This cannot be enabled + if the + + `.spec.backup.barmanObjectStore` configuration is + present. + type: boolean name: description: Name is the plugin name type: string 
@@ -6215,141 +6407,852 @@ spec: - name type: object type: array - postgresGID: - default: 26 - description: >- - The GID of the `postgres` user inside the image, defaults to - `26` - format: int64 - type: integer - postgresUID: - default: 26 + podSecurityContext: description: >- - The UID of the `postgres` user inside the image, defaults to - `26` - format: int64 - type: integer - postgresql: - description: Configuration of the PostgreSQL server - properties: - enableAlterSystem: - description: >- - If this parameter is true, the user will be able to - invoke `ALTER SYSTEM` + Override the PodSecurityContext applied to every Pod of the + cluster. - on this CloudNativePG Cluster. + When set, this overrides the operator's default + PodSecurityContext for the cluster. - This should only be used for debugging and - troubleshooting. + If omitted, the operator defaults are used. - Defaults to false. - type: boolean - ldap: - description: Options to specify LDAP configuration - properties: - bindAsAuth: - description: Bind as authentication configuration - properties: - prefix: - description: Prefix for the bind authentication option - type: string - suffix: - description: Suffix for the bind authentication option - type: string - type: object - bindSearchAuth: - description: Bind+Search authentication configuration - properties: - baseDN: - description: Root DN to begin the user search - type: string - bindDN: - description: DN of the user to bind to the directory - type: string - bindPassword: - description: >- - Secret with the password for the user to bind to - the directory - properties: - key: - description: >- - The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: '' - description: >- - Name of the referent. + This field doesn't have any effect if + SecurityContextConstraints are present. 
+ properties: + appArmorProfile: + description: >- + appArmorProfile is the AppArmor options to use by the + containers in this pod. - This field is effectively required, but due - to backwards compatibility is + Note that this field cannot be set when spec.os.name is + windows. + properties: + localhostProfile: + description: >- + localhostProfile indicates a profile loaded on the + node that should be used. - allowed to be empty. Instances of this type - with an empty value here are + The profile must be preconfigured on the node to + work. - almost certainly wrong. + Must match the loaded name of the profile. - More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: >- - Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - searchAttribute: - description: Attribute to match against the username - type: string - searchFilter: - description: >- - Search filter to use when doing the search+bind - authentication - type: string - type: object - port: - description: LDAP server port - type: integer - scheme: - description: >- - LDAP schema to be used, possible options are `ldap` - and `ldaps` - enum: - - ldap - - ldaps - type: string - server: - description: LDAP hostname or IP address + Must be set if and only if type is "Localhost". type: string - tls: + type: description: >- - Set to 'true' to enable LDAP over TLS. 'false' is - default - type: boolean - type: object - parameters: - additionalProperties: - type: string - description: PostgreSQL configuration options (postgresql.conf) + type indicates which kind of AppArmor profile will + be applied. + + Valid options are: + Localhost - a profile pre-loaded on the node. + RuntimeDefault - the container runtime's default profile. + Unconfined - no AppArmor enforcement. 
+ type: string + required: + - type type: object - pg_hba: + fsGroup: description: >- - PostgreSQL Host Based Authentication rules (lines to be - appended + A special supplemental group that applies to all + containers in a pod. - to the pg_hba.conf file) - items: - type: string - type: array - pg_ident: - description: |- - PostgreSQL User Name Maps rules (lines to be appended - to the pg_ident.conf file) - items: - type: string + Some volume types allow the Kubelet to change the + ownership of that volume + + to be owned by the pod: + + + 1. The owning GID will be the FSGroup + + 2. The setgid bit is set (new files created in the + volume will be owned by FSGroup) + + 3. The permission bits are OR'd with rw-rw---- + + + If unset, the Kubelet will not modify the ownership and + permissions of any volume. + + Note that this field cannot be set when spec.os.name is + windows. + format: int64 + type: integer + fsGroupChangePolicy: + description: >- + fsGroupChangePolicy defines behavior of changing + ownership and permission of the volume + + before being exposed inside Pod. This field will only + apply to + + volume types which support fsGroup based ownership(and + permissions). + + It will have no effect on ephemeral volume types such + as: secret, configmaps + + and emptydir. + + Valid values are "OnRootMismatch" and "Always". If not + specified, "Always" is used. + + Note that this field cannot be set when spec.os.name is + windows. + type: string + runAsGroup: + description: >- + The GID to run the entrypoint of the container process. + + Uses runtime default if unset. + + May also be set in SecurityContext. If set in both + SecurityContext and + + PodSecurityContext, the value specified in + SecurityContext takes precedence + + for that container. + + Note that this field cannot be set when spec.os.name is + windows. + format: int64 + type: integer + runAsNonRoot: + description: >- + Indicates that the container must run as a non-root + user. 
+ + If true, the Kubelet will validate the image at runtime + to ensure that it + + does not run as UID 0 (root) and fail to start the + container if it does. + + If unset or false, no such validation will be performed. + + May also be set in SecurityContext. If set in both + SecurityContext and + + PodSecurityContext, the value specified in + SecurityContext takes precedence. + type: boolean + runAsUser: + description: >- + The UID to run the entrypoint of the container process. + + Defaults to user specified in image metadata if + unspecified. + + May also be set in SecurityContext. If set in both + SecurityContext and + + PodSecurityContext, the value specified in + SecurityContext takes precedence + + for that container. + + Note that this field cannot be set when spec.os.name is + windows. + format: int64 + type: integer + seLinuxChangePolicy: + description: >- + seLinuxChangePolicy defines how the container's SELinux + label is applied to all volumes used by the Pod. + + It has no effect on nodes that do not support SELinux or + to volumes does not support SELinux. + + Valid values are "MountOption" and "Recursive". + + + "Recursive" means relabeling of all files on all Pod + volumes by the container runtime. + + This may be slow for large volumes, but allows mixing + privileged and unprivileged Pods sharing the same volume + on the same node. + + + "MountOption" mounts all eligible Pod volumes with `-o + context` mount option. + + This requires all Pods that share the same volume to use + the same SELinux label. + + It is not possible to share the same volume among + privileged and unprivileged Pods. + + Eligible volumes are in-tree FibreChannel and iSCSI + volumes, and all CSI volumes + + whose CSI driver announces SELinux support by setting + spec.seLinuxMount: true in their + + CSIDriver instance. Other volumes are always re-labelled + recursively. + + "MountOption" value is allowed only when SELinuxMount + feature gate is enabled. 
+ + + If not specified and SELinuxMount feature gate is + enabled, "MountOption" is used. + + If not specified and SELinuxMount feature gate is + disabled, "MountOption" is used for ReadWriteOncePod + volumes + + and "Recursive" for all other volumes. + + + This field affects only Pods that have SELinux label + set, either in PodSecurityContext or in SecurityContext + of all containers. + + + All Pods that use the same volume should use the same + seLinuxChangePolicy, otherwise some pods can get stuck + in ContainerCreating state. + + Note that this field cannot be set when spec.os.name is + windows. + type: string + seLinuxOptions: + description: >- + The SELinux context to be applied to all containers. + + If unspecified, the container runtime will allocate a + random SELinux context for each + + container. May also be set in SecurityContext. If set + in + + both SecurityContext and PodSecurityContext, the value + specified in SecurityContext + + takes precedence for that container. + + Note that this field cannot be set when spec.os.name is + windows. + properties: + level: + description: >- + Level is SELinux level label that applies to the + container. + type: string + role: + description: >- + Role is a SELinux role label that applies to the + container. + type: string + type: + description: >- + Type is a SELinux type label that applies to the + container. + type: string + user: + description: >- + User is a SELinux user label that applies to the + container. + type: string + type: object + seccompProfile: + description: >- + The seccomp options to use by the containers in this + pod. + + Note that this field cannot be set when spec.os.name is + windows. + properties: + localhostProfile: + description: >- + localhostProfile indicates a profile defined in a + file on the node should be used. + + The profile must be preconfigured on the node to + work. + + Must be a descending path, relative to the kubelet's + configured seccomp profile location. 
+ + Must be set if type is "Localhost". Must NOT be set + for any other type. + type: string + type: + description: >- + type indicates which kind of seccomp profile will be + applied. + + Valid options are: + + + Localhost - a profile defined in a file on the node + should be used. + + RuntimeDefault - the container runtime default + profile should be used. + + Unconfined - no profile should be applied. + type: string + required: + - type + type: object + supplementalGroups: + description: >- + A list of groups applied to the first process run in + each container, in + + addition to the container's primary GID and fsGroup (if + specified). If + + the SupplementalGroupsPolicy feature is enabled, the + + supplementalGroupsPolicy field determines whether these + are in addition + + to or instead of any group memberships defined in the + container image. + + If unspecified, no additional groups are added, though + group memberships + + defined in the container image may still be used, + depending on the + + supplementalGroupsPolicy field. + + Note that this field cannot be set when spec.os.name is + windows. + items: + format: int64 + type: integer + type: array + x-kubernetes-list-type: atomic + supplementalGroupsPolicy: + description: >- + Defines how supplemental groups of the first container + processes are calculated. + + Valid values are "Merge" and "Strict". If not specified, + "Merge" is used. + + (Alpha) Using the field requires the + SupplementalGroupsPolicy feature gate to be enabled + + and the container runtime must implement support for + this feature. + + Note that this field cannot be set when spec.os.name is + windows. + type: string + sysctls: + description: >- + Sysctls hold a list of namespaced sysctls used for the + pod. Pods with unsupported + + sysctls (by the container runtime) might fail to launch. + + Note that this field cannot be set when spec.os.name is + windows. 
+ items: + description: Sysctl defines a kernel parameter to be set + properties: + name: + description: Name of a property to set + type: string + value: + description: Value of a property to set + type: string + required: + - name + - value + type: object + type: array + x-kubernetes-list-type: atomic + windowsOptions: + description: >- + The Windows specific settings applied to all containers. + + If unspecified, the options within a container's + SecurityContext will be used. + + If set in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext takes precedence. + + Note that this field cannot be set when spec.os.name is + linux. + properties: + gmsaCredentialSpec: + description: >- + GMSACredentialSpec is where the GMSA admission + webhook + + (https://github.com/kubernetes-sigs/windows-gmsa) + inlines the contents of the + + GMSA credential spec named by the + GMSACredentialSpecName field. + type: string + gmsaCredentialSpecName: + description: >- + GMSACredentialSpecName is the name of the GMSA + credential spec to use. + type: string + hostProcess: + description: >- + HostProcess determines if a container should be run + as a 'Host Process' container. + + All of a Pod's containers must have the same + effective HostProcess value + + (it is not allowed to have a mix of HostProcess + containers and non-HostProcess containers). + + In addition, if HostProcess is true then HostNetwork + must also be set to true. + type: boolean + runAsUserName: + description: >- + The UserName in Windows to run the entrypoint of the + container process. + + Defaults to the user specified in image metadata if + unspecified. + + May also be set in PodSecurityContext. If set in + both SecurityContext and + + PodSecurityContext, the value specified in + SecurityContext takes precedence. 
+ type: string + type: object + type: object + podSelectorRefs: + description: >- + PodSelectorRefs defines named pod label selectors that can + be referenced + + in pg_hba rules using the ${podselector:NAME} syntax in the + address field. + + The operator resolves matching pod IPs and the instance + manager expands + + pg_hba lines accordingly. Only pods in the Cluster's own + namespace are considered. + items: + description: >- + PodSelectorRef defines a named pod label selector for use + in pg_hba rules. + + Pods matching the selector in the Cluster's namespace will + have their IPs + + resolved and made available for pg_hba address expansion + via the + + `${podselector:NAME}` syntax. + properties: + name: + description: >- + Name is the identifier used to reference this selector + in pg_hba rules + + via the ${podselector:NAME} syntax in the address + field. + minLength: 1 + pattern: ^[a-z]([a-z0-9_-]*[a-z0-9])?$ + type: string + selector: + description: >- + Selector is a label selector that identifies the pods + whose IPs + + should be resolved. Only pods in the Cluster's + namespace are considered. + properties: + matchExpressions: + description: >- + matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: >- + A label selector requirement is a selector that + contains values, a key, and an operator that + + relates the key and values. + properties: + key: + description: >- + key is the label key that the selector + applies to. + type: string + operator: + description: >- + operator represents a key's relationship to + a set of values. + + Valid operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: >- + values is an array of string values. If the + operator is In or NotIn, + + the values array must be non-empty. If the + operator is Exists or DoesNotExist, + + the values array must be empty. This array + is replaced during a strategic + + merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: >- + matchLabels is a map of {key,value} pairs. A + single {key,value} in the matchLabels + + map is equivalent to an element of + matchExpressions, whose key field is "key", the + + operator is "In", and the values array contains + only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + required: + - name + - selector + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + postgresGID: + default: 26 + description: >- + The GID of the `postgres` user inside the image, defaults to + `26` + format: int64 + type: integer + postgresUID: + default: 26 + description: >- + The UID of the `postgres` user inside the image, defaults to + `26` + format: int64 + type: integer + postgresql: + description: Configuration of the PostgreSQL server + properties: + enableAlterSystem: + description: >- + If this parameter is true, the user will be able to + invoke `ALTER SYSTEM` + + on this CloudNativePG Cluster. + + This should only be used for debugging and + troubleshooting. + + Defaults to false. + type: boolean + extensions: + description: The configuration of the extensions to be added + items: + description: >- + ExtensionConfiguration is the configuration used to + add + + PostgreSQL extensions to the Cluster. + properties: + bin_path: + description: >- + A list of directories within the image to be + appended to the + + PostgreSQL process's `PATH` environment variable. + items: + type: string + type: array + dynamic_library_path: + description: >- + The list of directories inside the image which + should be added to dynamic_library_path. + + If not defined, defaults to "/lib". 
+ items: + type: string + type: array + env: + description: >- + Env is a list of custom environment variables to + be set in the + + PostgreSQL process for this extension. It is the + responsibility of the + + cluster administrator to ensure the variables are + correct for the + + specific extension. Note that changes to these + variables require + + a manual cluster restart to take effect. + items: + description: >- + ExtensionEnvVar defines an environment variable + for a specific extension + + image volume. + properties: + name: + description: >- + Name of the environment variable to be + injected into the + + PostgreSQL process. + minLength: 1 + pattern: ^[a-zA-Z_][a-zA-Z0-9_]*$ + type: string + value: + description: >- + Value of the environment variable. + CloudNativePG performs a direct + + replacement of this value, with support for + placeholder expansion. + + The ${`image_root`} placeholder resolves to + the absolute mount path + + of the extension's volume (e.g., + `/extensions/my-extension`). This + + is particularly useful for allowing + applications or libraries to + + locate specific directories within the + mounted image. + + Unrecognized placeholders are rejected. To + include a literal ${...} + + in the value, escape it as $${...}. + minLength: 1 + type: string + required: + - name + - value + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + extension_control_path: + description: >- + The list of directories inside the image which + should be added to extension_control_path. + + If not defined, defaults to "/share". + items: + type: string + type: array + image: + description: The image containing the extension. + properties: + pullPolicy: + description: >- + Policy for pulling OCI objects. Possible + values are: + + Always: the kubelet always attempts to pull + the reference. Container creation will fail If + the pull fails. 
+ + Never: the kubelet never pulls the reference + and only uses a local image or artifact. + Container creation will fail if the reference + isn't present. + + IfNotPresent: the kubelet pulls if the + reference isn't already present on disk. + Container creation will fail if the reference + isn't present and the pull fails. + + Defaults to Always if :latest tag is + specified, or IfNotPresent otherwise. + type: string + reference: + description: >- + Required: Image or artifact reference to be + used. + + Behaves in the same way as + pod.spec.containers[*].image. + + Pull secrets will be assembled in the same way + as for the container image by looking up node + credentials, SA image pull secrets, and pod + spec image pull secrets. + + More info: + https://kubernetes.io/docs/concepts/containers/images + + This field is optional to allow higher level + config management to default or override + + container images in workload controllers like + Deployments and StatefulSets. + type: string + type: object + ld_library_path: + description: >- + The list of directories inside the image which + should be added to ld_library_path. 
+ items: + type: string + type: array + name: + description: The name of the extension, required + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9_]*[a-z0-9])?$ + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + ldap: + description: Options to specify LDAP configuration + properties: + bindAsAuth: + description: Bind as authentication configuration + properties: + prefix: + description: Prefix for the bind authentication option + type: string + suffix: + description: Suffix for the bind authentication option + type: string + type: object + bindSearchAuth: + description: Bind+Search authentication configuration + properties: + baseDN: + description: Root DN to begin the user search + type: string + bindDN: + description: DN of the user to bind to the directory + type: string + bindPassword: + description: >- + Secret with the password for the user to bind to + the directory + properties: + key: + description: >- + The key of the secret to select from. Must + be a valid secret key. + type: string + name: + default: '' + description: >- + Name of the referent. + + This field is effectively required, but due + to backwards compatibility is + + allowed to be empty. Instances of this type + with an empty value here are + + almost certainly wrong. 
+ + More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: >- + Specify whether the Secret or its key must + be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + searchAttribute: + description: Attribute to match against the username + type: string + searchFilter: + description: >- + Search filter to use when doing the search+bind + authentication + type: string + type: object + port: + description: LDAP server port + type: integer + scheme: + description: >- + LDAP schema to be used, possible options are `ldap` + and `ldaps` + enum: + - ldap + - ldaps + type: string + server: + description: LDAP hostname or IP address + type: string + tls: + description: >- + Set to 'true' to enable LDAP over TLS. 'false' is + default + type: boolean + type: object + parameters: + additionalProperties: + type: string + description: PostgreSQL configuration options (postgresql.conf) + type: object + pg_hba: + description: >- + PostgreSQL Host Based Authentication rules (lines to be + appended + + to the pg_hba.conf file). + + Use the ${podselector:NAME} syntax to reference a pod + selector; + + the rule will be expanded for each Pod IP matching that + selector. + items: + type: string + type: array + pg_ident: + description: |- + PostgreSQL User Name Maps rules (lines to be appended + to the pg_ident.conf file) + items: + type: string type: array promotionTimeout: description: >- @@ -6397,7 +7300,6 @@ spec: feature properties: dataDurability: - default: required description: >- If set to "required", data durability is strictly enforced. Write operations 
@@ -6426,6 +7328,16 @@ spec: - required - preferred type: string + failoverQuorum: + description: >- + FailoverQuorum enables a quorum-based check before + failover, improving + + data durability and safety during failover events in + CloudNativePG-managed + + PostgreSQL clusters. + type: boolean maxStandbyNamesFromCluster: description: >- Specifies the maximum number of local cluster pods @@ -6513,7 +7425,15 @@ spec: updated: it can be with a switchover (`switchover`) or in-place - (`restart` - default) + (`restart` - default). + + Note: when using `switchover`, the operator will reject + updates that change both + + the image name and PostgreSQL configuration parameters + simultaneously to avoid + + configuration mismatches during the switchover process. enum: - switchover - restart @@ -6570,6 +7490,42 @@ spec: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes format: int32 type: integer + isolationCheck: + description: >- + Configure the feature that extends the liveness + probe for a primary + + instance. In addition to the basic checks, this + verifies whether the + + primary is isolated from the Kubernetes API server + and from its + + replicas, ensuring that it can be safely shut down + if network + + partition or API unavailability is detected. Enabled + by default. + properties: + connectionTimeout: + default: 1000 + description: >- + Timeout in milliseconds for connections during + the primary isolation check + type: integer + enabled: + default: true + description: >- + Whether primary isolation checking is enabled + for the liveness probe + type: boolean + requestTimeout: + default: 1000 + description: >- + Timeout in milliseconds for requests during the + primary isolation check + type: integer + type: object periodSeconds: description: |- How often (in seconds) to perform the probe. 
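Review bot: `isolationCheck.connectionTimeout` and `requestTimeout` are plain `type: integer` with a default of 1000 but no `minimum`, so the API server accepts `0` or a negative millisecond timeout; what the instance manager does with such a value isn't visible here, but it plausibly ranges from silently disabling the check to making every liveness probe of the primary fail and the pod get killed. Add `minimum: 1` to both, and `format: int32` for consistency with the neighbouring probe fields. Because the check is `enabled: true` by default, the description should also spell out the operational consequence that a primary which cannot reach the Kubernetes API server within the probe window fails its liveness probe and is restarted, so network policies and API-server outages are planned for. The enclosing liveness probe object starts before this hunk.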
@@ -6648,6 +7604,14 @@ spec: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes format: int32 type: integer + maximumLag: + anyOf: + - type: integer + - type: string + description: Lag limit. Used only for `streaming` strategy + pattern: >- + ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true periodSeconds: description: |- How often (in seconds) to perform the probe. @@ -6705,6 +7669,13 @@ spec: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes format: int32 type: integer + type: + description: The probe strategy + enum: + - pg_isready + - streaming + - query + type: string type: object startup: description: The startup probe configuration @@ -6726,6 +7697,14 @@ spec: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes format: int32 type: integer + maximumLag: + anyOf: + - type: integer + - type: string + description: Lag limit. Used only for `streaming` strategy + pattern: >- + ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true periodSeconds: description: |- How often (in seconds) to perform the probe. @@ -6783,6 +7762,13 @@ spec: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes format: int32 type: integer + type: + description: The probe strategy + enum: + - pg_isready + - streaming + - query + type: string type: object type: object projectedVolumeTemplate: 
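Review bot: `maximumLag` is documented as `Used only for streaming strategy`, yet nothing ties it to `type: streaming`; a probe that sets `maximumLag` together with `type: pg_isready` or `query` is accepted and the lag bound is silently ignored, which is easy to misread as a replica being lag-checked when it is not. A CEL rule on each probe object, e.g. `x-kubernetes-validations: [{rule: "!has(self.maximumLag) || self.type == 'streaming'", message: "maximumLag requires type: streaming"}]`, would surface the mistake at apply time; if the operator instead defaults `type` to `streaming` whenever `maximumLag` is set, say so in the description. Both affected probe objects (the one preceding `startup`, presumably readiness, and `startup`) start outside these hunks.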
@@ -7144,37 +8130,286 @@ spec: Selects a resource of the container: only resources limits and requests - (limits.cpu, limits.memory, requests.cpu - and requests.memory) are currently - supported. - properties: - containerName: - description: >- - Container name: required for volumes, - optional for env vars - type: string - divisor: - anyOf: - - type: integer - - type: string - description: >- - Specifies the output format of the - exposed resources, defaults to "1" - pattern: >- - ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - resource: - description: 'Required: resource to select' - type: string - required: - - resource - type: object - x-kubernetes-map-type: atomic - required: - - path - type: object - type: array - x-kubernetes-list-type: atomic + (limits.cpu, limits.memory, requests.cpu + and requests.memory) are currently + supported. + properties: + containerName: + description: >- + Container name: required for volumes, + optional for env vars + type: string + divisor: + anyOf: + - type: integer + - type: string + description: >- + Specifies the output format of the + exposed resources, defaults to "1" + pattern: >- + ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource to select' + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + required: + - path + type: object + type: array + x-kubernetes-list-type: atomic + type: object + podCertificate: + description: >- + Projects an auto-rotating credential bundle + (private key and certificate + + chain) that the pod can use either as a TLS client + or server. + + + Kubelet generates a private key and uses it to + send a + + PodCertificateRequest to the named signer. 
Once + the signer approves the + + request and issues a certificate chain, Kubelet + writes the key and + + certificate chain to the pod filesystem. The pod + does not start until + + certificates have been issued for each + podCertificate projected volume + + source in its spec. + + + Kubelet will begin trying to rotate the + certificate at the time indicated + + by the signer using the + PodCertificateRequest.Status.BeginRefreshAt + + timestamp. + + + Kubelet can write a single file, indicated by the + credentialBundlePath + + field, or separate files, indicated by the keyPath + and + + certificateChainPath fields. + + + The credential bundle is a single file in PEM + format. The first PEM + + entry is the private key (in PKCS#8 format), and + the remaining PEM + + entries are the certificate chain issued by the + signer (typically, + + signers will return their certificate chain in + leaf-to-root order). + + + Prefer using the credential bundle format, since + your application code + + can read it atomically. If you use keyPath and + certificateChainPath, + + your application must make two separate file + reads. If these coincide + + with a certificate rotation, it is possible that + the private key and leaf + + certificate you read may not correspond to each + other. Your application + + will need to check for this condition, and re-read + until they are + + consistent. + + + The named signer controls chooses the format of + the certificate it + + issues; consult the signer implementation's + documentation to learn how to + + use the certificates it issues. + properties: + certificateChainPath: + description: >- + Write the certificate chain at this path in + the projected volume. + + + Most applications should use + credentialBundlePath. When using keyPath + + and certificateChainPath, your application + needs to check that the key + + and leaf certificate are consistent, because + it is possible to read the + + files mid-rotation. 
+ type: string + credentialBundlePath: + description: >- + Write the credential bundle at this path in + the projected volume. + + + The credential bundle is a single file that + contains multiple PEM blocks. + + The first PEM block is a PRIVATE KEY block, + containing a PKCS#8 private + + key. + + + The remaining blocks are CERTIFICATE blocks, + containing the issued + + certificate chain from the signer (leaf and + any intermediates). + + + Using credentialBundlePath lets your Pod's + application code make a single + + atomic read that retrieves a consistent key + and certificate chain. If you + + project them to separate files, your + application code will need to + + additionally check that the leaf certificate + was issued to the key. + type: string + keyPath: + description: >- + Write the key at this path in the projected + volume. + + + Most applications should use + credentialBundlePath. When using keyPath + + and certificateChainPath, your application + needs to check that the key + + and leaf certificate are consistent, because + it is possible to read the + + files mid-rotation. + type: string + keyType: + description: >- + The type of keypair Kubelet will generate for + the pod. + + + Valid values are "RSA3072", "RSA4096", + "ECDSAP256", "ECDSAP384", + + "ECDSAP521", and "ED25519". + type: string + maxExpirationSeconds: + description: >- + maxExpirationSeconds is the maximum lifetime + permitted for the + + certificate. + + + Kubelet copies this value verbatim into the + PodCertificateRequests it + + generates for this projection. + + + If omitted, kube-apiserver will set it to + 86400(24 hours). kube-apiserver + + will reject values shorter than 3600 (1 + hour). The maximum allowable + + value is 7862400 (91 days). + + + The signer implementation is then free to + issue a certificate with any + + lifetime *shorter* than MaxExpirationSeconds, + but no shorter than 3600 + + seconds (1 hour). This constraint is enforced + by kube-apiserver. 
+ + `kubernetes.io` signers will never issue + certificates with a lifetime + + longer than 24 hours. + format: int32 + type: integer + signerName: + description: >- + Kubelet's generated CSRs will be addressed to + this signer. + type: string + userAnnotations: + additionalProperties: + type: string + description: >- + userAnnotations allow pod authors to pass + additional information to + + the signer implementation. Kubernetes does + not restrict or validate this + + metadata in any way. + + + These values are copied verbatim into the + `spec.unverifiedUserAnnotations` field of + + the PodCertificateRequest objects that Kubelet + creates. + + + Entries are subject to the same validation as + object metadata annotations, + + with the addition that all keys must be + domain-prefixed. No restrictions + + are placed on values, except an overall size + limitation on the entire field. + + + Signers should document the keys and values + they support. Signers should + + deny requests that contain keys they do not + recognize. + type: object + required: + - keyType + - signerName type: object secret: description: >- @@ -7435,6 +8670,22 @@ spec: set to `_cnpg_`. pattern: ^[0-9a-z_]*$ type: string + synchronizeLogicalDecoding: + description: >- + When enabled, the operator automatically manages + synchronization of logical + + decoding (replication) slots across + high-availability clusters. + + + Requires one of the following conditions: + + - PostgreSQL version 17 or later + + - PostgreSQL version < 17 with pg_failover_slots + extension enabled + type: boolean type: object synchronizeReplicas: description: >- 
@@ -7479,137 +8730,483 @@ spec: properties: claims: description: >- - Claims lists the names of resources, defined in - spec.resourceClaims, + Claims lists the names of resources, defined in + spec.resourceClaims, + + that are used by this container. + + + This field depends on the + + DynamicResourceAllocation feature gate. + + + This field is immutable. It can only be set for + containers. + items: + description: >- + ResourceClaim references one entry in + PodSpec.ResourceClaims. + properties: + name: + description: >- + Name must match the name of one entry in + pod.spec.resourceClaims of + + the Pod where this field is used. It makes that + resource available + + inside a container. + type: string + request: + description: >- + Request is the name chosen for a request in the + referenced claim. + + If empty, everything from the claim is made + available, otherwise + + only the result of this request. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: >- + ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: >- + Limits describes the maximum amount of compute resources + allowed. + + More info: + https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: >- + ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: >- + Requests describes the minimum amount of compute + resources required. + + If Requests is omitted for a container, it defaults to + Limits if that is explicitly specified, + + otherwise to an implementation-defined value. 
Requests + cannot exceed Limits. + + More info: + https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + type: object + schedulerName: + description: >- + If specified, the pod will be dispatched by specified + Kubernetes + + scheduler. If not specified, the pod will be dispatched by + the default + + scheduler. More info: + + https://kubernetes.io/docs/concepts/scheduling-eviction/kube-scheduler/ + type: string + seccompProfile: + description: |- + The SeccompProfile applied to every Pod and Container. + Defaults to: `RuntimeDefault` + properties: + localhostProfile: + description: >- + localhostProfile indicates a profile defined in a file + on the node should be used. + + The profile must be preconfigured on the node to work. + + Must be a descending path, relative to the kubelet's + configured seccomp profile location. + + Must be set if type is "Localhost". Must NOT be set for + any other type. + type: string + type: + description: >- + type indicates which kind of seccomp profile will be + applied. + + Valid options are: + + + Localhost - a profile defined in a file on the node + should be used. + + RuntimeDefault - the container runtime default profile + should be used. + + Unconfined - no profile should be applied. + type: string + required: + - type + type: object + securityContext: + description: >- + Override the SecurityContext applied to every Container in + the Pod of the cluster. + + When set, this overrides the operator's default Container + SecurityContext. + + If omitted, the operator defaults are used. + properties: + allowPrivilegeEscalation: + description: >- + AllowPrivilegeEscalation controls whether a process can + gain more + + privileges than its parent process. This bool directly + controls if + + the no_new_privs flag will be set on the container + process. 
+ + AllowPrivilegeEscalation is true always when the + container is: + + 1) run as Privileged + + 2) has CAP_SYS_ADMIN + + Note that this field cannot be set when spec.os.name is + windows. + type: boolean + appArmorProfile: + description: >- + appArmorProfile is the AppArmor options to use by this + container. If set, this profile + + overrides the pod's appArmorProfile. + + Note that this field cannot be set when spec.os.name is + windows. + properties: + localhostProfile: + description: >- + localhostProfile indicates a profile loaded on the + node that should be used. + + The profile must be preconfigured on the node to + work. + + Must match the loaded name of the profile. + + Must be set if and only if type is "Localhost". + type: string + type: + description: >- + type indicates which kind of AppArmor profile will + be applied. + + Valid options are: + Localhost - a profile pre-loaded on the node. + RuntimeDefault - the container runtime's default profile. + Unconfined - no AppArmor enforcement. + type: string + required: + - type + type: object + capabilities: + description: >- + The capabilities to add/drop when running containers. + + Defaults to the default set of capabilities granted by + the container runtime. + + Note that this field cannot be set when spec.os.name is + windows. + properties: + add: + description: Added capabilities + items: + description: Capability represent POSIX capabilities type + type: string + type: array + x-kubernetes-list-type: atomic + drop: + description: Removed capabilities + items: + description: Capability represent POSIX capabilities type + type: string + type: array + x-kubernetes-list-type: atomic + type: object + privileged: + description: >- + Run container in privileged mode. + + Processes in privileged containers are essentially + equivalent to root on the host. + + Defaults to false. + + Note that this field cannot be set when spec.os.name is + windows. 
+ type: boolean + procMount: + description: >- + procMount denotes the type of proc mount to use for the + containers. + + The default value is Default which uses the container + runtime defaults for + + readonly paths and masked paths. + + This requires the ProcMountType feature flag to be + enabled. + + Note that this field cannot be set when spec.os.name is + windows. + type: string + readOnlyRootFilesystem: + description: >- + Whether this container has a read-only root filesystem. + + Default is false. + + Note that this field cannot be set when spec.os.name is + windows. + type: boolean + runAsGroup: + description: >- + The GID to run the entrypoint of the container process. + + Uses runtime default if unset. + + May also be set in PodSecurityContext. If set in both + SecurityContext and + + PodSecurityContext, the value specified in + SecurityContext takes precedence. + + Note that this field cannot be set when spec.os.name is + windows. + format: int64 + type: integer + runAsNonRoot: + description: >- + Indicates that the container must run as a non-root + user. + + If true, the Kubelet will validate the image at runtime + to ensure that it + + does not run as UID 0 (root) and fail to start the + container if it does. + + If unset or false, no such validation will be performed. + + May also be set in PodSecurityContext. If set in both + SecurityContext and + + PodSecurityContext, the value specified in + SecurityContext takes precedence. + type: boolean + runAsUser: + description: >- + The UID to run the entrypoint of the container process. + + Defaults to user specified in image metadata if + unspecified. + + May also be set in PodSecurityContext. If set in both + SecurityContext and + + PodSecurityContext, the value specified in + SecurityContext takes precedence. + + Note that this field cannot be set when spec.os.name is + windows. + format: int64 + type: integer + seLinuxOptions: + description: >- + The SELinux context to be applied to the container. 
+ + If unspecified, the container runtime will allocate a + random SELinux context for each + + container. May also be set in PodSecurityContext. If + set in both SecurityContext and + + PodSecurityContext, the value specified in + SecurityContext takes precedence. + + Note that this field cannot be set when spec.os.name is + windows. + properties: + level: + description: >- + Level is SELinux level label that applies to the + container. + type: string + role: + description: >- + Role is a SELinux role label that applies to the + container. + type: string + type: + description: >- + Type is a SELinux type label that applies to the + container. + type: string + user: + description: >- + User is a SELinux user label that applies to the + container. + type: string + type: object + seccompProfile: + description: >- + The seccomp options to use by this container. If seccomp + options are - that are used by this container. + provided at both the pod & container level, the + container options + override the pod options. - This is an alpha field and requires enabling the + Note that this field cannot be set when spec.os.name is + windows. + properties: + localhostProfile: + description: >- + localhostProfile indicates a profile defined in a + file on the node should be used. - DynamicResourceAllocation feature gate. + The profile must be preconfigured on the node to + work. + Must be a descending path, relative to the kubelet's + configured seccomp profile location. - This field is immutable. It can only be set for - containers. - items: - description: >- - ResourceClaim references one entry in - PodSpec.ResourceClaims. - properties: - name: - description: >- - Name must match the name of one entry in - pod.spec.resourceClaims of + Must be set if type is "Localhost". Must NOT be set + for any other type. + type: string + type: + description: >- + type indicates which kind of seccomp profile will be + applied. - the Pod where this field is used. 
It makes that - resource available + Valid options are: - inside a container. - type: string - request: - description: >- - Request is the name chosen for a request in the - referenced claim. - If empty, everything from the claim is made - available, otherwise + Localhost - a profile defined in a file on the node + should be used. - only the result of this request. - type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: >- - ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: >- - Limits describes the maximum amount of compute resources - allowed. + RuntimeDefault - the container runtime default + profile should be used. - More info: - https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + Unconfined - no profile should be applied. + type: string + required: + - type type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: >- - ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true + windowsOptions: description: >- - Requests describes the minimum amount of compute - resources required. + The Windows specific settings applied to all containers. - If Requests is omitted for a container, it defaults to - Limits if that is explicitly specified, + If unspecified, the options from the PodSecurityContext + will be used. - otherwise to an implementation-defined value. Requests - cannot exceed Limits. + If set in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext takes precedence. 
- More info: - https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - schedulerName: - description: >- - If specified, the pod will be dispatched by specified - Kubernetes + Note that this field cannot be set when spec.os.name is + linux. + properties: + gmsaCredentialSpec: + description: >- + GMSACredentialSpec is where the GMSA admission + webhook - scheduler. If not specified, the pod will be dispatched by - the default + (https://github.com/kubernetes-sigs/windows-gmsa) + inlines the contents of the - scheduler. More info: + GMSA credential spec named by the + GMSACredentialSpecName field. + type: string + gmsaCredentialSpecName: + description: >- + GMSACredentialSpecName is the name of the GMSA + credential spec to use. + type: string + hostProcess: + description: >- + HostProcess determines if a container should be run + as a 'Host Process' container. - https://kubernetes.io/docs/concepts/scheduling-eviction/kube-scheduler/ - type: string - seccompProfile: - description: |- - The SeccompProfile applied to every Pod and Container. - Defaults to: `RuntimeDefault` - properties: - localhostProfile: - description: >- - localhostProfile indicates a profile defined in a file - on the node should be used. + All of a Pod's containers must have the same + effective HostProcess value - The profile must be preconfigured on the node to work. + (it is not allowed to have a mix of HostProcess + containers and non-HostProcess containers). - Must be a descending path, relative to the kubelet's - configured seccomp profile location. + In addition, if HostProcess is true then HostNetwork + must also be set to true. + type: boolean + runAsUserName: + description: >- + The UserName in Windows to run the entrypoint of the + container process. - Must be set if type is "Localhost". Must NOT be set for - any other type. - type: string - type: - description: >- - type indicates which kind of seccomp profile will be - applied. 
+ Defaults to the user specified in image metadata if + unspecified. - Valid options are: + May also be set in PodSecurityContext. If set in + both SecurityContext and + PodSecurityContext, the value specified in + SecurityContext takes precedence. + type: string + type: object + type: object + serviceAccountName: + description: >- + Name of an existing ServiceAccount in the same namespace to + use for the cluster. - Localhost - a profile defined in a file on the node - should be used. + When specified, the operator will not create a new + ServiceAccount - RuntimeDefault - the container runtime default profile - should be used. + but will use the provided one. This is useful for sharing a + single - Unconfined - no profile should be applied. - type: string - required: - - type - type: object + ServiceAccount across multiple clusters (e.g., for cloud IAM + configurations). + + If not specified, a ServiceAccount will be created with the + cluster name. + + Mutually exclusive with ServiceAccountTemplate. + maxLength: 253 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + x-kubernetes-validations: + - message: serviceAccountName is immutable + rule: self == oldSelf serviceAccountTemplate: description: Configure the generation of the service account properties: @@ -7667,7 +9264,8 @@ spec: Make sure you reserve enough time for the operator to request a fast shutdown of Postgres - (that is: `stopDelay` - `smartShutdownTimeout`). + (that is: `stopDelay` - `smartShutdownTimeout`). Default is + 180 seconds. format: int32 type: integer startDelay: @@ -7860,8 +9458,7 @@ spec: resources represents the minimum resources the volume should have. - If RecoverVolumeExpansionFailure feature is enabled - users are allowed to specify resource requirements + Users are allowed to specify resource requirements that are lower than previous value but must still be higher than capacity recorded in the 
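Review bot: The new container-level `securityContext` override in this hunk (from `securityContext:` through `windowsOptions`) accepts `privileged`, `allowPrivilegeEscalation`, `capabilities.add` and `runAsUser` with no schema-level restriction, so anyone who can write Cluster objects can ask for PostgreSQL containers running well outside the operator default that the description says it replaces. Since it is presumably the operator, not the Cluster author, that creates those Pods, the author's own Pod-creation rights are not what the API server evaluates; namespace Pod Security Admission or an admission policy is the control that remains. The description should state that, e.g. append `Setting privileged, allowPrivilegeEscalation, capabilities.add or runAsUser: 0 relaxes the operator's hardened defaults; Pod Security Admission or an admission policy on the namespace still applies to the resulting Pods.` If exposing `privileged` is not intended, the `x-kubernetes-validations` mechanism this hunk already uses for `serviceAccountName` could reject it with `rule: '!has(self.privileged) || !self.privileged'`. The same consideration applies to the new `serviceAccountName` field, which lets a Cluster author select an existing, possibly more privileged, ServiceAccount for those Pods.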
@@ -7996,17 +9593,13 @@ spec: a different purpose than storageClassName, it can be changed after the claim is created. An - empty string value means that no - VolumeAttributesClass + empty string or nil value indicates that no - will be applied to the claim but it's not allowed to - reset this field to empty string once it is set. + VolumeAttributesClass will be applied to the claim. + If the claim enters an Infeasible error state, - If unspecified and the PersistentVolumeClaim is - unbound, the default VolumeAttributesClass - - will be set by the persistentvolume controller if it - exists. + this field can be reset to its previous value + (including nil) to cancel the modification. If the resource referred to by volumeAttributesClass does not exist, this PersistentVolumeClaim will be @@ -8018,10 +9611,6 @@ spec: More info: https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/ - - (Beta) Using this field requires the - VolumeAttributesClass feature gate to be enabled - (off by default). type: string volumeMode: description: >- @@ -8284,8 +9873,7 @@ spec: resources represents the minimum resources the volume should have. - If RecoverVolumeExpansionFailure feature is - enabled users are allowed to specify resource + Users are allowed to specify resource requirements that are lower than previous value but must 
@@ -8425,18 +10013,14 @@ spec: storageClassName, it can be changed after the claim is created. - An empty string value means that no - VolumeAttributesClass + An empty string or nil value indicates that no - will be applied to the claim but it's not - allowed to reset this field to empty string - once it is set. + VolumeAttributesClass will be applied to the + claim. If the claim enters an Infeasible error + state, - If unspecified and the PersistentVolumeClaim - is unbound, the default VolumeAttributesClass - - will be set by the persistentvolume controller - if it exists. + this field can be reset to its previous value + (including nil) to cancel the modification. If the resource referred to by volumeAttributesClass does not exist, this @@ -8450,10 +10034,6 @@ spec: More info: https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/ - - (Beta) Using this field requires the - VolumeAttributesClass feature gate to be - enabled (off by default). type: string volumeMode: description: >- @@ -8744,9 +10324,6 @@ spec: If this value is nil, the behavior is equivalent to the Honor policy. - - This is a beta-level feature default enabled by the - NodeInclusionPolicyInPodTopologySpread feature flag. type: string nodeTaintsPolicy: description: >- @@ -8766,9 +10343,6 @@ spec: If this value is nil, the behavior is equivalent to the Ignore policy. - - This is a beta-level feature default enabled by the - NodeInclusionPolicyInPodTopologySpread feature flag. type: string topologyKey: description: >- @@ -9018,8 +10592,7 @@ spec: resources represents the minimum resources the volume should have. - If RecoverVolumeExpansionFailure feature is enabled - users are allowed to specify resource requirements + Users are allowed to specify resource requirements that are lower than previous value but must still be higher than capacity recorded in the 
@@ -9154,17 +10727,13 @@ spec: a different purpose than storageClassName, it can be changed after the claim is created. An - empty string value means that no - VolumeAttributesClass - - will be applied to the claim but it's not allowed to - reset this field to empty string once it is set. + empty string or nil value indicates that no - If unspecified and the PersistentVolumeClaim is - unbound, the default VolumeAttributesClass + VolumeAttributesClass will be applied to the claim. + If the claim enters an Infeasible error state, - will be set by the persistentvolume controller if it - exists. + this field can be reset to its previous value + (including nil) to cancel the modification. If the resource referred to by volumeAttributesClass does not exist, this PersistentVolumeClaim will be @@ -9176,10 +10745,6 @@ spec: More info: https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/ - - (Beta) Using this field requires the - VolumeAttributesClass feature gate to be enabled - (off by default). type: string volumeMode: description: >- @@ -9253,11 +10818,6 @@ spec: - hash type: object type: array - azurePVCUpdateEnabled: - description: >- - AzurePVCUpdateEnabled shows if the PVC online upgrade is - enabled for this cluster - type: boolean certificates: description: >- The configuration for the CA and related certificates, @@ -9495,7 +11055,10 @@ spec: format. This field is calculated from the content of - FirstRecoverabilityPointByMethod + FirstRecoverabilityPointByMethod. + + + Deprecated: the field is not set for backup plugins. type: string firstRecoverabilityPointByMethod: additionalProperties: @@ -9503,7 +11066,10 @@ spec: type: string description: >- The first recoverability point, stored as a date in RFC3339 - format, per backup method type + format, per backup method type. + + + Deprecated: the field is not set for backup plugins. type: object healthyPVC: description: List of all the PVCs not dangling nor initializing 
@@ -9536,6 +11102,9 @@ spec: InstanceReportedState describes the last reported state of an instance during a reconciliation loop properties: + ip: + description: IP address of the instance + type: string isPrimary: description: indicates if an instance is the primary one type: boolean @@ -9561,7 +11130,10 @@ spec: format: int32 type: integer lastFailedBackup: - description: Stored as a date in RFC3339 format + description: |- + Last failed backup, stored as a date in RFC3339 format. + + Deprecated: the field is not set for backup plugins. type: string lastPromotionToken: description: |- @@ -9570,10 +11142,13 @@ spec: type: string lastSuccessfulBackup: description: >- - Last successful backup, stored as a date in RFC3339 format + Last successful backup, stored as a date in RFC3339 format. This field is calculated from the content of - LastSuccessfulBackupByMethod + LastSuccessfulBackupByMethod. + + + Deprecated: the field is not set for backup plugins. type: string lastSuccessfulBackupByMethod: additionalProperties: @@ -9581,7 +11156,10 @@ spec: type: string description: >- Last successful backup, stored as a date in RFC3339 format, - per backup method type + per backup method type. + + + Deprecated: the field is not set for backup plugins. type: object latestGeneratedNode: description: >- 
@@ -9637,6 +11215,188 @@ spec: OnlineUpdateEnabled shows if the online upgrade is enabled inside the cluster type: boolean + pgDataImageInfo: + description: >- + PGDataImageInfo contains the details of the latest image + that has run on the current data directory. + properties: + extensions: + description: >- + Extensions contains the container image extensions + available for the current Image + items: + description: >- + ExtensionConfiguration is the configuration used to + add + + PostgreSQL extensions to the Cluster. + properties: + bin_path: + description: >- + A list of directories within the image to be + appended to the + + PostgreSQL process's `PATH` environment variable. + items: + type: string + type: array + dynamic_library_path: + description: >- + The list of directories inside the image which + should be added to dynamic_library_path. + + If not defined, defaults to "/lib". + items: + type: string + type: array + env: + description: >- + Env is a list of custom environment variables to + be set in the + + PostgreSQL process for this extension. It is the + responsibility of the + + cluster administrator to ensure the variables are + correct for the + + specific extension. Note that changes to these + variables require + + a manual cluster restart to take effect. + items: + description: >- + ExtensionEnvVar defines an environment variable + for a specific extension + + image volume. + properties: + name: + description: >- + Name of the environment variable to be + injected into the + + PostgreSQL process. + minLength: 1 + pattern: ^[a-zA-Z_][a-zA-Z0-9_]*$ + type: string + value: + description: >- + Value of the environment variable. + CloudNativePG performs a direct + + replacement of this value, with support for + placeholder expansion. + + The ${`image_root`} placeholder resolves to + the absolute mount path + + of the extension's volume (e.g., + `/extensions/my-extension`). 
This + + is particularly useful for allowing + applications or libraries to + + locate specific directories within the + mounted image. + + Unrecognized placeholders are rejected. To + include a literal ${...} + + in the value, escape it as $${...}. + minLength: 1 + type: string + required: + - name + - value + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + extension_control_path: + description: >- + The list of directories inside the image which + should be added to extension_control_path. + + If not defined, defaults to "/share". + items: + type: string + type: array + image: + description: The image containing the extension. + properties: + pullPolicy: + description: >- + Policy for pulling OCI objects. Possible + values are: + + Always: the kubelet always attempts to pull + the reference. Container creation will fail If + the pull fails. + + Never: the kubelet never pulls the reference + and only uses a local image or artifact. + Container creation will fail if the reference + isn't present. + + IfNotPresent: the kubelet pulls if the + reference isn't already present on disk. + Container creation will fail if the reference + isn't present and the pull fails. + + Defaults to Always if :latest tag is + specified, or IfNotPresent otherwise. + type: string + reference: + description: >- + Required: Image or artifact reference to be + used. + + Behaves in the same way as + pod.spec.containers[*].image. + + Pull secrets will be assembled in the same way + as for the container image by looking up node + credentials, SA image pull secrets, and pod + spec image pull secrets. + + More info: + https://kubernetes.io/docs/concepts/containers/images + + This field is optional to allow higher level + config management to default or override + + container images in workload controllers like + Deployments and StatefulSets. 
+ type: string + type: object + ld_library_path: + description: >- + The list of directories inside the image which + should be added to ld_library_path. + items: + type: string + type: array + name: + description: The name of the extension, required + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9_]*[a-z0-9])?$ + type: string + required: + - name + type: object + type: array + image: + description: Image is the image name + type: string + majorVersion: + description: MajorVersion is the major version of the image + type: integer + required: + - image + - majorVersion + type: object phase: description: Current phase of the cluster type: string @@ -9705,6 +11465,36 @@ spec: - version type: object type: array + podSelectorRefs: + description: >- + PodSelectorRefs contains the resolved pod IPs for each named + selector + + defined in spec.podSelectorRefs. + items: + description: >- + PodSelectorRefStatus contains the resolved pod IPs for a + named selector. + properties: + ips: + description: |- + IPs is the list of pod IPs matching the selector. + Each IP is a single address (no CIDR notation). + items: + type: string + type: array + name: + description: >- + Name corresponds to the name in the spec's + PodSelectorRef. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map poolerIntegrations: description: The integration needed by poolers referencing the cluster properties: @@ -9810,6 +11600,9 @@ spec: switching a cluster to a replica cluster. type: boolean type: object + systemID: + description: SystemID is the latest detected PostgreSQL SystemID + type: string tablespacesStatus: description: >- TablespacesStatus reports the state of the declarative diff --git a/_/CustomResourceDefinition/databases.postgresql.cnpg.io.yaml b/_/CustomResourceDefinition/databases.postgresql.cnpg.io.yaml index f1a7c53..3212775 100644 --- a/_/CustomResourceDefinition/databases.postgresql.cnpg.io.yaml 
+++ b/_/CustomResourceDefinition/databases.postgresql.cnpg.io.yaml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.16.5 + controller-gen.kubebuilder.io/version: v0.20.1 helm.sh/resource-policy: keep name: databases.postgresql.cnpg.io spec: 
@@ -165,6 +165,185 @@ spec: - present - absent type: string + extensions: + description: The list of extensions to be managed in the database + items: + description: ExtensionSpec configures an extension in a database + properties: + ensure: + default: present + description: >- + Specifies whether an object (e.g schema) should be + present or absent + + in the database. If set to `present`, the object will + be created if + + it does not exist. If set to `absent`, the + extension/schema will be + + removed if it exists. + enum: + - present + - absent + type: string + name: + description: Name of the object (extension, schema, FDW, server) + type: string + schema: + description: >- + The name of the schema in which to install the + extension's objects, + + in case the extension allows its contents to be + relocated. If not + + specified (default), and the extension's control file + does not + + specify a schema either, the current default object + creation schema + + is used. + type: string + version: + description: >- + The version of the extension to install. If empty, the + operator will + + install the default version (whatever is specified in + the + + extension's control file) + type: string + required: + - name + type: object + type: array + fdws: + description: >- + The list of foreign data wrappers to be managed in the + database + items: + description: FDWSpec configures an Foreign Data Wrapper in a database + properties: + ensure: + default: present + description: >- + Specifies whether an object (e.g schema) should be + present or absent + + in the database. If set to `present`, the object will + be created if + + it does not exist. If set to `absent`, the + extension/schema will be + + removed if it exists. + enum: + - present + - absent + type: string + handler: + description: >- + Name of the handler function (e.g., + "postgres_fdw_handler"). + + This will be empty if no handler is specified. 
In that + case, + + the default handler is registered when the FDW + extension is created. + type: string + name: + description: Name of the object (extension, schema, FDW, server) + type: string + options: + description: >- + Options specifies the configuration options for the + FDW. + items: + description: >- + OptionSpec holds the name, value and the ensure + field for an option + properties: + ensure: + default: present + description: >- + Specifies whether an option should be present or + absent in + + the database. If set to `present`, the option + will be + + created if it does not exist. If set to + `absent`, the + + option will be removed if it exists. + enum: + - present + - absent + type: string + name: + description: Name of the option + type: string + value: + description: Value of the option + type: string + required: + - name + - value + type: object + type: array + owner: + description: >- + Owner specifies the database role that will own the + Foreign Data Wrapper. + + The role must have superuser privileges in the target + database. + type: string + usage: + description: >- + List of roles for which `USAGE` privileges on the FDW + are granted or revoked. + items: + description: >- + UsageSpec configures a usage for a foreign data + wrapper + properties: + name: + description: Name of the usage + type: string + x-kubernetes-validations: + - message: name is required + rule: self != '' + type: + default: grant + description: The type of usage + enum: + - grant + - revoke + type: string + required: + - name + type: object + type: array + validator: + description: >- + Name of the validator function (e.g., + "postgres_fdw_validator"). + + This will be empty if no validator is specified. In + that case, + + the default validator is registered when the FDW + extension is created. + type: string + required: + - name + type: object + type: array icuLocale: description: >- Maps to the `ICU_LOCALE` parameter of `CREATE DATABASE`. 
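Review bot: `name` on the new `extensions` and `fdws` items is only listed under `required`, which rejects a missing key but not `name: ""`, while `usage[].name` in the same hunk carries `rule: self != ''`; the check is inconsistent for the objects whose names matter most. Adding `minLength: 1` (already used by these CRDs for other identifiers) or the same CEL rule next to `type: string` on those `name` fields would reject empty names before the operator acts on them. The `schemas` and `servers` items in the following hunk have the same gap on `name`, even though `servers[].fdw` there does get the `self != ''` rule. `handler`, `validator` and `options[].name` are likewise unconstrained free-form strings; if they are interpolated into DDL, it is worth confirming the operator quotes them as identifiers rather than relying on the schema.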
@@ -277,6 +456,146 @@ spec: The role name of the user who owns the database inside PostgreSQL. type: string + schemas: + description: The list of schemas to be managed in the database + items: + description: SchemaSpec configures a schema in a database + properties: + ensure: + default: present + description: >- + Specifies whether an object (e.g schema) should be + present or absent + + in the database. If set to `present`, the object will + be created if + + it does not exist. If set to `absent`, the + extension/schema will be + + removed if it exists. + enum: + - present + - absent + type: string + name: + description: Name of the object (extension, schema, FDW, server) + type: string + owner: + description: >- + The role name of the user who owns the schema inside + PostgreSQL. + + It maps to the `AUTHORIZATION` parameter of `CREATE + SCHEMA` and the + + `OWNER TO` command of `ALTER SCHEMA`. + type: string + required: + - name + type: object + type: array + servers: + description: The list of foreign servers to be managed in the database + items: + description: ServerSpec configures a server of a foreign data wrapper + properties: + ensure: + default: present + description: >- + Specifies whether an object (e.g schema) should be + present or absent + + in the database. If set to `present`, the object will + be created if + + it does not exist. If set to `absent`, the + extension/schema will be + + removed if it exists. + enum: + - present + - absent + type: string + fdw: + description: The name of the Foreign Data Wrapper (FDW) + type: string + x-kubernetes-validations: + - message: fdw is required + rule: self != '' + name: + description: Name of the object (extension, schema, FDW, server) + type: string + options: + description: >- + Options specifies the configuration options for the + server + + (key is the option name, value is the option value). 
+ items: + description: >- + OptionSpec holds the name, value and the ensure + field for an option + properties: + ensure: + default: present + description: >- + Specifies whether an option should be present or + absent in + + the database. If set to `present`, the option + will be + + created if it does not exist. If set to + `absent`, the + + option will be removed if it exists. + enum: + - present + - absent + type: string + name: + description: Name of the option + type: string + value: + description: Value of the option + type: string + required: + - name + - value + type: object + type: array + usage: + description: >- + List of roles for which `USAGE` privileges on the + server are granted or revoked. + items: + description: >- + UsageSpec configures a usage for a foreign data + wrapper + properties: + name: + description: Name of the usage + type: string + x-kubernetes-validations: + - message: name is required + rule: self != '' + type: + default: grant + description: The type of usage + enum: + - grant + - revoke + type: string + required: + - name + type: object + type: array + required: + - fdw + - name + type: object + type: array tablespace: description: >- Maps to the `TABLESPACE` parameter of `CREATE DATABASE`. 
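Review bot: The `servers[].options` description says "(key is the option name, value is the option value)", which describes a map, but the schema under it is a list of `OptionSpec` objects with `name`, `value` and `ensure`; the FDW `options` field in the previous hunk uses the list wording, so suggest `Options specifies the configuration options for the server.` Also, `fdw` is both listed in `required` and guarded by `self != ''`, while `name` is only in `required`, so a server with `name: ""` passes admission; a matching `rule: self != ''` on `name` (as `usage[].name` already has) would close that gap. The enclosing `openAPIV3Schema` starts and ends outside this hunk.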
@@ -334,6 +653,52 @@ spec: applied: description: Applied is true if the database was reconciled correctly type: boolean + extensions: + description: Extensions is the status of the managed extensions + items: + description: >- + DatabaseObjectStatus is the status of the managed database + objects + properties: + applied: + description: |- + True of the object has been installed successfully in + the database + type: boolean + message: + description: Message is the object reconciliation message + type: string + name: + description: The name of the object + type: string + required: + - applied + - name + type: object + type: array + fdws: + description: FDWs is the status of the managed FDWs + items: + description: >- + DatabaseObjectStatus is the status of the managed database + objects + properties: + applied: + description: |- + True of the object has been installed successfully in + the database + type: boolean + message: + description: Message is the object reconciliation message + type: string + name: + description: The name of the object + type: string + required: + - applied + - name + type: object + type: array message: description: Message is the reconciliation output message type: string 
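Review bot: The `applied` description in the new `DatabaseObjectStatus` items reads "True of the object has been installed successfully", which should be "True if the object …"; it is repeated for `extensions` and `fdws` here and for `schemas` and `servers` in the `@@ -343,6 +708,52 @@` hunk below. Suggested text: `True if the object has been installed successfully in the database`. The four item schemas are byte-identical copies, which is expected for a generated CRD, so the fix should be made once on the shared Go type. The enclosing `status` schema starts outside this hunk.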
@@ -343,6 +708,52 @@ spec: desired state that was synchronized format: int64 type: integer + schemas: + description: Schemas is the status of the managed schemas + items: + description: >- + DatabaseObjectStatus is the status of the managed database + objects + properties: + applied: + description: |- + True of the object has been installed successfully in + the database + type: boolean + message: + description: Message is the object reconciliation message + type: string + name: + description: The name of the object + type: string + required: + - applied + - name + type: object + type: array + servers: + description: Servers is the status of the managed servers + items: + description: >- + DatabaseObjectStatus is the status of the managed database + objects + properties: + applied: + description: |- + True of the object has been installed successfully in + the database + type: boolean + message: + description: Message is the object reconciliation message + type: string + name: + description: The name of the object + type: string + required: + - applied + - name + type: object + type: array type: object required: - metadata diff --git a/_/CustomResourceDefinition/failoverquorums.postgresql.cnpg.io.yaml b/_/CustomResourceDefinition/failoverquorums.postgresql.cnpg.io.yaml new file mode 100644 index 0000000..2f85180 --- /dev/null +++ b/_/CustomResourceDefinition/failoverquorums.postgresql.cnpg.io.yaml 
@@ -0,0 +1,92 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.20.1 + helm.sh/resource-policy: keep + name: failoverquorums.postgresql.cnpg.io +spec: + group: postgresql.cnpg.io + names: + kind: FailoverQuorum + listKind: FailoverQuorumList + plural: failoverquorums + singular: failoverquorum + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: |- + FailoverQuorum contains the information about the current failover + quorum status of a PG cluster. It is updated by the instance manager + of the primary node and reset to zero by the operator to trigger + an update. + properties: + apiVersion: + description: >- + APIVersion defines the versioned schema of this representation + of an object. + + Servers should convert recognized schemas to the latest internal + value, and + + may reject unrecognized values. + + More info: + https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: >- + Kind is a string value representing the REST resource this + object represents. + + Servers may infer this from the endpoint the client submits + requests to. + + Cannot be updated. + + In CamelCase. + + More info: + https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + status: + description: Most recently observed status of the failover quorum. + properties: + method: + description: Contains the latest reported Method value. + type: string + primary: + description: |- + Primary is the name of the primary instance that updated + this object the latest time. + type: string + standbyNames: + description: |- + StandbyNames is the list of potentially synchronous + instance names. 
+ items: + type: string + type: array + standbyNumber: + description: >- + StandbyNumber is the number of synchronous standbys that + transactions + + need to wait for replies from. + type: integer + type: object + required: + - metadata + type: object + served: true + storage: true + subresources: + status: {} diff --git a/_/CustomResourceDefinition/imagecatalogs.postgresql.cnpg.io.yaml b/_/CustomResourceDefinition/imagecatalogs.postgresql.cnpg.io.yaml index 52fb91b..cbf812c 100644 --- a/_/CustomResourceDefinition/imagecatalogs.postgresql.cnpg.io.yaml +++ b/_/CustomResourceDefinition/imagecatalogs.postgresql.cnpg.io.yaml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.16.5 + controller-gen.kubebuilder.io/version: v0.20.1 helm.sh/resource-policy: keep name: imagecatalogs.postgresql.cnpg.io spec: 
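Review bot: `status.standbyNumber` is a bare `type: integer` although its description defines it as the number of standbys transactions must wait for; a `minimum: 0` would let the API server reject negative values at admission rather than leaving the check to whatever reads the object. The description says this status is written by the primary's instance manager and reset by the operator to drive a failover decision, so cheap schema validation on its inputs is worthwhile; `method` is likewise an unconstrained string and could carry an `enum` if the set of methods is fixed, which the hunk does not state. The CRD has no `spec` at all, only `status` plus a `status` subresource, which matches the description but may deserve a sentence in the top-level description so it is not read as an omission. This hunk is the complete new file.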
@@ -65,6 +65,175 @@ spec: items: description: CatalogImage defines the image and major version properties: + extensions: + description: The configuration of the extensions to be added + items: + description: >- + ExtensionConfiguration is the configuration used to + add + + PostgreSQL extensions to the Cluster. + properties: + bin_path: + description: >- + A list of directories within the image to be + appended to the + + PostgreSQL process's `PATH` environment + variable. + items: + type: string + type: array + dynamic_library_path: + description: >- + The list of directories inside the image which + should be added to dynamic_library_path. + + If not defined, defaults to "/lib". + items: + type: string + type: array + env: + description: >- + Env is a list of custom environment variables to + be set in the + + PostgreSQL process for this extension. It is the + responsibility of the + + cluster administrator to ensure the variables + are correct for the + + specific extension. Note that changes to these + variables require + + a manual cluster restart to take effect. + items: + description: >- + ExtensionEnvVar defines an environment + variable for a specific extension + + image volume. + properties: + name: + description: >- + Name of the environment variable to be + injected into the + + PostgreSQL process. + minLength: 1 + pattern: ^[a-zA-Z_][a-zA-Z0-9_]*$ + type: string + value: + description: >- + Value of the environment variable. + CloudNativePG performs a direct + + replacement of this value, with support + for placeholder expansion. + + The ${`image_root`} placeholder resolves + to the absolute mount path + + of the extension's volume (e.g., + `/extensions/my-extension`). This + + is particularly useful for allowing + applications or libraries to + + locate specific directories within the + mounted image. + + Unrecognized placeholders are rejected. To + include a literal ${...} + + in the value, escape it as $${...}. 
+ minLength: 1 + type: string + required: + - name + - value + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + extension_control_path: + description: >- + The list of directories inside the image which + should be added to extension_control_path. + + If not defined, defaults to "/share". + items: + type: string + type: array + image: + description: The image containing the extension. + properties: + pullPolicy: + description: >- + Policy for pulling OCI objects. Possible + values are: + + Always: the kubelet always attempts to pull + the reference. Container creation will fail + If the pull fails. + + Never: the kubelet never pulls the reference + and only uses a local image or artifact. + Container creation will fail if the + reference isn't present. + + IfNotPresent: the kubelet pulls if the + reference isn't already present on disk. + Container creation will fail if the + reference isn't present and the pull fails. + + Defaults to Always if :latest tag is + specified, or IfNotPresent otherwise. + type: string + reference: + description: >- + Required: Image or artifact reference to be + used. + + Behaves in the same way as + pod.spec.containers[*].image. + + Pull secrets will be assembled in the same + way as for the container image by looking up + node credentials, SA image pull secrets, and + pod spec image pull secrets. + + More info: + https://kubernetes.io/docs/concepts/containers/images + + This field is optional to allow higher level + config management to default or override + + container images in workload controllers + like Deployments and StatefulSets. + type: string + type: object + ld_library_path: + description: >- + The list of directories inside the image which + should be added to ld_library_path. 
+ items: + type: string + type: array + name: + description: The name of the extension, required + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9_]*[a-z0-9])?$ + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map image: description: The image reference type: string diff --git a/_/CustomResourceDefinition/poolers.postgresql.cnpg.io.yaml b/_/CustomResourceDefinition/poolers.postgresql.cnpg.io.yaml index 4efbfb8..ade707d 100644 --- a/_/CustomResourceDefinition/poolers.postgresql.cnpg.io.yaml +++ b/_/CustomResourceDefinition/poolers.postgresql.cnpg.io.yaml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.16.5 + controller-gen.kubebuilder.io/version: v0.20.1 helm.sh/resource-policy: keep name: poolers.postgresql.cnpg.io spec: @@ -174,6 +174,13 @@ spec: description: >- The configuration of the monitoring infrastructure of this pooler. + + + Deprecated: This feature will be removed in an upcoming + release. If + + you need this functionality, you can create a PodMonitor + manually. properties: enablePodMonitor: default: false @@ -197,7 +204,7 @@ spec: action: default: replace description: >- - Action to perform based on the regex matching. + action to perform based on the regex matching. `Uppercase` and `Lowercase` actions require @@ -234,7 +241,7 @@ spec: type: string modulus: description: >- - Modulus to take of the hash of the source label + modulus to take of the hash of the source label values. 
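Review bot: `image.reference` is described as "Required: Image or artifact reference" but the `image` object has no `required` list and the extension entry only requires `name`, so an entry with `image: {}` passes admission; adding `reference` to `image.required` or a `minLength: 1` would match the description. `pullPolicy` enumerates `Always`, `Never` and `IfNotPresent` in its description yet is an unconstrained `type: string`, so an `enum` would catch typos early. Because `bin_path`, `dynamic_library_path`, `ld_library_path` and `extension_control_path` are added to the search paths of the PostgreSQL process, an item-level `pattern` requiring absolute paths without `..` segments would be a cheap admission-time guard; whether the operator normalises them is not visible here. The `image` object looks like a copy of the upstream image-volume source type, whose optional `reference` is deliberate for workload controllers, so the stricter validation may have to live on the catalog side. The enclosing `CatalogImage` item starts before this hunk.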
@@ -243,12 +250,12 @@ spec: type: integer regex: description: >- - Regular expression against which the extracted - value is matched. + regex defines the regular expression against which + the extracted value is matched. type: string replacement: description: >- - Replacement value against which a Replace action + replacement value against which a Replace action is performed if the regular expression matches. @@ -258,13 +265,13 @@ spec: type: string separator: description: >- - Separator is the string between concatenated + separator defines the string between concatenated SourceLabels. type: string sourceLabels: description: >- - The source labels select values from existing - labels. Their content is + sourceLabels defines the source labels select + values from existing labels. Their content is concatenated using the configured Separator and matched against the @@ -272,17 +279,20 @@ spec: configured regular expression. items: description: >- - LabelName is a valid Prometheus label name which - may only contain ASCII + LabelName is a valid Prometheus label name. + + For Prometheus 3.x, a label name is valid if it + contains UTF-8 characters. - letters, numbers, as well as underscores. - pattern: ^[a-zA-Z_][a-zA-Z0-9_]*$ + For Prometheus 2.x, a label name is only valid + if it contains ASCII characters, letters, + numbers, as well as underscores. type: string type: array targetLabel: description: >- - Label to which the resulting string is written in - a replacement. + targetLabel defines the label to which the + resulting string is written in a replacement. It is mandatory for `Replace`, `HashMod`, @@ -313,7 +323,7 @@ spec: action: default: replace description: >- - Action to perform based on the regex matching. + action to perform based on the regex matching. `Uppercase` and `Lowercase` actions require 
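Review bot: The `@@ -272,17 +279,20 @@` hunk removes `pattern: ^[a-zA-Z_][a-zA-Z0-9_]*$` from the `sourceLabels` items while the new description still says that for Prometheus 2.x a label name is only valid if it contains ASCII letters, numbers and underscores; the same removal appears in the `@@ -388,17 +398,20 @@` hunk on the next line. After this change a label name that Prometheus 2.x rejects is accepted at admission and presumably surfaces only when the generated scrape configuration is loaded, so users on 2.x lose an early, attributable error. This appears to mirror the upstream relaxation for UTF-8 label names and is reasonable to take as vendored, but it deserves a line in the chart's release notes for users still on Prometheus 2.x. The enclosing object for these items starts and ends outside the hunks.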
@@ -350,7 +360,7 @@ spec: type: string modulus: description: >- - Modulus to take of the hash of the source label + modulus to take of the hash of the source label values. @@ -359,12 +369,12 @@ spec: type: integer regex: description: >- - Regular expression against which the extracted - value is matched. + regex defines the regular expression against which + the extracted value is matched. type: string replacement: description: >- - Replacement value against which a Replace action + replacement value against which a Replace action is performed if the regular expression matches. @@ -374,13 +384,13 @@ spec: type: string separator: description: >- - Separator is the string between concatenated + separator defines the string between concatenated SourceLabels. type: string sourceLabels: description: >- - The source labels select values from existing - labels. Their content is + sourceLabels defines the source labels select + values from existing labels. Their content is concatenated using the configured Separator and matched against the @@ -388,17 +398,20 @@ spec: configured regular expression. items: description: >- - LabelName is a valid Prometheus label name which - may only contain ASCII + LabelName is a valid Prometheus label name. - letters, numbers, as well as underscores. - pattern: ^[a-zA-Z_][a-zA-Z0-9_]*$ + For Prometheus 3.x, a label name is valid if it + contains UTF-8 characters. + + For Prometheus 2.x, a label name is only valid + if it contains ASCII characters, letters, + numbers, as well as underscores. type: string type: array targetLabel: description: >- - Label to which the resulting string is written in - a replacement. + targetLabel defines the label to which the + resulting string is written in a replacement. It is mandatory for `Replace`, `HashMod`, 
@@ -440,6 +453,36 @@ spec: has to be specified and no automatic CNPG Cluster integration will be triggered. + + + Deprecated. + properties: + name: + description: Name of the referent. + type: string + required: + - name + type: object + clientCASecret: + description: >- + ClientCASecret provides PgBouncer’s client_tls_ca_file, + the root + + CA for validating client certificates + properties: + name: + description: Name of the referent. + type: string + required: + - name + type: object + clientTLSSecret: + description: >- + ClientTLSSecret provides PgBouncer’s client_tls_key_file + (private key) + + and client_tls_cert_file (certificate) used to accept + client connections properties: name: description: Name of the referent. 
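Review bot: The added `Deprecated.` on the field whose description ends "no automatic CNPG Cluster integration will be triggered" names no replacement and no removal timeline, unlike the monitoring deprecation earlier in this file, which at least tells the user to create a PodMonitor manually; a reader cannot tell whether to move to the new `clientCASecret`/`clientTLSSecret` fields or elsewhere. Suggested shape: `Deprecated: use <replacement field> instead; this field will be removed in <release>.` with the placeholders filled from the actual migration path, which the hunk does not state. The new `clientCASecret` and `clientTLSSecret` references are `name`-only, so the expected Secret layout (which keys hold the CA, key and certificate) is undocumented in the schema and could be added to their descriptions. The deprecated field's name and the enclosing `pgbouncer` settings object are outside the hunk.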
@@ -488,7 +531,58 @@ spec: - session - transaction type: string + serverCASecret: + description: >- + ServerCASecret provides PgBouncer’s server_tls_ca_file, + the root + + CA for validating PostgreSQL certificates + properties: + name: + description: Name of the referent. + type: string + required: + - name + type: object + serverTLSSecret: + description: >- + ServerTLSSecret, when pointing to a TLS secret, provides + pgbouncer's + + `server_tls_key_file` and `server_tls_cert_file`, used + when + + authenticating against PostgreSQL. + properties: + name: + description: Name of the referent. + type: string + required: + - name + type: object type: object + serviceAccountName: + description: >- + Name of an existing ServiceAccount in the same namespace to + use for the pooler. + + When specified, the operator will not create a new + ServiceAccount + + but will use the provided one. This is useful for sharing a + single + + ServiceAccount across multiple poolers (e.g., for cloud IAM + configurations). + + If not specified, a ServiceAccount will be created with the + pooler name. + maxLength: 253 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + x-kubernetes-validations: + - message: serviceAccountName is immutable + rule: self == oldSelf serviceTemplate: description: Template for the Service to be created properties: 
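Review bot: The immutability rule on `serviceAccountName` (`self == oldSelf`) is a transition rule, and as far as I recall Kubernetes skips it when the old object has no value at that path, so an existing Pooler created without `serviceAccountName` can still be switched to any existing ServiceAccount afterwards; that may be intended for migration, but it is not what "immutable" suggests. If the change from the operator-created ServiceAccount to a user-supplied one is meant to be blocked after creation, add `optionalOldSelf: true` to the validation entry so the rule also runs when the old value is absent. Because the pooler pods then run with whatever RBAC and cloud IAM bindings the referenced ServiceAccount carries, the description could state whether the operator adjusts that account's permissions or leaves them untouched, which the hunk does not say. The `serverCASecret`/`serverTLSSecret` references are `name`-only, like the client-side ones above, so the expected Secret keys remain undocumented. The enclosing `spec` mapping starts and ends outside this hunk.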
@@ -1182,24 +1276,21 @@ spec: trafficDistribution: description: >- TrafficDistribution offers a way to express - preferences for how traffic is + preferences for how traffic - distributed to Service endpoints. Implementations - can use this field as a + is distributed to Service endpoints. Implementations + can use this field - hint, but are not required to guarantee strict - adherence. If the field is + as a hint, but are not required to guarantee strict + adherence. If the - not set, the implementation will apply its default - routing strategy. If set + field is not set, the implementation will apply its + default routing - to "PreferClose", implementations should prioritize - endpoints that are + strategy. If set to "PreferClose", implementations + should prioritize - topologically close (e.g., same zone). - - This is a beta field and requires enabling - ServiceTrafficDistribution feature. + endpoints that are in the same zone. type: string type: description: >- @@ -1774,10 +1865,6 @@ spec: Also, matchLabelKeys cannot be set when labelSelector isn't set. - - This is a beta field and requires - enabling MatchLabelKeysInPodAffinity - feature gate (enabled by default). items: type: string type: array @@ -1811,10 +1898,6 @@ spec: Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - - This is a beta field and requires - enabling MatchLabelKeysInPodAffinity - feature gate (enabled by default). items: type: string type: array @@ -2100,10 +2183,6 @@ spec: Also, matchLabelKeys cannot be set when labelSelector isn't set. - - This is a beta field and requires - enabling MatchLabelKeysInPodAffinity - feature gate (enabled by default). items: type: string type: array @@ -2137,10 +2216,6 @@ spec: Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - - This is a beta field and requires - enabling MatchLabelKeysInPodAffinity - feature gate (enabled by default). items: type: string type: array 
@@ -2299,9 +2374,9 @@ spec: anti-affinity expressions, etc.), compute a sum by iterating through the - elements of this field and adding + elements of this field and subtracting - "weight" to the sum if the node has pods + "weight" from the sum if the node has pods which matches the corresponding podAffinityTerm; the @@ -2422,10 +2497,6 @@ spec: Also, matchLabelKeys cannot be set when labelSelector isn't set. - - This is a beta field and requires - enabling MatchLabelKeysInPodAffinity - feature gate (enabled by default). items: type: string type: array @@ -2459,10 +2530,6 @@ spec: Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - - This is a beta field and requires - enabling MatchLabelKeysInPodAffinity - feature gate (enabled by default). items: type: string type: array @@ -2748,10 +2815,6 @@ spec: Also, matchLabelKeys cannot be set when labelSelector isn't set. - - This is a beta field and requires - enabling MatchLabelKeysInPodAffinity - feature gate (enabled by default). items: type: string type: array @@ -2785,10 +2848,6 @@ spec: Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - - This is a beta field and requires - enabling MatchLabelKeysInPodAffinity - feature gate (enabled by default). items: type: string type: array @@ -3013,8 +3072,10 @@ spec: properties: name: description: >- - Name of the environment variable. Must - be a C_IDENTIFIER. + Name of the environment variable. + + May consist of any printable ASCII + characters except '='. type: string value: description: >- 
@@ -3106,6 +3167,68 @@ spec: - fieldPath type: object x-kubernetes-map-type: atomic + fileKeyRef: + description: >- + FileKeyRef selects a key of the env + file. + + Requires the EnvFiles feature gate to be + enabled. + properties: + key: + description: >- + The key within the env file. An invalid + key will prevent the pod from starting. + + The keys defined within a source may + consist of any printable ASCII + characters except '='. + + During Alpha stage of the EnvFiles + feature gate, the key size is limited to + 128 characters. + type: string + optional: + default: false + description: >- + Specify whether the file or its key must + be defined. If the file or key + + does not exist, then the env var is not + published. + + If optional is set to true and the + specified key does not exist, + + the environment variable will not be set + in the Pod's containers. + + + If optional is set to false and the + specified key does not exist, + + an error will be returned during Pod + creation. + type: boolean + path: + description: >- + The path within the volume from which to + select the file. + + Must be relative and may not contain the + '..' path or start with '..'. + type: string + volumeName: + description: >- + The name of the volume mount containing + the env file. + type: string + required: + - key + - path + - volumeName + type: object + x-kubernetes-map-type: atomic resourceFieldRef: description: >- Selects a resource of the container: @@ -3187,12 +3310,10 @@ spec: List of sources to populate environment variables in the container. - The keys defined within a source must be a - C_IDENTIFIER. All invalid keys + The keys defined within a source may consist + of any printable ASCII characters except '='. - will be reported as an event when the - container is starting. When a key exists in - multiple + When a key exists in multiple sources, the value associated with the last source will take precedence. 
@@ -3204,7 +3325,7 @@ spec: items: description: >- EnvFromSource represents the source of a set - of ConfigMaps + of ConfigMaps or Secrets properties: configMapRef: description: The ConfigMap to select from @@ -3234,9 +3355,11 @@ spec: x-kubernetes-map-type: atomic prefix: description: >- - An optional identifier to prepend to - each key in the ConfigMap. Must be a - C_IDENTIFIER. + Optional text to prepend to the name of + each environment variable. + + May consist of any printable ASCII + characters except '='. type: string secretRef: description: The Secret to select from @@ -3623,6 +3746,18 @@ spec: - port type: object type: object + stopSignal: + description: >- + StopSignal defines which signal will be + sent to a container when it is being + stopped. + + If not specified, the default is defined + by the container runtime in use. + + StopSignal can only be set for Pods with a + non-empty .spec.os.name + type: string type: object livenessProbe: description: >- @@ -4196,7 +4331,11 @@ spec: type: integer type: object resizePolicy: - description: Resources resize policy for the container. + description: >- + Resources resize policy for the container. + + This field cannot be set on ephemeral + containers. items: description: >- ContainerResizePolicy represents resource @@ -4240,8 +4379,7 @@ spec: that are used by this container. - This is an alpha field and requires - enabling the + This field depends on the DynamicResourceAllocation feature gate. 
@@ -4323,18 +4461,16 @@ spec: RestartPolicy defines the restart behavior of individual containers in a pod. - This field may only be set for init - containers, and the only allowed value is - "Always". - - For non-init containers or when this field is - not specified, + This overrides the pod-level restart policy. + When this field is not specified, the restart behavior is defined by the Pod's restart policy and the container type. - Setting the RestartPolicy as "Always" for the - init container will have the following effect: + Additionally, setting the RestartPolicy as + "Always" for the init container will + + have the following effect: this init container will be continually restarted on 
@@ -4365,6 +4501,89 @@ spec: completed. type: string + restartPolicyRules: + description: >- + Represents a list of rules to be checked to + determine if the + + container should be restarted on exit. The + rules are evaluated in + + order. Once a rule matches a container exit + condition, the remaining + + rules are ignored. If no rule matches the + container exit condition, + + the Container-level restart policy determines + the whether the container + + is restarted or not. Constraints on the rules: + + - At most 20 rules are allowed. + + - Rules can have the same action. + + - Identical rules are not forbidden in + validations. + + When rules are specified, container MUST set + RestartPolicy explicitly + + even it if matches the Pod's RestartPolicy. + items: + description: >- + ContainerRestartRule describes how a + container exit is handled. + properties: + action: + description: >- + Specifies the action taken on a + container exit if the requirements + + are satisfied. The only possible value + is "Restart" to restart the + + container. + type: string + exitCodes: + description: >- + Represents the exit codes to check on + container exits. + properties: + operator: + description: >- + Represents the relationship between the + container exit code(s) and the + + specified values. Possible values are: + + - In: the requirement is satisfied if + the container exit code is in the + set of specified values. + - NotIn: the requirement is satisfied if + the container exit code is + not in the set of specified values. + type: string + values: + description: >- + Specifies the set of values to check for + container exit codes. + + At most 255 elements are allowed. + items: + format: int32 + type: integer + type: array + x-kubernetes-list-type: set + required: + - operator + type: object + required: + - action + type: object + type: array + x-kubernetes-list-type: atomic securityContext: description: >- SecurityContext defines the security options 
@@ -5418,8 +5637,10 @@ spec: properties: name: description: >- - Name of the environment variable. Must - be a C_IDENTIFIER. + Name of the environment variable. + + May consist of any printable ASCII + characters except '='. type: string value: description: >- @@ -5511,6 +5732,68 @@ spec: - fieldPath type: object x-kubernetes-map-type: atomic + fileKeyRef: + description: >- + FileKeyRef selects a key of the env + file. + + Requires the EnvFiles feature gate to be + enabled. + properties: + key: + description: >- + The key within the env file. An invalid + key will prevent the pod from starting. + + The keys defined within a source may + consist of any printable ASCII + characters except '='. + + During Alpha stage of the EnvFiles + feature gate, the key size is limited to + 128 characters. + type: string + optional: + default: false + description: >- + Specify whether the file or its key must + be defined. If the file or key + + does not exist, then the env var is not + published. + + If optional is set to true and the + specified key does not exist, + + the environment variable will not be set + in the Pod's containers. + + + If optional is set to false and the + specified key does not exist, + + an error will be returned during Pod + creation. + type: boolean + path: + description: >- + The path within the volume from which to + select the file. + + Must be relative and may not contain the + '..' path or start with '..'. + type: string + volumeName: + description: >- + The name of the volume mount containing + the env file. + type: string + required: + - key + - path + - volumeName + type: object + x-kubernetes-map-type: atomic resourceFieldRef: description: >- Selects a resource of the container: 
@@ -5592,12 +5875,10 @@ spec: List of sources to populate environment variables in the container. - The keys defined within a source must be a - C_IDENTIFIER. All invalid keys + The keys defined within a source may consist + of any printable ASCII characters except '='. - will be reported as an event when the - container is starting. When a key exists in - multiple + When a key exists in multiple sources, the value associated with the last source will take precedence. @@ -5609,7 +5890,7 @@ spec: items: description: >- EnvFromSource represents the source of a set - of ConfigMaps + of ConfigMaps or Secrets properties: configMapRef: description: The ConfigMap to select from @@ -5639,9 +5920,11 @@ spec: x-kubernetes-map-type: atomic prefix: description: >- - An optional identifier to prepend to - each key in the ConfigMap. Must be a - C_IDENTIFIER. + Optional text to prepend to the name of + each environment variable. + + May consist of any printable ASCII + characters except '='. type: string secretRef: description: The Secret to select from @@ -6020,6 +6303,18 @@ spec: - port type: object type: object + stopSignal: + description: >- + StopSignal defines which signal will be + sent to a container when it is being + stopped. + + If not specified, the default is defined + by the container runtime in use. + + StopSignal can only be set for Pods with a + non-empty .spec.os.name + type: string type: object livenessProbe: description: >- @@ -6604,8 +6899,7 @@ spec: that are used by this container. - This is an alpha field and requires - enabling the + This field depends on the DynamicResourceAllocation feature gate. 
@@ -6689,11 +6983,71 @@ spec: container within a pod. - This may only be set for init containers. You + You cannot set this field on ephemeral + containers. + type: string + restartPolicyRules: + description: >- + Represents a list of rules to be checked to + determine if the + + container should be restarted on exit. You cannot set this field on ephemeral containers. - type: string + items: + description: >- + ContainerRestartRule describes how a + container exit is handled. + properties: + action: + description: >- + Specifies the action taken on a + container exit if the requirements + + are satisfied. The only possible value + is "Restart" to restart the + + container. + type: string + exitCodes: + description: >- + Represents the exit codes to check on + container exits. + properties: + operator: + description: >- + Represents the relationship between the + container exit code(s) and the + + specified values. Possible values are: + + - In: the requirement is satisfied if + the container exit code is in the + set of specified values. + - NotIn: the requirement is satisfied if + the container exit code is + not in the set of specified values. + type: string + values: + description: >- + Specifies the set of values to check for + container exit codes. + + At most 255 elements are allowed. + items: + format: int32 + type: integer + type: array + x-kubernetes-list-type: set + required: + - operator + type: object + required: + - action + type: object + type: array + x-kubernetes-list-type: atomic securityContext: description: >- Optional: SecurityContext defines the security 
@@ -7582,8 +7936,15 @@ spec: Host networking requested for this pod. Use the host's network namespace. - If this option is set, the ports that will be used - must be specified. + When using HostNetwork you should specify ports so + the scheduler is aware. + + When `hostNetwork` is true, specified `hostPort` + fields in port definitions must match + `containerPort`, + + and unspecified `hostPort` fields in port + definitions are defaulted to match `containerPort`. Default to false. type: boolean @@ -7626,6 +7987,32 @@ spec: If not specified, the pod's hostname will be set to a system-defined value. type: string + hostnameOverride: + description: >- + HostnameOverride specifies an explicit override for + the pod's hostname as perceived by the pod. + + This field only specifies the pod's hostname and + does not affect its DNS records. + + When this field is set to a non-empty string: + + - It takes precedence over the values set in + `hostname` and `subdomain`. + + - The Pod's hostname will be set to this value. + + - `setHostnameAsFQDN` must be nil or set to false. + + - `hostNetwork` must be set to false. + + + This field must be a valid DNS subdomain as defined + in RFC 1123 and contain at most 64 characters. + + Requires the HostnameOverride feature gate to be + enabled. + type: string imagePullSecrets: description: >- ImagePullSecrets is an optional list of references @@ -7692,7 +8079,7 @@ spec: by finding the highest request/limit for each resource type, and then using the max of - of that value or the sum of the normal containers. + that value or the sum of the normal containers. Limits are applied to init containers in a similar fashion. @@ -7784,8 +8171,10 @@ spec: properties: name: description: >- - Name of the environment variable. Must - be a C_IDENTIFIER. + Name of the environment variable. + + May consist of any printable ASCII + characters except '='. type: string value: description: >- 
@@ -7877,6 +8266,68 @@ spec: - fieldPath type: object x-kubernetes-map-type: atomic + fileKeyRef: + description: >- + FileKeyRef selects a key of the env + file. + + Requires the EnvFiles feature gate to be + enabled. + properties: + key: + description: >- + The key within the env file. An invalid + key will prevent the pod from starting. + + The keys defined within a source may + consist of any printable ASCII + characters except '='. + + During Alpha stage of the EnvFiles + feature gate, the key size is limited to + 128 characters. + type: string + optional: + default: false + description: >- + Specify whether the file or its key must + be defined. If the file or key + + does not exist, then the env var is not + published. + + If optional is set to true and the + specified key does not exist, + + the environment variable will not be set + in the Pod's containers. + + + If optional is set to false and the + specified key does not exist, + + an error will be returned during Pod + creation. + type: boolean + path: + description: >- + The path within the volume from which to + select the file. + + Must be relative and may not contain the + '..' path or start with '..'. + type: string + volumeName: + description: >- + The name of the volume mount containing + the env file. + type: string + required: + - key + - path + - volumeName + type: object + x-kubernetes-map-type: atomic resourceFieldRef: description: >- Selects a resource of the container: @@ -7958,12 +8409,10 @@ spec: List of sources to populate environment variables in the container. - The keys defined within a source must be a - C_IDENTIFIER. All invalid keys + The keys defined within a source may consist + of any printable ASCII characters except '='. - will be reported as an event when the - container is starting. When a key exists in - multiple + When a key exists in multiple sources, the value associated with the last source will take precedence. 
@@ -7975,7 +8424,7 @@ spec: items: description: >- EnvFromSource represents the source of a set - of ConfigMaps + of ConfigMaps or Secrets properties: configMapRef: description: The ConfigMap to select from @@ -8005,9 +8454,11 @@ spec: x-kubernetes-map-type: atomic prefix: description: >- - An optional identifier to prepend to - each key in the ConfigMap. Must be a - C_IDENTIFIER. + Optional text to prepend to the name of + each environment variable. + + May consist of any printable ASCII + characters except '='. type: string secretRef: description: The Secret to select from @@ -8394,6 +8845,18 @@ spec: - port type: object type: object + stopSignal: + description: >- + StopSignal defines which signal will be + sent to a container when it is being + stopped. + + If not specified, the default is defined + by the container runtime in use. + + StopSignal can only be set for Pods with a + non-empty .spec.os.name + type: string type: object livenessProbe: description: >- @@ -8967,7 +9430,11 @@ spec: type: integer type: object resizePolicy: - description: Resources resize policy for the container. + description: >- + Resources resize policy for the container. + + This field cannot be set on ephemeral + containers. items: description: >- ContainerResizePolicy represents resource @@ -9011,8 +9478,7 @@ spec: that are used by this container. - This is an alpha field and requires - enabling the + This field depends on the DynamicResourceAllocation feature gate. 
@@ -9094,18 +9560,16 @@ spec: RestartPolicy defines the restart behavior of individual containers in a pod. - This field may only be set for init - containers, and the only allowed value is - "Always". - - For non-init containers or when this field is - not specified, + This overrides the pod-level restart policy. + When this field is not specified, the restart behavior is defined by the Pod's restart policy and the container type. - Setting the RestartPolicy as "Always" for the - init container will have the following effect: + Additionally, setting the RestartPolicy as + "Always" for the init container will + + have the following effect: this init container will be continually restarted on 
@@ -9136,6 +9600,89 @@ spec: completed. type: string + restartPolicyRules: + description: >- + Represents a list of rules to be checked to + determine if the + + container should be restarted on exit. The + rules are evaluated in + + order. Once a rule matches a container exit + condition, the remaining + + rules are ignored. If no rule matches the + container exit condition, + + the Container-level restart policy determines + the whether the container + + is restarted or not. Constraints on the rules: + + - At most 20 rules are allowed. + + - Rules can have the same action. + + - Identical rules are not forbidden in + validations. + + When rules are specified, container MUST set + RestartPolicy explicitly + + even it if matches the Pod's RestartPolicy. + items: + description: >- + ContainerRestartRule describes how a + container exit is handled. + properties: + action: + description: >- + Specifies the action taken on a + container exit if the requirements + + are satisfied. The only possible value + is "Restart" to restart the + + container. + type: string + exitCodes: + description: >- + Represents the exit codes to check on + container exits. + properties: + operator: + description: >- + Represents the relationship between the + container exit code(s) and the + + specified values. Possible values are: + + - In: the requirement is satisfied if + the container exit code is in the + set of specified values. + - NotIn: the requirement is satisfied if + the container exit code is + not in the set of specified values. + type: string + values: + description: >- + Specifies the set of values to check for + container exit codes. + + At most 255 elements are allowed. + items: + format: int32 + type: integer + type: array + x-kubernetes-list-type: set + required: + - operator + type: object + required: + - action + type: object + type: array + x-kubernetes-list-type: atomic securityContext: description: >- SecurityContext defines the security options 
@@ -10041,6 +10588,8 @@ spec: - spec.hostUsers + - spec.resources + - spec.securityContext.appArmorProfile - spec.securityContext.seLinuxOptions @@ -10218,9 +10767,9 @@ spec: by name. - This is an alpha field and requires enabling the + This is a stable field but requires that the - DynamicResourceAllocation feature gate. + DynamicResourceAllocation feature gate is enabled. This field is immutable. @@ -10314,8 +10863,8 @@ spec: containers in the pod. It supports specifying Requests and Limits for - "cpu" and "memory" resource names only. - ResourceClaims are not supported. + "cpu", "memory" and "hugepages-" resource names + only. ResourceClaims are not supported. This field enables fine-grained control over @@ -10338,7 +10887,7 @@ spec: that are used by this container. - This is an alpha field and requires enabling the + This field depends on the DynamicResourceAllocation feature gate. @@ -11032,13 +11581,17 @@ spec: Operator represents a key's relationship to the value. - Valid operators are Exists and Equal. Defaults - to Equal. + Valid operators are Exists, Equal, Lt, and Gt. + Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category. + + Lt and Gt perform numeric comparisons + (requires feature gate + TaintTolerationComparisonOperators). type: string tolerationSeconds: description: >- @@ -11313,10 +11866,6 @@ spec: If this value is nil, the behavior is equivalent to the Honor policy. - - This is a beta-level feature default enabled - by the NodeInclusionPolicyInPodTopologySpread - feature flag. type: string nodeTaintsPolicy: description: >- @@ -11336,10 +11885,6 @@ spec: If this value is nil, the behavior is equivalent to the Ignore policy. - - This is a beta-level feature default enabled - by the NodeInclusionPolicyInPodTopologySpread - feature flag. type: string topologyKey: description: >- 
@@ -12450,9 +12995,8 @@ spec: resources represents the minimum resources the volume should have. - If RecoverVolumeExpansionFailure feature - is enabled users are allowed to specify - resource requirements + Users are allowed to specify resource + requirements that are lower than previous value but must still be higher than capacity @@ -12595,19 +13139,16 @@ spec: different purpose than storageClassName, it can be changed after the claim is - created. An empty string value means - that no VolumeAttributesClass + created. An empty string or nil value + indicates that no - will be applied to the claim but it's - not allowed to reset this field to empty - string once it is set. + VolumeAttributesClass will be applied to + the claim. If the claim enters an + Infeasible error state, - If unspecified and the - PersistentVolumeClaim is unbound, the - default VolumeAttributesClass - - will be set by the persistentvolume - controller if it exists. + this field can be reset to its previous + value (including nil) to cancel the + modification. If the resource referred to by volumeAttributesClass does not exist, @@ -12621,10 +13162,6 @@ spec: More info: https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/ - - (Beta) Using this field requires the - VolumeAttributesClass feature gate to be - enabled (off by default). type: string volumeMode: description: >- @@ -12911,17 +13448,11 @@ spec: Deprecated: Glusterfs is deprecated and the in-tree glusterfs type is no longer supported. - - More info: - https://examples.k8s.io/volumes/glusterfs/README.md properties: endpoints: description: >- endpoints is the endpoint name that details Glusterfs topology. - - More info: - https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod type: string path: description: >- 
@@ -13039,7 +13570,8 @@ spec: Sub path mounts for containers are not supported - (spec.containers[*].volumeMounts.subpath). + (spec.containers[*].volumeMounts.subpath) + before 1.33. The field spec.securityContext.fsGroupChangePolicy has @@ -13101,7 +13633,7 @@ spec: pod. More info: - https://examples.k8s.io/volumes/iscsi/README.md + https://kubernetes.io/docs/concepts/storage/volumes/#iscsi properties: chapAuthDiscovery: description: >- 
@@ -13754,6 +14286,262 @@ spec: type: array x-kubernetes-list-type: atomic type: object + podCertificate: + description: >- + Projects an auto-rotating credential + bundle (private key and certificate + + chain) that the pod can use either as a + TLS client or server. + + + Kubelet generates a private key and uses + it to send a + + PodCertificateRequest to the named + signer. Once the signer approves the + + request and issues a certificate chain, + Kubelet writes the key and + + certificate chain to the pod + filesystem. The pod does not start + until + + certificates have been issued for each + podCertificate projected volume + + source in its spec. + + + Kubelet will begin trying to rotate the + certificate at the time indicated + + by the signer using the + PodCertificateRequest.Status.BeginRefreshAt + + timestamp. + + + Kubelet can write a single file, + indicated by the credentialBundlePath + + field, or separate files, indicated by + the keyPath and + + certificateChainPath fields. + + + The credential bundle is a single file + in PEM format. The first PEM + + entry is the private key (in PKCS#8 + format), and the remaining PEM + + entries are the certificate chain issued + by the signer (typically, + + signers will return their certificate + chain in leaf-to-root order). + + + Prefer using the credential bundle + format, since your application code + + can read it atomically. If you use + keyPath and certificateChainPath, + + your application must make two separate + file reads. If these coincide + + with a certificate rotation, it is + possible that the private key and leaf + + certificate you read may not correspond + to each other. Your application + + will need to check for this condition, + and re-read until they are + + consistent. + + + The named signer controls chooses the + format of the certificate it + + issues; consult the signer + implementation's documentation to learn + how to + + use the certificates it issues. 
+ properties: + certificateChainPath: + description: >- + Write the certificate chain at this path + in the projected volume. + + + Most applications should use + credentialBundlePath. When using + keyPath + + and certificateChainPath, your + application needs to check that the key + + and leaf certificate are consistent, + because it is possible to read the + + files mid-rotation. + type: string + credentialBundlePath: + description: >- + Write the credential bundle at this path + in the projected volume. + + + The credential bundle is a single file + that contains multiple PEM blocks. + + The first PEM block is a PRIVATE KEY + block, containing a PKCS#8 private + + key. + + + The remaining blocks are CERTIFICATE + blocks, containing the issued + + certificate chain from the signer (leaf + and any intermediates). + + + Using credentialBundlePath lets your + Pod's application code make a single + + atomic read that retrieves a consistent + key and certificate chain. If you + + project them to separate files, your + application code will need to + + additionally check that the leaf + certificate was issued to the key. + type: string + keyPath: + description: >- + Write the key at this path in the + projected volume. + + + Most applications should use + credentialBundlePath. When using + keyPath + + and certificateChainPath, your + application needs to check that the key + + and leaf certificate are consistent, + because it is possible to read the + + files mid-rotation. + type: string + keyType: + description: >- + The type of keypair Kubelet will + generate for the pod. + + + Valid values are "RSA3072", "RSA4096", + "ECDSAP256", "ECDSAP384", + + "ECDSAP521", and "ED25519". + type: string + maxExpirationSeconds: + description: >- + maxExpirationSeconds is the maximum + lifetime permitted for the + + certificate. + + + Kubelet copies this value verbatim into + the PodCertificateRequests it + + generates for this projection. 
+ + + If omitted, kube-apiserver will set it + to 86400(24 hours). kube-apiserver + + will reject values shorter than 3600 (1 + hour). The maximum allowable + + value is 7862400 (91 days). + + + The signer implementation is then free + to issue a certificate with any + + lifetime *shorter* than + MaxExpirationSeconds, but no shorter + than 3600 + + seconds (1 hour). This constraint is + enforced by kube-apiserver. + + `kubernetes.io` signers will never issue + certificates with a lifetime + + longer than 24 hours. + format: int32 + type: integer + signerName: + description: >- + Kubelet's generated CSRs will be + addressed to this signer. + type: string + userAnnotations: + additionalProperties: + type: string + description: >- + userAnnotations allow pod authors to + pass additional information to + + the signer implementation. Kubernetes + does not restrict or validate this + + metadata in any way. + + + These values are copied verbatim into + the `spec.unverifiedUserAnnotations` + field of + + the PodCertificateRequest objects that + Kubelet creates. + + + Entries are subject to the same + validation as object metadata + annotations, + + with the addition that all keys must be + domain-prefixed. No restrictions + + are placed on values, except an overall + size limitation on the entire field. + + + Signers should document the keys and + values they support. Signers should + + deny requests that contain keys they do + not recognize. + type: object + required: + - keyType + - signerName + type: object secret: description: >- secret information about the secret data @@ -13966,9 +14754,6 @@ spec: Deprecated: RBD is deprecated and the in-tree rbd type is no longer supported. - - More info: - https://examples.k8s.io/volumes/rbd/README.md properties: fsType: description: >- 
@@ -14420,6 +15205,76 @@ spec: x-kubernetes-list-map-keys: - name x-kubernetes-list-type: map + workloadRef: + description: >- + WorkloadRef provides a reference to the Workload + object that this Pod belongs to. + + This field is used by the scheduler to identify the + PodGroup and apply the + + correct group scheduling policies. The Workload + object referenced + + by this field may not exist at the time the Pod is + created. + + This field is immutable, but a Workload object with + the same name + + may be recreated with different policies. Doing this + during pod scheduling + + may result in the placement not conforming to the + expected policies. + properties: + name: + description: >- + Name defines the name of the Workload object + this Pod belongs to. + + Workload must be in the same namespace as the + Pod. + + If it doesn't match any existing Workload, the + Pod will remain unschedulable + + until a Workload object is created and observed + by the kube-scheduler. + + It must be a DNS subdomain. + type: string + podGroup: + description: >- + PodGroup is the name of the PodGroup within the + Workload that this Pod + + belongs to. If it doesn't match any existing + PodGroup within the Workload, + + the Pod will remain unschedulable until the + Workload object is recreated + + and observed by the kube-scheduler. It must be a + DNS label. + type: string + podGroupReplicaKey: + description: >- + PodGroupReplicaKey specifies the replica key of + the PodGroup to which this + + Pod belongs. It is used to distinguish pods + belonging to different replicas + + of the same pod group. The pod group policy is + applied separately to each replica. + + When set, it must be a DNS label. + type: string + required: + - name + - podGroup + type: object required: - containers type: object @@ -14430,6 +15285,7 @@ spec: enum: - rw - ro + - r type: string required: - cluster 
@@ -14462,6 +15318,16 @@ spec: description: The ResourceVersion of the secret type: string type: object + clientTLS: + description: The client TLS secret version + properties: + name: + description: The name of the secret + type: string + version: + description: The ResourceVersion of the secret + type: string + type: object pgBouncerSecrets: description: The version of the secrets used by PgBouncer properties: diff --git a/_/CustomResourceDefinition/publications.postgresql.cnpg.io.yaml b/_/CustomResourceDefinition/publications.postgresql.cnpg.io.yaml index e81835b..1957ed1 100644 --- a/_/CustomResourceDefinition/publications.postgresql.cnpg.io.yaml +++ b/_/CustomResourceDefinition/publications.postgresql.cnpg.io.yaml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.16.5 + controller-gen.kubebuilder.io/version: v0.20.1 helm.sh/resource-policy: keep name: publications.postgresql.cnpg.io spec: diff --git a/_/CustomResourceDefinition/scheduledbackups.postgresql.cnpg.io.yaml b/_/CustomResourceDefinition/scheduledbackups.postgresql.cnpg.io.yaml index e40f658..6722d30 100644 --- a/_/CustomResourceDefinition/scheduledbackups.postgresql.cnpg.io.yaml +++ b/_/CustomResourceDefinition/scheduledbackups.postgresql.cnpg.io.yaml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.16.5 + controller-gen.kubebuilder.io/version: v0.20.1 helm.sh/resource-policy: keep name: scheduledbackups.postgresql.cnpg.io spec: diff --git a/_/CustomResourceDefinition/subscriptions.postgresql.cnpg.io.yaml b/_/CustomResourceDefinition/subscriptions.postgresql.cnpg.io.yaml index 0348b00..0728e4a 100644 --- a/_/CustomResourceDefinition/subscriptions.postgresql.cnpg.io.yaml +++ b/_/CustomResourceDefinition/subscriptions.postgresql.cnpg.io.yaml 
@@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.16.5 + controller-gen.kubebuilder.io/version: v0.20.1 helm.sh/resource-policy: keep name: subscriptions.postgresql.cnpg.io spec: @@ -117,10 +117,18 @@ spec: additionalProperties: type: string description: >- - Subscription parameters part of the `WITH` clause as - expected by + Subscription parameters included in the `WITH` clause of the + PostgreSQL - PostgreSQL `CREATE SUBSCRIPTION` command + `CREATE SUBSCRIPTION` command. Most parameters cannot be + changed + + after the subscription is created and will be ignored if + modified + + later, except for a limited set documented at: + + https://www.postgresql.org/docs/current/sql-altersubscription.html#SQL-ALTERSUBSCRIPTION-PARAMS-SET type: object publicationDBName: description: >- diff --git a/_/MutatingWebhookConfiguration/cnpg-mutating-webhook-configuration.yaml b/_/MutatingWebhookConfiguration/cnpg-mutating-webhook-configuration.yaml index bab784e..fc3cb28 100644 --- a/_/MutatingWebhookConfiguration/cnpg-mutating-webhook-configuration.yaml +++ b/_/MutatingWebhookConfiguration/cnpg-mutating-webhook-configuration.yaml @@ -5,8 +5,8 @@ metadata: app.kubernetes.io/instance: cloudnative-pg app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: cloudnative-pg - app.kubernetes.io/version: 1.25.0 - helm.sh/chart: cloudnative-pg-0.23.1 + app.kubernetes.io/version: 1.29.0 + helm.sh/chart: cloudnative-pg-0.28.0 name: cnpg-mutating-webhook-configuration webhooks: - admissionReviewVersions: 
@@ -51,6 +51,27 @@ webhooks: resources: - clusters sideEffects: None + - admissionReviewVersions: + - v1 + clientConfig: + service: + name: cnpg-webhook-service + namespace: cloudnative-pg + path: /mutate-postgresql-cnpg-io-v1-database + port: 443 + failurePolicy: Fail + name: mdatabase.cnpg.io + rules: + - apiGroups: + - postgresql.cnpg.io + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + resources: + - databases + sideEffects: None - admissionReviewVersions: - v1 clientConfig: diff --git a/_/ValidatingWebhookConfiguration/cnpg-validating-webhook-configuration.yaml b/_/ValidatingWebhookConfiguration/cnpg-validating-webhook-configuration.yaml index cb2f463..66c33d8 100644 --- a/_/ValidatingWebhookConfiguration/cnpg-validating-webhook-configuration.yaml +++ b/_/ValidatingWebhookConfiguration/cnpg-validating-webhook-configuration.yaml @@ -5,8 +5,8 @@ metadata: app.kubernetes.io/instance: cloudnative-pg app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: cloudnative-pg - app.kubernetes.io/version: 1.25.0 - helm.sh/chart: cloudnative-pg-0.23.1 + app.kubernetes.io/version: 1.29.0 + helm.sh/chart: cloudnative-pg-0.28.0 name: cnpg-validating-webhook-configuration webhooks: - admissionReviewVersions: @@ -72,6 +72,27 @@ webhooks: resources: - scheduledbackups sideEffects: None + - admissionReviewVersions: + - v1 + clientConfig: + service: + name: cnpg-webhook-service + namespace: cloudnative-pg + path: /validate-postgresql-cnpg-io-v1-database + port: 443 + failurePolicy: Fail + name: vdatabase.cnpg.io + rules: + - apiGroups: + - postgresql.cnpg.io + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + resources: + - databases + sideEffects: None - admissionReviewVersions: - v1 clientConfig: diff --git a/cloudnative-pg/Cluster/shared-cluster.yaml b/cloudnative-pg/Cluster/shared-cluster.yaml index d7cad1c..04e41fa 100644 --- a/cloudnative-pg/Cluster/shared-cluster.yaml +++ b/cloudnative-pg/Cluster/shared-cluster.yaml 
@@ -4,7 +4,7 @@ metadata: name: shared-cluster namespace: cloudnative-pg spec: - imageName: ghcr.io/cloudnative-pg/postgresql:16.1 + imageName: ghcr.io/cloudnative-pg/postgis:18-3-system-trixie instances: 3 managed: roles: @@ -12,8 +12,5 @@ spec: name: balancer passwordSecret: name: balancer-db-credentials - postgresql: - parameters: - shared_preload_libraries: vector storage: size: 20Gi diff --git a/cloudnative-pg/ConfigMap/cnpg-controller-manager-config.yaml b/cloudnative-pg/ConfigMap/cnpg-controller-manager-config.yaml index d0d84d8..f3dcc85 100644 --- a/cloudnative-pg/ConfigMap/cnpg-controller-manager-config.yaml +++ b/cloudnative-pg/ConfigMap/cnpg-controller-manager-config.yaml @@ -6,7 +6,7 @@ metadata: app.kubernetes.io/instance: cloudnative-pg app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: cloudnative-pg - app.kubernetes.io/version: 1.25.0 - helm.sh/chart: cloudnative-pg-0.23.1 + app.kubernetes.io/version: 1.29.0 + helm.sh/chart: cloudnative-pg-0.28.0 name: cnpg-controller-manager-config namespace: cloudnative-pg diff --git a/cloudnative-pg/ConfigMap/cnpg-default-monitoring.yaml b/cloudnative-pg/ConfigMap/cnpg-default-monitoring.yaml index c1185d2..8464a10 100644 --- a/cloudnative-pg/ConfigMap/cnpg-default-monitoring.yaml +++ b/cloudnative-pg/ConfigMap/cnpg-default-monitoring.yaml 
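Review bot: The new `imageName: ghcr.io/cloudnative-pg/postgis:18-3-system-trixie` is a floating tag, whereas the value it replaces (`postgresql:16.1`) pinned the full PostgreSQL minor; any pod rebuild may now pull a different build than the one that was tested, which weakens reproducibility and makes it harder to tie a running cluster to a known image. Pin a full version tag or, better, an image digest, e.g. `imageName: ghcr.io/cloudnative-pg/postgis@sha256:<digest-placeholder>`. The change is also a 16 → 18 major-version jump on an existing three-instance cluster combined with a switch of image flavour (postgresql → postgis); as far as I know the operator treats a major bump in `imageName` as an offline upgrade rather than a rolling restart, so plan for downtime and take a backup first. The second hunk in this file drops `shared_preload_libraries: vector`; confirm that nothing owned by the `balancer` role still relies on the `vector` extension being present in the new image.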
@@ -3,30 +3,30 @@ data: queries: | backends: query: | - SELECT sa.datname - , sa.usename - , sa.application_name - , states.state - , COALESCE(sa.count, 0) AS total - , COALESCE(sa.max_tx_secs, 0) AS max_tx_duration_seconds - FROM ( VALUES ('active') - , ('idle') - , ('idle in transaction') - , ('idle in transaction (aborted)') - , ('fastpath function call') - , ('disabled') - ) AS states(state) - LEFT JOIN ( - SELECT datname - , state - , usename - , COALESCE(application_name, '') AS application_name - , COUNT(*) - , COALESCE(EXTRACT (EPOCH FROM (max(now() - xact_start))), 0) AS max_tx_secs - FROM pg_catalog.pg_stat_activity - GROUP BY datname, state, usename, application_name - ) sa ON states.state = sa.state - WHERE sa.usename IS NOT NULL + SELECT sa.datname + , sa.usename + , sa.application_name + , states.state + , COALESCE(sa.count, 0) AS total + , COALESCE(sa.max_tx_secs, 0) AS max_tx_duration_seconds + FROM ( VALUES ('active') + , ('idle') + , ('idle in transaction') + , ('idle in transaction (aborted)') + , ('fastpath function call') + , ('disabled') + ) AS states(state) + LEFT JOIN ( + SELECT datname + , state + , usename + , COALESCE(application_name, '') AS application_name + , COUNT(*) + , COALESCE(EXTRACT (EPOCH FROM (max(now() - xact_start))), 0) AS max_tx_secs + FROM pg_catalog.pg_stat_activity + GROUP BY datname, state, usename, application_name + ) sa ON states.state = sa.state + WHERE sa.usename IS NOT NULL metrics: - datname: usage: "LABEL" 
@@ -49,22 +49,22 @@ data: backends_waiting: query: | - SELECT count(*) AS total - FROM pg_catalog.pg_locks blocked_locks - JOIN pg_catalog.pg_locks blocking_locks - ON blocking_locks.locktype = blocked_locks.locktype - AND blocking_locks.database IS NOT DISTINCT FROM blocked_locks.database - AND blocking_locks.relation IS NOT DISTINCT FROM blocked_locks.relation - AND blocking_locks.page IS NOT DISTINCT FROM blocked_locks.page - AND blocking_locks.tuple IS NOT DISTINCT FROM blocked_locks.tuple - AND blocking_locks.virtualxid IS NOT DISTINCT FROM blocked_locks.virtualxid - AND blocking_locks.transactionid IS NOT DISTINCT FROM blocked_locks.transactionid - AND blocking_locks.classid IS NOT DISTINCT FROM blocked_locks.classid - AND blocking_locks.objid IS NOT DISTINCT FROM blocked_locks.objid - AND blocking_locks.objsubid IS NOT DISTINCT FROM blocked_locks.objsubid - AND blocking_locks.pid != blocked_locks.pid - JOIN pg_catalog.pg_stat_activity blocking_activity ON blocking_activity.pid = blocking_locks.pid - WHERE NOT blocked_locks.granted + SELECT count(*) AS total + FROM pg_catalog.pg_locks blocked_locks + JOIN pg_catalog.pg_locks blocking_locks + ON blocking_locks.locktype = blocked_locks.locktype + AND blocking_locks.database IS NOT DISTINCT FROM blocked_locks.database + AND blocking_locks.relation IS NOT DISTINCT FROM blocked_locks.relation + AND blocking_locks.page IS NOT DISTINCT FROM blocked_locks.page + AND blocking_locks.tuple IS NOT DISTINCT FROM blocked_locks.tuple + AND blocking_locks.virtualxid IS NOT DISTINCT FROM blocked_locks.virtualxid + AND blocking_locks.transactionid IS NOT DISTINCT FROM blocked_locks.transactionid + AND blocking_locks.classid IS NOT DISTINCT FROM blocked_locks.classid + AND blocking_locks.objid IS NOT DISTINCT FROM blocked_locks.objid + AND blocking_locks.objsubid IS NOT DISTINCT FROM blocked_locks.objsubid + AND blocking_locks.pid != blocked_locks.pid + JOIN pg_catalog.pg_stat_activity blocking_activity ON blocking_activity.pid 
= blocking_locks.pid + WHERE NOT blocked_locks.granted metrics: - total: usage: "GAUGE" @@ -102,16 +102,17 @@ data: description: "Time at which postgres started (based on epoch)" pg_replication: - query: "SELECT CASE WHEN ( - NOT pg_catalog.pg_is_in_recovery() - OR pg_catalog.pg_last_wal_receive_lsn() = pg_catalog.pg_last_wal_replay_lsn()) - THEN 0 - ELSE GREATEST (0, - EXTRACT(EPOCH FROM (now() - pg_catalog.pg_last_xact_replay_timestamp()))) - END AS lag, - pg_catalog.pg_is_in_recovery() AS in_recovery, - EXISTS (TABLE pg_stat_wal_receiver) AS is_wal_receiver_up, - (SELECT count(*) FROM pg_catalog.pg_stat_replication) AS streaming_replicas" + query: | + SELECT CASE WHEN ( + NOT pg_catalog.pg_is_in_recovery() + OR pg_catalog.pg_last_wal_receive_lsn() = pg_catalog.pg_last_wal_replay_lsn()) + THEN 0 + ELSE GREATEST (0, + EXTRACT(EPOCH FROM (now() - pg_catalog.pg_last_xact_replay_timestamp()))) + END AS lag, + pg_catalog.pg_is_in_recovery() AS in_recovery, + EXISTS (TABLE pg_stat_wal_receiver) AS is_wal_receiver_up, + (SELECT count(*) FROM pg_catalog.pg_stat_replication) AS streaming_replicas metrics: - lag: usage: "GAUGE" @@ -167,6 +168,9 @@ data: , COALESCE(CAST(CAST('x'||pg_catalog.right(pg_catalog.split_part(last_failed_wal, '.', 1), 16) AS pg_catalog.bit(64)) AS pg_catalog.int8), -1) AS last_failed_wal_start_lsn , EXTRACT(EPOCH FROM stats_reset) AS stats_reset_time FROM pg_catalog.pg_stat_archiver + predicate_query: | + SELECT NOT pg_catalog.pg_is_in_recovery() + OR pg_catalog.current_setting('archive_mode') = 'always' metrics: - archived_count: usage: "COUNTER" 
@@ -379,20 +383,20 @@ data: pg_stat_replication: primary: true query: | - SELECT usename - , COALESCE(application_name, '') AS application_name - , COALESCE(client_addr::text, '') AS client_addr - , COALESCE(client_port::text, '') AS client_port - , EXTRACT(EPOCH FROM backend_start) AS backend_start - , COALESCE(pg_catalog.age(backend_xmin), 0) AS backend_xmin_age - , pg_catalog.pg_wal_lsn_diff(pg_catalog.pg_current_wal_lsn(), sent_lsn) AS sent_diff_bytes - , pg_catalog.pg_wal_lsn_diff(pg_catalog.pg_current_wal_lsn(), write_lsn) AS write_diff_bytes - , pg_catalog.pg_wal_lsn_diff(pg_catalog.pg_current_wal_lsn(), flush_lsn) AS flush_diff_bytes - , COALESCE(pg_catalog.pg_wal_lsn_diff(pg_catalog.pg_current_wal_lsn(), replay_lsn),0) AS replay_diff_bytes - , COALESCE((EXTRACT(EPOCH FROM write_lag)),0)::float AS write_lag_seconds - , COALESCE((EXTRACT(EPOCH FROM flush_lag)),0)::float AS flush_lag_seconds - , COALESCE((EXTRACT(EPOCH FROM replay_lag)),0)::float AS replay_lag_seconds - FROM pg_catalog.pg_stat_replication + SELECT usename + , COALESCE(application_name, '') AS application_name + , COALESCE(client_addr::text, '') AS client_addr + , COALESCE(client_port::text, '') AS client_port + , EXTRACT(EPOCH FROM backend_start) AS backend_start + , COALESCE(pg_catalog.age(backend_xmin), 0) AS backend_xmin_age + , pg_catalog.pg_wal_lsn_diff(pg_catalog.pg_current_wal_lsn(), sent_lsn) AS sent_diff_bytes + , pg_catalog.pg_wal_lsn_diff(pg_catalog.pg_current_wal_lsn(), write_lsn) AS write_diff_bytes + , pg_catalog.pg_wal_lsn_diff(pg_catalog.pg_current_wal_lsn(), flush_lsn) AS flush_diff_bytes + , COALESCE(pg_catalog.pg_wal_lsn_diff(pg_catalog.pg_current_wal_lsn(), replay_lsn),0) AS replay_diff_bytes + , COALESCE((EXTRACT(EPOCH FROM write_lag)),0)::float AS write_lag_seconds + , COALESCE((EXTRACT(EPOCH FROM flush_lag)),0)::float AS flush_lag_seconds + , COALESCE((EXTRACT(EPOCH FROM replay_lag)),0)::float AS replay_lag_seconds + FROM pg_catalog.pg_stat_replication metrics: - 
usename: usage: "LABEL" @@ -448,14 +452,46 @@ data: - setting: usage: "GAUGE" description: "Setting value" + + pg_extensions: + query: | + SELECT + current_database() as datname, + name as extname, + default_version, + installed_version, + CASE + WHEN default_version = installed_version THEN 0 + ELSE 1 + END AS update_available + FROM pg_catalog.pg_available_extensions + WHERE installed_version IS NOT NULL + metrics: + - datname: + usage: "LABEL" + description: "Name of the database" + - extname: + usage: "LABEL" + description: "Extension name" + - default_version: + usage: "LABEL" + description: "Default version" + - installed_version: + usage: "LABEL" + description: "Installed version" + - update_available: + usage: "GAUGE" + description: "An update is available" + target_databases: + - '*' kind: ConfigMap metadata: labels: app.kubernetes.io/instance: cloudnative-pg app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: cloudnative-pg - app.kubernetes.io/version: 1.25.0 + app.kubernetes.io/version: 1.29.0 cnpg.io/reload: '' - helm.sh/chart: cloudnative-pg-0.23.1 + helm.sh/chart: cloudnative-pg-0.28.0 name: cnpg-default-monitoring namespace: cloudnative-pg diff --git a/cloudnative-pg/Deployment/cloudnative-pg.yaml b/cloudnative-pg/Deployment/cloudnative-pg.yaml index 1bc41c6..eb3bdfb 100644 --- a/cloudnative-pg/Deployment/cloudnative-pg.yaml +++ b/cloudnative-pg/Deployment/cloudnative-pg.yaml @@ -5,8 +5,8 @@ metadata: app.kubernetes.io/instance: cloudnative-pg app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: cloudnative-pg - app.kubernetes.io/version: 1.25.0 - helm.sh/chart: cloudnative-pg-0.23.1 + app.kubernetes.io/version: 1.29.0 + helm.sh/chart: cloudnative-pg-0.28.0 name: cloudnative-pg namespace: cloudnative-pg spec: 
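Review bot: `current_database()` in the new pg_extensions query is the only catalog call in this ConfigMap left unqualified; every other query here writes `pg_catalog.`-prefixed functions (`pg_catalog.pg_is_in_recovery()`, `pg_catalog.current_setting(...)`), presumably so a same-named function earlier on search_path cannot change what the exporter reports, and this query runs in every database (`target_databases: ['*']`), where search_path is least controlled. Change the line to `SELECT pg_catalog.current_database() AS datname,` (upper-case `AS` also matches the rest of the file). Separately, `default_version` may be NULL for an extension whose control file sets no default version, in which case `default_version = installed_version` is NULL and the CASE reports `update_available = 1`; `WHEN default_version IS NOT DISTINCT FROM installed_version THEN 0` avoids that false positive if it matters. The pg_extensions stanza starts inside this hunk, but the preceding `pg_settings`-style block it is appended to ends outside the hunk.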
@@ -18,9 +18,9 @@ spec: template: metadata: annotations: - checksum/config: 31844124280868de949b74c53d63c6df096838350c32f641627f2de692e1f5fb - checksum/monitoring-config: 3cfcfcddb84ad11cc19e95adaa7d190fbfeed4c6cf9168ad1f8865854d9f3aad - checksum/rbac: 6b2438edd4867faa4740f44d14c4203456b4c1380d34cf27e6b5c0fd7de4838c + checksum/config: 1b0703c95b4ee680d176bff9c527b0aa792c9296c2c7ce6d0d9feb8a4a719a9c + checksum/monitoring-config: e386a85eeb1c33f87053f6424690f9a77e6ef7247a617162dbaee9b370fb70d1 + checksum/rbac: de6f8c0801db717a56d299947c958973df088ff20a44e5058af807c196824bd6 labels: app.kubernetes.io/instance: cloudnative-pg app.kubernetes.io/name: cloudnative-pg @@ -36,19 +36,19 @@ spec: - /manager env: - name: OPERATOR_IMAGE_NAME - value: ghcr.io/cloudnative-pg/cloudnative-pg:1.25.0 + value: ghcr.io/cloudnative-pg/cloudnative-pg:1.29.0 - name: OPERATOR_NAMESPACE valueFrom: fieldRef: fieldPath: metadata.namespace - name: MONITORING_QUERIES_CONFIGMAP value: cnpg-default-monitoring - image: ghcr.io/cloudnative-pg/cloudnative-pg:1.25.0 + image: ghcr.io/cloudnative-pg/cloudnative-pg:1.29.0 imagePullPolicy: IfNotPresent livenessProbe: httpGet: path: /readyz - port: 9443 + port: webhook-server scheme: HTTPS initialDelaySeconds: 3 name: manager @@ -62,7 +62,7 @@ spec: readinessProbe: httpGet: path: /readyz - port: 9443 + port: webhook-server scheme: HTTPS initialDelaySeconds: 3 resources: {} @@ -76,6 +76,13 @@ spec: runAsUser: 10001 seccompProfile: type: RuntimeDefault + startupProbe: + failureThreshold: 6 + httpGet: + path: /readyz + port: webhook-server + scheme: HTTPS + periodSeconds: 5 volumeMounts: - mountPath: /controller name: scratch-data diff --git a/cloudnative-pg/Service/cnpg-webhook-service.yaml b/cloudnative-pg/Service/cnpg-webhook-service.yaml index fe76ff5..ec77880 100644 --- a/cloudnative-pg/Service/cnpg-webhook-service.yaml +++ b/cloudnative-pg/Service/cnpg-webhook-service.yaml 
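Review bot: All three probes now reference the named container port `webhook-server` (liveness in this `@@ -36` hunk, readiness in `@@ -62`, the new startupProbe in `@@ -76`), but the container's `ports:` entry that must declare `name: webhook-server` is outside every hunk shown, so it is worth confirming it exists in the rendered template; an undeclared named port fails all three probes and the pod never becomes Ready. The added startupProbe sets `failureThreshold: 6` and `periodSeconds: 5` but leaves `timeoutSeconds` at the 1s default for an HTTPS `/readyz` on a cold-starting manager; if the TLS handshake plus readiness can exceed that on a slow node, adding `timeoutSeconds: 3` under `startupProbe` avoids spurious restarts. The `image` and `OPERATOR_IMAGE_NAME` values are pinned by the mutable tag `1.29.0` with `imagePullPolicy: IfNotPresent`; where the chart exposes it, a digest reference (`image: ghcr.io/cloudnative-pg/cloudnative-pg@sha256:<digest-placeholder>`) makes the rollout reproducible and immune to a re-pushed tag.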
@@ -5,8 +5,8 @@ metadata: app.kubernetes.io/instance: cloudnative-pg app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: cloudnative-pg - app.kubernetes.io/version: 1.25.0 - helm.sh/chart: cloudnative-pg-0.23.1 + app.kubernetes.io/version: 1.29.0 + helm.sh/chart: cloudnative-pg-0.28.0 name: cnpg-webhook-service namespace: cloudnative-pg spec: diff --git a/cloudnative-pg/ServiceAccount/cloudnative-pg.yaml b/cloudnative-pg/ServiceAccount/cloudnative-pg.yaml index b414843..f50c66e 100644 --- a/cloudnative-pg/ServiceAccount/cloudnative-pg.yaml +++ b/cloudnative-pg/ServiceAccount/cloudnative-pg.yaml @@ -5,7 +5,7 @@ metadata: app.kubernetes.io/instance: cloudnative-pg app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: cloudnative-pg - app.kubernetes.io/version: 1.25.0 - helm.sh/chart: cloudnative-pg-0.23.1 + app.kubernetes.io/version: 1.29.0 + helm.sh/chart: cloudnative-pg-0.28.0 name: cloudnative-pg namespace: cloudnative-pg