From 6193560729bdeea75201b9cee1c6da92035e7767 Mon Sep 17 00:00:00 2001 From: Benjamin Blattberg Date: Tue, 10 May 2022 14:40:05 -0500 Subject: [PATCH 1/7] Enable seccomp on containers (#3193) As of Kubernetes v1.19, SecurityContext has a seccompProfile field that can be set to RuntimeDefault to limit syscalls. This PR adds that setting to the containers in order to (a) limit syscalls from PGO-managed containers, while (b) not preventing users from using other tools involving sidecars, etc. Issue [sc-11286] --- config/manager/manager.yaml | 2 ++ .../postgrescluster/instance_test.go | 8 +++++ .../postgrescluster/pgbackrest_test.go | 2 ++ .../postgrescluster/volumes_test.go | 6 ++++ internal/initialize/security.go | 10 ++++++ internal/initialize/security_test.go | 7 ++-- internal/pgadmin/reconcile_test.go | 8 +++++ internal/pgbackrest/reconcile_test.go | 8 +++++ internal/pgbouncer/reconcile_test.go | 12 +++++++ internal/postgres/reconcile_test.go | 6 ++++ .../kuttl/e2e/security-context/00-assert.yaml | 34 +++++++++++++++++++ 11 files changed, 101 insertions(+), 2 deletions(-) diff --git a/config/manager/manager.yaml b/config/manager/manager.yaml index 0d74474344..a5278c3807 100644 --- a/config/manager/manager.yaml +++ b/config/manager/manager.yaml @@ -38,4 +38,6 @@ spec: allowPrivilegeEscalation: false readOnlyRootFilesystem: true runAsNonRoot: true + seccompProfile: + type: RuntimeDefault serviceAccountName: pgo diff --git a/internal/controller/postgrescluster/instance_test.go b/internal/controller/postgrescluster/instance_test.go index c20bd9fe10..48546f1e9b 100644 --- a/internal/controller/postgrescluster/instance_test.go +++ b/internal/controller/postgrescluster/instance_test.go @@ -563,6 +563,8 @@ func TestAddPGBackRestToInstancePodSpec(t *testing.T) { privileged: false readOnlyRootFilesystem: true runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /etc/pgbackrest/server name: pgbackrest-server 
@@ -610,6 +612,8 @@ func TestAddPGBackRestToInstancePodSpec(t *testing.T) { privileged: false readOnlyRootFilesystem: true runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /etc/pgbackrest/server name: pgbackrest-server @@ -665,6 +669,8 @@ func TestAddPGBackRestToInstancePodSpec(t *testing.T) { privileged: false readOnlyRootFilesystem: true runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /etc/pgbackrest/server name: pgbackrest-server @@ -712,6 +718,8 @@ func TestAddPGBackRestToInstancePodSpec(t *testing.T) { privileged: false readOnlyRootFilesystem: true runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /etc/pgbackrest/server name: pgbackrest-server diff --git a/internal/controller/postgrescluster/pgbackrest_test.go b/internal/controller/postgrescluster/pgbackrest_test.go index 74478155c0..aea24d65bd 100644 --- a/internal/controller/postgrescluster/pgbackrest_test.go +++ b/internal/controller/postgrescluster/pgbackrest_test.go @@ -2504,6 +2504,8 @@ containers: privileged: false readOnlyRootFilesystem: true runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /etc/pgbackrest/conf.d name: pgbackrest-config diff --git a/internal/controller/postgrescluster/volumes_test.go b/internal/controller/postgrescluster/volumes_test.go index b02b136a26..bef2765ac2 100644 --- a/internal/controller/postgrescluster/volumes_test.go +++ b/internal/controller/postgrescluster/volumes_test.go @@ -991,6 +991,8 @@ containers: privileged: false readOnlyRootFilesystem: true runAsNonRoot: true + seccompProfile: + type: RuntimeDefault terminationMessagePath: /dev/termination-log terminationMessagePolicy: File volumeMounts: @@ -1044,6 +1046,8 @@ containers: privileged: false readOnlyRootFilesystem: true runAsNonRoot: true + seccompProfile: + type: RuntimeDefault terminationMessagePath: /dev/termination-log terminationMessagePolicy: File volumeMounts: 
@@ -1099,6 +1103,8 @@ containers: privileged: false readOnlyRootFilesystem: true runAsNonRoot: true + seccompProfile: + type: RuntimeDefault terminationMessagePath: /dev/termination-log terminationMessagePolicy: File volumeMounts: diff --git a/internal/initialize/security.go b/internal/initialize/security.go index b7cbba14c7..2d17c9881a 100644 --- a/internal/initialize/security.go +++ b/internal/initialize/security.go @@ -20,6 +20,9 @@ import ( ) // RestrictedPodSecurityContext returns a v1.PodSecurityContext with safe defaults. +// Note: All current containers have security context set by `RestrictedSecurityContext` +// which has recommended limits; if more pods/containers are added +// make sure to set the SC on the container // See https://docs.k8s.io/concepts/security/pod-security-standards/ func RestrictedPodSecurityContext() *corev1.PodSecurityContext { return &corev1.PodSecurityContext{ @@ -43,5 +46,12 @@ func RestrictedSecurityContext() *corev1.SecurityContext { // Fail to start the container if its image runs as UID 0 (root). RunAsNonRoot: Bool(true), + + // Restrict syscalls with RuntimeDefault seccomp. + // Set this on the container-level to avoid interfering + // with sidecars and injected containers. + SeccompProfile: &corev1.SeccompProfile{ + Type: corev1.SeccompProfileTypeRuntimeDefault, + }, } } diff --git a/internal/initialize/security_test.go b/internal/initialize/security_test.go index 0ed976eb53..f2473ecd63 100644 --- a/internal/initialize/security_test.go +++ b/internal/initialize/security_test.go 
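Review bot: The `SeccompProfile` added to `RestrictedSecurityContext` in internal/initialize/security.go only covers containers that are built with this helper, and nothing in the change enforces that they all are. `RestrictedPodSecurityContext` deliberately leaves the pod-level profile unset, so a container added later without this SecurityContext falls back to the cluster default, which on many clusters is unconfined. A unit test that walks every container and init container of each generated pod spec and fails when `SecurityContext.SeccompProfile` is nil would turn the reminder comment into a check. The reminder itself would read more clearly as `// Note: every container PGO creates must use RestrictedSecurityContext, because seccomp is deliberately not set at the pod level.` `RestrictedSecurityContext` starts above its hunk and the body of `RestrictedPodSecurityContext` runs past its hunk.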
@@ -97,8 +97,11 @@ func TestRestrictedSecurityContext(t *testing.T) { "Containers must be required to run as non-root users.") } - assert.Assert(t, sc.SeccompProfile == nil, - "The RuntimeDefault seccomp profile must be required, or allow specific additional profiles.") + if assert.Check(t, sc.SeccompProfile != nil) { + assert.Assert(t, sc.SeccompProfile.Type == "RuntimeDefault", + "Seccomp profile must be explicitly set to one of the allowed values.") + } + }) if assert.Check(t, sc.ReadOnlyRootFilesystem != nil) { diff --git a/internal/pgadmin/reconcile_test.go b/internal/pgadmin/reconcile_test.go index dd981ef5d7..e69393afde 100644 --- a/internal/pgadmin/reconcile_test.go +++ b/internal/pgadmin/reconcile_test.go @@ -241,6 +241,8 @@ containers: privileged: false readOnlyRootFilesystem: true runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /etc/pgadmin name: pgadmin-startup @@ -278,6 +280,8 @@ initContainers: privileged: false readOnlyRootFilesystem: true runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /etc/pgadmin name: pgadmin-startup @@ -473,6 +477,8 @@ containers: privileged: false readOnlyRootFilesystem: true runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /etc/pgadmin name: pgadmin-startup @@ -514,6 +520,8 @@ initContainers: privileged: false readOnlyRootFilesystem: true runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /etc/pgadmin name: pgadmin-startup diff --git a/internal/pgbackrest/reconcile_test.go b/internal/pgbackrest/reconcile_test.go index 853191432e..171b0cfd0f 100644 --- a/internal/pgbackrest/reconcile_test.go +++ b/internal/pgbackrest/reconcile_test.go @@ -571,6 +571,8 @@ func TestAddServerToInstancePod(t *testing.T) { privileged: false readOnlyRootFilesystem: true runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /etc/pgbackrest/server name: pgbackrest-server 
@@ -617,6 +619,8 @@ func TestAddServerToInstancePod(t *testing.T) { privileged: false readOnlyRootFilesystem: true runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /etc/pgbackrest/server name: pgbackrest-server @@ -701,6 +705,8 @@ func TestAddServerToRepoPod(t *testing.T) { privileged: false readOnlyRootFilesystem: true runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /etc/pgbackrest/server name: pgbackrest-server @@ -743,6 +749,8 @@ func TestAddServerToRepoPod(t *testing.T) { privileged: false readOnlyRootFilesystem: true runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /etc/pgbackrest/server name: pgbackrest-server diff --git a/internal/pgbouncer/reconcile_test.go b/internal/pgbouncer/reconcile_test.go index 84bdde0b8b..5aec210b9c 100644 --- a/internal/pgbouncer/reconcile_test.go +++ b/internal/pgbouncer/reconcile_test.go @@ -141,6 +141,8 @@ containers: privileged: false readOnlyRootFilesystem: true runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /etc/pgbouncer name: pgbouncer-config @@ -169,6 +171,8 @@ containers: privileged: false readOnlyRootFilesystem: true runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /etc/pgbouncer name: pgbouncer-config @@ -245,6 +249,8 @@ containers: privileged: false readOnlyRootFilesystem: true runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /etc/pgbouncer name: pgbouncer-config @@ -278,6 +284,8 @@ containers: privileged: false readOnlyRootFilesystem: true runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /etc/pgbouncer name: pgbouncer-config @@ -345,6 +353,8 @@ containers: privileged: false readOnlyRootFilesystem: true runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /etc/pgbouncer name: pgbouncer-config 
@@ -377,6 +387,8 @@ containers: privileged: false readOnlyRootFilesystem: true runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /etc/pgbouncer name: pgbouncer-config diff --git a/internal/postgres/reconcile_test.go b/internal/postgres/reconcile_test.go index 2ff453cd41..80f296399b 100644 --- a/internal/postgres/reconcile_test.go +++ b/internal/postgres/reconcile_test.go @@ -143,6 +143,8 @@ containers: privileged: false readOnlyRootFilesystem: true runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /pgconf/tls name: cert-volume @@ -181,6 +183,8 @@ containers: privileged: false readOnlyRootFilesystem: true runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /pgconf/tls name: cert-volume @@ -247,6 +251,8 @@ initContainers: privileged: false readOnlyRootFilesystem: true runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /pgconf/tls name: cert-volume diff --git a/testing/kuttl/e2e/security-context/00-assert.yaml b/testing/kuttl/e2e/security-context/00-assert.yaml index a6a5f48b6a..69f7f85cf6 100644 --- a/testing/kuttl/e2e/security-context/00-assert.yaml +++ b/testing/kuttl/e2e/security-context/00-assert.yaml @@ -35,6 +35,8 @@ spec: privileged: false readOnlyRootFilesystem: true runAsNonRoot: true + seccompProfile: + type: RuntimeDefault --- # instance apiVersion: v1 
@@ -54,30 +56,40 @@ spec: privileged: false readOnlyRootFilesystem: true runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - name: replication-cert-copy securityContext: allowPrivilegeEscalation: false privileged: false readOnlyRootFilesystem: true runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - name: pgbackrest securityContext: allowPrivilegeEscalation: false privileged: false readOnlyRootFilesystem: true runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - name: pgbackrest-config securityContext: allowPrivilegeEscalation: false privileged: false readOnlyRootFilesystem: true runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - name: exporter securityContext: allowPrivilegeEscalation: false privileged: false readOnlyRootFilesystem: true runAsNonRoot: true + seccompProfile: + type: RuntimeDefault initContainers: - name: postgres-startup securityContext: @@ -85,12 +97,16 @@ spec: privileged: false readOnlyRootFilesystem: true runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - name: nss-wrapper-init securityContext: allowPrivilegeEscalation: false privileged: false readOnlyRootFilesystem: true runAsNonRoot: true + seccompProfile: + type: RuntimeDefault --- # pgAdmin apiVersion: v1 @@ -110,6 +126,8 @@ spec: privileged: false readOnlyRootFilesystem: true runAsNonRoot: true + seccompProfile: + type: RuntimeDefault initContainers: - name: pgadmin-startup securityContext: @@ -117,12 +135,16 @@ spec: privileged: false readOnlyRootFilesystem: true runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - name: nss-wrapper-init securityContext: allowPrivilegeEscalation: false privileged: false readOnlyRootFilesystem: true runAsNonRoot: true + seccompProfile: + type: RuntimeDefault --- # pgBouncer apiVersion: v1 
@@ -139,12 +161,16 @@ spec: privileged: false readOnlyRootFilesystem: true runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - name: pgbouncer-config securityContext: allowPrivilegeEscalation: false privileged: false readOnlyRootFilesystem: true runAsNonRoot: true + seccompProfile: + type: RuntimeDefault --- # pgBackRest repo apiVersion: v1 @@ -165,12 +191,16 @@ spec: privileged: false readOnlyRootFilesystem: true runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - name: pgbackrest-config securityContext: allowPrivilegeEscalation: false privileged: false readOnlyRootFilesystem: true runAsNonRoot: true + seccompProfile: + type: RuntimeDefault initContainers: - name: pgbackrest-log-dir securityContext: @@ -178,9 +208,13 @@ spec: privileged: false readOnlyRootFilesystem: true runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - name: nss-wrapper-init securityContext: allowPrivilegeEscalation: false privileged: false readOnlyRootFilesystem: true runAsNonRoot: true + seccompProfile: + type: RuntimeDefault From e746b2847d8483f15e75dbaabb069ef0829f2b2c Mon Sep 17 00:00:00 2001 From: Benjamin Blattberg Date: Wed, 11 May 2022 16:22:28 -0500 Subject: [PATCH 2/7] Deflake TestReconcileReplicaCreateBackup (#3198) TestReconcileReplicaCreateBackup was flaking in envtest-existing runs; experimentation revealed this was due to garbage collection. Following current practice, this PR skips the test in envtest-existing runs. Issue [sc-14382] --- internal/controller/postgrescluster/pgbackrest.go | 8 ++++---- internal/controller/postgrescluster/pgbackrest_test.go | 10 ++++++++-- 2 files changed, 12 insertions(+), 6 deletions(-) diff --git a/internal/controller/postgrescluster/pgbackrest.go b/internal/controller/postgrescluster/pgbackrest.go index 4c9396ad52..0e8c505060 100644 --- a/internal/controller/postgrescluster/pgbackrest.go +++ b/internal/controller/postgrescluster/pgbackrest.go 
@@ -2270,8 +2270,8 @@ func (r *Reconciler) reconcileReplicaCreateBackup(ctx context.Context, replicaCreateRepo v1beta1.PGBackRestRepo) error { var replicaCreateRepoStatus *v1beta1.RepoStatus - for i, r := range postgresCluster.Status.PGBackRest.Repos { - if r.Name == replicaCreateRepo.Name { + for i, repo := range postgresCluster.Status.PGBackRest.Repos { + if repo.Name == replicaCreateRepo.Name { replicaCreateRepoStatus = &postgresCluster.Status.PGBackRest.Repos[i] break } @@ -2494,8 +2494,8 @@ func (r *Reconciler) reconcileStanzaCreate(ctx context.Context, return } replicaCreateRepoName := postgresCluster.Spec.Backups.PGBackRest.Repos[0].Name - for i, r := range postgresCluster.Status.PGBackRest.Repos { - if r.Name == replicaCreateRepoName { + for i, repo := range postgresCluster.Status.PGBackRest.Repos { + if repo.Name == replicaCreateRepoName { replicaCreateRepoStatus = &postgresCluster.Status.PGBackRest.Repos[i] break } diff --git a/internal/controller/postgrescluster/pgbackrest_test.go b/internal/controller/postgrescluster/pgbackrest_test.go index aea24d65bd..5d68f727fe 100644 --- a/internal/controller/postgrescluster/pgbackrest_test.go +++ b/internal/controller/postgrescluster/pgbackrest_test.go @@ -848,6 +848,11 @@ func TestGetPGBackRestExecSelector(t *testing.T) { } func TestReconcileReplicaCreateBackup(t *testing.T) { + // Garbage collector cleans up test resources before the test completes + if strings.EqualFold(os.Getenv("USE_EXISTING_CLUSTER"), "true") { + t.Skip("USE_EXISTING_CLUSTER: Test fails due to garbage collection") + } + ctx := context.Background() _, tClient := setupKubernetes(t) require.ParallelCapacity(t, 1) 
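Review bot: The `t.Skip` at the top of TestReconcileReplicaCreateBackup removes the whole test from USE_EXISTING_CLUSTER runs, so this test's coverage of `reconcileReplicaCreateBackup` is lost on real clusters, and the comment does not say which resources are collected or where the investigation is recorded. A fuller comment would help whoever re-enables it, e.g. `// Skipped on existing clusters: the garbage collector removes resources this test creates before its assertions run. See [sc-14382].` If only part of the test depends on those resources, moving the skip down to that point would keep the earlier assertions running; that cannot be judged here because the test body continues outside the hunk.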
@@ -908,6 +913,7 @@ func TestReconcileReplicaCreateBackup(t *testing.T) { // now find the expected job jobs := &batchv1.JobList{} err = tClient.List(ctx, jobs, &client.ListOptions{ + Namespace: postgresCluster.Namespace, LabelSelector: naming.PGBackRestBackupJobSelector(clusterName, replicaCreateRepo.Name, naming.BackupReplicaCreate), }) @@ -994,8 +1000,8 @@ func TestReconcileReplicaCreateBackup(t *testing.T) { // verify the status has been updated properly var replicaCreateRepoStatus *v1beta1.RepoStatus - for i, r := range postgresCluster.Status.PGBackRest.Repos { - if r.Name == replicaCreateRepo.Name { + for i, repo := range postgresCluster.Status.PGBackRest.Repos { + if repo.Name == replicaCreateRepo.Name { replicaCreateRepoStatus = &postgresCluster.Status.PGBackRest.Repos[i] break } From fb5e4f0a5dac1e301106e61e7dd6ff252a0fdd4d Mon Sep 17 00:00:00 2001 From: Andrew L'Ecuyer Date: Tue, 5 Apr 2022 20:43:34 +0000 Subject: [PATCH 3/7] Add Script for Updating the Monitoring Installer Adds a script for updating the "monitoring" Kustomize installer in the PGO examples repo using specific pgMonitor tag provided. Issue: [sc-13611] --- hack/update-pgmonitor-installer.sh | 76 ++++++++++++++++++++++++++++++ 1 file changed, 76 insertions(+) create mode 100755 hack/update-pgmonitor-installer.sh diff --git a/hack/update-pgmonitor-installer.sh b/hack/update-pgmonitor-installer.sh new file mode 100755 index 0000000000..00591f131f --- /dev/null +++ b/hack/update-pgmonitor-installer.sh 
@@ -0,0 +1,76 @@
+#!/usr/bin/env bash
+
+# Copyright 2022 Crunchy Data Solutions, Inc.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# This script updates the Kustomize installer for monitoring with the latest Grafana,
+# Prometheus and Alert Manager configuration per the pgMonitor tag specified
+
+directory=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )
+
+# The pgMonitor tag to use to refresh the current monitoring installer
+pgmonitor_tag=v4.6-RC1
+
+# Set the directory for the monitoring Kustomize installer
+pgo_examples_monitoring_dir="${directory}/../../postgres-operator-examples/kustomize/monitoring"
+
+# Create a tmp directory for checking out the pgMonitor tag
+tmp_dir="${directory}/pgmonitor_tmp/"
+mkdir -p "${tmp_dir}"
+
+# Clone the pgMonitor repo and checkout the tag provided
+git -C "${tmp_dir}" clone https://github.com/CrunchyData/pgmonitor.git
+cd "${tmp_dir}/pgmonitor"
+git checkout "${pgmonitor_tag}"
+
+# Deviation from pgMonitor default!
+# Update "${DS_PROMETHEUS}" to "PROMETHEUS" in all containers dashboards
+find "grafana/containers" -type f -exec \
+ sed -i 's/${DS_PROMETHEUS}/PROMETHEUS/' {} \;
+# Copy Grafana dashboards for containers
+cp -r "grafana/containers/." "${pgo_examples_monitoring_dir}/config/grafana/dashboards"
+
+# Deviation from pgMonitor default!
+# Update the dashboard location to the default for the Grafana container.
+sed -i 's#/etc/grafana/crunchy_dashboards#/etc/grafana/provisioning/dashboards#' \
+ "grafana/linux/crunchy_grafana_dashboards.yml"
+cp "grafana/linux/crunchy_grafana_dashboards.yml" "${pgo_examples_monitoring_dir}/config/grafana"
+
+# Deviation from pgMonitor default!
+# Update the URL for the Grafana data source configuration to use env vars for the Prometheus host
+# and port.
+sed -i 's#localhost:9090#$PROM_HOST:$PROM_PORT#' \
+ "grafana/common/crunchy_grafana_datasource.yml"
+cp "grafana/common/crunchy_grafana_datasource.yml" "${pgo_examples_monitoring_dir}/config/grafana"
+
+# Deviation from pgMonitor default!
+# Update the URL for the Grafana data source configuration to use env vars for the Prometheus host
+# and port.
+cp "prometheus/containers/crunchy-prometheus.yml.containers" "prometheus/containers/crunchy-prometheus.yml"
+cat << EOF >> prometheus/containers/crunchy-prometheus.yml
+alerting:
+ alertmanagers:
+ - scheme: http
+ static_configs:
+ - targets:
+ - "crunchy-alertmanager:9093"
+EOF
+cp "prometheus/containers/crunchy-prometheus.yml" "${pgo_examples_monitoring_dir}/config/prometheus"
+
+# Copy the default Alert Manager configuration
+cp "alertmanager/common/crunchy-alertmanager.yml" "${pgo_examples_monitoring_dir}/config/alertmanager"
+cp "prometheus/containers/alert-rules.d/crunchy-alert-rules-pg.yml.containers.example" \
+ "${pgo_examples_monitoring_dir}/config/alertmanager/crunchy-alert-rules-pg.yml"
+
+# Cleanup any temporary resources
+rm -rf "${tmp_dir}"
From 0a478a2d2d6dd086c1555fc960ecb208edf9392c Mon Sep 17 00:00:00 2001
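Review bot: hack/update-pgmonitor-installer.sh runs without `set -euo pipefail`, so a failed `git clone`, `cd "${tmp_dir}/pgmonitor"` or `git checkout` does not stop it; the later `find … sed -i` and `cp` steps then act on relative paths in whatever directory the caller was in and can copy stale or missing files into the examples repo. The script also trusts whatever the `v4.6-RC1` tag points to at run time, and because the fetched dashboards, Prometheus config and alert rules end up in an installer that users deploy, recording the expected commit and comparing it after checkout would catch a moved tag. Two smaller points: `sed -i 's/${DS_PROMETHEUS}/PROMETHEUS/'` has no `g` flag and so replaces only the first match on each line, and the comment above the `crunchy-prometheus.yml` step is a copy of the Grafana data source comment although that step appends the Alertmanager target. The fence shows the fail-fast and temp-directory handling; the commit value in it is a placeholder.

```shell
#!/usr/bin/env bash
set -euo pipefail

# … unchanged: license header, directory, pgmonitor_tag, pgo_examples_monitoring_dir …

# Placeholder: the commit that pgmonitor_tag pointed to when it was reviewed
pgmonitor_commit='<EXPECTED_COMMIT_SHA>'

# Create a tmp directory for checking out the pgMonitor tag; remove it on any exit
tmp_dir=$(mktemp -d)
trap 'rm -rf "${tmp_dir}"' EXIT

# … unchanged: git clone, cd, git checkout …

# Stop if the tag no longer resolves to the reviewed commit
if [[ "$(git rev-parse HEAD)" != "${pgmonitor_commit}" ]]; then
  echo "${pgmonitor_tag} resolves to an unexpected commit" >&2
  exit 1
fi

# … unchanged: sed and cp steps; the final rm -rf is replaced by the trap …
```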
From: ValClarkson Date: Thu, 12 May 2022 15:30:50 -0400 Subject: [PATCH 4/7] Pre-release update for v5.1.1 [sc-14408] --- .github/ISSUE_TEMPLATE/bug_report.md | 2 +- .github/ISSUE_TEMPLATE/feature_request.md | 2 +- .github/workflows/test.yaml | 6 +-- Makefile | 2 +- config/default/kustomization.yaml | 2 +- config/manager/manager.yaml | 18 ++++----- config/singlenamespace/kustomization.yaml | 2 +- docs/config.toml | 40 ++++++++++--------- docs/content/references/components.md | 10 +++-- docs/content/releases/5.1.1.md | 24 +++++++++++ examples/postgrescluster/postgrescluster.yaml | 6 +-- installers/olm/Makefile | 4 +- installers/olm/bundle.relatedImages.yaml | 2 + .../olm/config/redhat/related-images.yaml | 1 + .../postgrescluster/helpers_test.go | 6 +-- 15 files changed, 80 insertions(+), 47 deletions(-) create mode 100644 docs/content/releases/5.1.1.md diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md index 32324a5a55..08704bef34 100644 --- a/.github/ISSUE_TEMPLATE/bug_report.md +++ b/.github/ISSUE_TEMPLATE/bug_report.md @@ -29,7 +29,7 @@ Please provide the following details: - Platform: (`Kubernetes`, `OpenShift`, `Rancher`, `GKE`, `EKS`, `AKS` etc.) - Platform Version: (e.g. `1.20.3`, `4.7.0`) -- PGO Image Tag: (e.g. `ubi8-5.1.0-0`) +- PGO Image Tag: (e.g. `ubi8-5.1.1-0`) - Postgres Version (e.g. `14`) - Storage: (e.g. `hostpath`, `nfs`, or the name of your storage class) diff --git a/.github/ISSUE_TEMPLATE/feature_request.md b/.github/ISSUE_TEMPLATE/feature_request.md index 960609a185..a9e9a9bee4 100644 --- a/.github/ISSUE_TEMPLATE/feature_request.md +++ b/.github/ISSUE_TEMPLATE/feature_request.md 
@@ -32,7 +32,7 @@ Please provide the following details: - Platform: (`Kubernetes`, `OpenShift`, `Rancher`, `GKE`, `EKS`, `AKS` etc.) - Platform Version: (e.g. `1.20.3`, `4.7.0`) -- PGO Image Tag: (e.g. `ubi8-5.1.0-0`) +- PGO Image Tag: (e.g. `ubi8-5.1.1-0`) - Postgres Version (e.g. `14`) - Storage: (e.g. `hostpath`, `nfs`, or the name of your storage class) - Number of Postgres clusters: (`XYZ`) diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml index 96878007ca..a2156b53f8 100644 --- a/.github/workflows/test.yaml +++ b/.github/workflows/test.yaml @@ -72,9 +72,9 @@ jobs: - name: Prefetch container images run: | { - echo '"registry.developers.crunchydata.com/crunchydata/crunchy-postgres:ubi8-13.6-1"' - echo '"registry.developers.crunchydata.com/crunchydata/crunchy-pgbackrest:ubi8-2.38-0"' - echo '"registry.developers.crunchydata.com/crunchydata/crunchy-pgbouncer:ubi8-1.16-2"' + echo '"registry.developers.crunchydata.com/crunchydata/crunchy-postgres:ubi8-13.7-0"' + echo '"registry.developers.crunchydata.com/crunchydata/crunchy-pgbackrest:ubi8-2.38-1"' + echo '"registry.developers.crunchydata.com/crunchydata/crunchy-pgbouncer:ubi8-1.16-3"' } | jq --slurp --arg name 'image-prefetch' --argjson labels '{"name":"image-prefetch"}' '{ apiVersion: "apps/v1", kind: "DaemonSet", diff --git a/Makefile b/Makefile index b59b7da94d..377a8283a6 100644 --- a/Makefile +++ b/Makefile @@ -6,7 +6,7 @@ PGO_IMAGE_PREFIX ?= crunchydata PGO_IMAGE_TAG ?= $(PGO_BASEOS)-$(PGO_VERSION) PGO_VERSION ?= $(shell git describe --tags) PGO_PG_VERSION ?= 13 -PGO_PG_FULLVERSION ?= 13.4 +PGO_PG_FULLVERSION ?= 13.7 PGO_KUBE_CLIENT ?= kubectl RELTMPDIR=/tmp/release.$(PGO_VERSION) diff --git a/config/default/kustomization.yaml b/config/default/kustomization.yaml index a563b1aef4..e97bc2fa7a 100644 --- a/config/default/kustomization.yaml +++ b/config/default/kustomization.yaml 
@@ -11,4 +11,4 @@ bases: images: - name: postgres-operator newName: registry.developers.crunchydata.com/crunchydata/postgres-operator - newTag: ubi8-5.1.0-0 + newTag: ubi8-5.1.1-0 diff --git a/config/manager/manager.yaml b/config/manager/manager.yaml index a5278c3807..8ce945a1b3 100644 --- a/config/manager/manager.yaml +++ b/config/manager/manager.yaml 
@@ -19,21 +19,21 @@ spec: - name: CRUNCHY_DEBUG value: "true" - name: RELATED_IMAGE_POSTGRES_13 - value: "registry.developers.crunchydata.com/crunchydata/crunchy-postgres:ubi8-13.6-1" + value: "registry.developers.crunchydata.com/crunchydata/crunchy-postgres:ubi8-13.7-0" - name: RELATED_IMAGE_POSTGRES_13_GIS_3.1 - value: "registry.developers.crunchydata.com/crunchydata/crunchy-postgres-gis:ubi8-13.6-3.1-1" + value: "registry.developers.crunchydata.com/crunchydata/crunchy-postgres-gis:ubi8-13.7-3.1-0" - name: RELATED_IMAGE_POSTGRES_14 - value: "registry.developers.crunchydata.com/crunchydata/crunchy-postgres:ubi8-14.2-1" - - name: RELATED_IMAGE_POSTGRES_14_GIS_3.1 - value: "registry.developers.crunchydata.com/crunchydata/crunchy-postgres-gis:ubi8-14.2-3.1-1" + value: "registry.developers.crunchydata.com/crunchydata/crunchy-postgres:ubi8-14.3-0" + - name: RELATED_IMAGE_POSTGRES_14_GIS_3.2 + value: "registry.developers.crunchydata.com/crunchydata/crunchy-postgres-gis:ubi8-14.3-3.2-0" - name: RELATED_IMAGE_PGADMIN - value: "registry.developers.crunchydata.com/crunchydata/crunchy-pgadmin4:ubi8-4.30-0" + value: "registry.developers.crunchydata.com/crunchydata/crunchy-pgadmin4:ubi8-4.30-1" - name: RELATED_IMAGE_PGBACKREST - value: "registry.developers.crunchydata.com/crunchydata/crunchy-pgbackrest:ubi8-2.38-0" + value: "registry.developers.crunchydata.com/crunchydata/crunchy-pgbackrest:ubi8-2.38-1" - name: RELATED_IMAGE_PGBOUNCER - value: "registry.developers.crunchydata.com/crunchydata/crunchy-pgbouncer:ubi8-1.16-2" + value: "registry.developers.crunchydata.com/crunchydata/crunchy-pgbouncer:ubi8-1.16-3" - name: RELATED_IMAGE_PGEXPORTER - value: "registry.developers.crunchydata.com/crunchydata/crunchy-postgres-exporter:ubi8-5.1.0-0" + value: "registry.developers.crunchydata.com/crunchydata/crunchy-postgres-exporter:ubi8-5.1.1-0" securityContext: allowPrivilegeEscalation: false readOnlyRootFilesystem: true 
diff --git a/config/singlenamespace/kustomization.yaml b/config/singlenamespace/kustomization.yaml index deadc9bcfc..ee58279218 100644 --- a/config/singlenamespace/kustomization.yaml +++ b/config/singlenamespace/kustomization.yaml @@ -14,4 +14,4 @@ patches: images: - name: postgres-operator newName: registry.developers.crunchydata.com/crunchydata/postgres-operator - newTag: ubi8-5.1.0-0 + newTag: ubi8-5.1.1-0 diff --git a/docs/config.toml b/docs/config.toml index d4f1c420c3..e6038fc59e 100644 --- a/docs/config.toml +++ b/docs/config.toml 
@@ -26,29 +26,31 @@ disableNavChevron = false # set true to hide next/prev chevron, default is false highlightClientSide = false # set true to use highlight.pack.js instead of the default hugo chroma highlighter menushortcutsnewtab = true # set true to open shortcuts links to a new tab/window enableGitInfo = true -operatorVersion = "5.1.0" -operatorVersionLatestRel5_0 = "5.0.5" -imageCrunchyPostgres = "registry.developers.crunchydata.com/crunchydata/crunchy-postgres:ubi8-14.2-1" -imageCrunchyPostgresPrivate = "registry.crunchydata.com/crunchydata/crunchy-postgres:ubi8-14.2-1" -imageCrunchyPGBackrest = "registry.developers.crunchydata.com/crunchydata/crunchy-pgbackrest:ubi8-2.38-0" -imageCrunchyPGBackrestPrivate = "registry.crunchydata.com/crunchydata/crunchy-pgbackrest:ubi8-2.38-0" -imageCrunchyPGBouncer = "registry.developers.crunchydata.com/crunchydata/crunchy-pgbouncer:ubi8-1.16-2" -imageCrunchyExporter = "registry.developers.crunchydata.com/crunchydata/crunchy-postgres-exporter:ubi8-5.1.0-0" -imageCrunchyPGAdmin = "registry.developers.crunchydata.com/crunchydata/crunchy-pgadmin4:ubi8-4.30-0" +operatorVersion = "5.1.1" +operatorVersionLatestRel5_0 = "5.0.6" +imageCrunchyPostgres = "registry.developers.crunchydata.com/crunchydata/crunchy-postgres:ubi8-14.3-0" +imageCrunchyPostgresPrivate = "registry.crunchydata.com/crunchydata/crunchy-postgres:ubi8-14.3-0" +imageCrunchyPGBackrest = "registry.developers.crunchydata.com/crunchydata/crunchy-pgbackrest:ubi8-2.38-1" +imageCrunchyPGBackrestPrivate = "registry.crunchydata.com/crunchydata/crunchy-pgbackrest:ubi8-2.38-1" +imageCrunchyPGBouncer = "registry.developers.crunchydata.com/crunchydata/crunchy-pgbouncer:ubi8-1.16-3" +imageCrunchyExporter = "registry.developers.crunchydata.com/crunchydata/crunchy-postgres-exporter:ubi8-5.1.1-0" +imageCrunchyPGAdmin = "registry.developers.crunchydata.com/crunchydata/crunchy-pgadmin4:ubi8-4.30-1" operatorRepository = "registry.developers.crunchydata.com/crunchydata/postgres-operator" 
operatorRepositoryPrivate = "registry.crunchydata.com/crunchydata/postgres-operator" -postgresOperatorTag = "ubi8-5.1.0-0" -PGBouncerComponentTagUbi8 = "ubi8-1.16-2" -PGBouncerTagUbi8 = "ubi8-5.1.0-0" -postgres14GIS31ComponentTagUbi8 = "ubi8-14.2-3.1-1" -postgres14GIS31TagUbi8 = "ubi8-14.2-3.1-5.1.0-0" +postgresOperatorTag = "ubi8-5.1.1-0" +PGBouncerComponentTagUbi8 = "ubi8-1.16-3" +PGBouncerTagUbi8 = "ubi8-5.1.1-0" +postgres14GIS32ComponentTagUbi8 = "ubi8-14.3-3.2-0" +postgres14GIS32TagUbi8 = "ubi8-14.3-3.2-5.1.1-0" +postgres14GIS31ComponentTagUbi8 = "ubi8-14.3-3.1-0" +postgres14GIS31TagUbi8 = "ubi8-14.3-3.1-5.1.1-0" fromPostgresVersion = "13" postgresVersion = "14" -postgresVersion14 = "14.2" -postgresVersion13 = "13.6" -postgresVersion12 = "12.10" -postgresVersion11 = "11.15" -postgresVersion10 = "10.20" +postgresVersion14 = "14.3" +postgresVersion13 = "13.7" +postgresVersion12 = "12.11" +postgresVersion11 = "11.16" +postgresVersion10 = "10.21" [outputs] home = [ "HTML", "RSS", "JSON"] diff --git a/docs/content/references/components.md b/docs/content/references/components.md index 70b0429ba9..a5e3bd8704 100644 --- a/docs/content/references/components.md +++ b/docs/content/references/components.md 
@@ -41,6 +41,7 @@ Note that for the 5.0.3 release and beyond, the Postgres containers were renamed | `crunchy-postgres` | {{< param postgresVersion12 >}} | 5.0.3 | {{< param operatorVersion >}} | | `crunchy-postgres` | {{< param postgresVersion11 >}} | 5.0.3 | {{< param operatorVersion >}} | | `crunchy-postgres` | {{< param postgresVersion10 >}} | 5.0.3 | {{< param operatorVersion >}} | +| `crunchy-postgres-gis` | {{< param postgresVersion14 >}}-3.2 | 5.1.1 | {{< param operatorVersion >}} | | `crunchy-postgres-gis` | {{< param postgresVersion14 >}}-3.1 | 5.0.3 | {{< param operatorVersion >}} | | `crunchy-postgres-gis` | {{< param postgresVersion13 >}}-3.1 | 5.0.3 | {{< param operatorVersion >}} | | `crunchy-postgres-gis` | {{< param postgresVersion13 >}}-3.0 | 5.0.3 | {{< param operatorVersion >}} | @@ -86,10 +87,10 @@ On the [developer portal](https://www.crunchydata.com/developers/download-postgr - `{{< param PGBouncerComponentTagUbi8 >}}` -PostGIS enabled containers have both the Postgres and PostGIS software versions included. For example, Postgres 14 with PostGIS 3.1 would use the following tags: +PostGIS enabled containers have both the Postgres and PostGIS software versions included. For example, Postgres 14 with PostGIS 3.2 would use the following tags: -- `{{< param postgres14GIS31ComponentTagUbi8 >}}` -- `{{< param postgres14GIS31TagUbi8 >}}` +- `{{< param postgres14GIS32ComponentTagUbi8 >}}` +- `{{< param postgres14GIS32TagUbi8 >}}` ## Extensions Compatibility @@ -113,6 +114,7 @@ The table also lists the initial PGO version that the version of the extension i | `pgAudit Analyze` | 1.0.8 | 14, 13, 12, 11, 10 | 5.0.3 | | `pgAudit Analyze` | 1.0.7 | 13, 12, 11, 10 | 5.0.0 | | `pg_cron` | 1.3.1 | 14, 13, 12, 11, 10 | 5.0.0 | +| `pg_partman` | 4.6.1 | 14, 13, 12, 11, 10 | 5.1.1 | | `pg_partman` | 4.6.0 | 14, 13, 12, 11, 10 | 5.0.4 | | `pg_partman` | 4.5.1 | 13, 12, 11, 10 | 5.0.0 | | `pgnodemx` | 1.3.0 | 14, 13, 12, 11, 10 | 5.1.0 | 
@@ -122,6 +124,7 @@ The table also lists the initial PGO version that the version of the extension i
 | `set_user` | 3.0.0 | 14, 13, 12, 11, 10 | 5.0.3 |
 | `set_user` | 2.0.1 | 13, 12, 11, 10 | 5.0.2 |
 | `set_user` | 2.0.0 | 13, 12, 11, 10 | 5.0.0 |
+| `TimescaleDB` | 2.6.1 | 14, 13, 12 | 5.1.1 |
 | `TimescaleDB` | 2.6.0 | 14, 13, 12 | 5.1.0 |
 | `TimescaleDB` | 2.5.0 | 14, 13, 12 | 5.0.3 |
 | `TimescaleDB` | 2.4.2 | 13, 12 | 5.0.3 |
@@ -137,6 +140,7 @@ The following extensions are available in the geospatially aware containers (`cr
 | Extension | Version | Postgres Versions | Initial PGO Version |
 |-----------|---------|-------------------|---------------------|
+| `PostGIS` | 3.2 | 14 | 5.1.1 |
 | `PostGIS` | 3.1 | 14, 13 | 5.0.0 |
 | `PostGIS` | 3.0 | 13, 12 | 5.0.0 |
 | `PostGIS` | 2.5 | 12, 11 | 5.0.0 |
diff --git a/docs/content/releases/5.1.1.md b/docs/content/releases/5.1.1.md
new file mode 100644
index 0000000000..0734b1083e
--- /dev/null
+++ b/docs/content/releases/5.1.1.md
@@ -0,0 +1,24 @@
+---
+title: "5.1.1"
+date:
+draft: false
+weight: 849
+---
+
+Crunchy Data announces the release of [Crunchy Postgres for Kubernetes](https://www.crunchydata.com/products/crunchy-postgresql-for-kubernetes/) 5.1.1.
+
+Crunchy Postgres for Kubernetes is powered by [PGO](https://github.com/CrunchyData/postgres-operator), the open source [Postgres Operator](https://github.com/CrunchyData/postgres-operator) from [Crunchy Data](https://www.crunchydata.com). [PGO](https://github.com/CrunchyData/postgres-operator) is released in conjunction with the [Crunchy Container Suite](https://github.com/CrunchyData/container-suite).
+
+Crunchy Postgres for Kubernetes 5.1.1 includes the following software versions upgrades:
+
+- [PostgreSQL](https://www.postgresql.org) versions 14.3, 13.7, 12.11, 11.16, and 10.21 are now available.
+- [PostGIS](http://postgis.net/) version 3.2.1 is now available.
+- The [pg_partman](https://github.com/pgpartman/pg_partman) extension is now at version 4.6.1.
+- The [TimescaleDB](https://github.com/timescale/timescaledb) extension is now at version 2.6.1.
+
+Read more about how you can [get started]({{< relref "quickstart/_index.md" >}}) with Crunchy Postgres for Kubernetes. We recommend [forking the Postgres Operator examples](https://github.com/CrunchyData/postgres-operator-examples/fork) repo.
+
+## Fixes
+
+- It is now possible to perform major PostgreSQL version upgrades when using an external WAL directory.
+- The documentation for pgAdmin 4 now clearly states that any pgAdmin user created by PGO will have a `@pgo` suffix.
diff --git a/examples/postgrescluster/postgrescluster.yaml b/examples/postgrescluster/postgrescluster.yaml
index c84f21b1ed..f211740dea 100644
--- a/examples/postgrescluster/postgrescluster.yaml
+++ b/examples/postgrescluster/postgrescluster.yaml
@@ -3,7 +3,7 @@ kind: PostgresCluster
 metadata:
 name: hippo
 spec:
- image: registry.developers.crunchydata.com/crunchydata/crunchy-postgres:ubi8-14.2-1
+ image: registry.developers.crunchydata.com/crunchydata/crunchy-postgres:ubi8-14.3-0
 postgresVersion: 14
 instances:
 - name: instance1
@@ -15,7 +15,7 @@ spec:
 storage: 1Gi
 backups:
 pgbackrest:
- image: registry.developers.crunchydata.com/crunchydata/crunchy-pgbackrest:ubi8-2.38-0
+ image: registry.developers.crunchydata.com/crunchydata/crunchy-pgbackrest:ubi8-2.38-1
 repos:
 - name: repo1
 volume:
@@ -35,4 +35,4 @@ spec:
 storage: 1Gi
 proxy:
 pgBouncer:
- image: registry.developers.crunchydata.com/crunchydata/crunchy-pgbouncer:ubi8-1.16-2
+ image: registry.developers.crunchydata.com/crunchydata/crunchy-pgbouncer:ubi8-1.16-3
diff --git a/installers/olm/Makefile b/installers/olm/Makefile
index a9ab260f1a..1b3b1e6d73 100644
--- a/installers/olm/Makefile
+++ b/installers/olm/Makefile
@@ -2,8 +2,8 @@
 .SUFFIXES:
 CONTAINER ?= docker
-PGO_VERSION ?= 5.1.0
-REPLACES_VERSION ?= 5.0.5
+PGO_VERSION ?= 5.1.1
+REPLACES_VERSION ?= 5.1.0
 OS_KERNEL ?= $(shell bash -c 'echo $${1,,}' - `uname -s`)
 OS_MACHINE ?= $(shell bash -c 'echo $${1/x86_/amd}' - `uname -m`)
diff --git a/installers/olm/bundle.relatedImages.yaml b/installers/olm/bundle.relatedImages.yaml
index 510ea9b440..f712f67413 100644
--- a/installers/olm/bundle.relatedImages.yaml
+++ b/installers/olm/bundle.relatedImages.yaml
@@ -17,5 +17,7 @@
 image: registry.connect.redhat.com/crunchydata/crunchy-postgres-gis@sha256:
 - name: POSTGRES_14_GIS_3.1
 image: registry.connect.redhat.com/crunchydata/crunchy-postgres-gis@sha256:
+ - name: POSTGRES_14_GIS_3.2
+ image: registry.connect.redhat.com/crunchydata/crunchy-postgres-gis@sha256:
 - name: postgres-operator
 image: registry.connect.redhat.com/crunchydata/postgres-operator@sha256:
diff --git a/installers/olm/config/redhat/related-images.yaml b/installers/olm/config/redhat/related-images.yaml
index f9e0aff6c5..de5ec88df7 100644
--- a/installers/olm/config/redhat/related-images.yaml
+++ b/installers/olm/config/redhat/related-images.yaml
@@ -25,3 +25,4 @@ spec:
 - { name: RELATED_IMAGE_POSTGRES_13_GIS_3.0, value: 'registry.connect.redhat.com/crunchydata/crunchy-postgres-gis@sha256:' }
 - { name: RELATED_IMAGE_POSTGRES_13_GIS_3.1, value: 'registry.connect.redhat.com/crunchydata/crunchy-postgres-gis@sha256:' }
 - { name: RELATED_IMAGE_POSTGRES_14_GIS_3.1, value: 'registry.connect.redhat.com/crunchydata/crunchy-postgres-gis@sha256:' }
+ - { name: RELATED_IMAGE_POSTGRES_14_GIS_3.2, value: 'registry.connect.redhat.com/crunchydata/crunchy-postgres-gis@sha256:' }
diff --git a/internal/controller/postgrescluster/helpers_test.go b/internal/controller/postgrescluster/helpers_test.go
index ff730b30bf..cce922787f 100644
--- a/internal/controller/postgrescluster/helpers_test.go
+++ b/internal/controller/postgrescluster/helpers_test.go
@@ -43,9 +43,9 @@ import (
 var (
 //TODO(tjmoore4): With the new RELATED_IMAGES defaulting behavior, tests could be refactored
 // to reference those environment variables instead of hard coded image values
- CrunchyPostgresHAImage = "registry.developers.crunchydata.com/crunchydata/crunchy-postgres:ubi8-13.6-1"
- CrunchyPGBackRestImage = "registry.developers.crunchydata.com/crunchydata/crunchy-pgbackrest:ubi8-2.38-0"
- CrunchyPGBouncerImage = "registry.developers.crunchydata.com/crunchydata/crunchy-pgbouncer:ubi8-1.16-2"
+ CrunchyPostgresHAImage = "registry.developers.crunchydata.com/crunchydata/crunchy-postgres:ubi8-13.7-0"
+ CrunchyPGBackRestImage = "registry.developers.crunchydata.com/crunchydata/crunchy-pgbackrest:ubi8-2.38-1"
+ CrunchyPGBouncerImage = "registry.developers.crunchydata.com/crunchydata/crunchy-pgbouncer:ubi8-1.16-3"
 )
 // Scale extends d according to PGO_TEST_TIMEOUT_SCALE.
From 5f47d796c36afdfe11989cba64e9f2d9265155ef Mon Sep 17 00:00:00 2001
From: Val
Date: Fri, 13 May 2022 12:12:45 -0400
Subject: [PATCH 5/7] Update Makefile
---
 Makefile | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/Makefile b/Makefile
index 377a8283a6..dc50d25786 100644
--- a/Makefile
+++ b/Makefile
@@ -5,8 +5,8 @@ PGO_BASEOS ?= ubi8
 PGO_IMAGE_PREFIX ?= crunchydata
 PGO_IMAGE_TAG ?= $(PGO_BASEOS)-$(PGO_VERSION)
 PGO_VERSION ?= $(shell git describe --tags)
-PGO_PG_VERSION ?= 13
-PGO_PG_FULLVERSION ?= 13.7
+PGO_PG_VERSION ?= 14
+PGO_PG_FULLVERSION ?= 14.3
 PGO_KUBE_CLIENT ?= kubectl
 RELTMPDIR=/tmp/release.$(PGO_VERSION)
From 5ca3515191d97231c1413fbfc102816e5f3e96a0 Mon Sep 17 00:00:00 2001
From: Val
Date: Fri, 13 May 2022 17:57:30 -0400
Subject: [PATCH 6/7] Update components.md added 5.0.6 component updates
---
 docs/content/references/components.md | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/docs/content/references/components.md b/docs/content/references/components.md
index a5e3bd8704..79338857d4 100644
--- a/docs/content/references/components.md
+++ b/docs/content/references/components.md
@@ -30,7 +30,8 @@ Note that for the 5.0.3 release and beyond, the Postgres containers were renamed
 |-----------|---------|------------------|------------------|
 | `crunchy-pgadmin4` | 4.30 | 5.1.0 | {{< param operatorVersion >}} |
 | `crunchy-pgbackrest` | 2.38 | 5.1.0 | {{< param operatorVersion >}} |
-| `crunchy-pgbackrest` | 2.36 | 5.0.4 | {{< param operatorVersionLatestRel5_0 >}} |
+| `crunchy-pgbackrest` | 2.38 | 5.0.5 | {{< param operatorVersionLatestRel5_0 >}} |
+| `crunchy-pgbackrest` | 2.36 | 5.0.4 | 5.0.5 |
 | `crunchy-pgbackrest` | 2.35 | 5.0.3 | 5.0.3 |
 | `crunchy-pgbackrest` | 2.33 | 5.0.0 | 5.0.2 |
 | `crunchy-pgbouncer` | 1.16.2 | 5.1.0 | {{< param operatorVersion >}} |
@@ -101,23 +102,29 @@ The table also lists the initial PGO version that the version of the extension i
 | Extension | Version | Postgres Versions | Initial PGO Version |
 |-----------|---------|-------------------|---------------------|
 | `pgAudit` | 1.6.2 | 14 | 5.1.0 |
+| `pgAudit` | 1.6.2 | 14 | 5.0.6 |
 | `pgAudit` | 1.6.1 | 14 | 5.0.4 |
 | `pgAudit` | 1.6.0 | 14 | 5.0.3 |
 | `pgAudit` | 1.5.2 | 13 | 5.1.0 |
+| `pgAudit` | 1.5.2 | 13 | 5.0.6 |
 | `pgAudit` | 1.5.0 | 13 | 5.0.0 |
 | `pgAudit` | 1.4.3 | 12 | 5.1.0 |
 | `pgAudit` | 1.4.1 | 12 | 5.0.0 |
 | `pgAudit` | 1.3.4 | 11 | 5.1.0 |
+| `pgAudit` | 1.3.4 | 11 | 5.0.6 |
 | `pgAudit` | 1.3.2 | 11 | 5.0.0 |
 | `pgAudit` | 1.2.4 | 10 | 5.1.0 |
+| `pgAudit` | 1.2.4 | 10 | 5.0.6 |
 | `pgAudit` | 1.2.2 | 10 | 5.0.0 |
 | `pgAudit Analyze` | 1.0.8 | 14, 13, 12, 11, 10 | 5.0.3 |
 | `pgAudit Analyze` | 1.0.7 | 13, 12, 11, 10 | 5.0.0 |
 | `pg_cron` | 1.3.1 | 14, 13, 12, 11, 10 | 5.0.0 |
 | `pg_partman` | 4.6.1 | 14, 13, 12, 11, 10 | 5.1.1 |
+| `pg_partman` | 4.6.1 | 14, 13, 12, 11, 10 | 5.0.6 |
 | `pg_partman` | 4.6.0 | 14, 13, 12, 11, 10 | 5.0.4 |
 | `pg_partman` | 4.5.1 | 13, 12, 11, 10 | 5.0.0 |
 | `pgnodemx` | 1.3.0 | 14, 13, 12, 11, 10 | 5.1.0 |
+| `pgnodemx` | 1.3.0 | 14, 13, 12, 11, 10 | 5.0.6 |
 | `pgnodemx` | 1.2.0 | 14, 13, 12, 11, 10 | 5.0.4 |
 | `pgnodemx` | 1.0.5 | 14, 13, 12, 11, 10 | 5.0.3 |
 | `pgnodemx` | 1.0.4 | 13, 12, 11, 10 | 5.0.0 |
@@ -125,6 +132,7 @@ The table also lists the initial PGO version that the version of the extension i
 | `set_user` | 2.0.1 | 13, 12, 11, 10 | 5.0.2 |
 | `set_user` | 2.0.0 | 13, 12, 11, 10 | 5.0.0 |
 | `TimescaleDB` | 2.6.1 | 14, 13, 12 | 5.1.1 |
+| `TimescaleDB` | 2.6.1 | 14, 13, 12 | 5.0.6 |
 | `TimescaleDB` | 2.6.0 | 14, 13, 12 | 5.1.0 |
 | `TimescaleDB` | 2.5.0 | 14, 13, 12 | 5.0.3 |
 | `TimescaleDB` | 2.4.2 | 13, 12 | 5.0.3 |
@@ -141,6 +149,7 @@ The following extensions are available in the geospatially aware containers (`cr
 | Extension | Version | Postgres Versions | Initial PGO Version |
 |-----------|---------|-------------------|---------------------|
 | `PostGIS` | 3.2 | 14 | 5.1.1 |
+| `PostGIS` | 3.2 | 14 | 5.0.6 |
 | `PostGIS` | 3.1 | 14, 13 | 5.0.0 |
 | `PostGIS` | 3.0 | 13, 12 | 5.0.0 |
 | `PostGIS` | 2.5 | 12, 11 | 5.0.0 |
From af7901af3e4135d9106d093ff81ae544f4ca2ade Mon Sep 17 00:00:00 2001
From: Val
Date: Mon, 16 May 2022 12:23:06 -0400
Subject: [PATCH 7/7] Update 5.1.1.md
---
 docs/content/releases/5.1.1.md | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/docs/content/releases/5.1.1.md b/docs/content/releases/5.1.1.md
index 0734b1083e..233c95e2ec 100644
--- a/docs/content/releases/5.1.1.md
+++ b/docs/content/releases/5.1.1.md
@@ -22,3 +22,7 @@ Read more about how you can [get started]({{< relref "quickstart/_index.md" >}})
 - It is now possible to perform major PostgreSQL version upgrades when using an external WAL directory.
 - The documentation for pgAdmin 4 now clearly states that any pgAdmin user created by PGO will have a `@pgo` suffix.
+
+## Changes
+
+- The `seccompProfile` field in the `securityContext` for all containers is now set to `RuntimeDefault` in order to properly restrict syscalls.