fix(deps): update all non-major go dependencies#801
Merged
Conversation
Contributor
Author
ℹ️ Artifact update noticeFile name: go.modIn order to perform the update(s) described in the table above, Renovate ran the
Details:
|
![renovate-approve[bot]](https://avatars.githubusercontent.com/in/7394?s=60&v=4){kind=small}
renovate
bot
force-pushed
the
renovate/all-non-major-go-dependencies
branch
3 times, most recently
from
e48ca9a to
8c601e7
Compare
renovate
bot
changed the title
renovate
bot
changed the title
renovate
bot
force-pushed
the
renovate/all-non-major-go-dependencies
branch
from
8c601e7 to
244b9f0
Compare
| datasource | package | from | to | | ---------- | ---------------------------------------- | ------- | ------- | | go | github.com/cert-manager/cert-manager | v1.19.4 | v1.20.1 | | go | github.com/cloudnative-pg/cloudnative-pg | v1.28.1 | v1.29.0 | | go | github.com/cloudnative-pg/cnpg-i | v0.3.1 | v0.5.0 | | go | google.golang.org/grpc | v1.79.3 | v1.80.0 | Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
renovate
bot
force-pushed
the
renovate/all-non-major-go-dependencies
branch
from
244b9f0 to
6db67f0
Compare
renovate
bot
changed the title
mnencia
approved these changes
Apr 9, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
v1.19.4→v1.20.1v1.28.1→v1.29.0v0.3.1→v0.5.0v1.79.3→v1.80.0Release Notes
cert-manager/cert-manager (github.com/cert-manager/cert-manager)
v1.20.1Compare Source
v1.20.0Compare Source
cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.
v1.20.0 adds alpha support for the new ListenerSet resource, adds support for Azure Private DNS; parentRefs are no longer required when using ACME with Gateway API, and OtherNames was promoted to Beta.
Changes by Kind
Feature
imagePullSecretsin thestartupapicheck-jobHelm template to enable pulling images from private registries. (#8186, @mathieu-clnk)parentRefoverride annotations on the Certificate resource. (#8518, @hjoshi123)venafi.cert-manager.io/custom-fieldsannotation on Issuer/ClusterIssuer and use it as base with override/append capabilities on Certificate level. (#8301, @k0da)acme.cert-manager.io/http01-ingress-ingressclassnameto overridehttp01.ingress.ingressClassNamefield in HTTP-01 challenge solvers. (#8244, @lunarwhite)global.nodeSelectorto helm chart to perform amergeand allow for a singlenodeSelectorto be set across all services. (#8195, @StingRayZA)XListenerSetsfeature gate (#8394, @hjoshi123)Documentation
Bug or Regression
Add full detailed DNS-01 errors to the events attached to the Challenge, for easier debugging (#8221, @wallrj-cyberark)
v1.25.5to fixCVE-2025-61727andCVE-2025-61729(#8290, @octo-sts[bot])cert-manager. Previously, it was set depending on various factors (namespace cert-manager is installed in and/or Helm release name). (#8162, @LiquidPL)Other (Cleanup or Flake)
XListenerSetsfeature gate toListenerSets(#8501, @hjoshi123)cloudnative-pg/cloudnative-pg (github.com/cloudnative-pg/cloudnative-pg)
v1.29.0Compare Source
Release date: Mar 31, 2026
Important changes
Features
PostgreSQL extensions in image catalogs: extended the
ImageCatalogfunctionality to support PostgreSQL extensions. This allows users to define and manage extension-specific images within a catalog, simplifying the deployment of customized PostgreSQL builds. (#9781)Dynamic network access control via pod selectors: introduced the declarative definition of
podSelectorRefsto managepg_hba.confrules dynamically. By using label selectors to identify client pods, the operator automatically resolves their ephemeral IP addresses and updates the PostgreSQL host-based authentication rules accordingly. This ensures that only authorized workloads in the same namespace can connect to the database, eliminating the need for manual IP management or static CIDR ranges. (#10148)Shared
ServiceAccountsupport: added an optionalserviceAccountNamefield to bothClusterandPoolerspecifications. This allows multiple resources to share a pre-existing ServiceAccount, facilitating one-time IAM configurations (such as AWS IRSA, GCP Workload Identity, or Azure Workload Identity) across all clusters and poolers. Contributed by @bozkayasalihx. (#9287)Enhancements
Improved the
PoolerCRD with support for granular configuration of TLS cipher suites and minimum/maximum TLS versions. This enables administrators to meet strict security compliance requirements for pooler-to-client and pooler-to-server connections. Contributed by @alex1989hu. (#9571)Improved the reliability of major upgrades by setting
BackoffLimit=0on the upgrade job, preventing unnecessary retries of a failedpg_upgrade. The operator now automatically deletes the failed job when a user reverts the container image, allowing the cluster to restart gracefully on the original version. (#10104, #10298)Improved the operator's observability by emitting native Kubernetes events during key phases of the reconciliation loop, providing visibility into the operator's decision-making process and the lifecycle of managed resources directly through
kubectl get events. (#10040)Extended support for the
cnpg.io/reconciliationDisabledannotation on Backup resources. This allows administrators to temporarily freeze the operator's reconciliation logic for specific backup objects. Contributed by @GabriFedi97. (#10020)Added a
bin_pathfield to thepostgresql.extensionsstanza, as well as inImageCatalogandClusterImageCatalogresources. This allows extensions to specify directory paths for external binaries, which are automatically appended to thePATHenvironment variable of the Postgres process. (#10250)Added an
envfield to thepostgresql.extensionsstanza, as well as inImageCatalogandClusterImageCatalogresources. This allows cluster administrators to define custom environment variables for the Postgres process. This field supports the${image_root}placeholder to dynamically resolve to the extension's absolute mount path. (#10375)Implemented a finalizer for plugins to ensure that resources managed by a plugin are gracefully cleaned up when the corresponding service is deleted. (#9560)
Improved role management by verifying the instance is the primary before each reconciliation cycle, avoiding unnecessary reconciliation attempts and spurious error messages on read-only replicas. (#9971)
The operator now honors the
primaryUpdateMethodwhen adding new PVCs to a cluster, ensuring that the rollout strategy (e.g., switchover vs. restart) is respected during storage expansion or additions. (#9720)Refined the
alpha.cnpg.io/unrecoverableannotation logic to allow it to function even on pods that have not yet reached theReadystate, facilitating the recovery of stuck instances. (#9968)Introduced a "Terminal Error" phase for backups that encounter unrecoverable issues (such as invalid credentials or non-existent cloud buckets). This ensures the operator stops retrying doomed operations, preventing resource exhaustion and providing immediate, clear feedback in the status. (#9353)
Improved monitoring of long-running backups by introducing
reconciliationStartedAtandreconciliationTerminatedAtfields to theBackupstatus. This change separates the operator's internal lifecycle from the actual backup tool's execution timing (startedAt/stoppedAt), allowing users to track when the operator begins processing a request. (#9351)Added a
Pendingphase to theBackupstatus to explicitly indicate when a backup is queued and waiting for an available worker or instance availability. (#9364)Security and Supply Chain
Security best practices integration: integrated the OpenSSF baseline scanner and added a
SECURITY-INSIGHTS.yamlfile to the repository to align with industry-standard security reporting. (#10054, #10062)SLSA provenance and SBOMs: added SLSA (Supply-chain Levels for Software Artifacts) provenance to release binaries and container images. Additionally, enabled Software Bill of Materials (SBOM) generation within the GoReleaser pipeline for improved dependency transparency. (#10048, #10074)
Password leak prevention: fixed a potential security risk where PostgreSQL could leak role passwords in the logs during specific reconciliation phases. (#9950)
Changes
18.3-system-trixie). (#10090)Fixes
Fixed a deadlock during operator upgrades affecting clusters using synchronous replication, where pods running the old and new operator versions computed different PostgreSQL configuration hashes, causing the uniformity check to block indefinitely and preventing both rolling updates and in-place upgrades from proceeding. (#10342)
Fixed an issue where fencing annotations could not be processed when the WAL disk was full, because the disk space check blocked the instance manager from starting. The check is now performed later in the lifecycle loop, after fencing is evaluated. (#10302)
Fixed an issue where replicas would get stuck in a
Pendingstate if theVolumeSnapshotused for the initial bootstrap had been deleted. The operator now validates snapshot existence before use; if a snapshot is missing, it attempts to use the next available candidate or falls back topg_basebackup. (#10192)Prevented the "supervised primary" rollout strategy from consuming all available rollout slots, which previously caused delays in scheduled updates. Contributed by @ermakov-oleg. (#9977)
Fixed an issue where certain hot-standby parameter changes were not being correctly applied to replica clusters. (#9952)
Fixed a bug in the CNPG-I reconciler hook that could lead to skipping subsequent plugins when a "continue" result was returned. Contributed by @sharifmshaker. (#9978)
Fixed a deadlock scenario that occurred when attempting to resize a filesystem on a PVC that was not currently attached to a Pod. Contributed by @jmealo. (#9981)
Fixed webhook validation of bootstrap recovery sources to accept external clusters configured with
ConnectionParameters(forpg_basebackup-based recovery). Previously, these were incorrectly rejected unless a Barman object store or CNPG-i plugin was also configured. (#10268)Volume names for extensions and tablespaces are now prefixed to avoid naming collisions with standard cluster volumes. (#9973)
When hibernating a non-healthy cluster, the operator now reports a
WaitingForHealthycondition, making the deferred hibernation state visible throughcnpg status. (#10193)Fixed fencing to work correctly even when the target pod does not exist. Fencing operates on a cluster-level annotation and should not depend on pod existence; instance name validation is now performed only in the
cnpg fencing oncommand. (#10035)Fixed the cluster and pooler service reconcilers to correctly handle changes to all spec fields when using the patch update strategy. The reconciler now uses RFC 7386 JSON Merge Patching, preventing cloud-provider-set fields (such as
loadBalancerClass) from being inadvertently removed. (#10190, #10311)Fixed a race condition in the deprecated in-tree Barman Cloud backup implementation affecting parallel WAL restore, where prefetched files could be read while still being downloaded, causing PostgreSQL recovery to fail with "invalid checkpoint record" errors. (#10285)
Fixed the timeline history file validation to also apply to plugin-based WAL restore. Previously, the protection introduced in #9650 only covered in-tree restores, allowing plugins to bypass the check and download future timeline history files, causing timeline mismatch errors on replicas. (#9849)
cnpgplugin:pgbenchJob pod template. (#10174)Supported versions
v1.28.2Compare Source
Release date: Mar 31, 2026
Important changes
Enhancements
Improved the
PoolerCRD with support for granular configuration of TLS cipher suites and minimum/maximum TLS versions. This enables administrators to meet strict security compliance requirements for pooler-to-client and pooler-to-server connections. Contributed by @alex1989hu. (#9571)Improved the reliability of major upgrades by setting
BackoffLimit=0on the upgrade job, preventing unnecessary retries of a failedpg_upgrade. The operator now automatically deletes the failed job when a user reverts the container image, allowing the cluster to restart gracefully on the original version. (#10104, #10298)Improved role management by verifying the instance is the primary before each reconciliation cycle, avoiding unnecessary reconciliation attempts and spurious error messages on read-only replicas. (#9971)
Extended the CRD schemas for
Cluster,ImageCatalog, andClusterImageCatalogto accept theextensions,bin_path, andenvfields introduced in 1.29. The operator ignores these fields on older versions, but accepting them in the schema allows users to share a single manifest across clusters running different CNPG versions. (#10131, #10387)The operator now honors the
primaryUpdateMethodwhen adding new PVCs to a cluster, ensuring that the rollout strategy (e.g., switchover vs. restart) is respected during storage expansion or additions. (#9720)Refined the
alpha.cnpg.io/unrecoverableannotation logic to allow it to function even on pods that have not yet reached theReadystate, facilitating the recovery of stuck instances. (#9968)Security and Supply Chain
Security best practices integration: integrated the OpenSSF baseline scanner and added a
SECURITY-INSIGHTS.yamlfile to the repository to align with industry-standard security reporting. (#10054, #10062)SLSA provenance and SBOMs: added SLSA (Supply-chain Levels for Software Artifacts) provenance to release binaries and container images. Additionally, enabled Software Bill of Materials (SBOM) generation within the GoReleaser pipeline for improved dependency transparency. (#10048, #10074)
Password leak prevention: fixed a potential security risk where PostgreSQL could leak role passwords in the logs during specific reconciliation phases. (#9950)
Changes
18.3-system-trixie). (#10090)Fixes
Fixed a deadlock during operator upgrades affecting clusters using synchronous replication, where pods running the old and new operator versions computed different PostgreSQL configuration hashes, causing the uniformity check to block indefinitely and preventing both rolling updates and in-place upgrades from proceeding. (#10342)
Fixed an issue where fencing annotations could not be processed when the WAL disk was full, because the disk space check blocked the instance manager from starting. The check is now performed later in the lifecycle loop, after fencing is evaluated. (#10302)
Fixed an issue where replicas would get stuck in a
Pendingstate if theVolumeSnapshotused for the initial bootstrap had been deleted. The operator now validates snapshot existence before use; if a snapshot is missing, it attempts to use the next available candidate or falls back topg_basebackup. (#10192)Prevented the "supervised primary" rollout strategy from consuming all available rollout slots, which previously caused delays in scheduled updates. Contributed by @ermakov-oleg. (#9977)
Fixed an issue where certain hot-standby parameter changes were not being correctly applied to replica clusters. (#9952)
Fixed a bug in the CNPG-I reconciler hook that could lead to skipping subsequent plugins when a "continue" result was returned. Contributed by @sharifmshaker. (#9978)
Fixed a deadlock scenario that occurred when attempting to resize a filesystem on a PVC that was not currently attached to a Pod. Contributed by @jmealo. (#9981)
Fixed webhook validation of bootstrap recovery sources to accept external clusters configured with
ConnectionParameters(forpg_basebackup-based recovery). Previously, these were incorrectly rejected unless a Barman object store or CNPG-i plugin was also configured. (#10268)Volume names for extensions and tablespaces are now prefixed to avoid naming collisions with standard cluster volumes. (#9973)
When hibernating a non-healthy cluster, the operator now reports a
WaitingForHealthycondition, making the deferred hibernation state visible throughcnpg status. (#10193)Fixed fencing to work correctly even when the target pod does not exist. Fencing operates on a cluster-level annotation and should not depend on pod existence; instance name validation is now performed only in the
cnpg fencing oncommand. (#10035)Fixed the cluster and pooler service reconcilers to correctly handle changes to all spec fields when using the patch update strategy. The reconciler now uses RFC 7386 JSON Merge Patching, preventing cloud-provider-set fields (such as
loadBalancerClass) from being inadvertently removed. (#10190, #10311)Fixed a race condition in the deprecated in-tree Barman Cloud backup implementation affecting parallel WAL restore, where prefetched files could be read while still being downloaded, causing PostgreSQL recovery to fail with "invalid checkpoint record" errors. (#10285)
Fixed the timeline history file validation to also apply to plugin-based WAL restore. Previously, the protection introduced in #9650 only covered in-tree restores, allowing plugins to bypass the check and download future timeline history files, causing timeline mismatch errors on replicas. (#9849)
cnpgplugin:pgbenchJob pod template. (#10174)cloudnative-pg/cnpg-i (github.com/cloudnative-pg/cnpg-i)
v0.5.0Compare Source
Reverts
v0.4.0Compare Source
Features
Bug Fixes
grpc/grpc-go (google.golang.org/grpc)
v1.80.0: Release 1.80.0Compare Source
Behavior Changes
LOGICAL_DNSclusters simultaneously when re-resolution is requested.Bug Fixes
LOGICAL_DNScluster resources instead of defaulting topick_first. (#8733)uint32value. (#8899)blackout_periodwas used instead ofweight_expiration_period. (#8915)New Features
Performance Improvements
Configuration
📅 Schedule: (UTC)
🚦 Automerge: Enabled.
♻ Rebasing: Never, or you tick the rebase/retry checkbox.
👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.
This PR was generated by Mend Renovate. View the repository job log.