diff --git a/website/docs/cloudnative-pg.v1.md b/website/docs/cloudnative-pg.v1.md
index 96f272d..80a00be 100644
--- a/website/docs/cloudnative-pg.v1.md
+++ b/website/docs/cloudnative-pg.v1.md
@@ -984,7 +984,7 @@ _Appears in:_
| Field | Description | Required | Default | Validation |
| --- | --- | --- | --- | --- |
-| `name` _string_ | The name of the extension, required | True | | MinLength: 1
Pattern: `^[a-z0-9]([-a-z0-9]*[a-z0-9])?$`
|
+| `name` _string_ | The name of the extension, required | True | | MinLength: 1
Pattern: `^[a-z0-9]([-a-z0-9_]*[a-z0-9])?$`
|
| `image` _[ImageVolumeSource](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#imagevolumesource-v1-core)_ | The image containing the extension, required | True | | |
| `extension_control_path` _string array_ | The list of directories inside the image which should be added to extension_control_path.
If not defined, defaults to "/share". | | | |
| `dynamic_library_path` _string array_ | The list of directories inside the image which should be added to dynamic_library_path.
If not defined, defaults to "/lib". | | | |
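Review bot: The `name` row still lists only `MinLength: 1` next to the widened pattern `^[a-z0-9]([-a-z0-9_]*[a-z0-9])?$`, so nothing in this table bounds the length. The name is turned into a Kubernetes volume name that has to satisfy RFC 1123 DNS label rules, and a DNS label is limited to 63 characters. Either add a maximum length to the validation or state in the description where the limit is enforced. The description "The name of the extension, required" should also mention that underscores are replaced with hyphens for the volume name, since this reference table is what many users read first.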
diff --git a/website/docs/imagevolume_extensions.md b/website/docs/imagevolume_extensions.md
index c759b8e..6defa81 100644
--- a/website/docs/imagevolume_extensions.md
+++ b/website/docs/imagevolume_extensions.md
@@ -137,9 +137,17 @@ spec:
The `name` field is **mandatory** and **must be unique within the cluster**, as
it determines the mount path (`/extensions/foo` in this example). It must
-consist of *lowercase alphanumeric characters or hyphens (`-`)* and must start
+consist of *lowercase alphanumeric characters, underscores (`_`) or hyphens (`-`)* and must start
and end with an alphanumeric character.
+:::note
+Extension names containing underscores (e.g., `pg_ivm`) are converted to use
+hyphens (e.g., `pg-ivm`) for Kubernetes volume names to comply with RFC 1123
+DNS label requirements. Do not use extension names that become identical after
+sanitization (e.g., `pg_ivm` and `pg-ivm` both sanitize to `pg-ivm`). The
+webhook validation will prevent such conflicts.
+:::
+
The `image` stanza follows the [Kubernetes `ImageVolume` API](https://kubernetes.io/docs/tasks/configure-pod-container/image-volumes/).
The `reference` must point to a valid container registry path for the extension
image.
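Review bot: The new note covers the volume-name sanitization but not the mount path, even though the paragraph directly above says `name` "determines the mount path (`/extensions/foo` in this example)". The release notes in this same patch state that the original name is preserved in mount paths; say that here as well, so readers know which of the two forms appears where. "Do not use extension names that become identical after sanitization" followed by "The webhook validation will prevent such conflicts" also reads as two different contracts. State once that such a spec is rejected at admission.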
diff --git a/website/docs/installation_upgrade.md b/website/docs/installation_upgrade.md
index 7baba55..c664743 100644
--- a/website/docs/installation_upgrade.md
+++ b/website/docs/installation_upgrade.md
@@ -14,12 +14,12 @@ title: Installation and upgrades
The operator can be installed like any other resource in Kubernetes,
through a YAML manifest applied via `kubectl`.
-You can install the [latest operator manifest](https://raw.githubusercontent.com/cloudnative-pg/cloudnative-pg/release-1.28/releases/cnpg-1.28.0.yaml)
+You can install the [latest operator manifest](https://raw.githubusercontent.com/cloudnative-pg/cloudnative-pg/release-1.28/releases/cnpg-1.28.1.yaml)
for this minor release as follows:
```sh
kubectl apply --server-side -f \
- https://raw.githubusercontent.com/cloudnative-pg/cloudnative-pg/release-1.28/releases/cnpg-1.28.0.yaml
+ https://raw.githubusercontent.com/cloudnative-pg/cloudnative-pg/release-1.28/releases/cnpg-1.28.1.yaml
```
You can verify that with:
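Review bot: The bumped URL, in both the link and the `kubectl apply --server-side -f` command, still resolves through the `release-1.28` branch, which is a mutable ref, whereas the plugin downloads in this patch use the tagged `releases/download/v1.28.1/` path. For a manifest that installs an operator, consider pointing at an immutable ref for the release, or documenting a download, review and integrity-check step before `kubectl apply`.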
diff --git a/website/docs/kubectl-plugin.md b/website/docs/kubectl-plugin.md
index 26521a9..25f07a7 100644
--- a/website/docs/kubectl-plugin.md
+++ b/website/docs/kubectl-plugin.md
@@ -38,11 +38,11 @@ them in your systems.
#### Debian packages
-For example, let's install the 1.28.0 release of the plugin, for an Intel based
+For example, let's install the 1.28.1 release of the plugin, for an Intel based
64 bit server. First, we download the right `.deb` file.
```sh
-wget https://github.com/cloudnative-pg/cloudnative-pg/releases/download/v1.28.0/kubectl-cnpg_1.28.0_linux_x86_64.deb \
+wget https://github.com/cloudnative-pg/cloudnative-pg/releases/download/v1.28.1/kubectl-cnpg_1.28.1_linux_x86_64.deb \
--output-document kube-plugin.deb
```
@@ -53,17 +53,17 @@ $ sudo dpkg -i kube-plugin.deb
Selecting previously unselected package cnpg.
(Reading database ... 6688 files and directories currently installed.)
Preparing to unpack kube-plugin.deb ...
-Unpacking cnpg (1.28.0) ...
-Setting up cnpg (1.28.0) ...
+Unpacking cnpg (1.28.1) ...
+Setting up cnpg (1.28.1) ...
```
#### RPM packages
-As in the example for `.rpm` packages, let's install the 1.28.0 release for an
+As in the example for `.rpm` packages, let's install the 1.28.1 release for an
Intel 64 bit machine. Note the `--output` flag to provide a file name.
```sh
-curl -L https://github.com/cloudnative-pg/cloudnative-pg/releases/download/v1.28.0/kubectl-cnpg_1.28.0_linux_x86_64.rpm \
+curl -L https://github.com/cloudnative-pg/cloudnative-pg/releases/download/v1.28.1/kubectl-cnpg_1.28.1_linux_x86_64.rpm \
--output kube-plugin.rpm
```
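Review bot: In the RPM section the rewritten sentence still reads "As in the example for `.rpm` packages", which refers to itself. The preceding example is the Debian one, so this should say `.deb`. The line is already being touched for the version bump, so fix the wording in the same change.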
@@ -77,7 +77,7 @@ Dependencies resolved.
Package Architecture Version Repository Size
====================================================================================================
Installing:
- cnpg x86_64 1.28.0 @commandline 20 M
+ cnpg x86_64 1.28.1 @commandline 20 M
Transaction Summary
====================================================================================================
@@ -306,9 +306,9 @@ sandbox-3 0/604DE38 0/604DE38 0/604DE38 0/604DE38 00:00:00 00:00:00 00
Instances status
Name Current LSN Replication role Status QoS Manager Version Node
---- ----------- ---------------- ------ --- --------------- ----
-sandbox-1 0/604DE38 Primary OK BestEffort 1.28.0 k8s-eu-worker
-sandbox-2 0/604DE38 Standby (async) OK BestEffort 1.28.0 k8s-eu-worker2
-sandbox-3 0/604DE38 Standby (async) OK BestEffort 1.28.0 k8s-eu-worker
+sandbox-1 0/604DE38 Primary OK BestEffort 1.28.1 k8s-eu-worker
+sandbox-2 0/604DE38 Standby (async) OK BestEffort 1.28.1 k8s-eu-worker2
+sandbox-3 0/604DE38 Standby (async) OK BestEffort 1.28.1 k8s-eu-worker
```
If you require more detailed status information, use the `--verbose` option (or
@@ -362,9 +362,9 @@ sandbox-primary primary 1 1 1
Instances status
Name Current LSN Replication role Status QoS Manager Version Node
---- ----------- ---------------- ------ --- --------------- ----
-sandbox-1 0/6053720 Primary OK BestEffort 1.28.0 k8s-eu-worker
-sandbox-2 0/6053720 Standby (async) OK BestEffort 1.28.0 k8s-eu-worker2
-sandbox-3 0/6053720 Standby (async) OK BestEffort 1.28.0 k8s-eu-worker
+sandbox-1 0/6053720 Primary OK BestEffort 1.28.1 k8s-eu-worker
+sandbox-2 0/6053720 Standby (async) OK BestEffort 1.28.1 k8s-eu-worker2
+sandbox-3 0/6053720 Standby (async) OK BestEffort 1.28.1 k8s-eu-worker
```
With an additional `-v` (e.g. `kubectl cnpg status sandbox -v -v`), you can
@@ -640,12 +640,12 @@ Archive: report_operator_.zip
```output
====== Beginning of Previous Log =====
-2023-03-28T12:56:41.251711811Z {"level":"info","ts":"2023-03-28T12:56:41Z","logger":"setup","msg":"Starting CloudNativePG Operator","version":"1.28.0","build":{"Version":"1.28.0+dev107","Commit":"cc9bab17","Date":"2023-03-28"}}
+2023-03-28T12:56:41.251711811Z {"level":"info","ts":"2023-03-28T12:56:41Z","logger":"setup","msg":"Starting CloudNativePG Operator","version":"1.28.1","build":{"Version":"1.28.1+dev107","Commit":"cc9bab17","Date":"2023-03-28"}}
2023-03-28T12:56:41.251851909Z {"level":"info","ts":"2023-03-28T12:56:41Z","logger":"setup","msg":"Starting pprof HTTP server","addr":"0.0.0.0:6060"}
====== End of Previous Log =====
-2023-03-28T12:57:09.854306024Z {"level":"info","ts":"2023-03-28T12:57:09Z","logger":"setup","msg":"Starting CloudNativePG Operator","version":"1.28.0","build":{"Version":"1.28.0+dev107","Commit":"cc9bab17","Date":"2023-03-28"}}
+2023-03-28T12:57:09.854306024Z {"level":"info","ts":"2023-03-28T12:57:09Z","logger":"setup","msg":"Starting CloudNativePG Operator","version":"1.28.1","build":{"Version":"1.28.1+dev107","Commit":"cc9bab17","Date":"2023-03-28"}}
2023-03-28T12:57:09.854363943Z {"level":"info","ts":"2023-03-28T12:57:09Z","logger":"setup","msg":"Starting pprof HTTP server","addr":"0.0.0.0:6060"}
```
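Review bot: The version substitution in the two "Starting CloudNativePG Operator" lines also rewrote the build string to `1.28.1+dev107` while leaving `"Commit":"cc9bab17"` and `"Date":"2023-03-28"` untouched, so the sample now shows a 1.28.1 build dated 2023. If the release tooling replaces every version string, exclude captured output such as this block from the substitution or use a neutral placeholder, so readers comparing their own report against the docs are not misled.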
diff --git a/website/docs/release_notes/v1.27.md b/website/docs/release_notes/v1.27.md
index f4d44bd..d691936 100644
--- a/website/docs/release_notes/v1.27.md
+++ b/website/docs/release_notes/v1.27.md
@@ -11,6 +11,119 @@ For a complete list of changes, please refer to the
[commits](https://github.com/cloudnative-pg/cloudnative-pg/commits/release-1.27)
on the release branch in GitHub.
+## Version 1.27.3
+
+**Release date:** Feb 5, 2026
+
+### Enhancements
+
+- Added support for Azure's `DefaultAzureCredential` authentication mechanism
+ for backup and recovery operations. This can be enabled by setting
+ `azureCredentials.useDefaultAzureCredentials: true` in the backup
+ configuration, simplifying authentication in Azure environments without
+ requiring explicit storage account keys or SAS tokens.
+ ([#9468](https://github.com/cloudnative-pg/cloudnative-pg/pull/9468))
+
+- Added support for PostgreSQL extension names containing underscores (e.g.,
+ `pg_ivm`, `pg_stat_statements`). Extension names with underscores are
+ automatically sanitized to use hyphens for Kubernetes volume names while
+ preserving the original name in mount paths. Webhook validation prevents
+ naming conflicts after sanitization. Contributed by @shusaan.
+ ([#9386](https://github.com/cloudnative-pg/cloudnative-pg/pull/9386))
+
+### Fixes
+
+- Fixed a critical issue where the `TimelineID` in the cluster status was not
+ reset to 1 after a major version upgrade. Because `pg_upgrade` initializes a
+ new timeline, keeping the old ID (e.g., timeline 2) caused replicas to attempt
+ to restore incompatible history files from object storage, leading to fatal
+ "requested timeline is not a child of this server's history" errors.
+ ([#9830](https://github.com/cloudnative-pg/cloudnative-pg/pull/9830))
+
+- Fixed a bug where replicas could enter a crash-loop by attempting to download
+ timeline history files from future timelines. This occurred when stale files
+ remained in the WAL archive from a previous cluster life, and replicas would
+ incorrectly try to fetch them during recovery.
+ ([#9650](https://github.com/cloudnative-pg/cloudnative-pg/pull/9650))
+
+- Fixed a race condition in `replica_cluster` setups during designated primary
+ transitions, preventing transient "no primary" states in the replica cluster.
+ ([#9601](https://github.com/cloudnative-pg/cloudnative-pg/pull/9601))
+
+- The backup controller now uses the unique instance session ID to detect
+ instance manager restarts. This prevents the operator from incorrectly
+ assuming a backup is still progressing if the underlying container has crashed
+ and restarted, which previously led to orphaned backup objects.
+ ([#9370](https://github.com/cloudnative-pg/cloudnative-pg/pull/9370))
+
+- Fixed a validation gap in Azure object store configurations where the
+ `storageAccount` was not required when using explicit credentials (such as a
+ storage key or SAS token). The operator now enforces that a storage account
+ name is provided in these cases and that `connectionString` is mutually
+ exclusive with other authentication parameters.
+ ([#9604](https://github.com/cloudnative-pg/cloudnative-pg/pull/9604))
+
+- Optimized the deletion path so the operator begins cleaning up resources
+ immediately when a cluster is marked for deletion. This significantly reduces
+ the time a cluster remains in `Terminating` status while waiting for internal
+ reconciliation loops.
+ ([#9555](https://github.com/cloudnative-pg/cloudnative-pg/pull/9555))
+
+- Fixed an issue where replication slots were not properly dropped from
+ replicas when the feature was disabled or the cluster was reconfigured.
+ This ensures that unused slots do not cause WAL build-up on the primary.
+ ([#9381](https://github.com/cloudnative-pg/cloudnative-pg/pull/9381))
+
+- Fixed an issue where `imagePullSecrets` were not added to the `ServiceAccount`
+ created for the `Pooler`. Previously, these secrets were applied to the
+ Deployment but not the SA, which caused image pull failures in restricted
+ environments using certain security policies.
+ ([#9427](https://github.com/cloudnative-pg/cloudnative-pg/pull/9427))
+
+- Added a check to verify ownership before the operator deletes a `PodMonitor`.
+ This prevents the operator from accidentally deleting manually managed
+ monitoring resources that happen to share a name with expected CNPG
+ resources. Contributed by @juliamertz.
+ ([#9340](https://github.com/cloudnative-pg/cloudnative-pg/pull/9340))
+
+- Fixed a bug where `pg_stat_archiver` metrics would continue to report stale
+ data on standby instances after a switchover. The exporter now skips these
+ metrics on standbys, as PostgreSQL only provides valid archiver stats on the
+ primary.
+ ([#9411](https://github.com/cloudnative-pg/cloudnative-pg/pull/9411))
+
+- Clarified the interpretation of timestamp formats for recovery `targetTime`.
+ Timestamps provided without an explicit timezone are now consistently
+ interpreted as UTC. Contributed by @pchovelon.
+ ([#8937](https://github.com/cloudnative-pg/cloudnative-pg/pull/8937))
+
+- Fixed backup status updates to prevent "resource has been modified" errors
+ during concurrent updates.
+ ([#9551](https://github.com/cloudnative-pg/cloudnative-pg/pull/9551))
+
+- Fixed event reporting to use the correct pod name when a backup pod is not
+ found.
+ ([#9552](https://github.com/cloudnative-pg/cloudnative-pg/pull/9552))
+
+- Improved performance of scheduled backup operations for clusters with a very
+ high number of historical backups.
+ ([#9489](https://github.com/cloudnative-pg/cloudnative-pg/pull/9489))
+
+- Fixed error handling when removing finalizers on `Database` objects.
+ ([#9431](https://github.com/cloudnative-pg/cloudnative-pg/pull/9431))
+
+- `cnpg` plugin:
+
+ - Updated the `status` command to display "Disabled" when the
+ `skipWalArchiving` annotation is present on a cluster. This replaces
+ confusing "starting up" or "unknown" states when WAL archiving is
+ intentionally bypassed.
+ ([#9709](https://github.com/cloudnative-pg/cloudnative-pg/pull/9709))
+
+ - Fixed the `logs --follow` command to continue polling for new pods instead
+ of exiting prematurely when all current log streams complete.
+ ([#9599](https://github.com/cloudnative-pg/cloudnative-pg/pull/9599))
+
## Version 1.27.2
**Release date:** Dec 9, 2025
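Review bot: Several bullets under `### Fixes` in the 1.27.3 section are not fixes: "Optimized the deletion path", "Improved performance of scheduled backup operations", the `PodMonitor` ownership check, and "Clarified the interpretation of timestamp formats for recovery `targetTime`". The last one matters most, because "now consistently interpreted as UTC" is a behaviour change that can move a point-in-time recovery target for anyone who passed a timestamp without a timezone. Move it under a changes heading and say what the previous interpretation was. The `imagePullSecrets` bullet should also spell out `ServiceAccount` rather than "the SA".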
diff --git a/website/docs/release_notes/v1.28.md b/website/docs/release_notes/v1.28.md
index 4ea6432..fd2cbe4 100644
--- a/website/docs/release_notes/v1.28.md
+++ b/website/docs/release_notes/v1.28.md
@@ -11,6 +11,148 @@ For a complete list of changes, please refer to the
[commits](https://github.com/cloudnative-pg/cloudnative-pg/commits/release-1.28)
on the release branch in GitHub.
+
+
+## Version 1.28.1
+
+**Release date:** Feb 5, 2026
+
+### Enhancements
+
+- Added support for Azure's `DefaultAzureCredential` authentication mechanism
+ for backup and recovery operations. This can be enabled by setting
+ `azureCredentials.useDefaultAzureCredentials: true` in the backup
+ configuration, simplifying authentication in Azure environments without
+ requiring explicit storage account keys or SAS tokens.
+ ([#9468](https://github.com/cloudnative-pg/cloudnative-pg/pull/9468))
+
+- Added support for PostgreSQL extension names containing underscores (e.g.,
+ `pg_ivm`, `pg_stat_statements`). Extension names with underscores are
+ automatically sanitized to use hyphens for Kubernetes volume names while
+ preserving the original name in mount paths. Webhook validation prevents
+ naming conflicts after sanitization. Contributed by @shusaan.
+ ([#9386](https://github.com/cloudnative-pg/cloudnative-pg/pull/9386))
+
+### Fixes
+
+- Fixed a critical issue where the `TimelineID` in the cluster status was not
+ reset to 1 after a major version upgrade. Because `pg_upgrade` initializes a
+ new timeline, keeping the old ID (e.g., timeline 2) caused replicas to attempt
+ to restore incompatible history files from object storage, leading to fatal
+ "requested timeline is not a child of this server's history" errors.
+ ([#9830](https://github.com/cloudnative-pg/cloudnative-pg/pull/9830))
+
+- Fixed an issue where stale TLS status fields in the `Pooler` were not cleared
+ after being removed from the specification. This was particularly critical
+ when upgrading to v1.28.0, where the `ServerTLS` field was repurposed, causing
+ PgBouncer to use incorrect certificates and resulting in "unsupported
+ certificate" errors that blocked all application connectivity.
+ The operator now explicitly clears `ServerCA`, `ClientCA`, `ClientTLS`, and
+ `ServerTLS` status fields when they are no longer configured.
+ ([#9397](https://github.com/cloudnative-pg/cloudnative-pg/pull/9397))
+
+- Fixed a bug where replicas could enter a crash-loop by attempting to download
+ timeline history files from future timelines. This occurred when stale files
+ remained in the WAL archive from a previous cluster life, and replicas would
+ incorrectly try to fetch them during recovery.
+ ([#9650](https://github.com/cloudnative-pg/cloudnative-pg/pull/9650))
+
+- Fixed a race condition in `replica_cluster` setups during designated primary
+ transitions, preventing transient "no primary" states in the replica cluster.
+ ([#9601](https://github.com/cloudnative-pg/cloudnative-pg/pull/9601))
+
+- The backup controller now uses the unique instance session ID to detect
+ instance manager restarts. This prevents the operator from incorrectly
+ assuming a backup is still progressing if the underlying container has crashed
+ and restarted, which previously led to orphaned backup objects.
+ ([#9370](https://github.com/cloudnative-pg/cloudnative-pg/pull/9370))
+
+- Fixed a validation gap in Azure object store configurations where the
+ `storageAccount` was not required when using explicit credentials (such as a
+ storage key or SAS token). The operator now enforces that a storage account
+ name is provided in these cases and that `connectionString` is mutually
+ exclusive with other authentication parameters.
+ ([#9604](https://github.com/cloudnative-pg/cloudnative-pg/pull/9604))
+
+- Optimized the deletion path so the operator begins cleaning up resources
+ immediately when a cluster is marked for deletion. This significantly reduces
+ the time a cluster remains in `Terminating` status while waiting for internal
+ reconciliation loops.
+ ([#9555](https://github.com/cloudnative-pg/cloudnative-pg/pull/9555))
+
+- Fixed an issue where replication slots were not properly dropped from
+ replicas when the feature was disabled or the cluster was reconfigured.
+ This ensures that unused slots do not cause WAL build-up on the primary.
+ ([#9381](https://github.com/cloudnative-pg/cloudnative-pg/pull/9381))
+
+- Fixed an issue where `imagePullSecrets` were not added to the `ServiceAccount`
+ created for the `Pooler`. Previously, these secrets were applied to the
+ Deployment but not the SA, which caused image pull failures in restricted
+ environments using certain security policies.
+ ([#9427](https://github.com/cloudnative-pg/cloudnative-pg/pull/9427))
+
+- Added a check to verify ownership before the operator deletes a `PodMonitor`.
+ This prevents the operator from accidentally deleting manually managed
+ monitoring resources that happen to share a name with expected CNPG
+ resources. Contributed by @juliamertz.
+ ([#9340](https://github.com/cloudnative-pg/cloudnative-pg/pull/9340))
+
+- Fixed a bug where `pg_stat_archiver` metrics would continue to report stale
+ data on standby instances after a switchover. The exporter now skips these
+ metrics on standbys, as PostgreSQL only provides valid archiver stats on the
+ primary.
+ ([#9411](https://github.com/cloudnative-pg/cloudnative-pg/pull/9411))
+
+- Clarified the interpretation of timestamp formats for recovery `targetTime`.
+ Timestamps provided without an explicit timezone are now consistently
+ interpreted as UTC. Contributed by @pchovelon.
+ ([#8937](https://github.com/cloudnative-pg/cloudnative-pg/pull/8937))
+
+- Fixed backup status updates to prevent "resource has been modified" errors
+ during concurrent updates.
+ ([#9551](https://github.com/cloudnative-pg/cloudnative-pg/pull/9551))
+
+- Fixed event reporting to use the correct pod name when a backup pod is not
+ found.
+ ([#9552](https://github.com/cloudnative-pg/cloudnative-pg/pull/9552))
+
+- Improved performance of scheduled backup operations for clusters with a very
+ high number of historical backups.
+ ([#9489](https://github.com/cloudnative-pg/cloudnative-pg/pull/9489))
+
+- Fixed error handling when removing finalizers on `Database` objects.
+ ([#9431](https://github.com/cloudnative-pg/cloudnative-pg/pull/9431))
+
+- `cnpg` plugin:
+
+ - Updated the `status` command to display "Disabled" when the
+ `skipWalArchiving` annotation is present on a cluster. This replaces
+ confusing "starting up" or "unknown" states when WAL archiving is
+ intentionally bypassed.
+ ([#9709](https://github.com/cloudnative-pg/cloudnative-pg/pull/9709))
+
+ - Fixed the `logs --follow` command to continue polling for new pods instead
+ of exiting prematurely when all current log streams complete.
+ ([#9599](https://github.com/cloudnative-pg/cloudnative-pg/pull/9599))
+
## Version 1.28.0
**Release date:** Dec 9, 2025
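Review bot: The `Pooler` stale TLS status bullet says that upgrading to v1.28.0 could leave PgBouncer with incorrect certificates and block "all application connectivity", yet it sits second in a flat `### Fixes` list. Consider an upgrade advisory at the top of the 1.28.1 section for users who run a `Pooler`, and say whether affected poolers recover on their own once the operator is upgraded or need manual action. The hunk also adds two blank lines before `## Version 1.28.1`, where the 1.27 file adds none.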
diff --git a/website/versioned_docs/version-1.27/appendixes/_category_.json b/website/versioned_docs/version-1.27/appendixes/_category_.json
new file mode 100644
index 0000000..406ff35
--- /dev/null
+++ b/website/versioned_docs/version-1.27/appendixes/_category_.json
@@ -0,0 +1,7 @@
+{
+ "label": "Appendixes",
+ "position": 600,
+ "link": {
+ "type": "generated-index"
+ }
+}
diff --git a/website/versioned_docs/version-1.27/appendixes/object_stores.md b/website/versioned_docs/version-1.27/appendixes/object_stores.md
index 91d1dcb..2e35f76 100644
--- a/website/versioned_docs/version-1.27/appendixes/object_stores.md
+++ b/website/versioned_docs/version-1.27/appendixes/object_stores.md
@@ -27,6 +27,16 @@ You can also use any compatible implementation of the supported services.
The required setup depends on the chosen storage provider and is
discussed in the following sections.
+:::note Authentication Methods
+CloudNativePG does not independently test all authentication methods
+supported by `barman-cloud`. CloudNativePG's responsibility is limited to passing
+the provided credentials to `barman-cloud`, which then handles authentication
+according to its own implementation. Users should refer to the
+[Barman Cloud documentation](https://docs.pgbarman.org/release/latest/) to
+verify that their chosen authentication method is supported and properly
+configured.
+:::
+
## AWS S3
[AWS Simple Storage Service (S3)](https://aws.amazon.com/s3/) is
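Review bot: The `Authentication Methods` note says CloudNativePG "does not independently test all authentication methods" but never says which ones it does test, so a reader cannot tell whether the method they choose is covered. List the tested methods per provider, or mark the untested ones in each provider section. The link to `https://docs.pgbarman.org/release/latest/` is also unversioned inside the `version-1.27` docs, so it will drift from the `barman-cloud` release that 1.27 actually ships with.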
@@ -195,17 +205,15 @@ spec:
[Azure Blob Storage](https://azure.microsoft.com/en-us/services/storage/blobs/) is the
object storage service provided by Microsoft.
-In order to access your storage account for backup and recovery of
-CloudNativePG managed databases, you will need one of the following
-combinations of credentials:
+CloudNativePG supports the following authentication methods for Azure Blob Storage:
- [Connection String](https://docs.microsoft.com/en-us/azure/storage/common/storage-configure-connection-string#configure-a-connection-string-for-an-azure-storage-account)
-- Storage account name and [Storage account access key](https://docs.microsoft.com/en-us/azure/storage/common/storage-account-keys-manage)
-- Storage account name and [Storage account SAS Token](https://docs.microsoft.com/en-us/azure/storage/blobs/sas-service-create)
-- Storage account name and [Azure AD Workload Identity](https://azure.github.io/azure-workload-identity/docs/introduction.html)
-properly configured.
+- Storage Account Name + [Storage Account Access Key](https://docs.microsoft.com/en-us/azure/storage/common/storage-account-keys-manage)
+- Storage Account Name + [Storage Account SAS Token](https://docs.microsoft.com/en-us/azure/storage/blobs/sas-service-create)
+- [Azure AD Managed Identity](https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/overview)
+- [Default Azure Credentials](https://learn.microsoft.com/en-us/python/api/azure-identity/azure.identity.defaultazurecredential?view=azure-python)
-Using **Azure AD Workload Identity**, you can avoid saving the credentials into a Kubernetes Secret,
+Using **Azure AD Managed Identity**, you can avoid saving the credentials into a Kubernetes Secret,
and have a Cluster configuration adding the `inheritFromAzureAD` as follows:
```yaml
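Review bot: The list replaces "Storage account name and Azure AD Workload Identity" with "Azure AD Managed Identity" and retargets the link, but the `inheritFromAzureAD` example it introduces is unchanged. Workload Identity and Managed Identity are different Azure mechanisms, so state whether Workload Identity is still supported through `inheritFromAzureAD` or has been removed from the docs deliberately. The new entries also no longer say whether a storage account name is needed for Managed Identity and Default Azure Credentials, which the previous wording made explicit.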
@@ -220,6 +228,23 @@ spec:
inheritFromAzureAD: true
```
+Alternatively, you can use the **Default Azure Credentials** authentication mechanism, which provides
+a seamless authentication experience by supporting multiple authentication methods including environment
+variables, managed identities, and Azure CLI credentials. Add the `useDefaultAzureCredentials` flag
+as follows:
+
+```yaml
+apiVersion: postgresql.cnpg.io/v1
+kind: Cluster
+[...]
+spec:
+ backup:
+ barmanObjectStore:
+ destinationPath: ""
+ azureCredentials:
+ useDefaultAzureCredentials: true
+```
+
On the other side, using both **Storage account access key** or **Storage account SAS Token**,
the credentials need to be stored inside a Kubernetes Secret, adding data entries only when
needed. The following command performs that:
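Review bot: The new paragraph presents the credential chain ("environment variables, managed identities, and Azure CLI credentials") only as a convenience, without saying which source the instance pods are expected to use. The chain takes the first source that succeeds, so name the intended source for a CloudNativePG pod and recommend a narrowly scoped identity. Otherwise a stray environment variable can silently change which principal writes the backups. The example's `destinationPath: ""` is an empty string; use a recognisable placeholder so the manifest is not copied as is.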
diff --git a/website/versioned_docs/version-1.27/cloudnative-pg.v1.md b/website/versioned_docs/version-1.27/cloudnative-pg.v1.md
index 9444e71..c601a24 100644
--- a/website/versioned_docs/version-1.27/cloudnative-pg.v1.md
+++ b/website/versioned_docs/version-1.27/cloudnative-pg.v1.md
@@ -971,7 +971,7 @@ _Appears in:_
| Field | Description | Required | Default | Validation |
| --- | --- | --- | --- | --- |
-| `name` _string_ | The name of the extension, required | True | | MinLength: 1
Pattern: `^[a-z0-9]([-a-z0-9]*[a-z0-9])?$`
|
+| `name` _string_ | The name of the extension, required | True | | MinLength: 1
Pattern: `^[a-z0-9]([-a-z0-9_]*[a-z0-9])?$`
|
| `image` _[ImageVolumeSource](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#imagevolumesource-v1-core)_ | The image containing the extension, required | True | | |
| `extension_control_path` _string array_ | The list of directories inside the image which should be added to extension_control_path.
If not defined, defaults to "/share". | | | |
| `dynamic_library_path` _string array_ | The list of directories inside the image which should be added to dynamic_library_path.
If not defined, defaults to "/lib". | | | |
@@ -1200,6 +1200,7 @@ _Appears in:_
| --- | --- | --- | --- | --- |
| `podName` _string_ | The pod name | | | |
| `ContainerID` _string_ | The container ID | | | |
+| `sessionID` _string_ | The instance manager session ID. This is a unique identifier generated at instance manager
startup and changes on every restart (including container reboots). Used to detect if
the instance manager was restarted during long-running operations like backups, which
would terminate any running backup process. | | | |
#### InstanceReportedState
@@ -2167,7 +2168,7 @@ _Appears in:_
| `targetXID` _string_ | The target transaction ID | | | |
| `targetName` _string_ | The target name (to be previously created
with `pg_create_restore_point`) | | | |
| `targetLSN` _string_ | The target LSN (Log Sequence Number) | | | |
-| `targetTime` _string_ | The target time as a timestamp in the RFC3339 standard | | | |
+| `targetTime` _string_ | The target time as a timestamp in RFC3339 format or PostgreSQL timestamp format.
Timestamps without an explicit timezone are interpreted as UTC. | | | |
| `targetImmediate` _boolean_ | End recovery as soon as a consistent state is reached | | | |
| `exclusive` _boolean_ | Set the target to be exclusive. If omitted, defaults to false, so that
in Postgres, `recovery_target_inclusive` will be true | | | |
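Review bot: The new `targetTime` description applies "Timestamps without an explicit timezone are interpreted as UTC" to both formats, but an RFC3339 timestamp always carries an offset, so the sentence can only apply to the PostgreSQL timestamp format. Say that explicitly and give one example of each accepted form, since a misread timezone here shifts the recovery target.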
diff --git a/website/versioned_docs/version-1.27/cncf-projects/_category_.json b/website/versioned_docs/version-1.27/cncf-projects/_category_.json
new file mode 100644
index 0000000..0bb5a46
--- /dev/null
+++ b/website/versioned_docs/version-1.27/cncf-projects/_category_.json
@@ -0,0 +1,7 @@
+{
+ "label": "CNCF Projects Integrations",
+ "position": 590,
+ "link": {
+ "type": "generated-index"
+ }
+}
diff --git a/website/versioned_docs/version-1.27/cnpg_i.md b/website/versioned_docs/version-1.27/cnpg_i.md
index a922af4..06eadfb 100644
--- a/website/versioned_docs/version-1.27/cnpg_i.md
+++ b/website/versioned_docs/version-1.27/cnpg_i.md
@@ -200,7 +200,7 @@ must include this DNS name in its Subject Alternative Names (SAN).
To enable a plugin, configure the `.spec.plugins` section in your `Cluster`
resource. Refer to the CloudNativePG API Reference for the full
-[PluginConfiguration](https://cloudnative-pg.io/documentation/current/cloudnative-pg.v1/#postgresql-cnpg-io-v1-PluginConfiguration)
+[PluginConfiguration](https://cloudnative-pg.io/docs/devel/cloudnative-pg.v1/#pluginconfiguration)
specification.
Example:
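Review bot: The replacement link in this `version-1.27` page points at `https://cloudnative-pg.io/docs/devel/cloudnative-pg.v1/#pluginconfiguration`, which is the development documentation, so 1.27 readers land on an API reference for a different version. Use a relative link, as `connection_pooling.md` does in this patch with `cloudnative-pg.v1.md#poolerspec`; here that would be `cloudnative-pg.v1.md#pluginconfiguration`.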
diff --git a/website/versioned_docs/version-1.27/connection_pooling.md b/website/versioned_docs/version-1.27/connection_pooling.md
index 98794d4..d7124fa 100644
--- a/website/versioned_docs/version-1.27/connection_pooling.md
+++ b/website/versioned_docs/version-1.27/connection_pooling.md
@@ -197,15 +197,38 @@ GRANT EXECUTE ON FUNCTION public.user_search(text)
## Pod templates
-You can take advantage of pod templates specification in the `template`
-section of a `Pooler` resource. For details, see
-[`PoolerSpec`](cloudnative-pg.v1.md#poolerspec) in the API reference.
-Using templates, you can configure pods as you like, including fine control
-over affinity and anti-affinity rules for pods and nodes. By default,
-containers use images from `ghcr.io/cloudnative-pg/pgbouncer`.
+The `Pooler` resource allows you to customize the underlying pods via the
+`template` section. This provides full access to the Kubernetes `PodSpec` for
+advanced configurations like scheduling constraints, custom security contexts,
+or resource overrides.
-This example shows `Pooler` specifying `PodAntiAffinity``:
+For a complete list of supported fields, see the
+[`PoolerSpec`](cloudnative-pg.v1.md#poolerspec) API reference.
+
+### Key requirements
+
+- **The `pgbouncer` container name:** When overriding container settings (like
+ images or resources), the name of the container **must** be set to
+ `pgbouncer`. The operator looks for this specific name to manage the
+ PgBouncer process.
+
+- **Mandatory `containers` field:** Since `template` follows the standard
+ Kubernetes `PodSpec` schema, the `containers` field is mandatory.
+
+- If you aren't modifying container-level settings, you must set it to an empty
+ array: `containers: []`.
+
+- If the `containers` field is missing, the API server will throw a
+ `ValidationError`.
+
+### Examples
+
+#### High availability with pod anti-affinity
+
+This configuration uses `podAntiAffinity` to ensure that PgBouncer pods are
+distributed across different nodes, preventing a single node failure from
+taking down the entire pool.
```yaml
apiVersion: postgresql.cnpg.io/v1
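Review bot: In the new "Key requirements" list, the last two bullets ("If you aren't modifying container-level settings ..." and "If the `containers` field is missing ...") are consequences of "Mandatory `containers` field" but are written as top-level items, so the list reads as four separate requirements. Nest them under that bullet or fold them into its text. The rewrite also drops the sentence stating that containers default to images from `ghcr.io/cloudnative-pg/pgbouncer`. Keep it, since it tells operators which registry and image the pooler pulls when no override is given.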
@@ -236,16 +259,10 @@ spec:
topologyKey: "kubernetes.io/hostname"
```
-:::note
- Explicitly set `.spec.template.spec.containers` to `[]` when not modified,
- as it's a required field for a `PodSpec`. If `.spec.template.spec.containers`
- isn't set, the Kubernetes api-server returns the following error when trying to
- apply the manifest:`error validating "pooler.yaml": error validating data:
- ValidationError(Pooler.spec.template.spec): missing required field
- "containers"`
-:::
+#### Custom image and resource limits
-This example sets resources and changes the used image:
+You can specify a custom image and define resource requests/limits. Note that
+the container name is explicitly set to `pgbouncer`.
```yaml
apiVersion: postgresql.cnpg.io/v1
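Review bot: removing the `:::note` block here also removes the literal API server message (`missing required field "containers"`), which is the string a user will search for after a failed apply of `pooler.yaml`. The replacement text in the new "Key requirements" section only mentions a `ValidationError`; consider keeping the exact error text there.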
@@ -264,6 +281,7 @@ spec:
app: pooler
spec:
containers:
+ # This name MUST be "pgbouncer"
- name: pgbouncer
image: my-pgbouncer:latest
resources:
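Review bot: the example still uses the mutable tag `image: my-pgbouncer:latest` right under the new comment. Since this block is being edited as the reference for custom pooler images, suggest a placeholder with an explicit version tag or digest, so that a copied manifest does not pull a different image on each pod restart.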
@@ -624,9 +642,10 @@ spec:
### Deprecation of Automatic `PodMonitor` Creation
-!!!warning "Feature Deprecation Notice"
+:::warning[Feature Deprecation Notice]
The `.spec.monitoring.enablePodMonitor` field in the `Pooler` resource is
now deprecated and will be removed in a future version of the operator.
+:::
If you are currently using this feature, we strongly recommend you either
remove or set `.spec.monitoring.enablePodMonitor` to `false` and manually
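Review bot: the closing `:::` is added before the paragraph "If you are currently using this feature, we strongly recommend you either remove or set ...", which still appears indented as part of the old `!!!warning` body. With the new syntax that recommendation falls outside the warning box. If it was meant to stay inside the admonition, move the `:::` below it and drop the indentation.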
diff --git a/website/versioned_docs/version-1.27/imagevolume_extensions.md b/website/versioned_docs/version-1.27/imagevolume_extensions.md
index e63976e..08140de 100644
--- a/website/versioned_docs/version-1.27/imagevolume_extensions.md
+++ b/website/versioned_docs/version-1.27/imagevolume_extensions.md
@@ -138,9 +138,17 @@ spec:
The `name` field is **mandatory** and **must be unique within the cluster**, as
it determines the mount path (`/extensions/foo` in this example). It must
-consist of *lowercase alphanumeric characters or hyphens (`-`)* and must start
+consist of *lowercase alphanumeric characters, underscores (`_`) or hyphens (`-`)* and must start
and end with an alphanumeric character.
+:::note
+Extension names containing underscores (e.g., `pg_ivm`) are converted to use
+hyphens (e.g., `pg-ivm`) for Kubernetes volume names to comply with RFC 1123
+DNS label requirements. Do not use extension names that become identical after
+sanitization (e.g., `pg_ivm` and `pg-ivm` both sanitize to `pg-ivm`). The
+webhook validation will prevent such conflicts.
+:::
+
The `image` stanza follows the [Kubernetes `ImageVolume` API](https://kubernetes.io/docs/tasks/configure-pod-container/image-volumes/).
The `reference` must point to a valid container registry path for the extension
image.
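Review bot: the new note explains the hyphen conversion for volume names but not what happens to the mount path, which the paragraph just above ties to `name` (`/extensions/foo`). The 1.27.3 release notes in this same patch say the original name is preserved in mount paths, so add a sentence here stating that `pg_ivm` still mounts under its original name. The reworded "consist of ..." line also exceeds the wrap width of the surrounding paragraph.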
diff --git a/website/versioned_docs/version-1.27/installation_upgrade.md b/website/versioned_docs/version-1.27/installation_upgrade.md
index 266e502..e3434cc 100644
--- a/website/versioned_docs/version-1.27/installation_upgrade.md
+++ b/website/versioned_docs/version-1.27/installation_upgrade.md
@@ -14,12 +14,12 @@ title: Installation and upgrades
The operator can be installed like any other resource in Kubernetes,
through a YAML manifest applied via `kubectl`.
-You can install the [latest operator manifest](https://raw.githubusercontent.com/cloudnative-pg/cloudnative-pg/release-1.27/releases/cnpg-1.27.2.yaml)
+You can install the [latest operator manifest](https://raw.githubusercontent.com/cloudnative-pg/cloudnative-pg/release-1.27/releases/cnpg-1.27.3.yaml)
for this minor release as follows:
```sh
kubectl apply --server-side -f \
- https://raw.githubusercontent.com/cloudnative-pg/cloudnative-pg/release-1.27/releases/cnpg-1.27.2.yaml
+ https://raw.githubusercontent.com/cloudnative-pg/cloudnative-pg/release-1.27/releases/cnpg-1.27.3.yaml
```
You can verify that with:
diff --git a/website/versioned_docs/version-1.27/kubectl-plugin.md b/website/versioned_docs/version-1.27/kubectl-plugin.md
index 372aaf6..9256b5b 100644
--- a/website/versioned_docs/version-1.27/kubectl-plugin.md
+++ b/website/versioned_docs/version-1.27/kubectl-plugin.md
@@ -38,11 +38,11 @@ them in your systems.
#### Debian packages
-For example, let's install the 1.27.2 release of the plugin, for an Intel based
+For example, let's install the 1.27.3 release of the plugin, for an Intel based
64 bit server. First, we download the right `.deb` file.
```sh
-wget https://github.com/cloudnative-pg/cloudnative-pg/releases/download/v1.27.2/kubectl-cnpg_1.27.2_linux_x86_64.deb \
+wget https://github.com/cloudnative-pg/cloudnative-pg/releases/download/v1.27.3/kubectl-cnpg_1.27.3_linux_x86_64.deb \
--output-document kube-plugin.deb
```
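Review bot: the bumped `wget` line still feeds the downloaded `.deb` straight into `sudo dpkg -i` in the next step with no integrity check. While this block is being touched, consider adding a step that verifies the package against a checksum or signature published with the release, if the release provides one.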
@@ -53,17 +53,17 @@ $ sudo dpkg -i kube-plugin.deb
Selecting previously unselected package cnpg.
(Reading database ... 6688 files and directories currently installed.)
Preparing to unpack kube-plugin.deb ...
-Unpacking cnpg (1.27.2) ...
-Setting up cnpg (1.27.2) ...
+Unpacking cnpg (1.27.3) ...
+Setting up cnpg (1.27.3) ...
```
#### RPM packages
-As in the example for `.rpm` packages, let's install the 1.27.2 release for an
+As in the example for `.rpm` packages, let's install the 1.27.3 release for an
Intel 64 bit machine. Note the `--output` flag to provide a file name.
```sh
-curl -L https://github.com/cloudnative-pg/cloudnative-pg/releases/download/v1.27.2/kubectl-cnpg_1.27.2_linux_x86_64.rpm \
+curl -L https://github.com/cloudnative-pg/cloudnative-pg/releases/download/v1.27.3/kubectl-cnpg_1.27.3_linux_x86_64.rpm \
--output kube-plugin.rpm
```
@@ -77,7 +77,7 @@ Dependencies resolved.
Package Architecture Version Repository Size
====================================================================================================
Installing:
- cnpg x86_64 1.27.2 @commandline 20 M
+ cnpg x86_64 1.27.3 @commandline 20 M
Transaction Summary
====================================================================================================
@@ -306,9 +306,9 @@ sandbox-3 0/604DE38 0/604DE38 0/604DE38 0/604DE38 00:00:00 00:00:00 00
Instances status
Name Current LSN Replication role Status QoS Manager Version Node
---- ----------- ---------------- ------ --- --------------- ----
-sandbox-1 0/604DE38 Primary OK BestEffort 1.27.2 k8s-eu-worker
-sandbox-2 0/604DE38 Standby (async) OK BestEffort 1.27.2 k8s-eu-worker2
-sandbox-3 0/604DE38 Standby (async) OK BestEffort 1.27.2 k8s-eu-worker
+sandbox-1 0/604DE38 Primary OK BestEffort 1.27.3 k8s-eu-worker
+sandbox-2 0/604DE38 Standby (async) OK BestEffort 1.27.3 k8s-eu-worker2
+sandbox-3 0/604DE38 Standby (async) OK BestEffort 1.27.3 k8s-eu-worker
```
If you require more detailed status information, use the `--verbose` option (or
@@ -362,9 +362,9 @@ sandbox-primary primary 1 1 1
Instances status
Name Current LSN Replication role Status QoS Manager Version Node
---- ----------- ---------------- ------ --- --------------- ----
-sandbox-1 0/6053720 Primary OK BestEffort 1.27.2 k8s-eu-worker
-sandbox-2 0/6053720 Standby (async) OK BestEffort 1.27.2 k8s-eu-worker2
-sandbox-3 0/6053720 Standby (async) OK BestEffort 1.27.2 k8s-eu-worker
+sandbox-1 0/6053720 Primary OK BestEffort 1.27.3 k8s-eu-worker
+sandbox-2 0/6053720 Standby (async) OK BestEffort 1.27.3 k8s-eu-worker2
+sandbox-3 0/6053720 Standby (async) OK BestEffort 1.27.3 k8s-eu-worker
```
With an additional `-v` (e.g. `kubectl cnpg status sandbox -v -v`), you can
@@ -600,12 +600,12 @@ Archive: report_operator_.zip
```output
====== Beginning of Previous Log =====
-2023-03-28T12:56:41.251711811Z {"level":"info","ts":"2023-03-28T12:56:41Z","logger":"setup","msg":"Starting CloudNativePG Operator","version":"1.27.2","build":{"Version":"1.27.2+dev107","Commit":"cc9bab17","Date":"2023-03-28"}}
+2023-03-28T12:56:41.251711811Z {"level":"info","ts":"2023-03-28T12:56:41Z","logger":"setup","msg":"Starting CloudNativePG Operator","version":"1.27.3","build":{"Version":"1.27.3+dev107","Commit":"cc9bab17","Date":"2023-03-28"}}
2023-03-28T12:56:41.251851909Z {"level":"info","ts":"2023-03-28T12:56:41Z","logger":"setup","msg":"Starting pprof HTTP server","addr":"0.0.0.0:6060"}
====== End of Previous Log =====
-2023-03-28T12:57:09.854306024Z {"level":"info","ts":"2023-03-28T12:57:09Z","logger":"setup","msg":"Starting CloudNativePG Operator","version":"1.27.2","build":{"Version":"1.27.2+dev107","Commit":"cc9bab17","Date":"2023-03-28"}}
+2023-03-28T12:57:09.854306024Z {"level":"info","ts":"2023-03-28T12:57:09Z","logger":"setup","msg":"Starting CloudNativePG Operator","version":"1.27.3","build":{"Version":"1.27.3+dev107","Commit":"cc9bab17","Date":"2023-03-28"}}
2023-03-28T12:57:09.854363943Z {"level":"info","ts":"2023-03-28T12:57:09Z","logger":"setup","msg":"Starting pprof HTTP server","addr":"0.0.0.0:6060"}
```
diff --git a/website/versioned_docs/version-1.27/monitoring.md b/website/versioned_docs/version-1.27/monitoring.md
index 22d8630..214acdf 100644
--- a/website/versioned_docs/version-1.27/monitoring.md
+++ b/website/versioned_docs/version-1.27/monitoring.md
@@ -104,9 +104,10 @@ spec:
#### Deprecation of Automatic `PodMonitor` Creation
-!!!warning "Feature Deprecation Notice"
+:::warning[Feature Deprecation Notice]
The `.spec.monitoring.enablePodMonitor` field in the `Cluster` resource is
now deprecated and will be removed in a future version of the operator.
+:::
If you are currently using this feature, we strongly recommend you either
remove or set `.spec.monitoring.enablePodMonitor` to `false` and manually
diff --git a/website/versioned_docs/version-1.27/operator_conf.md b/website/versioned_docs/version-1.27/operator_conf.md
index a6c6c55..4a94b3e 100644
--- a/website/versioned_docs/version-1.27/operator_conf.md
+++ b/website/versioned_docs/version-1.27/operator_conf.md
@@ -48,8 +48,9 @@ Name | Description
`CERTIFICATE_DURATION` | Determines the lifetime of the generated certificates in days. Default is 90.
`CLUSTERS_ROLLOUT_DELAY` | The duration (in seconds) to wait between the roll-outs of different clusters during an operator upgrade. This setting controls the timing of upgrades across clusters, spreading them out to reduce system impact. The default value is `0` which means no delay between PostgreSQL cluster upgrades.
`CREATE_ANY_SERVICE` | When set to `true`, will create `-any` service for the cluster. Default is `false`
+`DRAIN_TAINTS` | Specifies the taint keys that should be interpreted as indicators of node drain. By default, it includes the taints commonly applied by [kubectl](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/), [Cluster Autoscaler](https://github.com/kubernetes/autoscaler), and [Karpenter](https://github.com/aws/karpenter-provider-aws): `node.kubernetes.io/unschedulable`, `ToBeDeletedByClusterAutoscaler`, `karpenter.sh/disrupted`, `karpenter.sh/disruption`.
`ENABLE_INSTANCE_MANAGER_INPLACE_UPDATES` | When set to `true`, enables in-place updates of the instance manager after an update of the operator, avoiding rolling updates of the cluster (default `false`)
-`EXPIRING_CHECK_THRESHOLD` | Determines the threshold, in days, for identifying a certificate as expiring. Default is 7.
+`EXPIRING_CHECK_THRESHOLD` | Determines the threshold, in days, for identifying a certificate as expiring. Default is 7.
`INCLUDE_PLUGINS` | A comma-separated list of plugins to be always included in the Cluster's reconciliation.
`INHERITED_ANNOTATIONS` | List of annotation names that, when defined in a `Cluster` metadata, will be inherited by all the generated resources, including pods
`INHERITED_LABELS` | List of label names that, when defined in a `Cluster` metadata, will be inherited by all the generated resources, including pods
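Review bot: the relocated `DRAIN_TAINTS` row lists the default taint keys but never says how to write a custom value (separator, and whether setting it replaces or extends the defaults). The neighbouring `INCLUDE_PLUGINS` row says "A comma-separated list"; the same level of detail is needed here, because a wrong value changes which nodes the operator treats as draining.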
@@ -62,7 +63,7 @@ Name | Description
`POSTGRES_IMAGE_NAME` | The name of the PostgreSQL image used by default for new clusters. Defaults to the version specified in the operator.
`PULL_SECRET_NAME` | Name of an additional pull secret to be defined in the operator's namespace and to be used to download images
`STANDBY_TCP_USER_TIMEOUT` | Defines the [`TCP_USER_TIMEOUT` socket option](https://www.postgresql.org/docs/current/runtime-config-connection.html#GUC-TCP-USER-TIMEOUT) for replication connections from standby instances to the primary. Default is 0 (system's default).
-`DRAIN_TAINTS` | Specifies the taint keys that should be interpreted as indicators of node drain. By default, it includes the taints commonly applied by [kubectl](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/), [Cluster Autoscaler](https://github.com/kubernetes/autoscaler), and [Karpenter](https://github.com/aws/karpenter-provider-aws): `node.kubernetes.io/unschedulable`, `ToBeDeletedByClusterAutoscaler`, `karpenter.sh/disrupted`, `karpenter.sh/disruption`.
+`WATCH_NAMESPACE` | Specifies the namespace(s) where the operator should watch for resources. Multiple namespaces can be specified separated by commas. If not set, the operator watches all namespaces (cluster-wide mode).
Values in `INHERITED_ANNOTATIONS` and `INHERITED_LABELS` support path-like wildcards. For example, the value `example.com/*` will match
both the value `example.com/one` and `example.com/two`.
diff --git a/website/versioned_docs/version-1.27/postgres_upgrades.md b/website/versioned_docs/version-1.27/postgres_upgrades.md
index 590181e..b193783 100644
--- a/website/versioned_docs/version-1.27/postgres_upgrades.md
+++ b/website/versioned_docs/version-1.27/postgres_upgrades.md
@@ -135,9 +135,10 @@ If the upgrade is successful, CloudNativePG:
:::warning
Re-cloning replicas can be time-consuming, especially for very large
databases. Plan accordingly to accommodate potential delays. After completing
- the upgrade, it is strongly recommended to take a full backup. Existing backup
- data (namely base backups and WAL files) is only available for the previous
- minor PostgreSQL release.
+ the upgrade, take a new base backup as soon as possible. Pre-upgrade backups
+ and WAL files cannot be used for point-in-time recovery (PITR) across major
+ version boundaries. See [Backup and WAL Archive Considerations](#backup-and-wal-archive-considerations)
+ for more details.
:::
:::warning
@@ -156,6 +157,71 @@ automatically decide the rollback.
Ensure you monitor the process closely and take corrective action if needed.
:::
+### Backup and WAL Archive Considerations
+
+When performing a major upgrade, `pg_upgrade` creates a new database system
+with a new *System ID* and resets the PostgreSQL timeline to 1. This has
+implications for backup and WAL archiving:
+
+- **Timeline file conflicts**: New timeline 1 files may overwrite timeline 1
+ files from the original cluster.
+- **Mixed version archives**: Without intervention, the archive will contain
+ WAL files and backups from both PostgreSQL versions.
+
+:::warning
+Point-in-time recovery (PITR) is not supported across major PostgreSQL version
+boundaries. You cannot use pre-upgrade backups to recover to a point in time
+after the upgrade. Take a new base backup as soon as possible after upgrading
+to establish a recovery baseline for the new major version.
+:::
+
+How backup systems handle major upgrades depends on the plugin implementation.
+Some plugins may automatically manage archive separation during upgrades, while
+others require manual configuration to use different archive paths for each
+major version. Consult your backup plugin documentation for its specific
+behavior during major upgrades.
+
+#### Example: Manual archive path separation with the Barman Cloud plugin
+
+The Barman Cloud plugin does not automatically separate archives during major
+upgrades. To preserve pre-upgrade backups and keep archives clean, change the
+`serverName` parameter when you trigger the upgrade.
+
+Before upgrade (PostgreSQL 16):
+
+```yaml
+spec:
+ imageName: ghcr.io/cloudnative-pg/postgresql:16-minimal-trixie
+ plugins:
+ - name: plugin-barman-cloud
+ enabled: true
+ parameters:
+ destinationPath: s3://my-bucket/
+ serverName: cluster-example-pg16
+```
+
+To trigger the upgrade, change both `imageName` and `serverName` together:
+
+```yaml
+spec:
+ imageName: ghcr.io/cloudnative-pg/postgresql:17-minimal-trixie
+ plugins:
+ - name: plugin-barman-cloud
+ enabled: true
+ parameters:
+ destinationPath: s3://my-bucket/
+ serverName: cluster-example-pg17
+```
+
+With this configuration, the old archive at `cluster-example-pg16` remains
+intact for pre-upgrade recovery, while the upgraded cluster writes to
+`cluster-example-pg17`.
+
+:::info
+The deprecated in-tree `barmanObjectStore` implementation also requires manual
+`serverName` changes to separate archives during major upgrades.
+:::
+
### Example: Performing a Major Upgrade
Consider the following PostgreSQL cluster running version 16:
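Review bot: please check the `plugins` stanza in both YAML examples against the Barman Cloud plugin's own documentation before merging. It names the plugin `plugin-barman-cloud` and passes `destinationPath` directly under `parameters`, and readers will copy this block verbatim. It would also help to state what happens if `imageName` is changed without `serverName`, since the text only says to change them together.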
diff --git a/website/versioned_docs/version-1.27/recovery.md b/website/versioned_docs/version-1.27/recovery.md
index 6240c00..94253e0 100644
--- a/website/versioned_docs/version-1.27/recovery.md
+++ b/website/versioned_docs/version-1.27/recovery.md
@@ -367,7 +367,7 @@ spec:
kind: VolumeSnapshot
apiGroup: snapshot.storage.k8s.io
recoveryTarget:
- targetTime: "2023-07-06T08:00:39"
+ targetTime: "2023-07-06T08:00:39Z"
externalClusters:
- name: origin
plugin:
@@ -405,9 +405,21 @@ Here are the recovery target criteria you can use:
targetTime
: Time stamp up to which recovery proceeds, expressed in
- [RFC 3339](https://datatracker.ietf.org/doc/html/rfc3339) format.
+ [RFC 3339](https://datatracker.ietf.org/doc/html/rfc3339) format, or as a
+ [timestamp](https://www.postgresql.org/docs/current/runtime-config-wal.html#GUC-RECOVERY-TARGET-TIME).
(The precise stopping point is also influenced by the `exclusive` option.)
+:::note
+ Timestamps without an explicit timezone suffix
+ (e.g., `2023-07-06 08:00:39`) are interpreted as UTC.
+:::
+
+:::warning
+ Always specify an explicit timezone in your timestamp to avoid ambiguity.
+ For example, use `2023-07-06T08:00:39Z` or `2023-07-06T08:00:39+02:00`
+ instead of `2023-07-06 08:00:39`.
+:::
+
:::warning
PostgreSQL recovery will stop when it encounters the first transaction that
occurs after the specified time. If no such transaction exists after the
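Review bot: the `targetTime` sentence now links to PostgreSQL's `recovery_target_time` for the non-RFC 3339 format, while the note right below states that zone-less values are interpreted as UTC. Say explicitly that the UTC rule is applied by CloudNativePG, so a reader following the link does not assume PostgreSQL's own timezone handling applies. The new note and the new warning cover the same topic and could be merged into one admonition, leaving two boxes in a row instead of three.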
@@ -623,4 +635,4 @@ data.
cluster. However, this is strongly discouraged unless you are highly
familiar with PostgreSQL's recovery process. Skipping the check incorrectly can
lead to severe data loss. Use with caution and only in expert scenarios.
-:::
\ No newline at end of file
+:::
diff --git a/website/versioned_docs/version-1.27/release_notes/old/v1.18.md b/website/versioned_docs/version-1.27/release_notes/old/v1.18.md
index db56530..7ca7145 100644
--- a/website/versioned_docs/version-1.27/release_notes/old/v1.18.md
+++ b/website/versioned_docs/version-1.27/release_notes/old/v1.18.md
@@ -68,7 +68,7 @@ Fixes:
CloudNativePG is dropping support for PostgreSQL 10, as PostgreSQL 10
reached End-of-Life (EOL) in November 2022. Versions 11 and newer are
supported. Please plan your migration to PostgreSQL 15 as soon as possible.
- Refer to ["Importing Postgres databases"](https://cloudnative-pg.io/documentation/current/database_import/)
+ Refer to ["Importing Postgres databases"](https://cloudnative-pg.io/docs/devel/database_import/)
for more information on PostgreSQL major offline upgrades.
:::
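Review bot: the replacement link points at `/docs/devel/database_import/` from inside the versioned 1.27 docs. The `devel` tree can diverge from what a 1.27 user is running, so a version-pinned or relative link to the 1.27 copy of `database_import` would be safer. The same substitution is made in `v1.19.md` and in the `k9s/plugins.yml` comment later in this patch.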
diff --git a/website/versioned_docs/version-1.27/release_notes/old/v1.19.md b/website/versioned_docs/version-1.27/release_notes/old/v1.19.md
index 9683e29..88adcfa 100644
--- a/website/versioned_docs/version-1.27/release_notes/old/v1.19.md
+++ b/website/versioned_docs/version-1.27/release_notes/old/v1.19.md
@@ -292,7 +292,7 @@ Important announcements:
- PostgreSQL version 10 is no longer supported as it has reached its EOL.
Versions 11 and newer are supported. Please plan your migration to
PostgreSQL 15 as soon as possible. Refer to
- ["Importing Postgres databases"](https://cloudnative-pg.io/documentation/current/database_import/)
+ ["Importing Postgres databases"](https://cloudnative-pg.io/docs/devel/database_import/)
for more information on PostgreSQL major offline upgrades.
Features:
diff --git a/website/versioned_docs/version-1.27/release_notes/v1.27.md b/website/versioned_docs/version-1.27/release_notes/v1.27.md
index f4d44bd..d691936 100644
--- a/website/versioned_docs/version-1.27/release_notes/v1.27.md
+++ b/website/versioned_docs/version-1.27/release_notes/v1.27.md
@@ -11,6 +11,119 @@ For a complete list of changes, please refer to the
[commits](https://github.com/cloudnative-pg/cloudnative-pg/commits/release-1.27)
on the release branch in GitHub.
+## Version 1.27.3
+
+**Release date:** Feb 5, 2026
+
+### Enhancements
+
+- Added support for Azure's `DefaultAzureCredential` authentication mechanism
+ for backup and recovery operations. This can be enabled by setting
+ `azureCredentials.useDefaultAzureCredentials: true` in the backup
+ configuration, simplifying authentication in Azure environments without
+ requiring explicit storage account keys or SAS tokens.
+ ([#9468](https://github.com/cloudnative-pg/cloudnative-pg/pull/9468))
+
+- Added support for PostgreSQL extension names containing underscores (e.g.,
+ `pg_ivm`, `pg_stat_statements`). Extension names with underscores are
+ automatically sanitized to use hyphens for Kubernetes volume names while
+ preserving the original name in mount paths. Webhook validation prevents
+ naming conflicts after sanitization. Contributed by @shusaan.
+ ([#9386](https://github.com/cloudnative-pg/cloudnative-pg/pull/9386))
+
+### Fixes
+
+- Fixed a critical issue where the `TimelineID` in the cluster status was not
+ reset to 1 after a major version upgrade. Because `pg_upgrade` initializes a
+ new timeline, keeping the old ID (e.g., timeline 2) caused replicas to attempt
+ to restore incompatible history files from object storage, leading to fatal
+ "requested timeline is not a child of this server's history" errors.
+ ([#9830](https://github.com/cloudnative-pg/cloudnative-pg/pull/9830))
+
+- Fixed a bug where replicas could enter a crash-loop by attempting to download
+ timeline history files from future timelines. This occurred when stale files
+ remained in the WAL archive from a previous cluster life, and replicas would
+ incorrectly try to fetch them during recovery.
+ ([#9650](https://github.com/cloudnative-pg/cloudnative-pg/pull/9650))
+
+- Fixed a race condition in `replica_cluster` setups during designated primary
+ transitions, preventing transient "no primary" states in the replica cluster.
+ ([#9601](https://github.com/cloudnative-pg/cloudnative-pg/pull/9601))
+
+- The backup controller now uses the unique instance session ID to detect
+ instance manager restarts. This prevents the operator from incorrectly
+ assuming a backup is still progressing if the underlying container has crashed
+ and restarted, which previously led to orphaned backup objects.
+ ([#9370](https://github.com/cloudnative-pg/cloudnative-pg/pull/9370))
+
+- Fixed a validation gap in Azure object store configurations where the
+ `storageAccount` was not required when using explicit credentials (such as a
+ storage key or SAS token). The operator now enforces that a storage account
+ name is provided in these cases and that `connectionString` is mutually
+ exclusive with other authentication parameters.
+ ([#9604](https://github.com/cloudnative-pg/cloudnative-pg/pull/9604))
+
+- Optimized the deletion path so the operator begins cleaning up resources
+ immediately when a cluster is marked for deletion. This significantly reduces
+ the time a cluster remains in `Terminating` status while waiting for internal
+ reconciliation loops.
+ ([#9555](https://github.com/cloudnative-pg/cloudnative-pg/pull/9555))
+
+- Fixed an issue where replication slots were not properly dropped from
+ replicas when the feature was disabled or the cluster was reconfigured.
+ This ensures that unused slots do not cause WAL build-up on the primary.
+ ([#9381](https://github.com/cloudnative-pg/cloudnative-pg/pull/9381))
+
+- Fixed an issue where `imagePullSecrets` were not added to the `ServiceAccount`
+ created for the `Pooler`. Previously, these secrets were applied to the
+ Deployment but not the SA, which caused image pull failures in restricted
+ environments using certain security policies.
+ ([#9427](https://github.com/cloudnative-pg/cloudnative-pg/pull/9427))
+
+- Added a check to verify ownership before the operator deletes a `PodMonitor`.
+ This prevents the operator from accidentally deleting manually managed
+ monitoring resources that happen to share a name with expected CNPG
+ resources. Contributed by @juliamertz.
+ ([#9340](https://github.com/cloudnative-pg/cloudnative-pg/pull/9340))
+
+- Fixed a bug where `pg_stat_archiver` metrics would continue to report stale
+ data on standby instances after a switchover. The exporter now skips these
+ metrics on standbys, as PostgreSQL only provides valid archiver stats on the
+ primary.
+ ([#9411](https://github.com/cloudnative-pg/cloudnative-pg/pull/9411))
+
+- Clarified the interpretation of timestamp formats for recovery `targetTime`.
+ Timestamps provided without an explicit timezone are now consistently
+ interpreted as UTC. Contributed by @pchovelon.
+ ([#8937](https://github.com/cloudnative-pg/cloudnative-pg/pull/8937))
+
+- Fixed backup status updates to prevent "resource has been modified" errors
+ during concurrent updates.
+ ([#9551](https://github.com/cloudnative-pg/cloudnative-pg/pull/9551))
+
+- Fixed event reporting to use the correct pod name when a backup pod is not
+ found.
+ ([#9552](https://github.com/cloudnative-pg/cloudnative-pg/pull/9552))
+
+- Improved performance of scheduled backup operations for clusters with a very
+ high number of historical backups.
+ ([#9489](https://github.com/cloudnative-pg/cloudnative-pg/pull/9489))
+
+- Fixed error handling when removing finalizers on `Database` objects.
+ ([#9431](https://github.com/cloudnative-pg/cloudnative-pg/pull/9431))
+
+- `cnpg` plugin:
+
+ - Updated the `status` command to display "Disabled" when the
+ `skipWalArchiving` annotation is present on a cluster. This replaces
+ confusing "starting up" or "unknown" states when WAL archiving is
+ intentionally bypassed.
+ ([#9709](https://github.com/cloudnative-pg/cloudnative-pg/pull/9709))
+
+ - Fixed the `logs --follow` command to continue polling for new pods instead
+ of exiting prematurely when all current log streams complete.
+ ([#9599](https://github.com/cloudnative-pg/cloudnative-pg/pull/9599))
+
## Version 1.27.2
**Release date:** Dec 9, 2025
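Review bot: the `targetTime` entry under "Fixes" is worded as "Clarified the interpretation" but then says zone-less timestamps "are now consistently interpreted as UTC", which reads as a behaviour change that can move a recovery target for anyone who relied on the previous handling. State explicitly whether behaviour changed in 1.27.3 and, if so, call it out as such. Several other entries in this list ("Optimized the deletion path", "Improved performance of scheduled backup operations") are not fixes either and may belong under "Enhancements".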
diff --git a/website/versioned_docs/version-1.27/samples/k9s/plugins.yml b/website/versioned_docs/version-1.27/samples/k9s/plugins.yml
index b51ad07..3a84485 100644
--- a/website/versioned_docs/version-1.27/samples/k9s/plugins.yml
+++ b/website/versioned_docs/version-1.27/samples/k9s/plugins.yml
@@ -1,5 +1,5 @@
# Move/add to $XDG_CONFIG_HOME/k9s/plugins.yaml
-# Requires the cnpg kubectl plugin. See https://cloudnative-pg.io/documentation/current/kubectl-plugin/
+# Requires the cnpg kubectl plugin. See https://cloudnative-pg.io/docs/devel/kubectl-plugin/
#
# Cluster actions:
# b Request a new physical backup
@@ -131,4 +131,4 @@ plugins:
background: false
args:
- -c
- - "kubectl cnpg status $NAME -n $NAMESPACE --context \"$CONTEXT\" --verbose 2>&1 | less -R"
\ No newline at end of file
+ - "kubectl cnpg status $NAME -n $NAMESPACE --context \"$CONTEXT\" --verbose 2>&1 | less -R"
diff --git a/website/versioned_docs/version-1.28/appendixes/_category_.json b/website/versioned_docs/version-1.28/appendixes/_category_.json
new file mode 100644
index 0000000..406ff35
--- /dev/null
+++ b/website/versioned_docs/version-1.28/appendixes/_category_.json
@@ -0,0 +1,7 @@
+{
+ "label": "Appendixes",
+ "position": 600,
+ "link": {
+ "type": "generated-index"
+ }
+}
diff --git a/website/versioned_docs/version-1.28/appendixes/object_stores.md b/website/versioned_docs/version-1.28/appendixes/object_stores.md
index 91d1dcb..2e35f76 100644
--- a/website/versioned_docs/version-1.28/appendixes/object_stores.md
+++ b/website/versioned_docs/version-1.28/appendixes/object_stores.md
@@ -27,6 +27,16 @@ You can also use any compatible implementation of the supported services.
The required setup depends on the chosen storage provider and is
discussed in the following sections.
+:::note Authentication Methods
+CloudNativePG does not independently test all authentication methods
+supported by `barman-cloud`. CloudNativePG's responsibility is limited to passing
+the provided credentials to `barman-cloud`, which then handles authentication
+according to its own implementation. Users should refer to the
+[Barman Cloud documentation](https://docs.pgbarman.org/release/latest/) to
+verify that their chosen authentication method is supported and properly
+configured.
+:::
+
## AWS S3
[AWS Simple Storage Service (S3)](https://aws.amazon.com/s3/) is
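Review bot: the new admonition is opened as `:::note Authentication Methods`, while the titled admonitions converted elsewhere in this patch use the bracket form (`:::warning[Feature Deprecation Notice]`). Use one title syntax across the docs so the title renders the same way everywhere.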
@@ -195,17 +205,15 @@ spec:
[Azure Blob Storage](https://azure.microsoft.com/en-us/services/storage/blobs/) is the
object storage service provided by Microsoft.
-In order to access your storage account for backup and recovery of
-CloudNativePG managed databases, you will need one of the following
-combinations of credentials:
+CloudNativePG supports the following authentication methods for Azure Blob Storage:
- [Connection String](https://docs.microsoft.com/en-us/azure/storage/common/storage-configure-connection-string#configure-a-connection-string-for-an-azure-storage-account)
-- Storage account name and [Storage account access key](https://docs.microsoft.com/en-us/azure/storage/common/storage-account-keys-manage)
-- Storage account name and [Storage account SAS Token](https://docs.microsoft.com/en-us/azure/storage/blobs/sas-service-create)
-- Storage account name and [Azure AD Workload Identity](https://azure.github.io/azure-workload-identity/docs/introduction.html)
-properly configured.
+- Storage Account Name + [Storage Account Access Key](https://docs.microsoft.com/en-us/azure/storage/common/storage-account-keys-manage)
+- Storage Account Name + [Storage Account SAS Token](https://docs.microsoft.com/en-us/azure/storage/blobs/sas-service-create)
+- [Azure AD Managed Identity](https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/overview)
+- [Default Azure Credentials](https://learn.microsoft.com/en-us/python/api/azure-identity/azure.identity.defaultazurecredential?view=azure-python)
-Using **Azure AD Workload Identity**, you can avoid saving the credentials into a Kubernetes Secret,
+Using **Azure AD Managed Identity**, you can avoid saving the credentials into a Kubernetes Secret,
and have a Cluster configuration adding the `inheritFromAzureAD` as follows:
```yaml
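Review bot: the list entry and the sentence below it change "Azure AD Workload Identity" to "Azure AD Managed Identity" and swap the link, but the configuration shown is still `inheritFromAzureAD`. These are different Azure identity mechanisms, so this is more than a rename. Confirm which one `inheritFromAzureAD` actually relies on, and if Workload Identity remains supported keep it in the list so existing users do not conclude it was dropped.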
@@ -220,6 +228,23 @@ spec:
inheritFromAzureAD: true
```
+Alternatively, you can use the **Default Azure Credentials** authentication mechanism, which provides
+a seamless authentication experience by supporting multiple authentication methods including environment
+variables, managed identities, and Azure CLI credentials. Add the `useDefaultAzureCredentials` flag
+as follows:
+
+```yaml
+apiVersion: postgresql.cnpg.io/v1
+kind: Cluster
+[...]
+spec:
+ backup:
+ barmanObjectStore:
+ destinationPath: ""
+ azureCredentials:
+ useDefaultAzureCredentials: true
+```
+
On the other side, using both **Storage account access key** or **Storage account SAS Token**,
the credentials need to be stored inside a Kubernetes Secret, adding data entries only when
needed. The following command performs that:
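Review bot: the new paragraph says this mechanism tries environment variables, managed identities and Azure CLI credentials, but it does not say which of these sources is expected to exist inside the instance pods, so a reader cannot tell which identity will end up writing backups. State the intended source for a Kubernetes deployment. Also replace `destinationPath: ""` in the example with a placeholder value, since an empty string invites copying a manifest that cannot work.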
diff --git a/website/versioned_docs/version-1.28/cloudnative-pg.v1.md b/website/versioned_docs/version-1.28/cloudnative-pg.v1.md
index 19221d8..0c6cbba 100644
--- a/website/versioned_docs/version-1.28/cloudnative-pg.v1.md
+++ b/website/versioned_docs/version-1.28/cloudnative-pg.v1.md
@@ -982,7 +982,7 @@ _Appears in:_
| Field | Description | Required | Default | Validation |
| --- | --- | --- | --- | --- |
-| `name` _string_ | The name of the extension, required | True | | MinLength: 1
Pattern: `^[a-z0-9]([-a-z0-9]*[a-z0-9])?$`
|
+| `name` _string_ | The name of the extension, required | True | | MinLength: 1
Pattern: `^[a-z0-9]([-a-z0-9_]*[a-z0-9])?$`
|
| `image` _[ImageVolumeSource](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#imagevolumesource-v1-core)_ | The image containing the extension, required | True | | |
| `extension_control_path` _string array_ | The list of directories inside the image which should be added to extension_control_path.
If not defined, defaults to "/share". | | | |
| `dynamic_library_path` _string array_ | The list of directories inside the image which should be added to dynamic_library_path.
If not defined, defaults to "/lib". | | | |
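Review bot: the `name` validation still has no upper bound (only `MinLength: 1` and the pattern), yet this patch documents that the sanitized name is used as a Kubernetes volume name that must comply with RFC 1123 DNS label requirements, and a DNS label is limited to 63 characters. Consider adding a `MaxLength` to the schema, or document the limit in the description. The description cell could also mention the uniqueness-after-sanitization rule that the webhook enforces.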
@@ -1237,6 +1237,7 @@ _Appears in:_
| --- | --- | --- | --- | --- |
| `podName` _string_ | The pod name | | | |
| `ContainerID` _string_ | The container ID | | | |
+| `sessionID` _string_ | The instance manager session ID. This is a unique identifier generated at instance manager
startup and changes on every restart (including container reboots). Used to detect if
the instance manager was restarted during long-running operations like backups, which
would terminate any running backup process. | | | |
#### InstanceReportedState
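Review bot: The `sessionID` description says what the value is used for but not what a consumer may assume about it; state that it is an opaque identifier to be compared for equality only. The casing also differs from the `ContainerID` row directly above, which is worth a second look while this table is being edited.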
@@ -2230,7 +2231,7 @@ _Appears in:_
| `targetXID` _string_ | The target transaction ID | | | |
| `targetName` _string_ | The target name (to be previously created
with `pg_create_restore_point`) | | | |
| `targetLSN` _string_ | The target LSN (Log Sequence Number) | | | |
-| `targetTime` _string_ | The target time as a timestamp in the RFC3339 standard | | | |
+| `targetTime` _string_ | The target time as a timestamp in RFC3339 format or PostgreSQL timestamp format.
Timestamps without an explicit timezone are interpreted as UTC. | | | |
| `targetImmediate` _boolean_ | End recovery as soon as a consistent state is reached | | | |
| `exclusive` _boolean_ | Set the target to be exclusive. If omitted, defaults to false, so that
in Postgres, `recovery_target_inclusive` will be true | | | |
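Review bot: The new `targetTime` text names a "PostgreSQL timestamp format" without a link or an example, so the reader cannot tell which inputs are accepted; link to the `recovery_target_time` documentation as the recovery.md change does, and give one example value. Since values without a timezone are read as UTC without any warning, this cell should also carry the recommendation to always include an explicit timezone.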
diff --git a/website/versioned_docs/version-1.28/cncf-projects/_category_.json b/website/versioned_docs/version-1.28/cncf-projects/_category_.json
new file mode 100644
index 0000000..0bb5a46
--- /dev/null
+++ b/website/versioned_docs/version-1.28/cncf-projects/_category_.json
@@ -0,0 +1,7 @@
+{
+ "label": "CNCF Projects Integrations",
+ "position": 590,
+ "link": {
+ "type": "generated-index"
+ }
+}
diff --git a/website/versioned_docs/version-1.28/cnpg_i.md b/website/versioned_docs/version-1.28/cnpg_i.md
index a922af4..06eadfb 100644
--- a/website/versioned_docs/version-1.28/cnpg_i.md
+++ b/website/versioned_docs/version-1.28/cnpg_i.md
@@ -200,7 +200,7 @@ must include this DNS name in its Subject Alternative Names (SAN).
To enable a plugin, configure the `.spec.plugins` section in your `Cluster`
resource. Refer to the CloudNativePG API Reference for the full
-[PluginConfiguration](https://cloudnative-pg.io/documentation/current/cloudnative-pg.v1/#postgresql-cnpg-io-v1-PluginConfiguration)
+[PluginConfiguration](https://cloudnative-pg.io/docs/devel/cloudnative-pg.v1/#pluginconfiguration)
specification.
Example:
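Review bot: The replacement link in this version-1.28 page points at `/docs/devel/`, so readers of the 1.28 docs land on the development API reference, which may describe fields that 1.28 does not have. A relative link such as `cloudnative-pg.v1.md#pluginconfiguration`, in the style connection_pooling.md uses for `PoolerSpec`, keeps the reference inside the same version.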
diff --git a/website/versioned_docs/version-1.28/connection_pooling.md b/website/versioned_docs/version-1.28/connection_pooling.md
index fb9a51f..3c94f6b 100644
--- a/website/versioned_docs/version-1.28/connection_pooling.md
+++ b/website/versioned_docs/version-1.28/connection_pooling.md
@@ -221,15 +221,38 @@ replicate similar behavior to the default setup.
## Pod templates
-You can take advantage of pod templates specification in the `template`
-section of a `Pooler` resource. For details, see
-[`PoolerSpec`](cloudnative-pg.v1.md#poolerspec) in the API reference.
-Using templates, you can configure pods as you like, including fine control
-over affinity and anti-affinity rules for pods and nodes. By default,
-containers use images from `ghcr.io/cloudnative-pg/pgbouncer`.
+The `Pooler` resource allows you to customize the underlying pods via the
+`template` section. This provides full access to the Kubernetes `PodSpec` for
+advanced configurations like scheduling constraints, custom security contexts,
+or resource overrides.
-This example shows `Pooler` specifying `PodAntiAffinity``:
+For a complete list of supported fields, see the
+[`PoolerSpec`](cloudnative-pg.v1.md#poolerspec) API reference.
+
+### Key requirements
+
+- **The `pgbouncer` container name:** When overriding container settings (like
+ images or resources), the name of the container **must** be set to
+ `pgbouncer`. The operator looks for this specific name to manage the
+ PgBouncer process.
+
+- **Mandatory `containers` field:** Since `template` follows the standard
+ Kubernetes `PodSpec` schema, the `containers` field is mandatory.
+
+- If you aren't modifying container-level settings, you must set it to an empty
+ array: `containers: []`.
+
+- If the `containers` field is missing, the API server will throw a
+ `ValidationError`.
+
+### Examples
+
+#### High availability with pod anti-affinity
+
+This configuration uses `podAntiAffinity` to ensure that PgBouncer pods are
+distributed across different nodes, preventing a single node failure from
+taking down the entire pool.
```yaml
apiVersion: postgresql.cnpg.io/v1
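Review bot: Under "Key requirements", the two bullets about `containers: []` and the `ValidationError` are written as top-level items although they elaborate the "Mandatory `containers` field" bullet; nest them under it so the list reads as two requirements. The rewrite also drops the sentence stating that containers use images from `ghcr.io/cloudnative-pg/pgbouncer` by default; keep it, since the "Custom image" example only makes sense against a known default.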
@@ -260,16 +283,10 @@ spec:
topologyKey: "kubernetes.io/hostname"
```
-:::note
- Explicitly set `.spec.template.spec.containers` to `[]` when not modified,
- as it's a required field for a `PodSpec`. If `.spec.template.spec.containers`
- isn't set, the Kubernetes api-server returns the following error when trying to
- apply the manifest:`error validating "pooler.yaml": error validating data:
- ValidationError(Pooler.spec.template.spec): missing required field
- "containers"`
-:::
+#### Custom image and resource limits
-This example sets resources and changes the used image:
+You can specify a custom image and define resource requests/limits. Note that
+the container name is explicitly set to `pgbouncer`.
```yaml
apiVersion: postgresql.cnpg.io/v1
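Review bot: The removed note carried the verbatim API server message (`missing required field "containers"`), which is the text users search for when the apply fails; the replacement in "Key requirements" only says that a `ValidationError` is thrown. Keep the exact message text in the new section.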
@@ -288,6 +305,7 @@ spec:
app: pooler
spec:
containers:
+ # This name MUST be "pgbouncer"
- name: pgbouncer
image: my-pgbouncer:latest
resources:
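Review bot: The added comment stresses the container name, but the example's `image: my-pgbouncer:latest` line right after it still shows a mutable `latest` tag; documentation examples get copied, so show a fixed tag or a digest here. The comment could also say why the name is required, for instance that the operator matches the container by this name.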
@@ -648,9 +666,10 @@ spec:
### Deprecation of Automatic `PodMonitor` Creation
-!!!warning "Feature Deprecation Notice"
+:::warning[Feature Deprecation Notice]
The `.spec.monitoring.enablePodMonitor` field in the `Pooler` resource is
now deprecated and will be removed in a future version of the operator.
+:::
If you are currently using this feature, we strongly recommend you either
remove or set `.spec.monitoring.enablePodMonitor` to `false` and manually
diff --git a/website/versioned_docs/version-1.28/imagevolume_extensions.md b/website/versioned_docs/version-1.28/imagevolume_extensions.md
index c759b8e..6defa81 100644
--- a/website/versioned_docs/version-1.28/imagevolume_extensions.md
+++ b/website/versioned_docs/version-1.28/imagevolume_extensions.md
@@ -137,9 +137,17 @@ spec:
The `name` field is **mandatory** and **must be unique within the cluster**, as
it determines the mount path (`/extensions/foo` in this example). It must
-consist of *lowercase alphanumeric characters or hyphens (`-`)* and must start
+consist of *lowercase alphanumeric characters, underscores (`_`) or hyphens (`-`)* and must start
and end with an alphanumeric character.
+:::note
+Extension names containing underscores (e.g., `pg_ivm`) are converted to use
+hyphens (e.g., `pg-ivm`) for Kubernetes volume names to comply with RFC 1123
+DNS label requirements. Do not use extension names that become identical after
+sanitization (e.g., `pg_ivm` and `pg-ivm` both sanitize to `pg-ivm`). The
+webhook validation will prevent such conflicts.
+:::
+
The `image` stanza follows the [Kubernetes `ImageVolume` API](https://kubernetes.io/docs/tasks/configure-pod-container/image-volumes/).
The `reference` must point to a valid container registry path for the extension
image.
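Review bot: The new note tells users not to pick names that collide after sanitization and then says the webhook will prevent such conflicts, which leaves it unclear whether this is advice or an enforced rule. State it as the rule: a `Cluster` listing both `pg_ivm` and `pg-ivm` is rejected at admission. It is also worth saying here that the mount path keeps the original name, as the release notes in this same change do.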
diff --git a/website/versioned_docs/version-1.28/installation_upgrade.md b/website/versioned_docs/version-1.28/installation_upgrade.md
index 7baba55..c664743 100644
--- a/website/versioned_docs/version-1.28/installation_upgrade.md
+++ b/website/versioned_docs/version-1.28/installation_upgrade.md
@@ -14,12 +14,12 @@ title: Installation and upgrades
The operator can be installed like any other resource in Kubernetes,
through a YAML manifest applied via `kubectl`.
-You can install the [latest operator manifest](https://raw.githubusercontent.com/cloudnative-pg/cloudnative-pg/release-1.28/releases/cnpg-1.28.0.yaml)
+You can install the [latest operator manifest](https://raw.githubusercontent.com/cloudnative-pg/cloudnative-pg/release-1.28/releases/cnpg-1.28.1.yaml)
for this minor release as follows:
```sh
kubectl apply --server-side -f \
- https://raw.githubusercontent.com/cloudnative-pg/cloudnative-pg/release-1.28/releases/cnpg-1.28.0.yaml
+ https://raw.githubusercontent.com/cloudnative-pg/cloudnative-pg/release-1.28/releases/cnpg-1.28.1.yaml
```
You can verify that with:
diff --git a/website/versioned_docs/version-1.28/kubectl-plugin.md b/website/versioned_docs/version-1.28/kubectl-plugin.md
index 26521a9..25f07a7 100644
--- a/website/versioned_docs/version-1.28/kubectl-plugin.md
+++ b/website/versioned_docs/version-1.28/kubectl-plugin.md
@@ -38,11 +38,11 @@ them in your systems.
#### Debian packages
-For example, let's install the 1.28.0 release of the plugin, for an Intel based
+For example, let's install the 1.28.1 release of the plugin, for an Intel based
64 bit server. First, we download the right `.deb` file.
```sh
-wget https://github.com/cloudnative-pg/cloudnative-pg/releases/download/v1.28.0/kubectl-cnpg_1.28.0_linux_x86_64.deb \
+wget https://github.com/cloudnative-pg/cloudnative-pg/releases/download/v1.28.1/kubectl-cnpg_1.28.1_linux_x86_64.deb \
--output-document kube-plugin.deb
```
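Review bot: The bumped `wget` line feeds straight into `sudo dpkg -i` in the next block with no integrity check on the downloaded `.deb`. If the release page carries checksums or signatures for the packages, add a verification step between download and install while these lines are being touched; the same applies to the `.rpm` section.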
@@ -53,17 +53,17 @@ $ sudo dpkg -i kube-plugin.deb
Selecting previously unselected package cnpg.
(Reading database ... 6688 files and directories currently installed.)
Preparing to unpack kube-plugin.deb ...
-Unpacking cnpg (1.28.0) ...
-Setting up cnpg (1.28.0) ...
+Unpacking cnpg (1.28.1) ...
+Setting up cnpg (1.28.1) ...
```
#### RPM packages
-As in the example for `.rpm` packages, let's install the 1.28.0 release for an
+As in the example for `.rpm` packages, let's install the 1.28.1 release for an
Intel 64 bit machine. Note the `--output` flag to provide a file name.
```sh
-curl -L https://github.com/cloudnative-pg/cloudnative-pg/releases/download/v1.28.0/kubectl-cnpg_1.28.0_linux_x86_64.rpm \
+curl -L https://github.com/cloudnative-pg/cloudnative-pg/releases/download/v1.28.1/kubectl-cnpg_1.28.1_linux_x86_64.rpm \
--output kube-plugin.rpm
```
@@ -77,7 +77,7 @@ Dependencies resolved.
Package Architecture Version Repository Size
====================================================================================================
Installing:
- cnpg x86_64 1.28.0 @commandline 20 M
+ cnpg x86_64 1.28.1 @commandline 20 M
Transaction Summary
====================================================================================================
@@ -306,9 +306,9 @@ sandbox-3 0/604DE38 0/604DE38 0/604DE38 0/604DE38 00:00:00 00:00:00 00
Instances status
Name Current LSN Replication role Status QoS Manager Version Node
---- ----------- ---------------- ------ --- --------------- ----
-sandbox-1 0/604DE38 Primary OK BestEffort 1.28.0 k8s-eu-worker
-sandbox-2 0/604DE38 Standby (async) OK BestEffort 1.28.0 k8s-eu-worker2
-sandbox-3 0/604DE38 Standby (async) OK BestEffort 1.28.0 k8s-eu-worker
+sandbox-1 0/604DE38 Primary OK BestEffort 1.28.1 k8s-eu-worker
+sandbox-2 0/604DE38 Standby (async) OK BestEffort 1.28.1 k8s-eu-worker2
+sandbox-3 0/604DE38 Standby (async) OK BestEffort 1.28.1 k8s-eu-worker
```
If you require more detailed status information, use the `--verbose` option (or
@@ -362,9 +362,9 @@ sandbox-primary primary 1 1 1
Instances status
Name Current LSN Replication role Status QoS Manager Version Node
---- ----------- ---------------- ------ --- --------------- ----
-sandbox-1 0/6053720 Primary OK BestEffort 1.28.0 k8s-eu-worker
-sandbox-2 0/6053720 Standby (async) OK BestEffort 1.28.0 k8s-eu-worker2
-sandbox-3 0/6053720 Standby (async) OK BestEffort 1.28.0 k8s-eu-worker
+sandbox-1 0/6053720 Primary OK BestEffort 1.28.1 k8s-eu-worker
+sandbox-2 0/6053720 Standby (async) OK BestEffort 1.28.1 k8s-eu-worker2
+sandbox-3 0/6053720 Standby (async) OK BestEffort 1.28.1 k8s-eu-worker
```
With an additional `-v` (e.g. `kubectl cnpg status sandbox -v -v`), you can
@@ -640,12 +640,12 @@ Archive: report_operator_.zip
```output
====== Beginning of Previous Log =====
-2023-03-28T12:56:41.251711811Z {"level":"info","ts":"2023-03-28T12:56:41Z","logger":"setup","msg":"Starting CloudNativePG Operator","version":"1.28.0","build":{"Version":"1.28.0+dev107","Commit":"cc9bab17","Date":"2023-03-28"}}
+2023-03-28T12:56:41.251711811Z {"level":"info","ts":"2023-03-28T12:56:41Z","logger":"setup","msg":"Starting CloudNativePG Operator","version":"1.28.1","build":{"Version":"1.28.1+dev107","Commit":"cc9bab17","Date":"2023-03-28"}}
2023-03-28T12:56:41.251851909Z {"level":"info","ts":"2023-03-28T12:56:41Z","logger":"setup","msg":"Starting pprof HTTP server","addr":"0.0.0.0:6060"}
====== End of Previous Log =====
-2023-03-28T12:57:09.854306024Z {"level":"info","ts":"2023-03-28T12:57:09Z","logger":"setup","msg":"Starting CloudNativePG Operator","version":"1.28.0","build":{"Version":"1.28.0+dev107","Commit":"cc9bab17","Date":"2023-03-28"}}
+2023-03-28T12:57:09.854306024Z {"level":"info","ts":"2023-03-28T12:57:09Z","logger":"setup","msg":"Starting CloudNativePG Operator","version":"1.28.1","build":{"Version":"1.28.1+dev107","Commit":"cc9bab17","Date":"2023-03-28"}}
2023-03-28T12:57:09.854363943Z {"level":"info","ts":"2023-03-28T12:57:09Z","logger":"setup","msg":"Starting pprof HTTP server","addr":"0.0.0.0:6060"}
```
diff --git a/website/versioned_docs/version-1.28/monitoring.md b/website/versioned_docs/version-1.28/monitoring.md
index e780ee2..ad0a2e7 100644
--- a/website/versioned_docs/version-1.28/monitoring.md
+++ b/website/versioned_docs/version-1.28/monitoring.md
@@ -118,9 +118,10 @@ spec:
#### Deprecation of Automatic `PodMonitor` Creation
-!!!warning "Feature Deprecation Notice"
+:::warning[Feature Deprecation Notice]
The `.spec.monitoring.enablePodMonitor` field in the `Cluster` resource is
now deprecated and will be removed in a future version of the operator.
+:::
If you are currently using this feature, we strongly recommend you either
remove or set `.spec.monitoring.enablePodMonitor` to `false` and manually
diff --git a/website/versioned_docs/version-1.28/operator_conf.md b/website/versioned_docs/version-1.28/operator_conf.md
index 3580088..b97290f 100644
--- a/website/versioned_docs/version-1.28/operator_conf.md
+++ b/website/versioned_docs/version-1.28/operator_conf.md
@@ -48,8 +48,9 @@ Name | Description
`CERTIFICATE_DURATION` | Determines the lifetime of the generated certificates in days. Default is 90.
`CLUSTERS_ROLLOUT_DELAY` | The duration (in seconds) to wait between the roll-outs of different clusters during an operator upgrade. This setting controls the timing of upgrades across clusters, spreading them out to reduce system impact. The default value is `0` which means no delay between PostgreSQL cluster upgrades.
`CREATE_ANY_SERVICE` | When set to `true`, will create `-any` service for the cluster. Default is `false`
+`DRAIN_TAINTS` | Specifies the taint keys that should be interpreted as indicators of node drain. By default, it includes the taints commonly applied by [kubectl](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/), [Cluster Autoscaler](https://github.com/kubernetes/autoscaler), and [Karpenter](https://github.com/aws/karpenter-provider-aws): `node.kubernetes.io/unschedulable`, `ToBeDeletedByClusterAutoscaler`, `karpenter.sh/disrupted`, `karpenter.sh/disruption`.
`ENABLE_INSTANCE_MANAGER_INPLACE_UPDATES` | When set to `true`, enables in-place updates of the instance manager after an update of the operator, avoiding rolling updates of the cluster (default `false`)
-`EXPIRING_CHECK_THRESHOLD` | Determines the threshold, in days, for identifying a certificate as expiring. Default is 7.
+`EXPIRING_CHECK_THRESHOLD` | Determines the threshold, in days, for identifying a certificate as expiring. Default is 7.
`INCLUDE_PLUGINS` | A comma-separated list of plugins to be always included in the Cluster's reconciliation.
`INHERITED_ANNOTATIONS` | List of annotation names that, when defined in a `Cluster` metadata, will be inherited by all the generated resources, including pods
`INHERITED_LABELS` | List of label names that, when defined in a `Cluster` metadata, will be inherited by all the generated resources, including pods
@@ -63,7 +64,7 @@ Name | Description
`POSTGRES_IMAGE_NAME` | The name of the PostgreSQL image used by default for new clusters. Defaults to the version specified in the operator.
`PULL_SECRET_NAME` | Name of an additional pull secret to be defined in the operator's namespace and to be used to download images
`STANDBY_TCP_USER_TIMEOUT` | Defines the [`TCP_USER_TIMEOUT` socket option](https://www.postgresql.org/docs/current/runtime-config-connection.html#GUC-TCP-USER-TIMEOUT) in milliseconds for replication connections from standby instances to the primary. Default is 5000 (5 seconds). Set to `0` to use the system's default.
-`DRAIN_TAINTS` | Specifies the taint keys that should be interpreted as indicators of node drain. By default, it includes the taints commonly applied by [kubectl](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/), [Cluster Autoscaler](https://github.com/kubernetes/autoscaler), and [Karpenter](https://github.com/aws/karpenter-provider-aws): `node.kubernetes.io/unschedulable`, `ToBeDeletedByClusterAutoscaler`, `karpenter.sh/disrupted`, `karpenter.sh/disruption`.
+`WATCH_NAMESPACE` | Specifies the namespace(s) where the operator should watch for resources. Multiple namespaces can be specified separated by commas. If not set, the operator watches all namespaces (cluster-wide mode).
Values in `INHERITED_ANNOTATIONS` and `INHERITED_LABELS` support path-like wildcards. For example, the value `example.com/*` will match
both the value `example.com/one` and `example.com/two`.
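Review bot: The new `WATCH_NAMESPACE` row documents that an unset value means the operator watches every namespace, but not how an empty string or whitespace around the commas is treated. Because the fallback is the widest possible scope, spell out those cases so that a malformed list is not assumed to restrict the operator.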
diff --git a/website/versioned_docs/version-1.28/postgres_upgrades.md b/website/versioned_docs/version-1.28/postgres_upgrades.md
index 590181e..b193783 100644
--- a/website/versioned_docs/version-1.28/postgres_upgrades.md
+++ b/website/versioned_docs/version-1.28/postgres_upgrades.md
@@ -135,9 +135,10 @@ If the upgrade is successful, CloudNativePG:
:::warning
Re-cloning replicas can be time-consuming, especially for very large
databases. Plan accordingly to accommodate potential delays. After completing
- the upgrade, it is strongly recommended to take a full backup. Existing backup
- data (namely base backups and WAL files) is only available for the previous
- minor PostgreSQL release.
+ the upgrade, take a new base backup as soon as possible. Pre-upgrade backups
+ and WAL files cannot be used for point-in-time recovery (PITR) across major
+ version boundaries. See [Backup and WAL Archive Considerations](#backup-and-wal-archive-considerations)
+ for more details.
:::
:::warning
@@ -156,6 +157,71 @@ automatically decide the rollback.
Ensure you monitor the process closely and take corrective action if needed.
:::
+### Backup and WAL Archive Considerations
+
+When performing a major upgrade, `pg_upgrade` creates a new database system
+with a new *System ID* and resets the PostgreSQL timeline to 1. This has
+implications for backup and WAL archiving:
+
+- **Timeline file conflicts**: New timeline 1 files may overwrite timeline 1
+ files from the original cluster.
+- **Mixed version archives**: Without intervention, the archive will contain
+ WAL files and backups from both PostgreSQL versions.
+
+:::warning
+Point-in-time recovery (PITR) is not supported across major PostgreSQL version
+boundaries. You cannot use pre-upgrade backups to recover to a point in time
+after the upgrade. Take a new base backup as soon as possible after upgrading
+to establish a recovery baseline for the new major version.
+:::
+
+How backup systems handle major upgrades depends on the plugin implementation.
+Some plugins may automatically manage archive separation during upgrades, while
+others require manual configuration to use different archive paths for each
+major version. Consult your backup plugin documentation for its specific
+behavior during major upgrades.
+
+#### Example: Manual archive path separation with the Barman Cloud plugin
+
+The Barman Cloud plugin does not automatically separate archives during major
+upgrades. To preserve pre-upgrade backups and keep archives clean, change the
+`serverName` parameter when you trigger the upgrade.
+
+Before upgrade (PostgreSQL 16):
+
+```yaml
+spec:
+ imageName: ghcr.io/cloudnative-pg/postgresql:16-minimal-trixie
+ plugins:
+ - name: plugin-barman-cloud
+ enabled: true
+ parameters:
+ destinationPath: s3://my-bucket/
+ serverName: cluster-example-pg16
+```
+
+To trigger the upgrade, change both `imageName` and `serverName` together:
+
+```yaml
+spec:
+ imageName: ghcr.io/cloudnative-pg/postgresql:17-minimal-trixie
+ plugins:
+ - name: plugin-barman-cloud
+ enabled: true
+ parameters:
+ destinationPath: s3://my-bucket/
+ serverName: cluster-example-pg17
+```
+
+With this configuration, the old archive at `cluster-example-pg16` remains
+intact for pre-upgrade recovery, while the upgraded cluster writes to
+`cluster-example-pg17`.
+
+:::info
+The deprecated in-tree `barmanObjectStore` implementation also requires manual
+`serverName` changes to separate archives during major upgrades.
+:::
+
### Example: Performing a Major Upgrade
Consider the following PostgreSQL cluster running version 16:
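Review bot: The Barman Cloud example changes `serverName` together with `imageName`, but the section does not say what to do with `serverName` when the upgrade fails and is rolled back, a case the warning just above this section covers. Add a sentence on whether the value must be reverted along with the image. In the "Timeline file conflicts" bullet, also say that the overwrite happens when the archive path is left unchanged, so the connection to the example is explicit.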
diff --git a/website/versioned_docs/version-1.28/recovery.md b/website/versioned_docs/version-1.28/recovery.md
index 6240c00..94253e0 100644
--- a/website/versioned_docs/version-1.28/recovery.md
+++ b/website/versioned_docs/version-1.28/recovery.md
@@ -367,7 +367,7 @@ spec:
kind: VolumeSnapshot
apiGroup: snapshot.storage.k8s.io
recoveryTarget:
- targetTime: "2023-07-06T08:00:39"
+ targetTime: "2023-07-06T08:00:39Z"
externalClusters:
- name: origin
plugin:
@@ -405,9 +405,21 @@ Here are the recovery target criteria you can use:
targetTime
: Time stamp up to which recovery proceeds, expressed in
- [RFC 3339](https://datatracker.ietf.org/doc/html/rfc3339) format.
+ [RFC 3339](https://datatracker.ietf.org/doc/html/rfc3339) format, or as a
+ [timestamp](https://www.postgresql.org/docs/current/runtime-config-wal.html#GUC-RECOVERY-TARGET-TIME).
(The precise stopping point is also influenced by the `exclusive` option.)
+:::note
+ Timestamps without an explicit timezone suffix
+ (e.g., `2023-07-06 08:00:39`) are interpreted as UTC.
+:::
+
+:::warning
+ Always specify an explicit timezone in your timestamp to avoid ambiguity.
+ For example, use `2023-07-06T08:00:39Z` or `2023-07-06T08:00:39+02:00`
+ instead of `2023-07-06 08:00:39`.
+:::
+
:::warning
PostgreSQL recovery will stop when it encounters the first transaction that
occurs after the specified time. If no such transaction exists after the
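Review bot: The added `:::note` and `:::warning` state two halves of one point (no timezone means UTC, so always give a timezone) and sit directly before an existing `:::warning`, which puts three admonitions in a row. Fold the UTC sentence into the new warning. The link text "timestamp" is also too generic; name the parameter it points to, `recovery_target_time`.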
@@ -623,4 +635,4 @@ data.
cluster. However, this is strongly discouraged unless you are highly
familiar with PostgreSQL's recovery process. Skipping the check incorrectly can
lead to severe data loss. Use with caution and only in expert scenarios.
-:::
\ No newline at end of file
+:::
diff --git a/website/versioned_docs/version-1.28/release_notes/old/v1.18.md b/website/versioned_docs/version-1.28/release_notes/old/v1.18.md
index db56530..7ca7145 100644
--- a/website/versioned_docs/version-1.28/release_notes/old/v1.18.md
+++ b/website/versioned_docs/version-1.28/release_notes/old/v1.18.md
@@ -68,7 +68,7 @@ Fixes:
CloudNativePG is dropping support for PostgreSQL 10, as PostgreSQL 10
reached End-of-Life (EOL) in November 2022. Versions 11 and newer are
supported. Please plan your migration to PostgreSQL 15 as soon as possible.
- Refer to ["Importing Postgres databases"](https://cloudnative-pg.io/documentation/current/database_import/)
+ Refer to ["Importing Postgres databases"](https://cloudnative-pg.io/docs/devel/database_import/)
for more information on PostgreSQL major offline upgrades.
:::
diff --git a/website/versioned_docs/version-1.28/release_notes/old/v1.19.md b/website/versioned_docs/version-1.28/release_notes/old/v1.19.md
index 9683e29..88adcfa 100644
--- a/website/versioned_docs/version-1.28/release_notes/old/v1.19.md
+++ b/website/versioned_docs/version-1.28/release_notes/old/v1.19.md
@@ -292,7 +292,7 @@ Important announcements:
- PostgreSQL version 10 is no longer supported as it has reached its EOL.
Versions 11 and newer are supported. Please plan your migration to
PostgreSQL 15 as soon as possible. Refer to
- ["Importing Postgres databases"](https://cloudnative-pg.io/documentation/current/database_import/)
+ ["Importing Postgres databases"](https://cloudnative-pg.io/docs/devel/database_import/)
for more information on PostgreSQL major offline upgrades.
Features:
diff --git a/website/versioned_docs/version-1.28/release_notes/v1.27.md b/website/versioned_docs/version-1.28/release_notes/v1.27.md
index f4d44bd..d691936 100644
--- a/website/versioned_docs/version-1.28/release_notes/v1.27.md
+++ b/website/versioned_docs/version-1.28/release_notes/v1.27.md
@@ -11,6 +11,119 @@ For a complete list of changes, please refer to the
[commits](https://github.com/cloudnative-pg/cloudnative-pg/commits/release-1.27)
on the release branch in GitHub.
+## Version 1.27.3
+
+**Release date:** Feb 5, 2026
+
+### Enhancements
+
+- Added support for Azure's `DefaultAzureCredential` authentication mechanism
+ for backup and recovery operations. This can be enabled by setting
+ `azureCredentials.useDefaultAzureCredentials: true` in the backup
+ configuration, simplifying authentication in Azure environments without
+ requiring explicit storage account keys or SAS tokens.
+ ([#9468](https://github.com/cloudnative-pg/cloudnative-pg/pull/9468))
+
+- Added support for PostgreSQL extension names containing underscores (e.g.,
+ `pg_ivm`, `pg_stat_statements`). Extension names with underscores are
+ automatically sanitized to use hyphens for Kubernetes volume names while
+ preserving the original name in mount paths. Webhook validation prevents
+ naming conflicts after sanitization. Contributed by @shusaan.
+ ([#9386](https://github.com/cloudnative-pg/cloudnative-pg/pull/9386))
+
+### Fixes
+
+- Fixed a critical issue where the `TimelineID` in the cluster status was not
+ reset to 1 after a major version upgrade. Because `pg_upgrade` initializes a
+ new timeline, keeping the old ID (e.g., timeline 2) caused replicas to attempt
+ to restore incompatible history files from object storage, leading to fatal
+ "requested timeline is not a child of this server's history" errors.
+ ([#9830](https://github.com/cloudnative-pg/cloudnative-pg/pull/9830))
+
+- Fixed a bug where replicas could enter a crash-loop by attempting to download
+ timeline history files from future timelines. This occurred when stale files
+ remained in the WAL archive from a previous cluster life, and replicas would
+ incorrectly try to fetch them during recovery.
+ ([#9650](https://github.com/cloudnative-pg/cloudnative-pg/pull/9650))
+
+- Fixed a race condition in `replica_cluster` setups during designated primary
+ transitions, preventing transient "no primary" states in the replica cluster.
+ ([#9601](https://github.com/cloudnative-pg/cloudnative-pg/pull/9601))
+
+- The backup controller now uses the unique instance session ID to detect
+ instance manager restarts. This prevents the operator from incorrectly
+ assuming a backup is still progressing if the underlying container has crashed
+ and restarted, which previously led to orphaned backup objects.
+ ([#9370](https://github.com/cloudnative-pg/cloudnative-pg/pull/9370))
+
+- Fixed a validation gap in Azure object store configurations where the
+ `storageAccount` was not required when using explicit credentials (such as a
+ storage key or SAS token). The operator now enforces that a storage account
+ name is provided in these cases and that `connectionString` is mutually
+ exclusive with other authentication parameters.
+ ([#9604](https://github.com/cloudnative-pg/cloudnative-pg/pull/9604))
+
+- Optimized the deletion path so the operator begins cleaning up resources
+ immediately when a cluster is marked for deletion. This significantly reduces
+ the time a cluster remains in `Terminating` status while waiting for internal
+ reconciliation loops.
+ ([#9555](https://github.com/cloudnative-pg/cloudnative-pg/pull/9555))
+
+- Fixed an issue where replication slots were not properly dropped from
+ replicas when the feature was disabled or the cluster was reconfigured.
+ This ensures that unused slots do not cause WAL build-up on the primary.
+ ([#9381](https://github.com/cloudnative-pg/cloudnative-pg/pull/9381))
+
+- Fixed an issue where `imagePullSecrets` were not added to the `ServiceAccount`
+ created for the `Pooler`. Previously, these secrets were applied to the
+ Deployment but not the SA, which caused image pull failures in restricted
+ environments using certain security policies.
+ ([#9427](https://github.com/cloudnative-pg/cloudnative-pg/pull/9427))
+
+- Added a check to verify ownership before the operator deletes a `PodMonitor`.
+ This prevents the operator from accidentally deleting manually managed
+ monitoring resources that happen to share a name with expected CNPG
+ resources. Contributed by @juliamertz.
+ ([#9340](https://github.com/cloudnative-pg/cloudnative-pg/pull/9340))
+
+- Fixed a bug where `pg_stat_archiver` metrics would continue to report stale
+ data on standby instances after a switchover. The exporter now skips these
+ metrics on standbys, as PostgreSQL only provides valid archiver stats on the
+ primary.
+ ([#9411](https://github.com/cloudnative-pg/cloudnative-pg/pull/9411))
+
+- Clarified the interpretation of timestamp formats for recovery `targetTime`.
+ Timestamps provided without an explicit timezone are now consistently
+ interpreted as UTC. Contributed by @pchovelon.
+ ([#8937](https://github.com/cloudnative-pg/cloudnative-pg/pull/8937))
+
+- Fixed backup status updates to prevent "resource has been modified" errors
+ during concurrent updates.
+ ([#9551](https://github.com/cloudnative-pg/cloudnative-pg/pull/9551))
+
+- Fixed event reporting to use the correct pod name when a backup pod is not
+ found.
+ ([#9552](https://github.com/cloudnative-pg/cloudnative-pg/pull/9552))
+
+- Improved performance of scheduled backup operations for clusters with a very
+ high number of historical backups.
+ ([#9489](https://github.com/cloudnative-pg/cloudnative-pg/pull/9489))
+
+- Fixed error handling when removing finalizers on `Database` objects.
+ ([#9431](https://github.com/cloudnative-pg/cloudnative-pg/pull/9431))
+
+- `cnpg` plugin:
+
+ - Updated the `status` command to display "Disabled" when the
+ `skipWalArchiving` annotation is present on a cluster. This replaces
+ confusing "starting up" or "unknown" states when WAL archiving is
+ intentionally bypassed.
+ ([#9709](https://github.com/cloudnative-pg/cloudnative-pg/pull/9709))
+
+ - Fixed the `logs --follow` command to continue polling for new pods instead
+ of exiting prematurely when all current log streams complete.
+ ([#9599](https://github.com/cloudnative-pg/cloudnative-pg/pull/9599))
+
## Version 1.27.2
**Release date:** Dec 9, 2025
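Review bot: In the 1.27.3 "Fixes" list, the `targetTime` entry is worded as a clarification, yet it says timezone-less timestamps are "now consistently interpreted as UTC", which is a behaviour users with existing manifests need to know about. Say what the interpretation was before, or word the entry so that it reads as a change in behaviour. The first fix is labelled "critical" but does not say which versions are affected; add that so operators can judge urgency.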
diff --git a/website/versioned_docs/version-1.28/release_notes/v1.28.md b/website/versioned_docs/version-1.28/release_notes/v1.28.md
index 4ea6432..fd2cbe4 100644
--- a/website/versioned_docs/version-1.28/release_notes/v1.28.md
+++ b/website/versioned_docs/version-1.28/release_notes/v1.28.md
@@ -11,6 +11,148 @@ For a complete list of changes, please refer to the
[commits](https://github.com/cloudnative-pg/cloudnative-pg/commits/release-1.28)
on the release branch in GitHub.
+
+
+## Version 1.28.1
+
+**Release date:** Feb 5, 2026
+
+### Enhancements
+
+- Added support for Azure's `DefaultAzureCredential` authentication mechanism
+ for backup and recovery operations. This can be enabled by setting
+ `azureCredentials.useDefaultAzureCredentials: true` in the backup
+ configuration, simplifying authentication in Azure environments without
+ requiring explicit storage account keys or SAS tokens.
+ ([#9468](https://github.com/cloudnative-pg/cloudnative-pg/pull/9468))
+
+- Added support for PostgreSQL extension names containing underscores (e.g.,
+ `pg_ivm`, `pg_stat_statements`). Extension names with underscores are
+ automatically sanitized to use hyphens for Kubernetes volume names while
+ preserving the original name in mount paths. Webhook validation prevents
+ naming conflicts after sanitization. Contributed by @shusaan.
+ ([#9386](https://github.com/cloudnative-pg/cloudnative-pg/pull/9386))
+
+### Fixes
+
+- Fixed a critical issue where the `TimelineID` in the cluster status was not
+ reset to 1 after a major version upgrade. Because `pg_upgrade` initializes a
+ new timeline, keeping the old ID (e.g., timeline 2) caused replicas to attempt
+ to restore incompatible history files from object storage, leading to fatal
+ "requested timeline is not a child of this server's history" errors.
+ ([#9830](https://github.com/cloudnative-pg/cloudnative-pg/pull/9830))
+
+- Fixed an issue where stale TLS status fields in the `Pooler` were not cleared
+ after being removed from the specification. This was particularly critical
+ when upgrading to v1.28.0, where the `ServerTLS` field was repurposed, causing
+ PgBouncer to use incorrect certificates and resulting in "unsupported
+ certificate" errors that blocked all application connectivity.
+ The operator now explicitly clears `ServerCA`, `ClientCA`, `ClientTLS`, and
+ `ServerTLS` status fields when they are no longer configured.
+ ([#9397](https://github.com/cloudnative-pg/cloudnative-pg/pull/9397))
+
+- Fixed a bug where replicas could enter a crash-loop by attempting to download
+ timeline history files from future timelines. This occurred when stale files
+ remained in the WAL archive from a previous cluster life, and replicas would
+ incorrectly try to fetch them during recovery.
+ ([#9650](https://github.com/cloudnative-pg/cloudnative-pg/pull/9650))
+
+- Fixed a race condition in `replica_cluster` setups during designated primary
+ transitions, preventing transient "no primary" states in the replica cluster.
+ ([#9601](https://github.com/cloudnative-pg/cloudnative-pg/pull/9601))
+
+- The backup controller now uses the unique instance session ID to detect
+ instance manager restarts. This prevents the operator from incorrectly
+ assuming a backup is still progressing if the underlying container has crashed
+ and restarted, which previously led to orphaned backup objects.
+ ([#9370](https://github.com/cloudnative-pg/cloudnative-pg/pull/9370))
+
+- Fixed a validation gap in Azure object store configurations where the
+ `storageAccount` was not required when using explicit credentials (such as a
+ storage key or SAS token). The operator now enforces that a storage account
+ name is provided in these cases and that `connectionString` is mutually
+ exclusive with other authentication parameters.
+ ([#9604](https://github.com/cloudnative-pg/cloudnative-pg/pull/9604))
+
+- Optimized the deletion path so the operator begins cleaning up resources
+ immediately when a cluster is marked for deletion. This significantly reduces
+ the time a cluster remains in `Terminating` status while waiting for internal
+ reconciliation loops.
+ ([#9555](https://github.com/cloudnative-pg/cloudnative-pg/pull/9555))
+
+- Fixed an issue where replication slots were not properly dropped from
+ replicas when the feature was disabled or the cluster was reconfigured.
+ This ensures that unused slots do not cause WAL build-up on the primary.
+ ([#9381](https://github.com/cloudnative-pg/cloudnative-pg/pull/9381))
+
+- Fixed an issue where `imagePullSecrets` were not added to the `ServiceAccount`
+ created for the `Pooler`. Previously, these secrets were applied to the
+ Deployment but not the SA, which caused image pull failures in restricted
+ environments using certain security policies.
+ ([#9427](https://github.com/cloudnative-pg/cloudnative-pg/pull/9427))
+
+- Added a check to verify ownership before the operator deletes a `PodMonitor`.
+ This prevents the operator from accidentally deleting manually managed
+ monitoring resources that happen to share a name with expected CNPG
+ resources. Contributed by @juliamertz.
+ ([#9340](https://github.com/cloudnative-pg/cloudnative-pg/pull/9340))
+
+- Fixed a bug where `pg_stat_archiver` metrics would continue to report stale
+ data on standby instances after a switchover. The exporter now skips these
+ metrics on standbys, as PostgreSQL only provides valid archiver stats on the
+ primary.
+ ([#9411](https://github.com/cloudnative-pg/cloudnative-pg/pull/9411))
+
+- Clarified the interpretation of timestamp formats for recovery `targetTime`.
+ Timestamps provided without an explicit timezone are now consistently
+ interpreted as UTC. Contributed by @pchovelon.
+ ([#8937](https://github.com/cloudnative-pg/cloudnative-pg/pull/8937))
+
+- Fixed backup status updates to prevent "resource has been modified" errors
+ during concurrent updates.
+ ([#9551](https://github.com/cloudnative-pg/cloudnative-pg/pull/9551))
+
+- Fixed event reporting to use the correct pod name when a backup pod is not
+ found.
+ ([#9552](https://github.com/cloudnative-pg/cloudnative-pg/pull/9552))
+
+- Improved performance of scheduled backup operations for clusters with a very
+ high number of historical backups.
+ ([#9489](https://github.com/cloudnative-pg/cloudnative-pg/pull/9489))
+
+- Fixed error handling when removing finalizers on `Database` objects.
+ ([#9431](https://github.com/cloudnative-pg/cloudnative-pg/pull/9431))
+
+- `cnpg` plugin:
+
+ - Updated the `status` command to display "Disabled" when the
+ `skipWalArchiving` annotation is present on a cluster. This replaces
+ confusing "starting up" or "unknown" states when WAL archiving is
+ intentionally bypassed.
+ ([#9709](https://github.com/cloudnative-pg/cloudnative-pg/pull/9709))
+
+ - Fixed the `logs --follow` command to continue polling for new pods instead
+ of exiting prematurely when all current log streams complete.
+ ([#9599](https://github.com/cloudnative-pg/cloudnative-pg/pull/9599))
+
## Version 1.28.0
**Release date:** Dec 9, 2025
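Review bot: The `targetTime` entry is filed under Fixes and worded as "Clarified", but "are now consistently interpreted as UTC" describes a behaviour change that can move the recovery point for anyone who supplied a timestamp without a timezone. State what the previous interpretation was and recommend always writing an explicit offset in `targetTime`. Separately, the `Pooler` TLS entry says the problem blocked all application connectivity after upgrading to v1.28.0, but not whether upgrading to 1.28.1 clears the stale `ServerCA`, `ClientCA`, `ClientTLS` and `ServerTLS` status fields on already-affected poolers without manual action; one sentence on that would help operators plan the upgrade. Minor: the hunk adds two consecutive blank lines before the `## Version 1.28.1` heading where one is enough.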
diff --git a/website/versioned_docs/version-1.28/samples/k9s/plugins.yml b/website/versioned_docs/version-1.28/samples/k9s/plugins.yml
index b51ad07..3a84485 100644
--- a/website/versioned_docs/version-1.28/samples/k9s/plugins.yml
+++ b/website/versioned_docs/version-1.28/samples/k9s/plugins.yml
@@ -1,5 +1,5 @@
# Move/add to $XDG_CONFIG_HOME/k9s/plugins.yaml
-# Requires the cnpg kubectl plugin. See https://cloudnative-pg.io/documentation/current/kubectl-plugin/
+# Requires the cnpg kubectl plugin. See https://cloudnative-pg.io/docs/devel/kubectl-plugin/
#
# Cluster actions:
# b Request a new physical backup
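Review bot: The new link on the "Requires the cnpg kubectl plugin" comment points at `/docs/devel/kubectl-plugin/`, but this file lives under `versioned_docs/version-1.28/samples/`. A 1.28 sample should link to the 1.28 plugin documentation, otherwise users are sent to a page that may describe commands or flags their installed plugin does not have. Point the URL at the version-matched docs path, or confirm that the `devel` link is intentional for all versioned copies of this sample.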
@@ -131,4 +131,4 @@ plugins:
background: false
args:
- -c
- - "kubectl cnpg status $NAME -n $NAMESPACE --context \"$CONTEXT\" --verbose 2>&1 | less -R"
\ No newline at end of file
+ - "kubectl cnpg status $NAME -n $NAMESPACE --context \"$CONTEXT\" --verbose 2>&1 | less -R"
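Review bot: On the `kubectl cnpg status` line, `$NAME` and `$NAMESPACE` are placed unquoted into the string passed after `-c`, while `$CONTEXT` is wrapped in escaped double quotes. Since the line is being rewritten anyway to add the trailing newline, quote all three the same way (`\"$NAME\" -n \"$NAMESPACE\"`) so the command does not depend on those values being free of spaces or shell metacharacters. If the other plugin entries in this file use the same pattern, they should be changed together.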