EDB CloudNativePG Cluster 1.28.0-rc1 release notes v1.28.0-rc1

Suggest edits

This documentation covers the upcoming release of EDB Postgres® AI for CloudNativePG™ Cluster; you may want to read the docs for the current version

Released: 7 November 2025

This release includes the following:

Highlights

We've consolidated our private container registry into a single location. This change simplifies access and deployment. Starting with v1.28.0, any customer attempting an operator upgrade, MUST configure the new unified repository pull secret! For details and instructions, follow the Central Migration Guide.

Features

Description Addresses

Description	Addresses
Quorum-Based Failover Promoted to Stable Promoted the quorum-based failover feature, introduced experimentally in 1.27.0, to a stable API. This data-driven failover mechanism is now configured via the `spec.postgresql.synchronous.failoverQuorum` field, graduating from the previous `alpha.k8s.enterprisedb.io/failoverQuorum` annotation.	#8589
Declarative Foreign Data Management Introduced comprehensive declarative management for Foreign Data Wrappers (FDW) by extending the `Database` CRD. This feature adds the `.spec.fdws` and `.spec.servers` fields, allowing you to manage FDW extensions and their corresponding foreign servers directly from the `Database` resource. This work was implemented by Ying Zhu (@EdwinaZhu) as part of the LFX Mentorship Program 2025 Term 2.	#7942, #8401

Quorum-Based Failover Promoted to Stable

Promoted the quorum-based failover feature, introduced experimentally in 1.27.0, to a stable API. This data-driven failover mechanism is now configured via the spec.postgresql.synchronous.failoverQuorum field, graduating from the previous alpha.k8s.enterprisedb.io/failoverQuorum annotation.

#8589

Declarative Foreign Data Management

Introduced comprehensive declarative management for Foreign Data Wrappers (FDW) by extending the Database CRD. This feature adds the .spec.fdws and .spec.servers fields, allowing you to manage FDW extensions and their corresponding foreign servers directly from the Database resource. This work was implemented by Ying Zhu (@EdwinaZhu) as part of the LFX Mentorship Program 2025 Term 2.

#7942, #8401

Enhancements

Description	Addresses
Enabled simultaneous image and configuration changes allowing you to update the container image (including PostgreSQL version or extensions) and PostgreSQL configuration settings in the same operation. The operator first applies the image change, followed by the configuration changes in a subsequent rollout, ensuring safe and consistent cluster updates.	#8115
Introduced `securityContext` at the pod level and `containerSecurityContext`for individual containers (including `postgres`, `init`, and sidecars). This provides granular control over security settings, replacing the previous cluster-wide `postgres` and `operator` user settings. Contributed by @x0ddf.	#6614
Adopted standard Kubernetes recommended labels (e.g., `app.kubernetes.io/name`) for all resources generated by EDB Postgres for Kubernetes (Clusters, Backups, Poolers, etc.). Contributed by @JefeDavis.	#8087
Introduced a new caching layer for user-defined monitoring queries to reduce load on the PostgreSQL database.	#8003
Introduced the `alpha.k8s.enterprisedb.io/unrecoverable=true` annotation for replica pods. When applied, this annotation instructs the operator to permanently delete the instance by removing its Pod and PVCs, after which it will recreate the replica from the primary.	#8178
Enhanced PgBouncer integration by automatically setting `auth_dbname` to the `pgbouncer` database, simplifying auth setup.	#8671
Allowed providing stage-specific `pg_restore` options during database import. (Stage-specific options are `preRestore`, `postRestore`, `dataRestore`.) Contributed by @hanshal101.	#7690
Added the PostgreSQL `majorVersion` to the `Backup` object's status for easier identification and management.	#8464

Security Fixes

Description	Addresses
Allowed providing fine-grained custom TLS configurations for PgBouncer The `Pooler` CRD was extended with `clientTLSSecret`, `clientCASecret`,`serverTLSSecret`, and `serverCASecret` fields under `.spec.pgbouncer`. These fields enable users to supply their own certificates for both client-to-pooler and pooler-to-server connections, taking precedence over the operator-generated certificates.	#8692
Added optional TLS support for the operator's metrics server (port 8080) This feature is opt-in and enabled by setting the `METRICS_CERT_DIR`environment variable, which instructs the operator to look for `tls.crt` and`tls.key` files in the specified directory. When unset, the server continues to use HTTP for backward compatibility.	#8997
Enabled `cnp_report_operator` to work with minimal permissions by making only the operator deployment required All other resources (pods, secrets, config maps, events, webhooks, and OLM data) are now optional and collected on a best-efforts basis. The command gracefully handles permission errors for those resources by logging clear warnings and continuing report generation with available data, rather than failing completely. This enables least-privileged access, where users may have limited, namespace-scoped permissions.	#8982

Bug Fixes

Description	Addresses
Fixed the `CREATE PUBLICATION` SQL generation for multi-table publications to be backward-compatible with PostgreSQL 13+. The previously generated syntax was only valid for PostgreSQL 15+ and caused syntax errors on older versions.	#8888
Fixed backup failures in complex pod definitions by reliably selecting the `postgres` container by name instead of by index.	#8964
`cnp` plugin: Fixed bugs in `cnp report` log collection, especially when fetching previous logs. The collector now correctly fetches previous and current logs in separate requests and gracefully handles missing previous logs (e.g., on containers with no restart history), ensuring current logs are always collected.	#8992

← Prev

EDB CloudNativePG Cluster release notes

↑ Up