EDB CloudNativePG Cluster 1.25.7 release notes v1.29.0
Released: 2 April 2026
This release of EDB CloudNativePG Cluster is built on the final community release of the 1.25.x series of CloudNativePG. EDB will continue providing LTS releases in the 1.25.x series according to our Long-Term Support policy.
EDB CloudNativePG Cluster 1.25 reaches End-of-Life in June 2026.
Users are encouraged to start planning their upgrade to a newer minor version before that date.
This release of EDB CloudNativePG Cluster includes the following:
Enhancements
| Description | Addresses |
|---|---|
Improved the | #9571 |
Improved role management by verifying the instance is the primary before each reconciliation cycle...avoiding unnecessary reconciliation attempts and spurious error messages on read-only replicas. | #9971 |
| The operator now honors the `primaryUpdateMethod` when adding new PVCs to a cluster, ensuring that the rollout strategy (e.g., switchover vs. restart) is respected during storage expansion or additions. | #9720 |
Security Fixes
| Description | Addresses |
|---|---|
| Security best practices integration**: integrated the OpenSSF baseline scanner and added a `SECURITY-INSIGHTS.yaml` file to the repository to align with industry-standard security reporting. | #10054, #10062 |
SLSA provenance and SBOMs**: added SLSA (Supply-chain Levels for Software Artifacts) provenance to release binaries and container images.Additionally, enabled Software Bill of Materials (SBOM) generation within the GoReleaser pipeline for improved dependency transparency. | #10048, #10074 |
| Password leak prevention**: fixed a potential security risk where PostgreSQL could leak role passwords in the logs during specific reconciliation phases. | #9950 |
Changes
| Description | Addresses |
|---|---|
| Updated the default PostgreSQL version to 18.3 (image `18.3-standard-ubi9`). | #10090 |
Bug Fixes
| Description | Addresses |
|---|---|
Fixed an issue where replicas would get stuck in a | #10192 |
| Prevented the "supervised primary" rollout strategy from consuming all available rollout slots, which previously caused delays in scheduled updates. Contributed by @ermakov-oleg. | #9977 |
| Fixed an issue where certain hot-standby parameter changes were not being correctly applied to replica clusters. | #9952 |
Fixed webhook validation of bootstrap recovery sources to accept external clusters configured with | #10268 |
| When hibernating a non-healthy cluster, the operator now reports a `WaitingForHealthy` condition, making the deferred hibernation state visible | #10193 |
Fixed fencing to work correctly even when the target pod does not exist.Fencing operates on a cluster-level annotation and should not depend on pod existence; instance name validation is now performed only in the | #10035 |
| Fixed the cluster and pooler service reconcilers to correctly handle changes to all spec fields when using the patch update strategy. The reconciler now uses RFC 7386 JSON Merge Patching, preventing cloud-provider-set fields (such as `loadBalancerClass`) from being inadvertently removed. | #10190, #10311 |
| Fixed a race condition in the deprecated in-tree Barman Cloud backup implementation affecting parallel WAL restore, where prefetched files could be read while still being downloaded, causing PostgreSQL recovery to fail with "invalid checkpoint record" errors. | #10285 |
Fixed the timeline history file validation to also apply to plugin-based WAL restore.Previously, the protection introduced in#9650 only covered in-tree restores, allowing plugins to bypass the check and download future timeline history files, causing timeline mismatch errors on replicas. | #9849 |
| The cnp plugin now correctly propagates ImagePullSecrets to the `pgbench` Job pod template. | #10174 |
- On this page
- Enhancements
- Security Fixes
- Changes
- Bug Fixes