Update Helm release postgresql to v18.7.0 #3329
Conversation
Triage: YELLOW -- possible breakage, reviewer requested
Quick summary
Minor chart version bump (18.6.9 → 18.7.0) within the Bitnami PostgreSQL 18.x series. The underlying PostgreSQL engine version (
Updates table
Required actions
Update summary
| Surface | Value |
|---|---|
| Chart dependency | bitnami/postgresql 18.6.9 → 18.7.0 (sub-chart of k8s/kellnr) |
| PostgreSQL engine version | 18.4.0 (unchanged across both chart versions) |
| Architecture | standalone |
| TLS | tls.enabled: false (default; not overridden) |
| Auth | auth.existingSecret: database-secrets (SealedSecret); keys password (user) and postgres-password (admin) |
| auth.enablePostgresUser | false |
| auth.username / auth.database | kellnr / kellnr |
| primary.initdb.password | not set |
| backup.enabled | not set (default false); custom backup CronJob used instead |
| passwordUpdateJob.enabled | not set (default false) |
| metrics.enabled | not set (default false) |
| Node affinity | cloud.google.com/gke-provisioning: standard (GKE standard nodes only — no ARM/rpi5) |
| PVC mount path | /bitnami/postgresql (chart default) |
| Service | kellnr-postgresql:5432 (ClusterIP) |
| Kellnr connection | postgres.address: kellnr-postgresql, port 5432, user kellnr, db kellnr, password from database-secrets key password |
| Backup CronJob | Custom (k8s/kellnr/templates/backup.yaml), uses postgres:17.10 image directly — independent of this chart bump |
Cluster fit
- Architectures required by cluster: amd64 only for this workload (nodeSelector `cloud.google.com/gke-provisioning: standard` pins to GKE standard nodes; no rpi5/arm64 nodes in scope)
- Architectures supported by new version: Bitnami BSI images support amd64 and arm64; amd64 confirmed present. No architecture regression noted in 18.7.0 release notes.
- Kubernetes API versions used in manifest sources: StatefulSet `apps/v1` (stable), Service `v1` (stable) — no deprecated APIs
- Minimum K8s version stated by dep: Kubernetes 1.23+ (stated in chart README); GKE standard nodes run well above this
- Peer dependency check: No cert-manager, Prometheus Operator, or mesh dependencies activated by this chart's values configuration. `common@2.40.0` dependency is unchanged from 18.6.9.
Gaps
- Chart template diff not rendered: The two documented changes in the 18.7.0 upgrade notes were cross-referenced against the deployment fingerprint directly from the upstream README. The raw `templates/` diff between 18.6.9 and 18.7.0 was not fetched from the Bitnami charts source repository. Given that both documented changes are gated on features this deployment does not use, and the appVersion is unchanged, the risk of an undocumented template-level breaking change is assessed as low — but cannot be fully excluded without rendering.
- BSI image registry access: Architecture manifest list for the specific `bitnami/postgresql:18.4.0` BSI image tag was not verified from the registry directly (BSI images require authentication). Assessed as low risk given GKE amd64-only node selector and no architecture regression noted in release notes.
- Changelog completeness: The Bitnami BSI 18.x chart series does not publish a machine-readable changelog on Artifact Hub (`has_changelog: false`). The upgrade notes embedded in the chart README are the only authoritative source; these were read in full.
Upstream changelog
I now have all the information I need. The CHANGELOG.md confirms the chart version numbering (the CHANGELOG uses a different versioning scheme — the 18.x series is the BSI chart series, while the CHANGELOG shows a separate version track). The key finding is the "To 18.7.0" section in the README which is the official upgrade guide. Let me compile the structured output.
Key findings:
- 18.6.9 → 18.7.0 is a minor version bump (18.x.y → 18.x+1.0) within the BSI chart series
- The README has an explicit "To 18.7.0" upgrade section documenting two behavior changes
- `appVersion` remains `18.4.0` — no PostgreSQL engine version change
- No intermediate versions between 18.6.9 and 18.7.0 (it's a direct jump)
- `has_changelog: false` on Artifact Hub (the CHANGELOG.md in the repo uses a different version track, not the 18.x BSI series)
- New parameter: `tls.sslMode` (configurable, defaults to `verify-ca`)
postgresql (Bitnami Helm Chart) 18.6.9 → 18.7.0
Summary
- Artifact type: Helm Chart (OCI-based, Bitnami Secure Images series)
- Input format: SemVer chart version (Bitnami BSI chart series)
- Resolved references: Chart version `18.6.9` → `18.7.0`; both have `appVersion: 18.4.0` (no PostgreSQL engine version change)
- Versions in range: `18.6.9`, `18.7.0` (no intermediate versions)
- Source repo: Bitnami charts repository (postgresql chart)
- Primary sources used:
- README.md "Upgrading → To 18.7.0" section from the upstream Bitnami charts repository
- Artifact Hub API: https://artifacthub.io/api/v1/packages/helm/bitnami/postgresql?version=18.7.0
- CHANGELOG.md from the upstream Bitnami charts repository
- Versioning scheme: Bitnami BSI chart versioning — `18.x.y` where `18` tracks the BSI image series (not PostgreSQL engine version). Minor bumps (18.6.x → 18.7.0) indicate notable chart-level changes; patch bumps are routine dependency/image updates.
- Major version boundary crossed: No (18.6.x → 18.7.x, same major)
- Confidence: high — maintainer-authored upgrade guide in README explicitly covers this version with two documented behavior changes
Breaking Changes
TLS-enabled deployments: backup CronJob and password-update Job now enforce TLS via PGSSLMODE
- What changed: When `tls.enabled=true`, the backup CronJob and password-update Job now set `PGSSLMODE` to enforce TLS connections; the SSL mode defaults to `verify-ca` and is configurable via the new `tls.sslMode` value.
- Affects: Config key `tls.sslMode` (new, default `verify-ca`); runtime behavior of `backup.cronjob` and `passwordUpdateJob` when `tls.enabled=true`
- Migration: If you use `tls.enabled=true` and your backup or password-update jobs previously connected without TLS enforcement, they will now require a valid CA-verifiable certificate. If `verify-ca` is too strict for your setup, set `tls.sslMode` to a less restrictive value (e.g., `require`). No action needed if you don't use `tls.enabled=true`.
- Source: Upstream Bitnami charts README "Upgrading → To 18.7.0" section
- Confidence: documented
- Introduced in: 18.7.0
primary.initdb.password now stored in Secret and injected via secretKeyRef instead of plaintext env value:
- What changed: When `primary.initdb.password` is set, the credential is now stored in the chart-managed Secret and injected into the init container via `secretKeyRef` rather than as a plaintext `value:` in the pod spec.
- Affects: Config key `primary.initdb.password`; pod spec of the primary StatefulSet init container
- Migration: No action required for existing deployments — the README explicitly states "No action required for existing deployments." New deployments will automatically use the more secure injection path.
- Source: Upstream Bitnami charts README "Upgrading → To 18.7.0" section
- Confidence: documented
- Introduced in: 18.7.0
Other Notable Changes
- New value `tls.sslMode` added (default: `verify-ca`): controls the SSL mode used by the backup CronJob and password-update Job when `tls.enabled=true`. (README parameters table)
- `appVersion` unchanged at `18.4.0` — no PostgreSQL engine upgrade in this chart bump.
- `common` dependency remains at `2.40.0` — no dependency version change from 18.6.9.
- `contains_security_updates: false` per Artifact Hub metadata.
Deprecations Introduced
None found.
Gaps and Caveats
- The CHANGELOG.md in the upstream Bitnami charts repository uses a different version numbering scheme (currently at `17.x`) that does not correspond to the `18.x` BSI chart series published on Artifact Hub. The `18.x` series changelog is not tracked in that file; the README "Upgrading" section is the sole official source for `18.7.0` changes.
- No migration guide beyond the two bullet points in the README "To 18.7.0" section was found. The section is terse but covers the full scope of documented changes.
- The TLS `PGSSLMODE` change is documented as a behavior change for the backup CronJob and password-update Job only — it does not affect the main PostgreSQL StatefulSet TLS configuration.
Provenance
RESEARCH_FAILED: provenance researcher could not complete.
Reason: Prompt error: CompletionError: ProviderError: {"error":{"message":"{\"type\":\"error\",\"error\":{\"type\":\"invalid_request_error\",\"message\":\"prompt is too long: 205503 tokens > 200000 maximum\"},\"request_id\":\"req_011Cbdhh2RE1pLh8cNUqJ6kS\"}. Received Model Group=claude-haiku-4-5\nAvailable Model Group Fallbacks=['claude-haiku-4-5-fallback']\nError doing the fallback: {\"type\":\"error\",\"error\":{\"type\":\"invalid_request_error\",\"message\":\"prompt is too long: 205335 tokens > 200000 maximum\"},\"request_id\":\"req_011Cbdhh6Je2aKkbD2aF5rNw\"}"
The categorizer must treat this as an unverified signal and downgrade the verdict accordingly (do not assume safety).
This PR contains the following updates:
18.6.9 → 18.7.0
Warning
Some dependencies could not be looked up. Check the Dependency Dashboard for more information.
Configuration
📅 Schedule: (in timezone America/Los_Angeles)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.