CrunchyData · jmckulk · May 15, 2025 · May 15, 2025 · May 15, 2025
diff --git a/helm/install/Chart.yaml b/helm/install/Chart.yaml
@@ -4,5 +4,5 @@ description: Installer for PGO, the open source Postgres Operator from Crunchy D
 
 type: application
 # The version below should match the version on the PostgresCluster CRD
-version: 5.8.1
-appVersion: 5.8.1
+version: 5.8.2
+appVersion: 5.8.2
diff --git a/helm/install/crds/postgres-operator.crunchydata.com_crunchybridgeclusters.yaml b/helm/install/crds/postgres-operator.crunchydata.com_crunchybridgeclusters.yaml
@@ -5,7 +5,7 @@ metadata:
     controller-gen.kubebuilder.io/version: v0.17.2
   name: crunchybridgeclusters.postgres-operator.crunchydata.com
   labels:
-    app.kubernetes.io/version: 5.8.1
+    app.kubernetes.io/version: 5.8.2
 spec:
   group: postgres-operator.crunchydata.com
   names:

diff --git a/helm/install/crds/postgres-operator.crunchydata.com_pgadmins.yaml b/helm/install/crds/postgres-operator.crunchydata.com_pgadmins.yaml
@@ -5,7 +5,7 @@ metadata:
     controller-gen.kubebuilder.io/version: v0.17.2
   name: pgadmins.postgres-operator.crunchydata.com
   labels:
-    app.kubernetes.io/version: 5.8.1
+    app.kubernetes.io/version: 5.8.2
 spec:
   group: postgres-operator.crunchydata.com
   names:

diff --git a/helm/install/crds/postgres-operator.crunchydata.com_pgupgrades.yaml b/helm/install/crds/postgres-operator.crunchydata.com_pgupgrades.yaml
@@ -5,7 +5,7 @@ metadata:
     controller-gen.kubebuilder.io/version: v0.17.2
   name: pgupgrades.postgres-operator.crunchydata.com
   labels:
-    app.kubernetes.io/version: 5.8.1
+    app.kubernetes.io/version: 5.8.2
 spec:
   group: postgres-operator.crunchydata.com
   names:

diff --git a/helm/install/crds/postgres-operator.crunchydata.com_postgresclusters.yaml b/helm/install/crds/postgres-operator.crunchydata.com_postgresclusters.yaml
@@ -5,7 +5,7 @@ metadata:
     controller-gen.kubebuilder.io/version: v0.17.2
   name: postgresclusters.postgres-operator.crunchydata.com
   labels:
-    app.kubernetes.io/version: 5.8.1
+    app.kubernetes.io/version: 5.8.2
 spec:
   group: postgres-operator.crunchydata.com
   names:
@@ -41,9 +41,19 @@ spec:
               description: PostgresClusterSpec defines the desired state of PostgresCluster
               properties:
                 authentication:
+                  description: Authentication settings for the PostgreSQL server
                   properties:
                     rules:
-                      description: 'More info: https://www.postgresql.org/docs/current/auth-pg-hba-conf.html'
+                      description: |-
+                        Postgres compares every new connection to these rules in the order they are
+                        defined. The first rule that matches determines if and how the connection
+                        must then authenticate. Connections that match no rules are disconnected.
+
+                        When this is omitted or empty, Postgres accepts encrypted connections to any
+                        database from users that have a password. To refuse all network connections,
+                        set this to one rule that matches "host" connections to the "reject" method.
+
+                        More info: https://www.postgresql.org/docs/current/auth-pg-hba-conf.html
                       items:
                         properties:
                           connection:
@@ -78,6 +88,7 @@ spec:
                             description: |-
                               The authentication method to use when a connection matches this rule.
                               The special value "reject" refuses connections that match this rule.
+
                               More info: https://www.postgresql.org/docs/current/auth-methods.html
                             maxLength: 20
                             minLength: 1
@@ -92,6 +103,7 @@ spec:
                                 - type: integer
                                 - type: string
                               x-kubernetes-int-or-string: true
+                            description: Additional settings for this rule or its authentication method.
                             maxProperties: 20
                             type: object
                             x-kubernetes-map-type: atomic
@@ -108,9 +120,15 @@ spec:
                         x-kubernetes-map-type: atomic
                         x-kubernetes-validations:
                           - message: '"hba" cannot be combined with other fields'
-                            rule: 'has(self.hba) ? !has(self.connection) && !has(self.databases) && !has(self.method) && !has(self.options) && !has(self.users) : true'
+                            rule: '[has(self.hba), has(self.connection) || has(self.databases) || has(self.method) || has(self.options) || has(self.users)].exists_one(b,b)'
                           - message: '"connection" and "method" are required'
-                            rule: 'has(self.hba) ? true : has(self.connection) && has(self.method)'
+                            rule: has(self.hba) || (has(self.connection) && has(self.method))
+                          - message: the "ldap" method requires an "ldapbasedn", "ldapprefix", or "ldapsuffix" option
+                            rule: has(self.hba) || self.method != "ldap" || (has(self.options) && ["ldapbasedn","ldapprefix","ldapsuffix"].exists(k, k in self.options))
+                          - message: cannot use "ldapbasedn", "ldapbinddn", "ldapbindpasswd", "ldapsearchattribute", or "ldapsearchfilter" options with "ldapprefix" or "ldapsuffix" options
+                            rule: has(self.hba) || self.method != "ldap" || !has(self.options) || [["ldapprefix","ldapsuffix"], ["ldapbasedn","ldapbinddn","ldapbindpasswd","ldapsearchattribute","ldapsearchfilter"]].exists_one(a, a.exists(k, k in self.options))
+                          - message: the "radius" method requires "radiusservers" and "radiussecrets" options
+                            rule: has(self.hba) || self.method != "radius" || (has(self.options) && ["radiusservers","radiussecrets"].all(k, k in self.options))
                       maxItems: 10
                       type: array
                       x-kubernetes-list-type: atomic
@@ -4211,6 +4229,7 @@ spec:
                       type: object
                   type: object
                 config:
+                  description: General configuration of the PostgreSQL server
                   properties:
                     files:
                       description: Files to mount under "/etc/postgres".
@@ -6291,8 +6310,7 @@ spec:
                         - stanza
                       type: object
                       x-kubernetes-validations:
-                        - fieldPath: .repo
-                          message: Only S3, GCS or Azure repos can be used as a pgBackRest data source.
+                        - message: Only S3, GCS or Azure repos can be used as a pgBackRest data source.
                           rule: '!has(self.repo.volume)'
                     postgresCluster:
                       description: |-

diff --git a/helm/install/values.yaml b/helm/install/values.yaml
@@ -2,34 +2,34 @@
 # controllerImages are used to run the operator's controllers.
 # The cluster image defined below runs the PostgresCluster and PGUpgrade controllers.
 controllerImages:
-  cluster: registry.developers.crunchydata.com/crunchydata/postgres-operator:ubi9-5.8.1-0
+  cluster: registry.developers.crunchydata.com/crunchydata/postgres-operator:ubi9-5.8.2-0
 
 # relatedImages are used when an image is omitted from PostgresCluster, PGAdmin or PGUpgrade specs.
 relatedImages:
   postgres_17:
-    image: registry.developers.crunchydata.com/crunchydata/crunchy-postgres:ubi9-17.4-2516
+    image: registry.developers.crunchydata.com/crunchydata/crunchy-postgres:ubi9-17.5-2520
   postgres_17_gis_3.5:
-    image: registry.developers.crunchydata.com/crunchydata/crunchy-postgres-gis:ubi9-17.4-3.5-2516
+    image: registry.developers.crunchydata.com/crunchydata/crunchy-postgres-gis:ubi9-17.5-3.5-2520
   postgres_17_gis_3.4:
-    image: registry.developers.crunchydata.com/crunchydata/crunchy-postgres-gis:ubi9-17.4-3.4-2516
+    image: registry.developers.crunchydata.com/crunchydata/crunchy-postgres-gis:ubi9-17.5-3.4-2520
   postgres_16:
-    image: registry.developers.crunchydata.com/crunchydata/crunchy-postgres:ubi9-16.8-2516
+    image: registry.developers.crunchydata.com/crunchydata/crunchy-postgres:ubi9-16.9-2520
   postgres_16_gis_3.4:
-    image: registry.developers.crunchydata.com/crunchydata/crunchy-postgres-gis:ubi9-16.8-3.4-2516
+    image: registry.developers.crunchydata.com/crunchydata/crunchy-postgres-gis:ubi9-16.9-3.4-2520
   postgres_16_gis_3.3:
-    image: registry.developers.crunchydata.com/crunchydata/crunchy-postgres-gis:ubi9-16.8-3.3-2516
+    image: registry.developers.crunchydata.com/crunchydata/crunchy-postgres-gis:ubi9-16.9-3.3-2520
   pgbackrest:
-    image: registry.developers.crunchydata.com/crunchydata/crunchy-pgbackrest:ubi9-2.54.2-2516
+    image: registry.developers.crunchydata.com/crunchydata/crunchy-pgbackrest:ubi9-2.54.2-2520
   pgbouncer:
-    image: registry.developers.crunchydata.com/crunchydata/crunchy-pgbouncer:ubi9-1.24-2516
+    image: registry.developers.crunchydata.com/crunchydata/crunchy-pgbouncer:ubi9-1.24-2520
   pgexporter:
-    image: registry.developers.crunchydata.com/crunchydata/crunchy-postgres-exporter:ubi9-0.17.1-2516
+    image: registry.developers.crunchydata.com/crunchydata/crunchy-postgres-exporter:ubi9-0.17.1-2520
   pgupgrade:
-    image: registry.developers.crunchydata.com/crunchydata/crunchy-upgrade:ubi9-17.4-2516
+    image: registry.developers.crunchydata.com/crunchydata/crunchy-upgrade:ubi9-17.5-2520
   standalone_pgadmin:
-    image: registry.developers.crunchydata.com/crunchydata/crunchy-pgadmin4:ubi9-9.2-2516
+    image: registry.developers.crunchydata.com/crunchydata/crunchy-pgadmin4:ubi9-9.2-2520
   collector:
-    image: registry.developers.crunchydata.com/crunchydata/postgres-operator:ubi9-5.8.1-0
+    image: registry.developers.crunchydata.com/crunchydata/postgres-operator:ubi9-5.8.2-0
 
 # singleNamespace controls where PGO watches for PostgresClusters. When false,
 # PGO watches for and responds to PostgresClusters in all namespaces. When true,
@@ -89,7 +89,7 @@ resources:
 #     value: "true"
 
 # tolerations allows you to define pod tolerations for the operator pods.
-tolerations: []
+# tolerations: []
 
 # affinity allows you to define pod affinity and anti-affinity rules for the operator pods.
-affinity: {}
+# affinity: {}
diff --git a/kustomize/install/components/images-by-tag/kustomization.yaml b/kustomize/install/components/images-by-tag/kustomization.yaml
@@ -2,37 +2,37 @@ kind: Component
 images:
 - name: image-pgadmin
   newName: registry.developers.crunchydata.com/crunchydata/crunchy-pgadmin4
-  newTag: ubi9-9.2-2516
+  newTag: ubi9-9.2-2520
 - name: image-pgbackrest
   newName: registry.developers.crunchydata.com/crunchydata/crunchy-pgbackrest
-  newTag: ubi9-2.54.2-2516
+  newTag: ubi9-2.54.2-2520
 - name: image-pgbouncer
   newName: registry.developers.crunchydata.com/crunchydata/crunchy-pgbouncer
-  newTag: ubi9-1.24-2516
+  newTag: ubi9-1.24-2520
 - name: image-postgres-exporter
   newName: registry.developers.crunchydata.com/crunchydata/crunchy-postgres-exporter
-  newTag: ubi9-0.17.1-2516
+  newTag: ubi9-0.17.1-2520
 - name: image-postgres-operator-5.8
   newName: registry.developers.crunchydata.com/crunchydata/postgres-operator
-  newTag: ubi9-5.8.1-0
+  newTag: ubi9-5.8.2-0
 - name: image-crunchy-postgres-16
   newName: registry.developers.crunchydata.com/crunchydata/crunchy-postgres
-  newTag: ubi9-16.8-2516
+  newTag: ubi9-16.9-2520
 - name: image-crunchy-postgres-17
   newName: registry.developers.crunchydata.com/crunchydata/crunchy-postgres
-  newTag: ubi9-17.4-2516
+  newTag: ubi9-17.5-2520
 - name: image-crunchy-upgrade
   newName: registry.developers.crunchydata.com/crunchydata/crunchy-upgrade
-  newTag: ubi9-17.4-2516
+  newTag: ubi9-17.5-2520
 - name: image-crunchy-postgres-16-gis-3.3
   newName: registry.developers.crunchydata.com/crunchydata/crunchy-postgres-gis
-  newTag: ubi9-16.8-3.3-2516
+  newTag: ubi9-16.9-3.3-2520
 - name: image-crunchy-postgres-16-gis-3.4
   newName: registry.developers.crunchydata.com/crunchydata/crunchy-postgres-gis
-  newTag: ubi9-16.8-3.4-2516
+  newTag: ubi9-16.9-3.4-2520
 - name: image-crunchy-postgres-17-gis-3.4
   newName: registry.developers.crunchydata.com/crunchydata/crunchy-postgres-gis
-  newTag: ubi9-17.4-3.4-2516
+  newTag: ubi9-17.5-3.4-2520
 - name: image-crunchy-postgres-17-gis-3.5
   newName: registry.developers.crunchydata.com/crunchydata/crunchy-postgres-gis
-  newTag: ubi9-17.4-3.5-2516
+  newTag: ubi9-17.5-3.5-2520
diff --git a/kustomize/install/crd/bases/postgres-operator.crunchydata.com_crunchybridgeclusters.yaml b/kustomize/install/crd/bases/postgres-operator.crunchydata.com_crunchybridgeclusters.yaml
@@ -5,7 +5,7 @@ metadata:
     controller-gen.kubebuilder.io/version: v0.17.2
   name: crunchybridgeclusters.postgres-operator.crunchydata.com
   labels:
-    app.kubernetes.io/version: 5.8.1
+    app.kubernetes.io/version: 5.8.2
 spec:
   group: postgres-operator.crunchydata.com
   names:

diff --git a/kustomize/install/crd/bases/postgres-operator.crunchydata.com_pgadmins.yaml b/kustomize/install/crd/bases/postgres-operator.crunchydata.com_pgadmins.yaml
@@ -5,7 +5,7 @@ metadata:
     controller-gen.kubebuilder.io/version: v0.17.2
   name: pgadmins.postgres-operator.crunchydata.com
   labels:
-    app.kubernetes.io/version: 5.8.1
+    app.kubernetes.io/version: 5.8.2
 spec:
   group: postgres-operator.crunchydata.com
   names:

diff --git a/kustomize/install/crd/bases/postgres-operator.crunchydata.com_pgupgrades.yaml b/kustomize/install/crd/bases/postgres-operator.crunchydata.com_pgupgrades.yaml
@@ -5,7 +5,7 @@ metadata:
     controller-gen.kubebuilder.io/version: v0.17.2
   name: pgupgrades.postgres-operator.crunchydata.com
   labels:
-    app.kubernetes.io/version: 5.8.1
+    app.kubernetes.io/version: 5.8.2
 spec:
   group: postgres-operator.crunchydata.com
   names:

diff --git a/kustomize/install/crd/bases/postgres-operator.crunchydata.com_postgresclusters.yaml b/kustomize/install/crd/bases/postgres-operator.crunchydata.com_postgresclusters.yaml
@@ -5,7 +5,7 @@ metadata:
     controller-gen.kubebuilder.io/version: v0.17.2
   name: postgresclusters.postgres-operator.crunchydata.com
   labels:
-    app.kubernetes.io/version: 5.8.1
+    app.kubernetes.io/version: 5.8.2
 spec:
   group: postgres-operator.crunchydata.com
   names:
@@ -41,9 +41,19 @@ spec:
               description: PostgresClusterSpec defines the desired state of PostgresCluster
               properties:
                 authentication:
+                  description: Authentication settings for the PostgreSQL server
                   properties:
                     rules:
-                      description: 'More info: https://www.postgresql.org/docs/current/auth-pg-hba-conf.html'
+                      description: |-
+                        Postgres compares every new connection to these rules in the order they are
+                        defined. The first rule that matches determines if and how the connection
+                        must then authenticate. Connections that match no rules are disconnected.
+
+                        When this is omitted or empty, Postgres accepts encrypted connections to any
+                        database from users that have a password. To refuse all network connections,
+                        set this to one rule that matches "host" connections to the "reject" method.
+
+                        More info: https://www.postgresql.org/docs/current/auth-pg-hba-conf.html
                       items:
                         properties:
                           connection:
@@ -78,6 +88,7 @@ spec:
                             description: |-
                               The authentication method to use when a connection matches this rule.
                               The special value "reject" refuses connections that match this rule.
+
                               More info: https://www.postgresql.org/docs/current/auth-methods.html
                             maxLength: 20
                             minLength: 1
@@ -92,6 +103,7 @@ spec:
                                 - type: integer
                                 - type: string
                               x-kubernetes-int-or-string: true
+                            description: Additional settings for this rule or its authentication method.
                             maxProperties: 20
                             type: object
                             x-kubernetes-map-type: atomic
@@ -108,9 +120,15 @@ spec:
                         x-kubernetes-map-type: atomic
                         x-kubernetes-validations:
                           - message: '"hba" cannot be combined with other fields'
-                            rule: 'has(self.hba) ? !has(self.connection) && !has(self.databases) && !has(self.method) && !has(self.options) && !has(self.users) : true'
+                            rule: '[has(self.hba), has(self.connection) || has(self.databases) || has(self.method) || has(self.options) || has(self.users)].exists_one(b,b)'
                           - message: '"connection" and "method" are required'
-                            rule: 'has(self.hba) ? true : has(self.connection) && has(self.method)'
+                            rule: has(self.hba) || (has(self.connection) && has(self.method))
+                          - message: the "ldap" method requires an "ldapbasedn", "ldapprefix", or "ldapsuffix" option
+                            rule: has(self.hba) || self.method != "ldap" || (has(self.options) && ["ldapbasedn","ldapprefix","ldapsuffix"].exists(k, k in self.options))
+                          - message: cannot use "ldapbasedn", "ldapbinddn", "ldapbindpasswd", "ldapsearchattribute", or "ldapsearchfilter" options with "ldapprefix" or "ldapsuffix" options
+                            rule: has(self.hba) || self.method != "ldap" || !has(self.options) || [["ldapprefix","ldapsuffix"], ["ldapbasedn","ldapbinddn","ldapbindpasswd","ldapsearchattribute","ldapsearchfilter"]].exists_one(a, a.exists(k, k in self.options))
+                          - message: the "radius" method requires "radiusservers" and "radiussecrets" options
+                            rule: has(self.hba) || self.method != "radius" || (has(self.options) && ["radiusservers","radiussecrets"].all(k, k in self.options))
                       maxItems: 10
                       type: array
                       x-kubernetes-list-type: atomic
@@ -4211,6 +4229,7 @@ spec:
                       type: object
                   type: object
                 config:
+                  description: General configuration of the PostgreSQL server
                   properties:
                     files:
                       description: Files to mount under "/etc/postgres".
@@ -6291,8 +6310,7 @@ spec:
                         - stanza
                       type: object
                       x-kubernetes-validations:
-                        - fieldPath: .repo
-                          message: Only S3, GCS or Azure repos can be used as a pgBackRest data source.
+                        - message: Only S3, GCS or Azure repos can be used as a pgBackRest data source.
                           rule: '!has(self.repo.volume)'
                     postgresCluster:
                       description: |-

diff --git a/kustomize/install/default/kustomization.yaml b/kustomize/install/default/kustomization.yaml
@@ -7,7 +7,7 @@ labels:
   includeTemplates: true
   pairs:
     app.kubernetes.io/name: pgo
-    app.kubernetes.io/version: 5.8.1
+    app.kubernetes.io/version: 5.8.2
 - includeSelectors: true
   includeTemplates: true
   pairs:

diff --git a/kustomize/install/singlenamespace/kustomization.yaml b/kustomize/install/singlenamespace/kustomization.yaml
@@ -7,7 +7,7 @@ labels:
   includeTemplates: true
   pairs:
     app.kubernetes.io/name: pgo
-    app.kubernetes.io/version: 5.8.1
+    app.kubernetes.io/version: 5.8.2
 - includeSelectors: true
   includeTemplates: true
   pairs: