[chore] Bump cloudnative-pg chart 0.26.0 -> 0.28.2 #2611

Merged
joshestein merged 1 commit into master from josh/2569-cnpg-bump on Jun 4, 2026

Conversation

@joshestein

@joshestein joshestein commented Jun 4, 2026

Collaborator

What

Bumps the cloudnative-pg Helm chart from 0.26.0 to 0.28.2 (operator → 1.29.1).

Why

Prerequisite for #2610 (upgrading VKE off the end-of-life Kubernetes 1.33). We're targeting 1.35.5+1, deliberately not 1.36: even the latest CNPG operator (1.29.1) doesn't list 1.36 as supported yet (supported = 1.33 / 1.34 / 1.35), and CNPG runs our in-cluster databases.

Our current chart (0.26.0, operator ~1.26) tops out around k8s 1.33/1.34, so it needs bumping before the cluster moves to 1.35. CNPG is the highest-risk component because it manages the three single-instance in-cluster databases (keycloak-pg = login, grafana-pg, airtable-sync-pg) that get rescheduled when the node reprovisions.

Impact

Updating the operator may trigger a brief rolling restart of the single-instance databases as the instance manager updates — a short per-DB blip, no data or Postgres-version change (see Verification). Best deployed at a quiet time, but far smaller than the k8s-upgrade outage in #2610.

Verification (checked, not assumed)

  • Chart 0.26.0 → 0.28.2 (GitHub release notes): dependency bumps, CI hardening, an additive RBAC grant (clusters/status), optional custom-PodMonitor support, a pg_replication query fix. No values schema or CRD breaking changes.
  • Operator 1.26 → 1.29 (release notes): CRD schema only extended with optional fields (extensions, bin_path, env, podSelectorRefs, serviceAccountName); our minimal instances+storage Clusters are not rejected, and there is no mandatory CRD migration.
  • Default Postgres image moved to 18.x across these versions — but all three Clusters pin spec.imageName explicitly (keycloak-pg 16.2, grafana-pg 17.4, airtable-sync-pg 17.5), so the upgraded operator keeps their current Postgres version. No PG 18 surprise.

Output of pulumi preview --stack prod:

Previewing update (prod):
     Type                              Name             Plan       Info
     pulumi:pulumi:Stack               infra-prod
 ~   └─ kubernetes:helm.sh/v3:Release  cloud-native-pg  update     [diff: ~version]

Before merge

  • ⚠️ Helm does not upgrade CRDs in templates/crds. After deploy, confirm the CNPG CRDs are current and the three Clusters stay healthy.

Sequencing

Merge + deploy + verify this before #2610. The k8s version bump must not land until this operator is live on 1.33 and the databases are confirmed healthy.

🤖 Generated with Claude Code

Prerequisite for upgrading VKE off the end-of-life k8s 1.33. Chart 0.28.2
ships operator 1.29.1, which supports k8s 1.35; our current chart (0.26.0,
operator ~1.26) tops out around 1.33/1.34.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@coderabbitai

coderabbitai Bot commented Jun 4, 2026

Contributor

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 9ad90f0e-0ff7-411d-9fd4-ed8b3d15fd0e

📥 Commits

Reviewing files that changed from the base of the PR and between dbabdde and 53ea975.

📒 Files selected for processing (1)
  • apps/infra/src/k8s/postgres.ts

Walkthrough

This pull request updates the Pulumi Helm configuration for the PostgreSQL infrastructure. The cloud-native-pg chart version is bumped from 0.26.0 to 0.28.2 in the Kubernetes infrastructure source file. No other infrastructure resources, connection details, or helper functions are modified. This is a single-line dependency version update.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 inconclusive)

  • Description check (❓ Inconclusive). Explanation: The description is comprehensive and covers the rationale, impact, and verification steps. However, it diverges from the repository's template by omitting the standard sections (Issue, Developer checklist, Screenshots). Resolution: Consider whether this infrastructure-focused PR should follow the front-end template provided, or if a separate infrastructure template would be more appropriate for this repository.

✅ Passed checks (4 passed)

  • Title check (✅ Passed): The title clearly and specifically describes the main change: bumping the cloudnative-pg chart version from 0.26.0 to 0.28.2, which matches the single file modification.
  • Docstring Coverage (✅ Passed): No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check (✅ Passed): Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check (✅ Passed): Check skipped because no linked issues were found for this pull request.


@Will-Howard Will-Howard temporarily deployed to josh/2569-cnpg-bump - bluedot-preview PR #2611 June 4, 2026 13:07 — with Render Destroyed
@Will-Howard Will-Howard temporarily deployed to josh/2569-cnpg-bump - bluedot-storybook-preview PR #2611 June 4, 2026 13:07 — with Render Destroyed
@joshestein

Collaborator Author

@claude review

@claude

claude Bot commented Jun 4, 2026


Claude finished @joshestein's task —— View job


Code Review

Todo List:

  • Read and analyze the changed file
  • Review the version bump change
  • Assess risks and compatibility
  • Provide comprehensive feedback

Review Summary

LGTM - This is a clean, focused version bump with appropriate justification.

Change Analysis

File: apps/infra/src/k8s/postgres.ts:9

  • Change: Chart version 0.26.0 → 0.28.2
  • Impact: CloudNative-PG operator ~1.26 → 1.29.1
  • Scope: Single line change, minimal blast radius

Positive Aspects

  1. Well-justified upgrade: Clear connection to k8s 1.33 EOL → 1.35 migration
  2. Conservative approach: Targeting k8s 1.35 (not bleeding-edge 1.36) aligns with CNPG's supported releases
  3. Proper sequencing: Upgrading operator before cluster upgrade is the right order
  4. Minimal surface area: Only the Helm chart version changes, no API or configuration modifications

Considerations & Recommendations

⚠️ Critical Post-Deploy Verification

The author correctly identified key verification steps:

  1. CRD updates: Helm doesn't auto-upgrade CRDs in templates/crds/ - manually verify after deploy
  2. Database health: Monitor all three Cluster resources (keycloak-pg, grafana-pg, airtable-sync-pg)
  3. Operator pod: Confirm the new operator starts successfully

📋 Suggested Verification Commands

# Check operator pod
kubectl get pods -n cnpg-system

# Verify CRDs are current
kubectl get crds | grep cnpg

# Monitor cluster health
kubectl get clusters -A
kubectl describe cluster keycloak-pg
kubectl describe cluster grafana-pg  
kubectl describe cluster airtable-sync-pg

🎯 Risk Assessment: LOW

  • Only operator pod restarts, databases continue running
  • Chart 0.26.0 → 0.28.2 changelog shows bug-fixes only (per PR description)
  • No breaking CRD or values schema changes noted
  • Single-instance databases have dependsOn: [cloudNativePg] ensuring proper startup order

Minor Notes

  • The missing pulumi preview (due to credential constraints) is reasonable given the change scope
  • Consider adding the verification commands to the deployment runbook for future operator upgrades

Decision

Approve and merge once someone with production credentials runs pulumi preview to confirm only the cloud-native-pg Helm release updates.
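
An added example, not part of the thread or the project's code: a post-deploy check over the JSON that `kubectl get clusters -A -o json` returns, confirming that each of the three Clusters still pins `spec.imageName` to the version given in the PR description and reports healthy. The namespace, image repository and sample status values are constructed placeholders.

```python
import json

# Phase string CloudNativePG reports in status.phase for a healthy Cluster.
HEALTHY_PHASE = "Cluster in healthy state"
# Cluster name -> Postgres version pinned via spec.imageName, per the PR description.
EXPECTED = {"keycloak-pg": "16.2", "grafana-pg": "17.4", "airtable-sync-pg": "17.5"}


def _cluster(name, tag):
    # Constructed sample object; namespace and image repository are placeholders.
    return {"metadata": {"namespace": "example-ns", "name": name},
            "spec": {"instances": 1, "imageName": f"registry.example/postgresql:{tag}"},
            "status": {"phase": HEALTHY_PHASE, "readyInstances": 1}}


# Constructed stand-in for `kubectl get clusters -A -o json` output.
SAMPLE = json.dumps({"items": [_cluster(n, v) for n, v in EXPECTED.items()]})


def image_tag(image):
    """Tag part of an image reference, ignoring any @sha256 digest suffix."""
    ref = image.split("@", 1)[0]
    last = ref.rsplit("/", 1)[-1]
    return last.rsplit(":", 1)[1] if ":" in last else ""


def check_clusters(raw, expected=EXPECTED):
    """Return a list of problems; an empty list means pinned and healthy."""
    seen = {i["metadata"]["name"]: i for i in json.loads(raw).get("items", [])}
    problems = []
    for name, version in expected.items():
        item = seen.get(name)
        if item is None:
            problems.append(f"{name}: Cluster not found")
            continue
        spec, status = item.get("spec", {}), item.get("status", {})
        tag = image_tag(spec.get("imageName") or "")
        if not spec.get("imageName"):
            problems.append(f"{name}: spec.imageName unset, operator default image applies")
        elif tag != version and not tag.startswith(version + "-"):
            problems.append(f"{name}: image tag {tag!r} is not the pinned {version}")
        if status.get("phase") != HEALTHY_PHASE:
            problems.append(f"{name}: phase is {status.get('phase')!r}")
        if status.get("readyInstances", 0) < spec.get("instances", 1):
            problems.append(f"{name}: ready instances below spec.instances")
    return problems


if __name__ == "__main__":
    print(check_clusters(SAMPLE) or "all expected Clusters pinned and healthy")
```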


@greptile-apps

greptile-apps Bot commented Jun 4, 2026

Contributor

Greptile Summary

Bumps the cloudnative-pg Helm chart from 0.26.0 to 0.28.2, updating the underlying CloudNativePG operator to application version 1.29.1. The change is a single-line version string update with no other modifications.

  • Spans chart releases 0.27.0, 0.27.1, 0.28.0, 0.28.1, and 0.28.2 — three minor and two patch versions.
  • No values, namespace, or CRD configuration is altered alongside the version bump.

Confidence Score: 5/5

A single-line version bump to a well-maintained Helm chart with no configuration changes; straightforward to roll back if the operator upgrade causes unexpected behavior.

The only change is the chart version string. All existing CRD configurations, namespace settings, and dependent cluster resources remain untouched. The cloudnative-pg operator handles in-place upgrades without disrupting running PostgreSQL processes, so the risk to the three dependent clusters is low.

No files require special attention.

Important Files Changed

  • apps/infra/src/k8s/postgres.ts: Bumps the cloudnative-pg Helm chart version from 0.26.0 to 0.28.2; no other changes.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A["Pulumi k8s Helm Release\n'cloud-native-pg'"] -->|"chart: cloudnative-pg\nversion: 0.28.2 (was 0.26.0)"| B["cloudnative-pg.github.io/charts\n(CloudNativePG Operator v1.29.1)"]
    B --> C["cnpg-system namespace\n(CloudNativePG CRDs & Controller)"]
    C --> D["keycloak-pg Cluster\n(dependsOn)"]
    C --> E["grafana-pg Cluster\n(dependsOn)"]
    C --> F["airtable-sync-pg Cluster\n(dependsOn)"]

Reviews (1): Last reviewed commit: "[chore] Bump cloudnative-pg chart 0.26.0..."

@joshestein

Collaborator Author

@coderabbitai review

@coderabbitai

coderabbitai Bot commented Jun 4, 2026

Contributor
✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@joshestein joshestein merged commit 295086a into master Jun 4, 2026
7 checks passed
@joshestein joshestein deleted the josh/2569-cnpg-bump branch June 4, 2026 14:32