chore: add system images to docker-bake.hcl (#282)

This change extends the bake build process by introducing the system image flavour. The system image is derived from the existing standard image and includes Barman Cloud support. Closes #283 Closes #286 Signed-off-by: Jonathan Gonzalez V <jonathan.gonzalez@enterprisedb.com> Signed-off-by: Niccolò Fei <niccolo.fei@enterprisedb.com> Signed-off-by: Gabriele Bartolini <gabriele.bartolini@enterprisedb.com> Signed-off-by: Marco Nenciarini <marco.nenciarini@enterprisedb.com> Co-authored-by: Niccolò Fei <niccolo.fei@enterprisedb.com> Co-authored-by: Gabriele Bartolini <gabriele.bartolini@enterprisedb.com> Co-authored-by: Marco Nenciarini <marco.nenciarini@enterprisedb.com>
2025-09-08 12:07:22 +02:00
parent 3ea082111e
commit fdc8010750
6 changed files with 173 additions and 67 deletions
--- a/.github/workflows/bake.yml
+++ b/.github/workflows/bake.yml
@@ -0,0 +1,53 @@
 name: Bake Images
 on:
  schedule:
    # Build images once a week, on Mondays
    - cron: 0 8 * * 1
  workflow_dispatch:
    inputs:
      environment:
        type: choice
        options:
          - testing
          - production
        default: testing
        description: "Choose the environment to bake the target for"
 permissions: {}
 jobs:
  get_versions:
    name: Get PostgreSQL versions
    runs-on: ubuntu-24.04
    permissions:
      contents: read
    outputs:
      versions: ${{ steps.get_versions.outputs.versions }}
    steps:
      - name: Checkout Code
        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
      - name: Get supported PostgreSQL versions
        id: get_versions
        run: |
          VERSIONS="$(sed -n '/postgreSQLVersions = \[/,/\]/ s/.*"\(.*\)\..*".*/\"\1\"/p' docker-bake.hcl | xargs echo | tr ' ' ',')"
          echo "PostgreSQL versions: [$VERSIONS]"
          echo "versions=[$VERSIONS]" >> "$GITHUB_OUTPUT"
  Bake:
    name: Bake
    needs: get_versions
    permissions:
      packages: write
      contents: read
      id-token: write
      security-events: write
    strategy:
      fail-fast: false
      matrix:
        version: ${{ fromJson(needs.get_versions.outputs.versions) }}
    uses: ./.github/workflows/bake_targets.yml
    with:
      environment: ${{ github.event.inputs.environment }}
      postgresql_version: ${{ matrix.version }}
--- a/.github/workflows/bake_targets.yml
+++ b/.github/workflows/bake_targets.yml
@@ -1,33 +1,28 @@
-name: Bake images
+name: Build target images
 on:
-  schedule:
+  workflow_call:
    - cron: 0 8 * * 1
  workflow_dispatch:
    inputs:
      environment:
-        type: choice
+        description: "The environment to build for"
-        options:
+        required: true
-          - testing
+        type: string
-          - production
+        default: "testing"
-        default: testing
+      postgresql_version:
-        description: "Choose the environment to bake the images for"
+        description: "The PostgreSQL major version to bake"
-      target:
+        required: true
        type: string
        default: ""
        description: "A comma separated list of targets to build. If empty, all targets will be built."
-permissions: read-all
+permissions: {}
 jobs:
  # Start by building images for testing. We want to run security checks before pushing those to production.
  testbuild:
-    name: Build for testing
+    # Start by building images for testing. We want to run security checks before pushing those to production.
-    runs-on: ubuntu-latest
+    name: PostgreSQL ${{ inputs.postgresql_version }}
    runs-on: ubuntu-24.04
    permissions:
      contents: read
      packages: write
      security-events: write
      # Required by the cosign step
      id-token: write
    outputs:
@@ -37,6 +32,19 @@ jobs:
      - name: Checkout Code
        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
      - name: List targets
        id: targets
        uses: docker/bake-action/subaction/matrix@v6
        with:
          target: "default"
      - name: Filter by versions
        id: extract_targets
        run: |
          target=$(echo '${{ steps.targets.outputs.matrix }}' | jq -r '.[] | .[] | select(match("${{ inputs.postgresql_version }}"))' | xargs echo | sed 's/ /,/g')
          echo "Targets for PostgreSQL ${{ inputs.postgresql_version }}: $target"
          echo "filtered_targets=$target" >> "$GITHUB_OUTPUT"
      - name: Log in to the GitHub Container registry
        uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3
        with:
@@ -63,7 +71,7 @@ jobs:
          revision: ${{ github.sha }}
        with:
          push: true
-          targets: ${{ github.event.inputs.target }}
+          targets: ${{ steps.extract_targets.outputs.filtered_targets }}
      # Get a list of the images that were built and pushed. We only care about a single tag for each image.
      - name: Generated images
@@ -86,6 +94,10 @@ jobs:
  security:
    name: Security checks
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: read
      security-events: write
    needs:
      - testbuild
    strategy:
@@ -107,6 +119,9 @@ jobs:
        with:
          image: ${{ matrix.image }}
          exit-code: '1'
          failure-threshold: WARN
          accept-keywords: key
          accept-filenames: usr/share/postgresql-common/pgdg/apt.postgresql.org.asc,etc/ssl/private/ssl-cert-snakeoil.key,usr/local/lib/python3.9/dist-packages/azure/core/settings.py,usr/local/lib/python3.11/dist-packages/azure/core/settings.py,usr/local/lib/python3.13/dist-packages/azure/core/settings.py
      - name: Snyk
        uses: snyk/actions/docker@master
--- a/BUILD.md
+++ b/BUILD.md
@@ -73,10 +73,10 @@ docker buildx bake --push
 If you want to limit the build to a specific combination, you can specify the
 target in the `VERSION-TYPE-BASE` format. For example, to build an image for
-PostgreSQL 17 with the `minimal` format on the `bookworm` base image:
+PostgreSQL 17 with the `minimal` format on the `trixie` base image:
 ```bash
-docker buildx bake --push postgresql-17-minimal-bookworm
+docker buildx bake --push postgresql-17-minimal-trixie
 ```
 You can also limit the build to a single platform, for example AMD64, with:
@@ -90,7 +90,7 @@ The two can be mixed as well:
 ```bash
 docker buildx bake --push \
  --set "*.platform=linux/amd64" \
-  postgresql-17-minimal-bookworm
+  postgresql-17-minimal-trixie
 ```
 ## The Distribution Registry
--- a/22
+++ b/22
@@ -29,3 +29,25 @@ RUN apt-get update && \
    rm -rf /var/lib/apt/lists/* /var/cache/* /var/log/*
 USER 26
 FROM standard AS system
 ARG BARMAN_VERSION
 # We need to break the system packages to install barman-cloud in bookworm and later
 ENV PIP_BREAK_SYSTEM_PACKAGES=1
 USER root
 RUN apt-get update && \
 	apt-get install -y --no-install-recommends \
 		# We require build-essential and python3-dev to build lz4 on arm64 since there isn't a pre-compiled wheel available
 		build-essential python3-dev \
 		python3-pip \
 		python3-psycopg2 \
 		python3-setuptools \
 	&& \
 	pip3 install --no-cache-dir barman[cloud,azure,snappy,google,zstandard,lz4]==${BARMAN_VERSION} && \
 	apt-get remove -y --purge --autoremove build-essential python3-dev && \
 	apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false && \
 	rm -rf /var/lib/apt/lists/* /var/cache/* /var/log/*
 USER 26
--- a/README.md
+++ b/README.md
@@ -1,13 +1,12 @@
 [![CloudNativePG](./logo/cloudnativepg.png)](https://cloudnative-pg.io/)
-> **IMPORTANT:** As of January 2025, we have transitioned to a new image build
+> **IMPORTANT:** Starting in August 2025, the [Official Postgres Image](https://hub.docker.com/_/postgres),
-> process (see issue [#132](https://github.com/cloudnative-pg/postgres-containers/issues/132)
+> maintained by the [PostgreSQL Docker Community](https://github.com/docker-library/postgres),
-> for details). Previously, the images were based on the
+> has discontinued support for Debian `bullseye`.
-> [Official Postgres image](https://hub.docker.com/_/postgres), maintained by the
+> In response, the CloudNativePG project has completed the transition to the
-> [PostgreSQL Docker Community](https://github.com/docker-library/postgres),
+> new `bake`-based build process for all `system` images. We now build directly
-> and included Barman Cloud built from source.
+> on top of the official Debian slim images, fully detaching from the official
-> This legacy approach, referred to as `system` images, will remain available
+> Postgres image. Additional changes are planned as part of epic #287.
 > for backward compatibility but is planned for a future deprecation.
 ---
@@ -23,31 +22,52 @@ within Kubernetes environments.
 ## Key Features
-The CNPG PostgreSQL Container Images:
+CloudNativePG PostgreSQL container images:
- Are based on Debian Linux `stable` and `oldstable`
+- Are built on top of **Debian Linux** (`stable` and `oldstable`).
- Support **multi-architecture builds**, including `linux/amd64` and
+- Provide **multi-architecture support**, including `linux/amd64` and
  `linux/arm64`.
- Include **build attestations**, such as Software Bills of Materials (SBOMs)
+- Ship with **build attestations**, such as Software Bills of Materials (SBOMs)
  and provenance metadata.
- Are published on the
+- Are published in the [CloudNativePG GitHub Container Registry](https://github.com/cloudnative-pg/postgres-containers/pkgs/container/postgresql).
-  [CloudNativePG GitHub Container Registry](https://github.com/cloudnative-pg/postgres-containers/pkgs/container/postgresql).
+- Are **automatically rebuilt every week** (on Mondays) to remain up to date
- Are **automatically rebuilt weekly** (every Monday) to ensure they remain
+  with the latest upstream security and bug fixes.
-  up-to-date.
+
 ## Debian Releases
 CloudNativePG PostgreSQL container images are based on the official `stable`
 and `oldstable` Debian releases, maintained and supported by the
 [Debian Project](https://www.debian.org/releases/).
 The table below summarises the support lifecycle of relevant Debian versions,
 including End-of-Life (EOL) and Long-Term Support (LTS) dates.
 | Name                      | Version | Release Date |     EOL    |     LTS    |   Status   |
 | ------------------------- | :-----: | :----------: | :--------: | :--------: | :--------- |
 | Trixie (`stable`)         |    13   |  2025-08-09  | 2028-08-09 | 2030-06-30 | Supported  |
 | Bookworm (`oldstable`)    |    12   |  2023-06-10  | 2026-06-10 | 2028-06-30 | Supported  |
 | Bullseye (`oldoldstable`) |    11   |  2021-08-14  | 2024-08-14 | 2026-08-31 | Deprecated |
 > **IMPORTANT:** The CloudNativePG project provides full support for
 > Debian-based images until each release reaches its official End-of-Life
 > (EOL). After EOL and until the start of Long-Term Support (LTS), images for the
 > deprecated releases, such as `oldoldstable`, are maintained on a
 > **best-effort basis**. If discontinuation becomes necessary before the LTS
 > date, a minimum **three-month advance notice** will be posted on this page.
 ## Image Types
-We currently build and support two primary types of PostgreSQL images:
+We currently provide and maintain three main types of PostgreSQL images:
- [`minimal`](#minimal-images)
+* [`minimal`](#minimal-images)
- [`standard`](#standard-images)
+* [`standard`](#standard-images)
 * [`system`](#system-images) (*deprecated*)
-Both `minimal` and `standard` images are intended to be used with backup
+Both `minimal` and `standard` images are designed to work with backup plugins
-plugins, such as [Barman Cloud](https://github.com/cloudnative-pg/plugin-barman-cloud).
+such as [Barman Cloud](https://github.com/cloudnative-pg/plugin-barman-cloud).
-> **Note:** for backward compatibility, we also maintain the
+The `system` images, built on top of the `standard` ones, also include the
-> [`system`](#system-images) image type. Switching from `system` images to
+Barman Cloud binaries.
 > `minimal` or `standard` images on an existing cluster is not supported.
 ### Minimal Images
@@ -57,7 +77,7 @@ They use the [APT PostgreSQL packages](https://wiki.postgresql.org/wiki/Apt)
 maintained by the PostgreSQL Global Development Group (PGDG).
 These images are identified by the inclusion of `minimal` in their tag names,
-for example: `17.2-minimal-bookworm`.
+for example: `17.6-minimal-trixie`.
 ### Standard Images
@@ -70,33 +90,23 @@ following additional features:
 - All Locales
 Standard images are identifiable by the `standard` tag in their names, such as:
-`17.2-standard-bookworm`.
+`17.6-standard-trixie`.
 > **Note:** Standard images are designed to offer functionality equivalent to
 > the legacy `system` images when used with CloudNativePG. To achieve parity,
 > you must use the [Barman Cloud Plugin](https://github.com/cloudnative-pg/plugin-barman-cloud)
 > as a replacement for the native Barman Cloud support in `system` images.
-### System Images
+### System Images (deprecated)
-System images are based on the [Official Postgres image](https://hub.docker.com/_/postgres),
+Starting from September 2025, system images are based on the `standard` image
-maintained by the
+and include Barman Cloud binaries.
 [PostgreSQL Docker Community](https://github.com/docker-library/postgres).
 These images include additional software to extend PostgreSQL functionality:
- Barman Cloud
+> **IMPORTANT:** The `system` images are deprecated and will be removed once
- PGAudit
+> in-core support for Barman Cloud in CloudNativePG is phased out. While you
- Postgres Failover Slots
+> can still use them as long as in-core Barman Cloud remains available, you
- pgvector
+> should plan to migrate to either a `minimal` or `standard` image together
-
+> with the Barman Cloud plugin—or adopt another supported backup solution.
 The [`Debian`](Debian) folder contains image catalogs, which can be used as:
 - [`ClusterImageCatalog`](https://cloudnative-pg.io/documentation/current/image_catalog/)
 - [`ImageCatalog`](https://cloudnative-pg.io/documentation/current/image_catalog/)
 > **Deprecation Notice:** System images and the associated Debian-based image
 > catalogs will be deprecated in future releases of CloudNativePG and
 > eventually removed. Users are encouraged to migrate to `minimal` or
 > `standard` images for new clusters as soon as feasible.
 ## Build Attestations
--- a/docker-bake.hcl
+++ b/docker-bake.hcl
@@ -29,6 +29,10 @@ postgreSQLVersions = [
  "17.6"
 ]
 // Barman version to build
 # renovate: datasource=github-releases depName=EnterpriseDB/barman versioning=loose
 barmanVersion = "3.14.0"
 extensions = [
  "pgaudit",
  "pgvector",
@@ -39,7 +43,8 @@ target "default" {
  matrix = {
    tgt = [
      "minimal",
-      "standard"
+      "standard",
      "system"
    ]
    pgVersion = postgreSQLVersions
    base = [
@@ -69,6 +74,7 @@ target "default" {
    PG_MAJOR = "${getMajor(pgVersion)}"
    BASE = "${base}"
    EXTENSIONS = "${getExtensionsString(pgVersion, extensions)}"
    BARMAN_VERSION = "${barmanVersion}"
  }
  attest = [
    "type=provenance,mode=max",