marko/cnpg-postgres-containers
1
0
Fork 0
forked from repo-mirrors/cnpg-postgres-containers
Code Pull Requests Actions Activity

chore: add system images to docker-bake.hcl (#282)

Browse Source 
This change extends the bake build process by introducing the system image flavour.
The system image is derived from the existing standard image and includes Barman Cloud support.

Closes #283
Closes #286

Signed-off-by: Jonathan Gonzalez V <jonathan.gonzalez@enterprisedb.com>
Signed-off-by: Niccolò Fei <niccolo.fei@enterprisedb.com>
Signed-off-by: Gabriele Bartolini <gabriele.bartolini@enterprisedb.com>
Signed-off-by: Marco Nenciarini <marco.nenciarini@enterprisedb.com>
Co-authored-by: Niccolò Fei <niccolo.fei@enterprisedb.com>
Co-authored-by: Gabriele Bartolini <gabriele.bartolini@enterprisedb.com>
Co-authored-by: Marco Nenciarini <marco.nenciarini@enterprisedb.com>
This commit is contained in:
Jonathan Gonzalez V.
2025-09-08 12:07:22 +02:00
committed by GitHub
parent 3ea082111e
commit fdc8010750
6 changed files with 173 additions and 67 deletions
Download Patch File Download Diff File Expand all files Collapse all files

53
.github/workflows/bake.yml vendored Normal file
View File

@@ -0,0 +1,53 @@
name: Bake Images
on:
schedule:
# Build images once a week, on Mondays
- cron: 0 8 * * 1
workflow_dispatch:
inputs:
environment:
type: choice
options:
- testing
- production
default: testing
description: "Choose the environment to bake the target for"
permissions: {}
jobs:
get_versions:
name: Get PostgreSQL versions
runs-on: ubuntu-24.04
permissions:
contents: read
outputs:
versions: ${{ steps.get_versions.outputs.versions }}
steps:
- name: Checkout Code
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
- name: Get supported PostgreSQL versions
id: get_versions
run: |
VERSIONS="$(sed -n '/postgreSQLVersions = \[/,/\]/ s/.*"\(.*\)\..*".*/\"\1\"/p' docker-bake.hcl | xargs echo | tr ' ' ',')"
echo "PostgreSQL versions: [$VERSIONS]"
echo "versions=[$VERSIONS]" >> "$GITHUB_OUTPUT"
Bake:
name: Bake
needs: get_versions
permissions:
packages: write
contents: read
id-token: write
security-events: write
strategy:
fail-fast: false
matrix:
version: ${{ fromJson(needs.get_versions.outputs.versions) }}
uses: ./.github/workflows/bake_targets.yml
with:
environment: ${{ github.event.inputs.environment }}
postgresql_version: ${{ matrix.version }}

53
.github/workflows/bake.yaml → .github/workflows/bake_targets.yml vendored
View File

@@ -1,33 +1,28 @@
name: Bake images
name: Build target images
on:
schedule:
- cron: 0 8 * * 1
workflow_dispatch:
workflow_call:
inputs:
environment:
type: choice
options:
- testing
- production
default: testing
description: "Choose the environment to bake the images for"
target:
description: "The environment to build for"
required: true
type: string
default: "testing"
postgresql_version:
description: "The PostgreSQL major version to bake"
required: true
type: string
default: ""
description: "A comma separated list of targets to build. If empty, all targets will be built."
permissions: read-all
permissions: {}
jobs:
# Start by building images for testing. We want to run security checks before pushing those to production.
testbuild:
name: Build for testing
runs-on: ubuntu-latest
# Start by building images for testing. We want to run security checks before pushing those to production.
name: PostgreSQL ${{ inputs.postgresql_version }}
runs-on: ubuntu-24.04
permissions:
contents: read
packages: write
security-events: write
# Required by the cosign step
id-token: write
outputs:
@@ -37,6 +32,19 @@ jobs:
- name: Checkout Code
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
- name: List targets
id: targets
uses: docker/bake-action/subaction/matrix@v6
with:
target: "default"
- name: Filter by versions
id: extract_targets
run: |
target=$(echo '${{ steps.targets.outputs.matrix }}' | jq -r '.[] | .[] | select(match("${{ inputs.postgresql_version }}"))' | xargs echo | sed 's/ /,/g')
echo "Targets for PostgreSQL ${{ inputs.postgresql_version }}: $target"
echo "filtered_targets=$target" >> "$GITHUB_OUTPUT"
- name: Log in to the GitHub Container registry
uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3
with:
@@ -63,7 +71,7 @@ jobs:
revision: ${{ github.sha }}
with:
push: true
targets: ${{ github.event.inputs.target }}
targets: ${{ steps.extract_targets.outputs.filtered_targets }}
# Get a list of the images that were built and pushed. We only care about a single tag for each image.
- name: Generated images
@@ -86,6 +94,10 @@ jobs:
security:
name: Security checks
runs-on: ubuntu-latest
permissions:
contents: read
packages: read
security-events: write
needs:
- testbuild
strategy:
@@ -107,6 +119,9 @@ jobs:
with:
image: ${{ matrix.image }}
exit-code: '1'
failure-threshold: WARN
accept-keywords: key
accept-filenames: usr/share/postgresql-common/pgdg/apt.postgresql.org.asc,etc/ssl/private/ssl-cert-snakeoil.key,usr/local/lib/python3.9/dist-packages/azure/core/settings.py,usr/local/lib/python3.11/dist-packages/azure/core/settings.py,usr/local/lib/python3.13/dist-packages/azure/core/settings.py
- name: Snyk
uses: snyk/actions/docker@master

6
BUILD.md
View File

@@ -73,10 +73,10 @@ docker buildx bake --push
If you want to limit the build to a specific combination, you can specify the
target in the `VERSION-TYPE-BASE` format. For example, to build an image for
PostgreSQL 17 with the `minimal` format on the `bookworm` base image:
PostgreSQL 17 with the `minimal` format on the `trixie` base image:
```bash
docker buildx bake --push postgresql-17-minimal-bookworm
docker buildx bake --push postgresql-17-minimal-trixie
```
You can also limit the build to a single platform, for example AMD64, with:
@@ -90,7 +90,7 @@ The two can be mixed as well:
```bash
docker buildx bake --push \
--set "*.platform=linux/amd64" \
postgresql-17-minimal-bookworm
postgresql-17-minimal-trixie
```
## The Distribution Registry

22
Dockerfile
View File

@@ -29,3 +29,25 @@ RUN apt-get update && \
rm -rf /var/lib/apt/lists/* /var/cache/* /var/log/*
USER 26
FROM standard AS system
ARG BARMAN_VERSION
# We need to break the system packages to install barman-cloud in bookworm and later
ENV PIP_BREAK_SYSTEM_PACKAGES=1
USER root
RUN apt-get update && \
apt-get install -y --no-install-recommends \
# We require build-essential and python3-dev to build lz4 on arm64 since there isn't a pre-compiled wheel available
build-essential python3-dev \
python3-pip \
python3-psycopg2 \
python3-setuptools \
&& \
pip3 install --no-cache-dir barman[cloud,azure,snappy,google,zstandard,lz4]==${BARMAN_VERSION} && \
apt-get remove -y --purge --autoremove build-essential python3-dev && \
apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false && \
rm -rf /var/lib/apt/lists/* /var/cache/* /var/log/*
USER 26

98
README.md
View File

@@ -1,13 +1,12 @@
[![CloudNativePG](./logo/cloudnativepg.png)](https://cloudnative-pg.io/)
> **IMPORTANT:** As of January 2025, we have transitioned to a new image build
> process (see issue [#132](https://github.com/cloudnative-pg/postgres-containers/issues/132)
> for details). Previously, the images were based on the
> [Official Postgres image](https://hub.docker.com/_/postgres), maintained by the
> [PostgreSQL Docker Community](https://github.com/docker-library/postgres),
> and included Barman Cloud built from source.
> This legacy approach, referred to as `system` images, will remain available
> for backward compatibility but is planned for a future deprecation.
> **IMPORTANT:** Starting in August 2025, the [Official Postgres Image](https://hub.docker.com/_/postgres),
> maintained by the [PostgreSQL Docker Community](https://github.com/docker-library/postgres),
> has discontinued support for Debian `bullseye`.
> In response, the CloudNativePG project has completed the transition to the
> new `bake`-based build process for all `system` images. We now build directly
> on top of the official Debian slim images, fully detaching from the official
> Postgres image. Additional changes are planned as part of epic #287.
---
@@ -23,31 +22,52 @@ within Kubernetes environments.
## Key Features
The CNPG PostgreSQL Container Images:
CloudNativePG PostgreSQL container images:
- Are based on Debian Linux `stable` and `oldstable`
- Support **multi-architecture builds**, including `linux/amd64` and
- Are built on top of **Debian Linux** (`stable` and `oldstable`).
- Provide **multi-architecture support**, including `linux/amd64` and
`linux/arm64`.
- Include **build attestations**, such as Software Bills of Materials (SBOMs)
- Ship with **build attestations**, such as Software Bills of Materials (SBOMs)
and provenance metadata.
- Are published on the
[CloudNativePG GitHub Container Registry](https://github.com/cloudnative-pg/postgres-containers/pkgs/container/postgresql).
- Are **automatically rebuilt weekly** (every Monday) to ensure they remain
up-to-date.
- Are published in the [CloudNativePG GitHub Container Registry](https://github.com/cloudnative-pg/postgres-containers/pkgs/container/postgresql).
- Are **automatically rebuilt every week** (on Mondays) to remain up to date
with the latest upstream security and bug fixes.
## Debian Releases
CloudNativePG PostgreSQL container images are based on the official `stable`
and `oldstable` Debian releases, maintained and supported by the
[Debian Project](https://www.debian.org/releases/).
The table below summarises the support lifecycle of relevant Debian versions,
including End-of-Life (EOL) and Long-Term Support (LTS) dates.
| Name | Version | Release Date | EOL | LTS | Status |
| ------------------------- | :-----: | :----------: | :--------: | :--------: | :--------- |
| Trixie (`stable`) | 13 | 2025-08-09 | 2028-08-09 | 2030-06-30 | Supported |
| Bookworm (`oldstable`) | 12 | 2023-06-10 | 2026-06-10 | 2028-06-30 | Supported |
| Bullseye (`oldoldstable`) | 11 | 2021-08-14 | 2024-08-14 | 2026-08-31 | Deprecated |
> **IMPORTANT:** The CloudNativePG project provides full support for
> Debian-based images until each release reaches its official End-of-Life
> (EOL). After EOL and until the start of Long-Term Support (LTS), images for the
> deprecated releases, such as `oldoldstable`, are maintained on a
> **best-effort basis**. If discontinuation becomes necessary before the LTS
> date, a minimum **three-month advance notice** will be posted on this page.
## Image Types
We currently build and support two primary types of PostgreSQL images:
We currently provide and maintain three main types of PostgreSQL images:
- [`minimal`](#minimal-images)
- [`standard`](#standard-images)
* [`minimal`](#minimal-images)
* [`standard`](#standard-images)
* [`system`](#system-images) (*deprecated*)
Both `minimal` and `standard` images are intended to be used with backup
plugins, such as [Barman Cloud](https://github.com/cloudnative-pg/plugin-barman-cloud).
Both `minimal` and `standard` images are designed to work with backup plugins
such as [Barman Cloud](https://github.com/cloudnative-pg/plugin-barman-cloud).
> **Note:** for backward compatibility, we also maintain the
> [`system`](#system-images) image type. Switching from `system` images to
> `minimal` or `standard` images on an existing cluster is not supported.
The `system` images, built on top of the `standard` ones, also include the
Barman Cloud binaries.
### Minimal Images
@@ -57,7 +77,7 @@ They use the [APT PostgreSQL packages](https://wiki.postgresql.org/wiki/Apt)
maintained by the PostgreSQL Global Development Group (PGDG).
These images are identified by the inclusion of `minimal` in their tag names,
for example: `17.2-minimal-bookworm`.
for example: `17.6-minimal-trixie`.
### Standard Images
@@ -70,33 +90,23 @@ following additional features:
- All Locales
Standard images are identifiable by the `standard` tag in their names, such as:
`17.2-standard-bookworm`.
`17.6-standard-trixie`.
> **Note:** Standard images are designed to offer functionality equivalent to
> the legacy `system` images when used with CloudNativePG. To achieve parity,
> you must use the [Barman Cloud Plugin](https://github.com/cloudnative-pg/plugin-barman-cloud)
> as a replacement for the native Barman Cloud support in `system` images.
### System Images
### System Images (deprecated)
System images are based on the [Official Postgres image](https://hub.docker.com/_/postgres),
maintained by the
[PostgreSQL Docker Community](https://github.com/docker-library/postgres).
These images include additional software to extend PostgreSQL functionality:
Starting from September 2025, system images are based on the `standard` image
and include Barman Cloud binaries.
- Barman Cloud
- PGAudit
- Postgres Failover Slots
- pgvector
The [`Debian`](Debian) folder contains image catalogs, which can be used as:
- [`ClusterImageCatalog`](https://cloudnative-pg.io/documentation/current/image_catalog/)
- [`ImageCatalog`](https://cloudnative-pg.io/documentation/current/image_catalog/)
> **Deprecation Notice:** System images and the associated Debian-based image
> catalogs will be deprecated in future releases of CloudNativePG and
> eventually removed. Users are encouraged to migrate to `minimal` or
> `standard` images for new clusters as soon as feasible.
> **IMPORTANT:** The `system` images are deprecated and will be removed once
> in-core support for Barman Cloud in CloudNativePG is phased out. While you
> can still use them as long as in-core Barman Cloud remains available, you
> should plan to migrate to either a `minimal` or `standard` image together
> with the Barman Cloud plugin—or adopt another supported backup solution.
## Build Attestations

8
docker-bake.hcl
View File

@@ -29,6 +29,10 @@ postgreSQLVersions = [
"17.6"
]
// Barman version to build
# renovate: datasource=github-releases depName=EnterpriseDB/barman versioning=loose
barmanVersion = "3.14.0"
extensions = [
"pgaudit",
"pgvector",
@@ -39,7 +43,8 @@ target "default" {
matrix = {
tgt = [
"minimal",
"standard"
"standard",
"system"
]
pgVersion = postgreSQLVersions
base = [
@@ -69,6 +74,7 @@ target "default" {
PG_MAJOR = "${getMajor(pgVersion)}"
BASE = "${base}"
EXTENSIONS = "${getExtensionsString(pgVersion, extensions)}"
BARMAN_VERSION = "${barmanVersion}"
}
attest = [
"type=provenance,mode=max",