cloudnative-pg · mnencia · Sep 8, 2025 · Sep 2, 2025 · Sep 2, 2025 · Sep 4, 2025
@@ -0,0 +1,53 @@
+name: Bake Images
+
+on:
+  schedule:
+    # Build images once a week, on Mondays
+    - cron: 0 8 * * 1
+  workflow_dispatch:
+    inputs:
+      environment:
+        type: choice
+        options:
+          - testing
+          - production
+        default: testing
+        description: "Choose the environment to bake the target for"
+
+permissions: {}
+
+jobs:
+  get_versions:
+    name: Get PostgreSQL versions
+    runs-on: ubuntu-24.04
+    permissions:
+      contents: read
+    outputs:
+      versions: ${{ steps.get_versions.outputs.versions }}
+    steps:
+      - name: Checkout Code
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+
+      - name: Get supported PostgreSQL versions
+        id: get_versions
+        run: |
+          VERSIONS="$(sed -n '/postgreSQLVersions = \[/,/\]/ s/.*"\(.*\)\..*".*/\"\1\"/p' docker-bake.hcl | xargs echo | tr ' ' ',')"
+          echo "PostgreSQL versions: [$VERSIONS]"
+          echo "versions=[$VERSIONS]" >> "$GITHUB_OUTPUT"
+
+  Bake:
+    name: Bake
+    needs: get_versions
+    permissions:
+      packages: write
+      contents: read
+      id-token: write
+      security-events: write
+    strategy:
+      fail-fast: false
+      matrix:
+        version: ${{ fromJson(needs.get_versions.outputs.versions) }}
+    uses: ./.github/workflows/bake_targets.yml
+    with:
+      environment: ${{ github.event.inputs.environment }}
+      postgresql_version: ${{ matrix.version }}
@@ -1,33 +1,28 @@
-name: Bake images
+name: Build target images
 
 on:
-  schedule:
-    - cron: 0 8 * * 1
-  workflow_dispatch:
+  workflow_call:
     inputs:
       environment:
-        type: choice
-        options:
-          - testing
-          - production
-        default: testing
-        description: "Choose the environment to bake the images for"
-      target:
+        description: "The environment to build for"
+        required: true
+        type: string
+        default: "testing"
+      postgresql_version:
+        description: "The PostgreSQL major version to bake"
+        required: true
         type: string
-        default: ""
-        description: "A comma separated list of targets to build. If empty, all targets will be built."
 
-permissions: read-all
+permissions: {}
 
 jobs:
-  # Start by building images for testing. We want to run security checks before pushing those to production.
   testbuild:
-    name: Build for testing
-    runs-on: ubuntu-latest
+    # Start by building images for testing. We want to run security checks before pushing those to production.
+    name: PostgreSQL ${{ inputs.postgresql_version }}
+    runs-on: ubuntu-24.04
     permissions:
       contents: read
       packages: write
-      security-events: write
       # Required by the cosign step
       id-token: write
     outputs:
@@ -37,6 +32,19 @@ jobs:
       - name: Checkout Code
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
 
+      - name: List targets
+        id: targets
+        uses: docker/bake-action/subaction/matrix@v6
+        with:
+          target: "default"
+
+      - name: Filter by versions
+        id: extract_targets
+        run: |
+          target=$(echo '${{ steps.targets.outputs.matrix }}' | jq -r '.[] | .[] | select(match("${{ inputs.postgresql_version }}"))' | xargs echo | sed 's/ /,/g')
+          echo "Targets for PostgreSQL ${{ inputs.postgresql_version }}: $target"
+          echo "filtered_targets=$target" >> "$GITHUB_OUTPUT"
+
       - name: Log in to the GitHub Container registry
         uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3
         with:
@@ -63,7 +71,7 @@ jobs:
           revision: ${{ github.sha }}
         with:
           push: true
-          targets: ${{ github.event.inputs.target }}
+          targets: ${{ steps.extract_targets.outputs.filtered_targets }}
 
       # Get a list of the images that were built and pushed. We only care about a single tag for each image.
       - name: Generated images
@@ -86,6 +94,10 @@ jobs:
   security:
     name: Security checks
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: read
+      security-events: write
     needs:
       - testbuild
     strategy:
@@ -107,6 +119,9 @@ jobs:
         with:
           image: ${{ matrix.image }}
           exit-code: '1'
+          failure-threshold: WARN
+          accept-keywords: key
+          accept-filenames: usr/share/postgresql-common/pgdg/apt.postgresql.org.asc,etc/ssl/private/ssl-cert-snakeoil.key,usr/local/lib/python3.9/dist-packages/azure/core/settings.py,usr/local/lib/python3.11/dist-packages/azure/core/settings.py,usr/local/lib/python3.13/dist-packages/azure/core/settings.py
 
       - name: Snyk
         uses: snyk/actions/docker@master

@@ -73,10 +73,10 @@ docker buildx bake --push
 
 If you want to limit the build to a specific combination, you can specify the
 target in the `VERSION-TYPE-BASE` format. For example, to build an image for
-PostgreSQL 17 with the `minimal` format on the `bookworm` base image:
+PostgreSQL 17 with the `minimal` format on the `trixie` base image:
 
 ```bash
-docker buildx bake --push postgresql-17-minimal-bookworm
+docker buildx bake --push postgresql-17-minimal-trixie
 ```
 
 You can also limit the build to a single platform, for example AMD64, with:
@@ -90,7 +90,7 @@ The two can be mixed as well:
 ```bash
 docker buildx bake --push \
   --set "*.platform=linux/amd64" \
-  postgresql-17-minimal-bookworm
+  postgresql-17-minimal-trixie
 ```
 
 ## The Distribution Registry

@@ -29,3 +29,25 @@ RUN apt-get update && \
     rm -rf /var/lib/apt/lists/* /var/cache/* /var/log/*
 
 USER 26
+
+FROM standard AS system
+ARG BARMAN_VERSION
+
+# We need to break the system packages to install barman-cloud in bookworm and later
+ENV PIP_BREAK_SYSTEM_PACKAGES=1
+
+USER root
+RUN apt-get update && \
+	apt-get install -y --no-install-recommends \
+		# We require build-essential and python3-dev to build lz4 on arm64 since there isn't a pre-compiled wheel available
+		build-essential python3-dev \
+		python3-pip \
+		python3-psycopg2 \
+		python3-setuptools \
+	&& \
+	pip3 install --no-cache-dir barman[cloud,azure,snappy,google,zstandard,lz4]==${BARMAN_VERSION} && \
+	apt-get remove -y --purge --autoremove build-essential python3-dev && \
+	apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false && \
+	rm -rf /var/lib/apt/lists/* /var/cache/* /var/log/*
+
+USER 26
@@ -1,13 +1,12 @@
 [![CloudNativePG](./logo/cloudnativepg.png)](https://cloudnative-pg.io/)
 
-> **IMPORTANT:** As of January 2025, we have transitioned to a new image build
-> process (see issue [#132](https://github.com/cloudnative-pg/postgres-containers/issues/132)
-> for details). Previously, the images were based on the
-> [Official Postgres image](https://hub.docker.com/_/postgres), maintained by the
-> [PostgreSQL Docker Community](https://github.com/docker-library/postgres),
-> and included Barman Cloud built from source.
-> This legacy approach, referred to as `system` images, will remain available
-> for backward compatibility but is planned for a future deprecation.
+> **IMPORTANT:** Starting in August 2025, the [Official Postgres Image](https://hub.docker.com/_/postgres),
+> maintained by the [PostgreSQL Docker Community](https://github.com/docker-library/postgres),
+> has discontinued support for Debian `bullseye`.
+> In response, the CloudNativePG project has completed the transition to the
+> new `bake`-based build process for all `system` images. We now build directly
+> on top of the official Debian slim images, fully detaching from the official
+> Postgres image. Additional changes are planned as part of epic #287.
 
 ---
 
@@ -23,31 +22,52 @@ within Kubernetes environments.
 
 ## Key Features
 
-The CNPG PostgreSQL Container Images:
+CloudNativePG PostgreSQL container images:
 
-- Are based on Debian Linux `stable` and `oldstable`
-- Support **multi-architecture builds**, including `linux/amd64` and
+- Are built on top of **Debian Linux** (`stable` and `oldstable`).
+- Provide **multi-architecture support**, including `linux/amd64` and
   `linux/arm64`.
-- Include **build attestations**, such as Software Bills of Materials (SBOMs)
+- Ship with **build attestations**, such as Software Bills of Materials (SBOMs)
   and provenance metadata.
-- Are published on the
-  [CloudNativePG GitHub Container Registry](https://github.com/cloudnative-pg/postgres-containers/pkgs/container/postgresql).
-- Are **automatically rebuilt weekly** (every Monday) to ensure they remain
-  up-to-date.
+- Are published in the [CloudNativePG GitHub Container Registry](https://github.com/cloudnative-pg/postgres-containers/pkgs/container/postgresql).
+- Are **automatically rebuilt every week** (on Mondays) to remain up to date
+  with the latest upstream security and bug fixes.
+
+## Debian Releases
+
+CloudNativePG PostgreSQL container images are based on the official `stable`
+and `oldstable` Debian releases, maintained and supported by the
+[Debian Project](https://www.debian.org/releases/).
+
+The table below summarises the support lifecycle of relevant Debian versions,
+including End-of-Life (EOL) and Long-Term Support (LTS) dates.
+
+| Name                      | Version | Release Date |     EOL    |     LTS    |   Status   |
+| ------------------------- | :-----: | :----------: | :--------: | :--------: | :--------- |
+| Trixie (`stable`)         |    13   |  2025-08-09  | 2028-08-09 | 2030-06-30 | Supported  |
+| Bookworm (`oldstable`)    |    12   |  2023-06-10  | 2026-06-10 | 2028-06-30 | Supported  |
+| Bullseye (`oldoldstable`) |    11   |  2021-08-14  | 2024-08-14 | 2026-08-31 | Deprecated |
+
+> **IMPORTANT:** The CloudNativePG project provides full support for
+> Debian-based images until each release reaches its official End-of-Life
+> (EOL). After EOL and until the start of Long-Term Support (LTS), images for the
+> deprecated releases, such as `oldoldstable`, are maintained on a
+> **best-effort basis**. If discontinuation becomes necessary before the LTS
+> date, a minimum **three-month advance notice** will be posted on this page.
 
 ## Image Types
 
-We currently build and support two primary types of PostgreSQL images:
+We currently provide and maintain three main types of PostgreSQL images:
 
-- [`minimal`](#minimal-images)
-- [`standard`](#standard-images)
+* [`minimal`](#minimal-images)
+* [`standard`](#standard-images)
+* [`system`](#system-images) (*deprecated*)
 
-Both `minimal` and `standard` images are intended to be used with backup
-plugins, such as [Barman Cloud](https://github.com/cloudnative-pg/plugin-barman-cloud).
+Both `minimal` and `standard` images are designed to work with backup plugins
+such as [Barman Cloud](https://github.com/cloudnative-pg/plugin-barman-cloud).
 
-> **Note:** for backward compatibility, we also maintain the
-> [`system`](#system-images) image type. Switching from `system` images to
-> `minimal` or `standard` images on an existing cluster is not supported.
+The `system` images, built on top of the `standard` ones, also include the
+Barman Cloud binaries.
 
 ### Minimal Images
 
@@ -57,7 +77,7 @@ They use the [APT PostgreSQL packages](https://wiki.postgresql.org/wiki/Apt)
 maintained by the PostgreSQL Global Development Group (PGDG).
 
 These images are identified by the inclusion of `minimal` in their tag names,
-for example: `17.2-minimal-bookworm`.
+for example: `17.6-minimal-trixie`.
 
 ### Standard Images
 
@@ -70,33 +90,23 @@ following additional features:
 - All Locales
 
 Standard images are identifiable by the `standard` tag in their names, such as:
-`17.2-standard-bookworm`.
+`17.6-standard-trixie`.
 
 > **Note:** Standard images are designed to offer functionality equivalent to
 > the legacy `system` images when used with CloudNativePG. To achieve parity,
 > you must use the [Barman Cloud Plugin](https://github.com/cloudnative-pg/plugin-barman-cloud)
 > as a replacement for the native Barman Cloud support in `system` images.
 
-### System Images
-
-System images are based on the [Official Postgres image](https://hub.docker.com/_/postgres),
-maintained by the
-[PostgreSQL Docker Community](https://github.com/docker-library/postgres).
-These images include additional software to extend PostgreSQL functionality:
-
-- Barman Cloud
-- PGAudit
-- Postgres Failover Slots
-- pgvector
+### System Images (deprecated)
 
-The [`Debian`](Debian) folder contains image catalogs, which can be used as:
-- [`ClusterImageCatalog`](https://cloudnative-pg.io/documentation/current/image_catalog/)
-- [`ImageCatalog`](https://cloudnative-pg.io/documentation/current/image_catalog/)
+Starting from September 2025, system images are based on the `standard` image
+and include Barman Cloud binaries.
 
-> **Deprecation Notice:** System images and the associated Debian-based image
-> catalogs will be deprecated in future releases of CloudNativePG and
-> eventually removed. Users are encouraged to migrate to `minimal` or
-> `standard` images for new clusters as soon as feasible.
+> **IMPORTANT:** The `system` images are deprecated and will be removed once
+> in-core support for Barman Cloud in CloudNativePG is phased out. While you
+> can still use them as long as in-core Barman Cloud remains available, you
+> should plan to migrate to either a `minimal` or `standard` image together
+> with the Barman Cloud plugin—or adopt another supported backup solution.
 
 ## Build Attestations
 

@@ -29,6 +29,10 @@ postgreSQLVersions = [
   "17.6"
 ]
 
+// Barman version to build
+# renovate: datasource=github-releases depName=EnterpriseDB/barman versioning=loose
+barmanVersion = "3.14.0"
+
 extensions = [
   "pgaudit",
   "pgvector",
@@ -39,7 +43,8 @@ target "default" {
   matrix = {
     tgt = [
       "minimal",
-      "standard"
+      "standard",
+      "system"
     ]
     pgVersion = postgreSQLVersions
     base = [
@@ -69,6 +74,7 @@ target "default" {
     PG_MAJOR = "${getMajor(pgVersion)}"
     BASE = "${base}"
     EXTENSIONS = "${getExtensionsString(pgVersion, extensions)}"
+    BARMAN_VERSION = "${barmanVersion}"
   }
   attest = [
     "type=provenance,mode=max",