feat: generate Debian (12) Bookworm images (#62)

Add Debian 12 images and the related ClusterImageCatalog
---------

Signed-off-by: Niccolò Fei <niccolo.fei@enterprisedb.com>
Signed-off-by: Jonathan Gonzalez V <jonathan.gonzalez@enterprisedb.com>
Signed-off-by: Francesco Canovai <francesco.canovai@enterprisedb.com>
Co-authored-by: Jonathan Gonzalez V <jonathan.gonzalez@enterprisedb.com>
Co-authored-by: Francesco Canovai <francesco.canovai@enterprisedb.com>

.github/generate-strategy.sh

@@ -13,6 +13,9 @@ declare -A aliases=(
 	[16]='latest'
 )
 
+# Define the current default distribution
+DEFAULT_DISTRO="bullseye"
+
 GITHUB_ACTIONS=${GITHUB_ACTIONS:-false}
 
 cd "$(dirname "$(readlink -f "${BASH_SOURCE[0]}/..")")"
@@ -39,37 +42,54 @@ join() {
 	echo "${out#$sep}"
 }
 
-entries=()
-for version in "${debian_versions[@]}"; do
-
-	# Read versions from the definition file
-	versionFile="${version}/.versions.json"
-	postgresImageVersion=$(jq -r '.POSTGRES_IMAGE_VERSION | split("-") | .[0]' "${versionFile}")
-	releaseVersion=$(jq -r '.IMAGE_RELEASE_VERSION' "${versionFile}")
-
-	# Initial aliases are "major version", "optional alias", "full version with release"
-	# i.e. "14", "latest", "14.2-1", "14.2-debian","14.2"
-	fullTag="${postgresImageVersion}-${releaseVersion}"
-	versionAliases=(
-			"${version}"
-			${aliases[$version]:+"${aliases[$version]}"}
-			"${fullTag}"
-			"${postgresImageVersion}"
-	)
-	# Add all the version prefixes between full version and major version
-	# i.e "13.2"
-	while [ "$postgresImageVersion" != "$version" ] && [ "${postgresImageVersion%[.-]*}" != "$postgresImageVersion" ]; do
-		versionAliases+=("$postgresImageVersion-debian")
-		postgresImageVersion="${postgresImageVersion%[.-]*}"
+generator() {
+	local os="$1"; shift
+	local distro="$1"; shift
+
+	cd "${BASE_DIRECTORY}"/"${os}"/
+	for version in "${debian_versions[@]}"; do
+
+		# Read versions from the definition file
+		versionDir="${version}/${distro}"
+		versionFile="${versionDir}/.versions.json"
+		postgresImageVersion=$(jq -r '.POSTGRES_IMAGE_VERSION | split("-") | .[0]' "${versionFile}")
+		releaseVersion=$(jq -r '.IMAGE_RELEASE_VERSION' "${versionFile}")
+
+		# Setting distribution tags: "major version", "full version", "full version with release"
+		# i.e. "14-bullseye", "14.2-bullseye", "14.2-1-bullseye"
+		fullTag="${postgresImageVersion}-${releaseVersion}-${distro}"
+		versionAliases=(
+				"${version}-${distro}"
+				"${postgresImageVersion}-${distro}"
+				"${fullTag}"
+			)
+
+		# Additional aliases in case we are running in the default distro
+		# i.e. "14", "14.2", "14.2-1", "latest"
+		if [ "${distro}" == "${DEFAULT_DISTRO}" ]; then
+			versionAliases+=(
+				"$version"
+				"${postgresImageVersion}"
+				"${postgresImageVersion}-${releaseVersion}"
+				${aliases[$version]:+"${aliases[$version]}"}
+			)
+		fi
+
+		# Supported platforms for container images
+		platforms="linux/amd64,linux/arm64"
+
+		# Build the json entry
+		entries+=(
+			"{\"name\": \"Debian ${version} - ${distro}\", \"platforms\": \"$platforms\", \"dir\": \"$os/$versionDir\", \"file\": \"$os/$versionDir/Dockerfile\", \"distro\": \"$distro\", \"version\": \"$version\", \"tags\": [\"$(join "\", \"" "${versionAliases[@]}")\"], \"fullTag\": \"${fullTag}\"}"
+		)
 	done
-    # Support platform for container images
-	platforms="linux/amd64,linux/arm64"
+}
 
-	# Build the json entry
-	entries+=(
-		"{\"name\": \"Debian ${postgresImageVersion}\", \"platforms\": \"$platforms\", \"dir\": \"Debian/$version\", \"file\": \"Debian/$version/Dockerfile\", \"version\": \"$version\", \"tags\": [\"$(join "\", \"" "${versionAliases[@]}")\"], \"fullTag\": \"${fullTag}\"}"
-	)
-done
+entries=()
+
+# Debian
+generator "Debian" "bullseye"
+generator "Debian" "bookworm"
 
 # Build the strategy as a JSON object
 strategy="{\"fail-fast\": false, \"matrix\": {\"include\": [$(join ', ' "${entries[@]}")]}}"

.github/workflows/build.yml

@@ -6,11 +6,13 @@ on:
       - main
     paths-ignore:
       - Debian/ClusterImageCatalog.yaml
+      - Debian/ClusterImageCatalog-bookworm.yaml
   workflow_dispatch:
 
 env:
   IMAGE_STAGING: "ghcr.io/${{ github.repository_owner }}/postgresql-testing"
   IMAGE_RELEASE: "ghcr.io/${{ github.repository_owner }}/postgresql"
+  DEFAULT_DISTRO: "bullseye"
 
 jobs:
   generate-jobs:
@@ -87,7 +89,7 @@ jobs:
         exit-code: '1'
         failure-threshold: WARN
         accept-keywords: key
-        accept-filenames: usr/share/cmake/Templates/Windows/Windows_TemporaryKey.pfx,etc/trusted-key.key,usr/share/doc/perl-IO-Socket-SSL/certs/server_enc.p12,usr/share/doc/perl-IO-Socket-SSL/certs/server.p12,usr/local/lib/python3.9/dist-packages/azure/core/settings.py,usr/local/lib/python3.8/site-packages/azure/core/settings.py,usr/share/postgresql-common/pgdg/apt.postgresql.org.asc,usr/local/lib/python3.7/dist-packages/azure/core/settings.py,etc/ssl/private/ssl-cert-snakeoil.key,usr/lib/python3.9/site-packages/azure/core/settings.py
+        accept-filenames: usr/share/cmake/Templates/Windows/Windows_TemporaryKey.pfx,etc/trusted-key.key,usr/share/doc/perl-IO-Socket-SSL/certs/server_enc.p12,usr/share/doc/perl-IO-Socket-SSL/certs/server.p12,usr/local/lib/python3.9/dist-packages/azure/core/settings.py,usr/local/lib/python3.8/site-packages/azure/core/settings.py,usr/share/postgresql-common/pgdg/apt.postgresql.org.asc,usr/local/lib/python3.7/dist-packages/azure/core/settings.py,etc/ssl/private/ssl-cert-snakeoil.key,usr/lib/python3.9/site-packages/azure/core/settings.py,usr/local/lib/python3.11/dist-packages/azure/core/settings.py
 
     - name: Run Snyk to check Docker image for vulnerabilities
       uses: snyk/actions/docker@master
@@ -136,13 +138,13 @@ jobs:
               }
             ]
           }
-        }' > ${{ matrix.version }}.yaml
+        }' > ${{ matrix.version }}-${{ matrix.distro }}.yaml
 
     - name: Upload artifact
       uses: actions/upload-artifact@v4
       with:
-        name: ${{ matrix.version }}-clusterimagecatalog
-        path: ${{ matrix.version }}.yaml
+        name: ${{ matrix.version }}-${{ matrix.distro }}-clusterimagecatalog
+        path: ${{ matrix.version }}-${{ matrix.distro }}.yaml
 
   image-catalog:
     name: Generate ClusterImageCatalog
@@ -163,8 +165,10 @@ jobs:
 
       - name: Update ClusterImageCatalog
         run: |
-          yq eval-all '. as $item ireduce ({}; . *+ $item )' clusterimagecatalog/*.yaml > Debian/ClusterImageCatalog.yaml
-          cat Debian/ClusterImageCatalog.yaml
+          yq eval-all '. as $item ireduce ({}; . *+ $item )' clusterimagecatalog/*-bullseye.yaml > Debian/ClusterImageCatalog-bullseye.yaml
+          yq eval-all '. as $item ireduce ({}; . *+ $item )' clusterimagecatalog/*-bookworm.yaml > Debian/ClusterImageCatalog-bookworm.yaml
+          ln -f -s ClusterImageCatalog-${DEFAULT_DISTRO}.yaml Debian/ClusterImageCatalog.yaml
+          cat Debian/ClusterImageCatalog.yaml Debian/ClusterImageCatalog-bullseye.yaml Debian/ClusterImageCatalog-bookworm.yaml
 
       - name: Temporarily disable "include administrators" branch protection
         if: ${{ always() && github.ref == 'refs/heads/main' }}
@@ -182,7 +186,7 @@ jobs:
           author_name: CloudNativePG Automated Updates
           author_email: noreply@cnpg.com
           message: 'Automatic ClusterImageCatalog update'
-          add: 'Debian/ClusterImageCatalog.yaml'
+          add: 'Debian/ClusterImageCatalog*.yaml'
 
       - name: Enable "include administrators" branch protection
         uses: benjefferies/branch-protection-bot@v1.1.2

.github/workflows/update.yml

@@ -5,9 +5,6 @@ on:
     - cron: 0 0 * * *
   workflow_dispatch:
 
-env:
-  PYTHON_VERSION: "3.9"
-
 defaults:
   run:
     shell: 'bash -Eeuo pipefail -x {0}'
@@ -20,9 +17,27 @@ jobs:
       - uses: actions/checkout@v4
         with:
           token: ${{ secrets.REPO_GHA_PAT }}
+
+      - uses: actions/setup-python@v5
+        with:
+          python-version: 3.9
+
+      - name: Run update script
+        uses: nick-fields/retry@v3
+        with:
+          timeout_minutes: 15
+          max_attempts: 3
+          command: |
+            # pip-tools provides pip-compile used by update.sh
+            pip3 install --upgrade pip-tools pip
+            export PATH=$HOME/.local/bin:$PATH
+            echo "Updating Debian bullseye images"
+            ./Debian/update.sh -d bullseye
+
       - uses: actions/setup-python@v5
         with:
-          python-version: ${{ env.PYTHON_VERSION }}
+          python-version: 3.11
+
       - name: Run update script
         uses: nick-fields/retry@v3
         with:
@@ -32,12 +47,14 @@ jobs:
             # pip-tools provides pip-compile used by update.sh
             pip3 install --upgrade pip-tools pip
             export PATH=$HOME/.local/bin:$PATH
-            echo "Updating Debian images"
-            ./Debian/update.sh
+            echo "Updating Debian bookworm images"
+            ./Debian/update.sh -d bookworm
+
       - name: Diff
         run: |
           git status
           git diff
+
       - name: Temporarily disable "include administrators" branch protection
         if: ${{ always() && github.ref == 'refs/heads/main' }}
         id: disable_include_admins
@@ -46,11 +63,13 @@ jobs:
           access_token: ${{ secrets.REPO_GHA_PAT }}
           branch: main
           enforce_admins: false
+
       - uses: EndBug/add-and-commit@v9
         with:
           author_name: CloudNativePG Automated Updates
           author_email: noreply@cnpg.com
           message: 'Daily automatic update'
+
       - name: Enable "include administrators" branch protection
         uses: benjefferies/branch-protection-bot@v1.1.2
         if: ${{ always() && github.ref == 'refs/heads/main' }}

Debian/11/bookworm/.versions.json

@@ -0,0 +1,6 @@
+{
+  "BARMAN_VERSION": "3.10.0",
+  "IMAGE_RELEASE_VERSION": "1",
+  "POSTGRES_IMAGE_LAST_UPDATED": "2023-12-09T21:08:14.632431Z",
+  "POSTGRES_IMAGE_VERSION": "11.22-bookworm"
+}

Debian/11/bookworm/Dockerfile

@@ -0,0 +1,57 @@
+# vim:set ft=dockerfile:
+#
+# Copyright The CloudNativePG Contributors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+# 
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+FROM postgres:11.22-bookworm
+
+# Do not split the description, otherwise we will see a blank space in the labels
+LABEL name="PostgreSQL Container Images" \
+      vendor="The CloudNativePG Contributors" \
+      version="${PG_VERSION}" \
+      release="1" \
+      summary="PostgreSQL Container images." \
+      description="This Docker image contains PostgreSQL and Barman Cloud based on Postgres 11.22-bookworm."
+
+LABEL org.opencontainers.image.description="This Docker image contains PostgreSQL and Barman Cloud based on Postgres 11.22-bookworm."
+
+COPY requirements.txt /
+
+# Install additional extensions
+RUN set -xe; \
+	apt-get update; \
+	apt-get install -y --no-install-recommends \
+		"postgresql-${PG_MAJOR}-pgaudit" \
+		"postgresql-${PG_MAJOR}-pgvector" \
+		"postgresql-${PG_MAJOR}-pg-failover-slots" \
+	; \
+	rm -fr /tmp/* ; \
+	rm -rf /var/lib/apt/lists/*;
+
+# Install barman-cloud
+RUN set -xe; \
+	apt-get update; \
+	apt-get install -y --no-install-recommends \
+		python3-pip \
+		python3-psycopg2 \
+		python3-setuptools \
+	; \
+	pip3 install --break-system-packages --upgrade pip; \
+# TODO: Remove --no-deps once https://github.com/pypa/pip/issues/9644 is solved
+	pip3 install --break-system-packages --no-deps -r requirements.txt; \
+	rm -rf /var/lib/apt/lists/*;
+
+# Change the uid of postgres to 26
+RUN usermod -u 26 postgres
+USER 26