Merge a9d8dbba6e into 064eac2199

.github/workflows/barman-base-image.yml

@@ -1,38 +0,0 @@
-name: Barman Base Image
-on:
-  workflow_dispatch:
-  schedule:
-    - cron: "0 0 * * 0"
-  push:
-    branches:
-      - main
-    paths:
-      - 'containers/sidecar-requirements.txt'
-
-permissions: read-all
-
-jobs:
-  build:
-    runs-on: ubuntu-latest
-    permissions:
-      packages: write
-      contents: write
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v6
-      - name: Install QEMU static binaries
-        uses: docker/setup-qemu-action@v3
-      - name: Install Task
-        uses: arduino/setup-task@v2
-      - name: Install Dagger
-        env:
-          # renovate: datasource=github-tags depName=dagger/dagger versioning=semver
-          DAGGER_VERSION: 0.19.10
-        run: |
-          curl -L https://dl.dagger.io/dagger/install.sh | BIN_DIR=$HOME/.local/bin sh
-      - name: Publish a barman-base
-        env:
-          REGISTRY_USER: ${{ github.actor }}
-          REGISTRY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
-        run: |
-          task publish-barman-base

Taskfile.yml

@@ -381,34 +381,6 @@ tasks:
         build --dir . --file containers/Dockerfile.sidecar --platform linux/amd64 --platform linux/arm64
         publish --ref {{.SIDECAR_IMAGE_NAME}} --tags {{.IMAGE_VERSION}}
 
-  publish-barman-base:
-    desc: Build and publish a barman-cloud base container image
-    vars:
-      BARMAN_BASE_IMAGE_NAME: ghcr.io/{{.GITHUB_REPOSITORY}}-base{{if not (hasPrefix "refs/heads/main" .GITHUB_REF)}}-testing{{end}}
-      BARMAN_VERSION:
-        sh: grep "^barman" containers/sidecar-requirements.in | sed -E 's/.*==([^ ]+)/\1/'
-      BUILD_DATE:
-        sh: date +"%Y%m%d%H%M"
-    requires:
-      # We expect this to run in a GitHub workflow, so we put a few GitHub-specific vars here
-      # to prevent running this task locally by accident.
-      vars:
-        - CI
-        - GITHUB_REPOSITORY
-        - GITHUB_REF
-        - GITHUB_REF_NAME
-        - REGISTRY_USER
-        - REGISTRY_PASSWORD
-    env:
-      # renovate: datasource=git-refs depName=docker lookupName=https://github.com/purpleclay/daggerverse currentValue=main
-      DAGGER_DOCKER_SHA: ee12c1a4a2630e194ec20c5a9959183e3a78c192
-    cmds:
-      - >
-        dagger call -m github.com/purpleclay/daggerverse/docker@${DAGGER_DOCKER_SHA}
-        --registry ghcr.io --username $REGISTRY_USER --password env:REGISTRY_PASSWORD
-        build --dir . --file containers/Dockerfile.barmanbase --platform linux/amd64 --platform linux/arm64
-        publish --ref {{.BARMAN_BASE_IMAGE_NAME}} --tags "{{.BARMAN_VERSION}}-{{.BUILD_DATE}}"
-
   controller-gen:
     desc: Run controller-gen
     run: once

containers/Dockerfile.barmanbase

@@ -1,7 +0,0 @@
-FROM python:3.13-slim-bookworm
-COPY containers/sidecar-requirements.txt .
-RUN apt-get update && \
-    apt-get install -y postgresql-common build-essential && \
-    /usr/share/postgresql-common/pgdg/apt.postgresql.org.sh -y && \
-    apt-get install -y libpq-dev && \
-    pip install -r sidecar-requirements.txt

containers/Dockerfile.sidecar

@@ -2,7 +2,7 @@
 # The container needs to provide and build two components:
 # * barman-cloud
 # * instance plugin
-# Both components are built before going into a distroless container
+# Both components are built before going into the final container
 
 # Build the manager binary
 FROM --platform=$BUILDPLATFORM golang:1.25.6 AS gobuilder
@@ -33,19 +33,30 @@ COPY ../internal/ internal/
 RUN --mount=type=cache,target=/go/pkg/mod --mount=type=cache,target=/root/.cache/go-build \
     CGO_ENABLED=0 GOOS=${TARGETOS:-linux} GOARCH=${TARGETARCH} go build -a -o manager cmd/manager/main.go
 
-# Use plugin-barman-cloud-base to get the dependencies.
-# pip will build everything inside /usr, so we copy every file into a new
-# destination that will then be copied into the distroless container
-FROM ghcr.io/cloudnative-pg/plugin-barman-cloud-base:3.17.0-202601131704 AS pythonbuilder
-# Prepare a new /usr/ directory with the files we'll need in the final image
-RUN mkdir /new-usr/ && \
-    cp -r --parents /usr/local/lib/ /usr/lib/*-linux-gnu/ /usr/local/bin/ \
-    /new-usr/
+# Build wheel files for Python dependencies
+FROM python:3.13-slim-trixie AS pythonbuilder
+WORKDIR /build
 
-# Joint process
-# Now we put everything that was build from the origin into our
-# distroless container
-FROM gcr.io/distroless/python3-debian12:nonroot
+# Install build dependencies
+RUN apt-get update && \
+    apt-get install -y --no-install-recommends \
+        postgresql-common \
+        build-essential && \
+    /usr/share/postgresql-common/pgdg/apt.postgresql.org.sh -y && \
+    apt-get install -y --no-install-recommends \
+        libpq-dev \
+        liblz4-dev \
+        libsnappy-dev
+
+# Copy requirements
+COPY containers/sidecar-requirements.txt .
+
+# Build wheels with pip cache mount
+RUN --mount=type=cache,target=/root/.cache/pip \
+    pip wheel --wheel-dir=/wheels -r sidecar-requirements.txt
+
+# Final sidecar image
+FROM python:3.13-slim-trixie
 
 ENV SUMMARY="CloudNativePG Barman plugin" \
     DESCRIPTION="Container image that provides the barman-cloud sidecar"
@@ -60,7 +71,26 @@ LABEL summary="$SUMMARY" \
       version="" \
       release="1"
 
-COPY --from=pythonbuilder /new-usr/* /usr/
+# Install runtime dependencies
+RUN apt-get update && \
+    apt-get install -y --no-install-recommends \
+        postgresql-common && \
+    /usr/share/postgresql-common/pgdg/apt.postgresql.org.sh -y && \
+    apt-get install -y --no-install-recommends \
+        libpq5 \
+        liblz4-1 \
+        libsnappy1v5 && \
+    apt-get clean && \
+    rm -rf /var/lib/apt/lists/*
+
+# Install wheels using bind mount (wheels not included in final layers)
+# and ensure all Python bytecode is freshly compiled with correct timestamps
+RUN --mount=type=bind,from=pythonbuilder,source=/wheels,target=/wheels \
+    pip install --no-cache-dir /wheels/*.whl && \
+    python -m compileall -q
+
+# Copy Go manager binary
 COPY --from=gobuilder /workspace/manager /manager
+
 USER 26:26
 ENTRYPOINT ["/manager"]

renovate.json5

@@ -79,12 +79,6 @@
     enabled: false,
   },
   packageRules: [
-    {
-      matchPackageNames: [
-       'ghcr.io/cloudnative-pg/plugin-barman-cloud-base',
-      ],
-      versioning: 'loose',
-    },
     {
       matchDatasources: [
         'go',