# syntax=docker/dockerfile:1
FROM supabase/postgres:15.8.1.085

# Install WAL-G v3.0.5. This image IS the backup tooling now (both compose
# and k8s): wal-g runs co-located with PGDATA in this container for continuous
# WAL archiving, base backups, and restore — no separate backup image.
# Earlier v3.0.3 URL 404'd in 2026-04-26 (alpine variant retired upstream),
# and curl without --fail piped a 404 HTML body into tar which surfaced
# as "not in gzip format" instead of an honest HTTP error. --fail makes
# curl exit non-zero on 4xx/5xx so the failure is unmistakable.
#
# Build target MUST match the base image's glibc: supabase/postgres:15.8.1.085
# is Ubuntu 20.04 (glibc 2.31). The ubuntu-22.04 wal-g build is linked against
# glibc 2.35 and dies at runtime with `version 'GLIBC_2.3{2,3,4}' not found`
# — which breaks BOTH base backups and WAL archiving (the archive_command
# shells out to wal-g), and is invisible at deploy time because we only assert
# archive_mode=on, never that wal-g actually runs. The ubuntu-20.04 build links
# against glibc 2.31 and runs on this base. (RCA 2026-05-30: e2e k8s/k8s-ha
# backup step — wal-g exited 1 with the GLIBC error inside the db pod.)
#
# Single RUN with `apt-get purge -y --auto-remove curl` collapses the
# install + cleanup into one layer so the curl binary doesn't end up
# in the published image (saving ~5MB and reducing attack surface).
RUN apt-get update && apt-get install -y --no-install-recommends \
        curl \
        ca-certificates \
    && curl -fL https://github.com/wal-g/wal-g/releases/download/v3.0.5/wal-g-pg-ubuntu-20.04-amd64.tar.gz | tar -xz \
    && mv wal-g-pg-ubuntu-20.04-amd64 /usr/local/bin/wal-g \
    && chmod +x /usr/local/bin/wal-g \
    && apt-get purge -y --auto-remove curl \
    && rm -rf /var/lib/apt/lists/*

# The supabase image already has many configurations.
# We will enable archiving via environment variables or a custom config snippet if needed.
