deploy: switch runtime to Red Hat Hardened core-runtime image #821

Open
jangel97 wants to merge 1 commit into redhat-developer:main from jangel97:hardened-go-image

Conversation

@jangel97
Contributor

@jangel97 jangel97 commented Jun 1, 2026

Summary

  • Switch runtime from ubi9/ubi (230 MB) to hi/core-runtime (58 MB) — a distroless-like image with minimal CVE surface
  • Move Pulumi plugin installation from runtime stage to build stage
  • Copy only compiled binaries (mapt, pulumi) and pre-installed plugins into the runtime image
  • No Go toolchain or package manager in the final image

Changes

  • oci/Containerfile — multi-stage build with plugin install in build stage, pinned hi/core-runtime digest

@coderabbitai

coderabbitai Bot commented Jun 1, 2026

Review Change Stack

Warning

Review limit reached

@jangel97, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 48 minutes and 53 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Enterprise

Run ID: aee54e90-da71-4bf0-aea3-82b6edeb9946

📥 Commits

Reviewing files that changed from the base of the PR and between a289bc4 and 4fb3e51.

📒 Files selected for processing (1)
  • oci/Containerfile

📝 Walkthrough

The Containerfile is refactored into a multi-stage build: the builder stage now explicitly uses strict Bash options and improves Pulumi CLI extraction; plugin installation is configured with a dedicated PULUMI_HOME directory and prepended PATH; the new runtime stage uses a lightweight hi/core-runtime base image, copies preinstalled plugins, and switches to a non-root user.

Changes

Container Multi-Stage Build Optimization

Layer / File(s): Summary

  • Builder stage environment and Pulumi extraction (oci/Containerfile): Builder stage header now uses Bash with strict options (set -euo pipefail); Pulumi CLI tarball is extracted with failure-fast curl and clean termination before plugin installation begins.
  • Plugin installation environment configuration (oci/Containerfile): Plugin installation phase sets PULUMI_HOME to /opt/pulumi-plugins and prepends /workspace/pulumi to PATH in the builder stage, then creates the plugin directory and begins downloading the first plugin archive.
  • Multi-stage runtime image with plugin copy (oci/Containerfile): New second FROM stage based on hi/core-runtime base image copies compiled binaries and preinstalled plugins into /opt/mapt/run, configures runtime environment variables, adjusts ownership and permissions, switches to non-root user 65532, and preserves existing ENTRYPOINT/CMD.

🎯 2 (Simple) | ⏱️ ~8 minutes

🚥 Pre-merge checks | ✅ 5 passed

  • Title check: ✅ Passed. The title clearly and specifically describes the main change: switching the container runtime from ubi9 to Red Hat's hardened core-runtime image, which aligns with the primary objective of the PR.
  • Description check: ✅ Passed. The description is well-related to the changeset, covering the key improvements (image size reduction, CVE surface reduction, multi-stage build, plugin installation timing) and explicitly references the modified file.
  • Docstring Coverage: ✅ Passed. Docstring coverage is 80.00%, which is sufficient. The required threshold is 80.00%.
  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.



Comment @coderabbitai help to get the list of available commands and usage tips.
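The Containerfile below is an added illustration of the multi-stage layout that the PR description and the CodeRabbit walkthrough above describe; it is not the project's own oci/Containerfile and not code from the redhat-developer project. It follows the points the page states (a builder stage under strict Bash, a dedicated PULUMI_HOME at /opt/pulumi-plugins with /workspace/pulumi prepended to PATH, a runtime stage on hi/core-runtime that receives only the compiled binaries and preinstalled plugins under /opt/mapt/run and runs as uid 65532). The build base image, registry host, runtime digest, Pulumi version, plugin names and the Go package path are assumptions or placeholders, marked as such in the comments.

```dockerfile
# Added example, not the project's oci/Containerfile. Registry hosts, the
# runtime digest, the Pulumi version, the plugin list and the Go package
# path are placeholders/assumptions.

############################
# Stage 1: builder
############################
# ASSUMPTION: ubi9/go-toolset as the build image (needs Go, bash, curl, tar).
FROM registry.access.redhat.com/ubi9/go-toolset:latest AS builder

# Strict Bash for every RUN line: a failing curl, tar or plugin install
# aborts the build instead of silently baking a half-populated image.
SHELL ["/bin/bash", "-euo", "pipefail", "-c"]

# go-toolset runs as uid 1001 by default; /opt needs root in this stage only.
USER 0
WORKDIR /workspace

# ASSUMPTION: the Pulumi release is pinned through a build argument.
ARG PULUMI_VERSION=3.0.0
# -f fails on HTTP errors so pipefail surfaces a bad download.
# The tarball unpacks to /workspace/pulumi/, which is prepended to PATH below.
RUN curl -fsSL "https://get.pulumi.com/releases/sdk/pulumi-v${PULUMI_VERSION}-linux-x64.tar.gz" \
      | tar -xz -C /workspace

# Plugins are installed here, into a dedicated PULUMI_HOME, so the runtime
# image never downloads anything and needs neither network nor a package manager.
ENV PULUMI_HOME=/opt/pulumi-plugins \
    PATH=/workspace/pulumi:$PATH
# ASSUMPTION: plugin kinds/names/versions are placeholders for the ones mapt needs.
RUN mkdir -p "${PULUMI_HOME}" \
 && pulumi plugin install resource aws v6.0.0 \
 && pulumi plugin install resource azure-native v2.0.0 \
 && pulumi plugin ls

# Build the mapt binary. ASSUMPTION: the Go module root is the repository root.
COPY go.mod go.sum ./src/
WORKDIR /workspace/src
RUN go mod download
COPY . .
# Static binary: no dependency on the runtime image's libc version.
RUN mkdir -p /workspace/bin \
 && CGO_ENABLED=0 go build -trimpath -ldflags='-s -w' -o /workspace/bin/mapt .

############################
# Stage 2: runtime
############################
# ASSUMPTION: registry host and the all-zero digest are placeholders. Pinning
# by digest rather than tag keeps the base immutable; the digest is bumped
# deliberately when the hardened image is rebuilt for a CVE fix.
FROM registry.example.com/hi/core-runtime@sha256:0000000000000000000000000000000000000000000000000000000000000000 AS runtime

# Only artifacts cross the stage boundary: no Go toolchain, curl, tar, shell
# or package manager reaches the final image. --chown hands the files to the
# runtime uid in the same layer, so no later RUN (and no shell) is needed.
COPY --from=builder --chown=65532:65532 /workspace/bin/mapt  /opt/mapt/run/mapt
COPY --from=builder --chown=65532:65532 /workspace/pulumi/   /opt/mapt/run/
COPY --from=builder --chown=65532:65532 /opt/pulumi-plugins  /opt/pulumi-plugins

# Same PULUMI_HOME as the builder so the CLI finds the preinstalled plugins
# instead of trying to fetch them at run time. PULUMI_HOME must stay writable
# by uid 65532 because Pulumi keeps credentials and locks there.
# PULUMI_SKIP_UPDATE_CHECK stops the CLI's version check from calling out.
ENV PULUMI_HOME=/opt/pulumi-plugins \
    PATH=/opt/mapt/run:$PATH \
    PULUMI_SKIP_UPDATE_CHECK=true

# Unprivileged uid, as in the walkthrough above.
USER 65532:65532
WORKDIR /opt/mapt/run

ENTRYPOINT ["/opt/mapt/run/mapt"]
CMD ["--help"]
```

Two cheap checks after building confirm the properties the PR claims: `podman inspect --format '{{.Config.User}}' <image>` should print `65532:65532`, and `podman run --rm --entrypoint /bin/sh <image>` should fail to start, since a distroless-like runtime ships no shell for an attacker or a stray RUN to use.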

@jangel97 jangel97 marked this pull request as draft June 1, 2026 17:12
@jangel97 jangel97 force-pushed the hardened-go-image branch 2 times, most recently from 00d6227 to a289bc4 June 2, 2026 13:34
@jangel97 jangel97 marked this pull request as ready for review June 2, 2026 14:50
  Multi-stage build: move Pulumi plugin installation from runtime to build
  stage, then copy binaries + plugins into hi/core-runtime (58 MB glibc base,
  minimal CVE surface). Runtime only needs the compiled mapt binary, pulumi
  CLI, and pre-installed plugins — no Go toolchain or package manager needed.
@jangel97 jangel97 force-pushed the hardened-go-image branch from a289bc4 to 4fb3e51 June 2, 2026 15:01