deploy: switch runtime to Red Hat Hardened core-runtime image#821

Merged
adrianriobo merged 1 commit into
redhat-developer:mainfrom
jangel97:hardened-go-image
Jun 9, 2026
Conversation

@jangel97 jangel97 commented Jun 1, 2026

Contributor

Summary

  • Switch runtime from ubi9/ubi (230 MB) to hi/core-runtime (58 MB) — a distroless-like image with minimal CVE surface
  • Move Pulumi plugin installation from runtime stage to build stage
  • Copy only compiled binaries (mapt, pulumi) and pre-installed plugins into the runtime image
  • No Go toolchain or package manager in the final image

Changes

  • oci/Containerfile — multi-stage build with plugin install in build stage, pinned hi/core-runtime digest

coderabbitai Bot commented Jun 1, 2026

📝 Walkthrough

Summary by CodeRabbit

  • Chores
    • Updated container runtime base image and configuration
    • Enhanced container security with stricter build practices and non-root user execution
    • Improved build efficiency through optimized plugin installation and path management

Walkthrough

The Containerfile is refactored into a multi-stage build: the builder stage now explicitly uses strict Bash options and improves Pulumi CLI extraction; plugin installation is configured with a dedicated PULUMI_HOME directory and prepended PATH; the new runtime stage uses a lightweight hi/core-runtime base image, copies preinstalled plugins, and switches to a non-root user.

Changes

Container Multi-Stage Build Optimization

Layer / File(s) / Summary

  • Builder stage environment and Pulumi extraction (oci/Containerfile): Builder stage header now uses Bash with strict options (set -euo pipefail); Pulumi CLI tarball is downloaded with curl -fSL and extracted during the build before plugin installation.
  • Plugin installation environment configuration (oci/Containerfile): Plugin installation phase sets PULUMI_HOME to /opt/pulumi-plugins, prepends /workspace/pulumi to PATH, creates the plugin directory, and begins downloading the first Pulumi resource plugin.
  • Multi-stage runtime image with plugin copy (oci/Containerfile): New runtime stage based on hi/core-runtime copies compiled binaries and preinstalled plugins into /opt/mapt/run, sets runtime PULUMI_HOME and WORKDIR, fixes ownership/permissions, briefly runs as USER 0 for setup then switches to USER 65532, and preserves ENTRYPOINT/CMD.

🚥 Pre-merge checks: 5 passed

  • Title check: Passed. The title clearly and concisely summarizes the main change: switching the runtime base image from ubi9/ubi to Red Hat's hardened hi/core-runtime image.
  • Description check: Passed. The description provides comprehensive context about the rationale (reduced CVE surface, smaller image size) and key architectural changes to the multi-stage build process.
  • Docstring Coverage: Passed. Docstring coverage is 80.00%, which is sufficient; the required threshold is 80.00%.
  • Linked Issues check: Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: Passed. Check skipped because no linked issues were found for this pull request.

@jangel97 jangel97 marked this pull request as draft June 1, 2026 17:12
@jangel97 jangel97 force-pushed the hardened-go-image branch 2 times, most recently from 00d6227 to a289bc4, June 2, 2026 13:34
@jangel97 jangel97 marked this pull request as ready for review June 2, 2026 14:50
@jangel97 jangel97 force-pushed the hardened-go-image branch from a289bc4 to 4fb3e51, June 2, 2026 15:01

@adrianriobo adrianriobo left a comment

Collaborator

LGTM

Multi-stage build: move Pulumi plugin installation from runtime to build
stage, then copy binaries + plugins into hi/core-runtime (58 MB glibc base,
minimal CVE surface). Runtime only needs the compiled mapt binary, pulumi
CLI, and pre-installed plugins — no Go toolchain or package manager needed.
@jangel97 jangel97 force-pushed the hardened-go-image branch from 4fb3e51 to 1b10956, June 8, 2026 11:04

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 2

🧹 Nitpick comments (1)
oci/Containerfile (1)

61-69: ARCH_N looks unused in this repo; remove or derive from TARGETARCH only if mapt needs it
ARCH_N is only defined in oci/Containerfile (ENV ... ARCH_N=x86_64) and there are no other in-repo (non-vendor) consumers of ARCH_N. Either drop the env var from the runtime stage, or switch to a TARGETARCH-derived value if the mapt binary contract requires it.

Inline comments:
In `@oci/Containerfile`:
- Line 66: The Dockerfile/Containerfile currently bakes the Pulumi passphrase
into image metadata via the ENV PULUMI_CONFIG_PASSPHRASE declaration; remove
this ENV line and stop hardcoding the secret, and instead inject the passphrase
at runtime from a secret store or orchestration secret (e.g., environment
secret, Kubernetes Secret, Docker secret, or a managed Pulumi secrets provider).
Specifically, delete or comment out the ENV PULUMI_CONFIG_PASSPHRASE
"passphrase" entry and ensure your runtime startup/entrypoint logic (where
Pulumi is invoked) reads PULUMI_CONFIG_PASSPHRASE from the environment provided
by the orchestrator or a mounted secret, or switch to a managed Pulumi secrets
provider and update the Pulumi client initialization accordingly.
- Around line 18-19: The Pulumi archive is downloaded and immediately extracted
(curl -> pulumicli.tar.gz then tar -xzvf) without integrity verification; update
the Dockerfile steps around the PULUMI_URL download to also fetch or use a
trusted checksum/signature (e.g., ${PULUMI_URL}.sha256 or an env var
PULUMI_SHA256 / PULUMI_ASC), verify the downloaded pulumicli.tar.gz with
sha256sum or signature verification and fail the build if verification fails,
then proceed to tar -xzvf only after successful verification; apply the same
change to the other asset download/extract sequence at the other occurrence
(lines with tar -xzvf for the second asset).

📥 Commits

Reviewing files that changed from the base of the PR and between a289bc4 and 1b10956.

📒 Files selected for processing (1)
  • oci/Containerfile
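The second inline finding above (extract the Pulumi tarball only after integrity verification) as a worked builder-stage helper. This is an added example, not code from the mapt repository; the PULUMI_URL / PULUMI_SHA256 names and the fetch.sh mount path are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the mapt repo): fail-closed download/verify/extract
# for the builder stage. A pinned SHA-256 is required; on mismatch the archive
# is deleted and nothing is extracted. Assumed names: PULUMI_URL, PULUMI_SHA256.
set -eu
(set -o pipefail) 2>/dev/null && set -o pipefail

# Compute SHA-256 of a file (sha256sum on GNU, shasum on macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_and_extract ARCHIVE EXPECTED_SHA256 DESTDIR
# Returns 0 and extracts only when the digest matches; returns 1 otherwise.
verify_and_extract() {
    local archive="$1" expected="$2" dest="$3" actual
    expected="$(printf '%s' "$expected" | tr 'A-F' 'a-f')"
    actual="$(sha256_of "$archive")"
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $archive: got $actual, want $expected" >&2
        rm -f "$archive"            # leave no unverified artifact behind
        return 1
    fi
    mkdir -p "$dest"
    tar -xzf "$archive" -C "$dest"  # extract only after verification succeeded
}

# fetch_verify_extract URL EXPECTED_SHA256 DESTDIR
# Builder-stage wrapper: curl -fSL mirrors the download step in the review.
fetch_verify_extract() {
    local url="$1" expected="$2" dest="$3" tmp
    tmp="$(mktemp -d)"
    curl -fSL "$url" -o "$tmp/archive.tar.gz"
    verify_and_extract "$tmp/archive.tar.gz" "$expected" "$dest"
}

# Usage inside a Containerfile RUN (assumed build args, not the project's):
#   ARG PULUMI_URL PULUMI_SHA256
#   RUN --mount=type=bind,source=oci/fetch.sh,target=/fetch.sh \
#       . /fetch.sh && fetch_verify_extract "$PULUMI_URL" "$PULUMI_SHA256" /workspace
```

Passing PULUMI_SHA256 as a build ARG keeps the expected digest out of the final image's ENV, unlike a baked-in PULUMI_CONFIG_PASSPHRASE, which must come from the orchestrator's secret at runtime.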

@adrianriobo adrianriobo merged commit 815371b into redhat-developer:main Jun 9, 2026
9 checks passed