From 338db5dcda3941594578ffc986468d420426e464 Mon Sep 17 00:00:00 2001
From: hsiegeln <37154749+hsiegeln@users.noreply.github.com>
Date: Wed, 15 Apr 2026 23:20:46 +0200
Subject: [PATCH] fix: forward runtime base image to provisioned tenant servers

CAMELEER_SERVER_RUNTIME_BASEIMAGE was never set on provisioned
per-tenant server containers, causing them to fall back to the
server's hardcoded default. Added CAMELEER_SAAS_PROVISIONING_RUNTIMEBASEIMAGE
as a configurable property that gets forwarded during provisioning.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 docker-compose.dev.yml                                           | 1 +
 installer/install.ps1                                            | 1 +
 installer/install.sh                                             | 1 +
 installer/templates/.env.example                                 | 1 +
 installer/templates/docker-compose.saas.yml                      | 1 +
 .../cameleer/saas/provisioning/DockerTenantProvisioner.java      | 1 +
 .../cameleer/saas/provisioning/ProvisioningProperties.java       | 1 +
 src/main/resources/application.yml                               | 1 +
 8 files changed, 8 insertions(+)

diff --git a/docker-compose.dev.yml b/docker-compose.dev.yml
index 3e3a361..b5a8f55 100644
--- a/docker-compose.dev.yml
+++ b/docker-compose.dev.yml
@@ -28,6 +28,7 @@ services:
       CAMELEER_SAAS_PROVISIONING_PUBLICPROTOCOL: ${PUBLIC_PROTOCOL:-https}
       CAMELEER_SAAS_PROVISIONING_SERVERIMAGE: gitea.siegeln.net/cameleer/cameleer-server:${VERSION:-latest}
       CAMELEER_SAAS_PROVISIONING_SERVERUIIMAGE: gitea.siegeln.net/cameleer/cameleer-server-ui:${VERSION:-latest}
+      CAMELEER_SAAS_PROVISIONING_RUNTIMEBASEIMAGE: gitea.siegeln.net/cameleer/cameleer-runtime-base:${VERSION:-latest}
       CAMELEER_SAAS_PROVISIONING_NETWORKNAME: cameleer-saas_cameleer
       CAMELEER_SAAS_PROVISIONING_TRAEFIKNETWORK: cameleer-traefik
 
diff --git a/installer/install.ps1 b/installer/install.ps1
index a669193..70d96ca 100644
--- a/installer/install.ps1
+++ b/installer/install.ps1
@@ -667,6 +667,7 @@ DOCKER_GID=$gid
 # Provisioning images
 CAMELEER_SAAS_PROVISIONING_SERVERIMAGE=${REGISTRY}/cameleer-server:$($c.Version)
 CAMELEER_SAAS_PROVISIONING_SERVERUIIMAGE=${REGISTRY}/cameleer-server-ui:$($c.Version)
+CAMELEER_SAAS_PROVISIONING_RUNTIMEBASEIMAGE=${REGISTRY}/cameleer-runtime-base:$($c.Version)
 "@
         $content += $provisioningBlock
         $composeFile = 'docker-compose.yml;docker-compose.saas.yml'
diff --git a/installer/install.sh b/installer/install.sh
index f106c27..7027cfa 100644
--- a/installer/install.sh
+++ b/installer/install.sh
@@ -676,6 +676,7 @@ DOCKER_GID=$(stat -c '%g' "${DOCKER_SOCKET}" 2>/dev/null || echo "0")
 # Provisioning images
 CAMELEER_SAAS_PROVISIONING_SERVERIMAGE=${REGISTRY}/cameleer-server:${VERSION}
 CAMELEER_SAAS_PROVISIONING_SERVERUIIMAGE=${REGISTRY}/cameleer-server-ui:${VERSION}
+CAMELEER_SAAS_PROVISIONING_RUNTIMEBASEIMAGE=${REGISTRY}/cameleer-runtime-base:${VERSION}
 
 # Compose file assembly
 COMPOSE_FILE=docker-compose.yml:docker-compose.saas.yml$([ "$TLS_MODE" = "custom" ] && echo ":docker-compose.tls.yml")$([ -n "$MONITORING_NETWORK" ] && echo ":docker-compose.monitoring.yml")
diff --git a/installer/templates/.env.example b/installer/templates/.env.example
index 4833cda..2863bca 100644
--- a/installer/templates/.env.example
+++ b/installer/templates/.env.example
@@ -79,6 +79,7 @@ DOCKER_GID=0
 # ============================================================
 # CAMELEER_SAAS_PROVISIONING_SERVERIMAGE=gitea.siegeln.net/cameleer/cameleer-server:latest
 # CAMELEER_SAAS_PROVISIONING_SERVERUIIMAGE=gitea.siegeln.net/cameleer/cameleer-server-ui:latest
+# CAMELEER_SAAS_PROVISIONING_RUNTIMEBASEIMAGE=gitea.siegeln.net/cameleer/cameleer-runtime-base:latest
 
 # ============================================================
 # Monitoring (optional)
diff --git a/installer/templates/docker-compose.saas.yml b/installer/templates/docker-compose.saas.yml
index a568760..af5d06e 100644
--- a/installer/templates/docker-compose.saas.yml
+++ b/installer/templates/docker-compose.saas.yml
@@ -79,6 +79,7 @@ services:
       CAMELEER_SAAS_PROVISIONING_CLICKHOUSEPASSWORD: ${CLICKHOUSE_PASSWORD}
       CAMELEER_SAAS_PROVISIONING_SERVERIMAGE: ${CAMELEER_SAAS_PROVISIONING_SERVERIMAGE:-gitea.siegeln.net/cameleer/cameleer-server:latest}
       CAMELEER_SAAS_PROVISIONING_SERVERUIIMAGE: ${CAMELEER_SAAS_PROVISIONING_SERVERUIIMAGE:-gitea.siegeln.net/cameleer/cameleer-server-ui:latest}
+      CAMELEER_SAAS_PROVISIONING_RUNTIMEBASEIMAGE: ${CAMELEER_SAAS_PROVISIONING_RUNTIMEBASEIMAGE:-gitea.siegeln.net/cameleer/cameleer-runtime-base:latest}
     labels:
       - traefik.enable=true
       - traefik.http.routers.saas.rule=PathPrefix(`/platform`)
diff --git a/src/main/java/net/siegeln/cameleer/saas/provisioning/DockerTenantProvisioner.java b/src/main/java/net/siegeln/cameleer/saas/provisioning/DockerTenantProvisioner.java
index 0e25588..1008d38 100644
--- a/src/main/java/net/siegeln/cameleer/saas/provisioning/DockerTenantProvisioner.java
+++ b/src/main/java/net/siegeln/cameleer/saas/provisioning/DockerTenantProvisioner.java
@@ -231,6 +231,7 @@ public class DockerTenantProvisioner implements TenantProvisioner {
             // Apps deployed by this server join the tenant network (isolated)
             "CAMELEER_SERVER_RUNTIME_DOCKERNETWORK=" + tenantNetwork,
             "CAMELEER_SERVER_RUNTIME_JARDOCKERVOLUME=cameleer-jars-" + slug,
+            "CAMELEER_SERVER_RUNTIME_BASEIMAGE=" + props.runtimeBaseImage(),
             "CAMELEER_SERVER_SECURITY_INFRASTRUCTUREENDPOINTS=false"
         ));
         // If no CA bundle exists, fall back to TLS skip for OIDC (self-signed dev)
diff --git a/src/main/java/net/siegeln/cameleer/saas/provisioning/ProvisioningProperties.java b/src/main/java/net/siegeln/cameleer/saas/provisioning/ProvisioningProperties.java
index 8873a4c..7e18df6 100644
--- a/src/main/java/net/siegeln/cameleer/saas/provisioning/ProvisioningProperties.java
+++ b/src/main/java/net/siegeln/cameleer/saas/provisioning/ProvisioningProperties.java
@@ -6,6 +6,7 @@ import org.springframework.boot.context.properties.ConfigurationProperties;
 public record ProvisioningProperties(
     String serverImage,
     String serverUiImage,
+    String runtimeBaseImage,
     String networkName,
     String traefikNetwork,
     String publicHost,
diff --git a/src/main/resources/application.yml b/src/main/resources/application.yml
index b8771e1..21b58aa 100644
--- a/src/main/resources/application.yml
+++ b/src/main/resources/application.yml
@@ -45,6 +45,7 @@ cameleer:
     provisioning:
       serverimage: ${CAMELEER_SAAS_PROVISIONING_SERVERIMAGE:gitea.siegeln.net/cameleer/cameleer-server:latest}
       serveruiimage: ${CAMELEER_SAAS_PROVISIONING_SERVERUIIMAGE:gitea.siegeln.net/cameleer/cameleer-server-ui:latest}
+      runtimebaseimage: ${CAMELEER_SAAS_PROVISIONING_RUNTIMEBASEIMAGE:gitea.siegeln.net/cameleer/cameleer-runtime-base:latest}
       networkname: ${CAMELEER_SAAS_PROVISIONING_NETWORKNAME:cameleer-saas_cameleer}
       traefiknetwork: ${CAMELEER_SAAS_PROVISIONING_TRAEFIKNETWORK:cameleer-traefik}
       publichost: ${CAMELEER_SAAS_PROVISIONING_PUBLICHOST:localhost}