From 5f210b76a9707a91d4c9114cc71a8cf493954c2a Mon Sep 17 00:00:00 2001
From: hsiegeln <37154749+hsiegeln@users.noreply.github.com>
Date: Tue, 28 Apr 2026 09:32:49 +0200
Subject: [PATCH] harden: swap runtime base to Chainguard JRE, remove dead ENTRYPOINT
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Replace eclipse-temurin:21-jre-alpine (musl) with cgr.dev/chainguard/jre:openjdk-21 (Wolfi/glibc, daily CVE refresh, signed images + SBOM). Remove the dead ENTRYPOINT block — DeploymentExecutor overrides it at container creation anyway.

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 docker/runtime-base/Dockerfile | 26 ++++++++++++--------------
 1 file changed, 12 insertions(+), 14 deletions(-)

diff --git a/docker/runtime-base/Dockerfile b/docker/runtime-base/Dockerfile
index b5148d6..f48daa8 100644
--- a/docker/runtime-base/Dockerfile
+++ b/docker/runtime-base/Dockerfile
@@ -1,19 +1,17 @@
-FROM eclipse-temurin:21-jre-alpine
+# Wolfi-based JRE, glibc, daily-rebuilt with near-zero baseline CVEs,
+# signed images + SBOM published, non-root by default. Pin by digest in
+# production overlays.
+FROM cgr.dev/chainguard/jre:openjdk-21
+
 WORKDIR /app
-# Agent JAR and log appender JAR are copied during CI build from Gitea Maven registry
+# Agent + log appender are baked in; tenant JAR is delivered at deploy
+# time by cameleer-runtime-loader into the RO-mounted /app/jars volume.
 COPY agent.jar /app/agent.jar
 COPY cameleer-log-appender.jar /app/cameleer-log-appender.jar
-ENTRYPOINT exec java \ -Dcameleer.export.type=${CAMELEER_EXPORT_TYPE:-HTTP} \ -Dcameleer.export.endpoint=${CAMELEER_SERVER_URL} \ -Dcameleer.agent.name=${HOSTNAME} \ -Dcameleer.agent.application=${CAMELEER_APPLICATION_ID:-default} \ -Dcameleer.agent.environment=${CAMELEER_ENVIRONMENT_ID:-default} \ -Dcameleer.routeControl.enabled=${CAMELEER_ROUTE_CONTROL_ENABLED:-false} \ -Dcameleer.replay.enabled=${CAMELEER_REPLAY_ENABLED:-false} \ -Dcameleer.health.enabled=true \ -Dcameleer.health.port=9464 \ -javaagent:/app/agent.jar \ -jar /app/app.jar
+# No ENTRYPOINT here. cameleer-server's DeploymentExecutor builds the
+# per-runtime-type entrypoint (spring-boot/quarkus: -jar; plain-java:
+# -cp + main; native: exec) and overrides via withCmd("sh","-c",...).
+# Setting one here only creates drift between this image and the actual
+# runtime command.
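Review bot: The closing comment of the hunk documents that DeploymentExecutor overrides the command via `withCmd("sh","-c",...)`, but `cgr.dev/chainguard/jre:openjdk-21` is a distroless runtime image and, as far as I know, ships no `/bin/sh` (only the `-dev` variants carry busybox), so unlike the removed eclipse-temurin alpine base that override would fail at container start. Either verify in CI that the image really has a shell (`docker run --rm --entrypoint sh cgr.dev/chainguard/jre:openjdk-21 -c true`) or move DeploymentExecutor to an exec-form command that invokes `java` directly; falling back to `jre:openjdk-21-dev` would restore a shell but reintroduces the tooling surface this swap is meant to remove. Separately, the new FROM line still pulls a mutable tag while its comment defers digest pinning to "production overlays", yet nothing in the file lets an overlay substitute the base without editing it; I'd expose it as `ARG BASE_IMAGE=cgr.dev/chainguard/jre:openjdk-21` followed by `FROM ${BASE_IMAGE}` so CI can pass a `@sha256:` digest and cosign-verify it. The 9464 health port and javaagent flags dropped with the ENTRYPOINT are presumably now set by DeploymentExecutor, which is outside this hunk — worth a one-line pointer in the comment to where that logic lives.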