
Consider migrating Connectors SaaS images to hardened base images #6473

@team-connectors-int-automation

Description

Summary

The Connectors SaaS bundle currently uses eclipse-temurin:21.0.10_7-jre as its base image, while the Self-Managed (SM) bundle uses a hardened image (reg.mini.dev/1212/openjre-base:v21.0.10-dev). Because of this discrepancy, the SaaS images may carry more CVEs that need handling than the hardened SM images.

Context

  • Affected versions: 8.6, 8.7, 8.8, and main branch
  • Current base images:
    • SaaS: eclipse-temurin:21.0.10_7-jre
    • SM: reg.mini.dev/1212/openjre-base:v21.0.10-dev (hardened)
  • Why SM uses hardened images: the Infrastructure team introduced hardened images for SM to meet customer requirements (addressing Medium severity vulnerabilities within 10–12 days, as per product-hub#3101)
  • Why SaaS hasn't migrated yet: opportunity cost; the effort required for compatibility verification, implementation, and testing has been deprioritized in favor of other SM-related work

Proposed Solution

Migrate the SaaS Connectors bundle to use the same hardened base images as SM. The changes should be relatively straightforward based on PR #5870.

Suggested approach:

  1. Apply the changes to the 8.9 release first
  2. Monitor for any compatibility issues
  3. Decide after ~1 month whether to backport to earlier versions (8.6, 8.7, 8.8)
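As an added illustration of the migration (not code from the Connectors repository or from PR #5870), one Dockerfile can build the bundle from either base image via a build argument, so the current SaaS image and the hardened variant can be built and compared side by side during the compatibility check. The jar path, working directory, and image tags are hypothetical placeholders.

```dockerfile
# Added example, not the project's own Dockerfile. The base image is a build
# argument so the same file produces both variants for comparison.
# Default: the hardened image already used by the Self-Managed bundle.
ARG BASE_IMAGE=reg.mini.dev/1212/openjre-base:v21.0.10-dev

FROM ${BASE_IMAGE}

# Hypothetical artifact location and name; replace with the bundle's real paths.
WORKDIR /opt/connectors
COPY target/connector-runtime-bundle.jar /opt/connectors/app.jar

# Exec form does not spawn /bin/sh, so the image works even if the hardened
# base ships without a shell (an assumption about the base, not a verified fact).
ENTRYPOINT ["java", "-jar", "/opt/connectors/app.jar"]

# Build the current SaaS variant for a baseline:
#   docker build --build-arg BASE_IMAGE=eclipse-temurin:21.0.10_7-jre -t connectors:temurin .
# Build the hardened variant (the default BASE_IMAGE):
#   docker build -t connectors:hardened .
# Smoke check for the "monitor for compatibility issues" step, run against both tags;
# --entrypoint is needed because ENTRYPOINT would otherwise prepend "java -jar app.jar":
#   docker run --rm --entrypoint java connectors:hardened -version
```

Scanning both tags with the same vulnerability scanner gives the CVE-count difference the issue describes; divergent runtime behaviour between the two tags is the compatibility signal to watch for before backporting.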

Additional Notes

  • The main challenge is verifying compatibility rather than the implementation itself
  • Using hardened images would reduce CVE handling burden for the SaaS bundle
  • The Infrastructure team may eventually roll this out, but the timeline is uncertain
  • Related Dockerfiles:
