@@ -16,20 +16,9 @@ RUN unset VERSION \
1616 && if [ "$TARGETARCH" = "arm64" ]; then export PULUMI_URL="${PULUMI_BASE_URL}-linux-arm64.tar.gz" ; fi \
1717 && echo ${PULUMI_URL} \
1818 && curl -L ${PULUMI_URL} -o pulumicli.tar.gz \
19- && tar -xzvf pulumicli.tar.gz
19+ && tar -xzvf pulumicli.tar.gz
2020
21- FROM registry.access.redhat.com/ubi9/go-toolset@sha256:1c1259373e6feb4b57de490452379c40888cf6e876154cd2ace17eae9c64a7ea
22- ARG TARGETARCH
23- LABEL org.opencontainers.image.authors="Redhat Developer"
24-
25- COPY --from=builder /workspace/out/mapt /workspace/pulumi/pulumi /usr/local/bin/
26-
27- ENV PULUMI_CONFIG_PASSPHRASE "passphrase"
28-
29- ENV AWS_SDK_LOAD_CONFIG=1 \
30- ARCH_N=x86_64
31-
32- # Pulumi plugins
21+ # Pulumi plugins — installed in build stage, copied into runtime
3322# renovate: datasource=github-releases depName=pulumi/pulumi-aws
3423ARG PULUMI_AWS_VERSION=v7.30.0
3524# renovate: datasource=github-releases depName=pulumi/pulumi-awsx
@@ -50,10 +39,9 @@ ARG PULUMI_GITLAB_VERSION=v9.11.0
5039ARG PULUMI_IBMCLOUD_VERSION=v0.0.12
5140ENV IBMCLOUD_PLUGIN_URL https://github.com/mapt-oss/pulumi-ibmcloud/releases/download/${PULUMI_IBMCLOUD_VERSION}/pulumi-resource-ibmcloud-${PULUMI_IBMCLOUD_VERSION}-linux-${TARGETARCH}.tar.gz
5241
53- ENV PULUMI_HOME "/opt/mapt/run"
54- WORKDIR ${PULUMI_HOME}
55-
56- RUN mkdir -p /opt/mapt/run \
42+ ENV PULUMI_HOME "/opt/pulumi-plugins"
43+ ENV PATH="/workspace/pulumi:${PATH}"
44+ RUN mkdir -p ${PULUMI_HOME} \
5745 && curl -L ${IBMCLOUD_PLUGIN_URL} -o pulumi-resource-ibmcloud.tar.gz \
5846 && tar -xzvf pulumi-resource-ibmcloud.tar.gz \
5947 && pulumi plugin install resource ibmcloud ${PULUMI_IBMCLOUD_VERSION} --file pulumi-resource-ibmcloud \
@@ -65,11 +53,28 @@ RUN mkdir -p /opt/mapt/run \
6553 && pulumi plugin install resource random ${PULUMI_RANDOM_VERSION} \
6654 && pulumi plugin install resource awsx ${PULUMI_AWSX_VERSION} \
6755 && pulumi plugin install resource aws-native ${PULUMI_AWS_NATIVE_VERSION} \
68- && pulumi plugin install resource gitlab ${PULUMI_GITLAB_VERSION} \
69- && chown -R 1001:0 /opt/mapt/run \
56+ && pulumi plugin install resource gitlab ${PULUMI_GITLAB_VERSION}
57+
58+ # Stage 2: Red Hat Hardened minimal runtime (glibc + coreutils, no toolchain)
59+ FROM registry.access.redhat.com/hi/core-runtime@sha256:c58439d153bf82ed9c4b4936a14091ce6e15fcd5dc8ca8ba9e0fbb113daa6a5f
60+ USER 0
61+ ARG TARGETARCH
62+ LABEL org.opencontainers.image.authors="Redhat Developer"
63+
64+ COPY --from=builder /workspace/out/mapt /workspace/pulumi/pulumi /usr/local/bin/
65+
66+ ENV PULUMI_CONFIG_PASSPHRASE "passphrase"
67+
68+ ENV AWS_SDK_LOAD_CONFIG=1 \
69+ ARCH_N=x86_64
70+
71+ ENV PULUMI_HOME "/opt/mapt/run"
72+ WORKDIR ${PULUMI_HOME}
73+
74+ COPY --from=builder /opt/pulumi-plugins/ /opt/mapt/run/
75+ RUN chown -R 65532:0 /opt/mapt/run \
7076 && chmod -R ug+rwx /opt/mapt/run
7177
72- USER 1001
78+ USER 65532
7379ENTRYPOINT ["mapt" ]
7480CMD ["-h" ]
75-
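Review bot: The new runtime stage still bakes `ENV PULUMI_CONFIG_PASSPHRASE "passphrase"` into the image (new line 66), so every container started from it uses the same publicly known value unless the caller overrides it. When Pulumi's passphrase secrets provider is in use, that value protects the secrets stored in stack config and state, so anything written with the default is only as protected as the storage holding the state. As this commit otherwise hardens the runtime image, consider dropping the default and requiring the variable at run time, or at least adding a comment such as `# placeholder only; override PULUMI_CONFIG_PASSPHRASE at run time`. Separately, the builder fetches the plugin tarball with `curl -L ${IBMCLOUD_PLUGIN_URL}` and no digest check, whereas both base images are pinned by sha256; adding `-f` and a checksum comparison before `tar` would close that gap.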