Add hardened UBI 9 minimal image variant
What does this MR do?
Publishes a hardened UBI 9 Minimal variant of the Duo Workflow default image as a peer container image (workflow-generic-image-hardened) alongside the existing workflow-generic-image, reusing the existing multi-arch Kaniko release pipeline.
Refs gitlab-org/gitlab#598547.
Credit to Falko Sieverding (@fsieverding) for the prototype in gl-demo-ultimate-fsieverding/dap-image-hardened.
Note: SRT (sandbox runtime) is not currently included in this image and is not installed at runtime.
Acceptance criteria addressed
This MR addresses only the following AC from #598547:
✅ Hardened image variant published to a stable, documented path
- Registry path: registry.gitlab.com/gitlab-org/duo-workflow/default-docker-image/workflow-generic-image-hardened
- Per-commit: …/workflow-generic-image-hardened:<short-sha> (per-arch suffixes -amd64, -arm64)
- Per-release: …/workflow-generic-image-hardened:<git-tag>
- Multi-arch manifest: linux/amd64, linux/arm64
- Documented in README.md
Changes
- Dockerfile.hardened (new): UBI 9 Minimal base; installs git 2.47.x, git-lfs, Node.js 20, npm, @gitlab/duo-cli, glab; non-root user UID 1001 (duo-runner).
- .gitlab-ci.yml: adds a parallel hardened build/release matrix mirroring the existing jobs.
- README.md: documents both images, runtime inventory, GitLab 18.10+ requirement, and the safe.directory mechanism.
How to verify
- Check the container created by the pipeline of this MR: https://gitlab.com/gitlab-org/duo-workflow/default-docker-image/container_registry/11346369
- Add it to a project's .gitlab/duo/agent-config.yml:
  image: registry.gitlab.com/gitlab-org/duo-workflow/default-docker-image/workflow-generic-image-hardened:<VERSION>
- Start a workflow, confirm it uses the new image and finishes successfully.
Edited by Andras Herczeg
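The verification steps above only confirm that a workflow runs on the image. As an added example (not part of this MR or the project's own scripts), the script below checks the properties the MR actually claims for the hardened image: the process runs as UID 1001 rather than root, git is on the 2.47 line, Node.js is major version 20, and the manifest lists both linux/amd64 and linux/arm64. It assumes a local docker CLI; the image tag is the same <VERSION> placeholder as above and must be set via IMAGE, and the manifest JSON used for the offline self-check is a constructed sample, not registry output.

```sh
#!/bin/sh
# Added example, not from the MR: smoke-test the hardened image's claimed properties.
# Run with --live to query the registry; with no arguments it only runs an
# offline self-check on a constructed manifest sample.
IMAGE="${IMAGE:-registry.gitlab.com/gitlab-org/duo-workflow/default-docker-image/workflow-generic-image-hardened:<VERSION>}"

# Constructed sample of `docker manifest inspect` output with both platforms
# (not real registry output; used for the offline self-check).
SAMPLE_MANIFEST='{"schemaVersion":2,"manifests":[{"platform":{"architecture":"amd64","os":"linux"}},{"platform":{"architecture":"arm64","os":"linux"}}]}'

# Each check takes the relevant command output as its argument, so the same
# logic can be exercised offline and against a live image.

# `id -u` inside the container must be 1001 (duo-runner), never 0.
check_uid() { [ "$1" = "1001" ]; }

# `git --version` prints "git version X.Y.Z"; require the 2.47 line.
check_git_version() {
  case "$1" in
    "git version 2.47."*) return 0 ;;
    *) return 1 ;;
  esac
}

# `node --version` prints "vMAJOR.MINOR.PATCH"; require major 20.
check_node_version() {
  case "$1" in
    v20.*) return 0 ;;
    *) return 1 ;;
  esac
}

# Manifest JSON must list both amd64 and arm64 platforms. Whitespace is
# stripped first so pretty-printed and compact JSON both match.
check_manifest_platforms() {
  archs=$(printf '%s' "$1" | tr -d ' \n\t' | grep -o '"architecture":"[a-z0-9]*"' | sort -u || true)
  printf '%s\n' "$archs" | grep -q '"architecture":"amd64"' &&
  printf '%s\n' "$archs" | grep -q '"architecture":"arm64"'
}

# Live checks: each docker invocation overrides the entrypoint so the image's
# own entrypoint does not interfere with reading a single tool's output.
live_checks() {
  check_uid "$(docker run --rm --entrypoint id "$IMAGE" -u)" \
    || { echo "FAIL: container does not run as UID 1001"; exit 1; }
  check_git_version "$(docker run --rm --entrypoint git "$IMAGE" --version)" \
    || { echo "FAIL: git is not 2.47.x"; exit 1; }
  check_node_version "$(docker run --rm --entrypoint node "$IMAGE" --version)" \
    || { echo "FAIL: node is not major version 20"; exit 1; }
  check_manifest_platforms "$(docker manifest inspect "$IMAGE")" \
    || { echo "FAIL: manifest lacks linux/amd64 or linux/arm64"; exit 1; }
  echo "all checks passed for $IMAGE"
}

if [ "${1:-}" = "--live" ]; then
  live_checks
else
  check_manifest_platforms "$SAMPLE_MANIFEST" \
    && echo "offline self-check passed; run with --live to test $IMAGE"
fi
```

Running `IMAGE=…/workflow-generic-image-hardened:<git-tag> sh smoke.sh --live` after a release gives a quick pass/fail on the non-root and toolchain claims; extend live_checks with further `docker run --rm --entrypoint <tool>` lines for git-lfs, glab and duo-cli as needed.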