Replies: 2 comments
Version pinning with renovate 👍
We decided to pin OpenJDK runtime images, as Renovate bot pins Docker image versions using the SHA digest anyway (for security reasons). To make version bumps suggested by Renovate more transparent, we will use a specific version tag from now on. This discussion will be closed.
refarch-apigateway and the integration services provide a `Dockerfile` to build the image. Currently `registry.access.redhat.com/ubi9/openjdk-21-runtime:latest` is used.

Would it be better to pin the image version to a specific tag like `registry.access.redhat.com/ubi9/openjdk-21-runtime:1.20`? (Note that the tag version has nothing to do with the JDK version.)

This would lead to a deterministic build process of our container images. The image updates can be handled via Renovate.

However, Red Hat themselves suggest always using the latest image, as those will contain the newest security patches. Old images might suffer from an increasing number of CVEs. On the other hand, if Red Hat releases a new `latest` image with new CVEs, we will use that for our image builds and vulnerability might increase.

@simonhir @DanielOber @darenegade @FabianWilms What do you think about this? Please provide your opinion. ;)
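The three pinning levels discussed in this thread (floating `latest`, a version tag, a tag plus SHA digest) can be told apart mechanically from a Dockerfile's `FROM` lines. The following is an added example, not code from the discussion or the refarch projects. The function names are hypothetical and the digest in the sample is a constructed placeholder.

```python
import re

# One FROM instruction: optional --platform flag, image reference, optional "AS <stage>".
FROM_RE = re.compile(
    r"^\s*FROM\s+(?:--platform=\S+\s+)?(?P<ref>\S+)(?:\s+AS\s+(?P<stage>\S+))?\s*$",
    re.IGNORECASE,
)

def classify_ref(ref):
    """Return 'digest', 'tag', 'floating' or 'variable' for an image reference."""
    if "$" in ref:
        return "variable"          # resolved from an ARG at build time
    if "@sha256:" in ref:
        return "digest"            # content-addressed, cannot change under the tag
    # Look for the tag only after the last '/', so that a registry port such
    # as localhost:5000/app is not mistaken for a tag.
    name = ref.rsplit("/", 1)[-1]
    tag = name.split(":", 1)[1] if ":" in name else ""
    return "floating" if tag in ("", "latest") else "tag"

def audit_dockerfile(text):
    """Return (line_number, reference, classification) for each external base image."""
    stages, findings = set(), []
    for number, line in enumerate(text.splitlines(), start=1):
        match = FROM_RE.match(line)
        if not match:
            continue
        ref = match.group("ref")
        # Skip "scratch" and references to an earlier build stage.
        if ref.lower() != "scratch" and ref not in stages:
            findings.append((number, ref, classify_ref(ref)))
        if match.group("stage"):
            stages.add(match.group("stage"))
    return findings

# Constructed sample; the digest is a placeholder, not a real image digest.
PLACEHOLDER_DIGEST = "sha256:" + "0" * 64
SAMPLE = f"""\
FROM registry.access.redhat.com/ubi9/openjdk-21-runtime:latest AS floating
FROM registry.access.redhat.com/ubi9/openjdk-21-runtime:1.20 AS tagged
FROM registry.access.redhat.com/ubi9/openjdk-21-runtime:1.20@{PLACEHOLDER_DIGEST}
COPY --from=tagged /deployments /deployments
"""

if __name__ == "__main__":
    for number, ref, kind in audit_dockerfile(SAMPLE):
        print(f"line {number}: {kind:8} {ref}")
```

Only the `digest` form guarantees that two builds pull identical base image content; a `tag` reference is readable in review but the registry can still move the tag to a new image.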