ADR-003: Webapp E2E Container Standard
Purpose: For contributors and platform engineers, explains the decision to standardize on the distroless runtime image for webapp end-to-end testing.
Status
Accepted
Context
The webapp E2E testing workflow requires a Podman-based container build with a local Kanidm container dependency. The build produces two runtime images:
- A Red Hat UBI runtime image (full OS, shell available)
- A distroless runtime image (minimal, no shell)
Both images must pass a login smoke test against Kanidm. The question is which image to use as the default for E2E workflows.
Decision
Standardize on the distroless runtime image (localhost/opencenter-baseui-e2e:distroless) for E2E by default. UBI remains available as a supported fallback for debugging workflows.
Analysis
Comparison from scripts/podman/analyze-webapp-e2e-images.sh:
| Image | Size (MiB) | Layers | Shell Available | Login Smoke Test | Startup |
|---|---|---|---|---|---|
| UBI | 603.85 | 4 | yes | pass | 1s |
| Distroless | 136.04 | 20 | no | pass | 1s |
Distroless is 78% smaller with identical functional behavior.
Rationale
- Minimizes runtime footprint and attack surface
- Passes the login smoke test identically to UBI
- Fewer OS-level components reduce vulnerability exposure
- Aligns with container security best practices
Consequences
Positive:
- Smaller default runtime image (136 MiB vs 604 MiB)
- Reduced attack surface for E2E test containers
- Reproducible comparison path using the analysis script
Trade-offs:
- Distroless has no shell, making interactive debugging harder
- Troubleshooting may require switching to UBI: set WEBAPP_E2E_IMAGE=localhost/opencenter-baseui-e2e:ubi
Implementation
- Root Containerfile with targets: runtime-ubi, runtime-distroless
- Build script: scripts/podman/build-webapp-e2e-images.sh
- Analysis script: scripts/podman/analyze-webapp-e2e-images.sh
- E2E test: tests/e2e/kanidm-podman-webapp.e2e.test.ts