From 05bb32d525e8d54190bca97a810797d84cda945b Mon Sep 17 00:00:00 2001
From: Charlie Le
Date: Mon, 22 Jun 2026 17:05:37 -0700
Subject: [PATCH] Use distroless base image for runtime container images
Switch the cortex, query-tee, thanosconvert, and test-exporter runtime images from alpine:3.23 to gcr.io/distroless/static-debian12. The binaries are fully static (CGO_ENABLED=0, netgo), so they have no shell or libc dependency at runtime. CA certificates are bundled in the distroless image, so the apk ca-certificates install is dropped. The image continues to run as root (uid 0) so the default HTTP listen port 80 keeps binding.
Signed-off-by: Charlie Le
---
 CHANGELOG.md | 1 +
 cmd/cortex/Dockerfile | 4 ++--
 cmd/query-tee/Dockerfile | 4 ++--
 cmd/test-exporter/Dockerfile | 4 ++--
 cmd/thanosconvert/Dockerfile | 4 ++--
 5 files changed, 9 insertions(+), 8 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 3319c6d2659..4149926e7c8 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -24,6 +24,7 @@
 * [ENHANCEMENT] Metrics Helper: Add native histogram support for aggregating and merging, including dual-format histogram handling that exposes both native and classic bucket formats. #7359
 * [ENHANCEMENT] Cache: Add per-tenant TTL configuration for query results cache to control cache expiration on a per-tenant basis with separate TTLs for regular and out-of-order data. #7357
 * [ENHANCEMENT] Update build image and Go version to 1.26. #7437
+* [ENHANCEMENT] Upgraded container base images from `alpine:3.23` to `gcr.io/distroless/static-debian12`, reducing image size and attack surface. #7637
 * [ENHANCEMENT] Query Scheduler: Add `cortex_query_scheduler_tracked_requests` metric to track the current number of requests held by the scheduler. #7355
 * [ENHANCEMENT] Compactor: Prevent partition compaction to compact any blocks marked for deletion. #7391
 * [ENHANCEMENT] Distributor: Optimize memory allocations by reusing the existing capacity of these pooled slices in the Prometheus Remote Write 2.0 path. #7392
diff --git a/cmd/cortex/Dockerfile b/cmd/cortex/Dockerfile
index dd0f81fe9ac..812ac42b70b 100644
--- a/cmd/cortex/Dockerfile
+++ b/cmd/cortex/Dockerfile
@@ -1,7 +1,7 @@
-FROM alpine:3.23
+ARG BASEIMG=gcr.io/distroless/static-debian12:latest
+FROM ${BASEIMG}
 ARG TARGETARCH
-RUN apk add --no-cache ca-certificates
 COPY migrations /migrations/
 COPY cortex-$TARGETARCH /bin/cortex
 EXPOSE 80
diff --git a/cmd/query-tee/Dockerfile b/cmd/query-tee/Dockerfile
index da1ddeda265..c09edda9ab9 100644
--- a/cmd/query-tee/Dockerfile
+++ b/cmd/query-tee/Dockerfile
@@ -1,7 +1,7 @@
-FROM alpine:3.23
+ARG BASEIMG=gcr.io/distroless/static-debian12:latest
+FROM ${BASEIMG}
 ARG TARGETARCH
-RUN apk add --no-cache ca-certificates
 COPY query-tee-$TARGETARCH /query-tee
 ENTRYPOINT ["/query-tee"]
diff --git a/cmd/test-exporter/Dockerfile b/cmd/test-exporter/Dockerfile
index c6cd51145d4..afd639a80d7 100644
--- a/cmd/test-exporter/Dockerfile
+++ b/cmd/test-exporter/Dockerfile
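Review bot: The new `ARG BASEIMG` default in cmd/cortex/Dockerfile ends in `:latest`, so each rebuild may silently pull a different distroless root layer, which gives up the reproducibility and auditability the move to a static base otherwise buys; the same default appears in the query-tee, test-exporter and thanosconvert Dockerfiles. Pin the default to a digest, `ARG BASEIMG=gcr.io/distroless/static-debian12@sha256:<digest-placeholder>`, and bump it deliberately, while `--build-arg BASEIMG=…` still lets a build override it. The cortex ENTRYPOINT line sits outside this hunk; since the distroless image ships no `/bin/sh`, it is worth confirming it is in exec (JSON-array) form, as a shell-form entrypoint would fail to start at all.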
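Review bot: The query-tee image keeps running as uid 0, but the commit message's reason for that (binding the default listen port 80) is specific to cortex, and nothing in this hunk shows query-tee needs a privileged port. If its default listen port is above 1024, changing the default to the `:nonroot` tag of the same image drops root at no cost; the same consideration applies to the test-exporter and thanosconvert hunks. Whichever way it is decided, a one-line comment at the `FROM`, such as `# runs as uid 0 deliberately: <reason>`, would stop the next reader from re-raising it.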
@@ -1,6 +1,6 @@
-FROM alpine:3.23
+ARG BASEIMG=gcr.io/distroless/static-debian12:latest
+FROM ${BASEIMG}
 ARG TARGETARCH
-RUN apk add --no-cache ca-certificates
 COPY test-exporter-$TARGETARCH /test-exporter
 ENTRYPOINT ["/test-exporter"]
diff --git a/cmd/thanosconvert/Dockerfile b/cmd/thanosconvert/Dockerfile
index fe775c3c549..3412a924625 100644
--- a/cmd/thanosconvert/Dockerfile
+++ b/cmd/thanosconvert/Dockerfile
@@ -1,6 +1,6 @@
-FROM alpine:3.23
+ARG BASEIMG=gcr.io/distroless/static-debian12:latest
+FROM ${BASEIMG}
 ARG TARGETARCH
-RUN apk add --no-cache ca-certificates
 COPY thanosconvert-$TARGETARCH /thanosconvert
 ENTRYPOINT ["/thanosconvert"]