Removing JDWP in Production Container Images

I'm working to evolve our production environment, and have stumbled into an interesting situation.

We package our microservices into containers, and have several different deployment environments - trunk (for development), integration (for test and verification), and production.

Recently, I've been working to slim down our containers, shifting to alpine base images, and am working to make things more consistent across all of our services. One thing that we've started doing is to use custom-built JREs that only contain the modules necessary to run the application code.

While using JLink to build the JREs to include in the base images, I configured it to not include the jdk.jdwp.agent module, as it isn't needed in production. In my thoughts (correct me if I'm wrong in my thinking here), this reduces both the attack surface (by having fewer things in production) and the size of the image.

The challenge here is that when we use this base image, we can no longer debug code in our trunk environment during development, which is obviously very useful.

My questions come down to the following:

  • Am I being overly cautious to remove jdwp from the JRE in the base image, and hobbling our development team unnecessarily (premature optimization?)
  • If this is the right approach, how do we address it to get remote debugging back to the trunk environment? I have a separate base image that includes the full JDK with debug support, but if we use that for trunk and not production, we're not developing / deploying with a consistent configuration. Is that a bad idea?
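
A check for the situation described in the question, as an added example that is not part of the original post: it classifies a runtime image from its `java --list-modules` output and its JVM options. The function names, verdict labels and sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example. Real use inside an image:
#   java --list-modules | jdwp_audit "$JAVA_TOOL_OPTIONS"

jdwp_audit() {  # stdin: `java --list-modules` output, $1: JVM options
    opts="$1"
    module=absent
    agent=off

    # --list-modules prints one "name@version" entry per line.
    while IFS= read -r line; do
        case "${line%%@*}" in
            jdk.jdwp.agent) module=present ;;
        esac
    done

    # The current and the legacy option spelling load the same agent.
    case " $opts " in
        *" -agentlib:jdwp"*|*" -Xrunjdwp"*) agent=on ;;
    esac

    case "$module/$agent" in
        absent/off)  echo "clean" ;;           # nothing to attach to
        present/off) echo "module-present" ;;  # shipped, not switched on
        present/on)  echo "debug-enabled" ;;   # debugger can attach
        absent/on)   echo "broken-config" ;;   # JVM cannot load the agent
                                               # and exits at startup
    esac
}

# Constructed sample data (not taken from a real image).
SAMPLE_SLIM='java.base@17.0.9
java.logging@17.0.9
java.net.http@17.0.9'

SAMPLE_DEBUG="$SAMPLE_SLIM
jdk.jdwp.agent@17.0.9"

SAMPLE_OPTS='-Xmx256m -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=*:5005'

audit_sample() {  # $1: module list, $2: JVM options
    printf '%s\n' "$1" | jdwp_audit "$2"
}

audit_sample "$SAMPLE_SLIM"  "-Xmx256m"      # prints: clean
audit_sample "$SAMPLE_DEBUG" "$SAMPLE_OPTS"  # prints: debug-enabled
```

The `broken-config` verdict covers a slimmed image that still inherits a debug flag from a shared deployment template.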


Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow