From 7cd48d0ab09dcf6489c821bce2a053e622c79011 Mon Sep 17 00:00:00 2001
From: Appu
Date: Thu, 14 Sep 2023 12:31:35 -0400
Subject: [PATCH 1/2] Disabled CGO in builds
Update to debian12-static, we do not need libssl or libc from base Disable cgo in Makefile and goreleaser
Signed-off-by: Appu Goundan
---
 .goreleaser.yml | 3 ++-
 .ko.yaml | 11 +++++------
 2 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/.goreleaser.yml b/.goreleaser.yml
index a0881b2c3..9a55fb619 100644
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@@ -2,9 +2,10 @@ project_name: fulcio
 env:
 - GO111MODULE=on
- - CGO_ENABLED=1
 - DOCKER_CLI_EXPERIMENTAL=enabled
 - COSIGN_YES=true
+# If you need support for the the "createca" command, you must enable CGO
+ - CGO_ENABLED=0
 # Prevents parallel builds from stepping on eachothers toes downloading modules
 before:
diff --git a/.ko.yaml b/.ko.yaml
index 398f20bd2..26ce2f1d7 100644
--- a/.ko.yaml
+++ b/.ko.yaml
@@ -1,12 +1,11 @@
-defaultBaseImage: gcr.io/distroless/base-debian10
+defaultBaseImage: gcr.io/distroless/static-debian12
 builds:
 - main: .
 env:
- - CGO_ENABLED=1
-# If you are deploying from M1, you can use this (uncomment below, and
-# comment out above), though it does remove the support for the "createca" command.
-# But at least you can deploy it from M1 using this.
-# - CGO_ENABLED=0
+ - CGO_ENABLED=0
+# If you need support for the the "createca" command, you must enable
+# CGO and use a base image with gblic (base instead of static)
+# - CGO_ENABLED=1
 flags:
 - -trimpath
 - -tags
From a795dec2ab5089c62e90c6832b7958a145e7d58c Mon Sep 17 00:00:00 2001
From: Hayden B
Date: Tue, 19 Sep 2023 13:15:32 -0700
Subject: [PATCH 2/2] Use nonroot image
---
 .ko.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.ko.yaml b/.ko.yaml
index 26ce2f1d7..7ad86b50d 100644
--- a/.ko.yaml
+++ b/.ko.yaml
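Review bot: In the `.goreleaser.yml` hunk of patch 1/2, the added comment sits at column 0 in the middle of the `env:` list and repeats a word (`the the`); indenting it with the list entries and wording it as `# "createca" needs cgo; set CGO_ENABLED=1 to build with it` would read more clearly. The commit message mentions the Makefile, but the diffstat lists only `.goreleaser.yml` and `.ko.yaml`, so local `make` builds may still differ from release builds; worth confirming. Release binaries will now be built without cgo, and what `createca` does when invoked in such a build is not visible here, so the comment or the release notes should state it.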
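Review bot: The new `defaultBaseImage` in the `.ko.yaml` hunk of patch 1/2 carries neither a tag nor a digest, so each build pulls whatever `latest` resolves to at that moment and the image contents can change without any change in this repository. Pinning it, e.g. `defaultBaseImage: gcr.io/distroless/static-debian12@sha256:<digest-placeholder>`, makes base-image updates deliberate and reviewable; the same applies to the `:nonroot` reference introduced by patch 2/2, since a tag is also mutable. The added comment has two typos, `the the` and `gblic` (glibc). The `flags:` list continues past the end of the hunk.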
@@ -1,4 +1,4 @@
-defaultBaseImage: gcr.io/distroless/static-debian12
+defaultBaseImage: gcr.io/distroless/static-debian12:nonroot
 builds:
 - main: .
 env:
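Review bot: The `:nonroot` tag changes only the image's default user, so this line alone does not guarantee that the process stays unprivileged or that it still starts: a deployment can override the user, and any mounted key material or configuration must now be readable without root. A comment above the line would record the expectation, e.g. `# nonroot variant: runs as an unprivileged user; mounted keys/config must be readable by it`. If the image is deployed on Kubernetes, `runAsNonRoot: true` in the pod security context enforces the same property at admission rather than relying on the image default. The `builds:` mapping continues past the end of this hunk.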