Bump libgit2 dependencies to debian bookworm

Signed-off-by: Paulo Gomes <paulo.gomes@weave.works>

.github/actions/run-tests/Dockerfile

@@ -3,7 +3,7 @@ ARG GO_VERSION=1.17.5
 ARG XX_VERSION=1.1.0
 
 ARG LIBGIT2_IMG=ghcr.io/fluxcd/golang-with-libgit2
-ARG LIBGIT2_TAG=libgit2-1.1.1-2
+ARG LIBGIT2_TAG=libgit2-1.1.1-3
 
 FROM tonistiigi/xx:${XX_VERSION} AS xx
 FROM ${LIBGIT2_IMG}:${LIBGIT2_TAG} as libgit2

Dockerfile

@@ -3,7 +3,7 @@ ARG GO_VERSION=1.17
 ARG XX_VERSION=1.1.0
 
 ARG LIBGIT2_IMG=ghcr.io/fluxcd/golang-with-libgit2
-ARG LIBGIT2_TAG=libgit2-1.1.1-2
+ARG LIBGIT2_TAG=libgit2-1.1.1-3
 
 FROM --platform=$BUILDPLATFORM tonistiigi/xx:${XX_VERSION} AS xx
 FROM ${LIBGIT2_IMG}:${LIBGIT2_TAG} as libgit2
@@ -16,6 +16,15 @@ FROM go-${TARGETOS} AS build-base-bullseye
 
 # Copy the build utilities
 COPY --from=xx / /
+
+# Align golang base image with bookworm. 
+# TODO: Replace this with a golang bookworm variant, once that is released.
+RUN echo "deb http://deb.debian.org/debian bookworm main" > /etc/apt/sources.list.d/bookworm.list \
+	&& echo "deb-src http://deb.debian.org/debian bookworm main" /etc/apt/sources.list.d/bookworm.list \
+	&& xx-apt update \
+	&& xx-apt -t bookworm upgrade -y \
+	&& xx-apt -t bookworm install -y curl
+
 COPY --from=libgit2 /Makefile /libgit2/
 
 # Install the libgit2 build dependencies
@@ -28,9 +37,6 @@ FROM build-base-${BASE_VARIANT} as libgit2-bullseye
 
 ARG TARGETPLATFORM
 
-# build libgit2 in release mode
-ARG BUILD_TYPE=Release
-
 # First build libgit2 statically, this ensures that all its dependencies
 # will be statically available as well.
 ARG BUILD_SHARED_LIBS=OFF
@@ -39,6 +45,8 @@ RUN FLAGS=$(xx-clang --print-cmake-defines) make -C /libgit2 libgit2
 # Rebuild libgit2 this time to generate the shared libraries.
 ARG BUILD_SHARED_LIBS=ON
 RUN FLAGS=$(xx-clang --print-cmake-defines) make -C /libgit2 libgit2
+# Logs glibc version used at built time. The final image must be compatible with it.
+RUN ldd --version ldd > /libgit2/built-on-glibc-version
 
 
 FROM libgit2-${BASE_VARIANT} as build
@@ -70,20 +78,25 @@ ARG TARGETPLATFORM
 # Others (such as libc, librt, libdl and libpthread) are resolved at run-time.
 # To decrease the likelihood of such dependencies being out of sync, the base build image
 # should be aligned with the target (i.e. same debian variant).
-RUN xx-go build \
-        -ldflags "-s -w -extldflags \"/usr/lib/$(xx-info triple)/libssh2.a /usr/lib/$(xx-info triple)/libssl.a /usr/lib/$(xx-info triple)/libcrypto.a /usr/lib/$(xx-info triple)/libz.a -Wl,--unresolved-symbols=ignore-in-object-files -Wl,-allow-shlib-undefined -static\"" \
-        -tags 'netgo,osusergo,static_build' -o source-controller -trimpath main.go;
+RUN FLAGS=$(pkg-config --static --libs --cflags libssh2 libgit2 libssl libcrypto zlib openssl) \
+	xx-go build \
+        -ldflags "-s -w -extldflags \"/usr/lib/$(xx-info triple)/libssh2.a /usr/lib/$(xx-info triple)/libssl.a /usr/lib/$(xx-info triple)/libcrypto.a /usr/lib/$(xx-info triple)/libz.a -Wl,--unresolved-symbols=ignore-in-object-files -Wl,-allow-shlib-undefined ${FLAGS} -static\"" \
+        -tags 'netgo,osusergo,static_build' \
+        -o source-controller -trimpath main.go;
 
-# Cannot use distroless/static due to lingering dependencies on libnss.
-FROM gcr.io/distroless/base-debian11 as controller
+# The target image must aligned with apt sources used for libgit2.
+FROM debian:bookworm-slim as controller
 
 # Link repo to the GitHub Container Registry image
 LABEL org.opencontainers.image.source="https://github.com/fluxcd/source-controller"
 
+ARG TARGETPLATFORM
+RUN apt update && apt install -y ca-certificates
+
 # Copy over binary from build
 COPY --from=build /workspace/source-controller /usr/local/bin/
+COPY --from=libgit2-bullseye /libgit2/built-on-glibc-version /
 COPY ATTRIBUTIONS.md /
 
-# leverages nonroot available in gcr.io/distroless/base-debian11
-USER nonroot
+USER 65534:65534
 ENTRYPOINT [ "source-controller" ]

Makefile

@@ -4,7 +4,7 @@ TAG ?= latest
 
 # Base image used to build the Go binary
 LIBGIT2_IMG ?= ghcr.io/fluxcd/golang-with-libgit2
-LIBGIT2_TAG ?= libgit2-1.1.1-2
+LIBGIT2_TAG ?= libgit2-1.1.1-3
 
 # Allows for defining additional Docker buildx arguments,
 # e.g. '--push'.

hack/ci/e2e.sh

@@ -54,7 +54,10 @@ function cleanup(){
 }
 trap cleanup EXIT
 
+# Wait for nodes to be ready and pods to be running
 kubectl wait node "${KIND_CLUSTER_NAME}-control-plane" --for=condition=ready --timeout=2m
+kubectl wait --for=condition=ready -n kube-system -l k8s-app=kube-dns pod
+kubectl wait --for=condition=ready -n local-path-storage -l app=local-path-provisioner pod
 
 echo "Build, load image into kind and deploy controller"
 make docker-build IMG="${IMG}" TAG="${TAG}" BUILD_PLATFORMS="${BUILD_PLATFORM}" BUILD_ARGS=--load

hack/update-attributions.sh

@@ -19,7 +19,7 @@ https://github.com/libssh2/libssh2/
 
 No changes were made to its original source code. 
 
-Copyright notice (https://raw.githubusercontent.com/libssh2/libssh2/main/COPYING):
+Copyright notice (https://raw.githubusercontent.com/libssh2/libssh2/master/COPYING):
 
 $(curl --max-time 5 -L https://raw.githubusercontent.com/libssh2/libssh2/master/COPYING)