From 67965f8771e937d11d0e85277939f9e413d8b58d Mon Sep 17 00:00:00 2001
From: Diogo Souza
Date: Thu, 11 Jun 2026 21:15:57 -0300
Subject: [PATCH 1/2] cve bumps and building bins locally
---
 hack/make/deps.mk | 14 +++-------
 package/Dockerfile | 65 ++++++++++++++++++++++++++++++++--------------
 2 files changed, 48 insertions(+), 31 deletions(-)
diff --git a/hack/make/deps.mk b/hack/make/deps.mk
index 0eb1d89..1159e93 100644
--- a/hack/make/deps.mk
+++ b/hack/make/deps.mk
@@ -3,20 +3,12 @@ HELM_SUM_arm64 := 1f8de130dfbd04de64978e7b852a7a547be1404956a366608276d2520b6786 HELM_SUM_amd64 := 97dbeb971be4ac4b27e3839976d9564c0fb35c6f3b1da89dd1e292d236af4096 # renovate-local: kubectl-amd64 -KUBECTL_VERSION := v1.36.0 -# renovate-local: kubectl-arm64=v1.36.0 -KUBECTL_SUM_arm64 := 9f9d9c44a7b5264515ac9da5991584e2395bd50662e651132337e7b4d0c56f8f -# renovate-local: kubectl-amd64=v1.36.0 -KUBECTL_SUM_amd64 := 123d8c8844f46b1244c547fffb3c17180c0c26dac9890589fe7e67763298748e +KUBECTL_VERSION := v1.36.1 # renovate: datasource=github-release-attachments depName=derailed/k9s K9S_VERSION := v0.50.18 -# renovate: datasource=github-release-attachments depName=derailed/k9s digestVersion=v0.50.18 -K9S_SUM_arm64 := d3dcc051d6be26ee911c00f583412802ebe203a189e51bc079332cb410c83b38 -# renovate: datasource=github-release-attachments depName=derailed/k9s digestVersion=v0.50.18 -K9S_SUM_amd64 := 0b697ed4aa80997f7de4deeed6f1fba73df191b28bf691b1f28d2f45fa2a9e9b # Reduces the code duplication on Makefile by keeping all args into a single variable. IMAGE_ARGS := --build-arg HELM_VERSION=$(HELM_VERSION) --build-arg HELM_SUM_arm64=$(HELM_SUM_arm64) --build-arg HELM_SUM_amd64=$(HELM_SUM_amd64) \ - --build-arg KUBECTL_VERSION=$(KUBECTL_VERSION) --build-arg KUBECTL_SUM_arm64=$(KUBECTL_SUM_arm64) --build-arg KUBECTL_SUM_amd64=$(KUBECTL_SUM_amd64) \ - --build-arg K9S_VERSION=$(K9S_VERSION) --build-arg K9S_SUM_arm64=$(K9S_SUM_arm64) --build-arg K9S_SUM_amd64=$(K9S_SUM_amd64) + --build-arg KUBECTL_VERSION=$(KUBECTL_VERSION) \ + --build-arg K9S_VERSION=$(K9S_VERSION) diff --git a/package/Dockerfile b/package/Dockerfile index 855215f..3e4685d 100644 --- a/package/Dockerfile +++ b/package/Dockerfile 
@@ -1,23 +1,53 @@ -ARG BCI_VERSION=15.7 +ARG BCI_VERSION=16.0 +ARG GO_IMAGE=rancher/hardened-build-base:v1.26.4b1 FROM registry.suse.com/bci/bci-busybox:${BCI_VERSION} AS final +FROM --platform=$BUILDPLATFORM ${GO_IMAGE} AS kubectl + +ARG KUBECTL_VERSION +ADD https://github.com/kubernetes/kubernetes/archive/refs/tags/${KUBECTL_VERSION}.tar.gz /src.tar.gz +RUN mkdir /src && tar -xzf /src.tar.gz -C /src --strip-components=1 && rm /src.tar.gz + +COPY --from=xx / / +ARG TARGETPLATFORM +RUN xx-go --wrap +RUN --mount=type=cache,target=/go/pkg/mod \ + --mount=type=cache,target=/root/.cache/go-build \ + cd /src && \ + KUBE_GIT_VERSION=${KUBECTL_VERSION} \ + KUBE_GIT_COMMIT=unknown \ + KUBE_GIT_TREE_STATE=clean \ + KUBE_BUILD_PLATFORMS=$(xx-info os)/$(xx-info arch) \ + GOFLAGS="-tags=providerless" \ + CGO_ENABLED=0 \ + make WHAT=cmd/kubectl && \ + cp /src/_output/local/bin/$(xx-info os)/$(xx-info arch)/kubectl /kubectl +RUN xx-verify --static /kubectl + +FROM --platform=$BUILDPLATFORM ${GO_IMAGE} AS k9s + +ARG K9S_VERSION +ADD https://github.com/derailed/k9s/archive/refs/tags/${K9S_VERSION}.tar.gz /src.tar.gz +RUN mkdir /src && tar -xzf /src.tar.gz -C /src --strip-components=1 && rm /src.tar.gz + +COPY --from=xx / / +ARG TARGETPLATFORM +RUN xx-go --wrap +RUN --mount=type=cache,target=/go/pkg/mod \ + --mount=type=cache,target=/root/.cache/go-build \ + cd /src && \ + CGO_ENABLED=0 go build -trimpath \ + -ldflags="-s -w -X github.com/derailed/k9s/cmd.version=${K9S_VERSION}" \ + -o /k9s . 
+RUN xx-verify --static /k9s + FROM --platform=$BUILDPLATFORM registry.suse.com/bci/bci-base:${BCI_VERSION} AS build RUN zypper -n install curl gzip tar # Define build arguments -ARG KUBECTL_VERSION KUBECTL_SUM_arm64 KUBECTL_SUM_amd64 \ - HELM_VERSION HELM_SUM_arm64 HELM_SUM_amd64 \ - K9S_VERSION K9S_SUM_arm64 K9S_SUM_amd64 +ARG HELM_VERSION HELM_SUM_arm64 HELM_SUM_amd64 ARG TARGETARCH -# Stage kubectl into build -ADD --chown=root:root --chmod=0755 \ - "https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/${TARGETARCH}/kubectl" \ - /kubectl - -ENV KUBECTL_SUM="KUBECTL_SUM_${TARGETARCH}" -RUN echo "${!KUBECTL_SUM} /kubectl" | sha256sum -c - - # Stage helm into build ADD "https://get.helm.sh/helm-${HELM_VERSION}-linux-${TARGETARCH}.tar.gz" \ /tmp/helm.tar.gz @@ -25,13 +55,6 @@ ENV HELM_SUM="HELM_SUM_${TARGETARCH}" RUN echo "${!HELM_SUM} /tmp/helm.tar.gz" | sha256sum -c - && \ tar -xvzf /tmp/helm.tar.gz --strip-components=1 -C / "linux-${TARGETARCH}/helm" -# Stage k9s into build -ADD "https://github.com/derailed/k9s/releases/download/${K9S_VERSION}/k9s_Linux_${TARGETARCH}.tar.gz" \ - /tmp/k9s.tar.gz -ENV K9S_SUM="K9S_SUM_${TARGETARCH}" -RUN echo "${!K9S_SUM} /tmp/k9s.tar.gz" | sha256sum -c - && \ - tar -xvzf /tmp/k9s.tar.gz -C / k9s - FROM registry.suse.com/bci/bci-base:${BCI_VERSION} AS zypper # Creates the based dir for the target image, and hydrates it with the @@ -66,7 +89,9 @@ RUN echo 'shell:x:1000:1000:shell,,,:/home/shell:/bin/bash' > /chroot/etc/passwd FROM scratch COPY --from=zypper /chroot / -COPY --chown=root:root --chmod=0755 --from=build /kubectl /helm /k9s /usr/local/bin/ +COPY --chown=root:root --chmod=0755 --from=kubectl /kubectl /usr/local/bin/ +COPY --chown=root:root --chmod=0755 --from=build /helm /usr/local/bin/ +COPY --chown=root:root --chmod=0755 --from=k9s /k9s /usr/local/bin/ COPY --chown=root:root --chmod=0755 package/helm-cmd package/welcome package/kustomize /usr/local/bin/ USER 1000 
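Review bot: The source archives in the new `kubectl` and `k9s` stages (hunk `@@ -1,23 +1,53 @@`) are fetched with `ADD https://github.com/…/archive/refs/tags/${…}.tar.gz /src.tar.gz` and nothing checks their content, whereas the release binaries they replace were verified with `sha256sum -c` against sums pinned in deps.mk, which this patch removes. A tag can be moved upstream, so the build input should be pinned by content: pass a per-archive sum as a build arg through `IMAGE_ARGS`, as is done for helm, and use `ADD --checksum=sha256:${KUBECTL_SRC_SUM} https://github.com/kubernetes/kubernetes/archive/refs/tags/${KUBECTL_VERSION}.tar.gz /src.tar.gz` (the arg name is a suggestion, and this assumes the Dockerfile frontend in use expands build args in `--checksum`), with the same for k9s. Forge-generated tag archives may not be byte-stable over time, so pinning a commit id instead may prove the steadier choice. The default `GO_IMAGE=rancher/hardened-build-base:v1.26.4b1` is also pinned by tag only; appending `@sha256:<digest>` would fix the toolchain that compiles both binaries.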
From 34a1aad4b15e5be3a78e861a76bfba965f06e2f7 Mon Sep 17 00:00:00 2001 From: Diogo Souza Date: Thu, 11 Jun 2026 21:26:55 -0300 Subject: [PATCH 2/2] update k9s --- hack/make/deps.mk | 2 +- package/Dockerfile | 3 +++ 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/hack/make/deps.mk b/hack/make/deps.mk index 1159e93..b3a2bca 100644 --- a/hack/make/deps.mk +++ b/hack/make/deps.mk @@ -6,7 +6,7 @@ HELM_SUM_amd64 := 97dbeb971be4ac4b27e3839976d9564c0fb35c6f3b1da89dd1e292d236af40 KUBECTL_VERSION := v1.36.1 # renovate: datasource=github-release-attachments depName=derailed/k9s -K9S_VERSION := v0.50.18 +K9S_VERSION := v0.51.0 # Reduces the code duplication on Makefile by keeping all args into a single variable. IMAGE_ARGS := --build-arg HELM_VERSION=$(HELM_VERSION) --build-arg HELM_SUM_arm64=$(HELM_SUM_arm64) --build-arg HELM_SUM_amd64=$(HELM_SUM_amd64) \ diff --git a/package/Dockerfile b/package/Dockerfile index 3e4685d..5d13270 100644 --- a/package/Dockerfile +++ b/package/Dockerfile @@ -2,6 +2,9 @@ ARG BCI_VERSION=16.0 ARG GO_IMAGE=rancher/hardened-build-base:v1.26.4b1 FROM registry.suse.com/bci/bci-busybox:${BCI_VERSION} AS final +# Image that provides cross compilation tooling. +FROM --platform=$BUILDPLATFORM rancher/mirrored-tonistiigi-xx:1.6.1 AS xx + FROM --platform=$BUILDPLATFORM ${GO_IMAGE} AS kubectl ARG KUBECTL_VERSION
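Review bot: The `xx` stage is only defined here in patch 2/2 (hunk `@@ -2,6 +2,9 @@`), but patch 1/2 already uses `COPY --from=xx / /` in the `kubectl` and `k9s` stages; with no stage of that name the builder falls back to treating `xx` as an image reference, so a build at patch 1/2 either fails or pulls whatever image resolves under that name. Moving this `FROM … AS xx` block into patch 1/2, or squashing the two patches, keeps every commit buildable and bisectable. The image is also pinned by tag only, and its whole filesystem is copied over `/` in both builder stages, so a digest pin such as `rancher/mirrored-tonistiigi-xx:1.6.1@sha256:<digest>` would be worth adding.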