From 8ed31517ff8f1de1e2fb35dd5e817c4df2457bd8 Mon Sep 17 00:00:00 2001
From: Pushkar Joglekar <pjoglekar@vmware.com>
Date: Tue, 31 Aug 2021 13:21:08 -0700
Subject: [PATCH] Bump conformance images to use debian:buster-v1.9.0

- Debian base used was older (v2.1.3)  missing multiple fixed CVEs
- Minor update to distroless debian image name to explicitly point
  to debian 10
- Debian base image now points to buster-1.9.0
---
 build/dependencies.yaml         |  2 ++
 test/conformance/image/Makefile | 13 ++++++-------
 2 files changed, 8 insertions(+), 7 deletions(-)

diff --git a/build/dependencies.yaml b/build/dependencies.yaml
index cd9589610bf..dee87cd4b8a 100644
--- a/build/dependencies.yaml
+++ b/build/dependencies.yaml
@@ -132,6 +132,8 @@ dependencies:
       match: BASEIMAGE\?\=k8s\.gcr\.io\/build-image\/debian-base-ppc64le:[a-zA-Z]+\-v((([0-9]+)\.([0-9]+)\.([0-9]+)(?:-([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?)(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?)
     - path: cluster/images/etcd/Makefile
       match: BASEIMAGE\?\=k8s\.gcr\.io\/build-image\/debian-base-s390x:[a-zA-Z]+\-v((([0-9]+)\.([0-9]+)\.([0-9]+)(?:-([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?)(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?)
+    - path: test/conformance/image/Makefile
+      match: BASE_IMAGE_VERSION\?=
 
   - name: "k8s.gcr.io/debian-iptables: dependents"
     version: buster-v1.6.6
diff --git a/test/conformance/image/Makefile b/test/conformance/image/Makefile
index 4931049a98d..bb74dc8dc7b 100644
--- a/test/conformance/image/Makefile
+++ b/test/conformance/image/Makefile
@@ -33,14 +33,13 @@ CLUSTER_DIR?=$(shell pwd)/../../../cluster/
 
 # This is defined in root Makefile, but some build contexts do not refer to them
 KUBE_BASE_IMAGE_REGISTRY?=k8s.gcr.io
+BASE_IMAGE_VERSION?=buster-v1.9.0
+BASEIMAGE?=${KUBE_BASE_IMAGE_REGISTRY}/build-image/debian-base-${ARCH}:${BASE_IMAGE_VERSION}
 
-ifeq ($(ARCH),amd64)
-    BASEIMAGE?=${KUBE_BASE_IMAGE_REGISTRY}/build-image/debian-base:v2.1.3
-else
-    BASEIMAGE?=${KUBE_BASE_IMAGE_REGISTRY}/build-image/debian-base-${ARCH}:v2.1.3
-endif
-
-RUNNERIMAGE?=gcr.io/distroless/base:latest
+# Keep debian releases (e.g. debian 10 == buster) consistent 
+# between BASE_IMAGE_VERSION and DISTROLESS_IMAGE images
+DISTROLESS_IMAGE?=base-debian10
+RUNNERIMAGE?=gcr.io/distroless/${DISTROLESS_IMAGE}:latest
 
 TEMP_DIR:=$(shell mktemp -d -t conformance-XXXXXX)