Note that statically linked Go binaries work in a Docker image from scratch. This can be created with a multi-stage build where the builder image uses whatever OS you prefer, with any required packages. A build line such as:
RUN CGO_ENABLED=0 go build -o mybin -ldflags '-extldflags "-static"' -tags timetzdata
And the second stage like:
FROM scratch
COPY --from=app-builder mybin mybin
ENTRYPOINT ["/mybin"]
The builder can create users and groups, and the final image can import necessary certs like so:
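A complete multi-stage Dockerfile along these lines, as an added example that is not the original author's file. The `golang:1.22` builder image, the `appuser` name, UID/GID 10001 and the `/src` path are assumptions, and the binary is written to `/mybin` so the `COPY` source path is unambiguous.

```dockerfile
# Added example. Assumed names: golang:1.22, appuser, UID/GID 10001, /src.
FROM golang:1.22 AS app-builder

# The builder can carry any packages; only what is COPY'd below reaches the final image.
RUN apt-get update \
 && apt-get install -y --no-install-recommends ca-certificates \
 && rm -rf /var/lib/apt/lists/*

# Minimal passwd/group files so the final image has a named non-root user.
RUN echo 'appuser:x:10001:10001::/nonexistent:/sbin/nologin' > /etc/passwd.min \
 && echo 'appuser:x:10001:' > /etc/group.min

WORKDIR /src
COPY . .

# CGO_ENABLED=0 avoids any libc dependency; timetzdata embeds the time zone
# database, which a scratch image does not otherwise have.
RUN CGO_ENABLED=0 go build -o /mybin -ldflags '-extldflags "-static"' -tags timetzdata .

FROM scratch

# CA bundle at a path Go's crypto/x509 searches on Linux, needed for outbound TLS.
COPY --from=app-builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt

# User database created in the builder stage.
COPY --from=app-builder /etc/passwd.min /etc/passwd
COPY --from=app-builder /etc/group.min /etc/group

COPY --from=app-builder /mybin /mybin

# Run as the unprivileged user instead of the default root.
USER 10001:10001
ENTRYPOINT ["/mybin"]
```

The resulting image contains no shell or package manager, so debugging has to happen from outside the container.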