Dockerfile.proxy
# Global build arguments. They are declared before the first FROM, so they are
# visible only in FROM lines; each stage that needs TARGETARCH re-declares it.
# The BUILDPLATFORM default is used when the builder does not supply a value.
ARG BUILDPLATFORM=linux/amd64
# NOTE(review): the default runtime base uses the mutable `latest` tag, and the
# final stage appends "-$TARGETARCH" to this value. Release builds should pass a
# RUNTIME_IMAGE with an immutable version tag so the shipped base is
# reproducible and auditable.
ARG RUNTIME_IMAGE="cr.l5d.io/linkerd/proxy-runtime:latest"
ARG TARGETARCH
# Precompile key slow-to-build dependencies
#
# Stage go-deps: runs on the build platform, downloads the Go modules listed in
# go.mod and then runs bin/install-deps for the target architecture. Only
# go.mod, go.sum and the install script are copied in, so this layer is rebuilt
# only when those files change.
# NOTE(review): this stage uses the floating tag golang:1.25-alpine while the
# proxy-init stage uses golang:1.25.8-alpine; neither is pinned by digest.
# Aligning both on one patch version would make the toolchain consistent.
FROM --platform=$BUILDPLATFORM golang:1.25-alpine AS go-deps
WORKDIR /linkerd-build
COPY go.mod go.sum ./
COPY bin/install-deps bin/
# go.sum is present, so downloaded modules are checked against its recorded hashes.
RUN go mod download
# Re-declared here because the global ARG is not visible inside a stage.
ARG TARGETARCH
RUN ./bin/install-deps $TARGETARCH
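# Stage fetch: runs on the build platform and downloads the prebuilt proxy,
# linkerd-await and the network validator. Only the files that the runtime
# stage copies out with COPY --from=fetch reach the final image.
FROM --platform=$BUILDPLATFORM debian:bookworm-slim AS fetch
# The apt package lists are removed in the same layer that created them.
RUN DEBIAN_FRONTEND=noninteractive apt-get update && \
    DEBIAN_FRONTEND=noninteractive apt-get install -y curl jq && \
    rm -rf /var/lib/apt/lists/*
WORKDIR /build
COPY bin/fetch-proxy bin/fetch-proxy
COPY bin/scurl bin/scurl
ARG TARGETARCH
# LINKERD2_PROXY_REPO is not passed on the command line below; presumably
# bin/fetch-proxy reads it from the environment (confirm in that script).
ARG LINKERD2_PROXY_REPO="linkerd/linkerd2-proxy"
ARG LINKERD2_PROXY_VERSION=""
# The GitHub token is supplied through a BuildKit secret mount, so it exists only
# at /run/secrets/github while this RUN executes and is not written to a layer.
# The steps are chained with && so that a non-zero exit from bin/fetch-proxy
# stops the build at once, instead of letting mv run on whatever path the
# script printed before it failed.
RUN --mount=type=secret,id=github \
    export GITHUB_TOKEN_FILE=/run/secrets/github && \
    proxy=$(bin/fetch-proxy "$LINKERD2_PROXY_VERSION" "$TARGETARCH") && \
    mv "$proxy" linkerd2-proxy
# Records the requested version string. With the default empty value the file
# holds an empty line, whatever version bin/fetch-proxy actually resolved.
RUN echo "$LINKERD2_PROXY_VERSION" > proxy-version
# NOTE(review): no checksum or signature check is visible here for the
# linkerd-await and linkerd-network-validator downloads; their integrity rests
# on the pinned release tag and on whatever bin/scurl enforces. Consider
# comparing each artifact with a SHA-256 recorded in this repository.
ARG LINKERD_AWAIT_VERSION=v0.3.2
RUN bin/scurl -o linkerd-await https://github.com/linkerd/linkerd-await/releases/download/release%2F${LINKERD_AWAIT_VERSION}/linkerd-await-${LINKERD_AWAIT_VERSION}-${TARGETARCH} && chmod +x linkerd-await
ARG LINKERD_VALIDATOR_VERSION=v0.1.8
RUN bin/scurl -O https://github.com/linkerd/linkerd2-proxy-init/releases/download/validator%2F${LINKERD_VALIDATOR_VERSION}/linkerd-network-validator-${LINKERD_VALIDATOR_VERSION}-${TARGETARCH}-linux.tgz
# Unpack the archive and move the validator binary to /build for the runtime stage.
RUN tar -zxvf linkerd-network-validator-${LINKERD_VALIDATOR_VERSION}-${TARGETARCH}-linux.tgz && mv linkerd-network-validator-${LINKERD_VALIDATOR_VERSION}-${TARGETARCH}-linux/linkerd-network-validator .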
## compile proxy-identity agent
#
# Stage golang: builds on go-deps and cross-compiles the proxy-identity binary
# for the target architecture. Only the pkg/ subdirectories listed below and
# the proxy-identity sources are copied in.
FROM go-deps AS golang
WORKDIR /linkerd-build
COPY pkg/util pkg/util
COPY pkg/flags pkg/flags
COPY pkg/tls pkg/tls
COPY pkg/version pkg/version
ARG TARGETARCH
# Compiles the shared packages before proxy-identity is copied in, presumably to
# warm the build cache; this step writes no output binary.
# -mod=readonly makes the build fail rather than rewrite go.mod.
RUN CGO_ENABLED=0 GOOS=linux GOARCH=$TARGETARCH go build -mod=readonly ./pkg/...
COPY proxy-identity proxy-identity
# CGO_ENABLED=0 disables cgo; -ldflags "-s -w" omits the symbol table and DWARF
# debug information from the binary written to /out/proxy-identity.
RUN CGO_ENABLED=0 GOOS=linux GOARCH=$TARGETARCH go build -o /out/proxy-identity -mod=readonly -ldflags "-s -w" ./proxy-identity
## build proxy-init
#
# Stage proxy-init: fetches the linkerd2-proxy-init sources at PROXY_INIT_REF
# from GitHub and cross-compiles the proxy-init binary for the target
# architecture.
FROM --platform=$BUILDPLATFORM golang:1.25.8-alpine AS proxy-init
WORKDIR /build
ARG PROXY_INIT_REPO="linkerd/linkerd2-proxy-init"
# NOTE(review): this ref is a tag name, which the upstream repository can move.
# Pinning a full commit SHA, or checking FETCH_HEAD against an expected SHA
# after the fetch, would make the source that gets built immutable.
ARG PROXY_INIT_REF="proxy-init/v2.4.7"
RUN apk add --no-cache ca-certificates git
# Shallow-fetches only the requested ref and checks it out detached.
# NOTE(review): GITHUB_TOKEN_FILE is exported, but nothing in this RUN visibly
# reads it. Confirm the secret mount is needed here; if not, drop it so the
# token is exposed to fewer build steps.
RUN --mount=type=secret,id=github \
export GITHUB_TOKEN_FILE=/run/secrets/github; \
git init --initial-branch=main . && \
git remote add origin https://github.com/${PROXY_INIT_REPO}.git && \
git fetch --depth 1 origin ${PROXY_INIT_REF} && \
git checkout --detach FETCH_HEAD
RUN go mod download
ARG TARGETARCH
# CGO_ENABLED=0 disables cgo; -mod=readonly makes the build fail rather than
# rewrite go.mod; -ldflags "-s -w" omits the symbol table and DWARF debug
# information from /out/linkerd2-proxy-init.
RUN CGO_ENABLED=0 GOOS=linux GOARCH=$TARGETARCH GO111MODULE=on \
go build -o /out/linkerd2-proxy-init -mod=readonly -ldflags "-s -w" -v ./proxy-init
# Stage runtime: the final image. The base reference is the global RUNTIME_IMAGE
# value with "-<TARGETARCH>" appended to it.
FROM $RUNTIME_IMAGE-$TARGETARCH AS runtime
LABEL org.opencontainers.image.source=https://github.com/linkerd/linkerd2
COPY --from=proxy-init /out/linkerd2-proxy-init /usr/lib/linkerd/linkerd2-proxy-init
# Set sys caps for iptables utilities and proxy-init
# setcap needs root, so the stage switches to root for these three steps only.
# Each binary gets cap_net_raw and cap_net_admin as file capabilities in the
# effective, inheritable and permitted sets (+eip), so the non-root user set
# below can run them.
# NOTE(review): file capabilities are granted only if they are also in the
# container's bounding set. Containers that do not set up iptables should drop
# NET_ADMIN and NET_RAW so these binaries gain nothing there; confirm against
# the workload's security context.
USER root
RUN ["/usr/sbin/setcap", "cap_net_raw,cap_net_admin+eip", "/usr/sbin/xtables-legacy-multi"]
RUN ["/usr/sbin/setcap", "cap_net_raw,cap_net_admin+eip", "/usr/sbin/xtables-nft-multi"]
RUN ["/usr/sbin/setcap", "cap_net_raw,cap_net_admin+eip", "/usr/lib/linkerd/linkerd2-proxy-init"]
# Numeric non-root UID for the rest of the build and for the running container.
USER 65534
# COPY does not use the USER setting: without --chown these files are owned by
# UID 0, so the runtime user (65534) does not own the binaries it executes.
# /build/target/proxy/LICENSE is presumably created by bin/fetch-proxy in the
# fetch stage (confirm in that script).
COPY --from=fetch /build/target/proxy/LICENSE /usr/lib/linkerd/LICENSE
COPY --from=fetch /build/proxy-version /usr/lib/linkerd/linkerd2-proxy-version.txt
COPY --from=fetch /build/linkerd2-proxy /usr/lib/linkerd/linkerd2-proxy
COPY --from=fetch /build/linkerd-await /usr/lib/linkerd/linkerd-await
COPY --from=fetch /build/linkerd-network-validator /usr/lib/linkerd/linkerd2-network-validator
COPY --from=golang /out/proxy-identity /usr/lib/linkerd/linkerd2-proxy-identity
# NOTE(review): sleep is copied from the debian:bookworm-slim tag, which is not
# pinned by digest. The binary presumably relies on shared libraries already in
# the runtime base; confirm they stay compatible when either image changes.
COPY --from=debian:bookworm-slim /bin/sleep /bin/sleep
# LINKERD_VERSION has no default, so the override variable is empty unless the
# build passes --build-arg LINKERD_VERSION=...
ARG LINKERD_VERSION
ENV LINKERD_CONTAINER_VERSION_OVERRIDE=${LINKERD_VERSION}
ENV LINKERD2_PROXY_LOG=warn,linkerd=info
ENV LINKERD2_PROXY_LOG_FORMAT=plain
# Exec form: the identity agent is started directly, without a shell wrapper.
ENTRYPOINT ["/usr/lib/linkerd/linkerd2-proxy-identity"]