feat(proxy, proxy-init): Combine proxy and proxy-init and use minimal base image

.github/actions/docker-build/action.yml

@@ -28,11 +28,15 @@ runs:
     - uses: crazy-max/ghaction-github-runtime@3cb05d89e1f492524af3d41a1c98c83bc3025124
     - uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130
     - uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435
+      with:
+        driver-opts: network=host
     - env:
         DOCKER_REGISTRY: ${{ inputs.docker-registry }}
         DOCKER_TARGET: ${{ inputs.docker-target }}
         DOCKER_PUSH: ${{ inputs.docker-push }}
         TAG: ${{ inputs.tag }}
+        RUNTIME_IMAGE: localhost:5000/linkerd/proxy-runtime:${{ inputs.tag }}
+        PUSH_RUNTIME_IMAGE: true
       shell: bash
       run: bin/docker-build-${{ inputs.component }}
 

.github/workflows/integration.yml

@@ -80,6 +80,11 @@ jobs:
     needs: meta
     if: needs.meta.outputs.changed == 'true'
     runs-on: ${{ vars.LINKERD2_RUNNER || 'ubuntu-24.04' }}
+    services:
+      registry:
+        image: registry:3
+        ports:
+          - 5000:5000
     strategy:
       matrix:
         component:

.github/workflows/release.yml

@@ -37,6 +37,11 @@ jobs:
       contents: read
       packages: write # for docker/login-action
       id-token: write # for cosign
+    services:
+      registry:
+        image: registry:3
+        ports:
+          - 5000:5000
     strategy:
       matrix:
         component:

Dockerfile-proxy → Dockerfile.proxy

@@ -1,5 +1,6 @@
-ARG RUNTIME_IMAGE=gcr.io/distroless/cc-debian12
 ARG BUILDPLATFORM=linux/amd64
+ARG RUNTIME_IMAGE="cr.l5d.io/linkerd/proxy-runtime:latest"
+ARG TARGETARCH
 
 # Precompile key slow-to-build dependencies
 FROM --platform=$BUILDPLATFORM golang:1.25-alpine AS go-deps
@@ -43,8 +44,33 @@ RUN CGO_ENABLED=0 GOOS=linux GOARCH=$TARGETARCH go build -mod=readonly ./pkg/...
 COPY proxy-identity proxy-identity
 RUN CGO_ENABLED=0 GOOS=linux GOARCH=$TARGETARCH go build -o /out/proxy-identity -mod=readonly -ldflags "-s -w" ./proxy-identity
 
-FROM $RUNTIME_IMAGE AS runtime
+## build proxy-init
+FROM --platform=$BUILDPLATFORM ghcr.io/linkerd/dev:v48-go AS proxy-init
+WORKDIR /build
+ARG PROXY_INIT_REPO="linkerd/linkerd2-proxy-init"
+ARG PROXY_INIT_REF="proxy-init/v2.4.3"
+RUN --mount=type=secret,id=github \
+    export GITHUB_TOKEN_FILE=/run/secrets/github; \
+    git init --initial-branch=main . && \
+    git remote add origin https://github.com/${PROXY_INIT_REPO}.git && \
+    git fetch --depth 1 origin ${PROXY_INIT_REF} && \
+    git checkout --detach FETCH_HEAD
+RUN go mod download
+ARG TARGETARCH
+RUN CGO_ENABLED=0 GOOS=linux GOARCH=$TARGETARCH GO111MODULE=on \
+    go build -o /out/linkerd2-proxy-init -mod=readonly -ldflags "-s -w" -v ./proxy-init
+
+FROM $RUNTIME_IMAGE-$TARGETARCH AS runtime
 LABEL org.opencontainers.image.source=https://github.com/linkerd/linkerd2
+
+COPY --from=proxy-init /out/linkerd2-proxy-init /usr/lib/linkerd/linkerd2-proxy-init
+# Set sys caps for iptables utilities and proxy-init
+USER root
+RUN ["/usr/sbin/setcap", "cap_net_raw,cap_net_admin+eip", "/usr/sbin/xtables-legacy-multi"]
+RUN ["/usr/sbin/setcap", "cap_net_raw,cap_net_admin+eip", "/usr/sbin/xtables-nft-multi"]
+RUN ["/usr/sbin/setcap", "cap_net_raw,cap_net_admin+eip", "/usr/lib/linkerd/linkerd2-proxy-init"]
+USER 65534
+
 COPY --from=fetch /build/target/proxy/LICENSE /usr/lib/linkerd/LICENSE
 COPY --from=fetch /build/proxy-version /usr/lib/linkerd/linkerd2-proxy-version.txt
 COPY --from=fetch /build/linkerd2-proxy /usr/lib/linkerd/linkerd2-proxy

bin/docker-build-proxy

@@ -2,6 +2,8 @@
 
 set -eu
 
+apko_version=v0.30.13
+
 if [ $# -ne 0 ]; then
     echo "no arguments allowed for ${0##*/}, given: $*" >&2
     exit 64
@@ -14,8 +16,11 @@ rootdir=$( cd "$bindir"/.. && pwd )
 . "$bindir"/_docker.sh
 # shellcheck source=_tag.sh
 . "$bindir"/_tag.sh
+# shellcheck source=_os.sh
+. "$bindir"/_os.sh
 
-dockerfile=$rootdir/Dockerfile-proxy
+dockerfile=$rootdir/Dockerfile.proxy
+runtime_image="${RUNTIME_IMAGE:-"cr.l5d.io/linkerd/proxy-runtime:${TAG:-$(head_root_tag)}"}"
 
 get_extra_options() {
     options=
@@ -25,9 +30,22 @@ get_extra_options() {
     echo "$options"
 }
 
+# Build proxy base image with apko
+go install chainguard.dev/apko@$apko_version
+export PATH=$PATH:$(go env GOPATH)/bin
+# Add --local flag unless PUSH_RUNTIME_IMAGE is set
+apko build "$rootdir/proxy-runtime.yml" "$runtime_image" "$rootdir/proxy-runtime.tar"
+docker load < "$rootdir/proxy-runtime.tar"
+if [[ -n "${PUSH_RUNTIME_IMAGE:-}" ]]; then
+    for arch in "arm64" "amd64"; do
+        docker push "$runtime_image-$arch"
+    done
+fi
+
 # We want wordsplit for the extra options here:
 # shellcheck disable=SC2046
 docker_build proxy "${TAG:-$(head_root_tag)}" "$dockerfile" \
+  --build-arg RUNTIME_IMAGE="$runtime_image" \
   --build-arg LINKERD_VERSION="${TAG:-$(head_root_tag)}" \
   --build-arg LINKERD2_PROXY_REPO="${LINKERD2_PROXY_REPO:-linkerd/linkerd2-proxy}" \
   --build-arg LINKERD2_PROXY_VERSION="${LINKERD2_PROXY_VERSION:-$(cat .proxy-version)}" \

charts/linkerd-control-plane/values.yaml

@@ -349,14 +349,6 @@ proxyInit:
   # -- Log format (`plain` or `json`) for the proxy-init
   # @default -- plain
   logFormat: ""
-  image:
-    # -- Docker image for the proxy-init container
-    name: cr.l5d.io/linkerd/proxy-init
-    # -- Pull policy for the proxy-init container image
-    # @default -- imagePullPolicy
-    pullPolicy: ""
-    # -- Tag for the proxy-init container image
-    version: v2.4.3
   # -- Changes the default value for the nf_conntrack_tcp_timeout_close_wait
   # kernel parameter. If used, runAsRoot needs to be true.
   closeWaitTimeoutSecs: 0

charts/partials/templates/_proxy-init.tpl

@@ -46,8 +46,9 @@ args:
 - --subnets-to-ignore
 - {{ .Values.proxyInit.skipSubnets | quote }}
 {{- end }}
-image: {{.Values.proxyInit.image.name}}:{{.Values.proxyInit.image.version}}
-imagePullPolicy: {{.Values.proxyInit.image.pullPolicy | default .Values.imagePullPolicy}}
+image: {{.Values.proxy.image.name}}:{{.Values.proxy.image.version | default .Values.linkerdVersion}}
+command: ["/usr/lib/linkerd/linkerd2-proxy-init"]
+imagePullPolicy: {{.Values.proxy.image.pullPolicy | default .Values.imagePullPolicy}}
 name: linkerd-init
 {{ include "partials.resources" .Values.proxy.resources }}
 securityContext:

cli/cmd/doc.go

@@ -128,14 +128,6 @@ func generateAnnotationsDocs() []annotationDoc {
 			Name:        k8s.ProxyImagePullPolicyAnnotation,
 			Description: "Docker image pull policy",
 		},
-		{
-			Name:        k8s.ProxyInitImageAnnotation,
-			Description: "Linkerd init container image name",
-		},
-		{
-			Name:        k8s.ProxyInitImageVersionAnnotation,
-			Description: "Linkerd init container image version",
-		},
 		{
 			Name:        k8s.DebugImageAnnotation,
 			Description: "Linkerd debug container image name",

cli/cmd/inject.go

@@ -417,17 +417,10 @@ func getOverrideAnnotations(values *linkerd2.Values, base *linkerd2.Values) map[
 	if proxy.Image.Name != baseProxy.Image.Name {
 		overrideAnnotations[k8s.ProxyImageAnnotation] = proxy.Image.Name
 	}
-	if values.ProxyInit.Image.Name != base.ProxyInit.Image.Name {
-		overrideAnnotations[k8s.ProxyInitImageAnnotation] = values.ProxyInit.Image.Name
-	}
 	if values.DebugContainer.Image.Name != base.DebugContainer.Image.Name {
 		overrideAnnotations[k8s.DebugImageAnnotation] = values.DebugContainer.Image.Name
 	}
 
-	if values.ProxyInit.Image.Version != base.ProxyInit.Image.Version {
-		overrideAnnotations[k8s.ProxyInitImageVersionAnnotation] = values.ProxyInit.Image.Version
-	}
-
 	if values.DebugContainer.Image.Version != base.DebugContainer.Image.Version {
 		overrideAnnotations[k8s.DebugImageVersionAnnotation] = values.DebugContainer.Image.Version
 	}

cli/cmd/inject_test.go

@@ -782,30 +782,6 @@ func TestProxyImageAnnotations(t *testing.T) {
 	diffOverrides(t, expectedOverrides, overrides)
 }
 
-func TestProxyInitImageAnnotations(t *testing.T) {
-	baseValues, err := linkerd2.NewValues()
-	if err != nil {
-		t.Fatal(err)
-	}
-	values, err := baseValues.DeepCopy()
-	if err != nil {
-		t.Fatal(err)
-	}
-	values.ProxyInit.Image = &linkerd2.Image{
-		Name:    "my.registry/linkerd/proxy-init",
-		Version: "test-proxy-init-version",
-	}
-
-	expectedOverrides := map[string]string{
-		k8s.ProxyInitImageAnnotation:        "my.registry/linkerd/proxy-init",
-		k8s.ProxyInitImageVersionAnnotation: "test-proxy-init-version",
-	}
-
-	overrides := getOverrideAnnotations(values, baseValues)
-
-	diffOverrides(t, expectedOverrides, overrides)
-}
-
 func TestNoAnnotations(t *testing.T) {
 	baseValues, err := linkerd2.NewValues()
 	if err != nil {

cli/cmd/install_helm_test.go

@@ -113,11 +113,6 @@ func testRenderHelm(t *testing.T, linkerd2Chart *chart.Chart, additionalValues m
      "version":"test-proxy-version"
     }
    },
-   "proxyInit":{
-    "image":{
-     "version":"test-proxy-init-version"
-    }
-   },
   "identity":{
     "issuer":{
       "tls":{

cli/cmd/install_test.go

@@ -151,12 +151,7 @@ func TestRender(t *testing.T) {
 			},
 		},
 		ProxyInit: &charts.ProxyInit{
-			IptablesMode: "legacy",
-			Image: &charts.Image{
-				Name:       "ProxyInitImageName",
-				PullPolicy: "ImagePullPolicy",
-				Version:    "ProxyInitVersion",
-			},
+			IptablesMode:        "legacy",
 			IgnoreOutboundPorts: "443",
 			XTMountPath: &charts.VolumeMountPath{
 				MountPath: "/run",

cli/cmd/options.go

@@ -253,23 +253,10 @@ func makeProxyFlags(defaults *l5dcharts.Values) ([]flag.Flag, *pflag.FlagSet) {
 				return nil
 			}),
 
-		flag.NewStringFlag(proxyFlags, "init-image", defaults.ProxyInit.Image.Name, "Linkerd init container image name",
-			func(values *l5dcharts.Values, value string) error {
-				values.ProxyInit.Image.Name = value
-				return nil
-			}),
-
-		flag.NewStringFlag(proxyFlags, "init-image-version", defaults.ProxyInit.Image.Version,
-			"Linkerd init container image version", func(values *l5dcharts.Values, value string) error {
-				values.ProxyInit.Image.Version = value
-				return nil
-			}),
-
 		flag.NewStringFlag(proxyFlags, "image-pull-policy", defaults.ImagePullPolicy,
 			"Docker image pull policy", func(values *l5dcharts.Values, value string) error {
 				values.ImagePullPolicy = value
 				values.Proxy.Image.PullPolicy = value
-				values.ProxyInit.Image.PullPolicy = value
 				values.DebugContainer.Image.PullPolicy = value
 				return nil
 			}),
@@ -409,7 +396,6 @@ func makeProxyFlags(defaults *l5dcharts.Values) ([]flag.Flag, *pflag.FlagSet) {
 			values.ControllerImage = cmd.RegistryOverride(values.ControllerImage, value)
 			values.DebugContainer.Image.Name = cmd.RegistryOverride(values.DebugContainer.Image.Name, value)
 			values.Proxy.Image.Name = cmd.RegistryOverride(values.Proxy.Image.Name, value)
-			values.ProxyInit.Image.Name = cmd.RegistryOverride(values.ProxyInit.Image.Name, value)
 			return nil
 		})
 	if reg := os.Getenv(flagspkg.EnvOverrideDockerRegistry); reg != "" {
@@ -430,8 +416,6 @@ func makeProxyFlags(defaults *l5dcharts.Values) ([]flag.Flag, *pflag.FlagSet) {
 		proxyFlags.MarkHidden("proxy-image")
 		proxyFlags.MarkHidden("proxy-version")
 		proxyFlags.MarkHidden("image-pull-policy")
-		proxyFlags.MarkHidden("init-image")
-		proxyFlags.MarkHidden("init-image-version")
 	}
 
 	return flags, proxyFlags
@@ -573,10 +557,6 @@ func validateProxyValues(values *l5dcharts.Values) error {
 		return fmt.Errorf("%s is not a valid version", values.Proxy.Image.Version)
 	}
 
-	if !alphaNumDashDot.MatchString(values.ProxyInit.Image.Version) {
-		return fmt.Errorf("%s is not a valid version", values.ProxyInit.Image.Version)
-	}
-
 	if values.ImagePullPolicy != "Always" && values.ImagePullPolicy != "IfNotPresent" && values.ImagePullPolicy != "Never" {
 		return fmt.Errorf("--image-pull-policy must be one of: Always, IfNotPresent, Never")
 	}

cli/cmd/testdata/inject-filepath/expected/injected_nginx.yaml

@@ -218,7 +218,9 @@ spec:
         - 4190,4191,4567,4568
         - --outbound-ports-to-ignore
         - 4567,4568
-        image: cr.l5d.io/linkerd/proxy-init:v2.4.3
+        command:
+        - /usr/lib/linkerd/linkerd2-proxy-init
+        image: cr.l5d.io/linkerd/proxy:install-proxy-version
         imagePullPolicy: IfNotPresent
         name: linkerd-init
         securityContext:

cli/cmd/testdata/inject-filepath/expected/injected_nginx_redis.yaml

@@ -218,7 +218,9 @@ spec:
         - 4190,4191,4567,4568
         - --outbound-ports-to-ignore
         - 4567,4568
-        image: cr.l5d.io/linkerd/proxy-init:v2.4.3
+        command:
+        - /usr/lib/linkerd/linkerd2-proxy-init
+        image: cr.l5d.io/linkerd/proxy:install-proxy-version
         imagePullPolicy: IfNotPresent
         name: linkerd-init
         securityContext:
@@ -472,7 +474,9 @@ spec:
         - 4190,4191,4567,4568
         - --outbound-ports-to-ignore
         - 4567,4568
-        image: cr.l5d.io/linkerd/proxy-init:v2.4.3
+        command:
+        - /usr/lib/linkerd/linkerd2-proxy-init
+        image: cr.l5d.io/linkerd/proxy:install-proxy-version
         imagePullPolicy: IfNotPresent
         name: linkerd-init
         securityContext:

cli/cmd/testdata/inject-filepath/expected/injected_redis.yaml

@@ -218,7 +218,9 @@ spec:
         - 4190,4191,4567,4568
         - --outbound-ports-to-ignore
         - 4567,4568
-        image: cr.l5d.io/linkerd/proxy-init:v2.4.3
+        command:
+        - /usr/lib/linkerd/linkerd2-proxy-init
+        image: cr.l5d.io/linkerd/proxy:install-proxy-version
         imagePullPolicy: IfNotPresent
         name: linkerd-init
         securityContext: