ARG RUNTIME_IMAGE=gcr.io/distroless/cc-debian12
ARG BUILDPLATFORM=linux/amd64

# Precompile key slow-to-build dependencies
FROM --platform=$BUILDPLATFORM golang:1.22-alpine as go-deps
WORKDIR /linkerd-build
COPY go.mod go.sum ./
COPY bin/install-deps bin/
RUN go mod download
ARG TARGETARCH
RUN ./bin/install-deps $TARGETARCH

FROM --platform=$BUILDPLATFORM debian:bookworm-slim as fetch
RUN DEBIAN_FRONTEND=noninteractive apt-get update && \
    DEBIAN_FRONTEND=noninteractive apt-get install -y curl jq && \
    rm -rf /var/lib/apt/lists/*
WORKDIR /build
COPY bin/fetch-proxy bin/fetch-proxy
COPY bin/scurl bin/scurl
ARG TARGETARCH
ARG LINKERD2_PROXY_REPO="linkerd/linkerd2-proxy"
ARG LINKERD2_PROXY_VERSION=""
RUN --mount=type=secret,id=github \
    export GITHUB_TOKEN_FILE=/run/secrets/github; \
    proxy=$(bin/fetch-proxy "$LINKERD2_PROXY_VERSION" "$TARGETARCH"); \
    mv "$proxy" linkerd2-proxy
RUN echo "$LINKERD2_PROXY_VERSION" > proxy-version
ARG LINKERD_AWAIT_VERSION=v0.2.9
RUN bin/scurl -o linkerd-await https://github.com/linkerd/linkerd-await/releases/download/release%2F${LINKERD_AWAIT_VERSION}/linkerd-await-${LINKERD_AWAIT_VERSION}-${TARGETARCH} && chmod +x linkerd-await
ARG LINKERD_VALIDATOR_VERSION=v0.1.2
RUN bin/scurl -O https://github.com/linkerd/linkerd2-proxy-init/releases/download/validator%2F${LINKERD_VALIDATOR_VERSION}/linkerd-network-validator-${LINKERD_VALIDATOR_VERSION}-${TARGETARCH}.tgz
RUN tar -zxvf linkerd-network-validator-${LINKERD_VALIDATOR_VERSION}-${TARGETARCH}.tgz && mv linkerd-network-validator-${LINKERD_VALIDATOR_VERSION}-${TARGETARCH}/linkerd-network-validator .

## compile proxy-identity agent
FROM go-deps as golang
WORKDIR /linkerd-build
COPY pkg/util pkg/util
COPY pkg/flags pkg/flags
COPY pkg/tls pkg/tls
COPY pkg/version pkg/version
ARG TARGETARCH
RUN CGO_ENABLED=0 GOOS=linux GOARCH=$TARGETARCH go build -mod=readonly ./pkg/...
COPY proxy-identity proxy-identity
RUN CGO_ENABLED=0 GOOS=linux GOARCH=$TARGETARCH go build -o /out/proxy-identity -mod=readonly -ldflags "-s -w" ./proxy-identity

FROM $RUNTIME_IMAGE as runtime
COPY --from=fetch /build/target/proxy/LICENSE /usr/lib/linkerd/LICENSE
COPY --from=fetch /build/proxy-version /usr/lib/linkerd/linkerd2-proxy-version.txt
COPY --from=fetch /build/linkerd2-proxy /usr/lib/linkerd/linkerd2-proxy
COPY --from=fetch /build/linkerd-await /usr/lib/linkerd/linkerd-await
COPY --from=fetch /build/linkerd-network-validator /usr/lib/linkerd/linkerd2-network-validator
COPY --from=golang /out/proxy-identity /usr/lib/linkerd/linkerd2-proxy-identity
COPY --from=debian:bookworm-slim /bin/sleep /bin/sleep
ARG LINKERD_VERSION
ENV LINKERD_CONTAINER_VERSION_OVERRIDE=${LINKERD_VERSION}
ENV LINKERD2_PROXY_LOG=warn,linkerd=info
ENV LINKERD2_PROXY_LOG_FORMAT=plain
ENTRYPOINT ["/usr/lib/linkerd/linkerd2-proxy-identity"]