ARG BASE_REGISTRY=registry1.dsop.io
ARG BASE_IMAGE=ironbank/redhat/ubi/ubi8
ARG BASE_TAG=8.4

# Updated by Renovate
ARG version="1.7.8"

FROM istio/proxyv2:${version} AS base

FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG}

# Copy Envoy bootstrap templates used by pilot-agent
COPY --from=base /var/lib/istio/envoy/envoy_bootstrap_tmpl.json /var/lib/istio/envoy/envoy_bootstrap_tmpl.json
COPY --from=base /var/lib/istio/envoy/gcp_envoy_bootstrap_tmpl.json /var/lib/istio/envoy/gcp_envoy_bootstrap_tmpl.json

COPY --from=base /sbin/xtables-multi /sbin/iptables* /sbin/ip6tables* /sbin/ip /sbin/
COPY --from=base /usr/lib/x86_64-linux-gnu/xtables/ /usr/lib/x86_64-linux-gnu/xtables
COPY --from=base /usr/lib/x86_64-linux-gnu/ /usr/lib/x86_64-linux-gnu
COPY --from=base /etc/iproute2 /etc/iproute2

WORKDIR /

# Environment variable indicating the exact proxy sha - for debugging or version-specific configs
# Iron Bank cannot provide a meaningful SHA here, set it to a placeholder value
ENV ISTIO_META_ISTIO_PROXY_SHA=isto-proxy:ironbank
# Environment variable indicating the exact build, for debugging
ENV ISTIO_META_ISTIO_VERSION=${version}


# Install Envoy.
COPY --from=base /usr/local/bin/envoy /usr/local/bin/envoy
COPY --from=base /usr/local/bin/pilot-agent /usr/local/bin/pilot-agent
COPY --from=base /var/lib/istio/envoy/envoy_policy.yaml.tmpl /var/lib/istio/envoy/envoy_policy.yaml.tmpl
COPY --from=base /etc/istio/extensions/stats-filter.wasm /etc/istio/extensions/stats-filter.wasm
COPY --from=base /etc/istio/extensions/metadata-exchange-filter.wasm /etc/istio/extensions/metadata-exchange-filter.wasm

RUN useradd -u 1337 istio-proxy && \
    chown -R 1337 /var/lib/istio && \
    chown -R 1337 /etc/istio && \
    dnf update -y && \
    dnf clean all && \
    rm -rf /var/cache/dnf/

EXPOSE 443
###############################################################
# Run as non-root user
USER istio-proxy
###############################################################
ENTRYPOINT ["/usr/local/bin/pilot-agent"]