Skip to content

fix: proxy-init and policy-container images have been removed #4333

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
cratelyn merged 2 commits into from
Dec 5, 2025
Merged

fix: proxy-init and policy-container images have been removed #4333

cratelyn merged 2 commits into from
Dec 5, 2025

Conversation

@cratelyn
Copy link
Member

@cratelyn cratelyn commented Dec 4, 2025
edited
Loading

in linkerd/linkerd2#14577, we combined the proxy and proxy-init image. in linkerd/linkerd2#14348, we removed the policy-controller image. this branch aims to address these breaking changes, and restore CI builds in this repository.

besides just combining images, #14577 included some breaking changes to the helm charts, specifically in how we configure the control plane. this has affected us, because we do not use the production-oriented ghcr.io/linkerd/proxy image when running the linkerd-install test, or running a local cluster via the commands provided in the justfile.

we use a development-oriented image provided here so that we can attach a shell to the proxy container during development, and run various networking utilities to e.g. diagnose bugs.

this caused us some problems because #14577 removed the helm configuration surface used to configure an image for the proxy-init container. thus, pods would run the development image from the proxy repo, rather than the 'ghcr.io/linkerd/proxy' image that i've attempted to specify in the justfile.

Init Containers:                                                                                                                                                
  linkerd-init:                                                                                                                                                 
    Container ID:    containerd://bfe539d4686401676687f3526c43611b90bf794c300c0c9797582a57ce13196d                                                              
    Image:           localhost/linkerd/proxy:kate.init-image-is-combined.c374b8d8c                                                                              
    Image ID:        sha256:e6bd21b9afa12fdac81f8b3df6c3ba035015a162165afbbba5cc26f729a49f9f                                                                    
    Port:            <none>                                                                                                                                     
    Host Port:       <none>                                                                                                                                     
    SeccompProfile:  RuntimeDefault                                                                                                                             
    Command:                                                                                                                                                    
      /usr/lib/linkerd/linkerd2-proxy-init

if i understand correctly, there are two ways to remediate this: (1) copy the same changes involving setcap commands over to that development dockerfile (i also found that this required setting the user to root for things to work), or (2) revert parts of #14577 and reintroduce these settings to the control plane chart, instead defaulting to the cr.l5d.io/linkerd/proxy image.

my understanding is that (2) would be unfortunate because we are actively trying to get away from having to maintain too much init-related configuration surface, as it introduces a significant maintenance burden in the control plane.

this branch updates the no-longer-recent edge release used in our development image, and then updates the images used in our justfile.

changes from linkerd/linkerd2#14577 are additionally introduced here, so that the proxy image also functions as a workable init container image.

@cratelyn
chore(Dockerfile): update LINKERD2_IMAGE edge version
c374b8d 
Signed-off-by: katelyn martin <kate@buoyant.io>
@cratelyn
fix: address upstream changes to proxy-init image
5a4bd11 
Signed-off-by: katelyn martin <kate@buoyant.io>
@cratelyn cratelyn self-assigned this Dec 4, 2025
@cratelyn cratelyn changed the title kate/init image is combined fix: address upstream changes to proxy-init image Dec 4, 2025
@cratelyn cratelyn mentioned this pull request Dec 4, 2025
Merged
@cratelyn cratelyn requested a review from adleong December 4, 2025 20:21
@cratelyn cratelyn marked this pull request as ready for review December 4, 2025 20:21
@cratelyn cratelyn requested a review from a team as a code owner December 4, 2025 20:21
cratelyn
cratelyn commented Dec 4, 2025
View reviewed changes
Dockerfile
# Use an arbitrary ~recent edge release image to get the proxy
# identity-initializing and linkerd-await wrappers.
ARG LINKERD2_IMAGE=ghcr.io/linkerd/proxy:edge-23.11.2
ARG LINKERD2_IMAGE=ghcr.io/linkerd/proxy:edge-25.11.3
Copy link
Member Author

@cratelyn cratelyn Dec 4, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

would pointing this at :latest be even better? this drifted more than two years out of date. luckily there was only one other breaking change to spot and fix, but i'd like for this repo to not get so far out of step with the linkerd2 repo again.

Copy link
Collaborator

@sfleen sfleen Dec 5, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Updating to latest would at least give us signal that something broke, but it would be tricky to debug and would break CI without a source PR to trace it back to.

We've run into this kind of problem enough that it makes me think we should set up something like Renovate that can do custom dependency updates like these.

Copy link
Collaborator

@sfleen sfleen Dec 5, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think it's fine to leave this as a pinned version for now while we sort out better custom dependency management for cases like these

cratelyn
cratelyn commented Dec 4, 2025
View reviewed changes
@cratelyn cratelyn changed the title fix: address upstream changes to proxy-init image fix: proxy-init and policy-container images have been removed Dec 4, 2025
@cratelyn cratelyn mentioned this pull request Dec 4, 2025
Open
@cratelyn cratelyn merged commit 703c7db into main Dec 5, 2025
18 checks passed
@cratelyn cratelyn deleted the kate/init-image-is-combined branch December 5, 2025 17:43
@cratelyn cratelyn mentioned this pull request Dec 5, 2025
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@adleong adleong adleong approved these changes

@sfleen sfleen sfleen approved these changes

Assignees

@cratelyn cratelyn

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@cratelyn @adleong @sfleen