# Copyright (c) 2026 Tigera, Inc. All rights reserved.

ARG CALICO_BASE
ARG ISTIO_VERSION
ARG UBI_IMAGE

FROM istio/proxyv2:${ISTIO_VERSION} AS proxyv2

FROM ${UBI_IMAGE} AS builder

# pilot agent generates config files in /etc/istio/proxy (envoy-rev.json etc)
RUN mkdir -p /rootfs/etc/istio/proxy && chown 10001:10001 /rootfs/etc/istio/proxy

FROM scratch AS source

ARG TARGETARCH

COPY --from=builder /rootfs /

# Copy the envoy binary built from upstream vendor
# pilot-agent expects the envoy binary to be located at /usr/local/bin/envoy as it is hardcoded in the source code
COPY --from=proxyv2 /usr/local/bin/envoy /usr/local/bin/envoy
COPY bin/pilot-agent-${TARGETARCH} /usr/bin/pilot-agent
COPY istio/tools/packaging/common/envoy_bootstrap.json /var/lib/istio/envoy/envoy_bootstrap_tmpl.json

COPY bin/LICENSE /LICENSE

FROM ${CALICO_BASE}

ARG GIT_VERSION=unknown

# OCP Certification labels
LABEL description="Istio proxyv2 (Envoy) component from github.com/istio/proxy with Calico patches"
LABEL maintainer="maintainers@tigera.io"
LABEL name="Calico Istio Proxyv2"
LABEL release="1"
LABEL summary="Envoy-based proxy component for Calico's Istio service mesh integration"
LABEL vendor="Project Calico"
LABEL version="${GIT_VERSION}"

LABEL org.opencontainers.image.description="Istio proxyv2 (Envoy) from github.com/istio/proxy with Calico patches"
LABEL org.opencontainers.image.authors="maintainers@tigera.io"
LABEL org.opencontainers.image.source="https://github.com/projectcalico/calico"
LABEL org.opencontainers.image.title="Envoy-based proxy for Calico's Istio integration"
LABEL org.opencontainers.image.vendor="Project Calico"
LABEL org.opencontainers.image.version="${GIT_VERSION}"
LABEL org.opencontainers.image.licenses="Apache-2.0"

COPY --from=source / /

USER 10001:10001

# Envoy default ports for Istio
EXPOSE 15000 15001 15006 15020 15021 15090

ENTRYPOINT ["/usr/bin/pilot-agent"]
