fold run-proxy.sh funtionality into proxy-dentity (#6228)

A docker image with a shell is required to run the identity helper which is undesirable. 

The logic for the identity helper shell script docker entry point has been moved into proxy-identity/main.go and the docker file has been updated to reflect the removal of the run-proxy.sh script

Fixes #6172

Signed-off-by: Taylor Skinner <tskinn12@gmail.com>

Dockerfile-proxy

@@ -1,4 +1,4 @@
-ARG RUNTIME_IMAGE=debian:buster-20210208-slim
+ARG RUNTIME_IMAGE=gcr.io/distroless/cc:nonroot
 ARG BUILDPLATFORM=linux/amd64
 
 # Precompile key slow-to-build dependencies
@@ -10,8 +10,7 @@ RUN go mod download
 ARG TARGETARCH
 RUN ./bin/install-deps $TARGETARCH
 
-FROM --platform=$BUILDPLATFORM $RUNTIME_IMAGE as fetch
+FROM --platform=$BUILDPLATFORM curlimages/curl:7.76.1 as fetch
-RUN apt-get update && apt-get install -y ca-certificates curl jq
 WORKDIR /build
 COPY bin/fetch-proxy bin/fetch-proxy
 COPY .proxy-version proxy-version
@@ -38,9 +37,8 @@ COPY --from=fetch /build/proxy-version /usr/lib/linkerd/linkerd2-proxy-version.t
 COPY --from=fetch /build/linkerd2-proxy /usr/lib/linkerd/linkerd2-proxy
 COPY --from=fetch /build/linkerd-await /usr/lib/linkerd/linkerd-await
 COPY --from=golang /out/proxy-identity /usr/lib/linkerd/linkerd2-proxy-identity
-COPY proxy-identity/run-proxy.sh /usr/bin/linkerd2-proxy-run
 ARG LINKERD_VERSION
 ENV LINKERD_CONTAINER_VERSION_OVERRIDE=${LINKERD_VERSION}
 ENV LINKERD2_PROXY_LOG=warn,linkerd=info
 ENV LINKERD2_PROXY_LOG_FORMAT=plain
-ENTRYPOINT ["/usr/bin/linkerd2-proxy-run"]
+ENTRYPOINT ["/usr/lib/linkerd/linkerd2-proxy-identity"]

proxy-identity/main.go

@@ -6,36 +6,33 @@ import (
 	"crypto/x509"
 	"crypto/x509/pkix"
 	"errors"
-	"flag"
 	"fmt"
 	"io/ioutil"
 	"os"
 	"path/filepath"
+	"syscall"
 
-	"github.com/linkerd/linkerd2/pkg/flags"
 	"github.com/linkerd/linkerd2/pkg/tls"
 	log "github.com/sirupsen/logrus"
 )
 
 const (
+	envDir          = "LINKERD2_PROXY_IDENTITY_DIR"
 	envDisabled     = "LINKERD2_PROXY_IDENTITY_DISABLED"
+	envLocalName    = "LINKERD2_PROXY_IDENTITY_LOCAL_NAME"
 	envTrustAnchors = "LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS"
 )
 
 func main() {
-	cmd := flag.NewFlagSet("public-api", flag.ExitOnError)
+	defer runProxy()
-
-	name := cmd.String("name", "", "identity name")
-	dir := cmd.String("dir", "", "directory under which credentials are written")
-
-	flags.ConfigureAndParse(cmd, os.Args[1:])
 
 	if os.Getenv(envDisabled) != "" {
 		log.Debug("Identity disabled.")
-		os.Exit(0)
+		return
 	}
 
-	keyPath, csrPath, err := checkEndEntityDir(*dir)
+	dir := os.Getenv(envDir)
+	keyPath, csrPath, err := checkEndEntityDir(dir)
 	if err != nil {
 		log.Fatalf("Invalid end-entity directory: %s", err)
 	}
@@ -49,7 +46,8 @@ func main() {
 		log.Fatal(err.Error())
 	}
 
-	if _, err := generateAndStoreCSR(csrPath, *name, key); err != nil {
+	name := os.Getenv(envLocalName)
+	if _, err := generateAndStoreCSR(csrPath, name, key); err != nil {
 		log.Fatal(err.Error())
 	}
 }
@@ -146,3 +144,10 @@ func generateAndStoreCSR(p, id string, key *ecdsa.PrivateKey) ([]byte, error) {
 
 	return csrb, nil
 }
+
+func runProxy() {
+	err := syscall.Exec("/usr/lib/linkerd/linkerd2-proxy", []string{}, os.Environ())
+	if err != nil {
+		log.Fatalf("Failed to run proxy: %s", err)
+	}
+}

proxy-identity/run-proxy.sh

@@ -1,10 +0,0 @@
-#!/usr/bin/env sh
-set -eu
-
-if [ -z "${LINKERD2_PROXY_IDENTITY_DISABLED:-}" ]; then
-    /usr/lib/linkerd/linkerd2-proxy-identity \
-        -dir "$LINKERD2_PROXY_IDENTITY_DIR" \
-        -name "$LINKERD2_PROXY_IDENTITY_LOCAL_NAME"
-fi
-
-exec /usr/lib/linkerd/linkerd2-proxy