For compatibility with stretch, we need to use/build an older (Ubuntu 16.04 based) version of the image.
Upstream switched to Ubuntu 18.04 (which uses libc 2.27 and is incompatible with stretch) with https://github.com/envoyproxy/envoy-build-tools/commit/3cbc11e373

The last stretch compatible upstream image is envoyproxy/envoy-build-ubuntu:0c4a26daea3897a16368a11cebb4595516416679 but that now needs sudo added as well (new build-time dependency since 1.15.x).

We should have a way to persist as least the Dockerfile and scripts needed to rebuild the image for our needs. I would suggest we mirror https://github.com/envoyproxy/envoy-build-tools to gerrit and patch whatever needs patching in a separate branch there. Then add some documentation on how to build the build-image locally on the builder host to wikitech (https://wikitech.wikimedia.org/wiki/Envoy).
We should not push that image to our registry as that would probably require us to rebuild the base images as well etc., kubernetes nodes would be able to pull the image and what not.

Any objections/additions or better ideas?

See also:

• https://wikitech.wikimedia.org/wiki/Envoy
• https://github.com/envoyproxy/envoy-build-tools
• https://gerrit.wikimedia.org/r/c/operations/debs/envoyproxy/+/632479