fix(cli): improved support for native sidecar servers in linkerd check --proxy (#14779)

(Extracted from #14566)

The "opaque ports are properly annotated" check had a bug where it only
validated regular containers, missing ports in init containers (native
sidecars). This meant mismatched annotations between pods and services
could go undetected when the port belonged to an init container.

When a service had the opaque-ports annotation but the corresponding pod
did not, the check would incorrectly pass if the port was defined in an
init container instead of a regular container.

This commit extends the check to validate ports in both regular containers
and init containers, ensuring consistent opaque-ports annotations across
pods and services regardless of where the port is defined.

Author: alpeb

pkg/healthcheck/healthcheck.go

@@ -2492,7 +2492,7 @@ func misconfiguredOpaqueAnnotation(service *corev1.Service, pod *corev1.Pod) err
 func checkPodPorts(service *corev1.Service, pod *corev1.Pod, podPorts []string, port int) error {
 	for _, sp := range service.Spec.Ports {
 		if int(sp.Port) == port {
-			for _, c := range pod.Spec.Containers {
+			for _, c := range append(pod.Spec.InitContainers, pod.Spec.Containers...) {
 				for _, cp := range c.Ports {
 					if cp.ContainerPort == sp.TargetPort.IntVal || cp.Name == sp.TargetPort.StrVal {
 						// The pod exposes a container port that would be
@@ -2544,7 +2544,7 @@ func checkServiceNamePorts(service *corev1.Service, pod *corev1.Pod, port int, s
 			// port to check.
 			continue
 		}
-		for _, c := range pod.Spec.Containers {
+		for _, c := range append(pod.Spec.InitContainers, pod.Spec.Containers...) {
 			for _, cp := range c.Ports {
 				if int(cp.ContainerPort) == port {
 					// This is the containerPort that maps to the opaque port

pkg/healthcheck/healthcheck_test.go

@@ -2973,6 +2973,62 @@ subsets:
 			},
 			expected: nil,
 		},
+		{
+			resources: []string{`
+apiVersion: v1
+kind: Service
+metadata:
+  name: svc
+  namespace: test-ns
+  annotations:
+    config.linkerd.io/opaque-ports: "9200"
+spec:
+  selector:
+    app: test
+  ports:
+  - name: test
+    port: 9200
+    targetPort: 9200
+`,
+				`
+apiVersion: v1
+kind: Pod
+metadata:
+  name: pod
+  namespace: test-ns
+  labels:
+    app: test
+spec:
+  initContainers:
+  - name: test
+    image: test
+    restartPolicy: Always
+    ports:
+    - name: test
+      containerPort: 9200
+`,
+				`
+apiVersion: v1
+kind: Endpoints
+metadata:
+  name: svc
+  namespace: test-ns
+subsets:
+- addresses:
+  - ip: 10.244.3.12
+    nodeName: nod
+    targetRef:
+      kind: Pod
+      name: pod
+      namespace: test-ns
+  ports:
+  - name: test
+    port: 9200
+    protocol: TCP
+`,
+			},
+			expected: fmt.Errorf("\t* service svc expects target port 9200 to be opaque; add it to pod pod config.linkerd.io/opaque-ports annotation"),
+		},
 	}
 
 	for i, tc := range testCases {