Set bind capability on Envoy binary

Dockerfile

@@ -8,6 +8,18 @@
 # prebuilt binaries in any other form.
 FROM envoyproxy/envoy-distroless:v1.25.9 as envoy-binary
 
+# Modify the envoy binary to be able to bind to privileged ports (< 1024)
+FROM alpine:latest AS envoy-setcap
+
+ARG BIN_NAME
+ARG TARGETARCH
+ARG TARGETOS
+
+COPY --from=envoy-binary /usr/local/bin/envoy /usr/local/bin/
+
+RUN apk add libcap
+RUN setcap cap_net_bind_service+ep /usr/local/bin/envoy
+
 # go-discover builds the discover binary (which we don't currently publish
 # either).
 FROM golang:1.20.7-alpine as go-discover
@@ -40,7 +52,7 @@ LABEL name=${BIN_NAME}\
       description="Consul dataplane manages the proxy that runs within the data plane layer of Consul Service Mesh."
 
 COPY --from=go-discover /go/bin/discover /usr/local/bin/
-COPY --from=envoy-binary /usr/local/bin/envoy /usr/local/bin/
+COPY --from=envoy-setcap /usr/local/bin/envoy /usr/local/bin/
 COPY --from=dumb-init /usr/bin/dumb-init /usr/local/bin/
 COPY dist/$TARGETOS/$TARGETARCH/$BIN_NAME /usr/local/bin/
 
@@ -80,7 +92,7 @@ RUN groupadd --gid 1000 $PRODUCT_NAME && \
 
 COPY dist/$TARGETOS/$TARGETARCH/$BIN_NAME /usr/local/bin/
 COPY --from=go-discover /go/bin/discover /usr/local/bin/
-COPY --from=envoy-binary /usr/local/bin/envoy /usr/local/bin/envoy
+COPY --from=envoy-setcap /usr/local/bin/envoy /usr/local/bin/envoy
 COPY --from=dumb-init /usr/bin/dumb-init /usr/local/bin/
 COPY LICENSE /licenses/copyright.txt