build(controller)!: eliminate policy-controller image (#14348)

Long ago, the policy-controller image shipped with a distroless base image, but
we have since been able to remove all runtime dependencies and ship with a
scratch image. There's no reason to manage this binary seperately from the rest
of the controller.

This change moves the controller/Dockerfile to Dockerfile.controller, and it is
updated to subsume the policy-controller/Dockerfile.

This should *not* impact users, except to reduce the overhead of extra image
pulls.

BREAKING CHANGE: with this change, we no longer ship a seperate
policy-controller image.

Author: olix0r

.github/workflows/integration.yml

@@ -102,7 +102,6 @@ jobs:
       matrix:
         component:
           - controller
-          - policy-controller
           - proxy
     timeout-minutes: 20
     steps:
@@ -216,7 +215,6 @@ jobs:
       - run: just policy-test-build
       - run: just k3d-k8s='${{ matrix.k8s }}' k3d-create
       - run: docker load <image-archives/controller.tar
-      - run: docker load <image-archives/policy-controller.tar
       - run: docker load <image-archives/proxy.tar
       - run: docker image ls
       - run: just linkerd-tag='${{ needs.meta.outputs.tag }}' linkerd-exec="$HOME/linkerd" linkerd-install
@@ -368,7 +366,7 @@ jobs:
           bin/scurl -v "https://raw.githubusercontent.com/k3d-io/k3d/${K3D_VERSION}/install.sh" | bash
       - name: Load docker images
         run: |
-          for img in controller policy-controller proxy; do
+          for img in controller proxy; do
             docker load <"image-archives/${img}.tar"
           done
       - run: docker image ls

.github/workflows/release.yml

@@ -42,14 +42,12 @@ jobs:
         component:
           - cli-bin
           - controller
-          - policy-controller
           - debug
           - jaeger-webhook
           - metrics-api
           - proxy
           - tap
           - web
-    # policy-controller docker builds have occasionally hit a 30-minute timeout.
     timeout-minutes: 45
     steps:
       - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8

policy-controller/Dockerfile renamed to Dockerfile.controller

@@ -1,4 +1,27 @@
-FROM --platform=$BUILDPLATFORM ghcr.io/linkerd/dev:v47-rust-musl AS controller
+# Precompile key slow-to-build dependencies
+FROM --platform=$BUILDPLATFORM golang:1.24-alpine AS go-deps
+WORKDIR /linkerd-build
+COPY go.mod go.sum ./
+COPY bin/install-deps bin/
+RUN go mod download
+ARG TARGETARCH
+RUN ./bin/install-deps $TARGETARCH
+
+## compile controller service
+FROM go-deps AS golang
+WORKDIR /linkerd-build
+COPY controller/gen controller/gen
+COPY pkg pkg
+COPY charts charts
+COPY controller controller
+COPY charts/patch charts/patch
+COPY charts/partials charts/partials
+COPY multicluster multicluster
+
+ARG TARGETARCH
+RUN CGO_ENABLED=0 GOOS=linux GOARCH=$TARGETARCH go build -o /out/controller -tags prod -mod=readonly -ldflags "-s -w" ./controller/cmd
+
+FROM --platform=$BUILDPLATFORM ghcr.io/linkerd/dev:v47-rust-musl AS policy
 ARG BUILD_TYPE="release"
 WORKDIR /build
 RUN mkdir -p target/bin
@@ -24,9 +47,17 @@ RUN --mount=type=cache,target=target \
         *) echo "unsupported architecture: $TARGETARCH" >&2; exit 1 ;; \
     esac) && \
     just-cargo CFLAGS_aarch64_unknown_linux_musl="" profile=$BUILD_TYPE target=$target build --package=linkerd-policy-controller && \
-    mv "target/$target/$BUILD_TYPE/linkerd-policy-controller" /tmp/
+    mkdir /out && mv "target/$target/$BUILD_TYPE/linkerd-policy-controller" /out/
 
-FROM scratch AS runtime
+## package runtime
+FROM scratch
 LABEL org.opencontainers.image.source=https://github.com/linkerd/linkerd2
-COPY --from=controller /tmp/linkerd-policy-controller /bin/
-ENTRYPOINT ["/bin/linkerd-policy-controller"]
+COPY LICENSE /linkerd/LICENSE
+COPY --from=golang /out/controller /controller
+COPY --from=policy /out/linkerd-policy-controller /
+# for heartbeat (https://versioncheck.linkerd.io/version.json)
+COPY --from=golang /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
+
+ARG LINKERD_VERSION
+ENV LINKERD_CONTAINER_VERSION_OVERRIDE=${LINKERD_VERSION}
+ENTRYPOINT ["/controller"]

bin/_docker.sh

@@ -33,7 +33,6 @@ export SUPPORTED_ARCHS=${SUPPORTED_ARCHS:-linux/amd64,linux/arm64}
 export DOCKER_IMAGES=(${DOCKER_IMAGES:-
     cli-bin
     controller
-    policy-controller
     metrics-api
     debug
     proxy

bin/_test-helpers.sh

@@ -17,7 +17,7 @@ export external_resource_test_names=(external-resources)
 # TODO(alpeb): add test cni-calico-deep-dual-stack
 export dual_stack_test_names=(deep-dual-stack)
 export all_test_names=(cluster-domain cni-calico-deep multicluster "${default_test_names[*]}" "${external_resource_test_names[*]}" "${dual_stack_test_names[*]}")
-images_load_default=(proxy controller policy-controller web metrics-api tap)
+images_load_default=(proxy controller web metrics-api tap)
 
 tests_usage() {
   progname=${0##*/}

bin/docker-build

@@ -11,7 +11,6 @@ bindir=$( cd "${0%/*}" && pwd )
 
 "$bindir"/docker-build-proxy
 "$bindir"/docker-build-controller
-"$bindir"/docker-build-policy-controller
 "$bindir"/docker-build-web
 "$bindir"/docker-build-debug
 if [ -z "${LINKERD_LOCAL_BUILD_CLI:-}" ]; then

bin/docker-build-controller

@@ -15,5 +15,4 @@ rootdir=$( cd "$bindir"/.. && pwd )
 # shellcheck source=_tag.sh
 . "$bindir"/_tag.sh
 
-dockerfile=$rootdir/controller/Dockerfile
-docker_build controller "${TAG:-$(head_root_tag)}" "$dockerfile" --build-arg LINKERD_VERSION="${TAG:-$(head_root_tag)}"
+docker_build controller "${TAG:-$(head_root_tag)}" "$rootdir/Dockerfile.controller" --build-arg LINKERD_VERSION="${TAG:-$(head_root_tag)}"

bin/docker-build-policy-controller

@@ -337,7 +337,8 @@ spec:
         - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
           name: kube-api-access
           readOnly: true
-      - args:
+      - command: ["/linkerd-policy-controller"]
+        args:
         - --admin-addr={{ if .Values.disableIPv6 }}0.0.0.0{{ else }}[::]{{ end }}:9990
         - --control-plane-namespace={{.Release.Namespace}}
         - --grpc-addr={{ if .Values.disableIPv6 }}0.0.0.0{{ else }}[::]{{ end }}:8090
@@ -361,8 +362,8 @@ spec:
         {{- range .Values.policyController.experimentalArgs }}
         - {{ . }}
         {{- end }}
-        image: {{.Values.policyController.image.name}}:{{.Values.policyController.image.version | default .Values.linkerdVersion}}
-        imagePullPolicy: {{.Values.policyController.image.pullPolicy | default .Values.imagePullPolicy}}
+        image: {{ .Values.controllerImage }}:{{ .Values.controllerImageVersion | default .Values.linkerdVersion }}
+        imagePullPolicy: {{ .Values.imagePullPolicy }}
         livenessProbe:
           httpGet:
             path: /live

charts/linkerd-control-plane/templates/destination.yaml

@@ -80,15 +80,7 @@ runtimeClassName: ""
 
 # policy controller configuration
 policyController:
-  image:
-    # -- Docker image for the policy controller
-    name: cr.l5d.io/linkerd/policy-controller
-    # -- Pull policy for the policy controller container image
-    # @default -- imagePullPolicy
-    pullPolicy: ""
-    # -- Tag for the policy controller container image
-    # @default -- linkerdVersion
-    version: ""
+  # `image` has been removed.
 
   # -- Log level for the policy controller
   logLevel: info