facilitator: remove OpenSSL dependency #737
We now configure `kube` to use `rustls`, removing our dependency on any native TLS implementation which ends up pulling in OpenSSL. This means we no longer need to install `openssl-dev` when building the `facilitator` Docker image, nor do we need to play special games to statically link it on Alpine.

We still end up depending on [`openssl-probe`](https://crates.io/crates/openssl-probe), but that crate doesn't actually link OpenSSL and so is harmless.

This commit also separates the `prio-facilitator` Dockerfile so that we copy just the compiled binary from the builder container into the image we run, which cuts down image size by ~500 MB.

Closes #451
With these changes, a I still need to test this in both GKE and EKS to make sure that the changes to the |
Codecov Report
```
@@           Coverage Diff           @@
##             main     #737   +/-   ##
=======================================
  Coverage   57.50%   57.50%
=======================================
  Files          34       34
  Lines        5817     5817
=======================================
  Hits         3345     3345
  Misses       2434     2434
  Partials       38       38
```
This is such an exciting change!!

Woo this is great! Incidentally should we maybe switch to release builds of facilitator now?

I gave this a whirl in my dev cluster and unfortunately it doesn't work: #451 (comment) Hopefully someday upstream will integrate the changes we need to do this. In the meantime, I'm going to close this, since I highly doubt it'll merge cleanly by the time that happens.
This commit restores some of the changes from #737 in order to emit smaller container images.

- build `facilitator` with release profile
- build binary in a builder container based on `rust:alpine`, then ship a smaller image based on `alpine` containing just the statically linked binary

We can't remove the OpenSSL dependency until kube-rs/kube-rs/597 is released, but this change takes our image size down to ~30 MB from >2 GB.

Related to #451
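Whether a TLS backend switch like the one discussed above really removed OpenSSL can be checked from `Cargo.lock`: the sketch below (an added example, not code from this PR or the `facilitator` repository) lists each locked crate that links OpenSSL together with the crates that pull it in, and does not flag `openssl-probe`. The deny list, the simplified line-based parsing, the sample lockfile text and the crate name `some-client` are assumptions made for the example.

```rust
// Crates that bind a native OpenSSL library (assumed deny list). `openssl-probe`
// is left out on purpose: it only locates CA certificate paths.
const LINKS_OPENSSL: [&str; 3] = ["openssl-sys", "openssl", "native-tls"];
/// Parse Cargo.lock text into (package name, direct dependency names).
fn parse_lock(lock: &str) -> Vec<(String, Vec<String>)> {
    let (mut pkgs, mut in_deps) = (Vec::<(String, Vec<String>)>::new(), false);
    for line in lock.lines().map(str::trim) {
        if line == "[[package]]" {
            pkgs.push((String::new(), Vec::new()));
        } else if let Some(name) = line.strip_prefix("name = ") {
            if let Some(p) = pkgs.last_mut() { p.0 = name.trim_matches('"').to_string(); }
        } else if line == "dependencies = [" || line == "]" {
            in_deps = line != "]";
        } else if in_deps {
            // An entry is "name", or "name version" when the name alone is ambiguous.
            let dep = line.trim_matches(|c: char| c == '"' || c == ',');
            if let (Some(p), Some(n)) = (pkgs.last_mut(), dep.split_whitespace().next()) {
                p.1.push(n.to_string());
            }
        }
    }
    pkgs
}

/// For each locked crate that links OpenSSL, list the crates that pull it in.
fn openssl_pullers(lock: &str) -> Vec<(String, Vec<String>)> {
    let (pkgs, mut found) = (parse_lock(lock), Vec::new());
    for &bad in LINKS_OPENSSL.iter() {
        if pkgs.iter().any(|p| p.0 == bad) {
            let parents: Vec<String> = pkgs.iter()
                .filter(|p| p.1.iter().any(|d| d == bad))
                .map(|p| p.0.clone()).collect();
            found.push((bad.to_string(), parents));
        }
    }
    found
}

// Constructed, trimmed lockfile text; `some-client` is a hypothetical crate.
const SAMPLE: &str = "[[package]]\nname = \"some-client\"\ndependencies = [\n\
    \"native-tls\",\n\"openssl-probe\",\n]\n[[package]]\nname = \"native-tls\"\n\
    dependencies = [\n\"openssl-sys 0.0.0\",\n]\n[[package]]\nname = \"openssl-sys\"\n\
    [[package]]\nname = \"openssl-probe\"\n";

fn main() {
    for (krate, parents) in openssl_pullers(SAMPLE) {
        println!("{} is in the lockfile, pulled in by {:?}", krate, parents);
    }
}
```

An empty result is what a build that uses only `rustls` should produce; a non-empty one names the direct dependents to look at.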