This repository has been archived by the owner on Jul 21, 2023. It is now read-only.

facilitator: remove OpenSSL dependency #737

Status: Closed. Wants to merge 2 commits.
Conversation

tgeoghegan (Collaborator):

We now configure `kube` to use `rustls`, removing our dependency on any
native TLS implementation which ends up pulling in OpenSSL. This means
we no longer need to install `openssl-dev` when building the
`facilitator` Docker image, nor do we need to play special games to
statically link it on Alpine.

We still end up depending on
[`openssl-probe`](https://crates.io/crates/openssl-probe), but that
crate doesn't actually link OpenSSL and so is harmless.

This commit also separates the `prio-facilitator` Dockerfile so that we
copy just the compiled binary from the builder container into the image
we run, which cuts down image size by ~500 MB.

Closes #451

@tgeoghegan (Collaborator, Author):

With these changes, a `prio-facilitator` image tarball (`podman save --format oci-archive letsencrypt/prio-facilitator`) is ~240 MB, down from 791 MB. The vast majority of that is from not including intermediate build products (`facilitator/target`) in the final image.

I still need to test this in both GKE and EKS to make sure that the changes to the prio-facilitator image content don't somehow break DNS or something.

@codecov-commenter

codecov-commenter commented Jun 16, 2021

Codecov Report

Merging #737 (c71dacc) into main (42ff45e) will not change coverage.
The diff coverage is n/a.

@@           Coverage Diff           @@
##             main     #737   +/-   ##
=======================================
  Coverage   57.50%   57.50%           
=======================================
  Files          34       34           
  Lines        5817     5817           
=======================================
  Hits         3345     3345           
  Misses       2434     2434           
  Partials       38       38           
Flag Coverage Δ
deploy_operator_tests 76.78% <ø> (ø)
deploy_tool_tests ∅ <ø> (∅)
facilitator_tests 61.62% <ø> (ø)
manifest_updater_tests 6.81% <ø> (ø)
task_replayer_tests ∅ <ø> (∅)
workflow_manager_tests 38.89% <ø> (ø)

Legend: Δ = absolute <relative> (impact), ø = not affected, ? = missing data

@aaomidi (Contributor):

aaomidi commented Jun 16, 2021

This is such an exciting change!!

@jsha (Contributor):

jsha commented Jun 17, 2021

Woo this is great! Incidentally should we maybe switch to release builds of facilitator now?

@tgeoghegan (Collaborator, Author):

I gave this a whirl in my dev cluster and unfortunately it doesn't work: #451 (comment)

Hopefully someday upstream will integrate the changes we need to do this. In the meantime, I'm going to close this, since I highly doubt it'll merge cleanly by the time that happens.

@tgeoghegan tgeoghegan closed this Jun 21, 2021
tgeoghegan added a commit that referenced this pull request Aug 2, 2021
This commit restores some of the changes from #737 in order to emit
smaller container images.
 - build `facilitator` with release profile
 - build binary in a builder container based on `rust:alpine`, then ship
   a smaller image based on `alpine` containing just the statically
   linked binary

We can't remove the OpenSSL dependency until kube-rs/kube-rs/597 is
released, but this change takes our image size down to ~30 MB from >2
GB.

Related to #451
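As an added example (not the project's own Dockerfile, and not code from the PR or the commit message above), here is a multi-stage build matching the layout both the PR description and the Aug 2 commit describe: compile `facilitator` with the release profile in a `rust:alpine` builder stage, then copy only the resulting statically linked binary into a plain `alpine` runtime image so that nothing under `target/` reaches the shipped layer. The build context being the `facilitator` crate directory, the `musl-dev` package, the non-root `app` user and the pinned `alpine:3.18` tag are assumptions made for the example.

```dockerfile
# Stage 1: build a statically linked release binary on the musl toolchain.
# (Added example; paths and package choices are assumptions, not the project's.)
FROM rust:alpine AS builder

# musl-dev supplies the C runtime objects the linker needs. Deliberately
# no openssl-dev: if any crate still needs openssl-sys, the link step fails
# here instead of silently producing a dynamically linked binary.
RUN apk add --no-cache musl-dev

WORKDIR /src
# Copy manifests before sources so the dependency build layer is cached
# across source-only edits.
COPY Cargo.toml Cargo.lock ./
COPY src ./src

# --release: optimised, much smaller binary than the dev profile.
# --locked: refuse to build if Cargo.lock is stale, so the image contains
# exactly the dependency set that was reviewed.
RUN cargo build --release --locked

# Stage 2: runtime image. Only the binary is copied; /src/target stays behind.
FROM alpine:3.18

# Run as an unprivileged user rather than root inside the container.
RUN addgroup -S app && adduser -S -G app app

COPY --from=builder /src/target/release/facilitator /usr/local/bin/facilitator

USER app
ENTRYPOINT ["/usr/local/bin/facilitator"]
```

Two checks worth running against a build like this: `cargo tree -i openssl-sys` in the crate directory names every crate that still pulls OpenSSL in (it prints nothing once the dependency is really gone), and `ldd` on the copied binary should report that it is not a dynamic executable. As the commit message above notes, the OpenSSL dependency cannot be removed until kube-rs/kube-rs/597 is released; until then the builder stage additionally has to install OpenSSL's headers and static libraries and link them statically (the "special games" the PR description refers to), otherwise the runtime image would also need the shared OpenSSL libraries.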
@tgeoghegan tgeoghegan deleted the timg/kube-no-openssl branch October 12, 2022 19:23
Successfully merging this pull request may close these issues.

Remove OpenSSL dependency in facilitator
4 participants