Remove OpenSSL dependency in facilitator #451
Comments
AFAICT
|
We now configure `kube` to use `rustls`, removing our dependency on any native TLS implementation which ends up pulling in OpenSSL. This means we no longer need to install `openssl-dev` when building the `facilitator` Docker image, nor do we need to play special games to statically link it on Alpine. We still end up depending on [`openssl-probe`](https://crates.io/crates/openssl-probe), but that crate doesn't actually link OpenSSL and so is harmless. This commit also separates the `prio-facilitator` Dockerfile so that we copy just the compiled binary from the builder container into the image we run, which cuts down image size by ~500 MB. Closes #451
While I was able to configure the |
Branch timg/kube-no-openssl has changes that accomplished this in June 2021, which some future PR could be based on. |
The blocking |
This commit restores some of the changes from #737 in order to emit smaller container images.

- build `facilitator` with release profile
- build binary in a builder container based on `rust:alpine`, then ship a smaller image based on `alpine` containing just the statically linked binary

We can't remove the OpenSSL dependency until kube-rs/kube-rs/597 is released, but this change takes our image size down to ~30 MB from >2 GB. Related to #451
|
The `facilitator` Dockerfile currently has to play some games to install OpenSSL and statically link it. If I remember right, this was necessary to enable Prometheus push support. We no longer push metrics from `facilitator` (we instead have a more conventional scrape endpoint, and it doesn't use TLS because it is only exposed within the cluster), and have disabled the `push` feature on the `prometheus` crate, so we should check whether it still needs OpenSSL at all. If not, we can simplify our Dockerfile and reduce image size a good bit. If we still do need OpenSSL, we should look into upstreaming a change to `prometheus` so it can use `rustls` instead of OpenSSL.
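One way to run the check this issue asks for ("whether it still needs OpenSSL at all") is to scan the resolved `Cargo.lock`. The script below is an added example, not code from this repository; the function names, the list of flagged crates and the sample lockfiles are assumptions made for illustration.

```shell
# Added example, not project code: flag crates in a Cargo.lock that build or link
# OpenSSL. The crate list is this example's assumption; openssl-probe is left out
# on purpose because it only locates CA certificate paths.
OPENSSL_CRATES="openssl openssl-sys openssl-src native-tls"

# Print "name version" for every flagged [[package]] entry in lockfile $1.
find_openssl_crates() {
    awk -v wanted="$OPENSSL_CRATES" '
        BEGIN { n = split(wanted, w, " "); for (i = 1; i <= n; i++) flag[w[i]] = 1 }
        /^\[\[package\]\]/ { name = ""; next }
        /^name = /    { name = $3; gsub(/"/, "", name); next }
        /^version = / { v = $3; gsub(/"/, "", v); if (name in flag) print name, v }
    ' "$1"
}

# Return 0 if lockfile $1 has none of those crates, 1 if it does, 2 if unreadable.
check_no_openssl() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
    found=$(find_openssl_crates "$1")
    [ -z "$found" ] && return 0
    printf 'OpenSSL-linked crates in %s:\n%s\n' "$1" "$found" >&2
    return 1
}

# Write two constructed lockfiles into directory $1 (versions are made up).
write_sample_locks() {
    cat > "$1/native.lock" <<'EOF'
[[package]]
name = "native-tls"
version = "0.0.1"
dependencies = [
 "openssl",
 "openssl-probe",
]
[[package]]
name = "openssl-sys"
version = "0.0.2"
EOF
    cat > "$1/rustls.lock" <<'EOF'
[[package]]
name = "openssl-probe"
version = "0.0.3"
[[package]]
name = "rustls"
version = "0.0.4"
EOF
}
# Usage: sh check.sh path/to/Cargo.lock   (a non-zero exit fails the CI step)
if [ "$#" -gt 0 ]; then check_no_openssl "$1" || exit $?; fi
```

Run as a build step, this fails as soon as a dependency update brings a native TLS crate back into the lockfile.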