This repository has been archived by the owner on Jul 21, 2023. It is now read-only.

Remove OpenSSL dependency in facilitator #451

Closed
tgeoghegan opened this issue Mar 1, 2021 · 5 comments

Comments

@tgeoghegan (Contributor)

tgeoghegan commented Mar 1, 2021

The facilitator Dockerfile currently has to play some games to install OpenSSL and statically link it. If I remember right, this was necessary to enable Prometheus push support. We no longer push metrics from facilitator (we instead have a more conventional scrape endpoint, and it doesn't use TLS because it is only exposed within the cluster), and have disabled the push feature on the prometheus crate, so we should check whether it still needs OpenSSL at all. If not, we can simplify our Dockerfile and reduce image size a good bit. If we still do need OpenSSL, we should look into upstreaming a change to prometheus so it can use rustls instead of OpenSSL.

@tgeoghegan (Contributor, Author)

AFAICT prometheus no longer pulls in openssl, which is great! It looks like the only reason we pull in the openssl crate is via the kube dependency, and we should be able to configure it to use rustls (though the kube authors note some caveats, which might only apply to macOS).

rustls-native-certs pulls in openssl-probe, but it doesn't look like that uses the OpenSSL library (I'm guessing it just checks for a CA cert bundle installed by OpenSSL) so that should be harmless.

tgeoghegan added a commit that referenced this issue Jun 16, 2021
We now configure `kube` to use `rustls`, removing our dependency on any
native TLS implementation which ends up pulling in OpenSSL. This means
we no longer need to install `openssl-dev` when building the
`facilitator` Docker image, nor do we need to play special games to
statically link it on Alpine.

We still end up depending on
[`openssl-probe`](https://crates.io/crates/openssl-probe), but that
crate doesn't actually link OpenSSL and so is harmless.

This commit also separates the `prio-facilitator` Dockerfile so that we
copy just the compiled binary from the builder container into the image
we run, which cuts down image size by ~500 MB.

Closes #451
@tgeoghegan (Contributor, Author)

While I was able to configure the kube dependency to use rustls, we sadly can't use this: we connect to the Kubernetes API server from within the cluster by IP, and kube+rustls don't support that.

@tgeoghegan (Contributor, Author)

Branch timg/kube-no-openssl has changes that accomplished this in June 2021, which some future PR could be based on.

@tgeoghegan (Contributor, Author)

The blocking kube-rs issue has been fixed, so hopefully we can drop the OpenSSL dependency once a new kube crate gets released!

tgeoghegan added a commit that referenced this issue Aug 2, 2021
This commit restores some of the changes from #737 in order to emit
smaller container images.
 - build `facilitator` with release profile
 - build binary in a builder container based on `rust:alpine`, then ship
   a smaller image based on `alpine` containing just the statically
   linked binary

We can't remove the OpenSSL dependency until kube-rs/kube-rs/597 is
released, but this change takes our image size down to ~30 MB from >2
GB.

Related to #451
@tgeoghegan (Contributor, Author)

kube-rs 0.59.0 has what we need, and the crate is available, too. Once we take that (not sure why dependabot hasn't made a PR yet, the crate was published 18 days ago), we can scrub the OpenSSL stuff from the facilitator Dockerfile.
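The build layout the commit messages above describe (release build in a `rust:alpine` builder stage, then an `alpine` runtime stage holding only the statically linked binary, with no OpenSSL dev package installed) looks roughly like the following. This is an added illustration, not the project's own Dockerfile; it assumes the binary is named `facilitator`, that the source tree is copied to `/src`, that TLS is provided by rustls (the `kube` crate configured with its `rustls-tls` feature in `Cargo.toml`), and that a CA bundle is needed at runtime for `rustls-native-certs` to find.

```dockerfile
# Stage 1: build a statically linked release binary.
# rust:alpine targets musl, so `cargo build` yields a static binary once the
# static libc from musl-dev is present. No openssl-dev is needed because TLS
# comes from rustls, a pure-Rust implementation.
FROM rust:alpine AS builder
RUN apk add --no-cache musl-dev
WORKDIR /src
# Assumption: the crate source (Cargo.toml, Cargo.lock, src/) lives in the build context.
COPY . .
# --locked refuses to build if Cargo.lock would change, so the image only
# ever contains the dependency versions that were reviewed.
RUN cargo build --release --locked

# Stage 2: a minimal runtime image containing just the binary.
# Nothing from the builder (toolchain, sources, intermediate objects) is copied,
# which is what takes the image from gigabytes down to tens of megabytes.
FROM alpine
# ca-certificates supplies the CA bundle rustls-native-certs (via openssl-probe)
# looks for; openssl-probe only locates the bundle, it does not link libssl.
RUN apk add --no-cache ca-certificates \
    && adduser -D -H -u 10001 facilitator
# Assumption: the release binary is at target/release/facilitator in the builder.
COPY --from=builder /src/target/release/facilitator /usr/local/bin/facilitator
# Run as an unprivileged user; the binary needs no root capabilities.
USER facilitator
ENTRYPOINT ["/usr/local/bin/facilitator"]
```

Running `ldd /usr/local/bin/facilitator` inside the final image should report that the binary is statically linked, confirming that no shared libssl or libcrypto is required at runtime.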
