Remove unified image

From now on, we will only publish the new "split" images
(e.g., antrea/antrea-agent-ubuntu and antrea/antrea-controller-ubuntu).

For antrea-io#4832

Signed-off-by: Antonin Bas <[email protected]>

.github/workflows/build.yml

@@ -50,10 +50,8 @@ jobs:
       run: |
         echo "$DOCKER_PASSWORD" | docker login -u "$DOCKER_USERNAME" --password-stdin
         ./hack/build-antrea-linux-all.sh --pull --push-base-images
-        docker tag antrea/antrea-ubuntu:latest antrea/antrea-ubuntu-amd64:latest
         docker tag antrea/antrea-controller-ubuntu:latest antrea/antrea-controller-ubuntu-amd64:latest
         docker tag antrea/antrea-agent-ubuntu:latest antrea/antrea-agent-ubuntu-amd64:latest
-        docker push antrea/antrea-ubuntu-amd64:latest
         docker push antrea/antrea-controller-ubuntu-amd64:latest
         docker push antrea/antrea-agent-ubuntu-amd64:latest
     - name: Trigger Antrea arm builds and multi-arch manifest update
@@ -96,7 +94,6 @@ jobs:
       run: |
         echo "$DOCKER_PASSWORD" | docker login -u "$DOCKER_USERNAME" --password-stdin
         ./hack/build-antrea-linux-all.sh --pull --push-base-images --distro ubi
-        docker push antrea/antrea-ubi:latest
         docker push antrea/antrea-agent-ubi:latest
         docker push antrea/antrea-controller-ubi:latest
 

.github/workflows/build_tag.yml

@@ -34,10 +34,8 @@ jobs:
       run: |
         ./hack/build-antrea-linux-all.sh --pull
         echo "$DOCKER_PASSWORD" | docker login -u "$DOCKER_USERNAME" --password-stdin
-        docker tag antrea/antrea-ubuntu:"${VERSION}" antrea/antrea-ubuntu-amd64:"${VERSION}"
         docker tag antrea/antrea-agent-ubuntu:"${VERSION}" antrea/antrea-agent-ubuntu-amd64:"${VERSION}"
         docker tag antrea/antrea-controller-ubuntu:"${VERSION}" antrea/antrea-controller-ubuntu-amd64:"${VERSION}"
-        docker push antrea/antrea-ubuntu-amd64:"${VERSION}"
         docker push antrea/antrea-agent-ubuntu-amd64:"${VERSION}"
         docker push antrea/antrea-controller-ubuntu-amd64:"${VERSION}"
     - name: Trigger Antrea arm builds and multi-arch manifest update
@@ -64,7 +62,6 @@ jobs:
         run: |
           ./hack/build-antrea-linux-all.sh --pull --distro ubi
           echo "$DOCKER_PASSWORD" | docker login -u "$DOCKER_USERNAME" --password-stdin
-          docker push antrea/antrea-ubi:"${VERSION}"
           docker push antrea/antrea-agent-ubi:"${VERSION}"
           docker push antrea/antrea-controller-ubi:"${VERSION}"
 

.github/workflows/conformance.yml

@@ -74,6 +74,8 @@ jobs:
           sudo mv kind /usr/local/bin
       - name: Create K8s cluster
         run: |
+          # If an image does not exist (unified vs split), a warning will be printed, but the script
+          # execution will not fail.
           images=()
           images+=(antrea/antrea-controller-${{ inputs.antrea-image-distro }}:${{ steps.check-release.outputs.image-tag }})
           images+=(antrea/antrea-agent-${{ inputs.antrea-image-distro }}:${{ steps.check-release.outputs.image-tag }})

.github/workflows/trivy_scan.yml

@@ -18,7 +18,6 @@ jobs:
     if: github.repository == 'antrea-io/antrea'
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v4
     - name: Find greatest Antrea version
       id: find-antrea-greatest-version
       env:
@@ -32,33 +31,56 @@ jobs:
     - name: Pull Antrea Docker images
       id: pull
       run: |
-        docker pull antrea/antrea-ubuntu:latest
-        docker pull antrea/antrea-ubuntu:${{ steps.find-antrea-greatest-version.outputs.antrea_version }}
-    - name: Run Trivy vulnerability scanner on latest Antrea Docker image
+        docker pull antrea/antrea-agent-ubuntu:latest
+        docker pull antrea/antrea-agent-ubuntu:${{ steps.find-antrea-greatest-version.outputs.antrea_version }}
+        docker pull antrea/antrea-controller-ubuntu:latest
+        docker pull antrea/antrea-controller-ubuntu:${{ steps.find-antrea-greatest-version.outputs.antrea_version }}
+    - name: Run Trivy vulnerability scanner on latest antrea-agent Docker image
       if: ${{ always() && steps.pull.conclusion == 'success' }}
       uses: aquasecurity/[email protected]
       # we cannot use .trivy.yml as we need to override some config parameters
       # and that is not supported by aquasecurity/trivy-action
       with:
         scan-type: 'image'
-        image-ref: 'antrea/antrea-ubuntu:latest'
+        image-ref: 'antrea/antrea-agent-ubuntu:latest'
         exit-code: '1'
         ignore-unfixed: true
         severity: 'CRITICAL,HIGH'
-        # whereabouts project doesn't upgrade dependencies frequently
-        skip-files: '/opt/cni/bin/whereabouts'
         format: 'table'
         output: 'trivy.latest.txt'
-    - name: Run Trivy vulnerability scanner on Antrea Docker image for latest released version
+    - name: Run Trivy vulnerability scanner on latest antrea-controller Docker image
+      if: ${{ always() && steps.pull.conclusion == 'success' }}
+      uses: aquasecurity/[email protected]
+      # we cannot use .trivy.yml as we need to override some config parameters
+      # and that is not supported by aquasecurity/trivy-action
+      with:
+        scan-type: 'image'
+        image-ref: 'antrea/antrea-controller-ubuntu:latest'
+        exit-code: '1'
+        ignore-unfixed: true
+        severity: 'CRITICAL,HIGH'
+        format: 'table'
+        output: 'trivy.latest.txt'
+    - name: Run Trivy vulnerability scanner on antrea-agent Docker image for latest released version
+      if: ${{ always() && steps.pull.conclusion == 'success' }}
+      uses: aquasecurity/[email protected]
+      with:
+        scan-type: 'image'
+        image-ref: 'antrea/antrea-agent-ubuntu:${{ steps.find-antrea-greatest-version.outputs.antrea_version }}'
+        exit-code: '1'
+        ignore-unfixed: true
+        severity: 'CRITICAL,HIGH'
+        format: 'table'
+        output: 'trivy.${{ steps.find-antrea-greatest-version.outputs.antrea_version }}.txt'
+    - name: Run Trivy vulnerability scanner on antrea-controller Docker image for latest released version
       if: ${{ always() && steps.pull.conclusion == 'success' }}
       uses: aquasecurity/[email protected]
       with:
         scan-type: 'image'
-        image-ref: 'antrea/antrea-ubuntu:${{ steps.find-antrea-greatest-version.outputs.antrea_version }}'
+        image-ref: 'antrea/antrea-controller-ubuntu:${{ steps.find-antrea-greatest-version.outputs.antrea_version }}'
         exit-code: '1'
         ignore-unfixed: true
         severity: 'CRITICAL,HIGH'
-        skip-files: '/opt/cni/bin/whereabouts'
         format: 'table'
         output: 'trivy.${{ steps.find-antrea-greatest-version.outputs.antrea_version }}.txt'
     - name: Upload Trivy scan reports

.github/workflows/trivy_scan_before_release.yml

@@ -1,4 +1,4 @@
-name: Scan Antrea Docker image for vulnerabilities before release
+name: Scan Antrea Docker images for vulnerabilities before release
 
 on:
   pull_request:
@@ -14,12 +14,6 @@ jobs:
     - name: Build Antrea Docker image
       run: |
         ./hack/build-antrea-linux-all.sh --pull
-    - name: Run Trivy vulnerability scanner on Antrea unified Docker image
-      uses: aquasecurity/[email protected]
-      with:
-        scan-type: 'image'
-        image-ref: 'antrea/antrea-ubuntu:latest'
-        trivy-config: '.trivy.yml'
     - name: Run Trivy vulnerability scanner on the antrea-agent Docker image
       uses: aquasecurity/[email protected]
       with:

Makefile

@@ -335,11 +335,17 @@ mockgen:
 
 ### Docker images ###
 
+# This target is for development only. It assumes that "make bin" has been run previously and will
+# copy the local binaries to the Docker image, instead of building the binaries inside the image as
+# part of the Docker build.
+
 .PHONY: ubuntu
 ubuntu:
-	@echo "===> Building antrea/antrea-ubuntu Docker image <==="
-	docker build -t antrea/antrea-ubuntu:$(DOCKER_IMG_VERSION) -f build/images/Dockerfile.ubuntu $(DOCKER_BUILD_ARGS) .
-	docker tag antrea/antrea-ubuntu:$(DOCKER_IMG_VERSION) antrea/antrea-ubuntu
+	@echo "===> Building antrea/antrea-agent-ubuntu and antrea/antrea-controller-ubuntu development Docker images <==="
+	docker build -t antrea/antrea-agent-ubuntu:$(DOCKER_IMG_VERSION) -f build/images/Dockerfile.agent.ubuntu $(DOCKER_BUILD_ARGS) .
+	docker tag antrea/antrea-agent-ubuntu:$(DOCKER_IMG_VERSION) antrea/antrea-agent-ubuntu
+	docker build -t antrea/antrea-controller-ubuntu:$(DOCKER_IMG_VERSION) -f build/images/Dockerfile.controller.ubuntu $(DOCKER_BUILD_ARGS) .
+	docker tag antrea/antrea-controller-ubuntu:$(DOCKER_IMG_VERSION) antrea/antrea-controller-ubuntu
 
 .PHONY: build-controller-ubuntu
 build-controller-ubuntu:
@@ -353,19 +359,14 @@ build-agent-ubuntu:
 	docker build -t antrea/antrea-agent-ubuntu:$(DOCKER_IMG_VERSION) -f build/images/Dockerfile.build.agent.ubuntu $(DOCKER_BUILD_ARGS) .
 	docker tag antrea/antrea-agent-ubuntu:$(DOCKER_IMG_VERSION) antrea/antrea-agent-ubuntu
 
-# Build bins in a golang container, and build the antrea-ubuntu Docker image.
+# These 2 targets are here for "backwards-compatibility". They will build the agent and controller
+# images for the requested distribution.
+
 .PHONY: build-ubuntu
-build-ubuntu:
-	@echo "===> Building Antrea bins and antrea/antrea-ubuntu Docker image <==="
-	docker build -t antrea/antrea-ubuntu:$(DOCKER_IMG_VERSION) -f build/images/Dockerfile.build.ubuntu $(DOCKER_BUILD_ARGS) .
-	docker tag antrea/antrea-ubuntu:$(DOCKER_IMG_VERSION) antrea/antrea-ubuntu
+build-ubuntu: build-agent-ubuntu build-controller-ubuntu
 
-# Build bins in a golang container, and build the antrea-ubi Docker image.
 .PHONY: build-ubi
-build-ubi:
-	@echo "===> Building Antrea bins and antrea/antrea-ubi Docker image <==="
-	docker build -t antrea/antrea-ubi:$(DOCKER_IMG_VERSION) -f build/images/Dockerfile.build.ubi $(DOCKER_BUILD_ARGS) .
-	docker tag antrea/antrea-ubi:$(DOCKER_IMG_VERSION) antrea/antrea-ubi
+build-ubi: build-agent-ubi build-controller-ubi
 
 .PHONY: build-agent-ubi
 build-agent-ubi:
@@ -386,10 +387,7 @@ build-windows:
 	docker tag antrea/antrea-windows:$(DOCKER_IMG_VERSION) antrea/antrea-windows
 
 .PHONY: build-ubuntu-coverage
-build-ubuntu-coverage:
-	@echo "===> Building Antrea bins and antrea/antrea-ubuntu-coverage Docker image <==="
-	docker build -t antrea/antrea-ubuntu-coverage:$(DOCKER_IMG_VERSION) -f build/images/Dockerfile.build.coverage $(DOCKER_BUILD_ARGS) .
-	docker tag antrea/antrea-ubuntu-coverage:$(DOCKER_IMG_VERSION) antrea/antrea-ubuntu-coverage
+build-ubuntu-coverage: build-controller-ubuntu-coverage build-agent-ubuntu-coverage
 
 .PHONY: build-controller-ubuntu-coverage
 build-controller-ubuntu-coverage:

ci/jenkins/test-vmc.sh

@@ -457,22 +457,36 @@ function deliver_antrea {
     fi
 
     echo "====== Pulling old Antrea images ======"
-    if [[ ${DOCKER_REGISTRY} != "" ]]; then
-        docker pull ${DOCKER_REGISTRY}/antrea/antrea-ubuntu:$OLD_ANTREA_VERSION
+    # Old Antrea versions can either use a unified image (pre v1.15) or split images.
+    local old_agent_image=""
+    if version_lt "$OLD_ANTREA_VERSION" v1.15; then
+        if [[ ${DOCKER_REGISTRY} != "" ]]; then
+            docker pull ${DOCKER_REGISTRY}/antrea/antrea-ubuntu:$OLD_ANTREA_VERSION
+            docker tag ${DOCKER_REGISTRY}/antrea/antrea-ubuntu:$OLD_ANTREA_VERSION antrea/antrea-ubuntu:$OLD_ANTREA_VERSION
+        else
+            docker pull antrea/antrea-ubuntu:$OLD_ANTREA_VERSION
+        fi
+        old_agent_image="antrea/antrea-ubuntu:$OLD_ANTREA_VERSION"
+        agent_image="docker.io/antrea/antrea-ubuntu"
     else
-        docker pull antrea/antrea-ubuntu:$OLD_ANTREA_VERSION
+        if [[ ${DOCKER_REGISTRY} != "" ]]; then
+            docker pull ${DOCKER_REGISTRY}/antrea/antrea-agent-ubuntu:$OLD_ANTREA_VERSION
+            docker tag ${DOCKER_REGISTRY}/antrea/antrea-agent-ubuntu:$OLD_ANTREA_VERSION antrea/antrea-ubuntu:$OLD_ANTREA_VERSION
+        else
+            docker pull antrea/antrea-agent-ubuntu:$OLD_ANTREA_VERSION
+        fi
+        old_agent_image="antrea/antrea-agent-ubuntu:$OLD_ANTREA_VERSION"
     fi
 
     echo "====== Delivering old Antrea images to all the Nodes ======"
-    docker save -o antrea-ubuntu-old.tar antrea/antrea-ubuntu:$OLD_ANTREA_VERSION
+    docker save -o antrea-ubuntu-old.tar $old_agent_image
     node_num=$(kubectl get nodes --no-headers=true | wc -l)
-    antrea_image="antrea-ubuntu"
     for i in "${!IPs[@]}"
     do
         # We want old-versioned Antrea agents to be more than half in cluster
         if [[ $i -ge $((${node_num}/2)) ]]; then
             # Tag old image to latest if we want Antrea agent to be old-versioned
-            copy_image antrea-ubuntu-old.tar docker.io/antrea/antrea-ubuntu ${IPs[$i]} $OLD_ANTREA_VERSION false
+            copy_image antrea-ubuntu-old.tar docker.io/antrea/antrea-agent-ubuntu ${IPs[$i]} $OLD_ANTREA_VERSION false
         fi
     done
 }

docs/antctl.md

@@ -42,10 +42,11 @@ running in three different modes:
 
 ## Installation
 
-The antctl binary is included in the Antrea Docker image
-(`antrea/antrea-ubuntu`) which means that there is no need to install anything
-to connect to the Antrea Agent. Simply exec into the antrea-agent container for
-the appropriate antrea-agent Pod and run `antctl`:
+The antctl binary is included in the Antrea Docker images
+(`antrea/antrea-agent-ubuntu`, `antrea/antrea-controller-ubuntu`) which means
+that there is no need to install anything to connect to the Antrea Agent. Simply
+exec into the antrea-agent container for the appropriate antrea-agent Pod and
+run `antctl`:
 
 ```bash
 kubectl exec -it ANTREA-AGENT_POD_NAME -n kube-system -c antrea-agent -- bash

docs/getting-started.md

@@ -103,8 +103,9 @@ If you want to add Windows Nodes to your cluster, please refer to these
 Starting with v1.0, Antrea supports arm64 and arm/v7 Nodes. The installation
 instructions do not change when some (or all) Linux Nodes in a cluster use an
 ARM architecture: the same deployment YAML can be used, as the
-`antrea/antrea-ubuntu` Docker image is actually a manifest list with support for
-the amd64, arm64 and arm/v7 architectures.
+`antrea/antrea-agent-ubuntu` and `antrea/antrea-controller-ubuntu` Docker images
+are actually manifest lists with support for the amd64, arm64 and arm/v7
+architectures.
 
 Note that while we do run a subset of the Kubernetes conformance tests on both
 the arm/v7 and arm64 Docker images (using [k3s](https://k3s.io/) as the

docs/maintainers/antrea-docker-image.md

@@ -1,18 +1,20 @@
 # Antrea Docker image
 
-The main Antrea Docker image, `antrea/antrea-ubuntu`, is a multi-arch image. The
-`antrea/antrea-ubuntu` manifest is a list of three manifests:
-`antrea/antrea-ubuntu-amd64`, `antrea/antrea-ubuntu-arm64` and
-`antrea/antrea-ubuntu-arm`. Of these three manifests, only the first one is
-built and uploaded to Dockerhub by Github workflows defined in the
+The main Antrea Docker images (`antrea/antrea-agent-ubuntu` and
+`antrea/antrea-controller-ubuntu`) are multi-arch images. For example, the
+`antrea/antrea-agent-ubuntu` manifest is a list of three manifests:
+`antrea/antrea-agent-ubuntu-amd64`, `antrea/antrea-agent-ubuntu-arm64` and
+`antrea/antrea-agent-ubuntu-arm`. Of these three manifests, only the first one
+is built and uploaded to Dockerhub by Github workflows defined in the
 `antrea-io/antrea` repositories. The other two are built and uploaded by Github
 workflows defined in a private repository (`vmware-tanzu/antrea-build-infra`),
 to which only the project maintainers have access. These workflows are triggered
 every time the `main` branch of `antrea-io/antrea` is updated, as well as every
 time a new Antrea Github release is created. They build the
-`antrea/antrea-ubuntu-arm64` and `antrea/antrea-ubuntu-arm` Docker images on
-native arm64 workers, then create the `antrea/antrea-ubuntu` multi-arch manifest
-and push it to Dockerhub. They are also in charge of testing the images in a
+`antrea/antrea-agent-ubuntu-arm64` and `antrea/antrea-agent-ubuntu-arm` Docker
+images on native arm64 workers, then create the `antrea/antrea-agent-ubuntu`
+multi-arch manifest and push it to Dockerhub. The same goes for the controller
+images. They are also in charge of testing the images in a
 [K3s](https://github.com/k3s-io/k3s) cluster.
 
 ## Why do we use a private repository?
@@ -37,3 +39,6 @@ for a public repository. We believe Github will address the issue eventually and
 provide safeguards to enable using self-hosted runners with public
 repositories, at which point we will migrate workflows from this repository to
 the main Antrea repository.
+
+In the future, we may switch over to ARM hosted Github runners provided by the
+CNCF.

hack/build-antrea-linux-all.sh

@@ -161,16 +161,13 @@ if [ "$DISTRO" == "ubuntu" ]; then
     if $COVERAGE; then
         make build-controller-ubuntu-coverage
         make build-agent-ubuntu-coverage
-        make build-ubuntu-coverage
     else
         make build-controller-ubuntu
         make build-agent-ubuntu
-        make build-ubuntu
     fi
 elif [ "$DISTRO" == "ubi" ]; then
     make build-controller-ubi
     make build-agent-ubi
-    make build-ubi
 fi
 
 popd > /dev/null