Remove unified image

.github/workflows/build.yml

@@ -50,10 +50,8 @@ jobs:
       run: |
         echo "$DOCKER_PASSWORD" | docker login -u "$DOCKER_USERNAME" --password-stdin
         ./hack/build-antrea-linux-all.sh --pull --push-base-images
-        docker tag antrea/antrea-ubuntu:latest antrea/antrea-ubuntu-amd64:latest
         docker tag antrea/antrea-controller-ubuntu:latest antrea/antrea-controller-ubuntu-amd64:latest
         docker tag antrea/antrea-agent-ubuntu:latest antrea/antrea-agent-ubuntu-amd64:latest
-        docker push antrea/antrea-ubuntu-amd64:latest
         docker push antrea/antrea-controller-ubuntu-amd64:latest
         docker push antrea/antrea-agent-ubuntu-amd64:latest
     - name: Trigger Antrea arm builds and multi-arch manifest update
@@ -96,7 +94,6 @@ jobs:
       run: |
         echo "$DOCKER_PASSWORD" | docker login -u "$DOCKER_USERNAME" --password-stdin
         ./hack/build-antrea-linux-all.sh --pull --push-base-images --distro ubi
-        docker push antrea/antrea-ubi:latest
         docker push antrea/antrea-agent-ubi:latest
         docker push antrea/antrea-controller-ubi:latest
 

.github/workflows/build_tag.yml

@@ -34,10 +34,8 @@ jobs:
       run: |
         ./hack/build-antrea-linux-all.sh --pull
         echo "$DOCKER_PASSWORD" | docker login -u "$DOCKER_USERNAME" --password-stdin
-        docker tag antrea/antrea-ubuntu:"${VERSION}" antrea/antrea-ubuntu-amd64:"${VERSION}"
         docker tag antrea/antrea-agent-ubuntu:"${VERSION}" antrea/antrea-agent-ubuntu-amd64:"${VERSION}"
         docker tag antrea/antrea-controller-ubuntu:"${VERSION}" antrea/antrea-controller-ubuntu-amd64:"${VERSION}"
-        docker push antrea/antrea-ubuntu-amd64:"${VERSION}"
         docker push antrea/antrea-agent-ubuntu-amd64:"${VERSION}"
         docker push antrea/antrea-controller-ubuntu-amd64:"${VERSION}"
     - name: Trigger Antrea arm builds and multi-arch manifest update
@@ -64,7 +62,6 @@ jobs:
         run: |
           ./hack/build-antrea-linux-all.sh --pull --distro ubi
           echo "$DOCKER_PASSWORD" | docker login -u "$DOCKER_USERNAME" --password-stdin
-          docker push antrea/antrea-ubi:"${VERSION}"
           docker push antrea/antrea-agent-ubi:"${VERSION}"
           docker push antrea/antrea-controller-ubi:"${VERSION}"
 

.github/workflows/conformance.yml

@@ -74,6 +74,8 @@ jobs:
           sudo mv kind /usr/local/bin
       - name: Create K8s cluster
         run: |
+          # If an image does not exist (unified vs split), a warning will be printed, but the script
+          # execution will not fail.
           images=()
           images+=(antrea/antrea-controller-${{ inputs.antrea-image-distro }}:${{ steps.check-release.outputs.image-tag }})
           images+=(antrea/antrea-agent-${{ inputs.antrea-image-distro }}:${{ steps.check-release.outputs.image-tag }})

.github/workflows/trivy_scan.yml

@@ -18,7 +18,6 @@ jobs:
     if: github.repository == 'antrea-io/antrea'
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v4
     - name: Find greatest Antrea version
       id: find-antrea-greatest-version
       env:
@@ -32,33 +31,56 @@ jobs:
     - name: Pull Antrea Docker images
       id: pull
       run: |
-        docker pull antrea/antrea-ubuntu:latest
-        docker pull antrea/antrea-ubuntu:${{ steps.find-antrea-greatest-version.outputs.antrea_version }}
-    - name: Run Trivy vulnerability scanner on latest Antrea Docker image
+        docker pull antrea/antrea-agent-ubuntu:latest
+        docker pull antrea/antrea-agent-ubuntu:${{ steps.find-antrea-greatest-version.outputs.antrea_version }}
+        docker pull antrea/antrea-controller-ubuntu:latest
+        docker pull antrea/antrea-controller-ubuntu:${{ steps.find-antrea-greatest-version.outputs.antrea_version }}
+    - name: Run Trivy vulnerability scanner on latest antrea-agent Docker image
       if: ${{ always() && steps.pull.conclusion == 'success' }}
       uses: aquasecurity/trivy-action@0.19.0
       # we cannot use .trivy.yml as we need to override some config parameters
       # and that is not supported by aquasecurity/trivy-action
       with:
         scan-type: 'image'
-        image-ref: 'antrea/antrea-ubuntu:latest'
+        image-ref: 'antrea/antrea-agent-ubuntu:latest'
         exit-code: '1'
         ignore-unfixed: true
         severity: 'CRITICAL,HIGH'
-        # whereabouts project doesn't upgrade dependencies frequently
-        skip-files: '/opt/cni/bin/whereabouts'
         format: 'table'
         output: 'trivy.latest.txt'
-    - name: Run Trivy vulnerability scanner on Antrea Docker image for latest released version
+    - name: Run Trivy vulnerability scanner on latest antrea-controller Docker image
+      if: ${{ always() && steps.pull.conclusion == 'success' }}
+      uses: aquasecurity/trivy-action@0.19.0
+      # we cannot use .trivy.yml as we need to override some config parameters
+      # and that is not supported by aquasecurity/trivy-action
+      with:
+        scan-type: 'image'
+        image-ref: 'antrea/antrea-controller-ubuntu:latest'
+        exit-code: '1'
+        ignore-unfixed: true
+        severity: 'CRITICAL,HIGH'
+        format: 'table'
+        output: 'trivy.latest.txt'
+    - name: Run Trivy vulnerability scanner on antrea-agent Docker image for latest released version
+      if: ${{ always() && steps.pull.conclusion == 'success' }}
+      uses: aquasecurity/trivy-action@0.19.0
+      with:
+        scan-type: 'image'
+        image-ref: 'antrea/antrea-agent-ubuntu:${{ steps.find-antrea-greatest-version.outputs.antrea_version }}'
+        exit-code: '1'
+        ignore-unfixed: true
+        severity: 'CRITICAL,HIGH'
+        format: 'table'
+        output: 'trivy.${{ steps.find-antrea-greatest-version.outputs.antrea_version }}.txt'
+    - name: Run Trivy vulnerability scanner on antrea-controller Docker image for latest released version
       if: ${{ always() && steps.pull.conclusion == 'success' }}
       uses: aquasecurity/trivy-action@0.19.0
       with:
         scan-type: 'image'
-        image-ref: 'antrea/antrea-ubuntu:${{ steps.find-antrea-greatest-version.outputs.antrea_version }}'
+        image-ref: 'antrea/antrea-controller-ubuntu:${{ steps.find-antrea-greatest-version.outputs.antrea_version }}'
         exit-code: '1'
         ignore-unfixed: true
         severity: 'CRITICAL,HIGH'
-        skip-files: '/opt/cni/bin/whereabouts'
         format: 'table'
         output: 'trivy.${{ steps.find-antrea-greatest-version.outputs.antrea_version }}.txt'
     - name: Upload Trivy scan reports

.github/workflows/trivy_scan_before_release.yml

@@ -1,4 +1,4 @@
-name: Scan Antrea Docker image for vulnerabilities before release
+name: Scan Antrea Docker images for vulnerabilities before release
 
 on:
   pull_request:
@@ -14,12 +14,6 @@ jobs:
     - name: Build Antrea Docker image
       run: |
         ./hack/build-antrea-linux-all.sh --pull
-    - name: Run Trivy vulnerability scanner on Antrea unified Docker image
-      uses: aquasecurity/trivy-action@0.19.0
-      with:
-        scan-type: 'image'
-        image-ref: 'antrea/antrea-ubuntu:latest'
-        trivy-config: '.trivy.yml'
     - name: Run Trivy vulnerability scanner on the antrea-agent Docker image
       uses: aquasecurity/trivy-action@0.19.0
       with:

Makefile

@@ -335,11 +335,17 @@ mockgen:
 
 ### Docker images ###
 
+# This target is for development only. It assumes that "make bin" has been run previously and will
+# copy the local binaries to the Docker image, instead of building the binaries inside the image as
+# part of the Docker build.
+
 .PHONY: ubuntu
 ubuntu:
-	@echo "===> Building antrea/antrea-ubuntu Docker image <==="
-	docker build -t antrea/antrea-ubuntu:$(DOCKER_IMG_VERSION) -f build/images/Dockerfile.ubuntu $(DOCKER_BUILD_ARGS) .
-	docker tag antrea/antrea-ubuntu:$(DOCKER_IMG_VERSION) antrea/antrea-ubuntu
+	@echo "===> Building antrea/antrea-agent-ubuntu and antrea/antrea-controller-ubuntu development Docker images <==="
+	docker build -t antrea/antrea-agent-ubuntu:$(DOCKER_IMG_VERSION) -f build/images/Dockerfile.agent.ubuntu $(DOCKER_BUILD_ARGS) .
+	docker tag antrea/antrea-agent-ubuntu:$(DOCKER_IMG_VERSION) antrea/antrea-agent-ubuntu
+	docker build -t antrea/antrea-controller-ubuntu:$(DOCKER_IMG_VERSION) -f build/images/Dockerfile.controller.ubuntu $(DOCKER_BUILD_ARGS) .
+	docker tag antrea/antrea-controller-ubuntu:$(DOCKER_IMG_VERSION) antrea/antrea-controller-ubuntu
 
 .PHONY: build-controller-ubuntu
 build-controller-ubuntu:
@@ -353,19 +359,14 @@ build-agent-ubuntu:
 	docker build -t antrea/antrea-agent-ubuntu:$(DOCKER_IMG_VERSION) -f build/images/Dockerfile.build.agent.ubuntu $(DOCKER_BUILD_ARGS) .
 	docker tag antrea/antrea-agent-ubuntu:$(DOCKER_IMG_VERSION) antrea/antrea-agent-ubuntu
 
-# Build bins in a golang container, and build the antrea-ubuntu Docker image.
+# These 2 targets are here for "backwards-compatibility". They will build the agent and controller
+# images for the requested distribution.
+
 .PHONY: build-ubuntu
-build-ubuntu:
-	@echo "===> Building Antrea bins and antrea/antrea-ubuntu Docker image <==="
-	docker build -t antrea/antrea-ubuntu:$(DOCKER_IMG_VERSION) -f build/images/Dockerfile.build.ubuntu $(DOCKER_BUILD_ARGS) .
-	docker tag antrea/antrea-ubuntu:$(DOCKER_IMG_VERSION) antrea/antrea-ubuntu
+build-ubuntu: build-agent-ubuntu build-controller-ubuntu
 
-# Build bins in a golang container, and build the antrea-ubi Docker image.
 .PHONY: build-ubi
-build-ubi:
-	@echo "===> Building Antrea bins and antrea/antrea-ubi Docker image <==="
-	docker build -t antrea/antrea-ubi:$(DOCKER_IMG_VERSION) -f build/images/Dockerfile.build.ubi $(DOCKER_BUILD_ARGS) .
-	docker tag antrea/antrea-ubi:$(DOCKER_IMG_VERSION) antrea/antrea-ubi
+build-ubi: build-agent-ubi build-controller-ubi
 
 .PHONY: build-agent-ubi
 build-agent-ubi:
@@ -386,10 +387,7 @@ build-windows:
 	docker tag antrea/antrea-windows:$(DOCKER_IMG_VERSION) antrea/antrea-windows
 
 .PHONY: build-ubuntu-coverage
-build-ubuntu-coverage:
-	@echo "===> Building Antrea bins and antrea/antrea-ubuntu-coverage Docker image <==="
-	docker build -t antrea/antrea-ubuntu-coverage:$(DOCKER_IMG_VERSION) -f build/images/Dockerfile.build.coverage $(DOCKER_BUILD_ARGS) .
-	docker tag antrea/antrea-ubuntu-coverage:$(DOCKER_IMG_VERSION) antrea/antrea-ubuntu-coverage
+build-ubuntu-coverage: build-controller-ubuntu-coverage build-agent-ubuntu-coverage
 
 .PHONY: build-controller-ubuntu-coverage
 build-controller-ubuntu-coverage:

build/images/Dockerfile.ubuntu → build/images/Dockerfile.agent.ubuntu

@@ -1,4 +1,4 @@
-# Copyright 2022 Antrea Authors
+# Copyright 2024 Antrea Authors
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -16,9 +16,11 @@ ARG BUILD_TAG
 FROM antrea/base-ubuntu:${BUILD_TAG}
 
 LABEL maintainer="Antrea <projectantrea-dev@googlegroups.com>"
-LABEL description="The Docker image to deploy the Antrea CNI."
+LABEL description="The development Docker image to deploy the antrea-agent."
 
 USER root
 
 COPY build/images/scripts/* /usr/local/bin/
-COPY bin/* /usr/local/bin/
+COPY bin/antrea-agent /usr/local/bin/
+COPY bin/antrea-cni /usr/local/bin/
+COPY bin/antctl /usr/local/bin/

build/images/Dockerfile.controller.ubuntu

@@ -0,0 +1,23 @@
+# Copyright 2024 Antrea Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+FROM ubuntu:22.04
+
+LABEL maintainer="Antrea <projectantrea-dev@googlegroups.com>"
+LABEL description="The development Docker image to deploy the antrea-controller."
+
+USER root
+
+COPY bin/antrea-controller /usr/local/bin/
+COPY bin/antctl /usr/local/bin/