Modify workflows, ci and manifest scripts for split images

.github/workflows/conformance.yml

@@ -65,7 +65,8 @@ jobs:
           sudo mv kind /usr/local/bin
       - name: Create K8s cluster
         run: |
-          # The command also loads local antrea/antrea-ubuntu:latest into Nodes if it exists.
+          # The command also loads local antrea/antrea-agent-ubuntu:latest and antrea/antrea-controller-ubuntu:latest
+          # into Nodes if they exist.
           ./ci/kind/kind-setup.sh create kind \
             --k8s-version "${{ inputs.k8s-version }}"
       - name: Install Antrea

.github/workflows/kind.yml

@@ -41,7 +41,7 @@ jobs:
       run: |
         ./hack/build-antrea-linux-all.sh --pull --coverage
     - name: Save Antrea image to tarball
-      run:  docker save -o antrea-ubuntu.tar antrea/antrea-ubuntu-coverage:latest
+      run:  docker save -o antrea-ubuntu.tar antrea/antrea-agent-ubuntu-coverage:latest antrea/antrea-controller-ubuntu-coverage:latest
     - name: Upload Antrea image for subsequent jobs
       uses: actions/upload-artifact@v4
       with:
@@ -488,7 +488,8 @@ jobs:
     - name: Load Antrea image
       run: |
         docker load -i antrea-ubuntu.tar
-        docker tag antrea/antrea-ubuntu-coverage:latest antrea/antrea-ubuntu:latest
+        docker tag antrea/antrea-agent-ubuntu-coverage:latest antrea/antrea-agent-ubuntu:latest
+        docker tag antrea/antrea-controller-ubuntu-coverage:latest antrea/antrea-controller-ubuntu:latest
     - name: Install Kind
       run: |
         KIND_VERSION=$(head -n1 ./ci/kind/version)
@@ -533,7 +534,8 @@ jobs:
       - name: Load Antrea image
         run: |
           docker load -i antrea-ubuntu.tar
-          docker tag antrea/antrea-ubuntu-coverage:latest antrea/antrea-ubuntu:latest
+          docker tag antrea/antrea-agent-ubuntu-coverage:latest antrea/antrea-agent-ubuntu:latest
+          docker tag antrea/antrea-controller-ubuntu-coverage:latest antrea/antrea-controller-ubuntu:latest
       - name: Install Kind
         run: |
           KIND_VERSION=$(head -n1 ./ci/kind/version)
@@ -578,7 +580,8 @@ jobs:
       - name: Load Antrea image
         run: |
           docker load -i antrea-ubuntu.tar
-          docker tag antrea/antrea-ubuntu-coverage:latest antrea/antrea-ubuntu:latest
+          docker tag antrea/antrea-agent-ubuntu-coverage:latest antrea/antrea-agent-ubuntu:latest
+          docker tag antrea/antrea-controller-ubuntu-coverage:latest antrea/antrea-controller-ubuntu:latest
       - name: Install Kind
         run: |
           KIND_VERSION=$(head -n1 ./ci/kind/version)
@@ -623,7 +626,8 @@ jobs:
       - name: Load Antrea image
         run: |
           docker load -i antrea-ubuntu.tar
-          docker tag antrea/antrea-ubuntu-coverage:latest antrea/antrea-ubuntu:latest
+          docker tag antrea/antrea-agent-ubuntu-coverage:latest antrea/antrea-agent-ubuntu:latest
+          docker tag antrea/antrea-controller-ubuntu-coverage:latest antrea/antrea-controller-ubuntu:latest
       - name: Install Kind
         run: |
           KIND_VERSION=$(head -n1 ./ci/kind/version)
@@ -668,7 +672,8 @@ jobs:
       - name: Load Antrea image
         run: |
           docker load -i antrea-ubuntu.tar
-          docker tag antrea/antrea-ubuntu-coverage:latest antrea/antrea-ubuntu:latest
+          docker tag antrea/antrea-agent-ubuntu-coverage:latest antrea/antrea-agent-ubuntu:latest
+          docker tag antrea/antrea-controller-ubuntu-coverage:latest antrea/antrea-controller-ubuntu:latest
       - name: Install Kind
         run: |
           KIND_VERSION=$(head -n1 ./ci/kind/version)
@@ -710,7 +715,8 @@ jobs:
       - name: Load Antrea image
         run: |
           docker load -i antrea-ubuntu.tar
-          docker tag antrea/antrea-ubuntu-coverage:latest antrea/antrea-ubuntu:latest
+          docker tag antrea/antrea-agent-ubuntu-coverage:latest antrea/antrea-agent-ubuntu:latest
+          docker tag antrea/antrea-controller-ubuntu-coverage:latest antrea/antrea-controller-ubuntu:latest
       - name: Install Kind
         run: |
           KIND_VERSION=$(head -n1 ./ci/kind/version)

.github/workflows/trivy_scan_before_release.yml

@@ -14,9 +14,21 @@ jobs:
     - name: Build Antrea Docker image
       run: |
         ./hack/build-antrea-linux-all.sh --pull
-    - name: Run Trivy vulnerability scanner on Antrea Docker image
+    - name: Run Trivy vulnerability scanner on Antrea unified Docker image
       uses: aquasecurity/trivy-action@0.16.1
       with:
         scan-type: 'image'
         image-ref: 'antrea/antrea-ubuntu:latest'
         trivy-config: '.trivy.yml'
+    - name: Run Trivy vulnerability scanner on the antrea-agent Docker image
+      uses: aquasecurity/trivy-action@0.16.1
+      with:
+        scan-type: 'image'
+        image-ref: 'antrea/antrea-agent-ubuntu:latest'
+        trivy-config: '.trivy.yml'
+    - name: Run Trivy vulnerability scanner on the antrea-controller Docker image
+      uses: aquasecurity/trivy-action@0.16.1
+      with:
+        scan-type: 'image'
+        image-ref: 'antrea/antrea-controller-ubuntu:latest'
+        trivy-config: '.trivy.yml'

build/charts/antrea/README.md

@@ -52,6 +52,7 @@ Kubernetes: `>= 1.16.0-0`
 | agent.priorityClassName | string | `"system-node-critical"` | Prority class to use for the antrea-agent Pods. |
 | agent.tolerations | list | `[{"key":"CriticalAddonsOnly","operator":"Exists"},{"effect":"NoSchedule","operator":"Exists"},{"effect":"NoExecute","operator":"Exists"}]` | Tolerations for the antrea-agent Pods. |
 | agent.updateStrategy | object | `{"type":"RollingUpdate"}` | Update strategy for the antrea-agent DaemonSet. |
+| agentImage | object | `{"pullPolicy":"IfNotPresent","repository":"antrea/antrea-agent-ubuntu","tag":""}` | Container image to use for the antrea-agent component. |
 | antreaProxy.defaultLoadBalancerMode | string | `"nat"` | Determines how external traffic is processed when it's load balanced across Nodes by default. It must be one of "nat" or "dsr". |
 | antreaProxy.enable | bool | `true` | To disable AntreaProxy, set this to false. |
 | antreaProxy.nodePortAddresses | list | `[]` | String array of values which specifies the host IPv4/IPv6 addresses for NodePort. By default, all host addresses are used. |
@@ -82,6 +83,7 @@ Kubernetes: `>= 1.16.0-0`
 | controller.priorityClassName | string | `"system-cluster-critical"` | Prority class to use for the antrea-controller Pod. |
 | controller.selfSignedCert | bool | `true` | Indicates whether to use auto-generated self-signed TLS certificates. If false, a Secret named "antrea-controller-tls" must be provided with the following keys: ca.crt, tls.crt, tls.key. |
 | controller.tolerations | list | `[{"key":"CriticalAddonsOnly","operator":"Exists"},{"effect":"NoSchedule","key":"node-role.kubernetes.io/master"},{"effect":"NoSchedule","key":"node-role.kubernetes.io/control-plane"},{"effect":"NoExecute","key":"node.kubernetes.io/unreachable","operator":"Exists","tolerationSeconds":0}]` | Tolerations for the antrea-controller Pod. |
+| controllerImage | object | `{"pullPolicy":"IfNotPresent","repository":"antrea/antrea-controller-ubuntu","tag":""}` | Container image to use for the antrea-controller component. |
 | defaultMTU | int | `0` | Default MTU to use for the host gateway interface and the network interface of each Pod. By default, antrea-agent will discover the MTU of the Node's primary interface and adjust it to accommodate for tunnel encapsulation overhead if applicable. |
 | disableTXChecksumOffload | bool | `false` | Disable TX checksum offloading for container network interfaces. It's supposed to be set to true when the datapath doesn't support TX checksum offloading, which causes packets to be dropped due to bad checksum. It affects Pods running on Linux Nodes only. |
 | dnsServerOverride | string | `""` | Address of DNS server, to override the kube-dns Service. It's used to resolve hostnames in a FQDN policy. |
@@ -95,7 +97,7 @@ Kubernetes: `>= 1.16.0-0`
 | flowExporter.flowPollInterval | string | `"5s"` | Determines how often the flow exporter polls for new connections. |
 | flowExporter.idleFlowExportTimeout | string | `"15s"` | timeout after which a flow record is sent to the collector for idle flows. |
 | hostGateway | string | `"antrea-gw0"` | Name of the interface antrea-agent will create and use for host <-> Pod communication. |
-| image | object | `{"pullPolicy":"IfNotPresent","repository":"antrea/antrea-ubuntu","tag":""}` | Container image to use for Antrea components. |
+| image | object | `{}` | Container image to use for Antrea components. DEPRECATED: use agentImage and controllerImage instead. |
 | ipsec.authenticationMode | string | `"psk"` | The authentication mode to use for IPsec. Must be one of "psk" or "cert". |
 | ipsec.csrSigner.autoApprove | bool | `true` | Enable auto approval of Antrea signer for IPsec certificates. |
 | ipsec.csrSigner.selfSignedCA | bool | `true` | Whether or not to use auto-generated self-signed CA. |

build/charts/antrea/templates/_helpers.tpl

@@ -18,8 +18,56 @@
 {{- end }}
 {{- end -}}
 
-{{- define "antreaImage" -}}
+{{- define "antreaAgentImageTag" -}}
+{{- if .Values.agentImage.tag }}
+{{- .Values.agentImage.tag -}}
+{{- else if eq .Chart.AppVersion "latest" }}
+{{- print "latest" -}}
+{{- else }}
+{{- print "v" .Chart.AppVersion -}}
+{{- end }}
+{{- end -}}
+
+{{- define "antreaControllerImageTag" -}}
+{{- if .Values.controllerImage.tag }}
+{{- .Values.controllerImage.tag -}}
+{{- else if eq .Chart.AppVersion "latest" }}
+{{- print "latest" -}}
+{{- else }}
+{{- print "v" .Chart.AppVersion -}}
+{{- end }}
+{{- end -}}
+
+{{- define "antreaControllerImage" -}}
+{{- if .Values.image }}
 {{- print .Values.image.repository ":" (include "antreaImageTag" .) -}}
+{{- else }}
+{{- print .Values.controllerImage.repository ":" (include "antreaControllerImageTag" .) -}}
+{{- end }}
+{{- end -}}
+
+{{- define "antreaAgentImage" -}}
+{{- if .Values.image }}
+{{- print .Values.image.repository ":" (include "antreaImageTag" .) -}}
+{{- else }}
+{{- print .Values.agentImage.repository ":" (include "antreaAgentImageTag" .) -}}
+{{- end }}
+{{- end -}}
+
+{{- define "antreaAgentImagePullPolicy" -}}
+{{- if .Values.image }}
+{{- print .Values.image.pullPolicy -}}
+{{- else }}
+{{- print .Values.agentImage.pullPolicy -}}
+{{- end }}
+{{- end -}}
+
+{{- define "antreaControllerImagePullPolicy" -}}
+{{- if .Values.image }}
+{{- print .Values.image.pullPolicy -}}
+{{- else }}
+{{- print .Values.controllerImage.pullPolicy -}}
+{{- end }}
 {{- end -}}
 
 {{- define "validateValues" -}}

build/charts/antrea/templates/agent/daemonset.yaml

@@ -71,8 +71,8 @@ spec:
       containers:
       {{- end }}
         - name: install-cni
-          image: {{ include "antreaImage" . | quote }}
-          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          image: {{ include "antreaAgentImage" . | quote }}
+          imagePullPolicy: {{ include "antreaAgentImagePullPolicy" . }}
           resources: {{- .Values.agent.installCNI.resources | toYaml | nindent 12 }}
           {{- if eq .Values.trafficEncapMode "networkPolicyOnly" }}
           command: ["install_cni_chaining"]
@@ -127,8 +127,8 @@ spec:
       containers:
       {{- end }}
         - name: antrea-agent
-          image: {{ include "antreaImage" . | quote }}
-          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          image: {{ include "antreaAgentImage" . | quote }}
+          imagePullPolicy: {{ include "antreaAgentImagePullPolicy" . }}
           {{- if ((.Values.testing).coverage) }}
           command: ["/bin/sh"]
           args: ["-c", "sleep 2; antrea-agent-coverage -test.run=TestBincoverRunMain -test.coverprofile=antrea-agent.cov.out -args-file=/agent-arg-file; while true; do sleep 5 & wait $!; done"]
@@ -257,8 +257,8 @@ spec:
           {{- toYaml . | trim | nindent 10 }}
           {{- end }}
         - name: antrea-ovs
-          image: {{ include "antreaImage" . | quote }}
-          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          image: {{ include "antreaAgentImage" . | quote }}
+          imagePullPolicy: {{ include "antreaAgentImagePullPolicy" . }}
           resources: {{- .Values.agent.antreaOVS.resources | toYaml | nindent 12 }}
           command: ["start_ovs"]
           args:
@@ -313,8 +313,8 @@ spec:
             subPath: openvswitch
         {{- if eq .Values.trafficEncryptionMode "ipsec" }}
         - name: antrea-ipsec
-          image: {{ include "antreaImage" . | quote }}
-          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          image: {{ include "antreaAgentImage" . | quote }}
+          imagePullPolicy: {{ include "antreaAgentImagePullPolicy" . }}
           resources: {{- .Values.agent.antreaIPsec.resources | toYaml | nindent 12 }}
           command: ["start_ovs_ipsec"]
           livenessProbe:

build/charts/antrea/templates/controller/deployment.yaml

@@ -60,8 +60,8 @@ spec:
       serviceAccountName: antrea-controller
       containers:
         - name: antrea-controller
-          image: {{ include "antreaImage" . | quote }}
-          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          image: {{ include "antreaControllerImage" . | quote }}
+          imagePullPolicy: {{ include "antreaControllerImagePullPolicy" . }}
           resources: {{- .Values.controller.antreaController.resources | toYaml | nindent 12 }}
           {{- if ((.Values.testing).coverage) }}
           command: ["/bin/sh"]

build/charts/antrea/values.yaml

@@ -1,6 +1,14 @@
 # -- Container image to use for Antrea components.
-image:
-  repository: "antrea/antrea-ubuntu"
+# DEPRECATED: use agentImage and controllerImage instead.
+image: {}
+# -- Container image to use for the antrea-agent component.
+agentImage:
+  repository: "antrea/antrea-agent-ubuntu"
+  pullPolicy: "IfNotPresent"
+  tag: ""
+# -- Container image to use for the antrea-controller component.
+controllerImage:
+  repository: "antrea/antrea-controller-ubuntu"
   pullPolicy: "IfNotPresent"
   tag: ""
 

build/yamls/antrea-aks.yml

@@ -6952,7 +6952,7 @@ spec:
       initContainers:
       containers:
         - name: install-cni
-          image: "antrea/antrea-ubuntu:latest"
+          image: "antrea/antrea-agent-ubuntu:latest"
           imagePullPolicy: IfNotPresent
           resources:
             requests:
@@ -6985,7 +6985,7 @@ spec:
           - name: host-var-run-antrea
             mountPath: /var/run/antrea
         - name: antrea-agent
-          image: "antrea/antrea-ubuntu:latest"
+          image: "antrea/antrea-agent-ubuntu:latest"
           imagePullPolicy: IfNotPresent
           command: ["antrea-agent"]
           # Log to both "/var/log/antrea/" and stderr (so "kubectl logs" can work).-
@@ -7076,7 +7076,7 @@ spec:
           - name: xtables-lock
             mountPath: /run/xtables.lock
         - name: antrea-ovs
-          image: "antrea/antrea-ubuntu:latest"
+          image: "antrea/antrea-agent-ubuntu:latest"
           imagePullPolicy: IfNotPresent
           resources:
             requests:
@@ -7192,7 +7192,7 @@ spec:
       serviceAccountName: antrea-controller
       containers:
         - name: antrea-controller
-          image: "antrea/antrea-ubuntu:latest"
+          image: "antrea/antrea-controller-ubuntu:latest"
           imagePullPolicy: IfNotPresent
           resources:
             requests:

build/yamls/antrea-eks.yml

@@ -6951,7 +6951,7 @@ spec:
       initContainers:
       containers:
         - name: install-cni
-          image: "antrea/antrea-ubuntu:latest"
+          image: "antrea/antrea-agent-ubuntu:latest"
           imagePullPolicy: IfNotPresent
           resources:
             requests:
@@ -6984,7 +6984,7 @@ spec:
           - name: host-var-run-antrea
             mountPath: /var/run/antrea
         - name: antrea-agent
-          image: "antrea/antrea-ubuntu:latest"
+          image: "antrea/antrea-agent-ubuntu:latest"
           imagePullPolicy: IfNotPresent
           command: ["antrea-agent"]
           # Log to both "/var/log/antrea/" and stderr (so "kubectl logs" can work).-
@@ -7077,7 +7077,7 @@ spec:
           - name: xtables-lock
             mountPath: /run/xtables.lock
         - name: antrea-ovs
-          image: "antrea/antrea-ubuntu:latest"
+          image: "antrea/antrea-agent-ubuntu:latest"
           imagePullPolicy: IfNotPresent
           resources:
             requests:
@@ -7193,7 +7193,7 @@ spec:
       serviceAccountName: antrea-controller
       containers:
         - name: antrea-controller
-          image: "antrea/antrea-ubuntu:latest"
+          image: "antrea/antrea-controller-ubuntu:latest"
           imagePullPolicy: IfNotPresent
           resources:
             requests:

build/yamls/antrea-gke.yml

@@ -6950,7 +6950,7 @@ spec:
       serviceAccountName: antrea-agent
       initContainers:
         - name: install-cni
-          image: "antrea/antrea-ubuntu:latest"
+          image: "antrea/antrea-agent-ubuntu:latest"
           imagePullPolicy: IfNotPresent
           resources:
             requests:
@@ -6983,7 +6983,7 @@ spec:
             mountPath: /var/run/antrea
       containers:
         - name: antrea-agent
-          image: "antrea/antrea-ubuntu:latest"
+          image: "antrea/antrea-agent-ubuntu:latest"
           imagePullPolicy: IfNotPresent
           command: ["antrea-agent"]
           # Log to both "/var/log/antrea/" and stderr (so "kubectl logs" can work).-
@@ -7074,7 +7074,7 @@ spec:
           - name: xtables-lock
             mountPath: /run/xtables.lock
         - name: antrea-ovs
-          image: "antrea/antrea-ubuntu:latest"
+          image: "antrea/antrea-agent-ubuntu:latest"
           imagePullPolicy: IfNotPresent
           resources:
             requests:
@@ -7190,7 +7190,7 @@ spec:
       serviceAccountName: antrea-controller
       containers:
         - name: antrea-controller
-          image: "antrea/antrea-ubuntu:latest"
+          image: "antrea/antrea-controller-ubuntu:latest"
           imagePullPolicy: IfNotPresent
           resources:
             requests: