[Windows] Use hpc to build Agent images

1. Use Windows hpc as the base image to store Antrea binary and OVS files
2. Use doocker buildx to build Windows image on Linux base environment
3. Modify OVS init container to install redist files
4. Place openssl dll files into OVS binary directory instead of Windows system
   path
5. Remove original windows-base image, and download CNI file in agent image

Using the hpc base image and buildx on a fresh env, the time to build Windows
related images and push to remote registry is as follows,
1. windows-ovs: 31.6s
2. antrea-windows: 232s

Signed-off-by: Wenying Dong <wenyingd@vmware.com>

.github/workflows/build.yml

@@ -119,21 +119,22 @@ jobs:
   build-windows:
     needs: check-changes
     if: ${{ needs.check-changes.outputs.has_changes == 'yes' || github.event_name == 'push' }}
-    runs-on: [windows-2019]
+    runs-on: [ubuntu-latest]
     steps:
     - uses: actions/checkout@v4
       with:
         show-progress: false
     - name: Build Antrea Windows Docker image
-      run: make build-windows
+      if: ${{ github.repository != 'antrea-io/antrea' || github.event_name != 'push' || github.ref != 'refs/heads/main' }}
+      run: ./hack/build-antrea-windows-all.sh --pull
     - name: Push Antrea Windows Docker image to registry
       if: ${{ github.repository == 'antrea-io/antrea' && github.event_name == 'push' && github.ref == 'refs/heads/main' }}
       env:
         DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
         DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }}
       run: |
         echo "$DOCKER_PASSWORD" | docker login -u "$DOCKER_USERNAME" --password-stdin
-        docker push antrea/antrea-windows:latest
+        ./hack/build-antrea-windows-all.sh --pull --push --push-base-images
       shell: bash
 
   build-antrea-mc-controller:

.github/workflows/build_tag.yml

@@ -66,7 +66,7 @@ jobs:
           docker push antrea/antrea-controller-ubi:"${VERSION}"
 
   build-windows:
-    runs-on: [windows-2019]
+    runs-on: [ubuntu-latest]
     needs: get-version
     steps:
     - uses: actions/checkout@v4
@@ -78,9 +78,8 @@ jobs:
         DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }}
         VERSION: ${{ needs.get-version.outputs.version }}
       run: |
-        make build-windows
         echo "$DOCKER_PASSWORD" | docker login -u "$DOCKER_USERNAME" --password-stdin
-        docker push antrea/antrea-windows:"${VERSION}"
+        ./hack/build-antrea-windows-all.sh --pull --push
       shell: bash
 
   build-antrea-mc-controller:

Makefile

@@ -19,11 +19,7 @@ ANTCTL_BINARY_NAME ?= antctl
 OVS_VERSION        := $(shell head -n 1 build/images/deps/ovs-version)
 GO_VERSION         := $(shell head -n 1 build/images/deps/go-version)
 CNI_BINARIES_VERSION := $(shell head -n 1 build/images/deps/cni-binaries-version)
-NANOSERVER_VERSION := $(shell head -n 1 build/images/deps/nanoserver-version)
 BUILD_TAG          := $(shell build/images/build-tag.sh)
-WIN_BUILD_TAG      := $(shell echo $(GO_VERSION) $(CNI_BINARIES_VERSION) $(NANOSERVER_VERSION)|md5sum|head -c 10)
-WIN_OVS_VERSION	   := $(shell head -n 1 build/images/deps/ovs-version-windows)
-WIN_BUILD_OVS_TAG  := $(NANOSERVER_VERSION)-$(WIN_OVS_VERSION)
 GIT_HOOKS          := $(shell find hack/git_client_side_hooks -type f -print)
 DOCKER_NETWORK     ?= default
 TRIVY_TARGET_IMAGE ?=
@@ -39,15 +35,9 @@ endif
 ifneq ($(NO_CACHE),)
 	DOCKER_BUILD_ARGS += --no-cache
 endif
-WIN_BUILD_ARGS := DOCKER_BUILD_ARGS
 DOCKER_BUILD_ARGS += --build-arg OVS_VERSION=$(OVS_VERSION)
 DOCKER_BUILD_ARGS += --build-arg GO_VERSION=$(GO_VERSION)
 DOCKER_BUILD_ARGS += --build-arg BUILD_TAG=$(BUILD_TAG)
-WIN_BUILD_ARGS := --build-arg GO_VERSION=$(GO_VERSION)
-WIN_BUILD_ARGS += --build-arg CNI_BINARIES_VERSION=$(CNI_BINARIES_VERSION)
-WIN_BUILD_ARGS += --build-arg NANOSERVER_VERSION=$(NANOSERVER_VERSION)
-WIN_BUILD_ARGS += --build-arg WIN_BUILD_TAG=$(WIN_BUILD_TAG)
-WIN_BUILD_ARGS += --build-arg WIN_BUILD_OVS_TAG=$(WIN_BUILD_OVS_TAG)
 
 export CGO_ENABLED
 
@@ -62,6 +52,14 @@ UNAME_S := $(shell uname -s)
 USERID  := $(shell id -u)
 GRPID   := $(shell id -g)
 
+WINDOWS_BUILD_OPTIONS :=
+ifeq ($(NO_PULL),)
+	WINDOWS_BUILD_OPTIONS += --pull
+endif
+ifeq ($(RELEASE_STATUS),released)
+	WINDOWS_BUILD_OPTIONS += --agent-tag ${DOCKER_IMG_VERSION}
+endif
+
 .PHONY: install-hooks
 install-hooks:
 	@echo "===> Copying Antrea git hooks to local <==="
@@ -383,8 +381,12 @@ build-controller-ubi:
 .PHONY: build-windows
 build-windows:
 	@echo "===> Building Antrea bins and antrea/antrea-windows Docker image <==="
-	docker build -t antrea/antrea-windows:$(DOCKER_IMG_VERSION) -f build/images/Dockerfile.build.windows --network $(DOCKER_NETWORK) $(WIN_BUILD_ARGS) .
-	docker tag antrea/antrea-windows:$(DOCKER_IMG_VERSION) antrea/antrea-windows
+	$(CURDIR)/build/images/build-windows.sh ${WINDOWS_BUILD_OPTIONS}
+
+.PHONY: build-and-push-windows
+build-and-push-windows:
+	@echo "===> Building Antrea bins and antrea/antrea-windows Docker image and pushing to registry <==="
+	$(CURDIR)/build/images/build-windows.sh --push ${WINDOWS_BUILD_OPTIONS}
 
 .PHONY: build-ubuntu-coverage
 build-ubuntu-coverage: build-controller-ubuntu-coverage build-agent-ubuntu-coverage

build/images/Dockerfile.build.windows

@@ -12,45 +12,40 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-ARG WIN_BUILD_TAG
-ARG NANOSERVER_VERSION
-ARG WIN_BUILD_OVS_TAG
+ARG GO_VERSION
+ARG OVS_VERSION
 
-FROM antrea/base-windows:${WIN_BUILD_TAG} as antrea-build-windows
+FROM --platform=linux/amd64 golang:${GO_VERSION} as antrea-build-windows
+ARG CNI_BINARIES_VERSION
+ENV CNI_PLUGINS="./host-local.exe"
 
 WORKDIR /antrea
 
-COPY go.mod /antrea/go.mod
+ADD https://github.com/containernetworking/plugins/releases/download/${CNI_BINARIES_VERSION}/cni-plugins-windows-amd64-${CNI_BINARIES_VERSION}.tgz cni-plugins-windows-amd64.tgz
+RUN mkdir -p /go/k/antrea/cni && \
+    tar -xzf cni-plugins-windows-amd64.tgz -C /go/k/antrea/cni ${CNI_PLUGINS} && \
+    rm cni-plugins-windows-amd64.tgz
 
-RUN go mod download
+RUN --mount=type=cache,target=/go/pkg/mod/ \
+    --mount=type=bind,source=go.sum,target=go.sum \
+    --mount=type=bind,source=go.mod,target=go.mod \
+    go mod download
 
 COPY . /antrea
 
-RUN sh -c 'make windows-bin'
+RUN --mount=type=cache,target=/go/pkg/mod/ \
+    --mount=type=cache,target=/root/.cache/go-build/ \
+    make windows-bin
 
-FROM antrea/windows-ovs:${WIN_BUILD_OVS_TAG} as windows-ovs
+RUN mkdir -p /go/k/antrea/bin && \
+    cp /antrea/bin/antrea-agent.exe /go/k/antrea/bin/ && \
+    cp /antrea/bin/antctl.exe /go/k/antrea/bin/ && \
+    cp /antrea/bin/antrea-cni.exe /go/k/antrea/cni/antrea.exe
 
-FROM mcr.microsoft.com/powershell:lts-nanoserver-${NANOSERVER_VERSION}
-SHELL ["pwsh", "-NoLogo", "-Command", "$ErrorActionPreference = 'Stop'; $ProgressPreference = 'SilentlyContinue';"]
+FROM antrea/windows-ovs:${OVS_VERSION} as antrea-ovs
 
-LABEL maintainer="Antrea <projectantrea-dev@googlegroups.com>"
-LABEL description="A Docker image to deploy the Antrea CNI."
+FROM mcr.microsoft.com/oss/kubernetes/windows-host-process-containers-base-image:v1.0.0
+COPY --from=antrea-build-windows /go/k /k
+COPY --from=antrea-ovs /openvswitch /openvswitch
 
-USER ContainerAdministrator
-
-RUN mkdir -Force C:\k\antrea\bin
-COPY --from=antrea-build-windows  /opt/cni/bin /k/antrea/cni
-COPY --from=antrea-build-windows  /antrea/build/images/scripts/Install-WindowsCNI.ps1 /k/antrea/
-COPY --from=antrea-build-windows  /antrea/bin/antrea-agent.exe /k/antrea/bin/
-COPY --from=antrea-build-windows  /antrea/bin/antctl.exe /k/antrea/bin/antctl.exe
-COPY --from=antrea-build-windows  /antrea/bin/antrea-cni.exe /k/antrea/cni/antrea.exe
-
-RUN mkdir C:\k\antrea\utils
-COPY --from=antrea-build-windows /wins/wins.exe /k/antrea/utils/wins.exe
-
-COPY --from=windows-ovs /Windows/System32/vcruntime140.dll /Windows/System32/
-COPY --from=windows-ovs /Windows/System32/libeay32.dll /Windows/System32/
-COPY --from=windows-ovs /Windows/System32/ssleay32.dll /Windows/System32/
-
-RUN mkdir C:\openvswitch
-COPY --from=windows-ovs /openvswitch /openvswitch/
+ENV PATH="C:\Windows\system32;C:\Windows;C:\WINDOWS\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\wbem;"

build/images/build-utils.sh

@@ -41,3 +41,39 @@ function check_docker_build_driver() {
     fi
     return 0
 }
+
+function switch_windows_buildx() {
+    local windows_buildx_name="windows-img-builder"
+    original_buildx_instance=$(docker buildx inspect | grep '^Name:' | awk '{print $2}' | head -n 1)
+    if [ "$original_buildx_instance" = "${windows_buildx_name}" ]; then
+        return
+    fi
+    trap 'docker buildx use --default ${original_buildx_instance}' EXIT
+    set +e
+    docker buildx ls | grep "${windows_buildx_name}" > /dev/null 2>&1
+    if [ $? -eq 0 ] ; then
+        docker buildx use --builder windows/amd64 "${windows_buildx_name}"
+    else
+        docker buildx create --name "${windows_buildx_name}" --use --platform windows/amd64
+    fi
+    set -e
+}
+
+function docker_build_and_push_windows() {
+    local image="$1"
+    local dockerfile="$2"
+    local build_args="$3"
+    local build_tag="$4"
+    local push=$5
+    local pull_option="$6"
+
+    switch_windows_buildx
+    if $push; then
+        output="type=registry"
+    else
+        local_file=$(echo "${image}" | awk -F'/' '{print $NF}')
+        output="type=docker,dest=./${local_file}.tar"
+    fi
+
+    docker buildx build --platform windows/amd64 -o ${output} -t ${image}:${build_tag} ${pull_option} ${build_args} -f $dockerfile .
+}