linkerd · olix0r · Aug 13, 2025 · Aug 12, 2025 · Aug 12, 2025 · Aug 12, 2025
@@ -102,7 +102,6 @@ jobs:
       matrix:
         component:
           - controller
-          - policy-controller
           - proxy
     timeout-minutes: 20
     steps:
@@ -216,7 +215,6 @@ jobs:
       - run: just policy-test-build
       - run: just k3d-k8s='${{ matrix.k8s }}' k3d-create
       - run: docker load <image-archives/controller.tar
-      - run: docker load <image-archives/policy-controller.tar
       - run: docker load <image-archives/proxy.tar
       - run: docker image ls
       - run: just linkerd-tag='${{ needs.meta.outputs.tag }}' linkerd-exec="$HOME/linkerd" linkerd-install
@@ -368,7 +366,7 @@ jobs:
           bin/scurl -v "https://raw.githubusercontent.com/k3d-io/k3d/${K3D_VERSION}/install.sh" | bash
       - name: Load docker images
         run: |
-          for img in controller policy-controller proxy; do
+          for img in controller proxy; do
             docker load <"image-archives/${img}.tar"
           done
       - run: docker image ls

@@ -40,14 +40,12 @@ jobs:
         component:
           - cli-bin
           - controller
-          - policy-controller
           - debug
           - jaeger-webhook
           - metrics-api
           - proxy
           - tap
           - web
-    # policy-controller docker builds have occasionally hit a 30-minute timeout.
     timeout-minutes: 45
     steps:
       - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8

@@ -1,4 +1,27 @@
-FROM --platform=$BUILDPLATFORM ghcr.io/linkerd/dev:v47-rust-musl AS controller
+# Precompile key slow-to-build dependencies
+FROM --platform=$BUILDPLATFORM golang:1.24-alpine AS go-deps
+WORKDIR /linkerd-build
+COPY go.mod go.sum ./
+COPY bin/install-deps bin/
+RUN go mod download
+ARG TARGETARCH
+RUN ./bin/install-deps $TARGETARCH
+
+## compile controller service
+FROM go-deps AS golang
+WORKDIR /linkerd-build
+COPY controller/gen controller/gen
+COPY pkg pkg
+COPY charts charts
+COPY controller controller
+COPY charts/patch charts/patch
+COPY charts/partials charts/partials
+COPY multicluster multicluster
+
+ARG TARGETARCH
+RUN CGO_ENABLED=0 GOOS=linux GOARCH=$TARGETARCH go build -o /out/controller -tags prod -mod=readonly -ldflags "-s -w" ./controller/cmd
+
+FROM --platform=$BUILDPLATFORM ghcr.io/linkerd/dev:v47-rust-musl AS policy
 ARG BUILD_TYPE="release"
 WORKDIR /build
 RUN mkdir -p target/bin
@@ -24,9 +47,17 @@ RUN --mount=type=cache,target=target \
         *) echo "unsupported architecture: $TARGETARCH" >&2; exit 1 ;; \
     esac) && \
     just-cargo CFLAGS_aarch64_unknown_linux_musl="" profile=$BUILD_TYPE target=$target build --package=linkerd-policy-controller && \
-    mv "target/$target/$BUILD_TYPE/linkerd-policy-controller" /tmp/
+    mkdir /out && mv "target/$target/$BUILD_TYPE/linkerd-policy-controller" /out/
 
-FROM scratch AS runtime
+## package runtime
+FROM scratch
 LABEL org.opencontainers.image.source=https://github.com/linkerd/linkerd2
-COPY --from=controller /tmp/linkerd-policy-controller /bin/
-ENTRYPOINT ["/bin/linkerd-policy-controller"]
+COPY LICENSE /linkerd/LICENSE
+COPY --from=golang /out/controller /controller
+COPY --from=policy /out/linkerd-policy-controller /
+# for heartbeat (https://versioncheck.linkerd.io/version.json)
+COPY --from=golang /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
+
+ARG LINKERD_VERSION
+ENV LINKERD_CONTAINER_VERSION_OVERRIDE=${LINKERD_VERSION}
+ENTRYPOINT ["/controller"]
@@ -33,7 +33,6 @@ export SUPPORTED_ARCHS=${SUPPORTED_ARCHS:-linux/amd64,linux/arm64}
 export DOCKER_IMAGES=(${DOCKER_IMAGES:-
     cli-bin
     controller
-    policy-controller
     metrics-api
     debug
     proxy

@@ -17,7 +17,7 @@ export external_resource_test_names=(external-resources)
 # TODO(alpeb): add test cni-calico-deep-dual-stack
 export dual_stack_test_names=(deep-dual-stack)
 export all_test_names=(cluster-domain cni-calico-deep multicluster "${default_test_names[*]}" "${external_resource_test_names[*]}" "${dual_stack_test_names[*]}")
-images_load_default=(proxy controller policy-controller web metrics-api tap)
+images_load_default=(proxy controller web metrics-api tap)
 
 tests_usage() {
   progname=${0##*/}

@@ -11,7 +11,6 @@ bindir=$( cd "${0%/*}" && pwd )
 
 "$bindir"/docker-build-proxy
 "$bindir"/docker-build-controller
-"$bindir"/docker-build-policy-controller
 "$bindir"/docker-build-web
 "$bindir"/docker-build-debug
 if [ -z "${LINKERD_LOCAL_BUILD_CLI:-}" ]; then

@@ -15,5 +15,4 @@ rootdir=$( cd "$bindir"/.. && pwd )
 # shellcheck source=_tag.sh
 . "$bindir"/_tag.sh
 
-dockerfile=$rootdir/controller/Dockerfile
-docker_build controller "${TAG:-$(head_root_tag)}" "$dockerfile" --build-arg LINKERD_VERSION="${TAG:-$(head_root_tag)}"
+docker_build controller "${TAG:-$(head_root_tag)}" "$rootdir/Dockerfile.controller" --build-arg LINKERD_VERSION="${TAG:-$(head_root_tag)}"
@@ -337,7 +337,8 @@ spec:
         - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
           name: kube-api-access
           readOnly: true
-      - args:
+      - command: ["/linkerd-policy-controller"]
+        args:
         - --admin-addr={{ if .Values.disableIPv6 }}0.0.0.0{{ else }}[::]{{ end }}:9990
         - --control-plane-namespace={{.Release.Namespace}}
         - --grpc-addr={{ if .Values.disableIPv6 }}0.0.0.0{{ else }}[::]{{ end }}:8090
@@ -361,8 +362,8 @@ spec:
         {{- range .Values.policyController.experimentalArgs }}
         - {{ . }}
         {{- end }}
-        image: {{.Values.policyController.image.name}}:{{.Values.policyController.image.version | default .Values.linkerdVersion}}
-        imagePullPolicy: {{.Values.policyController.image.pullPolicy | default .Values.imagePullPolicy}}
+        image: {{ .Values.controllerImage }}:{{ .Values.controllerImageVersion | default .Values.linkerdVersion }}
+        imagePullPolicy: {{ .Values.imagePullPolicy }}
         livenessProbe:
           httpGet:
             path: /live

@@ -80,15 +80,7 @@ runtimeClassName: ""
 
 # policy controller configuration
 policyController:
-  image:
-    # -- Docker image for the policy controller
-    name: cr.l5d.io/linkerd/policy-controller
-    # -- Pull policy for the policy controller container image
-    # @default -- imagePullPolicy
-    pullPolicy: ""
-    # -- Tag for the policy controller container image
-    # @default -- linkerdVersion
-    version: ""
+  # `image` has been removed.
 
   # -- Log level for the policy controller
   logLevel: info

@@ -68,11 +68,6 @@ func TestRender(t *testing.T) {
 		PodLabels:               map[string]string{},
 		PriorityClassName:       "PriorityClassName",
 		PolicyController: &charts.PolicyController{
-			Image: &charts.Image{
-				Name:       "PolicyControllerImageName",
-				PullPolicy: "ImagePullPolicy",
-				Version:    "PolicyControllerVersion",
-			},
 			LogLevel: "log-level",
 			Resources: &charts.Resources{
 				CPU: charts.Constraints{
@@ -546,7 +541,6 @@ func testInstallValues() (*charts.Values, error) {
 	values.Proxy.Image.Version = installProxyVersion
 	values.DebugContainer.Image.Version = installDebugVersion
 	values.LinkerdVersion = installControlPlaneVersion
-	values.PolicyController.Image.Version = installControlPlaneVersion
 	values.HeartbeatSchedule = fakeHeartbeatSchedule()
 
 	identityCert, err := os.ReadFile(filepath.Join("testdata", "valid-crt.pem"))

@@ -421,7 +421,6 @@ func makeProxyFlags(defaults *l5dcharts.Values) ([]flag.Flag, *pflag.FlagSet) {
 		fmt.Sprintf("Docker registry to pull images from ($%s)", flagspkg.EnvOverrideDockerRegistry),
 		func(values *l5dcharts.Values, value string) error {
 			values.ControllerImage = cmd.RegistryOverride(values.ControllerImage, value)
-			values.PolicyController.Image.Name = cmd.RegistryOverride(values.PolicyController.Image.Name, value)
 			values.DebugContainer.Image.Name = cmd.RegistryOverride(values.DebugContainer.Image.Name, value)
 			values.Proxy.Image.Name = cmd.RegistryOverride(values.Proxy.Image.Name, value)
 			values.ProxyInit.Image.Name = cmd.RegistryOverride(values.ProxyInit.Image.Name, value)