Add build image for windows boringcrypto executable.

.drone/drone.yml

@@ -34,6 +34,40 @@ volumes:
   name: docker
 ---
 kind: pipeline
+name: Create Linux build image for boringcrypto
+platform:
+  arch: amd64
+  os: linux
+steps:
+- commands:
+  - export IMAGE_TAG=${DRONE_TAG##build-image/v}-boringcrypto
+  - docker login -u $DOCKER_LOGIN -p $DOCKER_PASSWORD
+  - docker run --rm --privileged multiarch/qemu-user-static --reset -p yes
+  - docker buildx create --name multiarch --driver docker-container --use
+  - docker buildx build --push --platform linux/amd64,linux/arm64 -t grafana/agent-build-image:$IMAGE_TAG
+    ./build-image/boringcrypto
+  environment:
+    DOCKER_LOGIN:
+      from_secret: docker_login
+    DOCKER_PASSWORD:
+      from_secret: docker_password
+  image: docker
+  name: Build
+  volumes:
+  - name: docker
+    path: /var/run/docker.sock
+trigger:
+  event:
+  - tag
+  ref:
+  - refs/tags/build-image/v*
+type: docker
+volumes:
+- host:
+    path: /var/run/docker.sock
+  name: docker
+---
+kind: pipeline
 name: Create Windows build image
 platform:
   arch: amd64
@@ -1317,6 +1351,6 @@ kind: secret
 name: updater_private_key
 ---
 kind: signature
-hmac: a77b4f7b2708cc4417edd42fae39c307abcaec2c4f0f6176212665133bd20d5d
+hmac: d66a28c3489b7a19b64e82590630ceed4fc71789a76b3da8564c2aae604253ad
 
 ...

.drone/pipelines/build_images.jsonnet

@@ -40,6 +40,29 @@ local locals = {
       host: { path: '/var/run/docker.sock' },
     }],
   },
+  pipelines.linux('Create Linux build image for boringcrypto') {
+    trigger: locals.on_build_image_tag,
+    steps: [{
+      name: 'Build',
+      image: 'docker',
+      volumes: [{
+        name: 'docker',
+        path: '/var/run/docker.sock',
+      }],
+      environment: locals.docker_environment,
+      commands: [
+        'export IMAGE_TAG=${DRONE_TAG##build-image/v}-boringcrypto',
+        'docker login -u $DOCKER_LOGIN -p $DOCKER_PASSWORD',
+        'docker run --rm --privileged multiarch/qemu-user-static --reset -p yes',
+        'docker buildx create --name multiarch --driver docker-container --use',
+        'docker buildx build --push --platform linux/amd64,linux/arm64 -t grafana/agent-build-image:$IMAGE_TAG ./build-image/boringcrypto',
+      ],
+    }],
+    volumes: [{
+      name: 'docker',
+      host: { path: '/var/run/docker.sock' },
+    }],
+   },
 
   pipelines.windows('Create Windows build image') {
     trigger: locals.on_build_image_tag,

.drone/util/build_image.jsonnet

@@ -3,4 +3,5 @@
 
   linux: 'grafana/agent-build-image:%s' % version,
   windows: 'grafana/agent-build-image:%s-windows' % version,
+  boringcrypto: 'grafana/agent-build-image:%s-boringcrypto' % version,
 }

build-image/boringcrypto/Dockerfile

@@ -0,0 +1,107 @@
+# syntax=docker/dockerfile:1.4
+
+# NOTE: The main difference in this file vs the parent Dockerfile is using mcr.microsoft.com/oss/go/microsoft/golang:1.22-bullseye which is a microsoft
+# fork of go that allows using windows crypto instead of boring crypto. Details at https://github.com/microsoft/go/tree/microsoft/main/eng/doc/fips
+
+# NOTE: This Dockerfile can only be built using BuildKit. BuildKit is used by
+# default when running `docker buildx build` or when DOCKER_BUILDKIT=1 is set
+# in environment variables.
+
+#
+# Dependencies
+#
+# We retrieve many of our dependencies by using various smaller containers.
+#
+
+# Dependency: golangci-lint (for linting)
+FROM alpine as golangci
+RUN wget -O- -nv https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s v1.54.2
+
+# Dependency: docker (for building images)
+FROM alpine:3.17 as docker
+RUN apk add --no-cache docker-cli docker-cli-buildx
+
+# Dependency: helm
+FROM alpine:3.17 as helm
+RUN apk add --no-cache helm
+
+# Dependency: Go and Go dependencies
+FROM mcr.microsoft.com/oss/go/microsoft/golang:1.22-bullseye as golang
+
+# Keep in sync with cmd/grafana-agent-operator/DEVELOPERS.md
+ENV CONTROLLER_GEN_VERSION v0.9.2
+
+RUN go install sigs.k8s.io/controller-tools/cmd/controller-gen@$CONTROLLER_GEN_VERSION \
+ && go install github.com/mitchellh/[email protected]                                         \
+ && go install github.com/tcnksm/[email protected]                                           \
+ && go install github.com/grafana/tanka/cmd/[email protected]                                 \
+ && go install github.com/jsonnet-bundler/jsonnet-bundler/cmd/[email protected]                \
+ && go install github.com/google/go-jsonnet/cmd/[email protected]                        \
+ && go install github.com/golang/protobuf/[email protected]                         \
+ && go install github.com/gogo/protobuf/[email protected]                    \
+ && go install github.com/gogo/protobuf/gogoproto/[email protected]                           \
+ && go install github.com/ahmetb/[email protected] \
+ && go install github.com/norwoodj/helm-docs/cmd/[email protected]
+
+#
+# Final image
+#
+
+# rfratto/viceroy contains C cross compilers can be used for our Cgo
+# dependencies.
+FROM rfratto/viceroy:v0.4.0
+
+# Install NodeJS LTS. This is needed because the most recent version of NodeJS
+# from official Debian packages is v12, and we need LTS version v16.
+#
+# This must be done before installing other dependencies, otherwise nodesource
+# will fail on installing NodeJS for all platforms instead of just our host
+# platform.
+# Source: https://github.com/nodesource/distributions#installation-instructions
+RUN <<EOF
+  apt-get update && apt-get install -qy ca-certificates curl gnupg && mkdir -p /etc/apt/keyrings
+  curl -fsSL https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key | gpg --dearmor -o /etc/apt/keyrings/nodesource.gpg
+  echo "deb [signed-by=/etc/apt/keyrings/nodesource.gpg] https://deb.nodesource.com/node_16.x nodistro main" | tee /etc/apt/sources.list.d/nodesource.list
+
+  apt-get update && apt-get install -qy nodejs
+  rm -rf /var/lib/apt/lists/*
+EOF
+
+# Install Yarn.
+#
+# See https://yarnpkg.com/getting-started/install#nodejs-1610
+RUN corepack enable
+
+# Install other dependencies.
+#
+# NOTE(rfratto): musl is installed so the Docker binaries from alpine work
+# properly.
+RUN apt-get update                                \
+ && apt-get install -qy                           \
+      build-essential file zip unzip gettext git  \
+      musl libsystemd-dev nsis                    \
+      rpm ruby ruby-dev rubygems                  \
+      protobuf-compiler libprotobuf-dev yamllint  \
+ && gem install --no-document fpm                 \
+ && rm -rf /var/lib/apt/lists/*
+
+COPY --from=golangci /bin/golangci-lint              /usr/local/bin
+COPY --from=docker   /usr/bin/docker                 /usr/bin/docker
+COPY --from=docker   /usr/libexec/docker/cli-plugins /usr/libexec/docker/cli-plugins
+COPY --from=helm     /usr/bin/helm                   /usr/bin/helm
+COPY --from=golang   /usr/local/go                   /usr/local/go
+COPY --from=golang   /go/bin                         /go/bin
+
+# Git tries to prevent misuse of repositories (CVE-2022-24765), but we don't
+# care about this for build containers, where it's expected that the repository
+# will be accessed by other users (the root user of the build container).
+#
+# Disable that safety check.
+RUN git config --global --add safe.directory \*
+
+# Set CC to viceroycc to ensure that the cross compilers are used for all C
+# compilation.
+ENV CC viceroycc
+
+ENV GOPATH /go
+ENV PATH /usr/local/go/bin:/go/bin:$PATH