Enable linux boringcrypto builds (#796)
* git checkin changes for crypto

* Check in changes to support windows cngcrypto

* Disable cngcrypto containers

* Fix changelog message.

* Remove windows messages

* Remove generate-winmanifest

* Remove more windows specific code

* rollback to how it was before

* rollback to how it was before

* Update CHANGELOG.md

Co-authored-by: Robert Fratto <[email protected]>

* Remove reference to CNGCrypto

---------

Co-authored-by: Robert Fratto <[email protected]>
mattdurham and rfratto authored May 9, 2024
1 parent 9348743 commit ead12a0
Showing 6 changed files with 75 additions and 115 deletions.
105 changes: 35 additions & 70 deletions .drone/drone.yml
@@ -354,6 +354,40 @@ trigger:
type: docker
---
kind: pipeline
name: Build alloy (Linux amd64 boringcrypto)
platform:
arch: amd64
os: linux
steps:
- commands:
- make generate-ui
- GO_TAGS="builtinassets promtail_journal_enabled" GOOS=linux GOARCH=amd64 GOARM=
GOEXPERIMENT=boringcrypto make alloy
image: grafana/alloy-build-image:v0.1.1-boringcrypto
name: Build
trigger:
event:
- pull_request
type: docker
---
kind: pipeline
name: Build alloy (Linux arm64 boringcrypto)
platform:
arch: amd64
os: linux
steps:
- commands:
- make generate-ui
- GO_TAGS="builtinassets promtail_journal_enabled" GOOS=linux GOARCH=arm64 GOARM=
GOEXPERIMENT=boringcrypto make alloy
image: grafana/alloy-build-image:v0.1.1-boringcrypto
name: Build
trigger:
event:
- pull_request
type: docker
---
kind: pipeline
name: Publish Linux alloy-devel container
platform:
arch: amd64
@@ -474,40 +508,6 @@ volumes:
name: docker
---
kind: pipeline
name: Publish Windows alloy-devel-cngcrypto container
platform:
arch: amd64
os: windows
version: "1809"
steps:
- commands:
- '& "C:/Program Files/git/bin/bash.exe" -c ''mkdir -p $HOME/.docker'''
- '& "C:/Program Files/git/bin/bash.exe" -c ''printenv GCR_CREDS > $HOME/.docker/config.json'''
- '& "C:/Program Files/git/bin/bash.exe" -c ''docker login -u $DOCKER_LOGIN -p $DOCKER_PASSWORD'''
- '& "C:/Program Files/git/bin/bash.exe" -c ''./tools/ci/docker-containers-windows
alloy-devel-cngcrypto'''
environment:
DOCKER_LOGIN:
from_secret: docker_login
DOCKER_PASSWORD:
from_secret: docker_password
GCR_CREDS:
from_secret: gcr_admin
image: grafana/alloy-build-image:v0.1.1-windows
name: Build containers
volumes:
- name: docker
path: //./pipe/docker_engine/
trigger:
ref:
- refs/heads/main
type: docker
volumes:
- host:
path: //./pipe/docker_engine/
name: docker
---
kind: pipeline
name: Publish Linux alloy container
platform:
arch: amd64
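Review bot: the removed step logged in with `docker login -u $DOCKER_LOGIN -p $DOCKER_PASSWORD` and copied `GCR_CREDS` straight into `$HOME/.docker/config.json`; passing the password as a command-line argument exposes it to every other process on the Windows build host for the lifetime of the call. If the surviving `Publish Windows alloy container` pipeline (still listed in the `depends_on` further down) is rendered from the same template, switch it to `docker login -u $DOCKER_LOGIN --password-stdin` while the generator is being touched, and keep the GCR credential out of the shell command line in the same way.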
@@ -627,40 +627,6 @@ volumes:
path: //./pipe/docker_engine/
name: docker
---
kind: pipeline
name: Publish Windows alloy-cngcrypto container
platform:
arch: amd64
os: windows
version: "1809"
steps:
- commands:
- '& "C:/Program Files/git/bin/bash.exe" -c ''mkdir -p $HOME/.docker'''
- '& "C:/Program Files/git/bin/bash.exe" -c ''printenv GCR_CREDS > $HOME/.docker/config.json'''
- '& "C:/Program Files/git/bin/bash.exe" -c ''docker login -u $DOCKER_LOGIN -p $DOCKER_PASSWORD'''
- '& "C:/Program Files/git/bin/bash.exe" -c ''./tools/ci/docker-containers-windows
alloy-cngcrypto'''
environment:
DOCKER_LOGIN:
from_secret: docker_login
DOCKER_PASSWORD:
from_secret: docker_password
GCR_CREDS:
from_secret: gcr_admin
image: grafana/alloy-build-image:v0.1.1-windows
name: Build containers
volumes:
- name: docker
path: //./pipe/docker_engine/
trigger:
ref:
- refs/tags/v*
type: docker
volumes:
- host:
path: //./pipe/docker_engine/
name: docker
---
depends_on:
- Publish Linux alloy-devel container
- Publish Linux alloy-devel-boringcrypto container
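Review bot: `drone.yml` is the generated file, so this removal and the one in the previous hunk must come from the `windows_containers` change in `.drone/pipelines/publish.jsonnet` rather than a hand edit; otherwise the next regeneration reintroduces the `alloy-cngcrypto` pipeline. It is worth adding a CI check that regenerates `drone.yml` from the jsonnet and runs `git diff --exit-code`, since drift between the two is also what invalidates the `hmac` signature at the end of the file.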
@@ -712,7 +678,6 @@ depends_on:
- Publish Linux alloy container
- Publish Linux alloy-boringcrypto container
- Publish Windows alloy container
- Publish Windows alloy-cngcrypto container
image_pull_secrets:
- dockerconfigjson
kind: pipeline
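Review bot: the release manifest's `depends_on` drops `Publish Windows alloy-cngcrypto container`, but the matching devel manifest (the `depends_on` list that begins right after the previous hunk, of which only the Linux entries are visible) is not shown changing; if it still names `Publish Windows alloy-devel-cngcrypto container`, Drone rejects the pipeline with an unknown dependency, so expand and check it before merging.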
@@ -870,6 +835,6 @@ kind: secret
name: updater_private_key
---
kind: signature
hmac: 014e46cefcbc28d6d6b5221c2bb477dd9f48bfb6c2fbbf0344e1d1ffef458ca4
hmac: edfc9eabaa8e7af503b548fca203b5e7491258cbf778e172db3fc0cdd23ac3d4

...
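Review bot: the `hmac` line is Drone's keyed signature over the whole YAML and cannot be reviewed from the diff; it only proves that whoever committed it held the repository's signing secret (`drone sign <repo> --save`). The previous hunks change the file, so the old signature would have been rejected and this regeneration is required, but it also means any later hand edit to `drone.yml` will block every pipeline until it is re-signed; keep signing as the final step of the generation target so the two never drift.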
13 changes: 12 additions & 1 deletion .drone/pipelines/crosscompile.jsonnet
@@ -31,6 +31,16 @@ local os_arch_tuples = [
local targets = [
'alloy',
];
local targets_boringcrypto = [
'alloy',
];


local os_arch_types_boringcrypto = [
// Linux boringcrypto
{ name: 'Linux amd64 boringcrypto', os: 'linux', arch: 'amd64', experiment: 'boringcrypto' },
{ name: 'Linux arm64 boringcrypto', os: 'linux', arch: 'arm64', experiment: 'boringcrypto' },
];

local build_environments(targets, tuples, image) = std.flatMap(function(target) (
std.map(function(platform) (
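Review bot: `targets_boringcrypto` is an identical copy of `targets` (`['alloy']`), which invites the two lists drifting apart without anyone noticing; either pass `targets` to the second `build_environments` call or leave a comment explaining why BoringCrypto deliberately gets its own list. The new `experiment` key on the boringcrypto tuples is evidently read by `build_environments` (the generated pipelines carry `GOEXPERIMENT=boringcrypto`), but the existing `os_arch_tuples` entries do not carry it, so the function body must treat a missing key as empty (`std.get(platform, 'experiment', '')` or an `if 'experiment' in platform` guard) rather than indexing it directly, or the non-boring pipelines fail to render. The double blank line before the new list is a minor style nit.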
@@ -63,4 +73,5 @@ local build_environments(targets, tuples, image) = std.flatMap(function(target) (
), tuples)
), targets);

build_environments(targets, os_arch_tuples, build_image.linux)
build_environments(targets, os_arch_tuples, build_image.linux) +
build_environments(targets_boringcrypto, os_arch_types_boringcrypto, build_image.boringcrypto)
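Review bot: `os_arch_types_boringcrypto` breaks the naming convention of `os_arch_tuples` on the line above; rename it `os_arch_tuples_boringcrypto`. The call also requires `build_image.boringcrypto` to exist in the imported `build_image` object (the generated YAML's `grafana/alloy-build-image:v0.1.1-boringcrypto` shows it does); since that image is the only place where the cgo toolchain for the boringcrypto builds lives, its definition deserves a comment noting that both Linux boringcrypto pipelines are emitted on an amd64 host and the arm64 one is therefore a cross-compile.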
1 change: 0 additions & 1 deletion .drone/pipelines/publish.jsonnet
@@ -12,7 +12,6 @@ local linux_containers = [
];
local windows_containers = [
{ devel: 'alloy-devel', release: 'alloy' },
{ devel: 'alloy-devel-cngcrypto', release: 'alloy-cngcrypto' },
];

local linux_containers_dev_jobs = std.map(function(container) (
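Review bot: dropping the `alloy-devel-cngcrypto`/`alloy-cngcrypto` pair here is what should drive the two deleted Windows pipelines in `drone.yml`; the helper those pipelines invoked, `./tools/ci/docker-containers-windows <name>`, presumably still carries a branch for the `-cngcrypto` image names, and that is now dead code that should go in the same PR so nobody can push an unsupported image by calling the script by hand.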
7 changes: 3 additions & 4 deletions CHANGELOG.md
@@ -17,10 +17,9 @@ v1.1.0-rc.0

- (_Public preview_) Add support for setting GOMEMLIMIT based on cgroup setting. (@mattdurham)

- (_Public preview_) Introduce `boringcrypto` and `cngcrypto` Docker images.
These Docker images are tagged with the `-boringcrypto` (for Linux) and
`-cngcrypto` (for Windows) suffixes. `boringcrypto` support is only available
on AMD64 and ARM64, while `cngcrypto` support is only available on AMD64.
- (_Public preview_) Introduce BoringCrypto Docker images.
The BoringCrypto image is tagged with the `-boringcrypto` suffix and
is only available on AMD64 and ARM64 Linux containers.
(@rfratto, @mattdurham)

- (_Public preview_) Introduce `boringcrypto` release assets. BoringCrypto
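Review bot: the rewritten entry erases CNGCrypto from the `v1.1.0-rc.0` notes, but if that release candidate already shipped with the `-cngcrypto` images (the deleted pipeline pushed `alloy-cngcrypto` on every `refs/tags/v*`), users who pulled them need an explicit line saying the images were withdrawn and why, rather than the mention quietly disappearing. Minor wording: "only available on AMD64 and ARM64 Linux containers" reads better as "only available as Linux containers on AMD64 and ARM64".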
14 changes: 0 additions & 14 deletions docs/sources/get-started/install/docker.md
@@ -89,20 +89,6 @@ Make sure you pass `--server.http.listen-addr=0.0.0.0:12345` as an argument as s
If you don't pass this argument, the [debugging UI][UI] won't be available outside of the Docker container.
{{< /admonition >}}

### CNGCrypto images

{{< admonition type="note" >}}
CNGCrypto support is in _Public preview_ and is only available on AMD64 platforms.
{{< /admonition >}}

CNGCrypto images are published with every release starting with version
1.1:

* The latest CNGCrypto image is published as `grafana/alloy:nanoserver-1809-cngcrypto`.
* A specific version of the CNGCrypto image is published as
`grafana/alloy:<VERSION>-nanoserver-1809-cngcrypto`, such as
`grafana/alloy:v1.1.0-nanoserver-1809-cngcrypto`.

## Verify

To verify that {{< param "PRODUCT_NAME" >}} is running successfully, navigate to <http://localhost:12345> and make sure the {{< param "PRODUCT_NAME" >}} [UI][] loads without error.
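Review bot: removing the section leaves any devel images already pushed by the deleted `Publish Windows alloy-devel-cngcrypto container` pipeline (triggered on every push to `main`) sitting in the registry with no documentation; if they were published, either delete the `*-cngcrypto` tags from the registry or add a short deprecation note so nobody keeps pulling a build that will never receive updates. Also grep the rest of the docs for `nanoserver-1809-cngcrypto`, since the install page was probably not the only reference.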
50 changes: 25 additions & 25 deletions docs/sources/reference/config-blocks/http.md
@@ -88,36 +88,36 @@ The `cipher_suites` argument determines what cipher suites to use.
If you don't provide cipher suite, a default list is used.
The set of cipher suites specified may be from the following:

| Cipher | Allowed in BoringCrypto/CNGCrypto builds |
| ----------------------------------------------- | ---------------------------------------- |
| `TLS_RSA_WITH_AES_128_CBC_SHA` | no |
| `TLS_RSA_WITH_AES_256_CBC_SHA` | no |
| `TLS_RSA_WITH_AES_128_GCM_SHA256` | yes |
| `TLS_RSA_WITH_AES_256_GCM_SHA384` | yes |
| `TLS_AES_128_GCM_SHA256` | no |
| `TLS_AES_256_GCM_SHA384` | no |
| `TLS_CHACHA20_POLY1305_SHA256` | no |
| `TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA` | no |
| `TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA` | no |
| `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA` | no |
| `TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA` | no |
| `TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256` | yes |
| `TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384` | yes |
| `TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256` | yes |
| `TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384` | yes |
| `TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256` | no |
| `TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256` | no |
| Cipher | Allowed in BoringCrypto builds |
| ----------------------------------------------- | ------------------------------ |
| `TLS_RSA_WITH_AES_128_CBC_SHA` | no |
| `TLS_RSA_WITH_AES_256_CBC_SHA` | no |
| `TLS_RSA_WITH_AES_128_GCM_SHA256` | yes |
| `TLS_RSA_WITH_AES_256_GCM_SHA384` | yes |
| `TLS_AES_128_GCM_SHA256` | no |
| `TLS_AES_256_GCM_SHA384` | no |
| `TLS_CHACHA20_POLY1305_SHA256` | no |
| `TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA` | no |
| `TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA` | no |
| `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA` | no |
| `TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA` | no |
| `TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256` | yes |
| `TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384` | yes |
| `TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256` | yes |
| `TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384` | yes |
| `TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256` | no |
| `TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256` | no |

The `curve_preferences` argument determines the set of elliptic curves to prefer during a handshake in preference order.
If not provided, a default list is used.
The set of elliptic curves specified may be from the following:

| Curve | Allowed in BoringCrypto/CNGCrypto builds |
| ----------- | ---------------------------------------- |
| `CurveP256` | yes |
| `CurveP384` | yes |
| `CurveP521` | yes |
| `X25519` | no |
| Curve | Allowed in BoringCrypto builds |
| ----------- | ------------------------------ |
| `CurveP256` | yes |
| `CurveP384` | yes |
| `CurveP521` | yes |
| `X25519` | no |

The `min_version` and `max_version` arguments determine the oldest and newest TLS version that's acceptable from clients.
If you don't provide the min and max TLS version, a default value is used.
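Review bot: the header change only removes CNGCrypto, and the "Allowed in BoringCrypto builds" column is otherwise carried over unchanged: it marks the TLS 1.3 suites `TLS_AES_128_GCM_SHA256` and `TLS_AES_256_GCM_SHA384` as "no" while allowing the RSA key-exchange suites `TLS_RSA_WITH_AES_*_GCM_*`. Whether that matches what Go's FIPS-only TLS mode accepts depends on the Go version in the boringcrypto build image, and the allowed set has changed across Go releases, so re-verify the table against the pinned toolchain; a unit test that builds a `tls.Config` with each listed suite under `GOEXPERIMENT=boringcrypto` would keep the table honest. The context line "If you don't provide cipher suite, a default list is used" also has a grammar slip and should read "If you don't provide cipher suites".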