diff --git a/.drone/drone.yml b/.drone/drone.yml index b110e802ca..eb3acdf8dd 100644 --- a/.drone/drone.yml +++ b/.drone/drone.yml @@ -354,6 +354,40 @@ trigger: type: docker --- kind: pipeline +name: Build alloy (Linux amd64 boringcrypto) +platform: + arch: amd64 + os: linux +steps: +- commands: + - make generate-ui + - GO_TAGS="builtinassets promtail_journal_enabled" GOOS=linux GOARCH=amd64 GOARM= + GOEXPERIMENT=boringcrypto make alloy + image: grafana/alloy-build-image:v0.1.1-boringcrypto + name: Build +trigger: + event: + - pull_request +type: docker +--- +kind: pipeline +name: Build alloy (Linux arm64 boringcrypto) +platform: + arch: amd64 + os: linux +steps: +- commands: + - make generate-ui + - GO_TAGS="builtinassets promtail_journal_enabled" GOOS=linux GOARCH=arm64 GOARM= + GOEXPERIMENT=boringcrypto make alloy + image: grafana/alloy-build-image:v0.1.1-boringcrypto + name: Build +trigger: + event: + - pull_request +type: docker +--- +kind: pipeline name: Publish Linux alloy-devel container platform: arch: amd64 
@@ -474,40 +508,6 @@ volumes: name: docker --- kind: pipeline -name: Publish Windows alloy-devel-cngcrypto container -platform: - arch: amd64 - os: windows - version: "1809" -steps: -- commands: - - '& "C:/Program Files/git/bin/bash.exe" -c ''mkdir -p $HOME/.docker''' - - '& "C:/Program Files/git/bin/bash.exe" -c ''printenv GCR_CREDS > $HOME/.docker/config.json''' - - '& "C:/Program Files/git/bin/bash.exe" -c ''docker login -u $DOCKER_LOGIN -p $DOCKER_PASSWORD''' - - '& "C:/Program Files/git/bin/bash.exe" -c ''./tools/ci/docker-containers-windows - alloy-devel-cngcrypto''' - environment: - DOCKER_LOGIN: - from_secret: docker_login - DOCKER_PASSWORD: - from_secret: docker_password - GCR_CREDS: - from_secret: gcr_admin - image: grafana/alloy-build-image:v0.1.1-windows - name: Build containers - volumes: - - name: docker - path: //./pipe/docker_engine/ -trigger: - ref: - - refs/heads/main -type: docker -volumes: -- host: - path: //./pipe/docker_engine/ - name: docker ---- -kind: pipeline name: Publish Linux alloy container platform: arch: amd64 
@@ -627,40 +627,6 @@ volumes: path: //./pipe/docker_engine/ name: docker --- -kind: pipeline -name: Publish Windows alloy-cngcrypto container -platform: - arch: amd64 - os: windows - version: "1809" -steps: -- commands: - - '& "C:/Program Files/git/bin/bash.exe" -c ''mkdir -p $HOME/.docker''' - - '& "C:/Program Files/git/bin/bash.exe" -c ''printenv GCR_CREDS > $HOME/.docker/config.json''' - - '& "C:/Program Files/git/bin/bash.exe" -c ''docker login -u $DOCKER_LOGIN -p $DOCKER_PASSWORD''' - - '& "C:/Program Files/git/bin/bash.exe" -c ''./tools/ci/docker-containers-windows - alloy-cngcrypto''' - environment: - DOCKER_LOGIN: - from_secret: docker_login - DOCKER_PASSWORD: - from_secret: docker_password - GCR_CREDS: - from_secret: gcr_admin - image: grafana/alloy-build-image:v0.1.1-windows - name: Build containers - volumes: - - name: docker - path: //./pipe/docker_engine/ -trigger: - ref: - - refs/tags/v* -type: docker -volumes: -- host: - path: //./pipe/docker_engine/ - name: docker ---- depends_on: - Publish Linux alloy-devel container - Publish Linux alloy-devel-boringcrypto container @@ -712,7 +678,6 @@ depends_on: - Publish Linux alloy container - Publish Linux alloy-boringcrypto container - Publish Windows alloy container -- Publish Windows alloy-cngcrypto container image_pull_secrets: - dockerconfigjson kind: pipeline @@ -870,6 +835,6 @@ kind: secret name: updater_private_key --- kind: signature -hmac: 014e46cefcbc28d6d6b5221c2bb477dd9f48bfb6c2fbbf0344e1d1ffef458ca4 +hmac: edfc9eabaa8e7af503b548fca203b5e7491258cbf778e172db3fc0cdd23ac3d4 ... diff --git a/.drone/pipelines/crosscompile.jsonnet b/.drone/pipelines/crosscompile.jsonnet index cb00270e5a..e480992153 100644 --- a/.drone/pipelines/crosscompile.jsonnet +++ b/.drone/pipelines/crosscompile.jsonnet 
@@ -31,6 +31,16 @@ local os_arch_tuples = [ local targets = [ 'alloy', ]; +local targets_boringcrypto = [ + 'alloy', +]; + + +local os_arch_types_boringcrypto = [ + // Linux boringcrypto + { name: 'Linux amd64 boringcrypto', os: 'linux', arch: 'amd64', experiment: 'boringcrypto' }, + { name: 'Linux arm64 boringcrypto', os: 'linux', arch: 'arm64', experiment: 'boringcrypto' }, +]; local build_environments(targets, tuples, image) = std.flatMap(function(target) ( std.map(function(platform) ( @@ -63,4 +73,5 @@ local build_environments(targets, tuples, image) = std.flatMap(function(target) ), tuples) ), targets); -build_environments(targets, os_arch_tuples, build_image.linux) +build_environments(targets, os_arch_tuples, build_image.linux) + +build_environments(targets_boringcrypto, os_arch_types_boringcrypto, build_image.boringcrypto) diff --git a/.drone/pipelines/publish.jsonnet b/.drone/pipelines/publish.jsonnet index e51725eda6..5662826647 100644 --- a/.drone/pipelines/publish.jsonnet +++ b/.drone/pipelines/publish.jsonnet @@ -12,7 +12,6 @@ local linux_containers = [ ]; local windows_containers = [ { devel: 'alloy-devel', release: 'alloy' }, - { devel: 'alloy-devel-cngcrypto', release: 'alloy-cngcrypto' }, ]; local linux_containers_dev_jobs = std.map(function(container) ( diff --git a/CHANGELOG.md b/CHANGELOG.md index b749f40b95..369d6aafd7 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
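Review bot: The new list `os_arch_types_boringcrypto` breaks the naming of the `os_arch_tuples` list it parallels, and `targets_boringcrypto` is an exact copy of `targets`. Renaming it to `os_arch_tuples_boringcrypto` and passing the existing `targets` to the second `build_environments` call would keep the two build matrices visibly symmetric, and would drop a list that can drift. The three consecutive blank `+` lines between the two definitions can shrink to one. The new `experiment` field has no comment; something like `// experiment is passed to the build as GOEXPERIMENT` would help. How `build_environments` reads that field, and what happens for tuples that lack it, is outside this hunk.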
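Review bot: The pipelines added by `build_environments(targets_boringcrypto, os_arch_types_boringcrypto, build_image.boringcrypto)` only show that `make alloy` succeeds with `GOEXPERIMENT=boringcrypto`; nothing visible asserts that the resulting binary is linked against BoringCrypto. If a later template or build-image change stopped applying the experiment, these pull-request checks would presumably still pass, which matters to users who choose this build for its restricted crypto. Consider adding a check after the build in the boringcrypto step, for example `go tool nm <alloy-binary-path> | grep -q _Cfunc__goboringcrypto_` (the path is a placeholder). A one-line comment above the call, such as `// PR-only compile check for the boringcrypto variants`, would also help. The body of `build_environments` is outside this hunk, so it is not visible whether it can take an extra per-tuple command.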
@@ -17,10 +17,9 @@ v1.1.0-rc.0 - (_Public preview_) Add support for setting GOMEMLIMIT based on cgroup setting. (@mattdurham) -- (_Public preview_) Introduce `boringcrypto` and `cngcrypto` Docker images. - These Docker images are tagged with the `-boringcrypto` (for Linux) and - `-cngcrypto` (for Windows) suffixes. `boringcrypto` support is only available - on AMD64 and ARM64, while `cngcrypto` support is only available on AMD64. +- (_Public preview_) Introduce BoringCrypto Docker images. + The BoringCrypto image is tagged with the `-boringcrypto` suffix and + is only available on AMD64 and ARM64 Linux containers. (@rfratto, @mattdurham) - (_Public preview_) Introduce `boringcrypto` release assets. BoringCrypto diff --git a/docs/sources/get-started/install/docker.md b/docs/sources/get-started/install/docker.md index 34404a8802..98bbb03a4f 100644 --- a/docs/sources/get-started/install/docker.md +++ b/docs/sources/get-started/install/docker.md @@ -89,20 +89,6 @@ Make sure you pass `--server.http.listen-addr=0.0.0.0:12345` as an argument as s If you don't pass this argument, the [debugging UI][UI] won't be available outside of the Docker container. {{< /admonition >}} -### CNGCrypto images - -{{< admonition type="note" >}} -CNGCrypto support is in _Public preview_ and is only available on AMD64 platforms. -{{< /admonition >}} - -CNGCrypto images are published with every release starting with version -1.1: - -* The latest CNGCrypto image is published as `grafana/alloy:nanoserver-1809-cngcrypto`. -* A specific version of the CNGCrypto image is published as - `grafana/alloy:-nanoserver-1809-cngcrypto`, such as - `grafana/alloy:v1.1.0-nanoserver-1809-cngcrypto`. - ## Verify To verify that {{< param "PRODUCT_NAME" >}} is running successfully, navigate to and make sure the {{< param "PRODUCT_NAME" >}} [UI][] loads without error. diff --git a/docs/sources/reference/config-blocks/http.md b/docs/sources/reference/config-blocks/http.md index 18b6ae4d0e..a53be921dd 100644 
--- a/docs/sources/reference/config-blocks/http.md +++ b/docs/sources/reference/config-blocks/http.md 
@@ -88,36 +88,36 @@ The `cipher_suites` argument determines what cipher suites to use. If you don't provide cipher suite, a default list is used. The set of cipher suites specified may be from the following: -| Cipher | Allowed in BoringCrypto/CNGCrypto builds | -| ----------------------------------------------- | ---------------------------------------- | -| `TLS_RSA_WITH_AES_128_CBC_SHA` | no | -| `TLS_RSA_WITH_AES_256_CBC_SHA` | no | -| `TLS_RSA_WITH_AES_128_GCM_SHA256` | yes | -| `TLS_RSA_WITH_AES_256_GCM_SHA384` | yes | -| `TLS_AES_128_GCM_SHA256` | no | -| `TLS_AES_256_GCM_SHA384` | no | -| `TLS_CHACHA20_POLY1305_SHA256` | no | -| `TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA` | no | -| `TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA` | no | -| `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA` | no | -| `TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA` | no | -| `TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256` | yes | -| `TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384` | yes | -| `TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256` | yes | -| `TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384` | yes | -| `TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256` | no | -| `TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256` | no | +| Cipher | Allowed in BoringCrypto builds | +| ----------------------------------------------- | ------------------------------ | +| `TLS_RSA_WITH_AES_128_CBC_SHA` | no | +| `TLS_RSA_WITH_AES_256_CBC_SHA` | no | +| `TLS_RSA_WITH_AES_128_GCM_SHA256` | yes | +| `TLS_RSA_WITH_AES_256_GCM_SHA384` | yes | +| `TLS_AES_128_GCM_SHA256` | no | +| `TLS_AES_256_GCM_SHA384` | no | +| `TLS_CHACHA20_POLY1305_SHA256` | no | +| `TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA` | no | +| `TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA` | no | +| `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA` | no | +| `TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA` | no | +| `TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256` | yes | +| `TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384` | yes | +| `TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256` | yes | +| `TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384` | yes | +| 
`TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256` | no | +| `TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256` | no | The `curve_preferences` argument determines the set of elliptic curves to prefer during a handshake in preference order. If not provided, a default list is used. The set of elliptic curves specified may be from the following: -| Curve | Allowed in BoringCrypto/CNGCrypto builds | -| ----------- | ---------------------------------------- | -| `CurveP256` | yes | -| `CurveP384` | yes | -| `CurveP521` | yes | -| `X25519` | no | +| Curve | Allowed in BoringCrypto builds | +| ----------- | ------------------------------ | +| `CurveP256` | yes | +| `CurveP384` | yes | +| `CurveP521` | yes | +| `X25519` | no | The `min_version` and `max_version` arguments determine the oldest and newest TLS version that's acceptable from clients. If you don't provide the min and max TLS version, a default value is used.