Enable linux boringcrypto builds

.drone/drone.yml

@@ -354,6 +354,40 @@ trigger:
 type: docker
 ---
 kind: pipeline
+name: Build alloy (Linux amd64 boringcrypto)
+platform:
+  arch: amd64
+  os: linux
+steps:
+- commands:
+  - make generate-ui
+  - GO_TAGS="builtinassets promtail_journal_enabled" GOOS=linux GOARCH=amd64 GOARM=
+    GOEXPERIMENT=boringcrypto make alloy
+  image: grafana/alloy-build-image:v0.1.1-boringcrypto
+  name: Build
+trigger:
+  event:
+  - pull_request
+type: docker
+---
+kind: pipeline
+name: Build alloy (Linux arm64 boringcrypto)
+platform:
+  arch: amd64
+  os: linux
+steps:
+- commands:
+  - make generate-ui
+  - GO_TAGS="builtinassets promtail_journal_enabled" GOOS=linux GOARCH=arm64 GOARM=
+    GOEXPERIMENT=boringcrypto make alloy
+  image: grafana/alloy-build-image:v0.1.1-boringcrypto
+  name: Build
+trigger:
+  event:
+  - pull_request
+type: docker
+---
+kind: pipeline
 name: Publish Linux alloy-devel container
 platform:
   arch: amd64
@@ -474,40 +508,6 @@ volumes:
   name: docker
 ---
 kind: pipeline
-name: Publish Windows alloy-devel-cngcrypto container
-platform:
-  arch: amd64
-  os: windows
-  version: "1809"
-steps:
-- commands:
-  - '& "C:/Program Files/git/bin/bash.exe" -c ''mkdir -p $HOME/.docker'''
-  - '& "C:/Program Files/git/bin/bash.exe" -c ''printenv GCR_CREDS > $HOME/.docker/config.json'''
-  - '& "C:/Program Files/git/bin/bash.exe" -c ''docker login -u $DOCKER_LOGIN -p $DOCKER_PASSWORD'''
-  - '& "C:/Program Files/git/bin/bash.exe" -c ''./tools/ci/docker-containers-windows
-    alloy-devel-cngcrypto'''
-  environment:
-    DOCKER_LOGIN:
-      from_secret: docker_login
-    DOCKER_PASSWORD:
-      from_secret: docker_password
-    GCR_CREDS:
-      from_secret: gcr_admin
-  image: grafana/alloy-build-image:v0.1.1-windows
-  name: Build containers
-  volumes:
-  - name: docker
-    path: //./pipe/docker_engine/
-trigger:
-  ref:
-  - refs/heads/main
-type: docker
-volumes:
-- host:
-    path: //./pipe/docker_engine/
-  name: docker
----
-kind: pipeline
 name: Publish Linux alloy container
 platform:
   arch: amd64
@@ -627,40 +627,6 @@ volumes:
     path: //./pipe/docker_engine/
   name: docker
 ---
-kind: pipeline
-name: Publish Windows alloy-cngcrypto container
-platform:
-  arch: amd64
-  os: windows
-  version: "1809"
-steps:
-- commands:
-  - '& "C:/Program Files/git/bin/bash.exe" -c ''mkdir -p $HOME/.docker'''
-  - '& "C:/Program Files/git/bin/bash.exe" -c ''printenv GCR_CREDS > $HOME/.docker/config.json'''
-  - '& "C:/Program Files/git/bin/bash.exe" -c ''docker login -u $DOCKER_LOGIN -p $DOCKER_PASSWORD'''
-  - '& "C:/Program Files/git/bin/bash.exe" -c ''./tools/ci/docker-containers-windows
-    alloy-cngcrypto'''
-  environment:
-    DOCKER_LOGIN:
-      from_secret: docker_login
-    DOCKER_PASSWORD:
-      from_secret: docker_password
-    GCR_CREDS:
-      from_secret: gcr_admin
-  image: grafana/alloy-build-image:v0.1.1-windows
-  name: Build containers
-  volumes:
-  - name: docker
-    path: //./pipe/docker_engine/
-trigger:
-  ref:
-  - refs/tags/v*
-type: docker
-volumes:
-- host:
-    path: //./pipe/docker_engine/
-  name: docker
----
 depends_on:
 - Publish Linux alloy-devel container
 - Publish Linux alloy-devel-boringcrypto container
@@ -712,7 +678,6 @@ depends_on:
 - Publish Linux alloy container
 - Publish Linux alloy-boringcrypto container
 - Publish Windows alloy container
-- Publish Windows alloy-cngcrypto container
 image_pull_secrets:
 - dockerconfigjson
 kind: pipeline
@@ -870,6 +835,6 @@ kind: secret
 name: updater_private_key
 ---
 kind: signature
-hmac: 014e46cefcbc28d6d6b5221c2bb477dd9f48bfb6c2fbbf0344e1d1ffef458ca4
+hmac: edfc9eabaa8e7af503b548fca203b5e7491258cbf778e172db3fc0cdd23ac3d4
 
 ...

.drone/pipelines/crosscompile.jsonnet

@@ -31,6 +31,16 @@ local os_arch_tuples = [
 local targets = [
   'alloy',
 ];
+local targets_boringcrypto = [
+  'alloy',
+];
+
+
+local os_arch_types_boringcrypto = [
+  // Linux boringcrypto
+  { name: 'Linux amd64 boringcrypto', os: 'linux', arch: 'amd64', experiment: 'boringcrypto' },
+  { name: 'Linux arm64 boringcrypto', os: 'linux', arch: 'arm64', experiment: 'boringcrypto' },
+];
 
 local build_environments(targets, tuples, image) = std.flatMap(function(target) (
   std.map(function(platform) (
@@ -63,4 +73,5 @@ local build_environments(targets, tuples, image) = std.flatMap(function(target)
   ), tuples)
 ), targets);
 
-build_environments(targets, os_arch_tuples, build_image.linux)
+build_environments(targets, os_arch_tuples, build_image.linux) +
+build_environments(targets_boringcrypto, os_arch_types_boringcrypto, build_image.boringcrypto)

.drone/pipelines/publish.jsonnet

@@ -12,7 +12,6 @@ local linux_containers = [
 ];
 local windows_containers = [
   { devel: 'alloy-devel', release: 'alloy' },
-  { devel: 'alloy-devel-cngcrypto', release: 'alloy-cngcrypto' },
 ];
 
 local linux_containers_dev_jobs = std.map(function(container) (

CHANGELOG.md

@@ -17,10 +17,9 @@ v1.1.0-rc.0
 
 - (_Public preview_) Add support for setting GOMEMLIMIT based on cgroup setting. (@mattdurham)
 
-- (_Public preview_) Introduce `boringcrypto` and `cngcrypto` Docker images.
-  These Docker images are tagged with the `-boringcrypto` (for Linux) and
-  `-cngcrypto` (for Windows) suffixes. `boringcrypto` support is only available
-  on AMD64 and ARM64, while `cngcrypto` support is only available on AMD64.
+- (_Public preview_) Introduce BoringCrypto Docker images.
+  The BoringCrypto image is tagged with the `-boringcrypto` suffix and 
+  is only available on AMD64 and ARM64 Linux containers.
   (@rfratto, @mattdurham)
 
 - (_Public preview_) Introduce `boringcrypto` release assets. BoringCrypto

docs/sources/get-started/install/docker.md

@@ -89,20 +89,6 @@ Make sure you pass `--server.http.listen-addr=0.0.0.0:12345` as an argument as s
 If you don't pass this argument, the [debugging UI][UI] won't be available outside of the Docker container.
 {{< /admonition >}}
 
-### CNGCrypto images
-
-{{< admonition type="note" >}}
-CNGCrypto support is in _Public preview_ and is only available on AMD64 platforms.
-{{< /admonition >}}
-
-CNGCrypto images are published with every release starting with version
-1.1:
-
-* The latest CNGCrypto image is published as `grafana/alloy:nanoserver-1809-cngcrypto`.
-* A specific version of the CNGCrypto image is published as
-  `grafana/alloy:<VERSION>-nanoserver-1809-cngcrypto`, such as
-  `grafana/alloy:v1.1.0-nanoserver-1809-cngcrypto`.
-
 ## Verify
 
 To verify that {{< param "PRODUCT_NAME" >}} is running successfully, navigate to <http://localhost:12345> and make sure the {{< param "PRODUCT_NAME" >}} [UI][] loads without error.

docs/sources/reference/config-blocks/http.md

@@ -88,36 +88,36 @@ The `cipher_suites` argument determines what cipher suites to use.
 If you don't provide cipher suite, a default list is used.
 The set of cipher suites specified may be from the following:
 
-| Cipher                                          | Allowed in BoringCrypto/CNGCrypto builds |
-| ----------------------------------------------- | ---------------------------------------- |
-| `TLS_RSA_WITH_AES_128_CBC_SHA`                  | no                                       |
-| `TLS_RSA_WITH_AES_256_CBC_SHA`                  | no                                       |
-| `TLS_RSA_WITH_AES_128_GCM_SHA256`               | yes                                      |
-| `TLS_RSA_WITH_AES_256_GCM_SHA384`               | yes                                      |
-| `TLS_AES_128_GCM_SHA256`                        | no                                       |
-| `TLS_AES_256_GCM_SHA384`                        | no                                       |
-| `TLS_CHACHA20_POLY1305_SHA256`                  | no                                       |
-| `TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA`          | no                                       |
-| `TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA`          | no                                       |
-| `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA`            | no                                       |
-| `TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA`            | no                                       |
-| `TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256`       | yes                                      |
-| `TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384`       | yes                                      |
-| `TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256`         | yes                                      |
-| `TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384`         | yes                                      |
-| `TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256`   | no                                       |
-| `TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256` | no                                       |
+| Cipher                                          | Allowed in BoringCrypto builds |
+| ----------------------------------------------- | --------------------------------------- |
+| `TLS_RSA_WITH_AES_128_CBC_SHA`                  | no                                      |
+| `TLS_RSA_WITH_AES_256_CBC_SHA`                  | no                                      |
+| `TLS_RSA_WITH_AES_128_GCM_SHA256`               | yes                                     |
+| `TLS_RSA_WITH_AES_256_GCM_SHA384`               | yes                                     |
+| `TLS_AES_128_GCM_SHA256`                        | no                                      |
+| `TLS_AES_256_GCM_SHA384`                        | no                                      |
+| `TLS_CHACHA20_POLY1305_SHA256`                  | no                                      |
+| `TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA`          | no                                      |
+| `TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA`          | no                                      |
+| `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA`            | no                                      |
+| `TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA`            | no                                      |
+| `TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256`       | yes                                     |
+| `TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384`       | yes                                     |
+| `TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256`         | yes                                     |
+| `TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384`         | yes                                     |
+| `TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256`   | no                                      |
+| `TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256` | no                                      |
 
 The `curve_preferences` argument determines the set of elliptic curves to prefer during a handshake in preference order.
 If not provided, a default list is used.
 The set of elliptic curves specified may be from the following:
 
-| Curve       | Allowed in BoringCrypto/CNGCrypto builds |
-| ----------- | ---------------------------------------- |
-| `CurveP256` | yes                                      |
-| `CurveP384` | yes                                      |
-| `CurveP521` | yes                                      |
-| `X25519`    | no                                       |
+| Curve       | Allowed in BoringCrypto builds |
+| ----------- | --------------------------------------- |
+| `CurveP256` | yes                                     |
+| `CurveP384` | yes                                     |
+| `CurveP521` | yes                                     |
+| `X25519`    | no                                      |
 
 The `min_version` and `max_version` arguments determine the oldest and newest TLS version that's acceptable from clients.
 If you don't provide the min and max TLS version, a default value is used.