Add boringcrypto image

[dimitarvdimitrov]

This adds a boringcrypto image

• builds and pushes amd64/arm64 boringcrypto image upon make publish-images
  • images are pushed to grafana/rollout-operator-boringcrypto
  • also build the binary in an alpine container as opposed to a Debian. This means that the binary is linked against musl instead of glibc and running alpine with glibc may come with problems
• runs unit and integration tests with boringcrypto

[dimitarvdimitrov]

The CI is failing the same bug that @andyasp encountered here #70 (comment)

[aknuds1]

See questions.

[aknuds1]

Please see comments

[dimitarvdimitrov]

thanks for the reviews @aknuds1, I think I addressed all of the issues. Sorry for the state of this PR; I should have reviewed it on my own a few times before opening.

[aknuds1]

LGTM, modulo a couple of newline nits.

[dimitarvdimitrov]

I pushed a commit to pin the go version so we can see a passing CI. After that I'll undo the pin and merge on failing CI

[dimitarvdimitrov]

I had to make some adjustment to the PR. As of now this is the amd4 binary built from this PR using the commit where CI tests ran - 7a0770d

$ file /tmp/rollout-operator
/tmp/rollout-operator: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, Go BuildID=GpWoX651AkwtQPsrgVNx/nuEX87cG0CpHr_FAQAlZ/WGnquJfCp-utqUX_5FNc/eePK3vlRL3Hn65mybSiG, with debug_info, not stripped

and includes boringcrypto & FIPS symbols as opposed to standard library symbols

$ go tool nm /tmp/rollout-operator | grep FIPS
  461b80 t BORINGSSL_FIPS_abort
  45da80 t FIPS_mode_set
  45da90 t FIPS_read_counter
  401490 T _cgo_d8b1bdd8e714_Cfunc__goboringcrypto_FIPS_mode
  45da70 t _goboringcrypto_FIPS_mode
  65bd40 T crypto/internal/boring._Cfunc__goboringcrypto_FIPS_mode.abi0
 2a89888 D crypto/internal/boring._cgo_d8b1bdd8e714_Cfunc__goboringcrypto_FIPS_mode
  5eadc0 T crypto/internal/boring/sig.FIPSOnly.abi0
 2a8ae30 D crypto/tls.defaultCipherSuitesFIPS
 2a8aeb0 D crypto/tls.defaultFIPSCurvePreferences

The tests pass on 7a0770d with the go version pinned to 1.20.5. I reverted the pin in f4ef221 that's why the branch is now failing CI. The failing CI is due to a bugfix in docker which hasn't reached us yet (see #70 (comment))

[aknuds1]

Please see questions, otherwise good to go I think?

[aknuds1]

LGTM

[aknuds1]

LGTM, although you should remove the gcompat package in Alpine.

[dimitarvdimitrov]

commands ran on the image from 617719f

file /bin/rollout-operator
/bin/rollout-operator: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib/ld-musl-x86_64.so.1, Go BuildID=QhjtoKw-eV539V2keY8t/JMinCisYZsWEMlAzPP4y/VTEVI2hm4Ymq6TZTkxhX/fQgtBavrsbgLnofGYkki, with debug_info, not stripped

ldd /bin/rollout-operator
	/lib/ld-musl-x86_64.so.1 (0x7f1839c4f000)
	libc.musl-x86_64.so.1 => /lib/ld-musl-x86_64.so.1 (0x7f1839c4f000)

go tool nm /tmp/rollout-operator | grep -E 'sig.FIPSOnly|sig.BoringCrypto|sig.StandardCrypto'
  5ebda0 T crypto/internal/boring/sig.BoringCrypto.abi0
  5ebdc0 T crypto/internal/boring/sig.FIPSOnly.abi0

[aknuds1]

For context, @dimitarvdimitrov and I decided to not statically link the boringcrypto based rollout-operator, since it leads to warnings during the link stage about implicit libc dependencies at runtime (also glibc static linking is discouraged). The dynamically linked image should work perfectly within the Docker image, as it just links to Alpine's musl (libc) library.

[andyasp]

Minor comments, nice job!