OpenSSL as bazel dependency

.bazelrc

@@ -538,7 +538,7 @@ common:bes-envoy-engflow --bes_timeout=3600s
 common:bes-envoy-engflow --bes_upload_mode=fully_async
 common:bes-envoy-engflow --nolegacy_important_outputs
 common:rbe-envoy-engflow --remote_executor=grpcs://mordenite.cluster.engflow.com
-common:rbe-envoy-engflow --remote_default_exec_properties=container-image=docker://quay.io/jwendell/envoy-build-ubuntu@sha256:3eb12d3f8639ec7c6202c57c62db5fdf9e8abae1c74d9ec165b259407ab3c022
+common:rbe-envoy-engflow --remote_default_exec_properties=container-image=docker://gcr.io/envoy-ci/envoy-build@sha256:7adc40c09508f957624c4d2e0f5aeecb73a59207ee6ded53b107eac828c091b2
 common:rbe-envoy-engflow --jobs=200
 common:rbe-envoy-engflow --define=engflow_rbe=true
 

.github/workflows/envoy-openssl.yml

@@ -32,5 +32,3 @@ jobs:
         ENVOY_RBE: 1
         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         ENVOY_STDLIB: libstdc++
-        IMAGE_NAME: quay.io/jwendell/envoy-build-ubuntu
-        IMAGE_ID: openssl-cb86d91cf406995012e330ab58830e6ee10240cb

bazel/envoy_test.bzl

@@ -86,6 +86,7 @@ def envoy_cc_fuzz_test(
         size = "medium",
         deps = [],
         tags = [],
+        env = {},
         **kwargs):
     exec_properties = exec_properties | select({
         repository + "//bazel:engflow_rbe_x86_64": {"Pool": rbe_pool} if rbe_pool else {},
@@ -113,6 +114,11 @@ def envoy_cc_fuzz_test(
         **kwargs
     )
 
+    real_env = dict(env)
+    real_env.update({
+        "LD_LIBRARY_PATH": "/build/bazel_root/base/execroot/envoy/bazel-out/k8-fastbuild/bin/external/openssl/openssl/lib64",
+    })
+
     native.cc_test(
         name = name,
         copts = envoy_copts("@envoy", test = True),
@@ -140,6 +146,7 @@ def envoy_cc_fuzz_test(
         }),
         size = size,
         tags = ["fuzz_target"] + tags,
+        env = real_env,
     )
 
     fuzzing_decoration(
@@ -178,6 +185,12 @@ def envoy_cc_test(
         repository + "//bazel:engflow_rbe_x86_64": {"Pool": rbe_pool} if rbe_pool else {},
         "//conditions:default": {},
     })
+
+    real_env = dict(env)
+    real_env.update({
+        "LD_LIBRARY_PATH": "/build/bazel_root/base/execroot/envoy/bazel-out/k8-fastbuild/bin/external/openssl/openssl/lib64",
+    })
+
     native.cc_test(
         name = name,
         srcs = srcs,
@@ -200,7 +213,7 @@ def envoy_cc_test(
         shard_count = shard_count,
         size = size,
         flaky = flaky,
-        env = env,
+        env = real_env,
         exec_properties = exec_properties,
     )
 
@@ -288,20 +301,28 @@ def envoy_benchmark_test(
         data = [],
         rbe_pool = None,
         exec_properties = {},
+        env = {},
         tags = [],
         repository = "",
         **kargs):
     exec_properties = exec_properties | select({
         repository + "//bazel:engflow_rbe_x86_64": {"Pool": rbe_pool} if rbe_pool else {},
         "//conditions:default": {},
     })
+
+    real_env = dict(env)
+    real_env.update({
+        "LD_LIBRARY_PATH": "/build/bazel_root/base/execroot/envoy/bazel-out/k8-fastbuild/bin/external/openssl/openssl/lib64",
+    })
+
     native.sh_test(
         name = name,
         srcs = [repository + "//bazel:test_for_benchmark_wrapper.sh"],
         data = [":" + benchmark_binary] + data,
         exec_properties = exec_properties,
         args = ["%s/%s" % (native.package_name(), benchmark_binary)],
         tags = tags + ["nocoverage"],
+        env = real_env,
         **kargs
     )
 
@@ -341,6 +362,7 @@ def envoy_sh_test(
         coverage = True,
         cc_binary = [],
         tags = [],
+        env = {},
         **kargs):
     if coverage:
         if cc_binary == []:
@@ -358,16 +380,22 @@ def envoy_sh_test(
             srcs = [test_runner_cc],
             data = srcs + data + cc_binary,
             tags = tags,
+            env = env,
             deps = ["//test/test_common:environment_lib"] + cc_binary,
             **kargs
         )
 
     else:
+        real_env = dict(env)
+        real_env.update({
+            "LD_LIBRARY_PATH": "/build/bazel_root/base/execroot/envoy/bazel-out/k8-fastbuild/bin/external/openssl/openssl/lib64",
+        })
         native.sh_test(
             name = name,
             srcs = ["//bazel:sh_test_wrapper.sh"],
             data = srcs + data + cc_binary,
             args = srcs,
             tags = tags + ["nocoverage"],
+            env = real_env,
             **kargs
         )

bazel/external/openssl.BUILD

@@ -0,0 +1,51 @@
+load("@rules_foreign_cc//foreign_cc:configure.bzl", "configure_make")
+#load("@envoy//bazel:envoy_build_system.bzl", "envoy_cc_library")
+
+licenses(["notice"])  # Apache 2
+
+filegroup(
+    name = "all",
+    srcs = glob(["**"]),
+)
+
+configure_make(
+    name = "openssl",
+    lib_source = ":all",
+    lib_name = "openssl",
+    configure_in_place = True,
+    configure_command = "Configure",
+    targets = ["build_sw", "install_sw"],
+    args = ["-j"],
+    out_lib_dir = "lib64",
+    out_shared_libs = ["libssl.so.3", "libcrypto.so.3"],
+    out_include_dir = "include",
+    visibility = ["//visibility:public"],
+)
+
+cc_library(
+    name = "libs",
+    deps = [":openssl"],
+    srcs = [":openssl"],
+    linkstatic = True,
+    visibility = ["//visibility:public"],
+)
+
+# envoy_cc_library(
+#     name = "libs",
+#     deps = [":openssl"],
+#     repository = "@envoy",
+#     rbe_pool = "6gig",
+#     visibility = ["//visibility:public"],
+#     srcs = [":openssl"],
+#     data = [":openssl"],
+#     alwayslink = True,
+# )
+
+# envoy_cc_library(
+#     name = "crypto",
+#     deps = [":openssl"],
+#     repository = "@envoy",
+#     rbe_pool = "6gig",
+#     visibility = ["//visibility:public"],
+#     srcs = [":openssl"],
+# )

bazel/rbe/toolchains/configs/linux/clang/config/BUILD

@@ -42,7 +42,7 @@ platform(
         "@bazel_tools//tools/cpp:clang",
     ],
     exec_properties = {
-        "container-image": "docker://quay.io/jwendell/envoy-build-ubuntu@sha256:3eb12d3f8639ec7c6202c57c62db5fdf9e8abae1c74d9ec165b259407ab3c022",
+        "container-image": "docker://gcr.io/envoy-ci/envoy-build@sha256:7adc40c09508f957624c4d2e0f5aeecb73a59207ee6ded53b107eac828c091b2",
         "OSFamily": "Linux",
     },
     parents = ["@local_config_platform//:host"],

bazel/rbe/toolchains/configs/linux/clang_libcxx/config/BUILD

@@ -42,7 +42,7 @@ platform(
         "@bazel_tools//tools/cpp:clang",
     ],
     exec_properties = {
-        "container-image": "docker://quay.io/jwendell/envoy-build-ubuntu@sha256:3eb12d3f8639ec7c6202c57c62db5fdf9e8abae1c74d9ec165b259407ab3c022",
+        "container-image": "docker://gcr.io/envoy-ci/envoy-build@sha256:7adc40c09508f957624c4d2e0f5aeecb73a59207ee6ded53b107eac828c091b2",
         "OSFamily": "Linux",
     },
     parents = ["@local_config_platform//:host"],

bazel/rbe/toolchains/configs/linux/gcc/config/BUILD

@@ -42,7 +42,7 @@ platform(
         "@bazel_tools//tools/cpp:clang",
     ],
     exec_properties = {
-        "container-image": "docker://quay.io/jwendell/envoy-build-ubuntu@sha256:3eb12d3f8639ec7c6202c57c62db5fdf9e8abae1c74d9ec165b259407ab3c022",
+        "container-image": "docker://gcr.io/envoy-ci/envoy-build@sha256:7adc40c09508f957624c4d2e0f5aeecb73a59207ee6ded53b107eac828c091b2",
         "OSFamily": "Linux",
     },
     parents = ["@local_config_platform//:host"],

bazel/repositories.bzl

@@ -134,6 +134,8 @@ def envoy_dependencies(skip_targets = []):
     # Setup external Bazel rules
     _foreign_cc_dependencies()
 
+    _openssl()
+
     # Binding to an alias pointing to the bssl-compat layer
     native.bind(
         name = "ssl",
@@ -276,6 +278,12 @@ def _boringssl_fips():
         build_file = "@envoy//bazel/external:boringssl_fips.BUILD",
     )
 
+def _openssl():
+    external_http_archive(
+        name = "openssl",
+        build_file = "@envoy//bazel/external:openssl.BUILD",
+    )
+
 def _com_github_openhistogram_libcircllhist():
     external_http_archive(
         name = "com_github_openhistogram_libcircllhist",

bazel/repository_locations.bzl

@@ -163,6 +163,20 @@ REPOSITORY_LOCATIONS_SPEC = dict(
         release_date = "2022-06-13",
         cpe = "cpe:2.3:a:google:boringssl:*",
     ),
+    openssl = dict(
+        project_name = "OpenSSL",
+        project_desc = "TLS/SSL and crypto library",
+        project_url = "https://github.com/openssl/openssl",
+        version = "3.0.16",
+        sha256 = "57e03c50feab5d31b152af2b764f10379aecd8ee92f16c985983ce4a99f7ef86",
+        strip_prefix = "openssl-{version}",
+        urls = ["https://github.com/openssl/openssl/releases/download/openssl-{version}/openssl-{version}.tar.gz"],
+        use_category = ["controlplane", "dataplane_core"],
+        release_date = "2025-02-11",
+        cpe = "cpe:2.3:a:openssl:openssl:*",
+        license = "Apache-2.0",
+        license_url = "https://github.com/openssl/openssl/blob/openssl-{version}/LICENSE.txt",
+    ),
     aspect_bazel_lib = dict(
         project_name = "Aspect Bazel helpers",
         project_desc = "Base Starlark libraries and basic Bazel rules which are useful for constructing rulesets and BUILD files",

bssl-compat/BUILD

@@ -7,15 +7,52 @@ filegroup(
 
 licenses(["notice"])  # Apache 2
 
+genrule(
+    name = "openssl_root_dir",
+    srcs = ["@openssl//:openssl"],
+    outs = ["openssl_root_dir.txt"],
+    cmd = """
+        set -e
+        OPENSSL_FILE=$$(find $(locations @openssl//:openssl) -name libssl.so.3 | head -n1)
+        OPENSSL_DIR=$$(dirname "$$OPENSSL_FILE")
+        EXEC_ROOT=$$(pwd | sed 's#/bazel-out/.*##')
+        echo $${EXEC_ROOT}/$${OPENSSL_DIR%/lib64} > $@
+    """,
+)
+
 cmake(
-    name = "bssl-compat",
+    name = "bssl-compat-cmake",
     lib_source = ":srcs",
     out_shared_libs = [],
     out_static_libs = ["libbssl-compat.a"],
-    visibility = ["//visibility:public"],
+    includes = ["include"],
     generate_crosstool_file = False,
 
-    build_args = [ "-j" ]
+    cache_entries = {"CMAKE_BUILD_TYPE": "Bazel"},
+    generate_args = ["-GNinja"],
+
+    build_args = [ "-j" ],
+    data = ["@openssl//:openssl", ":openssl_root_dir"],
+    env = {
+        "OPENSSL_ROOT_FILE": "$(location :openssl_root_dir)",
+    },
+)
+
+filegroup(
+    name = "bssl_includes",
+    srcs = glob([":bssl-compat-cmake/include/**/*.h"]),
+    visibility = ["//visibility:private"],
+)
+
+cc_library(
+    name = "bssl-compat",
+    #srcs = [":bssl-compat-cmake/lib/libbssl-compat.a"],
+    #srcs = [":bssl-compat-cmake"],
+    linkstatic = True,
+    includes = [":bssl-compat-cmake/include"],
+    hdrs = [":bssl_includes"],
+    deps = [":bssl-compat-cmake"],
+    data = ["@openssl//:libs"],
 )
 
 alias(

bssl-compat/CMakeLists.txt

@@ -7,9 +7,6 @@ if(POLICY CMP0135)
   cmake_policy(SET CMP0135 NEW)
 endif()
 
-set(OPENSSL_URL      https://github.com/openssl/openssl/archive/refs/tags/openssl-3.0.13.tar.gz)
-set(OPENSSL_URL_HASH e74504ed7035295ec7062b1da16c15b57ff2a03cd2064a28d8c39458cacc45fc)
-
 set(CMAKE_C_STANDARD 11)
 set(CMAKE_CXX_STANDARD 17)
 

bssl-compat/cmake/openssl.cmake

@@ -1,23 +1,23 @@
+if(DEFINED ENV{OPENSSL_ROOT_FILE})
+    set(_openssl_root_file "$ENV{EXT_BUILD_ROOT}/$ENV{OPENSSL_ROOT_FILE}")
+    message(STATUS "Reading OPENSSL_ROOT_DIR from file ${_openssl_root_file}")
+    file(READ "${_openssl_root_file}" _openssl_root_raw)
+    string(STRIP "${_openssl_root_raw}" OPENSSL_ROOT_DIR)
+    set(OPENSSL_INCLUDE_DIR "${OPENSSL_ROOT_DIR}/include")
+    set(OPENSSL_SSL_LIBRARY "${OPENSSL_ROOT_DIR}/lib64/libssl.so.3")
+    set(OPENSSL_CRYPTO_LIBRARY "${OPENSSL_ROOT_DIR}/lib64/libcrypto.so.3")
+    message(STATUS "Using OpenSSL from ${OPENSSL_ROOT_DIR}")
+endif()
+
 find_package(OpenSSL 3.0 COMPONENTS Crypto SSL)
 
+message(STATUS "OpenSSL include dir: ${OPENSSL_INCLUDE_DIR}")
+message(STATUS "OpenSSL libraries: ${OPENSSL_LIBRARIES}")
+
 if(OpenSSL_FOUND)
     add_custom_target(OpenSSL)
     get_filename_component(OPENSSL_LIBRARY_DIR ${OPENSSL_CRYPTO_LIBRARY} DIRECTORY)
     message(STATUS "Found OpenSSL ${OPENSSL_VERSION} (${OPENSSL_LIBRARY_DIR})")
 else()
-    message(STATUS "Building OpenSSL (${OPENSSL_URL})")
-    include(ExternalProject)
-    set(OPENSSL_SOURCE_DIR ${CMAKE_CURRENT_BINARY_DIR}/openssl/source)
-    set(OPENSSL_CONFIG_CMD ${OPENSSL_SOURCE_DIR}/config)
-    set(OPENSSL_INSTALL_DIR ${CMAKE_CURRENT_BINARY_DIR}/openssl/install)
-    set(OPENSSL_INCLUDE_DIR ${OPENSSL_INSTALL_DIR}/include)
-    set(OPENSSL_LIBRARY_DIR ${OPENSSL_INSTALL_DIR}/lib)
-    ExternalProject_Add(OpenSSL
-        URL ${OPENSSL_URL}
-        URL_HASH SHA256=${OPENSSL_URL_HASH}
-        SOURCE_DIR ${OPENSSL_SOURCE_DIR}
-        CONFIGURE_COMMAND ${OPENSSL_CONFIG_CMD} --prefix=${OPENSSL_INSTALL_DIR} --libdir=lib
-        TEST_COMMAND ""
-        INSTALL_COMMAND make install_sw
-    )
+    message(FATAL_ERROR "OpenSSL 3.0 not found. Aborting.")
 endif()