OSSM-5001 Vendored envoy

Signed-off-by: Ted Poole <tpoole@redhat.com>
envoyproxy · Dec 13, 2023 · de50633 · de50633
1 parent b5c6d09
commit de50633
Show file tree

Hide file tree

Showing 10,255 changed files with 1,457,641 additions and 95 deletions.
diff --git a/.bazelrc b/.bazelrc
@@ -1,3 +1,3 @@
-import %workspace%/envoy/.bazelrc
+import %workspace%/vendor/envoy/.bazelrc
+import %workspace%/vendor.bazelrc
 build --@envoy//bazel:http3=False
-try-import %workspace%/user.bazelrc
diff --git a/.bazelversion b/.bazelversion
@@ -1 +1 @@
-envoy/.bazelversion
+vendor/envoy/.bazelversion
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -19,7 +19,7 @@ jobs:
         submodules: 'true'
 
     - name: Prerequisites
-      run: sudo apt install -y libclang-13-dev kcov
+      run: sudo apt install -y libclang-14-dev kcov
 
     - name: Configure
       run: cmake -B ${{github.workspace}}/build -S ${{github.workspace}}/bssl-compat -DCMAKE_BUILD_TYPE=RelWithDebInfo

diff --git a/.gitignore b/.gitignore
@@ -2,7 +2,6 @@
 BROWSE
 /build*
 /build_*
-build
 *.bzlc
 .cache
 .classpath
@@ -35,4 +34,5 @@ cscope.*
 *~
 .cproject
 user.bazelrc
-log*
+log
+log.*
diff --git a/WORKSPACE b/WORKSPACE
@@ -12,37 +12,8 @@ http_archive(
 load("@rules_foreign_cc//foreign_cc:repositories.bzl", "rules_foreign_cc_dependencies")
 rules_foreign_cc_dependencies(register_default_tools = False, register_built_tools = False)
 
-local_repository(
-    name = "bssl-compat",
-    path = "bssl-compat",
-)
-
-# NOTE: Whenever the version of envoy is changed here, the files under the top
-# level envoy directory must also be re-copied from the new envoy version.
-load("//:bazel/http_archive_with_overwrites.bzl", "http_archive_with_overwrites")
-http_archive_with_overwrites(
-    name = "envoy",
-    url = "https://github.com/envoyproxy/envoy/archive/refs/tags/v1.26.3.zip",
-    sha256 = "8d4c99886ae0698c52fdf64b30603354010d2ca991e85fbef5082010ef6110ad",
-    strip_prefix = "envoy-1.26.3",
-    patch_args = [ "-p1" ],
-    patches = [
-        "//patch/envoy:bazel/repositories_extra.bzl.patch",
-        "//patch/envoy:bazel/repositories.bzl.patch",
-        "//patch/envoy:source/common/quic/BUILD.patch",
-        "//patch/envoy:source/extensions/extensions_build_config.bzl.patch",
-        "//patch/envoy:source/extensions/transport_sockets/tls/io_handle_bio.cc.patch",
-        "//patch/envoy:source/extensions/transport_sockets/tls/ocsp/asn1_utility.cc.patch",
-        "//patch/envoy:source/extensions/transport_sockets/tls/utility.cc.patch",
-    ],
-    overwrites = [
-        # "//patch/envoy:source/extensions/transport_sockets/tls/context_impl.cc",
-        # "//patch/envoy:source/extensions/transport_sockets/tls/context_impl.h",
-    ],
-    repo_mapping = {
-        "@boringssl": "@bssl-compat",
-    },
-)
+load("//:bazel/envoy_openssl_repositories.bzl", "envoy_openssl_repositories")
+envoy_openssl_repositories(download = True)
 
 load("@envoy//bazel:api_binding.bzl", "envoy_api_binding")
 

diff --git a/bazel/envoy_openssl_repositories.bzl b/bazel/envoy_openssl_repositories.bzl
@@ -0,0 +1,80 @@
+load("@bazel_tools//tools/build_defs/repo:http.bzl", "http_archive")
+load("@bazel_tools//tools/build_defs/repo:utils.bzl", "patch", "workspace_and_buildfile")
+
+# Do not edit these values directly. To update the version
+# of envoy to be used, please run the update-envoy.sh script.
+ENVOY_ORG = "envoyproxy"
+ENVOY_REPO = "envoy"
+ENVOY_BRANCH = "v1.26.6"
+ENVOY_COMMIT = "c2919e90b0e63ad78602122d6c2c3e2c0df1e0fc"
+ENVOY_SHA256 = "358df10deb5de6f6a02fae4994d9269672ae8eb6d9cd66bdba349bef7843d14a"
+
+
+def _bssl_compat_repository_impl(ctx):
+    ctx.symlink(ctx.path(Label("//:bssl-compat/WORKSPACE")).dirname, "")
+
+_bssl_compat_repository = repository_rule(
+    implementation = _bssl_compat_repository_impl,
+    local = True,
+)
+
+
+def _vendored_envoy_impl(ctx):
+    ctx.symlink(ctx.path(Label("//:vendor/envoy/BUILD")).dirname, "")
+
+_vendored_envoy = repository_rule(
+    implementation = _vendored_envoy_impl,
+    local = True,
+)
+
+
+def _downloaded_envoy_impl(ctx):
+    ctx.download_and_extract(
+        url = "https://github.com/" + ENVOY_ORG + "/" + ENVOY_REPO + "/archive/" + ENVOY_COMMIT + ".tar.gz",
+        sha256 = ENVOY_SHA256,
+        stripPrefix = ENVOY_REPO + "-" + ENVOY_COMMIT,
+    )
+    patch(ctx)
+    for f in ctx.attr.overwrites:
+        ctx.file(Label(f).name, content = ctx.read(f),)
+
+_downloaded_envoy = repository_rule(
+    implementation = _downloaded_envoy_impl,
+    attrs = {
+        "patches": attr.label_list(),
+        "patch_args": attr.string_list(default = ["-p1"]),
+        "overwrites": attr.label_list(),
+    },
+)
+
+
+# Sets up the @bssl-compat and @envoy repositories, ensuring that
+# the @envoy repository uses @bssl-compat instead of @boringssl
+def envoy_openssl_repositories(download = False):
+    _bssl_compat_repository(
+        name = "bssl-compat",
+    )
+
+    if download:
+        _downloaded_envoy(
+            name = "envoy",
+            patches = [
+                "//patch/envoy:bazel/repositories_extra.bzl.patch",
+                "//patch/envoy:bazel/repositories.bzl.patch",
+                "//patch/envoy:source/common/quic/BUILD.patch",
+                "//patch/envoy:source/extensions/extensions_build_config.bzl.patch",
+                "//patch/envoy:source/extensions/transport_sockets/tls/io_handle_bio.cc.patch",
+                "//patch/envoy:source/extensions/transport_sockets/tls/ocsp/asn1_utility.cc.patch",
+                "//patch/envoy:source/extensions/transport_sockets/tls/utility.cc.patch",
+            ],
+            overwrites = [
+                # "//patch/envoy:source/extensions/transport_sockets/tls/context_impl.cc",
+                # "//patch/envoy:source/extensions/transport_sockets/tls/context_impl.h",
+            ],
+            repo_mapping = { "@boringssl": "@bssl-compat" }
+        )
+    else:
+        _vendored_envoy(
+            name = "envoy",
+            repo_mapping = { "@boringssl": "@bssl-compat" }
+        )
diff --git a/bazel/get_workspace_status b/bazel/get_workspace_status
@@ -1 +1 @@
-../envoy/bazel/get_workspace_status
+../vendor/envoy/bazel/get_workspace_status
diff --git a/bazel/http_archive_with_overwrites.bzl b/bazel/http_archive_with_overwrites.bzl
diff --git a/bazel/platform_mappings b/bazel/platform_mappings
@@ -1 +1 @@
-../envoy/bazel/platform_mappings
+../vendor/envoy/bazel/platform_mappings
diff --git a/bssl-compat/BUILD b/bssl-compat/BUILD
@@ -15,7 +15,8 @@ cmake(
     visibility = ["//visibility:public"],
     generate_crosstool_file = False,
     tags = ["requires-network"],
-    env = { "GOCACHE" : "/tmp" }
+    env = { "GOCACHE" : "/tmp" },
+    build_args = [ "-j" ]
 )
 
 alias(

diff --git a/envoy/.bazelversion b/envoy/.bazelversion
diff --git a/envoy/README.md b/envoy/README.md
diff --git a/patch/envoy/source/common/quic/BUILD.patch b/patch/envoy/source/common/quic/BUILD.patch
@@ -1,14 +1,14 @@
 --- a/source/common/quic/BUILD
 +++ b/source/common/quic/BUILD
-@@ -3,6 +3,7 @@ load(
+@@ -7,6 +7,7 @@
      "envoy_cc_library",
      "envoy_package",
      "envoy_select_enable_http_datagrams",
 +    "envoy_select_enable_http3",
  )
- load(
-     "@envoy_build_config//:extensions_build_config.bzl",
-@@ -73,11 +74,12 @@ envoy_cc_library(
+
+ licenses(["notice"])  # Apache 2
+@@ -73,11 +74,12 @@
      hdrs = ["quic_stat_names.h"],
      tags = ["nofips"],
      deps = [
@@ -19,7 +19,7 @@
          "@com_github_google_quiche//:quic_core_error_codes_lib",
          "@com_github_google_quiche//:quic_core_types_lib",
 -    ],
-+    ])
++    ]),
  )
 
- envoy_cc_library(
+ envoy_cc_library(
diff --git a/run-build-container.sh b/run-build-container.sh
@@ -7,7 +7,7 @@ ENVOY_OPENSSL_DIR="$(cd "$(dirname "$0")" && pwd)"
 TMP_DIR="$(mktemp -d)"
 trap 'rm -rf -- "$TMP_DIR"' EXIT
 
-DOCKER_IMAGE=$(sed -n 's/^build:docker-sandbox --experimental_docker_image=//p' "${ENVOY_OPENSSL_DIR}/envoy/.bazelrc")
+DOCKER_IMAGE=$(sed -n 's/^build:docker-sandbox --experimental_docker_image=//p' "${ENVOY_OPENSSL_DIR}/vendor/envoy/.bazelrc")
 if [[ -z "${DOCKER_IMAGE}" ]]; then
 	echo "Failed to determine builder docker image"
 	exit 1
@@ -20,7 +20,7 @@ cat << 'EOF' > "${TMP_DIR}/entrypoint.sh"
     sudo chown -R "$(id -u):$(id -g)" $HOME
     export BAZELRC_FILE=$HOME/.bazelrc
 
-    /source/envoy/bazel/setup_clang.sh /opt/llvm # Writes to $BAZELRC_FILE
+    /source/vendor/envoy/bazel/setup_clang.sh /opt/llvm # Writes to $BAZELRC_FILE
 
     # See https://github.com/envoyproxy/envoy/blob/main/bazel/README.md#config-flag-choices
     echo "build --config=clang" >> $BAZELRC_FILE
@@ -55,6 +55,9 @@ cat << EOF > "${TMP_DIR}/Dockerfile"
     RUN tar -C /usr/local -xzf /tmp/go1.19.11.linux-amd64.tar.gz && rm /tmp/go1.19.11.linux-amd64.tar.gz
     ENV PATH=/usr/local/go/bin:\$PATH
 
+    ADD entrypoint.sh /entrypoint.sh
+    RUN chmod 755 /entrypoint.sh
+
     ENV HOME=/build
     RUN groupadd --gid $(id -g) $(id -u -n)
     RUN useradd -s /bin/bash --uid $(id -u) --gid $(id -g) -m $(id -u -n) -G pcap -d ${HOME}
@@ -67,11 +70,10 @@ cat << EOF > "${TMP_DIR}/Dockerfile"
     VOLUME /build
     VOLUME /source
 
-    ADD --chmod=755 entrypoint.sh /entrypoint.sh
     ENTRYPOINT /entrypoint.sh
 EOF
 
-DOCKER_BUILDKIT=1 docker build --pull --iidfile "${TMP_DIR}/iid" "${TMP_DIR}"
+docker build --pull --iidfile "${TMP_DIR}/iid" "${TMP_DIR}"
 
 mkdir -p "${ENVOY_OPENSSL_DIR}/build-volume"
 

diff --git a/update-envoy.sh b/update-envoy.sh
@@ -0,0 +1,86 @@
+#!/bin/bash
+
+set -euo pipefail
+set -x
+
+SCRATCHDIR="$(mktemp -d)"
+trap 'rm -rf -- "${SCRATCHDIR}" &> /dev/null' EXIT
+
+ENVOY_ORG="${ENVOY_ORG:-envoyproxy}"
+ENVOY_REPO="${ENVOY_REPO:-envoy}"
+ENVOY_BRANCH="${ENVOY_BRANCH:-}"
+
+WORKSPACE="$(cd "$(dirname "$0")" & pwd)"
+VENDOR_DIR="${WORKSPACE}/vendor"
+VENDOR_BAZELRC="${WORKSPACE}/vendor.bazelrc"
+OUTPUT_BASE="${SCRATCHDIR}/output"
+
+# If ${ENVOY_BRANCH} is blank then work out what branch
+# of the envoy-openssl repository we are on, and use that.
+if [[ -z "${ENVOY_BRANCH}" ]]; then
+  ENVOY_BRANCH="$(cd "${WORKSPACE}" && git symbolic-ref --quiet --short HEAD)"
+fi
+
+# If ${ENVOY_BRANCH} has been specified by the caller, or worked out by us,
+# then update the constants in bazel/envoy_openssl_repositories.bzl
+if [[ "${ENVOY_BRANCH}" != "skip" ]]; then
+  # Download the envoy branch
+  cd "${SCRATCHDIR}"
+  echo "Fetching ${ENVOY_ORG}/${ENVOY_REPO}[${ENVOY_BRANCH}]"
+  git clone --depth=1 -b "${ENVOY_BRANCH}" "https://github.com/${ENVOY_ORG}/${ENVOY_REPO}.git"
+
+  # Get the commit id
+  cd "${ENVOY_REPO}"
+  ENVOY_COMMIT=$(git rev-parse HEAD)
+
+  # Get the SHA256
+  cd "${SCRATCHDIR}"
+  curl -sfLO "https://github.com/${ENVOY_ORG}/${ENVOY_REPO}/archive/${ENVOY_COMMIT}.tar.gz"
+  ENVOY_SHA256=$(sha256sum "${ENVOY_COMMIT}.tar.gz" | awk '{print $1}')
+
+  # Update the envoy org, repo, commit & sha256 valuse in envoy_openssl_repositories.bzl
+  sed -i "s|^ENVOY_ORG = .*|ENVOY_ORG = \"${ENVOY_ORG}\"|" "${WORKSPACE}/bazel/envoy_openssl_repositories.bzl"
+  sed -i "s|^ENVOY_REPO = .*|ENVOY_REPO = \"${ENVOY_REPO}\"|" "${WORKSPACE}/bazel/envoy_openssl_repositories.bzl"
+  sed -i "s|^ENVOY_BRANCH = .*|ENVOY_BRANCH = \"${ENVOY_BRANCH}\"|" "${WORKSPACE}/bazel/envoy_openssl_repositories.bzl"
+  sed -i "s|^ENVOY_COMMIT = .*|ENVOY_COMMIT = \"${ENVOY_COMMIT}\"|" "${WORKSPACE}/bazel/envoy_openssl_repositories.bzl"
+  sed -i "s|^ENVOY_SHA256 = .*|ENVOY_SHA256 = \"${ENVOY_SHA256}\"|" "${WORKSPACE}/bazel/envoy_openssl_repositories.bzl"
+fi
+
+
+# Work out what bazel cache options to use
+BAZEL_CACHE_FLAGS=""
+if [[ -n ${BAZEL_REMOTE_CACHE} ]]; then
+  BAZEL_CACHE_FLAGS="--remote_cache=${BAZEL_REMOTE_CACHE}"
+  if [[ -n ${BAZEL_EXPERIMENTAL_REMOTE_DOWNLOADER} ]]; then
+    BAZEL_CACHE_FLAGS+=" --experimental_remote_downloader=${BAZEL_EXPERIMENTAL_REMOTE_DOWNLOADER}"
+  fi
+elif [[ -n ${BAZEL_DISK_CACHE} ]]; then
+  BAZEL_CACHE_FLAGS+="--disk_cache=${BAZEL_DISK_CACHE}"
+fi
+
+# Empty the vendor bazelrc file so bazel will always fetch envoy
+: > "${VENDOR_BAZELRC}"
+
+# Use build --nobuild, rather than fetch, because it honours configuration options
+cd "${WORKSPACE}"
+bazel --output_base="${OUTPUT_BASE}" build --nobuild ${BAZEL_CACHE_FLAGS} @envoy//:envoy
+
+# Copy the fetched & patched envoy directory to the ${VENDOR_DIR}
+rm -r "${VENDOR_DIR}/envoy"
+cp -rL "${OUTPUT_BASE}/external/envoy" "${VENDOR_DIR}/envoy"
+
+# Remove stuff that we don't need to vendor
+find "${VENDOR_DIR}" -name .git -type d -print0 | xargs -0 -r rm -rf
+find "${VENDOR_DIR}" -name .gitignore -type f -delete
+find "${VENDOR_DIR}" -name __pycache__ -type d -print0 | xargs -0 -r rm -rf
+find "${VENDOR_DIR}" -name '*.pyc' -delete
+
+# Reintate the vendored envoy repository mapping
+echo "build --override_repository=envoy=%workspace%/vendor/envoy" > "${VENDOR_BAZELRC}"
+
+
+echo
+echo "========================================"
+echo "Done. Inspect the result with git status"
+echo "========================================"
+echo
diff --git a/vendor.bazelrc b/vendor.bazelrc
@@ -0,0 +1 @@
+build --override_repository=envoy=%workspace%/vendor/envoy