Jump to: navigation, search

Service mesh

This page explains the process building and packaging of the following service mesh components:

  • envoy-proxy
  • istio-proxy - We can drop it for now until we want to package the full Istio! cilium-proxy used to require istio-proxy to build, but it does not anymore
  • cilium-proxy

Package structure

envoy-proxy is a package in the devel:kubic project which contains sources and specs for:

istio-proxy and cilium-proxy packages are links to the envoy-proxy package. This is done to build those three projects all together, because they depend on sources of each other.


Packaging of those projects has several problems which make it non-trivial.


Bazel is the buildsystem which is designed for building software with bundled libraries. Usually the most of C and C++ projects using Bazel are downloading all libraries from Github or any other public provides which host tarballs based on git repositories.

That approach stands in contradiction with openSUSE packaging which uses shared libraries and *-devel packages for bulding C and C++ software.

To make Bazel more compatible with our approach, there is a project called bazel-workspaces which contains "fake" workspaces for Bazel, which tell to link libraries dynamically, instead of bundling. This is achieved by custom BUILD files like:

    name = "gperftools",
    hdrs = glob(["thirdparty_build/include/gperftools/**/*.h"]),
    copts = [],
    linkopts = ["-ltcmalloc", "-lprofiler"],
    visibility = ["//visibility:public"],
    linkstatic = False,

Which tells Bazel to:

  • look for headers in /usr/include/gperftools, recursively in all possible subdirectories
  • link and

There is an RPM package available for bazel-workspaces which installs those files in /usr/share/bazel-workspaces.

Let's assume that you want to build a project using Bazel, which has a dependency on gperftools with the name com_github_gperftools_gperftools (that's a commonly used one). To use the shared library from gperftools-devel package, use the --override_repository option like:

bazel build \
    --override_repository="com_github_gperftools_gperftools=/usr/share/bazel-workspaces" \

Using OpenSSL instead of BoringSSL

Upstream Envoy uses BoringSSL as the library for certification features. BoringSSL is Google's fork of OpenSSL. Its README says:

Although BoringSSL is an open source project, it is not intended for general use, as OpenSSL is. We don't recommend that third parties depend upon it. Doing so is likely to be frustrating because there are no guarantees of API or ABI stability.

That's why we don't want to package BoringSSL and we are going to patch all sources to use OpenSSL instead.

We achieve that by the following projects from Maistra - OpenShift service mesh:

Building with OpenSSL on local environment

It's the best if all the repositories mentioned above are cloned in one directory (let's assume ~/repos):

git clone
git clone
git clone
git clone
git clone istio-proxy
git clone
git clone cilium-proxy

Which after cloning all repos has the tree like i.e.:

- repos/
|- jwt_verify_lib/
|- jwt-verify-lib-openssl/
|- envoy/
|- envoy-openssl/
|- istio-proxy/
|- istio-proxy-openssl/
|- cilium-proxy/

Then each *-openssl repository has a file The syntax of that script is:

./ [path-to-repository-to-patch] SSL

So, for the each repo, you need to do

cd jwt-verify-lib-openssl
./ ../jwt_verify_lib SSL

cd envoy-openssl
./ ../envoy SSL

cd istio-proxy-openssl
./ ../istio-proxy SSL

Then you can build each of repos:

cd jwt_verify_lib
bazel build //...

cd envoy
bazel build \
    --override_repository="com_github_google_jwt_verify=$HOME/repos/jwt_verify_lib" \
    --copt="-DENVOY_SSL_VERSION=\"OpenSSL_1_1_1\"" \

cd istio-proxy
bazel build \
    --override_repository="com_github_google_jwt_verify=$HOME/repos/jwt_verify_lib" \
    --override_repository="envoy=$HOME/repos/envoy" \
    --copt="-DENVOY_SSL_VERSION=\"OpenSSL_1_1_1\"" \

The last one might still not build, but it's not a blocking issue for now.

Building with OpenSSL on OBS