This page explains the process building and packaging of the following service mesh components:
- istio-proxy - We can drop it for now until we want to package the full Istio! cilium-proxy used to require istio-proxy to build, but it does not anymore
envoy-proxy is a package in the devel:kubic project which contains sources and specs for:
- istio-proxy - we can drop it now
istio-proxy and cilium-proxy packages are links to the envoy-proxy package. This is done to build those three projects all together, because they depend on sources of each other.
Packaging of those projects has several problems which make it non-trivial.
Bazel is the buildsystem which is designed for building software with bundled libraries. Usually the most of C and C++ projects using Bazel are downloading all libraries from Github or any other public provides which host tarballs based on git repositories.
That approach stands in contradiction with openSUSE packaging which uses shared libraries and
*-devel packages for bulding C and C++ software.
To make Bazel more compatible with our approach, there is a project called bazel-workspaces which contains "fake" workspaces for Bazel, which tell to link libraries dynamically, instead of bundling. This is achieved by custom
BUILD files like:
cc_library( name = "gperftools", hdrs = glob(["thirdparty_build/include/gperftools/**/*.h"]), copts = , linkopts = ["-ltcmalloc", "-lprofiler"], visibility = ["//visibility:public"], linkstatic = False, )
Which tells Bazel to:
- look for headers in
/usr/include/gperftools, recursively in all possible subdirectories
There is an RPM package available for bazel-workspaces which installs those files in
Let's assume that you want to build a project using Bazel, which has a dependency on
gperftools with the name
com_github_gperftools_gperftools (that's a commonly used one). To use the shared library from
gperftools-devel package, use the
--override_repository option like:
bazel build \ --override_repository="com_github_gperftools_gperftools=/usr/share/bazel-workspaces" \ //...
Using OpenSSL instead of BoringSSL
Upstream Envoy uses BoringSSL as the library for certification features. BoringSSL is Google's fork of OpenSSL. Its README says:
Although BoringSSL is an open source project, it is not intended for general use, as OpenSSL is. We don't recommend that third parties depend upon it. Doing so is likely to be frustrating because there are no guarantees of API or ABI stability.
That's why we don't want to package BoringSSL and we are going to patch all sources to use OpenSSL instead.
We achieve that by the following projects from Maistra - OpenShift service mesh:
- bssl_wrapper – a library which translates BoringSSL calls to OpenSSL calls
- OpenSSL-cbs – a library which provides Crypto ByteString (CBS) functionality for OpenSSL – BoringSSL’s feature
- jwt-verify-lib-openssl, envoy-openssl, istio-proxy-openssl – set of patches and modules which make jwt_verify_lib, Envoy and Istio build with OpenSSL, using the two projects above
Building with OpenSSL on local environment
It's the best if all the repositories mentioned above are cloned in one directory (let's assume
git clone email@example.com:google/jwt_verify_lib.git git clone firstname.lastname@example.org:Maistra/jwt-verify-lib-openssl.git git clone email@example.com:envoyproxy/envoy.git git clone firstname.lastname@example.org:kubic-project/envoy-openssl.git git clone email@example.com:istio/proxy.git istio-proxy git clone firstname.lastname@example.org:Maistra/istio-proxy-openssl.git git clone email@example.com:cilium/proxy.git cilium-proxy
Which after cloning all repos has the tree like i.e.:
- repos/ |- jwt_verify_lib/ |- jwt-verify-lib-openssl/ |- envoy/ |- envoy-openssl/ |- istio-proxy/ |- istio-proxy-openssl/ |- cilium-proxy/ [...]
Then each *-openssl repository has a file
openssl.sh. The syntax of that script is:
./openssl.sh [path-to-repository-to-patch] SSL
So, for the each repo, you need to do
cd jwt-verify-lib-openssl ./openssl.sh ../jwt_verify_lib SSL
cd envoy-openssl ./openssl.sh ../envoy SSL
cd istio-proxy-openssl ./openssl.sh ../istio-proxy SSL
Then you can build each of repos:
cd jwt_verify_lib bazel build //...
cd envoy bazel build \ --override_repository="com_github_google_jwt_verify=$HOME/repos/jwt_verify_lib" \ --copt="-DENVOY_SSL_VERSION=\"OpenSSL_1_1_1\"" \ //source/exe:envoy-static
cd istio-proxy bazel build \ --override_repository="com_github_google_jwt_verify=$HOME/repos/jwt_verify_lib" \ --override_repository="envoy=$HOME/repos/envoy" \ --copt="-DENVOY_SSL_VERSION=\"OpenSSL_1_1_1\"" \ //...
The last one might still not build, but it's not a blocking issue for now.