
bazel: support select() for cache_entries in envoy_cmake

Open wdauchy opened this issue 1 month ago • 2 comments

Commit Message: Allow envoy_cmake to accept cache_entries as either a dict or a select() statement. This enables conditional CMake cache entries based on build configuration, which is required for FIPS builds where different library paths must be used for FIPS vs non-FIPS builds.

When cache_entries is a dict (the common case), the function continues to merge default_cache_entries and wrap the result in a select() for debug builds. When cache_entries is already a select(), it is passed through directly to avoid nested select() statements, which Bazel does not support.

This change enables targets like ipp-crypto to use selects.with_or() to conditionally set OPENSSL_CRYPTO_LIBRARY based on whether the build is FIPS-compliant (using libcrypto.a) or non-FIPS (using libcrypto_internal.a).

Additional Description:

Without this patch the build fails with:

-- Found OpenSSL: /build/.cache/bazel/_bazel_envoybuild/5510e63bd001cefa746eb005f1949cb5/sandbox/processwrapper-sandbox/6607/execroot/envoy/bazel-out/k8-opt/bin/contrib/cryptomb/private_key_providers/source/ipp-crypto.ext_build_deps/lib/libcrypto_internal.a (found version "")
-- Configuring done (6.3s)
CMake Error at src/CMakeLists.txt:235 (target_link_libraries):
  Target "crypto_mb_s" links to:
    OpenSSL::Crypto
  but the target was not found.  Possible reasons include:
    * There is a typo in the target name.
    * A find_package call is missing for an IMPORTED target.
    * An ALIAS target is missing.
CMake Error at src/CMakeLists.txt:273 (target_link_libraries):
  Target "crypto_mb" links to:
    OpenSSL::Crypto
  but the target was not found.  Possible reasons include:
    * There is a typo in the target name.
    * A find_package call is missing for an IMPORTED target.
    * An ALIAS target is missing.
-- Generating done (0.4s)


wdauchy avatar Dec 08 '25 11:12 wdauchy
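A sketch of the dict-versus-select() dispatch the commit message describes, as an added example that is not Envoy's `envoy_cmake` code. The macro name, the `//example:*` config_setting labels, the default entries and the `<deps>` path placeholder are all hypothetical; `selects.with_or` (bazel_skylib) and the `cmake` rule's `cache_entries` attribute (rules_foreign_cc) are real.

```starlark
# --- example.bzl (hypothetical macro, not envoy_cmake itself) ---
load("@rules_foreign_cc//foreign_cc:defs.bzl", "cmake")

# Hypothetical stand-in for the defaults the real macro merges in.
DEFAULT_CACHE_ENTRIES = {
    "CMAKE_BUILD_TYPE": "Release",
}

def cmake_with_cache_entries(name, cache_entries = {}, **kwargs):
    if type(cache_entries) == "select":
        # Already configurable: pass through unchanged. Wrapping it in a
        # second select() would nest selects, which Bazel rejects.
        # Consequence: no defaults and no debug override are merged here,
        # so every branch of the caller's select must be complete.
        resolved = cache_entries
    else:
        # Plain dict (the common case): merge defaults, then wrap in a
        # select() so debug builds get their own entries.
        merged = dict(DEFAULT_CACHE_ENTRIES)
        merged.update(cache_entries)
        debug = dict(merged)
        debug["CMAKE_BUILD_TYPE"] = "Debug"
        resolved = select({
            "//example:dbg_build": debug,  # hypothetical config_setting
            "//conditions:default": merged,
        })
    cmake(name = name, cache_entries = resolved, **kwargs)

# --- BUILD (usage; labels and paths are placeholders) ---
# load("@bazel_skylib//lib:selects.bzl", "selects")
# load(":example.bzl", "cmake_with_cache_entries")
#
# cmake_with_cache_entries(
#     name = "ipp-crypto",
#     cache_entries = selects.with_or({
#         # Any of these (hypothetical) FIPS settings selects libcrypto.a.
#         ("//example:fips_a", "//example:fips_b"): {
#             "OPENSSL_CRYPTO_LIBRARY": "<deps>/lib/libcrypto.a",
#         },
#         "//conditions:default": {
#             "OPENSSL_CRYPTO_LIBRARY": "<deps>/lib/libcrypto_internal.a",
#         },
#     }),
#     lib_source = "<source filegroup label>",
# )
```

Running `bazel cquery` on the target under each configuration shows which `OPENSSL_CRYPTO_LIBRARY` value was actually selected, which is the check to make before treating a build as FIPS.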

As a reminder, PRs marked as draft will not be automatically assigned reviewers, or be handled by maintainer-oncall triage.

Please mark your PR as ready when you want it to be reviewed!

:cat:

Caused by: https://github.com/envoyproxy/envoy/pull/42461 was opened by wdauchy.


@phlax is it something you may review?

wdauchy avatar Dec 08 '25 11:12 wdauchy

I'm still wondering whether the name inconsistency this addresses might be an issue elsewhere - but defo out of scope for this PR

I agree it is a bit weird. We can work together to address other issues.

wdauchy avatar Dec 12 '25 10:12 wdauchy

/retest transients

phlax avatar Dec 12 '25 10:12 phlax

/retest transients

wdauchy avatar Dec 12 '25 11:12 wdauchy