From a235e0a0138c1dd4561559c121b80021bdd53981 Mon Sep 17 00:00:00 2001 From: Ioannis Kavvadias Date: Mon, 9 Dec 2024 18:07:18 +0000 Subject: [PATCH] bazel: update target for openssl executable Previous solutions was a workaround and would potentially use system's openssl libraries and config data. Replacing it with foreign_cc:runnable_binary which is properly aware of the executable dependencies. --- bazel/cert.bzl | 23 ++++++++++++++++++++--- bazel/thirdparty/openssl.BUILD | 25 +++++++++++++------------ 2 files changed, 33 insertions(+), 15 deletions(-) diff --git a/bazel/cert.bzl b/bazel/cert.bzl index 367348c8031d..062172f5d1f5 100644 --- a/bazel/cert.bzl +++ b/bazel/cert.bzl @@ -4,13 +4,19 @@ This module contains functions to generate a simple CA load("@bazel_skylib//rules:run_binary.bzl", "run_binary") +openssl_env = { + "OPENSSL_CONF": "$(execpath @openssl//:openssl_data)/openssl.cnf", +} + # buildifier: disable=function-docstring-args def _redpanda_private_key(name, certificate): private_key = certificate + ".key" run_binary( name = name + "_key_gen", - srcs = [], + srcs = [ + "@openssl//:openssl_data", + ], outs = [private_key], args = [ "ecparam", @@ -21,6 +27,7 @@ def _redpanda_private_key(name, certificate): "-out", "$(execpath :{})".format(private_key), ], + env = openssl_env, tool = "@openssl//:openssl_exe", ) @@ -44,7 +51,10 @@ def redpanda_selfsigned_cert(name, certificate, common_name, visibility = None): run_binary( name = name + "_crt_gen", - srcs = [private_key], + srcs = [ + private_key, + "@openssl//:openssl_data", + ], outs = [cert], args = [ "req", @@ -60,6 +70,7 @@ def redpanda_selfsigned_cert(name, certificate, common_name, visibility = None): "-addext", "subjectAltName = IP:127.0.0.1", ], + env = openssl_env, tool = "@openssl//:openssl_exe", ) 
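Review bot: `openssl_env` at the top of bazel/cert.bzl is a public, uncommented module-level name, so any BUILD file can `load()` it and nothing says why the variable is set. Consider renaming it `_OPENSSL_ENV` (the `env = openssl_env` lines in the `_key_gen`, `_crt_gen`, `_csr_gen` and certificate-signing `run_binary` hunks would change with it) and adding a comment such as `# Pin openssl to the openssl.cnf built from @openssl so the host's config is never read.` `OPENSSL_CONF` only redirects the config file; if that openssl.cnf ever activates a loadable provider or engine, `OPENSSL_MODULES`/`OPENSSL_ENGINES` would presumably need the same pinning. That depends on the configure options, which are not visible in this diff.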
@@ -90,7 +101,10 @@ def redpanda_signed_cert(name, certificate, common_name, ca, serial_number, visi run_binary( name = name + "_csr_gen", - srcs = [private_key], + srcs = [ + private_key, + "@openssl//:openssl_data", + ], outs = [csr], args = [ "req", @@ -103,6 +117,7 @@ def redpanda_signed_cert(name, certificate, common_name, ca, serial_number, visi "-subj", subj, ], + env = openssl_env, tool = "@openssl//:openssl_exe", ) @@ -115,6 +130,7 @@ def redpanda_signed_cert(name, certificate, common_name, ca, serial_number, visi ca_cert, ca_private_key, csr, + "@openssl//:openssl_data", ], outs = [cert], args = [ @@ -134,6 +150,7 @@ def redpanda_signed_cert(name, certificate, common_name, ca, serial_number, visi "-out", "$(execpath :{})".format(cert), ], + env = openssl_env, tool = "@openssl//:openssl_exe", ) diff --git a/bazel/thirdparty/openssl.BUILD b/bazel/thirdparty/openssl.BUILD index 80f8f6eebbe0..40da3ef6e841 100644 --- a/bazel/thirdparty/openssl.BUILD +++ b/bazel/thirdparty/openssl.BUILD @@ -1,7 +1,6 @@ load("@bazel_skylib//rules:common_settings.bzl", "int_flag", "string_flag") -load("@bazel_skylib//rules:copy_file.bzl", "copy_file") load("@bazel_skylib//rules:select_file.bzl", "select_file") -load("@rules_foreign_cc//foreign_cc:defs.bzl", "configure_make") +load("@rules_foreign_cc//foreign_cc:defs.bzl", "configure_make", "runnable_binary") # Make this build faster by setting `build --@openssl//:build_jobs=16` in user.bazelrc # if you have the cores to spare. @@ -60,6 +59,9 @@ configure_make( out_binaries = [ "openssl", ], + out_data_dirs = [ + "ssl", + ], out_shared_libs = [ "libssl.so.3", "libcrypto.so.3", 
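Review bot: The new `out_data_dirs = ["ssl"]` entry in bazel/thirdparty/openssl.BUILD relies on OpenSSL installing its OPENSSLDIR as `ssl` under the install prefix, and the configure options that decide this are outside the hunk. A comment on the entry would record that dependency, e.g. `# OPENSSLDIR (holds openssl.cnf); exposed as :openssl_data and used for OPENSSL_CONF in bazel/cert.bzl`. If `--openssldir` is ever passed to configure, this entry, the `subpath` of `:openssl_data` and the `/openssl.cnf` suffix in cert.bzl have to change together.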
@@ -77,18 +79,17 @@ filegroup( ) select_file( - name = "openssl_exe_file", + name = "openssl_data", srcs = ":openssl", - subpath = "bin/openssl", -) - -copy_file( - name = "openssl_exe", - src = ":openssl_exe_file", - out = "openssl.exe", - allow_symlink = True, - is_executable = True, + subpath = "ssl", visibility = [ "//visibility:public", ], ) + +runnable_binary( + name = "openssl_exe", + binary = "openssl", + foreign_cc_target = ":openssl", + visibility = ["//visibility:public"], +)
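Review bot: `subpath = "ssl"` in the new `openssl_data` select_file looks ambiguous. If skylib's select_file matches on a path suffix (my recollection, worth confirming), the `openssl` binary from `out_binaries` also ends in `ssl`, so the selected output would depend on output ordering; the removed `subpath = "bin/openssl"` had no such overlap. Something like `subpath = "/ssl",` would pin the match to the data directory. Because cert.bzl builds `OPENSSL_CONF` from this path, a wrong match would likely show up only as an openssl configuration error when certificates are generated. A one-line comment above `runnable_binary` noting that the wrapper exists so the tool runs against the libssl/libcrypto built by `:openssl` rather than the host's would also keep a later cleanup from reverting to a plain file copy.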