bazel: support select() for cache_entries in envoy_cmake#42461
Merged
phlax merged 2 commits intoenvoyproxy:mainfrom Dec 12, 2025
Merged
bazel: support select() for cache_entries in envoy_cmake#42461phlax merged 2 commits intoenvoyproxy:mainfrom
phlax merged 2 commits intoenvoyproxy:mainfrom
Conversation
Contributor
Author
|
@phlax is it something you may review? |
phlax
reviewed
Dec 8, 2025
| # FIPS builds (both not_ppc and ppc) use libcrypto.a/libssl.a | ||
| ( | ||
| "//bazel:boringssl_fips_not_ppc", | ||
| "//bazel:boringssl_fips_ppc", |
Member
There was a problem hiding this comment.
do we need a with_or here? porobably it would be cleaner to just have //bazel:boringssl_fips that was arch agnostic
Member
There was a problem hiding this comment.
could you address this please - there is no need for the with_or just use the constraint i posted above
Contributor
Author
There was a problem hiding this comment.
right, thanks for the reminder
now fixed
Allow envoy_cmake to accept cache_entries as either a dict or a select()
statement. This enables conditional CMake cache entries based on build
configuration, which is required for FIPS builds where different library
paths must be used for FIPS vs non-FIPS builds.
When cache_entries is a dict (the common case), the function continues
to merge default_cache_entries and wrap the result in a select() for
debug builds. When cache_entries is already a select(), it is passed
through directly to avoid nested select() statements, which Bazel does
not support.
without this patch the build fails with:
```
-- Found OpenSSL: /build/.cache/bazel/_bazel_envoybuild/5510e63bd001cefa746eb005f1949cb5/sandbox/processwrapper-sandbox/6607/execroot/envoy/bazel-out/k8-opt/bin/contrib/cryptomb/private_key_providers/source/ipp-crypto.ext_build_deps/lib/libcrypto_internal.a (found version "")
-- Configuring done (6.3s)
CMake Error at src/CMakeLists.txt:235 (target_link_libraries):
Target "crypto_mb_s" links to:
OpenSSL::Crypto
but the target was not found. Possible reasons include:
* There is a typo in the target name.
* A find_package call is missing for an IMPORTED target.
* An ALIAS target is missing.
CMake Error at src/CMakeLists.txt:273 (target_link_libraries):
Target "crypto_mb" links to:
OpenSSL::Crypto
but the target was not found. Possible reasons include:
* There is a typo in the target name.
* A find_package call is missing for an IMPORTED target.
* An ALIAS target is missing.
-- Generating done (0.4s)
```
Signed-off-by: William Dauchy <william.dauchy@datadoghq.com>
phlax
reviewed
Dec 12, 2025
Signed-off-by: William Dauchy <william.dauchy@datadoghq.com>
Contributor
Author
I agree it is a bit weird. we can work together to address other issues |
Member
|
/retest transients |
1 similar comment
Contributor
Author
|
/retest transients |
MayorFaj
pushed a commit
to MayorFaj/envoy
that referenced
this pull request
Dec 15, 2025
…42461) Allow envoy_cmake to accept cache_entries as either a dict or a select() statement. This enables conditional CMake cache entries based on build configuration, which is required for FIPS builds where different library paths must be used for FIPS vs non-FIPS builds. When cache_entries is a dict (the common case), the function continues to merge default_cache_entries and wrap the result in a select() for debug builds. When cache_entries is already a select(), it is passed through directly to avoid nested select() statements, which Bazel does not support. This change enables targets like ipp-crypto to use selects.with_or() to conditionally set OPENSSL_CRYPTO_LIBRARY based on whether the build is FIPS-compliant (using libcrypto.a) or non-FIPS (using libcrypto_internal.a). without this patch the build fails with: ``` -- Found OpenSSL: /build/.cache/bazel/_bazel_envoybuild/5510e63bd001cefa746eb005f1949cb5/sandbox/processwrapper-sandbox/6607/execroot/envoy/bazel-out/k8-opt/bin/contrib/cryptomb/private_key_providers/source/ipp-crypto.ext_build_deps/lib/libcrypto_internal.a (found version "") -- Configuring done (6.3s) CMake Error at src/CMakeLists.txt:235 (target_link_libraries): Target "crypto_mb_s" links to: OpenSSL::Crypto but the target was not found. Possible reasons include: * There is a typo in the target name. * A find_package call is missing for an IMPORTED target. * An ALIAS target is missing. CMake Error at src/CMakeLists.txt:273 (target_link_libraries): Target "crypto_mb" links to: OpenSSL::Crypto but the target was not found. Possible reasons include: * There is a typo in the target name. * A find_package call is missing for an IMPORTED target. * An ALIAS target is missing. -- Generating done (0.4s) ``` Signed-off-by: William Dauchy <william.dauchy@datadoghq.com> Signed-off-by: MayorFaj <mayorfaj@gmail.com>
grnmeira
pushed a commit
to grnmeira/envoy
that referenced
this pull request
Mar 20, 2026
…42461) Allow envoy_cmake to accept cache_entries as either a dict or a select() statement. This enables conditional CMake cache entries based on build configuration, which is required for FIPS builds where different library paths must be used for FIPS vs non-FIPS builds. When cache_entries is a dict (the common case), the function continues to merge default_cache_entries and wrap the result in a select() for debug builds. When cache_entries is already a select(), it is passed through directly to avoid nested select() statements, which Bazel does not support. This change enables targets like ipp-crypto to use selects.with_or() to conditionally set OPENSSL_CRYPTO_LIBRARY based on whether the build is FIPS-compliant (using libcrypto.a) or non-FIPS (using libcrypto_internal.a). without this patch the build fails with: ``` -- Found OpenSSL: /build/.cache/bazel/_bazel_envoybuild/5510e63bd001cefa746eb005f1949cb5/sandbox/processwrapper-sandbox/6607/execroot/envoy/bazel-out/k8-opt/bin/contrib/cryptomb/private_key_providers/source/ipp-crypto.ext_build_deps/lib/libcrypto_internal.a (found version "") -- Configuring done (6.3s) CMake Error at src/CMakeLists.txt:235 (target_link_libraries): Target "crypto_mb_s" links to: OpenSSL::Crypto but the target was not found. Possible reasons include: * There is a typo in the target name. * A find_package call is missing for an IMPORTED target. * An ALIAS target is missing. CMake Error at src/CMakeLists.txt:273 (target_link_libraries): Target "crypto_mb" links to: OpenSSL::Crypto but the target was not found. Possible reasons include: * There is a typo in the target name. * A find_package call is missing for an IMPORTED target. * An ALIAS target is missing. -- Generating done (0.4s) ``` Signed-off-by: William Dauchy <william.dauchy@datadoghq.com> Signed-off-by: Gustavo <grnmeira@gmail.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Commit Message:
Allow envoy_cmake to accept cache_entries as either a dict or a select() statement. This enables conditional CMake cache entries based on build configuration, which is required for FIPS builds where different library paths must be used for FIPS vs non-FIPS builds.
When cache_entries is a dict (the common case), the function continues to merge default_cache_entries and wrap the result in a select() for debug builds. When cache_entries is already a select(), it is passed through directly to avoid nested select() statements, which Bazel does not support.
This change enables targets like ipp-crypto to use selects.with_or() to
conditionally set OPENSSL_CRYPTO_LIBRARY based on whether the build is
FIPS-compliant (using libcrypto.a) or non-FIPS (using libcrypto_internal.a).
Additional Description:
without this patch the build fails with:
Risk Level:
Testing:
Docs Changes:
Release Notes:
Platform Specific Features:
[Optional Runtime guard:]
[Optional Fixes #Issue]
[Optional Fixes commit #PR or SHA]
[Optional Deprecated:]
[Optional API Considerations:]