Skip to content

DNM - OpenSSL in main #422

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
jwendell wants to merge 7 commits into from
Closed

DNM - OpenSSL in main #422

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
7 commits
Select commit Hold shift + click to select a range
7eabf54
Add bssl-compat: BoringSSL compatibility layer for OpenSSL
jwendell Oct 22, 2025
7188fc0
Configure Bazel build system for OpenSSL and multi-architecture support
jwendell Oct 22, 2025
527429d
Adapt Envoy source code for OpenSSL compatibility
jwendell Oct 22, 2025
dda667a
Add CI/CD automation and update documentation for envoy-openssl
jwendell Oct 22, 2025
91188f9
Add missing OpenSSL functions
jwendell Oct 30, 2025
75278ca
Ability to build both SSL variants
jwendell Oct 23, 2025
dbe14bc
Convert bssl-compat build from CMake to Bazel
tedjpoole Nov 6, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
The table of contents is too big for display.
Diff view
Diff view
  •  
  •  
  •  
4 changes: 4 additions & 0 deletions .bazelrc
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -485,3 +485,7 @@ try-import %workspace%/repo.bazelrc
try-import %workspace%/clang.bazelrc
try-import %workspace%/user.bazelrc
try-import %workspace%/local_tsan.bazelrc

# OpenSSL-specific configuration (use with --config=openssl)
# To use the default BoringSSL backend, simply don't specify this config
try-import %workspace%/openssl/openssl.bazelrc
103 changes: 0 additions & 103 deletions .github/dependabot.yml
View file
Open in desktop

This file was deleted.

70 changes: 70 additions & 0 deletions .github/workflows/envoy-openssl-auto-merge.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,70 @@
name: Auto-merge Bot PRs

on:
workflow_run:
workflows: ["OpenSSL testing"]
types:
- completed

permissions:
pull-requests: write
contents: write

jobs:
enable-auto-merge:
if: |
github.repository == 'envoyproxy/envoy-openssl'
&& github.event.workflow_run.conclusion == 'success'
&& github.event.workflow_run.repository.full_name == github.repository
runs-on: ubuntu-latest

steps:
- name: Get PR info
id: pr
uses: actions/github-script@v7
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
script: |
const prs = context.payload.workflow_run.pull_requests;
if (prs.length === 0) {
core.notice("No pull request associated with this workflow_run (likely from a fork). Skipping workflow.");
// Explicitly set a flag so next steps can check
core.setOutput("skip", "true");
return;
}
const prNumber = prs[0].number;
const { data: pr } = await github.rest.pulls.get({
owner: context.repo.owner,
repo: context.repo.repo,
pull_number: prNumber
});
core.setOutput("pr_number", pr.number);
core.setOutput("pr_author", pr.user.login);
core.setOutput("labels", pr.labels.map(l => l.name).join(","));

- name: Print info
if: ${{ steps.pr.outputs.skip != 'true' }}
run: |
echo "PR author: ${{ steps.pr.outputs.pr_author }}"
echo "Labels: ${{ steps.pr.outputs.labels }}"
if [[ "${{ steps.pr.outputs.pr_author }}" != "update-openssl-envoy[bot]" ]]; then
echo "::notice title=Skip reason::PR author is not update-openssl-envoy[bot]"
fi
if [[ "${{ steps.pr.outputs.labels }}" != *"auto-merge"* ]]; then
echo "::notice title=Skip reason::Label 'auto-merge' not found"
fi

- name: Merge PR
if: ${{ steps.pr.outputs.skip != 'true' && contains(steps.pr.outputs.labels, 'auto-merge') && steps.pr.outputs.pr_author == 'update-openssl-envoy[bot]' }}
uses: actions/github-script@v7
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
script: |
const prNumber = parseInt('${{ steps.pr.outputs.pr_number }}');
await github.rest.pulls.merge({
owner: context.repo.owner,
repo: context.repo.repo,
pull_number: prNumber,
merge_method: 'merge'
});
core.notice(`✅ PR #${prNumber} merged automatically.`);
58 changes: 58 additions & 0 deletions .github/workflows/envoy-openssl.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,58 @@
name: OpenSSL testing

permissions:
contents: read

on:
pull_request:

concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
cancel-in-progress: ${{ github.event_name == 'pull_request' }}


jobs:
openssl:
runs-on: ubuntu-24.04
timeout-minutes: 180
permissions:
contents: read
packages: read
if: >-
${{ github.repository == 'envoyproxy/envoy-openssl' }}
steps:
- name: Free disk space
uses: envoyproxy/toolshed/gh-actions/[email protected]
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- run: |
./ci/run_envoy_docker.sh './ci/do_ci.sh gcc @bssl-compat//test/... //test/...'
env:
BAZEL_BUILD_EXTRA_OPTIONS: >-
--config=remote-envoy-engflow
--config=bes-envoy-engflow
--config=remote-ci
--config=openssl
ENVOY_RBE: 1
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

boringssl:
runs-on: ubuntu-24.04
timeout-minutes: 180
permissions:
contents: read
packages: read
if: >-
${{ github.repository == 'envoyproxy/envoy-openssl' }}
steps:
- name: Free disk space
uses: envoyproxy/toolshed/gh-actions/[email protected]
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- run: |
./ci/run_envoy_docker.sh './ci/do_ci.sh dev //test/...'
env:
BAZEL_BUILD_EXTRA_OPTIONS: >-
--config=remote-envoy-engflow
--config=bes-envoy-engflow
--config=remote-ci
ENVOY_RBE: 1
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
54 changes: 54 additions & 0 deletions .github/workflows/envoy-sync-scheduled.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,54 @@
name: Sync from Upstream (Scheduled)

permissions:
contents: read

on:
schedule:
- cron: "0 */6 * * *"
workflow_dispatch:

concurrency:
group: ${{ github.workflow }}

jobs:
sync:
if: github.repository == 'envoyproxy/envoy-openssl'
runs-on: ubuntu-24.04
strategy:
fail-fast: false
matrix:
branch_name:
- release/v1.32
- release/v1.34
- release/v1.35
steps:
- id: appauth
uses: envoyproxy/toolshed/gh-actions/[email protected]
with:
key: ${{ secrets.ENVOY_CI_UPDATE_BOT_KEY }}
app_id: ${{ secrets.ENVOY_CI_UPDATE_APP_ID }}

# Checkout the branch we're merging into
- name: "Checkout ${{ github.repository }}[${{ matrix.branch_name }}]"
uses: actions/checkout@v4
with:
token: ${{ steps.appauth.outputs.token }}
ref: ${{ matrix.branch_name }}
fetch-depth: 0

# Configure the git user info on the repository
- run: git config user.name "${{ github.actor }}"
- run: git config user.email "${{ github.actor_id }}+${{ github.actor }}@users.noreply.github.com"

# Checkout & run the script from the default branch
- name: 'Checkout ci/envoy-sync-receive.sh'
uses: actions/checkout@v4
with:
ref: ${{ github.event.repository.default_branch }}
sparse-checkout: 'ci/envoy-sync-receive.sh'
sparse-checkout-cone-mode: false
path: '.script'
- run: .script/ci/envoy-sync-receive.sh ${{ matrix.branch_name }}
env:
GH_TOKEN: ${{ steps.appauth.outputs.token }}
Empty file added .gitmodules
View file
Open in desktop
Empty file.
4 changes: 4 additions & 0 deletions CODEOWNERS
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -450,3 +450,7 @@ extensions/upstreams/tcp @ggreenway @mattklein123
/contrib/tap_sinks/ @coolg92003 @yiyibaoguo
/contrib/peak_ewma/filters/http/ @rroblak @UNOWNED
/contrib/peak_ewma/load_balancing_policies/ @rroblak @UNOWNED

# OpenSSL FIXME: Maybe create another group "owners"?
/bssl-compat/ @envoyproxy/envoy-openssl-sync
/openssl/ @envoyproxy/envoy-openssl-sync
Loading