build: marking extensions as extension-only visible by default (envoy…
…proxy#12337)

Risk Level: medium (of build breakage)
Testing: n/a
Docs Changes: n/a
Release Notes: n/a
Part of envoyproxy#9953

Signed-off-by: Alyssa Wilk <alyssar@chromium.org>
Signed-off-by: chaoqinli <chaoqinli@google.com>
alyssawilk authored and chaoqinli committed Aug 7, 2020
1 parent 29b13ba commit e30a45e
Showing 159 changed files with 586 additions and 315 deletions.
30 changes: 30 additions & 0 deletions BUILD
@@ -1,6 +1,36 @@
load(
"@envoy_build_config//:extensions_build_config.bzl",
"ADDITIONAL_VISIBILITY",
)

licenses(["notice"]) # Apache 2

exports_files([
"VERSION",
".clang-format",
])

# These two definitions exist to help reduce Envoy upstream core code depending on extensions.
# To avoid visibility problems, one can extend ADDITIONAL_VISIBILITY in source/extensions/extensions_build_config.bzl
#
# TODO(#9953) //test/config_test:__pkg__ should probably be split up and removed.
# TODO(#9953) the config fuzz tests should be moved somewhere local and //test/config_test and //test/server removed.
package_group(
name = "extension_config",
packages = [
"//source/exe",
"//source/extensions/...",
"//test/config_test",
"//test/extensions/...",
"//test/server",
"//test/server/config_validation",
] + ADDITIONAL_VISIBILITY,
)

package_group(
name = "extension_library",
packages = [
"//source/extensions/...",
"//test/extensions/...",
] + ADDITIONAL_VISIBILITY,
)
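Review bot: The comment above the two `package_group`s does not say how `extension_config` and `extension_library` differ, and both append the same `ADDITIONAL_VISIBILITY`, so a downstream build that extends one group widens the other as well. From this commit, `extension_library` is the package default set by `envoy_extension_package()` and `extension_config` is the default for `envoy_cc_extension` targets, with `//source/exe` and the config/server test packages added. A line such as `# extension_config: who may depend on extension config targets (server binary, config tests); extension_library: extension-internal code only.` would make the intended boundary reviewable. Whether the two groups should be independently extendable is a design question this section leaves open.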
11 changes: 11 additions & 0 deletions bazel/README.md
Expand Up @@ -611,6 +611,17 @@ local_repository(
...
```

## Extra extensions

If you are building your own Envoy extensions or custom Envoy builds and encounter visibility
problems with, you may need to adjust the default visibility rules.
By default, Envoy extensions are set up to only be visible to code within the
[//source/extensions](../source/extensions/), or the Envoy server target. To adjust this,
add any additional targets you need to `ADDITIONAL_VISIBILITY` in
[extensions_build_config.bzl](../source/extensions/extensions_build_config.bzl).
See the instructions above about how to create your own custom version of
[extensions_build_config.bzl](../source/extensions/extensions_build_config.bzl).

# Release builds

Release builds should be built in `opt` mode, processed with `strip` and have a
3 changes: 3 additions & 0 deletions bazel/envoy_build_system.bzl
Expand Up @@ -36,6 +36,9 @@ load(
def envoy_package():
native.package(default_visibility = ["//visibility:public"])

def envoy_extension_package():
native.package(default_visibility = ["//:extension_library"])

# A genrule variant that can output a directory. This is useful when doing things like
# generating a fuzz corpus mechanically.
def _envoy_directory_genrule_impl(ctx):
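Review bot: `envoy_extension_package()` is added without a comment, although it changes a package's default visibility from `//visibility:public` to `//:extension_library` wherever it replaces `envoy_package()`. A comment above the def, e.g. `# Use instead of envoy_package() for extension packages: targets default to //:extension_library visibility and must opt in explicitly to anything wider.`, would tell BUILD authors why a target stopped being visible and where the allowed set is defined.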
3 changes: 2 additions & 1 deletion bazel/envoy_library.bzl
Expand Up @@ -70,12 +70,13 @@ def envoy_cc_extension(
undocumented = False,
status = "stable",
tags = [],
visibility = ["//:extension_config"],
**kwargs):
if security_posture not in EXTENSION_SECURITY_POSTURES:
fail("Unknown extension security posture: " + security_posture)
if status not in EXTENSION_STATUS_VALUES:
fail("Unknown extension status: " + status)
envoy_cc_library(name, tags = tags, **kwargs)
envoy_cc_library(name, tags = tags, visibility = visibility, **kwargs)

# Envoy C++ library targets should be specified with this function.
def envoy_cc_library(
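Review bot: A `visibility` argument passed to `envoy_cc_extension` replaces the `["//:extension_config"]` default rather than adding to it, so every override has to restate that label by hand (the access_loggers/file and access_loggers/grpc sections of this commit do) and an override of `["//visibility:public"]` is forwarded without any check. If extensions are meant to stay reachable only through the config group plus named exceptions, an additive parameter would keep the base label in one place, e.g. `extra_visibility = [],` in the signature and `visibility = visibility + extra_visibility` at the `envoy_cc_library` call. The start of the `envoy_cc_extension` signature is above this hunk, so its other parameters are not visible here.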
2 changes: 2 additions & 0 deletions docs/root/version_history/current.rst
Expand Up @@ -5,6 +5,8 @@ Incompatible Behavior Changes
-----------------------------
*Changes that are expected to cause an incompatibility if applicable; deployment changes are likely required*

* build: added visibility rules for upstream. If these cause visibility related breakage, see notes in //BUILD.

Minor Behavior Changes
----------------------
*Changes that may cause incompatibilities for some users, but should not for most*
6 changes: 4 additions & 2 deletions source/extensions/access_loggers/BUILD
@@ -1,16 +1,18 @@
load(
"//bazel:envoy_build_system.bzl",
"envoy_cc_library",
"envoy_package",
"envoy_extension_package",
)

licenses(["notice"]) # Apache 2

envoy_package()
envoy_extension_package()

envoy_cc_library(
name = "well_known_names",
hdrs = ["well_known_names.h"],
# well known names files are public as long as they exist.
visibility = ["//visibility:public"],
deps = [
"//source/common/singleton:const_singleton",
],
4 changes: 2 additions & 2 deletions source/extensions/access_loggers/common/BUILD
@@ -1,14 +1,14 @@
load(
"//bazel:envoy_build_system.bzl",
"envoy_cc_library",
"envoy_package",
"envoy_extension_package",
)

licenses(["notice"]) # Apache 2

# Base class for implementations of AccessLog::Instance.

envoy_package()
envoy_extension_package()

envoy_cc_library(
name = "access_log_base",
11 changes: 9 additions & 2 deletions source/extensions/access_loggers/file/BUILD
Expand Up @@ -2,20 +2,22 @@ load(
"//bazel:envoy_build_system.bzl",
"envoy_cc_extension",
"envoy_cc_library",
"envoy_package",
"envoy_extension_package",
)

licenses(["notice"]) # Apache 2

# Access log implementation that writes to a file.
# Public docs: docs/root/configuration/access_log.rst

envoy_package()
envoy_extension_package()

envoy_cc_library(
name = "file_access_log_lib",
srcs = ["file_access_log_impl.cc"],
hdrs = ["file_access_log_impl.h"],
# The file based access logger is core code.
visibility = ["//visibility:public"],
deps = [
"//source/extensions/access_loggers/common:access_log_base",
],
Expand All @@ -26,6 +28,11 @@ envoy_cc_extension(
srcs = ["config.cc"],
hdrs = ["config.h"],
security_posture = "robust_to_untrusted_downstream",
# TODO(#9953) determine if this is core or should be cleaned up.
visibility = [
"//:extension_config",
"//test:__subpackages__",
],
deps = [
":file_access_log_lib",
"//include/envoy/registry",
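Review bot: `"//test:__subpackages__"` on the `envoy_cc_extension` target built from `config.cc` opens it to the entire test tree, which is far wider than the per-directory grants used for the gRPC loggers in this same commit (`//test/common/access_log:__subpackages__`, `//test/integration:__subpackages__`). The TODO does not record which tests need the grant, so the exception cannot be audited or narrowed later without rediscovering them. Listing the specific test packages, or extending the comment to `# TODO(#9953) determine if this is core or should be cleaned up; narrow the //test grant to the packages that depend on this target.`, would keep it bounded. Which test packages actually depend on the target is not visible from this section.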
16 changes: 14 additions & 2 deletions source/extensions/access_loggers/grpc/BUILD
Expand Up @@ -2,15 +2,15 @@ load(
"//bazel:envoy_build_system.bzl",
"envoy_cc_extension",
"envoy_cc_library",
"envoy_package",
"envoy_extension_package",
)

licenses(["notice"]) # Apache 2

# Access log implementation that writes to a gRPC service.
# Public docs: TODO(rodaine): Docs needed.

envoy_package()
envoy_extension_package()

envoy_cc_library(
name = "config_utils",
Expand Down Expand Up @@ -98,6 +98,12 @@ envoy_cc_extension(
srcs = ["http_config.cc"],
hdrs = ["http_config.h"],
security_posture = "robust_to_untrusted_downstream",
# TODO(#9953) clean up.
visibility = [
"//:extension_config",
"//test/common/access_log:__subpackages__",
"//test/integration:__subpackages__",
],
deps = [
":config_utils",
"//include/envoy/server:access_log_config_interface",
Expand All @@ -115,6 +121,12 @@ envoy_cc_extension(
srcs = ["tcp_config.cc"],
hdrs = ["tcp_config.h"],
security_posture = "robust_to_untrusted_downstream",
# TODO(#9953) clean up.
visibility = [
"//:extension_config",
"//test/common/access_log:__subpackages__",
"//test/integration:__subpackages__",
],
deps = [
":config_utils",
"//include/envoy/server:access_log_config_interface",
6 changes: 4 additions & 2 deletions source/extensions/clusters/BUILD
@@ -1,16 +1,18 @@
load(
"//bazel:envoy_build_system.bzl",
"envoy_cc_library",
"envoy_package",
"envoy_extension_package",
)

licenses(["notice"]) # Apache 2

envoy_package()
envoy_extension_package()

envoy_cc_library(
name = "well_known_names",
hdrs = ["well_known_names.h"],
# well known names files are public as long as they exist.
visibility = ["//visibility:public"],
deps = [
"//source/common/config:well_known_names",
"//source/common/singleton:const_singleton",
4 changes: 2 additions & 2 deletions source/extensions/clusters/aggregate/BUILD
@@ -1,12 +1,12 @@
load(
"//bazel:envoy_build_system.bzl",
"envoy_cc_extension",
"envoy_package",
"envoy_extension_package",
)

licenses(["notice"]) # Apache 2

envoy_package()
envoy_extension_package()

envoy_cc_extension(
name = "cluster",
4 changes: 2 additions & 2 deletions source/extensions/clusters/dynamic_forward_proxy/BUILD
@@ -1,12 +1,12 @@
load(
"//bazel:envoy_build_system.bzl",
"envoy_cc_extension",
"envoy_package",
"envoy_extension_package",
)

licenses(["notice"]) # Apache 2

envoy_package()
envoy_extension_package()

envoy_cc_extension(
name = "cluster",
4 changes: 2 additions & 2 deletions source/extensions/clusters/redis/BUILD
Expand Up @@ -2,12 +2,12 @@ load(
"//bazel:envoy_build_system.bzl",
"envoy_cc_extension",
"envoy_cc_library",
"envoy_package",
"envoy_extension_package",
)

licenses(["notice"]) # Apache 2

envoy_package()
envoy_extension_package()

envoy_cc_library(
name = "crc16_lib",
6 changes: 4 additions & 2 deletions source/extensions/common/BUILD
@@ -1,16 +1,18 @@
load(
"//bazel:envoy_build_system.bzl",
"envoy_cc_library",
"envoy_package",
"envoy_extension_package",
)

licenses(["notice"]) # Apache 2

envoy_package()
envoy_extension_package()

envoy_cc_library(
name = "utility_lib",
hdrs = ["utility.h"],
# Legacy. TODO(#9953) clean up.
visibility = ["//visibility:public"],
deps = [
"//include/envoy/runtime:runtime_interface",
"//source/common/common:documentation_url_lib",
4 changes: 2 additions & 2 deletions source/extensions/common/aws/BUILD
@@ -1,12 +1,12 @@
load(
"//bazel:envoy_build_system.bzl",
"envoy_cc_library",
"envoy_package",
"envoy_extension_package",
)

licenses(["notice"]) # Apache 2

envoy_package()
envoy_extension_package()

envoy_cc_library(
name = "signer_interface",
10 changes: 8 additions & 2 deletions source/extensions/common/crypto/BUILD
@@ -1,12 +1,12 @@
load(
"//bazel:envoy_build_system.bzl",
"envoy_cc_extension",
"envoy_package",
"envoy_extension_package",
)

licenses(["notice"]) # Apache 2

envoy_package()
envoy_extension_package()

envoy_cc_extension(
name = "utility_lib",
Expand All @@ -23,6 +23,12 @@ envoy_cc_extension(
],
security_posture = "unknown",
undocumented = True,
# Legacy test use. TODO(#9953) clean up.
visibility = [
"//:extension_config",
"//test/common/config:__subpackages__",
"//test/common/crypto:__subpackages__",
],
deps = [
"//include/envoy/buffer:buffer_interface",
"//source/common/common:assert_lib",
4 changes: 2 additions & 2 deletions source/extensions/common/dynamic_forward_proxy/BUILD
@@ -1,12 +1,12 @@
load(
"//bazel:envoy_build_system.bzl",
"envoy_cc_library",
"envoy_package",
"envoy_extension_package",
)

licenses(["notice"]) # Apache 2

envoy_package()
envoy_extension_package()

envoy_cc_library(
name = "dns_cache_interface",
6 changes: 4 additions & 2 deletions source/extensions/common/proxy_protocol/BUILD
@@ -1,17 +1,19 @@
load(
"//bazel:envoy_build_system.bzl",
"envoy_cc_library",
"envoy_package",
"envoy_extension_package",
)

licenses(["notice"]) # Apache 2

envoy_package()
envoy_extension_package()

envoy_cc_library(
name = "proxy_protocol_header_lib",
srcs = ["proxy_protocol_header.cc"],
hdrs = ["proxy_protocol_header.h"],
# This is used by the router, so considered core code.
visibility = ["//visibility:public"],
deps = [
"//include/envoy/buffer:buffer_interface",
"//include/envoy/network:address_interface",
4 changes: 2 additions & 2 deletions source/extensions/common/redis/BUILD
@@ -1,7 +1,7 @@
load(
"//bazel:envoy_build_system.bzl",
"envoy_cc_library",
"envoy_package",
"envoy_extension_package",
)

licenses(["notice"]) # Apache 2
Expand All @@ -10,7 +10,7 @@ licenses(["notice"]) # Apache 2
# clusters.
# Public docs: docs/root/configuration/network_filters/redis_proxy_filter.rst

envoy_package()
envoy_extension_package()

envoy_cc_library(
name = "cluster_refresh_manager_interface",