dynamically link kong to system openssl (#39663)

kranurag7 · EyeCantCU · jamonation · web-flow · commit 0ebc953d6a66 · 2025-01-18T01:26:07.000+05:30
links to system openssl.

```bash
$ scanelf /usr/local/ -R  | awk '{print $2}' | xargs ldd | grep -E 'libssl|libcrypto'
ldd: ./FILE: No such file or directory
        libssl.so.3 =&gt; /usr/lib/libssl.so.3 (0x00007c626fcbd000)
        libcrypto.so.3 =&gt; /usr/lib/libcrypto.so.3 (0x00007c626f600000)
        libssl.so.3 =&gt; /usr/lib/libssl.so.3 (0x00007a43aab8d000)
        libcrypto.so.3 =&gt; /usr/lib/libcrypto.so.3 (0x00007a43aa600000)
        libssl.so.3 =&gt; /usr/lib/libssl.so.3 (0x00007bd661c20000)
        libcrypto.so.3 =&gt; /usr/lib/libcrypto.so.3 (0x00007bd661600000)
```

---------

Signed-off-by: kranurag7 &lt;81210977+kranurag7@users.noreply.github.com&gt;
Co-authored-by: RJ Trujillo &lt;rj.sampson@chainguard.dev&gt;
Co-authored-by: Jamon Camisso &lt;jamonation@users.noreply.github.com&gt;
diff --git a/kong.yaml b/kong.yaml
@@ -1,7 +1,7 @@
 package:
   name: kong
   version: 3.9.0
-  epoch: 1
+  epoch: 2
   description: "The Kong Gateway - an API Gateway built on Nginx and OpenResty"
   copyright:
     - license: Apache-2.0
@@ -47,9 +47,11 @@ pipeline:
 
   - uses: patch
     with:
-      patches: http-archive.patch
+      patches: http-archive.patch openssl.patch
 
   - runs: |
+      # remove openssl directory given we want to build against our system openssl.
+      rm -r build/openresty/openssl
       # Set up environment variables
       export PATH=$PATH:$HOME/.cargo/bin
       export JAVA_HOME=/usr/lib/jvm/java-21-openjdk
@@ -82,4 +84,6 @@ update:
 test:
   pipeline:
     - runs: |
-        kong version
+        kong version | grep -i ${{package.version}}
+        kong prepare --v 2>/dev/null | grep -i "preparing nginx"
+        kong roar | grep -i "Monolith destroyer"
diff --git a/kong/openssl.patch b/kong/openssl.patch
@@ -0,0 +1,122 @@
+diff --git a/build/BUILD.bazel b/build/BUILD.bazel
+index b83f4f4..42aa986 100644
+--- a/build/BUILD.bazel
++++ b/build/BUILD.bazel
+@@ -10,7 +10,6 @@ exports_files([
+ # C libraries
+ 
+ clib_deps = [
+-    "@openssl",
+     "@libexpat",
+     "@snappy",
+     "@ada",
+@@ -21,7 +20,7 @@ clib_deps = [
+         name = "install-%s" % get_workspace_name(k),
+         src = k,
+         # only install openssl headers
+-        exclude = [] if k in ("@openssl",) else ["include"],
++        exclude = ["include"],
+         prefix = "kong/lib" if k in ("@passwdqc", "@snappy", "@ada") else "kong",
+         strip_path = "snappy" if k == "@snappy" else "ada" if k == "@ada" else "",
+     )
+@@ -47,7 +46,6 @@ kong_rules_group(
+ kong_rules_group(
+     name = "cacheable-targets",
+     propagates = [
+-        "@openssl",
+         "@libexpat",
+         "@atc_router",
+         "@simdjson_ffi",
+@@ -73,7 +71,6 @@ kong_install(
+     prefix = "openresty",
+     deps = [
+         ":install-openresty-luajit",
+-        ":install-openssl",
+     ],
+ )
+ 
+diff --git a/build/luarocks/BUILD.luarocks.bazel b/build/luarocks/BUILD.luarocks.bazel
+index b23ad96..d9dda79 100644
+--- a/build/luarocks/BUILD.luarocks.bazel
++++ b/build/luarocks/BUILD.luarocks.bazel
+@@ -40,7 +40,6 @@ kong_template_genrule(
+     name = "luarocks_exec",
+     srcs = [
+         "@libexpat",
+-        "@openssl",
+     ] + select({
+         "@kong//:any-cross": ["@cross_deps_libyaml//:libyaml"],
+         "//conditions:default": [
+diff --git a/build/luarocks/templates/luarocks_exec.sh b/build/luarocks/templates/luarocks_exec.sh
+index 10515f8..f8cc445 100644
+--- a/build/luarocks/templates/luarocks_exec.sh
++++ b/build/luarocks/templates/luarocks_exec.sh
+@@ -3,7 +3,6 @@
+ # template variables starts
+ libexpat_path="{{@@libexpat//:libexpat}}"
+ libxml2_path="invalid"
+-openssl_path="{{@@openssl//:openssl}}"
+ luarocks_host_path="{{@@luarocks//:luarocks_host}}"
+ luajit_path="{{@@openresty//:luajit}}"
+ kongrocks_path="invalid"
+@@ -27,7 +26,6 @@ ROCKS_CONFIG=$(readlink -f "$ROCKS_DIR/../luarocks_config.lua")
+ 
+ EXPAT_DIR=$root_path/$libexpat_path
+ LIBXML2_DIR=$root_path/$libxml2_path
+-OPENSSL_DIR=$root_path/$openssl_path
+ 
+ # The Bazel rules doesn't export the `libexpat.so` file,
+ # it only exports something like `libexpat.so.1.6.0`,
+@@ -115,8 +113,6 @@ fi
+ # some distros has BINPRM_BUF_SIZE smaller than the shebang generated,
+ # which is usually more than 160 bytes
+ $host_luajit $root_path/$LUAROCKS_HOST/bin/luarocks \$private_rocks_args \$@ \\
+-    OPENSSL_DIR=$OPENSSL_DIR \\
+-    CRYPTO_DIR=$OPENSSL_DIR \\
+     EXPAT_DIR=$EXPAT_DIR \\
+     LIBXML2_DIR=$LIBXML2_DIR \\
+     YAML_DIR=$YAML_DIR
+diff --git a/build/openresty/BUILD.openresty.bazel b/build/openresty/BUILD.openresty.bazel
+index 81ad172..157f6b7 100644
+--- a/build/openresty/BUILD.openresty.bazel
++++ b/build/openresty/BUILD.openresty.bazel
+@@ -147,10 +147,8 @@ CONFIGURE_OPTIONS = [
+     "--without-http_rds_csv_module",
+     "--with-luajit=$$EXT_BUILD_DEPS/luajit",
+     "--with-cc-opt=\"-I$$EXT_BUILD_DEPS/pcre/include\"",
+-    "--with-cc-opt=\"-I$$EXT_BUILD_DEPS/openssl/include\"",
+     "--with-cc-opt=\"-I$$EXT_BUILD_DEPS/luajit/include\"",
+     "--with-ld-opt=\"-L$$EXT_BUILD_DEPS/pcre/lib\"",
+-    "--with-ld-opt=\"-L$$EXT_BUILD_DEPS/openssl/lib\"",
+     "--with-ld-opt=\"-L$$EXT_BUILD_DEPS/luajit/lib\"",
+     "--with-ld-opt=\"-L$$EXT_BUILD_DEPS/lib\"",
+     # Here let's try not having --disable-new-dtags; --disable-new-dtags creates rpath instead of runpath
+@@ -326,7 +324,6 @@ configure_make(
+     visibility = ["//visibility:public"],
+     deps = [
+         "@openresty//:luajit",
+-        "@openssl",
+         "@pcre",
+     ] + select({
+         "@kong//:any-cross": [
+diff --git a/build/openresty/repositories.bzl b/build/openresty/repositories.bzl
+index f4cafe9..6ced994 100644
+--- a/build/openresty/repositories.bzl
++++ b/build/openresty/repositories.bzl
+@@ -7,7 +7,6 @@ load("//build:build_system.bzl", "git_or_local_repository")
+ load("//build/openresty/ada:ada_repositories.bzl", "ada_repositories")
+ load("//build/openresty/atc_router:atc_router_repositories.bzl", "atc_router_repositories")
+ load("//build/openresty/brotli:brotli_repositories.bzl", "brotli_repositories")
+-load("//build/openresty/openssl:openssl_repositories.bzl", "openssl_repositories")
+ load("//build/openresty/pcre:pcre_repositories.bzl", "pcre_repositories")
+ load("//build/openresty/simdjson_ffi:simdjson_ffi_repositories.bzl", "simdjson_ffi_repositories")
+ load("//build/openresty/snappy:snappy_repositories.bzl", "snappy_repositories")
+@@ -31,7 +30,6 @@ filegroup(
+ 
+ def openresty_repositories():
+     pcre_repositories()
+-    openssl_repositories()
+     simdjson_ffi_repositories()
+     atc_router_repositories()
+     wasmx_repositories()
+
