build: marking extensions as extension-only visible by default (envoyproxy#12337)

Risk Level: medium (of build breakage)
Testing: n/a
Docs Changes: n/a
Release Notes: n/a
Part of envoyproxy#9953

Signed-off-by: Alyssa Wilk <alyssar@chromium.org>

Author: alyssawilk

BUILD

@@ -1,6 +1,36 @@
+load(
+    "@envoy_build_config//:extensions_build_config.bzl",
+    "ADDITIONAL_VISIBILITY",
+)
+
 licenses(["notice"])  # Apache 2
 
 exports_files([
     "VERSION",
     ".clang-format",
 ])
+
+# These two definitions exist to help reduce Envoy upstream core code depending on extensions.
+# To avoid visibility problems, one can extend ADDITIONAL_VISIBILITY in source/extensions/extensions_build_config.bzl
+#
+# TODO(#9953) //test/config_test:__pkg__ should probably be split up and removed.
+# TODO(#9953) the config fuzz tests should be moved somewhere local and //test/config_test and //test/server removed.
+package_group(
+    name = "extension_config",
+    packages = [
+        "//source/exe",
+        "//source/extensions/...",
+        "//test/config_test",
+        "//test/extensions/...",
+        "//test/server",
+        "//test/server/config_validation",
+    ] + ADDITIONAL_VISIBILITY,
+)
+
+package_group(
+    name = "extension_library",
+    packages = [
+        "//source/extensions/...",
+        "//test/extensions/...",
+    ] + ADDITIONAL_VISIBILITY,
+)

bazel/README.md

@@ -611,6 +611,17 @@ local_repository(
 ...
 ```
 
+## Extra extensions
+
+If you are building your own Envoy extensions or custom Envoy builds and encounter visibility
+problems with, you may need to adjust the default visibility rules.
+By default, Envoy extensions are set up to only be visible to code within the
+[//source/extensions](../source/extensions/), or the Envoy server target. To adjust this,
+add any additional targets you need to `ADDITIONAL_VISIBILITY` in
+[extensions_build_config.bzl](../source/extensions/extensions_build_config.bzl).
+See the instructions above about how to create your own custom version of
+[extensions_build_config.bzl](../source/extensions/extensions_build_config.bzl).
+
 # Release builds
 
 Release builds should be built in `opt` mode, processed with `strip` and have a

bazel/envoy_build_system.bzl

@@ -36,6 +36,9 @@ load(
 def envoy_package():
     native.package(default_visibility = ["//visibility:public"])
 
+def envoy_extension_package():
+    native.package(default_visibility = ["//:extension_library"])
+
 # A genrule variant that can output a directory. This is useful when doing things like
 # generating a fuzz corpus mechanically.
 def _envoy_directory_genrule_impl(ctx):

bazel/envoy_library.bzl

@@ -70,12 +70,13 @@ def envoy_cc_extension(
         undocumented = False,
         status = "stable",
         tags = [],
+        visibility = ["//:extension_config"],
         **kwargs):
     if security_posture not in EXTENSION_SECURITY_POSTURES:
         fail("Unknown extension security posture: " + security_posture)
     if status not in EXTENSION_STATUS_VALUES:
         fail("Unknown extension status: " + status)
-    envoy_cc_library(name, tags = tags, **kwargs)
+    envoy_cc_library(name, tags = tags, visibility = visibility, **kwargs)
 
 # Envoy C++ library targets should be specified with this function.
 def envoy_cc_library(

docs/root/version_history/current.rst

@@ -5,6 +5,8 @@ Incompatible Behavior Changes
 -----------------------------
 *Changes that are expected to cause an incompatibility if applicable; deployment changes are likely required*
 
+* build: added visibility rules for upstream. If these cause visibility related breakage, see notes in //BUILD.
+
 Minor Behavior Changes
 ----------------------
 *Changes that may cause incompatibilities for some users, but should not for most*

source/extensions/access_loggers/BUILD

@@ -1,16 +1,18 @@
 load(
     "//bazel:envoy_build_system.bzl",
     "envoy_cc_library",
-    "envoy_package",
+    "envoy_extension_package",
 )
 
 licenses(["notice"])  # Apache 2
 
-envoy_package()
+envoy_extension_package()
 
 envoy_cc_library(
     name = "well_known_names",
     hdrs = ["well_known_names.h"],
+    # well known names files are public as long as they exist.
+    visibility = ["//visibility:public"],
     deps = [
         "//source/common/singleton:const_singleton",
     ],

source/extensions/access_loggers/common/BUILD

@@ -1,14 +1,14 @@
 load(
     "//bazel:envoy_build_system.bzl",
     "envoy_cc_library",
-    "envoy_package",
+    "envoy_extension_package",
 )
 
 licenses(["notice"])  # Apache 2
 
 # Base class for implementations of AccessLog::Instance.
 
-envoy_package()
+envoy_extension_package()
 
 envoy_cc_library(
     name = "access_log_base",

source/extensions/access_loggers/file/BUILD

@@ -2,20 +2,22 @@ load(
     "//bazel:envoy_build_system.bzl",
     "envoy_cc_extension",
     "envoy_cc_library",
-    "envoy_package",
+    "envoy_extension_package",
 )
 
 licenses(["notice"])  # Apache 2
 
 # Access log implementation that writes to a file.
 # Public docs: docs/root/configuration/access_log.rst
 
-envoy_package()
+envoy_extension_package()
 
 envoy_cc_library(
     name = "file_access_log_lib",
     srcs = ["file_access_log_impl.cc"],
     hdrs = ["file_access_log_impl.h"],
+    # The file based access logger is core code.
+    visibility = ["//visibility:public"],
     deps = [
         "//source/extensions/access_loggers/common:access_log_base",
     ],
@@ -26,6 +28,11 @@ envoy_cc_extension(
     srcs = ["config.cc"],
     hdrs = ["config.h"],
     security_posture = "robust_to_untrusted_downstream",
+    # TODO(#9953) determine if this is core or should be cleaned up.
+    visibility = [
+        "//:extension_config",
+        "//test:__subpackages__",
+    ],
     deps = [
         ":file_access_log_lib",
         "//include/envoy/registry",

source/extensions/access_loggers/grpc/BUILD

@@ -2,15 +2,15 @@ load(
     "//bazel:envoy_build_system.bzl",
     "envoy_cc_extension",
     "envoy_cc_library",
-    "envoy_package",
+    "envoy_extension_package",
 )
 
 licenses(["notice"])  # Apache 2
 
 # Access log implementation that writes to a gRPC service.
 # Public docs: TODO(rodaine): Docs needed.
 
-envoy_package()
+envoy_extension_package()
 
 envoy_cc_library(
     name = "config_utils",
@@ -98,6 +98,12 @@ envoy_cc_extension(
     srcs = ["http_config.cc"],
     hdrs = ["http_config.h"],
     security_posture = "robust_to_untrusted_downstream",
+    # TODO(#9953) clean up.
+    visibility = [
+        "//:extension_config",
+        "//test/common/access_log:__subpackages__",
+        "//test/integration:__subpackages__",
+    ],
     deps = [
         ":config_utils",
         "//include/envoy/server:access_log_config_interface",
@@ -115,6 +121,12 @@ envoy_cc_extension(
     srcs = ["tcp_config.cc"],
     hdrs = ["tcp_config.h"],
     security_posture = "robust_to_untrusted_downstream",
+    # TODO(#9953) clean up.
+    visibility = [
+        "//:extension_config",
+        "//test/common/access_log:__subpackages__",
+        "//test/integration:__subpackages__",
+    ],
     deps = [
         ":config_utils",
         "//include/envoy/server:access_log_config_interface",

source/extensions/clusters/BUILD

@@ -1,16 +1,18 @@
 load(
     "//bazel:envoy_build_system.bzl",
     "envoy_cc_library",
-    "envoy_package",
+    "envoy_extension_package",
 )
 
 licenses(["notice"])  # Apache 2
 
-envoy_package()
+envoy_extension_package()
 
 envoy_cc_library(
     name = "well_known_names",
     hdrs = ["well_known_names.h"],
+    # well known names files are public as long as they exist.
+    visibility = ["//visibility:public"],
     deps = [
         "//source/common/config:well_known_names",
         "//source/common/singleton:const_singleton",

source/extensions/clusters/aggregate/BUILD

@@ -1,12 +1,12 @@
 load(
     "//bazel:envoy_build_system.bzl",
     "envoy_cc_extension",
-    "envoy_package",
+    "envoy_extension_package",
 )
 
 licenses(["notice"])  # Apache 2
 
-envoy_package()
+envoy_extension_package()
 
 envoy_cc_extension(
     name = "cluster",

source/extensions/clusters/dynamic_forward_proxy/BUILD

@@ -1,12 +1,12 @@
 load(
     "//bazel:envoy_build_system.bzl",
     "envoy_cc_extension",
-    "envoy_package",
+    "envoy_extension_package",
 )
 
 licenses(["notice"])  # Apache 2
 
-envoy_package()
+envoy_extension_package()
 
 envoy_cc_extension(
     name = "cluster",

source/extensions/clusters/redis/BUILD

@@ -2,12 +2,12 @@ load(
     "//bazel:envoy_build_system.bzl",
     "envoy_cc_extension",
     "envoy_cc_library",
-    "envoy_package",
+    "envoy_extension_package",
 )
 
 licenses(["notice"])  # Apache 2
 
-envoy_package()
+envoy_extension_package()
 
 envoy_cc_library(
     name = "crc16_lib",

source/extensions/common/BUILD

@@ -1,16 +1,18 @@
 load(
     "//bazel:envoy_build_system.bzl",
     "envoy_cc_library",
-    "envoy_package",
+    "envoy_extension_package",
 )
 
 licenses(["notice"])  # Apache 2
 
-envoy_package()
+envoy_extension_package()
 
 envoy_cc_library(
     name = "utility_lib",
     hdrs = ["utility.h"],
+    # Legacy.  TODO(#9953) clean up.
+    visibility = ["//visibility:public"],
     deps = [
         "//include/envoy/runtime:runtime_interface",
         "//source/common/common:documentation_url_lib",

source/extensions/common/aws/BUILD

@@ -1,12 +1,12 @@
 load(
     "//bazel:envoy_build_system.bzl",
     "envoy_cc_library",
-    "envoy_package",
+    "envoy_extension_package",
 )
 
 licenses(["notice"])  # Apache 2
 
-envoy_package()
+envoy_extension_package()
 
 envoy_cc_library(
     name = "signer_interface",

source/extensions/common/crypto/BUILD

@@ -1,12 +1,12 @@
 load(
     "//bazel:envoy_build_system.bzl",
     "envoy_cc_extension",
-    "envoy_package",
+    "envoy_extension_package",
 )
 
 licenses(["notice"])  # Apache 2
 
-envoy_package()
+envoy_extension_package()
 
 envoy_cc_extension(
     name = "utility_lib",
@@ -23,6 +23,12 @@ envoy_cc_extension(
     ],
     security_posture = "unknown",
     undocumented = True,
+    # Legacy test use. TODO(#9953) clean up.
+    visibility = [
+        "//:extension_config",
+        "//test/common/config:__subpackages__",
+        "//test/common/crypto:__subpackages__",
+    ],
     deps = [
         "//include/envoy/buffer:buffer_interface",
         "//source/common/common:assert_lib",

source/extensions/common/dynamic_forward_proxy/BUILD

@@ -1,12 +1,12 @@
 load(
     "//bazel:envoy_build_system.bzl",
     "envoy_cc_library",
-    "envoy_package",
+    "envoy_extension_package",
 )
 
 licenses(["notice"])  # Apache 2
 
-envoy_package()
+envoy_extension_package()
 
 envoy_cc_library(
     name = "dns_cache_interface",

source/extensions/common/proxy_protocol/BUILD

@@ -1,17 +1,19 @@
 load(
     "//bazel:envoy_build_system.bzl",
     "envoy_cc_library",
-    "envoy_package",
+    "envoy_extension_package",
 )
 
 licenses(["notice"])  # Apache 2
 
-envoy_package()
+envoy_extension_package()
 
 envoy_cc_library(
     name = "proxy_protocol_header_lib",
     srcs = ["proxy_protocol_header.cc"],
     hdrs = ["proxy_protocol_header.h"],
+    # This is used by the router, so considered core code.
+    visibility = ["//visibility:public"],
     deps = [
         "//include/envoy/buffer:buffer_interface",
         "//include/envoy/network:address_interface",

source/extensions/common/redis/BUILD

@@ -1,7 +1,7 @@
 load(
     "//bazel:envoy_build_system.bzl",
     "envoy_cc_library",
-    "envoy_package",
+    "envoy_extension_package",
 )
 
 licenses(["notice"])  # Apache 2
@@ -10,7 +10,7 @@ licenses(["notice"])  # Apache 2
 # clusters.
 # Public docs: docs/root/configuration/network_filters/redis_proxy_filter.rst
 
-envoy_package()
+envoy_extension_package()
 
 envoy_cc_library(
     name = "cluster_refresh_manager_interface",