From 4a4ab726826779bb312bd10918f5020c54c33175 Mon Sep 17 00:00:00 2001 From: Clemens Hoffmann Date: Mon, 27 Apr 2026 15:13:07 +0200 Subject: [PATCH 01/20] First commit for AWS-LC --- ci/pipeline.yml | 37 ++++++++++++- ci/scripts/autobump-dependencies.py | 16 ++++++ ci/scripts/functions-ci.sh | 6 +++ ci/scripts/shipit | 82 +++++++++++++++++++++++++++++ packages/haproxy/packaging | 38 ++++++++++++- 5 files changed, 177 insertions(+), 2 deletions(-) diff --git a/ci/pipeline.yml b/ci/pipeline.yml index 9b805502..09236ca3 100644 --- a/ci/pipeline.yml +++ b/ci/pipeline.yml @@ -6,6 +6,7 @@ groups: - unit-tests - unit-tests-pr - acceptance-tests + - acceptance-tests-awslc - acceptance-tests-pr - rc - shipit @@ -149,6 +150,40 @@ jobs: icon_url: "((slack.icon))" text: "((slack.fail_url)) haproxy-boshrelease : acceptance tests failed" + - name: acceptance-tests-awslc + public: true + serial: true + plan: + - do: + - in_parallel: + - { get: git, trigger: true, passed: [unit-tests] } + - { get: stemcell } + - { get: stemcell-jammy } + - get: haproxy-boshrelease-testflight + - task: acceptance-tests-awslc + privileged: true + timeout: 4h + image: haproxy-boshrelease-testflight + config: + platform: linux + inputs: + - { name: git } + - { name: stemcell } + - { name: stemcell-jammy } + run: + path: ./git/ci/scripts/acceptance-tests + args: [] + params: + REPO_ROOT: git + HAPROXY_AWSLC: "true" + on_failure: + put: notify + params: + channel: "#haproxy-boshrelease" + username: ci-bot + icon_url: "((slack.icon))" + text: "((slack.fail_url)) haproxy-boshrelease : acceptance tests (AWS-LC) failed" + - name: acceptance-tests-pr public: true serial: true @@ -300,7 +335,7 @@ jobs: name: gh/name tag: gh/tag body: gh/notes.md - globs: [gh/artifacts/*, gh/artifacts-patched/*] + globs: [gh/artifacts/*, gh/artifacts-patched/*, gh/artifacts-awslc/*, gh/artifacts-awslc-patched/*] - put: notify params: channel: "#haproxy-boshrelease" 
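Review bot: The release step's `globs` now publishes `gh/artifacts-awslc/*` and `gh/artifacts-awslc-patched/*`, but none of the three ci/pipeline.yml hunks in this commit adds `acceptance-tests-awslc` to any downstream `passed:` list, so as far as this diff shows the AWS-LC tarballs can be released without that job ever having gone green. If the rc job gates on the existing acceptance job with something like `passed: [acceptance-tests]` (not visible here), extend it to `passed: [acceptance-tests, acceptance-tests-awslc]`. The same applies to `acceptance-tests-awslc-fips` and the FIPS globs added in PATCH 04, and to `gh/artifacts-multi/*` in PATCH 08.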
diff --git a/ci/scripts/autobump-dependencies.py b/ci/scripts/autobump-dependencies.py index 3034eee1..38fe2527 100755 --- a/ci/scripts/autobump-dependencies.py +++ b/ci/scripts/autobump-dependencies.py @@ -24,6 +24,8 @@ LUA_VERSION = "5.4" PCRE_VERSION = "10" HATOP_VERSION = "0" +AWS_LC_VERSION = "1" +CMAKE_VERSION = "3.31" # Required Environment Vars BLOBSTORE_SECRET_ACCESS_KEY = os.environ["GCP_SERVICE_KEY"] @@ -501,6 +503,20 @@ def main() -> None: tagname_prefix="v", filename_suffix="", ), + GithubDependency( + "aws-lc", + "AWS_LC_VERSION", + AWS_LC_VERSION, + "https://github.com/aws/aws-lc", + tagname_prefix="v", + ), + GithubDependency( + "cmake", + "CMAKE_VERSION", + CMAKE_VERSION, + "https://github.com/Kitware/CMake", + tagname_prefix="v", + ), ] write_private_yaml() diff --git a/ci/scripts/functions-ci.sh b/ci/scripts/functions-ci.sh index fa8e5465..9c87b311 100755 --- a/ci/scripts/functions-ci.sh +++ b/ci/scripts/functions-ci.sh @@ -54,6 +54,12 @@ function bosh_release() { echo "----- Creating candidate BOSH release..." bosh -n reset-release # in case dev_releases/ is in repo accidentally + if [ "${HAPROXY_AWSLC:-}" == "true" ]; then + echo "----- Adding AWS-LC blobs to haproxy package spec..." + echo "- haproxy/aws-lc-*.tar.gz" >> packages/haproxy/spec + echo "- haproxy/cmake-*.tar.gz" >> packages/haproxy/spec + fi + bosh create-release --force bosh upload-release --rebase release_final_version=$(spruce json dev_releases/*/index.yml | jq -r ".builds[].version" | sed -e "s%+.*%%") diff --git a/ci/scripts/shipit b/ci/scripts/shipit index 636b7b51..39f38071 100755 --- a/ci/scripts/shipit +++ b/ci/scripts/shipit @@ -76,6 +76,8 @@ LUA_VERSION=$(version LUA_VERSION) SOCAT_VERSION=$(version SOCAT_VERSION) PCRE_VERSION=$(version PCRE_VERSION) KEEPALIVED_VERSION=$(version KEEPALIVED_VERSION keepalived) +AWS_LC_VERSION=$(version AWS_LC_VERSION) +CMAKE_VERSION=$(version CMAKE_VERSION) VERSION="${VERSION_TO_CREATE}+${HAPROXY_VERSION}" 
@@ -133,6 +135,8 @@ The following versions of upstream components are included in this haproxy-boshr | Lua | \`${LUA_VERSION}\` | | PCRE | \`${PCRE_VERSION}\` | | socat | \`${SOCAT_VERSION}\` | +| AWS-LC | \`${AWS_LC_VERSION}\` | +| cmake | \`${CMAKE_VERSION}\` | ### Deployment \`\`\`yaml @@ -180,6 +184,32 @@ pushd "${REPO_ROOT}" # Undo changes to repo from creating dev release git clean -df git reset --hard + + # --- AWS-LC variant (unpatched) --- + echo "- haproxy/aws-lc-*.tar.gz" >> packages/haproxy/spec + echo "- haproxy/cmake-*.tar.gz" >> packages/haproxy/spec + + bosh -n create-release --force --version "${VERSION}-awslc" \ + --tarball "../${RELEASE_NAME}-${VERSION}-awslc.tgz" + + # Undo changes to repo from creating dev release + git clean -df + git reset --hard + + # --- AWS-LC + Patched variant --- + echo "- haproxy/patches.tar.gz" >> packages/haproxy/spec + echo "- haproxy/aws-lc-*.tar.gz" >> packages/haproxy/spec + echo "- haproxy/cmake-*.tar.gz" >> packages/haproxy/spec + tar -czvf haproxy-patches.tar.gz haproxy-patches + bosh add-blob haproxy-patches.tar.gz haproxy/patches.tar.gz + bosh upload-blobs + + bosh -n create-release --force --version "${VERSION}-awslc-patched" \ + --tarball "../${RELEASE_NAME}-${VERSION}-awslc-patched.tgz" + + # Undo changes to repo from creating dev release + git clean -df + git reset --hard popd mkdir -p "${RELEASE_ROOT}/artifacts-patched" 
@@ -208,6 +238,58 @@ releases: \`\`\` EOF +mkdir -p "${RELEASE_ROOT}/artifacts-awslc" +mv "${RELEASE_NAME}-${VERSION}-awslc.tgz" "${RELEASE_ROOT}/artifacts-awslc" + +AWSLC_RELEASE_TGZ=${RELEASE_ROOT}/artifacts-awslc/${RELEASE_NAME}-${VERSION}-awslc.tgz +# shellcheck disable=SC2155 +export AWSLC_SHA1=$(sha1sum "${AWSLC_RELEASE_TGZ}" | head -n1 | awk '{print $1}') +echo "AWSLC_SHA1=${AWSLC_SHA1}" +# shellcheck disable=SC2155 +export AWSLC_SHA256=$(sha256sum "${AWSLC_RELEASE_TGZ}" | head -n1 | awk '{print $1}') +echo "AWSLC_SHA256=${AWSLC_SHA256}" + +cat >> "${RELEASE_ROOT}/notes.md" <> "${RELEASE_ROOT}/notes.md" </dev/null 2>&1; then + echo "Building cmake..." + tar xzf haproxy/cmake-${CMAKE_VERSION}.tar.gz + pushd cmake-${CMAKE_VERSION} + ./bootstrap --prefix=${BOSH_INSTALL_TARGET} --parallel=$(nproc) + make -j$(nproc) + make install + popd + export PATH=${BOSH_INSTALL_TARGET}/bin:$PATH + + echo "Building AWS-LC..." + tar xzf haproxy/aws-lc-v${AWS_LC_VERSION}.tar.gz + pushd aws-lc-${AWS_LC_VERSION} + mkdir -p build && cd build + cmake -DCMAKE_BUILD_TYPE=RelWithDebInfo \ + -DBUILD_SHARED_LIBS=0 \ + -DDISABLE_GO=1 \ + -DDISABLE_PERL=1 \ + -DBUILD_TESTING=0 \ + -DCMAKE_INSTALL_PREFIX=${BOSH_INSTALL_TARGET} \ + .. + make -j$(nproc) + make install + popd + + SSL_MAKE_FLAGS="USE_OPENSSL_AWSLC=1 SSL_INC=${BOSH_INSTALL_TARGET}/include SSL_LIB=${BOSH_INSTALL_TARGET}/lib" +else + SSL_MAKE_FLAGS="USE_OPENSSL=1" +fi + echo "Unpacking HAproxy..." tar xf haproxy/haproxy-${HAPROXY_VERSION}.tar.gz pushd haproxy-${HAPROXY_VERSION} 
@@ -60,7 +96,7 @@ pushd haproxy-${HAPROXY_VERSION} fi echo "Installing HAproxy..." - make TARGET=linux-glibc USE_PROMEX=1 USE_OPENSSL=1 USE_PCRE2=1 USE_PCRE2_JIT=yes USE_STATIC_PCRE2=1 USE_ZLIB=1 PCRE2DIR=${BOSH_INSTALL_TARGET} USE_LUA=1 LUA_LIB=${BOSH_INSTALL_TARGET}/lib LUA_INC=${BOSH_INSTALL_TARGET}/include + make TARGET=linux-glibc USE_PROMEX=1 ${SSL_MAKE_FLAGS} USE_PCRE2=1 USE_PCRE2_JIT=yes USE_STATIC_PCRE2=1 USE_ZLIB=1 PCRE2DIR=${BOSH_INSTALL_TARGET} USE_LUA=1 LUA_LIB=${BOSH_INSTALL_TARGET}/lib LUA_INC=${BOSH_INSTALL_TARGET}/include cp haproxy ${BOSH_INSTALL_TARGET}/bin/ chmod 755 ${BOSH_INSTALL_TARGET}/bin/haproxy popd From 9fdffe3945f4208680fe517c2317cf066ac90383 Mon Sep 17 00:00:00 2001 From: Clemens Hoffmann Date: Tue, 28 Apr 2026 07:35:04 +0000 Subject: [PATCH 02/20] Add aws-lc and cmake blobs --- config/blobs.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/config/blobs.yml b/config/blobs.yml index 96ebea1c..5374f8bc 100644 --- a/config/blobs.yml +++ b/config/blobs.yml @@ -1,3 +1,9 @@ +haproxy/aws-lc-v1.72.0.tar.gz: + size: 145266600 + sha: sha256:f214c0e06e043c4f18b836059ccb5ecbed781173e8eed106839ee2dd4f4cc157 +haproxy/cmake-3.31.6.tar.gz: + size: 11710589 + sha: sha256:653427f0f5014750aafff22727fb2aa60c6c732ca91808cfb78ce22ddd9e55f0 haproxy/haproxy-3.2.19.tar.gz: size: 5152214 object_id: 74c810ac-6fa7-401e-4bd3-05471c6d5ed0 From 6a5499af3f00b6c93aa9e7b9d82b26987de11968 Mon Sep 17 00:00:00 2001 From: Clemens Hoffmann Date: Tue, 28 Apr 2026 08:29:37 +0000 Subject: [PATCH 03/20] Add blobs for FIPS-AWS-LC --- config/blobs.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/config/blobs.yml b/config/blobs.yml index 5374f8bc..ef7ecbb0 100644 --- a/config/blobs.yml +++ b/config/blobs.yml 
@@ -1,3 +1,6 @@ +haproxy/aws-lc-fips-3.3.0.tar.gz: + size: 117102202 + sha: sha256:c137191845248c31251972f37a18381db10e579ebc205ebabb464d6f8abb759f haproxy/aws-lc-v1.72.0.tar.gz: size: 145266600 sha: sha256:f214c0e06e043c4f18b836059ccb5ecbed781173e8eed106839ee2dd4f4cc157 From 269c23632a224c402ee15df4855db97a986d35ca Mon Sep 17 00:00:00 2001 From: Clemens Hoffmann Date: Tue, 28 Apr 2026 13:48:35 +0200 Subject: [PATCH 04/20] Add AWS-LC FIPS code --- ci/pipeline.yml | 37 ++++++++++- ci/scripts/autobump-dependencies.py | 96 +++++++++++++++++++++++++++++ ci/scripts/functions-ci.sh | 7 ++- ci/scripts/shipit | 84 +++++++++++++++++++++++++ packages/haproxy/packaging | 44 ++++++++++++- 5 files changed, 263 insertions(+), 5 deletions(-) diff --git a/ci/pipeline.yml b/ci/pipeline.yml index 09236ca3..ce9a14a6 100644 --- a/ci/pipeline.yml +++ b/ci/pipeline.yml @@ -7,6 +7,7 @@ groups: - unit-tests-pr - acceptance-tests - acceptance-tests-awslc + - acceptance-tests-awslc-fips - acceptance-tests-pr - rc - shipit @@ -184,6 +185,40 @@ jobs: icon_url: "((slack.icon))" text: "((slack.fail_url)) haproxy-boshrelease : acceptance tests (AWS-LC) failed" + - name: acceptance-tests-awslc-fips + public: true + serial: true + plan: + - do: + - in_parallel: + - { get: git, trigger: true, passed: [unit-tests] } + - { get: stemcell } + - { get: stemcell-jammy } + - get: haproxy-boshrelease-testflight + - task: acceptance-tests-awslc-fips + privileged: true + timeout: 4h + image: haproxy-boshrelease-testflight + config: + platform: linux + inputs: + - { name: git } + - { name: stemcell } + - { name: stemcell-jammy } + run: + path: ./git/ci/scripts/acceptance-tests + args: [] + params: + REPO_ROOT: git + HAPROXY_AWSLC_FIPS: "true" + on_failure: + put: notify + params: + channel: "#haproxy-boshrelease" + username: ci-bot + icon_url: "((slack.icon))" + text: "((slack.fail_url)) haproxy-boshrelease : acceptance tests (AWS-LC FIPS) failed" + - name: acceptance-tests-pr public: true serial: true 
@@ -335,7 +370,7 @@ jobs: name: gh/name tag: gh/tag body: gh/notes.md - globs: [gh/artifacts/*, gh/artifacts-patched/*, gh/artifacts-awslc/*, gh/artifacts-awslc-patched/*] + globs: [gh/artifacts/*, gh/artifacts-patched/*, gh/artifacts-awslc/*, gh/artifacts-awslc-patched/*, gh/artifacts-awslc-fips/*, gh/artifacts-awslc-fips-patched/*] - put: notify params: channel: "#haproxy-boshrelease" diff --git a/ci/scripts/autobump-dependencies.py b/ci/scripts/autobump-dependencies.py index 38fe2527..442e59ec 100755 --- a/ci/scripts/autobump-dependencies.py +++ b/ci/scripts/autobump-dependencies.py @@ -26,6 +26,8 @@ HATOP_VERSION = "0" AWS_LC_VERSION = "1" CMAKE_VERSION = "3.31" +AWS_LC_FIPS_VERSION = "3" +GOLANG_VERSION = "1.26" # Required Environment Vars BLOBSTORE_SECRET_ACCESS_KEY = os.environ["GCP_SERVICE_KEY"] 
@@ -335,6 +337,87 @@ def get_release_notes(self) -> str: return f"Make sure to check the [CHANGELOG]({self.changelog_url}) for any breaking changes." +@dataclass +class GolangDependency(Dependency): + """ + Handles Go toolchain downloads from go.dev/dl/. + Go binaries are named go1.X.Y.linux-amd64.tar.gz but stored as golang-X.Y.Z.tar.gz in blobs. + """ + + def fetch_latest_release(self) -> Release: + data = requests.get(self.root_url) + html = BeautifulSoup(data.text, "html.parser") + + versions = [] + links = [link for link in html.select("a") if "href" in link.attrs] + + pattern = rf"go({self.pinned_version}(?:\.[0-9]+)*)\.linux-amd64\.tar\.gz" + + for link in links: + match = re.search(pattern, link.attrs["href"]) + if match: + ver = version.parse(match.group(1)) + url = requests.compat.urljoin(self.root_url, link.attrs["href"]) + versions.append( + Release( + f"golang-{match.group(1)}", + url, + f"golang-{match.group(1)}.tar.gz", + ver, + ) + ) + + if versions: + return sorted(versions, key=lambda r: r.version, reverse=True)[0] + + raise Exception(f"Failed to get latest {self.name} version from {self.root_url}") + + def get_release_notes(self) -> str: + return f"Make sure to check the [CHANGELOG](https://go.dev/doc/devel/release) for any breaking changes." + + +@dataclass +class GithubArchiveDependency(Dependency): + """ + For GitHub repos where releases don't have downloadable assets, + so we use the archive tarball URL instead. 
+ """ + + tagname_prefix: str = "" + + def fetch_latest_release(self) -> Release: + repo_org_and_name = self.root_url.lstrip("https://github.com/") + repo = gh.get_repo(repo_org_and_name) + releases = repo.get_releases() + + latest_release = None + latest_version = version.parse("0.0.0") + + for rel in releases: + if rel.prerelease: + continue + current_raw = rel.tag_name.lstrip(self.tagname_prefix) + current_version = version.parse(current_raw) + if latest_version < current_version and current_raw.startswith(self.pinned_version): + latest_version = current_version + tag = rel.tag_name + url = f"{self.root_url}/archive/refs/tags/{tag}.tar.gz" + latest_release = Release( + rel.title, + url, + f"{self.name}-{str(current_version)}.tar.gz", + current_version, + ) + + if latest_version == version.parse("0.0.0") or latest_release is None: + raise Exception(f"No release found for '{self.root_url}'") + + return latest_release + + def get_release_notes(self) -> str: + return f"Make sure to check the [CHANGELOG]({self.root_url}/releases) for any breaking changes." + + @dataclass class HaproxyDependency(Dependency): def __post_init__(self): @@ -510,6 +593,13 @@ def main() -> None: "https://github.com/aws/aws-lc", tagname_prefix="v", ), + GithubArchiveDependency( + "aws-lc-fips", + "AWS_LC_FIPS_VERSION", + AWS_LC_FIPS_VERSION, + "https://github.com/aws/aws-lc", + tagname_prefix="AWS-LC-FIPS-", + ), GithubDependency( "cmake", "CMAKE_VERSION", @@ -517,6 +607,12 @@ def main() -> None: "https://github.com/Kitware/CMake", tagname_prefix="v", ), + GolangDependency( + "golang", + "GOLANG_VERSION", + GOLANG_VERSION, + "https://go.dev/dl/", + ), ] write_private_yaml() diff --git a/ci/scripts/functions-ci.sh b/ci/scripts/functions-ci.sh index 9c87b311..6cefb668 100755 --- a/ci/scripts/functions-ci.sh +++ b/ci/scripts/functions-ci.sh 
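Review bot: `self.root_url.lstrip("https://github.com/")` and `rel.tag_name.lstrip(self.tagname_prefix)` in `GithubArchiveDependency.fetch_latest_release` strip a set of characters rather than a prefix, so they give the right answer only because `aws/aws-lc` and the current version strings happen not to begin with a character from those sets. This class picks the FIPS source out of a repository that also publishes non-FIPS releases, so the prefix should be an explicit filter: `if not rel.tag_name.startswith(self.tagname_prefix): continue`, then `current_raw = rel.tag_name.removeprefix(self.tagname_prefix)`, and `self.root_url.removeprefix("https://github.com/")` for the repo name (Python 3.9+). In `GolangDependency` the pattern interpolates `self.pinned_version` unescaped, so the dot in `1.26` matches any character; `re.escape(self.pinned_version)` fixes that. `requests.get(self.root_url)` is also called without `timeout=` or `raise_for_status()`, so a hung or failed fetch only shows up as the generic "Failed to get latest" exception.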
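Review bot: The `golang` entry pulls a prebuilt linux-amd64 toolchain from `https://go.dev/dl/`, and `GolangDependency.fetch_latest_release` takes only the download link from the scraped HTML; nothing visible in this commit compares the archive with the SHA-256 that go.dev publishes for each file before it becomes a blob. The download and add-blob code is outside these hunks, so please confirm whether it verifies anything; if it does not, check the digest against the published value (the `?mode=json` listing on the same URL carries a `sha256` field per file) and abort on mismatch. The `sha` later recorded in config/blobs.yml only pins whatever bytes were downloaded. This matters more here than for the source tarballs because the binary is executed during the FIPS build.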
@@ -54,7 +54,12 @@ function bosh_release() { echo "----- Creating candidate BOSH release..." bosh -n reset-release # in case dev_releases/ is in repo accidentally - if [ "${HAPROXY_AWSLC:-}" == "true" ]; then + if [ "${HAPROXY_AWSLC_FIPS:-}" == "true" ]; then + echo "----- Adding AWS-LC FIPS blobs to haproxy package spec..." + echo "- haproxy/aws-lc-fips-*.tar.gz" >> packages/haproxy/spec + echo "- haproxy/cmake-*.tar.gz" >> packages/haproxy/spec + echo "- haproxy/golang-*.tar.gz" >> packages/haproxy/spec + elif [ "${HAPROXY_AWSLC:-}" == "true" ]; then echo "----- Adding AWS-LC blobs to haproxy package spec..." echo "- haproxy/aws-lc-*.tar.gz" >> packages/haproxy/spec echo "- haproxy/cmake-*.tar.gz" >> packages/haproxy/spec diff --git a/ci/scripts/shipit b/ci/scripts/shipit index 39f38071..aca2bb9d 100755 --- a/ci/scripts/shipit +++ b/ci/scripts/shipit @@ -78,6 +78,8 @@ PCRE_VERSION=$(version PCRE_VERSION) KEEPALIVED_VERSION=$(version KEEPALIVED_VERSION keepalived) AWS_LC_VERSION=$(version AWS_LC_VERSION) CMAKE_VERSION=$(version CMAKE_VERSION) +AWS_LC_FIPS_VERSION=$(version AWS_LC_FIPS_VERSION) +GOLANG_VERSION=$(version GOLANG_VERSION) VERSION="${VERSION_TO_CREATE}+${HAPROXY_VERSION}" @@ -136,7 +138,9 @@ The following versions of upstream components are included in this haproxy-boshr | PCRE | \`${PCRE_VERSION}\` | | socat | \`${SOCAT_VERSION}\` | | AWS-LC | \`${AWS_LC_VERSION}\` | +| AWS-LC FIPS | \`${AWS_LC_FIPS_VERSION}\` | | cmake | \`${CMAKE_VERSION}\` | +| Go | \`${GOLANG_VERSION}\` | ### Deployment \`\`\`yaml 
@@ -210,6 +214,34 @@ pushd "${REPO_ROOT}" # Undo changes to repo from creating dev release git clean -df git reset --hard + + # --- AWS-LC FIPS variant (unpatched) --- + echo "- haproxy/aws-lc-fips-*.tar.gz" >> packages/haproxy/spec + echo "- haproxy/cmake-*.tar.gz" >> packages/haproxy/spec + echo "- haproxy/golang-*.tar.gz" >> packages/haproxy/spec + + bosh -n create-release --force --version "${VERSION}-awslc-fips" \ + --tarball "../${RELEASE_NAME}-${VERSION}-awslc-fips.tgz" + + # Undo changes to repo from creating dev release + git clean -df + git reset --hard + + # --- AWS-LC FIPS + Patched variant --- + echo "- haproxy/patches.tar.gz" >> packages/haproxy/spec + echo "- haproxy/aws-lc-fips-*.tar.gz" >> packages/haproxy/spec + echo "- haproxy/cmake-*.tar.gz" >> packages/haproxy/spec + echo "- haproxy/golang-*.tar.gz" >> packages/haproxy/spec + tar -czvf haproxy-patches.tar.gz haproxy-patches + bosh add-blob haproxy-patches.tar.gz haproxy/patches.tar.gz + bosh upload-blobs + + bosh -n create-release --force --version "${VERSION}-awslc-fips-patched" \ + --tarball "../${RELEASE_NAME}-${VERSION}-awslc-fips-patched.tgz" + + # Undo changes to repo from creating dev release + git clean -df + git reset --hard popd mkdir -p "${RELEASE_ROOT}/artifacts-patched" 
@@ -290,6 +322,58 @@ releases: \`\`\` EOF +mkdir -p "${RELEASE_ROOT}/artifacts-awslc-fips" +mv "${RELEASE_NAME}-${VERSION}-awslc-fips.tgz" "${RELEASE_ROOT}/artifacts-awslc-fips" + +AWSLC_FIPS_RELEASE_TGZ=${RELEASE_ROOT}/artifacts-awslc-fips/${RELEASE_NAME}-${VERSION}-awslc-fips.tgz +# shellcheck disable=SC2155 +export AWSLC_FIPS_SHA1=$(sha1sum "${AWSLC_FIPS_RELEASE_TGZ}" | head -n1 | awk '{print $1}') +echo "AWSLC_FIPS_SHA1=${AWSLC_FIPS_SHA1}" +# shellcheck disable=SC2155 +export AWSLC_FIPS_SHA256=$(sha256sum "${AWSLC_FIPS_RELEASE_TGZ}" | head -n1 | awk '{print $1}') +echo "AWSLC_FIPS_SHA256=${AWSLC_FIPS_SHA256}" + +cat >> "${RELEASE_ROOT}/notes.md" <> "${RELEASE_ROOT}/notes.md" </dev/null 2>&1; then +# If an AWS-LC FIPS source tarball is present, build with FIPS support. +# If a non-FIPS AWS-LC source tarball is present, build without FIPS. +# Otherwise, use system OpenSSL. +if ls haproxy/aws-lc-fips-*.tar.gz 1>/dev/null 2>&1; then + # --- AWS-LC FIPS build --- + echo "Installing Go toolchain..." + tar xzf haproxy/golang-${GOLANG_VERSION}.tar.gz -C ${BOSH_INSTALL_TARGET} + export GOROOT=${BOSH_INSTALL_TARGET}/go + export PATH=${GOROOT}/bin:$PATH + + echo "Building cmake..." + tar xzf haproxy/cmake-${CMAKE_VERSION}.tar.gz + pushd cmake-${CMAKE_VERSION} + ./bootstrap --prefix=${BOSH_INSTALL_TARGET} --parallel=$(nproc) + make -j$(nproc) + make install + popd + export PATH=${BOSH_INSTALL_TARGET}/bin:$PATH + + echo "Building AWS-LC (FIPS)..." + tar xzf haproxy/aws-lc-fips-${AWS_LC_FIPS_VERSION}.tar.gz + pushd aws-lc-AWS-LC-FIPS-${AWS_LC_FIPS_VERSION} + mkdir -p build && cd build + cmake -DCMAKE_BUILD_TYPE=RelWithDebInfo \ + -DFIPS=1 \ + -DBUILD_SHARED_LIBS=0 \ + -DBUILD_TESTING=0 \ + -DCMAKE_INSTALL_PREFIX=${BOSH_INSTALL_TARGET} \ + .. 
+ make -j$(nproc) + make install + popd + + SSL_MAKE_FLAGS="USE_OPENSSL_AWSLC=1 SSL_INC=${BOSH_INSTALL_TARGET}/include SSL_LIB=${BOSH_INSTALL_TARGET}/lib" + +elif ls haproxy/aws-lc-*.tar.gz 1>/dev/null 2>&1; then + # --- AWS-LC non-FIPS build --- echo "Building cmake..." tar xzf haproxy/cmake-${CMAKE_VERSION}.tar.gz pushd cmake-${CMAKE_VERSION} @@ -71,7 +107,9 @@ if ls haproxy/aws-lc-*.tar.gz 1>/dev/null 2>&1; then popd SSL_MAKE_FLAGS="USE_OPENSSL_AWSLC=1 SSL_INC=${BOSH_INSTALL_TARGET}/include SSL_LIB=${BOSH_INSTALL_TARGET}/lib" + else + # --- System OpenSSL --- SSL_MAKE_FLAGS="USE_OPENSSL=1" fi From ef952172123abf8e45eb1944707d0c5128c22f29 Mon Sep 17 00:00:00 2001 From: Clemens Hoffmann Date: Tue, 28 Apr 2026 14:57:23 +0200 Subject: [PATCH 05/20] Fix FIPS build: set GOPATH and GOCACHE for Go toolchain BOSH compilation VMs don't set $HOME, causing Go to fail with "build cache is required, but could not be located". --- packages/haproxy/packaging | 2 ++ 1 file changed, 2 insertions(+) diff --git a/packages/haproxy/packaging b/packages/haproxy/packaging index 09cc425e..2ead2095 100644 --- a/packages/haproxy/packaging +++ b/packages/haproxy/packaging @@ -53,6 +53,8 @@ if ls haproxy/aws-lc-fips-*.tar.gz 1>/dev/null 2>&1; then echo "Installing Go toolchain..." tar xzf haproxy/golang-${GOLANG_VERSION}.tar.gz -C ${BOSH_INSTALL_TARGET} export GOROOT=${BOSH_INSTALL_TARGET}/go + export GOPATH=${BOSH_INSTALL_TARGET}/gopath + export GOCACHE=${BOSH_INSTALL_TARGET}/gocache export PATH=${GOROOT}/bin:$PATH echo "Building cmake..." From b2a62e89d5f34b35da24b720c16cce5a13c5a838 Mon Sep 17 00:00:00 2001 
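Review bot: `GOPATH` and `GOCACHE` are placed under `${BOSH_INSTALL_TARGET}`, so the Go module directory and build cache become part of the compiled package that is shipped to every haproxy instance, next to the Go toolchain unpacked there by the `tar xzf ... -C ${BOSH_INSTALL_TARGET}` line above and the cmake install from the PATCH 04 hunk. Build-only state belongs in the compile directory: `export GOPATH=${BOSH_COMPILE_TARGET}/gopath` and `export GOCACHE=${BOSH_COMPILE_TARGET}/gocache`. If the toolchain and cmake have to live in the install target during the build, removing `${BOSH_INSTALL_TARGET}/go` and the cmake binaries once AWS-LC's `make install` has finished keeps compilers and caches off the runtime VM. The enclosing if-branch continues outside this hunk.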
From: Clemens Hoffmann Date: Tue, 5 May 2026 15:49:50 +0200 Subject: [PATCH 06/20] Fix non-FIPS AWS-LC blob glob to exclude FIPS tarball The glob 'haproxy/aws-lc-*.tar.gz' matched both aws-lc-v1.72.0.tar.gz and aws-lc-fips-3.3.0.tar.gz, causing the non-FIPS variant to include the FIPS blob and take the wrong build path. Narrowed to 'aws-lc-v*'. --- ci/scripts/functions-ci.sh | 2 +- ci/scripts/shipit | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/ci/scripts/functions-ci.sh b/ci/scripts/functions-ci.sh index 6cefb668..e3bdce39 100755 --- a/ci/scripts/functions-ci.sh +++ b/ci/scripts/functions-ci.sh @@ -61,7 +61,7 @@ function bosh_release() { echo "- haproxy/golang-*.tar.gz" >> packages/haproxy/spec elif [ "${HAPROXY_AWSLC:-}" == "true" ]; then echo "----- Adding AWS-LC blobs to haproxy package spec..." - echo "- haproxy/aws-lc-*.tar.gz" >> packages/haproxy/spec + echo "- haproxy/aws-lc-v*.tar.gz" >> packages/haproxy/spec echo "- haproxy/cmake-*.tar.gz" >> packages/haproxy/spec fi diff --git a/ci/scripts/shipit b/ci/scripts/shipit index aca2bb9d..a3bd475c 100755 --- a/ci/scripts/shipit +++ b/ci/scripts/shipit @@ -190,7 +190,7 @@ pushd "${REPO_ROOT}" git reset --hard # --- AWS-LC variant (unpatched) --- - echo "- haproxy/aws-lc-*.tar.gz" >> packages/haproxy/spec + echo "- haproxy/aws-lc-v*.tar.gz" >> packages/haproxy/spec echo "- haproxy/cmake-*.tar.gz" >> packages/haproxy/spec bosh -n create-release --force --version "${VERSION}-awslc" \ @@ -202,7 +202,7 @@ pushd "${REPO_ROOT}" # --- AWS-LC + Patched variant --- echo "- haproxy/patches.tar.gz" >> packages/haproxy/spec - echo "- haproxy/aws-lc-*.tar.gz" >> packages/haproxy/spec + echo "- haproxy/aws-lc-v*.tar.gz" >> packages/haproxy/spec echo "- haproxy/cmake-*.tar.gz" >> packages/haproxy/spec tar -czvf haproxy-patches.tar.gz haproxy-patches bosh add-blob haproxy-patches.tar.gz haproxy/patches.tar.gz From 3aaaf5e9dbf5fab297b21168c75650162d78aeb0 Mon Sep 17 00:00:00 2001 
From: Clemens Hoffmann Date: Tue, 5 May 2026 14:39:55 +0000 Subject: [PATCH 07/20] Upload blobs --- config/blobs.yml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/config/blobs.yml b/config/blobs.yml index ef7ecbb0..746154c5 100644 --- a/config/blobs.yml +++ b/config/blobs.yml @@ -1,12 +1,19 @@ haproxy/aws-lc-fips-3.3.0.tar.gz: size: 117102202 + object_id: 68d8fb56-d66c-46e7-425c-fe94a6b240e2 sha: sha256:c137191845248c31251972f37a18381db10e579ebc205ebabb464d6f8abb759f haproxy/aws-lc-v1.72.0.tar.gz: size: 145266600 + object_id: a1438c0e-62b7-4d71-736a-663927ad2342 sha: sha256:f214c0e06e043c4f18b836059ccb5ecbed781173e8eed106839ee2dd4f4cc157 haproxy/cmake-3.31.6.tar.gz: size: 11710589 + object_id: 59c88eb0-ae6a-43dd-7262-c59ffb28b0a4 sha: sha256:653427f0f5014750aafff22727fb2aa60c6c732ca91808cfb78ce22ddd9e55f0 +haproxy/golang-1.26.2.tar.gz: + size: 66798306 + object_id: 03f22328-ba02-4ad7-7c8b-fd4b442c7579 + sha: sha256:990e6b4bbba816dc3ee129eaeaf4b42f17c2800b88a2166c265ac1a200262282 haproxy/haproxy-3.2.19.tar.gz: size: 5152214 object_id: 74c810ac-6fa7-401e-4bd3-05471c6d5ed0 From b10ec53b7e66fe736378bbe396a9afbc312a9273 Mon Sep 17 00:00:00 2001 From: Clemens Hoffmann Date: Tue, 5 May 2026 17:56:20 +0200 Subject: [PATCH 08/20] Implement multi-package build --- ci/pipeline.yml | 2 +- ci/scripts/functions-ci.sh | 7 +++- ci/scripts/shipit | 45 ++++++++++++++++++++++ config/blobs.yml | 3 ++ jobs/haproxy/spec | 5 +++ jobs/haproxy/templates/haproxy_wrapper.erb | 8 +++- jobs/haproxy/templates/pre-start.erb | 9 ++++- 7 files changed, 74 insertions(+), 5 deletions(-) diff --git a/ci/pipeline.yml b/ci/pipeline.yml index ce9a14a6..18c051f4 100644 --- a/ci/pipeline.yml +++ b/ci/pipeline.yml 
@@ -370,7 +370,7 @@ jobs: name: gh/name tag: gh/tag body: gh/notes.md - globs: [gh/artifacts/*, gh/artifacts-patched/*, gh/artifacts-awslc/*, gh/artifacts-awslc-patched/*, gh/artifacts-awslc-fips/*, gh/artifacts-awslc-fips-patched/*] + globs: [gh/artifacts/*, gh/artifacts-patched/*, gh/artifacts-awslc/*, gh/artifacts-awslc-patched/*, gh/artifacts-awslc-fips/*, gh/artifacts-awslc-fips-patched/*, gh/artifacts-multi/*] - put: notify params: channel: "#haproxy-boshrelease" diff --git a/ci/scripts/functions-ci.sh b/ci/scripts/functions-ci.sh index e3bdce39..1cdcf3f7 100755 --- a/ci/scripts/functions-ci.sh +++ b/ci/scripts/functions-ci.sh @@ -54,7 +54,12 @@ function bosh_release() { echo "----- Creating candidate BOSH release..." bosh -n reset-release # in case dev_releases/ is in repo accidentally - if [ "${HAPROXY_AWSLC_FIPS:-}" == "true" ]; then + if [ "${HAPROXY_MULTI:-}" == "true" ]; then + echo "----- Building multi release (all variants, property-driven selection)..." + sed -i 's/^- haproxy$/- haproxy-openssl\n- haproxy-openssl-patched\n- haproxy-awslc\n- haproxy-awslc-patched\n- haproxy-awslc-fips\n- haproxy-awslc-fips-patched/' jobs/haproxy/spec + tar -czvf haproxy-patches.tar.gz haproxy-patches + bosh add-blob haproxy-patches.tar.gz haproxy/patches.tar.gz + elif [ "${HAPROXY_AWSLC_FIPS:-}" == "true" ]; then echo "----- Adding AWS-LC FIPS blobs to haproxy package spec..." echo "- haproxy/aws-lc-fips-*.tar.gz" >> packages/haproxy/spec echo "- haproxy/cmake-*.tar.gz" >> packages/haproxy/spec diff --git a/ci/scripts/shipit b/ci/scripts/shipit index a3bd475c..ef190d1a 100755 --- a/ci/scripts/shipit +++ b/ci/scripts/shipit 
@@ -242,6 +242,22 @@ pushd "${REPO_ROOT}" # Undo changes to repo from creating dev release git clean -df git reset --hard + + # --- Multi release (all variants, property-driven selection) --- + # Modify job spec to list all variant packages + sed -i 's/^- haproxy$/- haproxy-openssl\n- haproxy-openssl-patched\n- haproxy-awslc\n- haproxy-awslc-patched\n- haproxy-awslc-fips\n- haproxy-awslc-fips-patched/' jobs/haproxy/spec + + # Include patches blob for patched variant packages + tar -czvf haproxy-patches.tar.gz haproxy-patches + bosh add-blob haproxy-patches.tar.gz haproxy/patches.tar.gz + bosh upload-blobs + + bosh -n create-release --force --version "${VERSION}-multi" \ + --tarball "../${RELEASE_NAME}-${VERSION}-multi.tgz" + + # Undo changes to repo from creating dev release + git clean -df + git reset --hard popd mkdir -p "${RELEASE_ROOT}/artifacts-patched" @@ -374,6 +390,35 @@ releases: \`\`\` EOF +mkdir -p "${RELEASE_ROOT}/artifacts-multi" +mv "${RELEASE_NAME}-${VERSION}-multi.tgz" "${RELEASE_ROOT}/artifacts-multi" + +MULTI_RELEASE_TGZ=${RELEASE_ROOT}/artifacts-multi/${RELEASE_NAME}-${VERSION}-multi.tgz +# shellcheck disable=SC2155 +export MULTI_SHA1=$(sha1sum "${MULTI_RELEASE_TGZ}" | head -n1 | awk '{print $1}') +echo "MULTI_SHA1=${MULTI_SHA1}" +# shellcheck disable=SC2155 +export MULTI_SHA256=$(sha256sum "${MULTI_RELEASE_TGZ}" | head -n1 | awk '{print $1}') +echo "MULTI_SHA256=${MULTI_SHA256}" + +cat >> "${RELEASE_ROOT}/notes.md" < +export PATH=$PATH:/var/vcap/packages/<%= package_dir %>/bin:/var/vcap/packages/ttar/bin CONFIG=/var/vcap/jobs/haproxy/config/haproxy.config PID_FILE=/var/vcap/sys/run/haproxy/haproxy.pid DRAIN_LOCK=/var/vcap/sys/run/haproxy/drain.lock diff --git a/jobs/haproxy/templates/pre-start.erb b/jobs/haproxy/templates/pre-start.erb index b511c8c8..b392e0ea 100644 --- a/jobs/haproxy/templates/pre-start.erb +++ b/jobs/haproxy/templates/pre-start.erb 
@@ -13,12 +13,17 @@ if [ ! -e /usr/bin/python ] && [ -e /usr/bin/python3 ]; then sudo ln -s /usr/bin/python3 /usr/bin/python fi +<% + ssl_variant = p("ha_proxy.ssl_variant", "openssl") + haproxy_package = "haproxy-#{ssl_variant}" + package_dir = File.directory?("/var/vcap/packages/#{haproxy_package}") ? haproxy_package : "haproxy" +%> if [ ! -e /usr/local/bin/hatop ]; then - sudo ln -s /var/vcap/packages/haproxy/hatop-wrapper /usr/local/bin/hatop + sudo ln -s /var/vcap/packages/<%= package_dir %>/hatop-wrapper /usr/local/bin/hatop fi if [ ! -e /usr/local/bin/socat ]; then - sudo ln -s /var/vcap/packages/haproxy/bin/socat /usr/local/bin/socat + sudo ln -s /var/vcap/packages/<%= package_dir %>/bin/socat /usr/local/bin/socat fi <%- if_p("ha_proxy.pre_start_script") do |script| -%> From 57dbcaa9bd885ab2b5174bef7a20863bcccaf22e Mon Sep 17 00:00:00 2001 From: Clemens Hoffmann Date: Wed, 6 May 2026 12:28:16 +0200 Subject: [PATCH 09/20] Add dev-build script --- scripts/dev-build.sh | 170 +++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 170 insertions(+) create mode 100755 scripts/dev-build.sh diff --git a/scripts/dev-build.sh b/scripts/dev-build.sh new file mode 100755 index 00000000..4a648ebd --- /dev/null +++ b/scripts/dev-build.sh 
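Review bot: The fallback `File.directory?(...) ? haproxy_package : "haproxy"` fails open: if `ha_proxy.ssl_variant` is set to `awslc-fips` and the matching package directory is not found, the symlinks quietly point at `/var/vcap/packages/haproxy` and the operator gets a non-FIPS build with no error. ERB runs where the template is rendered, which for BOSH jobs is normally the director rather than the instance, so this test may never see the VM's `/var/vcap/packages` at all; please confirm. The property also goes into paths unvalidated, so reject unknown values at render time, e.g. `raise "unsupported ha_proxy.ssl_variant: #{ssl_variant}" unless %w[openssl openssl-patched awslc awslc-patched awslc-fips awslc-fips-patched].include?(ssl_variant)`. Keep the `haproxy` fallback only for the case where the property was left at its default, and do the existence test in the generated shell so a missing variant stops pre-start instead of being substituted. The haproxy_wrapper.erb hunk in the same commit appears to carry the same block.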
@@ -0,0 +1,170 @@ +#!/usr/bin/env bash +# +# dev-build.sh +# +# Builds HAProxy release variants locally and uploads them to the BOSH director. +# +# Usage: ./dev-build.sh [--upload-only] [version] [output_dir] [variant...] +# +# Variants: +# openssl, openssl-patched, awslc, awslc-patched, awslc-fips, awslc-fips-patched, multi +# +# If no variants are specified, all 7 are built. +# +# Prerequisites: +# - All blobs present locally (bosh add-blob done for aws-lc, cmake, golang, aws-lc-fips) +# - haproxy-patches/ directory exists with .patch files +# + +set -euo pipefail + +SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" +cd "$SCRIPT_DIR" + +UPLOAD_ONLY=false +if [[ "${1:-}" == "--upload-only" ]]; then + UPLOAD_ONLY=true + shift +fi + +VERSION="${1:-dev}" +OUTPUT_DIR="${2:-./dev-releases}" +shift 2 2>/dev/null || true + +VARIANTS=("$@") +if [[ ${#VARIANTS[@]} -eq 0 ]]; then + VARIANTS=(openssl openssl-patched multi) +fi + +should_build() { + local variant="$1" + for v in "${VARIANTS[@]}"; do + [[ "$v" == "$variant" ]] && return 0 + done + return 1 +} + +mkdir -p "$OUTPUT_DIR" + +if [[ "$UPLOAD_ONLY" == false ]]; then + +SPEC_FILE="packages/haproxy/spec" +SPEC_ORIG=$(cat "$SPEC_FILE") +JOB_SPEC_FILE="jobs/haproxy/spec" +JOB_SPEC_ORIG=$(cat "$JOB_SPEC_FILE") + +cleanup() { + echo "$SPEC_ORIG" > "$SPEC_FILE" + echo "$JOB_SPEC_ORIG" > "$JOB_SPEC_FILE" + rm -f haproxy-patches.tar.gz +} +trap cleanup EXIT + +reset_spec() { + echo "$SPEC_ORIG" > "$SPEC_FILE" + echo "$JOB_SPEC_ORIG" > "$JOB_SPEC_FILE" + rm -f haproxy-patches.tar.gz +} + +add_patches() { + echo "- haproxy/patches.tar.gz" >> "$SPEC_FILE" + tar -czf haproxy-patches.tar.gz haproxy-patches + bosh add-blob haproxy-patches.tar.gz haproxy/patches.tar.gz +} + +build_release() { + local variant="$1" + local version="$VERSION" + [[ -n "$variant" ]] && version="${VERSION}-${variant}" + local tarball="$OUTPUT_DIR/haproxy-${version}.tgz" + + echo "" + echo "========================================" + echo " 
Building: haproxy (version: $version)" + echo "========================================" + echo "" + + bosh -n create-release --force \ + --name "haproxy" \ + --version "$version" \ + --tarball "$tarball" + + echo " -> $tarball" +} + +# --- 1. OpenSSL (base) --- +if should_build openssl; then + reset_spec + build_release "" +fi + +# --- 2. OpenSSL + Patched --- +if should_build openssl-patched; then + reset_spec + add_patches + build_release "patched" +fi + +# --- 3. AWS-LC --- +if should_build awslc; then + reset_spec + echo "- haproxy/aws-lc-v*.tar.gz" >> "$SPEC_FILE" + echo "- haproxy/cmake-*.tar.gz" >> "$SPEC_FILE" + build_release "awslc" +fi + +# --- 4. AWS-LC + Patched --- +if should_build awslc-patched; then + reset_spec + add_patches + echo "- haproxy/aws-lc-v*.tar.gz" >> "$SPEC_FILE" + echo "- haproxy/cmake-*.tar.gz" >> "$SPEC_FILE" + build_release "awslc-patched" +fi + +# --- 5. AWS-LC FIPS --- +if should_build awslc-fips; then + reset_spec + echo "- haproxy/aws-lc-fips-*.tar.gz" >> "$SPEC_FILE" + echo "- haproxy/cmake-*.tar.gz" >> "$SPEC_FILE" + echo "- haproxy/golang-*.tar.gz" >> "$SPEC_FILE" + build_release "awslc-fips" +fi + +# --- 6. AWS-LC FIPS + Patched --- +if should_build awslc-fips-patched; then + reset_spec + add_patches + echo "- haproxy/aws-lc-fips-*.tar.gz" >> "$SPEC_FILE" + echo "- haproxy/cmake-*.tar.gz" >> "$SPEC_FILE" + echo "- haproxy/golang-*.tar.gz" >> "$SPEC_FILE" + build_release "awslc-fips-patched" +fi + +# --- 7. 
Multi (all variants, property-driven selection) --- +if should_build multi; then + reset_spec + # Modify job spec: replace '- haproxy' package with all variant packages + sed -i.bak 's/^- haproxy$/- haproxy-openssl\n- haproxy-openssl-patched\n- haproxy-awslc\n- haproxy-awslc-patched\n- haproxy-awslc-fips\n- haproxy-awslc-fips-patched/' "$JOB_SPEC_FILE" + rm -f "${JOB_SPEC_FILE}.bak" + # Include patches blob for patched variant packages + add_patches + build_release "multi" +fi + +fi # UPLOAD_ONLY + +# --- Upload all releases --- +echo "" +echo "========================================" +echo " Uploading releases to BOSH director" +echo "========================================" +echo "" + +for tgz in "$OUTPUT_DIR"/haproxy-"${VERSION}"*.tgz; do + echo "Uploading: $tgz" + bosh upload-release "$tgz" --fix +done + +echo "" +echo "Done." From 0f9ddc822d48de750bd0064ece46b39c6836b225 Mon Sep 17 00:00:00 2001 From: Clemens Hoffmann Date: Wed, 6 May 2026 12:45:26 +0200 Subject: [PATCH 10/20] Minor fix --- scripts/dev-build.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/scripts/dev-build.sh b/scripts/dev-build.sh index 4a648ebd..09a052c2 100755 --- a/scripts/dev-build.sh +++ b/scripts/dev-build.sh @@ -19,7 +19,7 @@ set -euo pipefail SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" -cd "$SCRIPT_DIR" +cd "$SCRIPT_DIR/.." UPLOAD_ONLY=false if [[ "${1:-}" == "--upload-only" ]]; then @@ -33,7 +33,7 @@ shift 2 2>/dev/null || true VARIANTS=("$@") if [[ ${#VARIANTS[@]} -eq 0 ]]; then - VARIANTS=(openssl openssl-patched multi) + VARIANTS=(openssl openssl-patched awslc awslc-patched awslc-fips awslc-fips-patched multi) fi should_build() { From 0672ae97a0bede7dcf4874e108cbd3c87c9bf3e2 Mon Sep 17 00:00:00 2001 
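Review bot: The upload loop at the end of the new script globs `"$OUTPUT_DIR"/haproxy-"${VERSION}"*.tgz`, so it uploads every tarball in the output directory whose name starts with that version, including stale builds from earlier runs and variants that were not requested. With `--fix` the director may then replace jobs and packages it already holds for those versions. Deriving the file names from `VARIANTS`, with the same naming rule `build_release` uses, limits the upload to what this run was asked to handle and fails loudly when an expected tarball is missing.

```shell
# … unchanged: "Uploading releases to BOSH director" banner …
for variant in "${VARIANTS[@]}"; do
  case "$variant" in
    openssl)         suffix="" ;;
    openssl-patched) suffix="-patched" ;;
    *)               suffix="-${variant}" ;;
  esac
  tgz="$OUTPUT_DIR/haproxy-${VERSION}${suffix}.tgz"
  echo "Uploading: $tgz"
  bosh upload-release "$tgz" --fix
done
```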
From: Clemens Hoffmann Date: Wed, 6 May 2026 12:51:14 +0200 Subject: [PATCH 11/20] Add packages required to build the multi-release --- packages/aws-lc-fips/packaging | 29 +++++++++ packages/aws-lc-fips/spec | 7 +++ packages/aws-lc/packaging | 19 ++++++ packages/aws-lc/spec | 6 ++ packages/cmake/packaging | 10 +++ packages/cmake/spec | 4 ++ packages/haproxy-awslc-fips-patched/packaging | 61 +++++++++++++++++++ packages/haproxy-awslc-fips-patched/spec | 12 ++++ packages/haproxy-awslc-fips/packaging | 51 ++++++++++++++++ packages/haproxy-awslc-fips/spec | 11 ++++ packages/haproxy-awslc-patched/packaging | 61 +++++++++++++++++++ packages/haproxy-awslc-patched/spec | 12 ++++ packages/haproxy-awslc/packaging | 51 ++++++++++++++++ packages/haproxy-awslc/spec | 11 ++++ packages/haproxy-openssl-patched/packaging | 61 +++++++++++++++++++ packages/haproxy-openssl-patched/spec | 10 +++ packages/haproxy-openssl/packaging | 51 ++++++++++++++++ packages/haproxy-openssl/spec | 9 +++ 18 files changed, 476 insertions(+) create mode 100644 packages/aws-lc-fips/packaging create mode 100644 packages/aws-lc-fips/spec create mode 100644 packages/aws-lc/packaging create mode 100644 packages/aws-lc/spec create mode 100644 packages/cmake/packaging create mode 100644 packages/cmake/spec create mode 100644 packages/haproxy-awslc-fips-patched/packaging create mode 100644 packages/haproxy-awslc-fips-patched/spec create mode 100644 packages/haproxy-awslc-fips/packaging create mode 100644 packages/haproxy-awslc-fips/spec create mode 100644 packages/haproxy-awslc-patched/packaging create mode 100644 packages/haproxy-awslc-patched/spec create mode 100644 packages/haproxy-awslc/packaging create mode 100644 packages/haproxy-awslc/spec create mode 100644 packages/haproxy-openssl-patched/packaging create mode 100644 packages/haproxy-openssl-patched/spec create mode 100644 packages/haproxy-openssl/packaging create mode 100644 packages/haproxy-openssl/spec 
diff --git a/packages/aws-lc-fips/packaging b/packages/aws-lc-fips/packaging
new file mode 100644
index 00000000..4a7b537b
--- /dev/null
+++ b/packages/aws-lc-fips/packaging
@@ -0,0 +1,29 @@
+set -euxo pipefail
+
+AWS_LC_FIPS_VERSION=3.3.0 # https://github.com/aws/aws-lc/archive/refs/tags/AWS-LC-FIPS-3.3.0.tar.gz
+GOLANG_VERSION=1.26.2 # https://go.dev/dl/go1.26.2.linux-amd64.tar.gz
+
+export PATH=/var/vcap/packages/cmake/bin:$PATH
+
+# Install Go toolchain (required for FIPS delocate/inject_hash)
+tar xzf haproxy/golang-${GOLANG_VERSION}.tar.gz -C ${BOSH_INSTALL_TARGET}
+export GOROOT=${BOSH_INSTALL_TARGET}/go
+export GOPATH=${BOSH_INSTALL_TARGET}/gopath
+export GOCACHE=${BOSH_INSTALL_TARGET}/gocache
+export PATH=${GOROOT}/bin:$PATH
+
+tar xzf haproxy/aws-lc-fips-${AWS_LC_FIPS_VERSION}.tar.gz
+pushd aws-lc-AWS-LC-FIPS-${AWS_LC_FIPS_VERSION}
+ mkdir -p build && cd build
+ cmake -DCMAKE_BUILD_TYPE=RelWithDebInfo \
+ -DFIPS=1 \
+ -DBUILD_SHARED_LIBS=0 \
+ -DBUILD_TESTING=0 \
+ -DCMAKE_INSTALL_PREFIX=${BOSH_INSTALL_TARGET} \
+ ..
+ make -j$(nproc)
+ make install
+popd
+
+# Clean up Go toolchain to save disk space
+rm -rf ${BOSH_INSTALL_TARGET}/go ${BOSH_INSTALL_TARGET}/gopath ${BOSH_INSTALL_TARGET}/gocache
diff --git a/packages/aws-lc-fips/spec b/packages/aws-lc-fips/spec
new file mode 100644
index 00000000..fd42fa04
--- /dev/null
+++ b/packages/aws-lc-fips/spec
@@ -0,0 +1,7 @@
+---
+name: aws-lc-fips
+dependencies:
+- cmake
+files:
+- haproxy/aws-lc-fips-*.tar.gz
+- haproxy/golang-*.tar.gz
diff --git a/packages/aws-lc/packaging b/packages/aws-lc/packaging
new file mode 100644
index 00000000..5adf981c
--- /dev/null
+++ b/packages/aws-lc/packaging
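Review bot: The aws-lc-fips packaging script does not say what the `-DFIPS=1` build is expected to deliver, so a reader can take the resulting package for a validated module. Building the AWS-LC-FIPS tag with that flag compiles the FIPS module code, but whether the binary is covered by a validation certificate depends on the validated version and operating environment, which this script cannot establish. A comment above the cmake call would set expectations, e.g. `# FIPS=1 builds the FIPS module; certificate coverage depends on the validated version/environment, verify before claiming compliance`.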
@@ -0,0 +1,19 @@
+set -euxo pipefail
+
+AWS_LC_VERSION=1.72.0 # https://github.com/aws/aws-lc/archive/refs/tags/v1.72.0.tar.gz
+
+export PATH=/var/vcap/packages/cmake/bin:$PATH
+
+tar xzf haproxy/aws-lc-v${AWS_LC_VERSION}.tar.gz
+pushd aws-lc-${AWS_LC_VERSION}
+ mkdir -p build && cd build
+ cmake -DCMAKE_BUILD_TYPE=RelWithDebInfo \
+ -DBUILD_SHARED_LIBS=0 \
+ -DDISABLE_GO=1 \
+ -DDISABLE_PERL=1 \
+ -DBUILD_TESTING=0 \
+ -DCMAKE_INSTALL_PREFIX=${BOSH_INSTALL_TARGET} \
+ ..
+ make -j$(nproc)
+ make install
+popd
diff --git a/packages/aws-lc/spec b/packages/aws-lc/spec
new file mode 100644
index 00000000..819be13a
--- /dev/null
+++ b/packages/aws-lc/spec
@@ -0,0 +1,6 @@
+---
+name: aws-lc
+dependencies:
+- cmake
+files:
+- haproxy/aws-lc-v*.tar.gz
diff --git a/packages/cmake/packaging b/packages/cmake/packaging
new file mode 100644
index 00000000..f8109bf6
--- /dev/null
+++ b/packages/cmake/packaging
@@ -0,0 +1,10 @@
+set -euxo pipefail
+
+CMAKE_VERSION=3.31.6 # https://github.com/Kitware/CMake/releases/download/v3.31.6/cmake-3.31.6.tar.gz
+
+tar xzf haproxy/cmake-${CMAKE_VERSION}.tar.gz
+pushd cmake-${CMAKE_VERSION}
+ ./bootstrap --prefix=${BOSH_INSTALL_TARGET} --parallel=$(nproc)
+ make -j$(nproc)
+ make install
+popd
diff --git a/packages/cmake/spec b/packages/cmake/spec
new file mode 100644
index 00000000..42a6f956
--- /dev/null
+++ b/packages/cmake/spec
@@ -0,0 +1,4 @@
+---
+name: cmake
+files:
+- haproxy/cmake-*.tar.gz
diff --git a/packages/haproxy-awslc-fips-patched/packaging b/packages/haproxy-awslc-fips-patched/packaging
new file mode 100644
index 00000000..a778f30f
--- /dev/null
+++ b/packages/haproxy-awslc-fips-patched/packaging
@@ -0,0 +1,61 @@
+set -euxo pipefail
+
+LUA_VERSION=5.4.8 # https://www.lua.org/ftp/lua-5.4.8.tar.gz
+PCRE_VERSION=10.47 # https://github.com/PCRE2Project/pcre2/releases/download/pcre2-10.47/pcre2-10.47.tar.gz
+SOCAT_VERSION=1.8.1.1 # http://www.dest-unreach.org/socat/download/socat-1.8.1.1.tar.gz
+HAPROXY_VERSION=3.2.16 # https://www.haproxy.org/download/3.2/src/haproxy-3.2.16.tar.gz
+HATOP_VERSION=0.8.2 # https://github.com/jhunt/hatop/releases/download/v0.8.2/hatop
+
+mkdir ${BOSH_INSTALL_TARGET}/bin
+
+echo "Extracting lua..."
+tar xzf haproxy/lua-${LUA_VERSION}.tar.gz
+pushd lua-${LUA_VERSION}
+ make linux install INSTALL_TOP=${BOSH_INSTALL_TARGET}
+popd
+
+echo "Extracting pcre..."
+tar xzf haproxy/pcre2-${PCRE_VERSION}.tar.gz
+pushd pcre2-${PCRE_VERSION}
+ ./configure \
+ --enable-jit \
+ --prefix ${BOSH_INSTALL_TARGET}
+ make
+ make install
+popd
+
+echo "Installing socat..."
+tar xzf haproxy/socat-${SOCAT_VERSION}.tar.gz
+pushd socat-${SOCAT_VERSION}
+ ./configure
+ make
+ cp socat ${BOSH_INSTALL_TARGET}/bin
+ chmod 755 ${BOSH_INSTALL_TARGET}/bin/socat
+popd
+
+SSL_MAKE_FLAGS="USE_OPENSSL_AWSLC=1 SSL_INC=/var/vcap/packages/aws-lc-fips/include SSL_LIB=/var/vcap/packages/aws-lc-fips/lib"
+
+echo "Unpacking HAproxy..."
+tar xf haproxy/haproxy-${HAPROXY_VERSION}.tar.gz
+pushd haproxy-${HAPROXY_VERSION}
+ mkdir -p ${BOSH_INSTALL_TARGET}/applied-patches
+ tar xf ../haproxy/patches.tar.gz
+
+ for patchfile in haproxy-patches/*.patch; do
+ echo "Applying patch file ${patchfile}"
+ patch -F 0 -p0 < ${patchfile}
+ cp ${patchfile} ${BOSH_INSTALL_TARGET}/applied-patches
+ done
+ rm -r haproxy-patches
+
+ echo "Installing HAproxy..."
+ make TARGET=linux-glibc USE_PROMEX=1 ${SSL_MAKE_FLAGS} USE_PCRE2=1 USE_PCRE2_JIT=yes USE_STATIC_PCRE2=1 USE_ZLIB=1 PCRE2DIR=${BOSH_INSTALL_TARGET} USE_LUA=1 LUA_LIB=${BOSH_INSTALL_TARGET}/lib LUA_INC=${BOSH_INSTALL_TARGET}/include
+ cp haproxy ${BOSH_INSTALL_TARGET}/bin/
+ chmod 755 ${BOSH_INSTALL_TARGET}/bin/haproxy
+popd
+
+echo "Installing hatop..."
+cp haproxy/hatop-${HATOP_VERSION} ${BOSH_INSTALL_TARGET}/bin/hatop
+chmod 755 ${BOSH_INSTALL_TARGET}/bin/hatop
+cp hatop-wrapper ${BOSH_INSTALL_TARGET}/
+chmod 755 ${BOSH_INSTALL_TARGET}/hatop-wrapper
diff --git a/packages/haproxy-awslc-fips-patched/spec b/packages/haproxy-awslc-fips-patched/spec
new file mode 100644
index 00000000..7a7cd3d7
--- /dev/null
+++ b/packages/haproxy-awslc-fips-patched/spec
@@ -0,0 +1,12 @@
+---
+name: haproxy-awslc-fips-patched
+dependencies:
+- aws-lc-fips
+files:
+- haproxy/haproxy-*.tar.gz
+- haproxy/pcre2-*.tar.gz
+- haproxy/socat-*.tar.gz
+- haproxy/lua-*.tar.gz
+- haproxy/hatop-*
+- haproxy/patches.tar.gz
+- hatop-wrapper
diff --git a/packages/haproxy-awslc-fips/packaging b/packages/haproxy-awslc-fips/packaging
new file mode 100644
index 00000000..c0c9daff
--- /dev/null
+++ b/packages/haproxy-awslc-fips/packaging
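Review bot: The version pins at the top of the haproxy-awslc-fips-patched packaging script (`HAPROXY_VERSION=3.2.16`, `SOCAT_VERSION`, `PCRE_VERSION`, `LUA_VERSION`, `HATOP_VERSION`) are copied verbatim into all six haproxy-* packaging files added by this commit. A security bump therefore has to be repeated by hand in every copy, and a missed one ships an outdated component in that variant only. Whether the autobump script earlier in the series covers these new paths is not visible here and should be confirmed. Until the pins live in one shared place, a header comment such as `# Version pins must match packages/haproxy/packaging; bump every haproxy-* variant together` would at least flag the coupling. The same applies to the packaging files for haproxy-awslc-fips, haproxy-awslc-patched, haproxy-awslc, haproxy-openssl-patched and haproxy-openssl.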
@@ -0,0 +1,51 @@
+set -euxo pipefail
+
+LUA_VERSION=5.4.8 # https://www.lua.org/ftp/lua-5.4.8.tar.gz
+PCRE_VERSION=10.47 # https://github.com/PCRE2Project/pcre2/releases/download/pcre2-10.47/pcre2-10.47.tar.gz
+SOCAT_VERSION=1.8.1.1 # http://www.dest-unreach.org/socat/download/socat-1.8.1.1.tar.gz
+HAPROXY_VERSION=3.2.16 # https://www.haproxy.org/download/3.2/src/haproxy-3.2.16.tar.gz
+HATOP_VERSION=0.8.2 # https://github.com/jhunt/hatop/releases/download/v0.8.2/hatop
+
+mkdir ${BOSH_INSTALL_TARGET}/bin
+
+echo "Extracting lua..."
+tar xzf haproxy/lua-${LUA_VERSION}.tar.gz
+pushd lua-${LUA_VERSION}
+ make linux install INSTALL_TOP=${BOSH_INSTALL_TARGET}
+popd
+
+echo "Extracting pcre..."
+tar xzf haproxy/pcre2-${PCRE_VERSION}.tar.gz
+pushd pcre2-${PCRE_VERSION}
+ ./configure \
+ --enable-jit \
+ --prefix ${BOSH_INSTALL_TARGET}
+ make
+ make install
+popd
+
+echo "Installing socat..."
+tar xzf haproxy/socat-${SOCAT_VERSION}.tar.gz
+pushd socat-${SOCAT_VERSION}
+ ./configure
+ make
+ cp socat ${BOSH_INSTALL_TARGET}/bin
+ chmod 755 ${BOSH_INSTALL_TARGET}/bin/socat
+popd
+
+SSL_MAKE_FLAGS="USE_OPENSSL_AWSLC=1 SSL_INC=/var/vcap/packages/aws-lc-fips/include SSL_LIB=/var/vcap/packages/aws-lc-fips/lib"
+
+echo "Unpacking HAproxy..."
+tar xf haproxy/haproxy-${HAPROXY_VERSION}.tar.gz
+pushd haproxy-${HAPROXY_VERSION}
+ echo "Installing HAproxy..."
+ make TARGET=linux-glibc USE_PROMEX=1 ${SSL_MAKE_FLAGS} USE_PCRE2=1 USE_PCRE2_JIT=yes USE_STATIC_PCRE2=1 USE_ZLIB=1 PCRE2DIR=${BOSH_INSTALL_TARGET} USE_LUA=1 LUA_LIB=${BOSH_INSTALL_TARGET}/lib LUA_INC=${BOSH_INSTALL_TARGET}/include
+ cp haproxy ${BOSH_INSTALL_TARGET}/bin/
+ chmod 755 ${BOSH_INSTALL_TARGET}/bin/haproxy
+popd
+
+echo "Installing hatop..."
+cp haproxy/hatop-${HATOP_VERSION} ${BOSH_INSTALL_TARGET}/bin/hatop
+chmod 755 ${BOSH_INSTALL_TARGET}/bin/hatop
+cp hatop-wrapper ${BOSH_INSTALL_TARGET}/
+chmod 755 ${BOSH_INSTALL_TARGET}/hatop-wrapper
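Review bot: After the `make ... ${SSL_MAKE_FLAGS}` step nothing confirms that the binary was really built against the library under `/var/vcap/packages/aws-lc-fips`, which matters because the package name promises a FIPS build. A check right after `cp haproxy ${BOSH_INSTALL_TARGET}/bin/`, for example `${BOSH_INSTALL_TARGET}/bin/haproxy -vv | grep 'AWS-LC' > /dev/null || { echo "haproxy not built against AWS-LC" >&2; exit 1; }`, would fail the compile if the SSL paths are wrong. The exact string to match should be confirmed against real `haproxy -vv` output for the FIPS library. The haproxy-awslc-fips-patched, haproxy-awslc-patched and haproxy-awslc packaging scripts have the same gap.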
diff --git a/packages/haproxy-awslc-fips/spec b/packages/haproxy-awslc-fips/spec
new file mode 100644
index 00000000..ae1138b8
--- /dev/null
+++ b/packages/haproxy-awslc-fips/spec
@@ -0,0 +1,11 @@
+---
+name: haproxy-awslc-fips
+dependencies:
+- aws-lc-fips
+files:
+- haproxy/haproxy-*.tar.gz
+- haproxy/pcre2-*.tar.gz
+- haproxy/socat-*.tar.gz
+- haproxy/lua-*.tar.gz
+- haproxy/hatop-*
+- hatop-wrapper
diff --git a/packages/haproxy-awslc-patched/packaging b/packages/haproxy-awslc-patched/packaging
new file mode 100644
index 00000000..c29af677
--- /dev/null
+++ b/packages/haproxy-awslc-patched/packaging
@@ -0,0 +1,61 @@
+set -euxo pipefail
+
+LUA_VERSION=5.4.8 # https://www.lua.org/ftp/lua-5.4.8.tar.gz
+PCRE_VERSION=10.47 # https://github.com/PCRE2Project/pcre2/releases/download/pcre2-10.47/pcre2-10.47.tar.gz
+SOCAT_VERSION=1.8.1.1 # http://www.dest-unreach.org/socat/download/socat-1.8.1.1.tar.gz
+HAPROXY_VERSION=3.2.16 # https://www.haproxy.org/download/3.2/src/haproxy-3.2.16.tar.gz
+HATOP_VERSION=0.8.2 # https://github.com/jhunt/hatop/releases/download/v0.8.2/hatop
+
+mkdir ${BOSH_INSTALL_TARGET}/bin
+
+echo "Extracting lua..."
+tar xzf haproxy/lua-${LUA_VERSION}.tar.gz
+pushd lua-${LUA_VERSION}
+ make linux install INSTALL_TOP=${BOSH_INSTALL_TARGET}
+popd
+
+echo "Extracting pcre..."
+tar xzf haproxy/pcre2-${PCRE_VERSION}.tar.gz
+pushd pcre2-${PCRE_VERSION}
+ ./configure \
+ --enable-jit \
+ --prefix ${BOSH_INSTALL_TARGET}
+ make
+ make install
+popd
+
+echo "Installing socat..."
+tar xzf haproxy/socat-${SOCAT_VERSION}.tar.gz
+pushd socat-${SOCAT_VERSION}
+ ./configure
+ make
+ cp socat ${BOSH_INSTALL_TARGET}/bin
+ chmod 755 ${BOSH_INSTALL_TARGET}/bin/socat
+popd
+
+SSL_MAKE_FLAGS="USE_OPENSSL_AWSLC=1 SSL_INC=/var/vcap/packages/aws-lc/include SSL_LIB=/var/vcap/packages/aws-lc/lib"
+
+echo "Unpacking HAproxy..."
+tar xf haproxy/haproxy-${HAPROXY_VERSION}.tar.gz
+pushd haproxy-${HAPROXY_VERSION}
+ mkdir -p ${BOSH_INSTALL_TARGET}/applied-patches
+ tar xf ../haproxy/patches.tar.gz
+
+ for patchfile in haproxy-patches/*.patch; do
+ echo "Applying patch file ${patchfile}"
+ patch -F 0 -p0 < ${patchfile}
+ cp ${patchfile} ${BOSH_INSTALL_TARGET}/applied-patches
+ done
+ rm -r haproxy-patches
+
+ echo "Installing HAproxy..."
+ make TARGET=linux-glibc USE_PROMEX=1 ${SSL_MAKE_FLAGS} USE_PCRE2=1 USE_PCRE2_JIT=yes USE_STATIC_PCRE2=1 USE_ZLIB=1 PCRE2DIR=${BOSH_INSTALL_TARGET} USE_LUA=1 LUA_LIB=${BOSH_INSTALL_TARGET}/lib LUA_INC=${BOSH_INSTALL_TARGET}/include
+ cp haproxy ${BOSH_INSTALL_TARGET}/bin/
+ chmod 755 ${BOSH_INSTALL_TARGET}/bin/haproxy
+popd
+
+echo "Installing hatop..."
+cp haproxy/hatop-${HATOP_VERSION} ${BOSH_INSTALL_TARGET}/bin/hatop
+chmod 755 ${BOSH_INSTALL_TARGET}/bin/hatop
+cp hatop-wrapper ${BOSH_INSTALL_TARGET}/
+chmod 755 ${BOSH_INSTALL_TARGET}/hatop-wrapper
diff --git a/packages/haproxy-awslc-patched/spec b/packages/haproxy-awslc-patched/spec
new file mode 100644
index 00000000..4372e0d4
--- /dev/null
+++ b/packages/haproxy-awslc-patched/spec
@@ -0,0 +1,12 @@
+---
+name: haproxy-awslc-patched
+dependencies:
+- aws-lc
+files:
+- haproxy/haproxy-*.tar.gz
+- haproxy/pcre2-*.tar.gz
+- haproxy/socat-*.tar.gz
+- haproxy/lua-*.tar.gz
+- haproxy/hatop-*
+- haproxy/patches.tar.gz
+- hatop-wrapper
diff --git a/packages/haproxy-awslc/packaging b/packages/haproxy-awslc/packaging
new file mode 100644
index 00000000..73b80581
--- /dev/null
+++ b/packages/haproxy-awslc/packaging
@@ -0,0 +1,51 @@
+set -euxo pipefail
+
+LUA_VERSION=5.4.8 # https://www.lua.org/ftp/lua-5.4.8.tar.gz
+PCRE_VERSION=10.47 # https://github.com/PCRE2Project/pcre2/releases/download/pcre2-10.47/pcre2-10.47.tar.gz
+SOCAT_VERSION=1.8.1.1 # http://www.dest-unreach.org/socat/download/socat-1.8.1.1.tar.gz
+HAPROXY_VERSION=3.2.16 # https://www.haproxy.org/download/3.2/src/haproxy-3.2.16.tar.gz
+HATOP_VERSION=0.8.2 # https://github.com/jhunt/hatop/releases/download/v0.8.2/hatop
+
+mkdir ${BOSH_INSTALL_TARGET}/bin
+
+echo "Extracting lua..."
+tar xzf haproxy/lua-${LUA_VERSION}.tar.gz
+pushd lua-${LUA_VERSION}
+ make linux install INSTALL_TOP=${BOSH_INSTALL_TARGET}
+popd
+
+echo "Extracting pcre..."
+tar xzf haproxy/pcre2-${PCRE_VERSION}.tar.gz
+pushd pcre2-${PCRE_VERSION}
+ ./configure \
+ --enable-jit \
+ --prefix ${BOSH_INSTALL_TARGET}
+ make
+ make install
+popd
+
+echo "Installing socat..."
+tar xzf haproxy/socat-${SOCAT_VERSION}.tar.gz
+pushd socat-${SOCAT_VERSION}
+ ./configure
+ make
+ cp socat ${BOSH_INSTALL_TARGET}/bin
+ chmod 755 ${BOSH_INSTALL_TARGET}/bin/socat
+popd
+
+SSL_MAKE_FLAGS="USE_OPENSSL_AWSLC=1 SSL_INC=/var/vcap/packages/aws-lc/include SSL_LIB=/var/vcap/packages/aws-lc/lib"
+
+echo "Unpacking HAproxy..."
+tar xf haproxy/haproxy-${HAPROXY_VERSION}.tar.gz
+pushd haproxy-${HAPROXY_VERSION}
+ echo "Installing HAproxy..."
+ make TARGET=linux-glibc USE_PROMEX=1 ${SSL_MAKE_FLAGS} USE_PCRE2=1 USE_PCRE2_JIT=yes USE_STATIC_PCRE2=1 USE_ZLIB=1 PCRE2DIR=${BOSH_INSTALL_TARGET} USE_LUA=1 LUA_LIB=${BOSH_INSTALL_TARGET}/lib LUA_INC=${BOSH_INSTALL_TARGET}/include
+ cp haproxy ${BOSH_INSTALL_TARGET}/bin/
+ chmod 755 ${BOSH_INSTALL_TARGET}/bin/haproxy
+popd
+
+echo "Installing hatop..."
+cp haproxy/hatop-${HATOP_VERSION} ${BOSH_INSTALL_TARGET}/bin/hatop
+chmod 755 ${BOSH_INSTALL_TARGET}/bin/hatop
+cp hatop-wrapper ${BOSH_INSTALL_TARGET}/
+chmod 755 ${BOSH_INSTALL_TARGET}/hatop-wrapper
diff --git a/packages/haproxy-awslc/spec b/packages/haproxy-awslc/spec
new file mode 100644
index 00000000..0c1444b0
--- /dev/null
+++ b/packages/haproxy-awslc/spec
@@ -0,0 +1,11 @@
+---
+name: haproxy-awslc
+dependencies:
+- aws-lc
+files:
+- haproxy/haproxy-*.tar.gz
+- haproxy/pcre2-*.tar.gz
+- haproxy/socat-*.tar.gz
+- haproxy/lua-*.tar.gz
+- haproxy/hatop-*
+- hatop-wrapper
diff --git a/packages/haproxy-openssl-patched/packaging b/packages/haproxy-openssl-patched/packaging
new file mode 100644
index 00000000..a4dc28c8
--- /dev/null
+++ b/packages/haproxy-openssl-patched/packaging
@@ -0,0 +1,61 @@
+set -euxo pipefail
+
+LUA_VERSION=5.4.8 # https://www.lua.org/ftp/lua-5.4.8.tar.gz
+PCRE_VERSION=10.47 # https://github.com/PCRE2Project/pcre2/releases/download/pcre2-10.47/pcre2-10.47.tar.gz
+SOCAT_VERSION=1.8.1.1 # http://www.dest-unreach.org/socat/download/socat-1.8.1.1.tar.gz
+HAPROXY_VERSION=3.2.16 # https://www.haproxy.org/download/3.2/src/haproxy-3.2.16.tar.gz
+HATOP_VERSION=0.8.2 # https://github.com/jhunt/hatop/releases/download/v0.8.2/hatop
+
+mkdir ${BOSH_INSTALL_TARGET}/bin
+
+echo "Extracting lua..."
+tar xzf haproxy/lua-${LUA_VERSION}.tar.gz
+pushd lua-${LUA_VERSION}
+ make linux install INSTALL_TOP=${BOSH_INSTALL_TARGET}
+popd
+
+echo "Extracting pcre..."
+tar xzf haproxy/pcre2-${PCRE_VERSION}.tar.gz
+pushd pcre2-${PCRE_VERSION}
+ ./configure \
+ --enable-jit \
+ --prefix ${BOSH_INSTALL_TARGET}
+ make
+ make install
+popd
+
+echo "Installing socat..."
+tar xzf haproxy/socat-${SOCAT_VERSION}.tar.gz
+pushd socat-${SOCAT_VERSION}
+ ./configure
+ make
+ cp socat ${BOSH_INSTALL_TARGET}/bin
+ chmod 755 ${BOSH_INSTALL_TARGET}/bin/socat
+popd
+
+SSL_MAKE_FLAGS="USE_OPENSSL=1"
+
+echo "Unpacking HAproxy..."
+tar xf haproxy/haproxy-${HAPROXY_VERSION}.tar.gz
+pushd haproxy-${HAPROXY_VERSION}
+ mkdir -p ${BOSH_INSTALL_TARGET}/applied-patches
+ tar xf ../haproxy/patches.tar.gz
+
+ for patchfile in haproxy-patches/*.patch; do
+ echo "Applying patch file ${patchfile}"
+ patch -F 0 -p0 < ${patchfile}
+ cp ${patchfile} ${BOSH_INSTALL_TARGET}/applied-patches
+ done
+ rm -r haproxy-patches
+
+ echo "Installing HAproxy..."
+ make TARGET=linux-glibc USE_PROMEX=1 ${SSL_MAKE_FLAGS} USE_PCRE2=1 USE_PCRE2_JIT=yes USE_STATIC_PCRE2=1 USE_ZLIB=1 PCRE2DIR=${BOSH_INSTALL_TARGET} USE_LUA=1 LUA_LIB=${BOSH_INSTALL_TARGET}/lib LUA_INC=${BOSH_INSTALL_TARGET}/include
+ cp haproxy ${BOSH_INSTALL_TARGET}/bin/
+ chmod 755 ${BOSH_INSTALL_TARGET}/bin/haproxy
+popd
+
+echo "Installing hatop..."
+cp haproxy/hatop-${HATOP_VERSION} ${BOSH_INSTALL_TARGET}/bin/hatop
+chmod 755 ${BOSH_INSTALL_TARGET}/bin/hatop
+cp hatop-wrapper ${BOSH_INSTALL_TARGET}/
+chmod 755 ${BOSH_INSTALL_TARGET}/hatop-wrapper
diff --git a/packages/haproxy-openssl-patched/spec b/packages/haproxy-openssl-patched/spec
new file mode 100644
index 00000000..39a37282
--- /dev/null
+++ b/packages/haproxy-openssl-patched/spec
@@ -0,0 +1,10 @@
+---
+name: haproxy-openssl-patched
+files:
+- haproxy/haproxy-*.tar.gz
+- haproxy/pcre2-*.tar.gz
+- haproxy/socat-*.tar.gz
+- haproxy/lua-*.tar.gz
+- haproxy/hatop-*
+- haproxy/patches.tar.gz
+- hatop-wrapper
diff --git a/packages/haproxy-openssl/packaging b/packages/haproxy-openssl/packaging
new file mode 100644
index 00000000..baceb70a
--- /dev/null
+++ b/packages/haproxy-openssl/packaging
@@ -0,0 +1,51 @@
+set -euxo pipefail
+
+LUA_VERSION=5.4.8 # https://www.lua.org/ftp/lua-5.4.8.tar.gz
+PCRE_VERSION=10.47 # https://github.com/PCRE2Project/pcre2/releases/download/pcre2-10.47/pcre2-10.47.tar.gz
+SOCAT_VERSION=1.8.1.1 # http://www.dest-unreach.org/socat/download/socat-1.8.1.1.tar.gz
+HAPROXY_VERSION=3.2.16 # https://www.haproxy.org/download/3.2/src/haproxy-3.2.16.tar.gz
+HATOP_VERSION=0.8.2 # https://github.com/jhunt/hatop/releases/download/v0.8.2/hatop
+
+mkdir ${BOSH_INSTALL_TARGET}/bin
+
+echo "Extracting lua..."
+tar xzf haproxy/lua-${LUA_VERSION}.tar.gz
+pushd lua-${LUA_VERSION}
+ make linux install INSTALL_TOP=${BOSH_INSTALL_TARGET}
+popd
+
+echo "Extracting pcre..."
+tar xzf haproxy/pcre2-${PCRE_VERSION}.tar.gz
+pushd pcre2-${PCRE_VERSION}
+ ./configure \
+ --enable-jit \
+ --prefix ${BOSH_INSTALL_TARGET}
+ make
+ make install
+popd
+
+echo "Installing socat..."
+tar xzf haproxy/socat-${SOCAT_VERSION}.tar.gz
+pushd socat-${SOCAT_VERSION}
+ ./configure
+ make
+ cp socat ${BOSH_INSTALL_TARGET}/bin
+ chmod 755 ${BOSH_INSTALL_TARGET}/bin/socat
+popd
+
+SSL_MAKE_FLAGS="USE_OPENSSL=1"
+
+echo "Unpacking HAproxy..."
+tar xf haproxy/haproxy-${HAPROXY_VERSION}.tar.gz
+pushd haproxy-${HAPROXY_VERSION}
+ echo "Installing HAproxy..."
+ make TARGET=linux-glibc USE_PROMEX=1 ${SSL_MAKE_FLAGS} USE_PCRE2=1 USE_PCRE2_JIT=yes USE_STATIC_PCRE2=1 USE_ZLIB=1 PCRE2DIR=${BOSH_INSTALL_TARGET} USE_LUA=1 LUA_LIB=${BOSH_INSTALL_TARGET}/lib LUA_INC=${BOSH_INSTALL_TARGET}/include
+ cp haproxy ${BOSH_INSTALL_TARGET}/bin/
+ chmod 755 ${BOSH_INSTALL_TARGET}/bin/haproxy
+popd
+
+echo "Installing hatop..."
+cp haproxy/hatop-${HATOP_VERSION} ${BOSH_INSTALL_TARGET}/bin/hatop
+chmod 755 ${BOSH_INSTALL_TARGET}/bin/hatop
+cp hatop-wrapper ${BOSH_INSTALL_TARGET}/
+chmod 755 ${BOSH_INSTALL_TARGET}/hatop-wrapper
diff --git a/packages/haproxy-openssl/spec b/packages/haproxy-openssl/spec
new file mode 100644
index 00000000..d02f5f2e
--- /dev/null
+++ b/packages/haproxy-openssl/spec
@@ -0,0 +1,9 @@ +--- +name: haproxy-openssl +files: +- haproxy/haproxy-*.tar.gz +- haproxy/pcre2-*.tar.gz +- haproxy/socat-*.tar.gz +- haproxy/lua-*.tar.gz +- haproxy/hatop-* +- hatop-wrapper From 321a76300e162b272938d5ca500b57b7365e260e Mon Sep 17 00:00:00 2001 From: Clemens Hoffmann Date: Wed, 6 May 2026 12:59:32 +0200 Subject: [PATCH 12/20] Minor fix --- scripts/dev-build.sh | 60 ++++++++++++++++++++++++++++++++++++-------- 1 file changed, 49 insertions(+), 11 deletions(-) diff --git a/scripts/dev-build.sh b/scripts/dev-build.sh index 09a052c2..1c6e0960 100755 --- a/scripts/dev-build.sh +++ b/scripts/dev-build.sh @@ -4,13 +4,20 @@ # # Builds HAProxy release variants locally and uploads them to the BOSH director. # -# Usage: ./dev-build.sh [--upload-only] [version] [output_dir] [variant...] +# Usage: ./scripts/dev-build.sh [--upload-only] [--version VERSION] [--output-dir DIR] [variant...] # # Variants: # openssl, openssl-patched, awslc, awslc-patched, awslc-fips, awslc-fips-patched, multi # # If no variants are specified, all 7 are built. # +# Examples: +# ./scripts/dev-build.sh # build all 7, version=dev +# ./scripts/dev-build.sh multi # build only multi, version=dev +# ./scripts/dev-build.sh --version 1.0 multi # build only multi, version=1.0 +# ./scripts/dev-build.sh awslc awslc-fips # build awslc and awslc-fips +# ./scripts/dev-build.sh --upload-only # upload previously built releases +# # Prerequisites: # - All blobs present locally (bosh add-blob done for aws-lc, cmake, golang, aws-lc-fips) # - haproxy-patches/ directory exists with .patch files 
@@ -21,19 +28,50 @@ set -euo pipefail SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" cd "$SCRIPT_DIR/.." -UPLOAD_ONLY=false -if [[ "${1:-}" == "--upload-only" ]]; then - UPLOAD_ONLY=true - shift -fi +ALL_VARIANTS=(openssl openssl-patched awslc awslc-patched awslc-fips awslc-fips-patched multi) -VERSION="${1:-dev}" -OUTPUT_DIR="${2:-./dev-releases}" -shift 2 2>/dev/null || true +is_variant() { + local arg="$1" + for v in "${ALL_VARIANTS[@]}"; do + [[ "$v" == "$arg" ]] && return 0 + done + return 1 +} + +UPLOAD_ONLY=false +VERSION="dev" +OUTPUT_DIR="./dev-releases" +VARIANTS=() + +while [[ $# -gt 0 ]]; do + case "$1" in + --upload-only) + UPLOAD_ONLY=true + shift + ;; + --version) + VERSION="$2" + shift 2 + ;; + --output-dir) + OUTPUT_DIR="$2" + shift 2 + ;; + *) + if is_variant "$1"; then + VARIANTS+=("$1") + else + echo "Unknown argument: $1" >&2 + echo "Valid variants: ${ALL_VARIANTS[*]}" >&2 + exit 1 + fi + shift + ;; + esac +done -VARIANTS=("$@") if [[ ${#VARIANTS[@]} -eq 0 ]]; then - VARIANTS=(openssl openssl-patched awslc awslc-patched awslc-fips awslc-fips-patched multi) + VARIANTS=("${ALL_VARIANTS[@]}") fi should_build() { From 8f2ab0c7f943c442cfca9e8c59fcd5a65b4ccf1f Mon Sep 17 00:00:00 2001 From: Clemens Hoffmann Date: Wed, 6 May 2026 13:09:44 +0200 Subject: [PATCH 13/20] Fix dev-build.sh: argument parsing, patches blob, and cd path --- scripts/dev-build.sh | 18 ++++++++++-------- 1 file changed, 10 insertions(+), 8 deletions(-) diff --git a/scripts/dev-build.sh b/scripts/dev-build.sh index 1c6e0960..813b7a55 100755 --- a/scripts/dev-build.sh +++ b/scripts/dev-build.sh 
@@ -101,15 +101,17 @@ trap cleanup EXIT reset_spec() { echo "$SPEC_ORIG" > "$SPEC_FILE" echo "$JOB_SPEC_ORIG" > "$JOB_SPEC_FILE" - rm -f haproxy-patches.tar.gz } -add_patches() { +add_patches_to_spec() { echo "- haproxy/patches.tar.gz" >> "$SPEC_FILE" - tar -czf haproxy-patches.tar.gz haproxy-patches - bosh add-blob haproxy-patches.tar.gz haproxy/patches.tar.gz } +# Always create and register the patches blob upfront. +# The patched variant packages (which are always present in packages/) reference it. +tar -czf haproxy-patches.tar.gz haproxy-patches +bosh add-blob haproxy-patches.tar.gz haproxy/patches.tar.gz + build_release() { local variant="$1" local version="$VERSION" @@ -139,7 +141,7 @@ fi # --- 2. OpenSSL + Patched --- if should_build openssl-patched; then reset_spec - add_patches + add_patches_to_spec build_release "patched" fi @@ -154,7 +156,7 @@ fi # --- 4. AWS-LC + Patched --- if should_build awslc-patched; then reset_spec - add_patches + add_patches_to_spec echo "- haproxy/aws-lc-v*.tar.gz" >> "$SPEC_FILE" echo "- haproxy/cmake-*.tar.gz" >> "$SPEC_FILE" build_release "awslc-patched" @@ -172,7 +174,7 @@ fi # --- 6. AWS-LC FIPS + Patched --- if should_build awslc-fips-patched; then reset_spec - add_patches + add_patches_to_spec echo "- haproxy/aws-lc-fips-*.tar.gz" >> "$SPEC_FILE" echo "- haproxy/cmake-*.tar.gz" >> "$SPEC_FILE" echo "- haproxy/golang-*.tar.gz" >> "$SPEC_FILE" @@ -186,7 +188,7 @@ if should_build multi; then sed -i.bak 's/^- haproxy$/- haproxy-openssl\n- haproxy-openssl-patched\n- haproxy-awslc\n- haproxy-awslc-patched\n- haproxy-awslc-fips\n- haproxy-awslc-fips-patched/' "$JOB_SPEC_FILE" rm -f "${JOB_SPEC_FILE}.bak" # Include patches blob for patched variant packages - add_patches + add_patches_to_spec build_release "multi" fi From 41fbdd998d4297dc1632957338aaf85a17c8ff5b Mon Sep 17 00:00:00 2001 
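Review bot: With `tar` and `bosh add-blob` moved to run unconditionally, every invocation, including a plain `openssl` build, now registers `haproxy/patches.tar.gz`, and nothing undoes that registration on exit. The `cleanup` trap, defined outside this hunk, restores only the two spec files and deletes the local tarball. The blob entry that `bosh add-blob` records (normally in `config/blobs.yml`) therefore stays in the working tree and can be committed by accident. Adding `bosh remove-blob haproxy/patches.tar.gz || true` to `cleanup` would undo it.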
From: Clemens Hoffmann Date: Wed, 6 May 2026 14:13:01 +0200 Subject: [PATCH 14/20] Move variant packages to packages-multi/ to fix release tarball bloat Individual releases now only include the base haproxy package; multi build copies variant packages in dynamically. --- ci/scripts/functions-ci.sh | 3 +- ci/scripts/shipit | 39 ++++++++----------- .../aws-lc-fips/packaging | 0 {packages => packages-multi}/aws-lc-fips/spec | 0 {packages => packages-multi}/aws-lc/packaging | 0 {packages => packages-multi}/aws-lc/spec | 0 {packages => packages-multi}/cmake/packaging | 0 {packages => packages-multi}/cmake/spec | 0 .../haproxy-awslc-fips-patched/packaging | 0 .../haproxy-awslc-fips-patched/spec | 0 .../haproxy-awslc-fips/packaging | 0 .../haproxy-awslc-fips/spec | 0 .../haproxy-awslc-patched/packaging | 0 .../haproxy-awslc-patched/spec | 0 .../haproxy-awslc/packaging | 0 .../haproxy-awslc/spec | 0 .../haproxy-openssl-patched/packaging | 0 .../haproxy-openssl-patched/spec | 0 .../haproxy-openssl/packaging | 0 .../haproxy-openssl/spec | 0 scripts/dev-build.sh | 29 ++++++++++---- 21 files changed, 39 insertions(+), 32 deletions(-) rename {packages => packages-multi}/aws-lc-fips/packaging (100%) rename {packages => packages-multi}/aws-lc-fips/spec (100%) rename {packages => packages-multi}/aws-lc/packaging (100%) rename {packages => packages-multi}/aws-lc/spec (100%) rename {packages => packages-multi}/cmake/packaging (100%) rename {packages => packages-multi}/cmake/spec (100%) rename {packages => packages-multi}/haproxy-awslc-fips-patched/packaging (100%) rename {packages => packages-multi}/haproxy-awslc-fips-patched/spec (100%) rename {packages => packages-multi}/haproxy-awslc-fips/packaging (100%) rename {packages => packages-multi}/haproxy-awslc-fips/spec (100%) rename {packages => packages-multi}/haproxy-awslc-patched/packaging (100%) rename {packages => packages-multi}/haproxy-awslc-patched/spec (100%) rename {packages => packages-multi}/haproxy-awslc/packaging (100%) 
rename {packages => packages-multi}/haproxy-awslc/spec (100%) rename {packages => packages-multi}/haproxy-openssl-patched/packaging (100%) rename {packages => packages-multi}/haproxy-openssl-patched/spec (100%) rename {packages => packages-multi}/haproxy-openssl/packaging (100%) rename {packages => packages-multi}/haproxy-openssl/spec (100%) diff --git a/ci/scripts/functions-ci.sh b/ci/scripts/functions-ci.sh index 1cdcf3f7..3ec9e1b4 100755 --- a/ci/scripts/functions-ci.sh +++ b/ci/scripts/functions-ci.sh @@ -56,9 +56,10 @@ function bosh_release() { if [ "${HAPROXY_MULTI:-}" == "true" ]; then echo "----- Building multi release (all variants, property-driven selection)..." - sed -i 's/^- haproxy$/- haproxy-openssl\n- haproxy-openssl-patched\n- haproxy-awslc\n- haproxy-awslc-patched\n- haproxy-awslc-fips\n- haproxy-awslc-fips-patched/' jobs/haproxy/spec + cp -r packages-multi/* packages/ tar -czvf haproxy-patches.tar.gz haproxy-patches bosh add-blob haproxy-patches.tar.gz haproxy/patches.tar.gz + sed -i 's/^- haproxy$/- haproxy-openssl\n- haproxy-openssl-patched\n- haproxy-awslc\n- haproxy-awslc-patched\n- haproxy-awslc-fips\n- haproxy-awslc-fips-patched/' jobs/haproxy/spec elif [ "${HAPROXY_AWSLC_FIPS:-}" == "true" ]; then echo "----- Adding AWS-LC FIPS blobs to haproxy package spec..." echo "- haproxy/aws-lc-fips-*.tar.gz" >> packages/haproxy/spec diff --git a/ci/scripts/shipit b/ci/scripts/shipit index ef190d1a..48e6407d 100755 --- a/ci/scripts/shipit +++ b/ci/scripts/shipit @@ -63,6 +63,11 @@ header "Pulling in any git submodules..." git submodule update --init --recursive --force cd - +ensure_patches_blob() { + tar -czvf haproxy-patches.tar.gz haproxy-patches + bosh add-blob haproxy-patches.tar.gz haproxy/patches.tar.gz +} + version() { # extract the version variable $1 from the packaging script $2 (default 'haproxy') pattern='s/VERSION=(.*)(\s?#.*)/\1/p' 
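Review bot: `ensure_patches_blob` in the shipit hunk re-creates the archive with plain `tar -czvf` on every call, so the output is not guaranteed to be byte-identical across the four patched variants of one release. The archive embeds file metadata and gzip may record a timestamp, so `haproxy/patches.tar.gz` can end up with a different digest per variant even though the patch set is the same. That makes it harder to confirm afterwards that all variants were built from the same patches. A deterministic archive, e.g. `tar --sort=name --mtime='@0' --owner=0 --group=0 --numeric-owner -cf - haproxy-patches | gzip -n > haproxy-patches.tar.gz`, gives one stable checksum. These are GNU tar options, so the CI image would need to provide them.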
@@ -85,6 +90,9 @@ VERSION="${VERSION_TO_CREATE}+${HAPROXY_VERSION}" cd "${REPO_ROOT}" header "Create final release..." + +bosh upload-blobs + bosh -n create-release --final --version "${VERSION}" bosh -n create-release "releases/${RELEASE_NAME}/${RELEASE_NAME}-${VERSION}.yml" \ --tarball "releases/${RELEASE_NAME}/${RELEASE_NAME}-${VERSION}.tgz" @@ -176,16 +184,14 @@ pushd "${REPO_ROOT}" git status git commit -m "release v${VERSION}" - # After creating a final release we will also create a dev release patches from haproxy-patches directory - echo "- haproxy/patches.tar.gz" >> packages/haproxy/spec - tar -czvf haproxy-patches.tar.gz haproxy-patches - bosh add-blob haproxy-patches.tar.gz haproxy/patches.tar.gz - bosh upload-blobs + # Create additional release variants. + # --- OpenSSL + Patched --- + ensure_patches_blob + echo "- haproxy/patches.tar.gz" >> packages/haproxy/spec bosh -n create-release --force --version "${VERSION}-patched" \ --tarball "../${RELEASE_NAME}-${VERSION}-patched.tgz" - # Undo changes to repo from creating dev release git clean -df git reset --hard @@ -196,22 +202,18 @@ pushd "${REPO_ROOT}" bosh -n create-release --force --version "${VERSION}-awslc" \ --tarball "../${RELEASE_NAME}-${VERSION}-awslc.tgz" - # Undo changes to repo from creating dev release git clean -df git reset --hard # --- AWS-LC + Patched variant --- + ensure_patches_blob echo "- haproxy/patches.tar.gz" >> packages/haproxy/spec echo "- haproxy/aws-lc-v*.tar.gz" >> packages/haproxy/spec echo "- haproxy/cmake-*.tar.gz" >> packages/haproxy/spec - tar -czvf haproxy-patches.tar.gz haproxy-patches - bosh add-blob haproxy-patches.tar.gz haproxy/patches.tar.gz - bosh upload-blobs bosh -n create-release --force --version "${VERSION}-awslc-patched" \ --tarball "../${RELEASE_NAME}-${VERSION}-awslc-patched.tgz" - # Undo changes to repo from creating dev release git clean -df git reset --hard 
@@ -223,39 +225,30 @@ pushd "${REPO_ROOT}" bosh -n create-release --force --version "${VERSION}-awslc-fips" \ --tarball "../${RELEASE_NAME}-${VERSION}-awslc-fips.tgz" - # Undo changes to repo from creating dev release git clean -df git reset --hard # --- AWS-LC FIPS + Patched variant --- + ensure_patches_blob echo "- haproxy/patches.tar.gz" >> packages/haproxy/spec echo "- haproxy/aws-lc-fips-*.tar.gz" >> packages/haproxy/spec echo "- haproxy/cmake-*.tar.gz" >> packages/haproxy/spec echo "- haproxy/golang-*.tar.gz" >> packages/haproxy/spec - tar -czvf haproxy-patches.tar.gz haproxy-patches - bosh add-blob haproxy-patches.tar.gz haproxy/patches.tar.gz - bosh upload-blobs bosh -n create-release --force --version "${VERSION}-awslc-fips-patched" \ --tarball "../${RELEASE_NAME}-${VERSION}-awslc-fips-patched.tgz" - # Undo changes to repo from creating dev release git clean -df git reset --hard # --- Multi release (all variants, property-driven selection) --- - # Modify job spec to list all variant packages + cp -r packages-multi/* packages/ + ensure_patches_blob sed -i 's/^- haproxy$/- haproxy-openssl\n- haproxy-openssl-patched\n- haproxy-awslc\n- haproxy-awslc-patched\n- haproxy-awslc-fips\n- haproxy-awslc-fips-patched/' jobs/haproxy/spec - # Include patches blob for patched variant packages - tar -czvf haproxy-patches.tar.gz haproxy-patches - bosh add-blob haproxy-patches.tar.gz haproxy/patches.tar.gz - bosh upload-blobs - bosh -n create-release --force --version "${VERSION}-multi" \ --tarball "../${RELEASE_NAME}-${VERSION}-multi.tgz" - # Undo changes to repo from creating dev release git clean -df git reset --hard popd diff --git a/packages/aws-lc-fips/packaging b/packages-multi/aws-lc-fips/packaging similarity index 100% rename from packages/aws-lc-fips/packaging rename to packages-multi/aws-lc-fips/packaging 
diff --git a/packages/aws-lc-fips/spec b/packages-multi/aws-lc-fips/spec similarity index 100% rename from packages/aws-lc-fips/spec rename to packages-multi/aws-lc-fips/spec diff --git a/packages/aws-lc/packaging b/packages-multi/aws-lc/packaging similarity index 100% rename from packages/aws-lc/packaging rename to packages-multi/aws-lc/packaging diff --git a/packages/aws-lc/spec b/packages-multi/aws-lc/spec similarity index 100% rename from packages/aws-lc/spec rename to packages-multi/aws-lc/spec diff --git a/packages/cmake/packaging b/packages-multi/cmake/packaging similarity index 100% rename from packages/cmake/packaging rename to packages-multi/cmake/packaging diff --git a/packages/cmake/spec b/packages-multi/cmake/spec similarity index 100% rename from packages/cmake/spec rename to packages-multi/cmake/spec diff --git a/packages/haproxy-awslc-fips-patched/packaging b/packages-multi/haproxy-awslc-fips-patched/packaging similarity index 100% rename from packages/haproxy-awslc-fips-patched/packaging rename to packages-multi/haproxy-awslc-fips-patched/packaging diff --git a/packages/haproxy-awslc-fips-patched/spec b/packages-multi/haproxy-awslc-fips-patched/spec similarity index 100% rename from packages/haproxy-awslc-fips-patched/spec rename to packages-multi/haproxy-awslc-fips-patched/spec diff --git a/packages/haproxy-awslc-fips/packaging b/packages-multi/haproxy-awslc-fips/packaging similarity index 100% rename from packages/haproxy-awslc-fips/packaging rename to packages-multi/haproxy-awslc-fips/packaging diff --git a/packages/haproxy-awslc-fips/spec b/packages-multi/haproxy-awslc-fips/spec similarity index 100% rename from packages/haproxy-awslc-fips/spec rename to packages-multi/haproxy-awslc-fips/spec diff --git a/packages/haproxy-awslc-patched/packaging b/packages-multi/haproxy-awslc-patched/packaging similarity index 100% rename from packages/haproxy-awslc-patched/packaging rename to packages-multi/haproxy-awslc-patched/packaging 
diff --git a/packages/haproxy-awslc-patched/spec b/packages-multi/haproxy-awslc-patched/spec similarity index 100% rename from packages/haproxy-awslc-patched/spec rename to packages-multi/haproxy-awslc-patched/spec diff --git a/packages/haproxy-awslc/packaging b/packages-multi/haproxy-awslc/packaging similarity index 100% rename from packages/haproxy-awslc/packaging rename to packages-multi/haproxy-awslc/packaging diff --git a/packages/haproxy-awslc/spec b/packages-multi/haproxy-awslc/spec similarity index 100% rename from packages/haproxy-awslc/spec rename to packages-multi/haproxy-awslc/spec diff --git a/packages/haproxy-openssl-patched/packaging b/packages-multi/haproxy-openssl-patched/packaging similarity index 100% rename from packages/haproxy-openssl-patched/packaging rename to packages-multi/haproxy-openssl-patched/packaging diff --git a/packages/haproxy-openssl-patched/spec b/packages-multi/haproxy-openssl-patched/spec similarity index 100% rename from packages/haproxy-openssl-patched/spec rename to packages-multi/haproxy-openssl-patched/spec diff --git a/packages/haproxy-openssl/packaging b/packages-multi/haproxy-openssl/packaging similarity index 100% rename from packages/haproxy-openssl/packaging rename to packages-multi/haproxy-openssl/packaging diff --git a/packages/haproxy-openssl/spec b/packages-multi/haproxy-openssl/spec similarity index 100% rename from packages/haproxy-openssl/spec rename to packages-multi/haproxy-openssl/spec diff --git a/scripts/dev-build.sh b/scripts/dev-build.sh index 813b7a55..f95e1790 100755 --- a/scripts/dev-build.sh +++ b/scripts/dev-build.sh 
@@ -91,9 +91,20 @@ SPEC_ORIG=$(cat "$SPEC_FILE") JOB_SPEC_FILE="jobs/haproxy/spec" JOB_SPEC_ORIG=$(cat "$JOB_SPEC_FILE") +copy_multi_packages() { + cp -r packages-multi/* packages/ +} + +remove_multi_packages() { + for dir in packages-multi/*/; do + rm -rf "packages/$(basename "$dir")" + done +} + cleanup() { echo "$SPEC_ORIG" > "$SPEC_FILE" echo "$JOB_SPEC_ORIG" > "$JOB_SPEC_FILE" + remove_multi_packages rm -f haproxy-patches.tar.gz } trap cleanup EXIT @@ -107,11 +118,6 @@ add_patches_to_spec() { echo "- haproxy/patches.tar.gz" >> "$SPEC_FILE" } -# Always create and register the patches blob upfront. -# The patched variant packages (which are always present in packages/) reference it. -tar -czf haproxy-patches.tar.gz haproxy-patches -bosh add-blob haproxy-patches.tar.gz haproxy/patches.tar.gz - build_release() { local variant="$1" local version="$VERSION" @@ -142,6 +148,8 @@ fi if should_build openssl-patched; then reset_spec add_patches_to_spec + tar -czf haproxy-patches.tar.gz haproxy-patches + bosh add-blob haproxy-patches.tar.gz haproxy/patches.tar.gz build_release "patched" fi @@ -159,6 +167,8 @@ if should_build awslc-patched; then add_patches_to_spec echo "- haproxy/aws-lc-v*.tar.gz" >> "$SPEC_FILE" echo "- haproxy/cmake-*.tar.gz" >> "$SPEC_FILE" + tar -czf haproxy-patches.tar.gz haproxy-patches + bosh add-blob haproxy-patches.tar.gz haproxy/patches.tar.gz build_release "awslc-patched" fi 
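Review bot: `cleanup` now calls `remove_multi_packages` on every exit, and that function runs `rm -rf` on `packages/<name>` for each directory under `packages-multi/`, whether or not this run copied it there. A run that never reaches the multi step would still delete a same-named directory a developer keeps under `packages/`. Setting `MULTI_COPIED=1` in `copy_multi_packages` and guarding the call with `if [ -n "${MULTI_COPIED:-}" ]; then remove_multi_packages; fi` limits the deletion to what the script created. The `tar -czf` / `bosh add-blob` pair repeated in the later hunks of this file could share one helper, as `ensure_patches_blob` does in ci/scripts/shipit.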
@@ -178,18 +188,21 @@ if should_build awslc-fips-patched; then echo "- haproxy/aws-lc-fips-*.tar.gz" >> "$SPEC_FILE" echo "- haproxy/cmake-*.tar.gz" >> "$SPEC_FILE" echo "- haproxy/golang-*.tar.gz" >> "$SPEC_FILE" + tar -czf haproxy-patches.tar.gz haproxy-patches + bosh add-blob haproxy-patches.tar.gz haproxy/patches.tar.gz build_release "awslc-fips-patched" fi # --- 7. Multi (all variants, property-driven selection) --- if should_build multi; then reset_spec - # Modify job spec: replace '- haproxy' package with all variant packages + copy_multi_packages + tar -czf haproxy-patches.tar.gz haproxy-patches + bosh add-blob haproxy-patches.tar.gz haproxy/patches.tar.gz sed -i.bak 's/^- haproxy$/- haproxy-openssl\n- haproxy-openssl-patched\n- haproxy-awslc\n- haproxy-awslc-patched\n- haproxy-awslc-fips\n- haproxy-awslc-fips-patched/' "$JOB_SPEC_FILE" rm -f "${JOB_SPEC_FILE}.bak" - # Include patches blob for patched variant packages - add_patches_to_spec build_release "multi" + remove_multi_packages fi fi # UPLOAD_ONLY From a686955ad6d29fd60ffd4e56209b02a008b4ef72 Mon Sep 17 00:00:00 2001 From: Clemens Hoffmann Date: Wed, 6 May 2026 15:44:18 +0200 Subject: [PATCH 15/20] Fix multi release startup: move package detection from ERB to bash ERB templates are rendered on the BOSH director where /var/vcap/packages/ doesn't exist, so File.directory? always returned false. Move the check to bash which runs on the VM at runtime. --- jobs/haproxy/templates/haproxy_wrapper.erb | 14 +++++++------- jobs/haproxy/templates/pre-start.erb | 15 ++++++++------- 2 files changed, 15 insertions(+), 14 deletions(-) diff --git a/jobs/haproxy/templates/haproxy_wrapper.erb b/jobs/haproxy/templates/haproxy_wrapper.erb index 4193be1a..4148bc83 100755 --- a/jobs/haproxy/templates/haproxy_wrapper.erb +++ b/jobs/haproxy/templates/haproxy_wrapper.erb 
@@ -3,13 +3,13 @@ set -e -<% - ssl_variant = p("ha_proxy.ssl_variant", "openssl") - haproxy_package = "haproxy-#{ssl_variant}" - # Fall back to legacy 'haproxy' package if variant packages are not present (non-multi release) - package_dir = File.directory?("/var/vcap/packages/#{haproxy_package}") ? haproxy_package : "haproxy" -%> -export PATH=$PATH:/var/vcap/packages/<%= package_dir %>/bin:/var/vcap/packages/ttar/bin +<% ssl_variant = p("ha_proxy.ssl_variant", "openssl") %> +if [ -d "/var/vcap/packages/haproxy-<%= ssl_variant %>" ]; then + HAPROXY_PKG="/var/vcap/packages/haproxy-<%= ssl_variant %>" +else + HAPROXY_PKG="/var/vcap/packages/haproxy" +fi +export PATH=$PATH:${HAPROXY_PKG}/bin:/var/vcap/packages/ttar/bin CONFIG=/var/vcap/jobs/haproxy/config/haproxy.config PID_FILE=/var/vcap/sys/run/haproxy/haproxy.pid DRAIN_LOCK=/var/vcap/sys/run/haproxy/drain.lock diff --git a/jobs/haproxy/templates/pre-start.erb b/jobs/haproxy/templates/pre-start.erb index b392e0ea..1fb21f6b 100644 --- a/jobs/haproxy/templates/pre-start.erb +++ b/jobs/haproxy/templates/pre-start.erb 
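Review bot: The `else` branch falls back to `/var/vcap/packages/haproxy` without any message, so on a release that lacks the requested variant package `ha_proxy.ssl_variant` is ignored. The job then runs with whatever TLS library the single `haproxy` package was built with. For an operator who asked for a FIPS variant that mismatch should be visible in the logs, e.g. `echo "haproxy-<%= ssl_variant %> not installed, using /var/vcap/packages/haproxy" >&2` inside the `else`. The same silent fallback appears in the pre-start.erb hunk of this commit and again in PATCH 16. The rest of the wrapper script lies outside this hunk.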
@@ -13,17 +13,18 @@ if [ ! -e /usr/bin/python ] && [ -e /usr/bin/python3 ]; then sudo ln -s /usr/bin/python3 /usr/bin/python fi -<% - ssl_variant = p("ha_proxy.ssl_variant", "openssl") - haproxy_package = "haproxy-#{ssl_variant}" - package_dir = File.directory?("/var/vcap/packages/#{haproxy_package}") ? haproxy_package : "haproxy" -%> +<% ssl_variant = p("ha_proxy.ssl_variant", "openssl") %> +if [ -d "/var/vcap/packages/haproxy-<%= ssl_variant %>" ]; then + HAPROXY_PKG="/var/vcap/packages/haproxy-<%= ssl_variant %>" +else + HAPROXY_PKG="/var/vcap/packages/haproxy" +fi if [ ! -e /usr/local/bin/hatop ]; then - sudo ln -s /var/vcap/packages/<%= package_dir %>/hatop-wrapper /usr/local/bin/hatop + sudo ln -s ${HAPROXY_PKG}/hatop-wrapper /usr/local/bin/hatop fi if [ ! -e /usr/local/bin/socat ]; then - sudo ln -s /var/vcap/packages/<%= package_dir %>/bin/socat /usr/local/bin/socat + sudo ln -s ${HAPROXY_PKG}/bin/socat /usr/local/bin/socat fi <%- if_p("ha_proxy.pre_start_script") do |script| -%> From 0af48e790d0ee490c608b17b6d4e1451bc213fba Mon Sep 17 00:00:00 2001 
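Review bot: `ssl_variant` is rendered straight into shell text and `${HAPROXY_PKG}` is then expanded unquoted in the two `sudo ln -s` lines, so a property value containing spaces, quotes or `$(...)` changes the commands that run under `sudo`. The deployment manifest is normally trusted, but an allowlist in the template is cheap: `<% raise "unsupported ha_proxy.ssl_variant" unless %w[openssl openssl-patched awslc awslc-patched awslc-fips awslc-fips-patched].include?(ssl_variant) %>`. Quoting the expansions, as in `"${HAPROXY_PKG}/bin/socat"`, belongs with it. The haproxy_wrapper.erb hunk of this commit interpolates the same unvalidated value into `PATH`.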
From: Clemens Hoffmann Date: Wed, 6 May 2026 16:37:09 +0200 Subject: [PATCH 16/20] Extract haproxy-deps shared package and centralize version definitions Compiles lua, pcre2, socat, and hatop once instead of 6 times; all variant packages now depend on haproxy-deps. Version constants moved to src/haproxy-versions.sh and sourced everywhere. --- ci/scripts/autobump-dependencies.py | 42 ++++++++++++------ ci/scripts/functions-ci.sh | 2 +- ci/scripts/shipit | 13 +++--- jobs/haproxy/templates/pre-start.erb | 17 +++----- packages-multi/aws-lc-fips/packaging | 3 +- packages-multi/aws-lc-fips/spec | 1 + packages-multi/aws-lc/packaging | 2 +- packages-multi/aws-lc/spec | 1 + packages-multi/cmake/packaging | 2 +- packages-multi/cmake/spec | 1 + .../haproxy-awslc-fips-patched/packaging | 43 +++---------------- .../haproxy-awslc-fips-patched/spec | 7 +-- packages-multi/haproxy-awslc-fips/packaging | 43 +++---------------- packages-multi/haproxy-awslc-fips/spec | 7 +-- .../haproxy-awslc-patched/packaging | 43 +++---------------- packages-multi/haproxy-awslc-patched/spec | 7 +-- packages-multi/haproxy-awslc/packaging | 43 +++---------------- packages-multi/haproxy-awslc/spec | 7 +-- packages-multi/haproxy-deps/packaging | 36 ++++++++++++++++ packages-multi/haproxy-deps/spec | 9 ++++ .../haproxy-openssl-patched/packaging | 43 +++---------------- packages-multi/haproxy-openssl-patched/spec | 8 ++-- packages-multi/haproxy-openssl/packaging | 43 +++---------------- packages-multi/haproxy-openssl/spec | 8 ++-- packages/haproxy/packaging | 16 +------ packages/haproxy/spec | 1 + scripts/dev-build.sh | 2 +- src/haproxy-versions.sh | 13 ++++++ 28 files changed, 161 insertions(+), 302 deletions(-) create mode 100644 packages-multi/haproxy-deps/packaging create mode 100644 packages-multi/haproxy-deps/spec create mode 100644 src/haproxy-versions.sh diff --git a/ci/scripts/autobump-dependencies.py b/ci/scripts/autobump-dependencies.py index 442e59ec..e4aacd52 100755 
--- a/ci/scripts/autobump-dependencies.py +++ b/ci/scripts/autobump-dependencies.py @@ -40,6 +40,7 @@ # Other Global Variables BLOBS_PATH = "config/blobs.yml" +VERSIONS_PATH = "src/haproxy-versions.sh" PACKAGING_PATH = "packages/{}/packaging" @@ -118,18 +119,23 @@ class Dependency: def pr_branch(self): return f"{self.name}-auto-bump-{PR_BASE}" + @property + def versions_file(self) -> str: + if self.package == "haproxy": + return VERSIONS_PATH + return PACKAGING_PATH.format(self.package) + @property def current_version(self) -> version.Version: """ - Fetches the current version of the release from the packaging file if not already known. + Fetches the current version of the release from the versions file if not already known. (Should always be identical to the version in blobs.yml) """ if self._current_version: return self._current_version - with open(PACKAGING_PATH.format(self.package), "r") as packaging_file: - for line in packaging_file.readlines(): + with open(self.versions_file, "r") as versions_file: + for line in versions_file.readlines(): if line.startswith(self.version_var_name): - # Regex: expecting e.g. "RELEASE_VERSION=1.2.3 # http://release.org/download". extracting Semver Group rgx = rf"{self.version_var_name}=((?:[0-9]+\.){{1,3}}[0-9]+)\s+#.*$" match = re.match(rgx, line) if match: @@ -159,8 +165,11 @@ def get_release_notes(self) -> str: """ raise NotImplementedError + def blob_filename(self, ver) -> str: + return f"{self.name}-{ver}.tar.gz" + def remove_current_blob(self): - current_blob_path = f"{self.package}/{self.name}-{self.current_version}.tar.gz" + current_blob_path = f"{self.package}/{self.blob_filename(self.current_version)}" if self._check_blob_exists(current_blob_path): BoshHelper.remove_blob(current_blob_path) else: 
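Review bot: The `current_version` hunk deletes the comment that documented the line format `rgx` expects, just as the versions move into `src/haproxy-versions.sh`, a file the packaging scripts also `source`. A line without the trailing `# <url>` comment does not match the regex, and what happens after a failed match is outside the hunk, so the format contract is worth keeping next to the pattern: `# expects e.g. "HAPROXY_VERSION=1.2.3 # https://example.org/download" (version, whitespace, then a comment)`. `versions_file` and `blob_filename` would also benefit from one-line docstrings saying which file or blob name they resolve to. `update_packaging_file` in the next hunk keeps its name although it now writes the shared versions file for the haproxy package.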
@@ -176,17 +185,17 @@ def _check_blob_exists(self, blob_path) -> bool: def update_packaging_file(self): """ - Writes the new dependency version and download-url into packages/haproxy/packaging + Writes the new dependency version and download-url into the versions file. """ - with open(PACKAGING_PATH.format(self.package), "r") as packaging_file: + with open(self.versions_file, "r") as f: replacement = "" - for line in packaging_file.readlines(): + for line in f.readlines(): if line.startswith(self.version_var_name): line = f"{self.version_var_name}={self.latest_release.version} # {self.latest_release.url}\n" replacement += line - with open(PACKAGING_PATH.format(self.package), "w") as packaging_file_write: - packaging_file_write.write(replacement) + with open(self.versions_file, "w") as f: + f.write(replacement) def open_pr_exists(self) -> bool: prs_exist = False @@ -212,7 +221,7 @@ def create_pr(self): self._update_file( self.remote_repo, - PACKAGING_PATH.format(self.package), + self.versions_file, self.pr_branch, f"Bump {self.name} version to {self.latest_release.version}", ) @@ -259,6 +268,10 @@ class GithubDependency(Dependency): tagname_prefix: str = "" filename_suffix: str = ".tar.gz" + blob_version_prefix: str = "" + + def blob_filename(self, ver) -> str: + return f"{self.name}-{self.blob_version_prefix}{ver}{self.filename_suffix}" def fetch_latest_release(self) -> Release: repo_org_and_name = self.root_url.lstrip("https://github.com/") @@ -285,7 +298,7 @@ def get_release_download_url(rel): latest_release = Release( rel.title, get_release_download_url(rel), - f"{self.name}-{str(current_version)}{self.filename_suffix}", + self.blob_filename(current_version), current_version, ) @@ -362,7 +375,7 @@ def fetch_latest_release(self) -> Release: Release( f"golang-{match.group(1)}", url, - f"golang-{match.group(1)}.tar.gz", + self.blob_filename(ver), ver, ) ) 
@@ -405,7 +418,7 @@ def fetch_latest_release(self) -> Release: latest_release = Release( rel.title, url, - f"{self.name}-{str(current_version)}.tar.gz", + self.blob_filename(current_version), current_version, ) @@ -592,6 +605,7 @@ def main() -> None: AWS_LC_VERSION, "https://github.com/aws/aws-lc", tagname_prefix="v", + blob_version_prefix="v", ), GithubArchiveDependency( "aws-lc-fips", diff --git a/ci/scripts/functions-ci.sh b/ci/scripts/functions-ci.sh index 3ec9e1b4..d39ef87e 100755 --- a/ci/scripts/functions-ci.sh +++ b/ci/scripts/functions-ci.sh @@ -59,7 +59,7 @@ function bosh_release() { cp -r packages-multi/* packages/ tar -czvf haproxy-patches.tar.gz haproxy-patches bosh add-blob haproxy-patches.tar.gz haproxy/patches.tar.gz - sed -i 's/^- haproxy$/- haproxy-openssl\n- haproxy-openssl-patched\n- haproxy-awslc\n- haproxy-awslc-patched\n- haproxy-awslc-fips\n- haproxy-awslc-fips-patched/' jobs/haproxy/spec + sed -i 's/^- haproxy$/- haproxy-deps\n- haproxy-openssl\n- haproxy-openssl-patched\n- haproxy-awslc\n- haproxy-awslc-patched\n- haproxy-awslc-fips\n- haproxy-awslc-fips-patched/' jobs/haproxy/spec elif [ "${HAPROXY_AWSLC_FIPS:-}" == "true" ]; then echo "----- Adding AWS-LC FIPS blobs to haproxy package spec..." echo "- haproxy/aws-lc-fips-*.tar.gz" >> packages/haproxy/spec diff --git a/ci/scripts/shipit b/ci/scripts/shipit index 48e6407d..c395d1c4 100755 --- a/ci/scripts/shipit +++ b/ci/scripts/shipit 
@@ -69,11 +69,14 @@ ensure_patches_blob() { } version() { - # extract the version variable $1 from the packaging script $2 (default 'haproxy') pattern='s/VERSION=(.*)(\s?#.*)/\1/p' - package=${2:-haproxy} - # extract version and remove all spaces - sed -n -E "${pattern//VERSION/${1:?}}" "${REPO_ROOT}/packages/${package}/packaging" | sed 's/ *//g' + package=${2:-} + if [[ -n "${package}" ]]; then + source_file="${REPO_ROOT}/packages/${package}/packaging" + else + source_file="${REPO_ROOT}/src/haproxy-versions.sh" + fi + sed -n -E "${pattern//VERSION/${1:?}}" "${source_file}" | sed 's/ *//g' } HAPROXY_VERSION=$(version HAPROXY_VERSION) @@ -244,7 +247,7 @@ pushd "${REPO_ROOT}" # --- Multi release (all variants, property-driven selection) --- cp -r packages-multi/* packages/ ensure_patches_blob - sed -i 's/^- haproxy$/- haproxy-openssl\n- haproxy-openssl-patched\n- haproxy-awslc\n- haproxy-awslc-patched\n- haproxy-awslc-fips\n- haproxy-awslc-fips-patched/' jobs/haproxy/spec + sed -i 's/^- haproxy$/- haproxy-deps\n- haproxy-openssl\n- haproxy-openssl-patched\n- haproxy-awslc\n- haproxy-awslc-patched\n- haproxy-awslc-fips\n- haproxy-awslc-fips-patched/' jobs/haproxy/spec bosh -n create-release --force --version "${VERSION}-multi" \ --tarball "../${RELEASE_NAME}-${VERSION}-multi.tgz" diff --git a/jobs/haproxy/templates/pre-start.erb b/jobs/haproxy/templates/pre-start.erb index 1fb21f6b..e532ed3f 100644 --- a/jobs/haproxy/templates/pre-start.erb +++ b/jobs/haproxy/templates/pre-start.erb 
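Review bot: `version()` assigns `pattern`, `package` and the new `source_file` without `local`, so all three leak into the script's global scope, and the hunk removes the only comment that explained the arguments. Suggest `local pattern package source_file` at the top and a replacement comment such as `# print version variable $1 from packages/$2/packaging, or from src/haproxy-versions.sh when $2 is omitted`. If the selected file is missing, the first `sed` fails inside a pipeline and the caller may end up with an empty version string, depending on shell options set outside this hunk. A check like `[[ -r "${source_file}" ]] || { echo "missing ${source_file}" >&2; return 1; }` would surface that earlier.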
@@ -14,18 +14,15 @@ if [ ! -e /usr/bin/python ] && [ -e /usr/bin/python3 ]; then fi <% ssl_variant = p("ha_proxy.ssl_variant", "openssl") %> -if [ -d "/var/vcap/packages/haproxy-<%= ssl_variant %>" ]; then - HAPROXY_PKG="/var/vcap/packages/haproxy-<%= ssl_variant %>" +if [ -d "/var/vcap/packages/haproxy-deps" ]; then + DEPS_PKG="/var/vcap/packages/haproxy-deps" +elif [ -d "/var/vcap/packages/haproxy-<%= ssl_variant %>" ]; then + DEPS_PKG="/var/vcap/packages/haproxy-<%= ssl_variant %>" else - HAPROXY_PKG="/var/vcap/packages/haproxy" -fi -if [ ! -e /usr/local/bin/hatop ]; then - sudo ln -s ${HAPROXY_PKG}/hatop-wrapper /usr/local/bin/hatop -fi - -if [ ! -e /usr/local/bin/socat ]; then - sudo ln -s ${HAPROXY_PKG}/bin/socat /usr/local/bin/socat + DEPS_PKG="/var/vcap/packages/haproxy" fi +sudo ln -sf ${DEPS_PKG}/hatop-wrapper /usr/local/bin/hatop +sudo ln -sf ${DEPS_PKG}/bin/socat /usr/local/bin/socat <%- if_p("ha_proxy.pre_start_script") do |script| -%> # ha_proxy.pre_start_script {{{ diff --git a/packages-multi/aws-lc-fips/packaging b/packages-multi/aws-lc-fips/packaging index 4a7b537b..333f6b4a 100644 --- a/packages-multi/aws-lc-fips/packaging +++ b/packages-multi/aws-lc-fips/packaging @@ -1,7 +1,6 @@ set -euxo pipefail -AWS_LC_FIPS_VERSION=3.3.0 # https://github.com/aws/aws-lc/archive/refs/tags/AWS-LC-FIPS-3.3.0.tar.gz -GOLANG_VERSION=1.26.2 # https://go.dev/dl/go1.26.2.linux-amd64.tar.gz +source haproxy-versions.sh export PATH=/var/vcap/packages/cmake/bin:$PATH diff --git a/packages-multi/aws-lc-fips/spec b/packages-multi/aws-lc-fips/spec index fd42fa04..dfc376cc 100644 --- a/packages-multi/aws-lc-fips/spec +++ b/packages-multi/aws-lc-fips/spec @@ -5,3 +5,4 @@ dependencies: files: - haproxy/aws-lc-fips-*.tar.gz - haproxy/golang-*.tar.gz +- haproxy-versions.sh diff --git a/packages-multi/aws-lc/packaging b/packages-multi/aws-lc/packaging index 5adf981c..8d213c98 100644 --- a/packages-multi/aws-lc/packaging +++ b/packages-multi/aws-lc/packaging 
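Review bot: The `elif` branch points `DEPS_PKG` at `haproxy-<variant>`, but as far as this diff shows the variant packages no longer install socat, hatop or `hatop-wrapper` (those moved to `haproxy-deps`), so if that branch is taken both `ln -sf` targets are missing and the links dangle. The links are also forced on every pre-start now, replacing whatever already exists at `/usr/local/bin/hatop` and `/usr/local/bin/socat`, where the previous `[ ! -e ... ]` guards left existing files alone. I would drop the `elif`, quote the expansion and link only when the target exists, e.g. `if [ -x "${DEPS_PKG}/bin/socat" ]; then sudo ln -sf "${DEPS_PKG}/bin/socat" /usr/local/bin/socat; fi`.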
@@ -1,6 +1,6 @@ set -euxo pipefail -AWS_LC_VERSION=1.72.0 # https://github.com/aws/aws-lc/archive/refs/tags/v1.72.0.tar.gz +source haproxy-versions.sh export PATH=/var/vcap/packages/cmake/bin:$PATH diff --git a/packages-multi/aws-lc/spec b/packages-multi/aws-lc/spec index 819be13a..70a17e5a 100644 --- a/packages-multi/aws-lc/spec +++ b/packages-multi/aws-lc/spec @@ -4,3 +4,4 @@ dependencies: - cmake files: - haproxy/aws-lc-v*.tar.gz +- haproxy-versions.sh diff --git a/packages-multi/cmake/packaging b/packages-multi/cmake/packaging index f8109bf6..9350b1f6 100644 --- a/packages-multi/cmake/packaging +++ b/packages-multi/cmake/packaging @@ -1,6 +1,6 @@ set -euxo pipefail -CMAKE_VERSION=3.31.6 # https://github.com/Kitware/CMake/releases/download/v3.31.6/cmake-3.31.6.tar.gz +source haproxy-versions.sh tar xzf haproxy/cmake-${CMAKE_VERSION}.tar.gz pushd cmake-${CMAKE_VERSION} diff --git a/packages-multi/cmake/spec b/packages-multi/cmake/spec index 42a6f956..667d68d0 100644 --- a/packages-multi/cmake/spec +++ b/packages-multi/cmake/spec @@ -2,3 +2,4 @@ name: cmake files: - haproxy/cmake-*.tar.gz +- haproxy-versions.sh diff --git a/packages-multi/haproxy-awslc-fips-patched/packaging b/packages-multi/haproxy-awslc-fips-patched/packaging index a778f30f..fefdbdc1 100644 --- a/packages-multi/haproxy-awslc-fips-patched/packaging +++ b/packages-multi/haproxy-awslc-fips-patched/packaging 
@@ -1,38 +1,10 @@ set -euxo pipefail -LUA_VERSION=5.4.8 # https://www.lua.org/ftp/lua-5.4.8.tar.gz -PCRE_VERSION=10.47 # https://github.com/PCRE2Project/pcre2/releases/download/pcre2-10.47/pcre2-10.47.tar.gz -SOCAT_VERSION=1.8.1.1 # http://www.dest-unreach.org/socat/download/socat-1.8.1.1.tar.gz -HAPROXY_VERSION=3.2.16 # https://www.haproxy.org/download/3.2/src/haproxy-3.2.16.tar.gz -HATOP_VERSION=0.8.2 # https://github.com/jhunt/hatop/releases/download/v0.8.2/hatop +source haproxy-versions.sh +DEPS_DIR=/var/vcap/packages/haproxy-deps mkdir ${BOSH_INSTALL_TARGET}/bin -echo "Extracting lua..." -tar xzf haproxy/lua-${LUA_VERSION}.tar.gz -pushd lua-${LUA_VERSION} - make linux install INSTALL_TOP=${BOSH_INSTALL_TARGET} -popd - -echo "Extracting pcre..." -tar xzf haproxy/pcre2-${PCRE_VERSION}.tar.gz -pushd pcre2-${PCRE_VERSION} - ./configure \ - --enable-jit \ - --prefix ${BOSH_INSTALL_TARGET} - make - make install -popd - -echo "Installing socat..." -tar xzf haproxy/socat-${SOCAT_VERSION}.tar.gz -pushd socat-${SOCAT_VERSION} - ./configure - make - cp socat ${BOSH_INSTALL_TARGET}/bin - chmod 755 ${BOSH_INSTALL_TARGET}/bin/socat -popd - SSL_MAKE_FLAGS="USE_OPENSSL_AWSLC=1 SSL_INC=/var/vcap/packages/aws-lc-fips/include SSL_LIB=/var/vcap/packages/aws-lc-fips/lib" echo "Unpacking HAproxy..." 
@@ -49,13 +21,10 @@ pushd haproxy-${HAPROXY_VERSION} rm -r haproxy-patches echo "Installing HAproxy..." - make TARGET=linux-glibc USE_PROMEX=1 ${SSL_MAKE_FLAGS} USE_PCRE2=1 USE_PCRE2_JIT=yes USE_STATIC_PCRE2=1 USE_ZLIB=1 PCRE2DIR=${BOSH_INSTALL_TARGET} USE_LUA=1 LUA_LIB=${BOSH_INSTALL_TARGET}/lib LUA_INC=${BOSH_INSTALL_TARGET}/include + make TARGET=linux-glibc USE_PROMEX=1 ${SSL_MAKE_FLAGS} \ + USE_PCRE2=1 USE_PCRE2_JIT=yes USE_STATIC_PCRE2=1 USE_ZLIB=1 \ + PCRE2DIR=${DEPS_DIR} \ + USE_LUA=1 LUA_LIB=${DEPS_DIR}/lib LUA_INC=${DEPS_DIR}/include cp haproxy ${BOSH_INSTALL_TARGET}/bin/ chmod 755 ${BOSH_INSTALL_TARGET}/bin/haproxy popd - -echo "Installing hatop..." -cp haproxy/hatop-${HATOP_VERSION} ${BOSH_INSTALL_TARGET}/bin/hatop -chmod 755 ${BOSH_INSTALL_TARGET}/bin/hatop -cp hatop-wrapper ${BOSH_INSTALL_TARGET}/ -chmod 755 ${BOSH_INSTALL_TARGET}/hatop-wrapper diff --git a/packages-multi/haproxy-awslc-fips-patched/spec b/packages-multi/haproxy-awslc-fips-patched/spec index 7a7cd3d7..0ae6c9ac 100644 --- a/packages-multi/haproxy-awslc-fips-patched/spec +++ b/packages-multi/haproxy-awslc-fips-patched/spec @@ -1,12 +1,9 @@ --- name: haproxy-awslc-fips-patched dependencies: +- haproxy-deps - aws-lc-fips files: - haproxy/haproxy-*.tar.gz -- haproxy/pcre2-*.tar.gz -- haproxy/socat-*.tar.gz -- haproxy/lua-*.tar.gz -- haproxy/hatop-* - haproxy/patches.tar.gz -- hatop-wrapper +- haproxy-versions.sh diff --git a/packages-multi/haproxy-awslc-fips/packaging b/packages-multi/haproxy-awslc-fips/packaging index c0c9daff..c1696406 100644 --- a/packages-multi/haproxy-awslc-fips/packaging +++ b/packages-multi/haproxy-awslc-fips/packaging 
@@ -1,51 +1,20 @@ set -euxo pipefail -LUA_VERSION=5.4.8 # https://www.lua.org/ftp/lua-5.4.8.tar.gz -PCRE_VERSION=10.47 # https://github.com/PCRE2Project/pcre2/releases/download/pcre2-10.47/pcre2-10.47.tar.gz -SOCAT_VERSION=1.8.1.1 # http://www.dest-unreach.org/socat/download/socat-1.8.1.1.tar.gz -HAPROXY_VERSION=3.2.16 # https://www.haproxy.org/download/3.2/src/haproxy-3.2.16.tar.gz -HATOP_VERSION=0.8.2 # https://github.com/jhunt/hatop/releases/download/v0.8.2/hatop +source haproxy-versions.sh +DEPS_DIR=/var/vcap/packages/haproxy-deps mkdir ${BOSH_INSTALL_TARGET}/bin -echo "Extracting lua..." -tar xzf haproxy/lua-${LUA_VERSION}.tar.gz -pushd lua-${LUA_VERSION} - make linux install INSTALL_TOP=${BOSH_INSTALL_TARGET} -popd - -echo "Extracting pcre..." -tar xzf haproxy/pcre2-${PCRE_VERSION}.tar.gz -pushd pcre2-${PCRE_VERSION} - ./configure \ - --enable-jit \ - --prefix ${BOSH_INSTALL_TARGET} - make - make install -popd - -echo "Installing socat..." -tar xzf haproxy/socat-${SOCAT_VERSION}.tar.gz -pushd socat-${SOCAT_VERSION} - ./configure - make - cp socat ${BOSH_INSTALL_TARGET}/bin - chmod 755 ${BOSH_INSTALL_TARGET}/bin/socat -popd - SSL_MAKE_FLAGS="USE_OPENSSL_AWSLC=1 SSL_INC=/var/vcap/packages/aws-lc-fips/include SSL_LIB=/var/vcap/packages/aws-lc-fips/lib" echo "Unpacking HAproxy..." tar xf haproxy/haproxy-${HAPROXY_VERSION}.tar.gz pushd haproxy-${HAPROXY_VERSION} echo "Installing HAproxy..." - make TARGET=linux-glibc USE_PROMEX=1 ${SSL_MAKE_FLAGS} USE_PCRE2=1 USE_PCRE2_JIT=yes USE_STATIC_PCRE2=1 USE_ZLIB=1 PCRE2DIR=${BOSH_INSTALL_TARGET} USE_LUA=1 LUA_LIB=${BOSH_INSTALL_TARGET}/lib LUA_INC=${BOSH_INSTALL_TARGET}/include + make TARGET=linux-glibc USE_PROMEX=1 ${SSL_MAKE_FLAGS} \ + USE_PCRE2=1 USE_PCRE2_JIT=yes USE_STATIC_PCRE2=1 USE_ZLIB=1 \ + PCRE2DIR=${DEPS_DIR} \ + USE_LUA=1 LUA_LIB=${DEPS_DIR}/lib LUA_INC=${DEPS_DIR}/include cp haproxy ${BOSH_INSTALL_TARGET}/bin/ chmod 755 ${BOSH_INSTALL_TARGET}/bin/haproxy popd - -echo "Installing hatop..." 
-cp haproxy/hatop-${HATOP_VERSION} ${BOSH_INSTALL_TARGET}/bin/hatop -chmod 755 ${BOSH_INSTALL_TARGET}/bin/hatop -cp hatop-wrapper ${BOSH_INSTALL_TARGET}/ -chmod 755 ${BOSH_INSTALL_TARGET}/hatop-wrapper diff --git a/packages-multi/haproxy-awslc-fips/spec b/packages-multi/haproxy-awslc-fips/spec index ae1138b8..93f0b9a0 100644 --- a/packages-multi/haproxy-awslc-fips/spec +++ b/packages-multi/haproxy-awslc-fips/spec @@ -1,11 +1,8 @@ --- name: haproxy-awslc-fips dependencies: +- haproxy-deps - aws-lc-fips files: - haproxy/haproxy-*.tar.gz -- haproxy/pcre2-*.tar.gz -- haproxy/socat-*.tar.gz -- haproxy/lua-*.tar.gz -- haproxy/hatop-* -- hatop-wrapper +- haproxy-versions.sh diff --git a/packages-multi/haproxy-awslc-patched/packaging b/packages-multi/haproxy-awslc-patched/packaging index c29af677..3d2d0c30 100644 --- a/packages-multi/haproxy-awslc-patched/packaging +++ b/packages-multi/haproxy-awslc-patched/packaging 
@@ -1,38 +1,10 @@ set -euxo pipefail -LUA_VERSION=5.4.8 # https://www.lua.org/ftp/lua-5.4.8.tar.gz -PCRE_VERSION=10.47 # https://github.com/PCRE2Project/pcre2/releases/download/pcre2-10.47/pcre2-10.47.tar.gz -SOCAT_VERSION=1.8.1.1 # http://www.dest-unreach.org/socat/download/socat-1.8.1.1.tar.gz -HAPROXY_VERSION=3.2.16 # https://www.haproxy.org/download/3.2/src/haproxy-3.2.16.tar.gz -HATOP_VERSION=0.8.2 # https://github.com/jhunt/hatop/releases/download/v0.8.2/hatop +source haproxy-versions.sh +DEPS_DIR=/var/vcap/packages/haproxy-deps mkdir ${BOSH_INSTALL_TARGET}/bin -echo "Extracting lua..." -tar xzf haproxy/lua-${LUA_VERSION}.tar.gz -pushd lua-${LUA_VERSION} - make linux install INSTALL_TOP=${BOSH_INSTALL_TARGET} -popd - -echo "Extracting pcre..." -tar xzf haproxy/pcre2-${PCRE_VERSION}.tar.gz -pushd pcre2-${PCRE_VERSION} - ./configure \ - --enable-jit \ - --prefix ${BOSH_INSTALL_TARGET} - make - make install -popd - -echo "Installing socat..." -tar xzf haproxy/socat-${SOCAT_VERSION}.tar.gz -pushd socat-${SOCAT_VERSION} - ./configure - make - cp socat ${BOSH_INSTALL_TARGET}/bin - chmod 755 ${BOSH_INSTALL_TARGET}/bin/socat -popd - SSL_MAKE_FLAGS="USE_OPENSSL_AWSLC=1 SSL_INC=/var/vcap/packages/aws-lc/include SSL_LIB=/var/vcap/packages/aws-lc/lib" echo "Unpacking HAproxy..." 
@@ -49,13 +21,10 @@ pushd haproxy-${HAPROXY_VERSION} rm -r haproxy-patches echo "Installing HAproxy..." - make TARGET=linux-glibc USE_PROMEX=1 ${SSL_MAKE_FLAGS} USE_PCRE2=1 USE_PCRE2_JIT=yes USE_STATIC_PCRE2=1 USE_ZLIB=1 PCRE2DIR=${BOSH_INSTALL_TARGET} USE_LUA=1 LUA_LIB=${BOSH_INSTALL_TARGET}/lib LUA_INC=${BOSH_INSTALL_TARGET}/include + make TARGET=linux-glibc USE_PROMEX=1 ${SSL_MAKE_FLAGS} \ + USE_PCRE2=1 USE_PCRE2_JIT=yes USE_STATIC_PCRE2=1 USE_ZLIB=1 \ + PCRE2DIR=${DEPS_DIR} \ + USE_LUA=1 LUA_LIB=${DEPS_DIR}/lib LUA_INC=${DEPS_DIR}/include cp haproxy ${BOSH_INSTALL_TARGET}/bin/ chmod 755 ${BOSH_INSTALL_TARGET}/bin/haproxy popd - -echo "Installing hatop..." -cp haproxy/hatop-${HATOP_VERSION} ${BOSH_INSTALL_TARGET}/bin/hatop -chmod 755 ${BOSH_INSTALL_TARGET}/bin/hatop -cp hatop-wrapper ${BOSH_INSTALL_TARGET}/ -chmod 755 ${BOSH_INSTALL_TARGET}/hatop-wrapper diff --git a/packages-multi/haproxy-awslc-patched/spec b/packages-multi/haproxy-awslc-patched/spec index 4372e0d4..d2e14e89 100644 --- a/packages-multi/haproxy-awslc-patched/spec +++ b/packages-multi/haproxy-awslc-patched/spec @@ -1,12 +1,9 @@ --- name: haproxy-awslc-patched dependencies: +- haproxy-deps - aws-lc files: - haproxy/haproxy-*.tar.gz -- haproxy/pcre2-*.tar.gz -- haproxy/socat-*.tar.gz -- haproxy/lua-*.tar.gz -- haproxy/hatop-* - haproxy/patches.tar.gz -- hatop-wrapper +- haproxy-versions.sh diff --git a/packages-multi/haproxy-awslc/packaging b/packages-multi/haproxy-awslc/packaging index 73b80581..52eb95a3 100644 --- a/packages-multi/haproxy-awslc/packaging +++ b/packages-multi/haproxy-awslc/packaging 
@@ -1,51 +1,20 @@ set -euxo pipefail -LUA_VERSION=5.4.8 # https://www.lua.org/ftp/lua-5.4.8.tar.gz -PCRE_VERSION=10.47 # https://github.com/PCRE2Project/pcre2/releases/download/pcre2-10.47/pcre2-10.47.tar.gz -SOCAT_VERSION=1.8.1.1 # http://www.dest-unreach.org/socat/download/socat-1.8.1.1.tar.gz -HAPROXY_VERSION=3.2.16 # https://www.haproxy.org/download/3.2/src/haproxy-3.2.16.tar.gz -HATOP_VERSION=0.8.2 # https://github.com/jhunt/hatop/releases/download/v0.8.2/hatop +source haproxy-versions.sh +DEPS_DIR=/var/vcap/packages/haproxy-deps mkdir ${BOSH_INSTALL_TARGET}/bin -echo "Extracting lua..." -tar xzf haproxy/lua-${LUA_VERSION}.tar.gz -pushd lua-${LUA_VERSION} - make linux install INSTALL_TOP=${BOSH_INSTALL_TARGET} -popd - -echo "Extracting pcre..." -tar xzf haproxy/pcre2-${PCRE_VERSION}.tar.gz -pushd pcre2-${PCRE_VERSION} - ./configure \ - --enable-jit \ - --prefix ${BOSH_INSTALL_TARGET} - make - make install -popd - -echo "Installing socat..." -tar xzf haproxy/socat-${SOCAT_VERSION}.tar.gz -pushd socat-${SOCAT_VERSION} - ./configure - make - cp socat ${BOSH_INSTALL_TARGET}/bin - chmod 755 ${BOSH_INSTALL_TARGET}/bin/socat -popd - SSL_MAKE_FLAGS="USE_OPENSSL_AWSLC=1 SSL_INC=/var/vcap/packages/aws-lc/include SSL_LIB=/var/vcap/packages/aws-lc/lib" echo "Unpacking HAproxy..." tar xf haproxy/haproxy-${HAPROXY_VERSION}.tar.gz pushd haproxy-${HAPROXY_VERSION} echo "Installing HAproxy..." - make TARGET=linux-glibc USE_PROMEX=1 ${SSL_MAKE_FLAGS} USE_PCRE2=1 USE_PCRE2_JIT=yes USE_STATIC_PCRE2=1 USE_ZLIB=1 PCRE2DIR=${BOSH_INSTALL_TARGET} USE_LUA=1 LUA_LIB=${BOSH_INSTALL_TARGET}/lib LUA_INC=${BOSH_INSTALL_TARGET}/include + make TARGET=linux-glibc USE_PROMEX=1 ${SSL_MAKE_FLAGS} \ + USE_PCRE2=1 USE_PCRE2_JIT=yes USE_STATIC_PCRE2=1 USE_ZLIB=1 \ + PCRE2DIR=${DEPS_DIR} \ + USE_LUA=1 LUA_LIB=${DEPS_DIR}/lib LUA_INC=${DEPS_DIR}/include cp haproxy ${BOSH_INSTALL_TARGET}/bin/ chmod 755 ${BOSH_INSTALL_TARGET}/bin/haproxy popd - -echo "Installing hatop..." 
-cp haproxy/hatop-${HATOP_VERSION} ${BOSH_INSTALL_TARGET}/bin/hatop -chmod 755 ${BOSH_INSTALL_TARGET}/bin/hatop -cp hatop-wrapper ${BOSH_INSTALL_TARGET}/ -chmod 755 ${BOSH_INSTALL_TARGET}/hatop-wrapper diff --git a/packages-multi/haproxy-awslc/spec b/packages-multi/haproxy-awslc/spec index 0c1444b0..8610fdae 100644 --- a/packages-multi/haproxy-awslc/spec +++ b/packages-multi/haproxy-awslc/spec @@ -1,11 +1,8 @@ --- name: haproxy-awslc dependencies: +- haproxy-deps - aws-lc files: - haproxy/haproxy-*.tar.gz -- haproxy/pcre2-*.tar.gz -- haproxy/socat-*.tar.gz -- haproxy/lua-*.tar.gz -- haproxy/hatop-* -- hatop-wrapper +- haproxy-versions.sh diff --git a/packages-multi/haproxy-deps/packaging b/packages-multi/haproxy-deps/packaging new file mode 100644 index 00000000..6c2ac876 --- /dev/null +++ b/packages-multi/haproxy-deps/packaging @@ -0,0 +1,36 @@ +set -euxo pipefail + +source haproxy-versions.sh + +mkdir ${BOSH_INSTALL_TARGET}/bin + +echo "Extracting lua..." +tar xzf haproxy/lua-${LUA_VERSION}.tar.gz +pushd lua-${LUA_VERSION} + make linux install INSTALL_TOP=${BOSH_INSTALL_TARGET} +popd + +echo "Extracting pcre..." +tar xzf haproxy/pcre2-${PCRE_VERSION}.tar.gz +pushd pcre2-${PCRE_VERSION} + ./configure \ + --enable-jit \ + --prefix ${BOSH_INSTALL_TARGET} + make + make install +popd + +echo "Installing socat..." +tar xzf haproxy/socat-${SOCAT_VERSION}.tar.gz +pushd socat-${SOCAT_VERSION} + ./configure + make + cp socat ${BOSH_INSTALL_TARGET}/bin + chmod 755 ${BOSH_INSTALL_TARGET}/bin/socat +popd + +echo "Installing hatop..." +cp haproxy/hatop-${HATOP_VERSION} ${BOSH_INSTALL_TARGET}/bin/hatop +chmod 755 ${BOSH_INSTALL_TARGET}/bin/hatop +cp hatop-wrapper ${BOSH_INSTALL_TARGET}/ +chmod 755 ${BOSH_INSTALL_TARGET}/hatop-wrapper diff --git a/packages-multi/haproxy-deps/spec b/packages-multi/haproxy-deps/spec new file mode 100644 index 00000000..b1bf0b68 --- /dev/null +++ b/packages-multi/haproxy-deps/spec 
@@ -0,0 +1,9 @@ +--- +name: haproxy-deps +files: +- haproxy/pcre2-*.tar.gz +- haproxy/socat-*.tar.gz +- haproxy/lua-*.tar.gz +- haproxy/hatop-* +- hatop-wrapper +- haproxy-versions.sh diff --git a/packages-multi/haproxy-openssl-patched/packaging b/packages-multi/haproxy-openssl-patched/packaging index a4dc28c8..e1ed3468 100644 --- a/packages-multi/haproxy-openssl-patched/packaging +++ b/packages-multi/haproxy-openssl-patched/packaging @@ -1,38 +1,10 @@ set -euxo pipefail -LUA_VERSION=5.4.8 # https://www.lua.org/ftp/lua-5.4.8.tar.gz -PCRE_VERSION=10.47 # https://github.com/PCRE2Project/pcre2/releases/download/pcre2-10.47/pcre2-10.47.tar.gz -SOCAT_VERSION=1.8.1.1 # http://www.dest-unreach.org/socat/download/socat-1.8.1.1.tar.gz -HAPROXY_VERSION=3.2.16 # https://www.haproxy.org/download/3.2/src/haproxy-3.2.16.tar.gz -HATOP_VERSION=0.8.2 # https://github.com/jhunt/hatop/releases/download/v0.8.2/hatop +source haproxy-versions.sh +DEPS_DIR=/var/vcap/packages/haproxy-deps mkdir ${BOSH_INSTALL_TARGET}/bin -echo "Extracting lua..." -tar xzf haproxy/lua-${LUA_VERSION}.tar.gz -pushd lua-${LUA_VERSION} - make linux install INSTALL_TOP=${BOSH_INSTALL_TARGET} -popd - -echo "Extracting pcre..." -tar xzf haproxy/pcre2-${PCRE_VERSION}.tar.gz -pushd pcre2-${PCRE_VERSION} - ./configure \ - --enable-jit \ - --prefix ${BOSH_INSTALL_TARGET} - make - make install -popd - -echo "Installing socat..." -tar xzf haproxy/socat-${SOCAT_VERSION}.tar.gz -pushd socat-${SOCAT_VERSION} - ./configure - make - cp socat ${BOSH_INSTALL_TARGET}/bin - chmod 755 ${BOSH_INSTALL_TARGET}/bin/socat -popd - SSL_MAKE_FLAGS="USE_OPENSSL=1" echo "Unpacking HAproxy..." 
@@ -49,13 +21,10 @@ pushd haproxy-${HAPROXY_VERSION} rm -r haproxy-patches echo "Installing HAproxy..." - make TARGET=linux-glibc USE_PROMEX=1 ${SSL_MAKE_FLAGS} USE_PCRE2=1 USE_PCRE2_JIT=yes USE_STATIC_PCRE2=1 USE_ZLIB=1 PCRE2DIR=${BOSH_INSTALL_TARGET} USE_LUA=1 LUA_LIB=${BOSH_INSTALL_TARGET}/lib LUA_INC=${BOSH_INSTALL_TARGET}/include + make TARGET=linux-glibc USE_PROMEX=1 ${SSL_MAKE_FLAGS} \ + USE_PCRE2=1 USE_PCRE2_JIT=yes USE_STATIC_PCRE2=1 USE_ZLIB=1 \ + PCRE2DIR=${DEPS_DIR} \ + USE_LUA=1 LUA_LIB=${DEPS_DIR}/lib LUA_INC=${DEPS_DIR}/include cp haproxy ${BOSH_INSTALL_TARGET}/bin/ chmod 755 ${BOSH_INSTALL_TARGET}/bin/haproxy popd - -echo "Installing hatop..." -cp haproxy/hatop-${HATOP_VERSION} ${BOSH_INSTALL_TARGET}/bin/hatop -chmod 755 ${BOSH_INSTALL_TARGET}/bin/hatop -cp hatop-wrapper ${BOSH_INSTALL_TARGET}/ -chmod 755 ${BOSH_INSTALL_TARGET}/hatop-wrapper diff --git a/packages-multi/haproxy-openssl-patched/spec b/packages-multi/haproxy-openssl-patched/spec index 39a37282..70daa39c 100644 --- a/packages-multi/haproxy-openssl-patched/spec +++ b/packages-multi/haproxy-openssl-patched/spec @@ -1,10 +1,8 @@ --- name: haproxy-openssl-patched +dependencies: +- haproxy-deps files: - haproxy/haproxy-*.tar.gz -- haproxy/pcre2-*.tar.gz -- haproxy/socat-*.tar.gz -- haproxy/lua-*.tar.gz -- haproxy/hatop-* - haproxy/patches.tar.gz -- hatop-wrapper +- haproxy-versions.sh diff --git a/packages-multi/haproxy-openssl/packaging b/packages-multi/haproxy-openssl/packaging index baceb70a..9034f50a 100644 --- a/packages-multi/haproxy-openssl/packaging +++ b/packages-multi/haproxy-openssl/packaging 
@@ -1,51 +1,20 @@ set -euxo pipefail -LUA_VERSION=5.4.8 # https://www.lua.org/ftp/lua-5.4.8.tar.gz -PCRE_VERSION=10.47 # https://github.com/PCRE2Project/pcre2/releases/download/pcre2-10.47/pcre2-10.47.tar.gz -SOCAT_VERSION=1.8.1.1 # http://www.dest-unreach.org/socat/download/socat-1.8.1.1.tar.gz -HAPROXY_VERSION=3.2.16 # https://www.haproxy.org/download/3.2/src/haproxy-3.2.16.tar.gz -HATOP_VERSION=0.8.2 # https://github.com/jhunt/hatop/releases/download/v0.8.2/hatop +source haproxy-versions.sh +DEPS_DIR=/var/vcap/packages/haproxy-deps mkdir ${BOSH_INSTALL_TARGET}/bin -echo "Extracting lua..." -tar xzf haproxy/lua-${LUA_VERSION}.tar.gz -pushd lua-${LUA_VERSION} - make linux install INSTALL_TOP=${BOSH_INSTALL_TARGET} -popd - -echo "Extracting pcre..." -tar xzf haproxy/pcre2-${PCRE_VERSION}.tar.gz -pushd pcre2-${PCRE_VERSION} - ./configure \ - --enable-jit \ - --prefix ${BOSH_INSTALL_TARGET} - make - make install -popd - -echo "Installing socat..." -tar xzf haproxy/socat-${SOCAT_VERSION}.tar.gz -pushd socat-${SOCAT_VERSION} - ./configure - make - cp socat ${BOSH_INSTALL_TARGET}/bin - chmod 755 ${BOSH_INSTALL_TARGET}/bin/socat -popd - SSL_MAKE_FLAGS="USE_OPENSSL=1" echo "Unpacking HAproxy..." tar xf haproxy/haproxy-${HAPROXY_VERSION}.tar.gz pushd haproxy-${HAPROXY_VERSION} echo "Installing HAproxy..." - make TARGET=linux-glibc USE_PROMEX=1 ${SSL_MAKE_FLAGS} USE_PCRE2=1 USE_PCRE2_JIT=yes USE_STATIC_PCRE2=1 USE_ZLIB=1 PCRE2DIR=${BOSH_INSTALL_TARGET} USE_LUA=1 LUA_LIB=${BOSH_INSTALL_TARGET}/lib LUA_INC=${BOSH_INSTALL_TARGET}/include + make TARGET=linux-glibc USE_PROMEX=1 ${SSL_MAKE_FLAGS} \ + USE_PCRE2=1 USE_PCRE2_JIT=yes USE_STATIC_PCRE2=1 USE_ZLIB=1 \ + PCRE2DIR=${DEPS_DIR} \ + USE_LUA=1 LUA_LIB=${DEPS_DIR}/lib LUA_INC=${DEPS_DIR}/include cp haproxy ${BOSH_INSTALL_TARGET}/bin/ chmod 755 ${BOSH_INSTALL_TARGET}/bin/haproxy popd - -echo "Installing hatop..." 
-cp haproxy/hatop-${HATOP_VERSION} ${BOSH_INSTALL_TARGET}/bin/hatop -chmod 755 ${BOSH_INSTALL_TARGET}/bin/hatop -cp hatop-wrapper ${BOSH_INSTALL_TARGET}/ -chmod 755 ${BOSH_INSTALL_TARGET}/hatop-wrapper diff --git a/packages-multi/haproxy-openssl/spec b/packages-multi/haproxy-openssl/spec index d02f5f2e..2fe7bd5a 100644 --- a/packages-multi/haproxy-openssl/spec +++ b/packages-multi/haproxy-openssl/spec @@ -1,9 +1,7 @@ --- name: haproxy-openssl +dependencies: +- haproxy-deps files: - haproxy/haproxy-*.tar.gz -- haproxy/pcre2-*.tar.gz -- haproxy/socat-*.tar.gz -- haproxy/lua-*.tar.gz -- haproxy/hatop-* -- hatop-wrapper +- haproxy-versions.sh diff --git a/packages/haproxy/packaging b/packages/haproxy/packaging index 2ead2095..d3b78ff4 100644 --- a/packages/haproxy/packaging +++ b/packages/haproxy/packaging @@ -1,21 +1,7 @@ # abort script on failures set -euxo pipefail - -LUA_VERSION=5.4.8 # https://www.lua.org/ftp/lua-5.4.8.tar.gz - -PCRE_VERSION=10.47 # https://github.com/PCRE2Project/pcre2/releases/download/pcre2-10.47/pcre2-10.47.tar.gz - -SOCAT_VERSION=1.8.1.1 # http://www.dest-unreach.org/socat/download/socat-1.8.1.1.tar.gz - -HAPROXY_VERSION=3.2.19 # https://www.haproxy.org/download/3.2/src/haproxy-3.2.19.tar.gz - -HATOP_VERSION=0.8.2 # https://github.com/jhunt/hatop/releases/download/v0.8.2/hatop - -AWS_LC_VERSION=1.72.0 # https://github.com/aws/aws-lc/archive/refs/tags/v1.72.0.tar.gz -AWS_LC_FIPS_VERSION=3.3.0 # https://github.com/aws/aws-lc/archive/refs/tags/AWS-LC-FIPS-3.3.0.tar.gz -CMAKE_VERSION=3.31.6 # https://github.com/Kitware/CMake/releases/download/v3.31.6/cmake-3.31.6.tar.gz -GOLANG_VERSION=1.26.2 # https://go.dev/dl/go1.26.2.linux-amd64.tar.gz +source haproxy-versions.sh mkdir ${BOSH_INSTALL_TARGET}/bin diff --git a/packages/haproxy/spec b/packages/haproxy/spec index 65c27799..5609fbd5 100644 --- a/packages/haproxy/spec +++ b/packages/haproxy/spec @@ -7,3 +7,4 @@ files: - haproxy/lua-*.tar.gz - haproxy/hatop-* - hatop-wrapper +- haproxy-versions.sh 
diff --git a/scripts/dev-build.sh b/scripts/dev-build.sh index f95e1790..bd1dc5da 100755 --- a/scripts/dev-build.sh +++ b/scripts/dev-build.sh @@ -199,7 +199,7 @@ if should_build multi; then copy_multi_packages tar -czf haproxy-patches.tar.gz haproxy-patches bosh add-blob haproxy-patches.tar.gz haproxy/patches.tar.gz - sed -i.bak 's/^- haproxy$/- haproxy-openssl\n- haproxy-openssl-patched\n- haproxy-awslc\n- haproxy-awslc-patched\n- haproxy-awslc-fips\n- haproxy-awslc-fips-patched/' "$JOB_SPEC_FILE" + sed -i.bak 's/^- haproxy$/- haproxy-deps\n- haproxy-openssl\n- haproxy-openssl-patched\n- haproxy-awslc\n- haproxy-awslc-patched\n- haproxy-awslc-fips\n- haproxy-awslc-fips-patched/' "$JOB_SPEC_FILE" rm -f "${JOB_SPEC_FILE}.bak" build_release "multi" remove_multi_packages diff --git a/src/haproxy-versions.sh b/src/haproxy-versions.sh new file mode 100644 index 00000000..b9c416a0 --- /dev/null +++ b/src/haproxy-versions.sh @@ -0,0 +1,13 @@ +#!/usr/bin/env bash +# Shared version definitions for all HAProxy packages. +# Sourced by packaging scripts in packages/ and packages-multi/. + +HAPROXY_VERSION=3.2.16 # https://www.haproxy.org/download/3.2/src/haproxy-3.2.16.tar.gz +LUA_VERSION=5.4.8 # https://www.lua.org/ftp/lua-5.4.8.tar.gz +PCRE_VERSION=10.47 # https://github.com/PCRE2Project/pcre2/releases/download/pcre2-10.47/pcre2-10.47.tar.gz +SOCAT_VERSION=1.8.1.1 # http://www.dest-unreach.org/socat/download/socat-1.8.1.1.tar.gz +HATOP_VERSION=0.8.2 # https://github.com/jhunt/hatop/releases/download/v0.8.2/hatop +AWS_LC_VERSION=1.72.0 # https://github.com/aws/aws-lc/archive/refs/tags/v1.72.0.tar.gz +AWS_LC_FIPS_VERSION=3.3.0 # https://github.com/aws/aws-lc/archive/refs/tags/AWS-LC-FIPS-3.3.0.tar.gz +CMAKE_VERSION=3.31.6 # https://github.com/Kitware/CMake/releases/download/v3.31.6/cmake-3.31.6.tar.gz +GOLANG_VERSION=1.26.2 # https://go.dev/dl/go1.26.2.linux-amd64.tar.gz From 0b29f15cc921b3f97227d8680b24e38ea5996eb8 Mon Sep 17 00:00:00 2001 
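Review bot: `HAPROXY_VERSION=3.2.16` in the new `src/haproxy-versions.sh` is older than the `HAPROXY_VERSION=3.2.19` that this same commit removes from `packages/haproxy/packaging`, so at this commit the single-package release silently moves back to 3.2.16 (or fails to unpack, if only the 3.2.19 blob is registered; the blob list is not visible at this point). A later patch in the series bumps the shared file to 3.2.19, but creating it with `HAPROXY_VERSION=3.2.19 # https://www.haproxy.org/download/3.2/src/haproxy-3.2.19.tar.gz` keeps every intermediate commit buildable and on the newer release. The socat comment also still records an `http://` download URL; a line in the file header stating that these URLs are informational and that blobs are pinned by digest in `config/blobs.yml` would avoid someone fetching from it unverified.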
From: Clemens Hoffmann Date: Wed, 20 May 2026 14:27:49 +0200 Subject: [PATCH 17/20] Mention dev-build script in README --- README.md | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/README.md b/README.md index 4da0389a..907d9dd6 100644 --- a/README.md +++ b/README.md @@ -81,3 +81,20 @@ Unit/RSpec tests can also be debugged/stepped through when needed. See for examp ### Acceptance Tests See [acceptance-tests README](/acceptance-tests/README.md). + +### Local Dev Builds + +`scripts/dev-build.sh` builds release tarballs for any combination of the seven variants +(`openssl`, `openssl-patched`, `awslc`, `awslc-patched`, `awslc-fips`, `awslc-fips-patched`, `multi`) +and uploads them to the targeted BOSH director. Useful for iterating on packaging changes +without going through CI. + +```bash +./scripts/dev-build.sh # build all 7 variants, version=dev +./scripts/dev-build.sh multi # build only the multi release +./scripts/dev-build.sh awslc awslc-fips # build a subset +./scripts/dev-build.sh --version 1.0 multi # custom version tag +./scripts/dev-build.sh --upload-only # re-upload previously built tarballs +``` + +Tarballs are written to `./dev-releases/` and uploaded with `bosh upload-release --fix`. From 10cd751f9b5cda0ea009a74695ffff95df75dd95 Mon Sep 17 00:00:00 2001 From: Clemens Hoffmann Date: Wed, 20 May 2026 15:31:59 +0200 Subject: [PATCH 18/20] Replace HAPROXY_AWSLC/HAPROXY_AWSLC_FIPS/HAPROXY_MULTI with single VARIANT env var --- acceptance-tests/README.md | 17 ++++++++ acceptance-tests/run-local.sh | 4 +- ci/pipeline.yml | 4 +- ci/scripts/functions-ci.sh | 78 +++++++++++++++++++++++++++++------ 4 files changed, 86 insertions(+), 17 deletions(-) diff --git a/acceptance-tests/README.md b/acceptance-tests/README.md index c8ff20c3..ee4475d5 100644 --- a/acceptance-tests/README.md +++ b/acceptance-tests/README.md 
@@ -12,6 +12,23 @@ cd acceptance-tests ./run-local.sh ``` +### TLS Backend Variant + +By default the tests run against HAProxy linked to the system OpenSSL from the stemcell. To exercise a different TLS backend, set the `VARIANT` environment variable: + +```shell +VARIANT=awslc ./run-local.sh # AWS-LC, non-FIPS +VARIANT=awslc-fips ./run-local.sh # AWS-LC FIPS +VARIANT=patched ./run-local.sh # system OpenSSL + HAProxy patches +VARIANT=awslc-patched ./run-local.sh # AWS-LC + patches +VARIANT=awslc-fips-patched ./run-local.sh # AWS-LC FIPS + patches +VARIANT=multi ./run-local.sh # multi release (all binaries bundled) +``` + +A single invocation runs the suite **once** against the chosen variant — `run-local.sh` is not a matrix runner. To cover several variants, invoke it once per variant in a shell loop. Each run rebuilds the BOSH release from scratch, and AWS-LC variants compile the library inside the BOSH compilation VM, so a full sweep takes hours rather than minutes. + +When using `-k` (keep BOSH running, see below) the cached state belongs to whichever variant ran last — switching `VARIANT` inside a kept container is not supported. Stop the container between variants, or run without `-k`. + ### Running on Docker for Mac Acceptance tests cannot be run on Mac with arm64 architecture: diff --git a/acceptance-tests/run-local.sh b/acceptance-tests/run-local.sh index 1cb4b70a..4c4c3fc6 100755 --- a/acceptance-tests/run-local.sh +++ b/acceptance-tests/run-local.sh 
@@ -94,9 +94,9 @@ if [ -n "$KEEP_RUNNING" ] ; then echo echo "*** KEEP_RUNNING enabled. Please clean up docker scratch after removing containers: ${DOCKER_SCRATCH}" echo - docker run --privileged -v "$REPO_DIR":/repo -v "${DOCKER_SCRATCH}":/scratch/docker -e REPO_ROOT=/repo -e FOCUS="${FOCUS}" -e PARALLELISM="${PARALLELISM}" -e KEEP_RUNNING="${KEEP_RUNNING}" haproxy-boshrelease-testflight bash -c "cd /repo/ci/scripts && ./acceptance-tests ; sleep infinity" + docker run --privileged -v "$REPO_DIR":/repo -v "${DOCKER_SCRATCH}":/scratch/docker -e REPO_ROOT=/repo -e FOCUS="${FOCUS}" -e PARALLELISM="${PARALLELISM}" -e KEEP_RUNNING="${KEEP_RUNNING}" -e VARIANT="${VARIANT:-}" haproxy-boshrelease-testflight bash -c "cd /repo/ci/scripts && ./acceptance-tests ; sleep infinity" else - docker run --rm --privileged -v "$REPO_DIR":/repo -v "${DOCKER_SCRATCH}":/scratch/docker -e REPO_ROOT=/repo -e KEEP_RUNNING="" -e PARALLELISM="${PARALLELISM}" haproxy-boshrelease-testflight bash -c "cd /repo/ci/scripts && ./acceptance-tests" + docker run --rm --privileged -v "$REPO_DIR":/repo -v "${DOCKER_SCRATCH}":/scratch/docker -e REPO_ROOT=/repo -e KEEP_RUNNING="" -e PARALLELISM="${PARALLELISM}" -e VARIANT="${VARIANT:-}" haproxy-boshrelease-testflight bash -c "cd /repo/ci/scripts && ./acceptance-tests" echo "Cleaning up docker scratch: ${DOCKER_SCRATCH}" sudo rm -rf "${DOCKER_SCRATCH}" fi diff --git a/ci/pipeline.yml b/ci/pipeline.yml index 18c051f4..b46a4aef 100644 --- a/ci/pipeline.yml +++ b/ci/pipeline.yml @@ -176,7 +176,7 @@ jobs: args: [] params: REPO_ROOT: git - HAPROXY_AWSLC: "true" + VARIANT: awslc on_failure: put: notify params: @@ -210,7 +210,7 @@ jobs: args: [] params: REPO_ROOT: git - HAPROXY_AWSLC_FIPS: "true" + VARIANT: awslc-fips on_failure: put: notify params: diff --git a/ci/scripts/functions-ci.sh b/ci/scripts/functions-ci.sh index d39ef87e..4d7eb356 100755 --- a/ci/scripts/functions-ci.sh +++ b/ci/scripts/functions-ci.sh 
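Review bot: `VARIANT` is forwarded into both `docker run` calls without any check, so a typo is only rejected by `bosh_release` after the privileged container has started and the test harness has begun setting up. A guard near the top of `run-local.sh` would fail fast, for example `case "${VARIANT:-}" in ""|openssl|patched|awslc|awslc-patched|awslc-fips|awslc-fips-patched|multi) ;; *) echo "unknown VARIANT" >&2; exit 1 ;; esac`. The enclosing `if` block starts and ends outside this hunk, so an existing check elsewhere in the script cannot be ruled out.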
@@ -54,21 +54,73 @@ function bosh_release() { echo "----- Creating candidate BOSH release..." bosh -n reset-release # in case dev_releases/ is in repo accidentally - if [ "${HAPROXY_MULTI:-}" == "true" ]; then - echo "----- Building multi release (all variants, property-driven selection)..." - cp -r packages-multi/* packages/ + local variant="${VARIANT:-}" + local add_patches=false + local base="" + + case "$variant" in + ""|openssl) + base="openssl" + ;; + patched) + base="openssl" + add_patches=true + ;; + awslc) + base="awslc" + ;; + awslc-patched) + base="awslc" + add_patches=true + ;; + awslc-fips) + base="awslc-fips" + ;; + awslc-fips-patched) + base="awslc-fips" + add_patches=true + ;; + multi) + base="multi" + ;; + *) + echo "ERROR: unknown VARIANT '$variant' (valid: '', patched, awslc, awslc-patched, awslc-fips, awslc-fips-patched, multi)" >&2 + return 1 + ;; + esac + + echo "----- VARIANT='${variant}' -> base='${base}', patched=${add_patches}" + + case "$base" in + openssl) + ;; + awslc) + echo "----- Adding AWS-LC blobs to haproxy package spec..." + echo "- haproxy/aws-lc-v*.tar.gz" >> packages/haproxy/spec + echo "- haproxy/cmake-*.tar.gz" >> packages/haproxy/spec + ;; + awslc-fips) + echo "----- Adding AWS-LC FIPS blobs to haproxy package spec..." + echo "- haproxy/aws-lc-fips-*.tar.gz" >> packages/haproxy/spec + echo "- haproxy/cmake-*.tar.gz" >> packages/haproxy/spec + echo "- haproxy/golang-*.tar.gz" >> packages/haproxy/spec + ;; + multi) + echo "----- Building multi release (all variants, property-driven selection)..." + cp -r packages-multi/* packages/ + sed -i 's/^- haproxy$/- haproxy-deps\n- haproxy-openssl\n- haproxy-openssl-patched\n- haproxy-awslc\n- haproxy-awslc-patched\n- haproxy-awslc-fips\n- haproxy-awslc-fips-patched/' jobs/haproxy/spec + # multi always bundles the patched binaries, so the patches blob is required + add_patches=true + ;; + esac + + if [ "$add_patches" == "true" ]; then + echo "----- Adding HAProxy patches blob..." 
tar -czvf haproxy-patches.tar.gz haproxy-patches bosh add-blob haproxy-patches.tar.gz haproxy/patches.tar.gz - sed -i 's/^- haproxy$/- haproxy-deps\n- haproxy-openssl\n- haproxy-openssl-patched\n- haproxy-awslc\n- haproxy-awslc-patched\n- haproxy-awslc-fips\n- haproxy-awslc-fips-patched/' jobs/haproxy/spec - elif [ "${HAPROXY_AWSLC_FIPS:-}" == "true" ]; then - echo "----- Adding AWS-LC FIPS blobs to haproxy package spec..." - echo "- haproxy/aws-lc-fips-*.tar.gz" >> packages/haproxy/spec - echo "- haproxy/cmake-*.tar.gz" >> packages/haproxy/spec - echo "- haproxy/golang-*.tar.gz" >> packages/haproxy/spec - elif [ "${HAPROXY_AWSLC:-}" == "true" ]; then - echo "----- Adding AWS-LC blobs to haproxy package spec..." - echo "- haproxy/aws-lc-v*.tar.gz" >> packages/haproxy/spec - echo "- haproxy/cmake-*.tar.gz" >> packages/haproxy/spec + if [ "$base" != "multi" ]; then + echo "- haproxy/patches.tar.gz" >> packages/haproxy/spec + fi fi bosh create-release --force From 5f4da9c1680624e2328c1042372d20342d862e20 Mon Sep 17 00:00:00 2001 From: Clemens Hoffmann Date: Wed, 20 May 2026 15:38:32 +0200 Subject: [PATCH 19/20] Bump HAProxy to 3.2.19 --- config/blobs.yml | 3 --- src/haproxy-versions.sh | 2 +- 2 files changed, 1 insertion(+), 4 deletions(-) diff --git a/config/blobs.yml b/config/blobs.yml index ba4463d7..746154c5 100644 --- a/config/blobs.yml +++ b/config/blobs.yml @@ -26,9 +26,6 @@ haproxy/lua-5.4.8.tar.gz: size: 374332 object_id: 11cb896a-5089-432c-7652-fb5504bd13ff sha: sha256:4f18ddae154e793e46eeab727c59ef1c0c0c2b744e7b94219710d76f530629ae -haproxy/patches.tar.gz: - size: 1009 - sha: sha256:2369508362be682d749171f3875105e2e7b0dfe6f33dbefcaef5d07bddecb7f8 haproxy/pcre2-10.47.tar.gz: size: 2792969 object_id: 37761873-8904-4a27-4b0c-df645dffd609 diff --git a/src/haproxy-versions.sh b/src/haproxy-versions.sh index b9c416a0..50f1dc61 100644 --- a/src/haproxy-versions.sh +++ b/src/haproxy-versions.sh 
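Review bot: The `case "$variant"` table accepts `patched` but not `openssl-patched`, while `scripts/dev-build.sh` and the top-level README name the same variant `openssl-patched`; a caller reusing that name lands in the error branch. Accepting both with `patched|openssl-patched)` would align the two tools, and the error text should list `openssl`, which is accepted but missing from the "valid:" list. Note also that every non-openssl branch appends to `packages/haproxy/spec` with `>>` (and `multi` rewrites `jobs/haproxy/spec` in place), so calling `bosh_release` twice on the same checkout would duplicate entries; a comment stating that the function expects a clean working tree would document that. The body of `bosh_release` continues outside this hunk.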
@@ -2,7 +2,7 @@ # Shared version definitions for all HAProxy packages. # Sourced by packaging scripts in packages/ and packages-multi/. -HAPROXY_VERSION=3.2.16 # https://www.haproxy.org/download/3.2/src/haproxy-3.2.16.tar.gz +HAPROXY_VERSION=3.2.19 # https://www.haproxy.org/download/3.2/src/haproxy-3.2.19.tar.gz LUA_VERSION=5.4.8 # https://www.lua.org/ftp/lua-5.4.8.tar.gz PCRE_VERSION=10.47 # https://github.com/PCRE2Project/pcre2/releases/download/pcre2-10.47/pcre2-10.47.tar.gz SOCAT_VERSION=1.8.1.1 # http://www.dest-unreach.org/socat/download/socat-1.8.1.1.tar.gz From 41e73e52cac5d37a170bd403f765c66718c33680 Mon Sep 17 00:00:00 2001 From: Clemens Hoffmann Date: Wed, 20 May 2026 16:17:47 +0200 Subject: [PATCH 20/20] Use timestamped versions in dev-build.sh --- scripts/dev-build.sh | 58 ++++++++++++++++++++++++++++++++++++-------- 1 file changed, 48 insertions(+), 10 deletions(-) diff --git a/scripts/dev-build.sh b/scripts/dev-build.sh index bd1dc5da..b195b059 100755 --- a/scripts/dev-build.sh +++ b/scripts/dev-build.sh 
@@ -4,19 +4,27 @@ # # Builds HAProxy release variants locally and uploads them to the BOSH director. # -# Usage: ./scripts/dev-build.sh [--upload-only] [--version VERSION] [--output-dir DIR] [variant...] +# Usage: ./scripts/dev-build.sh [--upload-only] [--version BASE] [--output-dir DIR] [variant...] # # Variants: # openssl, openssl-patched, awslc, awslc-patched, awslc-fips, awslc-fips-patched, multi # # If no variants are specified, all 7 are built. # +# Versioning: +# Each invocation produces release versions of the form +# +dev[-]. +# e.g. "16.9.0+dev.1779286286" (openssl), "16.9.0+dev-awslc.1779286286" (awslc). +# BASE defaults to the highest existing final release in releases/haproxy/ (or 0.0.0 if none), +# and can be overridden with --version. Each run uses a fresh timestamp, so previously +# built tarballs do not need to be deleted before rebuilding. +# # Examples: -# ./scripts/dev-build.sh # build all 7, version=dev -# ./scripts/dev-build.sh multi # build only multi, version=dev -# ./scripts/dev-build.sh --version 1.0 multi # build only multi, version=1.0 +# ./scripts/dev-build.sh # build all 7, BASE=highest final release +# ./scripts/dev-build.sh multi # build only multi +# ./scripts/dev-build.sh --version 17.0.0 multi # override BASE # ./scripts/dev-build.sh awslc awslc-fips # build awslc and awslc-fips -# ./scripts/dev-build.sh --upload-only # upload previously built releases +# ./scripts/dev-build.sh --upload-only # upload everything in dev-releases/ # # Prerequisites: # - All blobs present locally (bosh add-blob done for aws-lc, cmake, golang, aws-lc-fips) @@ -39,7 +47,7 @@ is_variant() { } UPLOAD_ONLY=false -VERSION="dev" +BASE_VERSION="" OUTPUT_DIR="./dev-releases" VARIANTS=() @@ -50,7 +58,7 @@ while [[ $# -gt 0 ]]; do shift ;; --version) - VERSION="$2" + BASE_VERSION="$2" shift 2 ;; --output-dir) 
@@ -74,6 +82,20 @@ if [[ ${#VARIANTS[@]} -eq 0 ]]; then VARIANTS=("${ALL_VARIANTS[@]}") fi +# Derive base version from the highest existing final release if --version not given. +# Final releases live in releases/haproxy/haproxy-[+meta].yml +if [[ -z "$BASE_VERSION" ]]; then + BASE_VERSION=$( + ls releases/haproxy/haproxy-*.yml 2>/dev/null \ + | sed 's|.*/haproxy-||;s|\.yml$||;s|+.*||' \ + | sort -V \ + | tail -1 + ) + BASE_VERSION="${BASE_VERSION:-0.0.0}" +fi + +TIMESTAMP=$(date +%s) + should_build() { local variant="$1" for v in "${VARIANTS[@]}"; do @@ -120,8 +142,9 @@ add_patches_to_spec() { build_release() { local variant="$1" - local version="$VERSION" - [[ -n "$variant" ]] && version="${VERSION}-${variant}" + local suffix="dev" + [[ -n "$variant" ]] && suffix="dev-${variant}" + local version="${BASE_VERSION}+${suffix}.${TIMESTAMP}" local tarball="$OUTPUT_DIR/haproxy-${version}.tgz" echo "" @@ -214,10 +237,25 @@ echo " Uploading releases to BOSH director" echo "========================================" echo "" -for tgz in "$OUTPUT_DIR"/haproxy-"${VERSION}"*.tgz; do +if [[ "$UPLOAD_ONLY" == true ]]; then + upload_glob="$OUTPUT_DIR/haproxy-*.tgz" +else + upload_glob="$OUTPUT_DIR/haproxy-*.${TIMESTAMP}.tgz" +fi + +shopt -s nullglob +uploaded=0 +for tgz in $upload_glob; do echo "Uploading: $tgz" bosh upload-release "$tgz" --fix + uploaded=$((uploaded + 1)) done +shopt -u nullglob + +if [[ $uploaded -eq 0 ]]; then + echo "No tarballs matching '$upload_glob' to upload." >&2 + exit 1 +fi echo "" echo "Done."
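Review bot: The `0.0.0` fallback in the `BASE_VERSION` derivation may never be reached: when no `releases/haproxy/haproxy-*.yml` exists, `ls` exits non-zero, and if the script runs with `set -e` and `pipefail` (its option line is not visible in this hunk) the failed command substitution aborts the script before `BASE_VERSION="${BASE_VERSION:-0.0.0}"` runs. Making the listing tolerant fixes that, e.g. `{ ls releases/haproxy/haproxy-*.yml 2>/dev/null || true; } \` as the first stage of the pipeline. The path is also relative, so the result depends on the script being started from the repository root; a comment saying so, or anchoring the path on the script's own directory, would remove the ambiguity.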
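Review bot: `for tgz in $upload_glob` in the upload hunk expands the pattern unquoted, so an `--output-dir` value containing spaces or glob characters is word-split and the loop uploads the wrong paths or nothing. Keeping the directory quoted and only the wildcard bare avoids this: set `upload_suffix=""` for `--upload-only` and `upload_suffix=".${TIMESTAMP}"` otherwise, then loop with `for tgz in "$OUTPUT_DIR"/haproxy-*"${upload_suffix}".tgz; do`. The "No tarballs matching" message would then print the directory and suffix instead of `$upload_glob`. Since `--upload-only` now pushes every tarball in the directory with `--fix`, including stale builds from earlier runs, printing the list before uploading would make that visible.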