Configure Bazel build system for OpenSSL and multi-architecture support

This commit adapts the Bazel build configuration to support building Envoy
with OpenSSL instead of BoringSSL, and adds support for s390x and ppc64le
architectures.

Build system changes:
- Add bssl-compat as local_repository in WORKSPACE
- Configure OpenSSL as external dependency (bazel/external/openssl.BUILD)
- Disable QUIC/HTTP3 support (uses boringssl=fips mode to exclude QUIC)
- Add nofips tag filtering to exclude QUIC tests and code

Multi-architecture support:
- s390x patches: BoringSSL, Quiche, gRPC, proxy-wasm, rules_foreign_cc
- ppc64le patches: V8, luajit2 support
- Architecture-specific build flags for missing headers (hwcap.h)

Dependency patches:
- jwt_verify_lib: Handle OpenSSL opaque structures
- proxy_wasm_cpp_host: Remove hardcoded -lcrypto on s390x
- rules_foreign_cc: Build fixes for s390x
- rules_go: ppc64le build support

OpenSSL-specific configuration (openssl/bazelrc):
- Test environment limited to IPv4 only
- QUIC excluded via boringssl=fips define
- LLVM/Clang paths for bssl-compat prefixer tool

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
Signed-off-by: Jonh Wendell <jwendell@redhat.com>

Author: jwendell

.bazelrc

@@ -599,3 +599,5 @@ try-import %workspace%/repo.bazelrc
 try-import %workspace%/clang.bazelrc
 try-import %workspace%/user.bazelrc
 try-import %workspace%/local_tsan.bazelrc
+
+import %workspace%/openssl/bazelrc

.gitmodules

@@ -1,5 +1,10 @@
 workspace(name = "envoy")
 
+local_repository(
+    name = "bssl-compat",
+    path = "bssl-compat",
+)
+
 load("//bazel:api_binding.bzl", "envoy_api_binding")
 
 envoy_api_binding()

WORKSPACE

@@ -547,25 +547,14 @@ config_setting(
 )
 
 # Alias pointing to the selected version of BoringSSL:
-# - BoringSSL FIPS from @boringssl_fips//:ssl,
-# - non-FIPS BoringSSL from @boringssl//:ssl.
-# - aws-lc from @aws_lc//:ssl
 alias(
     name = "boringssl",
-    actual = select({
-        "//bazel:boringssl_fips_ppc": "@aws_lc//:ssl",
-        "//bazel:boringssl_fips_not_ppc": "@boringssl_fips//:ssl",
-        "//conditions:default": "@boringssl//:ssl",
-    }),
+    actual = "@envoy//bssl-compat:ssl"
 )
 
 alias(
     name = "boringcrypto",
-    actual = select({
-        "//bazel:boringssl_fips_ppc": "@aws_lc//:crypto",
-        "//bazel:boringssl_fips_not_ppc": "@boringssl_fips//:crypto",
-        "//conditions:default": "@boringssl//:crypto",
-    }),
+    actual = "@envoy//bssl-compat:crypto"
 )
 
 config_setting(

bazel/BUILD

@@ -92,11 +92,14 @@ def envoy_contrib_package():
 def _envoy_directory_genrule_impl(ctx):
     tree = ctx.actions.declare_directory(ctx.attr.name + ".outputs")
     ctx.actions.run_shell(
-        inputs = ctx.files.srcs,
+        inputs = ctx.files.srcs + ctx.files._openssl_libs,
         tools = ctx.files.tools,
         outputs = [tree],
         command = "mkdir -p " + tree.path + " && " + ctx.expand_location(ctx.attr.cmd),
-        env = {"GENRULE_OUTPUT_DIR": tree.path},
+        env = {
+            "GENRULE_OUTPUT_DIR": tree.path,
+            "LD_LIBRARY_PATH": ":".join([f.dirname for f in ctx.files._openssl_libs]),
+        },
         use_default_shell_env = True,
         toolchain = None,
     )
@@ -108,6 +111,10 @@ envoy_directory_genrule = rule(
         "srcs": attr.label_list(),
         "cmd": attr.string(),
         "tools": attr.label_list(),
+        "_openssl_libs": attr.label(
+            default = Label("@openssl//:libs"),
+            allow_files = True,
+        ),
     },
 )
 

bazel/envoy_build_system.bzl

@@ -11,9 +11,11 @@ def envoy_cc_platform_dep(name):
         "//conditions:default": [name + "_posix"],
     })
 
+# When building on bssl-compat, ignore whether we are building with BoringSSL
+# in FIPS or non FIPS mode, and just pretend it's in the default non-FIPS mode.
 def envoy_select_boringssl(if_fips, default = None, if_disabled = None):
     return select({
-        "@envoy//bazel:boringssl_fips": if_fips,
+        "@envoy//bazel:boringssl_fips": default or [],
         "@envoy//bazel:boringssl_disabled": if_disabled or [],
         "//conditions:default": default or [],
     })

bazel/envoy_select.bzl

@@ -0,0 +1,42 @@
+load("@rules_foreign_cc//foreign_cc:configure.bzl", "configure_make")
+
+licenses(["notice"])  # Apache 2
+
+filegroup(
+    name = "all",
+    srcs = glob(["**"]),
+    visibility = ["//visibility:public"],
+)
+
+configure_make(
+    name = "openssl",
+    lib_source = ":all",
+    configure_in_place = True,
+    configure_command = "Configure",
+    configure_options = ["--libdir=lib"],
+    targets = ["build_sw", "install_sw"],
+    args = ["-j"],
+    out_lib_dir = "lib",
+    out_shared_libs = ["libssl.so.3", "libcrypto.so.3"],
+    visibility = ["//visibility:public"],
+)
+
+filegroup(
+    name = "libssl",
+    srcs = [":openssl"],
+    output_group = "libssl.so.3",
+    visibility = ["//visibility:private"],
+)
+
+filegroup(
+    name = "libcrypto",
+    srcs = [":openssl"],
+    output_group = "libcrypto.so.3",
+    visibility = ["//visibility:private"],
+)
+
+filegroup(
+    name = "libs",
+    srcs = [":libssl", ":libcrypto"],
+    visibility = ["//visibility:public"],
+)