This PR is a work in progress. Sending it to start get comments about whether the direction wise look good.

There are pending issues need to be done:

1. Build in Apple system.
2. get "blaze test ..." working
3. There are temporary code change in wasm.cc, dns_filter_resolver.h, and some config validation files. Need to address them.
   4)...

/assign @htuch @yanavlasov @jmarantz @adisuissa

This PR is still working in progress as mentioned above. However, I would like to send out this preliminary version out to get comments.
This way, in case there is direction wise issue in the approach, we can correct it earlier.

Thanks!

I think this PR also closes #17335.

/assign krajshiva

krajshiva cannot be assigned to this issue.

/wait

CC @envoyproxy/api-shepherds: Your approval is needed for changes made to api/envoy/.
envoyproxy/api-shepherds assignee is @adisuissa
CC @envoyproxy/api-watchers: FYI only for changes made to api/envoy/.

Ping when it's time again to take another look

/wait

I think this PR also closes #17335.

thanks!

I think we do? If you hard-code them into the build as we do with TLS it works. I had to do that when I made upstreams pluggable (https://github.com/envoyproxy/envoy/pull/13548/files#) but all the things have changed since then so not convinced a reference PR will be useful.

I guess when we do this:

https://github.com/envoyproxy/envoy/pull/17479/files#diff-33a9f1c9c5215b2ad3cfad885d23057b73805a1e2f5ce27fc3349e7079341016R10-R11

It doesn't work unless it's in the custom build config. I guess that's OK, and we can fix this on the EM side.

@yanjunxiang-google I think we should update this also? https://github.com/envoyproxy/envoy/blob/main/ci/osx-build-config/extensions_build_config.bzl

I think we do? If you hard-code them into the build as we do with TLS it works. I had to do that when I made upstreams pluggable (https://github.com/envoyproxy/envoy/pull/13548/files#) but all the things have changed since then so not convinced a reference PR will be useful.

We use the same mechanism to make DNS resolvers required as for TLS, by adding them to the _required_extensions here https://github.com/envoyproxy/envoy/pull/17479/files#diff-33a9f1c9c5215b2ad3cfad885d23057b73805a1e2f5ce27fc3349e7079341016R10-R11

so EM must be not using this mechanism.

@yanjunxiang-google I think we should update this also? https://github.com/envoyproxy/envoy/blob/main/ci/osx-build-config/extensions_build_config.bzl

I think this one should work fine, since it will add everything in _required_extensions.

so EM must be not using this mechanism.

It's using the same build system, so there must be something else going on? cc @keith

@yanjunxiang-google I think we should update this also? https://github.com/envoyproxy/envoy/blob/main/ci/osx-build-config/extensions_build_config.bzl

I think this one should work fine, since it will add everything in _required_extensions.

Ok, let me add this.

Ok, let me add this.

Per @yanavlasov maybe there is something else going on? I guess we need to get to the bottom of it. Either we should add it or we need to figure out a different build issue.

Ok, let me add this.

Per @yanavlasov maybe there is something else going on? I guess we need to get to the bottom of it. Either we should add it or we need to figure out a different build issue.

okay, sounds good.

Earlier stage of this PR, I had been hard-coding c-ares and apple DNS resolver extension into Envoy binary as below. This way, they are always compiled in (based on OS), and not gated by the extension_build_config.bzl (or any other .bzl) file. This should get the EM build pass. Is this the right direction to go?

diff --git a/source/common/event/BUILD b/source/common/event/BUILD
index f847b9dd6..08a979d1e 100644
--- a/source/common/event/BUILD
+++ b/source/common/event/BUILD
@@ -44,11 +44,11 @@ envoy_cc_library(
"//source/common/common:assert_lib",
"//source/common/common:thread_lib",
"//source/common/filesystem:watcher_lib",
'-' "//source/common/network:dns_lib",
"//source/common/network:connection_lib",
"//source/common/network:listener_lib",
'+' "//source/extensions/network/dns_resolver/cares:config",
] + select({
'-' "//bazel:apple": ["//source/common/network:apple_dns_lib"],
'+' "//bazel:apple": ["//source/extensions/network/dns_resolver/apple:config"],
"//conditions:default": [],
}),
)

Per @yanavlasov maybe there is something else going on? I guess we need to get to the bottom of it. Either we should add it or we need to figure out a different build issue.

I've just built linux envoy-static using ci/osx-build-config and did include cares DNS resolver. So i'm fairly confident that DNS resolvers are added by default and there is something in EM build that prevents it.

I just looked through the code, and I think the problem must have to do with the extension registry h/cc files that exist in EM to force registration. I think this is missing for apple.

IMO what you have is OK, and EM can add the new registry for the apple stuff, but can we make it fail in a more obvious way? For example, here:

https://github.com/envoyproxy/envoy/pull/17479/files#diff-45b2fec2b06ec0ddec48315ea6b40a3c76edd07b46df14233ccbbd498818adc9R37-R38

Instead of checking for null when you try to do a default setup, can you actually gate this on #ifdef __APPLE__ and just release assert if the extension is not available? This should work fine for OSX CI per the above discussion, then EM will fail in an obvious way and we can fix that.

wdyt? Should be a very small change.

cc @goaway

HI, @mattklein123 ,

If adding a check something like below is purely to flag the extension build file issue, then is it really worthwhile?

'#ifdef APPLE'
if envoy.restart_features.use_apple_api_for_dns_lookups == true &&
Config::Utility::getAndCheckFactoryByNameNetwork::DnsResolverFactory(std::string(AppleDnsResolver), true) == nullptr
RELEASE_ASSERT()

#endif

We have other means to easily spot this extension build file issue, e.g., check the bootstrapping logs:

[2021-10-14 18:06:35.672][1889399][info][main] [source/server/server.cc:371] statically linked extensions:
...
[2021-10-14 18:06:35.672][1889399][info][main] [source/server/server.cc:373] envoy.network.dns_resolver: envoy.network.dns_resolver.cares <<------ Is this dns_resolver extension (apple for macOS) show up in the log? If it's missing, then it's a problem.

and:
"Didn't find a registered implementation for name: 'envoy.network.dns_resolver.cares'"
<<-------This is very good indication of the extensions are not included correctly.

ccing @htuch for his opinion on adding back the "#ifdef APPLE".

thanks,
Yanjun

I don't want to actually check the logs, because it's going to fall back to c-ares in a non-obvious way.

All I'm saying to do is in the checkApple function do:

1. If not #ifdef apple just do nothing/return.
2. Otherwise pull the apple config and let it fail/crash if not there to indicate a build issue.

HI, @mattklein123 ,

Thanks for the comments. I modified checkUseAppleApiForDnsLookups() function to add the #ifdef APPLE, RELEASE_ASSERT() logic you mentioned.

PTAL.