build krb5 with bazel (#44326)

### What does this PR do?

Build krb5 with bazel

### Motivation

Migration of our 3rd party dependencies to bazel
https://datadoghq.atlassian.net/browse/ABLD-274

### Describe how you validated your changes

Local build for linux x86_64

### Additional Notes

This PR also contains a patch that can be seen as a PR upstream: bazel-contrib/rules_foreign_cc#1451

This will drop all the executables that we currently install:
```
bin/compile_et  
bin/gss-client  
bin/k5srvutil   
bin/kadmin      
bin/kdestroy    
bin/kinit       
bin/klist       
bin/kpasswd     
bin/krb5-config 
bin/ksu         
bin/kswitch     
bin/ktutil      
bin/kvno        
bin/sclient     
bin/sim_client  
bin/uuclient    
```
and
```
sbin/gss-server   
sbin/kadmin.local 
sbin/kadmind      
sbin/kdb5_util    
sbin/kprop        
sbin/kpropd       
sbin/kproplog     
sbin/krb5-send-pr 
sbin/krb5kdc      
sbin/sim_server   
sbin/sserver      
sbin/uuserver     
```

Co-authored-by: hugo.beauzee <[email protected]>

Author: chouquette

bazel/patches/rules_foreign_cc/0001-include-out_data_dirs-to-the-output-groups.patch

@@ -0,0 +1,42 @@
+From af72bc8c79be86e14b3b46bd1207c23365c988d7 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Hugo=20Beauz=C3=A9e-Luyssen?= <[email protected]>
+Date: Thu, 27 Nov 2025 13:57:04 +0100
+Subject: [PATCH] include out_data_dirs to the output groups
+
+---
+ foreign_cc/private/framework.bzl | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/foreign_cc/private/framework.bzl b/foreign_cc/private/framework.bzl
+index eb7632d..fd354b7 100644
+--- a/foreign_cc/private/framework.bzl
++++ b/foreign_cc/private/framework.bzl
+@@ -598,7 +598,8 @@ def cc_external_rule_impl(ctx, attrs):
+         outputs.libraries.static_libraries +
+         outputs.libraries.shared_libraries +
+         ([outputs.out_include_dir] if outputs.out_include_dir else []) +
+-        ([outputs.out_pc_dir] if outputs.out_pc_dir else [])
++        ([outputs.out_pc_dir] if outputs.out_pc_dir else []) +
++        (outputs.data_dirs if outputs.data_dirs else [])
+     )
+     output_groups = _declare_output_groups(installdir_copy.file, output_groups)
+     wrapped_files = [
+@@ -849,6 +850,7 @@ _Outputs = provider(
+         out_binary_files = "Binary files, which will be created by the action",
+         libraries = "Library files, which will be created by the action",
+         out_pc_dir = "Directory with pkgconfig files (relative to install directory)",
++        data_dirs = "Directory containing additional files generated by the build",
+         declared_outputs = "All output files and directories of the action",
+     ),
+ )
+@@ -913,6 +915,7 @@ def _define_outputs(ctx, attrs, lib_name):
+         out_binary_files = out_binary_files,
+         libraries = libraries,
+         out_pc_dir = out_pc_dir,
++        data_dirs = out_data_dirs,
+         declared_outputs = declared_outputs,
+     )
+ 
+-- 
+2.43.0
+

deps/krb5/krb5.BUILD.bazel

@@ -0,0 +1,141 @@
+load("@@//bazel/rules:so_symlink.bzl", "so_symlink")
+load("@rules_license//rules:license.bzl", "license")
+load("@rules_foreign_cc//foreign_cc:defs.bzl", "configure_make")
+load("@rules_pkg//pkg:install.bzl", "pkg_install")
+load("@rules_pkg//pkg:mappings.bzl", "pkg_files")
+load("@rules_pkg//pkg:mappings.bzl", "strip_prefix")
+
+package(default_package_metadata = [":license"])
+
+license(
+    name = "license",
+    license_kinds = ["@rules_license//licenses/spdx:BSD-2-Clause"],
+    license_text = "NOTICE",
+    visibility = ["//visibility:public"],
+)
+
+filegroup(
+    name = "all_srcs",
+    srcs = glob(["src/**/*"])
+)
+
+SHARED_LIBS = {
+    'krb5/plugins/tls/k5tls.so': '',
+    'krb5/plugins/kdb/db2.so': '',
+    'krb5/plugins/preauth/test.so': '',
+    'krb5/plugins/preauth/spake.so': '',
+    'krb5/plugins/preauth/pkinit.so': '',
+    'krb5/plugins/preauth/otp.so': '',
+    'libcom_err.so': '3.0',
+    'libgssapi_krb5.so': '2.2',
+    'libgssrpc.so': '4.2',
+    'libk5crypto.so': '3.1',
+    'libkadm5clnt.so': '',
+    'libkadm5clnt_mit.so': '12.0',
+    'libkadm5srv.so': '',
+    'libkadm5srv_mit.so': '12.0',
+    'libkdb5.so': '10.0',
+    'libkrad.so': '0.0',
+    'libkrb5.so': '3.3',
+    'libkrb5support.so': '0.1',
+    'libverto.so': '0.0',
+}
+
+configure_make(
+    name = "krb5",
+    args = [
+        "-j 16",
+    ],
+    autoreconf = True,
+    configure_in_place = True,
+    configure_options = [
+        "--without-keyutils", # this would require additional deps/system deps, disable it
+        "--without-system-verto", # do not prefer libverto from the system, if installed
+        "--without-libedit", # we don't want to link with libraries outside of the install dir
+        "--disable-static",
+        "--with-crypto-impl=openssl",
+        "--with-tls-impl=openssl",
+        "--disable-nls",
+    ],
+    lib_source = ":all_srcs",
+    deps = [
+        "@openssl//:openssl",
+    ],
+    out_shared_libs = SHARED_LIBS.keys(),
+    out_data_dirs = ["lib/pkgconfig"],
+)
+
+# Unversioned lib handling:
+# Create a filegroup refering to configure_make's output_group
+# Expose this single file filegroup as a pkg_file target with a common `lib_$foo` name
+[
+    filegroup(
+        name = "_unversioned_lib_" + libname,
+        srcs = [":krb5"],
+        output_group = libname.rpartition('/')[2]
+    )
+    for (libname, libversion) in SHARED_LIBS.items() if not libversion
+]
+
+[
+    pkg_files(
+        name = "_lib_" + libname,
+        srcs = [":_unversioned_lib_" + libname],
+        prefix = "lib/" + libname.rpartition('/')[0],
+    )
+    for (libname, libversion) in SHARED_LIBS.items() if not libversion
+]
+
+# Now the same for versioned libs, except instead of an explicit pkg_file
+# we leverage the one created by so_symlink
+[
+    filegroup(
+        name = "_symlink_src_" + libname,
+        srcs = [":krb5"],
+        output_group = libname,
+    )
+    for (libname, libversion) in SHARED_LIBS.items() if libversion
+]
+
+[
+    so_symlink(
+        name = "_lib_" + libname,
+        src = "_symlink_src_" + libname,
+        libname = libname.removesuffix(".so"),
+        version = libversion,
+        # so_symlink already adds a lib/ folder
+        prefix = libname.rpartition('/')[0],
+    )
+    for (libname, libversion) in SHARED_LIBS.items() if libversion
+]
+
+filegroup(
+    name = "_pc_files",
+    srcs = [":krb5"],
+    output_group = "pkgconfig",
+)
+
+pkg_files(
+    name = "pc_files",
+    srcs = ["_pc_files"],
+    prefix = "lib/",
+)
+
+filegroup(
+    name = "_headers",
+    srcs = [":krb5"],
+    output_group = "include"
+)
+
+pkg_files(
+    name = "hdr_files",
+    srcs = [":_headers"],
+)
+
+pkg_install(
+    name = "install",
+    srcs = [
+        ":hdr_files",
+        ":pc_files",
+    ] + [":_lib_" + libname for libname in SHARED_LIBS.keys()],
+)

deps/repos.MODULE.bazel

@@ -57,6 +57,7 @@ single_version_override(
     patch_strip = 1,
     patches = [
         "//bazel/patches:rules_foreign_cc/0000-expose-pc-files.patch",
+        "//bazel/patches:rules_foreign_cc/0001-include-out_data_dirs-to-the-output-groups.patch",
     ],
 )
 
@@ -315,3 +316,13 @@ http_archive(
     },
 )
 
+http_archive(
+    name = "krb5",
+    url = "https://kerberos.org/dist/krb5/1.21/krb5-1.21.3.tar.gz",
+    sha256 = "b7a4cd5ead67fb08b980b21abd150ff7217e85ea320c9ed0c6dadd304840ad35",
+    strip_prefix = "krb5-1.21.3",
+    files = {
+        "BUILD.bazel": "//deps:krb5/krb5.BUILD.bazel",
+    },
+)
+

omnibus/config/software/libkrb5.rb

@@ -1,33 +1,41 @@
 name "libkrb5"
 default_version "1.21.3"
 
-dependency "openssl3"
-
-version "1.21.3" do
-  source url: "https://kerberos.org/dist/krb5/1.21/krb5-1.21.3.tar.gz"
-  source sha256: "b7a4cd5ead67fb08b980b21abd150ff7217e85ea320c9ed0c6dadd304840ad35"
-end
-
-relative_path "krb5-#{version}/src"
-
-reconf_env = { "PATH" => "#{install_dir}/embedded/bin:#{ENV["PATH"]}" }
-
 build do
-  license "BSD-style"
-  license_file "https://raw.githubusercontent.com/krb5/krb5/master/NOTICE"
-
-  configure_options = ["--without-keyutils", # this would require additional deps/system deps, disable it
-         "--without-system-verto", # do not prefer libverto from the system, if installed
-         "--without-libedit", # we don't want to link with libraries outside of the install dir
-         "--disable-static"
+  pc_files = [
+    'gssrpc.pc',
+    'kadm-client.pc',
+    'kadm-server.pc',
+    'kdb.pc',
+    'krb5-gssapi.pc',
+    'krb5.pc',
+    'mit-krb5-gssapi.pc',
+    'mit-krb5.pc',
   ]
-  env = with_standard_compiler_flags(with_embedded_path)
-  configure(*configure_options, :env => env)
-  command "make -j #{workers}", :env => { "LD_RUN_PATH" => "#{install_dir}/embedded/lib" }
-  command "make install", :env => { "LD_RUN_PATH" => "#{install_dir}/embedded/lib" }
-
-  # FIXME: CONDA libs appear to confuse the health checker - manually checked file
-  # are properly linked. Must whitelist for build to succeed.
-  whitelist_file "#{install_dir}/embedded/lib/krb5/plugins/tls/k5tls.so"
-  whitelist_file "#{install_dir}/embedded/lib/krb5/plugins/preauth/pkinit.so"
+  lib_files = [
+    'krb5/plugins/tls/k5tls.so',
+    'krb5/plugins/kdb/db2.so',
+    'krb5/plugins/preauth/test.so',
+    'krb5/plugins/preauth/spake.so',
+    'krb5/plugins/preauth/pkinit.so',
+    'krb5/plugins/preauth/otp.so',
+    'libkadm5clnt_mit.so',
+    'libkrad.so',
+    'libverto.so',
+    'libk5crypto.so',
+    'libcom_err.so',
+    'libkadm5srv.so',
+    'libkrb5support.so',
+    'libgssrpc.so',
+    'libkrb5.so',
+    'libkadm5srv_mit.so',
+    'libkdb5.so',
+    'libgssapi_krb5.so',
+    'libkadm5clnt.so',
+  ]
+  command_on_repo_root "bazelisk run -- @krb5//:install --destdir='#{install_dir}/embedded'"
+  command_on_repo_root "bazelisk run -- //bazel/rules:replace_prefix --prefix '#{install_dir}/embedded' " \
+    + lib_files.map{ |l| "#{install_dir}/embedded/lib/#{l}" }.join(' ') \
+    + " " \
+    + pc_files.map{ |pc| "#{install_dir}/embedded/lib/pkgconfig/#{pc}" }.join(' ')
 end