Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Adding a callback based method to the secrets component #21090

Merged
merged 1 commit into from
Nov 29, 2023

Conversation

hush-hush
Copy link
Member

What does this PR do?

The secrets component can now notify the caller when resolving a secret.

This allows the config package to only overwrite the setting using secrets instead of the entire configuration which result in accurate configuration being sent through metadata.

Describe how to test/QA your changes

Check that the secrets feature works just like before:

  • resolving secrets in datadog.yaml and checks configuration
  • secrets command

Then also check that the metadata payload now doesn't sent the entire configuration as provided_configuration when secrets are enabled (datadog-agent diagnose show-metadata inventory-agent | jq -r '.agent_metadata.provided_configuration').

Reviewer's Checklist

  • If known, an appropriate milestone has been selected; otherwise the Triage milestone is set.
  • Use the major_change label if your change either has a major impact on the code base, is impacting multiple teams or is changing important well-established internals of the Agent. This label will be use during QA to make sure each team pay extra attention to the changed behavior. For any customer facing change use a releasenote.
  • A release note has been added or the changelog/no-changelog label has been applied.
  • Changed code has automated tests for its functionality.
  • Adequate QA/testing plan information is provided if the qa/skip-qa label is not applied.
  • At least one team/.. label has been applied, indicating the team(s) that should QA this change.
  • If applicable, docs team has been notified or an issue has been opened on the documentation repo.
  • If applicable, the need-change/operator and need-change/helm labels have been applied.
  • If applicable, the k8s/<min-version> label, indicating the lowest Kubernetes version compatible with this feature.
  • If applicable, the config template has been updated.

@pr-commenter
Copy link

pr-commenter bot commented Nov 24, 2023

Bloop Bleep... Dogbot Here

Regression Detector Results

Run ID: 020140b5-b5ab-4f0e-8f94-1b337be54481
Baseline: 5b6ab7d
Comparison: 0b205f0
Total datadog-agent CPUs: 7

Explanation

A regression test is an integrated performance test for datadog-agent in a repeatable rig, with varying configuration for datadog-agent. What follows is a statistical summary of a brief datadog-agent run for each configuration across SHAs given above. The goal of these tests are to determine quickly if datadog-agent performance is changed and to what degree by a pull request.

Because a target's optimization goal performance in each experiment will vary somewhat each time it is run, we can only estimate mean differences in optimization goal relative to the baseline target. We express these differences as a percentage change relative to the baseline target, denoted "Δ mean %". These estimates are made to a precision that balances accuracy and cost control. We represent this precision as a 90.00% confidence interval denoted "Δ mean % CI": there is a 90.00% chance that the true value of "Δ mean %" is in that interval.

We decide whether a change in performance is a "regression" -- a change worth investigating further -- if both of the following two criteria are true:

  1. The estimated |Δ mean %| ≥ 5.00%. This criterion intends to answer the question "Does the estimated change in mean optimization goal performance have a meaningful impact on your customers?". We assume that when |Δ mean %| < 5.00%, the impact on your customers is not meaningful. We also assume that a performance change in optimization goal is worth investigating whether it is an increase or decrease, so long as the magnitude of the change is sufficiently large.

  2. Zero is not in the 90.00% confidence interval "Δ mean % CI" about "Δ mean %". This statement is equivalent to saying that there is at least a 90.00% chance that the mean difference in optimization goal is not zero. This criterion intends to answer the question, "Is there a statistically significant difference in mean optimization goal performance?". It also means there is no more than a 10.00% chance this criterion reports a statistically significant difference when the true difference in mean optimization goal is zero -- a "false positive". We assume you are willing to accept a 10.00% chance of inaccurately detecting a change in performance when no true difference exists.

The table below, if present, lists those experiments that have experienced a statistically significant change in mean optimization goal performance between baseline and comparison SHAs with 90.00% confidence OR have been detected as newly erratic. Negative values of "Δ mean %" mean that baseline is faster, whereas positive values of "Δ mean %" mean that comparison is faster. Results that do not exhibit more than a ±5.00% change in their mean optimization goal are discarded. An experiment is erratic if its coefficient of variation is greater than 0.1. The abbreviated table will be omitted if no interesting change is observed.

No interesting changes in experiment optimization goals with confidence ≥ 90.00% and |Δ mean %| ≥ 5.00%.

Fine details of change detection per experiment.
experiment goal Δ mean % Δ mean % CI confidence
file_to_blackhole egress throughput +0.16 [-0.85, +1.17] 20.60%
file_tree egress throughput +0.07 [-1.71, +1.85] 5.07%
tcp_dd_logs_filter_exclude ingress throughput +0.05 [-0.10, +0.21] 41.90%
trace_agent_msgpack ingress throughput +0.03 [-0.09, +0.16] 32.98%
dogstatsd_string_interner_8MiB_100k ingress throughput +0.01 [-0.05, +0.06] 19.08%
dogstatsd_string_interner_8MiB_100 ingress throughput +0.01 [-0.12, +0.13] 5.24%
dogstatsd_string_interner_8MiB_1k ingress throughput +0.00 [-0.10, +0.10] 2.09%
dogstatsd_string_interner_64MiB_1k ingress throughput +0.00 [-0.13, +0.13] 1.07%
dogstatsd_string_interner_64MiB_100 ingress throughput +0.00 [-0.14, +0.14] 0.20%
dogstatsd_string_interner_128MiB_100 ingress throughput -0.00 [-0.14, +0.14] 0.17%
dogstatsd_string_interner_128MiB_1k ingress throughput -0.00 [-0.14, +0.14] 1.43%
idle egress throughput -0.01 [-2.36, +2.34] 0.57%
dogstatsd_string_interner_8MiB_10k ingress throughput -0.01 [-0.06, +0.04] 28.17%
uds_dogstatsd_to_api ingress throughput -0.02 [-0.19, +0.15] 17.28%
dogstatsd_string_interner_8MiB_50k ingress throughput -0.02 [-0.08, +0.03] 50.08%
trace_agent_json ingress throughput -0.03 [-0.16, +0.10] 32.91%
otel_to_otel_logs ingress throughput -0.36 [-1.95, +1.22] 29.24%
tcp_syslog_to_blackhole ingress throughput -0.40 [-0.53, -0.27] 100.00%

Copy link
Contributor

@vickenty vickenty left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM for AML files

Copy link
Member

@pgimalac pgimalac left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, I don't really understand what the code in walker.go does but since it was mostly just moved it's ok

comp/core/secrets/secretsimpl/walker.go Outdated Show resolved Hide resolved
Copy link
Contributor

@sgnn7 sgnn7 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@hush-hush Some of the code is above my head but I left some comments. Overall LGTM though.

Decrypt(data []byte, origin string) ([]byte, error)
// DecryptWithCallback resolves the secrets in the given yaml data calling the callback with the YAML path of
// the secret handle and its value
DecryptWithCallback(data []byte, origin string, callback DecryptCallback) error
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: This might be a semantic nit around naming but we're not really decrypting the secrets but resolving them afaiu so naming the methods accordingly would be good.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: I suppose that the callback is not a "decrypt then run callback" that could be interpreted from current name so maybe wording it as ResolveViaCallback or ResolveThroughCallback would be more clear

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We're not resolving using the callback, we're still using the secrets binary. I feel like ResolveViaCallback/ResolveThroughCallback implies otherwise.

Here we're letting the caller replace the handle with the secrets (ie: resolving with a callback).

Copy link
Member Author

@hush-hush hush-hush Nov 29, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I did replace Decrypt with Resolve everywhere.

pkg/config/config.go Outdated Show resolved Hide resolved
comp/core/secrets/secretsimpl/secrets.go Outdated Show resolved Hide resolved
comp/core/secrets/secretsimpl/walker.go Outdated Show resolved Hide resolved
comp/core/secrets/secretsimpl/secrets_test.go Outdated Show resolved Hide resolved
comp/core/secrets/secretsimpl/secrets.go Outdated Show resolved Hide resolved
comp/core/secrets/secretsimpl/secrets.go Outdated Show resolved Hide resolved
comp/core/secrets/secretsimpl/secrets_mock.go Outdated Show resolved Hide resolved
comp/core/secrets/secretsimpl/secrets_mock.go Outdated Show resolved Hide resolved
The secrets component can now notify the caller when resolving a secret.

This allows the config package to only overwrite the setting using
secrets instead of the entire configuration.
@hush-hush hush-hush force-pushed the maxime/add-callback-method-secret branch from cd16cf1 to 0b205f0 Compare November 29, 2023 11:37
@hush-hush hush-hush merged commit 52816a0 into main Nov 29, 2023
156 of 158 checks passed
@hush-hush hush-hush deleted the maxime/add-callback-method-secret branch November 29, 2023 16:41
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

6 participants