[otel-agent] extension: require authentication token

[truthbk]

What does this PR do?

This PR ensures all requests to the flare/FA extension contain a valid authtoken to serve said requests.

Motivation

Prevent snooping by unauthorized guests.

Additional Notes

Possible Drawbacks / Trade-offs

This work requires the modularization of the comp/api/authtoken component, which adds to the proliferation of modules. :(

otel-agent must have access to the auth_token, while most of our deployments already account for this, it's important for the otel-agent to have accesso to the same access token created by the core agent at startup.

Describe how to test/QA your changes

[jackgopack4]

seeing the errors in the pipeline; instructions in https://github.com/DataDog/datadog-agent/blob/main/docs/dev/modules.md should help (I've been dealing with this with my ticket)

[pr-commenter]

Test changes on VM

Use this command from test-infra-definitions to manually test this PR changes on a VM:

inv create-vm --pipeline-id=45290071 --os-family=ubuntu

Note: This applies to commit e9c2531

[pr-commenter]

Regression Detector

Regression Detector Results

Run ID: a56a71c7-71b5-443e-b21e-1d455cc10d53 Metrics dashboard Target profiles

Baseline: e779286
Comparison: e9c2531

Performance changes are noted in the perf column of each table:

• ✅ = significantly better comparison variant performance
• ❌ = significantly worse comparison variant performance
• ➖ = no significant change in performance

No significant changes in experiment optimization goals

Confidence level: 90.00%
Effect size tolerance: |Δ mean %| ≥ 5.00%

There were no significant changes in experiment optimization goals at this confidence level and effect size tolerance.

Fine details of change detection per experiment

perf	experiment	goal	Δ mean %	Δ mean % CI	trials	links
➖	uds_dogstatsd_to_api_cpu	% cpu utilization	+0.95	[+0.21, +1.69]	1	Logs
➖	otel_to_otel_logs	ingress throughput	+0.71	[-0.11, +1.52]	1	Logs
➖	idle	memory utilization	+0.39	[+0.33, +0.45]	1	Logs
➖	idle_all_features	memory utilization	+0.19	[+0.11, +0.28]	1	Logs
➖	tcp_syslog_to_blackhole	ingress throughput	+0.14	[+0.09, +0.19]	1	Logs
➖	tcp_dd_logs_filter_exclude	ingress throughput	-0.00	[-0.01, +0.01]	1	Logs
➖	uds_dogstatsd_to_api	ingress throughput	-0.00	[-0.09, +0.09]	1	Logs
➖	basic_py_check	% cpu utilization	-0.41	[-3.11, +2.28]	1	Logs
➖	file_tree	memory utilization	-1.74	[-1.84, -1.64]	1	Logs
➖	pycheck_lots_of_tags	% cpu utilization	-2.30	[-4.92, +0.33]	1	Logs

Bounds Checks

perf	experiment	bounds_check_name	replicates_passed
✅	idle	memory_usage	10/10

Explanation

A regression test is an A/B test of target performance in a repeatable rig, where "performance" is measured as "comparison variant minus baseline variant" for an optimization goal (e.g., ingress throughput). Due to intrinsic variability in measuring that goal, we can only estimate its mean value for each experiment; we report uncertainty in that value as a 90.00% confidence interval denoted "Δ mean % CI".

For each experiment, we decide whether a change in performance is a "regression" -- a change worth investigating further -- if all of the following criteria are true:

1. Its estimated |Δ mean %| ≥ 5.00%, indicating the change is big enough to merit a closer look.

2. Its 90.00% confidence interval "Δ mean % CI" does not contain zero, indicating that if our statistical model is accurate, there is at least a 90.00% chance there is a difference in performance between baseline and comparison variants.

3. Its configuration does not mark it "erratic".

[jackgopack4]

Suggested change

	go 1.22.5
	go 1.22.0

[jackgopack4]

Looks good to me but want to make sure you run another inv -e tidy after making sure you're using go version 1.22.0 so as to not change the version of the root go.mod, and make sure the modules are listed as used_by_otel=True in modules.py

[ogaca-dd]

LGTM for files owned by ASC (after fixing jackgopack4 comment)

[jackgopack4]

looks like line 214 of modules.py needs a used_by_otel=True, just pushed a change to do that

[GustavoCaso]

@truthbk wondering if we need to increase the granularity with the module creation. Currently there are two implementations for authtoken.

Should we create a separate module out of each implementation? I believe that was the intended use of the different implementation folder layout.

[truthbk]

@GustavoCaso I'm not sure the question of having alternate implementations and alternate modules is the same one. I'm definitely OK with changing the granularity of this module (which is something I was already not thrilled about because, well, more modules) as you are requesting.

However, the compiler is perfectly capable of only introducing a single implementation if these are well decoupled, and if we want to avoid excessive module proliferation, which I think we do, we don't want to end up with a module for the component definition, a module for implementation A, a module for implementation B, and a module for the fx stuff.

At any rate, I hear you, as we've discussed over the past months the modularization of code we're seeing across the codebase is definitely not ideal.

[GustavoCaso]

@truthbk I here your concerns about the proliferation of Go modules.

I just find that there is a discrepancy between the components documentation and the approach taken in this PR.

In the component documentation we state that we should create different go modules for the interface, implementations and mocks https://datadoghq.dev/datadog-agent/components/creating-components/#go-module

[dustmop]

@GustavoCaso One important thing to note is that the authtoken module in question is still using the "classic" style of definition, not the new layout with def, impl, fx folders. Converting it to the new format could be done, but I'm not sure there's an immediate need to do so. As long as its using the classic style, there's not much benefit to increasing the module granularity as you're describing, since the definition of the component is in the root folder. Anything depending on it will also be pulling in both child folders with the implementations.

[GustavoCaso]

Thanks for the clarification @dustmop

@truthbk I was confused about the file hierarchy of the authtoken component 🤦. Please discard my comment

[truthbk]

/merge

[dd-devflow]

🚂 MergeQueue: pull request added to the queue

The median merge time in main is 24m.

Use /merge -c to cancel this operation!