[ASCII-2582] Add certificate generation and retrieval for IPC communications #31838
Conversation
github-actions
bot
added
medium review
Go Package Import DifferencesBaseline: 2491564
|
Test changes on VMUse this command from test-infra-definitions to manually test this PR changes on a VM: inv aws.create-vm --pipeline-id=50858196 --os-family=ubuntuNote: This applies to commit 2036141 |
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
misteriaud
force-pushed
the
misteriaud/ASCII-2582-implement-IPC-cert/key-creation
branch
from
7d2f18a to
b6aa3e2
Compare
github-actions
bot
added
long review
misteriaud
changed the title
misteriaud
force-pushed
the
misteriaud/ASCII-2582-implement-IPC-cert/key-creation
branch
from
3e1db37 to
d1bd1c3
Compare
…generation Add configuration entry to set cert filepath
… the auth token is generated or retreive
misteriaud
force-pushed
the
misteriaud/ASCII-2582-implement-IPC-cert/key-creation
branch
from
d1bd1c3 to
853a60e
Compare
| "github.com/DataDog/datadog-agent/pkg/config/model" | ||
| "github.com/DataDog/datadog-agent/pkg/util/log" | ||
| ) | ||
|
|
||
| var ( | ||
| tokenLock sync.RWMutex | ||
| token string |
There was a problem hiding this comment.
I know it's a larger change that this PR is intending to fix, but it would be great if one day we could get rid of this global var. Perhaps instead this could be converted into a component?
There was a problem hiding this comment.
I completely agree ! The authtoken.Component already try to tackle this by wrapping it around.
The problem is that a lot of places in the code are relying on the auth_token, some in pkg.
The work involved in bringing the getter down to these points is quite big.
Regression DetectorRegression Detector ResultsMetrics dashboard Baseline: 2491564 Optimization Goals: ✅ No significant changes detected
|
| perf | experiment | goal | Δ mean % | Δ mean % CI | trials | links |
|---|---|---|---|---|---|---|
| ➖ | uds_dogstatsd_to_api_cpu | % cpu utilization | +2.08 | [+1.34, +2.81] | 1 | Logs |
| ➖ | otel_to_otel_logs | ingress throughput | +1.40 | [+0.72, +2.09] | 1 | Logs |
| ➖ | quality_gate_logs | % cpu utilization | +0.95 | [-2.04, +3.93] | 1 | Logs |
| ➖ | file_tree | memory utilization | +0.73 | [+0.59, +0.86] | 1 | Logs |
| ➖ | quality_gate_idle_all_features | memory utilization | +0.58 | [+0.46, +0.69] | 1 | Logs bounds checks dashboard |
| ➖ | file_to_blackhole_1000ms_latency | egress throughput | +0.43 | [-0.35, +1.21] | 1 | Logs |
| ➖ | tcp_syslog_to_blackhole | ingress throughput | +0.23 | [+0.18, +0.29] | 1 | Logs |
| ➖ | file_to_blackhole_500ms_latency | egress throughput | +0.16 | [-0.62, +0.94] | 1 | Logs |
| ➖ | file_to_blackhole_100ms_latency | egress throughput | +0.05 | [-0.63, +0.72] | 1 | Logs |
| ➖ | tcp_dd_logs_filter_exclude | ingress throughput | -0.00 | [-0.01, +0.01] | 1 | Logs |
| ➖ | uds_dogstatsd_to_api | ingress throughput | -0.01 | [-0.10, +0.08] | 1 | Logs |
| ➖ | file_to_blackhole_1000ms_latency_linear_load | egress throughput | -0.02 | [-0.49, +0.45] | 1 | Logs |
| ➖ | file_to_blackhole_0ms_latency | egress throughput | -0.03 | [-0.82, +0.75] | 1 | Logs |
| ➖ | file_to_blackhole_300ms_latency | egress throughput | -0.09 | [-0.72, +0.54] | 1 | Logs |
| ➖ | quality_gate_idle | memory utilization | -0.78 | [-0.82, -0.73] | 1 | Logs bounds checks dashboard |
Bounds Checks: ✅ Passed
| perf | experiment | bounds_check_name | replicates_passed | links |
|---|---|---|---|---|
| ✅ | file_to_blackhole_0ms_latency | lost_bytes | 10/10 | |
| ✅ | file_to_blackhole_0ms_latency | memory_usage | 10/10 | |
| ✅ | file_to_blackhole_1000ms_latency | memory_usage | 10/10 | |
| ✅ | file_to_blackhole_1000ms_latency_linear_load | memory_usage | 10/10 | |
| ✅ | file_to_blackhole_100ms_latency | lost_bytes | 10/10 | |
| ✅ | file_to_blackhole_100ms_latency | memory_usage | 10/10 | |
| ✅ | file_to_blackhole_300ms_latency | lost_bytes | 10/10 | |
| ✅ | file_to_blackhole_300ms_latency | memory_usage | 10/10 | |
| ✅ | file_to_blackhole_500ms_latency | lost_bytes | 10/10 | |
| ✅ | file_to_blackhole_500ms_latency | memory_usage | 10/10 | |
| ✅ | quality_gate_idle | memory_usage | 10/10 | bounds checks dashboard |
| ✅ | quality_gate_idle_all_features | memory_usage | 10/10 | bounds checks dashboard |
| ✅ | quality_gate_logs | lost_bytes | 10/10 | |
| ✅ | quality_gate_logs | memory_usage | 10/10 |
Explanation
Confidence level: 90.00%
Effect size tolerance: |Δ mean %| ≥ 5.00%
Performance changes are noted in the perf column of each table:
- ✅ = significantly better comparison variant performance
- ❌ = significantly worse comparison variant performance
- ➖ = no significant change in performance
A regression test is an A/B test of target performance in a repeatable rig, where "performance" is measured as "comparison variant minus baseline variant" for an optimization goal (e.g., ingress throughput). Due to intrinsic variability in measuring that goal, we can only estimate its mean value for each experiment; we report uncertainty in that value as a 90.00% confidence interval denoted "Δ mean % CI".
For each experiment, we decide whether a change in performance is a "regression" -- a change worth investigating further -- if all of the following criteria are true:
-
Its estimated |Δ mean %| ≥ 5.00%, indicating the change is big enough to merit a closer look.
-
Its 90.00% confidence interval "Δ mean % CI" does not contain zero, indicating that if our statistical model is accurate, there is at least a 90.00% chance there is a difference in performance between baseline and comparison variants.
-
Its configuration does not mark it "erratic".
CI Pass/Fail Decision
✅ Passed. All Quality Gates passed.
- quality_gate_idle_all_features, bounds check memory_usage: 10/10 replicas passed. Gate passed.
- quality_gate_logs, bounds check lost_bytes: 10/10 replicas passed. Gate passed.
- quality_gate_logs, bounds check memory_usage: 10/10 replicas passed. Gate passed.
- quality_gate_idle, bounds check memory_usage: 10/10 replicas passed. Gate passed.
|
/trigger-ci --variable RUN_ALL_BUILDS=true --variable RUN_KITCHEN_TESTS=true --variable RUN_E2E_TESTS=on --variable RUN_UNIT_TESTS=on --variable RUN_KMT_TESTS=on |
Devflow running:
|
|
/trigger-ci --variable RUN_ALL_BUILDS=true --variable RUN_KITCHEN_TESTS=true --variable RUN_E2E_TESTS=on --variable RUN_UNIT_TESTS=on --variable RUN_KMT_TESTS=on |
Devflow running:
|
misteriaud
added
changelog/no-changelog
qa/done
|
/merge |
Devflow running:
|
|
/merge -c |
|
/merge |
Devflow running:
|
dd-mergequeue
bot
deleted the
misteriaud/ASCII-2582-implement-IPC-cert/key-creation
branch
What does this PR do?
This PR introduce the generation of an IPC dedicated certificate and key pair, used to allow Agent API server to authenticate it. This generation/retrieval process takes places during the initialization of the auth_token.
The next steps are using this generated certificate in the different API servers:
Motivation
This PR is part of a plan to improve the security of the Agent's inter-process communication (IPC).
Describe how you validated your changes
Some unit tests have been added to cover the new generation/retrieval steps.
Additional Notes
The
comp/api/authtoken componenthas been updated to provide the IPC TLS configurations based on the generated certificate. The component's name should be updated in a subsequent pull request to better reflect its behavior.