[RC] Support configuring the core RC service with JWT auth

[ameske]

What does this PR do?

Private Action Runners are now leverging the core RC service in order to receive remote config updates. They require a different authentication scheme than Datadog API keys. This allows for the core service to be configured to use a JWT for authentication to the backend.

It is not configurable via the command line or an agent YAML file, as it is only used programmatically from within the Datadog Private Action Runner. There are no other use cases. Any attempt to leverage this and supply JWT's not generated by Private Action Runners and Workflow's backend will fail.

Motivation

Support authenticating Private Action Runners in RC's backend without requiring Private
Action Runners to also be configured with an API Key

Describe how you validated your changes

Manual testing in staging since RC is not directly part of the e2e test suite at this time.

Possible Drawbacks / Trade-offs

None

Additional Notes

[cit-pr-commenter]

Regression Detector

Regression Detector Results

Metrics dashboard
Target profiles
Run ID: 498ac30c-cf36-4a4f-86fe-815b4478a56f

Baseline: 452a153
Comparison: 22e07c8
Diff

Optimization Goals: ✅ No significant changes detected

Fine details of change detection per experiment

perf	experiment	goal	Δ mean %	Δ mean % CI	trials	links
➖	file_tree	memory utilization	+0.26	[+0.14, +0.38]	1	Logs
➖	file_to_blackhole_100ms_latency	egress throughput	+0.20	[-0.57, +0.96]	1	Logs
➖	file_to_blackhole_0ms_latency_http2	egress throughput	+0.18	[-0.72, +1.08]	1	Logs
➖	file_to_blackhole_0ms_latency	egress throughput	+0.12	[-0.74, +0.98]	1	Logs
➖	file_to_blackhole_300ms_latency	egress throughput	+0.08	[-0.55, +0.71]	1	Logs
➖	otel_to_otel_logs	ingress throughput	+0.06	[-0.61, +0.73]	1	Logs
➖	file_to_blackhole_1000ms_latency_linear_load	egress throughput	+0.02	[-0.45, +0.49]	1	Logs
➖	file_to_blackhole_0ms_latency_http1	egress throughput	+0.02	[-0.85, +0.89]	1	Logs
➖	tcp_dd_logs_filter_exclude	ingress throughput	-0.00	[-0.01, +0.01]	1	Logs
➖	file_to_blackhole_500ms_latency	egress throughput	-0.02	[-0.79, +0.75]	1	Logs
➖	uds_dogstatsd_to_api	ingress throughput	-0.02	[-0.11, +0.07]	1	Logs
➖	uds_dogstatsd_to_api_cpu	% cpu utilization	-0.03	[-0.75, +0.69]	1	Logs
➖	file_to_blackhole_1000ms_latency	egress throughput	-0.12	[-0.91, +0.67]	1	Logs
➖	tcp_syslog_to_blackhole	ingress throughput	-0.39	[-0.43, -0.34]	1	Logs
➖	quality_gate_idle	memory utilization	-0.49	[-0.53, -0.45]	1	Logs bounds checks dashboard
➖	quality_gate_idle_all_features	memory utilization	-1.84	[-1.97, -1.72]	1	Logs bounds checks dashboard
➖	quality_gate_logs	% cpu utilization	-3.27	[-6.19, -0.35]	1	Logs

Bounds Checks: ❌ Failed

perf	experiment	bounds_check_name	replicates_passed	links
❌	file_to_blackhole_300ms_latency	lost_bytes	8/10
❌	file_to_blackhole_0ms_latency	lost_bytes	9/10
❌	file_to_blackhole_100ms_latency	lost_bytes	9/10
✅	file_to_blackhole_0ms_latency	memory_usage	10/10
✅	file_to_blackhole_0ms_latency_http1	lost_bytes	10/10
✅	file_to_blackhole_0ms_latency_http1	memory_usage	10/10
✅	file_to_blackhole_0ms_latency_http2	lost_bytes	10/10
✅	file_to_blackhole_0ms_latency_http2	memory_usage	10/10
✅	file_to_blackhole_1000ms_latency	memory_usage	10/10
✅	file_to_blackhole_1000ms_latency_linear_load	memory_usage	10/10
✅	file_to_blackhole_100ms_latency	memory_usage	10/10
✅	file_to_blackhole_300ms_latency	memory_usage	10/10
✅	file_to_blackhole_500ms_latency	lost_bytes	10/10
✅	file_to_blackhole_500ms_latency	memory_usage	10/10
✅	quality_gate_idle	memory_usage	10/10	bounds checks dashboard
✅	quality_gate_idle_all_features	memory_usage	10/10	bounds checks dashboard
✅	quality_gate_logs	lost_bytes	10/10
✅	quality_gate_logs	memory_usage	10/10

Explanation

Confidence level: 90.00%
Effect size tolerance: |Δ mean %| ≥ 5.00%

Performance changes are noted in the perf column of each table:

• ✅ = significantly better comparison variant performance
• ❌ = significantly worse comparison variant performance
• ➖ = no significant change in performance

A regression test is an A/B test of target performance in a repeatable rig, where "performance" is measured as "comparison variant minus baseline variant" for an optimization goal (e.g., ingress throughput). Due to intrinsic variability in measuring that goal, we can only estimate its mean value for each experiment; we report uncertainty in that value as a 90.00% confidence interval denoted "Δ mean % CI".

For each experiment, we decide whether a change in performance is a "regression" -- a change worth investigating further -- if all of the following criteria are true:

1. Its estimated |Δ mean %| ≥ 5.00%, indicating the change is big enough to merit a closer look.

2. Its 90.00% confidence interval "Δ mean % CI" does not contain zero, indicating that if our statistical model is accurate, there is at least a 90.00% chance there is a difference in performance between baseline and comparison variants.

3. Its configuration does not mark it "erratic".

CI Pass/Fail Decision

✅ Passed. All Quality Gates passed.

• quality_gate_logs, bounds check lost_bytes: 10/10 replicas passed. Gate passed.
• quality_gate_logs, bounds check memory_usage: 10/10 replicas passed. Gate passed.
• quality_gate_idle, bounds check memory_usage: 10/10 replicas passed. Gate passed.
• quality_gate_idle_all_features, bounds check memory_usage: 10/10 replicas passed. Gate passed.

[agent-platform-auto-pr]

Test changes on VM

Use this command from test-infra-definitions to manually test this PR changes on a VM:

inv aws.create-vm --pipeline-id=51722209 --os-family=ubuntu

Note: This applies to commit 702fe2c

[agent-platform-auto-pr]

Uncompressed package size comparison

Comparison with ancestor d9804ca230f38740e2d2fdc003ee5de77c966283

Diff per package

package	diff	status	size	ancestor	threshold
datadog-iot-agent-aarch64-rpm	0.01MB	⚠️	108.88MB	108.87MB	10.00MB
datadog-iot-agent-arm64-deb	0.01MB	⚠️	108.81MB	108.80MB	10.00MB
datadog-agent-amd64-deb	0.00MB	✅	1187.96MB	1187.96MB	140.00MB
datadog-agent-x86_64-rpm	0.00MB	✅	1197.22MB	1197.22MB	140.00MB
datadog-agent-x86_64-suse	0.00MB	✅	1197.22MB	1197.22MB	140.00MB
datadog-agent-arm64-deb	0.00MB	✅	933.89MB	933.89MB	140.00MB
datadog-agent-aarch64-rpm	0.00MB	✅	943.14MB	943.13MB	140.00MB
datadog-iot-agent-x86_64-rpm	0.00MB	✅	113.41MB	113.41MB	10.00MB
datadog-iot-agent-x86_64-suse	0.00MB	✅	113.41MB	113.41MB	10.00MB
datadog-iot-agent-amd64-deb	0.00MB	✅	113.34MB	113.34MB	10.00MB
datadog-dogstatsd-amd64-deb	0.00MB	✅	78.57MB	78.57MB	10.00MB
datadog-dogstatsd-x86_64-rpm	0.00MB	✅	78.65MB	78.65MB	10.00MB
datadog-dogstatsd-x86_64-suse	0.00MB	✅	78.65MB	78.65MB	10.00MB
datadog-dogstatsd-arm64-deb	0.00MB	✅	55.77MB	55.77MB	10.00MB
datadog-heroku-agent-amd64-deb	0.00MB	✅	504.88MB	504.88MB	70.00MB

Decision

⚠️ Warning

[mellon85]

this is not threadsafe. UpdatePARJWT will update req.Header too.

https://play.golang.com/p/TWmOBaijsbF

I added a change to copy the contents instead

[mellon85]

/merge

[dd-devflow]

Devflow running: /merge

View all feedbacks in Devflow UI.

---

2024-12-23 09:49:36 UTC ℹ️ MergeQueue: waiting for PR to be ready

This merge request is not mergeable yet, because of pending checks/missing approvals. It will be added to the queue as soon as checks pass and/or get approvals.
Note: if you pushed new commits since the last approval, you may need additional approval.
You can remove it from the waiting list with /remove command.

---

2024-12-23 13:01:18 UTC ℹ️ MergeQueue: merge request added to the queue

The median merge time in main is 35m.

---

2024-12-23 13:34:25 UTC ℹ️ MergeQueue: This merge request was merged