contrib/envoyproxy: envoy external processing support

[e-n-0]

Motivation

This is the part 1 PR to support Envoy's External Processing.
You can find all related document for this implementation in Confluence ASM - GCP Services Extensions.
You can find the part 2 of this PR here.

What does this PR do?

This PR adds a new gRPC Interceptor (StreamServerInterceptor) to support the interception of ext_proc v3 calls to gRPC server. When the interceptor is applied, all messages of the external processing protocol are instrumented without returning an handle to the original server code. The implementation of a server using this instrumentation can be found in the part 2.

The implementation includes:

• Analysing synchronously HTTP Requests and Responses data (headers, ip, path, host, status code)
• Blocking requests (supporting blocking with content-type and redirect)
• Some refacto of existing code to handle more easily crafted requests without an actual valid http.Request object.

Tests

This PR includes unit testing in the envoy_tests.go, simulating scenarios of malicious or benign requests, validating span tags, security events and blocking results.

System-tests have been implemented on this PR. A new external-processing scenario has been added in the golang stage.

Reviewer's Checklist

• Changed code has unit tests for its functionality at or near 100% coverage.
• System-Tests covering this feature have been added and enabled with the va.b.c-dev version tag.
• There is a benchmark for any new code, or changes to existing code.
• If this interacts with the agent in a new way, a system test has been added.
• Add an appropriate team label so this PR gets put in the right place for the release notes.
• Non-trivial go.mod changes, e.g. adding new modules, are reviewed by @DataDog/dd-trace-go-guild.

Unsure? Have a question? Request a review!

[pr-commenter]

Benchmarks

Benchmark execution time: 2024-12-11 11:03:14

Comparing candidate commit ee0cd57 in PR branch flavien/service-extensions with baseline commit a48a41e in branch main.

Found 0 performance improvements and 0 performance regressions! Performance is the same for 59 metrics, 0 unstable metrics.

[eliottness]

Thanks for contributing 🙏. Couple of requests:

• Normally you should not have to import any listener packages, nor to export functions from it.
• Could you link to a manual CI run from the System Tests workflow pointing on your system-tests branch where the workflow run is green ? You probably have to add your scenario in the workflow for it to run
• I suspect we need to add tests for the changes you did in the emitter/waf/actions package. Let's see if this would make sense to separate it in another PR
• Let's review together the code of envoy.go on fridayso we can structure it better

[eliottness]

Consolidated system-test run: https://github.com/DataDog/dd-trace-go/actions/runs/11797728094

[eliottness]

This required because of this if statement.

[datadog-datadog-prod-us1]

Datadog Report

Branch report: flavien/service-extensions
Commit report: d008bfb
Test service: dd-trace-go

✅ 0 Failed, 5110 Passed, 70 Skipped, 2m 52.72s Total Time

[rarguelloF]

Please add a godoc to the exported stuff 🙏 Also it would be great to briefly explain what this actually does, as it took me some time to figure out.

Suggested change

	func StreamServerInterceptor(opts ...grpctrace.Option) grpc.StreamServerInterceptor {
	// StreamServerInterceptor returns a new grpc.StreamServerInterceptor intended to be used with an envoyproxy grpc server.
	// It will use the regular grpc tracing package for all methods except from `envoy.service.ext_proc.v3.ExternalProcessor/Process` where it will [...]
	func StreamServerInterceptor(opts ...grpctrace.Option) grpc.StreamServerInterceptor {

(please feel free to modify the comment if I wrote anything incorrect, and add more context as you did in the PR description).

[rarguelloF]

Could you add a more "real-world" like example? similar to https://github.com/envoyproxy/go-control-plane/blob/main/examples/dyplomat/main.go#L43-L53

(currently this example is just a generic grpc server without any envoyproxy stuff)

[rarguelloF]

please add a godoc comment, or consider unexporting this function if this is not intended to be used directly.

[rarguelloF]

I find this pattern a little bit odd for an interceptor / middleware.

Since it seems this is pretty much specifically intended to override the behaviour of ext_procv3.ExternalProcessorServer.Process, have you considered exporting this functionality as an implementation of this interface instead of a middleware? This way, users could just do:

import envoytrace "gopkg.in/DataDog/dd-trace-go.v1/contrib/envoyproxy/go-control-plane"

// srv would be the user provided implementation of `ext_procv3.ExternalProcessorServer`
appsecBlockSrv := envoytrace.AppsecBlockingProcessorServer(srv) // internally you would call srv.Process() when the request is not blocked
ext_procv3.RegisterExternalProcessorServer(grpcServer, appsecBlockSrv)

[rarguelloF]

you can use s, ok := status.FromError(err) to do the assertion safely.

[rarguelloF]

this line is not necessary, the type asserted variable is already available in v

Suggested change

	r := req.Request.(*envoyextproc.ProcessingRequest_ResponseBody)
	r := v