contrib/envoyproxy: envoy external processing support

[e-n-0]

Motivation

This is the part 1 PR to support Envoy's External Processing.
You can find all related document for this implementation in Confluence ASM - GCP Services Extensions.
You can find the part 2 of this PR here.

What does this PR do?

This PR adds a new gRPC Interceptor (StreamServerInterceptor) to support the interception of ext_proc v3 calls to gRPC server. When the interceptor is applied, all messages of the external processing protocol are instrumented without returning an handle to the original server code. The implementation of a server using this instrumentation can be found in the part 2.

The implementation includes:

• Analysing synchronously HTTP Requests and Responses data (headers, ip, path, host, status code)
• Blocking requests (supporting blocking with content-type and redirect)
• Some refacto of existing code to handle more easily crafted requests without an actual valid http.Request object.

Tests

This PR includes unit testing in the envoy_tests.go, simulating scenarios of malicious or benign requests, validating span tags, security events and blocking results.

System-tests have been implemented on this PR. A new external-processing scenario has been added in the golang stage.

Reviewer's Checklist

• Changed code has unit tests for its functionality at or near 100% coverage.
• System-Tests covering this feature have been added and enabled with the va.b.c-dev version tag.
• There is a benchmark for any new code, or changes to existing code.
• If this interacts with the agent in a new way, a system test has been added.
• Add an appropriate team label so this PR gets put in the right place for the release notes.
• Non-trivial go.mod changes, e.g. adding new modules, are reviewed by @DataDog/dd-trace-go-guild.

Unsure? Have a question? Request a review!

[pr-commenter]

Benchmarks

Benchmark execution time: 2024-12-16 13:53:07

Comparing candidate commit bece5b0 in PR branch flavien/service-extensions with baseline commit a8665eb in branch main.

Found 0 performance improvements and 0 performance regressions! Performance is the same for 58 metrics, 1 unstable metrics.

[datadog-datadog-prod-us1]

Datadog Report

Branch report: flavien/service-extensions
Commit report: 2cbd26c
Test service: dd-trace-go

✅ 0 Failed, 5112 Passed, 70 Skipped, 2m 53.79s Total Time

[rarguelloF]

Could you add a more "real-world" like example? similar to https://github.com/envoyproxy/go-control-plane/blob/main/examples/dyplomat/main.go#L43-L53

(currently this example is just a generic grpc server without any envoyproxy stuff)

[e-n-0]

I applied change in 22d7095
Tell me if that is looking good for you 😄

[rarguelloF]

I find this pattern a little bit odd for an interceptor / middleware.

Since it seems this is pretty much specifically intended to override the behaviour of ext_procv3.ExternalProcessorServer.Process, have you considered exporting this functionality as an implementation of this interface instead of a middleware? This way, users could just do:

import envoytrace "gopkg.in/DataDog/dd-trace-go.v1/contrib/envoyproxy/go-control-plane"

// srv would be the user provided implementation of `ext_procv3.ExternalProcessorServer`
appsecBlockSrv := envoytrace.AppsecBlockingProcessorServer(srv) // internally you would call srv.Process() when the request is not blocked
ext_procv3.RegisterExternalProcessorServer(grpcServer, appsecBlockSrv)

[e-n-0]

I changed it in 22d7095
Is that what you were thinking of?

[rarguelloF]

LGTM! thanks for your patience! 😄 @e-n-0

[darccio]

Approving this PR with some nits (only apply if you want).