chore(agent-data-plane): initialize TLS early on before spawning supervisor#1177
chore(agent-data-plane): initialize TLS early on before spawning supervisor#1177
Conversation
There was a problem hiding this comment.
Pull request overview
Exposes Rustls ServerConfig from the crate’s net module, likely to allow TLS configuration types to be referenced earlier/higher in the agent data-plane initialization flow.
Changes:
- Re-exported
rustls::ServerConfigfromlib/saluki-io/src/net/mod.rs.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| pub mod util; | ||
|
|
||
| mod ipc; | ||
| pub use rustls::ServerConfig; |
There was a problem hiding this comment.
Re-exporting a third-party type (rustls::ServerConfig) from your public API couples this crate’s semver stability to Rustls’ public API and can make future Rustls upgrades breaking for downstream users. If this is only needed internally, prefer pub(crate) use rustls::ServerConfig;. If it must be public, consider introducing a crate-owned wrapper/type alias in a dedicated TLS module (e.g., net::tls) to better control your public surface area.
| pub use rustls::ServerConfig; | |
| pub(crate) use rustls::ServerConfig; |
There was a problem hiding this comment.
If users are going to depend on things like saluki-io, then the less we expose of third-party libraries the better. It depends on whether users are going to depend on saluki-io from outside this workspace. If so, then an audit of exposed third-party types might be useful.
There was a problem hiding this comment.
Yeah, realistically, we're only exposing this very specifically for IPC and allowing for a self-signed certificate.
I think it's fine for us to create our own wrapper types for the TLS configuration, and to support converting from those types into our type for users who really need the capability... but not exposing those external types ourselves.
I'm going to punt that to a follow-up PR if that's OK with you, though.
Binary Size Analysis (Agent Data Plane)Target: c8eb887 (baseline) vs a8a7bb9 (comparison) diff
|
| Module | File Size | Symbols |
|---|---|---|
agent_data_plane::internal::create_internal_supervisor |
+16.17 KiB | 1 |
saluki_app::memory::MemoryBoundsConfiguration |
-13.70 KiB | 1 |
agent_data_plane::cli::run |
+6.91 KiB | 1 |
agent_data_plane::internal::control_plane |
-4.36 KiB | 6 |
[Unmapped] |
-2.85 KiB | 1 |
core |
+1.55 KiB | 61 |
alloc |
+543 B | 111 |
saluki_env::helpers::remote_agent |
+377 B | 1 |
[sections] |
+317 B | 7 |
tokio |
-298 B | 1 |
saluki_io::net::addr |
+283 B | 1 |
matchit |
-279 B | 1 |
unicode_segmentation |
+72 B | 1 |
aho_corasick |
-28 B | 61 |
agent_data_plane::internal::remote_agent |
+25 B | 2 |
figment |
+3 B | 15 |
saluki_core::data_model::event |
+0 B | 2 |
hickory_proto |
+0 B | 18 |
rustls |
+0 B | 12 |
webpki |
+0 B | 2 |
Detailed Symbol Changes
FILE SIZE VM SIZE
-------------- --------------
[NEW] +58.8Ki [NEW] +58.6Ki _<agent_data_plane::internal::control_plane::PrivilegedApiWorker as saluki_core::runtime::supervisor::Supervisable>::initialize::_{{closure}}::hfdca77ab0ba5e8fd
[NEW] +16.2Ki [NEW] +16.0Ki agent_data_plane::internal::create_internal_supervisor::_{{closure}}::h78271acb3cbe53f3
[NEW] +10.6Ki [NEW] +10.5Ki <saluki_core::data_model::event::Event as core::clone::Clone>::clone.9839
+12% +6.91Ki +12% +6.91Ki agent_data_plane::cli::run::handle_run_command::_{{closure}}::h74e3039632156528
[NEW] +5.52Ki [NEW] +5.38Ki <hickory_proto::rr::record_data::RData as core::clone::Clone>::clone.8290
+0.2% +3.26Ki +0.5% +5.31Ki [472 Others]
[NEW] +5.13Ki [NEW] +5.00Ki <hickory_proto::rr::record_data::RData as core::clone::Clone>::clone.11066
[NEW] +4.71Ki [NEW] +4.59Ki <rustls::error::Error as core::clone::Clone>::clone.9817
[NEW] +4.71Ki [NEW] +4.59Ki <rustls::error::Error as core::clone::Clone>::clone.11081
[NEW] +3.83Ki [NEW] +3.71Ki <webpki::error::Error as core::fmt::Debug>::fmt.11259
[NEW] +3.66Ki [NEW] +3.54Ki <rustls::error::Error as core::fmt::Debug>::fmt.9446
[DEL] -3.57Ki [DEL] -3.45Ki <rustls::error::Error as core::fmt::Debug>::fmt.11079
[DEL] -3.66Ki [DEL] -3.54Ki <rustls::error::Error as core::fmt::Debug>::fmt.9443
[DEL] -3.83Ki [DEL] -3.71Ki <webpki::error::Error as core::fmt::Debug>::fmt.11256
[DEL] -4.71Ki [DEL] -4.59Ki <rustls::error::Error as core::clone::Clone>::clone.11078
[DEL] -4.71Ki [DEL] -4.59Ki <rustls::error::Error as core::clone::Clone>::clone.9814
[DEL] -5.13Ki [DEL] -5.00Ki <hickory_proto::rr::record_data::RData as core::clone::Clone>::clone.11063
[DEL] -5.52Ki [DEL] -5.38Ki <hickory_proto::rr::record_data::RData as core::clone::Clone>::clone.8287
[DEL] -10.6Ki [DEL] -10.5Ki <saluki_core::data_model::event::Event as core::clone::Clone>::clone.9836
[DEL] -13.7Ki [DEL] -13.6Ki saluki_app::memory::MemoryBoundsConfiguration::try_from_config::he8b8b5b249741757
[DEL] -63.1Ki [DEL] -62.9Ki _<agent_data_plane::internal::control_plane::PrivilegedApiWorker as saluki_core::runtime::supervisor::Supervisable>::initialize::_{{closure}}::hca7732702b66561d
+0.0% +4.71Ki +0.0% +6.86Ki TOTAL
Regression Detector (Agent Data Plane)Regression Detector ResultsRun ID: 295d971b-1dd9-4cd6-a196-451af6d62621 Baseline: c8eb887 Optimization Goals: ✅ No significant changes detected
|
| perf | experiment | goal | Δ mean % | Δ mean % CI | trials | links |
|---|---|---|---|---|---|---|
| ➖ | otlp_ingest_logs_5mb_cpu | % cpu utilization | +2.26 | [-2.88, +7.40] | 1 | (metrics) (profiles) (logs) |
| ➖ | otlp_ingest_logs_5mb_throughput | ingress throughput | +0.02 | [-0.10, +0.14] | 1 | (metrics) (profiles) (logs) |
| ➖ | otlp_ingest_logs_5mb_memory | memory utilization | -2.35 | [-2.73, -1.96] | 1 | (metrics) (profiles) (logs) |
Fine details of change detection per experiment
| perf | experiment | goal | Δ mean % | Δ mean % CI | trials | links |
|---|---|---|---|---|---|---|
| ➖ | dsd_uds_10mb_3k_contexts_cpu | % cpu utilization | +8.92 | [-24.42, +42.25] | 1 | (metrics) (profiles) (logs) |
| ➖ | dsd_uds_100mb_3k_contexts_cpu | % cpu utilization | +3.83 | [-2.16, +9.83] | 1 | (metrics) (profiles) (logs) |
| ➖ | otlp_ingest_logs_5mb_cpu | % cpu utilization | +2.26 | [-2.88, +7.40] | 1 | (metrics) (profiles) (logs) |
| ➖ | otlp_ingest_metrics_5mb_cpu | % cpu utilization | +0.85 | [-6.88, +8.58] | 1 | (metrics) (profiles) (logs) |
| ➖ | otlp_ingest_traces_ottl_filtering_5mb_cpu | % cpu utilization | +0.77 | [-1.75, +3.28] | 1 | (metrics) (profiles) (logs) |
| ➖ | quality_gates_rss_dsd_medium | memory utilization | +0.31 | [+0.12, +0.49] | 1 | (metrics) (profiles) (logs) |
| ➖ | dsd_uds_100mb_3k_contexts_memory | memory utilization | +0.24 | [+0.06, +0.43] | 1 | (metrics) (profiles) (logs) |
| ➖ | otlp_ingest_traces_ottl_filtering_5mb_memory | memory utilization | +0.23 | [-0.11, +0.56] | 1 | (metrics) (profiles) (logs) |
| ➖ | dsd_uds_10mb_3k_contexts_memory | memory utilization | +0.22 | [+0.03, +0.41] | 1 | (metrics) (profiles) (logs) |
| ➖ | dsd_uds_500mb_3k_contexts_cpu | % cpu utilization | +0.16 | [-1.30, +1.61] | 1 | (metrics) (profiles) (logs) |
| ➖ | dsd_uds_512kb_3k_contexts_cpu | % cpu utilization | +0.12 | [-58.26, +58.51] | 1 | (metrics) (profiles) (logs) |
| ➖ | quality_gates_rss_dsd_heavy | memory utilization | +0.05 | [-0.09, +0.19] | 1 | (metrics) (profiles) (logs) |
| ➖ | otlp_ingest_logs_5mb_throughput | ingress throughput | +0.02 | [-0.10, +0.14] | 1 | (metrics) (profiles) (logs) |
| ➖ | dsd_uds_100mb_3k_contexts_throughput | ingress throughput | +0.01 | [-0.05, +0.06] | 1 | (metrics) (profiles) (logs) |
| ➖ | otlp_ingest_traces_ottl_filtering_5mb_throughput | ingress throughput | +0.00 | [-0.02, +0.02] | 1 | (metrics) (profiles) (logs) |
| ➖ | otlp_ingest_traces_ottl_transform_5mb_throughput | ingress throughput | +0.00 | [-0.02, +0.02] | 1 | (metrics) (profiles) (logs) |
| ➖ | otlp_ingest_metrics_5mb_throughput | ingress throughput | +0.00 | [-0.12, +0.12] | 1 | (metrics) (profiles) (logs) |
| ➖ | dsd_uds_1mb_3k_contexts_throughput | ingress throughput | -0.00 | [-0.06, +0.06] | 1 | (metrics) (profiles) (logs) |
| ➖ | otlp_ingest_traces_5mb_throughput | ingress throughput | -0.00 | [-0.02, +0.02] | 1 | (metrics) (profiles) (logs) |
| ➖ | dsd_uds_512kb_3k_contexts_throughput | ingress throughput | -0.01 | [-0.06, +0.04] | 1 | (metrics) (profiles) (logs) |
| ➖ | dsd_uds_10mb_3k_contexts_throughput | ingress throughput | -0.01 | [-0.15, +0.12] | 1 | (metrics) (profiles) (logs) |
| ➖ | quality_gates_rss_dsd_ultraheavy | memory utilization | -0.04 | [-0.16, +0.08] | 1 | (metrics) (profiles) (logs) |
| ➖ | otlp_ingest_traces_5mb_memory | memory utilization | -0.07 | [-0.33, +0.18] | 1 | (metrics) (profiles) (logs) |
| ➖ | dsd_uds_500mb_3k_contexts_memory | memory utilization | -0.12 | [-0.29, +0.05] | 1 | (metrics) (profiles) (logs) |
| ➖ | dsd_uds_1mb_3k_contexts_memory | memory utilization | -0.16 | [-0.33, +0.02] | 1 | (metrics) (profiles) (logs) |
| ➖ | otlp_ingest_traces_ottl_transform_5mb_memory | memory utilization | -0.17 | [-0.42, +0.08] | 1 | (metrics) (profiles) (logs) |
| ➖ | quality_gates_rss_idle | memory utilization | -0.22 | [-0.25, -0.18] | 1 | (metrics) (profiles) (logs) |
| ➖ | quality_gates_rss_dsd_low | memory utilization | -0.28 | [-0.47, -0.08] | 1 | (metrics) (profiles) (logs) |
| ➖ | otlp_ingest_metrics_5mb_memory | memory utilization | -0.29 | [-0.55, -0.03] | 1 | (metrics) (profiles) (logs) |
| ➖ | dsd_uds_512kb_3k_contexts_memory | memory utilization | -0.41 | [-0.58, -0.24] | 1 | (metrics) (profiles) (logs) |
| ➖ | otlp_ingest_traces_5mb_cpu | % cpu utilization | -0.45 | [-2.73, +1.82] | 1 | (metrics) (profiles) (logs) |
| ➖ | otlp_ingest_traces_ottl_transform_5mb_cpu | % cpu utilization | -1.25 | [-3.38, +0.88] | 1 | (metrics) (profiles) (logs) |
| ➖ | otlp_ingest_logs_5mb_memory | memory utilization | -2.35 | [-2.73, -1.96] | 1 | (metrics) (profiles) (logs) |
| ➖ | dsd_uds_1mb_3k_contexts_cpu | % cpu utilization | -3.26 | [-56.77, +50.25] | 1 | (metrics) (profiles) (logs) |
| ➖ | dsd_uds_500mb_3k_contexts_throughput | ingress throughput | -4.21 | [-4.36, -4.07] | 1 | (metrics) (profiles) (logs) |
Bounds Checks: ✅ Passed
| perf | experiment | bounds_check_name | replicates_passed | observed_value | links |
|---|---|---|---|---|---|
| ✅ | quality_gates_rss_dsd_heavy | memory_usage | 10/10 | 113.68MiB ≤ 140MiB | (metrics) (profiles) (logs) |
| ✅ | quality_gates_rss_dsd_low | memory_usage | 10/10 | 33.60MiB ≤ 50MiB | (metrics) (profiles) (logs) |
| ✅ | quality_gates_rss_dsd_medium | memory_usage | 10/10 | 53.14MiB ≤ 75MiB | (metrics) (profiles) (logs) |
| ✅ | quality_gates_rss_dsd_ultraheavy | memory_usage | 10/10 | 167.01MiB ≤ 200MiB | (metrics) (profiles) (logs) |
| ✅ | quality_gates_rss_idle | memory_usage | 10/10 | 21MiB ≤ 40MiB | (metrics) (profiles) (logs) |
Explanation
Confidence level: 90.00%
Effect size tolerance: |Δ mean %| ≥ 5.00%
Performance changes are noted in the perf column of each table:
- ✅ = significantly better comparison variant performance
- ❌ = significantly worse comparison variant performance
- ➖ = no significant change in performance
A regression test is an A/B test of target performance in a repeatable rig, where "performance" is measured as "comparison variant minus baseline variant" for an optimization goal (e.g., ingress throughput). Due to intrinsic variability in measuring that goal, we can only estimate its mean value for each experiment; we report uncertainty in that value as a 90.00% confidence interval denoted "Δ mean % CI".
For each experiment, we decide whether a change in performance is a "regression" -- a change worth investigating further -- if all of the following criteria are true:
-
Its estimated |Δ mean %| ≥ 5.00%, indicating the change is big enough to merit a closer look.
-
Its 90.00% confidence interval "Δ mean % CI" does not contain zero, indicating that if our statistical model is accurate, there is at least a 90.00% chance there is a difference in performance between baseline and comparison variants.
-
Its configuration does not mark it "erratic".
tobz
added
the
type/chore
tobz
force-pushed
the
tobz/supervisor-health-registry-worker
branch
from
a0e1d19 to
7ca8cbc
Compare
tobz
force-pushed
the
tobz/control-plane-tls-early-init
branch
from
b284244 to
75a8e2c
Compare
tobz
force-pushed
the
tobz/supervisor-health-registry-worker
branch
from
7ca8cbc to
7c0a3b6
Compare
tobz
force-pushed
the
tobz/control-plane-tls-early-init
branch
from
75a8e2c to
cc926a0
Compare
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 1 out of 4 changed files in this pull request and generated no new comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
tobz
force-pushed
the
tobz/supervisor-health-registry-worker
branch
from
7c0a3b6 to
a4f5a2b
Compare
tobz
force-pushed
the
tobz/control-plane-tls-early-init
branch
2 times, most recently
from
2eacb9c to
32b6e9b
Compare
tobz
force-pushed
the
tobz/supervisor-health-registry-worker
branch
from
a4f5a2b to
35cd34f
Compare
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 1 out of 4 changed files in this pull request and generated no new comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
tobz
force-pushed
the
tobz/control-plane-tls-early-init
branch
from
32b6e9b to
999e501
Compare
tobz
force-pushed
the
tobz/supervisor-health-registry-worker
branch
from
35cd34f to
092d5cc
Compare
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 1 out of 4 changed files in this pull request and generated no new comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
tobz
force-pushed
the
tobz/supervisor-health-registry-worker
branch
from
1503a76 to
1074624
Compare
tobz
force-pushed
the
tobz/control-plane-tls-early-init
branch
from
800d4d5 to
863258d
Compare
tobz
force-pushed
the
tobz/control-plane-tls-early-init
branch
from
863258d to
cb76711
Compare
tobz
force-pushed
the
tobz/supervisor-health-registry-worker
branch
from
1074624 to
6f8df24
Compare
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 1 out of 4 changed files in this pull request and generated no new comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
tobz
force-pushed
the
tobz/supervisor-health-registry-worker
branch
from
6f8df24 to
ae24fcd
Compare
tobz
force-pushed
the
tobz/control-plane-tls-early-init
branch
2 times, most recently
from
41ee86e to
2ebe651
Compare
tobz
force-pushed
the
tobz/supervisor-health-registry-worker
branch
from
ae24fcd to
a6bb0f6
Compare
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 1 out of 4 changed files in this pull request and generated no new comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
tobz
force-pushed
the
tobz/control-plane-tls-early-init
branch
from
2ebe651 to
7726dbc
Compare
tobz
force-pushed
the
tobz/supervisor-health-registry-worker
branch
from
a6bb0f6 to
66fb4b2
Compare
tobz
force-pushed
the
tobz/control-plane-tls-early-init
branch
from
7726dbc to
3676bb3
Compare
tobz
force-pushed
the
tobz/control-plane-tls-early-init
branch
from
3676bb3 to
a8a7bb9
Compare
| dsd_stats_config, | ||
| ra_bootstrap, | ||
| ) | ||
| .await |
There was a problem hiding this comment.
If the shock is due to the number of arguments... I promise this will be getting better in subsequent PRs of this stack. 😅
There was a problem hiding this comment.
Ha, no I was shocked that an await was previously missing, although now I realize it was probably just because the signature changed to async.
| pub mod util; | ||
|
|
||
| mod ipc; | ||
| pub use rustls::ServerConfig; |
There was a problem hiding this comment.
If users are going to depend on things like saluki-io, then the less we expose of third-party libraries the better. It depends on whether users are going to depend on saluki-io from outside this workspace. If so, then an audit of exposed third-party types might be useful.
Summary
This PR moves the initialization of TLS primitives/configuration for the privileged API worker to occur earlier so that the process can fail fast if misconfigured.
Prior to this PR, we were initializing TLS primitives/configuration during the initialization of the worker, which could mean errors or delays during loading which might cause downstream issues in the supervisor. Instead, we want to do this once at process start and surface any of the resulting errors so that we can fail fast and loudly since there's not likely anything we can do about it.
Change Type
How did you test this PR?
Built and ran ADP and ensured it still properly initialized and ran the privileged API.
References
AGTMETRICS-393