Merge pull request moby#5432 from tonistiigi/otel-auth-update

tonistiigi · web-flow · commit 2be385c75978 · 2024-10-17T11:03:33.000-07:00
Better OTEL tracing for authprovider
diff --git a/session/auth/authprovider/authprovider.go b/session/auth/authprovider/authprovider.go
@@ -24,6 +24,7 @@ import (
 	"github.com/moby/buildkit/session"
 	"github.com/moby/buildkit/session/auth"
 	"github.com/moby/buildkit/util/progress/progresswriter"
+	"github.com/moby/buildkit/util/tracing"
 	"github.com/pkg/errors"
 	"golang.org/x/crypto/nacl/sign"
 	"google.golang.org/grpc"
@@ -73,7 +74,7 @@ func (ap *authProvider) Register(server *grpc.Server) {
 }
 
 func (ap *authProvider) FetchToken(ctx context.Context, req *auth.FetchTokenRequest) (rr *auth.FetchTokenResponse, err error) {
-	ac, err := ap.getAuthConfig(req.Host)
+	ac, err := ap.getAuthConfig(ctx, req.Host)
 	if err != nil {
 		return nil, err
 	}
@@ -83,7 +84,7 @@ func (ap *authProvider) FetchToken(ctx context.Context, req *auth.FetchTokenRequ
 		return toTokenResponse(ac.RegistryToken, time.Time{}, 0), nil
 	}
 
-	creds, err := ap.credentials(req.Host)
+	creds, err := ap.credentials(ctx, req.Host)
 	if err != nil {
 		return nil, err
 	}
@@ -96,11 +97,11 @@ func (ap *authProvider) FetchToken(ctx context.Context, req *auth.FetchTokenRequ
 		Secret:   creds.Secret,
 	}
 
-	httpClient := http.DefaultClient()
+	httpClient := tracing.DefaultClient
 	if tc, err := ap.tlsConfig(req.Host); err == nil && tc != nil {
 		transport := http.DefaultTransport()
 		transport.TLSClientConfig = tc
-		httpClient.Transport = transport
+		httpClient.Transport = tracing.NewTransport(transport)
 	}
 
 	if creds.Secret != "" {
@@ -186,8 +187,8 @@ func (ap *authProvider) tlsConfig(host string) (*tls.Config, error) {
 	return tc, nil
 }
 
-func (ap *authProvider) credentials(host string) (*auth.CredentialsResponse, error) {
-	ac, err := ap.getAuthConfig(host)
+func (ap *authProvider) credentials(ctx context.Context, host string) (*auth.CredentialsResponse, error) {
+	ac, err := ap.getAuthConfig(ctx, host)
 	if err != nil {
 		return nil, err
 	}
@@ -202,7 +203,7 @@ func (ap *authProvider) credentials(host string) (*auth.CredentialsResponse, err
 }
 
 func (ap *authProvider) Credentials(ctx context.Context, req *auth.CredentialsRequest) (*auth.CredentialsResponse, error) {
-	resp, err := ap.credentials(req.Host)
+	resp, err := ap.credentials(ctx, req.Host)
 	if err != nil || resp.Secret != "" {
 		ap.mu.Lock()
 		defer ap.mu.Unlock()
@@ -218,7 +219,7 @@ func (ap *authProvider) Credentials(ctx context.Context, req *auth.CredentialsRe
 }
 
 func (ap *authProvider) GetTokenAuthority(ctx context.Context, req *auth.GetTokenAuthorityRequest) (*auth.GetTokenAuthorityResponse, error) {
-	key, err := ap.getAuthorityKey(req.Host, req.Salt)
+	key, err := ap.getAuthorityKey(ctx, req.Host, req.Salt)
 	if err != nil {
 		return nil, err
 	}
@@ -227,7 +228,7 @@ func (ap *authProvider) GetTokenAuthority(ctx context.Context, req *auth.GetToke
 }
 
 func (ap *authProvider) VerifyTokenAuthority(ctx context.Context, req *auth.VerifyTokenAuthorityRequest) (*auth.VerifyTokenAuthorityResponse, error) {
-	key, err := ap.getAuthorityKey(req.Host, req.Salt)
+	key, err := ap.getAuthorityKey(ctx, req.Host, req.Salt)
 	if err != nil {
 		return nil, err
 	}
@@ -238,7 +239,7 @@ func (ap *authProvider) VerifyTokenAuthority(ctx context.Context, req *auth.Veri
 	return &auth.VerifyTokenAuthorityResponse{Signed: sign.Sign(nil, req.Payload, priv)}, nil
 }
 
-func (ap *authProvider) getAuthConfig(host string) (*types.AuthConfig, error) {
+func (ap *authProvider) getAuthConfig(ctx context.Context, host string) (*types.AuthConfig, error) {
 	ap.mu.Lock()
 	defer ap.mu.Unlock()
 
@@ -247,7 +248,9 @@ func (ap *authProvider) getAuthConfig(host string) (*types.AuthConfig, error) {
 	}
 
 	if _, exists := ap.authConfigCache[host]; !exists {
+		span, _ := tracing.StartSpan(ctx, fmt.Sprintf("load credentials for %s", host))
 		ac, err := ap.config.GetAuthConfig(host)
+		tracing.FinishWithError(span, err)
 		if err != nil {
 			return nil, err
 		}
@@ -257,12 +260,12 @@ func (ap *authProvider) getAuthConfig(host string) (*types.AuthConfig, error) {
 	return ap.authConfigCache[host], nil
 }
 
-func (ap *authProvider) getAuthorityKey(host string, salt []byte) (ed25519.PrivateKey, error) {
+func (ap *authProvider) getAuthorityKey(ctx context.Context, host string, salt []byte) (ed25519.PrivateKey, error) {
 	if v, err := strconv.ParseBool(os.Getenv("BUILDKIT_NO_CLIENT_TOKEN")); err == nil && v {
 		return nil, status.Errorf(codes.Unavailable, "client side tokens disabled")
 	}
 
-	creds, err := ap.credentials(host)
+	creds, err := ap.credentials(ctx, host)
 	if err != nil {
 		return nil, err
 	}

Original file line number	Diff line number	Diff line change
`@@ -24,6 +24,7 @@ import (`
`24`	`24`	`"github.com/moby/buildkit/session"`
`25`	`25`	`"github.com/moby/buildkit/session/auth"`
`26`	`26`	`"github.com/moby/buildkit/util/progress/progresswriter"`
	`27`	`+ "github.com/moby/buildkit/util/tracing"`
`27`	`28`	`"github.com/pkg/errors"`
`28`	`29`	`"golang.org/x/crypto/nacl/sign"`
`29`	`30`	`"google.golang.org/grpc"`
`@@ -73,7 +74,7 @@ func (ap authProvider) Register(server grpc.Server) {`
`73`	`74`	`}`
`74`	`75`
`75`	`76`	`func (ap authProvider) FetchToken(ctx context.Context, req auth.FetchTokenRequest) (rr *auth.FetchTokenResponse, err error) {`
`76`		`- ac, err := ap.getAuthConfig(req.Host)`
	`77`	`+ ac, err := ap.getAuthConfig(ctx, req.Host)`
`77`	`78`	`if err != nil {`
`78`	`79`	`return nil, err`
`79`	`80`	`}`
`@@ -83,7 +84,7 @@ func (ap authProvider) FetchToken(ctx context.Context, req auth.FetchTokenRequ`
`83`	`84`	`return toTokenResponse(ac.RegistryToken, time.Time{}, 0), nil`
`84`	`85`	`}`
`85`	`86`
`86`		`- creds, err := ap.credentials(req.Host)`
	`87`	`+ creds, err := ap.credentials(ctx, req.Host)`
`87`	`88`	`if err != nil {`
`88`	`89`	`return nil, err`
`89`	`90`	`}`
`@@ -96,11 +97,11 @@ func (ap authProvider) FetchToken(ctx context.Context, req auth.FetchTokenRequ`
`96`	`97`	`Secret: creds.Secret,`
`97`	`98`	`}`
`98`	`99`
`99`		`- httpClient := http.DefaultClient()`
	`100`	`+ httpClient := tracing.DefaultClient`
`100`	`101`	`if tc, err := ap.tlsConfig(req.Host); err == nil && tc != nil {`
`101`	`102`	`transport := http.DefaultTransport()`
`102`	`103`	`transport.TLSClientConfig = tc`
`103`		`- httpClient.Transport = transport`
	`104`	`+ httpClient.Transport = tracing.NewTransport(transport)`
`104`	`105`	`}`
`105`	`106`
`106`	`107`	`if creds.Secret != "" {`
`@@ -186,8 +187,8 @@ func (ap authProvider) tlsConfig(host string) (tls.Config, error) {`
`186`	`187`	`return tc, nil`
`187`	`188`	`}`
`188`	`189`
`189`		`-func (ap authProvider) credentials(host string) (auth.CredentialsResponse, error) {`
`190`		`- ac, err := ap.getAuthConfig(host)`
	`190`	`+func (ap authProvider) credentials(ctx context.Context, host string) (auth.CredentialsResponse, error) {`
	`191`	`+ ac, err := ap.getAuthConfig(ctx, host)`
`191`	`192`	`if err != nil {`
`192`	`193`	`return nil, err`
`193`	`194`	`}`
`@@ -202,7 +203,7 @@ func (ap authProvider) credentials(host string) (auth.CredentialsResponse, err`
`202`	`203`	`}`
`203`	`204`
`204`	`205`	`func (ap authProvider) Credentials(ctx context.Context, req auth.CredentialsRequest) (*auth.CredentialsResponse, error) {`
`205`		`- resp, err := ap.credentials(req.Host)`
	`206`	`+ resp, err := ap.credentials(ctx, req.Host)`
`206`	`207`	`if err != nil \|\| resp.Secret != "" {`
`207`	`208`	`ap.mu.Lock()`
`208`	`209`	`defer ap.mu.Unlock()`
`@@ -218,7 +219,7 @@ func (ap authProvider) Credentials(ctx context.Context, req auth.CredentialsRe`
`218`	`219`	`}`
`219`	`220`
`220`	`221`	`func (ap authProvider) GetTokenAuthority(ctx context.Context, req auth.GetTokenAuthorityRequest) (*auth.GetTokenAuthorityResponse, error) {`
`221`		`- key, err := ap.getAuthorityKey(req.Host, req.Salt)`
	`222`	`+ key, err := ap.getAuthorityKey(ctx, req.Host, req.Salt)`
`222`	`223`	`if err != nil {`
`223`	`224`	`return nil, err`
`224`	`225`	`}`
`@@ -227,7 +228,7 @@ func (ap authProvider) GetTokenAuthority(ctx context.Context, req auth.GetToke`
`227`	`228`	`}`
`228`	`229`
`229`	`230`	`func (ap authProvider) VerifyTokenAuthority(ctx context.Context, req auth.VerifyTokenAuthorityRequest) (*auth.VerifyTokenAuthorityResponse, error) {`
`230`		`- key, err := ap.getAuthorityKey(req.Host, req.Salt)`
	`231`	`+ key, err := ap.getAuthorityKey(ctx, req.Host, req.Salt)`
`231`	`232`	`if err != nil {`
`232`	`233`	`return nil, err`
`233`	`234`	`}`
`@@ -238,7 +239,7 @@ func (ap authProvider) VerifyTokenAuthority(ctx context.Context, req auth.Veri`
`238`	`239`	`return &auth.VerifyTokenAuthorityResponse{Signed: sign.Sign(nil, req.Payload, priv)}, nil`
`239`	`240`	`}`
`240`	`241`
`241`		`-func (ap authProvider) getAuthConfig(host string) (types.AuthConfig, error) {`
	`242`	`+func (ap authProvider) getAuthConfig(ctx context.Context, host string) (types.AuthConfig, error) {`
`242`	`243`	`ap.mu.Lock()`
`243`	`244`	`defer ap.mu.Unlock()`
`244`	`245`
`@@ -247,7 +248,9 @@ func (ap authProvider) getAuthConfig(host string) (types.AuthConfig, error) {`
`247`	`248`	`}`
`248`	`249`
`249`	`250`	`if _, exists := ap.authConfigCache[host]; !exists {`
	`251`	`+ span, _ := tracing.StartSpan(ctx, fmt.Sprintf("load credentials for %s", host))`
`250`	`252`	`ac, err := ap.config.GetAuthConfig(host)`
	`253`	`+ tracing.FinishWithError(span, err)`
`251`	`254`	`if err != nil {`
`252`	`255`	`return nil, err`
`253`	`256`	`}`
`@@ -257,12 +260,12 @@ func (ap authProvider) getAuthConfig(host string) (types.AuthConfig, error) {`
`257`	`260`	`return ap.authConfigCache[host], nil`
`258`	`261`	`}`
`259`	`262`
`260`		`-func (ap *authProvider) getAuthorityKey(host string, salt []byte) (ed25519.PrivateKey, error) {`
	`263`	`+func (ap *authProvider) getAuthorityKey(ctx context.Context, host string, salt []byte) (ed25519.PrivateKey, error) {`
`261`	`264`	`if v, err := strconv.ParseBool(os.Getenv("BUILDKIT_NO_CLIENT_TOKEN")); err == nil && v {`
`262`	`265`	`return nil, status.Errorf(codes.Unavailable, "client side tokens disabled")`
`263`	`266`	`}`
`264`	`267`
`265`		`- creds, err := ap.credentials(host)`
	`268`	`+ creds, err := ap.credentials(ctx, host)`
`266`	`269`	`if err != nil {`
`267`	`270`	`return nil, err`
`268`	`271`	`}`