authprovider: add OTEL spans for loading credentials

tonistiigi · tonistiigi · commit c4a9c39e6198 · 2024-10-16T20:52:09.000-07:00
Credential loading could take long depending on credentials storage.

Signed-off-by: Tonis Tiigi &lt;tonistiigi@gmail.com&gt;
diff --git a/session/auth/authprovider/authprovider.go b/session/auth/authprovider/authprovider.go
@@ -74,7 +74,7 @@ func (ap *authProvider) Register(server *grpc.Server) {
 }
 
 func (ap *authProvider) FetchToken(ctx context.Context, req *auth.FetchTokenRequest) (rr *auth.FetchTokenResponse, err error) {
-	ac, err := ap.getAuthConfig(req.Host)
+	ac, err := ap.getAuthConfig(ctx, req.Host)
 	if err != nil {
 		return nil, err
 	}
@@ -84,7 +84,7 @@ func (ap *authProvider) FetchToken(ctx context.Context, req *auth.FetchTokenRequ
 		return toTokenResponse(ac.RegistryToken, time.Time{}, 0), nil
 	}
 
-	creds, err := ap.credentials(req.Host)
+	creds, err := ap.credentials(ctx, req.Host)
 	if err != nil {
 		return nil, err
 	}
@@ -187,8 +187,8 @@ func (ap *authProvider) tlsConfig(host string) (*tls.Config, error) {
 	return tc, nil
 }
 
-func (ap *authProvider) credentials(host string) (*auth.CredentialsResponse, error) {
-	ac, err := ap.getAuthConfig(host)
+func (ap *authProvider) credentials(ctx context.Context, host string) (*auth.CredentialsResponse, error) {
+	ac, err := ap.getAuthConfig(ctx, host)
 	if err != nil {
 		return nil, err
 	}
@@ -203,7 +203,7 @@ func (ap *authProvider) credentials(host string) (*auth.CredentialsResponse, err
 }
 
 func (ap *authProvider) Credentials(ctx context.Context, req *auth.CredentialsRequest) (*auth.CredentialsResponse, error) {
-	resp, err := ap.credentials(req.Host)
+	resp, err := ap.credentials(ctx, req.Host)
 	if err != nil || resp.Secret != "" {
 		ap.mu.Lock()
 		defer ap.mu.Unlock()
@@ -219,7 +219,7 @@ func (ap *authProvider) Credentials(ctx context.Context, req *auth.CredentialsRe
 }
 
 func (ap *authProvider) GetTokenAuthority(ctx context.Context, req *auth.GetTokenAuthorityRequest) (*auth.GetTokenAuthorityResponse, error) {
-	key, err := ap.getAuthorityKey(req.Host, req.Salt)
+	key, err := ap.getAuthorityKey(ctx, req.Host, req.Salt)
 	if err != nil {
 		return nil, err
 	}
@@ -228,7 +228,7 @@ func (ap *authProvider) GetTokenAuthority(ctx context.Context, req *auth.GetToke
 }
 
 func (ap *authProvider) VerifyTokenAuthority(ctx context.Context, req *auth.VerifyTokenAuthorityRequest) (*auth.VerifyTokenAuthorityResponse, error) {
-	key, err := ap.getAuthorityKey(req.Host, req.Salt)
+	key, err := ap.getAuthorityKey(ctx, req.Host, req.Salt)
 	if err != nil {
 		return nil, err
 	}
@@ -239,7 +239,7 @@ func (ap *authProvider) VerifyTokenAuthority(ctx context.Context, req *auth.Veri
 	return &auth.VerifyTokenAuthorityResponse{Signed: sign.Sign(nil, req.Payload, priv)}, nil
 }
 
-func (ap *authProvider) getAuthConfig(host string) (*types.AuthConfig, error) {
+func (ap *authProvider) getAuthConfig(ctx context.Context, host string) (*types.AuthConfig, error) {
 	ap.mu.Lock()
 	defer ap.mu.Unlock()
 
@@ -248,7 +248,9 @@ func (ap *authProvider) getAuthConfig(host string) (*types.AuthConfig, error) {
 	}
 
 	if _, exists := ap.authConfigCache[host]; !exists {
+		span, _ := tracing.StartSpan(ctx, fmt.Sprintf("load credentials for %s", host))
 		ac, err := ap.config.GetAuthConfig(host)
+		tracing.FinishWithError(span, err)
 		if err != nil {
 			return nil, err
 		}
@@ -258,12 +260,12 @@ func (ap *authProvider) getAuthConfig(host string) (*types.AuthConfig, error) {
 	return ap.authConfigCache[host], nil
 }
 
-func (ap *authProvider) getAuthorityKey(host string, salt []byte) (ed25519.PrivateKey, error) {
+func (ap *authProvider) getAuthorityKey(ctx context.Context, host string, salt []byte) (ed25519.PrivateKey, error) {
 	if v, err := strconv.ParseBool(os.Getenv("BUILDKIT_NO_CLIENT_TOKEN")); err == nil && v {
 		return nil, status.Errorf(codes.Unavailable, "client side tokens disabled")
 	}
 
-	creds, err := ap.credentials(host)
+	creds, err := ap.credentials(ctx, host)
 	if err != nil {
 		return nil, err
 	}

Original file line number	Diff line number	Diff line change
`@@ -74,7 +74,7 @@ func (ap authProvider) Register(server grpc.Server) {`
`74`	`74`	`}`
`75`	`75`
`76`	`76`	`func (ap authProvider) FetchToken(ctx context.Context, req auth.FetchTokenRequest) (rr *auth.FetchTokenResponse, err error) {`
`77`		`- ac, err := ap.getAuthConfig(req.Host)`
	`77`	`+ ac, err := ap.getAuthConfig(ctx, req.Host)`
`78`	`78`	`if err != nil {`
`79`	`79`	`return nil, err`
`80`	`80`	`}`
`@@ -84,7 +84,7 @@ func (ap authProvider) FetchToken(ctx context.Context, req auth.FetchTokenRequ`
`84`	`84`	`return toTokenResponse(ac.RegistryToken, time.Time{}, 0), nil`
`85`	`85`	`}`
`86`	`86`
`87`		`- creds, err := ap.credentials(req.Host)`
	`87`	`+ creds, err := ap.credentials(ctx, req.Host)`
`88`	`88`	`if err != nil {`
`89`	`89`	`return nil, err`
`90`	`90`	`}`
`@@ -187,8 +187,8 @@ func (ap authProvider) tlsConfig(host string) (tls.Config, error) {`
`187`	`187`	`return tc, nil`
`188`	`188`	`}`
`189`	`189`
`190`		`-func (ap authProvider) credentials(host string) (auth.CredentialsResponse, error) {`
`191`		`- ac, err := ap.getAuthConfig(host)`
	`190`	`+func (ap authProvider) credentials(ctx context.Context, host string) (auth.CredentialsResponse, error) {`
	`191`	`+ ac, err := ap.getAuthConfig(ctx, host)`
`192`	`192`	`if err != nil {`
`193`	`193`	`return nil, err`
`194`	`194`	`}`
`@@ -203,7 +203,7 @@ func (ap authProvider) credentials(host string) (auth.CredentialsResponse, err`
`203`	`203`	`}`
`204`	`204`
`205`	`205`	`func (ap authProvider) Credentials(ctx context.Context, req auth.CredentialsRequest) (*auth.CredentialsResponse, error) {`
`206`		`- resp, err := ap.credentials(req.Host)`
	`206`	`+ resp, err := ap.credentials(ctx, req.Host)`
`207`	`207`	`if err != nil \|\| resp.Secret != "" {`
`208`	`208`	`ap.mu.Lock()`
`209`	`209`	`defer ap.mu.Unlock()`
`@@ -219,7 +219,7 @@ func (ap authProvider) Credentials(ctx context.Context, req auth.CredentialsRe`
`219`	`219`	`}`
`220`	`220`
`221`	`221`	`func (ap authProvider) GetTokenAuthority(ctx context.Context, req auth.GetTokenAuthorityRequest) (*auth.GetTokenAuthorityResponse, error) {`
`222`		`- key, err := ap.getAuthorityKey(req.Host, req.Salt)`
	`222`	`+ key, err := ap.getAuthorityKey(ctx, req.Host, req.Salt)`
`223`	`223`	`if err != nil {`
`224`	`224`	`return nil, err`
`225`	`225`	`}`
`@@ -228,7 +228,7 @@ func (ap authProvider) GetTokenAuthority(ctx context.Context, req auth.GetToke`
`228`	`228`	`}`
`229`	`229`
`230`	`230`	`func (ap authProvider) VerifyTokenAuthority(ctx context.Context, req auth.VerifyTokenAuthorityRequest) (*auth.VerifyTokenAuthorityResponse, error) {`
`231`		`- key, err := ap.getAuthorityKey(req.Host, req.Salt)`
	`231`	`+ key, err := ap.getAuthorityKey(ctx, req.Host, req.Salt)`
`232`	`232`	`if err != nil {`
`233`	`233`	`return nil, err`
`234`	`234`	`}`
`@@ -239,7 +239,7 @@ func (ap authProvider) VerifyTokenAuthority(ctx context.Context, req auth.Veri`
`239`	`239`	`return &auth.VerifyTokenAuthorityResponse{Signed: sign.Sign(nil, req.Payload, priv)}, nil`
`240`	`240`	`}`
`241`	`241`
`242`		`-func (ap authProvider) getAuthConfig(host string) (types.AuthConfig, error) {`
	`242`	`+func (ap authProvider) getAuthConfig(ctx context.Context, host string) (types.AuthConfig, error) {`
`243`	`243`	`ap.mu.Lock()`
`244`	`244`	`defer ap.mu.Unlock()`
`245`	`245`
`@@ -248,7 +248,9 @@ func (ap authProvider) getAuthConfig(host string) (types.AuthConfig, error) {`
`248`	`248`	`}`
`249`	`249`
`250`	`250`	`if _, exists := ap.authConfigCache[host]; !exists {`
	`251`	`+ span, _ := tracing.StartSpan(ctx, fmt.Sprintf("load credentials for %s", host))`
`251`	`252`	`ac, err := ap.config.GetAuthConfig(host)`
	`253`	`+ tracing.FinishWithError(span, err)`
`252`	`254`	`if err != nil {`
`253`	`255`	`return nil, err`
`254`	`256`	`}`
`@@ -258,12 +260,12 @@ func (ap authProvider) getAuthConfig(host string) (types.AuthConfig, error) {`
`258`	`260`	`return ap.authConfigCache[host], nil`
`259`	`261`	`}`
`260`	`262`
`261`		`-func (ap *authProvider) getAuthorityKey(host string, salt []byte) (ed25519.PrivateKey, error) {`
	`263`	`+func (ap *authProvider) getAuthorityKey(ctx context.Context, host string, salt []byte) (ed25519.PrivateKey, error) {`
`262`	`264`	`if v, err := strconv.ParseBool(os.Getenv("BUILDKIT_NO_CLIENT_TOKEN")); err == nil && v {`
`263`	`265`	`return nil, status.Errorf(codes.Unavailable, "client side tokens disabled")`
`264`	`266`	`}`
`265`	`267`
`266`		`- creds, err := ap.credentials(host)`
	`268`	`+ creds, err := ap.credentials(ctx, host)`
`267`	`269`	`if err != nil {`
`268`	`270`	`return nil, err`
`269`	`271`	`}`