DataDog / datadog-agent

Main repository for Datadog Agent
https://docs.datadoghq.com/
Apache License 2.0

fix(serverless/appsec): language runtime proxy not started if no API Key is available #27184

Closed RomainMuller closed 2 days ago

RomainMuller commented 2 days ago

What does this PR do?

This changes the no-op behavior to also start the AppSec language runtime API proxy to satisfy the function configuration, if AppSec would have started in normal conditions (with an API key).

Motivation

When no Datadog API key is available (either because it is not configured, or because it cannot be accessed/decrypted), the Serverless agent runs in "no-op" mode. However, in this case, the language runtime proxy is never started, even though the function's configuration may require it. This is the case when Serverless AppSec is enabled, and not having the language runtime API proxy available results in the language runtime client retrying connection to the proxy endlessly until the invocation times out.
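
The failure mode described above, reproduced as an added Go sketch (not code from this PR or from datadog-agent): a runtime client that is configured to reach the runtime API through a proxy address cannot connect when no-op mode starts nothing, and gets its event once a pass-through proxy is started whenever AppSec is configured. The function names, the `/next` path and the stand-in runtime API are assumptions made for the example.

```go
package main

import (
	"fmt"
	"io"
	"net"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
)

// Before: no API key means no-op mode, and no-op mode started no proxy.
func proxyBefore(apiKey, appsec bool) bool { return apiKey && appsec }

// After: the proxy follows the function configuration, key or no key.
func proxyAfter(apiKey, appsec bool) bool { return appsec }

// fakeRuntimeAPI is a constructed stand-in for the platform's runtime API.
func fakeRuntimeAPI() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		fmt.Fprint(w, `{"event":"constructed"}`)
	}))
}

// nextEvent plays the runtime client, which always dials the proxy address.
func nextEvent(proxyUp bool, runtimeAPI *url.URL) (string, error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return "", err
	}
	addr := ln.Addr().String()
	if proxyUp { // pass-through proxy in front of the runtime API
		go http.Serve(ln, httputil.NewSingleHostReverseProxy(runtimeAPI))
		defer ln.Close()
	} else {
		ln.Close() // nothing listens: the client gets "connection refused"
	}
	resp, err := http.Get("http://" + addr + "/next")
	if err != nil {
		return "", err // a real client would retry until the invocation times out
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return string(body), err
}

func main() {
	api := fakeRuntimeAPI()
	defer api.Close()
	u, _ := url.Parse(api.URL)
	_, errBefore := nextEvent(proxyBefore(false, true), u)
	body, errAfter := nextEvent(proxyAfter(false, true), u)
	fmt.Println("before:", errBefore, "| after:", body, errAfter)
}
```
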

pr-commenter[bot] commented 2 days ago

Regression Detector

Regression Detector Results

Run ID: 78e77540-93af-43db-9f66-bc33e45d4d45

Baseline: 92104669590ea3d894a090d7d889563663be2ed3
Comparison: 5cf05f31baf51939419405d912038a88575d0530

Performance changes are noted in the perf column of each table:

No significant changes in experiment optimization goals

Confidence level: 90.00%
Effect size tolerance: |Δ mean %| ≥ 5.00%

There were no significant changes in experiment optimization goals at this confidence level and effect size tolerance.

Fine details of change detection per experiment

| perf | experiment | goal | Δ mean % | Δ mean % CI | links |
|------|------------|------|----------|-------------|-------|
| ➖ | uds_dogstatsd_to_api_cpu | % cpu utilization | +1.55 | [+0.66, +2.44] | [Logs](https://app.datadoghq.com/logs?query=experiment%3Auds_dogstatsd_to_api_cpu%20run_id%3A78e77540-93af-43db-9f66-bc33e45d4d45&agg_m=count&agg_m_source=base&agg_q=%40span.url&agg_q_source=base&agg_t=count&fromUser=true&index=single-machine-performance-target-logs&messageDisplay=inline&refresh_mode=paused&storage=hot&stream_sort=time%2Cdesc&top_n=100&top_o=top&viz=stream&x_missing=true&from_ts=1719831654000&to_ts=1719843054000&live=false) |
| ➖ | pycheck_1000_100byte_tags | % cpu utilization | +1.44 | [-3.35, +6.24] | [Logs](https://app.datadoghq.com/logs?query=experiment%3Apycheck_1000_100byte_tags%20run_id%3A78e77540-93af-43db-9f66-bc33e45d4d45&agg_m=count&agg_m_source=base&agg_q=%40span.url&agg_q_source=base&agg_t=count&fromUser=true&index=single-machine-performance-target-logs&messageDisplay=inline&refresh_mode=paused&storage=hot&stream_sort=time%2Cdesc&top_n=100&top_o=top&viz=stream&x_missing=true&from_ts=1719831654000&to_ts=1719843054000&live=false) |
| ➖ | basic_py_check | % cpu utilization | +1.13 | [-1.47, +3.72] | [Logs](https://app.datadoghq.com/logs?query=experiment%3Abasic_py_check%20run_id%3A78e77540-93af-43db-9f66-bc33e45d4d45&agg_m=count&agg_m_source=base&agg_q=%40span.url&agg_q_source=base&agg_t=count&fromUser=true&index=single-machine-performance-target-logs&messageDisplay=inline&refresh_mode=paused&storage=hot&stream_sort=time%2Cdesc&top_n=100&top_o=top&viz=stream&x_missing=true&from_ts=1719831654000&to_ts=1719843054000&live=false) |
| ➖ | uds_dogstatsd_to_api | ingress throughput | -0.00 | [-0.00, +0.00] | [Logs](https://app.datadoghq.com/logs?query=experiment%3Auds_dogstatsd_to_api%20run_id%3A78e77540-93af-43db-9f66-bc33e45d4d45&agg_m=count&agg_m_source=base&agg_q=%40span.url&agg_q_source=base&agg_t=count&fromUser=true&index=single-machine-performance-target-logs&messageDisplay=inline&refresh_mode=paused&storage=hot&stream_sort=time%2Cdesc&top_n=100&top_o=top&viz=stream&x_missing=true&from_ts=1719831654000&to_ts=1719843054000&live=false) |
| ➖ | tcp_dd_logs_filter_exclude | ingress throughput | -0.00 | [-0.01, +0.01] | [Logs](https://app.datadoghq.com/logs?query=experiment%3Atcp_dd_logs_filter_exclude%20run_id%3A78e77540-93af-43db-9f66-bc33e45d4d45&agg_m=count&agg_m_source=base&agg_q=%40span.url&agg_q_source=base&agg_t=count&fromUser=true&index=single-machine-performance-target-logs&messageDisplay=inline&refresh_mode=paused&storage=hot&stream_sort=time%2Cdesc&top_n=100&top_o=top&viz=stream&x_missing=true&from_ts=1719831654000&to_ts=1719843054000&live=false) |
| ➖ | file_tree | memory utilization | -0.12 | [-0.16, -0.08] | [Logs](https://app.datadoghq.com/logs?query=experiment%3Afile_tree%20run_id%3A78e77540-93af-43db-9f66-bc33e45d4d45&agg_m=count&agg_m_source=base&agg_q=%40span.url&agg_q_source=base&agg_t=count&fromUser=true&index=single-machine-performance-target-logs&messageDisplay=inline&refresh_mode=paused&storage=hot&stream_sort=time%2Cdesc&top_n=100&top_o=top&viz=stream&x_missing=true&from_ts=1719831654000&to_ts=1719843054000&live=false) |
| ➖ | idle | memory utilization | -0.38 | [-0.41, -0.34] | [Logs](https://app.datadoghq.com/logs?query=experiment%3Aidle%20run_id%3A78e77540-93af-43db-9f66-bc33e45d4d45&agg_m=count&agg_m_source=base&agg_q=%40span.url&agg_q_source=base&agg_t=count&fromUser=true&index=single-machine-performance-target-logs&messageDisplay=inline&refresh_mode=paused&storage=hot&stream_sort=time%2Cdesc&top_n=100&top_o=top&viz=stream&x_missing=true&from_ts=1719831654000&to_ts=1719843054000&live=false) |
| ➖ | tcp_syslog_to_blackhole | ingress throughput | -0.71 | [-13.60, +12.19] | [Logs](https://app.datadoghq.com/logs?query=experiment%3Atcp_syslog_to_blackhole%20run_id%3A78e77540-93af-43db-9f66-bc33e45d4d45&agg_m=count&agg_m_source=base&agg_q=%40span.url&agg_q_source=base&agg_t=count&fromUser=true&index=single-machine-performance-target-logs&messageDisplay=inline&refresh_mode=paused&storage=hot&stream_sort=time%2Cdesc&top_n=100&top_o=top&viz=stream&x_missing=true&from_ts=1719831654000&to_ts=1719843054000&live=false) |
| ➖ | otel_to_otel_logs | ingress throughput | -0.92 | [-1.73, -0.11] | [Logs](https://app.datadoghq.com/logs?query=experiment%3Aotel_to_otel_logs%20run_id%3A78e77540-93af-43db-9f66-bc33e45d4d45&agg_m=count&agg_m_source=base&agg_q=%40span.url&agg_q_source=base&agg_t=count&fromUser=true&index=single-machine-performance-target-logs&messageDisplay=inline&refresh_mode=paused&storage=hot&stream_sort=time%2Cdesc&top_n=100&top_o=top&viz=stream&x_missing=true&from_ts=1719831654000&to_ts=1719843054000&live=false) |

Explanation

A regression test is an A/B test of target performance in a repeatable rig, where "performance" is measured as "comparison variant minus baseline variant" for an optimization goal (e.g., ingress throughput). Due to intrinsic variability in measuring that goal, we can only estimate its mean value for each experiment; we report uncertainty in that value as a 90.00% confidence interval denoted "Δ mean % CI".

For each experiment, we decide whether a change in performance is a "regression" -- a change worth investigating further -- if all of the following criteria are true:

1. Its estimated |Δ mean %| ≥ 5.00%, indicating the change is big enough to merit a closer look.
2. Its 90.00% confidence interval "Δ mean % CI" does not contain zero, indicating that *if our statistical model is accurate*, there is at least a 90.00% chance there is a difference in performance between baseline and comparison variants.
3. Its configuration does not mark it "erratic".

github-actions[bot] commented 2 days ago

Serverless Benchmark Results

BenchmarkStartEndInvocation comparison between 285b4b44b784345fb6fc968a0c5374ba1d3eaef3 and 5140210dd90c6bcc6b7b4a945b838ee16eaffe67.

tl;dr

Use these benchmarks as an insight tool during development.

1. Skim down the `vs base` column in each chart. If there is a `~`, then there was no statistically significant change to the benchmark. Otherwise, ensure the estimated percent change is either negative or very small.
2. The last row of each chart is the `geomean`. Ensure this percentage is either negative or very small.

What is this benchmarking?

The [`BenchmarkStartEndInvocation`](https://github.com/DataDog/datadog-agent/blob/main/pkg/serverless/daemon/routes_test.go) compares the amount of time it takes to call the `start-invocation` and `end-invocation` endpoints. For universal instrumentation languages (Dotnet, Golang, Java, Ruby), this represents the majority of the duration overhead added by our tracing layer. The benchmark is run using a large variety of lambda request payloads. In the charts below, there is one row for each event payload type.

How do I interpret these charts?

The charts below come from [`benchstat`](https://pkg.go.dev/golang.org/x/perf/cmd/benchstat). They represent the statistical change in _duration (sec/op)_, _memory overhead (B/op)_, and _allocations (allocs/op)_. The benchstat docs explain how to interpret these charts.

> Before the comparison table, we see common file-level configuration. If there are benchmarks with different configuration (for example, from different packages), benchstat will print separate tables for each configuration.
>
> The table then compares the two input files for each benchmark. It shows the median and 95% confidence interval summaries for each benchmark before and after the change, and an A/B comparison under "vs base". ... The p-value measures how likely it is that any differences were due to random chance (i.e., noise). The "~" means benchstat did not detect a statistically significant difference between the two inputs. ...
>
> Note that "statistically significant" is not the same as "large": with enough low-noise data, even very small changes can be distinguished from noise and considered statistically significant. It is, of course, generally easier to distinguish large changes from noise.
>
> Finally, the last row of the table shows the geometric mean of each column, giving an overall picture of how the benchmarks changed. Proportional changes in the geomean reflect proportional changes in the benchmarks. For example, given n benchmarks, if sec/op for one of them increases by a factor of 2, then the sec/op geomean will increase by a factor of ⁿ√2.

I need more help

First off, do not worry if the benchmarks are failing. They are not tests. The intention is for them to be a tool for you to use during development. If you would like a hand interpreting the results come chat with us in `#serverless-agent` in the internal DataDog slack or in `#serverless` in the [public DataDog slack](https://chat.datadoghq.com/). We're happy to help!
Benchmark stats

```
goos: linux
goarch: amd64
pkg: github.com/DataDog/datadog-agent/pkg/serverless/daemon
cpu: AMD EPYC 7763 64-Core Processor
                                      │ baseline/benchmark.log │       current/benchmark.log        │
                                      │         sec/op         │    sec/op     vs base              │
api-gateway-appsec.json                 90.29µ ± 3%    88.19µ ± 7%        ~ (p=0.089 n=10)
api-gateway-kong-appsec.json            72.84µ ± 6%    69.69µ ± 1%   -4.33% (p=0.002 n=10)
api-gateway-kong.json                   70.44µ ± 1%    68.87µ ± 2%   -2.22% (p=0.000 n=10)
api-gateway-non-proxy-async.json        110.5µ ± 4%    109.6µ ± 1%   -0.82% (p=0.023 n=10)
api-gateway-non-proxy.json              112.7µ ± 3%    109.3µ ± 1%   -2.98% (p=0.002 n=10)
api-gateway-websocket-connect.json      75.16µ ± 1%    71.80µ ± 1%   -4.47% (p=0.000 n=10)
api-gateway-websocket-default.json      67.49µ ± 1%    65.05µ ± 1%   -3.61% (p=0.000 n=10)
api-gateway-websocket-disconnect.json   66.87µ ± 1%    65.02µ ± 2%   -2.76% (p=0.000 n=10)
api-gateway.json                        121.4µ ± 1%    120.1µ ± 1%   -1.11% (p=0.002 n=10)
application-load-balancer.json          67.44µ ± 1%    65.62µ ± 2%   -2.70% (p=0.001 n=10)
cloudfront.json                         51.12µ ± 1%    50.43µ ± 3%   -1.34% (p=0.023 n=10)
cloudwatch-events.json                  41.71µ ± 1%    39.69µ ± 3%   -4.84% (p=0.000 n=10)
cloudwatch-logs.json                    72.09µ ± 2%    70.61µ ± 2%   -2.06% (p=0.009 n=10)
custom.json                             33.74µ ± 3%    32.55µ ± 2%   -3.52% (p=0.003 n=10)
dynamodb.json                          100.25µ ± 1%    98.37µ ± 2%   -1.87% (p=0.002 n=10)
empty.json                              31.94µ ± 3%    31.67µ ± 2%        ~ (p=0.105 n=10)
eventbridge-custom.json                 45.04µ ± 2%    44.36µ ± 2%        ~ (p=0.089 n=10)
http-api.json                           77.35µ ± 2%    76.14µ ± 2%        ~ (p=0.315 n=10)
kinesis-batch.json                      74.79µ ± 1%    74.06µ ± 1%   -0.98% (p=0.035 n=10)
kinesis.json                            56.46µ ± 2%    57.03µ ± 2%        ~ (p=0.105 n=10)
s3.json                                 62.35µ ± 2%    62.14µ ± 1%        ~ (p=0.436 n=10)
sns-batch.json                          94.35µ ± 2%    94.21µ ± 1%        ~ (p=0.529 n=10)
sns.json                                68.77µ ± 1%    68.26µ ± 2%        ~ (p=0.075 n=10)
snssqs.json                             117.9µ ± 1%    118.0µ ± 2%        ~ (p=0.971 n=10)
snssqs_no_dd_context.json               102.6µ ± 1%    104.0µ ± 3%   +1.29% (p=0.004 n=10)
sqs-aws-header.json                     58.59µ ± 1%    58.14µ ± 2%        ~ (p=0.353 n=10)
sqs-batch.json                          98.57µ ± 2%   100.75µ ± 2%   +2.22% (p=0.015 n=10)
sqs.json                                72.25µ ± 1%    73.64µ ± 2%   +1.91% (p=0.023 n=10)
sqs_no_dd_context.json                  65.30µ ± 3%    67.05µ ± 3%        ~ (p=0.066 n=10)
geomean                                 71.18µ         70.22µ        -1.35%

                                      │ baseline/benchmark.log │       current/benchmark.log        │
                                      │          B/op          │     B/op      vs base              │
api-gateway-appsec.json                37.26Ki ± 0%   37.26Ki ± 0%        ~ (p=0.780 n=10)
api-gateway-kong-appsec.json           26.93Ki ± 0%   26.91Ki ± 0%        ~ (p=0.210 n=10)
api-gateway-kong.json                  24.42Ki ± 0%   24.41Ki ± 0%        ~ (p=0.168 n=10)
api-gateway-non-proxy-async.json       48.03Ki ± 0%   48.03Ki ± 0%        ~ (p=0.796 n=10)
api-gateway-non-proxy.json             47.25Ki ± 0%   47.25Ki ± 0%        ~ (p=0.781 n=10)
api-gateway-websocket-connect.json     25.47Ki ± 0%   25.45Ki ± 0%        ~ (p=0.072 n=10)
api-gateway-websocket-default.json     21.36Ki ± 0%   21.36Ki ± 0%        ~ (p=0.288 n=10)
api-gateway-websocket-disconnect.json  21.15Ki ± 0%   21.15Ki ± 0%        ~ (p=0.956 n=10)
api-gateway.json                       49.54Ki ± 0%   49.55Ki ± 0%        ~ (p=0.670 n=10)
application-load-balancer.json         22.33Ki ± 0%   22.33Ki ± 0%        ~ (p=0.289 n=10)
cloudfront.json                        17.65Ki ± 0%   17.65Ki ± 0%        ~ (p=0.170 n=10)
cloudwatch-events.json                 11.70Ki ± 0%   11.70Ki ± 0%        ~ (p=0.425 n=10)
cloudwatch-logs.json                   53.38Ki ± 0%   53.38Ki ± 0%        ~ (p=0.541 n=10)
custom.json                            9.730Ki ± 0%   9.728Ki ± 0%        ~ (p=0.927 n=10)
dynamodb.json                          40.70Ki ± 0%   40.69Ki ± 0%        ~ (p=0.566 n=10)
empty.json                             9.274Ki ± 0%   9.290Ki ± 0%        ~ (p=0.093 n=10)
eventbridge-custom.json                13.40Ki ± 0%   13.41Ki ± 0%        ~ (p=0.279 n=10)
http-api.json                          23.73Ki ± 0%   23.73Ki ± 0%        ~ (p=1.000 n=10)
kinesis-batch.json                     27.02Ki ± 0%   27.05Ki ± 0%        ~ (p=0.128 n=10)
kinesis.json                           17.80Ki ± 0%   17.81Ki ± 0%        ~ (p=0.699 n=10)
s3.json                                20.35Ki ± 0%   20.35Ki ± 0%        ~ (p=0.971 n=10)
sns-batch.json                         38.65Ki ± 0%   38.66Ki ± 0%        ~ (p=0.971 n=10)
sns.json                               24.03Ki ± 0%   24.02Ki ± 0%        ~ (p=0.838 n=10)
snssqs.json                            50.73Ki ± 0%   50.72Ki ± 0%        ~ (p=0.645 n=10)
snssqs_no_dd_context.json              44.84Ki ± 0%   44.85Ki ± 0%        ~ (p=0.469 n=10)
sqs-aws-header.json                    18.81Ki ± 1%   18.84Ki ± 0%        ~ (p=0.853 n=10)
sqs-batch.json                         41.61Ki ± 0%   41.71Ki ± 0%   +0.25% (p=0.023 n=10)
sqs.json                               25.53Ki ± 1%   25.65Ki ± 0%   +0.49% (p=0.019 n=10)
sqs_no_dd_context.json                 20.69Ki ± 1%   20.71Ki ± 1%        ~ (p=0.811 n=10)
geomean                                25.71Ki        25.72Ki        +0.04%

                                      │ baseline/benchmark.log │       current/benchmark.log        │
                                      │       allocs/op        │  allocs/op    vs base              │
api-gateway-appsec.json                  629.5 ± 0%     629.5 ± 0%        ~ (p=1.000 n=10)
api-gateway-kong-appsec.json             488.0 ± 0%     488.0 ± 0%        ~ (p=1.000 n=10)
api-gateway-kong.json                    466.0 ± 0%     466.0 ± 0%        ~ (p=1.000 n=10)
api-gateway-non-proxy-async.json         726.0 ± 0%     726.0 ± 0%        ~ (p=1.000 n=10)
api-gateway-non-proxy.json               716.0 ± 0%     716.0 ± 0%        ~ (p=1.000 n=10)
api-gateway-websocket-connect.json       454.0 ± 0%     453.0 ± 0%        ~ (p=0.656 n=10)
api-gateway-websocket-default.json       379.0 ± 0%     379.0 ± 0%        ~ (p=1.000 n=10)
api-gateway-websocket-disconnect.json    370.0 ± 0%     370.0 ± 0%        ~ (p=1.000 n=10)
api-gateway.json                         791.0 ± 0%     791.0 ± 0%        ~ (p=0.474 n=10)
application-load-balancer.json           352.0 ± 0%     352.0 ± 0%        ~ (p=1.000 n=10) ¹
cloudfront.json                          284.0 ± 0%     284.0 ± 0%        ~ (p=1.000 n=10) ¹
cloudwatch-events.json                   220.0 ± 0%     220.0 ± 0%        ~ (p=1.000 n=10)
cloudwatch-logs.json                     216.0 ± 0%     216.0 ± 0%        ~ (p=1.000 n=10)
custom.json                              168.0 ± 1%     168.0 ± 1%        ~ (p=1.000 n=10)
dynamodb.json                            589.0 ± 0%     589.0 ± 0%        ~ (p=0.277 n=10)
empty.json                               159.5 ± 0%     160.0 ± 1%        ~ (p=0.350 n=10)
eventbridge-custom.json                  253.5 ± 0%     254.0 ± 0%        ~ (p=0.309 n=10)
http-api.json                            433.0 ± 0%     432.5 ± 0%        ~ (p=0.478 n=10)
kinesis-batch.json                       390.5 ± 0%     391.0 ± 0%        ~ (p=0.287 n=10)
kinesis.json                             285.0 ± 0%     285.0 ± 0%        ~ (p=0.628 n=10)
s3.json                                  358.0 ± 0%     358.0 ± 0%        ~ (p=1.000 n=10)
sns-batch.json                           455.0 ± 0%     455.0 ± 0%        ~ (p=1.000 n=10)
sns.json                                 324.0 ± 1%     324.0 ± 0%        ~ (p=0.751 n=10)
snssqs.json                              450.0 ± 0%     450.0 ± 1%        ~ (p=0.622 n=10)
snssqs_no_dd_context.json                400.0 ± 1%     400.0 ± 0%        ~ (p=0.464 n=10)
sqs-aws-header.json                      273.5 ± 1%     274.0 ± 0%        ~ (p=0.762 n=10)
sqs-batch.json                           503.0 ± 0%     505.0 ± 0%   +0.40% (p=0.023 n=10)
sqs.json                                 350.5 ± 1%     352.0 ± 0%   +0.43% (p=0.015 n=10)
sqs_no_dd_context.json                   325.0 ± 1%     325.5 ± 1%        ~ (p=0.869 n=10)
geomean                                  376.8          377.0        +0.05%
¹ all samples are equal
```

agent-platform-auto-pr[bot] commented 2 days ago

[Fast Unit Tests Report]

On pipeline 37974079 (CI Visibility). The following jobs did not run any unit tests:

Jobs: - tests_windows-x64

If you modified Go files and expected unit tests to run in these jobs, please double check the job logs. If you think tests should have been executed reach out to #agent-devx-help

pr-commenter[bot] commented 2 days ago

Test changes on VM

Use this command from test-infra-definitions to manually test this PR's changes on a VM:

```
inv create-vm --pipeline-id=37974079 --os-family=ubuntu
```

Note: This applies to commit 5cf05f31

RomainMuller commented 2 days ago

/merge

dd-devflow[bot] commented 2 days ago

:steam_locomotive: MergeQueue: pull request added to the queue

The median merge time in main is 24m.

Use /merge -c to cancel this operation!