[APR-205] chore: consolidate TLS config generation and initialization

[tobz]

Context

In #196, we detailed how some of the configuration defaults for TLS can be suboptimal in terms of memory usage. This manifested itself as not only inefficient memory usage (duplication) but also misattributed memory usage, leading to certain components having to bear the usage burden because they happened to be spawned in a specific order that led to them being the first to initialize an HTTP client, and so on.

Solution

This PR introduces a small overhaul of how we centralize both TLS initialization as well as configuration. We're doing a few things here:

• new crate, saluki-tls, where all of this stuff now lives and can be depended on from various crates (saluki-app, saluki-io, etc)
• tailored methods for all process-wide initialization (cryptography provider and native certificate store loading from host)
• new TLS configuration builder, ClientTLSConfigBuilder, for creating a ClientConfig with saner defaults (smaller resumption cache, utilizes a shared root cert store, etc)
• enforcement of FIPS mode when building a client config

Overall, this tightens up our TLS usage by pushing users through a more opinionated configuration pathway while also giving us a place to expose more tunables as necessary, while still being able to validate that the resulting configuration is FIPS compliant. As well, and to the point of the original issue, this also not only reduces some duplicate allocations and memory usage, but now ensures that those allocations are properly attributed to the root allocation group as shared data, which improves the numbers for individual components in the topology.

Fixes #182. Fixes #196.

[pr-commenter[bot]]

Regression Detector (DogStatsD)

Regression Detector Results

Run ID: 691d34a5-7617-4c2f-b6fc-8102efb46850

Baseline: 7.52.0 Comparison: 7.52.1

Performance changes are noted in the perf column of each table:

• ✅ = significantly better comparison variant performance
• ❌ = significantly worse comparison variant performance
• ➖ = no significant change in performance

No significant changes in experiment optimization goals

Confidence level: 90.00% Effect size tolerance: |Δ mean %| ≥ 5.00%

There were no significant changes in experiment optimization goals at this confidence level and effect size tolerance.

Fine details of change detection per experiment

| perf | experiment | goal | Δ mean % | Δ mean % CI | links | |------|----------------------------------------------|--------------------|----------|----------------|-------| | ➖ | dsd_uds_1mb_50k_contexts | ingress throughput | +0.03 | [-0.02, +0.09] | | | ➖ | dsd_uds_1mb_3k_contexts | ingress throughput | +0.00 | [-0.06, +0.06] | | | ➖ | dsd_uds_100mb_250k_contexts | ingress throughput | -0.00 | [-0.00, +0.00] | | | ➖ | dsd_uds_500mb_3k_contexts | ingress throughput | -0.00 | [-0.01, +0.00] | | | ➖ | dsd_uds_100mb_3k_contexts | ingress throughput | -0.00 | [-0.02, +0.01] | | | ➖ | dsd_uds_1mb_50k_contexts_memlimit | ingress throughput | -0.02 | [-0.09, +0.05] | | | ➖ | dsd_uds_10mb_3k_contexts | ingress throughput | -0.03 | [-0.07, +0.01] | | | ➖ | dsd_uds_512kb_3k_contexts | ingress throughput | -0.05 | [-0.15, +0.05] | | | ➖ | dsd_uds_100mb_3k_contexts_distributions_only | memory utilization | -0.63 | [-0.83, -0.43] | |

Explanation

A regression test is an A/B test of target performance in a repeatable rig, where "performance" is measured as "comparison variant minus baseline variant" for an optimization goal (e.g., ingress throughput). Due to intrinsic variability in measuring that goal, we can only estimate its mean value for each experiment; we report uncertainty in that value as a 90.00% confidence interval denoted "Δ mean % CI". For each experiment, we decide whether a change in performance is a "regression" -- a change worth investigating further -- if all of the following criteria are true: 1. Its estimated |Δ mean %| ≥ 5.00%, indicating the change is big enough to merit a closer look. 2. Its 90.00% confidence interval "Δ mean % CI" does not contain zero, indicating that *if our statistical model is accurate*, there is at least a 90.00% chance there is a difference in performance between baseline and comparison variants. 3. Its configuration does not mark it "erratic".

[pr-commenter[bot]]

Regression Detector (Saluki)

Regression Detector Results

Run ID: 588bb15a-0e4d-44e9-88cf-ff188cae4f4e

Baseline: 73efdc152b0619ab48c6a0c60e21718438083f93 Comparison: e580118fb34b73f18dcc5a5d5141c233c96bf9c6

Performance changes are noted in the perf column of each table:

• ✅ = significantly better comparison variant performance
• ❌ = significantly worse comparison variant performance
• ➖ = no significant change in performance

No significant changes in experiment optimization goals

Confidence level: 90.00% Effect size tolerance: |Δ mean %| ≥ 5.00%

There were no significant changes in experiment optimization goals at this confidence level and effect size tolerance.

Fine details of change detection per experiment

| perf | experiment | goal | Δ mean % | Δ mean % CI | links | |------|-------------------------------------------------|--------------------|----------|----------------|-------| | ➖ | dsd_uds_100mb_3k_contexts_distributions_only | memory utilization | +0.30 | [+0.15, +0.46] | | | ➖ | dsd_uds_500mb_3k_contexts | ingress throughput | +0.19 | [+0.09, +0.28] | | | ➖ | dsd_uds_100mb_250k_contexts | ingress throughput | +0.07 | [-0.19, +0.33] | | | ➖ | dsd_uds_1mb_50k_contexts | ingress throughput | +0.05 | [-0.04, +0.15] | | | ➖ | dsd_uds_512kb_3k_contexts | ingress throughput | +0.03 | [-0.10, +0.17] | | | ➖ | dsd_uds_1mb_3k_contexts | ingress throughput | +0.02 | [-0.19, +0.23] | | | ➖ | dsd_uds_100mb_3k_contexts | ingress throughput | +0.01 | [-0.00, +0.02] | | | ➖ | dsd_uds_50mb_10k_contexts_no_inlining | ingress throughput | +0.00 | [-0.00, +0.00] | | | ➖ | dsd_uds_50mb_10k_contexts_no_inlining_no_allocs | ingress throughput | -0.00 | [-0.04, +0.04] | | | ➖ | dsd_uds_10mb_3k_contexts | ingress throughput | -0.00 | [-0.17, +0.17] | | | ➖ | dsd_uds_1mb_50k_contexts_memlimit | ingress throughput | -0.29 | [-3.61, +3.03] | |

Explanation

A regression test is an A/B test of target performance in a repeatable rig, where "performance" is measured as "comparison variant minus baseline variant" for an optimization goal (e.g., ingress throughput). Due to intrinsic variability in measuring that goal, we can only estimate its mean value for each experiment; we report uncertainty in that value as a 90.00% confidence interval denoted "Δ mean % CI". For each experiment, we decide whether a change in performance is a "regression" -- a change worth investigating further -- if all of the following criteria are true: 1. Its estimated |Δ mean %| ≥ 5.00%, indicating the change is big enough to merit a closer look. 2. Its 90.00% confidence interval "Δ mean % CI" does not contain zero, indicating that *if our statistical model is accurate*, there is at least a 90.00% chance there is a difference in performance between baseline and comparison variants. 3. Its configuration does not mark it "erratic".

[pr-commenter[bot]]

Regression Detector Links

Experiment Result Links

experiment	link(s)
dsd_uds_100mb_250k_contexts	[Profiling (ADP)] [Profiling (DSD)] [SMP Dashboard]
dsd_uds_100mb_3k_contexts	[Profiling (ADP)] [Profiling (DSD)] [SMP Dashboard]
dsd_uds_100mb_3k_contexts_distributions_only	[Profiling (ADP)] [Profiling (DSD)] [SMP Dashboard]
dsd_uds_10mb_3k_contexts	[Profiling (ADP)] [Profiling (DSD)] [SMP Dashboard]
dsd_uds_1mb_3k_contexts	[Profiling (ADP)] [Profiling (DSD)] [SMP Dashboard]
dsd_uds_1mb_50k_contexts	[Profiling (ADP)] [Profiling (DSD)] [SMP Dashboard]
dsd_uds_1mb_50k_contexts_memlimit	[Profiling (ADP)] [Profiling (DSD)] [SMP Dashboard]
dsd_uds_500mb_3k_contexts	[Profiling (ADP)] [Profiling (DSD)] [SMP Dashboard]
dsd_uds_512kb_3k_contexts	[Profiling (ADP)] [Profiling (DSD)] [SMP Dashboard]
dsd_uds_50mb_10k_contexts_no_inlining (ADP only)	[Profiling (ADP)] [SMP Dashboard]
dsd_uds_50mb_10k_contexts_no_inlining_no_allocs (ADP only)	[Profiling (ADP)] [SMP Dashboard]