Skip to content

feat(envoyproxy/serviceextensions): add Unix domain socket support#4463

Merged
eliottness merged 4 commits into
mainfrom
eliottness/uds-support-serviceextensions
Apr 8, 2026
Merged

feat(envoyproxy/serviceextensions): add Unix domain socket support#4463
eliottness merged 4 commits into
mainfrom
eliottness/uds-support-serviceextensions

Conversation

@eliottness

Copy link
Copy Markdown
Contributor

What does this PR do?

Adds support for Unix domain socket (UDS) as an alternative transport for the gRPC callout server in the ASM Service Extension. When DD_SERVICE_EXTENSION_UDS_PATH is set, the server binds to the specified socket path instead of listening on a TCP host:port.

Motivation

When running the Service Extension alongside a self-managed Envoy on the same host, a Unix domain socket avoids the need for TLS and reduces network overhead compared to a loopback TCP connection. This is useful for local Envoy deployments that are not operated through GCP Service Extensions.

Changes

  • Add extensionSocketPath string field to serviceExtensionConfig
  • Read DD_SERVICE_EXTENSION_UDS_PATH env var in loadConfig (empty = TCP mode, no change to existing behaviour)
  • In startGPRCSsl: use net.Listen("unix", path) when socket path is set; warn and skip TLS in UDS mode; defer socket file cleanup to cover all exit paths (clean shutdown and Serve errors); log a warning for unexpected errors when removing stale socket files before bind
  • Register DD_SERVICE_EXTENSION_UDS_PATH in internal/env/supported_configurations.json and regenerate supported_configurations.gen.go
  • Fix pre-existing test isolation bug: allKeys had wrong TLS env var names (_CERT/_KEY instead of _CERT_FILE/_KEY_FILE)
  • Document the new env var in README.md with an Envoy YAML config example

Reviewer's Checklist

  • Changed code has unit tests for its functionality at or near 100% coverage.
  • System-Tests covering this feature have been added and enabled with the va.b.c-dev version tag.
  • There is a benchmark for any new code, or changes to existing code.
  • If this interacts with the agent in a new way, a system test has been added.
  • New code is free of linting errors. You can check this by running make lint locally.
  • New code doesn't break existing tests. You can check this by running make test locally.
  • Add an appropriate team label so this PR gets put in the right place for the release notes.
  • All generated files are up to date. You can check this by running make generate locally.
  • Non-trivial go.mod changes, e.g. adding new modules, are reviewed by @DataDog/dd-trace-go-guild. Make sure all nested modules are up to date by running make fix-modules locally.

@eliottness
eliottness requested review from a team as code owners February 23, 2026 08:52
@github-actions github-actions Bot added the apm:ecosystem contrib/* related feature requests or bugs label Feb 23, 2026
Comment thread contrib/envoyproxy/go-control-plane/cmd/serviceextensions/main.go Outdated
@codecov

codecov Bot commented Feb 23, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 60.75%. Comparing base (56e391d) to head (0cad2cc).

Additional details and impacted files

see 266 files with indirect coverage changes

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@pr-commenter

pr-commenter Bot commented Feb 23, 2026

Copy link
Copy Markdown

Benchmarks

Benchmark execution time: 2026-04-08 10:07:55

Comparing candidate commit 0cad2cc in PR branch eliottness/uds-support-serviceextensions with baseline commit 56e391d in branch main.

Found 0 performance improvements and 0 performance regressions! Performance is the same for 216 metrics, 8 unstable metrics.

Explanation

This is an A/B test comparing a candidate commit's performance against that of a baseline commit. Performance changes are noted in the tables below as:

  • 🟩 = significantly better candidate vs. baseline
  • 🟥 = significantly worse candidate vs. baseline

We compute a confidence interval (CI) over the relative difference of means between metrics from the candidate and baseline commits, considering the baseline as the reference.

If the CI is entirely outside the configured SIGNIFICANT_IMPACT_THRESHOLD (or the deprecated UNCONFIDENCE_THRESHOLD), the change is considered significant.

Feel free to reach out to #apm-benchmarking-platform on Slack if you have any questions.

More details about the CI and significant changes

You can imagine this CI as a range of values that is likely to contain the true difference of means between the candidate and baseline commits.

CIs of the difference of means are often centered around 0%, because often changes are not that big:

---------------------------------(------|---^--------)-------------------------------->
                              -0.6%    0%  0.3%     +1.2%
                                 |          |        |
         lower bound of the CI --'          |        |
sample mean (center of the CI) -------------'        |
         upper bound of the CI ----------------------'

As described above, a change is considered significant if the CI is entirely outside the configured SIGNIFICANT_IMPACT_THRESHOLD (or the deprecated UNCONFIDENCE_THRESHOLD).

For instance, for an execution time metric, this confidence interval indicates a significantly worse performance:

----------------------------------------|---------|---(---------^---------)---------->
                                       0%        1%  1.3%      2.2%      3.1%
                                                  |   |         |         |
       significant impact threshold --------------'   |         |         |
                      lower bound of CI --------------'         |         |
       sample mean (center of the CI) --------------------------'         |
                      upper bound of CI ----------------------------------'

@eliottness

Copy link
Copy Markdown
Contributor Author

/merge

@gh-worker-devflow-routing-ef8351

gh-worker-devflow-routing-ef8351 Bot commented Feb 23, 2026

Copy link
Copy Markdown

View all feedbacks in Devflow UI.

2026-02-23 12:26:41 UTC ℹ️ Start processing command /merge


2026-02-23 12:26:48 UTC ℹ️ MergeQueue: waiting for PR to be ready

This pull request is not mergeable according to GitHub. Common reasons include pending required checks, missing approvals, or merge conflicts — but it could also be blocked by other repository rules or settings.
It will be added to the queue as soon as checks pass and/or get approvals. View in MergeQueue UI.
Note: if you pushed new commits since the last approval, you may need additional approval.
You can remove it from the waiting list with /remove command.


2026-02-23 16:34:15 UTC ⚠️ MergeQueue: This merge request was unqueued

devflow unqueued this merge request: It did not become mergeable within the expected time

@datadog-datadog-prod-us1

datadog-datadog-prod-us1 Bot commented Mar 19, 2026

Copy link
Copy Markdown

✅ Tests

🎉 All green!

❄️ No new flaky tests detected
🧪 All tests passed

🎯 Code Coverage (details)
Patch Coverage: 100.00%
Overall Coverage: 60.08% (-0.06%)

This comment will be updated automatically if new data arrives.
🔗 Commit SHA: 0cad2cc | Docs | Datadog PR Page | Was this helpful? React with 👍/👎 or give us feedback!

@eliottness

Copy link
Copy Markdown
Contributor Author

/merge

@gh-worker-devflow-routing-ef8351

gh-worker-devflow-routing-ef8351 Bot commented Apr 7, 2026

Copy link
Copy Markdown

View all feedbacks in Devflow UI.

2026-04-07 17:18:39 UTC ℹ️ Start processing command /merge


2026-04-07 17:18:47 UTC ℹ️ MergeQueue: waiting for PR to be ready

This pull request is not mergeable according to GitHub. Common reasons include pending required checks, missing approvals, or merge conflicts — but it could also be blocked by other repository rules or settings.
It will be added to the queue as soon as checks pass and/or get approvals. View in MergeQueue UI.
Note: if you pushed new commits since the last approval, you may need additional approval.
You can remove it from the waiting list with /remove command.


2026-04-07 17:24:28 UTC ℹ️ MergeQueue: merge request added to the queue

The expected merge time in main is approximately 27m (p90).


2026-04-07 17:34:04 UTCMergeQueue: The checks failed on this merge request

Tests failed on this commit 4cb8626:

What to do next?

  • Investigate the failures and when ready, re-add your pull request to the queue!
  • If your PR checks are green, try to rebase/merge. It might be because the CI run is a bit old.
  • Any question, go check the FAQ.

@eliottness

Copy link
Copy Markdown
Contributor Author

/merge

@gh-worker-devflow-routing-ef8351

gh-worker-devflow-routing-ef8351 Bot commented Apr 8, 2026

Copy link
Copy Markdown

View all feedbacks in Devflow UI.

2026-04-08 08:54:00 UTC ℹ️ Start processing command /merge


2026-04-08 08:54:05 UTC ℹ️ MergeQueue: pull request added to the queue

The expected merge time in main is approximately 27m (p90).


2026-04-08 09:03:54 UTCMergeQueue: The checks failed on this merge request

Tests failed on this commit 30b3613:

What to do next?

  • Investigate the failures and when ready, re-add your pull request to the queue!
  • If your PR checks are green, try to rebase/merge. It might be because the CI run is a bit old.
  • Any question, go check the FAQ.

eliottness and others added 4 commits April 8, 2026 11:33
@eliottness
eliottness force-pushed the eliottness/uds-support-serviceextensions branch from 30d2b5b to 0cad2cc Compare April 8, 2026 09:42
@eliottness

Copy link
Copy Markdown
Contributor Author

/merge

@gh-worker-devflow-routing-ef8351

gh-worker-devflow-routing-ef8351 Bot commented Apr 8, 2026

Copy link
Copy Markdown

View all feedbacks in Devflow UI.

2026-04-08 10:10:55 UTC ℹ️ Start processing command /merge


2026-04-08 10:10:59 UTC ℹ️ MergeQueue: pull request added to the queue

The expected merge time in main is approximately 27m (p90).


2026-04-08 10:22:54 UTCMergeQueue: The checks failed on this merge request

Tests failed on this commit 7e8a514:

What to do next?

  • Investigate the failures and when ready, re-add your pull request to the queue!
  • If your PR checks are green, try to rebase/merge. It might be because the CI run is a bit old.
  • Any question, go check the FAQ.

@eliottness
eliottness merged commit e36675b into main Apr 8, 2026
186 of 187 checks passed
@eliottness
eliottness deleted the eliottness/uds-support-serviceextensions branch April 8, 2026 12:01
eliottness added a commit that referenced this pull request Apr 10, 2026
…4463)

### What does this PR do?

Adds support for Unix domain socket (UDS) as an alternative transport
for the gRPC callout server in the ASM Service Extension. When
`DD_SERVICE_EXTENSION_UDS_PATH` is set, the server binds to the
specified socket path instead of listening on a TCP `host:port`.

### Motivation

When running the Service Extension alongside a self-managed Envoy on the
same host, a Unix domain socket avoids the need for TLS and reduces
network overhead compared to a loopback TCP connection. This is useful
for local Envoy deployments that are not operated through GCP Service
Extensions.

### Changes

- Add `extensionSocketPath string` field to `serviceExtensionConfig`
- Read `DD_SERVICE_EXTENSION_UDS_PATH` env var in `loadConfig` (empty =
TCP mode, no change to existing behaviour)
- In `startGPRCSsl`: use `net.Listen("unix", path)` when socket path is
set; warn and skip TLS in UDS mode; defer socket file cleanup to cover
all exit paths (clean shutdown and `Serve` errors); log a warning for
unexpected errors when removing stale socket files before bind
- Register `DD_SERVICE_EXTENSION_UDS_PATH` in
`internal/env/supported_configurations.json` and regenerate
`supported_configurations.gen.go`
- Fix pre-existing test isolation bug: `allKeys` had wrong TLS env var
names (`_CERT`/`_KEY` instead of `_CERT_FILE`/`_KEY_FILE`)
- Document the new env var in `README.md` with an Envoy YAML config
example

### Reviewer's Checklist

- [x] Changed code has unit tests for its functionality at or near 100%
coverage.
- [ ] [System-Tests](https://github.com/DataDog/system-tests/) covering
this feature have been added and enabled with the va.b.c-dev version
tag.
- [ ] There is a benchmark for any new code, or changes to existing
code.
- [ ] If this interacts with the agent in a new way, a system test has
been added.
- [x] New code is free of linting errors. You can check this by running
`make lint` locally.
- [x] New code doesn't break existing tests. You can check this by
running `make test` locally.
- [ ] Add an appropriate team label so this PR gets put in the right
place for the release notes.
- [x] All generated files are up to date. You can check this by running
`make generate` locally.
- [ ] Non-trivial go.mod changes, e.g. adding new modules, are reviewed
by @DataDog/dd-trace-go-guild. Make sure all nested modules are up to
date by running `make fix-modules` locally.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

apm:ecosystem contrib/* related feature requests or bugs mergequeue-status: rejected

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants