fix(dogstatsd): accept pre-built client (#83)

duncanista · web-flow · commit 28f796bf767f · 2026-03-04T16:38:19.000-05:00
* dogstatsd accepts a pre-built client

client building is not a concern of a dogstatsd server, therefore, we should provide a simple reqwest client which can be modified upstream

* update license

* remove fips on dogstatsd
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/LICENSE-3rdparty.csv b/LICENSE-3rdparty.csv
@@ -168,7 +168,6 @@ rustc-hash,https://github.com/rust-lang/rustc-hash,Apache-2.0 OR MIT,The Rust Pr
 rustix,https://github.com/bytecodealliance/rustix,Apache-2.0 WITH LLVM-exception OR Apache-2.0 OR MIT,"Dan Gohman <dev@sunfishcode.online>, Jakub Konka <kubkon@jakubkonka.com>"
 rustls,https://github.com/rustls/rustls,Apache-2.0 OR ISC OR MIT,The rustls Authors
 rustls-native-certs,https://github.com/rustls/rustls-native-certs,Apache-2.0 OR ISC OR MIT,The rustls-native-certs Authors
-rustls-pemfile,https://github.com/rustls/pemfile,Apache-2.0 OR ISC OR MIT,The rustls-pemfile Authors
 rustls-pki-types,https://github.com/rustls/pki-types,MIT OR Apache-2.0,The rustls-pki-types Authors
 rustls-webpki,https://github.com/rustls/webpki,ISC,The rustls-webpki Authors
 rusty-fork,https://github.com/altsysrq/rusty-fork,MIT OR Apache-2.0,Jason Lingle
diff --git a/crates/datadog-serverless-compat/Cargo.toml b/crates/datadog-serverless-compat/Cargo.toml
@@ -12,7 +12,9 @@ windows-pipes = ["datadog-trace-agent/windows-pipes", "dogstatsd/windows-pipes"]
 [dependencies]
 datadog-trace-agent = { path = "../datadog-trace-agent" }
 libdd-trace-utils = { git = "https://github.com/DataDog/libdatadog", rev = "d52ee90209cb12a28bdda0114535c1a985a29d95" }
+datadog-fips = { path = "../datadog-fips", default-features = false }
 dogstatsd = { path = "../dogstatsd", default-features = true }
+reqwest = { version = "0.12.4", default-features = false }
 tokio = { version = "1", features = ["macros", "rt-multi-thread"] }
 tokio-util = { version = "0.7", default-features = false }
 tracing = { version = "0.1", default-features = false }
diff --git a/crates/datadog-serverless-compat/src/main.rs b/crates/datadog-serverless-compat/src/main.rs
@@ -25,6 +25,7 @@ use datadog_trace_agent::{
 
 use libdd_trace_utils::{config_utils::read_cloud_env, trace_utils::EnvironmentType};
 
+use datadog_fips::reqwest_adapter::create_reqwest_client_builder;
 use dogstatsd::{
     aggregator::{AggregatorHandle, AggregatorService},
     api_key::ApiKeyFactory,
@@ -262,21 +263,33 @@ async fn start_dogstatsd(
 
     let metrics_flusher = match dd_api_key {
         Some(dd_api_key) => {
-            #[allow(clippy::expect_used)]
+            let client = match build_metrics_client(https_proxy, DOGSTATSD_TIMEOUT_DURATION) {
+                Ok(client) => client,
+                Err(e) => {
+                    error!("Failed to build HTTP client: {e}, won't flush metrics");
+                    return (dogstatsd_cancel_token, None, handle);
+                }
+            };
+
+            let metrics_intake_url_prefix = match Site::new(dd_site)
+                .map_err(|e| e.to_string())
+                .and_then(|site| {
+                    MetricsIntakeUrlPrefix::new(Some(site), None).map_err(|e| e.to_string())
+                }) {
+                Ok(prefix) => prefix,
+                Err(e) => {
+                    error!("Failed to create metrics intake URL: {e}, won't flush metrics");
+                    return (dogstatsd_cancel_token, None, handle);
+                }
+            };
+
             let metrics_flusher = Flusher::new(FlusherConfig {
                 api_key_factory: Arc::new(ApiKeyFactory::new(&dd_api_key)),
                 aggregator_handle: handle.clone(),
-                metrics_intake_url_prefix: MetricsIntakeUrlPrefix::new(
-                    Some(Site::new(dd_site).expect("Failed to parse site")),
-                    None,
-                )
-                .expect("Failed to create intake URL prefix"),
-                https_proxy,
-                timeout: DOGSTATSD_TIMEOUT_DURATION,
+                metrics_intake_url_prefix,
+                client,
                 retry_strategy: RetryStrategy::LinearBackoff(3, 1),
                 compression_level: CompressionLevel::try_from(6).unwrap_or_default(),
-                // Not supported yet
-                ca_cert_path: None,
             });
             Some(metrics_flusher)
         }
@@ -288,3 +301,14 @@ async fn start_dogstatsd(
 
     (dogstatsd_cancel_token, metrics_flusher, handle)
 }
+
+fn build_metrics_client(
+    https_proxy: Option<String>,
+    timeout: Duration,
+) -> Result<reqwest::Client, Box<dyn std::error::Error>> {
+    let mut builder = create_reqwest_client_builder()?.timeout(timeout);
+    if let Some(proxy) = https_proxy {
+        builder = builder.proxy(reqwest::Proxy::https(proxy)?);
+    }
+    Ok(builder.build()?)
+}
diff --git a/crates/dogstatsd/Cargo.toml b/crates/dogstatsd/Cargo.toml
@@ -25,8 +25,6 @@ tokio-util = { version = "0.7.11", default-features = false }
 tracing = { version = "0.1.40", default-features = false }
 regex = { version = "1.10.6", default-features = false }
 zstd = { version = "0.13.3", default-features = false }
-datadog-fips = { path = "../datadog-fips", default-features = false }
-rustls-pemfile = { version = "2.0", default-features = false, features = ["std"] }
 
 [dev-dependencies]
 http = "1"
@@ -35,6 +33,5 @@ proptest = "1.4.0"
 tracing-test = { version = "0.2.5", default-features = false }
 
 [features]
-default = [ "reqwest/rustls-tls" ]
-fips = [ "reqwest/rustls-tls-no-provider", "datadog-fips/fips" ]
+default = []
 windows-pipes = ["tokio/io-util"]
diff --git a/crates/dogstatsd/src/datadog/shipping.rs b/crates/dogstatsd/src/datadog/shipping.rs
@@ -3,16 +3,13 @@
 
 use super::{MetricsIntakeUrlPrefix, Series};
 use crate::flusher::ShippingError;
-use datadog_fips::reqwest_adapter::create_reqwest_client_builder;
 use datadog_protos::metrics::SketchPayload;
 use protobuf::Message;
 use reqwest::{Client, Response};
 use serde_json;
-use std::error::Error;
-use std::fs::File;
-use std::io::{BufReader, Write};
+use std::io::Write;
 use std::time::Duration;
-use tracing::{debug, error, trace};
+use tracing::{debug, trace};
 use zstd::stream::write::Encoder;
 use zstd::zstd_safe::CompressionLevel;
 
@@ -21,7 +18,7 @@ use zstd::zstd_safe::CompressionLevel;
 pub struct DdApi {
     api_key: String,
     metrics_intake_url_prefix: MetricsIntakeUrlPrefix,
-    client: Option<Client>,
+    client: Client,
     retry_strategy: RetryStrategy,
     compression_level: CompressionLevel,
 }
@@ -31,17 +28,10 @@ impl DdApi {
     pub fn new(
         api_key: String,
         metrics_intake_url_prefix: MetricsIntakeUrlPrefix,
-        https_proxy: Option<String>,
-        ca_cert_path: Option<String>,
-        timeout: Duration,
+        client: Client,
         retry_strategy: RetryStrategy,
         compression_level: CompressionLevel,
     ) -> Self {
-        let client = build_client(https_proxy, ca_cert_path, timeout)
-            .inspect_err(|e| {
-                error!("Unable to create client {:?}", e);
-            })
-            .ok();
         DdApi {
             api_key,
             metrics_intake_url_prefix,
@@ -88,10 +78,7 @@ impl DdApi {
         body: Vec<u8>,
         content_type: &str,
     ) -> Result<Response, ShippingError> {
-        let client = &self
-            .client
-            .as_ref()
-            .ok_or_else(|| ShippingError::Destination(None, "No client".to_string()))?;
+        let client = &self.client;
         let start = std::time::Instant::now();
 
         let result = (|| -> std::io::Result<Vec<u8>> {
@@ -174,56 +161,3 @@ pub enum RetryStrategy {
     Immediate(u64),          // attempts
     LinearBackoff(u64, u64), // attempts, delay
 }
-
-fn build_client(
-    https_proxy: Option<String>,
-    ca_cert_path: Option<String>,
-    timeout: Duration,
-) -> Result<Client, Box<dyn Error>> {
-    let mut builder = create_reqwest_client_builder()?.timeout(timeout);
-
-    // Load custom TLS certificate if configured
-    if let Some(cert_path) = &ca_cert_path {
-        match load_custom_cert(cert_path) {
-            Ok(certs) => {
-                let cert_count = certs.len();
-                for cert in certs {
-                    builder = builder.add_root_certificate(cert);
-                }
-                debug!(
-                    "DOGSTATSD | Added {} root certificate(s) from {}",
-                    cert_count, cert_path
-                );
-            }
-            Err(e) => {
-                error!(
-                    "DOGSTATSD | Failed to load TLS certificate from {}: {}, continuing without custom cert",
-                    cert_path, e
-                );
-            }
-        }
-    }
-
-    if let Some(proxy) = https_proxy {
-        builder = builder.proxy(reqwest::Proxy::https(proxy)?);
-    }
-    Ok(builder.build()?)
-}
-
-fn load_custom_cert(cert_path: &str) -> Result<Vec<reqwest::Certificate>, Box<dyn Error>> {
-    let file = File::open(cert_path)?;
-    let mut reader = BufReader::new(file);
-
-    // Parse PEM certificates
-    let certs = rustls_pemfile::certs(&mut reader).collect::<Result<Vec<_>, _>>()?;
-
-    if certs.is_empty() {
-        return Err("No certificates found in file".into());
-    }
-
-    // Convert all certificates found in the file
-    certs
-        .into_iter()
-        .map(|cert| reqwest::Certificate::from_der(cert.as_ref()).map_err(Into::into))
-        .collect()
-}
diff --git a/crates/dogstatsd/src/flusher.rs b/crates/dogstatsd/src/flusher.rs
@@ -4,9 +4,8 @@
 use crate::aggregator::AggregatorHandle;
 use crate::api_key::ApiKeyFactory;
 use crate::datadog::{DdApi, MetricsIntakeUrlPrefix, RetryStrategy};
-use reqwest::{Response, StatusCode};
+use reqwest::{Client, Response, StatusCode};
 use std::sync::Arc;
-use std::time::Duration;
 use tokio::sync::OnceCell;
 use tracing::{debug, error};
 use zstd::zstd_safe::CompressionLevel;
@@ -16,9 +15,7 @@ pub struct Flusher {
     // Allow accepting a future so the API key resolution is deferred until the flush happens
     api_key_factory: Arc<ApiKeyFactory>,
     metrics_intake_url_prefix: MetricsIntakeUrlPrefix,
-    https_proxy: Option<String>,
-    ca_cert_path: Option<String>,
-    timeout: Duration,
+    client: Client,
     retry_strategy: RetryStrategy,
     aggregator_handle: AggregatorHandle,
     dd_api: OnceCell<Option<DdApi>>,
@@ -29,9 +26,7 @@ pub struct FlusherConfig {
     pub api_key_factory: Arc<ApiKeyFactory>,
     pub aggregator_handle: AggregatorHandle,
     pub metrics_intake_url_prefix: MetricsIntakeUrlPrefix,
-    pub https_proxy: Option<String>,
-    pub ca_cert_path: Option<String>,
-    pub timeout: Duration,
+    pub client: Client,
     pub retry_strategy: RetryStrategy,
     pub compression_level: CompressionLevel,
 }
@@ -41,9 +36,7 @@ impl Flusher {
         Flusher {
             api_key_factory: Arc::clone(&config.api_key_factory),
             metrics_intake_url_prefix: config.metrics_intake_url_prefix,
-            https_proxy: config.https_proxy,
-            ca_cert_path: config.ca_cert_path,
-            timeout: config.timeout,
+            client: config.client,
             retry_strategy: config.retry_strategy,
             aggregator_handle: config.aggregator_handle,
             compression_level: config.compression_level,
@@ -59,9 +52,7 @@ impl Flusher {
                     Some(api_key) => Some(DdApi::new(
                         api_key.to_string(),
                         self.metrics_intake_url_prefix.clone(),
-                        self.https_proxy.clone(),
-                        self.ca_cert_path.clone(),
-                        self.timeout,
+                        self.client.clone(),
                         self.retry_strategy.clone(),
                         self.compression_level,
                     )),
@@ -286,9 +277,7 @@ mod tests {
                 ),
             )
             .expect("failed to create URL"),
-            https_proxy: None,
-            ca_cert_path: None,
-            timeout: Duration::from_secs(5),
+            client: Client::builder().build().expect("failed to build client"),
             retry_strategy: RetryStrategy::Immediate(1),
             compression_level: CompressionLevel::try_from(6)
                 .expect("failed to create compression level"),
@@ -333,9 +322,7 @@ mod tests {
                 ),
             )
             .expect("failed to create URL"),
-            https_proxy: None,
-            ca_cert_path: None,
-            timeout: Duration::from_secs(5),
+            client: Client::builder().build().expect("failed to build client"),
             retry_strategy: RetryStrategy::Immediate(1),
             compression_level: CompressionLevel::try_from(6)
                 .expect("failed to create compression level"),
@@ -383,9 +370,7 @@ mod tests {
                 ),
             )
             .expect("failed to create URL"),
-            https_proxy: None,
-            ca_cert_path: None,
-            timeout: Duration::from_secs(5),
+            client: Client::builder().build().expect("failed to build client"),
             retry_strategy: RetryStrategy::Immediate(1),
             compression_level: CompressionLevel::try_from(6)
                 .expect("failed to create compression level"),
diff --git a/crates/dogstatsd/tests/integration_test.rs b/crates/dogstatsd/tests/integration_test.rs
