plugins/status: FIFO buffer channel for status events to prevent slow status API blocking (#7522)

If a status API is slow to respond it can cause OPA to be blocked writing to an unbuffered channel. This fixes it by using a buffered channel that never blocks but drops the oldest status update if full.

Signed-off-by: Sebastian Spaink <[email protected]>

Author: sspaink

docs/content/configuration.md

@@ -767,15 +767,15 @@ included in the actual bundle gzipped tarball.
 
 ## Status
 
-| Field | Type | Required | Description |
-| --- | --- | --- | --- |
-| `status.service` | `string` | Yes | Name of service to use to contact remote server. |
-| `status.partition_name` | `string` | No | Path segment to include in status updates. |
-| `status.console` | `boolean` | No (default: `false`) | Log the status updates locally to the console. When enabled alongside a remote status update API the `service` must be configured, the default `service` selection will be disabled. |
-| `status.prometheus` | `boolean` | No (default: `false`) | Export the status (bundle and plugin) metrics to prometheus (see [the monitoring documentation](../monitoring/#prometheus)). When enabled alongside a remote status update API the `service` must be configured, the default `service` selection will be disabled. |
-| `status.prometheus_config.collectors.bundle_loading_duration_ns.buckets` | `[]float64` | No, (Only use when status.prometheus true, default: [1000, 2000, 4000, 8000, 16_000, 32_000, 64_000, 128_000, 256_000, 512_000, 1_024_000, 2_048_000, 4_096_000, 8_192_000, 16_384_000, 32_768_000, 65_536_000, 131_072_000, 262_144_000, 524_288_000]) | Specifies the buckets for the `bundle_loading_duration_ns` metric. Each value is a float, it is expressed in nanoseconds. |
-| `status.plugin` | `string` | No | Use the named plugin for status updates. If this field exists, the other configuration fields are not required. |
-| `status.trigger` | `string`  (default: `periodic`) | No | Controls how status updates are reported to the remote server. Allowed values are `periodic` and `manual` (`manual` triggers are only possible when using OPA as a Go package). |
+| Field                                                                    | Type        | Required                                                                                                                                                                                                                                                | Description                                                                                                                                                                                                                                                        |
+|--------------------------------------------------------------------------|-------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| `status.service`                                                         | `string`    | Yes                                                                                                                                                                                                                                                     | Name of service to use to contact remote server.                                                                                                                                                                                                                   |
+| `status.partition_name`                                                  | `string`    | No                                                                                                                                                                                                                                                      | Path segment to include in status updates.                                                                                                                                                                                                                         |
+| `status.console`                                                         | `boolean`   | No (default: `false`)                                                                                                                                                                                                                                   | Log the status updates locally to the console. When enabled alongside a remote status update API the `service` must be configured, the default `service` selection will be disabled.                                                                               |
+| `status.prometheus`                                                      | `boolean`   | No (default: `false`)                                                                                                                                                                                                                                   | Export the status (bundle and plugin) metrics to prometheus (see [the monitoring documentation](../monitoring/#prometheus)). When enabled alongside a remote status update API the `service` must be configured, the default `service` selection will be disabled. |
+| `status.prometheus_config.collectors.bundle_loading_duration_ns.buckets` | `[]float64` | No, (Only use when status.prometheus true, default: [1000, 2000, 4000, 8000, 16_000, 32_000, 64_000, 128_000, 256_000, 512_000, 1_024_000, 2_048_000, 4_096_000, 8_192_000, 16_384_000, 32_768_000, 65_536_000, 131_072_000, 262_144_000, 524_288_000]) | Specifies the buckets for the `bundle_loading_duration_ns` metric. Each value is a float, it is expressed in nanoseconds.                                                                                                                                          |
+| `status.plugin`                                                          | `string`    | No                                                                                                                                                                                                                                                      | Use the named plugin for status updates. If this field exists, the other configuration fields are not required.                                                                                                                                                    |
+| `status.trigger`                                                         | `string`    | No (default: `periodic`)                                                                                                                                                                                                                                | Controls how status updates are reported to the remote server. Allowed values are `periodic` and `manual` (`manual` triggers are only possible when using OPA as a Go package).                                                                                    |
 
 ## Decision Logs
 

v1/plugins/logs/eventBuffer.go

@@ -13,6 +13,7 @@ import (
 	"github.com/open-policy-agent/opa/v1/logging"
 	"github.com/open-policy-agent/opa/v1/metrics"
 	"github.com/open-policy-agent/opa/v1/plugins/rest"
+	"github.com/open-policy-agent/opa/v1/util"
 )
 
 type bufferItem struct {
@@ -94,26 +95,7 @@ func (b *eventBuffer) Push(event *EventV1) {
 }
 
 func (b *eventBuffer) push(event *bufferItem) {
-	// This prevents getting blocked forever writing to a full buffer, in case another routine fills the last space.
-	// Retrying maxEventRetry times to drop the oldest event. Dropping the incoming event if there still isn't room.
-	maxEventRetry := 1000
-
-	for range maxEventRetry {
-		// non-blocking send to the buffer, to prevent blocking if buffer is full so room can be made.
-		select {
-		case b.buffer <- event:
-			return
-		default:
-		}
-
-		// non-blocking drop from the buffer to make room for incoming event.
-		// the buffer could have emptied due to an upload.
-		select {
-		case <-b.buffer:
-			b.incrMetric(logBufferEventDropCounterName)
-		default:
-		}
-	}
+	util.PushFIFO(b.buffer, event, b.metrics, logBufferEventDropCounterName)
 }
 
 // Upload reads events from the buffer and uploads them to the configured client.

v1/plugins/status/plugin.go

@@ -23,6 +23,11 @@ import (
 	"github.com/open-policy-agent/opa/v1/util"
 )
 
+const (
+	statusBufferLimit           = int64(10)
+	statusBufferDropCounterName = "status_dropped_buffer_limit_exceeded"
+)
+
 // Logger defines the interface for status plugins.
 type Logger interface {
 	plugins.Plugin
@@ -207,8 +212,8 @@ func New(parsedConfig *Config, manager *plugins.Manager) *Plugin {
 	p := &Plugin{
 		manager:        manager,
 		config:         *parsedConfig,
-		bundleCh:       make(chan bundle.Status),
-		bulkBundleCh:   make(chan map[string]*bundle.Status),
+		bundleCh:       make(chan bundle.Status, statusBufferLimit),
+		bulkBundleCh:   make(chan map[string]*bundle.Status, statusBufferLimit),
 		discoCh:        make(chan bundle.Status),
 		decisionLogsCh: make(chan lstat.Status),
 		stop:           make(chan chan struct{}),
@@ -278,12 +283,12 @@ func (p *Plugin) Stop(_ context.Context) {
 // UpdateBundleStatus notifies the plugin that the policy bundle was updated.
 // Deprecated: Use BulkUpdateBundleStatus instead.
 func (p *Plugin) UpdateBundleStatus(status bundle.Status) {
-	p.bundleCh <- status
+	util.PushFIFO(p.bundleCh, status, p.metrics, statusBufferDropCounterName)
 }
 
 // BulkUpdateBundleStatus notifies the plugin that the policy bundle was updated.
 func (p *Plugin) BulkUpdateBundleStatus(status map[string]*bundle.Status) {
-	p.bulkBundleCh <- status
+	util.PushFIFO(p.bulkBundleCh, status, p.metrics, statusBufferDropCounterName)
 }
 
 // UpdateDiscoveryStatus notifies the plugin that the discovery bundle was updated.
@@ -436,7 +441,7 @@ func (p *Plugin) oneShot(ctx context.Context) error {
 			WithJSON(req).
 			Do(ctx, "POST", fmt.Sprintf("/status/%v", p.config.PartitionName))
 		if err != nil {
-			return fmt.Errorf("Status update failed: %w", err)
+			return fmt.Errorf("status update failed: %w", err)
 		}
 
 		defer util.Close(resp)

v1/plugins/status/plugin_test.go

@@ -14,6 +14,7 @@ import (
 	"os"
 	"reflect"
 	"slices"
+	"strconv"
 	"strings"
 	"testing"
 	"time"
@@ -38,6 +39,60 @@ func TestMain(m *testing.M) {
 	os.Exit(m.Run())
 }
 
+func TestStatusUpdateBuffer(t *testing.T) {
+
+	tests := []struct {
+		name                  string
+		numberOfStatusUpdates int
+		expectedStatusUpdates int
+		expectedNameDropped   string
+	}{
+		{
+			name:                  "add one over the limit and drop oldest",
+			numberOfStatusUpdates: 11,
+			expectedStatusUpdates: 10,
+			expectedNameDropped:   "0",
+		},
+		{
+			name:                  "don't drop anything",
+			numberOfStatusUpdates: 5,
+			expectedStatusUpdates: 5,
+		},
+	}
+
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			fixture := newTestFixture(t, nil)
+			ctx := context.Background()
+
+			err := fixture.plugin.Start(ctx)
+			if err != nil {
+				t.Fatal(err)
+			}
+			defer fixture.plugin.Stop(ctx)
+
+			for i := range tc.numberOfStatusUpdates {
+				s := bundle.Status{
+					Name: strconv.Itoa(i),
+				}
+				fixture.plugin.BulkUpdateBundleStatus(map[string]*bundle.Status{
+					"test": &s,
+				})
+			}
+
+			if len(fixture.plugin.bulkBundleCh) != tc.expectedStatusUpdates {
+				t.Fatalf("expected %d updates, got %d", tc.expectedStatusUpdates, len(fixture.plugin.bulkBundleCh))
+			}
+			for _, v := range <-fixture.plugin.bulkBundleCh {
+				if v.Name == tc.expectedNameDropped {
+					t.Fatalf("expected %s dropped", tc.expectedNameDropped)
+				}
+			}
+		})
+	}
+
+}
+
 func TestConfigValueParse(t *testing.T) {
 	tests := []struct {
 		note             string
@@ -87,17 +142,17 @@ func TestConfigValueParse(t *testing.T) {
 		},
 	}
 
-	for _, test := range tests {
-		t.Run(test.note, func(t *testing.T) {
-			config, err := ParseConfig([]byte(test.input), []string{}, []string{"status"})
+	for _, tc := range tests {
+		t.Run(tc.note, func(t *testing.T) {
+			config, err := ParseConfig([]byte(tc.input), []string{}, []string{"status"})
 			if err != nil {
 				t.Errorf("expected no error: %v", err)
 			}
-			if test.expectedNoConfig && config != nil {
+			if tc.expectedNoConfig && config != nil {
 				t.Errorf("expected parsed config is nil, got %v", config)
 			}
-			if !test.expectedNoConfig && !slices.Equal(config.PrometheusConfig.Collectors.BundleLoadDurationNanoseconds.Buckets, test.expectedValue) {
-				t.Errorf("expected %v, got %v", test.expectedValue, config.PrometheusConfig.Collectors.BundleLoadDurationNanoseconds.Buckets)
+			if !tc.expectedNoConfig && !slices.Equal(config.PrometheusConfig.Collectors.BundleLoadDurationNanoseconds.Buckets, tc.expectedValue) {
+				t.Errorf("expected %v, got %v", tc.expectedValue, config.PrometheusConfig.Collectors.BundleLoadDurationNanoseconds.Buckets)
 			}
 		})
 	}
@@ -385,7 +440,7 @@ func TestPluginNoLogging(t *testing.T) {
 	}
 }
 
-func TestPluginStartTriggerManual(t *testing.T) {
+func TestPluginStartTriggerManualStart(t *testing.T) {
 
 	fixture := newTestFixture(t, nil)
 	fixture.server.ch = make(chan UpdateRequestV1)
@@ -421,18 +476,45 @@ func TestPluginStartTriggerManual(t *testing.T) {
 	if !maps.Equal(result.Labels, exp.Labels) {
 		t.Fatalf("Expected: %v but got: %v", exp, result)
 	}
+}
+
+func TestPluginStartTriggerManual(t *testing.T) {
+	fixture := newTestFixture(t, nil)
+	fixture.server.ch = make(chan UpdateRequestV1)
+	defer fixture.server.stop()
+	tr := plugins.TriggerManual
+	fixture.plugin.config.Trigger = &tr
 
 	status := testStatus()
 
 	fixture.plugin.BulkUpdateBundleStatus(map[string]*bundle.Status{"test": status})
 
+	statuses := <-fixture.plugin.bulkBundleCh
+	fixture.plugin.lastBundleStatuses = statuses
+
 	// trigger the status update
 	go func() {
-		_ = fixture.plugin.Trigger(ctx)
+		_ = fixture.plugin.Trigger(context.Background())
 	}()
 
-	result = <-fixture.server.ch
+	go func() {
+		update := <-fixture.plugin.trigger
+		err := fixture.plugin.oneShot(update.ctx)
+		if err != nil {
+			t.Error(err)
+			return
+		}
+	}()
 
+	result := <-fixture.server.ch
+
+	exp := UpdateRequestV1{
+		Labels: map[string]string{
+			"id":      "test-instance-id",
+			"app":     "example-app",
+			"version": version.Version,
+		},
+	}
 	exp.Bundles = map[string]*bundle.Status{"test": status}
 
 	if !maps.EqualFunc(result.Bundles, exp.Bundles, (*bundle.Status).Equal) {

v1/util/channel.go

@@ -0,0 +1,32 @@
+package util
+
+import (
+	"github.com/open-policy-agent/opa/v1/metrics"
+)
+
+// This prevents getting blocked forever writing to a full buffer, in case another routine fills the last space.
+// Retrying maxEventRetry times to drop the oldest event. Dropping the incoming event if there still isn't room.
+const maxEventRetry = 1000
+
+// PushFIFO pushes data into a buffered channel without blocking when full, making room by dropping the oldest data.
+// An optional metric can be recorded when data is dropped.
+func PushFIFO[T any](buffer chan T, data T, metrics metrics.Metrics, metricName string) {
+
+	for range maxEventRetry {
+		// non-blocking send to the buffer, to prevent blocking if buffer is full so room can be made.
+		select {
+		case buffer <- data:
+			return
+		default:
+		}
+
+		// non-blocking drop from the buffer to make room for incoming event
+		select {
+		case <-buffer:
+			if metrics != nil && metricName != "" {
+				metrics.Counter(metricName).Incr()
+			}
+		default:
+		}
+	}
+}