APIServer: Propagate a new context with limited information (#100374)

* APIServer: Propagate a new context with limited information * APIServer: Remove error return * APIServer: Test that context propagation does fork * APIServer: Fix golangci-lint lints * chore: make update-workspace
2025-02-25 18:55:37 -06:00 · 2025-02-12 10:11:52 +01:00 · 2025-02-12 10:11:52 +01:00 · a0701a42f1
commit a0701a42f1
parent aca024bcbb
4 changed files with 127 additions and 1 deletions
--- a/pkg/apiserver/endpoints/responsewriter/responsewriter.go
+++ b/pkg/apiserver/endpoints/responsewriter/responsewriter.go
@ -2,13 +2,19 @@ package responsewriter

 import (
 	"bufio"
+	"context"
 	"errors"
 	"fmt"
 	"io"
 	"net/http"
 	"sync/atomic"

+	"github.com/grafana/grafana-app-sdk/logging"
+	"github.com/grafana/grafana/pkg/apimachinery/identity"
+	"k8s.io/apiserver/pkg/authentication/user"
+	"k8s.io/apiserver/pkg/endpoints/request"
 	"k8s.io/apiserver/pkg/endpoints/responsewriter"
+	"k8s.io/component-base/tracing"
 	"k8s.io/klog/v2"
 )

@ -27,6 +33,13 @@ func WrapHandler(handler http.Handler) func(req *http.Request) (*http.Response,
 	// so the client will be responsible for closing the response body.
 	//nolint:bodyclose
 	return func(req *http.Request) (*http.Response, error) {
+		ctx, cancel, err := createLimitedContext(req)
+		if err != nil {
+			return nil, err
+		}
+		defer cancel()
+		req = req.WithContext(ctx) // returns a shallow copy, so we can't do it as part of the adapter.
+
 		w := NewAdapter(req)
 		go func() {
 			handler.ServeHTTP(w, req)
@ -39,6 +52,74 @@ func WrapHandler(handler http.Handler) func(req *http.Request) (*http.Response,
 	}
 }

+// createLimitedContext creates a new context based on the the req's.
+// It contains vital information such as a logger for the driver of the request, a user for auth, tracing, and deadlines. It propagates the parent's cancellation.
+func createLimitedContext(req *http.Request) (context.Context, context.CancelFunc, error) {
+	refCtx := req.Context()
+	newCtx := context.Background()
+
+	if ns, ok := request.NamespaceFrom(refCtx); ok {
+		newCtx = request.WithNamespace(newCtx, ns)
+	}
+	if signal := request.ServerShutdownSignalFrom(refCtx); signal != nil {
+		newCtx = request.WithServerShutdownSignal(newCtx, signal)
+	}
+
+	requester, _ := identity.GetRequester(refCtx)
+	if requester != nil {
+		newCtx = identity.WithRequester(newCtx, requester)
+	}
+
+	usr, ok := request.UserFrom(refCtx)
+	if !ok && requester != nil {
+		// add in k8s user if not there yet
+		var ok bool
+		usr, ok = requester.(user.Info)
+		if !ok {
+			return nil, nil, fmt.Errorf("could not convert user to Kubernetes user")
+		}
+	}
+	if ok {
+		newCtx = request.WithUser(newCtx, usr)
+	}
+
+	// App SDK logger
+	appLogger := logging.FromContext(refCtx)
+	newCtx = logging.Context(newCtx, appLogger)
+	// Klog logger
+	klogger := klog.FromContext(refCtx)
+	if klogger.Enabled() {
+		newCtx = klog.NewContext(newCtx, klogger)
+	}
+
+	// The tracing package deals with both k8s trace and otel.
+	if span := tracing.SpanFromContext(refCtx); span != nil && *span != (tracing.Span{}) {
+		newCtx = tracing.ContextWithSpan(newCtx, span)
+	}
+
+	deadlineCancel := context.CancelFunc(func() {})
+	if deadline, ok := refCtx.Deadline(); ok {
+		newCtx, deadlineCancel = context.WithDeadline(newCtx, deadline)
+	}
+
+	newCtx, cancel := context.WithCancelCause(newCtx)
+	// We intentionally do not defer a cancel(nil) here. It wouldn't make sense to cancel until (*ResponseAdapter).Close() is called.
+	go func() { // Even context's own impls do goroutines for this type of pattern.
+		select {
+		case <-newCtx.Done():
+			// We don't have to do anything!
+		case <-refCtx.Done():
+			cancel(context.Cause(refCtx))
+		}
+		deadlineCancel()
+	}()
+
+	return newCtx, context.CancelFunc(func() {
+		cancel(nil)
+		deadlineCancel()
+	}), nil
+}
+
 // ResponseAdapter is an implementation of [http.ResponseWriter] that allows conversion to a [http.Response].
 type ResponseAdapter struct {
 	req         *http.Request
--- a/pkg/apiserver/endpoints/responsewriter/responsewriter_test.go
+++ b/pkg/apiserver/endpoints/responsewriter/responsewriter_test.go
@ -10,6 +10,8 @@ import (
 	"time"

 	"github.com/stretchr/testify/require"
+	"k8s.io/apiserver/pkg/authentication/user"
+	"k8s.io/apiserver/pkg/endpoints/request"

 	grafanaresponsewriter "github.com/grafana/grafana/pkg/apiserver/endpoints/responsewriter"
 )
@ -158,6 +160,44 @@ func TestResponseAdapter(t *testing.T) {
 		}
 		wg.Wait()
 	})
+
+	t.Run("should fork the context", func(t *testing.T) {
+		t.Parallel()
+
+		type K int
+		var key K
+		baseCtx := context.Background()
+		baseCtx = context.WithValue(baseCtx, key, "hello, world!") // we expect this one not to be sent to the inner handler.
+
+		expectedUsr := &user.DefaultInfo{Name: "hello, world!"}
+		baseCtx = request.WithUser(baseCtx, expectedUsr)
+		// There are more keys to consider, but this should be sufficient to decide that we do actually propagate select data across.
+
+		client := &http.Client{
+			Transport: &roundTripperFunc{
+				ready: make(chan struct{}),
+				// ignore the lint error because the response is passed directly to the client,
+				// so the client will be responsible for closing the response body.
+				//nolint:bodyclose
+				fn: grafanaresponsewriter.WrapHandler(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+					require.Nil(t, r.Context().Value(key), "inner handler should not have a value for key of type K")
+					usr, ok := request.UserFrom(r.Context())
+					require.True(t, ok, "no user found in request context")
+					require.Equal(t, expectedUsr.Name, usr.GetName(), "user data was not propagated through request context")
+
+					_, err := w.Write([]byte("OK"))
+					require.NoError(t, err)
+				})),
+			},
+		}
+
+		req, err := http.NewRequestWithContext(baseCtx, http.MethodGet, "/", nil)
+		require.NoError(t, err)
+
+		resp, err := client.Do(req)
+		require.NoError(t, err, "request should not fail")
+		require.NoError(t, resp.Body.Close())
+	})
 }

 func syncHandler(w http.ResponseWriter, r *http.Request) {
--- a/pkg/apiserver/go.mod
+++ b/pkg/apiserver/go.mod
@ -1,10 +1,13 @@
 module github.com/grafana/grafana/pkg/apiserver

-go 1.23.1
+go 1.23.4
+
+toolchain go1.23.6

 require (
 	github.com/google/go-cmp v0.6.0
 	github.com/grafana/authlib/types v0.0.0-20250120145936-5f0e28e7a87c
+	github.com/grafana/grafana-app-sdk/logging v0.30.0
 	github.com/grafana/grafana/pkg/apimachinery v0.0.0-20240701135906-559738ce6ae1
 	github.com/prometheus/client_golang v1.20.5
 	github.com/stretchr/testify v1.10.0
--- a/pkg/apiserver/go.sum
+++ b/pkg/apiserver/go.sum
@ -81,6 +81,8 @@ github.com/gorilla/websocket v1.5.3 h1:saDtZ6Pbx/0u+bgYQ3q96pZgCzfhKXGPqt7kZ72aN
 github.com/gorilla/websocket v1.5.3/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
 github.com/grafana/authlib/types v0.0.0-20250120145936-5f0e28e7a87c h1:b0sPDtt33uFdmvUJjSCld3kwE2E49dUvevuUDSJsEuo=
 github.com/grafana/authlib/types v0.0.0-20250120145936-5f0e28e7a87c/go.mod h1:qYjSd1tmJiuVoSICp7Py9/zD54O9uQQA3wuM6Gg4DFM=
+github.com/grafana/grafana-app-sdk/logging v0.30.0 h1:K/P/bm7Cp7Di4tqIJ3EQz2+842JozQGRaz62r95ApME=
+github.com/grafana/grafana-app-sdk/logging v0.30.0/go.mod h1:xy6ZyVXl50Z3DBDLybvBPphbykPhuVNed/VNmen9DQM=
 github.com/grafana/grafana/pkg/apimachinery v0.0.0-20240701135906-559738ce6ae1 h1:ItDcDxUjVLPKja+hogpqgW/kj8LxUL2qscelXIsN1Bs=
 github.com/grafana/grafana/pkg/apimachinery v0.0.0-20240701135906-559738ce6ae1/go.mod h1:DkxMin+qOh1Fgkxfbt+CUfBqqsCQJMG9op8Os/irBPA=
 github.com/grpc-ecosystem/go-grpc-middleware v1.4.0 h1:UH//fgunKIs4JdUbpDl1VZCDaL56wXCB/5+wF6uHfaI=