feat: add Memory Protection Middleware

[miparnisari]

Pre-reqs

• chore: support ldflags in go-build actions#105

Description

This PR introduces a new memory protection middleware to help prevent out-of-memory conditions in SpiceDB by implementing admission control based on current memory usage.

This is not a perfect solution (doesn't prevent non-traffic-related sources of OOM) and is meant to support other future improvements to resource sharing in a single SpiceDB node.

The middleware is installed both in the main API and in Dispatch APIs, and it uses this lib: https://github.com/odigos-io/go-rtml

⚠️ It does NOT reject health check requests based on memory usage,
⚠️ It needs a special build flag.

References

Alternative implementation: #2646.

Upon testing both implementations, it was found that:

1. this PR rejects less requests.
2. this PR didn't OOM the docker container when mem_limit was hit.

[codecov]

Codecov Report

❌ Patch coverage is 93.06931% with 7 lines in your changes missing coverage. Please review.
✅ Project coverage is 77.01%. Comparing base (ec7032a) to head (967b1b9).
⚠️ Report is 3 commits behind head on main.

Files with missing lines	Patch %	Lines
pkg/cmd/server/server.go	88.24%	2 Missing and 2 partials ⚠️
pkg/cmd/testserver/testserver.go	0.00%	3 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #2691      +/-   ##
==========================================
- Coverage   77.01%   77.01%   -0.00%     
==========================================
  Files         462      464       +2     
  Lines       49134    49184      +50     
==========================================
+ Hits        37837    37872      +35     
- Misses       8509     8520      +11     
- Partials     2788     2792       +4     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[ecordell]

I would've expected that if the feature was disabled we would just not install the middleware at all, instead of installing it with a no-op limiter?

[miparnisari]

I'm wondering now why do we have the MemoryProtectionEnabled flag at all 🤔

[tstirrat15]

I'd be in favor of having it be always-on, and then we just don't install the middleware in tests (if that's possible).

[miparnisari]

I looked at our existing middlewares to see if we have an example of one that is conditionally installed, and it doesn't exist... if a middleware isn't enabled, it still runs, but it just no-ops. Example:

spicedb/internal/middleware/perfinsights/perfinsights.go

Lines 157 to 160 in d4ff660

	func (r *reporter) ServerReporter(ctx context.Context, callMeta interceptors.CallMeta) (interceptors.Reporter, context.Context) {
	if !r.isEnabled {
	return &interceptors.NoopReporter{}, ctx
	}

[tstirrat15]

Captured in #2723

[tstirrat15]

And I think I'm going to split the difference and not expose it as a user-facing flag, but leave the ability to configure it. My thought is that if (e.g.) our steelthread tests start hitting OOM conditions that trigger this middleware, it'll be good to disable the middleware so that we get failures instead of ResourceExhausteds

[ecordell]

I wish we had a way to set a threshold here. Since this will get called both for dispatch and primary api calls, it will start rejecting them both equally, when really we want to reject primary api before we start rejecting dispatch.

I don't think this is worth blocking on, but I do wonder if we should contribute a threshold % to the upstream library.

[miparnisari]

Good idea. Opened odigos-io/go-rtml#3

[vroldanbet]

why increasing from 10m to 20m?

[miparnisari]

Ah sorry, that was a leftover from a different PR. The answer is https://github.com/authzed/spicedb/pull/2674/files#r2505759338

Tl;dr instead of putting timeouts in the test code itself, i think it's better to put it in go test -timeout

[vroldanbet]

Why does it have to run before auth?

The rationale for EnsureAlreadyExecuted is to declare a dependency between middlewares explicitly: "I need this to run before me because I depend on its side effects". So why does the auth middleware depend on memory protection?

If not, you can remove it.

If anything, I'd argue that memory protection depends on all the previous middlewares, because we want observability to take place before we kick memory protection, otherwise we would be running blind when ResourceExhausted is returned.

[miparnisari]

Oh this was a leftover from @ecordell's original PR. I don't have a strong opinion around this, I didn't know that EnsureAlreadyExecuted meant an explicit dependency.

@ecordell do you have any thoughts?

[ecordell]

I don't have a strong opinion here, I just thought that the earlier the memory protection could run the better.

[tstirrat15]

See comments, otherwise looks good.

[tstirrat15]

Ah, we're doing it with a label? Hmm...

[tstirrat15]

I'd be keen to see what @ecordell has to say, and I'm down with the idea of making this memory middleware non-optional.

[tstirrat15]

I'd be in favor of having it be always-on, and then we just don't install the middleware in tests (if that's possible).

[tstirrat15]

This looks like it should be good.

[tstirrat15]

No vars, so don't need With

[tstirrat15]

LGTM