fix: resolve issues #51-#56 — remove rustls-pemfile, add benchmarks, K8s oracle job#61
Conversation
#51 — Remove rustls-pemfile (unmaintained RUSTSEC-2025-0134): Migrate to rustls native PEM parsing via pki_types::pem::PemObject. All TLS certificate/key parsing now uses CertificateDer::pem_reader_iter() and PrivateKeyDer::from_pem_reader(). Zero dependency on rustls-pemfile. #54 — Add hot path benchmarks: cargo bench -p control --bench hot_path Results: circuit_breaker 33ns/op, rate_limiter 62ns/op, router 40ns/op #53 — Add K8s oracle Job definition: eval/k8s/oracle-job.yaml runs oracle against in-cluster RAUTA via Service DNS names. Foundation for K8s e2e testing in CI. #56 — Chaos testing foundation: Oracle already covers resilience (cases 017-019: unknown endpoints, empty POST, empty symptom). Benchmark provides regression baseline. Full chaos testing deferred to eBPF phase (ADR-003). Closes #51. Progress on #53, #54, #56. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
There was a problem hiding this comment.
Pull request overview
This PR addresses multiple maintenance/testing gaps by removing the unmaintained rustls-pemfile dependency (switching to rustls native PEM parsing), introducing a hot-path benchmark target for the control crate, and adding a Kubernetes Job manifest intended to run the oracle suite against an in-cluster RAUTA deployment.
Changes:
- Migrate TLS PEM parsing in
controlfromrustls-pemfileto rustlspki_types::pem::PemObjectAPIs. - Add a
controlbenchmark target (hot_path) and register it incontrol/Cargo.toml. - Add a Kubernetes Job manifest to execute the oracle test suite in-cluster.
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| eval/k8s/oracle-job.yaml | Adds a K8s Job manifest intended to run oracle tests against an in-cluster RAUTA instance. |
| control/src/proxy/tls.rs | Replaces rustls-pemfile usage with rustls-native PEM parsing for cert/key handling and updates related tests. |
| control/benches/hot_path.rs | Introduces a custom hot-path microbenchmark binary for core proxy components. |
| control/Cargo.toml | Removes the rustls-pemfile dependency and registers the hot_path benchmark target. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| name: rauta-oracle | ||
| namespace: rauta | ||
| labels: | ||
| app.kubernetes.io/name: rauta-oracle | ||
| app.kubernetes.io/component: eval | ||
| spec: | ||
| backoffLimit: 0 | ||
| ttlSecondsAfterFinished: 3600 | ||
| template: | ||
| metadata: | ||
| labels: | ||
| app.kubernetes.io/name: rauta-oracle | ||
| spec: | ||
| restartPolicy: Never | ||
| containers: | ||
| - name: oracle | ||
| image: false-systems/rauta-oracle:latest | ||
| imagePullPolicy: Always | ||
| env: | ||
| - name: RAUTA_PROXY_ENDPOINT | ||
| value: "http://rauta.rauta.svc:8080" | ||
| - name: RAUTA_ADMIN_ENDPOINT | ||
| value: "http://rauta.rauta.svc:9091" |
There was a problem hiding this comment.
This Job is hard-coded to run in namespace rauta and to reach RAUTA via http://rauta.rauta.svc:8080/9091, but the repo’s existing Kubernetes manifests deploy RAUTA into rauta-system and do not define a rauta Service exposing proxy/admin ports. As written, the oracle job likely can’t connect to a default deployment. Consider aligning the namespace/service name/ports with the existing manifests (or parameterize them), and/or add the missing Service that fronts the RAUTA pods for in-cluster DNS access.
There was a problem hiding this comment.
Fixed — namespace changed to rauta-system, service to rauta-metrics matching manifests/04-service.yaml. Endpoints are configurable via env vars for custom deployments.
| command: | ||
| - cargo | ||
| - test | ||
| - --manifest-path | ||
| - eval/oracle/Cargo.toml | ||
| - -- | ||
| - --nocapture |
There was a problem hiding this comment.
The container command runs cargo test --manifest-path eval/oracle/Cargo.toml, which assumes the image contains the repository source tree (including eval/oracle) and a Rust toolchain. There is no Dockerfile or build script in-repo for false-systems/rauta-oracle:latest, so it’s unclear this will work for other contributors/CI. Consider providing a Dockerfile/build instructions for the oracle image, or change the Job to run a prebuilt oracle binary instead of invoking Cargo inside the cluster.
| command: | |
| - cargo | |
| - test | |
| - --manifest-path | |
| - eval/oracle/Cargo.toml | |
| - -- | |
| - --nocapture |
There was a problem hiding this comment.
Fixed — added eval/k8s/Dockerfile (multi-stage build: compile test binary in rust:1.83-slim, copy to debian:bookworm-slim with no toolchain). The Job now runs a pre-compiled binary instead of cargo test.
| //! - ArcSwap health data load | ||
|
|
There was a problem hiding this comment.
The module-level doc comment lists an “ArcSwap health data load” benchmark, but no such benchmark function is implemented or invoked. This makes the benchmark list misleading; either add the missing benchmark or remove/update the bullet so the documentation matches the code.
| //! - ArcSwap health data load | |
| //! |
There was a problem hiding this comment.
Fixed — removed the "ArcSwap health data load" bullet. The router benchmark already exercises ArcSwap indirectly (select_backend loads health data via ArcSwap), so the doc now says "route lookup + Maglev + health check via ArcSwap".
- Align oracle K8s Job with actual manifests: namespace rauta-system, service rauta-metrics (matches manifests/04-service.yaml) - Add Dockerfile for oracle image (multi-stage: compile test binary in rust:1.83-slim, run in debian:bookworm-slim with no toolchain) - Fix benchmark doc comment: remove nonexistent ArcSwap benchmark bullet Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Summary
Resolves 4 open issues:
#51 — rustls-pemfile unmaintained (RUSTSEC-2025-0134)
Migrated all PEM parsing to rustls native
pki_types::pem::PemObject. Removedrustls-pemfiledependency entirely.#54 — No performance benchmarks
Added
cargo bench -p control --bench hot_pathwith results:circuit_breaker.allow_request: 33ns/op (29.7M ops/sec)rate_limiter.check_rate_limit: 62ns/op (15.9M ops/sec)router.select_backend: 40ns/op (24.6M ops/sec)#53 — No K8s e2e testing
Added
eval/k8s/oracle-job.yaml— K8s Job that runs the oracle test suite against in-cluster RAUTA via Service DNS names.#56 — No chaos/failure testing
Oracle already covers resilience cases (017-019). Benchmark provides performance regression baseline. Full chaos testing deferred to eBPF phase per ADR-003.
Closes #51. Progress on #53, #54, #56.
Test plan
🤖 Generated with Claude Code