Enabling OPA AST optimizations in Skipper to store AST values in in-memory store (#3514)

**Context:**
With open-policy-agent/opa#7125 Open Policy
Agent introduced an option to read AST values from in-memory storage
instead of interfaces/slices.

When enabled it is expected to improve latency as this removes the time
spent converting raw data values to AST during policy evaluation. The
memory footprint of the store will increase, as processed AST values
would take more space in memory than the corresponding raw data values,
but overall memory usage of OPA might remain more stable over time, as
pre-converted data is shared across evaluations and isn't recomputed for
each evaluation.

With this PR, the option
`enable-open-policy-agent-data-preprocessing-optimization` is supported
as a Skipper configuration at OPA registry level. In other words, when
enabled it will be enabled for all the OPA systems running within the
same Skipper ingress.

### Benchmark test results show huge improvments

A 1000 run of the benchmark comparison.

For the simple policy,
<img width="805" alt="image" src="https://github.com/user-attachments/assets/b4a71b03-ed10-440f-bcd5-05a3e9d3dbaf" />

<google-sheets-html-origin><!--td {border: 1px solid #cccccc;}br {mso-data-placement:same-cell;}-->
  | ns/op _default | ns/op _optimized | B/op _default | B/op _optimized | allocs/op _default | allocs/op _optimized
-- | -- | -- | -- | -- | -- | --
Median | 24727.5 | 25016 | 18945 | 18961 | 308 | 309
Average | 26727.107 | 27058.068 | 18945.996 | 18961.234 | 308 | 309
P99 | 37737.5 | 39558.05 | 18951 | 18967 | 308 | 309
Max | 44914 | 49197 | 18953 | 18968 | 308 | 309
Min | 23375 | 23899 | 18945 | 18961 | 308 | 309
Deviation | 3703.249928 | 3840.160723 | 1.550609038 | 0.9110840104 | 0 | 0


For the slightly complex policy,
<img width="778" alt="image" src="https://github.com/user-attachments/assets/c5cd93d2-38cc-47ef-b6b4-f31cad91c461" />

**Complex Policy**
<google-sheets-html-origin><!--td {border: 1px solid #cccccc;}br {mso-data-placement:same-cell;}-->
  | ns/op _default | ns/op _optimized | B/op _default | B/op _optimized | allocs/op _default | allocs/op _optimized
-- | -- | -- | -- | -- | -- | --
Median | 1021329 | 28488.5 | 832732 | 20386 | 13990 | 336
Average | 1083208.684 | 29921.284 | 832734.342 | 20386.162 | 13990.147 | 336
P99 | 1612204.06 | 36141.25 | 832751 | 20388 | 13991 | 336
Max | 2908902 | 53455 | 832797 | 20394 | 13991 | 336
Min | 985625 | 26690 | 832726 | 20385 | 13990 | 336
Deviation | 140331.5701 | 3317.752934 | 7.238607147 | 1.144143813 | 0.3542831022 | 0







Signed-off-by: Pushpalanka Jayawardhana <pushpalanka.jayawardhana@zalando.de>

Author: Pushpalanka

config/config.go

@@ -297,17 +297,18 @@ type Config struct {
 	LuaModules *listFlag `yaml:"lua-modules"`
 	LuaSources *listFlag `yaml:"lua-sources"`
 
-	EnableOpenPolicyAgent                  bool          `yaml:"enable-open-policy-agent"`
-	EnableOpenPolicyAgentCustomControlLoop bool          `yaml:"enable-open-policy-agent-custom-control-loop"`
-	OpenPolicyAgentControlLoopInterval     time.Duration `yaml:"open-policy-agent-control-loop-interval"`
-	OpenPolicyAgentControlLoopMaxJitter    time.Duration `yaml:"open-policy-agent-control-loop-max-jitter"`
-	OpenPolicyAgentConfigTemplate          string        `yaml:"open-policy-agent-config-template"`
-	OpenPolicyAgentEnvoyMetadata           string        `yaml:"open-policy-agent-envoy-metadata"`
-	OpenPolicyAgentCleanerInterval         time.Duration `yaml:"open-policy-agent-cleaner-interval"`
-	OpenPolicyAgentStartupTimeout          time.Duration `yaml:"open-policy-agent-startup-timeout"`
-	OpenPolicyAgentRequestBodyBufferSize   int64         `yaml:"open-policy-agent-request-body-buffer-size"`
-	OpenPolicyAgentMaxRequestBodySize      int64         `yaml:"open-policy-agent-max-request-body-size"`
-	OpenPolicyAgentMaxMemoryBodyParsing    int64         `yaml:"open-policy-agent-max-memory-body-parsing"`
+	EnableOpenPolicyAgent                              bool          `yaml:"enable-open-policy-agent"`
+	EnableOpenPolicyAgentCustomControlLoop             bool          `yaml:"enable-open-policy-agent-custom-control-loop"`
+	OpenPolicyAgentControlLoopInterval                 time.Duration `yaml:"open-policy-agent-control-loop-interval"`
+	OpenPolicyAgentControlLoopMaxJitter                time.Duration `yaml:"open-policy-agent-control-loop-max-jitter"`
+	EnableOpenPolicyAgentDataPreProcessingOptimization bool          `yaml:"enable-open-policy-agent-data-preprocessing-optimization"`
+	OpenPolicyAgentConfigTemplate                      string        `yaml:"open-policy-agent-config-template"`
+	OpenPolicyAgentEnvoyMetadata                       string        `yaml:"open-policy-agent-envoy-metadata"`
+	OpenPolicyAgentCleanerInterval                     time.Duration `yaml:"open-policy-agent-cleaner-interval"`
+	OpenPolicyAgentStartupTimeout                      time.Duration `yaml:"open-policy-agent-startup-timeout"`
+	OpenPolicyAgentRequestBodyBufferSize               int64         `yaml:"open-policy-agent-request-body-buffer-size"`
+	OpenPolicyAgentMaxRequestBodySize                  int64         `yaml:"open-policy-agent-max-request-body-size"`
+	OpenPolicyAgentMaxMemoryBodyParsing                int64         `yaml:"open-policy-agent-max-memory-body-parsing"`
 
 	PassiveHealthCheck mapFlags `yaml:"passive-health-check"`
 }
@@ -536,6 +537,7 @@ func NewConfig() *Config {
 	flag.BoolVar(&cfg.EnableOpenPolicyAgentCustomControlLoop, "enable-open-policy-agent-custom-control-loop", false, "when enabled skipper will use a custom control loop to orchestrate certain opa behaviour (like the download of new bundles) instead of relying on periodic plugin triggers")
 	flag.DurationVar(&cfg.OpenPolicyAgentControlLoopInterval, "open-policy-agent-control-loop-interval", openpolicyagent.DefaultControlLoopInterval, "Interval between the execution of the control loop. Only applies if the custom control loop is enabled")
 	flag.DurationVar(&cfg.OpenPolicyAgentControlLoopMaxJitter, "open-policy-agent-control-loop-max-jitter", openpolicyagent.DefaultControlLoopMaxJitter, "Maximum jitter to add to the control loop interval. Only applies if the custom control loop is enabled")
+	flag.BoolVar(&cfg.EnableOpenPolicyAgentDataPreProcessingOptimization, "enable-open-policy-agent-data-preprocessing-optimization", false, "As a latency optimization, open policy agent will read values from in-memory storage as pre converted ASTs, removing conversion overhead at evaluation time. Currently experimental and if successful will be enabled by default")
 	flag.StringVar(&cfg.OpenPolicyAgentConfigTemplate, "open-policy-agent-config-template", "", "file containing a template for an Open Policy Agent configuration file that is interpolated for each OPA filter instance")
 	flag.StringVar(&cfg.OpenPolicyAgentEnvoyMetadata, "open-policy-agent-envoy-metadata", "", "JSON file containing meta-data passed as input for compatibility with Envoy policies in the format")
 	flag.DurationVar(&cfg.OpenPolicyAgentCleanerInterval, "open-policy-agent-cleaner-interval", openpolicyagent.DefaultCleanIdlePeriod, "Duration in seconds to wait before cleaning up unused opa instances")
@@ -993,17 +995,18 @@ func (c *Config) ToOptions() skipper.Options {
 		LuaModules: c.LuaModules.values,
 		LuaSources: c.LuaSources.values,
 
-		EnableOpenPolicyAgent:                  c.EnableOpenPolicyAgent,
-		EnableOpenPolicyAgentCustomControlLoop: c.EnableOpenPolicyAgentCustomControlLoop,
-		OpenPolicyAgentControlLoopInterval:     c.OpenPolicyAgentControlLoopInterval,
-		OpenPolicyAgentControlLoopMaxJitter:    c.OpenPolicyAgentControlLoopMaxJitter,
-		OpenPolicyAgentConfigTemplate:          c.OpenPolicyAgentConfigTemplate,
-		OpenPolicyAgentEnvoyMetadata:           c.OpenPolicyAgentEnvoyMetadata,
-		OpenPolicyAgentCleanerInterval:         c.OpenPolicyAgentCleanerInterval,
-		OpenPolicyAgentStartupTimeout:          c.OpenPolicyAgentStartupTimeout,
-		OpenPolicyAgentMaxRequestBodySize:      c.OpenPolicyAgentMaxRequestBodySize,
-		OpenPolicyAgentRequestBodyBufferSize:   c.OpenPolicyAgentRequestBodyBufferSize,
-		OpenPolicyAgentMaxMemoryBodyParsing:    c.OpenPolicyAgentMaxMemoryBodyParsing,
+		EnableOpenPolicyAgent:                              c.EnableOpenPolicyAgent,
+		EnableOpenPolicyAgentCustomControlLoop:             c.EnableOpenPolicyAgentCustomControlLoop,
+		OpenPolicyAgentControlLoopInterval:                 c.OpenPolicyAgentControlLoopInterval,
+		OpenPolicyAgentControlLoopMaxJitter:                c.OpenPolicyAgentControlLoopMaxJitter,
+		EnableOpenPolicyAgentDataPreProcessingOptimization: c.EnableOpenPolicyAgentDataPreProcessingOptimization,
+		OpenPolicyAgentConfigTemplate:                      c.OpenPolicyAgentConfigTemplate,
+		OpenPolicyAgentEnvoyMetadata:                       c.OpenPolicyAgentEnvoyMetadata,
+		OpenPolicyAgentCleanerInterval:                     c.OpenPolicyAgentCleanerInterval,
+		OpenPolicyAgentStartupTimeout:                      c.OpenPolicyAgentStartupTimeout,
+		OpenPolicyAgentMaxRequestBodySize:                  c.OpenPolicyAgentMaxRequestBodySize,
+		OpenPolicyAgentRequestBodyBufferSize:               c.OpenPolicyAgentRequestBodyBufferSize,
+		OpenPolicyAgentMaxMemoryBodyParsing:                c.OpenPolicyAgentMaxMemoryBodyParsing,
 
 		PassiveHealthCheck: c.PassiveHealthCheck.values,
 	}

filters/openpolicyagent/opaauthorizerequest/benchmark_test.go

@@ -343,6 +343,8 @@ func BenchmarkMinimalPolicyBundle(b *testing.B) {
 // pre-compiled bundles, serving as a representative use case.
 
 // A sample bundles for this benchmark are located at testResources/split-bundles.
+// To evaluate the performance of data-preprocessing optimization, use the resources at
+// testResources/data-pre-processing-visible-impact.
 // To generate a .tgz bundle, use the following command:
 //
 //   opa build -b <bundle_directory> -o <output_file.tgz>
@@ -357,49 +359,72 @@ func BenchmarkMinimalPolicyBundle(b *testing.B) {
 // and filterOpts variables are correctly configured to match your bundle and
 // the roots in .manifest files in your bundles do not overlap.
 func BenchmarkSplitPolicyAndDataBundles(b *testing.B) {
-	policyBundle := "policy"
-	dataBundle := "context-data"
-
-	bundleFiles := map[string]string{
-		policyBundle: "testResources/split-bundles/policy.tgz",
-		dataBundle:   "testResources/split-bundles/context-data.tgz",
+	type benchmarkCase struct {
+		name       string
+		createFunc func(FilterOptions) (filters.Filter, error)
 	}
 
-	opaControlPlane := newOpaControlPlaneServingDataAndPolicyBundles(b, bundleFiles)
-	defer opaControlPlane.Close()
-
-	filterOpts := FilterOptions{
-		OpaControlPlaneUrl:  opaControlPlane.URL,
-		DecisionConsumerUrl: opaControlPlane.URL,
-		DecisionPath:        "policy/allow",
-		BundleNames:         []string{policyBundle, dataBundle},
-		DecisionLogging:     false,
+	cases := []benchmarkCase{
+		{
+			name: "default_filter",
+			createFunc: func(opts FilterOptions) (filters.Filter, error) {
+				return createOpaFilterForMultipleBundles(opts)
+			},
+		},
+		{
+			name: "with_data_preprocessing_optimization",
+			createFunc: func(opts FilterOptions) (filters.Filter, error) {
+				return createOpaFilterWithDataProcessingOptimization(opts)
+			},
+		},
 	}
 
-	f, err := createOpaFilterForMultipleBundles(filterOpts)
-	require.NoError(b, err)
+	for _, bc := range cases {
+		b.Run(bc.name, func(b *testing.B) {
+			bundleFiles := map[string]string{
+				"policy":       "testResources/split-bundles/policy.tgz",
+				"context-data": "testResources/split-bundles/context-data.tgz",
+			}
 
-	requestUrl, err := url.Parse("http://opa-authorized.test/allow/alice")
-	require.NoError(b, err)
+			opaControlPlane := newOpaControlPlaneServingDataAndPolicyBundles(b, bundleFiles)
+			defer opaControlPlane.Close()
 
-	b.ResetTimer()
-	b.RunParallel(func(pb *testing.PB) {
-		for pb.Next() {
-			ctx := &filtertest.Context{
-				FStateBag: map[string]interface{}{},
-				FResponse: &http.Response{},
-				FRequest: &http.Request{
-					URL:    requestUrl,
-					Method: "GET",
-				},
-				FMetrics: &metricstest.MockMetrics{},
+			filterOpts := FilterOptions{
+				OpaControlPlaneUrl:  opaControlPlane.URL,
+				DecisionConsumerUrl: opaControlPlane.URL,
+				DecisionPath:        "policy/allow",
+				BundleNames:         []string{"policy", "context-data"},
+				DecisionLogging:     false,
 			}
-			f.Request(ctx)
-			assert.False(b, ctx.FServed)
-			assert.NotEqual(b, 403, ctx.FResponse.StatusCode, "Expected 403 Forbidden response")
-		}
-	})
 
+			f, err := bc.createFunc(filterOpts)
+			require.NoError(b, err)
+
+			requestURL, err := url.Parse("http://opa-authorized.test/allow/alice")
+			require.NoError(b, err)
+
+			b.ReportAllocs()
+			b.ResetTimer()
+
+			b.RunParallel(func(pb *testing.PB) {
+				for pb.Next() {
+					ctx := &filtertest.Context{
+						FStateBag: map[string]interface{}{},
+						FResponse: &http.Response{},
+						FRequest: &http.Request{
+							URL:    requestURL,
+							Method: "GET",
+						},
+						FMetrics: &metricstest.MockMetrics{},
+					}
+
+					f.Request(ctx)
+					assert.False(b, ctx.FServed)
+					assert.NotEqual(b, 403, ctx.FResponse.StatusCode, "Expected 403 Forbidden response")
+				}
+			})
+		})
+	}
 }
 
 func newOpaControlPlaneServingDataAndPolicyBundles(b *testing.B, bundleFiles map[string]string) *httptest.Server {
@@ -506,6 +531,13 @@ func createOpaFilterForMultipleBundles(opts FilterOptions) (filters.Filter, erro
 	return spec.CreateFilter([]interface{}{opts.BundleNames[0], opts.ContextExtensions})
 }
 
+func createOpaFilterWithDataProcessingOptimization(opts FilterOptions) (filters.Filter, error) {
+	config := generateConfigForMultipleBundles(opts.BundleNames, opts.OpaControlPlaneUrl, opts.DecisionConsumerUrl, opts.DecisionPath, opts.DecisionLogging)
+	registry := openpolicyagent.NewOpenPolicyAgentRegistry(openpolicyagent.WithEnableDataPreProcessingOptimization(true))
+	spec := NewOpaAuthorizeRequestSpec(registry, openpolicyagent.WithConfigTemplate(config))
+	return spec.CreateFilter([]interface{}{opts.BundleNames[0], opts.ContextExtensions})
+}
+
 func generateConfigForMultipleBundles(bundlesNames []string, opaControlPlane string, decisionLogConsumer string, decisionPath string, decisionLogging bool) []byte {
 	var decisionPlugin string
 	if decisionLogging {

filters/openpolicyagent/opaauthorizerequest/testResources/data-pre-procesing-visible-impact/data/.manifest

@@ -0,0 +1,3 @@
+{
+  "roots": ["roles"]
+}