contrib/envoyproxy(feat): Implement API Sec proxy route sampler

[e-n-0]

What does this PR do?

This PR add a new API Security route sampler for proxies. It is defined in this RFC.

Using the new release of appsec-internal-go v1.13.0 (PR DataDog/appsec-internal-go#52)

Motivation

Correctly sample the requests for schema generation inside proxy environment.
Currently, the sampler applied is by key on the path (fallback on the path because the route is not available). This PR means to change it.

Reviewer's Checklist

• Changed code has unit tests for its functionality at or near 100% coverage.
• System-Tests covering this feature have been added and enabled with the va.b.c-dev version tag.
• There is a benchmark for any new code, or changes to existing code.
• If this interacts with the agent in a new way, a system test has been added.
• New code is free of linting errors. You can check this by running golangci-lint run locally.
• Add an appropriate team label so this PR gets put in the right place for the release notes.
• Non-trivial go.mod changes, e.g. adding new modules, are reviewed by @DataDog/dd-trace-go-guild.

Unsure? Have a question? Request a review!

[pr-commenter]

Benchmarks

Benchmark execution time: 2025-06-27 15:38:12

Comparing candidate commit 71622f3 in PR branch flavien/proxy-route-sampler with baseline commit fe9272d in branch main.

Found 0 performance improvements and 0 performance regressions! Performance is the same for 24 metrics, 0 unstable metrics.

[datadog-datadog-prod-us1]

Datadog Report

Branch report: flavien/proxy-route-sampler
Commit report: 25c9c0c
Test service: dd-trace-go

❌ 1 Failed (0 Known Flaky), 5422 Passed, 66 Skipped, 4m 23.29s Total Time

❌ Failed Tests (1)

• TestMultipleSpanIntegrationTags - github.com/DataDog/dd-trace-go/v2/ddtrace/tracer - Details

  Expand for error

   Failed
   
   === RUN   TestMultipleSpanIntegrationTags
       metrics_test.go:211: 
           	Error Trace:	/home/runner/work/dd-trace-go/dd-trace-go/ddtrace/tracer/metrics_test.go:211
           	Error:      	Not equal: 
           	            	expected: 10
           	            	actual  : 9
           	Test:       	TestMultipleSpanIntegrationTags
       metrics_test.go:218: 
   ...
  

[RomainMuller]

Ugh I should've asked for this constant name to mention the unit of the value; because here I have no clue...

I'd appreciate if you can:

1. Add a comment here mentioning the unit (samples-per-second?)
2. Maybe make a small PR to appsec-internal-go to document it on the constant if not done already.

And then, depending on the unit -- this may be too low to guarantee it'll always behave right on slow CI hosts... Should probably not be afraid to pump it up ridiculously.

[e-n-0]

The value of EnvAPISecProxySampleRate is a sample rate by minute. I opened this PR to refine the doc: DataDog/appsec-internal-go#53

I also updated the test to test that after 1 min, the sampler is restaured.

[RomainMuller]

I also updated the test to test that after 1 min, the sampler is restaured.

You sure about that? I don't see it... And you most certainly don't want your test to include a time.Sleep(time.Minute) -- that is a lot of time in CI!

[e-n-0]

I pushed the commit just after the comment 😄
The thing is that the minute of the sampler is not configurable, it will be always 1 min.