aws-observability / aws-otel-test-framework

AWS Distro for OpenTelemetry Test Framework
https://aws-otel.github.io/
Apache License 2.0
30 stars 62 forks source link

Bump the trace-java-client-gradle-deps group in /trace-java-client with 4 updates #1615

Closed dependabot[bot] closed 5 months ago

dependabot[bot] commented 6 months ago

Bumps the trace-java-client-gradle-deps group in /trace-java-client with 4 updates: io.opentracing.brave:brave-opentracing, io.zipkin.zipkin2:zipkin, io.zipkin.reporter2:zipkin-sender-okhttp3 and io.zipkin.brave:brave.

Updates io.opentracing.brave:brave-opentracing from 1.0.0 to 1.0.1

Commits


Updates io.zipkin.zipkin2:zipkin from 2.25.2 to 3.3.0

Release notes

Sourced from io.zipkin.zipkin2:zipkin's releases.

Zipkin 3.3 is maintenance only with no new features since the last release.

Notably, this raises the floor JRE version of libraries except core from 11 to 17. The only reason we had 11 in the past was due to Spark limitations that affected zipkin-dependencies. This was resolved by Spark 3.4, which we were recently able to upgrade to once libraries we used all became compatible with it.

Also, we now run Trivy security and misconfiguration scanner on every commit, in support of our new security policy. This policy was designed around the norms of our maintenance community, which is currently 100pct volunteers with no dedicated paid time for the project.

We appreciate Trivy adjusting the open source code for the somewhat unique needs of tracing projects: it requires running tests on old library versions. Their open mindedness in classification policy was critical in coming up with a policy at all. We need to focus the small amount of time we have available to the most important alerts, and not the noise: now we can.

Zipkin 3.2.1 fixes a regression where libraries that improve network performance (netty-tcnative) were not included in the main zipkin jar, resulting in unpublished Docker images.

Zipkin 3.2 improves accessibility blindness and language controls.

Before, there was no way to control "dark mode". Also, the color scheme lacked contrast and other features to support vision accessibility. @​giaroc's first commit to zipkin knocked this out of the park, resulting in an easier to read and control UI.

before:

after:

Full Changelog: https://github.com/openzipkin/zipkin/compare/3.1.1..3.2.0

Zipkin 3.1.1 is a hardening release, notably polishing out some UI glitches and experience problems for Cassandra users. Thanks a lot for all the feedback and patience, as we delayed this patch until we felt confident glitches were handled in a way that would be easy to diagnose in the future!

UI Fixes

Users and maintainers have noticed a few glitches since our UI moved from the abandoned react-scripts to vite for packaging. We think we've corrected everything at this point, but please reach out if you believe we didn't.

  • Fixed our test image ghcr.io/openzipkin/zipkin-ui resulting in 404s
  • Fixed handling of the env variable ZIPKIN_UI_BASEDIR, used when zipkin is deployed in a proxying

Cassandra and SASI default change

When STORAGE_TYPE=cassandra3, zipkin uses a feature called SASI for search features. This was enabled by default in Cassandra 3.11+, but in 4.x it became disabled by default.

Unlike schema settings, sasi_indexes_enabled: true is not something zipkin can change. Before, we weren't logging this critical setup problem, so users upgrading from cassandra 3 to 4 had a very hard time figuring it out. We now properly log what's going on, with more context. Ideally, this will help folks correct their configuration.

Here's an example, if you use the default cassandra docker image which has SASI disabled

2024-03-07T08:02:47.184+08:00 ERROR [/] 83635 --- [cking-tasks-2-1] z.s.c.Schema                             : Failed to execute [CREATE CUSTOM INDEX IF NOT EXISTS ON zipkin2.span (l_service) USING 'org.apache.cassandra.index.sasi.SASIIndex'
   WITH OPTIONS = {'mode': 'PREFIX'}]: SASI indexes are disabled. Enable in cassandra.yaml to use.

Build updates

While these changes won't impact end users, they do affect forks and are important.

  • we moved from long form license headers to SPDX ID

... (truncated)

Commits
  • dfd8ee2 [maven-release-plugin] prepare release 3.3.0
  • 1ed6c4a Adds SECURITY.md and scanning workflow (#3764)
  • b44940d Raises floor JRE version from 11 to 17 except core (#3763)
  • 846ad9a docker: fixes building zipkin from source (#3762)
  • 6248dd2 docker: gives more memory to prevent crash on OOM (#3761)
  • e941823 [maven-release-plugin] prepare for next development iteration
  • abed874 [maven-release-plugin] prepare release 3.2.1
  • 82c26a2 Restores tcnative accidentally left out of 3.2.0 (#3760)
  • 2de2642 [maven-release-plugin] prepare for next development iteration
  • 9300c35 [maven-release-plugin] prepare release 3.2.0
  • Additional commits viewable in compare view


Updates io.zipkin.reporter2:zipkin-sender-okhttp3 from 2.17.1 to 3.4.0

Release notes

Sourced from io.zipkin.reporter2:zipkin-sender-okhttp3's releases.

Zipkin Reporter 3.4 deprecates AsyncReporter/SpanHandler queuedMaxBytes and disables it by default.

When introduced, AsyncReporter had three ways to trigger a queue flush:

  • queuedMaxSpans - when the number of spans in the queue exceeds a threshold
  • queuedMaxBytes - when the size of the spans in the queue exceeds a threshold
  • messageTimeout - when a span has been in the queue longer than a threshold

queuedMaxBytes was deprecated because requires time in the critical path, to calculate the size of a span to make sure it doesn't breach the threshold. This is problematic in tools that check for pinning, like Virtual Threads.

Thanks a lot to @​reta for sorting this out!

Full Changelog: https://github.com/openzipkin/zipkin-reporter-java/compare/3.3.0..3.4.0

Zipkin Reporter 3.3 adds a BaseHttpSender type, which eases http library integration. It also adds HttpEndpointSupplier which supports dynamic endpoint discovery such as from Eureka, as well utilities to create constants or rate-limit suppliers. Finally, brave users get a native PROTO3 encoder through the new MutableSpanBytesEncoder type.

These features were made in support of spring-boot, but available to any user with no new dependencies. For example, the PROTO encoder adds no library dependency, even if it increases the size of zipkin-reporter-brave by a couple dozen KB. A lion's share of thanks goes to @​reta and @​anuraaga who were on design and review duty for several days leading to this.

Here's an example of pulling most of these things together, integrating a sender with spring-cloud-loadbalancer (a client-side loadbalancer library).

This endpoint supplier will get the configuration endpoint value and look up the next target to use with the loadBalancerClient. The rate limiter will ensure a gap of 30 seconds between queries. While below is hard-coded, it covers some routine advanced features formerly only available in spring-cloud-sleuth. Now, anyone can use them!

@Configuration(proxyBeanMethods = false)
public class ZipkinDiscoveryConfiguration {
  @Bean HttpEndpointSupplier.Factory loadbalancerEndpoints(LoadBalancerClient loadBalancerClient) {
    LoadBalancerHttpEndpointSupplier.Factory httpEndpointSupplierFactory =
        new LoadBalancerHttpEndpointSupplier.Factory(loadBalancerClient);
    // don't ask more than 30 seconds (just to show)
    return HttpEndpointSuppliers.newRateLimitedFactory(httpEndpointSupplierFactory, 30);
  }

record LoadBalancerHttpEndpointSupplier(LoadBalancerClient loadBalancerClient, URI virtualURL) implements HttpEndpointSupplier { record Factory(LoadBalancerClient loadBalancerClient) implements HttpEndpointSupplier.Factory {

  @Override public HttpEndpointSupplier create(String endpoint) {
    return new LoadBalancerHttpEndpointSupplier(loadBalancerClient, URI.create(endpoint));
  }
}

@Override public String get() {
  ServiceInstance instance = loadBalancerClient.choose(virtualURL.getHost());
  if (instance != null) {
    return instance.getUri() + virtualURL.getPath();
  }
  throw new IllegalArgumentException(virtualURL.getHost() + " is not registered");
}

@Override public void close() {
}

</tr></table>

... (truncated)

Commits
  • 0af48b8 [maven-release-plugin] prepare release 3.4.0
  • 22b6727 Adds spring-beans context test and defaults to Spring 5 (#265)
  • fcc67bb Deprecates AsyncReporter/SpanHandler queuedMaxBytes (#264)
  • e54db40 ci: adds lint check, fixes yaml formatting and unnecessary auth (#263)
  • f30ee66 AsyncReporter/SpanHandler: make queuedMaxBytes=0 disable pre-flight size chec...
  • 0c62f8b benchmarks: moves dependency scope to test (#262)
  • 939b6e4 deps: fix kafka floor JRE to 8 and updates all libs to latest (#261)
  • 16686ce license: removes copyright year and uses SPDX ID (#257)
  • f3b9cf7 [maven-release-plugin] prepare for next development iteration
  • 9b4489e [maven-release-plugin] prepare release 3.3.0
  • Additional commits viewable in compare view


Updates io.zipkin.brave:brave from 5.17.0 to 6.0.3

Release notes

Sourced from io.zipkin.brave:brave's releases.

Brave 6.0.3 including the following minor changes. Thanks very much to @​reta and @​anuraaga for review support!

  • fixes bug that allowed setting local or remote service names to the empty string ("")
  • fixed thread safety issue when using Tag.tag
  • ports brave-instrumentation-mongodb to work on the new org.mongodb:mongodb-driver-core v5
    • Note: the floor JRE of this instrumentation is now 1.7, where it formerly was 1.6
  • changes license headers to SPDX style, as used in zipkin and zipkin-reporter

Full Changelog: https://github.com/openzipkin/brave/compare/6.0.2..6.0.3

Brave 6.0.2 fixes a propagation glitch on kafka streams processors using context.forward(). Tons of thanks to @​frosiere for the help on this! We also changed how dependencies are managed so that less false-positives show up due to our backwards compatability testing. We appreciate your continued use and feedback!

Full Changelog: https://github.com/openzipkin/brave/compare/6.0.1..6.0.2

Brave 6.0.1 simplifies internals of the json encoder and kafka-streams instrumentation. It also fixes a bug where a Tag<Throwable> passed to MutableSpanBytesEncoder.zipkinJsonV2 always used the key "error" even when set to something else. Finally @​reta fixed a flakey JMS integration test which was plaguing our CI builds!

Full Changelog: https://github.com/openzipkin/brave/compare/6.0.0..6.0.1

Brave 6 removes all modules and functions deprecated in Brave 5.x. It no longer has any dependency on io.zipkin.zipkin2:zipkin. Special thanks to @​reta and @​anuraaga for a lot of review support leading to this release!

No more deprecated functions

The final release of Brave 5 with deprecated functions was 5.18.1. Removing these functions was the only way to decouple Brave from zipkin's core library (io.zipkin.zipkin2:zipkin). However, this does not change Brave's floor Java 6 support. We still integration test this via the brave-example repository.

Here's an example of a working Java 6 and Spring 2.5 application, which is 280KB smaller due to use of the lean combination of Brave 6 and Zipkin Reporter 3.x:

# brave 5.18.1
3860    target/brave-example-webmvc25-1.0-SNAPSHOT.war
# brave 6.0.0
3580    target/brave-example-webmvc25-1.0-SNAPSHOT.war

No more io.zipkin.reporter2:zipkin-reporter or io.zipkin.zipkin2:zipkin dependencies

io.zipkin.brave:brave-bom used to manage zipkin-reporter dependencies. Since Brave no longer has dependencies on zipkin, it no longer manages them.

This impact is that users will need to manage their own versions for zipkin-reporter, likely via io.zipkin.reporter2:zipkin-reporter-bom described in the zipkin-reporter README.

To fully remove a zipkin core library dependency from your traced applications, use io.zipkin.reporter2:zipkin-reporter-brave 3.x AsyncZipkinSpanHandler. This is described in the zipkin-reporter README. You can expect currently maintained frameworks to do this on your behalf.

Thanks for your patience with the major upgrade. Things like this allow easier maintenance and a longer life for Brave, particularly as zipkin-server moves ahead with later Java versions.

Full Changelog: https://github.com/openzipkin/brave/compare/5.17.1..5.18.1

Brave 5.18 prepares for Brave 6 by deprecating instrumentation for libraries not released in 1.5-3.5 years including:

  • context/rxjava2 - last released Feb 2021
    • replaced by RxJava3, but unlikely this module will be ported as it wasn't used widely.
  • instrumentation/dubbo-rpc - (alibaba) last released Dec 2021

... (truncated)

Commits
  • 95ae4c2 [maven-release-plugin] prepare release 6.0.3
  • 08e8e39 Fixes thread safety issue in Tag.tag (#1434)
  • 57f27e2 license: removes copyright year and uses SPDX ID (#1433)
  • 170c79f Speeds up dubbo tests, aligns conventions and bumps deps (#1432)
  • ef6fbbd Adds support for org.mongodb:mongodb-driver-core v5 (#1431)
  • fe3c8b4 fixes bug setting service names to empty (#1428)
  • 69e30f3 Adds BaggagePropagation benchmarks for decorate (#1425)
  • b7ece7b Consolidates notes on "extra" data (#1424)
  • d8dc495 benchmarks: moves dependency scope to test (#1422)
  • 5552507 [maven-release-plugin] prepare for next development iteration
  • Additional commits viewable in compare view


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself) - `@dependabot ignore minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself) - `@dependabot ignore ` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself) - `@dependabot unignore ` will remove all of the ignore conditions of the specified dependency - `@dependabot unignore ` will remove the ignore condition of the specified dependency and ignore conditions
dependabot[bot] commented 5 months ago

Looks like these dependencies are updatable in another way, so this is no longer needed.