dependabot[bot] opened a new pull request, #4251: URL: https://github.com/apache/servicecomb-java-chassis/pull/4251
Bumps [io.zipkin.zipkin2:zipkin](https://github.com/openzipkin/zipkin) from 2.26.0 to 3.1.0. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/openzipkin/zipkin/releases";>io.zipkin.zipkin2:zipkin's releases</a>.</em></p> <blockquote> <p>Zipkin 3.1 includes our first additional features since the 3.0 platform update. Notably gRPC span collection is enabled by default, Eureka registration includes more properties, and you can now disable the UI independent of the REST API. Those using kubernetes should have a second look at our <a href="https://github.com/openzipkin/zipkin-helm";>helm chart</a> which is recently renovated as well!</p> <p>While most won't see this, we'd like to give a special shout out to <a href="https://github.com/SamTV12345";><code>@SamTV12345</code></a> for helping renovate our javascript build. It was Sam's first change in the project and quite a big one. We'd like to thank all the users for your feedback and the continued support from our all volunteer team, notably <a href="https://github.com/reta";><code>@reta</code></a> and <a href="https://github.com/anuraaga";><code>@anuraaga</code></a> who've stuck here with you so long.</p> <p>Here are the changes end users might notice</p> <ul> <li><code>COLLECTOR_GRPC_ENABLED</code> is now true by default, accepting spans from the <a href="https://github.com/openzipkin/zipkin-api/blob/master/zipkin.proto";>zipkin.proto3.SpanService/Report</a> service hosted on the same HTTP port as the normal API (default 9411)</li> <li>Eureka registration now populates the <code>homePageUrl</code> and <code>statusPageUrl</code> fields, the latter used in the spring-cloud-netflix UI. This was thanks to upstream changes in Armeria driven by <a href="https://github.com/minwoox";><code>@minwoox</code></a></li> <li>New <code>UI_ENABLED</code> for users who wish to expose the query API, but not host the javascript UI.</li> </ul> <p>Here are the build related changes:</p> <ul> <li>UI build now uses vite. <a href="https://github.com/SamTV12345";><code>@SamTV12345</code></a> was the MVP of this change, which eliminated a build-time CVE. This was a quite a lot of work, and we're grateful for Sam's help. We also appreciate others work on this, too, notably <a href="https://github.com/anuraaga";><code>@anuraaga</code></a> who advised and pitched in a test migration PR.</li> <li><a href="https://github.com/reta";><code>@reta</code></a> switched us to SLF4J 2.0, with heaps of thanks to <a href="https://github.com/wilkinsona";><code>@wilkinsona</code></a> who helped us come to the same page on what versions do what.</li> <li>our zipkin-slim image now includes netty tcnative libraries.</li> </ul> <p>Thank folks who helped with changes you want and don't forget to <a href="https://github.com/openzipkin/zipkin/stargazers";>star the project</a> if you're happy with our continued efforts! If you'd like to get in touch, please chat on <a href="https://app.gitter.im/#/room/#openzipkin_zipkin:gitter.im";>gitter</a>. See you next release!</p> <p><strong>Full Changelog</strong>: <a href="https://github.com/openzipkin/zipkin/compare/3.0.6..3.1.0";>https://github.com/openzipkin/zipkin/compare/3.0.6..3.1.0</a></p> <p>Zipkin 3.0.6 updates to Armeria 1.27.1, fixes <code>ES_HTTP_LOGGING</code> and a glitch in Eureka registration.</p> <ul> <li>Armeria 1.27.1 helped us remove code around Eureka, which is now upstream, as well bring the server runtime to the latest Netty</li> <li><code>ES_HTTP_LOGGING</code> broke when we updated to SLF4J 2. <a href="https://github.com/reta";><code>@reta</code></a> resolved by bringing us back to the more compatible 1.7 plus config adjustment.</li> <li>Those using spring-cloud-sleuth were unable to discover zipkin even when it set env like <code>EUREKA_HOSTNAME</code>.</li> </ul> <h3>Eureka and spring-cloud</h3> <p>Skip this part unless you want to take a walk with us down troubleshooting lane!</p> <p><a href="https://github.com/Netflix/eureka/wiki";>Eureka</a> is a service registry originally started at Netflix. Zipkin can register itself in Eureka, allowing traced services to discover its listen address and health state. So, this is an alternative to normal DNS. We added support for this in Zipkin 2.27 and have been polishing that since.</p> <p>Before, we were testing Eureka integration with armeria. Armeria doesn't use the netflix/eureka codebase at all, as it implements its <a href="https://armeria.dev/docs/server-service-registration#eureka-based-service-registration-with-eurekaupdatinglistener";>api directly</a>. This is great for Armeria users as the <a href="https://github.com/Netflix/eureka";>Netflix/Eureka</a> codebase uses a lot of antique dependencies, some not updated in 8 years. However, it isn't a good test for zipkin for the same reason.</p> <p>Most users who use Eureka, use Spring Boot 2, and most of those who use zipkin, use <a href="https://spring.io/projects/spring-cloud-sleuth";>spring-cloud-sleuth</a> (which uses <a href="https://github.com/openzipkin/brave";>brave</a> internally). To get a better sense of confidence registration works in practice, we decided to update our sleuth example to use Eureka. The idea was to set a pseudo hostname in the zipkin endpoint: that would be replaced dynamically by a real endpoint in the "zipkin" application in Eureka. Then, we're all good.</p> <p>But, we weren't all good. This didn't work at all, as our example used a reactive <a href="https://docs.spring.io/spring-framework/reference/web/webflux.html";>WebFlux</a> configuration. For some reason, when a sleuth-instrumented application is using reactive, <a href="https://redirect.github.com/spring-cloud/spring-cloud-sleuth/issues/2339";>you cannot use Eureka to discover zipkin</a>. So, we backported our sleuth example to a version that can use Eureka. Ironically, we had to go back to <a href="https://docs.spring.io/spring-framework/reference/web/webmvc.html";>WebMvc</a> which was the original <a href="https://github.com/openzipkin-attic/sleuth-webmvc-example";>canonical zipkin example</a>! However, despite <a href="https://github.com/openzipkin/brave-example/tree/master/webmvc5-sleuth";>webmvc5-sleuth</a> using the right parts, the pseudo zipkin hostname wasn't replaced.</p> <p>In close inspection, the first thing we noticed was something <a href="https://cloud.spring.io/spring-cloud-sleuth/reference/html/#sending-spans-to-zipkin";>documented</a>, but <a href="https://redirect.github.com/spring-cloud/spring-cloud-netflix/issues/1788";>not entirely intuitive</a>. Documentation says to use the "service ID" as the pseudo-hostname in the zipkin URL, which would be replaced with the real hostname and port. In the case of Eureka, it seems intuitive to use the service to find instances of it. Specifically the Eureka application (<code>EUREKA_APP_NAME</code> of all zipkin instances). However, the "service ID" is not that, and it isn't even the <code>instanceId</code> in Eureka. Oddly, the "service ID" maps to the <code>vipAddress</code> field in Eureka, which is actually an instance's hostname! So, the strange thing is that the pseudo-hostname is actually the real hostname!</p> <p>Fine, so we put the <code>vipAddress</code> zipkin registered into Eureka into the hostname field as a quasi hostname, but still it didn't work. Stepping through a debugger, we found that if there is a port in the hostname (e.g. zipkin-server:9411) the configuration code assumes it is not something to look up, rather something already resolved. This led to a realization that the <code>vipAddress</code> having a port encoded, was actually a <a href="https://redirect.github.com/line/armeria/pull/5451";>config default bug</a>, but a simple one to work around. In 3.0.6, when someone sets <code>EUREKA_HOSTNAME</code>, we also set <code>vipAddress</code> explicitly to avoid the accidental port adding default.</p> <p>Voilla! Finally, we're all good: sleuth replaces <code>vipAddress</code> with that same address and also a port, and it could have only gotten that from eureka info. While it feels like a lot of work to accomplish little, people will still get the other benefits of Eureka (specifically spring-cloud-netflix use of it) including health checking and discovery of other endpoints besides the one you knew about and stuffed into the zipkin URL. While not as ideal as specifying the app name, this approach isn't completely unique to spring. Other technology sometimes ask for "well known addresses" in order to find the rest of a cluster.</p> <p>Through comments and issue links in the <a href="https://github.com/openzipkin/brave-example/tree/master/webmvc5-sleuth";>webmvc5-sleuth</a> example, we containerized this hard earned experience, to save future maintainers work trying to figure it all out again. In other words, they don't have to read these release notes and can just use the working binary.</p> <p>The moral of the story, is: integration test things twice or three times if you can, as some behaviors are not necessarily intuitive. If you have more integrations, all the strange things will present themselves. While painful to get through all of the troubleshooting, it is definitely better to have the project bear this weight than relying on end users to figure it out!</p> <h4>Follow-up</h4> <p>Immediately after this release, spring-cloud-sleuth released <a href="https://github.com/spring-cloud/spring-cloud-sleuth/releases/tag/v3.1.11";>3.1.11</a> which fixed WebFlux discovery with Eureka. Hence, we our the <a href="https://github.com/openzipkin/brave-example/tree/master/webflux5-sleuth";>webflux5-sleuth</a> example, while still keeping the webmvc one. All our Eureka-compatible examples are integration tested against a <a href="https://github.com/openzipkin/brave-example/blob/master/build-bin/docker-compose-eureka.test.yml";>real eureka server</a> on change now, to prevent unknowing regressions in the future.</p> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/openzipkin/zipkin/commit/a29a97e26578845927653fe1fd605b26bfd7b3fb";><code>a29a97e</code></a> [maven-release-plugin] prepare release 3.1.0</li> <li><a href="https://github.com/openzipkin/zipkin/commit/09c523d842ab2c40a9c49cf6fef0c2777b21dea3";><code>09c523d</code></a> docker: fixes native library config (<a href="https://redirect.github.com/openzipkin/zipkin/issues/3738";>#3738</a>)</li> <li><a href="https://github.com/openzipkin/zipkin/commit/c65ce5c4573b516da5b9e5d7d6206d3c26d7a6a5";><code>c65ce5c</code></a> updates depedencies to latest versions, notably fixing Eureka (<a href="https://redirect.github.com/openzipkin/zipkin/issues/3737";>#3737</a>)</li> <li><a href="https://github.com/openzipkin/zipkin/commit/a16330351ad3cd6d01c63406ea03b58e51d188ce";><code>a163303</code></a> Switch logging to SLF4J 2.x (<a href="https://redirect.github.com/openzipkin/zipkin/issues/3736";>#3736</a>)</li> <li><a href="https://github.com/openzipkin/zipkin/commit/b90cee9e460a8a0e1832497c9291aed80c1e9619";><code>b90cee9</code></a> disables the spring banner via empty banner.txt (<a href="https://redirect.github.com/openzipkin/zipkin/issues/3734";>#3734</a>)</li> <li><a href="https://github.com/openzipkin/zipkin/commit/01ae5d8decfd39aec8b5ef511b9567e4e58f4540";><code>01ae5d8</code></a> deps: updates to tcnative 2.0.63.Final (<a href="https://redirect.github.com/openzipkin/zipkin/issues/3733";>#3733</a>)</li> <li><a href="https://github.com/openzipkin/zipkin/commit/0970acb754ffe556f4d2d3ced6014e6be69a9690";><code>0970acb</code></a> grpc: enables collector by default (<a href="https://redirect.github.com/openzipkin/zipkin/issues/3732";>#3732</a>)</li> <li><a href="https://github.com/openzipkin/zipkin/commit/d43412e054d542144be955e4c28897bf6459e0ce";><code>d43412e</code></a> Adds UI_ENABLED mapping to make more obvious how to disable it (<a href="https://redirect.github.com/openzipkin/zipkin/issues/3731";>#3731</a>)</li> <li><a href="https://github.com/openzipkin/zipkin/commit/154f2f298c4c170c68743e1066a805d530af4a7b";><code>154f2f2</code></a> Fix UiConfig test (<a href="https://redirect.github.com/openzipkin/zipkin/issues/3729";>#3729</a>)</li> <li><a href="https://github.com/openzipkin/zipkin/commit/aa68d18d8507d77593333c5ee07b9eb4591bf68a";><code>aa68d18</code></a> lens: fixes all trivy detectable CVEs by upgrading vitest (<a href="https://redirect.github.com/openzipkin/zipkin/issues/3728";>#3728</a>)</li> <li>Additional commits viewable in <a href="https://github.com/openzipkin/zipkin/compare/2.26.0...3.1.0";>compare view</a></li> </ul> </details> <br /> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
