Move _dd.apm.enabled tag in tracing root span

[vpellan]

What does this PR do?

• It moves the addition of _dd.apm.enabled tag to spans in tracing root spans.
• It removes most references to AppSec standalone and replace it by "non_billing" mode (as "APM tracing disabled" can be confusing because this does not completely disables tracing, and we already have a way to completely disable tracing)

It does NOT change the env var DD_EXPERIMENTAL_APPSEC_STANDALONE_ENABLED to a new one (as the discussion is still ongoing and most likely will stay continue until next quarter)

Motivation:
During the review of Standalone SCA system-tests, I found out that enabling 'Standalone Appsec Billing' (DD_EXPERIMENTAL_APPSEC_STANDALONE_ENABLED=true) and disabling 'Appsec Threats' ( DD_APPSEC_ENABLED=false ) would make the tests fails as _dd.apm.enabled is set in appsec Rack middleware.

This is not correct as this tag is suppose to communicate to the Agent that we should not bill for APM traces, and Standalone Appsec Billing will still limit the number of traces to 1 per minute to keep services alive on the backend side even if Appsec Threats is not enabled, thus the traces must contain that tag. But appsec can have a lot of different service as root span, so we must add it in other integrations too.

Change log entry

None.

How to test the change?

Standalone SCA system-tests (./run.sh SCA_STANDALONE) should XPASS (or pass if force executed)

[pr-commenter]

Benchmarks

Benchmark execution time: 2024-12-10 15:36:54

Comparing candidate commit eeffb42 in PR branch vpellan/move-dd-apm-enabled-tag with baseline commit c07a8d4 in branch master.

Found 1 performance improvements and 0 performance regressions! Performance is the same for 30 metrics, 2 unstable metrics.

scenario:profiler - sample timeline=false

• 🟩 throughput [+0.547op/s; +0.562op/s] or [+9.088%; +9.344%]

[codecov-commenter]

Codecov Report

Attention: Patch coverage is 98.93048% with 2 lines in your changes missing coverage. Please review.

Project coverage is 97.78%. Comparing base (c07a8d4) to head (fd7b84c).
Report is 13 commits behind head on master.

Files with missing lines	Patch %	Lines
lib/datadog/tracing/configuration/settings.rb	84.61%	2 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##           master    #4141      +/-   ##
==========================================
+ Coverage   97.77%   97.78%   +0.01%     
==========================================
  Files        1357     1355       -2     
  Lines       81973    82015      +42     
  Branches     4168     4173       +5     
==========================================
+ Hits        80145    80195      +50     
+ Misses       1828     1820       -8     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[p-datadog]

In #3965 @anmarchenko mentioned tracing gaining a dependency on appsec and that pattern appears to continue here. I my opinion it would be better for tracing to provide hooks that appsec will hook into to avoid tracing referencing appsec in code, but I am not developing either part of the library.

I do also find it hard to ascertain whether the code behaves correctly - this PR sets APM enabled to 0 from tracing, but it is not clear from the diff where/under what conditions APM enabled is set to 1 (or if that happens at all).

[TonyCTHsu]

Can you elaborate the reason about tagging a rack span specifically?

[vpellan]

The env var name DD_EXPERIMENTAL_APPSEC_STANDALONE_ENABLED is temporary, and what Standalone Appsec actually does is disabling tracing (or more precisely rate-limiting it at 1 trace per minute), and when 'Appsec' is activated along 'Standalone Appsec' (as Standalone Appsec does not in fact activate Appsec by itself), it force-keep traces that contains Appsec events.

There is a RFC currently being reviewed to find the final name for this env var, which will most likely be DD_TRACE_APM_ENABLED. When it will be approved, I will also change the configuration from Datadog.configuration.appsec.standalone.enabled to something like Datadog.configuration.tracing.apm.enabled, which will make more sense and show that there is no dependency from appsec in tracing (but the other way will be true, which already is anyway)

[vpellan]

Can you elaborate the reason about tagging a rack span specifically?

For now, the only product other than tracing that uses traces is Appsec, and in Appsec we only instrument rack-based apps (Rails, Sinatra, Rack itself...)
But maybe we could tag somewhere else, like in http frameworks, now that we have moved this part in tracing. What do you think of adding that tag on the HTTP level ? Or should we stick to Rack, and maybe also add other frameworks like sidekiq ?

[TonyCTHsu]

I understand this is experimental feature but similar concern with shotgun surgery and product coupling has been raised in the previous pull request code review, that signals the severity of design issue.

1. It is hard to make sense of the convention and logic using Datadog.configuration.tracing.apm.enabled, which APM includes multiple products including profiling.
2. I can see similar approach like rack, that AppSec contains the 3rd party patches that depends on TraceOperation.
3. Or maybe other kinds of dependency injection mechanism

Overall, the requirements (some kinds of hook systems, perhaps could be encompassed by @lloeki 's Instrumentation API ?) are not clear and I am afraid that if we are indifferent now could cast a long shadow in the future.

[y9v]

does it make sense to find the root span here and not the rack span?

[vpellan]

Yes, this is changed in e0c503a

Note that "non-billing" naming is temporary.

[y9v]

reminder: please change this branch to master before merging

[y9v]

does it make sense to find the root span here and not the rack span?

[vpellan]

As of 27th. of November, the scope of this PR has been changed to moving all "non-billing" mode code to Tracing part.
("Non billing" mode is what was previously referred as "ASM Standalone" mode, that is now referred as "APM Tracing disabled" mode, but since we have already have a different way to completely disable tracing, I refer to it as non-billing mode in this PR to differentiate both, but please note that this is not the official naming for this feature)
This is still a WIP (specs not updated) so I changed this PR back to Draft

[datadog-datadog-prod-us1]

Datadog Report

Branch report: vpellan/move-dd-apm-enabled-tag
Commit report: eeffb42
Test service: dd-trace-rb

✅ 0 Failed, 22057 Passed, 1458 Skipped, 6m 10.58s Total Time
⌛ 1 Performance Regression

⌛ Performance Regressions vs Default Branch (1)

• loading of products datadog/di loads successfully by itself - rspec 14.75s (+13.48s, +1062%) - Details

[github-actions]

👋 Hey @DataDog/ruby-guild, please fill "Change log entry" section in the pull request description.

If changes need to be present in CHANGELOG.md you can state it this way

**Change log entry**

Yes. A brief summary to be placed into the CHANGELOG.md

(possible answers Yes/Yep/Yeah)

Or you can opt out like that

**Change log entry**

None.

(possible answers No/Nope/None)

^{Visited at: 2024-12-10 15:07:36 UTC}

[p-datadog]

This method name contains two negatives. I would prefer something like should_send? for example but before renaming let's figure out the overall name for the setting.

[Strech]

Could we highlight that "temporary" nature in the name? It's a big ask to name it ENV_APM_ENABLED, but actually check for standalone feature

P.S let's do it only if it makes sense (merged before RFC is in final state)