prep release: v1.30.0

[abernix]

Note

When approved, this PR will merge into the 1.30.0 branch which will — upon being approved itself — merge into main.

Things to review in this PR:

• Changelog correctness (There is a preview below, but it is not necessarily the most up to date. See the Files Changed for the true reality.)
• Version bumps
• That it targets the right release branch (1.30.0 in this case!).

---

🚀 Features

Rhai Support at the router_service (Issue #2278)

It is now possible to interact with some aspects of requests and responses at the router_service level using Rhai-based customizations. The functionality is very similar to that provided for interacting with existing services, for example supergraph_service. For instance, you may "map" requests and responses as follows:

fn router_service(service) {
    const request_callback = Fn("process_request");
    service.map_request(request_callback);
    const response_callback = Fn("process_response");
    service.map_response(response_callback);
}

The main difference from existing services is that the router_service allows operating at an HTTP transport layer rather than the more structured GraphQL representations available at later service layers, like the supergraph service.

Initially, we are not allowing access to the body property itself. This issue tracks changing that in the future. For now, it is possible to access the context and headers.

By @garypen in #3234

🐛 Fixes

Small performance improvements to telemetry (PR #3656)

We applied some small performance improvements to the SpanMetricsExporter (which is used to report span timings), some of which apply in cases where telemetry is disabled and could be apparent to most users.

By @Geal in #3656

Handle interfaces in fragment spreads when __typename is omitted (Issue #2587)

We now check the parent type when using an inline-fragment, rather than relying on the expectation that __typename will be present. For cases where __typename was being omitted, this fixes responses where a portion of the selection set was silently dropped and not returned.

By @o0Ignition0o and @geal in #3718

Deduplication is, again, enabled by default as documented (PR #3773)

Subscription deduplication is again enabled by default as it was intended to be. This important performance feature for subscriptions at scale was inadvertently disabled in v1.25.0 due to a bug.

To explicitly disable deduplication, set enable_deduplication to false in your configuration.

By @bnjjj in #3773

Metrics are no longer coerced incorrectly (Issue #3687)

Metric attributes are no longer incorrectly coerced to strings. In addition, the logic around types which are accepted as metrics attributes has been simplified to avoid this in the future. Going forward, if the wrong type is specified, values will be ignored and a log message (at debug level) will be emitted.

By @BrynCooke in #3724

Optimizations applied to header-handling operations (Issue #3068)

Latency and overhead of passing headers to subgraph queries has been reduced.

By @Geal in #3721

Avoid request overhead when telemetry is not enabled

The overhead of OpenTelemetry has been removed when no tracing exporters are configured.

This also improves performance when sampling criteria has not been met by preventing unsampled sampled trace events from propagating to the rest of the OpenTelemetry stack.

By @Geal in #2999

Subgraph authentication: Apply signature after compression and APQ (Issue #3608)

The router will now sign subgraph requests just before they are sent to the subgraph (i.e., a bit later than previously), following up on the functionality of subgraph authentication which was first introduced in v1.27.0.

This fixes interactions with:

• Subgraph Automatic Persisted Queries (APQ)
• Subgraph HTTP compression
• Custom plugins that operate on the subgraph service (whether via Co-Processors, Rhai or a compiled Rust plugin)

In most cases, the interactions between these features and the subgraph authentication feature were problematic and required disabling one or the other in order to generate a request that was correctly signed by the signature algorithm. This should all be resolved.

By @o0Ignition0o in #3735

Handle multipart stream if the original stream was empty (Issue #3293)

Multi-part response streams (which are used for subscriptions and operations which include @defer directive) are now terminated correctly when the response stream is empty.

By @bnjjj in #3748

Subscriptions: Include x-accel-buffering header on multipart responses (Issue #3683)

Setting the x-accel-buffering header to no for multipart responses allows certain proxies to configure themselves in a mode that is compatible with the buffering used by subscriptions. This improves Subscriptions' compatibility with existing infrastructure.

By @bnjjj in #3749

🛠 Maintenance

Our Rust Toolchain has been updated to v1.72.0 (PR #3707)

Our Rust Toolchain has been updated to v1.72.0. For the majority of our users (those who do not compile their own Router from source), this change will not have any impact. Otherwise, Rust 1.72.0 can now be used.

By @o0Ignition0o in #3707

Replace atty crate with std (PR #3729)

To resolve a security advisory (for which our usage was not affected), we've replaced atty with std. Instead, we now use equivalent functionality available in the Rust standard library, available since Rust v1.70.0.

• https://github.com/apollographql/router/security/dependabot/68
• https://doc.rust-lang.org/stable/std/io/trait.IsTerminal.html

By @SimonSapin in #3729

Upgrade webpki and rustls-webpki (PR #3728)

These two dependency updates brings fixes for two separate security advisories:

• https://rustsec.org/advisories/RUSTSEC-2023-0052
• https://rustsec.org/advisories/RUSTSEC-2023-0053

Since Apollo Router does not accept client certificates, it could only have been affected if a subgraph had provided a pathological TLS server certificate.

By @SimonSapin in #3728

📚 Documentation

GraphOS authorization: Exemplify scope manipulation with Rhai at the router service level (PR #3719)

New Authorization documentation shows the how to use Rhai script to extract scopes and prepare them in the correct way, for use with @requiresScope. This becomes relevant since @requiresScopes expects scopes to come from the scope claim in the OAuth2 access token format while tokens may have scopes stored differently, e.g., as an array of strings, or even as different claims. If you have further questions on the right choice for you, please open a GitHub Discussion that provides an example of what you need to achieve.

By @Geal in #3719

[router-perf]

CI performance tests

• events_big_cap_high_rate - Stress test for events with a lot of users, deduplication enabled and high rate event with a big queue capacity
• events_without_dedup - Stress test for events with a lot of users and deduplication DISABLED
• events - Stress test for events with a lot of users and deduplication ENABLED
• large-request - Stress test with a 1 MB request payload
• step - Basic stress test that steps up the number of users over time
• xlarge-request - Stress test with 10 MB request payload
• reload - Reload test over a long period of time at a constant rate of users
• no-graphos - Basic stress test, no GraphOS.
• xxlarge-request - Stress test with 100 MB request payload
• step-jemalloc-tuning - Clone of the basic stress test for jemalloc tuning
• const - Basic stress test that runs with a constant number of users