Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

prep release: v1.34.0 #4198

Merged
merged 2 commits into from
Nov 15, 2023
Merged

prep release: v1.34.0 #4198

merged 2 commits into from
Nov 15, 2023

Conversation

goto-bus-stop
Copy link
Member

Note

When approved, this PR will merge into the 1.34.0 branch which will — upon being approved itself — merge into main.

Things to review in this PR:

  • Changelog correctness (There is a preview below, but it is not necessarily the most up to date. See the Files Changed for the true reality.)
  • Version bumps
  • That it targets the right release branch (1.34.0 in this case!).

🚀 Features

Authorization: dry run option (Issue #3843)

It is now possible to execute authorization directives without modifying the query, but still return the list of affected paths as top-level errors in the response. This allows testing authorization without breaking existing traffic. See documentation for authorization.dry_run.

By @Geal in #4079

Rhai: support alternative base64 alphabets (Issue #3783)

This adds support for alternative base64 alphabets:

  • STANDARD
  • STANDARD_NO_PAD
  • URL_SAFE
  • URL_SAFE_NO_PAD

They can be used as follows:

let original = "alice and bob";
let encoded = base64::encode(original, base64::URL_SAFE);
// encoded will be "YWxpY2UgYW5kIGJvYgo="
try {
    let and_back = base64::decode(encoded, base64::URL_SAFE);
    // and_back will be "alice and bob"
}

The default when the alphabet argument is not specified is STANDARD.

By @Geal in #3885

GraphOS authorization directives: policy directive (PR #3751)

⚠️ This is an Enterprise feature of the Apollo Router. It requires an organization with a GraphOS Enterprise plan.

If your organization doesn't currently have an Enterprise plan, you can test out this functionality by signing up for a free Enterprise trial.

We introduce a new GraphOS authorization directive called @policy, that is designed to offload authorization policy execution to a coprocessor or Rhai script. it extracts from the query the list of relevant policies, the coprocessor indicates which of those policies failed, then the router filters unauthorized fields, as it does with @authenticated and @requiresScopes. If you want to know more, check out the documentation.

By @Geal in #3751

Add a router request builder (Issue #3267)

The builder implementation was missing on the router request side, which means that router service level plugins cannot reuse the context if they unpack the request object.

By @Geal in #3430

Authorization directives are enabled by default (Issue #3842)

If the router starts with an API key from an Enterprise account, and the schema contains the authorization directives, then they will be usable directly without further configuration.

By @Geal in #3713

Add a flag to disable authorization error logs (Issue #4077 & Issue #4116)

Authorization errors need flexible reporting depending on the use case. They can now be configured as follows:

authorization:
  preview_directives:
    errors:
      log: true # default: true
      response: "errors" # possible values: "errors" (default), "extensions", "disabled"

Logging can be disabled if platform operators do not want to see the logs polluted by common authorization errors.
Errors in responses may be:

  • moved to extensions, to avoid raising exceptions in clients
  • or disabled entirely, in which case clients will not receive any authorization errors.

By @Geal in #4076 & #4122

Add a new studio reporting metric (Issue #3883)

Count how many reports we have submitted to studio, with a "type" attribute that indicates if reporting "traces" or "metrics".

By @garypen in #4039

🐛 Fixes

Bring Otel service.name into line with the Otel spec (PR #4034)

Handling of Otel service.name has been brought into line with the Otel spec across traces and metrics.

Service name discovery is handled in the following order:

  1. OTEL_SERVICE_NAME env
  2. OTEL_RESOURCE_ATTRIBUTES env
  3. router.yaml service_name
  4. router.yaml resources (attributes)

If none of the above are found then the service name will be set to unknown_service:apollo_router or unknown_service if the executable name cannot be determined.

Users who have not explicitly configured their service name should do so either via the yaml config file or via the OTEL_SERVICE_NAME environment variable.

By @BrynCooke in #4034

Rename helm template from common. to apollographql. (Issue #4002)

There is a naming clash with bitnami common templates used in other charts. This is unfortunate when used in a chart which has multiple dependencies where names may clash.

The straightforward fix is to rename our templates from common to apollographql.

By @garypen in #4005

Propagate headers for source stream events with subscription (Issue #3731)

Before the headers coming from the request were not propagated to the subgraph request when configured with headers plugin on subscription events. You had to use a Rhai script as a workaround, it's not required anymore.

By @bnjjj in #4057

Fix memory issues in the apollo metrics exporter (PR #4107)

There were a number of issues with the apollo metrics exporter which meant that under load the router would look as though it was leaking memory. It isn't a leak, strictly speaking, but is in fact "lingering" memory.

The root cause was a bounded futures channel which did not enforce the bounds as we expected and thus could over-consume memory. We have fixed the issue by:

  • making the situation of channel overflow less likely to happen
    • speeding up metrics processing
    • altering the priority of metrics submission vs metrics gathering
  • switching to use a tokio bounded channel which enforces the bound as we originally expected

With these changes in place we have observed that the router behaves very well with respect to memory consumption under high load.

By @garypen in #4107

Support authorization directive renaming (PR #3949)

When importing directives through the @link directive, they can be renamed. This makes sure that the authorization plugin can still recognize its directives when they have been renamed.

By @Geal in #3949

📃 Configuration

Bring telemetry tracing config and metrics config into alignment (Issue #4043)

Configuration between tracing and metrics was inconsistent and did not align with otel spec terminology. The following changes have been made to router.yaml configuration:

telemetry.tracing.trace_config has been renamed to common

telemetry
  tracing:
-   trace_config:
+   common:   

telemetry.tracing.common.attributes has been renamed to resource

telemetry
  tracing:
    common:
-      attributes:
+      resource:   

telemetry.metrics.common.resources has been renamed to resource

telemetry
  metrics:
    common:
-      resources:
+      resource:   

telemetry.tracing.propagation.awsxray has been renamed to aws_xray

telemetry
  tracing:
    propagation:
-      awsxray: true
+      aws_xray: true

The Router will upgrade any existing configuration on startup. However, you should update your configuration to use the new format as soon as possible.

By @BrynCooke in #4044, #4050 and #4051

🛠 Maintenance

Router should respond with subscription-protocol header for callback (Issue #3929)

Callback protocol documentation specifies that router responds with subscription-protocol: callback/1.0 header to the initialization (check) message. Currently router does not set this header on the response.

By @bnjjj in #3939

Use trust dns for hyper client resolver (Issue #4030)

Investigating memory revealed that the default hyper client DNS resolver had a negative impact on the memory footprint of the router.

It may also not be respecting TTL correctly. Let's replace the default with Trust DNS.

By @garypen in #4088

📚 Documentation

Clarify and fix docs about supported WebSocket subprotocols (PR #4063)

The way we previously documented the supported websocket protocols for router to subgraph communication was confusing.
This changeset brings more clarity around how to customise the websocket protocol, including the subgraph path that exposes websocket capabilities.

By @shorgi in #4063

@router-perf
Copy link

router-perf bot commented Nov 14, 2023

CI performance tests

  • events_big_cap_high_rate - Stress test for events with a lot of users, deduplication enabled and high rate event with a big queue capacity
  • events_without_dedup - Stress test for events with a lot of users and deduplication DISABLED
  • events - Stress test for events with a lot of users and deduplication ENABLED
  • large-request - Stress test with a 1 MB request payload
  • step - Basic stress test that steps up the number of users over time
  • xlarge-request - Stress test with 10 MB request payload
  • reload - Reload test over a long period of time at a constant rate of users
  • no-graphos - Basic stress test, no GraphOS.
  • xxlarge-request - Stress test with 100 MB request payload
  • step-jemalloc-tuning - Clone of the basic stress test for jemalloc tuning
  • const - Basic stress test that runs with a constant number of users

CHANGELOG.md Outdated Show resolved Hide resolved
@goto-bus-stop goto-bus-stop merged commit f37131d into 1.34.0 Nov 15, 2023
10 checks passed
@goto-bus-stop goto-bus-stop deleted the prep-1.34.0 branch November 15, 2023 09:55
>
> If your organization doesn't currently have an Enterprise plan, you can test out this functionality by signing up for a free Enterprise trial.

We introduce a new GraphOS authorization directive called `@policy`, that is designed to offload authorization policy execution to a coprocessor or Rhai script. it extracts from the query the list of relevant policies, the coprocessor indicates which of those policies failed, then the router filters unauthorized fields, as it does with `@authenticated` and `@requiresScopes`. If you want to know more, check out the [documentation](https://www.apollographql.com/docs/router/configuration/authorization#authenticated).
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

"..coprocessor or Rhai script. The new directive extracts the list of relevant policies from the query and the associated coprocessor indicates which of those policies failed. This result is then enforced by the router and it filters unauthorized fields, as it does with..."

PS: Where is the "suggestion" option?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants