Skip to content

auth: add span to FetchToken helpers #10231

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Jun 14, 2024
Merged

auth: add span to FetchToken helpers #10231

merged 1 commit into from
Jun 14, 2024

Conversation

jedevc
Copy link
Contributor

@jedevc jedevc commented May 15, 2024

Before this, during a call to the docker resolver, we would generate span wrappers for each HTTPRequest correctly, however, as the docker resolver reaches out to the docker authorizer, it could create HTTP requests (for fetching tokens) that would not be wrapped in any span.

This can result in rather confusing traces, e.g. something like:

remotes.docker.resolver.HTTPRequest
	HTTP HEAD (fetch index, fails with 401)
HTTP GET (fetch token)
remotes.docker.resolver.HTTPRequest
	HTTP HEAD (fetch index)
remotes.docker.resolver.HTTPRequest
	HTTP GET (fetch manifest)

By adding a span into the FetchToken, this trace becomes a little easier to consume:

remotes.docker.resolver.HTTPRequest
	HTTP HEAD (fetch index, fails with 401)
remotes.docker.resolver.FetchToken
	HTTP GET (fetch token)
remotes.docker.resolver.HTTPRequest
	HTTP HEAD (fetch index)
remotes.docker.resolver.HTTPRequest
	HTTP GET (fetch manifest)

I think this is the right kind of approach for this. However, maybe it makes more sense to add this in the authHandler instead? Happy to discuss 🎉

@jedevc
auth: add span to FetchToken helpers
9831a62 
Before this, during a call to the docker resolver, we would generate
span wrappers for each HTTPRequest correctly, however, as the docker
resolver reaches out to the docker authorizer, it could create HTTP
requests (for fetching tokens) that would not be wrapped in any span.

This can result in rather confusing traces, e.g. something like:

	remotes.docker.resolver.HTTPRequest
		HTTP HEAD (fetch index, fails with 401)
	HTTP GET (fetch token)
	remotes.docker.resolver.HTTPRequest
		HTTP HEAD (fetch index)
	remotes.docker.resolver.HTTPRequest
		HTTP GET (fetch manifest)

By adding a span into the FetchToken, this trace becomes a little easier
to consume:

	remotes.docker.resolver.HTTPRequest
		HTTP HEAD (fetch index, fails with 401)
	remotes.docker.resolver.FetchToken
		HTTP GET (fetch token)
	remotes.docker.resolver.HTTPRequest
		HTTP HEAD (fetch index)
	remotes.docker.resolver.HTTPRequest
		HTTP GET (fetch manifest)

Signed-off-by: Justin Chadwell <me@jedevc.com>
@k8s-ci-robot
Copy link

Hi @jedevc. Thanks for your PR.

I'm waiting for a containerd member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@jedevc jedevc mentioned this pull request May 15, 2024
Merged
kzys
kzys reviewed May 17, 2024
View reviewed changes
Copy link
Member

@kzys kzys left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/ok-to-test

@jedevc
Copy link
Contributor Author

jedevc commented Jun 12, 2024

Bump - any issues with this?

@mxpv mxpv added this pull request to the merge queue Jun 14, 2024
thaJeztah
thaJeztah reviewed Jun 14, 2024
View reviewed changes
core/remotes/docker/auth/fetch.go
@@ -95,6 +96,10 @@ type OAuthTokenResponse struct {

// FetchTokenWithOAuth fetches a token using a POST request
func FetchTokenWithOAuth(ctx context.Context, client *http.Client, headers http.Header, clientID string, to TokenOptions) (*OAuthTokenResponse, error) {
c := *client
client = &c
tracing.UpdateHTTPClient(client, tracing.Name("remotes.docker.resolver", "FetchTokenWithOAuth"))
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not 100% sure what the conventions are; should this include "auth" (remotes.docker.auth.resolver) if this follows the name of the package we're in?

Merged via the queue into containerd:main with commit ab61734 Jun 14, 2024
@jedevc jedevc deleted the add-get-token-span branch July 15, 2024 11:22
@jedevc jedevc mentioned this pull request Jul 23, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@kzys kzys kzys left review comments

@thaJeztah thaJeztah thaJeztah left review comments

@dmcgowan dmcgowan dmcgowan approved these changes

@mxpv mxpv mxpv approved these changes

Assignees
No one assigned
Labels
ok-to-test size/XS
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
6 participants
@jedevc @k8s-ci-robot @kzys @dmcgowan @mxpv @thaJeztah