Bump io.zipkin.zipkin2:zipkin from 2.26.0 to 3.1.0

[dependabot]

Bumps io.zipkin.zipkin2:zipkin from 2.26.0 to 3.1.0.

Release notes

Sourced from io.zipkin.zipkin2:zipkin's releases.

Zipkin 3.1 includes our first additional features since the 3.0 platform update. Notably gRPC span collection is enabled by default, Eureka registration includes more properties, and you can now disable the UI independent of the REST API. Those using kubernetes should have a second look at our helm chart which is recently renovated as well!

While most won't see this, we'd like to give a special shout out to @​SamTV12345 for helping renovate our javascript build. It was Sam's first change in the project and quite a big one. We'd like to thank all the users for your feedback and the continued support from our all volunteer team, notably @​reta and @​anuraaga who've stuck here with you so long.

Here are the changes end users might notice

• COLLECTOR_GRPC_ENABLED is now true by default, accepting spans from the zipkin.proto3.SpanService/Report service hosted on the same HTTP port as the normal API (default 9411)
• Eureka registration now populates the homePageUrl and statusPageUrl fields, the latter used in the spring-cloud-netflix UI. This was thanks to upstream changes in Armeria driven by @​minwoox
• New UI_ENABLED for users who wish to expose the query API, but not host the javascript UI.

Here are the build related changes:

• UI build now uses vite. @​SamTV12345 was the MVP of this change, which eliminated a build-time CVE. This was a quite a lot of work, and we're grateful for Sam's help. We also appreciate others work on this, too, notably @​anuraaga who advised and pitched in a test migration PR.
• @​reta switched us to SLF4J 2.0, with heaps of thanks to @​wilkinsona who helped us come to the same page on what versions do what.
• our zipkin-slim image now includes netty tcnative libraries.

Thank folks who helped with changes you want and don't forget to star the project if you're happy with our continued efforts! If you'd like to get in touch, please chat on gitter. See you next release!

Full Changelog: https://github.com/openzipkin/zipkin/compare/3.0.6..3.1.0

Zipkin 3.0.6 updates to Armeria 1.27.1, fixes ES_HTTP_LOGGING and a glitch in Eureka registration.

• Armeria 1.27.1 helped us remove code around Eureka, which is now upstream, as well bring the server runtime to the latest Netty
• ES_HTTP_LOGGING broke when we updated to SLF4J 2. @​reta resolved by bringing us back to the more compatible 1.7 plus config adjustment.
• Those using spring-cloud-sleuth were unable to discover zipkin even when it set env like EUREKA_HOSTNAME.

Eureka and spring-cloud

Skip this part unless you want to take a walk with us down troubleshooting lane!

Eureka is a service registry originally started at Netflix. Zipkin can register itself in Eureka, allowing traced services to discover its listen address and health state. So, this is an alternative to normal DNS. We added support for this in Zipkin 2.27 and have been polishing that since.

Before, we were testing Eureka integration with armeria. Armeria doesn't use the netflix/eureka codebase at all, as it implements its api directly. This is great for Armeria users as the Netflix/Eureka codebase uses a lot of antique dependencies, some not updated in 8 years. However, it isn't a good test for zipkin for the same reason.

Most users who use Eureka, use Spring Boot 2, and most of those who use zipkin, use spring-cloud-sleuth (which uses brave internally). To get a better sense of confidence registration works in practice, we decided to update our sleuth example to use Eureka. The idea was to set a pseudo hostname in the zipkin endpoint: that would be replaced dynamically by a real endpoint in the "zipkin" application in Eureka. Then, we're all good.

But, we weren't all good. This didn't work at all, as our example used a reactive WebFlux configuration. For some reason, when a sleuth-instrumented application is using reactive, you cannot use Eureka to discover zipkin. So, we backported our sleuth example to a version that can use Eureka. Ironically, we had to go back to WebMvc which was the original canonical zipkin example! However, despite webmvc5-sleuth using the right parts, the pseudo zipkin hostname wasn't replaced.

In close inspection, the first thing we noticed was something documented, but not entirely intuitive. Documentation says to use the "service ID" as the pseudo-hostname in the zipkin URL, which would be replaced with the real hostname and port. In the case of Eureka, it seems intuitive to use the service to find instances of it. Specifically the Eureka application (EUREKA_APP_NAME of all zipkin instances). However, the "service ID" is not that, and it isn't even the instanceId in Eureka. Oddly, the "service ID" maps to the vipAddress field in Eureka, which is actually an instance's hostname! So, the strange thing is that the pseudo-hostname is actually the real hostname!

Fine, so we put the vipAddress zipkin registered into Eureka into the hostname field as a quasi hostname, but still it didn't work. Stepping through a debugger, we found that if there is a port in the hostname (e.g. zipkin-server:9411) the configuration code assumes it is not something to look up, rather something already resolved. This led to a realization that the vipAddress having a port encoded, was actually a config default bug, but a simple one to work around. In 3.0.6, when someone sets EUREKA_HOSTNAME, we also set vipAddress explicitly to avoid the accidental port adding default.

Voilla! Finally, we're all good: sleuth replaces vipAddress with that same address and also a port, and it could have only gotten that from eureka info. While it feels like a lot of work to accomplish little, people will still get the other benefits of Eureka (specifically spring-cloud-netflix use of it) including health checking and discovery of other endpoints besides the one you knew about and stuffed into the zipkin URL. While not as ideal as specifying the app name, this approach isn't completely unique to spring. Other technology sometimes ask for "well known addresses" in order to find the rest of a cluster.

Through comments and issue links in the webmvc5-sleuth example, we containerized this hard earned experience, to save future maintainers work trying to figure it all out again. In other words, they don't have to read these release notes and can just use the working binary.

The moral of the story, is: integration test things twice or three times if you can, as some behaviors are not necessarily intuitive. If you have more integrations, all the strange things will present themselves. While painful to get through all of the troubleshooting, it is definitely better to have the project bear this weight than relying on end users to figure it out!

Follow-up

Immediately after this release, spring-cloud-sleuth released 3.1.11 which fixed WebFlux discovery with Eureka. Hence, we our the webflux5-sleuth example, while still keeping the webmvc one. All our Eureka-compatible examples are integration tested against a real eureka server on change now, to prevent unknowing regressions in the future.

... (truncated)

Commits

• a29a97e [maven-release-plugin] prepare release 3.1.0
• 09c523d docker: fixes native library config (#3738)
• c65ce5c updates depedencies to latest versions, notably fixing Eureka (#3737)
• a163303 Switch logging to SLF4J 2.x (#3736)
• b90cee9 disables the spring banner via empty banner.txt (#3734)
• 01ae5d8 deps: updates to tcnative 2.0.63.Final (#3733)
• 0970acb grpc: enables collector by default (#3732)
• d43412e Adds UI_ENABLED mapping to make more obvious how to disable it (#3731)
• 154f2f2 Fix UiConfig test (#3729)
• aa68d18 lens: fixes all trivy detectable CVEs by upgrading vitest (#3728)
• Additional commits viewable in compare view

You can trigger a rebase of this PR by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Note
Automatic rebases have been disabled on this pull request as it has been open for over 30 days.

[codecov-commenter]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 44.74%. Comparing base (d33d683) to head (187503b).

❗ Current head 187503b differs from pull request most recent head 6f0437c. Consider uploading reports for the commit 6f0437c to get more accurate results

Additional details and impacted files

@@             Coverage Diff              @@
##             master    #4251      +/-   ##
============================================
- Coverage     44.79%   44.74%   -0.05%     
+ Complexity     5443     5438       -5     
============================================
  Files          1385     1385              
  Lines         34476    34476              
  Branches       3336     3336              
============================================
- Hits          15443    15426      -17     
- Misses        17787    17808      +21     
+ Partials       1246     1242       -4     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[dependabot]

Superseded by #4283.