Handle case where multiple instrumentations can be applied to a pod #529
Comments
|
Can we create a validation webhook that will block the creation of the podspec in that case? |
|
Validating is definitely an option. Personally I don't see a real advantage to validate / errors vs just structuring it into the annotations though where it stops being a problem. The assumption is two annotations is equivalent to one since they're almost always copy-pasted. |
|
I think allowing multiple injections to a single pod can be actually useful. I have this use-case in mind: A pod with {java,python,whatnot} application container is instrumented but the pod also has a sidecar proxy (e.g. envoy) that does tracing as well (e.g. to capture payloads or headers). Now user might want to inject javaagent into the first application container and then sdk configuration to the proxy sidecar container. The injection of SDK configuration is used by proxy to configure tracing in the proxy. |
|
@pavolloffay Any ideas on structuring the annotations to support multiple containers? Perhaps something like this? Or do you think it's valid to inject different OTel SDK settings into different containers in the pod? In that case I guess And if multiple instrumentation names were defined for a single container, we'd need to log an error and disable injection. I guess both of these seem OK. |
|
@pavolloffay @BronzeDeer Any thoughts on my syntax proposal? |
It gives more flexibility, but I don't know/doubt it is needed. A use-case might be to use a different sampling rate for init and the main container. small nit to the annotation name. I think it should be The most I like is cc) @BronzeDeer this is highly related to your proposal in #618 |
|
@anuraaga @pavolloffay Is there a precedent for "double slash" annotations in k8s? The way I read it, this would imply a hierarchical structure between values.
I'd replace the second slash with a dash and change it to container-names allowing for a comma delimited list. This would allow specifying exactly which container gets which language instrumentation, with each language instrumentation tied to either a specific Instrumentation CR or the namespace default. Intuitively I don't see a use case in which it would be necessary to inject two containers of the same language with different sdk versions, if there is a major compatibility breakage in an sdk, I'd prefer to go with something like "java-v2" in a new set of annotations and CRs. |
|
@BronzeDeer I am maybe a bit lost. Coul you please write an example of the annotations in a similar format?
Please provide an example how it would look like. In general I like more |
|
@pavolloffay Many things in Kubernetes follow a My second objection was about your third suggestion Here, instrumentation.opentelemetry.io/inject-{java,python,nodejs} conteptually is both a leaf value and a grouping of subordinate values, which looks wrong to me, but that is very subjective. I also don't think we should do dynamic annotation keys to pass container-names at minimum because it would turn processing the annotations of a pod from O(1) to O(n). I'd instead go with (java as example) This does however sacrifice the ability to inject two different instrumentations for one language, however I'm still not sure where that would be needed outside massive breaking API changes, which might be better represented as e.g. "java-v2" instead, which allows for to coexist and to be assigned to different sets of containers |
|
Oh and Kubernetes actually forbids a second slash in the annotation key: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/#syntax-and-character-set |
|
@pavolloffay I think this got buried over the holidays, can we pick up where we left of? |
|
Absolutely, let's move this forward ❤️
I am maybe missing something but the following could be supported on a single podspec as well. |
|
@pavolloffay Agreed, I meant having two containers of the same language (say Java) be served by two different Instrumentation CRs. But as I already said, I can't see that happening unless there has been a major api breakage on the OTEL side (say v1 and v2 of Java instrumentation), but in that case I would just go with creating a new "language" as I already outlined. So, are we agreed on the general approach and final syntax? |
something to document :) It looks good to me. @anuraaga you were looking into this as well, any concerns? |
|
LGTM thanks |
|
Okay, I'l continue work on the PR for this |
fixes open-telemetry#618 fixes open-telemetry#529 Currently, it is only possible to inject a single autoinstrumentation per pod and it will always be injected into the first container and first container only. This is especially troublesome if a mutating webhook will be injecting additional sidecars (e.g. Istio) which will often receive the instrumentation instead of the main container. Furthermore, for multi-container, multi-language pods only one container can currently be auto-instrumented. This commit introduces a new set of annotations of the form "instrumentation.opentelemetry.io/inject-<language>-container-names", which tells the operator which containers should receive which language instrumentation. The value of the annotation should be a comma-delimited list of container-names to inject into. If the annotation is not present, injection will use the default container-selection (currently first container). The annotation will be ignored if the corresponding language annotation "instrumentation.opentelemetry.io/inject-<language>" is not present or set to enable instrumentation for <language>. Note: It is now possible that instrumentation for multiple languages needs to be prepared for the same pod. To avoid clashes, the volumes, volume mount paths and initContainers for each language have been postfixed with "-<language>". Furthermore, to avoid ballooning the injection logic complexity, the initContainer and volume for a language will always be added to the Pod as long as injection for that language is enabled, even if the injection into every container fails. Previously, with only one language and one container to inject the operator would only inject the volume and initContainer if the container could successfully be modified.
fixes open-telemetry#618 fixes open-telemetry#529 Currently, it is only possible to inject a single autoinstrumentation per pod and it will always be injected into the first container and first container only. This is especially troublesome if a mutating webhook will be injecting additional sidecars (e.g. Istio) which will often receive the instrumentation instead of the main container. Furthermore, for multi-container, multi-language pods only one container can currently be auto-instrumented. This commit introduces a new set of annotations of the form "instrumentation.opentelemetry.io/inject-<language>-container-names", which tells the operator which containers should receive which language instrumentation. The value of the annotation should be a comma-delimited list of container-names to inject into. If the annotation is not present, injection will use the default container-selection (currently first container). The annotation will be ignored if the corresponding language annotation "instrumentation.opentelemetry.io/inject-<language>" is not present or set to enable instrumentation for <language>. Note: It is now possible that instrumentation for multiple languages needs to be prepared for the same pod. To avoid clashes, the volumes, volume mount paths and initContainers for each language have been postfixed with "-<language>". Furthermore, to avoid ballooning the injection logic complexity, the initContainer and volume for a language will always be added to the Pod as long as injection for that language is enabled, even if the injection into every container fails. Previously, with only one language and one container to inject the operator would only inject the volume and initContainer if the container could successfully be modified. Signed-off-by: Joel Pepper <pepper@bronze-deer.de>
pavolloffay
changed the title
|
@pavolloffay, are we able to close this PR? |
|
This is not a PR :) The issue is not resolved as far as I can tell. |
|
Ok :D |
|
I believe this PR closed this :) |
Currently, both
inject-javaandinject-nodejscan be applied to the same pod. This creates some awkwardness, especially if the instrumentation instance referenced is different, common SDK configuration will be applied from two unrelated instrumentations.One approach that could solve this is to split the current annotations into "whether to inject" and "what language to inject"
Originally posted by @anuraaga in #507 (comment)
The text was updated successfully, but these errors were encountered: