Feat: Enrich tracing of proxy-server #615

Open
sfc-gh-pkowalewski wants to merge 1 commit into main from improve-proxy-tracing

sfc-gh-pkowalewski (Collaborator) commented Mar 25, 2026

Summary

Enriches proxy server traces with domain-specific span attributes and events so that a single trace in Tempo tells you who called, what targets were fanned out to, and how each target stream progressed, without needing to cross-reference logs.
Adds a proxy.target{/FullMethod} child span per backend connection and a proxy.target.dial sub-span for the dial+stream-creation phase, giving per-target latency breakdown within a fan-out.
All instrumentation is zero-cost when no TracerProvider is configured (OpenTelemetry noop behavior). No new dependencies: the go.opentelemetry.io/otel packages are already in go.mod.

Also, updated golangci to v2, as v1 is incompatible with go1.26.0.

What's new

Root span enrichment (dispatch)

| Attribute | Description |
| --- | --- |
| sansshell.caller.principal | Authenticated caller identity |
| sansshell.caller.address | Caller network address |
| sansshell.caller.groups | Caller group memberships |
| sansshell.caller.cert.cn | Client certificate Common Name |
| sansshell.caller.cert.spiffe_id | Client certificate SPIFFE ID |
| sansshell.proxy.justification | Request justification from metadata |
| sansshell.proxy.target_count | Total number of target streams opened |

Event: dispatch.start_stream (once per target, carries sansshell.target.address and sansshell.target.method).

Per-target child span (proxy.target{/service/Method})

| Attribute | Description |
| --- | --- |
| sansshell.target.address | Backend host:port |
| sansshell.target.method | Full gRPC method name |
| sansshell.target.stream_id | Mux stream ID |
| sansshell.target.stream_type | unary / server_stream / client_stream / bidi |
| sansshell.target.authz_dry_run | Whether this is a dry-run authz check |
| sansshell.target.dial_timeout_ms | Dial timeout (when configured) |
| sansshell.target.proxied_principal | Forwarded caller principal |

Events on this span:

| Event | Attributes | When |
| --- | --- | --- |
| stream.connected | | Dial succeeded, gRPC stream is open |
| stream.first_response | | First RecvMsg from backend |
| authz.evaluated | sansshell.authz.result, sansshell.authz.method | After each per-message authz check |
| stream.finished | grpc.status_code | Stream completed |

Dial sub-span (proxy.target.dial)

Wraps DialContext + NewStream. Records errors and status on dial/stream-creation failure.

sfc-gh-pkowalewski changed the title from "Feat: Improve tracing for proxy server" to "Feat: Encrich tracing of proxy-server" on Mar 25, 2026
sfc-gh-pkowalewski force-pushed the improve-proxy-tracing branch 5 times, most recently from 85ad6c7 to 1539742, on March 25, 2026 18:36
sfc-gh-pkowalewski changed the title from "Feat: Encrich tracing of proxy-server" to "Feat: Enrich tracing of proxy-server" on Mar 25, 2026
sfc-gh-pkowalewski force-pushed the improve-proxy-tracing branch 6 times, most recently from a61f9d4 to 4901a30, on March 25, 2026 20:41
sfc-gh-pkowalewski marked this pull request as ready for review on March 26, 2026 08:48
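
An added example, not part of this PR or of the sansshell code base: one way the sansshell.caller.cert.cn and sansshell.caller.cert.spiffe_id attributes from the root-span table could be derived from an already-verified client certificate, using only Go's standard library. The helper names (callerCertAttrs, constructedCert, must) and the self-signed sample certificate are assumptions made for illustration; how the PR itself populates these attributes is not shown on this page.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/url"
)

// callerCertAttrs (hypothetical helper) maps an already-verified client
// certificate to the two certificate attributes listed in the PR description.
func callerCertAttrs(cert *x509.Certificate) map[string]string {
	attrs := map[string]string{}
	if cn := cert.Subject.CommonName; cn != "" {
		attrs["sansshell.caller.cert.cn"] = cn
	}
	// An X.509-SVID has exactly one URI SAN; several are ambiguous, so record none.
	if len(cert.URIs) == 1 && cert.URIs[0].Scheme == "spiffe" && cert.URIs[0].Host != "" {
		attrs["sansshell.caller.cert.spiffe_id"] = cert.URIs[0].String()
	}
	return attrs
}

// constructedCert builds a throwaway self-signed certificate as sample input.
func constructedCert(cn string, uris ...string) *x509.Certificate {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn}}
	for _, raw := range uris {
		tmpl.URIs = append(tmpl.URIs, must(url.Parse(raw)))
	}
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv))
	return must(x509.ParseCertificate(der))
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func main() {
	fmt.Println(callerCertAttrs(constructedCert("operator-1", "spiffe://example.test/ops/operator-1")))
}
```

Recording no SPIFFE ID for an ambiguous certificate keeps the trace from attributing a request to an identity the authorization layer would not have accepted.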