
Bump the trace-java-client-gradle-deps group in /trace-java-client with 4 updates #1564

dependabot[bot]

@dependabot dependabot bot commented on behalf of github Jan 30, 2024

Bumps the trace-java-client-gradle-deps group in /trace-java-client with 4 updates: io.opentracing.brave:brave-opentracing, io.zipkin.zipkin2:zipkin, io.zipkin.reporter2:zipkin-sender-okhttp3 and io.zipkin.brave:brave.

Updates io.opentracing.brave:brave-opentracing from 1.0.0 to 1.0.1

Commits

Updates io.zipkin.zipkin2:zipkin from 2.25.2 to 3.0.5

Release notes

Sourced from io.zipkin.zipkin2:zipkin's releases.

Zipkin 3.0.5 cleans up CVEs and supports Eureka authentication. We also allow those testing with Cassandra to disable SSL hostname verification. While this is a point version, quite a lot of work went into this. Please thank volunteers involved on gitter or otherwise!

Dependency updates

Most notably, this updates our docker image to use JRE 21.0.2_p13, and all recent java libraries. We audited the UI and were able to fix all CVEs identified by Trivy and used at runtime, with special thanks to @​anuraaga on this. We also test with latest Elasticsearch 8.12.0, now. This was trickier than usual due to a JRE compatibility issue @​reta discovered a workaround for, and will be resolved when ES 8.12.1 is out. Rag and Andriy made themselves available and are the reason this release is all polished.

Eureka authentication

Zipkin 2.27 added Eureka discovery support, but we missed a spot. Eureka supports BASIC authentication via user info embedded in the service url. e.g. http://user:password@localhost:8761/eureka/v2. This is also handled the same way in spring-cloud-netflix. By also allowing url-embedded credentials, folks can use the same properties with zipkin as they do elsewhere.

To achieve this, and test it fully, we updated the following:

  • Our test eureka server image, ghcr.io/openzipkin/zipkin-eureka, to require authentication via EUREKA_USERNAME and EUREKA_PASSWORD
  • Our test armeria client image, ghcr.io/openzipkin/brave-example:armeria, to pass embedded credentials when looking up zipkin via EUREKA_SERVICE_URL
  • Our main code (applicable to all zipkin packaging) to use embedded credentials when registering via EUREKA_SERVICE_URL
  • Our docker-compose example to suggest how you can try the whole thing integrated.

Thanks for your patience with supporting this option, we hope you can tell that doing it right was a lot of work, and why we didn't just "wing it" earlier!

Disabling Cassandra hostname verification

Cassandra includes a setting for disabling hostname validation when using SSL, which is helpful for self-signed certificates. Thanks to @​priyavivek2307 and @​ankit-gautam23 for review, you can disable this now, by setting the env CASSANDRA_SSL_HOSTNAME_VALIDATION=false

Full Changelog: https://github.com/openzipkin/zipkin/compare/3.0.4..3.0.5

Zipkin 3.0.4 fixes a packaging bug which caused the UI to not load. Thanks @​jinyulei0710 for reporting!

Zipkin 3.0.3 updates its self-tracing to use the latest zipkin-reporter 3.2.1. It also enhances the Eureka example to include client tracing with Armeria services support.

Zipkin 3.0.2 removes a log warning from console output.

You may also be interested in the new homebrew formula. On mac or linux, you can now try zipkin via brew install zipkin

Zipkin 3.0 updates to Spring Boot 3 and floor JRE 17. The core library io.zipkin.zipkin2:zipkin now targets Java 8. This is a major version change for these reasons.

Apart from raising the server's Java target to 17, actual changes for Spring Boot 3 were a breeze. Upgrade breeze is not by accident, rather thanks to conscious thinking by the Spring Boot team. Please thank them for the good work!

On Java version changes

Recent releases of Zipkin use JRE 21 in docker images, as that's the latest LTS. The server now requires JRE 17 because that's the minimal Java target allowed by Spring Boot 3. JDK 17 no longer supports compilation below Java 8, which impacted our version range. The next notes cover impacts on the core library.

io.zipkin.zipkin2:zipkin now targets Java 8, formerly Java 6. Libraries who need to retain Java 6 or old Android versions should stay on 2.x or move to latest zipkin-reporter-brave which still supports Java 6. This should not impact many because known libraries that depend on zipkin require Java 8 or later.

Again, Zipkin Reporter 3 and Brave 6 no longer have a strict dependency on io.zipkin.zipkin2:zipkin so, still support Java 6.

Notable updates

As this is a major version update, we updated all server extensions we maintain, including:

... (truncated)

Commits
  • 6c1857e [maven-release-plugin] prepare release 3.0.5
  • 56d68cc deps: fixes to easy lens CVEs (#3705)
  • f18696e deps: bumps to latest library versions, notably slf4j (#3704)
  • 183faf7 docker: updates notably to JRE 21.0.2_p13 (#3702)
  • 899170c cassandra: adds CASSANDRA_SSL_HOSTNAME_VALIDATION (#3701)
  • 41b4a37 eureka: supports credentials in EUREKA_SERVICE_URL (#3700)
  • 10e0458 docker: changes to direct auth filter in zipkin-eureka test image (#3699)
  • 5ff651f docker: require auth for Eureka on EUREKA_USERNAME (#3698)
  • 13e46f8 [maven-release-plugin] prepare for next development iteration
  • 1b89798 [maven-release-plugin] prepare release 3.0.4
  • Additional commits viewable in compare view

Updates io.zipkin.reporter2:zipkin-sender-okhttp3 from 2.17.1 to 3.2.1

Release notes

Sourced from io.zipkin.reporter2:zipkin-sender-okhttp3's releases.

Zipkin Reporter 3.2 deprecates Sender for a simpler type BytesMessageSender. This only supports synchronous invocation (as used by the async reporters in the reporting thread) and requires senders to pass an empty list vs a complicated and usually implemented check() function. The result is being able to implement a custom sender in less than 50 lines including imports like below! Thanks a lot to @​anuraaga and @​reta for the review on this.

```java
package brave.example;

import com.linecorp.armeria.client.WebClient;
import com.linecorp.armeria.common.AggregatedHttpResponse;
import com.linecorp.armeria.common.HttpData;
import com.linecorp.armeria.common.HttpMethod;
import com.linecorp.armeria.common.HttpRequest;
import com.linecorp.armeria.common.MediaType;
import java.io.IOException;
import java.util.List;
import zipkin2.reporter.BytesMessageEncoder;
import zipkin2.reporter.BytesMessageSender;
import zipkin2.reporter.ClosedSenderException;
import zipkin2.reporter.Encoding;

final class WebClientSender extends BytesMessageSender.Base {
  final WebClient zipkinApiV2SpansClient;
  volatile boolean closeCalled; // volatile as not called from the reporting thread.

  WebClientSender(WebClient zipkinApiV2SpansClient) {
    super(Encoding.JSON);
    this.zipkinApiV2SpansClient = zipkinApiV2SpansClient;
  }

  @Override public int messageMaxBytes() {
    return 500_000; // Use the most common HTTP default
  }

  @Override public void send(List<byte[]> encodedSpans) throws IOException {
    if (closeCalled) throw new ClosedSenderException();
    // Join the already-encoded spans into one JSON message and POST it.
    byte[] body = BytesMessageEncoder.JSON.encode(encodedSpans);
    HttpRequest request =
        HttpRequest.of(HttpMethod.POST, "", MediaType.JSON, HttpData.wrap(body));
    AggregatedHttpResponse response = zipkinApiV2SpansClient.blocking().execute(request);
    try (HttpData content = response.content()) {
      // Any non-success status is surfaced as an IOException.
      if (!response.status().isSuccess()) {
        if (content.isEmpty()) {
          throw new IOException("response failed: " + response);
        }
        throw new IOException("response failed: " + content.toStringAscii());
      }
    }
  }

  @Override public void close() {
    closeCalled = true;
  }
}
```

... (truncated)

Commits
  • 457009d [maven-release-plugin] prepare release 3.2.1
  • 6e992f9 Adds deprecated functions for old Sender (#246)
  • ee8c0f1 [maven-release-plugin] prepare for next development iteration
  • e772cee [maven-release-plugin] prepare release 3.2.0
  • 22b0e37 Deprecates Sender for much simpler BytesMessageSender (#244)
  • 2dbac71 docker: polishes integration tests (#243)
  • d97c014 bumps to brave 6 and warns about zipkin dep version (#242)
  • 35db29b [maven-release-plugin] prepare for next development iteration
  • 9508452 [maven-release-plugin] prepare release 3.1.1
  • 9c666c4 ci: deploys bom separately to allow re-do on partial failure (#241)
  • Additional commits viewable in compare view

Updates io.zipkin.brave:brave from 5.17.0 to 6.0.0

Release notes

Sourced from io.zipkin.brave:brave's releases.

Brave 6 removes all modules and functions deprecated in Brave 5.x. It no longer has any dependency on io.zipkin.zipkin2:zipkin. Special thanks to @​reta and @​anuraaga for a lot of review support leading to this release!

No more deprecated functions

The final release of Brave 5 with deprecated functions was 5.18.1. Removing these functions was the only way to decouple Brave from zipkin's core library (io.zipkin.zipkin2:zipkin). However, this does not change Brave's floor Java 6 support. We still integration test this via the brave-example repository.

Here's an example of a working Java 6 and Spring 2.5 application, which is 280KB smaller due to use of the lean combination of Brave 6 and Zipkin Reporter 3.x:

```
# brave 5.18.1
3860    target/brave-example-webmvc25-1.0-SNAPSHOT.war
# brave 6.0.0
3580    target/brave-example-webmvc25-1.0-SNAPSHOT.war
```

No more io.zipkin.reporter2:zipkin-reporter or io.zipkin.zipkin2:zipkin dependencies

io.zipkin.brave:brave-bom used to manage zipkin-reporter dependencies. Since Brave no longer has dependencies on zipkin, it no longer manages them.

This impact is that users will need to manage their own versions for zipkin-reporter, likely via io.zipkin.reporter2:zipkin-reporter-bom described in the zipkin-reporter README.

To fully remove a zipkin core library dependency from your traced applications, use io.zipkin.reporter2:zipkin-reporter-brave 3.x AsyncZipkinSpanHandler. This is described in the zipkin-reporter README. You can expect currently maintained frameworks to do this on your behalf.

Thanks for your patience with the major upgrade. Things like this allow easier maintenance and a longer life for Brave, particularly as zipkin-server moves ahead with later Java versions.

Full Changelog: https://github.com/openzipkin/brave/compare/5.17.1..5.18.1

Brave 5.18 prepares for Brave 6 by deprecating instrumentation for libraries not released in 1.5-3.5 years including:

  • context/rxjava2 - last released Feb 2021
    • replaced by RxJava3, but unlikely this module will be ported as it wasn't used widely.
  • instrumentation/dubbo-rpc - (alibaba) last released Dec 2021
    • replaced by Apache Dubbo instrumentation/dubbo
  • instrumentation/p6spy - last released July 2020
    • project dormant
  • instrumentation/sparkjava - last released July 2022
    • project dormant

A minor change is we changed the artifact we use to test MySQL 8 to com.mysql:mysql-connector-j (instead of mysql:mysql-connector-java), to ensure we validate against current versions. Thanks @​m1ngyuan for the help on this.

Full Changelog: https://github.com/openzipkin/brave/compare/5.17.1..5.18.1

Brave 5.17.1

Brave v5.17.1 fixes a bug where the jars that should be at Java 1.6 or 1.7 bytecode were not.

Full Changelog: https://github.com/openzipkin/brave/compare/5.17.0..5.17.1

Commits
  • 6aa32a2 [maven-release-plugin] prepare release 6.0.0
  • f57f544 kafka-streams: cleans up after deprecation removal (#1404)
  • 5a81bf3 Docs: adds note about explicit reporter dependencies (#1402)
  • cf8dbf9 Revert "Temporarily revert brave 6 change"
  • 39b76ff [maven-release-plugin] prepare for next development iteration
  • a50e658 [maven-release-plugin] prepare release 5.18.1
  • 67b6013 deps: reverts to zipkin-reporter 2.x (#1403)
  • 5c977a2 Temporarily revert brave 6 change
  • f99265d bump to 6.0.0-SNAPSHOT
  • 44e4081 Removes all deprecated types and modules for Brave v6 (#1395)
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
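
An added example, not code from Zipkin or from this PR: one way a consumer of `EUREKA_SERVICE_URL` could handle the url-embedded credentials described under "Eureka authentication" above, deriving the BASIC `Authorization` header value and a credential-free URL that is safe to log. The class name `ServiceUrlCredentials` and the sample password are assumptions made for illustration.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

/** Hypothetical helper (not Zipkin's code): separates userinfo from a service URL. */
final class ServiceUrlCredentials {
  final URI sanitizedUrl;      // userinfo removed, safe for logs and error messages
  final String authorization;  // "Basic ..." header value, or null when no credentials

  ServiceUrlCredentials(String serviceUrl) throws URISyntaxException {
    URI uri = new URI(serviceUrl);
    if (uri.getHost() == null) {
      // Do not echo the input here: it may contain the password.
      throw new URISyntaxException("<redacted>", "service URL has no host");
    }
    // Rebuild the URL without userinfo so the password never reaches log output.
    sanitizedUrl = new URI(uri.getScheme(), null, uri.getHost(), uri.getPort(),
        uri.getPath(), uri.getQuery(), uri.getFragment());

    String raw = uri.getRawUserInfo();
    String header = null;
    if (raw != null) {
      // Split on the first ':' before decoding, so an encoded ':' (%3A) in the
      // user name is not mistaken for the user/password separator.
      int colon = raw.indexOf(':');
      String user = decode(colon < 0 ? raw : raw.substring(0, colon));
      String password = colon < 0 ? "" : decode(raw.substring(colon + 1));
      byte[] pair = (user + ":" + password).getBytes(StandardCharsets.UTF_8);
      header = "Basic " + Base64.getEncoder().encodeToString(pair);
    }
    authorization = header;
  }

  /** Percent-decodes one userinfo component (needs Java 10+ for this overload). */
  static String decode(String s) {
    // URLDecoder turns '+' into a space (form encoding); keep a literal '+' intact.
    return URLDecoder.decode(s.replace("+", "%2B"), StandardCharsets.UTF_8);
  }

  public static void main(String[] args) throws URISyntaxException {
    // Constructed sample value with the same shape as the URL in the release notes.
    ServiceUrlCredentials c =
        new ServiceUrlCredentials("http://user:p%40ss@localhost:8761/eureka/v2");
    System.out.println("registering with " + c.sanitizedUrl);
    System.out.println("auth header present: " + (c.authorization != null));
  }
}
```

Because the password sits in an environment variable and a URL, anything that prints the raw `EUREKA_SERVICE_URL` (startup banners, exception messages, proxy access logs) exposes it; logging only the sanitized form avoids that.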

Bumps the trace-java-client-gradle-deps group in /trace-java-client with 4 updates: [io.opentracing.brave:brave-opentracing](https://github.com/openzipkin-contrib/opentracing-brave), [io.zipkin.zipkin2:zipkin](https://github.com/openzipkin/zipkin), [io.zipkin.reporter2:zipkin-sender-okhttp3](https://github.com/openzipkin/zipkin-reporter-java) and [io.zipkin.brave:brave](https://github.com/openzipkin/brave).


Updates `io.opentracing.brave:brave-opentracing` from 1.0.0 to 1.0.1
- [Commits](https://github.com/openzipkin-contrib/opentracing-brave/commits)

Updates `io.zipkin.zipkin2:zipkin` from 2.25.2 to 3.0.5
- [Release notes](https://github.com/openzipkin/zipkin/releases)
- [Changelog](https://github.com/openzipkin/zipkin/blob/master/RELEASE.md)
- [Commits](openzipkin/zipkin@2.25.2...3.0.5)

Updates `io.zipkin.reporter2:zipkin-sender-okhttp3` from 2.17.1 to 3.2.1
- [Release notes](https://github.com/openzipkin/zipkin-reporter-java/releases)
- [Changelog](https://github.com/openzipkin/zipkin-reporter-java/blob/master/RELEASE.md)
- [Commits](openzipkin/zipkin-reporter-java@2.17.1...3.2.1)

Updates `io.zipkin.brave:brave` from 5.17.0 to 6.0.0
- [Release notes](https://github.com/openzipkin/brave/releases)
- [Changelog](https://github.com/openzipkin/brave/blob/master/RELEASE.md)
- [Commits](openzipkin/brave@5.17.0...6.0.0)

---
updated-dependencies:
- dependency-name: io.opentracing.brave:brave-opentracing
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: trace-java-client-gradle-deps
- dependency-name: io.zipkin.zipkin2:zipkin
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: trace-java-client-gradle-deps
- dependency-name: io.zipkin.reporter2:zipkin-sender-okhttp3
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: trace-java-client-gradle-deps
- dependency-name: io.zipkin.brave:brave
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: trace-java-client-gradle-deps
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot dependabot bot requested a review from a team as a code owner January 30, 2024 05:56
@dependabot dependabot bot added dependencies Pull requests that update a dependency file java Pull requests that update Java code labels Jan 30, 2024

dependabot bot commented on behalf of github Feb 13, 2024

Superseded by #1569.

@dependabot dependabot bot closed this Feb 13, 2024
@dependabot dependabot bot deleted the dependabot/gradle/trace-java-client/trace-java-client-gradle-deps-78a0c05133 branch February 13, 2024 05:42