We Make Service Mesh Easy

Just provide a few details and you’ll be ready to use Aspen Mesh

F5 NETWORKS

BETA PRODUCT AGREEMENT

BY ACCEPTING THIS BETA PRODUCT AGREEMENT (THE “AGREEMENT”), REGISTERING FOR OR USING AN ACCOUNT (“ACCOUNT”) FOR THE BETA PRODUCT, OR BY ACCESSING THE BETA PRODUCT, YOU (1) agree to this BETA ServiceS Agreement (the “Agreement”) and the Aspen MESH portal terms of use on behalf of yourself and the Customer identified in the BETA PORTAL (the “Customer” or “YOU”), (2) represent and warrant to F5 (“f5,” “We, or “US”) that you are authorized to accept this Agreement on behalf of the Customer, and (3) agree that such Customer will be responsible for the acts and omissions of any individuals or other users who register for, access or use the BETA PRODUCT through your account. IF YOU AND/OR CUSTOMER DOES NOT AGREE TO ALL OF THE TERMS OF THIS AGREEMENT, DO NOT ACCEPT THIS AGREEMENT AND DO NOT ACCESS THE BETA PRODUCT.

All references to “F5” in this Agreement are references to the applicable F5 entity as follows: (i) if the Customer’s primary place of business is located in Europe, the Middle East or Africa (“EMEA”), the F5 entity is F5 Networks Ltd.; (ii) if the Customer’s primary place of business is located in the Asia-Pacific region (“APAC”), the F5 entity is F5 Networks Singapore Pte Ltd.; and (iii) if the Customer’s primary place of business is located in a region outside of EMEA or APAC, the F5 entity is F5 Networks, Inc.

You will provide accurate, current and complete information (including about Customer and Customer’s users) in all registration and other Account-related forms on the Beta Portal (“Customer Information”) and you will maintain the security of your username(s) and password(s). You will maintain and promptly update the Customer Information to keep it accurate, current and complete. YOU UNDERSTAND THAT ANY PERSON WITH YOUR USERNAME(S) AND PASSWORD(S) MAY BE ABLE TO ACCESS YOUR ACCOUNT (INCLUDING CUSTOMER INFORMATION AND OTHER CUSTOMER DATA (COLLECTIVELY, “CONTENT”)). YOU ACCEPT ALL RISKS OF UNAUTHORIZED ACCESS TO YOUR ACCOUNT BASED ON THE SHARING OR LOSS OF A USERNAME AND PASSWORD. You will promptly notify us if you discover or otherwise suspect any unauthorized access related to your Account or the Beta Product, including any unauthorized use or disclosure of a username or password.

  1. Definitions.

1.1.    “Beta Period” means the period in which you may use the Beta Product under the terms of this Agreement as set forth on the Beta Portal Site; and if no period is specified, until we specify otherwise. We reserve the right to terminate the Beta Period at any time upon notice provided via the Beta Portal.

1.2.    “Beta Portal” means the Aspen Mesh Beta Portal website located at https://my.aspenmesh.io.

1.3.    “Beta Product” means the F5 beta software product(s) offered through the Beta Portal for download.

 

2.      Use of Beta Product.

2.1.    License Grant. Subject to your compliance with this Agreement, we grant you a non-transferable, nonexclusive right, during the Beta Period, to use the Beta Product for your internal evaluation and testing purposes only in a non-production environment.

2.2.    Title. The Beta Product and all enhancements, modifications and improvements thereto and the associated copyrights and intellectual property rights are owned by F5 and/or its licensors. Except for the license grant provided in Section 2.1, no rights to the Beta Product are granted or conveyed to Customer by implication or otherwise. To the extent that the Beta Product incorporates third party software, your use is subject to licenses with the respective licensor(s). The protections given to F5 under this Agreement also apply to the licensor(s) of this third party software, who are intended third party beneficiaries of this Agreement.

2.3.    Restrictions.  You will only use the Beta Product in accordance with all documentation and instructions we provide. You will use the Beta Product solely for your internal testing, and you will not modify or copy the Beta Product or any portion thereof. You will not demonstrate, market, reuse, copy, modify, translate or create derivative works of the Beta Service or any portion thereof; rent, sell, lease, transfer or otherwise make available the Beta Product or any portion thereof; or use it or any portion thereof for the benefit of a third party. You may not dissemble, de-compile, reverse assemble, reverse compile or reverse engineer the Beta Product or any portion thereof, or otherwise attempt to discover any Beta Product source code or underlying proprietary information. You will not use any information in any way related to or acquired by use of the Beta Product other than in connection with your evaluation of the Beta Product for a potential commercial implementation.

2.4.    Additional Obligations.

2.4.1.   You will use and test the Beta Product during the Beta Period. We may monitor your usage of the Beta Product.

2.4.2.   You will report to F5 on the performance of the Beta Product and will provide suggestions, comments or other feedback to F5 in the format and on the timing we reasonably request with respect to improving the Beta Product (collectively, “Feedback”). We may freely use, disclose, reproduce, license, distribute, and otherwise commercially exploit the Feedback without obligation or restriction of any kind.

2.4.3.   You will promptly report to F5 any problems with the Beta Product.

3.          Term and Termination. The term of this Agreement will commence when you accept this Agreement and will continue until the completion of the Beta Period or until terminated in accordance with this Agreement. This Agreement may be terminated by any party for any reason or no reason upon written notice to another party, and in any case will expire at the end of the Beta Period. We may extend the Beta Period upon written notice to you. We may discontinue the beta program or your Account at any time, in which case this Agreement will automatically terminate at the time of such discontinuation. Upon termination, the license granted hereunder will terminate and we may terminate your access to and use of the Beta Product immediately and without notice. Upon termination for any reason, you will immediately return all documents, notes and other materials regarding the Beta Product including, without limitation, all proprietary information of F5 and all copies and extracts of the foregoing. Any terms by which their nature impose an obligation after termination will survive termination or expiration of this Agreement, including but not limited to confidentiality, disclaimer of warranties, limitation of liabilities, indemnification, and governing law.

4.          Confidentiality.  You will comply with the terms of the Nondisclosure Agreement entered into by the parties (the “NDA”), if applicable. In the event that the parties have not entered into an NDA covering the subject matter of this Agreement, you agree that any non-public information regarding the Beta Product provided or made accessible hereunder, the results of any beta testing, and the terms and content of this Agreement are part of F5’s confidential information. You will not disclose F5 confidential information to any third party other than your employees or agents who have a business need to know and who are bound by written confidentiality obligations to you not to disclose the confidential information that are substantially similar this Section 4. This obligation of confidentiality will not apply to information which you can show by contemporaneous documentation to be (i) rightfully available to the public; (ii) rightfully received by you from a third party without breach of a duty to F5; (iii) independently developed by your employees without access to the Beta Product; or (iv) rightfully known to Customer prior to first receipt from F5 while not under a contemporaneous duty of non-disclosure. You will not use any confidential information of F5 or proprietary information of F5 except for purposes of your evaluation of the Beta Product under the terms of this Agreement. You acknowledge that the Beta Product, its performance, evaluation results, features and mode of operation, as well as all internal documentation, specifications, product requirements, problem reports, analysis and performance information, benchmarks, software documents, and other technical, business, product, marketing and financial information, plans and data relating to the Beta Product are the proprietary information of F5. You will not publish or disclose to others any results of any benchmarking or other tests run on the Beta Service without our prior written consent. You will return or destroy all F5 confidential information upon our request. If you destroy the F5 confidential information, you will provide a written certification of destruction signed by an authorized officer of Customer.

5.          Representations and Warranties. You hereby warrant, represent and covenant as follows in the performance of your obligations and use of the Beta Product (by Customer and any Customer Representatives): (i), you will comply with all applicable laws, rules, and regulations of all applicable U.S. and foreign authorities; (ii) you will not infringe the proprietary or privacy rights of any third party; (iii) you will not use the Beta Product in a manner which constitutes Misuse; (iv) the information and other data (including Personal Data) that you transmit, process, and receive in connection with the use of the Beta Product provided hereunder complies and will at all times during the term of this Agreement comply with all applicable laws and do not and will not infringe the proprietary rights or privacy rights of any third parties; (v) when using the Beta Product (or allowing others to use the Beta Product including its end users) you will comply with all applicable acceptable use policies and will not cause or allow others to cause the disruption of other parties’ use or enjoyment of the Internet; and (vi) you do not currently provide services that compete with the Beta Product and will not at any time in the future use any of the Beta Product or any other confidential information of F5 for the provision of any services that compete with the Beta Product. In addition, you represent and warrant that you are not on the U.S. Treasury Department’s list of Specially Designated Nationals or the U.S. Department of Commerce’s Table of Denial Orders.

6.          Warranty Disclaimer; Warning. The parties acknowledge that the Beta Product is provided “AS IS”. Customer understands that the Beta Product has not completed F5’s full quality assurance program and may have errors and may produce unexpected results. F5 DISCLAIMS ALL WARRANTIES RELATING TO THE BETA PRODUCT, EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, ANY WARRANTIES AS TO TITLE, NON-INFRINGEMENT, MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE (INCLUDING, WITHOUT LIMITATION, PREVENTION OF UNAUTHORIZED ACCESS),THAT THE BETA PRODUCT WILL BE FREE FROM ERROR OR INTERRUPTION OR FAILURE. F5 NEITHER ASSUMES, NOR AUTHORIZES ANY OTHER PERSON TO ASSUME FOR IT, ANY OTHER LIABILITY IN CONNECTION WITH THE BETA PRODUCT OR ANY INFORMATION PROVIDED IN CONNECTION THEREWITH, INCLUDING, WITHOUT LIMITATION, LIABILITY ARISING OUT OF THE OPERATION, SUPPORT, OR USE OF THE BETA PRODUCT. F5 DOES NOT WARRANT THE RESULTS OF THE BETA PRODUCT OR THAT ANY ERRORS IN THE BETA PRODUCT WILL BE CORRECTED, OR THAT THE BETA PRODUCT WILL MEET CUSTOMER’S REQUIREMENTS OR EXPECTATIONS. YOU SHOULD SAFEGUARD IMPORTANT DATA, USE CAUTION, AND NOT RELY IN ANY WAY ON THE CORRECT FUNCTIONING OR PERFORMANCE OF THE BETA PRODUCT AND/OR ACCOMPANYING MATERIALS.

7.          Limitation of Remedies and Damages. IN NO EVENT WILL F5 OR ITS LICENSORS BE LIABLE  FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL OR PUNITIVE, DAMAGES INCLUDING, BUT NOT LIMITED TO LOSS OF PROFITS, REVENUE, DATA OR MACHINE USE, BUSINESS INTERRUPTION ARISING OUT OF OR IN CONNECTION WITH THIS AGREEMENT, THE USE OR THE INABILITY OF THE USE OR PERFORMANCE OF THE BETA PRODUCT, THE PROVISION OF OR FAILURE TO PROVIDE BETA PRODUCT, OR ANY INFORMATION PROVIDED, REGARDLESS OF THE NATURE OF THE ACTION OR UNDERLYING LEGAL THEORY (INCLUDING UNDER ANY CONTRACT, NEGLIGENCE, STRICT LIABILITY OR OTHER THEORY), EVEN IF F5 AND/OR ITS LICENSORS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. F5 WILL NOT BE RESPONSIBLE FOR ANY MATTER BEYOND ITS REASONABLE CONTROL. IN NO EVENT WILL F5’S TOTAL AGGREGATE LIABILITY UNDER THIS AGREEMENT EXCEED ONE THOUSAND DOLLARS ($1,000). NO ACTION, REGARDLESS OF FORM, ARISING UNDER THIS AGREEMENT MAY BE BROUGHT BY CUSTOMER MORE THAN ONE YEAR AFTER THE END OF THE BETA PERIOD.

8.          Customer Acknowledgement. CUSTOMER ACKNOWLEDGES THE NATURE OF THE BETA PRODUCT, AND THAT IT MAY CONTAIN KNOWN OR UNKNOWN BUGS, DEFECTS AND ERRORS, MAY NOT FUNCTION AS INTENDED, MAY NOT FUNCTION AT THE LEVEL OF A FINAL, GENERALLY AVAILABLE PRODUCT, MAY CREATE UNFORESEEABLE EVENTS, AND MAY BE SUBSTANTIALLY MODIFIED PRIOR TO FIRST GENERAL COMMERCIAL AVAILABILITY, OR WITHDRAWN. CUSTOMER ACKNOWLEDGES THAT THE PRODUCT IS INTENDED TO BE USED ONLY IN A TESTING ENVIRONMENT, WITH TEST DATA, AND NOT FOR PRODUCTION PURPOSES. F5 HAS NO OBLIGATION TO CORRECT ANY BUGS, DEFECTS OR ERRORS IN THE BETA PRODUCT OR OTHERWISE SUPPORT OR MAINTAIN THE BETA PRODUCT. F5 reserves the right at any time not to generally commercially release the Beta Product or, even if released, to alter prices, features, specifications, capabilities, functions, release dates, general availability, or other characteristics of the Beta Product.

9.          Indemnification. Customer will defend, indemnify and hold F5, and its affiliates and their respective officers, directors, licensors, suppliers, service providers, employees, contractors and agents harmless against any claims, liabilities or expenses incurred (including reasonable attorneys’ fees), as well as amounts finally awarded in a settlement or by a court arising from any (i) breach by Customer or any Customer Representative of any representation, warranty, covenant or other obligation of this Agreement, (ii) Misuse, (iii) negligence or willful misconduct of Customer or Customer Representatives, or (iv) liability arising out of or relating to the use of the Beta Product. We will promptly notify you of any such claim or allegation, but any delay in providing such notice will not affect your obligations hereunder except to the extent that the defense of the claim is materially prejudiced by such delay. You will not agree to any settlement without our prior written approval. We will provide reasonable assistance upon request and at your sole cost.

10.        Customer Performance and Usage Data. We may use various third party software tools to measure and monitor Customer interaction with the Beta Product, and to generate reports relating to use of the Beta Product under this Agreement. All information and status reports derived from your use of the Beta Product will be our exclusive property. You will not disclose such information or reports. We may use aggregated data derived from the use of the Beta Product to support and improve F5 products and services, in the development of new features, products, tools, content, and for market research, provided that such data has been stripped of all information identifying you.

11.        General.

11.1.  Entire Agreement. This Agreement together with the Aspen Mesh Portal Terms of Use, and, if applicable, the NDA, constitutes the entire agreement between the parties pertaining to the subject matter hereof, and supersedes any and all prior proposals, negotiations, communications, and agreements, written or oral (except the NDA) previously existing between the parties pertaining to the subject matter hereof. Without limiting the generality of the foregoing, in the event of a conflict between the terms of this Agreement and any other agreement between the parties, this Agreement will govern with respect to any component of the Beta Product, including any portion thereof to the extent used as part of the Beta Product. We will not be bound by any use of any standardized form or correspondence (including any order form, purchase order, acknowledgement, shrink-wrap, boxtop, or click wrap license, or other form) containing additional or different terms. We may, at any time and in our discretion, modify this Agreement by posting a notice of changes to the beta portal. Your continued use of the Beta Product after we modify the Agreement constitutes your acceptance of the changes. If you do not agree to any changes, you must terminate the agreement and discontinue all use of the Beta Product.

11.2.  Governing Law, Attorneys’ Fees. This Agreement, and all matters arising out of or relating to this Agreement, will be governed by and construed in accordance with the laws of the jurisdiction set forth in the governing law column opposite the applicable undersigned F5 entity in the table below, without regard to that jurisdiction’s choice of law rules. Further, for any action arising out of or related to this Agreement, Customer consents to the exclusive jurisdiction and venue of the courts located in the venue column opposite the applicable undersigned F5 entity in the table below.

F5 Entity: Governing Law: Venue:
F5 Networks Singapore Pte Ltd The laws of Singapore Singapore
F5 Networks Ltd. The laws of England and Wales London, England
F5 Networks, Inc. The laws of the State of Washington Seattle, Washington

 

The Parties agree that the United Nations Convention on Contracts for the International Sale of Goods (CISG) and the Uniform Computer Information Transactions Act, in whatever form adopted, does not apply to this Agreement and the parties specifically opt out of the application of such laws. If either party engages attorneys to enforce any rights arising out of or relating to this Agreement, the prevailing party will be entitled to recover reasonable attorneys’ fees.

11.3.  Assignment. You may not assign this Agreement in whole or in part, without F5’s prior written consent. F5 may assign this Agreement or any of its rights and obligations under it at any time. Any attempted assignment or transfer in violation of this Section will be void and without effect. Subject to the foregoing, this Agreement will be binding upon and shall inure to the benefit of the parties and their respective permitted successors and assigns.

11.4.  U.S. Government Restricted Rights. If Customer uses the Beta Service by or for any unit or agency of the United States Government, this provision applies. The Beta Service and any associated documentation are “commercial items” incorporating “commercial computer software” and “commercial computer software documentation” as such terms are defined in the Federal Acquisition Regulations (48 C.F.R.) (the “FAR”) 2.101 and its supplements. The parties agree that the Beta Service was developed entirely at private expense, that no part of the Beta Service was first produced in the performance of a Government contract. Consistent with FAR 12.212 and DoD FAR Supp. 227.7202-1 through 227.7202-4, and notwithstanding any other FAR or other contractual clause to the contrary in any agreement into which this Agreement may be incorporated, Customer will acquire and may provide to a Government end user with only those rights set forth in this Agreement. Use and/or access of the Beta Service constitutes acknowledgment of F5’s and its licensors’ rights in the Beta Service.

11.5.  Notices. Any notice or other communication required or permitted under this Agreement must be in writing in English and will be deemed given three (3) business days after it is sent by registered or certified mail, return receipt requested and postage prepaid, one (1) business day after it is sent via reputable nationwide courier service, or upon personal delivery, or upon posting to or sending of a notification in the Beta Portal. Notices to Customer may be sent to the address set forth in Customer’s Account or other address provided to F5 in the registration process for the Beta Product, sent to Customer’s notification inbox in the Beta Portal, or posted in the Beta Portal. All notices to F5 will be sent to the address(es) of the applicable F5 entity in the table below. Either party may change its address by giving the other party written notice in accordance with this Section 16. Notice may also be sent by fax, with confirmation of receipt, or electronic mail provided that it is also provided in accordance with one other method described above within 3 business days.

F5 Entity: Notice Address: With a Copy to:
F5 Networks Singapore Pte Ltd F5 Networks Singapore Pte LtdAttn: Legal Department5 Temasek Boulevard#08-01/02/05 Suntec Tower 5Singapore 038985Singapore F5 Networks, Inc.Attention:  Legal Department401 Elliot Avenue WestSeattle, WA 98119USA
F5 Networks Ltd. F5 Networks Ltd.Attn: Legal DepartmentChertsey Gate West43-47 London Street ChertseySurrey KT16 8APUnited Kingdom F5 Networks, Inc.Attention:  Legal Department401 Elliot Avenue WestSeattle, WA 98119USA
F5 Networks, Inc. F5 Networks, Inc.Attn: Legal Department401 Elliott Avenue WestSeattle, WA 98119 USA

 

11.6.  Severability. Any provisions found to be invalid or unenforceable will not affect the validity or enforceability of the other provisions contained herein, but will instead be replaced with a provision as similar to the original as possible and the remainder of this Agreement shall remain valid and enforceable according to its terms.

11.7.   No Waiver. Failure of either party to insist upon strict performance of any of the terms and conditions of this Agreement will not preclude enforcement of such provisions or the exercise of any right. No waiver of a breach of this Agreement will be valid unless in writing. Waiver by either party in the exercise of any of its remedies shall not constitute a subsequent waiver of such terms and conditions or a waiver of any default or remedy.

11.8.  Relationship of the Parties. F5 and Customer are independent contractors and this Agreement will not establish any relationship of partnership, joint venture, employment, franchise, or agency between F5 and Customer. Customer shall not, and will have no power to, bind F5 or incur obligations on F5’s behalf.

11.9.  Interpretation. This Agreement will not be construed in favor of or against any party by reason of the extent to which any party participated in the preparation of this Agreement.

Submit Your Resume

Upload your resume. (5 MB max - .pdf, .doc, or .docx)

January 30, 2018

Distributed tracing with Istio in AWS

 

Everybody loves tracing! Am I right? If you attended KubeCon (my bad, CloudNativeCon!) 2017 at Austin or saw any of the keynotes posted online, you would have noticed the recurring theme explaining the benefits of tracing, especially as it relates to DevOps tools. Istio and service mesh were hot topics and many sessions discussed how Istio provides distributed tracing out of the box making it easier for application developers to integrate tracing into their system.

Indeed, a great benefit of using service mesh is getting more visibility and understanding of your applications. Since this is a tech post (I remember categorizing it as such) let’s dig deeper in how Istio provides application tracing.

When using Istio, a sidecar envoy proxy is automatically injected next to your applications (in Kubernetes this means adding containers to the application Pod). This sidecar proxy intercepts all traffic and can add/augment tracing headers to the requests entering/leaving the application container. Additionally, the sidecar proxy also handles asynchronous reporting of spans to the tracing backends like Jaeger, Zipkin, etc. Sounds pretty awesome!

One thing that the applications do need to implement is propagating tracing headers from incoming to outgoing requests as mentioned in this Istio guide. Simple enough right? Well it’s about to get interesting.

Before we proceed further, first a little background on why I’m writing this blog. We, here at Aspen Mesh offer a supported enterprise service mesh built on open source Istio. Not only do we offer a service mesh product but we also use it in our production SaaS platform hosted in AWS (isn’t that something?).

I was tasked with propagating tracing headers in our applications so that we get nice hierarchical traces graphing the relationship between our microservices. As we are hosted in AWS, many of our microservices make outgoing requests to AWS services. During this exercise, I found some interesting interactions between adding tracing headers and using Istio with AWS services that I decided to share my experience. This blog describes various iterations I went through to get it all working together.

The application in question for this post is a simple web server. When it receives a HTTP request it makes an outbound DynamoDB query to fetch an item. As it is deployed in the Istio service mesh, the sidecar proxy automatically adds tracing headers to the incoming request. I wanted to propagate the tracing headers from the incoming request to the DynamoDB query request for getting all the traces tied together.

First Iteration

In order to achieve this I decided to pass a custom function as request options to the AWS DynamoDB API which allows you to augment request headers before they are transmitted over the wire. In the snippet below I’m using the AWS go-sdk’s dynamo.GetItemWithContext for fetching an item and passing AddTracingHeaders as the request.Option. Note that the AddTracingHeaders method uses standard opentracing API for injecting headers from a input context.

func AddTracingHeaders() awsrequest.Option {
  return func(req *awsrequest.Request) {
    if span := ot.SpanFromContext(req.Context()); span != nil {
      ot.GlobalTracer().Inject(
      span.Context(),
      ot.HTTPHeaders,
      ot.HTTPHeadersCarrier(req.HTTPRequest.Header))
    }
  }
}

// ctx is the incoming request's context as received from the mesh
func makeDynamoQuery(ctx context.Context ) {
  // Note that AddTracingHeaders is passed as awsrequest.Option
  result, err := dynamo.GetItemWithContext(ctx, ..., AddTracingHeaders())
  // Do something with result
}

Ok, time for testing this solution! The new version compiles, and I verified locally that it is able to fetch items from DynamoDB. After deploying the new version in production with Istio (sidecar injected) I’m hoping to see the traces nicely tied together. Indeed, the traces look much better but wait all of the responses from DynamoDB are now HTTP Status Code 400. Bummer!

Looking at the error messages from aws-go-sdk we are getting AccessDeniedException which according to AWS docs indicate that the signature is not valid. Adding tracing headers seems to have broken signature validation which is odd, yet interesting as I had tested in my dev environment (without sidecar proxy) and the DynamoDB requests worked fine, but in production it stopped working. Typical developer nightmare!

Digging into the AWS sdk package, I found that the client code signs every request including headers with a few hardcoded exceptions. The difference between the earlier and the new version is the addition of tracing headers to the request which are now getting signed and then handed to the sidecar proxy. Istio’s sidecar proxy (in this case Envoy) changes these tracing headers (as it should!) before sending it to DynamoDB service which breaks the signature validation at the server.

To get this fixed we need to ensure that the tracing headers are added after the request is signed but before it is sent out by the AWS sdk. This is getting more complicated, but still doable.

Second Iteration

I couldn’t find an easy way to whitelist these tracing headers and prevent them from getting them signed. But, AWS session package provides a very flexible API for adding custom handlers which get invoked in various stages of the request lifecycle. Additionally, providing a session handler has the benefit of being added in all AWS service requests (not just DynamoDB) which use that session. Perfect!

Here’s the AddTracingHeaders method above added as a session handler:

sess, err := session.NewSession(cfg)

// Add the AddTracingHeaders as the first Send handler. This is important as one
// of the default Send handlers does the work of sending the request.
sess.Handlers.Send.PushFront(AddTracingHeaders)

This looks promising. Testing showed that the first request to the AWS DynamoDB service is successful (200 Ok!) Traces look good too! We are getting somewhere, time to test some failure scenarios.

I added a Istio fault injection rule to return a HTTP 500 error on outgoing DynamoDB requests to exercise the AWS sdk’s retry logic. Snap! receiving the HTTP Status Code 400 with AccessDeniedException error again on every retry.

Looking at the AWS request send logic, it appears that on retriable errors the code makes a copy of the previous request, signs it and then invokes the Send handlers. This means that on retries the previously added tracing headers would get signed again (i.e. earlier problem is back, hence 400s) and then the AddTracingHeaders handler would add back the tracing headers.

Now that we understand the issue, the solution we came up with is to add the tracing headers after the request is signed and before it is sent out just like the earlier implementation. In addition, to make retries work we now need to remove these headers after the request is sent so that the resigning and reinvocation of AddTracingHeaders is handled correctly.

Final Interation

Here’s what the final working version looks like:

func injectFromContextIntoHeader(ctx context.Context, header http.Header) {
  if span := ot.SpanFromContext(ctx); span != nil {
    ot.GlobalTracer().Inject(
    span.Context(),
    ot.HTTPHeaders,
    ot.HTTPHeadersCarrier(header))
  }
}

func AddTracingHeaders() awsrequest.Option {
  return func(req *awsrequest.Request) {
    injectFromContextIntoHeader(req.Context(), req.HTTPRequest.Header)
  }
}

// This is a bit odd, inject tracing headers into an empty header map so that
// we can remove them from the request.
func RemoveTracingHeaders(req *awsrequest.Request) {
  header := http.Header{}
  injectFromContextIntoHeader(req.Context(), header)
  for k := range header {
    req.HTTPRequest.Header.Del(k)
  }
}

sess, err := session.NewSession(cfg)

// Add the AddTracingHeaders as the first Send handler.
sess.Handlers.Send.PushFront(AddTracingHeaders)

// Pushback is used here so that this handler is added after the request has
// been sent.
sess.Handlers.Send.PushBack(RemoveTracingHeaders)

Agreed, above solution looks far from elegant but it does work. I hope this post helps if you are in a similar situation.

If you have a better solution feel free to reach out to me at neeraj@aspenmesh.io

Leave a Reply

Your email address will not be published. Required fields are marked *