Add WithoutSubSpans option to NewClientTrace

[coryb]

This adds an optional behavior to NewClientTrace so that it only
adds events and annotations to the span found in SpanFromContext.
The default behavior remains unchanged, several sub-spans will be
created for each request. This optional behavior is useful when
tracing "complex" processes that have many http calls. In this case
the added sub-spans become "noise" and may distract from the overall
trace.

This also adds several useful attributes from data available
in the httptrace callbacks:

• http.conn.reused - bool if connection was reused
• http.conn.wasidle - bool if connection was idle
• http.conn.idletime - if wasidle, duration of idletime
• http.conn.start.network - start connection network type [tcp/udp]
• http.conn.done.network - end connection network type [tcp/udp]
• http.conn.done.addr - connection address when done
• http.dns.addrs - list of addrs returned from dns lookup

Fixes #876

[tonistiigi]

I'd prefer if this wouldn't leak the length/spaces or waste space with long tokens. Just constant *** sgtm

[pellared]

I have even a stronger point of view. I think in such a case, the attribute should NOT be included at all. This is to ensure we do not leak any security-related internals.

Reasoning: open-telemetry/opentelemetry-specification#1502 (comment)

This would be also more in line with other specification recommendations such us:

• https://github.com/open-telemetry/opentelemetry-specification/blame/main/specification/trace/semantic_conventions/http.md#L71
• https://github.com/open-telemetry/opentelemetry-specification/blame/main/specification/trace/semantic_conventions/database.md#L160

[coryb]

For now I have updated to use fixed **** value. We can instead drop those annotations completely, I dont really have a preference. If we drop them, I guess I would change the WithRedactedHeaders to WithIgnoredHeaders to alllow appending to the fixed list. We can also swap the default to not collect any headers unless a WithHeaders option is specified. For the edge case of trying to debug authentication-related issues, we could add WithRedactgnoredHeaders (or some such name) to keep headers in the spans but always hide the values.

[tonistiigi]

I prefer the redacted value instead of ignoring one. Seeing which requests were authenticated and which were not is an important common feature in tracing HTTP traffic and can point to issues.

[codecov]

Codecov Report

Merging #879 (f89b79d) into main (061e903) will increase coverage by 0.1%.
The diff coverage is 77.4%.

@@           Coverage Diff           @@
##            main    #879     +/-   ##
=======================================
+ Coverage   69.2%   69.4%   +0.1%     
=======================================
  Files         77      77             
  Lines       4850    4929     +79     
=======================================
+ Hits        3359    3423     +64     
- Misses      1353    1367     +14     
- Partials     138     139      +1     

Impacted Files	Coverage Δ
...on/net/http/httptrace/otelhttptrace/clienttrace.go	77.6% <77.4%> (+1.7%)	⬆️

[pellared]

The default behavior remains unchanged,

I think this is not true b/c of the default redactedHeaders.

Also is it possible to remove the default redactedHeaders if someone really wants to trace them (e.g. for some local testing)? I think that security should be "enabled" by default but there should always be an option to explicitly configure to some insecure settings.

[coryb]

The default behavior remains unchanged,

I think this is not true b/c of the default redactedHeaders.

True, there is a behaviour change due to the redacted headers. I didn't know about the leaking headers when I opened the issue and made that comment.

Also is it possible to remove the default redactedHeaders if someone really wants to trace them (e.g. for some local testing)? I think that security should be "enabled" by default but there should always be an option to explicitly configure to some insecure settings.

We could add a WithInsecureHeaders to disable the redaction and reset the current list. Motivated users could always just add an http.RoundTrip wrapper to their client that adds more attributes to the spans. Either option seems fine to me, curious if others have opinions...

[coryb]

curious if others have opinions...

No response, so I went ahead and added WithInsecureHeaders to facilitate the "debugging auth issues" use-case. Also extended the tests to verify WithoutHeaders, WithRedactedHeaders, and the new WithInsecureHeaders so there should not be a drop in test coverage.

[coryb]

Updated lint issue that broke the tests, I forgot to run the precommit check but it is working now.

[thaJeztah]

@coryb needs a rebase

[coryb]

Thanks for the ping, rebased, again. Hopefully we can get this merged in, please.

[coryb]

Could someone please poke the workflow approval button so the test will run?

[coryb]

Can we please get this merged in? We have two approvals and tests are passing ... what more is left?

[thaJeztah]

@coryb needs a rebase (again 😞)

[coryb]

Hi folks, I have rebased again to address merge conflicts on the CHANGELOG. It has now been a month since the last change other than the rebases, so this is pretty frustrating.

I need someone to poke the workflow approval button again.

[thaJeztah]

@pellared @Aneurysm9 are you able to help out to this PR moving? 🤗

[thaJeztah]

Thanks!