Skip to content

RA-7777: [Trillian] Added event timing that conforms to opentelemetry standards. #2

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
himaschal wants to merge 13 commits into
base: master
Choose a base branch
from
Open

RA-7777: [Trillian] Added event timing that conforms to opentelemetry standards. #2

himaschal wants to merge 13 commits into from

Conversation

@himaschal
Copy link
Collaborator

@himaschal himaschal commented Jul 30, 2025

Changes made:

This PR introduces basic OpenTelemetry-style trace and span ID propagation and structured logging middleware to the Trillian server. The changes are focused on improving observability and request tracing for both HTTP and gRPC endpoints.

  • Added request tracing - with a focus on timing - to Trillian log server which allows for structured logging of a request from http through to the gRpc calls.
  • Added structured logging package with transaction and span ID tracking
  • HTTP middleware for automatic request timing and context injection
  • gRPC interceptor for consistent tracing across service boundaries
  • Context propagation between HTTP and gRPC calls using standardized headers
  • JSON logging format
  • Added / updated tests
  • The logging is handled by the logrus library - which is useful for structured output.
  • Conforms to the opentelemetry standards for request correlation id's etc.

The are 2 health endpoints exposed in terms of the trillian project:

  • /metrics which uses the prometheus http handler and by default are not logged (this is standard practice) ie. we will not see any logs for this
  • /healthz which uses the standard http handler, runs on schedule, and we will see logs for these
{"elapsed":"0ms","event_id":"timing","level":"info","method":"GET","msg":"request completed","path":"/healthz","span_id":"e52096a54fe76c74","status":200,"time":"2025-07-30T08:03:39.413Z","trace_id":"26870f0e8feb8c310f1b327e9740d282"}
{"elapsed":"0ms","event_id":"timing","level":"info","method":"GET","msg":"request completed","path":"/healthz","span_id":"4955ed2f3c011b0e","status":200,"time":"2025-07-30T08:04:09.413Z","trace_id":"6ac1f80f10b665da523e5ac0fb0f0018"}
{"elapsed":"0ms","event_id":"timing","level":"info","method":"GET","msg":"request completed","path":"/healthz","span_id":"3da73e7ec906d795","status":200,"time":"2025-07-30T08:04:39.412Z","trace_id":"82b811e0a0bded795379b0b173b4a478"}
{"elapsed":"0ms","event_id":"timing","level":"info","method":"GET","msg":"request completed","path":"/healthz","span_id":"dfc9cdddae887aaf","status":200,"time":"2025-07-30T08:05:09.410Z","trace_id":"c4d03a16c17588e50f53a22c6c4197a0"}
{"elapsed":"1ms","event_id":"timing","level":"info","method":"GET","msg":"request completed","path":"/healthz","span_id":"1f22ec8af0ea9848","status":200,"time":"2025-07-30T08:05:39.411Z","trace_id":"03706449e94d468fdaebb7f203acf5d1"}
{"elapsed":"0ms","event_id":"timing","level":"info","method":"GET","msg":"request completed","path":"/healthz","span_id":"e956b94da9578b2f","status":200,"time":"2025-07-30T08:06:09.413Z","trace_id":"6164ac16d5df1f7bce54f26eea05064c"}

We can also see that the gRpc call is logged (tested from invoking the get-sth call and tracing through)

curl -H 'traceparent: 00-$(openssl rand -hex 16)-$(openssl rand -hex 8)-01' http://localhost:6962/log/ct/v1/get-sth
Handling connection for 6962
{"tree_size":0,"timestamp":1753850472067,"sha256_root_hash":"47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=","tree_head_signature":"BAMASDBGAiEAvDCfQQenVkH7s4zI+Nw5Ueugok7ntLsTCoZ5lN8ZaWsCIQCAAV2jofjsu0uEyCNr6YwsXzgXJ/tVihO57ORIqZLfKw=="}%

Expected:
Both the CTFE and Logserver should have the same trace_id and different span id's

CTFE logs:

{"elapsed":"3ms","event_id":"timing","level":"info","method":"GET","msg":"request completed","path":"/log/ct/v1/get-sth","span_id":"613cf118eb34bf77","status":200,"time":"2025-07-30T08:13:05.593Z","trace_id":"5e7facbbfcd4725608bde5bac22f2606"}

Logserver (Trillian):

{"elapsed":0,"event_id":"timing","level":"info","method":"/trillian.TrillianLog/GetLatestSignedLogRoot","msg":"gRPC call completed","span_id":"87be766ec02e7cef","status":"OK","time":"2025-07-30T08:13:05.592Z","trace_id":"5e7facbbfcd4725608bde5bac22f2606"}

himaschal and others added 12 commits July 17, 2025 13:12
@himaschal
RA-7777: Incorporated logging of timing for a request from the http r…
9cb64e4 
…equest to response. Added transaction_id and span_id to the requests and propogate them through to the gRpc calls to help trace a request from end to end. NB. this also requires changes on the certificate-transparency-go project (ctfe) to be useful.
@himaschal
RA-7777: updated .gitignore for ide directories
c411a0c
@himaschal
RA-7777: modified logging format to json
83af335
@himaschal
RA-7777: Added some basic tests for the logger
6d206c3
@himaschal
RA-7777: Added some tests for the middleware
1d0787a
@himaschal @github-advanced-security
Potential fix for code scanning alert no. 6: Log entries created from…
4c15c30 
… user input

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
@himaschal
Remove custom message. It was used for testing purposes only
5b85e61
@himaschal
Missed an import
7d0472f
@himaschal
The span id was being propogated through to each service. This is inc…
5f3edbe 
…orrect behavior. Each service should generate its own span id
@himaschal
RA-7777: Sanitize the transaction_id to some degree of confidence
c6dd30a
@himaschal
Revert "RA-7777: Sanitize the transaction_id to some degree of confid…
f261a64 
…ence"

This reverts commit c6dd30a.
@himaschal
Implement OpenTelemetry-compliant distributed tracing
7311cab 
- Replace legacy transaction_id with standard trace_id (32-char hex)
- Generate OpenTelemetry-standard IDs using crypto/rand (128-bit trace, 64-bit span)
- Implement proper service boundary handling (trace_id propagates, span_id doesn't)
- Add gRPC metadata support for x-trace-id header propagation
- Update HTTP middleware to integrate with logging system
- Add sanitization for security in log output (newline removal)
- Update all tests to reflect new field names and behavior
- Maintain backward compatibility for Trillian's role as backend gRPC service
- Add MiddlewareFunc for HTTP handler function wrapping
- Ensure proper trace correlation across CTFE->Trillian service calls
github-advanced-security[bot]
github-advanced-security bot found potential problems Jul 30, 2025
View reviewed changes
@himaschal himaschal mentioned this pull request Jul 30, 2025
Open
@himaschal himaschal changed the title RA-7777: Added event timing that conforms to opentelemetry standards. RA-7777: [Trillian] Added event timing that conforms to opentelemetry standards. Jul 30, 2025
@himaschal himaschal mentioned this pull request Aug 7, 2025
Closed
ryanmilne-digicert
ryanmilne-digicert reviewed Nov 3, 2025
View reviewed changes
.gitignore
/trillian_map_server
default.etcd
cockroach-data/
server/.DS_Store
Copy link

@ryanmilne-digicert ryanmilne-digicert Nov 3, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

change this to just .DS_Store and it will exclude it from all folders.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ryanmilne-digicert ryanmilne-digicert ryanmilne-digicert left review comments

@tando-nxiweni tando-nxiweni Awaiting requested review from tando-nxiweni

@shamaneta shamaneta Awaiting requested review from shamaneta

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@himaschal @ryanmilne-digicert