github apollographql/router v1.35.0

9 months ago

🚀 Features

Federation v2.6.1

This updates the Apollo Federation version to v2.6.1.

By @Geal in #4296

Support configurable heartbeat for subscription callback protocol (Issue #4115)

The heartbeat interval that the Apollo Router uses for the subscription callback protocol is now configurable.

The heartbeat can even be disabled for certain platforms.

An example configuration:

subscription:
  enabled: true
  mode:
    preview_callback:
      public_url: http://127.0.0.1:4000
      heartbeat_interval: 5s # Optional
      listen: 127.0.0.1:4000
      path: /callback
      subgraphs:
      - accounts

By @bnjjj in #4246

Enhanced telemetry (Issue #3226)

Telemetry functionality has been enhanced. The enhancements include:

  • Allowing fine-grained configuration of attributes on router, supergraph and subgraph spans.
  • Allowing coarse-grained control over attributes using OpenTelemetry requirement levels.
  • Bringing attributes into alignment with OpenTelemetry semantic conventions, with many new attributes now being configurable.
  • Allowing custom attributes to be easily declared in YAML.

The enhanced telemetry enables new benefits. They include:

  • Easily including trace IDs in your log statements for correlation.
  • Extracting domain-specific data from the router's execution pipeline, for example custom trace IDs.
  • Diagnosing network-related issues with standard OpenTelemetry HTTP attributes.
  • Improving performance by avoiding the use of large attributes on spans such as graphql.document.

See the updated telemetry documentation for details on the new enhancements.

By @bnjjj, @BrynCooke and Edward Huang in #4102 and #4129

🐛 Fixes

Remove doubled slash (//) in logs for health check URL (Issue #4270)

Adding the ability to specify the path of the health endpoint introduced an error in the logging. An extra / was added before the specified path resulting in an unintended double-slash (//) in the rendered URL. It did not affect the actual health check endpoint. This is now fixed.

By @juancarlosjr97 in #4278

Improved query deduplication with extracted authorization information from subgraph queries (PR #4208)

Query deduplication has been improved with authorization information extracted from subgraph queries.

Previously, query deduplication was already taking authorization information into account in its key, but that was for the global authorization context (the intersection of what the query authorization requires and what the request token provides).
This was very coarse-grained, because some subgraph queries have different authorization requirements, or even no authorization requirements.

In this release, the authorization information from subgraph queries is used for deduplication. This now means that deduplicated queries can be shared more widely across different authorization contexts.

By @Geal in #4208
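The following added example (not the router's code) models the two key choices described above: sharing widens for requests whose tokens agree on the scopes a subgraph query needs, while requests that differ on those scopes still get separate keys. The `Fetch` type, the scope names, the subgraph names and the key layout are assumptions made for illustration.

```rust
use std::collections::BTreeSet;

pub type Scopes = BTreeSet<&'static str>;
/// (subgraph name, query text, authorization part of the key)
pub type DedupKey = (&'static str, &'static str, Vec<&'static str>);

/// Constructed subgraph fetch; `requires` lists the scopes its own fields need.
pub struct Fetch {
    pub subgraph: &'static str,
    pub query: &'static str,
    pub requires: Scopes,
}

pub fn scopes(items: &[&'static str]) -> Scopes {
    items.iter().copied().collect()
}

/// Coarse key: authorization part is (scopes the whole client query requires)
/// intersected with (scopes the request token provides).
pub fn coarse_key(f: &Fetch, whole_query: &Scopes, token: &Scopes) -> DedupKey {
    (f.subgraph, f.query, whole_query.intersection(token).copied().collect())
}

/// Fine key: authorization part is (scopes this subgraph query requires)
/// intersected with the token, so unrelated scopes no longer split the key.
pub fn fine_key(f: &Fetch, token: &Scopes) -> DedupKey {
    (f.subgraph, f.query, f.requires.intersection(token).copied().collect())
}

/// Constructed fetches planned from one client query (hypothetical names).
pub fn sample_fetches() -> (Fetch, Fetch) {
    let email = Fetch { subgraph: "accounts", query: "{ me { email } }", requires: scopes(&["read:email"]) };
    let notes = Fetch { subgraph: "reviews", query: "{ me { privateNotes } }", requires: scopes(&["read:notes"]) };
    (email, notes)
}

fn main() {
    let whole_query = scopes(&["read:email", "read:notes"]);
    let alice = scopes(&["read:email", "read:notes"]);
    let bob = scopes(&["read:email"]);
    let (email, notes) = sample_fetches();
    // Both tokens carry read:email: the coarse keys differ, the fine keys match.
    println!("{}", coarse_key(&email, &whole_query, &alice) == coarse_key(&email, &whole_query, &bob));
    println!("{}", fine_key(&email, &alice) == fine_key(&email, &bob));
    // Only one token carries read:notes: the fine keys differ, nothing is shared.
    println!("{}", fine_key(&notes, &alice) == fine_key(&notes, &bob));
}
```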

Add missing schemas for Redis connections (Issue #4173)

Previously, support for additional schemas for the Redis client used in the Apollo Router was added. However, the router's Redis connection logic wasn't updated to process the new schema options.

The Redis connection logic has been updated in this release.

By @garypen in #4174

Relax JWKS requirements (PR #4234)

Previously, in the Apollo Router's logic for validating a JWT with a corresponding JWK, a bug occurred when the use and key_ops JWK parameters were absent, resulting in the key not being selected for verification. This bug has been fixed in this release.

By @Geal in #4234
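The selection rule at issue, as an added example rather than the router's own code: both `use` and `key_ops` are optional members in RFC 7517, so an absent member should place no restriction on the key, while a present member must still permit verification. The `Jwk` struct, the function names and the sample key set are assumptions; `strict_allows_verify` models the failure described above by treating an absent member as a mismatch.

```rust
/// Minimal JWK view holding only the members relevant to key selection.
/// `key_use` stands for the JWK "use" member, `key_ops` for "key_ops".
#[derive(Debug, Clone, PartialEq)]
pub struct Jwk {
    pub kid: &'static str,
    pub key_use: Option<&'static str>,
    pub key_ops: Option<Vec<&'static str>>,
}

/// Model of the old behaviour (assumption): an absent member is a mismatch.
pub fn strict_allows_verify(k: &Jwk) -> bool {
    k.key_use == Some("sig")
        && k.key_ops.as_ref().map_or(false, |ops| ops.contains(&"verify"))
}

/// Relaxed rule: an absent member places no restriction; a present member
/// must still permit signature verification.
pub fn relaxed_allows_verify(k: &Jwk) -> bool {
    let use_ok = k.key_use.map_or(true, |u| u == "sig");
    let ops_ok = k.key_ops.as_ref().map_or(true, |ops| ops.contains(&"verify"));
    use_ok && ops_ok
}

/// Pick the key named by the JWT header's `kid`, if the rule accepts it.
pub fn select<'a>(keys: &'a [Jwk], kid: &str, rule: fn(&Jwk) -> bool) -> Option<&'a Jwk> {
    keys.iter().find(|k| k.kid == kid && rule(k))
}

/// Constructed JWKS for illustration (no real key material).
pub fn sample_jwks() -> Vec<Jwk> {
    vec![
        Jwk { kid: "bare", key_use: None, key_ops: None },
        Jwk { kid: "sig-verify", key_use: Some("sig"), key_ops: Some(vec!["verify"]) },
        Jwk { kid: "enc-only", key_use: Some("enc"), key_ops: None },
        Jwk { kid: "sign-only", key_use: None, key_ops: Some(vec!["sign"]) },
    ]
}

fn main() {
    let keys = sample_jwks();
    for kid in ["bare", "sig-verify", "enc-only", "sign-only"] {
        let strict = select(&keys, kid, strict_allows_verify).is_some();
        let relaxed = select(&keys, kid, relaxed_allows_verify).is_some();
        println!("{kid:<10} strict={strict} relaxed={relaxed}");
    }
}
```

Relaxing the rule only changes the outcome for keys that omit the members: a key marked for encryption or for signing only is still rejected.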

Session count metrics no longer go negative (Issue #3485)

Previously, the apollo_router_session_count_total and apollo_router_session_count_active metrics were using counters that could become negative unexpectedly.

This issue has been fixed in this release, with the metric type changed from counter to gauge.

By @Geal in #3787

Decrease default GraphQL parser recursion limit to 500 (PR #4205)

The Apollo Router's GraphQL parser uses recursion for nested selection sets, list values, or object values. The nesting level is limited to protect against stack overflow.

Previously the default limit was 4096. That limit has been decreased to 500 in this release.

You can change the limit (or backport the new default to older router versions) in YAML configuration:

limits:
  parser_max_recursion: 700

Note: deeply nested selection sets often cause deeply nested response data. When handling a response from a subgraph, the JSON parser has its own recursion limit of 128 nesting levels. That limit is not configurable.

By @SimonSapin in #4205
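How a recursion limit bounds stack use in a recursive-descent parser, as an added example that is not the router's or apollo-parser's code. It tracks only `{ ... }` nesting (selection sets and object values); the function names, the error type and the generated input are assumptions.

```rust
/// Default from this release; `limits.parser_max_recursion` overrides it.
pub const DEFAULT_MAX_RECURSION: usize = 500;

#[derive(Debug, PartialEq)]
pub enum ParseError {
    RecursionLimit(usize),
    Unbalanced,
}

/// Returns the deepest `{ ... }` nesting level in `query`, or an error once
/// the nesting exceeds `limit`. Assumption: braces inside string values are
/// not special-cased, and `[ ... ]` list values are not tracked.
pub fn max_depth(query: &str, limit: usize) -> Result<usize, ParseError> {
    let mut pos = 0;
    walk(query.as_bytes(), &mut pos, 0, limit)
}

// One call per nesting level, mirroring a recursive-descent parser.
fn walk(src: &[u8], pos: &mut usize, level: usize, limit: usize) -> Result<usize, ParseError> {
    let mut deepest = level;
    while *pos < src.len() {
        match src[*pos] {
            b'{' => {
                // Checked before recursing, so stack use is bounded by `limit` frames.
                if level + 1 > limit {
                    return Err(ParseError::RecursionLimit(limit));
                }
                *pos += 1;
                deepest = deepest.max(walk(src, pos, level + 1, limit)?);
                if *pos >= src.len() || src[*pos] != b'}' {
                    return Err(ParseError::Unbalanced);
                }
                *pos += 1;
            }
            b'}' if level == 0 => return Err(ParseError::Unbalanced),
            b'}' => return Ok(deepest),
            _ => *pos += 1,
        }
    }
    Ok(deepest)
}

/// Constructed input: `depth` nested selection sets, e.g. `{ a { a } }`.
pub fn nested_query(depth: usize) -> String {
    format!("{}{}", "{ a ".repeat(depth), "} ".repeat(depth))
}

fn main() {
    println!("{:?}", max_depth(&nested_query(500), DEFAULT_MAX_RECURSION));
    println!("{:?}", max_depth(&nested_query(501), DEFAULT_MAX_RECURSION));
}
```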

Fix gRPC metadata configuration (Issue #2831)

Previously, telemetry exporters that used gRPC as a protocol would not correctly parse metadata configuration. Consequently, a user was forced to use a workaround of specifying a list of values instead of a map. For example:

telemetry:
  exporters:
    tracing:
      otlp:
        grpc:
          metadata:
            "key1": "value1" # Failed to parse
            "key2":  # Succeeded to parse
              - "value2"

This issue has been fixed, and the following example with a map of values now parses correctly:

telemetry:
  exporters:
    tracing:
      otlp:
        grpc:
          metadata:
            "key1": "value1"

By @BrynCooke in #4285

Input object values can be empty

This updates to apollo-parser@0.7.4 which fixes a critical bug introduced in apollo-parser@0.7.3 where empty input objects failed to parse. The following is valid again:

{ field(argument: {}) }

By @goto-bus-stop in #4309

Rename apollo.router.telemetry.studio.reports' type attribute (Issue #4300)

To better comply with OpenTelemetry naming conventions, for apollo.router.telemetry.studio.reports the type attribute has been renamed to report.type.

Please update your dashboards if you are monitoring this metric.

By @garypen in #4302

Rhai scripts no longer prevent traces from appearing in Apollo Studio (PR #4228)

Previously, the trace report for the Apollo Router when configured with a Rhai script may have been incomplete. That issue has been resolved in this release.

By @bnjjj in #4228

🛠 Maintenance

Improve the secure deployability of our Helm Chart and Docker Image (Issue #3856)

This is a security improvement for the Apollo Router that is achieved by:

  • Switching the router process owner from root to a user with fewer privileges
  • Changing the default port from 80 to 4000
  • Updating the base image from bullseye (Debian 11) to bookworm (Debian 12)

The primary motivation for these changes is that many Kubernetes environments impose security restrictions on containers. For example:

  • Don't run as root
  • Can't bind to ports < 1024

With these changes in place, the router is more secure by default and much simpler to deploy to secure environments.

The base Debian image has also been updated at this time to keep up with bug fixes in the base image.

Changing the default port in the Helm chart from 80 to 4000 is an innocuous change. This shouldn't impact most users. Changing the default user from root to router will have an impact. You will no longer be able to exec into the running container (Kubernetes or Docker) and perform root-privilege operations. The container is now "locked down" by default. This is good for security, but less convenient for support or debugging.

Although it's not recommended to revert to the previous behavior of the router executing as root and listening on port 80, it's possible to achieve that with the following configuration:

router:
  configuration:
    supergraph:
      listen: 0.0.0.0:80
securityContext:
  runAsUser: 0

By @garypen in #3971

Improve Uplink error and warning messages (Issue #3877)

A few log messages for Apollo Uplink have been improved:

  • Added a warning if the router is started with only a single Uplink URL.
  • Improved the error messages shown when a fetch from Uplink fails.

By @bonnici in #4250

Centralize telemetry resource cleanup (Issue #4121)

The OpenTelemetry shutdown procedures within the Apollo Router have been improved by centralizing the cleanup logic.

By @garypen in #4148
