github robintra/perf-sentinel v0.5.2

one month ago

What's new in v0.5.2

Two new trace ingestion surfaces. perf-sentinel jaeger-query queries any backend that speaks the Jaeger query HTTP API, which covers Jaeger upstream and Victoria Traces in one subcommand. Both jaeger-query and the existing tempo gain --auth-header (curl-style "Name: Value") and --auth-header-env NAME (env-var read, no ps exposure) so backends sitting behind an auth proxy no longer require a local port-forward. Header validation is strict: 8 KiB input cap, non-empty name and value, RFC 7230 character restrictions (no CR/LF, no non-visible ASCII), and a blocklist of framing and authority headers (Host, Content-Length, Transfer-Encoding, Connection, Upgrade, TE, Proxy-Connection) to keep a malicious environment-variable expansion from hijacking the request shape. Credentials are marked sensitive so hyper redacts them from debug output and HTTP/2 HPACK tables, and a tracing::warn! fires when a token would travel over cleartext http://. 57 new tests land alongside the features.
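The validation rules above can be sketched as a small parser. This is an added example, not perf-sentinel's own code: the names parse_auth_header, HeaderError and expose are hypothetical, and it assumes that only printable ASCII, space and tab may appear anywhere in the input.

```rust
use std::fmt;

const MAX_LEN: usize = 8 * 1024; // 8 KiB input cap
// Framing and authority headers named in the release notes.
const FORBIDDEN: [&str; 7] = ["host", "content-length", "transfer-encoding",
    "connection", "upgrade", "te", "proxy-connection"];

pub struct AuthHeader { pub name: String, value: String }
impl AuthHeader { pub fn expose(&self) -> &str { &self.value } }

// Debug shows the header name only, never the credential.
impl fmt::Debug for AuthHeader {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        write!(f, "AuthHeader({}: <redacted>)", self.name)
    }
}

#[derive(Debug, PartialEq)]
pub enum HeaderError { TooLong, NoColon, EmptyName, EmptyValue, BadChar, Forbidden }

// RFC 7230 "tchar": the characters allowed in a header field name.
fn is_tchar(b: u8) -> bool {
    b.is_ascii_alphanumeric() || b"!#$%&'*+-.^_`|~".contains(&b)
}

pub fn parse_auth_header(line: &str) -> Result<AuthHeader, HeaderError> {
    if line.len() > MAX_LEN { return Err(HeaderError::TooLong); }
    // Inspect the raw input before trimming, so a trailing CR/LF is rejected
    // rather than silently dropped. Assumption: printable ASCII, SP, HTAB only.
    if line.bytes().any(|b| b != b'\t' && !(0x20..=0x7e).contains(&b)) {
        return Err(HeaderError::BadChar);
    }
    let (name, value) = line.split_once(':').ok_or(HeaderError::NoColon)?;
    let ws = |c: char| c == ' ' || c == '\t';
    let (name, value) = (name.trim_matches(ws), value.trim_matches(ws));
    if name.is_empty() { return Err(HeaderError::EmptyName); }
    if value.is_empty() { return Err(HeaderError::EmptyValue); }
    if !name.bytes().all(is_tchar) { return Err(HeaderError::BadChar); }
    if FORBIDDEN.iter().any(|f| f.eq_ignore_ascii_case(name)) { return Err(HeaderError::Forbidden); }
    Ok(AuthHeader { name: name.into(), value: value.into() })
}

fn main() {
    // Constructed sample inputs, not real credentials.
    for s in ["Authorization: Bearer sample-token", "HOST: other.example", "X-Key: a\r\nX: b"] {
        println!("{:?}", parse_auth_header(s));
    }
}
```

Checking control characters before trimming matters for --auth-header-env: a variable that picked up a trailing newline fails loudly instead of being quietly accepted.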

Added

  • jaeger-query subcommand. Queries any backend speaking the Jaeger query HTTP API (/api/traces?service=X&lookback=Ns&limit=N and /api/traces/<id>). Covers Jaeger upstream AND Victoria Traces since both expose the same API surface. Unlike Tempo's ID-only /api/search followed by N per-trace fetches, Jaeger returns full traces in the search response so one round trip covers the entire ingestion. Flags mirror tempo: --endpoint, --trace-id, --service, --lookback, --max-traces (bounded 1..=10_000), --format, --ci. Gated by the new jaeger-query Cargo feature (default-on in the CLI binary). See docs/INTEGRATION.md "Jaeger query API integration" for the full recipe.
  • --auth-header "Name: Value" on both tempo and jaeger-query. Curl-format header line attached to every backend request. Covers Bearer tokens, Basic Auth, and custom API-key headers (Grafana Cloud multi-tenant X-Scope-OrgID, custom X-API-Key, etc.). Values are marked sensitive and never logged (only the header name is logged, for multi-tenant debugging).
  • --auth-header-env NAME on both subcommands. Reads the header line from the named environment variable instead of from argv, so the credential never appears in ps / /proc/<pid>/cmdline. Mutually exclusive with --auth-header.

Changed

  • BREAKING for library consumers (pre-1.0 so minor-bump allowed). The public ingest functions tempo::search_traces, tempo::fetch_trace, tempo::ingest_from_tempo, jaeger_query::search_and_fetch_traces, jaeger_query::fetch_trace, and jaeger_query::ingest_from_jaeger_query gain an auth: Option<&AuthHeader> (or auth_header: Option<&str> at the top-level boundary) parameter. External consumers calling these directly must pass None to keep the previous behaviour. CLI users are unaffected.

Fixed

  • Cleartext HTTP + auth header emits tracing::warn!. When the endpoint starts with http:// and an auth header is present, the subcommand logs a warning before sending the request, so an http:// vs https:// typo is caught before the credential traverses the network in the clear.

Tests

  • 57 new tests across the ingest layer. 16 on AuthHeader parsing (bearer / custom / trim / forbidden names / empty name / empty value / CRLF / oversized input / case-insensitive blocklist / internal-tab preservation / Debug redaction), 8 on the shared lookback parser (overflow on multiplication, overflow on addition, happy paths), 4 on the shared URL helpers, wire-level asserts that the Authorization header actually lands on the socket for BOTH jaeger-query (single connection) and tempo (dual connection through the parallel fetch fanout), plus the remaining coverage for error paths (malformed JSON, 404, 500, timeout, invalid endpoint, credentials rejected, missing service/trace-id).

Docs

  • New "Jaeger query API integration" section in docs/INTEGRATION.md plus French parity. Full recipes (single-trace, service-scoped search, CI mode), caveats on backend retention and the 256 MiB response cap, recipes for both Jaeger upstream and Victoria Traces.
  • docs/LIMITATIONS.md plus French parity: the "Query-API subcommands" section rewritten. Two new sub-sections describe --auth-header usage (with the ps visibility note and one-header-per-invocation constraint) and the --auth-header-env alternative. Validation rules (8 KiB cap, non-empty name and value, forbidden header names, RFC 7230 restrictions) are listed for transparency.

Install

Prebuilt binaries (Linux amd64 / arm64, macOS arm64, Windows amd64):

curl -LO https://github.com/robintra/perf-sentinel/releases/download/v0.5.2/perf-sentinel-linux-amd64
chmod +x perf-sentinel-linux-amd64
sudo mv perf-sentinel-linux-amd64 /usr/local/bin/perf-sentinel

Linux binaries are statically linked against musl and run on any distribution (Alpine, Debian, RHEL, Ubuntu any version) regardless of glibc version, and inside FROM scratch images.

From crates.io:

cargo install perf-sentinel

Docker:

docker run --rm -p 4317:4317 -p 4318:4318 \
  ghcr.io/robintra/perf-sentinel:0.5.2 watch --listen-address 0.0.0.0

Also available on Docker Hub: robintrassard/perf-sentinel:0.5.2.

Helm (chart 0.2.2 ships 0.5.2 as its appVersion default):

helm install perf-sentinel oci://ghcr.io/robintra/charts/perf-sentinel \
  --version 0.2.2 \
  --namespace observability --create-namespace

Verify the binary against SHA256SUMS.txt:

curl -LO https://github.com/robintra/perf-sentinel/releases/download/v0.5.2/SHA256SUMS.txt
sha256sum -c SHA256SUMS.txt --ignore-missing

Full diff: v0.5.1...v0.5.2
