Skip to content

Telemetry: stop retrying into 429s, honour Retry-After, fix userAgent#354

Open
samikshya-db wants to merge 8 commits into
mainfrom
telemetry-429-circuit-breaker-and-user-agent
Open

Telemetry: stop retrying into 429s, honour Retry-After, fix userAgent#354
samikshya-db wants to merge 8 commits into
mainfrom
telemetry-429-circuit-breaker-and-user-agent

Conversation

@samikshya-db
Copy link
Copy Markdown
Collaborator

@samikshya-db samikshya-db commented May 5, 2026
edited
Loading

Summary

After v1.11.0 enabled telemetry by default via the server feature flag, high-QPS workloads produced excessive 429s on /telemetry-ext. Three issues compounded:

  1. Double-retry. The telemetry exporter ran its own retry loop on top of the retryablehttp-wrapped HTTP client (internal/client.RetryableClient), which already retries 429/5xx with Retry-After. Result: up to RetryMax × (MaxRetries+1) HTTP attempts per export, all collapsed into a single circuit-breaker outcome — so the breaker barely opened against persistent throttling.
  2. Untraceable in access logs. Telemetry POSTs and feature-flag GETs sent no User-Agent, so 429s landed in access logs tagged as Go-http-client/1.1 and could not be attributed to godatabrickssqlconnector by driver version.
  3. High request volume. FlushInterval=5s / BatchSize=100.

Changes

Retry behavior

  • telemetry/exporter.go — Removed doExport's retry loop entirely. doExport now makes a single HTTP request; transient retries (429/5xx, Retry-After) are owned by the underlying retryablehttp client. Each export() call now corresponds to exactly one HTTP transaction = one breaker outcome.
  • telemetry/config.go, telemetry/driver_integration.go — Removed MaxRetries / RetryDelay from telemetry.Config and TelemetryInitOptions. telemetry_retry_count / telemetry_retry_delay DSN params still parse without error for backwards compatibility but are no-ops.

Identifiability

  • connector.go — New buildUserAgent helper mirroring internal/client/client.go:295-302 exactly: DriverName/DriverVersion + optional UserAgentEntry + agent product.
  • telemetry/exporter.go, telemetry/featureflag.go — Set User-Agent on telemetry POST and feature-flag GET. Plumbed via TelemetryInitOptions.UserAgent.

Cadence and breaker tuning

  • telemetry/config.goFlushInterval 5s → 30s, BatchSize 100 → 200.
  • telemetry/circuitbreaker.gominimumNumberOfCalls 20 → 10 (so low-traffic clients can trip the breaker now that each export is one signal), waitDurationInOpenState 30s → 60s (respect typical Retry-After).

Tests

  • Removed obsolete retry/backoff tests (TestExport_RetryOn5xx, TestExport_ExponentialBackoff, TestIsRetryableStatus, retry-config parsing tests).
  • Added TestExport_SingleAttemptPerExport covering 4xx/429/5xx, asserting the exporter never retries.
  • Added TestExport_SetsUserAgent and TestFetchFeatureFlag_SetsUserAgent.

Mitigation

While this rolls out, users can opt out via DSN: enableTelemetry=false. Server-side: disable enableTelemetryForGoDriver for affected workspaces.

Test plan

  • go test ./... — all green locally.
  • Exporter never retries (4xx, 429, 500, 503).
  • User-Agent set on telemetry POST and feature-flag GET.
  • Verify in Lumberjack post-deploy that /telemetry-ext and /api/2.0/connector-service/feature-flags/GOLANG/... requests carry godatabrickssqlconnector/<version> in http_user_agent.
  • Confirm 429 rate against /telemetry-ext drops after rollout.

This pull request and its description were written by Isaac.

@samikshya-db samikshya-db changed the title Stop telemetry 429s from amplifying load and identify telemetry traffic Stop telemetry 429s from retrying with backoff only for telemetry endpoint + fix userAgent on telemetry May 5, 2026
@samikshya-db samikshya-db force-pushed the telemetry-429-circuit-breaker-and-user-agent branch from 1300f1a to fbb0263 Compare May 5, 2026 10:19
@samikshya-db
Telemetry: stop double-retrying, identify traffic, tune breaker
d47bf99 
After v1.11.0 enabled telemetry by default via the server feature flag,
high-QPS workloads produced excessive 429s on /telemetry-ext. Three
issues compounded:

1. Double-retry. The exporter ran its own retry loop on top of the
   retryablehttp-wrapped HTTP client (internal/client.RetryableClient),
   which already retries 429/5xx with Retry-After. Result: up to
   RetryMax * (MaxRetries+1) HTTP attempts per export, all collapsed
   into one circuit-breaker outcome — so the breaker barely opened.
2. Untraceable in access logs. Telemetry POSTs and feature-flag GETs
   sent no User-Agent, so 429s were tagged Go-http-client/1.1 and
   could not be attributed to godatabrickssqlconnector by version.
3. High request volume. FlushInterval=5s, BatchSize=100.

Changes:

- telemetry/exporter.go: drop the retry loop entirely. doExport now
  makes a single HTTP request; transient retries (429/5xx, Retry-After)
  are owned by the underlying retryablehttp client. Each export call
  → exactly one breaker outcome.
- telemetry/exporter.go, telemetry/featureflag.go: set User-Agent
  header on telemetry POST and feature-flag GET. Built once at the
  connector site (buildUserAgent in connector.go), mirroring
  internal/client/client.go format
  (DriverName/DriverVersion + UserAgentEntry + agent product), and
  plumbed via TelemetryInitOptions.UserAgent.
- telemetry/config.go: FlushInterval 5s → 30s, BatchSize 100 → 200.
  Remove MaxRetries/RetryDelay from telemetry.Config and
  TelemetryInitOptions; telemetry_retry_count/_delay DSN params still
  parse for backwards compat but are no-ops.
- telemetry/circuitbreaker.go: lower minimumNumberOfCalls 20 → 10
  (so low-traffic clients can still trip the breaker on a sustained
  outage now that each export is one signal), and raise
  waitDurationInOpenState 30s → 60s (respect typical Retry-After).
- Tests: removed obsolete retry/backoff tests; added single-attempt
  assertion across 4xx/429/5xx; added User-Agent assertions on both
  endpoints.

Co-authored-by: Isaac
@samikshya-db samikshya-db force-pushed the telemetry-429-circuit-breaker-and-user-agent branch from fbb0263 to d47bf99 Compare May 5, 2026 10:40
@samikshya-db samikshya-db changed the title Stop telemetry 429s from retrying with backoff only for telemetry endpoint + fix userAgent on telemetry Telemetry: stop double-retrying, identify traffic, tune breaker May 5, 2026
@samikshya-db samikshya-db changed the title Telemetry: stop double-retrying, identify traffic, tune breaker Telemetry: stop double-retrying, fix user-agent, tune circuit breaker May 5, 2026
@samikshya-db
Telemetry: skip retryablehttp 429 retries, honour Retry-After, jitter…
d130207 
… first flush

The previous commit removed the exporter's inner retry loop, but the
retryablehttp layer (RetryMax=4) was still amplifying each telemetry
export into up to 5 attempts on a 429 — defeating the breaker because
only the final outcome was observed.

- internal/client: add WithSkipRateLimitRetry context helper. RetryPolicy
  treats 429 as non-retryable when the flag is set; 5xx and transport
  errors are unaffected. Set on telemetry POSTs and feature-flag GETs so
  each rate-limited request is exactly one HTTP transaction = one
  breaker signal.
- telemetry/circuitbreaker: record server-provided Retry-After deltas
  from 429 responses; the open-state wait becomes
  max(waitDurationInOpenState, hint). Hint cleared on the next
  half-open -> closed transition.
- telemetry/aggregator: offset the first flush by a random
  [0, FlushInterval) so a fleet of clients booted together does not
  phase-align bursts.

Co-authored-by: Isaac
@samikshya-db samikshya-db changed the title Telemetry: stop double-retrying, fix user-agent, tune circuit breaker Telemetry: stop retrying into 429s, honour Retry-After, identify traffic May 13, 2026
@samikshya-db samikshya-db changed the title Telemetry: stop retrying into 429s, honour Retry-After, identify traffic Telemetry: stop retrying into 429s, honour Retry-After, fix userAgent May 13, 2026
@samikshya-db
Telemetry: address PR #354 review findings
203e1ef 
- Doc accuracy on retry semantics: WithSkipRateLimitRetry only suppresses
  429s. Generic 5xx and transport errors are governed by ClientMethod, so
  telemetry contexts (which set no ClientMethod) get one-shot semantics on
  those failure modes; 503 still retries via the method-agnostic path.
  Updated SkipRateLimitRetry godoc and doExport comment to match.
- Drop dead TelemetryRetryCount / TelemetryRetryDelay fields from
  UserConfig. The DSN keys are still consumed (so they do not leak into
  session params) but no longer stored. Cleaned up assertions in
  config_test.go and connector_test.go.
- Clear retryAfterHint when the breaker transitions Open -> Half-Open, so
  a stale hint cannot extend a later reopen that did not carry its own
  Retry-After. Collapsed the two-step lock dance in execute() into one
  critical section. Updated godoc.
- Guard rand.Int63n against a zero flushInterval in flushLoop.
- Document the first-caller-wins User-Agent behaviour on the per-host
  telemetry client singleton, since later connections on the same host
  reuse the cached client.

Co-authored-by: Isaac
@samikshya-db samikshya-db requested a review from gopalldb May 13, 2026 20:49
@samikshya-db
Fix lint: gofmt -s, drop dogsled, remove unused setState
472c256 
- gofmt -s on connector_test.go, internal/config/config_test.go,
  telemetry/exporter.go (struct alignment + missing blank line).
- internal/config/config.go: telemetry_retry_count is parsed for
  backwards compat then discarded, so call extract (2 returns) rather
  than extractAsInt (3 returns) to satisfy dogsled.
- telemetry/circuitbreaker.go: drop the now-unused setState helper.
  execute() now transitions to half-open via setStateUnlocked under
  an already-held lock.

Co-authored-by: Isaac
@gopalldb
Copy link
Copy Markdown
Collaborator

gopalldb commented May 14, 2026

Must-fix

  1. "One breaker signal per export" is only true for 429. WithSkipRateLimitRetry(ctx) in exporter.go suppresses retryablehttp's 429 retries, but 502/503/5xx still retry internally per
    isRetryableServerResponse in internal/client/client.go. A 503 storm will go through N internal retries before surfacing one error to the breaker — same problem the PR claims to fix, just one code path
    narrower. Either pass a stricter "skip all retries" context flag from telemetry, or accept the asymmetry and document it explicitly.
  2. Retry-After is honored twice on 429. retryablehttp's backoff() (client.go ~L749) already waits Retry-After before re-attempting; the exporter then calls extendOpenStateAtLeast(...) with the same value, so
    the breaker sleeps Retry-After + waitDurationInOpenState. With both ~60s the effective pause is ~120s. Either move Retry-After handling exclusively to the breaker (don't retry at the transport layer for
    telemetry) or skip the breaker extension when retryablehttp owned the wait.
  3. Retry-After not parsed on 503. Exporter only extracts the header when resp.StatusCode == 429. A 503 with Retry-After is silently ignored — breaker stays open the default 60s regardless of what the server
    asked for. Apply the same Retry-After parse to 503 (and 429), not just 429.

Should-fix

  1. DSN backcompat is silent. telemetry_retry_count / telemetry_retry_delay are extracted and discarded (_, _ = params.extract(...) style). Users with legacy DSNs won't know their config is ignored. Log a
    one-time DEBUG (or WARN) when these params are present.
  2. Breaker math change isn't documented. minimumNumberOfCalls 20→10 with FlushInterval 5s→30s means worst-case ~5 minutes to detect a sustained outage at default cadence. State this in a code comment so
    future maintainers don't accidentally regress it.
  3. Sliding-window size didn't change with minimumNumberOfCalls. Window stayed at 30 while min dropped to 10. Verify intentional — the half-open recovery window now spans a smaller fraction, which shifts the
    trip-to-recover ratio.
  4. buildUserAgent is duplicated, not extracted. PR body says it "mirrors internal/client/client.go:295-302 exactly" — two copies of the same logic will drift. Extract to a shared helper (e.g.,
    internal/agent/useragent.go) and have both call sites use it.

Test coverage

  1. TestExport_SingleAttemptPerExport uses a bare *http.Client, not the retryablehttp-wrapped one. That correctly proves the exporter layer doesn't loop, but doesn't catch issue Add License file #1 above (transport-layer
    retry on 503). Add an integration-flavor test that uses the real RetryableClient() and asserts the combined behavior matches "one breaker signal per export" for all status codes the PR cares about.
  2. TestIsRetryableStatus was deleted, not relocated. isRetryableStatus moved from exporter to the transport layer (isRetryableServerResponse); the predicate test should move with it into
    internal/client/client_test.go.
  3. Breaker edge cases. New circuitbreaker_test.go (+118) covers happy paths for the Retry-After hint. Missing:
    - Two consecutive extendOpenStateAtLeast calls with different hints — which wins?
    - Half-open → fail → re-open while a prior hint is pending — does the hint persist? Reading the code, hints only clear on Close, so a stale hint can linger.

@samikshya-db
Copy link
Copy Markdown
Collaborator Author

samikshya-db commented May 23, 2026

Thanks for the thorough review. All ten items addressed in a follow-up commit on this branch:

Must-fix

  1. 5xx asymmetry fixed, not documented away. Renamed the context flag WithSkipRateLimitRetryWithSkipTransientRetries and broadened it to suppress retries for both 429 and 503 (everything isRetryableServerResponse matches). Telemetry sets this, so the transport now collapses to exactly one HTTP transaction per export for 429, 503, 5xx, and transport errors — one breaker signal per call, no asymmetry. (internal/client/client.go, telemetry/exporter.go, telemetry/featureflag.go)

  2. Double Retry-After eliminated. With Add License file #1 in place, retryablehttp never honours Retry-After internally on telemetry calls — the response flows directly back to the exporter. The exporter parses Retry-After once and feeds it to the breaker via extendOpenStateAtLeast. Also: the breaker already takes max(waitDurationInOpenState, retryAfterHint), not a sum, so no stacking even before this fix.

    While wiring this up I caught a related production bug: with retryablehttp's StandardClient adapter, when CheckRetry returns (false, err) net/http silently discards the response (logs "RoundTripper returned a response & error; ignoring response"). The exporter was therefore never seeing the actual 429/503 response in production. RetryPolicy now returns (false, nil) on the skip path so the response is preserved through net/http.

  3. 503 Retry-After now honoured. Exporter parses Retry-After on 429 || 503 (was 429-only). Added TestExport_503RecordsRetryAfter to lock this in.

Should-fix
4. Legacy DSN params now logged. telemetry_retry_count / telemetry_retry_delay emit a one-time WARN on extraction noting they're deprecated and ignored. (internal/config/config.go)
5. Breaker timing documented. Expanded the comment on defaultCircuitBreakerConfig to spell out the minimumNumberOfCalls=10 × FlushInterval=30s = ~5min detection time, and why that's intentional (slow trip avoids flapping on transient blips for low-traffic clients; open-state interval owns the recovery cadence).
6. Sliding-window vs minimum calls clarified. Same comment: minimumNumberOfCalls gates when evaluation starts; slidingWindowSize caps how many outcomes participate once it does. Intentional — recent successes get to offset transient failures inside a larger memory window.
7. buildUserAgent deduplicated. Extracted to internal/client/useragent.go as client.BuildUserAgent(cfg). Both connector.go (telemetry/feature-flag path) and client.InitThriftClient (Thrift path) call it now — single source of truth.

Test coverage
8. Integration test through real RetryableClient. Added TestExport_SingleAttemptThroughRetryableClient which routes the export through client.RetryableClient(cfg) with a noop authenticator and asserts exactly 1 attempt for 429, 503, and 500 — catches transport-layer retry leaks for every status code the PR cares about. This is what surfaced the response-discarding bug fixed in #2.
9. TestIsRetryableStatus relocated. Added TestIsRetryableServerResponse in internal/client/client_test.go against the new predicate. Note the predicate semantics narrowed (only 429 + 503 now — 500/502/504 take the generic 5xx branch governed by ClientMethod); the test reflects that.
10. Breaker edge cases covered.
- TestCircuitBreaker_RetryAfterHintTakesMax: consecutive extendOpenStateAtLeast calls — larger wins, smaller is ignored, non-positive is a no-op.
- TestCircuitBreaker_HintClearedBeforeHalfOpenFailRecycle: Open(hint=10s) → HalfOpen (hint cleared) → fail → Open. Verifies the second Open uses waitDurationInOpenState, not the stale 10s hint — i.e. no stale hint persistence on the recycle path.

All existing tests still pass; go vet ./... clean. Diff stat: 9 files changed, +336 / −107.

This comment was generated with GitHub MCP.

samikshya-db and others added 3 commits May 23, 2026 11:23
@samikshya-db
Telemetry: address PR #354 follow-up review
4ce642c 
- Broaden WithSkipRateLimitRetry → WithSkipTransientRetries to cover 429
  AND 503; telemetry now collapses to one HTTP transaction per export
  across all transient codes, eliminating the 5xx asymmetry and any
  double-honour of Retry-After.
- Fix latent bug: RetryPolicy returned (false, err) on the skip path,
  which made net/http's wrapper drop the response. Return (false, nil)
  so the exporter can see and act on Retry-After.
- Parse Retry-After on 503 in addition to 429.
- Log a one-time WARN when deprecated telemetry_retry_count /
  telemetry_retry_delay DSN params are present.
- Document the breaker's detection-time / window-size / minimum-calls
  rationale in defaultCircuitBreakerConfig.
- Extract BuildUserAgent into internal/client/useragent.go as the
  single source of truth for the Thrift + telemetry + feature-flag
  user-agent string.
- Tests: TestIsRetryableServerResponse, TestExport_503RecordsRetryAfter,
  TestExport_SingleAttemptThroughRetryableClient (integration test
  using the real RetryableClient), TestCircuitBreaker_RetryAfterHintTakesMax,
  TestCircuitBreaker_HintClearedBeforeHalfOpenFailRecycle.

Co-authored-by: Isaac
@samikshya-db
Merge branch 'main' into telemetry-429-circuit-breaker-and-user-agent
0a187b4
@samikshya-db
Telemetry: minor follow-ups from self-review
f02717d 
- RetryPolicy: only read Retry-After when we're going to use it
  (skip-transient-retries branch returns early).
- Add BuildUserAgent table test covering plain / UserAgentEntry /
  detected-agent / combined paths; test clears known agent env vars
  first so the host environment can't leak in.
- Gate each legacy-DSN-param deprecation warning behind a sync.Once
  so apps that reparse the same DSN per connection don't flood the
  log with the same notice.

Co-authored-by: Isaac
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@gopalldb gopalldb Awaiting requested review from gopalldb

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@samikshya-db @gopalldb