What Could Go Wrong with a GraphQL Query and Can OpenTelemetry Help? - Budhaditya Bhattacharya, Tyk

00:00

we're starting a couple of minutes early

00:01

because this is after all the last

00:03

session of the day so um I am expecting

00:06

the loudest Applause at the end of it

00:08

but hopefully you'll be with me on this

00:10

journey over the next 15 to 20 minutes

00:12

so thank you everyone for being here um

00:15

this has been a great open tary

00:16

Community this was my first time

00:18

speaking in Seattle uh and meeting a lot

00:21

of the folks that I've seen over

00:23

LinkedIn or YouTube videos or guub

00:25

issues in person which is great um so

00:28

with all that being said um I'm here to

00:30

talk a little bit about what could go

00:32

wrong with graphel queries and can open

00:36

Telemetry help us um I assure you it's

00:39

not going to be a bummer off a topic at

00:40

all even though the name might suggest

00:42

it that way um but um if murph's law

00:46

suggests that uh whatever can go wrong

00:49

would potentially go wrong or whatever

00:50

can happen will happen so let's just be

00:52

prepared uh when that happens I'm not

00:54

here I'm not going to be evangelizing

00:55

graph Cur as a technology so just as a

00:57

caveat to this uh I'm not trying to sell

00:59

you on using graphql but if you are

01:01

already sold onto that or considering

01:03

doing it then uh there are a couple of

01:05

things and challenges that you might

01:06

encounter and we'll go through some of

01:08

those uh and hopefully we'll see how

01:10

open Telemetry um can solve or address

01:13

some of those things either out of the

01:15

box or potentially with certain manual

01:17

instrumentations associated with it so

01:20

with that being said I am Buddha I am a

01:22

developer Advocate at Ty Ty for those

01:24

who do not know is a cloud native API

01:26

management platform powered by and uh an

01:29

open source API Gateway we are otel

01:32

native as well as um we are graphical

01:34

aware as an API Gateway um and I can

01:37

tell you all about that later on but the

01:39

idea is we kind of know a little bit

01:40

more about both of these different

01:42

worlds some of the challenges some of

01:43

the solutions associated with it um I'm

01:46

originally from India um lived most of

01:48

my life in Singapore currently living in

01:50

Durham North Carolina big big fan of

01:52

horror movies but I like my horror on

01:54

screen and in literature not so much in

01:56

software as you would see with craft Q

01:58

today um

02:00

additionally I'm the chairperson of the

02:02

open API um open API initiatives

02:05

business governance board in case you're

02:07

working in there as

02:08

well so um just to set the scene for

02:11

today um I'm looking at two sides of

02:14

when and how you are sort of promoting

02:16

or or or deploying an application in

02:19

this case a graph application to

02:21

production uh on one side obviously is

02:23

the development side of things where

02:24

you're looking at the different

02:25

capabilities your business logic of how

02:27

you're building out your graphical

02:28

application on the other side is a

02:30

little bit to do with your operations

02:32

how do you make sure that things are

02:33

stable they are deployed reliably and

02:36

things don't go wrong and when they do

02:37

you at least have a way to actually

02:39

address those things so I'm going to be

02:40

looking at both of those different sides

02:42

and hopefully help you get to that next

02:44

step in that Journey so without before

02:47

moving forward uh just a quick question

02:49

anyone here who's actually worked with

02:51

graphql before or is working with

02:53

graphql at the moment considering

02:55

working with graphql at the

02:56

moment okay all right once again I'm not

02:59

going to be trying to convert the others

03:01

who did not raise their hands over here

03:02

but hopefully address some of the

03:03

challenges that you might be facing here

03:06

um so for those who do not know graphql

03:08

is um it's a query language for apis and

03:12

um a runtime for fulfilling those

03:15

queries with your existing data it

03:17

usually gives you a very very easy

03:18

hopefully straightforward way to

03:20

describe your data and then let or

03:23

enables your client side or the DU

03:25

developers to actually ask for what they

03:27

need for their application and then

03:29

hopefully give those results in a more

03:30

predictable way the key difference or

03:32

the key value of actually having graph

03:34

as a technology is usually seen uh in

03:36

Omni Channel application especially when

03:38

you have to cater to different needs of

03:40

the of the consuming application this

03:43

was kind of the main reason why it was

03:45

for created in the first place at

03:47

Facebook um there are a couple of other

03:49

things that again when we talk about

03:51

grafal we we have to talk about rest as

03:53

well and I think again rest as an API

03:55

technology is usually a very very robust

03:59

uh way of dealing with apis and API

04:01

Styles but with some of these uh with

04:03

graphel we saw we noticed that there

04:05

were a couple of challenges that the

04:07

rest was kind of unable to solve um

04:10

namely over fetching and under fetching

04:12

in this case over fetching typically

04:13

refers to um returning or getting back a

04:16

lot of information more than what you

04:18

might need and then enabling your or

04:20

letting the heavy lifting being done in

04:22

the front end whereas with under

04:24

fetching you need to have multiple

04:25

Cycles or multiple queries to be get to

04:28

get back um the specific kind of

04:30

information that you need in some cases

04:32

this might be desirable but in most

04:33

cases that adds to the overall Network

04:35

cost or your payload costs moving on

04:38

just to give you a little bit of an

04:39

example of what graph qu looks like in

04:41

practice there is a schema just kind of

04:43

the blueprint of your overall graph API

04:47

um then the operations usually is

04:50

queries are the most typical

04:51

applications uh operations that you do

04:53

with graphql um you also have mutations

04:56

and subscriptions but you're not going

04:57

into those but the key thing to notice

04:59

over here is that the shape of the

05:01

response tends to mirror the shape of

05:03

the request which makes things a lot

05:05

more predictable in the way you um

05:08

receive or get information and again you

05:10

can request specific pieces of

05:12

information out of the schema as opposed

05:14

to getting back every single thing that

05:16

has been enabled by the API producers in

05:18

this case so with that being said um I'm

05:21

going to set the scene again today for

05:23

the application that we're going to be

05:24

using as a sample in this case this is a

05:26

travel application the server side

05:28

includes a couple of different

05:29

components there are a few different

05:31

services that you see there are a couple

05:32

of rest apis that are being called as

05:35

part of the graphql application in some

05:38

cases you can go directly building out

05:39

your own schema in some cases you

05:41

actually connect with existing data

05:43

points as well both of these completely

05:45

valid uh the application itself is no JS

05:49

application even though some might say

05:50

JavaScript is not a language but sure

05:52

we'll we'll we'll talk about that later

05:54

on um in the simplest use case of a

05:57

graphql application you would you would

05:59

have a react app or a front end a single

06:01

front end that is making this call uh in

06:03

which case graph C may not be the right

06:05

way because it might be a little bit

06:07

going over board whereas a more typical

06:09

applications would be that you have

06:11

multiple applications or multiple

06:12

clients making these requests you might

06:14

have different apps that could be

06:16

internal facing could be partner facing

06:18

could be an API Marketplace of its own

06:20

that would that you would need to

06:22

consider so with that again definitely

06:25

one of the components that you do need

06:26

to consider is an API Gateway typically

06:29

um and again I'm not just saying it

06:30

because I work in this space but a

06:32

graphel aware mature graphel aware API

06:35

Gateway adds a whole range of benefits

06:37

again when you're working with

06:38

observability specifically because it

06:40

acts as the name suggest as a Gateway

06:42

into your application but also as a

06:44

mediator between the different uh

06:47

security protocols and measures that you

06:48

might be integrating with as well as

06:50

different governance practices out there

06:52

and when you're thinking about end

06:53

tracing or endtoend observability

06:55

ideally you need to consider every

06:57

single component of your stack

07:00

now how do you monitor graphql in

07:02

production and one of the ways of doing

07:04

that is to apply the red method for

07:05

those who are not familiar with the red

07:07

method the red it is a monitoring

07:09

strategy that um that is used to gain

07:11

insight into the health and performance

07:14

of distributed systems um typically the

07:17

red stands for the rate errors and

07:19

duration and again if you're familiar

07:21

with it that's great based on these

07:23

metrics you can understand how good your

07:25

service is doing and uh set up your slos

07:29

according accordingly now to think about

07:31

how we can start adding open Telemetry

07:33

to the travel app that we just saw the

07:36

first step is to instrument your graphql

07:38

service with open Telemetry to get

07:39

distributed traces um and again now

07:43

there are there are different

07:43

implementations of graphql available in

07:45

the market in this case we've gone

07:47

specific to the nodejs instrumentation

07:49

in case you're looking for one that is

07:51

specific to your application U you can

07:53

always always go to the open Telemetry

07:55

website and under ecosystems is search

07:57

for um the instrument mation

07:59

requirements there and nothing we found

08:01

one for nodejs at least in this case uh

08:04

moving right along so we use the trace

08:06

JS file uh to instrument our service

08:08

with open Telemetry and this is how we

08:11

add the graph Cel instrumentation here

08:13

you'll also notice that we are exporting

08:15

the spans to the open Telemetry

08:17

collector uh and we see the result uh

08:20

that we have we have got endtoend

08:21

distributor traces in jger um and we can

08:25

see Ty API Gateway starting off the

08:27

trace as an entry point um for the

08:29

transaction and then reporting some

08:31

spans then the graph Feld Services take

08:33

over afterwards and then it goes into

08:35

sort of the underlying rest apis the

08:38

Upstream apis to go with it so now that

08:41

we've got all the setup done let's move

08:43

forward into how you're going to be

08:45

getting the red metrics integrated

08:47

Jagger already has some of these outof

08:49

the boox Integrations available uh it

08:52

uses a component in The oel Collector

08:54

called the span metrics connector to

08:56

generate these metrics based on the

08:58

spans um and the span metric selector

09:00

creates two metrics based on uh the span

09:03

itself the calls total and um the

09:06

latency I believe a latency count so

09:09

those metrics are stored in Prometheus

09:11

and Jer and will connect to Prometheus

09:13

to display these uh

09:15

metrics uh finally this is kind of the

09:17

dashboard you finally have a look at

09:18

this uh in the monitor tab you can now

09:20

see the request rate you can see the

09:22

error rate um and the duration for your

09:25

graphql service so we're all all good to

09:27

go now let's look at some of the

09:29

possible errors that might happen we'll

09:31

be looking at two of them one of them is

09:33

the Upstream errors and the other one is

09:35

a resolver error um so the first one as

09:39

you can see here I'm trying to uh send a

09:41

request to to get information about um

09:44

the country Italy in this case um along

09:47

with its weather data but um there seems

09:50

to be something that's gone wrong as we

09:52

can see from the message over there

09:53

we're not getting the right response so

09:55

now let's look at how we can start

09:56

troubleshooting this so if you look go

09:59

straight into the dashboard uh the Jaga

10:01

dashboard you will already see that

10:02

there is an increase in the error rate

10:05

um and I can then we can as a next step

10:08

of this we can start looking at the

10:09

traces and I can find within the Traces

10:12

by filtering them in Jer using the error

10:14

tag uh you'll be able to see that a the

10:18

the the you can actually see that you

10:20

can um the graph service itself is

10:23

giving a 500 HTTP status code and uh

10:27

that is because it's a consequence of uh

10:29

The Weather Service itself returning a

10:31

400 ER the external Upstream Weather

10:33

Service that we are connected to so in

10:36

this example I can get all the

10:37

information I need from open Telemetry

10:40

and I can check out uh which query is

10:43

having this issue as well if you wanted

10:44

to go a little bit deeper a little bit

10:45

more specific so done resolved fixed

10:49

that issue and now we're all back and

10:51

back and happy the final one we go into

10:55

the U the resolver issue here um this to

10:59

be a little bit more unique so we'll

11:00

we'll go into that a little bit right

11:02

now where again we we see an error that

11:04

is that is being um shown here um but in

11:08

this case when we look at the dashboard

11:10

we're not really getting a hint as to

11:12

what's really going on in this case um

11:14

neither can we find something over here

11:15

it looks like everything is fine so

11:17

we're not really able to reproduce this

11:19

at this stage now there is a reason for

11:21

this because for those who are again

11:23

familiar with graphql a big challenge

11:25

with graphql is that at a status code

11:27

level the HTTP status code typically

11:29

Ally even when things are going wrong

11:31

tends to give back a 200 um response and

11:35

that has its own challenges so even if

11:37

things are not going well graphel can be

11:39

the perfect Optimist pretty much turning

11:41

a blind eye to what's going on

11:43

underneath so you don't want that you

11:44

obviously want to get to the heart of

11:46

the issue in this case um and as you can

11:49

see the the object body or the the

11:53

response body is where you can actually

11:54

see the errors coming up and it has its

11:57

own object where you can see some of the

12:00

different details around it has message

12:02

and it has location but how do we catch

12:05

this as an error um so let's let's go

12:08

diving a little bit into the semantic

12:10

convention that's associated with

12:11

graphql at this point of time and it

12:13

looks like it's a little bit limited

12:15

there are a couple of different options

12:17

available here but it doesn't go into

12:19

say a graphel error it's not giving me

12:21

the specific um is specific conventions

12:25

that I would need to actually get to the

12:27

heart of this issue in this case so

12:30

let's just add our own attribute and

12:32

we're going to be calling it a graphql

12:33

error. message and uh with with some

12:36

manual

12:37

instrumentation I've added that now into

12:40

my code and now I can start seeing um

12:43

the errors being recorded on my spans

12:46

one thing you will still notice is that

12:47

the entry point is still giving me a 200

12:49

because that doesn't change here but we

12:51

are getting a bit more information here

12:53

and especially if you go into Prometheus

12:56

in this case we can find out that their

12:58

error rates are being reported based on

13:00

the manual instrumentation that has

13:01

happened so that's just something to

13:03

keep in mind when you're working with

13:04

graphql the HP status 200 is not always

13:08

uh an indicator that everything is fine

13:11

and then finally we talk about a little

13:12

bit about performance here um one of the

13:15

other challenge of graphql is that um

13:19

the end point of a graphql API is

13:21

typically again a slash graphql or

13:24

something to that effect so the main

13:26

changes or updates the requests that are

13:28

going through are again at a layer below

13:30

which is in the form of queries so you

13:32

can still be calling that same endpoint

13:34

but requesting different forms of data

13:37

um and that could be very very flexible

13:39

in the way in whichever way the the

13:41

requester wants it to be so if they can

13:43

essentially call it an any particular

13:45

order that they want to that shape could

13:47

be completely different for every single

13:49

one of the requests that they might make

13:51

so this obviously poses a little bit of

13:53

a challenge um where there could be you

13:56

know we could have multiple clients

13:57

consuming this API each in their own own

14:00

way um but it also poses that challenge

14:03

of um how do you then profile that

14:06

performance because uh what could be

14:08

right for a specific query for a

14:10

specific client uh may not be right for

14:12

the others so how do you actually start

14:15

looking or thinking about that a little

14:16

bit more so what you need in this case

14:19

is while that P95 value over there um is

14:22

an indicator of some things it's really

14:24

not enough because it's just giving you

14:25

an average um overall error rate or

14:28

latency rate in this case uh which again

14:30

doesn't give you the full picture so we

14:31

need to go a little bit more granular in

14:33

this case and there are some typical

14:36

performance issues that can be seen with

14:38

graphql um we are not going to go into

14:40

each one of them given a few minutes

14:42

left for us um so I'm going to just talk

14:46

about the first one but we I'm happy to

14:47

discuss the remaining ones um directly

14:49

with you if you wanted to have a chat

14:51

but the most typical performance issue

14:53

that you see here is the n plus1 issue

14:56

again if you're not familiar with it um

14:58

it BAS basically means that when you're

15:00

making a request or or querying some

15:02

data it the first response is to get

15:05

back a set of um set of set of

15:08

information or resources and then as a

15:11

subsequent call you're essentially going

15:12

into each one of those resources and

15:15

making a query for each one of them

15:16

hence the N plus1 problem it is fixable

15:19

by using things like data loaders but it

15:22

can also be quite easily overlooked and

15:24

you don't want that because it has a lot

15:26

of huge performance implications for

15:29

graphical apis um so how do you solve

15:31

that there's actually a fairly

15:32

straightforward way to doing to to to

15:34

actually solving this um in this example

15:38

again you can see that you know a very

15:39

simple query has actually gone into a

15:41

pretty much of a cycle where you've got

15:44

multiple uh continents and countries

15:46

coming up as the response with open

15:48

Telemetry uh you can nicely detect this

15:50

n n plus1 query problem uh in this

15:53

particular example if you look at this

15:54

dashboard with jerger you'll see that

15:56

within the stay diagram that one query

15:59

has led to 27 HTTP get calls uh and

16:02

that's a typical indicator that

16:04

something is going wrong in which Cas in

16:05

this case specifically n plus1 um is is

16:08

likely the cause here so you can even

16:11

get that number in Prometheus if you

16:12

wanted to look at it um so getting an

16:15

average number of outgoing requests for

16:16

graphical query if it's that high

16:18

typically means that something is wrong

16:20

and in this case that is probably an N

16:22

plus1 problem you can set alerts in test

16:24

or in your production environment to

16:26

actually um get to know when this is

16:28

happening

16:29

then finally the final steps here um so

16:32

we've kind of understood a little bit

16:34

more about what's going on um we spoke

16:37

about um the open limit is still useful

16:40

as a way to troubleshoot your graph fuel

16:42

apis uh but there are still certain

16:43

things that you need to consider

16:45

including you know the semantic

16:46

inventions are still a little bit

16:48

limited uh it needs to be a little bit

16:49

more specific in terms of graphql um and

16:53

then the instrumentation providers or

16:55

the instrumentation vendors may not

16:57

always respect the common semantic

17:00

convention and may have their own

17:01

implementations and that could pose its

17:03

own challenge um but um it's a work in

17:07

progress where I think we've started

17:08

contributing a little bit more in this

17:09

area uh we opened up an issue here so

17:11

feel free to comment and uh add your uh

17:15

considerations your um you know

17:17

contributions to this um hopefully this

17:20

takes the shape of something a little

17:21

bit more formal over the next um few

17:23

months and years and with that um it

17:26

looks like everyone's happy at this

17:27

point hopefully we to address some of

17:29

the key challenges around graphql with

17:32

open Telemetry in production um both

17:34

sides of the party the developers as

17:35

well as the operational side is is a bit

17:37

more happy having a little bit more

17:39

reliability baked into their system so

17:42

that's it uh the final talk hopefully

17:44

with five minutes left for today um

17:46

that's that's me um on the right hand

17:49

side there is there are a couple of

17:50

resources um I've created a couple of

17:52

courses around open Telemetry API

17:55

observability and API platforms feel

17:57

free to check those out or connect with

17:59

me on LinkedIn if you so desire so with

18:02

that um I come to the end of the

18:04

presentation and hopefully all

18:05

presentations for the day so thank you

18:07

so much appreciate it