Skip to content

crypto: feature-gate telemetry SDKs (LaunchDarkly, Segment, Sentry)#35946

Draft
jasonhernandez wants to merge 3 commits intomainfrom
pr6-telemetry-feature-gate
Draft

crypto: feature-gate telemetry SDKs (LaunchDarkly, Segment, Sentry)#35946
jasonhernandez wants to merge 3 commits intomainfrom
pr6-telemetry-feature-gate

Conversation

@jasonhernandez
Copy link
Copy Markdown
Contributor

@jasonhernandez jasonhernandez commented Apr 10, 2026
edited
Loading

Summary

  • Feature-gate LaunchDarkly SDK behind telemetry feature in adapter/balancerd/environmentd
  • Feature-gate Segment analytics behind telemetry feature in adapter/environmentd
  • Split Sentry from tracing feature in mz-ore (make sentry-tracing optional via sentry feature)
  • Add sentry feature to orchestrator-tracing and service crates
  • cfg-gate sentry::Hub usage in panic handler behind sentry feature
  • Disable default features for mz-service/mz-orchestrator-tracing in environmentd for proper feature isolation
  • All features enabled by default — no behavioral change
  • Enables FIPS builds to exclude non-compliant crypto from telemetry SDKs

Part 6 of 7 in the crypto migration. Depends on PR1 (#35940).

Test plan

  • cargo check --workspace passes (telemetry enabled by default)
  • cargo check -p mz-environmentd --features test passes
  • No behavioral change when telemetry feature is enabled

🤖 Generated with Claude Code

jasonhernandez and others added 2 commits April 10, 2026 13:46
@jasonhernandez @claude
crypto: add core crypto infrastructure (mz-ore crypto module)
8bab8aa 
Add rustls/aws-lc-rs workspace dependencies alongside existing OpenSSL
deps, and introduce a `crypto` feature in mz-ore with a `#[ctor::ctor]`
auto-install of the aws-lc-rs CryptoProvider. This is the foundation
for the full crypto migration from native-tls/OpenSSL to rustls/aws-lc-rs.

Changes:
- Add rustls, rustls-pemfile, rustls-pki-types, tokio-rustls,
  hyper-rustls, rcgen, launchdarkly-server-sdk, launchdarkly-sdk-transport
  to workspace dependencies
- Add fork overrides for azure-sdk and launchdarkly-sdk-transport
- Add `crypto` and `fips` features to mz-ore with aws-lc-rs/rustls/ctor deps
- Add src/ore/src/crypto.rs with auto-install and fips_crypto_provider()
- Add CDLA-Permissive-2.0 to accepted licenses (about.toml + deny.toml)
- Remove rustls ban from deny.toml (migration in progress)
- Add rustls ecosystem duplicate version skips to deny.toml

Part 1 of 7 in the crypto migration from native-tls/OpenSSL to
rustls/aws-lc-rs.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@jasonhernandez @claude
crypto: feature-gate telemetry SDKs (LaunchDarkly, Segment, Sentry)
c3505bc 
Make telemetry SDKs optional behind feature flags to enable FIPS builds
that exclude non-compliant crypto dependencies:

- adapter: telemetry feature gates launchdarkly-server-sdk, mz-segment
- environmentd: telemetry feature gates mz-segment, sentry-tracing
- balancerd: telemetry feature gates launchdarkly-server-sdk
- ore: split sentry from tracing feature (sentry-tracing now optional)
- orchestrator-tracing, service: sentry feature for sentry-tracing

All features enabled by default — no behavioral change.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@github-actions
Copy link
Copy Markdown
Contributor

github-actions bot commented Apr 10, 2026

Thanks for opening this PR! Here are a few tips to help make the review process smooth for everyone.

PR title guidelines

  • Use imperative mood: "Fix X" not "Fixed X" or "Fixes X"
  • Be specific: "Fix panic in catalog sync when controller restarts" not "Fix bug" or "Update catalog code"
  • Prefix with area if helpful: compute: , storage: , adapter: , sql:

Pre-merge checklist

  • The PR title is descriptive and will make sense in the git log.
  • This PR has adequate test coverage / QA involvement has been duly considered. (trigger-ci for additional test/nightly runs)
  • If this PR includes major user-facing behavior changes, I have pinged the relevant PM to schedule a changelog post.
  • This PR has an associated up-to-date design doc, is a design doc (template), or is sufficiently small to not require a design.
  • If this PR evolves an existing $T ⇔ Proto$T mapping (possibly in a backwards-incompatible way), then it is tagged with a T-proto label.
  • If this PR will require changes to cloud orchestration or tests, there is a companion cloud PR to account for those changes that is tagged with the release-blocker label (example).

@jasonhernandez @claude
crypto: disable default features for mz-service and mz-orchestrator-t…
95f6656 
…racing in environmentd

Ensures sentry deps are only pulled in via explicit telemetry/test
features rather than through default feature propagation, enabling
proper exclusion in FIPS builds.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@jasonhernandez