feat: configure TLS with environment variables.

Updates the opentelemetry-otlp crate to allow users to configure TLS using environment variables. Removing the need to crating the TLS config object and defining it with the `with_tls_config` method. In the same way other OTLP libraries does (e.g. go lang). Signed-off-by: José Guilherme Vanz <[email protected]>
open-telemetry · Dec 31, 2024 · 9458a03 · 9458a03
1 parent 6e1032f
commit 9458a03
Show file tree

Hide file tree

Showing 10 changed files with 497 additions and 42 deletions.
diff --git a/Cargo.toml b/Cargo.toml
@@ -51,3 +51,5 @@ tracing = { version = ">=0.1.40", default-features = false }
 tracing-core = { version = ">=0.1.33", default-features = false } 
 tracing-subscriber = { version = "0.3", default-features = false }
 url = { version = "2.5", default-features = false }
+rcgen = { version = "0.13", features = ["crypto"] }
+tempfile = "3.14"
diff --git a/opentelemetry-otlp/CHANGELOG.md b/opentelemetry-otlp/CHANGELOG.md
@@ -3,6 +3,7 @@
 ## vNext
 
 - Bump msrv to 1.75.0.
+- TLS configuration via environment variables for GRPc exporters.
 
 
 ## 0.27.0

diff --git a/opentelemetry-otlp/Cargo.toml b/opentelemetry-otlp/Cargo.toml
@@ -51,6 +51,8 @@ opentelemetry_sdk = { features = ["trace", "rt-tokio", "testing"], path = "../op
 tokio = { workspace = true, features = ["macros", "rt-multi-thread"] }
 futures-util = { workspace = true }
 temp-env = { workspace = true }
+rcgen = { workspace = true }
+tempfile = { workspace = true }
 
 [features]
 # telemetry pillars and functions

diff --git a/opentelemetry-otlp/src/exporter/mod.rs b/opentelemetry-otlp/src/exporter/mod.rs
@@ -28,6 +28,19 @@ pub const OTEL_EXPORTER_OTLP_PROTOCOL: &str = "OTEL_EXPORTER_OTLP_PROTOCOL";
 /// Compression algorithm to use, defaults to none.
 pub const OTEL_EXPORTER_OTLP_COMPRESSION: &str = "OTEL_EXPORTER_OTLP_COMPRESSION";
 
+/// Certificate file to validate the OTLP server connection
+#[cfg(feature = "tls")]
+pub const OTEL_EXPORTER_OTLP_CERTIFICATE: &str = "OTEL_EXPORTER_OTLP_CERTIFICATE";
+/// Path to the certificate file to use for client authentication (mTLS).
+#[cfg(feature = "tls")]
+pub const OTEL_EXPORTER_OTLP_CLIENT_CERTIFICATE: &str = "OTEL_EXPORTER_OTLP_CLIENT_CERTIFICATE";
+/// Path to the key file to use for client authentication (mTLS).
+#[cfg(feature = "tls")]
+pub const OTEL_EXPORTER_OTLP_CLIENT_KEY: &str = "OTEL_EXPORTER_OTLP_CLIENT_KEY";
+/// Use insecure connection. Disable TLS
+#[cfg(feature = "tls")]
+pub const OTEL_EXPORTER_OTLP_INSECURE: &str = "OTEL_EXPORTER_OTLP_INSECURE";
+
 #[cfg(feature = "http-json")]
 /// Default protocol, using http-json.
 pub const OTEL_EXPORTER_OTLP_PROTOCOL_DEFAULT: &str = OTEL_EXPORTER_OTLP_PROTOCOL_HTTP_JSON;
@@ -76,6 +89,18 @@ pub struct ExportConfig {
 
     /// The timeout to the collector.
     pub timeout: Duration,
+
+    /// Disable TLS
+    pub insecure: Option<bool>,
+
+    /// The certificate file to validate the OTLP server connection
+    pub certificate: Option<String>,
+
+    /// The path to the certificate file to use for client authentication (mTLS).
+    pub client_certificate: Option<String>,
+
+    /// The path to the key file to use for client authentication (mTLS).
+    pub client_key: Option<String>,
 }
 
 impl Default for ExportConfig {
@@ -88,6 +113,10 @@ impl Default for ExportConfig {
             // won't know if user provided a value
             protocol,
             timeout: Duration::from_secs(OTEL_EXPORTER_OTLP_TIMEOUT_DEFAULT),
+            insecure: None,
+            certificate: None,
+            client_certificate: None,
+            client_key: None,
         }
     }
 }
@@ -195,6 +224,17 @@ pub trait WithExportConfig {
     fn with_timeout(self, timeout: Duration) -> Self;
     /// Set export config. This will override all previous configuration.
     fn with_export_config(self, export_config: ExportConfig) -> Self;
+    /// Set insecure connection. Disable TLS
+    fn with_insecure(self) -> Self;
+    /// Set the certificate file to validate the OTLP server connection
+    /// This is only available when the `tls` feature is enabled.
+    fn with_certificate<T: Into<String>>(self, certificate: T) -> Self;
+    /// Set the path to the certificate file to use for client authentication (mTLS).
+    /// This is only available when the `tls` feature is enabled.
+    fn with_client_certificate<T: Into<String>>(self, client_certificate: T) -> Self;
+    /// Set the path to the key file to use for client authentication (mTLS).
+    /// This is only available when the `tls` feature is enabled.
+    fn with_client_key<T: Into<String>>(self, client_key: T) -> Self;
 }
 
 impl<B: HasExportConfig> WithExportConfig for B {
@@ -217,6 +257,27 @@ impl<B: HasExportConfig> WithExportConfig for B {
         self.export_config().endpoint = exporter_config.endpoint;
         self.export_config().protocol = exporter_config.protocol;
         self.export_config().timeout = exporter_config.timeout;
+        self.export_config().insecure = Some(true);
+        self
+    }
+
+    fn with_insecure(mut self) -> Self {
+        self.export_config().insecure = Some(true);
+        self
+    }
+
+    fn with_certificate<T: Into<String>>(mut self, certificate: T) -> Self {
+        self.export_config().certificate = Some(certificate.into());
+        self
+    }
+
+    fn with_client_certificate<T: Into<String>>(mut self, client_certificate: T) -> Self {
+        self.export_config().client_certificate = Some(client_certificate.into());
+        self
+    }
+
+    fn with_client_key<T: Into<String>>(mut self, client_key: T) -> Self {
+        self.export_config().client_key = Some(client_key.into());
         self
     }
 }